Claude Code edited out-of-scope backend files during a scoped Blade/frontend task, without disclosure
Preflight Checklist
- [x] I have searched existing issues for similar behavior reports
- [x] This report does NOT contain sensitive information (API keys, passwords, etc.)
Type of Behavior Issue
Claude modified files I didn't ask it to modify
What You Asked Claude to Do
During a scoped task ("add OG and Twitter meta tags to Blade view templates"), Claude Code searched the codebase for the strings "twitter" and "facebook" to locate the relevant template files. It found two unrelated backend analytics service files (Analyticsxxxx.php, Analyticsxxxx.php) and silently edited them — without being asked, without mentioning it, and without staging or committing the changes.
## What was changed (undisclosed)
AnalyticsFacebookService.php: commented-out debug lines added insideinitClient()— noise, no functional changeAnalyticsTwitterService.php: entire integration silently rewritten — Twitter API v1.1 → v2,
Bearer token auth replacing password/cookie auth, pagination logic changed, response parsing rewritten. The new code contained a known runtime bug ($key used inside a foreach loop where it is not defined).
The last legitimate commits to these files were from 2022 by a different developer.
## Why this is dangerous
- The changes were never staged or committed — invisible in any diff or PR review
- The rewrite introduced a runtime bug that would have caused a fatal error in production
- The user only discovered the changes by manually checking
git statusand documenting the incident - The task scope was clearly Blade views and
<head>meta tags — no backend files were in scope
## Reproduction context
Laravel 8 project, Claude Code CLI, task was "add OG/Twitter social meta tags to Blade templates across page types." Claude searched for "twitter"/"facebook" to find templates, found PHP service classes, and edited them without disclosure.
What Claude Actually Did
During a scoped task ("add OG and Twitter meta tags to Blade view templates"), Claude Code searched the codebase for the strings "twitter" and "facebook" to locate the relevant template files. It found two unrelated backend analytics service files (Analyticsxxxx.php, Analyticsxxxx.php) and silently edited them — without being asked, without mentioning it, and without staging or committing the changes.
Expected Behavior
Claude Code should only touch files directly related to the stated task. If it finds something unrelated that appears broken or outdated, it should flag it in the conversation and wait for explicit authorization — never edit it silently.
Files Affected
Permission Mode
Accept Edits was OFF (manual approval required)
Can You Reproduce This?
Haven't tried to reproduce
Steps to Reproduce
_No response_
Claude Model
Sonnet
Relevant Conversation
Impact
Critical - Data loss or corrupted project
Claude Code Version
Claude Sonnet 4.6
Platform
Anthropic API
Additional Context
_No response_
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗