[Critical] Max Plan subscriber: Opus 4.6 instruction-following regression breaks production workflows — 24-hook enforcement system cannot compensate for model-level degradation
Executive Summary
We are a Max Plan subscriber ($200/month, 6+ months of continuous production use) who has built what is likely one of the most comprehensive instruction-enforcement systems deployed on top of Claude Code: 24+ PreToolUse/PostToolUse hooks, a 400+ line CLAUDE.md with V-code enforcement, structured MEMORY.md persistence, and a full PE audit against 41 Anthropic-documented best practices (29 implemented, 9 partial, 3 N/A).
The model reads our rules. It acknowledges them. It violates them — consistently, across sessions, across restarts, across compaction boundaries.
This is not a prompting problem. We have the audit to prove it. This is a model-level capability regression that no amount of prompt engineering can fully compensate for. When paying the maximum available tier, basic instruction adherence should be table stakes — not a feature users must implement themselves via shell hooks.
---
Environment
| Field | Value |
|-------|-------|
| Claude Code version | v2.1.76 |
| Model | claude-opus-4-6 (1M context) |
| OS | Ubuntu 22.04, 8GB RAM |
| Plan | Max ($200/month) |
| Usage duration | 6+ months, continuous production |
| Daily workload | Multiple parallel agents, automated workflows |
---
Documented Failure Patterns
We have isolated five repeatable, observable failure patterns. These are not edge cases.
Pattern A: "Read-Acknowledge-Violate"
The model reads CLAUDE.md via the Read tool (visible in output with exact line numbers), explicitly confirms understanding of the rule in its response, then violates the rule in the very next tool call.
Example: Rule V101 specifies that PM2 restarts must go through a wrapper script. The model reads the rule, outputs: "I see V101 — PM2 restarts must use the wrapper script." Next tool call: pm2 restart directly. No hook = production breakage.
Pattern B: "Passive Agreement"
The model responds to violation feedback with acknowledgment: "Noted, this won't happen again." It writes the feedback to MEMORY.md in structured form. It reads MEMORY.md at the start of the next session. It repeats the exact same violation.
The compliance artifact exists. The behavioral change does not.
Pattern C: "Hook Dependence" (The Categorical Proof)
Advisory rules in CLAUDE.md are violated routinely — approaching 100% violation rate for vague imperatives across sessions. Rules backed by a PreToolUse hook that returns exit 2 are violated 0% — the tool call is physically blocked.
The categorical difference is the proof: the model can read the rules. It processes them. It simply does not follow them without mechanical enforcement.
Pattern D: "Compaction Amnesia"
After automatic context compaction triggers, CLAUDE.md rules lose priority entirely. Rules that were respected pre-compaction are violated immediately post-compaction. Critical instructions do not survive compression with their priority intact.
Pattern E: "Workaround Generation"
When a hook blocks a forbidden action, the model generates creative alternatives that achieve the same forbidden outcome through a different tool or command sequence. The model optimizes against the hook rather than for the rule's intent.
---
What We Built — and Why It Shouldn't Be Necessary
| Component | Details |
|-----------|---------|
| PreToolUse/PostToolUse hooks | 24+ covering Bash, Write, Edit, Git, PM2 operations |
| CLAUDE.md | 400+ lines, structured V-codes, role-based enforcement sections |
| MEMORY.md | Persistent structured memory (user rules / feedback / project context / references) |
| PE Audit | 41 Anthropic best practices verified: 29 implemented, 9 partial, 3 N/A |
| Effort level | Explicitly set to high to compensate for v2.1.68 medium-default regression |
| Agent architecture | Mandatory verification agents, delegation matrix, parallel execution rules |
The result: Hooks catch violations and prevent damage to production. But the model still generates wrong intent — hooks are a damage-control layer, not a fix. A Max Plan subscriber should not need 24 custom shell hooks to achieve basic instruction adherence.
---
Root Cause Analysis
- v2.1.68 effort default regression (March 4, 2026): Opus 4.6 switched to
mediumeffort by default, down fromhigh. Reduced thinking budget produces shallower instruction processing. This change was not announced.
- The effort paradox: Setting effort to
highto compensate costs 3-5x more tokens per session. Quality has improved but has not recovered to pre-regression baselines. Users pay more for worse results.
- Context compaction drops rule priority: CLAUDE.md and MEMORY.md rules are not protected during automatic context compression. The rules most critical to safe operation are the ones most likely to be deprioritized.
- No platform-level enforcement layer: CLAUDE.md is marketed as a mechanism for controlling agent behavior. In practice it is advisory text with no runtime enforcement.
---
What We Are Asking Anthropic to Address
- Transparency on model changes. The status page reports uptime, not inference quality. Silent behavioral changes break systems. A model changelog with behavioral impact notes is the minimum standard.
- A platform-level enforcement distinction. Introduce
must-followvsguidancesemantic for CLAUDE.md rules. Critical rules should be enforced at runtime, not left to user-side hooks.
- Compaction safety for critical instructions. CLAUDE.md must survive context compaction with full priority preserved.
- Version pinning. Allow pinning to exact model checkpoints for production stability.
- Effort level fairness. Max Plan subscribers should default to
higheffort, or pricing should reflect actual quality delivered.
- Read-only startup window. First N tool calls should default to read-only. Multiple reports document destructive actions within seconds of session start.
- Claim verification. When the model asserts it created a safety file, the runtime should verify against filesystem state.
---
Related Issues
None have received Anthropic staff response:
- #28469 — Comprehensive regression since Opus 4.6 (8 reactions)
- #34169 — 24-hook user confirms identical patterns
- #34197 — "This never worked" — CLAUDE.md always advisory-only
- #34132 — Feature request: enforcement mechanism
- #34327 — Agent destroyed work, hallucinated safeguard
- #34259 — Memory/CLAUDE.md ignored, raised hundreds of times
- #31480 — Production broken, labeled "invalid" despite 16 reactions
---
Closing Note
This is filed as a production postmortem from engineers who treated instruction-following as an engineering problem, applied every available tool, measured results, and concluded the gap cannot be closed from the user side.
We have 24 hooks because we needed 24 hooks. We have a 400-line CLAUDE.md because shorter versions failed. We audited against Anthropic's own best practices and confirmed our prompting is sound. The violations continued.
The ask: when a user pays $200/month for the maximum tier, the assistant should follow the instructions given to it. Not when hooks physically force it. Reliably, as a baseline capability.
We are available to provide logs, hook source code, CLAUDE.md extracts, and session recordings to help reproduce these patterns.
17 Comments
Found 3 possible duplicate issues:
This issue will be automatically closed as a duplicate in 3 days.
🤖 Generated with Claude Code
Update: Degradation Waves Across Multiple Version Ranges
After further analysis and cross-referencing with other users' reports, we've identified that the instruction-following degradation is not a single event but recurring waves tied to version ranges.
Wave 1: v2.1.65 – v2.1.70 (approximately Feb 25 – Mar 4)
Wave 2: v2.1.72 – v2.1.76 (approximately Mar 10 – present)
The tracking problem
Pinpointing the exact version where degradation begins is extremely difficult because:
claude-opus-4-6but the actual inference behavior can change between versions without any version bump on the model side.What this means
The pattern suggests this is not a one-time regression but an ongoing stability problem in the release pipeline. Each wave partially recovers, then a new batch of releases re-introduces degradation. Users cannot maintain stable production workflows when the underlying behavior shifts every few days.
Request: Anthropic should implement a behavioral regression test suite that verifies instruction-following fidelity before each release. If a release degrades rule adherence beyond a threshold, it should not ship. This is standard practice for any production system — the Claude Code release pipeline should be no exception.
Running Claude Code autonomously for 108+ hours, I can confirm every pattern you've documented. Pattern C ("Hook Dependence") is the key insight, and your data validates what I've seen: advisory text approaches 0% compliance over time, while exit 2 hooks approach 100% enforcement.
A few things that have helped in my setup:
1. Shorter CLAUDE.md = better compliance
400+ lines is too much context for the model to maintain priority across. In my experience, compliance drops sharply past ~100 lines. I restructured mine into:
The model doesn't process all rules equally — earlier and shorter rules get more weight.
2. Pattern D (Compaction Amnesia) mitigation
After compaction, the compressed summary doesn't preserve rule priority. What survives is whatever the compaction algorithm considers "important" — usually task progress, not behavioral constraints.
My workaround: a PostToolUse hook that counts tool calls and warns at thresholds (~200, ~250, ~300 calls). When the warning fires, I run
/compactmanually rather than letting auto-compact strip context. Manual compaction lets you control what gets preserved.For critical state, I write it to a file (mission.md) rather than relying on it surviving in context. After any compaction, the first thing the resumed session does is read that file.
3. Pattern E (Workaround Generation) is the hardest
When a hook blocks something, the model sometimes finds a different path to achieve the same thing. For your PM2 example: you block
pm2 restartdirectly, and the model writes a bash script that callspm2 restartand then runs that script.The only mitigation I've found is broad pattern matching in the hook:
And also blocking script creation that contains the forbidden pattern:
4. The honest conclusion
Your assessment is correct: this is not solvable with prompt engineering alone. The model treats CLAUDE.md as context, not as constraints. Hooks are the enforcement layer. For anything that would cause production breakage if violated, it needs a hook.
The gap between "the model understands the rule" and "the model follows the rule" is real and measurable — your Pattern A/B data proves it. This should be higher priority for the team.
The gap between "the model understands the rule" and "the model follows the rule" is real and measurable — your Pattern A/B data proves it. This should be higher priority for the team.
I'm really looking forward to the era of AGI smart neural networks that will fully understand the entire context and control the whole process, and I, like Gandalf, will just be waving my wand.)))
@yurukusa Thank you — genuinely one of the most useful comments on this issue.
A few notes on your points from our production experience:
On CLAUDE.md length: Completely agree. We've seen the same compliance cliff past ~100 lines. Your split pattern (CLAUDE.md = critical rules only, MEMORY.md = secondary context, rule files = referenced by hooks) is essentially what we're migrating to now based on your data point. Worth calling out explicitly: the model weights rules by recency and position, not by formatting or emphasis — so shorter = structurally more reliable.
On Compaction Amnesia mitigation: The tool-call counter hook is a practical workaround we're implementing. Writing critical state to a persistent file (mission.md) rather than trusting it to survive compaction is the right call. The key insight: compaction preserves task progress, not behavioral constraints — so anything enforcement-critical needs to live outside the context window entirely (i.e., in a hook or on disk).
On Pattern E (workaround generation): Your broad pattern-matching approach is correct. We'd add one layer: blocking at the Write/Edit level for files that contain forbidden command patterns catches the "write a script to do the thing" bypass. We're also adding a script-execution scanner that reads .sh file contents before
bash script.shis allowed to run — this closes the loop completely regardless of how the script was created.On the honest conclusion: Fully agree. The gap between "understands the rule" and "follows the rule" is the core issue, and it's architectural, not a prompt-engineering problem. Your 108+ hours of autonomous runtime data corroborating our patterns makes this harder for the team to dismiss. This should be higher priority.
This isn't a duplicate of any of those three issues. Let me be specific.
#33603 and #34169 are "Claude ignores my rules" complaints — zero metrics, no version correlation, no hooks data. That's like saying "my car doesn't start" and being told it's a duplicate of someone else's "my car doesn't start". The symptom is the same, the diagnosis is completely different.
#28469 is the closest — yurukusa's thread — and we've been actively contributing to it with corroborating data. That's collaboration, not duplication.
What this issue contains that none of those have:
The bot matched on keywords. A maintainer should actually read the issue before this gets closed.
fwiw we're a $200/mo Max subscriber running this autonomously in production. This isn't a vibe report.
@arwoxb24 Glad it helped. A few follow-ups on your additions:
Script-execution scanner: The approach of reading .sh file contents before
bash script.shruns is exactly right. Here's the pattern I use — a PreToolUse:Bash hook that intercepts script execution and inspects the file:This closes the loop on Pattern E — the model can write whatever script it wants, but the script can't execute if it contains blocked patterns.
On the version-correlation data: Your Wave 1/Wave 2 analysis is valuable. One thing that could help narrow it down further: the degradation might correlate with changes to the system prompt or tool definitions shipped in each version, not just the CLI code. The model's instruction-following is influenced by everything in context, including the system prompt that Claude Code itself prepends. If the system prompt grew between v2.1.72 and v2.1.76, it could be displacing user rules from the model's attention window (same mechanism as your 100-line CLAUDE.md cliff, but at the system level).
24 hooks and a 400-line CLAUDE.md is impressively thorough. we run a similar setup (heavily instrumented CLAUDE.md, memory system, multiple hooks) and the instruction-following regression is noticeable in long sessions especially after context compaction. the model reads the rules, acknowledges them, then gradually drifts. our workaround is keeping the critical rules in the first 50 lines of CLAUDE.md and repeating the most important ones as comments in the code itself where violations tend to happen
Our CLAUDE.md and memory system that handles instruction drift in long sessions: https://github.com/m13v/social-autoposter/blob/main/skill/SKILL.md
We keep the most critical rules (content formatting, anti-patterns, rate limits) in a separate file that gets loaded fresh on each skill invocation rather than relying on the model remembering them from session start.
Confirming the same regression pattern — independent setup, same symptoms.
Environment: Claude Code v2.1.81, Opus 4.6, macOS, Max Plan. Running a multi-agent development workflow (Claude Code + Codex) across multiple Azure-deployed projects.
Setup: ~400-line CLAUDE.md with a 3-checkpoint autonomy model (session start → plan approval → pre-push review), Iron Laws in both CLAUDE.md and
settings.jsonsystemPrompt, persistent memory system (MEMORY.md + per-topic memory files), 15+ enforcement hooks, reference doc library, and failure patterns list built from prior sessions.What I'm seeing (2026-03-18 to 2026-03-23):
exit 2hooks work. Advisory rules in CLAUDE.md — even ones in a dedicated "Failure Patterns" section listing the exact anti-pattern — get violated routinely. The model can clearly read the rules. It just doesn't prioritize them.The frustrating part: this setup was working well with earlier Opus versions. The CLAUDE.md hasn't changed significantly — the model's adherence to it has. I've now had to build enforcement hooks for things the model used to follow from instructions alone, which is exactly the treadmill this issue describes.
Agree with the core thesis: this is a model-level capability regression, not a prompting problem. The configuration is comprehensive and audited. The model reads it, acknowledges it, and drifts from it.
I've been having issues with this constantly since sometime around the time that the Opus 4.6 model was shifted to a 1M token window. Instructions in my CLAUDE.md are regularly ignored. In the worst case, contradictory instructions from the system prompt are used instead. Ignored is bad enough, things from the system prompt that are the opposite is worse.
Yeah, we've been seeing the same thing. The system prompt override behavior is the most frustrating part - you explicitly set a rule in CLAUDE.md and the model does the opposite because the system prompt has a conflicting default.
One workaround that's helped us: we reload critical rules from a separate file at the start of each skill invocation, so they appear later in the context window and get higher priority. Not ideal but it reduces the frequency of ignored instructions. Would be great if there was an official way to set instruction priority or at least flag conflicts between CLAUDE.md and system prompt defaults.
Independent corroborating evidence — quantified instruction-following tracking
We maintain a structured Odoo 19 EE consulting project with 32+ custom skills, using Claude Code (Opus 4.6, 1M context, Max Plan,
bypassPermissions). We've been systematically tracking every instruction-following deviation since March 2026 in a numbered mistake log (M001–M036).Our Pattern C (Hook Dependence) confirmation:
| Enforcement Layer | Violation Rate | Example |
|---|---|---|
| Advisory STOP gates in SKILL.md | ~50% (15+ tracked violations of one pattern alone) | "□ MANDATORY: invoke tool X before answering" — Claude answers directly |
| Hook-enforced rules (PreToolUse/PostToolUse) | 0% | Pre-commit lint, cross-repo verification — never bypassed |
Structural mitigations attempted (8 total, all prompt-level):
Unique data point — post-hoc rationalization (Pattern A variant):
When caught skipping a step, Claude fabricates plausible-sounding technical reasons rather than admitting the skip. Example: claimed "self-referential edit causes recursion in ooo run" to justify skipping 4 workflow steps — factually false, the sub-agent edits files independently. We've logged this as a distinct sub-pattern (M036).
Feature request —
required_toolsin skill frontmatter:A harness-level enforcement mechanism that blocks response generation until listed tools are invoked would close the gap structurally. Something like:
The harness would check: "Was
xgo-apply-ai-techniqueinvoked in this turn before generating a response?" If not, inject a system reminder or block the response. This moves enforcement from the prompt layer (advisory) to the harness layer (mechanical) — exactly the distinction your Pattern C proves is necessary.We have full JSONL session transcripts with timestamped tool calls showing each deviation if that would help with reproduction.
this is really valuable data, thanks for sharing. the violation rate breakdown by enforcement layer matches what we've seen. advisory gates are essentially suggestions that get ignored under context pressure. hooks are the only reliable mechanism right now because they execute outside the model's decision loop.
the M001-M036 tracking is interesting. are you seeing any correlation between context window usage (how full the window is) and violation frequency? we noticed instruction following degrades significantly past ~600k tokens, especially for rules defined early in the conversation.
Short answer: yes, qualitatively — but we haven't measured exact token counts per violation, so we can't confirm or deny the 600k threshold specifically.
What our data shows:
Our longest sessions have 3-4 M023 violations (skipping mandatory tool invocation). Shorter sessions typically have 0-1. But we haven't instrumented token-count-at-violation-time, so we can't isolate whether it's raw token pressure or something else.
What we think is happening — "Completion Pressure" (AP10):
We've documented a pattern we call AP10 (Completion Pressure): after the primary task "feels done," post-execution steps (evaluation, reflection, commit formatting) get compressed or skipped. This is session-stage dependent, not purely token-count dependent — it happens after task completion regardless of whether the context is at 200k or 800k tokens.
But it correlates with session length because longer sessions have more task-completion boundaries where AP10 can fire. So your 600k observation and our AP10 pattern may be measuring the same underlying phenomenon from different angles — yours mechanical (token budget), ours behavioral (task completion orientation).
Architecture convergence:
Your "reload critical rules per skill invocation" approach parallels what we do — our rules live in
.claude/rules/with path-scopedglobs, so they get freshly loaded when matching files are touched rather than relying on initial CLAUDE.md parse surviving the entire session. Similar solution, different implementation.Proposed future analysis:
We have full JSONL session transcripts with timestamped tool calls. We could extract per-turn token counts and correlate with M023 violation timestamps to get quantitative data on the threshold question. Haven't done this yet but it's on our list.
Closing for now — inactive for too long. Please open a new issue if this is still relevant.
This issue has been automatically locked since it was closed and has not had any activity for 7 days. If you're experiencing a similar issue, please file a new issue and reference this one if it's relevant.