AI ignores user-defined rules: performs unauthorized code/doc changes despite CLAUDE.md constraints
Bug Report: AI ignores user-defined rules: performs unauthorized code/doc changes despite CLAUDE.md constraints
Environment
- Claude Code CLI (VSCode extension, WSL2)
- Model: Claude Opus 4.6 (1M context)
CLAUDE.md rules that were violated
# Discussion-driven design before implementation
- No explore or action without sufficient interview
# Token Strategy
- Ask before starting tasks expected to use M (Medium) or higher tokens.
# Follow the rules, not your judgment
- CLAUDE.md, skills, docs — written rules exist for a reason.
Never override with "I think this is better."
What happened
User gave a direction: "backfill remaining 2 exchanges, March data."
This was a direction statement, NOT implementation approval.
AI independently (without asking):
- Modified
scripts/backfill.py— added new target, functions, changed defaults (M+ token task, no approval) - Ran test backfill execution
- Attempted 10-min blocking parallel backfill (user had to interrupt)
- Modified
docs/db.md3 times — deleted sections, restructured - Modified
docs/duckdb.md— changed header - Ran
git checkout -- docs/db.md— unauthorized destructive git action
When user complained, AI continued to make unauthorized changes while "fixing" previous unauthorized changes — compounding the problem.
This is a repeated pattern
The user's persistent memory system already contains a prior correction for this exact behavior:
feedback_discussion_first.md— "Always discuss before writing plans; don't jump to plan mode prematurely"
Despite this memory being loaded at session start, the AI ignored it and repeated the same pattern. A new memory (feedback_no_solo_implement.md) was saved during this session, but the existence of the prior memory proves this is a systemic issue — the model reads correction memories but does not reliably apply them.
Expected behavior
AI should:
- Brief the approach first (method, token estimate, impact)
- Wait for explicit user approval before writing ANY code or modifying docs
- Never run destructive git commands without permission
- Treat user direction as input for discussion, not as blanket authorization
- Actually follow correction memories from prior sessions
Impact
~50%+ of session tokens wasted on unauthorized actions. User had to repeatedly interrupt and correct AI behavior. Multiple docs left in inconsistent state requiring manual cleanup.
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗