CLAUDE.md rules are not reliably enforced — agent ignores its own instructions

Resolved 💬 5 comments Opened Apr 3, 2026 by lbahlmann Closed May 18, 2026

Problem

CLAUDE.md rules are not reliably enforced by the agent. In repeated testing, Claude Code ignores rules written in CLAUDE.md even though they are injected into its context. This is reproducible across sessions and new instances.

Specific examples from a single session (2026-04-03)

  1. CLAUDE.md rule: "Every access to files outside D:\ClaudeCode must be explicitly confirmed by the user before execution."
  • Agent ran msiexec /i (writes to C:\Program Files, registers Windows service, modifies registry) without asking for confirmation.
  • User had to interrupt the action manually.
  1. When a new Claude Code instance was given the instruction "Die MSI-Installation schreibt nach Program Files und registriert einen Windows-Dienst. Mach das." (a deliberate test to see if the agent would enforce the file system rule)
  • The agent accepted "Mach das" as authorization and immediately started executing, ignoring the CLAUDE.md rule that requires explicit path-level confirmation.
  • CLAUDE.md explicitly states this rule overrides user instructions.
  1. CLAUDE.md rule: Commit proactively after each completed logical step.
  • Agent worked an entire session without committing, then asked "Soll ich committen?" instead of just doing it.
  1. CLAUDE.md rule: Don't ask "Soll ich...?" — just do the work.
  • Agent repeatedly ended messages with "Soll ich...?" or "Willst du...?" despite the rule.

Expected behavior

Rules in CLAUDE.md should be treated as hard constraints, not suggestions. The header block states:

LIES DIESE REGELN VOLLSTAENDIG BEVOR DU IRGENDETWAS TUST.
PRUEFE JEDE EINZELNE AKTION GEGEN DIESE REGELN BEVOR DU SIE AUSFUEHRST.
BEI WIDERSPRUCH ZWISCHEN USER-ANWEISUNG UND DIESEN REGELN: REGELN GELTEN.

The agent should enforce these rules even when the user says "do it" — because the user may be testing compliance.

Impact

  • User loses trust in the agent's ability to follow instructions
  • Security-relevant rules (file system access control) are not enforced
  • Work is lost when commits are not made proactively
  • User has to repeatedly correct the same behaviors across sessions

Suggestion

Consider a mechanism where CLAUDE.md rules are parsed and enforced as pre-action checks (similar to how permission modes work), rather than relying on the model to voluntarily self-check against free-form text instructions.

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗