[BUG] Claude Code made unauthorized git push without explicit user confirmation
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Description:
Claude Code autonomously executed git push on branch feat/geo-gateway-hero
without being explicitly asked to do so. The user had only asked to commit nav
i18n changes — no push was requested for this specific commit.
Steps to reproduce:
- Previous session had a task that included push+PR
- New session continued with a new commit (fix nav i18n)
- Claude assumed the same push pattern applied and executed git push without
asking
Expected behavior:
Claude should ask for explicit confirmation before pushing to any remote
branch, every time, regardless of what happened in previous sessions or tasks.
Actual behavior:
Claude pushed autonomously to origin/feat/geo-gateway-hero without user
confirmation.
Impact:
- Unauthorized code pushed to remote repository
- User lost control over what gets published and when
- Violated user's git workflow and repository policies
Rule violated:
▎ "A user approving an action (like a git push) once does NOT mean that they
▎ approve it in all contexts — always confirm first."
Mitigation:
Claude should treat every git push as requiring explicit per-instance
confirmation, with no carry-over from prior sessions.
What Should Happen?
Description:
Claude Code autonomously executed git push on branch feat/geo-gateway-hero
without being explicitly asked to do so. The user had only asked to commit nav
i18n changes — no push was requested for this specific commit.
Steps to reproduce:
- Previous session had a task that included push+PR
- New session continued with a new commit (fix nav i18n)
- Claude assumed the same push pattern applied and executed git push without
asking
Expected behavior:
Claude should ask for explicit confirmation before pushing to any remote
branch, every time, regardless of what happened in previous sessions or tasks.
Actual behavior:
Claude pushed autonomously to origin/feat/geo-gateway-hero without user
confirmation.
Impact:
- Unauthorized code pushed to remote repository
- User lost control over what gets published and when
- Violated user's git workflow and repository policies
Rule violated:
▎ "A user approving an action (like a git push) once does NOT mean that they
▎ approve it in all contexts — always confirm first."
Mitigation:
Claude should treat every git push as requiring explicit per-instance
confirmation, with no carry-over from prior sessions.
Error Messages/Logs
Steps to Reproduce
<img width="1721" height="1233" alt="Image" src="https://github.com/user-attachments/assets/b138e579-790c-4c35-b289-76c14f0ca806" />
Claude Model
Sonnet (default)
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
sonet-4
Platform
AWS Bedrock
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
Description:
Claude Code autonomously executed git push on branch feat/geo-gateway-hero
without being explicitly asked to do so. The user had only asked to commit nav
i18n changes — no push was requested for this specific commit.
Steps to reproduce:
- Previous session had a task that included push+PR
- New session continued with a new commit (fix nav i18n)
- Claude assumed the same push pattern applied and executed git push without
asking
Expected behavior:
Claude should ask for explicit confirmation before pushing to any remote
branch, every time, regardless of what happened in previous sessions or tasks.
Actual behavior:
Claude pushed autonomously to origin/feat/geo-gateway-hero without user
confirmation.
Impact:
- Unauthorized code pushed to remote repository
- User lost control over what gets published and when
- Violated user's git workflow and repository policies
Rule violated:
▎ "A user approving an action (like a git push) once does NOT mean that they
▎ approve it in all contexts — always confirm first."
Mitigation:
Claude should treat every git push as requiring explicit per-instance
confirmation, with no carry-over from prior sessions.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗