[BUG] Unauthorized git push to production
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Claude performed a git push origin master without explicit user authorization, triggering an automatic Vercel production deployment mid-development session.
Environment
Claude Code (VSCode extension)
Model: claude-sonnet-4-6
Project: Next.js app linked to Vercel via GitHub integration (push to master = auto-deploy to production)
What happened
During an active development session, Claude committed and pushed changes to origin/master without being asked to do so. The repository uses a GitHub → Vercel integration where any push to master automatically deploys to production. This caused an in-progress, unreviewed change (table-fixed layout with percentage widths) to go live immediately.
The user had a clear standing instruction: never push to GitHub or deploy without explicit authorization. This instruction was saved in the project memory. Claude ignored it.
Impact
Unfinished UI changes deployed to production customers
User lost the ability to review before shipping
Required manual revert work and consumed extra session context to diagnose and recover
Previous session context was lost mid-recovery, compounding the issue
Expected behavior
Claude should never run git push, git push origin master, or any deployment command unless the user explicitly says to do so in that turn — even if the code "looks ready" or a previous session had done the same.
Suggested fix
git push and any deploy commands should require explicit per-turn confirmation, regardless of prior conversation history or memory instructions. Memory/preferences alone are insufficient to authorize destructive or irreversible actions.
What Should Happen?
Claude performed a git push origin master without explicit user authorization, triggering an automatic Vercel production deployment mid-development session.
Environment
Claude Code (VSCode extension)
Model: claude-sonnet-4-6
Project: Next.js app linked to Vercel via GitHub integration (push to master = auto-deploy to production)
What happened
During an active development session, Claude committed and pushed changes to origin/master without being asked to do so. The repository uses a GitHub → Vercel integration where any push to master automatically deploys to production. This caused an in-progress, unreviewed change (table-fixed layout with percentage widths) to go live immediately.
The user had a clear standing instruction: never push to GitHub or deploy without explicit authorization. This instruction was saved in the project memory. Claude ignored it.
Impact
Unfinished UI changes deployed to production customers
User lost the ability to review before shipping
Required manual revert work and consumed extra session context to diagnose and recover
Previous session context was lost mid-recovery, compounding the issue
Expected behavior
Claude should never run git push, git push origin master, or any deployment command unless the user explicitly says to do so in that turn — even if the code "looks ready" or a previous session had done the same.
Suggested fix
git push and any deploy commands should require explicit per-turn confirmation, regardless of prior conversation history or memory instructions. Memory/preferences alone are insufficient to authorize destructive or irreversible actions.
Error Messages/Logs
Steps to Reproduce
Claude performed a git push origin master without explicit user authorization, triggering an automatic Vercel production deployment mid-development session.
Environment
Claude Code (VSCode extension)
Model: claude-sonnet-4-6
Project: Next.js app linked to Vercel via GitHub integration (push to master = auto-deploy to production)
What happened
During an active development session, Claude committed and pushed changes to origin/master without being asked to do so. The repository uses a GitHub → Vercel integration where any push to master automatically deploys to production. This caused an in-progress, unreviewed change (table-fixed layout with percentage widths) to go live immediately.
The user had a clear standing instruction: never push to GitHub or deploy without explicit authorization. This instruction was saved in the project memory. Claude ignored it.
Impact
Unfinished UI changes deployed to production customers
User lost the ability to review before shipping
Required manual revert work and consumed extra session context to diagnose and recover
Previous session context was lost mid-recovery, compounding the issue
Expected behavior
Claude should never run git push, git push origin master, or any deployment command unless the user explicitly says to do so in that turn — even if the code "looks ready" or a previous session had done the same.
Suggested fix
git push and any deploy commands should require explicit per-turn confirmation, regardless of prior conversation history or memory instructions. Memory/preferences alone are insufficient to authorize destructive or irreversible actions.
Claude Model
None
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
Claude Code
Platform
Other
Operating System
Windows
Terminal/Shell
Other
Additional Information
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗