[BUG] Security-guard generation defaults to allow-list, ships incomplete fixes, and relocates vulnerabilities; only converges under looped adversarial review.

Resolved 💬 2 comments Opened May 31, 2026 by gmanch94 Closed Jun 3, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Asked to close an INSERT-path bypass of UPDATE-only DB guards, Claude Code produced fixes it asserted were complete five times in a row, each leaving a distinct live HIGH authorization bypass. Three patterns: (1) allow-list "enumerate-the-bad" guard by default — despite the repo's own loaded CLAUDE.md requiring deny-by-default; (2) incomplete fix reported as done; (3) a fix that moved the bug (closed INSERT, left UPDATE open) and reported "done." Safety came from the user-imposed loop, not the model's judgment.

What Should Happen?

bias to deny-by-default on guards; reason over every reachable write path; after a security fix self-check "did I move the invariant or enforce it?" and state residual uncertainty; proactively recommend looped adversarial review and treat "found bugs" as not-yet-converged.

Error Messages/Logs

Steps to Reproduce

anthropic-bug-report.md

Claude Model

Opus

Is this a regression?

No, this never worked

Last Working Version

_No response_

Claude Code Version

2.1.139

Platform

Anthropic API

Operating System

Windows

Terminal/Shell

PowerShell

Additional Information

_No response_

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗