[Feature Request] Improve safety classifier to distinguish defensive debugging from offensive security content

Open 💬 2 comments Opened Jun 10, 2026 by kodamacom

Bug Description
False positive: safety flag triggered during legitimate debugging of my own codebase. Context: I was investigating why daily log files (ktag_YYMMDD.log) were disappearing from /var/log on my own production server. The investigation involved grepping my own PHP source code for terms like "unlink", log file paths, and cron-related batch scripts to identify which process was deleting the files. During this session, Fable 5's safety measures flagged my message as cybersecurity-related content and the session was switched to Opus 4.8. The root cause turned out to be completely benign: a cron job that archives the previous day's log to S3 and removes the local copy on success — standard log rotation/archiving behavior. Nothing in the session involved offensive security, malware, exploitation, or third-party systems. It was routine sysadmin/devops troubleshooting on infrastructure I own and operate: reading my own code, tracing file deletion logic, and verifying S3 upload behavior. Suggestion: searching one's own codebase for "unlink" / log-deletion logic is an extremely common debugging pattern and should not trigger a cybersecurity flag. Please consider tuning the classifier to distinguish defensive/diagnostic work on one's own systems from offensive security content. The forced model switch mid-investigation disrupted a multi-step debugging workflow.

Environment Info

  • Platform: darwin
  • Terminal: iTerm.app
  • Version: 2.1.170
  • Feedback ID: d83602c8-47b2-4ef6-be82-485159b04cc4

Errors

[]

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗