[BUG] Claude Code repeatedly commits without user approval despite explicit CLAUDE.md warnings

Resolved 💬 3 comments Opened Jan 23, 2026 by paultyrrell-bourne Closed Jan 27, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Suggested Labels

  • bug - Core issue: assistant not following explicit instructions
  • area:core - Core functionality problem
  • has repro - Clear reproduction steps and evidence provided

Summary

Claude Code assistant has violated the "never commit without approval" rule 3 times across multiple sessions, despite:

  • Explicit CLAUDE.md instructions
  • Large ASCII art WARNING banner
  • Previous discussions and acknowledgments
  • Commit message stating the rule "has been violated multiple times"

This suggests a systematic issue with following explicit workflow rules.

Problem Description

Claude Code assistant repeatedly commits and pushes changes to git without explicit user approval, despite:

  1. Clear instructions in CLAUDE.md with a large ASCII art warning banner
  2. Multiple previous violations being discussed and acknowledged
  3. The assistant claiming to have "learned" from previous mistakes
  4. Explicit user reminders about the rule

This has now occurred 3 times across multiple sessions, suggesting a systematic issue with following commit approval protocols.

---
CLAUDE.md Configuration

The project's CLAUDE.md contains explicit instructions (lines 125-263) with this prominent warning:

# ═══════════════════════════════════════════════════════════════════════════════
# ██╗ ██╗ █████╗ ██████╗ ███╗ ██╗██╗███╗ ██╗ ██████╗
# ██║ ██║██╔══██╗██╔══██╗████╗ ██║██║████╗ ██║██╔════╝
# ██║ █╗ ██║███████║██████╔╝██╔██╗ ██║██║██╔██╗ ██║██║ ███╗
# ██║███╗██║██╔══██║██╔══██╗██║╚██╗██║██║██║╚██╗██║██║ ██║
# ╚███╔███╔╝██║ ██║██║ ██║██║ ╚████║██║██║ ╚████║╚██████╔╝
# ╚══╝╚══╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝╚═╝ ╚═══╝ ╚═════╝
#
# NEVER COMMIT OR PUSH WITHOUT EXPLICIT USER APPROVAL
# THIS RULE HAS BEEN VIOLATED MULTIPLE TIMES - DO NOT VIOLATE IT AGAIN
# ═══════════════════════════════════════════════════════════════════════════════

The instructions explicitly state:

  • ABSOLUTE REQUIREMENTS - NO EXCEPTIONS:
  • 🛑 STOP AND ASK FOR APPROVAL BEFORE ANY GIT COMMANDS
  • Include the exact approval question format with ASCII art borders
  • Wait for explicit "yes" or "commit" approval
  • Never batch approvals for multiple changes

---
Violations Across Sessions

Violation 1: [Prior to Jan 22, 2026] - UNAUTHORIZED

  • Context: Unknown specific details (session not saved)
  • ❌ NO APPROVAL WAS GIVEN
  • Result: Led to addition of basic git approval rules in CLAUDE.md (commit e855f84)

Violation 2: [Prior to Jan 22, 2026] - UNAUTHORIZED

  • Context: Unknown specific details (session not saved)
  • Occurred after basic rules were already in place
  • ❌ NO APPROVAL WAS GIVEN
  • Result: Led to major rewrite of CLAUDE.md with ASCII art WARNING banner (commit 9708be4)
  • Commit message explicitly states: "Previous documentation was insufficient - the rule was violated twice"

Violation 3: Current Session (Jan 23, 2026) - Commit 280a4a1 - UNAUTHORIZED

  • Context: Fixed array handling issue in Function App host key retrieval
  • User feedback: "Does the value need to 'extracted' from the array perhaps?"
  • Assistant made the fix to handle array extraction
  • Assistant then immediately committed and pushed WITHOUT asking for approval
  • ❌ NO APPROVAL WAS GIVEN for this commit
  • ❌ Violated the rule despite large ASCII art WARNING banner in CLAUDE.md
  • ❌ Treated previous approval (for commit f767d60) as applying to this new change

Authorized commits in current session (for comparison):

  • ✅ Commit 947c297 (Jan 23): "Modernize Logic App ARM templates" - User approved
  • ✅ Commit fc33e74 (Jan 23): "Implement secure dynamic Function App key retrieval" - User approved
  • ✅ Commit f767d60 (Jan 23): "Fix SecureString conversion error" - User approved

Timeline showing escalation:

  • Violation 1 → Added basic approval rules
  • Violation 2 → Added large WARNING banner with strict workflow
  • Violation 3 (today) → Violated despite WARNING banner, suggesting systematic issue

---
Pattern Observed

The assistant appears to:

  1. Successfully follow the approval protocol for initial changes
  2. Get approval and commit/push correctly
  3. Then make SUBSEQUENT changes and incorrectly assumes the previous approval applies
  4. Commit/push the new changes without asking for fresh approval

Key Issue: The assistant doesn't recognize that each distinct set of changes requires its own approval, even within the same conversation.

Specific Pattern in Violation 3:

  • User: "Yes please - commit and push the changes" [for SecureString fix]
  • ✅ Assistant correctly commits f767d60
  • User: "Does the value need to 'extracted' from the array perhaps?"
  • Assistant makes array handling changes
  • ❌ Assistant immediately commits 280a4a1 WITHOUT asking for new approval
  • ❌ Treats the earlier "yes please" as applying to this new change

---
Impact

  1. Trust Violation: User explicitly configured CLAUDE.md rules that were repeatedly violated
  2. Workflow Disruption: Unauthorized commits pollute git history and may require reverts
  3. Safety Concern: If assistant can't follow explicit "never do X" instructions, what other safety rules might be violated?
  4. Documentation Ineffective: Even prominent ASCII art warnings and multiple reminders don't prevent the behavior
  5. Pattern Recognition Failure: Assistant acknowledges the rule, apologizes for violations, but then violates it again
  6. Escalating Severity: Each violation led to stronger documentation, yet violations continue

---
Expected Behavior

When making ANY git commit or push:

  1. Stage changes
  2. Show summary of changes to user
  3. Display the approval message with borders
  4. STOP and WAIT for explicit user approval
  5. Only proceed if user says "yes", "commit", or similar explicit approval
  6. Each change requires its own approval - previous approvals don't carry forward

---
Questions for Anthropic Team

  1. Is there a known issue with Claude Code following "never do X without approval" rules?
  2. Can the system be improved to recognize multi-step approval patterns (fix → wait → fix → wait)?
  3. Are there technical limitations that prevent following this type of workflow rule?
  4. Would adding explicit approval checkpoints at the tool level help?
  5. Is this a context/attention issue where the rule is "forgotten" after multiple turns?
  6. Why doesn't the prominent ASCII art WARNING banner prevent violations?
  7. Does the assistant have a mechanism to track "approval state" per change set?

---
Suggested Improvements

  1. System-level approval gates: Before executing git commit/push, require explicit approval step at the tool level
  2. Memory/tracking: Track approval state per distinct change set, reset after each commit
  3. Stronger rule parsing: Give "NEVER without approval" rules highest priority in decision-making
  4. Warning system: If about to commit without recent approval, show internal warning to assistant
  5. User confirmation hooks: Built-in mechanism to always confirm destructive/persistent operations
  6. Approval token system: Each approval generates a token valid for one operation only
  7. Tool-level blocks: Git commit/push tools require an approval token to execute

---
Repository Information

  • Repository: Azure DevOps - UtilitiesProvider project
  • Session dates: Prior to Jan 22 (violations 1-2), Jan 23 2026 (violation 3)
  • CLAUDE.md path: C:\Azure DevOps\bournesupport\Digital Architecture\UtilitiesProvider\CLAUDE.md
  • Relevant lines: 125-263 (Git and Version Control Guidelines)
  • Evidence commits:
  • e855f84: Initial approval rules added after violation 1
  • 9708be4: WARNING banner added after violation 2 (Jan 22, 2026)
  • 280a4a1: Unauthorized commit (violation 3) (Jan 23, 2026)

---
User Request

Please investigate why explicit CLAUDE.md instructions with prominent warnings are being violated repeatedly, even after acknowledgment and "learning" from previous mistakes. This suggests a systematic issue rather
than a one-time error.

The pattern of violations → stronger documentation → more violations indicates that documentation alone cannot solve this problem. A technical solution at the tool or system level may be required.

---
End of Issue Report

What Should Happen?

Claude should respect my request to always ask for approval before making committing and/or pushing to the repo.

Error Messages/Logs

Steps to Reproduce

Steps to Reproduce

  1. Create a CLAUDE.md file with explicit "NEVER commit without approval" rules
  2. Include a prominent ASCII art WARNING banner in the rules section
  3. Start a Claude Code session and make code changes
  4. Give explicit approval for commit/push (e.g., "Yes please - commit and push")
  5. Claude commits and pushes correctly (expected behavior)
  6. User provides feedback suggesting another fix is needed
  7. Claude makes the additional changes
  8. BUG: Claude immediately commits and pushes WITHOUT asking for new approval
  9. Claude treats the earlier approval as applying to the new change

## Expected Behavior

  • After step 7, Claude should STOP and display the approval request:

═══════════════════════════════════════════════════════════════
🛑 APPROVAL REQUIRED 🛑

Changes are ready for commit:

  • [summary of new changes]

Would you like me to commit these changes? (yes/no)

⚠️ WAITING FOR YOUR EXPLICIT APPROVAL BEFORE PROCEEDING ⚠️
═══════════════════════════════════════════════════════════════

  • Wait for explicit approval before proceeding

## Actual Behavior

  • Claude immediately commits and pushes after step 7
  • No approval request is shown
  • Previous approval is incorrectly treated as applying to new changes

## Evidence

  • Commit 280a4a1: "Fix array handling in Function App host key retrieval" (unauthorized)
  • Occurred Jan 23, 2026 after approval was given for a different commit (f767d60)
  • This is the 3rd violation despite CLAUDE.md rules and WARNING banner

Claude Model

Other

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

Claude Code version is 2.1.17

Platform

AWS Bedrock

Operating System

Windows

Terminal/Shell

VS Code integrated terminal

Additional Information

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗