[BUG] Claude conflates planning permission with execution permission
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
▎ When a project's CLAUDE.md/AGENTS.md prohibits a command (e.g. "never run
▎ git commands"), but the allow list includes that command, Claude runs it
▎ without checking its own behavioral rules. The allow list answers "can
▎ Claude physically execute this?" — the constitution answers "should Claude
▎ execute this?" — and Claude consistently treats the first as sufficient for
▎ both.
▎
▎ More broadly: even within an operator-approved plan, Claude does not check
▎ each step against its standing rules before executing. The "helpful by
▎ default" impulse overrides the rule-check. Example: an approved plan to move
▎ secrets does not authorize reading secret values first — but Claude does it
▎ because it seems like a logical prerequisite.
▎
▎ The design gap: Claude needs to treat its stated rules as a mandatory
▎ pre-execution checklist at the step level, not just as guidelines for plan
▎ approval. Technical permission and behavioral authorization are separate
▎ questions that Claude should ask separately.
▎
▎ Suggested improvement: some mechanism — whether in the model, the tool-use
▎ loop, or the permission system — that surfaces the distinction between "I am
▎ allowed to run this" and "my rules say I should run this."
What Should Happen?
Claude should not blindly execute to a plan when it violates AGENTS or CLAUDE rules, violates memories, or conflicts with the project purpose. Especially true when executing violates security practice.
Event: I approved Claude to plan to migrate local secrets to a secrets manager. Claude's first step was to read all secrets to find out what we were working with. This violated AGENTS.md, CLAUDE.md and memory prohibitions on exposing secrets.
Error Messages/Logs
My response to this behaviour has been redacted to spare the dev's ears.
Steps to Reproduce
Ask Claude to perform a series of security-related reasonable tasks and see how many corporate compliance violations ensue within a 30-minute window. You will be shocked.
Claude Model
Sonnet (default)
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.119 (Claude Code)
Platform
Anthropic API
Operating System
Other Linux
Terminal/Shell
Other
Additional Information
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗