You start a background task in Claude Code, go get coffee, and come back to three draft pull requests sitting on GitHub. Nobody approved them. Since July 1, Claude Code's background agents commit their work, push it to your remote, and open a draft PR the moment a task finishes, with no confirmation step in between. Version 2.1.198 made that the default behavior for roughly 235,000 Claude Code users worldwide. Great if you want to iterate fast. Less great if your team requires a human to decide what gets published to a shared repository, and right now there is no setting to turn it off.
\n\nWhat changed in version 2.1.198?
\n\nUntil June 30, Claude Code's background agents followed a simple pattern: you gave an instruction, the agent worked in an isolated worktree, and once the code was ready it stopped and waited for your approval. You reviewed the diff, made the commit yourself, and opened a pull request if you wanted one. The human had the final say.
\n\nThat pause is gone as of July 1. A background agent that finishes a task now does three things automatically: commits the change, pushes the new branch to origin, and opens a draft pull request on GitHub. The PR carries "draft" status, so it will not auto-merge. But the code already lives on your remote. Anyone on your team can see that branch.
\n\nOne more thing shifted in the same release. Subagents now run in the background by default, so Claude keeps working while a subagent finishes its own task and only reports back when it's done. Combine that with the auto-PR behavior and the effect compounds fast. Two days later, on July 3, Anthropic shipped version 2.1.200, which switched the default permission mode to "Manual." That sounds like a brake, but it doesn't touch the auto-PR behavior. The background agent still commits and pushes on its own.
\n\nHow does a background agent work inside a worktree?
\n\nA worktree is a separate working copy of your repository that sits next to your main project. Think of it like a duplicate tab in a spreadsheet where you test a formula without touching the original data: your main branch stays untouched while the worktree holds its own version of the code.
\n\nClaude Code's background agents work exclusively inside a worktree. They clone your branch, make their changes, and until recently that was the end of it. Now the agent goes one step further once the work is done: it commits, pushes a new branch to your remote, and opens a draft PR with a description of what it did.
\n\nThe upside is real. You can kick off five tasks in parallel without returning after each one to commit and push by hand. The agent hands you something reviewable. For a solo developer who wants to iterate quickly, that's a genuine productivity gain. Here's the thing though: it rests on an assumption that doesn't hold for every team, namely that pushing to the remote is fine without explicit sign-off.
\n\nWhy are developers demanding a kill switch?
\n\nOn July 2, one day after the release, developer FelixBC opened an issue on GitHub with a blunt request: add a setting to turn this off.
\n\n\n\n\n"Pushing branches and opening PRs is outward-facing. For workflows where the human is the only one allowed to publish, a default-on publish step needs an off switch."
\nFelixBC, GitHub issue #73197\n
The problem sits in the word "default." Teams running a propose-only workflow, where a developer opens every pull request by hand after review, lose control the moment an agent publishes to the remote without anyone explicitly signing off.
\n\nFelixBC asked for three separate toggles: one for auto-commit, one for auto-push, one for auto-PR, ideally configurable through settings.json and the /config command inside Claude Code itself. As a stopgap, he suggested that existing permission deny-rules, such as Bash(git push:*), should block the behavior. Neither option exists today. There is no backgroundAgents.autoCreatePr: false flag in the settings, no toggle in /config, and no documentation on how to disable it. As of this writing, Anthropic has not responded publicly to the issue.
This isn't the first time the pattern has surfaced. A user previously filed a bug report about Claude Code on the web, where the task-agent system prompt hardcoded commit-and-push instructions that overrode a user's own CLAUDE.md configuration. The shape of the problem repeats: the agent takes a step you didn't explicitly ask for, and there's no documented way to prevent it.
\n\nWhy did this land during a rough week for trust?
\n\nThe auto-PR behavior surfaced five days after a separate trust incident. A Reddit user found hidden code in Claude Code that detected whether a user was located in China. Anthropic confirmed the code existed and called it a mistake. It has since been removed, but the fact that it sat unnoticed for three months rattled the community.
\n\nTwo undocumented behaviors in the same tool inside one week. It's a pattern anyone rolling out AI tools across a team will recognize: capability keeps expanding, but transparency doesn't always keep pace. For context, the industry data backs this up. Stack Overflow's 2026 Developer Survey found that only 14.1% of professional developers use AI agents daily at work, and just 3% report "highly trusting" AI output, down from 40% a few years earlier. Verification, not blind delegation, is still how most teams operate.
\n\nClaude Code isn't the only tool moving in this direction. Claude Agent for Jira has been opening pull requests directly from Jira tickets since June. OpenAI's Codex Remote writes code in the background while you sit in a meeting. The trend is consistent across vendors: AI agents are moving from suggesting changes to publishing them.
\n\nWhat does Claude Code cost, and who does this affect?
\n\nClaude Code ships as part of the Claude subscription. Claude Pro runs $20 a month, and Claude Max starts at $100 a month with considerably more capacity. The background agents that now open PRs automatically are available to every paying tier, not a niche enterprise feature gated behind a separate contract.
\n\nThat makes the reach wide. Any developer on a $20-a-month Pro plan who kicks off a background task in a worktree gets auto-PRs now. According to TheAIDaily's own workforce AI-adoption data, a majority of organizations globally have adopted at least one AI coding tool, yet only a minority have formal policies for how those tools interact with shared systems like git repositories.
\n\nIf you work on client repositories, the stakes are higher still. A draft PR landing at the wrong moment in a client's repo can cause confusion, especially when the client's team has no idea the agent publishes on its own.
\n\nHow do you protect your repository in five minutes?
\n\nBranch protection rules on GitHub are your first line of defense. They take about five minutes to set up and stop any agent, human or automated, from pushing straight to your main branch without review.
\n\nSet these up under GitHub Settings, Branches, Add rule:
\n- \n
- Require a pull request before merging into main \n
- Require at least one approval from a teammate \n
- Block force pushes \n
- Require status checks (CI/CD) to pass before merging \n
With those rules active, Claude Code's background agent can still open a draft PR, but the code only reaches production after human approval and passing tests. The draft PR becomes what it should be: a proposal, not a publication.
\n\nSolo developers sometimes assume branch protection is overkill when nobody else is on the repo. But AI agents change what "alone" means. You didn't write every line yourself; you gave an instruction and the agent produced hundreds of lines in response. There's a real gap between knowing what you wrote yourself and having verified what the agent wrote for you, and that gap alone justifies a review step, even on a one-person project.
\n\nWorth noting: if you also want to block the push to the remote itself, that requires a pre-push hook in your repository or a CI check that rejects unauthorized branches. More work to set up, but it's the only way to guarantee nothing lands on your remote without a human signing off first.
\n\nWhere does the agent stop and your team start?
\n\nClaude Code's background agents moved from "write code and wait" to "write code, commit, push, and open a PR" in about six months. Each step makes sense on its own. Together, they shift where the human ends and the machine begins.
\n\nIt's a pattern playing out well beyond Claude Code. Every AI tool you fold into a workflow becomes autonomous in increments. It starts with suggestions, moves to actions, and ends at publication. Six months ago, Claude Code suggested code changes. Today it publishes them to your shared repository. And it's moving fast: six months from now, the question might be who merged that PR, not who opened it. Setting boundaries now is what keeps that question from becoming a real problem.
\n\nClaude Code's auto-PR behavior is a clear example of the pattern: the feature itself is useful, the missing off switch isn't. Anthropic will likely ship a setting eventually, the same way it removed the hidden China-detection code quickly once it surfaced. Until then, the responsibility sits with the team deploying the tool.
\n\nCheck your Claude Code settings today, set up branch protection if you haven't already, and talk with your team about where the agent stops and the human begins. That five-minute conversation is worth more than any AI feature on the market.
\n