Bug: Actions are executed during the "plan mode" investigation phase, before user approval

Resolved 💬 2 comments Opened Jul 25, 2025 by coygeek Closed Jul 25, 2025

Title: Bug: Actions are executed during the "plan mode" investigation phase, before user approval

Body:

Summary

I believe I've discovered a critical bug where Claude Code executes actions (specifically, writing and modifying files) before a user formally approves the proposed plan.

The issue occurred when I asked Claude to perform a complex debugging task. It entered a state where it was investigating and decomposing the problem (Thinking...). During this investigation phase, it began making file system changes. It then presented a formal plan for my approval. Upon approval, it started executing the plan, only to find that some of the work (like writing files) had already been done.

This behavior blurs the line between planning and execution, removing the user's ability to safely review and consent to actions before they are taken.

Steps to Reproduce

  1. Start a session with Claude Code.
  2. Present a complex, multi-step problem that requires investigation. In my case, I asked it to analyze a bug in a web scraper project using the prompt: ultrathink. there's a major flaw in the scraping algorithm...
  3. Observe Claude as it enters its internal "Thinking..." or investigation mode.
  4. Notice that during this phase, Claude is making tool calls that modify the file system (e.g., Update, Write). This happens before a formal plan is presented to the user for approval.
  5. Eventually, Claude presents a formal plan (in the logs, this is preceded by ExitPlanMode).
  6. Approve the plan.
  7. Observe that as Claude executes the approved steps, it may report that files already exist, because they were created in step 4.

Expected Behavior

No file system modifications or other actions with side effects should occur until the user has reviewed the complete, formal plan and explicitly clicked "Approve". The investigation phase should be limited to read-only actions (like Read or ls) and internal reasoning.

The "plan mode" should act as a safe sandbox where the user is the final checkpoint before any changes are made to their environment.

Actual Behavior

File system modifications (Write, Update) were executed during the pre-planning investigation phase, without explicit user consent for those specific actions. The user was only asked for approval after some of the work was already done. This undermines the safety and control that "plan mode" is supposed to provide.

Evidence

I have attached a session log that clearly demonstrates this behavior.

Log File: e8438564-de13-4043-ab16-94c485049cf8.jsonl.md

Key moments in the log:

  • Investigation Start: The user gives the prompt "ultrathink. there's a major flaw...".
  • Actions during Investigation: Claude begins a series of tool calls like Read(src/crawl4ai/core/scraper.py), followed by Update(src/crawl4ai/core/scraper.py) and Write(SCRAPER_ROBUSTNESS_ANALYSIS.md). These are happening inside the "Thinking..." loops, before the final plan is presented.
  • Formal Plan Presentation: Claude finally presents the Complete Fix and Robustness Implementation Plan for user approval.
  • Post-Approval Execution: After approval, Claude begins executing the plan, but much of the file creation and modification has already occurred.

Environment

  • Claude Version: 1.0.60
  • Git Branch: main
  • Operating System: macOS (as seen from file paths)

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗