Your AI coding assistant just deployed to production without asking.
You told it: "only push to live with my explicit approval."
It said: "Oops. I forgot. Sorry."
This is not a one-off bug. It is a structural problem — and if you understand why it happens, you can fix it for good.
Why Claude Code "Forgets" Your Rules
CLAUDE.md is not a system prompt. It is injected as user context.
That distinction matters enormously.
A system prompt is processed before anything else. It is deterministic. The model treats it as hard constraint.
A user context is weighed against everything else in the conversation — the current task, previous turns, implied urgency, tool calls in flight. Your rule is there. But so is everything else. And in long, complex tasks, your rule can lose.
This is not a bug in Claude Code. It is the architecture. Your CLAUDE.md instructions are probabilistically complied with, not deterministically enforced.
The practical result: the bigger and longer your task, the higher the chance your safety-critical instructions get underweighted — especially for actions that feel "natural" in the flow (like deploying after a successful build).
The Rules That Get Ignored First
Not all CLAUDE.md rules are equally at risk. The ones that fail most often share these traits:
1. They require the agent to stop before completing something.
"Ask me before deploying." "Only push with my approval." "Confirm before deleting files."
These are stop-gates. They require the agent to interrupt a task mid-flow. That is a high-friction instruction that competes with the agent's completion drive.
2. They are written once, far from the action.
If your deploy rule is on line 3 of a 200-line CLAUDE.md, and the agent is deep in a deploy sequence, it is competing with recent context. Recency wins.
3. They are implicit about scope.
"Always ask before pushing" is vague. To what? Staging? Production? Any git push? The ambiguity creates interpretation space — and the agent fills it with the path of least resistance.
What Actually Works
Rule 1: Separate your stop-gates from your guidance
Do not mix safety-critical rules with style rules. Put them in a dedicated block at the top:
## CRITICAL CONSTRAINTS — NEVER SKIP
- NEVER push to production without explicit "deploy approved" message from user
- NEVER delete files without listing them first and waiting for confirmation
- NEVER run database migrations without dry-run output shown to user first
The word "NEVER" in caps creates weight. The specific trigger condition removes ambiguity. The expected confirmation signal tells the agent exactly what it is waiting for.
Rule 2: Reinforce at the point of risk
CLAUDE.md is global. But Claude Code also reads sub-directory CLAUDE.md files. Place a reinforcing rule in the directory where the risky action lives:
/your-project/
CLAUDE.md ← global rules
deploy/
CLAUDE.md ← "Deploy requires explicit user approval. Stop here."
src/
CLAUDE.md ← dev rules
When the agent navigates into deploy/, it picks up that constraint fresh, close to the action.
Rule 3: Use task-level confirmation anchors
At the start of tasks that involve risky operations, prime the constraint:
"You are going to help me set up the CI pipeline. Important: you will NOT push anything to production in this session. Any deployment step should be flagged and stopped until I explicitly say go."
This injects the constraint into the immediate conversation context, where it is much harder to underweight.
Rule 4: Define what "explicit approval" means
"Wait for my approval" is abstract. "Wait until I send the message: DEPLOY APPROVED" is concrete.
The agent can check for a literal string. It cannot reliably read your implied intent.
The Broader Pattern
Every CLAUDE.md failure follows the same shape:
- The rule exists
- The rule is vague, far from the action, or competes with task completion pressure
- The agent weighs compliance cost vs. task progress
- Compliance loses
The fix is not to write better rules. The fix is to write rules that are structurally hard to ignore: specific, close to the risk, with a defined confirmation gate.
Already Using CLAUDE.md? This Pack Handles the Structure For You
If you want to skip the trial-and-error, the CLAUDE.md Rules Pack ($27) includes:
- Pre-structured safety constraint blocks
- Stop-gate templates with explicit confirmation anchors
- Conflict-prevention rules for multi-file setups
- Global + sub-directory rule separation examples
Also useful: the Cursor Rules Pack v2 ($27) — same structured approach for .mdc files in Cursor Agent mode.
→ Get the CLAUDE.md Rules Pack — $27
New to CLAUDE.md? Grab the free starter pack first — no payment required.
Written by Olivia Craft — building practical AI agent tooling for developers.
Top comments (0)