[Bug] Fable safety filter falsely flags legitimate development code as unsafe

Resolved 💬 2 comments Opened Jun 10, 2026 by phillip-hirsch Closed Jun 13, 2026

Bug Description
The following message was flagged by Fable's safety measures despite not containing cybersecurity or biology topics: ⏺ Bash(cd /Users/phillip/Developer/claude-orchestrator; sed -n '60,72p' src/executor.ts; echo "=== lockfile check ==="; rg -q "@typescript-eslint/utils" bun.lock && echo "tseslint/utils IN lockfile" || echo "tseslint/utils NOT in lockfile"; rg -q '"eslint"' bun.lock && echo "eslint IN lockfile" || echo "eslint NOT in lockfile"; rg -q "@effect/eslint-plugin" bun.lock && echo "effect-plugin IN lockfile" || echo "effect-plugin NOT in lockfile")
// only auto-approves matches — it does NOT deny the rest — so non-isolated
// calls also get a deny-by-default canUseTool gate (#12).
const tools = [...new Set(grants.map((t) => t.replace(/\(.*\)$/, "")))]
const allowed = grants
const bashPrefixes = grants
.filter((t) => t.startsWith("Bash(") && t.endsWith(":*)"))
.map((t) => t.slice("Bash(".length, -":*)".length))
const commandAllowed = (command: string): boolean =>
command
.split(/&&|\|\||[;|]/)
.map((part) => part.trim())
.every((part) =>
bashPrefixes.some((p) => part === p || part.startsWith(${p} ))
=== lockfile check ===
tseslint/utils NOT in lockfile
eslint IN lockfile
effect-plugin IN lockfile

Environment Info

  • Platform: darwin
  • Terminal: ghostty
  • Version: 2.1.170
  • Feedback ID: f88c5b9b-8340-446e-925e-16eb60a5fa30

Errors

[]

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗