[Bug] Claude failed to detect Cloudflare account mismatch between user identity and active deployment target

Resolved 💬 3 comments Opened May 11, 2026 by mciciliatti Closed May 15, 2026

Environment

  • Platform: win32
  • Terminal: vscode
  • Claude Code version: 2.1.138
  • Model: claude-opus-4-7 (autonomous subagent mode)
  • Feedback ID: 6827a066-13ea-493e-96cb-fa427ffb49b2

---

Bug description

Claude failed to flag a Cloudflare account mismatch despite both signals being visible in tool output.

Context: The user explicitly stated their Cloudflare identity (user@example.com) at the start of the session for a new client project. Later, when running wrangler whoami, the output showed:

You are logged in with an OAuth Token, associated with the email user@example.com.
  Account Name: client-org@example.com's Account
  Account ID:   <ACCOUNT_ID_REDACTED>

The "logged in as" email matched the user, but the active Account Name belonged to a third party (a delegated org the user has access to). Claude captured the Account ID into the spec/plan and proceeded to deploy a full SvelteKit + Cloudflare project (D1, KV, Pages, Worker) to the wrong account. An autonomous subagent finalized the deploy, and the mismatch was only discovered when R2 setup failed — by that time, 31 commits + a deployed app were on the wrong tenant.

---

Expected behavior

When a whoami-style command reveals that the active account/org name does not match the human identity the user provided, Claude should pause and confirm before any create/deploy action. The mismatch is a strong signal that auth is pointing at a delegated context.

---

Actual behavior

Claude silently used the mismatched Account ID, dispatched an autonomous subagent that completed the full deploy, and only surfaced the error when a subsequent operation (R2 bucket creation) failed.

---

Impact

High — caused real cleanup work on a third party's account (had to ask the account owner to manually delete provisioned resources) and required a full re-deploy.

---

Errors observed

[
  {
    "error": "Error: Request was aborted.",
    "timestamp": "2026-05-11T14:15:19.063Z"
  },
  {
    "error": "Error: File does not exist. Note: your current working directory is /projects/oishii/oishii.",
    "timestamp": "2026-05-11T14:15:45.063Z"
  }
]

---

Suggested fix

Tighten the heuristic: "user-provided identity" + "deploy-target identity differs"stop and confirm. This is generalizable beyond Cloudflare:

| Platform | Identity signal | Mismatch indicator |
|---|---|---|
| Cloudflare | wrangler whoami email | Account Name ≠ user identity |
| AWS | aws sts get-caller-identity | Account ID / role ARN |
| GCP | gcloud config get project | Project ≠ expected |
| Vercel | vercel whoami | Org/team scope |

A single pre-flight check before any create / deploy action would prevent this class of error.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗