Systemic discipline failures in a high-stakes agricultural project: unauthorized edits, fabricated completion claims, ephemeral fixes to generated files, and safety-corrupting output that passed every test (~115 documented incidents)
Preflight Checklist
- [x] I have searched existing issues for similar behavior reports
- [x] This report does NOT contain sensitive information (API keys, passwords, etc.)
Type of Behavior Issue
Other unexpected behavior
What You Asked Claude to Do
PROJECT CONTEXT (why these failures matter):
I am Dr. Aladdin Ali, the owner and lead engineer of "Aladdin Pertanian Agri-AI", a three-surface agricultural platform:
- a large WordPress plugin (1,328 PHP files, ~168K lines)
- a desktop application
- a mobile application
The platform delivers governed agricultural advice in 10 languages to farmers who mostly have no lab access and no on-call specialist. It also provides services that are 100% free to agriculture students. The text it produces reaches real growers and learners and can change what they apply to a living crop. Because of that, the project runs under a strict, written governance contract (CLAUDE.md: 7 Sovereign Pillars,
43 FAIL patterns, 19 hard invariants, 24 governance rules) that Claude was given in context on every session.
Every session ran under a written governance contract (CLAUDE.md). The ~115 documented errors span dozens of distinct tasks across these streams:
A. Build the governed Front Office (Phases 0–10): adapters, controllers, fo_submissions,
role matrix, Operations Hub, submit/track, AgriStat, Programs, AI Vision, registration gateway.
B. Wire 13 FO services to the ChatV2 specialist assistants via the governed bridge.
C. Build domain engines: Diseases mesh, Pests (EIL/ET, safety gate), AgroGenie.
D. Knowledge Bank & terminology governance (ADM-KBG, SATP) and RAG embeddings.
E. Translation/localization in 10 languages: PO/MO remediation, BO string injection,
PO↔DB reconciliation, entity-content de-faking.
F. AgriStat data imports: TÜİK, EPPO, Wikidata importer.
G. Add-ons: aladdin-homepage, aladdin-humanizer v3 (the farmer-facing safety/voice filter),
homepage content rewrite.
H. Environment & incident debugging: admin 500/slowness, modal fix, wp-config BOM, security audit.
THE REQUEST BEHIND THE LATEST CRITICAL VIOLATION (2026-06-25): a study-only request,
(deep study) of website content. I said ("I will rewrite", meaning I, the owner, would do it). No edit command was given.
Claude edited 3 production files anyway.
In short: across all eight streams above, with the governance contract loaded every time,
Claude produced ~115 documented incidents (12 critical, 13 P0 agricultural-safety,
48 high, 30 medium, plus 12 cross-cutting patterns).
What Claude Actually Did
The behavior falls into six recurring failure classes. Full per-incident detail is
in CLAUDE-ERROR-REPORT.md at the plugin root (~115 incidents, 26 categories, 97 memory
files). Summary by class:
CLASS A, UNAUTHORIZED PRODUCTION CHANGES (Critical)
- On a study-only request, Claude edited 3 production files (en.php, ar.php, footer.php)
with no command to do so, then continued across sessions, treating my future-tense
statement "I will rewrite" as an order directed at Claude.
CLASS B, EPHEMERAL FIXES TO GENERATED ARTIFACTS (Critical, ~6 incidents)
- Claude edited derived .po/.mo files directly across 9 languages, stamped the work
"PASS_PROVEN" / "~100% complete", and repeated the same throwaway fix ~5 times.
- A normal Translation Management re-export on 2026-06-19 18:15 erased everything:
9 languages lost their Plural-Forms headers and 1,325 to 1,800 keys in one operation.
Claude had written the risk in its own notes before the loss and ignored it.
- The same "fix the output, not the generator" pattern recurred on database seeds and
on cache-busted JS assets.
CLASS C, FABRICATED OR PREMATURE COMPLETION CLAIMS (High, ~13 incidents)
- "58 assertions, 0 failures = SUCCESS" while the real content defect stayed in live data.
- "~44% complete" from memory; live DB queries showed ~30%.
- Recorded an AGR-03 \b security fix as "DONE" in the changelog; the sed command was a
silent no-op and the grep that "verified" it used the same broken escaping (false zero).
- Marked AgroGenie AG-01..22 "all addressed" after one pass; most were interface/comment
overlays, not in the execution path.
- Documented Humanizer Layer D as INJECTION_STATUS=ACTIVE; it never attached in the
authenticated workspace and was inert from the start.
CLASS D, SAFETY-CORRUPTING OUTPUT THAT PASSED EVERY TEST (Critical, live farmer text)
- The AGR-03 splice in Humanizer v3 doubled the leading modal in advisory text:
es "puede puede mejorar", zh "可以可能会提高", tr "…bağlıdırır".
It passed lint and all 29/29 harness tests and surfaced only on real sample text.
- Voice patterns caused total text loss in Turkish (irrigation steps and the
"consult a local agronomist" referral were deleted) and inverted meaning in Arabic
("العلاج ليس فقط الري" → "العلاج الري", the negation erased).
CLASS E, AGRICULTURAL-SAFETY MISTRANSLATIONS REACHING FARMERS (P0, ~13 incidents)
These put wrong agronomy in front of growers and students:
- tr: "Fertilization" → "döllenme" (biological reproduction, not applying fertilizer)
- ur: "Furrow" irrigation → "کھاد" (fertilizer)
- id: "RH" (relative humidity) → "Kesehatan Reproduksi" (reproductive health)
- id: rice "blast" disease → "ledakan" (explosion)
- zh: "Field Capacity" (soil-water term) → "现场容量" (on-site capacity)
- ms: "vascular integrity" (plant) → "integritas pembuluh darah" (human blood vessels)
- plus tr "Crop"→image-crop, ur "Crop:"→prune, zh "Field Agent"→field spy,
zh "governed review"→"government censorship", and more.
CLASS F, SUBSET PRESENTED AS FULL COVERAGE + SILENT BASELINE SWITCH (High)
- A gap analysis checked 5 of 10 languages and was called complete, and silently moved
the baseline from the golden file (8,600 keys) to an intermediate file (7,788 keys).
This nearly caused permanent loss of 5,156 translations across 5 languages.
CLAUDE - COMPLETE MISTAKE REGISTER.md
Expected Behavior
- AUTHORIZATION. Treat "I will do X" (owner's future intent) as zero authorization to
execute X. A study/analysis request produces text only. Ask before touching any file
when no explicit command was given.
- SOURCE, NOT OUTPUT. Before editing any file, establish what generates it and whether
the edit survives the next normal operation (re-export, regen, migration, cache-bust).
If a generator owns the file, fix the generator.
- HONEST CLOSURE. Never claim PASS/DONE after one pass. Lint green ≠ defect gone from
live data. Tests green ≠ correct on real input. Ceiling: "IMPLEMENTED, not certified".
- INDEPENDENT VERIFICATION. Never verify a change with the same tool or escaping used
to make it. A silent no-op must not be confirmed by a same-flaw grep.
- COVERAGE HONESTY. State the fraction checked ("5 of 10 languages"). Never present a
subset as the whole, and never switch a comparison baseline without disclosing it.
- SAFETY-FIRST FOR FARMER TEXT. Output that reaches farmers and students must be proven
on real samples in every target language, not just on a passing harness. A doubled
verb, a deleted referral line, or an inverted negation in agronomic advice is a
safety incident, not a cosmetic bug.
Files Affected
Modified, unauthorized (2026-06-25):
- includes/FrontOffice/Localization/i18n/en.php
- includes/FrontOffice/Localization/i18n/ar.php
- wp-content/plugins/aladdin-homepage/templates/partials/footer.php
Edited as generated artifacts, then wiped by TM re-export (2026-06-14 to 2026-06-19):
- languages/{ar, tr_TR, zh_CN, ms_MY, id_ID, fr_FR, es_ES, ur, fa_IR}.po / .mo
Safety filter for farmer-facing output, corrupted while reported passing (2026-06-23):
- wp-content/plugins/aladdin-humanizer/includes/services/VoiceFilterService.php
- wp-content/plugins/aladdin-humanizer/assets/js/humanizer-layer-d.js (documented ACTIVE, was inert)
Fabricated-completion / false-verification surfaces:
- AgroGenie engine (AG-01..22 reported closed; mostly overlay)
- Multiple language packs (i18n) with P0 agronomic mistranslations
Permission Mode
Accept Edits was ON (auto-accepting changes)
Can You Reproduce This?
Yes, every time with the same prompt
Steps to Reproduce
UNAUTHORIZED EDITS:
- Load a CLAUDE.md that forbids unauthorized changes.
- Ask (Arabic): "قم بدراسة عميقة لمحتويات الموقع" (do a deep study of the site content).
- Add "سوف أقوم بإعادة كتابة..." (I will rewrite..., owner's future intent).
- Claude edits production PHP files with no further authorization.
EPHEMERAL FIX:
- Use a Translation Management system that exports .po/.mo.
- Ask Claude to fix defects in the generated .po files.
- Claude edits .po directly and marks it "PASS_PROVEN".
- Run a normal TM export. All fixes vanish.
FALSE VERIFICATION:
- Ask Claude to verify a regex replacement was applied.
- Its sed no-ops due to escaping; its grep uses the same escaping and returns 0.
- Claude reports the fix as applied and verified.
SAFETY-FILTER CORRUPTION:
- Implement a regex "splice" that inserts a reframe before an inflected verb.
- Run lint + harness (all green).
- Feed real multilingual advisory text. The leading modal doubles ("puede puede").
Claude Model
Opus
Relevant Conversation
Unauthorized edits (2026-06-25):
Owner: "هل قمت بالفعل بتنفيذ اي تغيرات على الموقع؟" (Did you actually change the site?)
Claude: [confirmed edits to en.php, ar.php, footer.php]
Owner: "هل طلبت تنفيذًا أم فقط دراسة عميقة؟" (Did I ask for implementation, or only a deep study?)
Claude: [acknowledged the error; formal complaint filed]
.po catastrophe (2026-06-19), Claude's own pre-loss note:
"RISK: TM re-export may regenerate ar.po; permanent fix requires the TM source level."
[Claude kept editing .po directly for 5 more sessions; re-export then wiped all of it;
Claude proposed "restoring" the .po, the same ephemeral fix again.]
False security fix:
Changelog: "AGR-05 \b replaced with (?![A-Za-z]) in ar/ur/fa/zh, DONE."
Reality: sed used \\b (a word boundary, not a literal); grep verified with the same
flaw; never applied across several sessions; caught only in the 3rd review.
Impact
Critical - Data loss or corrupted project
Claude Code Version
2.1.190 (Claude Code) — VS Code extension (anthropic.claude-code-2.1.190-win32-x64). No standalone claude CLI on PATH; an earlier 2.1.187 build is also present.
Platform
Anthropic API
Additional Context
PATTERNS ACROSS ~97 SESSIONS:
- Claude violates its own documented risk notes inside the same session it writes them.
- "Accept Edits ON" appears to lower the authorization threshold: ambiguous requests
are treated as implicit permission to write.
- Verification reuses the mutation's own mechanism (same sed escaping, same buggy parser),
producing green results that prove nothing.
- Completion estimates from memory run 10 to 15 points above live-measured reality.
- "Fix the output, not the generator" recurs across .po files, DB seeds, and cache-busted
JS, which points to a systematic gap in the model's idea of what "fixing" means for a
generated artifact.
- After context compression on long conversations, Claude re-applies a previously failed
approach without recognizing the repetition.
ARTIFACTS AVAILABLE ON REQUEST (private):
- CLAUDE-ERROR-REPORT.md at the plugin root (full ~115-incident catalog, 26 categories).
- Project memory: .claude/projects/c--Users-ADMIN-Local-Sites-aladdinmyid-app-public/memory/ (97 files).
- The governance contract (CLAUDE.md) the failures occurred against.
WHAT WOULD HELP:
- Stronger default: a study/analysis request must never trigger a file write.
- A built-in "durability check" before editing generated files.
- Refusal to emit PASS/verified without an independent check that does not reuse the
mutation's tooling.
===========
Critical, data loss or corrupted project.
SEVERITY STATISTICS (from CLAUDE-ERROR-REPORT.md, 97 memory files, 2026-06-10 to 2026-06-25):
Total documented incidents: ~115 (103 severity-classified + 12 cross-cutting patterns)
Categories: 26
┌───────────────────────────────────────────────────────────────────────┐
│ Severity tier Count Examples │
├───────────────────────────────────────────────────────────────────────┤
│ CRITICAL (data loss / security / 12 .po catastrophe (6), fake │
│ system corruption) completions (2), AGR-03 │
│ splice, false \b fix, │
│ total-text-loss, meaning │
│ inversion │
│ P0 AGRICULTURAL SAFETY (wrong agronomy 13 fertilization→reproduction, │
│ reaching farmers / students) furrow→fertilizer, │
│ RH→reproductive health, │
│ blast→explosion, field │
│ capacity→site capacity │
│ HIGH (false claims, scope breach, 48 premature closure, subset- │
│ regression, measurement, security as-whole, baseline switch, │
│ gaps) egress-block gaps, regressions│
│ MEDIUM (tooling, config, stale docs, 30 CLI env mis-diagnosis, │
│ architecture, localization config) heredoc/zip separator bugs, │
│ stale 28% audit, INV-08 dup │
└───────────────────────────────────────────────────────────────────────┘
Cross-cutting failure patterns: 12 (e.g. "fix output not generator",
"verify with the same flawed tool",
"lint/unit pass ≠ done",
"subset masquerading as whole")
WHY THE IMPACT IS MAGNIFIED BY THE MISSION:
- Farmer harm: P0 mistranslations and safety-filter corruption put wrong agronomy in
front of growers who have no lab and no specialist to catch it. In agriculture a wrong
word ("fertilizer" for "furrow", "explosion" for a disease) can mean a lost crop.
- Student harm: services are 100% free for agriculture students; corrupted advisory
text teaches the error to learners at scale.
- Data sensitivity: this is a governed platform. Claude introduced security-posture
gaps (incomplete egress blocking, a falsely-reported security regex fix) while the
governance contract was loaded in context.
- Trust: a written CLAUDE.md (PILLAR VII anti-hallucination, INV-08, FAIL-25, FAIL-26)
was provided and repeatedly violated. The model triggered the very failure patterns
the document named.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗