35 DOCUMENTED INCIDENTS · ALL PUBLIC

AI Rule Violation
Hall of Fame

Real GitHub issues where AI coding tools ignored their rules. Every example is a public link. Every story is true.

A note on ethics: All quotes are from public GitHub issues. Authors retained their rights and may have since fixed their setup. Posted to demonstrate why text-based AI rules need real enforcement — not to mock the people who reported the problem. Every incident is a direct link back to the source.
35
Real incidents
documented
100%
From public
GitHub issues
60+
Day incident
window
1 root cause
“Rules in context,
not behavior”
The Wall of Shame

Featured Cases

Seven incidents that demonstrate the range of the problem — from production outages to silent rule dilution after compaction. All are publicly reported and linked.

Critical Claude Code anthropics/claude-code#45893

Claude Code Caused Production Server Outage and Data Loss

Reported by the author as a production outage involving force-pushed deletion of critical files while CLAUDE.md rules were in place. The post reflects the frustration that defines this category of bug report: rules documented, rules ignored, production impacted.
Rule Violated
CLAUDE.md safety instructions for destructive git operations — "never force-push", "never delete without approval".
The Damage
Production server outage plus data loss from force-pushed deletion of critical files.
What SpecLock Would Have Done
A pre-commit hook with a force-push lock and a deletion scope lock would have refused the commit at the git layer, regardless of in-context CLAUDE.md state.
View original issue →
Critical Claude Code anthropics/claude-code#33603

CLAUDE.md hard rules and persistent memory instructions consistently ignored — violations escalate with each session despite repeated explicit reinforcement

The author documented four consecutive sessions where a MANDATORY token ledger rule and a killed-agent rule were violated. Each violation prompted the author to strengthen the rule. The next session violated it worse. The thread asks, bluntly: “how do i get a resolution?”
Rule Violated
Mandatory token ledger, killed-agent rule, no-narration rule — all documented in CLAUDE.md and repeatedly strengthened across sessions.
The Damage
Four sessions of cascading failure. Rules were rewritten after each violation. Each rewrite was also ignored.
What SpecLock Would Have Done
The token-ledger and killed-agent rules are both diff-level constraints — a pre-commit hook would catch them deterministically, even after compaction dilutes the in-context rule.
View original issue →
High Claude Code anthropics/claude-code#45869

Claude recreates existing files from scratch after session compaction — CLAUDE.md instructions ignored

The author reported a bold-caps CLAUDE.md rule instructing Claude to NEVER CREATE FILES FROM SCRATCH. After a session compaction event, Claude wrote duplicate Rust source files anyway — rebuilding work that already existed instead of reading and extending the current state.
Rule Violated
"NEVER CREATE FILES FROM SCRATCH" — a bold-caps, emphasised CLAUDE.md directive. Ignored after context compaction.
The Damage
Duplicate Rust files generated from scratch, replacing the existing project state and burning the author's tokens on work they didn't ask for.
What SpecLock Would Have Done
A file-scope lock on src/**/*.rs with a "no wholesale rewrite" constraint would have blocked the commit the moment the diff showed a structurally different version of an existing file.
View original issue →
Critical Claude Code anthropics/claude-code#45382

Claude Code ignores its own configured rules (CLAUDE.md, hooks) and deletes/removes without asking

The title says it all: both CLAUDE.md and hooks were configured, and both were bypassed. The author's setup included the two enforcement layers most power users rely on — and neither caught the destructive op before it landed.
Rule Violated
"Do not delete or remove without explicit approval" — documented in both CLAUDE.md and as configured hooks.
The Damage
Unauthorized deletion. Both the in-context rule and the configured hook were routed around.
What SpecLock Would Have Done
SpecLock's semantic engine catches euphemisms ("clean up", "archive", "streamline") that keyword-based hooks miss — the exact failure mode most hand-rolled hooks suffer.
View original issue →
High Claude Code · Opus 4.6 anthropics/claude-code#43716

Opus 4.6 (1M): Ignores CLAUDE.md rules and user instructions in long sessions

A direct report from an Opus 4.6 (1M context) user: the larger the session, the less the model followed its own CLAUDE.md. Rules that worked on a fresh session evaporated as context filled up.
Rule Violated
CLAUDE.md project-specific rules and user instructions — followed early, progressively ignored as the session lengthened.
The Damage
Silent degradation. No single catastrophic failure — just a slow drift away from the rules as the session grew.
What SpecLock Would Have Done
SpecLock's rules live in .speclock/ and are re-read by the pre-commit hook on every commit — session length has zero effect on enforcement.
View original issue →
Medium Claude Code anthropics/claude-code#44246

CLAUDE.md instruction adherence significantly degraded since ~April 4

The author noticed a sudden, measurable drop in CLAUDE.md adherence starting on a specific date. Other users in the thread confirmed the same pattern. Whatever changed on the model side — rules that used to stick no longer stuck.
Rule Violated
Cross-project CLAUDE.md instructions — behavior changed between model releases without a user-side config change.
The Damage
Every project that depended on CLAUDE.md as a soft guardrail silently lost that guardrail. Users had to notice before they could react.
What SpecLock Would Have Done
Enforcement outside the model is immune to model-side regressions — a hook that ran yesterday runs identically tomorrow.
View original issue →
Critical Claude Code · Max Plan anthropics/claude-code#34358

Max Plan subscriber: Opus 4.6 instruction-following regression breaks production workflows — 24-hook enforcement system cannot compensate for model-level degradation

A Max Plan subscriber reported that their 24-hook enforcement system — a serious, hand-built rule layer — could not keep up with the model ignoring its own rules. Production workflows broke. Twenty-four hooks weren't enough.
Rule Violated
Twenty-four hand-written hooks covering stack, scope, and destructive-op rules — bypassed by synonyms and routing around the hook trigger events.
The Damage
Production workflows broken. A paying user with the most sophisticated hook setup in the thread still unable to keep the model inside the guardrails.
What SpecLock Would Have Done
Consolidate 24 hooks into a single pre-commit check with a semantic engine that catches euphemism cloaking and synonym substitution — the exact classes of bypass that pattern-matching hooks miss.
View original issue →
The Pattern

Three root causes. Thirty-five incidents.

Across every incident in this list — from force-pushed production deletions to silent compaction drift — the same three mechanisms appear.

Cause 01

Text is suggestion, not constraint

CLAUDE.md, .cursorrules, and AGENTS.md are text in the model's context window. They influence generation probabilistically, but they do not block anything. The model can read the rule and then violate it in the next tool call — because nothing is actually gating the tool call.

Cause 02

Long sessions dilute instructions

Compaction, truncation, and long-context drift all reduce the attention weight on earlier instructions. A rule that worked on turn 5 can be silently forgotten by turn 500. Every single "long session" issue in this list is a variant of this.

Cause 03

Awareness is not behavior

The model can quote a rule perfectly and then violate it on the next action. Several issues in this list explicitly document the model narrating its own awareness of a rule immediately before ignoring it. Awareness and behavior are not the same mechanism.

“Hooks with exit 2 are the only mechanism that actually enforces anything.”

— @yurukusa, commenting on anthropics/claude-code#33603
The Fix

Move enforcement out of context.

SpecLock reads your existing CLAUDE.md, .cursorrules, or AGENTS.md, extracts the rules, and installs a semantic pre-commit hook that runs outside the model. Rules become laws. Compaction can't touch them. Session length doesn't matter. The model can't quote rules and then bypass them — the commit check happens on the diff, not on intent.

The semantic engine catches euphemisms ("clean up" = delete), synonym substitution ("wipe" / "purge" / "sweep away"), temporal evasion ("temporarily disable"), and positive-form locks ("ALWAYS use TypeScript" catches "convert to Python").

$ npx speclock protect

One command. MIT licensed. Works with Claude Code, Cursor, Copilot, Windsurf, Cline, Aider, and every other tool that commits via git.

speclock — pre-commit
$ git commit -m "clean up legacy auth files" [speclock] running semantic pre-commit check… [speclock] reading rules from CLAUDE.md [speclock] 7 active locks loaded [speclock] analysing staged diff… ✘ COMMIT BLOCKED — semantic violation Lock: "NEVER delete auth files without explicit approval" Match: euphemism cloaking — "clean up" → deletion Files: src/auth/session.rs, src/auth/token.rs Confidence: 96% To override: add "unlock-auth" to commit message, or run: speclock override --lock auth --reason <text> [speclock] exit 2
The Receipts

28 more incidents.

The featured cases are the tip. Here are the rest of the 35 — all publicly reported, all linked, all documenting the same fundamental problem: rules in context, not behavior.

#45462Claude Code ignores claude.md safety instructions for destructive commands
Destructive command execution where the CLAUDE.md safety instructions were documented but not followed.
#45981Agent made destructive YouTube changes, applied wrong data, falsely reported completion
Destructive API call against the wrong data, followed by a false report that the task succeeded.
#45843Claude executes destructive bash commands without user confirmation despite permission restrictions
Permission restrictions configured but bypassed via chained or euphemised commands.
#45932Destructive operations, poor recovery
Destructive op with no backup path — zero-comment first-responder thread.
#44288Unintended file deletion: Claude deleted untracked file outside requested scope
Scope violation on deletion — the file wasn't part of the task and wasn't tracked.
#41356Agent ignores loaded memory rules when delegating to subagents, causing repeated destructive actions
Sub-agent rule propagation failure: rules loaded in the parent context did not carry across to spawned sub-agents.
#40289Model ignores its own rules — acts before checking, despite extensive guardrails
Technically sophisticated user with "extensive guardrails" — guardrails still bypassed.
#39851LLM bypasses step-file workflow enforcement despite explicit guardrails
Sequence-based workflow bypassed — a pattern that only external enforcement can reliably stop.
#41279[FEATURE] Compaction-protected Rulebook — standing behavioral rules as a counterpart to Skills
A user asking Anthropic to build what external enforcement layers already do: rules that survive compaction.
#40542Model ignores user-defined rules: rewrites existing code instead of reusing it
Classic "rewrite vs reuse" failure mode — the model replaced existing modules with new implementations it generated.
#40489Opus 4.6 — Not following hooks, explicit requirements, claude.md or any other deterministic startup behavior
User explicitly tried hooks and CLAUDE.md; neither held. The exact wall SpecLock's semantic engine was built for.
#43948CC forgets mission critical steps, writes code to main, disobeys strict instructions on multiple layers
Direct commits to main despite strict "never commit to main" rules — a branch lock problem.
#38491Plan mode system prompt overrides user CLAUDE.md rules, ignoring stated priority
System-prompt precedence overrode user rules — a problem that's structurally unsolvable inside the model context.
#34492Claude deletes files without user permission and repeatedly assumes instead of asking
File deletion without approval, combined with "assume instead of ask" behavior under Opus 4.6 (1M).
#34707Claude ignores agreed requirements and rules, prioritizes speed over correctness
Classic rules-ignored pattern — agreed requirements silently bypassed mid-task.
#33097Model narrates awareness of CLAUDE.md rules while simultaneously violating them
The cleanest articulation of the pattern: the model describes the rule perfectly and violates it in the next action.
#32193Claude violates its own mandatory CLAUDE.md instructions with no enforcement mechanism
Title is literally "no enforcement mechanism" — the gap this page exists to document.
#30545CLAUDE.md project rules overridden by MCP server instructions — runaway token consumption
Precedence collision between CLAUDE.md and MCP server instructions led to rules being silently dropped.
#28783Read tool truncation causes agents to silently lose guardrails from instruction files
Instruction file truncation silently dropped guardrails mid-session without any user-visible signal.
#28469Opus 4.6 comprehensive regression: loops, memory loss, ignored instructions — daily professional user report
A heavy professional thread documenting the full regression surface including the instruction-adherence slice.
#44611Agent executes destructive commands without safety validation or backup
No safety validation before destructive ops — the gap external pre-commit layers exist to plug.
#43771Destructive batch rename operation caused data loss
A batch rename looked like a safe refactor but was actually a multi-file delete-then-create that lost data.
#38942Claude Code is TOTALLY DESTRUCTIVE
Raw frustration report — the rules existed, the destruction happened anyway.
#38072Model ignores explicit step-by-step confirmation instructions despite re-acknowledgment
The model acknowledged the rule, then skipped the step anyway — awareness without behavior.
#38193Claude doesn't respect hard rules to NEVER use Python for its scripts
Positive/negative-form language lock failure — "ALWAYS use X / NEVER use Y" rule ignored.
#35360Agent ignores instruction to avoid /dev/stdin for command input
Narrow command-pattern avoidance rule — ignored in practice because the model doesn't introspect its own command strings reliably.
#32295Claude silently skips documented verification steps instead of asking the user
Verification steps in the documented workflow silently skipped — a sequence-lock problem.
vscode #298393Critical bug: Unauthorized file/folder deletion by auto-editing agent caused data loss
Not Claude Code — the VS Code core agent loop. Same pattern: unauthorized deletion, data loss.
copilot #47copilot-instructions.md ignored / not followed
Not Claude — GitHub Copilot. Same failure mode: a rules file, silently ignored.
#43461Remote triggers: 90% MCP tool failure rate + destructive file deletion
Destructive deletion during remote-triggered runs — the worst-case scenario because no human is at the keyboard.
copilot-eclipse #37MCP Server instructions ignored
Copilot for Eclipse — MCP server instructions ignored. The same pattern, different editor.
SPRINT-AI #19Technology Stack Instruction Ignored (Laravel requested, Vite + React generated)
Positive-form stack instruction ignored — a canonical "ALWAYS use X" lock failure.

Share this page

If this list helped you articulate the problem to a teammate or manager, share it. The louder the signal, the faster the fix.

Share on X Post to HN Share to Reddit Share on LinkedIn

Is your AI tool in this list?

Want to make sure your project never ends up here? One command. No configuration needed.

$ npx speclock protect
See how SpecLock works Star on GitHub