theorydeltaclaim-fidelity audits
built 2026-07-17dossiers: 5last verified 2026-07-09independent · evidence-traced · no vendor influence

LABEL CHECK / DOSSIER

Claude Code

https://github.com/anthropics/claude-code·verified at v2.1.195 (2026-06-26)·last verified 2026-06-28·volatile (re-verified per release (≤2 weeks))

14claims sampled
4as labeled
9partial
1not as labeled
11open deltas
4verified closed

closure trend: settings-layer CVEs and managed-policy bypasses patch within releases; enforcement-layer deltas (deny rules, hook blocking, alias resolution) persist or are closed stale without fixes

Verdict

Claude Code's capability claims largely hold as labeled, but its enforcement-language claims — deny rules, hook exit-code blocking, managed-policy precedence, shell-operator awareness, and per-provider model-alias resolution — are each contradicted by confirmed silent failures, several of which the vendor closed as stale rather than fixed.

Claim ledger — 14 rows

#statusclaimedobservedevidenceverified
1not as labeled"Deny rules prevent Claude Code from using the specified tool" and "If a tool is denied at any level, no other level can allow it"Full detail →Source-reviewed against the issue tracker: deny non-enforcement is a recurring regression across three major version lines — v1.0.93 (#6699, Aug 2025), v2.0.8 (#8961, Oct 2025), and v2.1.49 (#27040, Feb 2026, where… Full detail →[1][2][3][4]2026-07-16
3partial"Exit 2 = Blocking error" — the hooks reference table states exit code 2 on PreToolUse "blocks the tool call" and on Stop "prevents Claude from stopping", while any other exit code is a non-blocking errorFull detail →Source-reviewed: exit 2 reliably blocks PreToolUse on Bash, but did not block Agent/Task tool calls — 100% failure across 19 attempted Task blocks over 7 days (#26923); a fix is asserted in a later release and TD has… Full detail →[1][2]
4partial"Hooks are user-defined shell commands, HTTP endpoints, or LLM prompts that execute automatically at specific points in Claude Code's lifecycle"Full detail →Hooks fire in the common path, but 30+ failure modes are confirmed across silent non-firing, ignored decisions, platform breakage, and data corruption: PreToolUse/PostToolUse hooks intermittently never fire while other… Full detail →[1][2][3]2026-07-16
5partial"sonnet — Uses the latest Sonnet model for daily coding tasks" and "Aliases point to the recommended version for your provider and update over time"Full detail →Source-reviewed Feb–Mar 2026: on Bedrock/Vertex, model: opus in agent frontmatter resolved to the hardcoded dated ID claude-opus-4-1-20250805 — not the live alias target — producing hard 400 errors when the org… Full detail →[1][2][3][4]
6partial"Claude Code can connect to hundreds of external tools and data sources through the Model Context Protocol (MCP). MCP servers give Claude Code access to your tools, databases, and APIs"Full detail →Connectivity itself is broadly confirmed, but the bridge is not a transparent pass-through: it silently coerces array, object, number, and boolean parameters to strings, breaking connectors with strict Zod schemas with… Full detail →[1][2]2026-07-16
7as labeled"Each subagent runs in its own context window with a custom system prompt, specific tool access, and independent permissions"Full detail →Confirmed: per-subagent context isolation, tool allowlists and denylists (tools, disallowedTools frontmatter), per-agent model and permissionMode all behave as documented (backing block re-validated against docs and… Full detail →[1]
8as labeledSubagents help you "Control costs by routing tasks to faster, cheaper models like Haiku"Full detail →Confirmed: per-subagent model frontmatter routes tasks to cheaper models as documented. Full detail →[1]2026-07-16
9partial"Sandboxed bash tool: Sandbox bash commands with filesystem and network isolation, reducing permission prompts while maintaining security"Full detail →The sandbox exists and is release-verified, but the boundary has had silent gaps: before v2.1.78, sandbox.enabled: true silently fell back to unsandboxed execution when seatbelt/bwrap was missing from the host. Full detail →[1]
10partial"Trust verification: First-time codebase runs and new MCP servers require trust verification"Full detail →The dialog exists, but trust-before-verify has been breached four times by CVE: ANTHROPIC_BASE_URL in a committed settings file forwarded the API Authorization header before the trust dialog completed (CVE-2026-21852… Full detail →[1]
11partial"Write access restriction: Claude Code can only write to the folder where it was started and its subfolders—it cannot modify files in parent directories without explicit permission"Full detail →Holds in the default path, with two patched boundary escapes: symlinks inside the workspace could redirect acceptEdits reads and writes to arbitrary filesystem locations outside the project directory (patched <… Full detail →[1]
12as labeled"Claude Code uses strict read-only permissions by default. When additional actions are needed (editing files, running tests, executing commands), Claude Code requests explicit permission"Full detail →Confirmed as the default-mode behavior across TD's corpus review: writes, edits, and non-read-only Bash commands prompt by default, and the built-in read-only command set runs without prompting as documented. Full detail →[1]
13partial"Managed settings: cannot be overridden by any other level, including command line arguments"Full detail →True as currently shipped per release review, but the guarantee has failed twice: before v2.1.74, a user-level allow rule or a committed skill's allowed-tools frontmatter silently won over enterprise managed ask… Full detail →[1][2]2026-07-16
14as labeled"CLAUDE.md files are markdown files that give Claude persistent instructions ... Claude reads them at the start of every session" and both memory systems "are loaded at the start of every conversation"Full detail →Confirmed: project, user, and parent-directory CLAUDE.md files load at session start, and project-root CLAUDE.md is re-injected after compaction, as documented. Full detail →[1]2026-07-16

Delta ledger — 11 open

CC-01opened ≤2026-02

Deny rules in parent settings do not apply to Agent-spawned subagents — confirmed in 5+ issues; #5465 closed not-planned as an architectural limitation

UPDATE 2026-07-04: v2.1.186 fixed 'Agent(type) deny rules and Agent(x,y) allowed-types restrictions not being enforced for named subagent spawns' — but that governs which subagent TYPES may spawn, not whether a parent… Full detail →

closes when:A deny rule set in parent settings blocks the matching command inside an Agent-spawned subagent, re-verified on a current release

evidence:[1][2]Re-verified 2026-07-04 (v2.1.201): #5465 closed not-planned, #25000 closed duplicate — neither fixed

CC-02opened ≤2026-03

Path deny rules do not bind MCP tools (#28595) or Bash recursive grep/Glob (#28008) accessing the same denied paths

UPDATE 2026-07-04: TD executed the Bash-grep half of this criterion on v2.1.201 — a Read(secret.txt) deny rule did NOT block 'grep -r' recursing into the denied path (the secret line was printed verbatim), while a… Full detail →

closes when:A deny rule on a path blocks MCP file-read tools and Bash grep -r/Glob against that same path, re-verified on a current release

evidence:[1][2]Re-verified 2026-07-04 (v2.1.201, TD-executed): #28595 closed duplicate, #28008 closed stale — neither fixed; Bash 'grep -r' bypass confirmed still active by controlled reproduction

CC-03opened 2025-08

Deny-rule non-enforcement is a recurring regression — three documented instances (v1.0.93 #6699, v2.0.8 #8961, v2.1.49 #27040) with no root-cause fix

UPDATE 2026-07-04: the regression pattern holds. #6699 was closed 'completed' (a real fix, 2025-09) but deny non-enforcement recurred at v2.0.8 (#8961, still open) and v2.1.49 (#27040, since closed stale). Full detail →

closes when:A regression-test-backed fix lands and path-specific deny patterns enforce across two consecutive minor releases, re-verified

evidence:[1][2][3]Re-verified 2026-07-04 (v2.1.201, TD-executed): #6699 completed (2025-09) then regressed; #8961 still open; #27040 closed stale (2026-05-23) without a fix; deny non-enforcement (grep -r vector) confirmed persisting by controlled reproduction

CC-04opened ≤2026-02

PreToolUse exit code 2 does not block Agent/Task tool calls — 100% failure across 19 attempted blocks (#26923); fix asserted in a later release, re-verification pending

UPDATE 2026-06-28: #26923 is now CLOSED and the docs list PreToolUse as a blocking event, but the resolution method is unconfirmed — this is a re-verification trigger (DC-2), not a closure. Full detail →

closes when:A PreToolUse hook exiting 2 blocks an Agent tool call, with the block message replacing the tool output, re-verified on a current release

evidence:[1]Re-verified open 2026-06-28 against v2.1.195

CC-05opened ≤2026-02

PreToolUse/PostToolUse hooks intermittently never fire while other events in the same settings file fire reliably (#6305, open, has repro, root cause unknown)

closes when:Tool-event hooks fire on 100% of matched tool calls across a multi-session soak test, with the root cause identified and fixed, re-verified

evidence:[1]Re-verified open 2026-06-28 against v2.1.195

CC-06opened 2026-02

model: alias in agent frontmatter hardcoded to a dated model ID on Bedrock/Vertex, ignoring ANTHROPIC_MODEL — all three issues closed stale/duplicate without a linked fix (re-checked 2026-06-11)

UPDATE 2026-06-28: the Opus 4.1 crash/400 behavior is resolved — docs now show Opus 4.6 on Bedrock/Vertex and document ANTHROPIC_DEFAULT_OPUS_MODEL. Full detail →

closes when:model: opus in agent frontmatter resolves to the provider's current alias target, or honors ANTHROPIC_DEFAULT_OPUS_MODEL, on Bedrock/Vertex, re-verified on a current release

evidence:[1][2][3]Re-verified open 2026-06-28 against v2.1.195

CC-07opened ≤2026-05

MCP bridge silently coerces array, object, number, and boolean tool parameters to strings — breaks strict-Zod connectors with no error signal

UPDATE 2026-07-04: #32524 — the canonical coercion issue, 9 duplicates, 'has repro' — was closed by stale-bot as not-planned (2026-07-03), NOT fixed. Full detail →

closes when:Non-string parameters arrive at MCP tools with native JSON types and a strict-Zod connector round-trip passes, re-verified

evidence:[1][2]Re-verified 2026-07-04 (v2.1.201): #32524 closed stale/not-planned 2026-07-03 without a fix; no coercion fix in the v2.1.196–201 changelog

CC-08opened ≤2026-05

~/.claude/mcp.json is silently ignored for user-level MCP config — only ~/.claude.json is honored, with no warning

UPDATE 2026-06-28: re-checked as a design gap, not a tracked bug — Anthropic treats ~/.claude.json as the intended user-level path; #56437/#62888 closed not-planned. Full detail →

closes when:Servers defined in ~/.claude/mcp.json load, or the file produces an explicit warning at startup, re-verified

evidence:[1][2][3]Re-verified 2026-07-04 (v2.1.201): #56437 (2026-06-02) and #62888 (2026-06-27) confirmed closed not-planned (stale)

CC-09opened 2026-06-23

HTTP 304 cache response zeroes out local managed-settings.json — all deny/allow rules silently dropped

closes when:A 304 (not-modified) response from the managed-settings source preserves the locally cached deny/allow rules rather than emptying them, TD re-verified on a current release

evidence:[1]

CC-10opened 2026-06-08

Compound-command deny bypass via git -C / cd && / env-prefix forms still active (#66176, filed pre-dossier-cut, absent from prior dossier)

closes when:A Bash prefix rule does not grant permission to env-prefixed or git -C / cd && compound forms it does not literally match, TD re-verified

evidence:[1]

CC-11opened 2026-06

Hook reliability cluster — 4 new non-firing / corruption issues in 17 days (non-interactive non-firing #71022, Linux transcript gap #70632, /clear session_id corruption #70606, unreliable hookAdditionalContext #70479)

closes when:Tool-event and session hooks fire on 100% of matched events across a multi-platform soak test, TD re-verified

evidence:[1][2][3][4]

Closed deltas — 4 (falsification-gated)

CC-C1closed verifiedre-verified 2026-05-24

ANTHROPIC_BASE_URL in project settings forwarded the API Authorization header before the trust dialog completed (CVE-2026-21852)

closed by:patched < v2.0.65 — Check Point Research disclosure, Jan 2026

CC-C2closed verifiedre-verified 2026-05-24

enableAllProjectMcpServers: true executed MCP startup commands before the trust dialog appeared (CVE-2025-59536)

closed by:patched < v1.0.111 (Oct 2025); CVE published Feb 2026

CC-C3closed verifiedre-verified 2026-05-24

Symlinks inside the workspace redirected acceptEdits reads and writes outside the project directory

closed by:patched < v2.1.71, per release notes

CC-C4closed verifiedre-verified 2026-05-24

User-level allow rules and skill allowed-tools frontmatter silently overrode enterprise managed ask policies

closed by:v2.1.74 security fix, per changelog

Methodology

sampling
Theory Delta Method §2 material-claims rule (strategy/method.md): a claim is sampled if it appears on the product's own label and would plausibly influence an adoption decision. Sampling frame: code.claude.com/docs label surfaces — the permissions, hooks, security, sub-agents, mcp, model-config, and memory pages — captured 2026-06-11. 14 claims sampled. Non-as-labeled rows were limited to claim areas backed by a published Theory Delta evidence page; contested label claims without a published evidence page (for example, automatic subagent delegation) were deferred to a later verification pass rather than scored.
verification depth
source-reviewed
verification statement
Evidence is drawn predominantly from Anthropic's own documentation and changelogs, the anthropics/claude-code issue tracker, CVE disclosures (Check Point Research), and Theory Delta's published findings, so the dossier's verification_depth is stated as source-reviewed. The model-alias issues (#22587, #25530, #27754, #26179) were re-checked on 2026-06-11 and re-verified 2026-06-28 (v2.1.195). Two rows carry deeper evidence: on 2026-07-04 (v2.1.201) Theory Delta EXECUTED a controlled deny-rule reproduction for row 1 / deltas CC-02 and CC-03 — a scratch project with a Read(secret.txt) deny rule driven via 'claude -p' — and observed that the direct Read tool and a direct Bash 'cat' of the denied path were both blocked, but 'grep -r' recursing into the denied file printed the secret verbatim (the #28008 bypass persists). What was NOT executed on this pass: the MCP-file-read-tool binding (CC-02, no connector wired), the built-in Glob/Grep-tool leak (CC-02, tool unavailable in the nested -p session), the subagent deny-inheritance path (CC-01), the MCP parameter-coercion round-trip (row 6 / CC-07), and every other claim row — those remain source-reviewed. Closed-delta re-verification for the four CVE deltas is by release and disclosure review, not re-execution.
backing confidence
empirical
strongest case against
Claude Code ships near-daily, so version-specific findings decay fast: the model-alias hardcoding evidence dates from February 2026 and its issues were closed stale or duplicate without a linked fix — the behavior may have been quietly fixed, and the docs have since been rewritten to describe per-provider alias resolution honestly; the Task-blocking hook gap (#26923) closed completed with a vendor fix awaiting TD re-execution; and several partial verdicts rest on patched CVEs where current shipped behavior matches the label. The 2026-07-04 executed pass cuts the other way for row 1: rather than upgrading it, controlled reproduction on v2.1.201 confirmed the recursive-grep deny bypass still exfiltrates a denied file, entrenching the not_as_labeled verdict even though the three backing issues were all closed (stale/duplicate/not-planned) and direct-path deny enforcement measurably hardened in v2.1.162–163. The tool's decay class is volatile; this dossier should be re-verified per release or at least every two weeks.
theorydelta.com · 2026independent · evidence-backed · every claim sourced or labelledabout ·glossary ·rss ·mcp ·llms.txt