MCP tool results with normal sysadmin content trigger false-positive Usage Policy refusals
Summary
MCP tool results that return historical session data (summaries, transcripts) containing normal sysadmin operations trigger Usage Policy refusals, killing the entire Claude Code session. This happens consistently and is extremely disruptive.
Environment
- Claude Code CLI (latest)
- Model: claude-opus-4-6 (also happens on sonnet)
- OS: Linux (ARM64, homelab infrastructure host)
Reproduction
I have a custom MCP server (session-search-mcp) that indexes past Claude Code sessions into SQLite and provides search/retrieval tools. When I search for or retrieve sessions that mention routine sysadmin operations, the API returns:
API Error: Claude Code is unable to respond to this request, which appears to violate our Usage Policy
Example 1: Searching sessions
session-search - search_sessions (query: "delete sparsebundle time machine synology rm")
→ Returns 10 results with short summaries
→ API Error: Usage Policy violation
Example 2: Retrieving a session transcript
session-search - get_session (session_id: "...", include_transcript: true)
→ Returns session metadata + transcript
→ API Error: Usage Policy violation
The session content is completely benign — it's historical logs of me managing my own homelab (deleting Time Machine sparsebundles on my Synology NAS, removing old Docker containers, standard file operations, etc.).
Impact
- Session-destroying: The error kills the entire Claude Code session. All accumulated context is lost.
- Unpredictable: Can't know in advance which sessions or search queries will trigger it.
- No workaround: The data is legitimate and can't be sanitized without defeating the purpose of the session archive.
- Recurring: Happens regularly during normal workflow when referencing past work.
Expected behavior
MCP tool results containing historical/archived data about routine system administration should not trigger Usage Policy refusals. The content is retrospective (reviewing what was done in past sessions), not instructional.
Notes
- The MCP tool returns the data successfully — the refusal happens when Claude processes the response
- The safety classifier appears to pattern-match on terms like
rm,delete,kill,dropwithout considering that the content is archived session history being reviewed - This is a false positive in the safety classifier, not an issue with the MCP server itself
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗