Hey everyone,
I recently spent 3 hours debugging a wild issue where a recent Claude Code update completely broke my app’s release pipeline. It’s a perfect example of Hyrum’s Law, and I thought you guys would find the internal mechanics of this bug really interesting.
The Mystery
For the last month, I’ve been building and releasing my app using Claude Code. Everything worked perfectly for 20 releases. But last Friday, my release script suddenly failed with:
Wrong password for that private key
.
The password hadn’t changed. The key hadn’t changed. A fresh test key with the same password worked fine. So why was my original key suddenly failing?
The Root Cause (
BashTool
&
shellQuoting.ts
)
A month ago, I generated this signing key through a bash command inside Claude Code. When the CLI interactively asked for a password, I typed my password, which ended with an exclamation mark (
!
).
If you look into Claude Code’s architecture (
BashTool.tsx
->
Shell.ts
->
shellQuoting.ts
), it uses a library called
shell-quote
to sanitize commands before evaluating them. It turns out, prior to version 2.1.92, Claude Code had a bug where it would silently escape exclamation marks.
It turned
mypassword!
into
mypassword!
.
Because Claude Code intercepted the input, my key was generated and encrypted with a literal backslash that I never typed and never saw.
Hyrum’s Law in Action
Why did it work for 20 releases? Because I kept running my release scripts inside Claude Code! Every time the script executed, Claude Code consistently applied the same buggy escaping. The backslash was injected every time, so the password matched perfectly.
Then, Claude Code updated to version 2.1.92. Anthropic fixed the
!
escaping behavior. The password was finally being passed cleanly.
But because my key was generated with the bug, the “correct” password no longer matched! Fixing the internal quoting bug in Claude Code broke my workflow.
JSONL Logs to the Rescue
The only way I figured this out was by digging through Claude Code’s
.claude.jsonl
command logs from a month ago. Being able to trace the exact string mutations from the history logs is a lifesaver. Without those logs, I would have had to rotate my keys and break auto-updates for all my users.
Takeaway for Claude Code users:
If you are generating SSH keys, signing certificates, or setting database passwords using interactive CLI prompts inside Claude Code — be very careful with special characters (
!
,
$
,
). It’s always safer to pass them via explicit flags (e.g.,
-p “password”
) rather than trusting the terminal wrapper not to mutate interactive TTY input.
Has anyone else caught Claude Code silently mutating your CLI arguments or strings?
submitted by
/u/MaxNardit
Originally posted by u/MaxNardit on r/ClaudeCode