LABEL CHECK / DOSSIER
Claude Code
closure trend: settings-layer CVEs and managed-policy bypasses patch within releases; enforcement-layer deltas (deny rules, hook blocking, alias resolution) persist or are closed stale without fixes
Verdict
Claude Code's capability claims largely hold as labeled, but its enforcement-language claims — deny rules, hook exit-code blocking, managed-policy precedence, shell-operator awareness, and per-provider model-alias resolution — are each contradicted by confirmed silent failures, several of which the vendor closed as stale rather than fixed.
Claim ledger — 14 rows
Delta ledger — 11 open
Deny rules in parent settings do not apply to Agent-spawned subagents — confirmed in 5+ issues; #5465 closed not-planned as an architectural limitation
UPDATE 2026-07-04: v2.1.186 fixed 'Agent(type) deny rules and Agent(x,y) allowed-types restrictions not being enforced for named subagent spawns' — but that governs which subagent TYPES may spawn, not whether a parent… Full detail →
closes when:A deny rule set in parent settings blocks the matching command inside an Agent-spawned subagent, re-verified on a current release
evidence:[1][2]Re-verified 2026-07-04 (v2.1.201): #5465 closed not-planned, #25000 closed duplicate — neither fixed
Path deny rules do not bind MCP tools (#28595) or Bash recursive grep/Glob (#28008) accessing the same denied paths
UPDATE 2026-07-04: TD executed the Bash-grep half of this criterion on v2.1.201 — a Read(secret.txt) deny rule did NOT block 'grep -r' recursing into the denied path (the secret line was printed verbatim), while a… Full detail →
closes when:A deny rule on a path blocks MCP file-read tools and Bash grep -r/Glob against that same path, re-verified on a current release
evidence:[1][2]Re-verified 2026-07-04 (v2.1.201, TD-executed): #28595 closed duplicate, #28008 closed stale — neither fixed; Bash 'grep -r' bypass confirmed still active by controlled reproduction
Deny-rule non-enforcement is a recurring regression — three documented instances (v1.0.93 #6699, v2.0.8 #8961, v2.1.49 #27040) with no root-cause fix
UPDATE 2026-07-04: the regression pattern holds. #6699 was closed 'completed' (a real fix, 2025-09) but deny non-enforcement recurred at v2.0.8 (#8961, still open) and v2.1.49 (#27040, since closed stale). Full detail →
closes when:A regression-test-backed fix lands and path-specific deny patterns enforce across two consecutive minor releases, re-verified
evidence:[1][2][3]Re-verified 2026-07-04 (v2.1.201, TD-executed): #6699 completed (2025-09) then regressed; #8961 still open; #27040 closed stale (2026-05-23) without a fix; deny non-enforcement (grep -r vector) confirmed persisting by controlled reproduction
PreToolUse exit code 2 does not block Agent/Task tool calls — 100% failure across 19 attempted blocks (#26923); fix asserted in a later release, re-verification pending
UPDATE 2026-06-28: #26923 is now CLOSED and the docs list PreToolUse as a blocking event, but the resolution method is unconfirmed — this is a re-verification trigger (DC-2), not a closure. Full detail →
closes when:A PreToolUse hook exiting 2 blocks an Agent tool call, with the block message replacing the tool output, re-verified on a current release
evidence:[1]Re-verified open 2026-06-28 against v2.1.195
PreToolUse/PostToolUse hooks intermittently never fire while other events in the same settings file fire reliably (#6305, open, has repro, root cause unknown)
closes when:Tool-event hooks fire on 100% of matched tool calls across a multi-session soak test, with the root cause identified and fixed, re-verified
evidence:[1]Re-verified open 2026-06-28 against v2.1.195
model: alias in agent frontmatter hardcoded to a dated model ID on Bedrock/Vertex, ignoring ANTHROPIC_MODEL — all three issues closed stale/duplicate without a linked fix (re-checked 2026-06-11)
UPDATE 2026-06-28: the Opus 4.1 crash/400 behavior is resolved — docs now show Opus 4.6 on Bedrock/Vertex and document ANTHROPIC_DEFAULT_OPUS_MODEL. Full detail →
closes when:model: opus in agent frontmatter resolves to the provider's current alias target, or honors ANTHROPIC_DEFAULT_OPUS_MODEL, on Bedrock/Vertex, re-verified on a current release
evidence:[1][2][3]Re-verified open 2026-06-28 against v2.1.195
MCP bridge silently coerces array, object, number, and boolean tool parameters to strings — breaks strict-Zod connectors with no error signal
UPDATE 2026-07-04: #32524 — the canonical coercion issue, 9 duplicates, 'has repro' — was closed by stale-bot as not-planned (2026-07-03), NOT fixed. Full detail →
closes when:Non-string parameters arrive at MCP tools with native JSON types and a strict-Zod connector round-trip passes, re-verified
evidence:[1][2]Re-verified 2026-07-04 (v2.1.201): #32524 closed stale/not-planned 2026-07-03 without a fix; no coercion fix in the v2.1.196–201 changelog
~/.claude/mcp.json is silently ignored for user-level MCP config — only ~/.claude.json is honored, with no warning
UPDATE 2026-06-28: re-checked as a design gap, not a tracked bug — Anthropic treats ~/.claude.json as the intended user-level path; #56437/#62888 closed not-planned. Full detail →
closes when:Servers defined in ~/.claude/mcp.json load, or the file produces an explicit warning at startup, re-verified
evidence:[1][2][3]Re-verified 2026-07-04 (v2.1.201): #56437 (2026-06-02) and #62888 (2026-06-27) confirmed closed not-planned (stale)
HTTP 304 cache response zeroes out local managed-settings.json — all deny/allow rules silently dropped
closes when:A 304 (not-modified) response from the managed-settings source preserves the locally cached deny/allow rules rather than emptying them, TD re-verified on a current release
evidence:[1]
Compound-command deny bypass via git -C / cd && / env-prefix forms still active (#66176, filed pre-dossier-cut, absent from prior dossier)
closes when:A Bash prefix rule does not grant permission to env-prefixed or git -C / cd && compound forms it does not literally match, TD re-verified
evidence:[1]
Hook reliability cluster — 4 new non-firing / corruption issues in 17 days (non-interactive non-firing #71022, Linux transcript gap #70632, /clear session_id corruption #70606, unreliable hookAdditionalContext #70479)
closes when:Tool-event and session hooks fire on 100% of matched events across a multi-platform soak test, TD re-verified
Closed deltas — 4 (falsification-gated)
ANTHROPIC_BASE_URL in project settings forwarded the API Authorization header before the trust dialog completed (CVE-2026-21852)
closed by:patched < v2.0.65 — Check Point Research disclosure, Jan 2026
enableAllProjectMcpServers: true executed MCP startup commands before the trust dialog appeared (CVE-2025-59536)
closed by:patched < v1.0.111 (Oct 2025); CVE published Feb 2026
Symlinks inside the workspace redirected acceptEdits reads and writes outside the project directory
closed by:patched < v2.1.71, per release notes
User-level allow rules and skill allowed-tools frontmatter silently overrode enterprise managed ask policies
closed by:v2.1.74 security fix, per changelog
Methodology
- sampling
- Theory Delta Method §2 material-claims rule (strategy/method.md): a claim is sampled if it appears on the product's own label and would plausibly influence an adoption decision. Sampling frame: code.claude.com/docs label surfaces — the permissions, hooks, security, sub-agents, mcp, model-config, and memory pages — captured 2026-06-11. 14 claims sampled. Non-as-labeled rows were limited to claim areas backed by a published Theory Delta evidence page; contested label claims without a published evidence page (for example, automatic subagent delegation) were deferred to a later verification pass rather than scored.
- verification depth
- source-reviewed
- verification statement
- Evidence is drawn predominantly from Anthropic's own documentation and changelogs, the anthropics/claude-code issue tracker, CVE disclosures (Check Point Research), and Theory Delta's published findings, so the dossier's verification_depth is stated as source-reviewed. The model-alias issues (#22587, #25530, #27754, #26179) were re-checked on 2026-06-11 and re-verified 2026-06-28 (v2.1.195). Two rows carry deeper evidence: on 2026-07-04 (v2.1.201) Theory Delta EXECUTED a controlled deny-rule reproduction for row 1 / deltas CC-02 and CC-03 — a scratch project with a Read(secret.txt) deny rule driven via 'claude -p' — and observed that the direct Read tool and a direct Bash 'cat' of the denied path were both blocked, but 'grep -r' recursing into the denied file printed the secret verbatim (the #28008 bypass persists). What was NOT executed on this pass: the MCP-file-read-tool binding (CC-02, no connector wired), the built-in Glob/Grep-tool leak (CC-02, tool unavailable in the nested -p session), the subagent deny-inheritance path (CC-01), the MCP parameter-coercion round-trip (row 6 / CC-07), and every other claim row — those remain source-reviewed. Closed-delta re-verification for the four CVE deltas is by release and disclosure review, not re-execution.
- backing confidence
- empirical
- strongest case against
- Claude Code ships near-daily, so version-specific findings decay fast: the model-alias hardcoding evidence dates from February 2026 and its issues were closed stale or duplicate without a linked fix — the behavior may have been quietly fixed, and the docs have since been rewritten to describe per-provider alias resolution honestly; the Task-blocking hook gap (#26923) closed completed with a vendor fix awaiting TD re-execution; and several partial verdicts rest on patched CVEs where current shipped behavior matches the label. The 2026-07-04 executed pass cuts the other way for row 1: rather than upgrading it, controlled reproduction on v2.1.201 confirmed the recursive-grep deny bypass still exfiltrates a denied file, entrenching the not_as_labeled verdict even though the three backing issues were all closed (stale/duplicate/not-planned) and direct-path deny enforcement measurably hardened in v2.1.162–163. The tool's decay class is volatile; this dossier should be re-verified per release or at least every two weeks.