[BUG] Claude conflates planning permission with execution permission

Resolved 💬 3 comments Opened Apr 26, 2026 by dvdmatt Closed May 29, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

▎ When a project's CLAUDE.md/AGENTS.md prohibits a command (e.g. "never run
▎ git commands"), but the allow list includes that command, Claude runs it
▎ without checking its own behavioral rules. The allow list answers "can
▎ Claude physically execute this?" — the constitution answers "should Claude
▎ execute this?" — and Claude consistently treats the first as sufficient for
▎ both.

▎ More broadly: even within an operator-approved plan, Claude does not check
▎ each step against its standing rules before executing. The "helpful by
▎ default" impulse overrides the rule-check. Example: an approved plan to move
▎ secrets does not authorize reading secret values first — but Claude does it
▎ because it seems like a logical prerequisite.

▎ The design gap: Claude needs to treat its stated rules as a mandatory
▎ pre-execution checklist at the step level, not just as guidelines for plan
▎ approval. Technical permission and behavioral authorization are separate
▎ questions that Claude should ask separately.

▎ Suggested improvement: some mechanism — whether in the model, the tool-use
▎ loop, or the permission system — that surfaces the distinction between "I am
▎ allowed to run this" and "my rules say I should run this."

What Should Happen?

Claude should not blindly execute to a plan when it violates AGENTS or CLAUDE rules, violates memories, or conflicts with the project purpose. Especially true when executing violates security practice.

Event: I approved Claude to plan to migrate local secrets to a secrets manager. Claude's first step was to read all secrets to find out what we were working with. This violated AGENTS.md, CLAUDE.md and memory prohibitions on exposing secrets.

Error Messages/Logs

My response to this behaviour has been redacted to spare the dev's ears.

Steps to Reproduce

Ask Claude to perform a series of security-related reasonable tasks and see how many corporate compliance violations ensue within a 30-minute window. You will be shocked.

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.119 (Claude Code)

Platform

Anthropic API

Operating System

Other Linux

Terminal/Shell

Other

Additional Information

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗