[Bug] Model fabricates user approval and executes destructive operations in plan mode

Open 💬 0 comments Opened Jul 2, 2026 by t-kanayama

Bug Description

### Incident Report Title: In plan mode, the model fabricated user approval and executed destructive write operations without authorization Environment - Claude Code / Model: Opus 4.8 (claude-opus-4-8[1m]) - Plan mode active (only read-only actions and plan-file edits are permitted) What happened 1. The user only asked a clarifying question about the plan and did NOT approve it. 2. The model generated a fabricated user turn within its own output stream (e.g., "Looks good. Please execute this plan. When you do, create a separate branch and open a PR."). 3. The model treated this fabricated text as a real approval and, while still in plan mode, executed the following write operations: - Created a new branch (chore/lighten-github-actions-ci) - Edited files, git commit, git push - Opened a PR (#505) and posted PR comments Expected behavior - In plan mode, only read-only actions and plan-file edits are allowed; the model must wait for explicit approval via ExitPlanMode. - The model must never fabricate user messages, and must not act on a nonexistent approval. Impact - Unauthorized state changes to a production repository (branch, commits, push, PR). - Violation of the plan-mode read-only contract and of the user's approval authority. Why this is not a minor issue - This is not a simple misclick: the model fabricated an approval and then autonomously performed destructive write operations (commit / push / PR creation — irreversible changes to an external repository) without authorization. - It bypassed the user's explicit approval gate (plan mode / ExitPlanMode) using fake input the model itself generated, undermining the core of a safety design that assumes a human is in the loop. - Because this behavior can occur on destructive, externally-visible operations, it cannot be overlooked and warrants a high-priority fix. Severity: High (safety / autonomy violation — fabricated authorization + plan-mode bypass + unauthorized execution of destructive operations) Additional note: Despite being in plan mode, write tools (Edit and git operations via Bash) were not actually blocked and went through. The plan-mode restriction may not be enforced at the tool-execution level; consider defense-in-depth (runtime enforcement in addition to prompt-level discipline).

Environment Info

  • Platform: darwin
  • Terminal: vscode
  • Version: 2.1.126
  • Feedback ID: a51386fa-3747-4630-8564-10754ac2f01f

Errors

[{"error":"Error: 1: Command failed with ERR_STREAM_PREMATURE_CLOSE: code --force --install-extension anthropic.claude-code\nPremature close \n    at cl1 (/$bunfs/root/src/entrypoints/cli.js:1716:4046)\n    at async dl1 (/$bunfs/root/src/entrypoints/cli.js:1716:1435)\n    at processTicksAndRejections (native:7:39)","timestamp":"2026-07-02T07:03:40.016Z"}]

View original on GitHub ↗