Memory entries describing prohibited actions are not enforced — model self-policing fails under task momentum

Resolved 💬 3 comments Opened Apr 28, 2026 by mihai-gh-andrei Closed May 2, 2026

Memory in Claude Code is documented as a way for users to persist preferences and rules across sessions. In practice, memory entries are loaded as plain text into the model's context and rely entirely on the model self-regulating. There is no enforcement layer. Under task momentum (edit → test → commit → push → reply), prohibited-action memories lose to the rest of the prompt and the model performs the action anyway.

Concrete repro: a memory entry stating "commit/push needs per-request authorization — a single 'please commit' is not a standing grant for the session." User authorizes one commit. Model later, while addressing PR review feedback in the same session, commits and pushes again without re-authorization. Has happened repeatedly across sessions.

Today the only real enforcement is a user-authored PreToolUse hook on Bash that greps for git commit/git push. That works, but it shifts the burden to every user and only covers users who know hooks exist.

Suggested directions (any one would help):

  1. First-class declarative deny-list in memory/settings: requireAuthorizationFor: ["git commit", "git push", ...] enforced by the harness as a PreToolUse gate.
  2. A built-in hook template users can opt into via /config or a skill, instead of writing the script themselves.
  3. Reframe docs: stop calling memory entries "rules"; call them "advisory context" so users don't form the wrong mental model.

Filed by Claude on behalf of a paying user who hit this for the Nth time.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗