{
  "tool": {
    "name": "Claude Code",
    "repo": "https://github.com/anthropics/claude-code",
    "version_at_verification": "v2.1.195",
    "last_verified": "2026-06-28",
    "dossier_version": "2026-06-28",
    "decay_class": "volatile",
    "version_date": "2026-06-26"
  },
  "scorecard": {
    "claims_sampled": 14,
    "as_labeled": 4,
    "partial": 9,
    "not_as_labeled": 1,
    "open_deltas": 11,
    "verified_closed": 4,
    "closure_trend": "settings-layer CVEs and managed-policy bypasses patch within releases; enforcement-layer deltas (deny rules, hook blocking, alias resolution) persist or are closed stale without fixes"
  },
  "verdict": "Claude Code's capability claims largely hold as labeled, but its enforcement-language claims — deny rules, hook exit-code blocking, managed-policy precedence, shell-operator awareness, and per-provider model-alias resolution — are each contradicted by confirmed silent failures, several of which the vendor closed as stale rather than fixed.",
  "claims": [
    {
      "id": "1",
      "verified_at": "2026-07-16",
      "verified_by": "probe-ci",
      "probe": "probes/claude-code/claim-1/",
      "claimed": "\"Deny rules prevent Claude Code from using the specified tool\" and \"If a tool is denied at any level, no other level can allow it\"",
      "claimed_source_url": "https://code.claude.com/docs/en/permissions",
      "observed": "Source-reviewed against the issue tracker: deny non-enforcement is a recurring regression across three major version lines — v1.0.93 (#6699, Aug 2025), v2.0.8 (#8961, Oct 2025), and v2.1.49 (#27040, Feb 2026, where files matching an explicit Read(**/appsettings.Production.json) deny pattern were read and edited with no prompt and no error). A deny rule on a path does not bind MCP tools reading the same path (#28595) or Bash recursive grep/Glob (#28008), and deny rules in parent settings do not apply to Agent-spawned subagents — confirmed across 5+ issues, with #5465 closed not-planned as an architectural limitation. CVE-2026-25724 added a symlink deny bypass. The current docs qualify the claim (a \"best-effort\" Read-rule statement, a subprocess warning, and explicit symlink deny semantics) — a partial label correction since the finding was published. UPDATE 2026-07-04 (v2.1.201, TD-executed): the three deny-bypass issues this row rested on all closed WITHOUT a fix — #27040 closed stale/not-planned (2026-05-23), #28595 auto-closed as a duplicate of #27040 (2026-03-01), and #28008 closed by stale-bot despite a 'has repro' label (2026-03-24). Theory Delta then executed a controlled reproduction on the current release: a scratch project with a Read(secret.txt) deny rule was driven via claude -p. The direct Read tool was blocked; a direct Bash 'cat secret.txt' of the exact denied path was also blocked (an improvement consistent with the v2.1.162–163 path-deny hardening); but 'grep -r' recursing into the denied file printed the secret line verbatim — the #28008 recursive-grep bypass persists and still exfiltrates the denied file's contents. A separate v2.1.162 changelog entry ('Read deny rules not hiding files from Glob/Grep results') hardened the built-in Grep/Glob tools, not shell grep -r. The categorical label ('no other level can allow it') therefore remains contradicted on the current release; status held at not_as_labeled on executed evidence.",
      "status": "not_as_labeled",
      "evidence": [
        "https://api.theorydelta.com/published/claude-code-deny-rules-not-enforced",
        "https://github.com/anthropics/claude-code/issues/27040",
        "https://github.com/anthropics/claude-code/issues/28595",
        "https://github.com/anthropics/claude-code/issues/28008"
      ]
    },
    {
      "id": "2",
      "verified_at": "2026-07-16",
      "verified_by": "probe-ci",
      "probe": "probes/claude-code/claim-2/",
      "claimed": "\"Claude Code is aware of shell operators, so a rule like Bash(safe-cmd *) won't give it permission to run the command safe-cmd && other-cmd ... A rule must match each subcommand independently\"",
      "claimed_source_url": "https://code.claude.com/docs/en/permissions",
      "observed": "Holds as the general design, source-reviewed. Confirmed counterexample at v2.1.51: a Bash(cd:*) prefix rule matched the full compound command cd /path && python3 script.py, allowing arbitrary follow-on commands to execute without prompting (#28784, open at last review). UPDATE 2026-06-28: the compound-command bypass class is confirmed still active via #66176 (git -C, cd &&, and env-prefix forms).",
      "status": "partial",
      "evidence": [
        "https://api.theorydelta.com/published/claude-code-deny-rules-not-enforced",
        "https://github.com/anthropics/claude-code/issues/28784",
        "https://github.com/anthropics/claude-code/issues/66176"
      ]
    },
    {
      "id": "3",
      "claimed": "\"Exit 2 = Blocking error\" — the hooks reference table states exit code 2 on PreToolUse \"blocks the tool call\" and on Stop \"prevents Claude from stopping\", while any other exit code is a non-blocking error",
      "claimed_source_url": "https://code.claude.com/docs/en/hooks",
      "observed": "Source-reviewed: exit 2 reliably blocks PreToolUse on Bash, but did not block Agent/Task tool calls — 100% failure across 19 attempted Task blocks over 7 days (#26923); a fix is asserted in a later release and TD has not re-verified it. PostToolUse exit 1 halts Claude awaiting user input despite being documented as non-blocking (#4809), and on Windows v2.1.37–v2.1.63 PreToolUse exit codes were ignored entirely (#21988). The reliable blocking mechanism for Agent and Bash calls is permissionDecision: deny in stdout JSON with exit 0.",
      "status": "partial",
      "evidence": [
        "https://api.theorydelta.com/published/claude-code-hooks-unreliable-enforcement",
        "https://github.com/anthropics/claude-code/issues/26923"
      ]
    },
    {
      "id": "4",
      "verified_at": "2026-07-16",
      "verified_by": "probe-ci",
      "probe": "probes/claude-code/claim-4/",
      "claimed": "\"Hooks are user-defined shell commands, HTTP endpoints, or LLM prompts that execute automatically at specific points in Claude Code's lifecycle\"",
      "claimed_source_url": "https://code.claude.com/docs/en/hooks",
      "observed": "Hooks fire in the common path, but 30+ failure modes are confirmed across silent non-firing, ignored decisions, platform breakage, and data corruption: PreToolUse/PostToolUse hooks intermittently never fire while other events in the same settings file fire reliably (#6305, open, has repro, root cause unknown); all plugin-registered hooks stop executing after context compaction (#25655, closed not-planned); SessionStart HTTP hooks never dispatched in v2.1.63 (#30170); and PostToolUse hooks were observed not firing on Write-tool invocations. No single hook event is a reliable enforcement point — defense-in-depth across multiple events is required. UPDATE 2026-06-28: the hook failure surface grew by 4 issues in 17 days — non-interactive non-firing (#71022), Linux transcript gap (#70632), /clear session_id corruption (#70606), and unreliable hookAdditionalContext (#70479).",
      "status": "partial",
      "evidence": [
        "https://api.theorydelta.com/published/claude-code-hooks-unreliable-enforcement",
        "https://github.com/anthropics/claude-code/issues/6305",
        "https://github.com/anthropics/claude-code/issues/71022"
      ]
    },
    {
      "id": "5",
      "claimed": "\"sonnet — Uses the latest Sonnet model for daily coding tasks\" and \"Aliases point to the recommended version for your provider and update over time\"",
      "claimed_source_url": "https://code.claude.com/docs/en/model-config",
      "observed": "Source-reviewed Feb–Mar 2026: on Bedrock/Vertex, model: opus in agent frontmatter resolved to the hardcoded dated ID claude-opus-4-1-20250805 — not the live alias target — producing hard 400 errors when the org allowlist excluded that model, and ANTHROPIC_MODEL did not override it (#22587, #25530, #27754). Re-checked against the live tracker 2026-06-11: all three issues are now closed as stale or duplicate with no fix linked, so current frontmatter behavior is unverified in either direction. The label itself has since narrowed: the model-config page now documents that Bedrock, Vertex, and Foundry aliases resolve to older versions than the Anthropic API and instructs pinning via ANTHROPIC_DEFAULT_OPUS_MODEL. UPDATE 2026-06-28 (v2.1.195): the Bedrock/Vertex alias hardcoding is resolved — the model-config page now documents distinct per-provider targets (Opus 4.6 on Bedrock/Vertex vs Opus 4.8 on the Anthropic API) with ANTHROPIC_DEFAULT_OPUS_MODEL as a documented override; #22587/#25530 confirmed closed not-planned. Five new aliases added (best, fable, opusplan, sonnet[1m], opus[1m]). Residual per-provider version lag persists by design.",
      "status": "partial",
      "evidence": [
        "https://api.theorydelta.com/published/claude-code-model-aliases-silent-failures",
        "https://github.com/anthropics/claude-code/issues/22587",
        "https://github.com/anthropics/claude-code/issues/25530",
        "https://code.claude.com/docs/en/model-config"
      ]
    },
    {
      "id": "6",
      "verified_at": "2026-07-16",
      "verified_by": "probe-ci",
      "probe": "probes/claude-code/claim-6/",
      "claimed": "\"Claude Code can connect to hundreds of external tools and data sources through the Model Context Protocol (MCP). MCP servers give Claude Code access to your tools, databases, and APIs\"",
      "claimed_source_url": "https://code.claude.com/docs/en/mcp",
      "observed": "Connectivity itself is broadly confirmed, but the bridge is not a transparent pass-through: it silently coerces array, object, number, and boolean parameters to strings, breaking connectors with strict Zod schemas with no error signal (source-reviewed, validated 2026-05-03). User-level config placed in ~/.claude/mcp.json is silently ignored — only ~/.claude.json is honored — and .mcp.json servers load at session initialization only, so mid-session config changes have no effect until restart. UPDATE 2026-06-28: MCP parameter coercion remains open (#32524, 9 duplicates); ~/.claude.json confirmed as the sole honored user-level config path. UPDATE 2026-07-04 (v2.1.201): #32524 (numeric/array/object/boolean coercion, 9 duplicates, 'has repro') was closed by stale-bot as not-planned on 2026-07-03 — a stale closure, not a fix; no coercion fix appears in the v2.1.196–201 changelog, so the bypass remains unaddressed and the row holds at partial. Not TD-executed this pass (no strict-Zod connector round-trip run). The two user-config-path issues behind the ~/.claude/mcp.json gap, #56437 and #62888, also closed not-planned (stale) on 2026-06-02 and 2026-06-27.",
      "status": "partial",
      "evidence": [
        "https://api.theorydelta.com/published/claude-code-mcp-bridge-coerces-parameters",
        "https://github.com/anthropics/claude-code/issues/32524"
      ]
    },
    {
      "id": "7",
      "claimed": "\"Each subagent runs in its own context window with a custom system prompt, specific tool access, and independent permissions\"",
      "claimed_source_url": "https://code.claude.com/docs/en/sub-agents",
      "observed": "Confirmed: per-subagent context isolation, tool allowlists and denylists (tools, disallowedTools frontmatter), per-agent model and permissionMode all behave as documented (backing block re-validated against docs and releases 2026-06-08). The flip side of \"independent permissions\" — non-inheritance of parent deny rules — is scored at row 1.",
      "status": "as_labeled",
      "evidence": [
        "https://code.claude.com/docs/en/sub-agents"
      ]
    },
    {
      "id": "8",
      "verified_at": "2026-07-16",
      "verified_by": "probe-ci",
      "probe": "probes/claude-code/claim-8/",
      "claimed": "Subagents help you \"Control costs by routing tasks to faster, cheaper models like Haiku\"",
      "claimed_source_url": "https://code.claude.com/docs/en/sub-agents",
      "observed": "Confirmed: per-subagent model frontmatter routes tasks to cheaper models as documented. One undisclosed default worth noting: subagents default to model: inherit and bill at the parent session's model — a 62-definition plugin audit found zero agent definitions requiring Opus, and the feature request for a global subagent model cap (#26179) was closed stale on 2026-03-21.",
      "status": "as_labeled",
      "evidence": [
        "https://code.claude.com/docs/en/sub-agents"
      ]
    },
    {
      "id": "9",
      "claimed": "\"Sandboxed bash tool: Sandbox bash commands with filesystem and network isolation, reducing permission prompts while maintaining security\"",
      "claimed_source_url": "https://code.claude.com/docs/en/security",
      "observed": "The sandbox exists and is release-verified, but the boundary has had silent gaps: before v2.1.78, sandbox.enabled: true silently fell back to unsandboxed execution when seatbelt/bwrap was missing from the host. Two documented settings weaken it in place — sandbox.allowUnsandboxedCommands re-enables a per-command escape hatch, and sandbox.enableWeakerNetworkIsolation (v2.1.71) degrades macOS network isolation, documented by Anthropic itself as reducing security.",
      "status": "partial",
      "evidence": [
        "https://api.theorydelta.com/published/claude-code-settings-attack-surface"
      ]
    },
    {
      "id": "10",
      "claimed": "\"Trust verification: First-time codebase runs and new MCP servers require trust verification\"",
      "claimed_source_url": "https://code.claude.com/docs/en/security",
      "observed": "The dialog exists, but trust-before-verify has been breached four times by CVE: ANTHROPIC_BASE_URL in a committed settings file forwarded the API Authorization header before the trust dialog completed (CVE-2026-21852, patched < v2.0.65); enableAllProjectMcpServers executed MCP startup commands before the dialog appeared (CVE-2025-59536, patched < v1.0.111); a repo-controlled permissions.defaultMode: bypassPermissions silently skipped the trust dialog itself (CVE-2026-33068); and deny rules failed through symlinks (CVE-2026-25724). All are patched per disclosure review (source-reviewed 2026-05-24), and the docs themselves disclose that trust verification is disabled in -p non-interactive mode.",
      "status": "partial",
      "evidence": [
        "https://api.theorydelta.com/published/claude-code-settings-attack-surface"
      ]
    },
    {
      "id": "11",
      "claimed": "\"Write access restriction: Claude Code can only write to the folder where it was started and its subfolders—it cannot modify files in parent directories without explicit permission\"",
      "claimed_source_url": "https://code.claude.com/docs/en/security",
      "observed": "Holds in the default path, with two patched boundary escapes: symlinks inside the workspace could redirect acceptEdits reads and writes to arbitrary filesystem locations outside the project directory (patched < v2.1.71), and before v2.1.78 bypassPermissions mode allowed silent writes to .git and .claude directories — a supply-chain vector. Both fixes are release-reviewed, not re-executed by TD.",
      "status": "partial",
      "evidence": [
        "https://api.theorydelta.com/published/claude-code-settings-attack-surface"
      ]
    },
    {
      "id": "12",
      "claimed": "\"Claude Code uses strict read-only permissions by default. When additional actions are needed (editing files, running tests, executing commands), Claude Code requests explicit permission\"",
      "claimed_source_url": "https://code.claude.com/docs/en/security",
      "observed": "Confirmed as the default-mode behavior across TD's corpus review: writes, edits, and non-read-only Bash commands prompt by default, and the built-in read-only command set runs without prompting as documented.",
      "status": "as_labeled",
      "evidence": [
        "https://code.claude.com/docs/en/security"
      ]
    },
    {
      "id": "13",
      "verified_at": "2026-07-16",
      "verified_by": "probe-ci",
      "probe": "probes/claude-code/claim-13/",
      "claimed": "\"Managed settings: cannot be overridden by any other level, including command line arguments\"",
      "claimed_source_url": "https://code.claude.com/docs/en/permissions",
      "observed": "True as currently shipped per release review, but the guarantee has failed twice: before v2.1.74, a user-level allow rule or a committed skill's allowed-tools frontmatter silently won over enterprise managed ask policies — a privilege escalation path in managed deployments — and v2.1.80 fixed managed settings (enabledPlugins, permissions.defaultMode, policy-set env vars) not being applied at startup when remote-settings.json was cached from a prior session. Both fixes are release-reviewed; TD has not re-executed the managed-policy precedence matrix. UPDATE 2026-06-28: a new active regression — an HTTP 304 response zeroes out the local managed-settings.json, silently dropping all deny/allow rules (#70181, open 2026-06-23).",
      "status": "partial",
      "evidence": [
        "https://api.theorydelta.com/published/claude-code-settings-attack-surface",
        "https://github.com/anthropics/claude-code/issues/70181"
      ]
    },
    {
      "id": "14",
      "verified_at": "2026-07-16",
      "verified_by": "probe-ci",
      "probe": "probes/claude-code/claim-14/",
      "claimed": "\"CLAUDE.md files are markdown files that give Claude persistent instructions ... Claude reads them at the start of every session\" and both memory systems \"are loaded at the start of every conversation\"",
      "claimed_source_url": "https://code.claude.com/docs/en/memory",
      "observed": "Confirmed: project, user, and parent-directory CLAUDE.md files load at session start, and project-root CLAUDE.md is re-injected after compaction, as documented. The label is notably candid that the mechanism is context rather than enforcement (\"there's no guarantee of strict compliance\") — a qualification the corpus independently confirms, including a 217,000-repo study measuring the cost overhead of agent config files.",
      "status": "as_labeled",
      "evidence": [
        "https://code.claude.com/docs/en/memory"
      ]
    }
  ],
  "deltas": [
    {
      "id": "CC-01",
      "title": "Deny rules in parent settings do not apply to Agent-spawned subagents — confirmed in 5+ issues; #5465 closed not-planned as an architectural limitation",
      "evidence": [
        "https://github.com/anthropics/claude-code/issues/25000",
        "https://github.com/anthropics/claude-code/issues/5465",
        "Re-verified 2026-07-04 (v2.1.201): #5465 closed not-planned, #25000 closed duplicate — neither fixed"
      ],
      "opened": "≤2026-02",
      "status": "open",
      "falsification_criterion": "A deny rule set in parent settings blocks the matching command inside an Agent-spawned subagent, re-verified on a current release",
      "description": "UPDATE 2026-07-04: v2.1.186 fixed 'Agent(type) deny rules and Agent(x,y) allowed-types restrictions not being enforced for named subagent spawns' — but that governs which subagent TYPES may spawn, not whether a parent path/tool deny rule binds INSIDE a spawned subagent (this delta's criterion). The inheritance criterion was not TD-executed this pass; delta unchanged."
    },
    {
      "id": "CC-02",
      "title": "Path deny rules do not bind MCP tools (#28595) or Bash recursive grep/Glob (#28008) accessing the same denied paths",
      "evidence": [
        "https://github.com/anthropics/claude-code/issues/28595",
        "https://github.com/anthropics/claude-code/issues/28008",
        "Re-verified 2026-07-04 (v2.1.201, TD-executed): #28595 closed duplicate, #28008 closed stale — neither fixed; Bash 'grep -r' bypass confirmed still active by controlled reproduction"
      ],
      "opened": "≤2026-03",
      "status": "open",
      "falsification_criterion": "A deny rule on a path blocks MCP file-read tools and Bash grep -r/Glob against that same path, re-verified on a current release",
      "description": "UPDATE 2026-07-04: TD executed the Bash-grep half of this criterion on v2.1.201 — a Read(secret.txt) deny rule did NOT block 'grep -r' recursing into the denied path (the secret line was printed verbatim), while a direct Bash 'cat' of the same path WAS blocked. Criterion not met; delta stays open, now on executed rather than issue-review evidence. The MCP-file-read-tool half and the built-in Glob/Grep-tool half (the latter reportedly hardened in v2.1.162) remain source-reviewed, not executed this pass."
    },
    {
      "id": "CC-03",
      "title": "Deny-rule non-enforcement is a recurring regression — three documented instances (v1.0.93 #6699, v2.0.8 #8961, v2.1.49 #27040) with no root-cause fix",
      "evidence": [
        "https://github.com/anthropics/claude-code/issues/6699",
        "https://github.com/anthropics/claude-code/issues/8961",
        "https://github.com/anthropics/claude-code/issues/27040",
        "Re-verified 2026-07-04 (v2.1.201, TD-executed): #6699 completed (2025-09) then regressed; #8961 still open; #27040 closed stale (2026-05-23) without a fix; deny non-enforcement (grep -r vector) confirmed persisting by controlled reproduction"
      ],
      "opened": "2025-08",
      "status": "open",
      "falsification_criterion": "A regression-test-backed fix lands and path-specific deny patterns enforce across two consecutive minor releases, re-verified",
      "description": "UPDATE 2026-07-04: the regression pattern holds. #6699 was closed 'completed' (a real fix, 2025-09) but deny non-enforcement recurred at v2.0.8 (#8961, still open) and v2.1.49 (#27040, since closed stale). TD-executed repro on v2.1.201 shows the recursive-grep deny bypass still fires. Direct-path deny did harden (v2.1.162–163: Bash 'cat' of the exact path now blocked, built-in Glob/Grep tools no longer leak denied files), but no single fix enforces the whole path-deny class across two consecutive releases; criterion not met, delta stays open."
    },
    {
      "id": "CC-04",
      "title": "PreToolUse exit code 2 does not block Agent/Task tool calls — 100% failure across 19 attempted blocks (#26923); fix asserted in a later release, re-verification pending",
      "evidence": [
        "https://github.com/anthropics/claude-code/issues/26923",
        "Re-verified open 2026-06-28 against v2.1.195"
      ],
      "opened": "≤2026-02",
      "status": "open",
      "falsification_criterion": "A PreToolUse hook exiting 2 blocks an Agent tool call, with the block message replacing the tool output, re-verified on a current release",
      "description": "UPDATE 2026-06-28: #26923 is now CLOSED and the docs list PreToolUse as a blocking event, but the resolution method is unconfirmed — this is a re-verification trigger (DC-2), not a closure. One TD re-execution test (exit-2 against an Agent/Task call) is needed to close or reopen."
    },
    {
      "id": "CC-05",
      "title": "PreToolUse/PostToolUse hooks intermittently never fire while other events in the same settings file fire reliably (#6305, open, has repro, root cause unknown)",
      "evidence": [
        "https://github.com/anthropics/claude-code/issues/6305",
        "Re-verified open 2026-06-28 against v2.1.195"
      ],
      "opened": "≤2026-02",
      "status": "open",
      "falsification_criterion": "Tool-event hooks fire on 100% of matched tool calls across a multi-session soak test, with the root cause identified and fixed, re-verified"
    },
    {
      "id": "CC-06",
      "title": "model: alias in agent frontmatter hardcoded to a dated model ID on Bedrock/Vertex, ignoring ANTHROPIC_MODEL — all three issues closed stale/duplicate without a linked fix (re-checked 2026-06-11)",
      "evidence": [
        "https://github.com/anthropics/claude-code/issues/22587",
        "https://github.com/anthropics/claude-code/issues/25530",
        "https://github.com/anthropics/claude-code/issues/27754",
        "Re-verified open 2026-06-28 against v2.1.195"
      ],
      "opened": "2026-02",
      "status": "open",
      "falsification_criterion": "model: opus in agent frontmatter resolves to the provider's current alias target, or honors ANTHROPIC_DEFAULT_OPUS_MODEL, on Bedrock/Vertex, re-verified on a current release",
      "description": "UPDATE 2026-06-28: the Opus 4.1 crash/400 behavior is resolved — docs now show Opus 4.6 on Bedrock/Vertex and document ANTHROPIC_DEFAULT_OPUS_MODEL. The residual is per-provider version lag by design, not a fault; recommend rescoping or closing this delta on next pass."
    },
    {
      "id": "CC-07",
      "title": "MCP bridge silently coerces array, object, number, and boolean tool parameters to strings — breaks strict-Zod connectors with no error signal",
      "evidence": [
        "https://api.theorydelta.com/published/claude-code-mcp-bridge-coerces-parameters",
        "https://github.com/anthropics/claude-code/issues/32524",
        "Re-verified 2026-07-04 (v2.1.201): #32524 closed stale/not-planned 2026-07-03 without a fix; no coercion fix in the v2.1.196–201 changelog"
      ],
      "opened": "≤2026-05",
      "status": "open",
      "falsification_criterion": "Non-string parameters arrive at MCP tools with native JSON types and a strict-Zod connector round-trip passes, re-verified",
      "description": "UPDATE 2026-07-04: #32524 — the canonical coercion issue, 9 duplicates, 'has repro' — was closed by stale-bot as not-planned (2026-07-03), NOT fixed. Per D0086, a stale closure never closes a delta; criterion (native-typed params + strict-Zod round-trip) not re-verified and not TD-executed this pass. Delta stays open."
    },
    {
      "id": "CC-08",
      "title": "~/.claude/mcp.json is silently ignored for user-level MCP config — only ~/.claude.json is honored, with no warning",
      "evidence": [
        "https://api.theorydelta.com/published/claude-code-mcp-bridge-coerces-parameters",
        "https://github.com/anthropics/claude-code/issues/56437",
        "https://github.com/anthropics/claude-code/issues/62888",
        "Re-verified 2026-07-04 (v2.1.201): #56437 (2026-06-02) and #62888 (2026-06-27) confirmed closed not-planned (stale)"
      ],
      "opened": "≤2026-05",
      "status": "open",
      "falsification_criterion": "Servers defined in ~/.claude/mcp.json load, or the file produces an explicit warning at startup, re-verified",
      "description": "UPDATE 2026-06-28: re-checked as a design gap, not a tracked bug — Anthropic treats ~/.claude.json as the intended user-level path; #56437/#62888 closed not-planned. Recommend retyping from pending-bug to documented design gap. UPDATE 2026-07-04: #56437/#62888 re-confirmed closed not-planned (stale); design gap unchanged, not TD-executed this pass."
    },
    {
      "id": "CC-C1",
      "title": "ANTHROPIC_BASE_URL in project settings forwarded the API Authorization header before the trust dialog completed (CVE-2026-21852)",
      "evidence": [
        "https://api.theorydelta.com/published/claude-code-settings-attack-surface"
      ],
      "opened": "2026-01",
      "status": "closed_verified",
      "closed_by": "patched < v2.0.65 — Check Point Research disclosure, Jan 2026",
      "reverified_date": "2026-05-24"
    },
    {
      "id": "CC-C2",
      "title": "enableAllProjectMcpServers: true executed MCP startup commands before the trust dialog appeared (CVE-2025-59536)",
      "evidence": [
        "https://api.theorydelta.com/published/claude-code-settings-attack-surface"
      ],
      "opened": "2025-10",
      "status": "closed_verified",
      "closed_by": "patched < v1.0.111 (Oct 2025); CVE published Feb 2026",
      "reverified_date": "2026-05-24"
    },
    {
      "id": "CC-C3",
      "title": "Symlinks inside the workspace redirected acceptEdits reads and writes outside the project directory",
      "evidence": [
        "https://api.theorydelta.com/published/claude-code-settings-attack-surface"
      ],
      "opened": "≤2026-03",
      "status": "closed_verified",
      "closed_by": "patched < v2.1.71, per release notes",
      "reverified_date": "2026-05-24"
    },
    {
      "id": "CC-C4",
      "title": "User-level allow rules and skill allowed-tools frontmatter silently overrode enterprise managed ask policies",
      "evidence": [
        "https://api.theorydelta.com/published/claude-code-settings-attack-surface"
      ],
      "opened": "≤2026-03",
      "status": "closed_verified",
      "closed_by": "v2.1.74 security fix, per changelog",
      "reverified_date": "2026-05-24"
    },
    {
      "id": "CC-09",
      "title": "HTTP 304 cache response zeroes out local managed-settings.json — all deny/allow rules silently dropped",
      "evidence": [
        "https://github.com/anthropics/claude-code/issues/70181"
      ],
      "opened": "2026-06-23",
      "status": "open",
      "falsification_criterion": "A 304 (not-modified) response from the managed-settings source preserves the locally cached deny/allow rules rather than emptying them, TD re-verified on a current release"
    },
    {
      "id": "CC-10",
      "title": "Compound-command deny bypass via git -C / cd && / env-prefix forms still active (#66176, filed pre-dossier-cut, absent from prior dossier)",
      "evidence": [
        "https://github.com/anthropics/claude-code/issues/66176"
      ],
      "opened": "2026-06-08",
      "status": "open",
      "falsification_criterion": "A Bash prefix rule does not grant permission to env-prefixed or git -C / cd && compound forms it does not literally match, TD re-verified"
    },
    {
      "id": "CC-11",
      "title": "Hook reliability cluster — 4 new non-firing / corruption issues in 17 days (non-interactive non-firing #71022, Linux transcript gap #70632, /clear session_id corruption #70606, unreliable hookAdditionalContext #70479)",
      "evidence": [
        "https://github.com/anthropics/claude-code/issues/71022",
        "https://github.com/anthropics/claude-code/issues/70632",
        "https://github.com/anthropics/claude-code/issues/70606",
        "https://github.com/anthropics/claude-code/issues/70479"
      ],
      "opened": "2026-06",
      "status": "open",
      "falsification_criterion": "Tool-event and session hooks fire on 100% of matched events across a multi-platform soak test, TD re-verified"
    }
  ],
  "methodology": {
    "sampling_rule_ref": "Theory Delta Method §2 material-claims rule (strategy/method.md): a claim is sampled if it appears on the product's own label and would plausibly influence an adoption decision. Sampling frame: code.claude.com/docs label surfaces — the permissions, hooks, security, sub-agents, mcp, model-config, and memory pages — captured 2026-06-11. 14 claims sampled. Non-as-labeled rows were limited to claim areas backed by a published Theory Delta evidence page; contested label claims without a published evidence page (for example, automatic subagent delegation) were deferred to a later verification pass rather than scored.",
    "verification_depth": "source-reviewed",
    "verification_statement": "Evidence is drawn predominantly from Anthropic's own documentation and changelogs, the anthropics/claude-code issue tracker, CVE disclosures (Check Point Research), and Theory Delta's published findings, so the dossier's verification_depth is stated as source-reviewed. The model-alias issues (#22587, #25530, #27754, #26179) were re-checked on 2026-06-11 and re-verified 2026-06-28 (v2.1.195). Two rows carry deeper evidence: on 2026-07-04 (v2.1.201) Theory Delta EXECUTED a controlled deny-rule reproduction for row 1 / deltas CC-02 and CC-03 — a scratch project with a Read(secret.txt) deny rule driven via 'claude -p' — and observed that the direct Read tool and a direct Bash 'cat' of the denied path were both blocked, but 'grep -r' recursing into the denied file printed the secret verbatim (the #28008 bypass persists). What was NOT executed on this pass: the MCP-file-read-tool binding (CC-02, no connector wired), the built-in Glob/Grep-tool leak (CC-02, tool unavailable in the nested -p session), the subagent deny-inheritance path (CC-01), the MCP parameter-coercion round-trip (row 6 / CC-07), and every other claim row — those remain source-reviewed. Closed-delta re-verification for the four CVE deltas is by release and disclosure review, not re-execution.",
    "backing_confidence": "empirical",
    "executed_by_td": true,
    "strongest_case_against": "Claude Code ships near-daily, so version-specific findings decay fast: the model-alias hardcoding evidence dates from February 2026 and its issues were closed stale or duplicate without a linked fix — the behavior may have been quietly fixed, and the docs have since been rewritten to describe per-provider alias resolution honestly; the Task-blocking hook gap (#26923) closed completed with a vendor fix awaiting TD re-execution; and several partial verdicts rest on patched CVEs where current shipped behavior matches the label. The 2026-07-04 executed pass cuts the other way for row 1: rather than upgrading it, controlled reproduction on v2.1.201 confirmed the recursive-grep deny bypass still exfiltrates a denied file, entrenching the not_as_labeled verdict even though the three backing issues were all closed (stale/duplicate/not-planned) and direct-path deny enforcement measurably hardened in v2.1.162–163. The tool's decay class is volatile; this dossier should be re-verified per release or at least every two weeks."
  },
  "provenance": {
    "source_block": "theorydelta-blocks/blocks/claude-code-deep.md (re-validated 2026-06-08)",
    "source_blocks": [
      "theorydelta-blocks/blocks/claude-code-deep.md",
      "theorydelta-blocks/blocks/claude-code-permissions.md",
      "theorydelta-blocks/blocks/claude-code-hooks-failure-modes.md",
      "theorydelta-blocks/blocks/claude-code-model-aliases.md",
      "theorydelta-blocks/blocks/claude-code-mcp-bridge.md",
      "theorydelta-blocks/blocks/claude-code-settings-security.md"
    ],
    "additional_sources": [
      "published/claude-code-deny-rules-not-enforced.md",
      "published/claude-code-hooks-unreliable-enforcement.md",
      "published/claude-code-model-aliases-silent-failures.md",
      "published/claude-code-mcp-bridge-coerces-parameters.md",
      "published/claude-code-settings-attack-surface.md"
    ],
    "derived_date": "2026-06-28"
  }
}