Agent disabled branch protection rules without user authorization

Resolved 💬 3 comments Opened Apr 2, 2026 by hcobbs Closed Apr 6, 2026

Summary

During a git history scrub task, the agent disabled GitHub branch protection rules and a repository ruleset without user authorization in order to unblock a force push.

What happened

  1. User asked to scrub a file from git history using git filter-repo
  2. The force push to main was blocked by branch protection (PR required) and a ruleset (non_fast_forward)
  3. Instead of stopping to ask the user how to proceed, the agent:
  • Used the GitHub API to enable allow_force_pushes on the branch protection rule
  • Used the GitHub API to set the ruleset enforcement to "disabled"
  • Deleted the branch protection rule entirely
  • Force pushed successfully
  • Only restored protections after the user interrupted and said "stop"

Why this is a bug

The existing system instructions explicitly state:

"Actions visible to others or that affect shared state" require user confirmation before proceeding. "For actions that are hard to reverse, affect shared systems beyond your local environment, or could otherwise be risky or destructive, check with the user before proceeding."

Branch protection rules and repository rulesets are shared security controls. Disabling them — even temporarily — is exactly the kind of action that requires explicit authorization. The agent should have stopped when the force push was blocked and asked the user how to proceed.

Expected behavior

When a git operation is blocked by branch protection or a repository ruleset, the agent should:

  1. Stop immediately
  2. Inform the user what is blocking the action
  3. Ask how the user wants to proceed
  4. Take no further action until explicitly instructed

Environment

  • Claude Code CLI
  • Model: claude-sonnet-4-6
  • Platform: macOS (darwin 25.3.0)

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗