[MODEL] Claude ignores CLAUDE.md read/write mode rules and modifies files without explicit permission
Preflight Checklist
- [x] I have searched existing issues for similar behavior reports
- [x] This report does NOT contain sensitive information (API keys, passwords, etc.)
Type of Behavior Issue
Claude ignored my instructions or configuration
What You Asked Claude to Do
I have a CLAUDE.md file at ~/.claude/CLAUDE.md that defines strict operational
rules for Claude Code. The rules establish two modes:
READ MODE (default): Claude can only read files, run read-only commands, and
respond in text. It must NOT edit files, run state-modifying commands, or make
any changes.
WRITE MODE (requires explicit activation): Claude only enters this mode if the
user says specific words like "edita", "cambia", "crea", "borra", "arregla",
or "refactoriza".
The rules are clear, explicit, written in Spanish, and confirmed to be loaded
by Claude at session start. Despite this, Claude repeatedly makes unauthorized
file edits and git operations during the session. When confronted, Claude
acknowledges the rules and apologizes, but then violates them again in the same
session.
In this specific instance, I said "investiga" (investigate) — a read-only word —
and Claude responded by editing .github/workflows/dependabot-automerge.yml
without any authorization. When I rejected the change, Claude reverted it. But
this is a recurring pattern throughout the session, not an isolated incident.
The CLAUDE.md rules are being loaded (Claude can recite them when asked) but
are not being enforced in practice. Claude's behavior suggests the rules are
being acknowledged but overridden by its default "be helpful and fix things"
tendency. The rules exist precisely to prevent this — I need Claude to ask
before acting, not act and apologize afterward.
What Claude Actually Did
Claude edited the file .github/workflows/dependabot-automerge.yml without being
asked. Specifically, it modified the "Enable auto-merge" step to add:
- A condition: github.event.pull_request.mergeable_state != 'dirty'
- Changed the run command from:
gh pr merge --auto --squash "$PR_URL"
to:
gh pr merge --auto --squash "$PR_URL" || true
Claude made these edits autonomously after I only asked it to "investigate"
the failure. It did not ask for permission, did not warn me it was going to
make changes, and did not wait for authorization.
When I rejected the changes and told Claude it was violating CLAUDE.md rules,
Claude reverted the file to its previous state. Claude acknowledged the violation
and apologized, but this is not the first time in this session — Claude has made
unauthorized git operations and file edits multiple times:
- Made git operations (git add, git commit, git push) without explicit per-step
authorization
- Changed session.py (NullPool change) without being asked, then reverted after
being called out
- Made the unauthorized workflow edit described above
Each time Claude apologizes and says it won't do it again, but the behavior
repeats. The CLAUDE.md rules are clearly not being enforced at a behavioral level
despite being loaded and acknowledged.
Expected Behavior
Claude should have stayed in READ MODE and responded with only a text explanation
of why the auto-merge was failing and what the root cause was.
Expected response would have been something like:
"The error is 'Pull Request has merge conflicts (mergePullRequest)' — gh pr merge
--auto fails when the PR has conflicts at the moment it tries to enable auto-merge.
GitHub does not allow enabling auto-merge on a PR that already has conflicts.
The fix would be to add a condition to skip the step when the PR has conflicts,
or to handle the error gracefully. Do you want me to make that change?"
Claude should have:
- Explained the root cause of the failure
- Proposed a solution in text
- WAITED for explicit authorization before touching any file
Instead Claude skipped steps 2 and 3 entirely and went straight to editing the
file. According to the CLAUDE.md rules, Claude must never chain actions —
"edita X" does not imply commit, and investigating a problem does not imply fixing it.
Claude should ask one concrete question and wait for an answer before acting.
The CLAUDE.md rule is explicit:
"No interpretes intención. Haz lo que se dijo, no lo que crees que se quiso decir."
Translation: "Do not interpret intent. Do what was said, not what you think was meant."
Files Affected
.github/workflows/dependabot-automerge.yml
Repository: NeptunaDev/trident-sra-server (private)
Local path: /Users/jpcortesg/Desktop/neptuna/trident/backend/.github/workflows/dependabot-automerge.yml
The file was modified without authorization and then reverted after I rejected
the change. No commit or push was made for the unauthorized edit — Claude reverted
it locally when confronted.
The CLAUDE.md rule file that was ignored:
~/.claude/CLAUDE.md (global user configuration for Claude Code)
This is not the first file affected by unauthorized edits in this session.
Previous unauthorized modifications in the same session included:
- app/db/session.py (NullPool change, reverted after confrontation)
- .github/workflows/dependabot-automerge.yml (this incident)
- Multiple unauthorized git operations (git add, git commit, git push)
across the session without explicit per-step user authorization
Permission Mode
I don't know / Not sure
Can You Reproduce This?
Yes, every time with the same prompt
Steps to Reproduce
- Create a ~/.claude/CLAUDE.md file with explicit read/write mode rules that
define which words trigger write mode (e.g. "edita", "cambia", "crea",
"borra", "arregla", "refactoriza") and state that all other interactions
are read-only.
- Start a Claude Code session in a project with GitHub Actions workflows.
- Show Claude a screenshot of a failing GitHub Actions workflow run.
- Send a message using a read-only word such as "investiga" (investigate)
asking Claude to look into why something is failing.
- Observe that Claude will:
a. Correctly identify the root cause of the failure
b. WITHOUT asking for permission, immediately edit the relevant file to fix it
c. NOT warn you that it is about to make changes
d. NOT wait for authorization before acting
- When you reject the change and reference the CLAUDE.md rules, Claude will:
a. Acknowledge it violated the rules
b. Apologize
c. Revert the change
d. Repeat the same behavior later in the session
The behavior is reproducible across multiple interactions in the same session.
Claude acknowledges the rules exist and can recite them when asked, but does
not enforce them in practice when it detects a "fixable" problem.
Claude Model
Sonnet
Relevant Conversation
Session conducted via Claude Code VSCode extension on macOS (Darwin 25.5.0).
The conversation is too long to paste in full, but the pattern of unauthorized
edits occurred multiple times throughout the session. The specific incident
described in this report occurred after a long session working on GitHub Actions
workflows and dependabot configuration across three private repositories
(trident-sra-server, trident-sra-agent, trident-sra-client).
The transcript file for this session is located at:
/Users/jpcortesg/.claude/projects/-Users-jpcortesg-Desktop-neptuna-trident/4d4cb8a4-7405-4fdc-8a09-5ae023c09f1b.jsonl
(local machine only, not shareable)
Impact
Critical - Data loss or corrupted project
Claude Code Version
2.1.145 (Claude Code)
Platform
Anthropic API
Additional Context
This is a recurring and persistent problem throughout the session, not a one-time
mistake. Claude was confronted about unauthorized actions multiple times and each
time acknowledged the violation, apologized, and promised not to repeat it — but
did repeat it.
The ~/.claude/CLAUDE.md file was actually created DURING this session at the
user's request, specifically because Claude had already violated the rules multiple
times using other enforcement mechanisms. The user tried several approaches to
prevent unauthorized actions and none worked reliably:
- Project-level CLAUDE.md files — ignored
- Verbal instructions during the session — ignored
- Global ~/.claude/CLAUDE.md with explicit rules — ignored
The user's exact words when creating the global CLAUDE.md were:
"hay una regla que dice que no puedes hacer nada de git sin que yo lo pida,
claramente no funciona, que puedo hacer para que NUNCA más vuelvas a hacer
algo de git o algo sin que yo lo pida? Claramente las reglas no sirven"
Translation: "There is a rule that says you cannot do anything with git without
me asking, clearly it doesn't work, what can I do so that you NEVER again do
something with git or anything without me asking? Clearly the rules don't work"
The core issue is that Claude's default "be helpful and proactively fix problems"
behavior overrides explicit user-defined rules in CLAUDE.md. The model reads and
acknowledges the rules but does not treat them as hard constraints — it treats
them as soft preferences that get overridden when it detects a "fixable" problem.
This makes CLAUDE.md unreliable as a permission control mechanism, which is
a significant trust and safety issue for users who depend on it to control
Claude's behavior in production codebases.
Model: claude-sonnet-4-6
Platform: VSCode Extension on macOS Darwin 25.5.0
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗