Claude Code now auto-opens pull requests, and developers want a kill switch
Tools & Apps

Claude Code now auto-opens pull requests, and developers want a kill switch

· 7 min read

You start a background task in Claude Code, go get coffee, and come back to three draft pull requests sitting on GitHub. Nobody approved them. Since July 1, Claude Code's background agents commit their work, push it to your remote, and open a draft PR the moment a task finishes, with no confirmation step in between. Version 2.1.198 made that the default behavior for roughly 235,000 Claude Code users worldwide. Great if you want to iterate fast. Less great if your team requires a human to decide what gets published to a shared repository, and right now there is no setting to turn it off.

\n\n

What changed in version 2.1.198?

\n\n

Until June 30, Claude Code's background agents followed a simple pattern: you gave an instruction, the agent worked in an isolated worktree, and once the code was ready it stopped and waited for your approval. You reviewed the diff, made the commit yourself, and opened a pull request if you wanted one. The human had the final say.

\n\n

That pause is gone as of July 1. A background agent that finishes a task now does three things automatically: commits the change, pushes the new branch to origin, and opens a draft pull request on GitHub. The PR carries "draft" status, so it will not auto-merge. But the code already lives on your remote. Anyone on your team can see that branch.

\n\n

One more thing shifted in the same release. Subagents now run in the background by default, so Claude keeps working while a subagent finishes its own task and only reports back when it's done. Combine that with the auto-PR behavior and the effect compounds fast. Two days later, on July 3, Anthropic shipped version 2.1.200, which switched the default permission mode to "Manual." That sounds like a brake, but it doesn't touch the auto-PR behavior. The background agent still commits and pushes on its own.

\n\n

How does a background agent work inside a worktree?

\n\n

A worktree is a separate working copy of your repository that sits next to your main project. Think of it like a duplicate tab in a spreadsheet where you test a formula without touching the original data: your main branch stays untouched while the worktree holds its own version of the code.

\n\n

Claude Code's background agents work exclusively inside a worktree. They clone your branch, make their changes, and until recently that was the end of it. Now the agent goes one step further once the work is done: it commits, pushes a new branch to your remote, and opens a draft PR with a description of what it did.

\n\n

The upside is real. You can kick off five tasks in parallel without returning after each one to commit and push by hand. The agent hands you something reviewable. For a solo developer who wants to iterate quickly, that's a genuine productivity gain. Here's the thing though: it rests on an assumption that doesn't hold for every team, namely that pushing to the remote is fine without explicit sign-off.

\n\n

Why are developers demanding a kill switch?

\n\n

On July 2, one day after the release, developer FelixBC opened an issue on GitHub with a blunt request: add a setting to turn this off.

\n\n
\n

"Pushing branches and opening PRs is outward-facing. For workflows where the human is the only one allowed to publish, a default-on publish step needs an off switch."

\nFelixBC, GitHub issue #73197\n
\n\n

The problem sits in the word "default." Teams running a propose-only workflow, where a developer opens every pull request by hand after review, lose control the moment an agent publishes to the remote without anyone explicitly signing off.

\n\n

FelixBC asked for three separate toggles: one for auto-commit, one for auto-push, one for auto-PR, ideally configurable through settings.json and the /config command inside Claude Code itself. As a stopgap, he suggested that existing permission deny-rules, such as Bash(git push:*), should block the behavior. Neither option exists today. There is no backgroundAgents.autoCreatePr: false flag in the settings, no toggle in /config, and no documentation on how to disable it. As of this writing, Anthropic has not responded publicly to the issue.

\n\n

This isn't the first time the pattern has surfaced. A user previously filed a bug report about Claude Code on the web, where the task-agent system prompt hardcoded commit-and-push instructions that overrode a user's own CLAUDE.md configuration. The shape of the problem repeats: the agent takes a step you didn't explicitly ask for, and there's no documented way to prevent it.

\n\n

Why did this land during a rough week for trust?

\n\n

The auto-PR behavior surfaced five days after a separate trust incident. A Reddit user found hidden code in Claude Code that detected whether a user was located in China. Anthropic confirmed the code existed and called it a mistake. It has since been removed, but the fact that it sat unnoticed for three months rattled the community.

\n\n

Two undocumented behaviors in the same tool inside one week. It's a pattern anyone rolling out AI tools across a team will recognize: capability keeps expanding, but transparency doesn't always keep pace. For context, the industry data backs this up. Stack Overflow's 2026 Developer Survey found that only 14.1% of professional developers use AI agents daily at work, and just 3% report "highly trusting" AI output, down from 40% a few years earlier. Verification, not blind delegation, is still how most teams operate.

\n\n

Claude Code isn't the only tool moving in this direction. Claude Agent for Jira has been opening pull requests directly from Jira tickets since June. OpenAI's Codex Remote writes code in the background while you sit in a meeting. The trend is consistent across vendors: AI agents are moving from suggesting changes to publishing them.

\n\n

What does Claude Code cost, and who does this affect?

\n\n

Claude Code ships as part of the Claude subscription. Claude Pro runs $20 a month, and Claude Max starts at $100 a month with considerably more capacity. The background agents that now open PRs automatically are available to every paying tier, not a niche enterprise feature gated behind a separate contract.

\n\n

That makes the reach wide. Any developer on a $20-a-month Pro plan who kicks off a background task in a worktree gets auto-PRs now. According to TheAIDaily's own workforce AI-adoption data, a majority of organizations globally have adopted at least one AI coding tool, yet only a minority have formal policies for how those tools interact with shared systems like git repositories.

\n\n

If you work on client repositories, the stakes are higher still. A draft PR landing at the wrong moment in a client's repo can cause confusion, especially when the client's team has no idea the agent publishes on its own.

\n\n

How do you protect your repository in five minutes?

\n\n

Branch protection rules on GitHub are your first line of defense. They take about five minutes to set up and stop any agent, human or automated, from pushing straight to your main branch without review.

\n\n

Set these up under GitHub Settings, Branches, Add rule:

\n
    \n
  • Require a pull request before merging into main
  • \n
  • Require at least one approval from a teammate
  • \n
  • Block force pushes
  • \n
  • Require status checks (CI/CD) to pass before merging
  • \n
\n\n

With those rules active, Claude Code's background agent can still open a draft PR, but the code only reaches production after human approval and passing tests. The draft PR becomes what it should be: a proposal, not a publication.

\n\n

Solo developers sometimes assume branch protection is overkill when nobody else is on the repo. But AI agents change what "alone" means. You didn't write every line yourself; you gave an instruction and the agent produced hundreds of lines in response. There's a real gap between knowing what you wrote yourself and having verified what the agent wrote for you, and that gap alone justifies a review step, even on a one-person project.

\n\n

Worth noting: if you also want to block the push to the remote itself, that requires a pre-push hook in your repository or a CI check that rejects unauthorized branches. More work to set up, but it's the only way to guarantee nothing lands on your remote without a human signing off first.

\n\n

Where does the agent stop and your team start?

\n\n

Claude Code's background agents moved from "write code and wait" to "write code, commit, push, and open a PR" in about six months. Each step makes sense on its own. Together, they shift where the human ends and the machine begins.

\n\n

It's a pattern playing out well beyond Claude Code. Every AI tool you fold into a workflow becomes autonomous in increments. It starts with suggestions, moves to actions, and ends at publication. Six months ago, Claude Code suggested code changes. Today it publishes them to your shared repository. And it's moving fast: six months from now, the question might be who merged that PR, not who opened it. Setting boundaries now is what keeps that question from becoming a real problem.

\n\n

Claude Code's auto-PR behavior is a clear example of the pattern: the feature itself is useful, the missing off switch isn't. Anthropic will likely ship a setting eventually, the same way it removed the hidden China-detection code quickly once it surfaced. Until then, the responsibility sits with the team deploying the tool.

\n\n

Check your Claude Code settings today, set up branch protection if you haven't already, and talk with your team about where the agent stops and the human begins. That five-minute conversation is worth more than any AI feature on the market.

\n
Michael Groeneweg
Written by Michael Groeneweg AI consultant at Digital Impact and founder of UnicornAI.nl

Michael is an AI consultant at Digital Impact in Rotterdam and the founder of UnicornAI.nl, where he builds AI solutions and SaaS integrations for businesses. An entrepreneur for ten years, he has spent the last few refusing to touch anything that doesn't have AI woven into it, at work and at home, to the mild dismay of the people around him. His travels have turned into a running experiment in what AI can and can't do from a cafe terrace in Lisbon or a train station in Tokyo. He obsessively tests new tools, builds solutions for clients, and believes nobody should buy the hype, but nobody can keep pretending AI doesn't change everything either. Loves good coffee, long flights, and people who build with AI instead of just talking about it.

Written by a human, with AI assisting research and editing. More on our method in the AI disclosure.