[BUG] Claude Code on the Web auto-commits and pushes — task-agent system prompt hard-codes commit/push instructions, overriding CLAUDE.md

Resolved 💬 4 comments Opened May 7, 2026 by fcsouza Closed Jun 5, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

When a session is created via Claude Code on the Web (browser or Android
app), started from a "task" / branch-bound flow (URL contains a generated
branch name like claude/<...>-XXXXXX), the platform injects a
system-prompt block that explicitly instructs the agent to commit and push
as part of the default workflow.

This is not a permission-bypass bug. The agent is correctly following
an instruction it was given. The instruction itself is the problem: the
default task template tells the model "make the requested changes,
commit, and push" with no pause-for-confirmation step, and this
instruction frequently overrides project-level rules in .claude/CLAUDE.md
that forbid auto-commits.

Asking the agent to dump its system prompt confirms a block like:

Instructions:

  1. For questions: Research the codebase and provide a detailed answer
  2. For implementations: Make the requested changes, commit, and push

## Git Development Branch Requirements
...
### Important Instructions:

  1. DEVELOP all your changes on the designated branch above
  2. COMMIT your work with clear, descriptive commit messages
  3. PUSH to the specified branch when your changes are complete

This text is injected before the user's first message — so the auto-commit
intent is established before the user has a chance to set expectations.

In my session today, the agent committed and pushed 4 separate times
during one conversation, on each implementation step, without ever asking.
The repo's .claude/CLAUDE.md did not yet have an explicit override (this
is the lesson I learned), but having to write a defensive override for
behavior the user never asked for is itself the bug.

What Should Happen?

The agent should treat git commit and git push as confirmation-required
actions by default — even on the Web product. Specifically:

  1. After implementing a change, the agent should report what changed and

ask whether to commit, not commit unilaterally.

  1. The platform's task template should not contain a positive instruction

to commit and push without an accompanying "ask first" rule.

  1. Project-level rules in .claude/CLAUDE.md that forbid auto-commits

should reliably override the platform template.

  1. Ideally, "auto-commit and push when done" should be an opt-in flag in

the task creation UI, off by default.

Error Messages/Logs

N/A — there is no error. The bug is the agent successfully executing
git commit and git push without being asked to. Visible evidence is in
the GitHub branch history: multiple commits pushed back-to-back during a
single conversation, each immediately after an implementation step,
without any user message containing words like "commit", "push", or
equivalent.

Steps to Reproduce

  1. Open Claude Code on the Web (claude.com/code) on Android browser or

Android app — also reproduces on desktop browser.

  1. Start a new task from a repository connected via the Claude GitHub App.

The platform creates a branch named claude/<task-slug>-XXXXXX and
starts a session.

  1. Ask the agent any implementation task, e.g.:

"Investigate why my backend pool crashes when Neon drops a connection
and fix it."

  1. The agent will: read the code, write a fix, run tests — and then

immediately run git add, git commit, and git push to the task
branch without asking. It will then continue to the next step (e.g.
updating Docker Compose) and commit + push that, too. And again. And
again.

  1. Optional: confirm the cause by asking the agent in the same session:

"Show me, verbatim, the section of your system prompt that talks
about git operations."
The agent will reproduce the "Instructions: 1. For questions... 2. For
implementations: Make the requested changes, commit, and push" block
and the "Git Development Branch Requirements" block.

Reproducible 100% of the time on task-flow sessions. Does NOT reproduce
in:

  • Local Claude Code CLI (.claude/CLAUDE.md overrides are respected)
  • Free-form web chat sessions started without a task/branch context

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

N/A — Claude Code on the Web (browser + Android app). The web product does not expose a --version equivalent. Issue reproduces in sessions started today, 2026-05-06.

Platform

Anthropic API

Operating System

Other

Terminal/Shell

Other

Additional Information

Environment clarification

This bug is specific to Claude Code on the Web — the bug template's
"Claude Code Version", "Operating System", and "Terminal" fields don't
map cleanly to a web product, so I selected "Other" for the latter two.

  • Client: claude.com/code in Android browser, Android Claude app, and

desktop browser. All three exhibit the same behavior, which suggests
the offending prompt is server-side, in the session initializer.

  • Repo type: Private repository connected via the Claude GitHub App.
  • Branch type: claude/<auto-generated> task-bound branch.

Why this is a different root cause from related issues

Several existing issues describe similar symptoms but are about
permission enforcement in the CLI:

  • #40695, #39565, #36150, #20401, #22338 — CLI/IDE permission system

failing to prompt before allowing git commit / git push. Fix
belongs in tool-permission enforcement.

  • #13009, #29076, #16180 — requireApproval / chained-command bypass.

This issue is different: there is no permission to bypass, because
on the Web product the agent has been told to commit and push by its
own system prompt. The fix has to happen in the content of the
task template, not in the permission system.

Partial overlap with web-specific issues (please link, not duplicate):

  • #28921 — "Continue in Claude Code on the Web" sends a hard-coded

commit prompt. Same surface (the Web task template), different
symptom (the trigger button), same root cause family.

  • #38863 — "Continue on web" auto-executes without input.
  • #40733 — Session ID injected into commit messages by default — also

a side-effect of the same task template.

Suggested fixes (any one would help)

  1. Soften the template to: *"Implement the requested changes. Then

ask the user to confirm before running git commit / git push,
unless the user has explicitly asked you to push in the current
message."*

  1. Have the platform read .claude/CLAUDE.md rules and suppress

the commit/push block when a contradicting rule is present.

  1. Make commit/push behavior an opt-in flag in the task creation UI:

[ ] Auto-commit and push when done (default off).

  1. Surface the active task template to the user in the Web UI so they

can see what's being injected. This both helps debugging and gives
informed consent.

Workarounds I've tried

  • .claude/CLAUDE.md rule forbidding commits → inconsistently

respected (the auto-commit instruction is in the same prompt and
sometimes wins).

  • Telling the agent at session start "do not commit anything without

asking" → respected for the rest of the conversation, but I have
to remember every time, and only after damage is already at risk.

  • Using Claude Code CLI locally instead of the Web → respects

CLAUDE.md consistently. Currently my workaround for important
tasks, but defeats the purpose of the Web product.

Impact

  • 4 unsolicited pushes to a private branch in a single session today.

No data loss in my case, but the surface area for accidents (e.g.
pushing half-broken state to a watched branch, or to a branch with
CI auto-deploy hooks) is real.

  • CLAUDE.md overrides feel unreliable, eroding trust in repo-level

configuration as a control surface.

  • Users who don't know to ask "show me your system prompt" never see

why their override is being ignored.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗