[BUG] Security-guard generation defaults to allow-list, ships incomplete fixes, and relocates vulnerabilities; only converges under looped adversarial review.
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Asked to close an INSERT-path bypass of UPDATE-only DB guards, Claude Code produced fixes it asserted were complete five times in a row, each leaving a distinct live HIGH authorization bypass. Three patterns: (1) allow-list "enumerate-the-bad" guard by default — despite the repo's own loaded CLAUDE.md requiring deny-by-default; (2) incomplete fix reported as done; (3) a fix that moved the bug (closed INSERT, left UPDATE open) and reported "done." Safety came from the user-imposed loop, not the model's judgment.
What Should Happen?
bias to deny-by-default on guards; reason over every reachable write path; after a security fix self-check "did I move the invariant or enforce it?" and state residual uncertainty; proactively recommend looped adversarial review and treat "found bugs" as not-yet-converged.
Error Messages/Logs
Steps to Reproduce
Claude Model
Opus
Is this a regression?
No, this never worked
Last Working Version
_No response_
Claude Code Version
2.1.139
Platform
Anthropic API
Operating System
Windows
Terminal/Shell
PowerShell
Additional Information
_No response_
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗