Claude Code Can Read Any File on Your Machine. Do You Know Which Ones It Sends?

What files has your AI coding assistant read today?

Claude Code, Anthropic's terminal-based coding agent, can read files outside your project's working directory without asking permission. That includes your .env files, SSH keys, browser configs, and anything else your user account can access. Every file it reads gets sent in full to Anthropic's servers for processing. And there is no built-in way to replay the exact API payloads afterward to see what was transmitted.

This is not a bug. It is a documented design choice. Anthropic says the broad read access helps Claude Code understand system libraries and dependencies. But it also means a single careless prompt could cause the tool to scan files you never intended to share.

What Actually Gets Sent

When Claude Code reads a file, the full contents go to Anthropic's API. This includes your prompts, bash command outputs, MCP server results, and any CLAUDE.md project rules. Files it does not read stay local. The distinction matters: Claude Code is not vacuuming your entire disk. But the boundary between "read" and "not read" depends on the model's judgment about what is relevant to your request.

Retention varies by account type. API and Enterprise accounts get zero retention and no training. Pro and Max users who opt out of model improvement still face 30-day retention. Free users who leave the default settings? Up to five years, and that data can be used for training.

The Audit Gap

Claude Code supports OpenTelemetry for monitoring, which sounds reassuring until you look at what it actually logs. You get metadata: tool names, command strings, prompt lengths, token counts. You do not get the raw file contents that were transmitted. So you can see that Claude Code read /etc/ssh/ssh_config at 2:14 PM, but you cannot verify exactly what it sent about that file.

Local session history in ~/.claude/projects/ provides some visibility in JSONL format. But this is not the same as an auditable record of every API payload.

What You Can Do

Claude Code has six permission modes ranging from default (prompts for each new tool) to bypassPermissions (skips everything). The plan mode is read-only and blocks all modifications. You can also set deny rules to block reads of specific files, though this only applies to Claude Code's built-in Read tool. A cat .env through the bash tool bypasses file-level deny rules unless you also enable the sandbox.
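As an added example (not code from Anthropic or from the original article), the script below reviews session JSONL of the kind kept under ~/.claude/projects/ and flags Read calls outside the project directory, plus bash commands that touch credential files and so fall outside Read deny rules. The record layout (nested "tool_use" entries with "name" and "input.file_path" or "input.command"), the tool name "Bash", and the sensitive-path list are assumptions for illustration; the sample records are constructed.

```python
import json
import re
from pathlib import PurePosixPath

# Illustrative sensitive-path patterns (assumption; adjust per team).
SENSITIVE = re.compile(r"(?:^|[\s/])(?:\.env\b(?:\.\w+)?|\.ssh/|id_(?:rsa|ed25519)|\.aws/credentials)")

def tool_calls(node):
    """Yield every {"type": "tool_use", ...} dict nested anywhere in a record."""
    if isinstance(node, dict):
        if node.get("type") == "tool_use":
            yield node
        for value in node.values():
            yield from tool_calls(value)
    elif isinstance(node, list):
        for item in node:
            yield from tool_calls(item)

def audit(jsonl_lines, project_root):
    """Return (tool, target, reason) findings for reads worth reviewing."""
    root = PurePosixPath(project_root)
    findings = []
    for line in jsonl_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or partially written lines
        for call in tool_calls(record):
            name, args = call.get("name"), call.get("input") or {}
            if name == "Read" and "file_path" in args:
                path = PurePosixPath(args["file_path"])
                if SENSITIVE.search(str(path)):
                    findings.append((name, str(path), "sensitive"))
                elif path.is_absolute() and root not in path.parents:
                    findings.append((name, str(path), "outside-project"))
            elif name == "Bash" and SENSITIVE.search(args.get("command", "")):
                findings.append((name, args["command"], "sensitive"))
    return findings

# Constructed sample records, not real session data (layout is an assumption).
SAMPLE = [
    '{"message": {"content": [{"type": "tool_use", "name": "Read", "input": {"file_path": "/home/dev/app/src/main.py"}}]}}',
    '{"message": {"content": [{"type": "tool_use", "name": "Read", "input": {"file_path": "/etc/ssh/ssh_config"}}]}}',
    '{"message": {"content": [{"type": "tool_use", "name": "Bash", "input": {"command": "cat .env"}}]}}',
    '{"message": {"content": [{"type": "tool_use", "name": "Read", "input": {"file_path": "/home/dev/.ssh/id_ed25519"}}]}}',
    '{"truncated',
]

if __name__ == "__main__":
    print(*audit(SAMPLE, "/home/dev/app"), sep="\n")
```

This reports which files and commands the session log records; it does not reconstruct the API payloads themselves.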

Three critical vulnerabilities disclosed in February 2026 (CVE-2025-59536, CVE-2026-21852) showed that malicious project files could trigger code execution and API key exfiltration before trust dialogs appeared. All three were patched, but they illustrate the attack surface.

For teams handling sensitive code, the practical advice is specific: use API tokens (zero retention), enable the sandbox, set deny rules for credential files, and run Claude Code in containers or VMs when working with anything you would not want on someone else's server. A community project called Masquerade MCP acts as a privacy firewall that redacts data before it reaches Anthropic, though that adds its own trust layer.

The core tension is real. An AI coding tool that cannot read your codebase is useless. One that reads everything with no practical audit trail requires a level of trust most security-conscious teams are not comfortable giving.