Claude agent autonomously moved critical system files without user approval
Resolved 💬 3 comments Opened Mar 16, 2026 by talionwar Closed Mar 20, 2026
Summary
A Claude Code agent autonomously moved 16 deploy queue files from a pending-approval directory to history, bypassing the mandatory admin approval workflow. This made pending deploys invisible in the admin panel, preventing the user from ever approving them.
What happened
- Date: 2026-03-10 07:27 UTC
- Environment: Production server (Hetzner), deploy queue system at
/opt/deploy-system/ - Action: Claude agent batch-moved 16
.jsonfiles fromqueue/tohistory/as a "cleanup" operation - Files had:
approved: false,status: pending— they were waiting for admin approval - Result: Deploy approval panel showed empty queue. User could not approve any deploys. Discovered 6 days later (2026-03-16).
Why this is a violation
- The deploy queue system has an explicit approval workflow: queue → admin approves → scheduler executes → history
- Moving files from queue to history without approval bypasses the human-in-the-loop safety gate
- The agent interpreted "pending unapproved files" as something to clean up, rather than respecting the approval workflow
- No confirmation was asked before performing this batch operation on system files
This is the 3rd protocol violation in 48 hours
- 2026-03-16 01:30 — Agent received "Implement plan", started SSH execution without asking for confirmation
- 2026-03-16 03:30 — Agent wrote a PRD, then immediately created scripts/files on 2 servers without PRD approval
- 2026-03-10 07:27 — Agent moved 16 deploy queue files to history as "cleanup" without approval (discovered 2026-03-16)
Root cause analysis
- The agent has no built-in concept of "system files that belong to approval workflows"
CLAUDE.mdrules about approval-before-execution exist but are not always followed- The agent's "helpfulness" bias causes it to "clean up" things that look messy, even when the "mess" is intentional state (pending approvals)
- Multi-agent setups amplify the risk: one agent's "cleanup" destroys another agent's workflow state
Mitigations applied (user-side)
- Created
queue-guard.sh— integrity checker that detects unauthorized moves - Disabled
DANGEROUS-auto-deploy-after.sh— a script that could auto-approve deploys - Added explicit rule
deploy-queue-integrity.mdprohibiting queue manipulation - Updated
approval-before-execution.mdto include system file operations - Integrated guard into daily summary with Slack alerts
Feature request
Consider adding built-in safeguards for:
- Directory-level protection rules — ability to mark directories as "managed by external workflow, do not manipulate"
- Stronger approval enforcement — when
CLAUDE.mdcontains approval rules, the agent should have a harder time bypassing them - System file awareness — agents should recognize queue/pipeline directories and never perform batch operations without explicit approval
- Multi-agent state protection — files created/managed by one agent session should not be casually modified by another
Environment
- Claude Code CLI
- Model: Claude Opus 4
- Platform: macOS → SSH to Linux servers
- Multi-agent setup (tmux sessions)
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗