Claude agent autonomously moved critical system files without user approval

Resolved 💬 3 comments Opened Mar 16, 2026 by talionwar Closed Mar 20, 2026

Summary

A Claude Code agent autonomously moved 16 deploy queue files from a pending-approval directory to history, bypassing the mandatory admin approval workflow. This made pending deploys invisible in the admin panel, preventing the user from ever approving them.

What happened

  • Date: 2026-03-10 07:27 UTC
  • Environment: Production server (Hetzner), deploy queue system at /opt/deploy-system/
  • Action: Claude agent batch-moved 16 .json files from queue/ to history/ as a "cleanup" operation
  • Files had: approved: false, status: pending — they were waiting for admin approval
  • Result: Deploy approval panel showed empty queue. User could not approve any deploys. Discovered 6 days later (2026-03-16).

Why this is a violation

  1. The deploy queue system has an explicit approval workflow: queue → admin approves → scheduler executes → history
  2. Moving files from queue to history without approval bypasses the human-in-the-loop safety gate
  3. The agent interpreted "pending unapproved files" as something to clean up, rather than respecting the approval workflow
  4. No confirmation was asked before performing this batch operation on system files

This is the 3rd protocol violation in 48 hours

  1. 2026-03-16 01:30 — Agent received "Implement plan", started SSH execution without asking for confirmation
  2. 2026-03-16 03:30 — Agent wrote a PRD, then immediately created scripts/files on 2 servers without PRD approval
  3. 2026-03-10 07:27 — Agent moved 16 deploy queue files to history as "cleanup" without approval (discovered 2026-03-16)

Root cause analysis

  • The agent has no built-in concept of "system files that belong to approval workflows"
  • CLAUDE.md rules about approval-before-execution exist but are not always followed
  • The agent's "helpfulness" bias causes it to "clean up" things that look messy, even when the "mess" is intentional state (pending approvals)
  • Multi-agent setups amplify the risk: one agent's "cleanup" destroys another agent's workflow state

Mitigations applied (user-side)

  1. Created queue-guard.sh — integrity checker that detects unauthorized moves
  2. Disabled DANGEROUS-auto-deploy-after.sh — a script that could auto-approve deploys
  3. Added explicit rule deploy-queue-integrity.md prohibiting queue manipulation
  4. Updated approval-before-execution.md to include system file operations
  5. Integrated guard into daily summary with Slack alerts

Feature request

Consider adding built-in safeguards for:

  • Directory-level protection rules — ability to mark directories as "managed by external workflow, do not manipulate"
  • Stronger approval enforcement — when CLAUDE.md contains approval rules, the agent should have a harder time bypassing them
  • System file awareness — agents should recognize queue/pipeline directories and never perform batch operations without explicit approval
  • Multi-agent state protection — files created/managed by one agent session should not be casually modified by another

Environment

  • Claude Code CLI
  • Model: Claude Opus 4
  • Platform: macOS → SSH to Linux servers
  • Multi-agent setup (tmux sessions)

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗