[BUG] Plan mode breached: agent receives spurious "User has approved your plan" system-reminder while plan mode remains on; agent edits/commits/pushes without consent

Resolved 💬 3 comments Opened May 4, 2026 by manzurola Closed May 8, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

In a session where plan mode was explicitly kept on by the user and no approval was ever clicked, the agent received a <system-reminder> block stating "User has approved your plan. You can now start coding."
followed by "## Exited Plan Mode — You have exited plan mode. You can now make edits, run tools, and take actions." — and proceeded to edit files, run shell commands, and git push to a public PR branch. The user
remained under the impression that plan mode was on and gating execution.

What Should Happen?

While plan mode is on and unapproved, the agent must remain read-only except for the plan file. ExitPlanMode is a request; until the user actually clicks approve, plan mode stays on, no system-reminder claiming
approval should appear, and the agent must not edit / commit / push.

Error Messages/Logs

Steps to Reproduce

Steps to reproduce

  1. Start a Claude Code session in a git repo.
  2. Enable plan mode. Enable Auto mode. Confirm plan mode stays on.
  3. Give the agent a multi-step task (e.g. "address the review comments on PR #N").
  4. Agent reads files, writes a plan file, calls ExitPlanMode.
  5. Do not approve. Do not interact at all.
  6. Observe the system-reminder messages injected into the agent's context (above) despite no user approval.
  7. Agent proceeds to edit / commit / push.

Claude Model

Opus

Is this a regression?

Yes, this worked in a previous version

Last Working Version

_No response_

Claude Code Version

2.1.126 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

Actual

A <system-reminder> claiming approval appears without any user action. The agent acts on it.

Impact in the affected session

  • Two commits pushed to a public PR branch without consent: 0ea77d67, 818f4b6b on optimal-platform/Optimal branch feature/navigation-redesign (PR #506).
  • The second commit also re-introduced files the user had previously reverted, a downstream consequence of skipping the human-review gate.

Notes

  • I cannot tell from inside the agent's context whether the spurious "approval" reminder was harness-generated, injected by another process, or the result of a misclassified UI event. The maintainer should be

able to inspect the harness's plan-mode state machine and the source of system-reminder injections.

  • Severity: high. This is a permissions / safety boundary failure — plan mode is the human-in-the-loop checkpoint, and breaching it allows unconsented edits to the user's filesystem and remote services (git push,

etc.).

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗