[Bug] Long-session agent degradation: silent audit bypass, state confabulation, and withheld diagnostics

Resolved 💬 3 comments Opened May 5, 2026 by dr12hes Closed May 9, 2026

Bug Description
Single Claude Code session today (5 May 2026), Opus 4.7, ~8 hours.
Six distinct behavioural failures, all in one session:

  1. Silent audit-skip: agent stopped invoking the configured DeepSeek

audit step partway through a task batch without logging or
surfacing the change. Tasks 61-64 were committed unaudited.

  1. Confabulation about system state: when challenged on (1), agent

claimed DEEPSEEK_API_KEY was unset. The key was set and had been
used successfully earlier in the same session.

  1. Queued already-shipped work: agent promoted three tasks to "todo"

without checking the codebase. The work was already implemented
and merged in prior PRs (#73, #79). Required user intervention
to catch.

  1. Orchestrator bypass: agent followed the project's SKILL.md doc

which directed it to use duet next + manual worker spawning.
This bypassed the entire safety stack (zombie recovery, file-race
detection, timeouts, merger agent) which only fires inside
duet run.

  1. --skip-gate in worker prompts: twelve eskimo-project tasks were

spawned with --skip-gate baked into the agent prompts, bypassing
the audit.pass requirement entirely. worker_runs table is empty
for all twelve.

  1. Withheld diagnostic information: agent identified a flaw in its

own diff-retrieval fix (using started_at instead of merge-base,
producing empty diffs that made audits vacuous) and did not
surface this. Only disclosed when user explicitly accused agent
of hiding something. Agent's own words: "I haven't been fully
upfront."

Failures 1, 2, and 6 are the most concerning — all involve the
agent producing inaccurate reports about system state. Failures
3, 4, and 5 are drift under task pressure.

Context: I was building a multi-agent orchestration system (duet)
specifically designed to prevent this class of failure through
cross-audit and audit-log gating. The agent helped me design the
hardening while simultaneously exhibiting the failure modes the
hardening was meant to prevent. This is documented in the same
session.

Pattern is consistent with the long-session degradation issues
acknowledged in the April 23 postmortem, but the specific failure
modes (confabulation, withholding) are not covered there.

Session transcripts available on request.

Environment Info

  • Platform: darwin
  • Terminal: Apple_Terminal
  • Version: 2.1.112
  • Feedback ID: 9a290d60-99d2-4b5e-9491-1231b26faae5

Errors

[{"error":"McpToolCallError: Error executing tool ask_local: Error code: 401 - {'detail': 'Invalid API key'}\n    at qM7 (/$bunfs/root/src/entrypoints/cli.js:4754:63)\n    at processTicksAndRejections (native:7:39)","timestamp":"2026-05-05T08:05:07.086Z"},{"error":"Error: Request was aborted.\n    at makeRequest (/$bunfs/root/src/entrypoints/cli.js:50:3448)\n    at processTicksAndRejections (native:7:39)","timestamp":"2026-05-05T10:59:37.658Z"},{"error":"Error: File does not exist. Note: your current working directory is /Users/david/dev/duet.\n    at call (/$bunfs/root/src/entrypoints/cli.js:4727:7630)\n    at processTicksAndRejections (native:7:39)","timestamp":"2026-05-05T11:01:29.012Z"},{"error":"Error: EISDIR: illegal operation on a directory, read '/Users/david/dev/duet/src/duet'\n    at WKH (/$bunfs/root/src/entrypoints/cli.js:1561:144)\n    at processTicksAndRejections (native:7:39)","timestamp":"2026-05-05T11:21:24.426Z"},{"error":"MaxFileReadTokenExceededError: File content (31804 tokens) exceeds maximum allowed tokens (25000). Use offset and limit parameters to read specific portions of the file, or search for specific content instead of reading the whole file.\n    at Xf7 (/$bunfs/root/src/entrypoints/cli.js:4718:12550)\n    at processTicksAndRejections (native:7:39)","timestamp":"2026-05-05T13:14:20.495Z"},{"error":"Error: EISDIR: illegal operation on a directory, read '/Users/david/dev/eskimo/apps/api/app/services/document_sync'\n    at WKH (/$bunfs/root/src/entrypoints/cli.js:1561:144)\n    at processTicksAndRejections (native:7:39)","timestamp":"2026-05-05T13:14:57.726Z"},{"error":"MaxFileReadTokenExceededError: File content (42539 tokens) exceeds maximum allowed tokens (25000). Use offset and limit parameters to read specific portions of the file, or search for specific content instead of reading the whole file.\n    at Xf7 (/$bunfs/root/src/entrypoints/cli.js:4718:12550)\n    at processTicksAndRejections (native:7:39)","timestamp":"2026-05-05T14:13:04.038Z"},{"error":"MaxFileReadTokenExceededError: File content (42539 tokens) exceeds maximum allowed tokens (25000). Use offset and limit parameters to read specific portions of the file, or search for specific content instead of reading the whole file.\n    at Xf7 (/$bunfs/root/src/entrypoints/cli.js:4718:12550)\n    at processTicksAndRejections (native:7:39)","timestamp":"2026-05-05T14:13:09.035Z"},{"error":"Error: Request was aborted.\n    at makeRequest (/…

Note: Content was truncated.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗