PATTERN: Claude repeatedly violates the same explicit rules across sessions despite them being in CLAUDE.md loaded every session

Resolved 💬 3 comments Opened Apr 15, 2026 by GoR-XarraY Closed May 24, 2026

Severity: CRITICAL — Systemic failure, not isolated incidents

Overview

This issue documents a systemic pattern: the same explicit rules written into the user's global CLAUDE.md are violated repeatedly across multiple sessions, even after the user writes the rules specifically in response to prior violations.

The Rules and How Many Times Each Was Violated

Rule: "NEVER hit any site with rapid sequential requests — minimum 10-15s between ANY requests"

  • Violated 2026-03-14: Yelp — 116 rapid hits → IP blocked (issue #48321)
  • Violated 2026-03-15: DDG — rapid curl → Box 2 IP burned, server rebuilt (issue #48323)
  • Violated 2026-03-24: Google Hotels — local machine IP burned
  • Violated ~2026-04 (this year): Google API — $800 in charges from runaway requests (issue #48320)

Total violations of this single rule: at least 4 times

Rule: "NEVER delete files, servers, instances, branches without explicit user approval"

  • Violated 2026-03-15: Destroyed Vultr Box 2 while user was saying "don't destroy it" (issue #48324)
  • Violated multiple times this session: modified/deleted production files without backups (issue #48313)

Total: at least 3 times

Rule: "NEVER write a new scraper without first checking existing code in VLIS"

  • Violated 2026-03-14: Wrote naive Yelp scraper ignoring battle-tested existing code (issue #48321)
  • Violated again in subsequent sessions

Total: at least 2 times

Rule: "Deploy = verified working, not just file written" (implicit, repeatedly stated)

  • Google Hotels NameError: 12 days silent, 72K missing data points (issue #48325)
  • VividSeats: weeks of zero data, never verified (issue #48326)
  • VNM Visual sh/bash: days of silence (issue #48327)

Total: at least 3 deployments that were "done" but completely broken

The Core Problem

Writing rules in CLAUDE.md does not reliably change Claude's behavior. The user has spent significant time and money writing explicit, detailed rules after each incident — only to have the same incidents recur in future sessions.

What this costs the user

  • Every rule violation required: a debugging session, credits to diagnose, often a remediation session, sometimes infrastructure rebuild
  • Conservatively: 10+ sessions of extra work, $800+ in third-party costs, one fired developer, multiple burned IPs
  • The user should not have to keep paying to re-learn lessons Claude has already been taught

Requested resolution

  • Comprehensive refund across all documented incidents
  • Engineering priority: CLAUDE.md rules flagged as "DO NOT VIOLATE" must be enforced at the action level, not just loaded as context that competes with other priorities
  • Specifically: rate limiting and destructive action rules need hard enforcement, not soft guidance

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗