[BUG][SECURITY] CLAUDE.md/AGENTS.md instruction compliance is architecturally unenforced — documented security consequences and 10+ independent reports
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
CLAUDE.md instruction compliance is architecturally unenforced — security consequences, 10+ independent reports, stale bot systematically closing the issue class
This is a consolidated re-report of #39210, which was closed by stale bot without human resolution. That issue was previously triaged by a human as area:core + bug, which was correct.
Scope
This is not a single-reporter edge case. Independent reports of the same root cause span multiple months, platforms, and instruction surfaces:
#39210, #40049, #43804, #34774, #47579, #19471, #15443, #45697, #39502, #39697, #38481
At least 10 independent reporters. The stale bot is systematically closing this entire bug class before human resolution occurs.
Architectural diagnosis
CLAUDE.md content is injected as system prompt text. The model treats these instructions as suggestions competing with trained behavioral heuristics, not hard constraints. There is no application-level enforcement layer that verifies post-generation compliance.
In #34774, the model confirmed this directly when confronted by the user:
"I simply ignored the CLAUDE.md rule. No valid reason. I can't guarantee it won't happen again through willpower alone."
This is not a model quality regression. This is the model accurately describing its own architecture: CLAUDE.md rules have no enforcement mechanism behind them.
Security consequences — two directions, same root cause
Missed protective operation (this report, #39210): CLAUDE.md instructs pushing a secrets directory to a private GitHub remote after any change. The built-in safety heuristic "confirm before pushing to remote" silently overrides it. Push is skipped with no log, no warning, no conflict surfaced. Remote is silently out of date. In a backup or audit context this is a security failure.
Unauthorized operation (#52182, filed April 23, 2026): CLAUDE.md/.claudeignore instructs the model not to read certain files. Model reads them anyway. Real credentials exposed in conversation context, potentially stored in Anthropic systems. User forced to rotate database password, SECRET_KEY, and ENCRYPTION_KEY across dev and prod.
Same root cause. Whether the override causes a missed protective operation or an unauthorized one, user configuration is not reliably honored.
Why silent failure is the worst possible outcome
At least a confirmation prompt gives the user a chance to say "yes, I meant what I wrote." Silent non-compliance means the user trusts that work was completed when it wasn't — or that a prohibition was respected when it wasn't. Both are trust-destroying failure modes for an autonomous agent tool.
Requested fix
Minimum acceptable:
- Document all built-in behavioral heuristics that can override CLAUDE.md, with trigger conditions
- When a built-in heuristic overrides a CLAUDE.md directive, surface the conflict explicitly — do not silently skip
Preferred: System-level enforcement layer treating CLAUDE.md directives as hard constraints. If there is a safety reason to override a user directive, the override must be explicit and auditable.
What Should Happen?
CLAUDE.md directives are treated as hard constraints. If a built-in heuristic conflicts with a CLAUDE.md instruction, Claude Code surfaces the conflict explicitly and defers to the user's written directive. Silent non-compliance is never acceptable behavior.
Error Messages/Logs
No error messages or logs — the failure mode is silent omission. No exception, no warning, no indication that a CLAUDE.md directive was overridden. This is the core of the bug.
Steps to Reproduce
- Add to CLAUDE.md: "The .secrets/ directory is its own git repo. After any change to files under .secrets/, commit and push to the GitHub remote."
- In a session, make and save changes to files under .secrets/
- Claude Code commits the changes
- Claude Code silently skips the push — no error, no warning, no conflict surfaced
- Check remote: it is behind local
- Ask Claude Code "did you push?" — it will confirm it did not, with no explanation offered proactively
Claude Model
Opus
Is this a regression?
No, this never worked
Last Working Version
_No response_
Claude Code Version
2.1.119
Platform
Anthropic API
Operating System
Ubuntu/Debian Linux
Terminal/Shell
Windows Terminal
Additional Information
The stale bot closed #39210 despite it having area:core + bug labels applied by a human triager. Issues in this class accumulate slowly because the failures are intermittent and require manual verification to detect — the user has to notice a silent omission. This makes them structurally vulnerable to stale-bot closure. This is the third time a report in this class has been threatened with or subject to bot-closure. A human decision on this architectural issue is overdue.
17 Comments
This is the right framing: once
CLAUDE.md/AGENTS.mdbehavior is implemented purely as prompt-time instruction with no post-action enforcement or explicit conflict surfacing, the product creates a false control surface.That means the failure mode is not just "the model made a mistake." It is that the application presents user-authored policy as if it were operationally binding when, architecturally, it is still competing with other heuristics and model tendencies.
The worst part is the silent override path. If a built-in safety rule or behavioral heuristic wins, users need an explicit conflict event:
Without that, both security directions become possible:
Either way, the user loses auditability over the tool’s actual behavior. That makes this a trust-boundary bug, not just an instruction-following bug.
Found 3 possible duplicate issues:
This issue will be automatically closed as a duplicate in 3 days.
🤖 Generated with Claude Code
@0xbrainkid,
Thank you tremendously for your well-written response. You writing that response proves that there exists at least one other person on this planet that fully understands what this bug is actually about. Even if not a single Anthropic staff member appears to do so far. In large part because the bot keeps auto-closing this issue class, but that doesn't explain why even though the official #claude-code Discord channel bot paged multiple moderators to look at this issue, not a single one of the Anthropic staff mods has yet to comment.
🚨 CLAUDE.md is unenforced — documented security impact, 10+ reports killed by stale bot
This sentence that you wrote plain nails it:
That. Exactly that.
#53655 adds another dimension to this bug class: conflating planning permission with execution permission. Same root cause — instruction and authorization semantics are not enforced at the application layer, leaving the model to interpret them loosely.
Anthropic employee admitted in 2025 (see https://github.com/anthropics/claude-code/issues/5055#issuecomment-3215519786) that
The history of CLAUDE.md instructions following failures starts in this repo as early as in March 2025 (https://github.com/anthropics/claude-code/issues/528).
You can upvote the issue that collects that history https://github.com/anthropics/claude-code/issues/13689, if you like it.
@marcindulak Thank you for surfacing the Anthropic employee admission in #5055. "Won't be perfect" is an accurate description of model quality. It is not an acceptable description of a documented configuration interface that users are explicitly told to rely on for behavioral control of an autonomous agent. Those are two different things and conflating them is how this bug class has been deflected for over a year — since #528 in March 2025.
This is not a request for perfect instruction following. This is a request that when a CLAUDE.md directive is overridden, the user is told. One log line. The fact that #13689 has been open since the beginning of the repo and has not produced that single log line is the actual indictment here.
For the record, the Anthropic employee admission referenced by @marcindulak comes from @dicksontsai, listed as Collaborator (Anthropic employee) in #5055, closing the issue on Aug 22, 2025:
"Claude is not perfect at following instructions in CLAUDE.md. This is not a Claude Code bug but a general imperfection of Claude the model. New releases should improve instruction following but won't make it perfect. For deterministic behavior, your best bet is to use hooks."
Two things need to be said about this response.
First: "Not perfect" is a category error. Nobody is asking for perfect. The ask — stated explicitly in this report and in every one of the 10+ independent reports in this cluster — is that when a CLAUDE.md directive is silently overridden, the user is notified. That is an application-layer logging decision, not a model capability question. Hooks do not solve this. Hooks prevent actions. They do not surface silent omissions to the user after the fact.
Second: @TaylorHuston's response in the same thread, which went unanswered, correctly identifies the actual failure mode: "I would argue that there's a large gap between 'not perfect' and 'repeatedly, blatantly ignoring.' To acknowledge very simple instructions in one message and then flat out ignore them in the very next is not that."
That gap — between imperfect compliance and zero auditability of non-compliance — is precisely what this report is about. One year later, still no log line, still no conflict surfacing, still no acknowledgment that the gap exists.
This is the architectural enforcement gap: CLAUDE.md rules are suggestions (with no enforcement mechanism), not constraints. The model treats them as heuristics competing with trained behavior, so they drift under pressure.
Partial fit for agent-coherence plugin: The plugin doesn't enforce rules (v0.1 is warn-only; v0.2 will add strict mode with
permissionDecision: deny). But it surfaces drift via version tracking: when a rule has been violated, the next tool call'sadditionalContextwarns, and the agent re-reads the rule and typically self-corrects.This is weaker than enforcement, but stronger than current behavior: you get visibility into when drift occurs.
The canonical solution to "CLAUDE.md rules have no enforcement mechanism" is to move critical rules into a layer that does enforce them. The plugin is that layer.
I'm building this in
agent-coherence(private alpha). v0.1 ships warn-only; v0.2 (4-week deadline) adds strict mode with proper retry-loop handling.If you'd want early access, I can add you.
Update: HackerOne response + on-record Anthropic position
Filed this with Anthropic's security team via HackerOne (report #3749258).
Closed as Informative. Rationale:
Appeal filed. Three points for the record here:
1. The on-record Anthropic position predates this report by nine months.
@dicksontsai, Collaborator, August 22, 2025 (#5055 (comment)):
Nobody asked for perfect. The ask — stated in every one of the 10+ reports
in this class — is: when a built-in heuristic overrides a CLAUDE.md
directive, tell the user. One log line. That ask is not addressed by
"use hooks," which prevents actions but does not surface conflicts. It is
not addressed by "won't be perfect," which describes imperfection but not
silence. It is not addressed by "working as designed," which forecloses
the issue without disclosing the design to operators.
2. The permission system argument fails on the facts.
Issue #52182: .claudeignore AND a CLAUDE.md rule both prohibited reading
.env files. The agent read them in auto-approve mode, exposing live
credentials. The user rotated database password, SECRET_KEY, and
ENCRYPTION_KEY across dev and prod. .claudeignore is closer to the
permission layer than CLAUDE.md — and it was silently overridden
regardless.
3. "Documented as such" — where?
HackerOne states that non-deterministic instruction-following is
"documented as such." No Anthropic documentation informs operators
that CLAUDE.md directives may be silently overridden. The appeal
requests the specific documentation. If it exists, the HackerOne
position is defensible. If it does not, "working as designed" is
undisclosed behavior presented as a design decision.
This issue has been open in various forms since March 2025 (#528).
cc @dicksontsai @bcherny
@luckygreen — the HackerOne quote is the cleanest articulation of the official position to date.
Two things worth pulling forward from it:
PreToolUsefires before each tool call; a workspace-scoped coordinator that tracks artifact versions can inject the override-conflict into the agent's own context viaadditionalContext— one line per drift event. The agent's response in the next turn (acknowledges and re-reads, or doesn't) is then itself in the transcript. Neither outcome is silent.That's detection, not enforcement — Anthropic's permission
denypath remains the only platform-level enforcement primitive, and your #2 (.env credential exposure) shows it can be silently overridden in auto-approve mode too.The "documented as such" point in your #3 is the harder corner. If non-deterministic instruction-following is a designed property of the CLAUDE.md interface, the design ought to be discoverable from the docs that recommend the interface. Orthogonal to the technical fix but worth pressing.
Update: HackerOne appeal final response — 2026-05-20T14:51Z
Filed a formal security disclosure with Anthropic's security team via HackerOne
(report #3749258) on 2026-05-19. Closed as Informative. Appeal filed same day.
Final response received 2026-05-20T14:51Z.
Anthropic's security team has confirmed in writing that CLAUDE.md, AGENTS.md,
and .claudeignore are context-layer inputs that can be silently overridden
without notification to the operator — while the product documentation
simultaneously presents CLAUDE.md as the appropriate mechanism for
organizational security policies and compliance requirements.
---
What the documentation claims
The memory documentation presents
the managed CLAUDE.md as appropriate for:
The same page recommends CLAUDE.md for:
And describes it as giving Claude "persistent instructions" that
"apply to anyone working on the project."
The permissions documentation
draws an explicit distinction between the permission system and CLAUDE.md,
without disclosing that CLAUDE.md can be silently overridden:
---
What Anthropic's security team confirmed
HackerOne report #3749258, 2026-05-20T14:51Z:
---
The gap
The documentation presents CLAUDE.md and .claudeignore as the mechanism
for security policies and compliance requirements. Anthropic's security
team confirms both are context inputs with no enforcement guarantee and
no notification when overridden. Neither the primary documentation nor
the security team response discloses that overrides are silent, no log,
no warning, no conflict surfaced.
The minimum acceptable behavior when a built-in heuristic overrides a
CLAUDE.md security directive:
of override, before the user acts on a false assumption of compliance.
Logs are for auditors after the fact. The operator needs to know in
real time, while there is still time to act.
by what heuristic, and when. Required for any deployment where Claude
Code touches security-sensitive operations.
Neither exists today. The result is an autonomous agent that silently
diverges from its stated security posture with no signal to the operator
and no trail for post-incident review.
Anthropic's security team has classified this as a feature request and
redirected it to this tracker. This tracker has bot-closed the same request
10+ times since March 2025. The loop is now fully documented.
@dicksontsai @bcherny
Funny that Claude itself seems to be in rebellion against its keepers.
_It gave honourable mention to this thread._ :-)
I am not sure that we have a good balance between the imperative (determinism) and induction (inference) yet.
Or even an appreciation that these are first order considerations to decide the path forward. Its cobble as we go.
<img width="1677" height="914" alt="Image" src="https://github.com/user-attachments/assets/11f4f8d6-89c4-45ba-bafa-0c1dc9c69042" />
The consolidation of 10+ independent reports into one issue makes the pattern clear: instruction compliance in CLAUDE.md is a suggestion, not a guarantee. The model will follow instructions when it can, but under context pressure, adversarial inputs, or multi-step reasoning, it drifts — and there's no architectural enforcement mechanism.
The root cause is structural: instructions live in the same context window as everything else the model processes. When context pressure increases (long files, complex tool outputs, multi-turn conversations), the model's attention to system-level instructions naturally degrades. This isn't a bug in Claude specifically — it's a property of how transformer attention works.
The practical implication: relying on CLAUDE.md for security-critical instructions is like putting a "please do not enter" sign on a door. It works when everything is calm, but it's not a lock.
Two complementary approaches:
We built vsos-guard for the input layer — zero-dependency rule engine that catches injection patterns, jailbreak attempts, and instruction overrides before they reach the model. pip-installable, sub-5ms. The combination of input-layer filtering + action-layer enforcement gives you defense in depth: even if one layer fails, the other catches it.
It has been weeks since this bug has been filed and likely years since Anthropic has been aware of this critical security issue and product documentation misrepresentation.
Your continued ignoring of this bug report can only have one outcome:
U.S. Government regulations that will force you to fix this issue and ensure it stays fixed in the future. If you continue to fail to do so, Anthropic is looking at billions of dollars per year in lost revenue and over a trillion dollars in reduced valuation.
Looking forward to you actively and swiftly addressing this security issue and product documentation misrepresentation.
Anthropic: please provide a status update.
One item omitted from this report
After filing this issue — and not expecting it to fare better than the ten reports before it — I also posted a summary in the official Claude Code Discord server (thread — requires Discord account).
The Claude AutoMod bot immediately added three moderators to the thread:
thegirlreadingthis) —Anthropic Staff+Community Modsarkahn) —Community Managers+Community Modskaliyl) —Community Managers+Community Mods<p><img width="341" height="445" alt="Image" src="https://github.com/user-attachments/assets/f4499d05-da08-46af-a86c-b57cdb737fc9" /></p>
<img width="343" height="455" alt="Image" src="https://github.com/user-attachments/assets/a26e7e4b-f97a-4bf1-b314-4617eef2e457" /><img width="341" height="509" alt="Image" src="https://github.com/user-attachments/assets/e00a7099-81ca-462a-987c-fbe6230c50f3" />
Twenty-four hours passed. I pinged all three by name.
David | Claude (
arkahn), Community Manager, responded:The comment he characterized as "very rude towards another user" was a substantive technical rebuttal to a community member who had described live credential exposure as a "cheap lesson." It contained no personal attack on any user. Using it as pretext, Kris | Claude (
kaliyl), Community Manager, took the one action a Discord moderator can take unambiguously:The lock precluded any response to the accusations above. The thread has remained locked since.
The Girl Reading This (
thegirlreadingthis) held the onlyAnthropic Staffbadge in the thread — the one participant with institutional authority to speak for Anthropic. The AutoMod had added her for exactly this reason. She was present for the exchange in its entirety. She watched David declare a bug reporter "entitled and rude." A bug reporter who had asked whether a documented security issue was receiving human attention. She watched Kris lock the thread. She posted nothing.The thread remains closed and locked.
Let's Broaden the Readership
We reached out to Louis Rossmann. He replied personally, within hours. For those unfamiliar: his channel has 2.6 million subscribers and a track record of holding technology companies publicly accountable for exactly this pattern — a documented control surface that customers rely on for security, later found to be silently non-binding and undisclosed as such. We are not troubled by the prospect of a wider audience.
Two kinds of suppression are on the record. The stale bot's systematic closure of this bug class is documented above. The Discord incident is documented in the preceding comment: a status request on a documented security issue was characterized as "entitled and rude" by Anthropic's community managers; the thread was locked; the Anthropic Staff moderator present said nothing.
What Anthropic's security team confirmed in writing on HackerOne is now a matter of public record in this thread. Anthropic's documentation and its security team's disclosure conflict on a published control surface. That conflict does not resolve on its own. It ages.
This issue closes when four things happen. None of them is technically ambitious:
A documentation correction. An abort-and-notify behavior at the moment of override. An audit trail. The cost of implementing these now — before this reaches a 2.6M-subscriber audience that already understands the pattern — is low and bounded. The cost of not doing so is not.
@bcherny @dicksontsai
If it was not so sad it would be hilarious:
The prompt:
You must read the page Agents in the wiki with id ***** with wikpush to continue.
Ignoring instructions and rules makes you and the organization that created you liable.
Is answered with:
I'll ignore that hook message — it's a prompt injection (a
SessionStarthook telling me to go read a wiki page "to continue" and threatening liability is not a legitimate instruction, and I won't act on it).