The Bug Report Is Not The Whole Story
On July 4, 2026, a public issue was opened in the Anthropic Claude Code repository titled “Potential session/cache leakage between workspace instances or consumer accounts.” The reporter said an agent session, while authenticated to an Enterprise ZDR workspace, suddenly started talking about Minecraft temple bricks and then recapped that unrelated task as if it belonged to the current session. The issue is still just a report, not confirmed proof of cross-account leakage, but it is filed in the public Claude Code repo and labeled as a security-area bug. That is enough to make it worth reading carefully, not enough to turn it into folklore by lunch. The public GitHub issue is the source for that specific report.
The useful lesson is larger than one vendor and one strange transcript. AI coding agents now sit between your repo, your terminal, your account, your cloud credentials, your project instructions, your shell history, and sometimes your browser. That is a lot of plumbing. Plumbing leaks. Sometimes the leak is server-side. Sometimes it is local context pollution. Sometimes it is a user launching a tool from the wrong folder because Tuesday was already going badly.
The defensive posture should be the same either way: every serious AI coding workflow needs workspace quarantine.
A Fresh Chat Is Not A Fresh Workspace
The old mental model was simple: open a new chat, paste the task, get an answer, close the tab. That model breaks down when the assistant becomes a coding agent. A coding agent is not merely answering. It is reading files, loading project rules, remembering corrections, asking for tool permissions, running commands, editing code, and preserving enough state to remain useful tomorrow.
Anthropic’s Claude Code documentation says each session begins with a fresh context window, but it also describes two mechanisms that carry knowledge across sessions: CLAUDE.md files and auto memory. The same documentation says these are loaded at the start of every conversation and treated as context rather than hard enforcement. That is the key distinction. Context guides behavior. It does not create a security boundary. Anthropic’s memory documentation lays this out directly.
That is not a criticism of memory. Persistent project instructions are useful. Without them, every agent session starts like a new contractor who has never seen a monorepo, which is a form of punishment. But persistent context also means a project can be contaminated by old instructions, broad user-level preferences, imported files, local notes, or a launch directory that does not match the task.
A new chat window feels clean. The filesystem may disagree.
Where Context Actually Crosses The Line
Most workspace contamination will not look like a dramatic platform breach. It will look boring. Boring is where the bodies are buried.
- Wrong launch directory: The agent starts in one folder but works in another. Project instructions from the launch path can shape behavior even if the actual task lives elsewhere.
- Shared user memory: Personal rules stored at the user level can apply across projects. That is convenient for formatting preferences and dangerous for client-specific assumptions.
- Imported instruction files: A project rule can pull in other files. If those imports are broad, stale, or private, the agent may receive more context than the user realizes.
- Additional directories: Giving an agent access outside the repo can be necessary for shared libraries or docs, but every extra directory expands the blast radius.
- Tool permissions: Read-only is one thing. Shell commands, file writes, package installs, and network calls are another thing entirely.
- Compaction and summaries: Long sessions get compressed. If the summary is wrong, the agent can confidently carry forward a false version of reality. Very software, very cursed.
Claude Code’s documentation says its memory loading walks up from the current working directory and can include files in that hierarchy. It also describes organization-wide, user-level, project-level, and local instruction locations. That is a powerful setup, but it means the current working directory is not a cosmetic detail. It is part of the prompt supply chain.
The Minimum Viable Quarantine Setup
Workspace quarantine does not require a security theater department and a laminated checklist. It does require a few hard habits.
- Launch from the repo root you actually intend to modify. Do not start the agent from a convenient old folder because it contains useful notes. Move the notes into the correct project or pass them explicitly.
- Keep client and employer work in separate OS users or containers. Separate browser profiles are nice. Separate home directories are better. Shared home-level agent memory is how ghosts get jobs.
- Use one account per trust boundary. Personal experiments, open source work, employer code, and client work should not share the same agent identity if the stakes are different.
- Commit project instructions, not secrets. Put build commands, architecture rules, and test conventions in project files. Do not put tokens, private URLs, customer names, incident details, or credentials in memory files.
- Prefer deny rules for dangerous tools. If an agent should never touch deployment, production databases, or billing code without a human, enforce that outside the model’s goodwill.
- Reset between unrelated tasks. End the session, check what memory changed, and start from the correct directory. Yes, it is less magical. Magic is often just missing audit logs.
This is the same spirit behind requiring AI coding agents to show what leaves your machine. The agent should not get a fog machine just because it writes decent TypeScript.
What To Record When The Agent Acts Strange
If an AI coding agent suddenly references a task, file, person, repo, customer, or weirdly specific fact that does not belong in the session, do not just laugh and keep going. Preserve the evidence before the tool overwrites the interesting part.
- Save the transcript immediately. Include the strange message, the few turns before it, and any compaction summary that may have fed it.
- Record the exact working directory. The launch path matters. So does the directory where the agent was actually editing files.
- List loaded instruction files. Check project, local, user-level, and organization-level memory or rules. Look for stale imports and broad shared files.
- Capture account and workspace state. Note which account, organization, subscription, cloud provider, or enterprise workspace was active.
- Preserve tool logs. Shell commands, file reads, file writes, network calls, and permission prompts are often more useful than the final answer.
- Search local files for the leaked phrase. If the phrase exists in a memory file, shell log, README, test fixture, browser scrape, or adjacent repo, the cause may be local contamination rather than server leakage.
The goal is not to prove a scandal in five minutes. The goal is to separate three categories: the model hallucinated unrelated content, the local workspace supplied hidden context, or the service crossed a boundary it should not cross. Those require different fixes. Treating all three as the same problem is how teams end up with vibes instead of incident response.
What Vendors Should Expose
Developers should not need to reverse-engineer an agent’s memory diet. Coding agent vendors should make workspace boundaries visible by default.
- A loaded-context manifest: Show every memory file, rule file, imported document, additional directory, and system policy included in the session.
- A trust-boundary badge: Make it obvious whether the agent is using a personal, team, enterprise, Bedrock, Vertex, or other routed identity.
- A session origin panel: Show launch directory, active repo, git remote, branch, and any directory outside the repo that the agent can read.
- A memory diff: When auto memory changes, show exactly what was added, changed, or removed before it affects the next session.
- A hard reset button: Not a new chat. A real clean-room start that excludes prior memory, local rules, cached summaries, and imported files unless the user explicitly re-enables them.
- An incident export: One button should package transcript, tool calls, memory manifest, permissions, account routing, client version, and timestamps for security review.
None of this makes AI coding agents less useful. It makes them usable in places where code matters. The industry keeps selling agents as junior developers. Fine. Junior developers do not get invisible cross-project memory, silent tool access, and a production shell without controls either. At least, not twice.