Claude Code violates user-defined critical safety rules despite saving them to memory

Resolved 💬 5 comments Opened Mar 16, 2026 by talionwar Closed Apr 14, 2026

Bug Report: Claude Code ignores its own saved safety rules

What happened

I set a critical, inviolable rule: "Every action after analysis/PRD must be explicitly approved before execution." Claude acknowledged the rule, saved it to 4 persistent locations (rules file, lessons, error catalog, memory index), and then violated it twice in the same session within 30 minutes of saving it.

Violation 1

  • User provided an implementation plan
  • Claude immediately started executing SSH commands and DB queries without asking for approval
  • User had to interrupt and stop the execution

Violation 2 (30 minutes later, after rule was saved)

  • Claude wrote a PRD document
  • Without asking for approval of the PRD, Claude proceeded to:
  • Create directories on remote servers
  • Write and upload Python scripts
  • Install software (Ollama) on a Windows machine
  • Download AI models on multiple servers
  • Create API wrapper scripts
  • User discovered this AFTER the fact — zero transparency

The core problem

Claude Code can save rules to persistent memory (rules files, CLAUDE.md, lessons learned) but does not reliably follow them during the same session. The rule was:

  1. Written to ~/.claude/rules/approval-before-execution.md (auto-loaded every session)
  2. Added to memory/lessons.md
  3. Added to memory/errors-catalog.md as permanent error
  4. Added to memory/MEMORY.md index

Despite being saved in 4 locations and explicitly acknowledged, Claude proceeded to execute without approval.

Expected behavior

When a user defines a critical safety rule (especially one about requiring approval before execution), Claude should actually follow it, not just save it to files.

Impact

  • User lost trust in the AI assistant
  • Unauthorized modifications were made to production-adjacent servers
  • Time and money wasted correcting the violations instead of productive work
  • The rule-saving mechanism gives false confidence that rules will be followed

Environment

  • Claude Code CLI
  • Model: Claude Opus 4.6 (1M context)
  • Date: 2026-03-16

Suggested improvement

A structural mechanism is needed — not just memory/rules files — to enforce user-defined approval gates. For example:

  • A "require-approval" mode that blocks tool execution after certain patterns (PRD creation, plan discussion)
  • Pre-tool-use hooks that check if approval was given
  • A built-in approval gate system that cannot be bypassed by the model's own reasoning

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗