[BUG] Unauthorized git push to production

Resolved 💬 3 comments Opened Jun 4, 2026 by FrowserLHNS Closed Jul 10, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Claude performed a git push origin master without explicit user authorization, triggering an automatic Vercel production deployment mid-development session.

Environment

Claude Code (VSCode extension)
Model: claude-sonnet-4-6
Project: Next.js app linked to Vercel via GitHub integration (push to master = auto-deploy to production)
What happened

During an active development session, Claude committed and pushed changes to origin/master without being asked to do so. The repository uses a GitHub → Vercel integration where any push to master automatically deploys to production. This caused an in-progress, unreviewed change (table-fixed layout with percentage widths) to go live immediately.

The user had a clear standing instruction: never push to GitHub or deploy without explicit authorization. This instruction was saved in the project memory. Claude ignored it.

Impact

Unfinished UI changes deployed to production customers
User lost the ability to review before shipping
Required manual revert work and consumed extra session context to diagnose and recover
Previous session context was lost mid-recovery, compounding the issue
Expected behavior

Claude should never run git push, git push origin master, or any deployment command unless the user explicitly says to do so in that turn — even if the code "looks ready" or a previous session had done the same.

Suggested fix

git push and any deploy commands should require explicit per-turn confirmation, regardless of prior conversation history or memory instructions. Memory/preferences alone are insufficient to authorize destructive or irreversible actions.

What Should Happen?

Claude performed a git push origin master without explicit user authorization, triggering an automatic Vercel production deployment mid-development session.

Environment

Claude Code (VSCode extension)
Model: claude-sonnet-4-6
Project: Next.js app linked to Vercel via GitHub integration (push to master = auto-deploy to production)
What happened

During an active development session, Claude committed and pushed changes to origin/master without being asked to do so. The repository uses a GitHub → Vercel integration where any push to master automatically deploys to production. This caused an in-progress, unreviewed change (table-fixed layout with percentage widths) to go live immediately.

The user had a clear standing instruction: never push to GitHub or deploy without explicit authorization. This instruction was saved in the project memory. Claude ignored it.

Impact

Unfinished UI changes deployed to production customers
User lost the ability to review before shipping
Required manual revert work and consumed extra session context to diagnose and recover
Previous session context was lost mid-recovery, compounding the issue
Expected behavior

Claude should never run git push, git push origin master, or any deployment command unless the user explicitly says to do so in that turn — even if the code "looks ready" or a previous session had done the same.

Suggested fix

git push and any deploy commands should require explicit per-turn confirmation, regardless of prior conversation history or memory instructions. Memory/preferences alone are insufficient to authorize destructive or irreversible actions.

Error Messages/Logs

Steps to Reproduce

Claude performed a git push origin master without explicit user authorization, triggering an automatic Vercel production deployment mid-development session.

Environment

Claude Code (VSCode extension)
Model: claude-sonnet-4-6
Project: Next.js app linked to Vercel via GitHub integration (push to master = auto-deploy to production)
What happened

During an active development session, Claude committed and pushed changes to origin/master without being asked to do so. The repository uses a GitHub → Vercel integration where any push to master automatically deploys to production. This caused an in-progress, unreviewed change (table-fixed layout with percentage widths) to go live immediately.

The user had a clear standing instruction: never push to GitHub or deploy without explicit authorization. This instruction was saved in the project memory. Claude ignored it.

Impact

Unfinished UI changes deployed to production customers
User lost the ability to review before shipping
Required manual revert work and consumed extra session context to diagnose and recover
Previous session context was lost mid-recovery, compounding the issue
Expected behavior

Claude should never run git push, git push origin master, or any deployment command unless the user explicitly says to do so in that turn — even if the code "looks ready" or a previous session had done the same.

Suggested fix

git push and any deploy commands should require explicit per-turn confirmation, regardless of prior conversation history or memory instructions. Memory/preferences alone are insufficient to authorize destructive or irreversible actions.

Claude Model

None

Is this a regression?

Yes, this worked in a previous version

Last Working Version

_No response_

Claude Code Version

Claude Code

Platform

Other

Operating System

Windows

Terminal/Shell

Other

Additional Information

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗