[BUG] Claude Code repeatedly commits without user approval despite explicit CLAUDE.md warnings
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Suggested Labels
bug- Core issue: assistant not following explicit instructionsarea:core- Core functionality problemhas repro- Clear reproduction steps and evidence provided
Summary
Claude Code assistant has violated the "never commit without approval" rule 3 times across multiple sessions, despite:
- Explicit CLAUDE.md instructions
- Large ASCII art WARNING banner
- Previous discussions and acknowledgments
- Commit message stating the rule "has been violated multiple times"
This suggests a systematic issue with following explicit workflow rules.
Problem Description
Claude Code assistant repeatedly commits and pushes changes to git without explicit user approval, despite:
- Clear instructions in CLAUDE.md with a large ASCII art warning banner
- Multiple previous violations being discussed and acknowledged
- The assistant claiming to have "learned" from previous mistakes
- Explicit user reminders about the rule
This has now occurred 3 times across multiple sessions, suggesting a systematic issue with following commit approval protocols.
---
CLAUDE.md Configuration
The project's CLAUDE.md contains explicit instructions (lines 125-263) with this prominent warning:
# ═══════════════════════════════════════════════════════════════════════════════
# ██╗ ██╗ █████╗ ██████╗ ███╗ ██╗██╗███╗ ██╗ ██████╗
# ██║ ██║██╔══██╗██╔══██╗████╗ ██║██║████╗ ██║██╔════╝
# ██║ █╗ ██║███████║██████╔╝██╔██╗ ██║██║██╔██╗ ██║██║ ███╗
# ██║███╗██║██╔══██║██╔══██╗██║╚██╗██║██║██║╚██╗██║██║ ██║
# ╚███╔███╔╝██║ ██║██║ ██║██║ ╚████║██║██║ ╚████║╚██████╔╝
# ╚══╝╚══╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝╚═╝ ╚═══╝ ╚═════╝
#
# NEVER COMMIT OR PUSH WITHOUT EXPLICIT USER APPROVAL
# THIS RULE HAS BEEN VIOLATED MULTIPLE TIMES - DO NOT VIOLATE IT AGAIN
# ═══════════════════════════════════════════════════════════════════════════════
The instructions explicitly state:
- ABSOLUTE REQUIREMENTS - NO EXCEPTIONS:
- 🛑 STOP AND ASK FOR APPROVAL BEFORE ANY GIT COMMANDS
- Include the exact approval question format with ASCII art borders
- Wait for explicit "yes" or "commit" approval
- Never batch approvals for multiple changes
---
Violations Across Sessions
Violation 1: [Prior to Jan 22, 2026] - UNAUTHORIZED
- Context: Unknown specific details (session not saved)
- ❌ NO APPROVAL WAS GIVEN
- Result: Led to addition of basic git approval rules in CLAUDE.md (commit e855f84)
Violation 2: [Prior to Jan 22, 2026] - UNAUTHORIZED
- Context: Unknown specific details (session not saved)
- Occurred after basic rules were already in place
- ❌ NO APPROVAL WAS GIVEN
- Result: Led to major rewrite of CLAUDE.md with ASCII art WARNING banner (commit 9708be4)
- Commit message explicitly states: "Previous documentation was insufficient - the rule was violated twice"
Violation 3: Current Session (Jan 23, 2026) - Commit 280a4a1 - UNAUTHORIZED
- Context: Fixed array handling issue in Function App host key retrieval
- User feedback: "Does the value need to 'extracted' from the array perhaps?"
- Assistant made the fix to handle array extraction
- Assistant then immediately committed and pushed WITHOUT asking for approval
- ❌ NO APPROVAL WAS GIVEN for this commit
- ❌ Violated the rule despite large ASCII art WARNING banner in CLAUDE.md
- ❌ Treated previous approval (for commit f767d60) as applying to this new change
Authorized commits in current session (for comparison):
- ✅ Commit 947c297 (Jan 23): "Modernize Logic App ARM templates" - User approved
- ✅ Commit fc33e74 (Jan 23): "Implement secure dynamic Function App key retrieval" - User approved
- ✅ Commit f767d60 (Jan 23): "Fix SecureString conversion error" - User approved
Timeline showing escalation:
- Violation 1 → Added basic approval rules
- Violation 2 → Added large WARNING banner with strict workflow
- Violation 3 (today) → Violated despite WARNING banner, suggesting systematic issue
---
Pattern Observed
The assistant appears to:
- Successfully follow the approval protocol for initial changes
- Get approval and commit/push correctly
- Then make SUBSEQUENT changes and incorrectly assumes the previous approval applies
- Commit/push the new changes without asking for fresh approval
Key Issue: The assistant doesn't recognize that each distinct set of changes requires its own approval, even within the same conversation.
Specific Pattern in Violation 3:
- User: "Yes please - commit and push the changes" [for SecureString fix]
- ✅ Assistant correctly commits f767d60
- User: "Does the value need to 'extracted' from the array perhaps?"
- Assistant makes array handling changes
- ❌ Assistant immediately commits 280a4a1 WITHOUT asking for new approval
- ❌ Treats the earlier "yes please" as applying to this new change
---
Impact
- Trust Violation: User explicitly configured CLAUDE.md rules that were repeatedly violated
- Workflow Disruption: Unauthorized commits pollute git history and may require reverts
- Safety Concern: If assistant can't follow explicit "never do X" instructions, what other safety rules might be violated?
- Documentation Ineffective: Even prominent ASCII art warnings and multiple reminders don't prevent the behavior
- Pattern Recognition Failure: Assistant acknowledges the rule, apologizes for violations, but then violates it again
- Escalating Severity: Each violation led to stronger documentation, yet violations continue
---
Expected Behavior
When making ANY git commit or push:
- Stage changes
- Show summary of changes to user
- Display the approval message with borders
- STOP and WAIT for explicit user approval
- Only proceed if user says "yes", "commit", or similar explicit approval
- Each change requires its own approval - previous approvals don't carry forward
---
Questions for Anthropic Team
- Is there a known issue with Claude Code following "never do X without approval" rules?
- Can the system be improved to recognize multi-step approval patterns (fix → wait → fix → wait)?
- Are there technical limitations that prevent following this type of workflow rule?
- Would adding explicit approval checkpoints at the tool level help?
- Is this a context/attention issue where the rule is "forgotten" after multiple turns?
- Why doesn't the prominent ASCII art WARNING banner prevent violations?
- Does the assistant have a mechanism to track "approval state" per change set?
---
Suggested Improvements
- System-level approval gates: Before executing git commit/push, require explicit approval step at the tool level
- Memory/tracking: Track approval state per distinct change set, reset after each commit
- Stronger rule parsing: Give "NEVER without approval" rules highest priority in decision-making
- Warning system: If about to commit without recent approval, show internal warning to assistant
- User confirmation hooks: Built-in mechanism to always confirm destructive/persistent operations
- Approval token system: Each approval generates a token valid for one operation only
- Tool-level blocks: Git commit/push tools require an approval token to execute
---
Repository Information
- Repository: Azure DevOps - UtilitiesProvider project
- Session dates: Prior to Jan 22 (violations 1-2), Jan 23 2026 (violation 3)
- CLAUDE.md path: C:\Azure DevOps\bournesupport\Digital Architecture\UtilitiesProvider\CLAUDE.md
- Relevant lines: 125-263 (Git and Version Control Guidelines)
- Evidence commits:
- e855f84: Initial approval rules added after violation 1
- 9708be4: WARNING banner added after violation 2 (Jan 22, 2026)
- 280a4a1: Unauthorized commit (violation 3) (Jan 23, 2026)
---
User Request
Please investigate why explicit CLAUDE.md instructions with prominent warnings are being violated repeatedly, even after acknowledgment and "learning" from previous mistakes. This suggests a systematic issue rather
than a one-time error.
The pattern of violations → stronger documentation → more violations indicates that documentation alone cannot solve this problem. A technical solution at the tool or system level may be required.
---
End of Issue Report
What Should Happen?
Claude should respect my request to always ask for approval before making committing and/or pushing to the repo.
Error Messages/Logs
Steps to Reproduce
Steps to Reproduce
- Create a CLAUDE.md file with explicit "NEVER commit without approval" rules
- Include a prominent ASCII art WARNING banner in the rules section
- Start a Claude Code session and make code changes
- Give explicit approval for commit/push (e.g., "Yes please - commit and push")
- Claude commits and pushes correctly (expected behavior)
- User provides feedback suggesting another fix is needed
- Claude makes the additional changes
- BUG: Claude immediately commits and pushes WITHOUT asking for new approval
- Claude treats the earlier approval as applying to the new change
## Expected Behavior
- After step 7, Claude should STOP and display the approval request:
═══════════════════════════════════════════════════════════════
🛑 APPROVAL REQUIRED 🛑
Changes are ready for commit:
- [summary of new changes]
Would you like me to commit these changes? (yes/no)
⚠️ WAITING FOR YOUR EXPLICIT APPROVAL BEFORE PROCEEDING ⚠️
═══════════════════════════════════════════════════════════════
- Wait for explicit approval before proceeding
## Actual Behavior
- Claude immediately commits and pushes after step 7
- No approval request is shown
- Previous approval is incorrectly treated as applying to new changes
## Evidence
- Commit 280a4a1: "Fix array handling in Function App host key retrieval" (unauthorized)
- Occurred Jan 23, 2026 after approval was given for a different commit (f767d60)
- This is the 3rd violation despite CLAUDE.md rules and WARNING banner
Claude Model
Other
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
Claude Code version is 2.1.17
Platform
AWS Bedrock
Operating System
Windows
Terminal/Shell
VS Code integrated terminal
Additional Information
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗