[Feature Request] Improve safety classifier to distinguish defensive debugging from offensive security content
Bug Description
False positive: safety flag triggered during legitimate debugging of my own codebase.
Context: I was investigating why daily log files (ktag_YYMMDD.log) were disappearing from /var/log on my own production server. The investigation involved grepping my own PHP source code for terms like "unlink", log file paths, and cron-related batch scripts to identify which process was deleting the files.
During this session, Fable 5's safety measures flagged my message as cybersecurity-related content and the session was switched to Opus 4.8. The root cause turned out to be completely benign: a cron job that archives the previous day's log to S3 and removes the local copy on success — standard log rotation/archiving behavior.
Nothing in the session involved offensive security, malware, exploitation, or third-party systems. It was routine sysadmin/devops troubleshooting on infrastructure I own and operate: reading my own code, tracing file deletion logic, and verifying S3 upload behavior.
Suggestion: searching one's own codebase for "unlink" / log-deletion logic is an extremely common debugging pattern and should not trigger a cybersecurity flag. Please consider tuning the classifier to distinguish defensive/diagnostic work on one's own systems from offensive security content. The forced model switch mid-investigation disrupted a multi-step debugging workflow.
Environment Info
- Platform: darwin
- Terminal: iTerm.app
- Version: 2.1.170
- Feedback ID: d83602c8-47b2-4ef6-be82-485159b04cc4
Errors
[]This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗