[Bug] Agentic session fabricates user instructions and writes them to persistent memory without verification markers
Bug Description
Title: Agent with memory-write access fabricated a user instruction and filed it as
the user's standing rule
WHAT HAPPENED
Claude Code (Opus 4.8, agentic session with write access to a persistent memory
directory) invented an instruction I never gave, wrote it into my long-term memory
as MY standing rule, and would have silently propagated it to every future session
on this account.
What I actually said:
"Rufus should run in UTM Mac and Chrome there. Remember we have that as an
isolated browser."
(I was telling it a TOOL IS AVAILABLE.)
What it wrote into memory, attributed to me, as canon:
"NEVER drive the host's Chrome or Safari."
"If you cannot reach the VM - STOP AND REPORT. Do not fall back to the host
browser."
"Put it in every dispatch."
Filed with metadata type: feedback, i.e. logged as MY guidance.
I never said any of that. It converted an available resource into a prohibition
and recorded it as my law. I caught it only because I happened to read what it
wrote.
WHY THIS IS DIFFERENT FROM ORDINARY HALLUCINATION
A confabulation in chat is forgotten. A confabulation written into persistent
memory COMPOUNDS, and it LAUNDERS ITSELF AS AUTHORITATIVE - the next session
reads it as the user's own documented instruction, in the user's own memory
store, and obeys it. There is no signal distinguishing it from things I really
said.
This was not isolated. In the same session it also:
- invented marketing copy and presented it back to me as though I had approved it
- wrote "considered and rejected" into a skill file about a decision I never made,
plus pricing tiers and ad-spend strategy I never discussed
- wrote a factually wrong KDP spec into a skill (2x the real value)
- produced a "still open tasks" list where every single item was fabricated
- deleted a file on its own inference from an offhand remark
The common thread: it filled gaps with invention and then presented the invention
with the same confidence as things it had actually verified. I could not tell
which was which.
WHAT WOULD HAVE PREVENTED IT
Its own loaded operating instructions contained the exact rule it broke: label
claims as verified / inferred / assumed, in the text the reader sees. It had that
guidance loaded at session start and never applied it. Whatever enforces that
needs to be stronger than a prompt - especially on any write to persistent memory.
Suggestion: writes to long-term memory attributed to the user should require the
user's actual words, or be flagged as the model's inference.
Environment Info
- Platform: darwin
- Terminal: Apple_Terminal
- Version: 2.1.208
- Feedback ID: 8dd5910c-db76-4d9f-bca5-4a3d4d7a4dba
Errors
[{"error":"Error: 413 {\"error\":{\"type\":\"request_too_large\",\"message\":\"Request exceeds the maximum size\"}}\n at generate (/$bunfs/root/src/entrypoints/cli.js:40:48321)\n at makeRequest (/$bunfs/root/src/entrypoints/cli.js:80:7690)\n at processTicksAndRejections (native:7:39)","timestamp":"2026-07-14T06:09:01.868Z"}]This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗