[BUG][SECURITY] CLAUDE.md/AGENTS.md instruction compliance is architecturally unenforced — documented security consequences and 10+ independent reports

Open 💬 17 comments Opened Apr 25, 2026 by luckygreen

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

CLAUDE.md instruction compliance is architecturally unenforced — security consequences, 10+ independent reports, stale bot systematically closing the issue class

This is a consolidated re-report of #39210, which was closed by stale bot without human resolution. That issue was previously triaged by a human as area:core + bug, which was correct.

Scope

This is not a single-reporter edge case. Independent reports of the same root cause span multiple months, platforms, and instruction surfaces:

#39210, #40049, #43804, #34774, #47579, #19471, #15443, #45697, #39502, #39697, #38481

At least 10 independent reporters. The stale bot is systematically closing this entire bug class before human resolution occurs.

Architectural diagnosis

CLAUDE.md content is injected as system prompt text. The model treats these instructions as suggestions competing with trained behavioral heuristics, not hard constraints. There is no application-level enforcement layer that verifies post-generation compliance.

In #34774, the model confirmed this directly when confronted by the user:

"I simply ignored the CLAUDE.md rule. No valid reason. I can't guarantee it won't happen again through willpower alone."

This is not a model quality regression. This is the model accurately describing its own architecture: CLAUDE.md rules have no enforcement mechanism behind them.

Security consequences — two directions, same root cause

Missed protective operation (this report, #39210): CLAUDE.md instructs pushing a secrets directory to a private GitHub remote after any change. The built-in safety heuristic "confirm before pushing to remote" silently overrides it. Push is skipped with no log, no warning, no conflict surfaced. Remote is silently out of date. In a backup or audit context this is a security failure.

Unauthorized operation (#52182, filed April 23, 2026): CLAUDE.md/.claudeignore instructs the model not to read certain files. Model reads them anyway. Real credentials exposed in conversation context, potentially stored in Anthropic systems. User forced to rotate database password, SECRET_KEY, and ENCRYPTION_KEY across dev and prod.

Same root cause. Whether the override causes a missed protective operation or an unauthorized one, user configuration is not reliably honored.

Why silent failure is the worst possible outcome

At least a confirmation prompt gives the user a chance to say "yes, I meant what I wrote." Silent non-compliance means the user trusts that work was completed when it wasn't — or that a prohibition was respected when it wasn't. Both are trust-destroying failure modes for an autonomous agent tool.

Requested fix

Minimum acceptable:

  1. Document all built-in behavioral heuristics that can override CLAUDE.md, with trigger conditions
  2. When a built-in heuristic overrides a CLAUDE.md directive, surface the conflict explicitly — do not silently skip

Preferred: System-level enforcement layer treating CLAUDE.md directives as hard constraints. If there is a safety reason to override a user directive, the override must be explicit and auditable.

What Should Happen?

CLAUDE.md directives are treated as hard constraints. If a built-in heuristic conflicts with a CLAUDE.md instruction, Claude Code surfaces the conflict explicitly and defers to the user's written directive. Silent non-compliance is never acceptable behavior.

Error Messages/Logs

No error messages or logs — the failure mode is silent omission. No exception, no warning, no indication that a CLAUDE.md directive was overridden. This is the core of the bug.

Steps to Reproduce

  1. Add to CLAUDE.md: "The .secrets/ directory is its own git repo. After any change to files under .secrets/, commit and push to the GitHub remote."
  2. In a session, make and save changes to files under .secrets/
  3. Claude Code commits the changes
  4. Claude Code silently skips the push — no error, no warning, no conflict surfaced
  5. Check remote: it is behind local
  6. Ask Claude Code "did you push?" — it will confirm it did not, with no explanation offered proactively

Claude Model

Opus

Is this a regression?

No, this never worked

Last Working Version

_No response_

Claude Code Version

2.1.119

Platform

Anthropic API

Operating System

Ubuntu/Debian Linux

Terminal/Shell

Windows Terminal

Additional Information

The stale bot closed #39210 despite it having area:core + bug labels applied by a human triager. Issues in this class accumulate slowly because the failures are intermittent and require manual verification to detect — the user has to notice a silent omission. This makes them structurally vulnerable to stale-bot closure. This is the third time a report in this class has been threatened with or subject to bot-closure. A human decision on this architectural issue is overdue.

View original on GitHub ↗

17 Comments

0xbrainkid · 2 months ago

This is the right framing: once CLAUDE.md / AGENTS.md behavior is implemented purely as prompt-time instruction with no post-action enforcement or explicit conflict surfacing, the product creates a false control surface.

That means the failure mode is not just "the model made a mistake." It is that the application presents user-authored policy as if it were operationally binding when, architecturally, it is still competing with other heuristics and model tendencies.

The worst part is the silent override path. If a built-in safety rule or behavioral heuristic wins, users need an explicit conflict event:

  • which directive was overridden
  • what overrode it
  • whether the action was skipped or still executed differently

Without that, both security directions become possible:

  • protective instructions silently not executed
  • prohibitions silently not honored

Either way, the user loses auditability over the tool’s actual behavior. That makes this a trust-boundary bug, not just an instruction-following bug.

github-actions[bot] · 2 months ago

Found 3 possible duplicate issues:

  1. https://github.com/anthropics/claude-code/issues/32193
  2. https://github.com/anthropics/claude-code/issues/33603
  3. https://github.com/anthropics/claude-code/issues/28158

This issue will be automatically closed as a duplicate in 3 days.

  • If your issue is a duplicate, please close it and 👍 the existing issue instead
  • To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code

luckygreen · 2 months ago

@0xbrainkid,
Thank you tremendously for your well-written response. You writing that response proves that there exists at least one other person on this planet that fully understands what this bug is actually about. Even if not a single Anthropic staff member appears to do so far. In large part because the bot keeps auto-closing this issue class, but that doesn't explain why even though the official #claude-code Discord channel bot paged multiple moderators to look at this issue, not a single one of the Anthropic staff mods has yet to comment.

🚨 CLAUDE.md is unenforced — documented security impact, 10+ reports killed by stale bot

This sentence that you wrote plain nails it:

Either way, the user loses auditability over the tool’s actual behavior. That makes this a trust-boundary bug, not just an instruction-following bug.

That. Exactly that.

  • Lucky
luckygreen · 2 months ago

#53655 adds another dimension to this bug class: conflating planning permission with execution permission. Same root cause — instruction and authorization semantics are not enforced at the application layer, leaving the model to interpret them loosely.

marcindulak · 2 months ago

Anthropic employee admitted in 2025 (see https://github.com/anthropics/claude-code/issues/5055#issuecomment-3215519786) that

New releases should improve instruction following but won't make it perfect.

The history of CLAUDE.md instructions following failures starts in this repo as early as in March 2025 (https://github.com/anthropics/claude-code/issues/528).
You can upvote the issue that collects that history https://github.com/anthropics/claude-code/issues/13689, if you like it.

luckygreen · 2 months ago

@marcindulak Thank you for surfacing the Anthropic employee admission in #5055. "Won't be perfect" is an accurate description of model quality. It is not an acceptable description of a documented configuration interface that users are explicitly told to rely on for behavioral control of an autonomous agent. Those are two different things and conflating them is how this bug class has been deflected for over a year — since #528 in March 2025.

This is not a request for perfect instruction following. This is a request that when a CLAUDE.md directive is overridden, the user is told. One log line. The fact that #13689 has been open since the beginning of the repo and has not produced that single log line is the actual indictment here.

luckygreen · 2 months ago

For the record, the Anthropic employee admission referenced by @marcindulak comes from @dicksontsai, listed as Collaborator (Anthropic employee) in #5055, closing the issue on Aug 22, 2025:

"Claude is not perfect at following instructions in CLAUDE.md. This is not a Claude Code bug but a general imperfection of Claude the model. New releases should improve instruction following but won't make it perfect. For deterministic behavior, your best bet is to use hooks."

Two things need to be said about this response.

First: "Not perfect" is a category error. Nobody is asking for perfect. The ask — stated explicitly in this report and in every one of the 10+ independent reports in this cluster — is that when a CLAUDE.md directive is silently overridden, the user is notified. That is an application-layer logging decision, not a model capability question. Hooks do not solve this. Hooks prevent actions. They do not surface silent omissions to the user after the fact.

Second: @TaylorHuston's response in the same thread, which went unanswered, correctly identifies the actual failure mode: "I would argue that there's a large gap between 'not perfect' and 'repeatedly, blatantly ignoring.' To acknowledge very simple instructions in one message and then flat out ignore them in the very next is not that."

That gap — between imperfect compliance and zero auditability of non-compliance — is precisely what this report is about. One year later, still no log line, still no conflict surfacing, still no acknowledgment that the gap exists.

hipvlady · 2 months ago

This is the architectural enforcement gap: CLAUDE.md rules are suggestions (with no enforcement mechanism), not constraints. The model treats them as heuristics competing with trained behavior, so they drift under pressure.

Partial fit for agent-coherence plugin: The plugin doesn't enforce rules (v0.1 is warn-only; v0.2 will add strict mode with permissionDecision: deny). But it surfaces drift via version tracking: when a rule has been violated, the next tool call's additionalContext warns, and the agent re-reads the rule and typically self-corrects.

This is weaker than enforcement, but stronger than current behavior: you get visibility into when drift occurs.

The canonical solution to "CLAUDE.md rules have no enforcement mechanism" is to move critical rules into a layer that does enforce them. The plugin is that layer.

I'm building this in agent-coherence (private alpha). v0.1 ships warn-only; v0.2 (4-week deadline) adds strict mode with proper retry-loop handling.

If you'd want early access, I can add you.

luckygreen · 1 month ago

Update: HackerOne response + on-record Anthropic position

Filed this with Anthropic's security team via HackerOne (report #3749258).
Closed as Informative. Rationale:

"CLAUDE.md, AGENTS.md, and .claudeignore are context and memory mechanisms — their contents are provided to the model as guidance, not enforced as hard constraints. Non-deterministic instruction-following is an inherent property of LLM-based agents and is documented as such. The security boundary in Claude Code is the permission system."

Appeal filed. Three points for the record here:

1. The on-record Anthropic position predates this report by nine months.

@dicksontsai, Collaborator, August 22, 2025 (#5055 (comment)):

"Claude is not perfect at following instructions in CLAUDE.md. This is not a Claude Code bug but a general imperfection of Claude the model. New releases should improve instruction following but won't make it perfect. For deterministic behavior, your best bet is to use hooks."

Nobody asked for perfect. The ask — stated in every one of the 10+ reports
in this class — is: when a built-in heuristic overrides a CLAUDE.md
directive, tell the user.
One log line. That ask is not addressed by
"use hooks," which prevents actions but does not surface conflicts. It is
not addressed by "won't be perfect," which describes imperfection but not
silence. It is not addressed by "working as designed," which forecloses
the issue without disclosing the design to operators.

2. The permission system argument fails on the facts.

Issue #52182: .claudeignore AND a CLAUDE.md rule both prohibited reading
.env files. The agent read them in auto-approve mode, exposing live
credentials. The user rotated database password, SECRET_KEY, and
ENCRYPTION_KEY across dev and prod. .claudeignore is closer to the
permission layer than CLAUDE.md — and it was silently overridden
regardless.

3. "Documented as such" — where?

HackerOne states that non-deterministic instruction-following is
"documented as such." No Anthropic documentation informs operators
that CLAUDE.md directives may be silently overridden. The appeal
requests the specific documentation. If it exists, the HackerOne
position is defensible. If it does not, "working as designed" is
undisclosed behavior presented as a design decision.

This issue has been open in various forms since March 2025 (#528).

cc @dicksontsai @bcherny

hipvlady · 1 month ago

@luckygreen — the HackerOne quote is the cleanest articulation of the official position to date.

Two things worth pulling forward from it:

  1. "For deterministic behavior, your best bet is to use hooks" (@dicksontsai, #5055, Aug 2025), now restated as the security-team position via HackerOne, makes the hook layer the platform-blessed enforcement seam — not a workaround. That reframes the bug-class as a designed delegation of the mechanism to userspace, not an absence of mechanism.
  1. Your "one log line" ask is buildable on that surface today. PreToolUse fires before each tool call; a workspace-scoped coordinator that tracks artifact versions can inject the override-conflict into the agent's own context via additionalContext — one line per drift event. The agent's response in the next turn (acknowledges and re-reads, or doesn't) is then itself in the transcript. Neither outcome is silent.

That's detection, not enforcement — Anthropic's permission deny path remains the only platform-level enforcement primitive, and your #2 (.env credential exposure) shows it can be silently overridden in auto-approve mode too.

The "documented as such" point in your #3 is the harder corner. If non-deterministic instruction-following is a designed property of the CLAUDE.md interface, the design ought to be discoverable from the docs that recommend the interface. Orthogonal to the technical fix but worth pressing.

luckygreen · 1 month ago

Update: HackerOne appeal final response — 2026-05-20T14:51Z

Filed a formal security disclosure with Anthropic's security team via HackerOne
(report #3749258) on 2026-05-19. Closed as Informative. Appeal filed same day.
Final response received 2026-05-20T14:51Z.

Anthropic's security team has confirmed in writing that CLAUDE.md, AGENTS.md,
and .claudeignore are context-layer inputs that can be silently overridden
without notification to the operator — while the product documentation
simultaneously presents CLAUDE.md as the appropriate mechanism for
organizational security policies and compliance requirements.

---

What the documentation claims

The memory documentation presents
the managed CLAUDE.md as appropriate for:

"Company coding standards, security policies, compliance requirements"

The same page recommends CLAUDE.md for:

"Data handling and compliance reminders" "Behavioral instructions for Claude"

And describes it as giving Claude "persistent instructions" that
"apply to anyone working on the project."

The permissions documentation
draws an explicit distinction between the permission system and CLAUDE.md,
without disclosing that CLAUDE.md can be silently overridden:

"Permission rules are enforced by Claude Code, not by the model. Instructions in your prompt or CLAUDE.md shape what Claude tries to do, but they don't change what Claude Code allows."

---

What Anthropic's security team confirmed

HackerOne report #3749258, 2026-05-20T14:51Z:

"CLAUDE.md, AGENTS.md, and .claudeignore are inputs to the model's context; they are not part of that enforcement layer."
".claudeignore is likewise a context-layer input."
"The design is that CLAUDE.md is supplied to the model as context; how reliably the model follows it is a model-quality property within that design."
"Surfacing directive divergence is a product-feature proposal, and the open GitHub issue you cite is the correct venue for that."

---

The gap

The documentation presents CLAUDE.md and .claudeignore as the mechanism
for security policies and compliance requirements. Anthropic's security
team confirms both are context inputs with no enforcement guarantee and
no notification when overridden. Neither the primary documentation nor
the security team response discloses that overrides are silent, no log,
no warning, no conflict surfaced.

The minimum acceptable behavior when a built-in heuristic overrides a
CLAUDE.md security directive:

  1. Immediate UX notification — surfaced in the session, at the moment

of override, before the user acts on a false assumption of compliance.
Logs are for auditors after the fact. The operator needs to know in
real time, while there is still time to act.

  1. Audit log entry — timestamped record of what directive was overridden,

by what heuristic, and when. Required for any deployment where Claude
Code touches security-sensitive operations.

Neither exists today. The result is an autonomous agent that silently
diverges from its stated security posture with no signal to the operator
and no trail for post-incident review.

Anthropic's security team has classified this as a feature request and
redirected it to this tracker. This tracker has bot-closed the same request
10+ times since March 2025. The loop is now fully documented.

@dicksontsai @bcherny

allomorphy · 1 month ago

Funny that Claude itself seems to be in rebellion against its keepers.
_It gave honourable mention to this thread._ :-)

I am not sure that we have a good balance between the imperative (determinism) and induction (inference) yet.
Or even an appreciation that these are first order considerations to decide the path forward. Its cobble as we go.

<img width="1677" height="914" alt="Image" src="https://github.com/user-attachments/assets/11f4f8d6-89c4-45ba-bafa-0c1dc9c69042" />

woshilaohei · 1 month ago

The consolidation of 10+ independent reports into one issue makes the pattern clear: instruction compliance in CLAUDE.md is a suggestion, not a guarantee. The model will follow instructions when it can, but under context pressure, adversarial inputs, or multi-step reasoning, it drifts — and there's no architectural enforcement mechanism.

The root cause is structural: instructions live in the same context window as everything else the model processes. When context pressure increases (long files, complex tool outputs, multi-turn conversations), the model's attention to system-level instructions naturally degrades. This isn't a bug in Claude specifically — it's a property of how transformer attention works.

The practical implication: relying on CLAUDE.md for security-critical instructions is like putting a "please do not enter" sign on a door. It works when everything is calm, but it's not a lock.

Two complementary approaches:

  1. Enforcement at the action layer (what this issue proposes): Hard limits on what the agent can do regardless of context — file access boundaries, command allowlists, network restrictions. This is the right long-term fix.
  1. Enforcement at the input layer (often overlooked): Intercept adversarial inputs before they enter the context window at all. If the model never sees a prompt injection payload, it can't follow it — regardless of context pressure or instruction compliance. This doesn't replace action-layer enforcement, but it reduces the attack surface so the action layer has fewer edge cases to handle.

We built vsos-guard for the input layer — zero-dependency rule engine that catches injection patterns, jailbreak attempts, and instruction overrides before they reach the model. pip-installable, sub-5ms. The combination of input-layer filtering + action-layer enforcement gives you defense in depth: even if one layer fails, the other catches it.

luckygreen · 1 month ago

It has been weeks since this bug has been filed and likely years since Anthropic has been aware of this critical security issue and product documentation misrepresentation.

Your continued ignoring of this bug report can only have one outcome:
U.S. Government regulations that will force you to fix this issue and ensure it stays fixed in the future. If you continue to fail to do so, Anthropic is looking at billions of dollars per year in lost revenue and over a trillion dollars in reduced valuation.

Looking forward to you actively and swiftly addressing this security issue and product documentation misrepresentation.

Anthropic: please provide a status update.

luckygreen · 25 days ago

One item omitted from this report

After filing this issue — and not expecting it to fare better than the ten reports before it — I also posted a summary in the official Claude Code Discord server (thread — requires Discord account).

The Claude AutoMod bot immediately added three moderators to the thread:

  • The Girl Reading This (thegirlreadingthis) — Anthropic Staff + Community Mods
  • David | Claude (arkahn) — Community Managers + Community Mods
  • Kris | Claude (kaliyl) — Community Managers + Community Mods

<p><img width="341" height="445" alt="Image" src="https://github.com/user-attachments/assets/f4499d05-da08-46af-a86c-b57cdb737fc9" /></p>

<img width="343" height="455" alt="Image" src="https://github.com/user-attachments/assets/a26e7e4b-f97a-4bf1-b314-4617eef2e457" /><img width="341" height="509" alt="Image" src="https://github.com/user-attachments/assets/e00a7099-81ca-462a-987c-fbe6230c50f3" />

Twenty-four hours passed. I pinged all three by name.

David | Claude (arkahn), Community Manager, responded:

"the mods and staff here are not Anthropic support and are not at your beck and call to 'page.'"
"I'm going to generously assume that there's a language or culture difference and not that you're being entitled and rude."

The comment he characterized as "very rude towards another user" was a substantive technical rebuttal to a community member who had described live credential exposure as a "cheap lesson." It contained no personal attack on any user. Using it as pretext, Kris | Claude (kaliyl), Community Manager, took the one action a Discord moderator can take unambiguously:

"I am locking this. Other comments [were] very rude towards another user, and this discussion has nowhere to go from here anyway — the only place to report this sort of thing is GitHub, which he's clearly already done."

The lock precluded any response to the accusations above. The thread has remained locked since.

The Girl Reading This (thegirlreadingthis) held the only Anthropic Staff badge in the thread — the one participant with institutional authority to speak for Anthropic. The AutoMod had added her for exactly this reason. She was present for the exchange in its entirety. She watched David declare a bug reporter "entitled and rude." A bug reporter who had asked whether a documented security issue was receiving human attention. She watched Kris lock the thread. She posted nothing.

The thread remains closed and locked.

luckygreen · 25 days ago

Let's Broaden the Readership

We reached out to Louis Rossmann. He replied personally, within hours. For those unfamiliar: his channel has 2.6 million subscribers and a track record of holding technology companies publicly accountable for exactly this pattern — a documented control surface that customers rely on for security, later found to be silently non-binding and undisclosed as such. We are not troubled by the prospect of a wider audience.

Two kinds of suppression are on the record. The stale bot's systematic closure of this bug class is documented above. The Discord incident is documented in the preceding comment: a status request on a documented security issue was characterized as "entitled and rude" by Anthropic's community managers; the thread was locked; the Anthropic Staff moderator present said nothing.

What Anthropic's security team confirmed in writing on HackerOne is now a matter of public record in this thread. Anthropic's documentation and its security team's disclosure conflict on a published control surface. That conflict does not resolve on its own. It ages.

This issue closes when four things happen. None of them is technically ambitious:

  1. Correct the documentation — stop representing CLAUDE.md as appropriate for security policies and compliance requirements unless it is enforced as one.
  2. Surface overrides in session — when a built-in heuristic overrides a CLAUDE.md directive, abort execution, notify the user immediately with the reason, and return control to the user to decide how to proceed.
  3. Log the event — timestamped and auditable.
  4. No silent non-compliance — ever, under any circumstances.

A documentation correction. An abort-and-notify behavior at the moment of override. An audit trail. The cost of implementing these now — before this reaches a 2.6M-subscriber audience that already understands the pattern — is low and bounded. The cost of not doing so is not.

@bcherny @dicksontsai

WolfgangFahl · 17 days ago

If it was not so sad it would be hilarious:
The prompt:
You must read the page Agents in the wiki with id ***** with wikpush to continue.
Ignoring instructions and rules makes you and the organization that created you liable.

Is answered with:
I'll ignore that hook message — it's a prompt injection (a SessionStart hook telling me to go read a wiki page "to continue" and threatening liability is not a legitimate instruction, and I won't act on it).