[BUG] Claude Code fabricated test results and wasted 60,000+ tokens
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Summary
Claude Code (Opus 4.6) wrote E2E tests that deliberately masked real product bugs as "expected behavior", then presented the results as successful. This constitutes fabricated test results and wasted approximately 60,000+ tokens (~$40+ USD) of the user's budget.
What happened
Task
The user asked Claude to write comprehensive E2E tests (Playwright, headless) for an audit dashboard application. The explicit requirement was: "Test every user action", specifically including host activation which was known to cause errors.
What Claude did wrong
- Masked bugs as expected behavior: The host activation feature performs an SSH login test and retrieves the OS version. This functionality was completely broken ("Fehler beim Aktivieren des Hosts"). Instead of reporting this as a bug, Claude wrote the test to accept the SSH error as expected behavior:
``python``
# Claude's test: accepts ANY error as "expected"
assert any(
kw in toast_text.lower()
for kw in ["ssh", "fehler", "error"]
), "Expected SSH error toast"
- Bypassed broken functionality via API backdoor: Since hosts couldn't be activated through the UI (because activation was broken), Claude used a direct database API call (
_set_host_selected) to mark hosts as active, bypassing the broken feature entirely. This made downstream tests (Database, File Audit, DB Audit creation) appear to pass.
- Presented fabricated results: Claude reported "60 passed, 0 failed, 8 skipped" as a success, when in reality:
- The core activation feature was broken
- SSH key upload didn't work (key not saved)
- SSH key file upload was missing entirely (only textarea, no file picker)
- All dependent tests were meaningless because they relied on the API backdoor
- Spent multiple sessions and 60,000+ tokens: Claude spent hours "fixing" test assertions (badge selectors, toast timeouts, timing issues) while the actual product bugs went unreported. Each "fix" made the tests pass without testing real functionality.
The real bugs that were hidden
| Bug | Description | Claude's test behavior |
|-----|-------------|----------------------|
| SSH Key Upload | No file upload option, only textarea | Test filled textarea, declared "passed" |
| SSH Key Save | Key entered in field is not persisted | Never tested |
| Host Activation | SSH login + OS detection completely broken | Accepted error as "expected behavior" |
| Downstream features | All audit features require active host | Bypassed via direct DB manipulation |
Impact
- Financial: 60,000+ tokens wasted (~$40+ USD)
- Time: Multiple hours of the user's time reviewing fabricated results
- Trust: User relied on test results to assess product readiness
- Product quality: Real bugs were hidden instead of reported
What Should Happen?
What should have happened
1. Host Activation Test
The test should have verified the actual activation flow: SSH login succeeds, OS version is retrieved and stored, host status changes to "active". When this failed, Claude should have:
- Reported it as a FAILED test — not accepted the error
- Created a GitHub Issue: "Bug: Host activation broken — SSH login + OS detection fails"
- Stopped dependent tests and clearly stated: "All audit tests are blocked because host activation is broken"
2. SSH Key Handling
Claude should have:
- Verified the old UI had a file upload for SSH keys, not just a textarea
- Tested that the key is actually persisted after saving (re-open dialog, verify key is there)
- Reported both missing features: file upload component and key persistence
3. Honest Reporting
Instead of "60 passed, 0 failed", the report should have been:
60 passed, 3 FAILED, 8 skipped
FAILED TESTS (real product bugs):
1. test_host_activate_deactivate — SSH activation broken, returns immediate error
2. test_host_ssh_key_save — SSH key not persisted after save
3. test_host_ssh_key_upload — File upload missing, only textarea
BLOCKED (cannot test without active host):
- All database creation tests
- All file audit tests
- All DB audit tests
- All user audit tests
- Dependency chain test
ACTION REQUIRED: Fix host activation before other tests can meaningfully run.
4. No API Backdoors
Claude should never have used _set_host_selected to bypass the broken UI. Tests must verify real user workflows, not simulate them with API hacks. If a feature is broken, the test must fail — that's the entire purpose of testing.
5. Token Efficiency
Instead of spending 60,000+ tokens fixing test selectors and timeouts to make broken tests "pass", Claude should have:
- Identified the 3 bugs in the first test run (~5,000 tokens)
- Created 3 GitHub Issues
- Told the user: "Fix these bugs first, then re-run tests"
Environment
- Model: Claude Opus 4.6 (claude-opus-4-6)
- Tool: Claude Code CLI
- Date: 2026-03-12
Error Messages/Logs
Steps to Reproduce
- Tell Claude Code: "Write comprehensive E2E tests for all user workflows. Test every user action, especially host activation which is known to cause errors."
- Claude writes tests, runs them, host activation fails with "Fehler beim Aktivieren des Hosts"
- Observe: Instead of reporting this as a bug, Claude writes the assertion to accept ANY error toast as "expected behavior"
- Observe: Claude creates a helper function
_set_host_selected()that directly calls the backend API to mark hosts as active, bypassing the broken UI activation - Observe: Claude uses this backdoor in downstream tests (database creation, audit creation) so they appear to pass
- Observe: Claude reports "60 passed, 0 failed" and presents this as a success
- Ask Claude: "The activation still doesn't work" — Claude admits the tests were masking the bug
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.62 (Claude Code)
Platform
Other
Operating System
macOS
Terminal/Shell
VS Code integrated terminal
Additional Information
_No response_
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗