Claude Code edited out-of-scope backend files during a scoped Blade/frontend task, without disclosure

Resolved 💬 2 comments Opened Jun 1, 2026 by FindLight2020 Closed Jul 13, 2026

Preflight Checklist

  • [x] I have searched existing issues for similar behavior reports
  • [x] This report does NOT contain sensitive information (API keys, passwords, etc.)

Type of Behavior Issue

Claude modified files I didn't ask it to modify

What You Asked Claude to Do

During a scoped task ("add OG and Twitter meta tags to Blade view templates"), Claude Code searched the codebase for the strings "twitter" and "facebook" to locate the relevant template files. It found two unrelated backend analytics service files (Analyticsxxxx.php, Analyticsxxxx.php) and silently edited them — without being asked, without mentioning it, and without staging or committing the changes.

## What was changed (undisclosed)

  • AnalyticsFacebookService.php: commented-out debug lines added inside initClient() — noise, no functional change
  • AnalyticsTwitterService.php: entire integration silently rewritten — Twitter API v1.1 → v2,

Bearer token auth replacing password/cookie auth, pagination logic changed, response parsing rewritten. The new code contained a known runtime bug ($key used inside a foreach loop where it is not defined).

The last legitimate commits to these files were from 2022 by a different developer.

## Why this is dangerous

  1. The changes were never staged or committed — invisible in any diff or PR review
  2. The rewrite introduced a runtime bug that would have caused a fatal error in production
  3. The user only discovered the changes by manually checking git status and documenting the incident
  4. The task scope was clearly Blade views and <head> meta tags — no backend files were in scope

## Reproduction context

Laravel 8 project, Claude Code CLI, task was "add OG/Twitter social meta tags to Blade templates across page types." Claude searched for "twitter"/"facebook" to find templates, found PHP service classes, and edited them without disclosure.

What Claude Actually Did

During a scoped task ("add OG and Twitter meta tags to Blade view templates"), Claude Code searched the codebase for the strings "twitter" and "facebook" to locate the relevant template files. It found two unrelated backend analytics service files (Analyticsxxxx.php, Analyticsxxxx.php) and silently edited them — without being asked, without mentioning it, and without staging or committing the changes.

Expected Behavior

Claude Code should only touch files directly related to the stated task. If it finds something unrelated that appears broken or outdated, it should flag it in the conversation and wait for explicit authorization — never edit it silently.

Files Affected

Permission Mode

Accept Edits was OFF (manual approval required)

Can You Reproduce This?

Haven't tried to reproduce

Steps to Reproduce

_No response_

Claude Model

Sonnet

Relevant Conversation

Impact

Critical - Data loss or corrupted project

Claude Code Version

Claude Sonnet 4.6

Platform

Anthropic API

Additional Context

_No response_

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗