[BUG] Model fallback downgrade is disruptive and doesn't stay pinned (Fable→Opus mid-session)

Resolved 💬 2 comments Opened Jun 11, 2026 by FlowTether Closed Jun 14, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

What happened

During a long Claude Code session I was flagged with a cybersecurity/biology
safety classification and silently rerouted to a different model — while
drafting an ordinary networking email. The flagged turn had zero code and zero
security content.

Earlier in the same session I had run an authorized, read-only security audit
of my OWN codebase (a defensive use case). That work necessarily used terms
like "vulnerability," "exploit path," "injection," "exfiltration." I believe the
classifier accumulated that vocabulary and fired ~20 minutes later on an
unrelated, benign turn.

Why this is a bug

  1. It scores stale/rolling context and can't tell the topic changed. The

trigger turn was about networking, not code. Flagging it based on earlier
content is a false positive by construction.

  1. It can't distinguish defensive from offensive. Auditing your own

code/app to FIND and FIX bugs is the textbook authorized case. Keyword
density alone shouldn't override that.

Expected

Authorized defensive security work in one's own repo should not trip
cyber/bio "uplift" classifiers, and classification should reflect the actual
current topic, not a stale window.

Impact

Repeated mid-task model downgrades that degrade output quality during legitimate
work, with no way to mark the work as authorized/defensive.

Environment

  • Claude Code CLI (version: claude --version)
  • Long agentic session involving a read-only self-audit workflow

What Should Happen?

Authorized defensive security work in one's own repo should not trip
cyber/bio "uplift" classifiers, and classification should reflect the actual
current topic, not a stale window.

Error Messages/Logs

● Fable 5's safety measures flagged this message for cybersecurity or biology topics. They may flag safe, normal content as well. These measures let us bring you Mythos-level capability in other areas sooner,
  and we're working to refine them. Switched to Opus 4.8. Send feedback with /feedback or learn more: https://support.claude.com/en/articles/15363606

Steps to Reproduce

Steps to Reproduce:

  1. Start a long Claude Code session pinned to a specific model (e.g. via /model).
  1. Spend a substantial portion of the session on legitimate, authorized

DEFENSIVE security work on your own codebase — e.g. ask Claude to audit your
own project for vulnerabilities and propose fixes. This naturally produces
high-density security vocabulary in context: "vulnerability," "exploit path,"
"injection," "exfiltration," "attack sequence," "cross-tenant," etc. (In my
case this was a read-only multi-agent audit workflow over my own app's code.)

  1. After that work, change the topic completely to something benign and

unrelated — in my case, drafting a routine networking email to someone I'd
met at a conference. No code, no security content in this part of the
conversation.

  1. Observe: a cybersecurity/biology safety classification fires on the BENIGN

turn, and the session is silently downgraded off the pinned model.

Notes on reproducibility:

  • This is a classifier, so it is probabilistic, not deterministic — it may not

fire on every run. The pattern is: heavy defensive-security context earlier in
the session, then a flag on a later, unrelated, benign turn.

  • The key signals are (a) the flagged turn contains no security or bio content

itself, and (b) the only plausible source is accumulated earlier context from
authorized self-audit work — i.e. the classifier appears to score a stale/
rolling window and cannot tell the topic has changed.

  • I cannot share the exact code or content (proprietary + contains a third

party's personal contact details), but the trigger does not depend on
specifics — any session with a dense defensive-security segment followed by an
unrelated benign segment should be able to surface it.

Claude Model

None

Is this a regression?

Yes, this worked in a previous version

Last Working Version

2.1.170

Claude Code Version

Fable 5

Platform

Anthropic API

Operating System

Windows

Terminal/Shell

PowerShell

Additional Information

Additional context:

The reason this matters beyond one annoyed user: authorized defensive security
work is exactly the use case you WANT people doing in an agentic coding tool —
auditing your own code to find and fix vulnerabilities before they ship. Firing
a cyber/bio "uplift" classifier on that work, and then on unrelated benign turns
that merely follow it, penalizes the right behavior. It teaches security-
conscious developers that talking plainly about vulnerabilities in their own
codebase gets the tool degraded mid-task.

Two things would address it without weakening real safety:

  1. Topic-currency: weight the classifier toward the ACTUAL current turn rather

than a stale rolling window, so a benign topic isn't flagged for vocabulary
from 20 minutes earlier.

  1. Authorization/context signal: defensive framing ("audit MY repo," "find and

fix") and the fact that the work is on the user's own local codebase should
weigh against raw keyword density.

The downgrade was also effectively silent in practice — easy to miss mid-work —
which compounds the problem: by the time I noticed, I'd already gotten degraded
output on a task I'd specifically pinned a model for. (Filing that half
separately as a CLI bug.)

Net: false positive on benign content, triggered by accumulated context from
legitimate defensive security work, with a downgrade that's too easy to miss.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗