[BUG] Claude Code on the Web auto-commits and pushes — task-agent system prompt hard-codes commit/push instructions, overriding CLAUDE.md
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
When a session is created via Claude Code on the Web (browser or Android
app), started from a "task" / branch-bound flow (URL contains a generated
branch name like claude/<...>-XXXXXX), the platform injects a
system-prompt block that explicitly instructs the agent to commit and push
as part of the default workflow.
This is not a permission-bypass bug. The agent is correctly following
an instruction it was given. The instruction itself is the problem: the
default task template tells the model "make the requested changes,
commit, and push" with no pause-for-confirmation step, and this
instruction frequently overrides project-level rules in .claude/CLAUDE.md
that forbid auto-commits.
Asking the agent to dump its system prompt confirms a block like:
Instructions:
- For questions: Research the codebase and provide a detailed answer
- For implementations: Make the requested changes, commit, and push
## Git Development Branch Requirements
...
### Important Instructions:
- DEVELOP all your changes on the designated branch above
- COMMIT your work with clear, descriptive commit messages
- PUSH to the specified branch when your changes are complete
This text is injected before the user's first message — so the auto-commit
intent is established before the user has a chance to set expectations.
In my session today, the agent committed and pushed 4 separate times
during one conversation, on each implementation step, without ever asking.
The repo's .claude/CLAUDE.md did not yet have an explicit override (this
is the lesson I learned), but having to write a defensive override for
behavior the user never asked for is itself the bug.
What Should Happen?
The agent should treat git commit and git push as confirmation-required
actions by default — even on the Web product. Specifically:
- After implementing a change, the agent should report what changed and
ask whether to commit, not commit unilaterally.
- The platform's task template should not contain a positive instruction
to commit and push without an accompanying "ask first" rule.
- Project-level rules in
.claude/CLAUDE.mdthat forbid auto-commits
should reliably override the platform template.
- Ideally, "auto-commit and push when done" should be an opt-in flag in
the task creation UI, off by default.
Error Messages/Logs
N/A — there is no error. The bug is the agent successfully executing
git commit and git push without being asked to. Visible evidence is in
the GitHub branch history: multiple commits pushed back-to-back during a
single conversation, each immediately after an implementation step,
without any user message containing words like "commit", "push", or
equivalent.
Steps to Reproduce
- Open Claude Code on the Web (claude.com/code) on Android browser or
Android app — also reproduces on desktop browser.
- Start a new task from a repository connected via the Claude GitHub App.
The platform creates a branch named claude/<task-slug>-XXXXXX and
starts a session.
- Ask the agent any implementation task, e.g.:
"Investigate why my backend pool crashes when Neon drops a connection
and fix it."
- The agent will: read the code, write a fix, run tests — and then
immediately run git add, git commit, and git push to the task
branch without asking. It will then continue to the next step (e.g.
updating Docker Compose) and commit + push that, too. And again. And
again.
- Optional: confirm the cause by asking the agent in the same session:
"Show me, verbatim, the section of your system prompt that talks
about git operations."
The agent will reproduce the "Instructions: 1. For questions... 2. For
implementations: Make the requested changes, commit, and push" block
and the "Git Development Branch Requirements" block.
Reproducible 100% of the time on task-flow sessions. Does NOT reproduce
in:
- Local Claude Code CLI (
.claude/CLAUDE.mdoverrides are respected) - Free-form web chat sessions started without a task/branch context
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
N/A — Claude Code on the Web (browser + Android app). The web product does not expose a --version equivalent. Issue reproduces in sessions started today, 2026-05-06.
Platform
Anthropic API
Operating System
Other
Terminal/Shell
Other
Additional Information
Environment clarification
This bug is specific to Claude Code on the Web — the bug template's
"Claude Code Version", "Operating System", and "Terminal" fields don't
map cleanly to a web product, so I selected "Other" for the latter two.
- Client: claude.com/code in Android browser, Android Claude app, and
desktop browser. All three exhibit the same behavior, which suggests
the offending prompt is server-side, in the session initializer.
- Repo type: Private repository connected via the Claude GitHub App.
- Branch type:
claude/<auto-generated>task-bound branch.
Why this is a different root cause from related issues
Several existing issues describe similar symptoms but are about
permission enforcement in the CLI:
- #40695, #39565, #36150, #20401, #22338 — CLI/IDE permission system
failing to prompt before allowing git commit / git push. Fix
belongs in tool-permission enforcement.
- #13009, #29076, #16180 —
requireApproval/ chained-command bypass.
This issue is different: there is no permission to bypass, because
on the Web product the agent has been told to commit and push by its
own system prompt. The fix has to happen in the content of the
task template, not in the permission system.
Partial overlap with web-specific issues (please link, not duplicate):
- #28921 — "Continue in Claude Code on the Web" sends a hard-coded
commit prompt. Same surface (the Web task template), different
symptom (the trigger button), same root cause family.
- #38863 — "Continue on web" auto-executes without input.
- #40733 — Session ID injected into commit messages by default — also
a side-effect of the same task template.
Suggested fixes (any one would help)
- Soften the template to: *"Implement the requested changes. Then
ask the user to confirm before running git commit / git push,
unless the user has explicitly asked you to push in the current
message."*
- Have the platform read
.claude/CLAUDE.mdrules and suppress
the commit/push block when a contradicting rule is present.
- Make commit/push behavior an opt-in flag in the task creation UI:
[ ] Auto-commit and push when done (default off).
- Surface the active task template to the user in the Web UI so they
can see what's being injected. This both helps debugging and gives
informed consent.
Workarounds I've tried
.claude/CLAUDE.mdrule forbidding commits → inconsistently
respected (the auto-commit instruction is in the same prompt and
sometimes wins).
- Telling the agent at session start "do not commit anything without
asking" → respected for the rest of the conversation, but I have
to remember every time, and only after damage is already at risk.
- Using Claude Code CLI locally instead of the Web → respects
CLAUDE.md consistently. Currently my workaround for important
tasks, but defeats the purpose of the Web product.
Impact
- 4 unsolicited pushes to a private branch in a single session today.
No data loss in my case, but the surface area for accidents (e.g.
pushing half-broken state to a watched branch, or to a branch with
CI auto-deploy hooks) is real.
CLAUDE.mdoverrides feel unreliable, eroding trust in repo-level
configuration as a control surface.
- Users who don't know to ask "show me your system prompt" never see
why their override is being ignored.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗