[BUG] Model fallback downgrade is disruptive and doesn't stay pinned (Fable→Opus mid-session)
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
What happened
During a long Claude Code session I was flagged with a cybersecurity/biology
safety classification and silently rerouted to a different model — while
drafting an ordinary networking email. The flagged turn had zero code and zero
security content.
Earlier in the same session I had run an authorized, read-only security audit
of my OWN codebase (a defensive use case). That work necessarily used terms
like "vulnerability," "exploit path," "injection," "exfiltration." I believe the
classifier accumulated that vocabulary and fired ~20 minutes later on an
unrelated, benign turn.
Why this is a bug
- It scores stale/rolling context and can't tell the topic changed. The
trigger turn was about networking, not code. Flagging it based on earlier
content is a false positive by construction.
- It can't distinguish defensive from offensive. Auditing your own
code/app to FIND and FIX bugs is the textbook authorized case. Keyword
density alone shouldn't override that.
Expected
Authorized defensive security work in one's own repo should not trip
cyber/bio "uplift" classifiers, and classification should reflect the actual
current topic, not a stale window.
Impact
Repeated mid-task model downgrades that degrade output quality during legitimate
work, with no way to mark the work as authorized/defensive.
Environment
- Claude Code CLI (version:
claude --version) - Long agentic session involving a read-only self-audit workflow
What Should Happen?
Authorized defensive security work in one's own repo should not trip
cyber/bio "uplift" classifiers, and classification should reflect the actual
current topic, not a stale window.
Error Messages/Logs
● Fable 5's safety measures flagged this message for cybersecurity or biology topics. They may flag safe, normal content as well. These measures let us bring you Mythos-level capability in other areas sooner,
and we're working to refine them. Switched to Opus 4.8. Send feedback with /feedback or learn more: https://support.claude.com/en/articles/15363606
Steps to Reproduce
Steps to Reproduce:
- Start a long Claude Code session pinned to a specific model (e.g. via /model).
- Spend a substantial portion of the session on legitimate, authorized
DEFENSIVE security work on your own codebase — e.g. ask Claude to audit your
own project for vulnerabilities and propose fixes. This naturally produces
high-density security vocabulary in context: "vulnerability," "exploit path,"
"injection," "exfiltration," "attack sequence," "cross-tenant," etc. (In my
case this was a read-only multi-agent audit workflow over my own app's code.)
- After that work, change the topic completely to something benign and
unrelated — in my case, drafting a routine networking email to someone I'd
met at a conference. No code, no security content in this part of the
conversation.
- Observe: a cybersecurity/biology safety classification fires on the BENIGN
turn, and the session is silently downgraded off the pinned model.
Notes on reproducibility:
- This is a classifier, so it is probabilistic, not deterministic — it may not
fire on every run. The pattern is: heavy defensive-security context earlier in
the session, then a flag on a later, unrelated, benign turn.
- The key signals are (a) the flagged turn contains no security or bio content
itself, and (b) the only plausible source is accumulated earlier context from
authorized self-audit work — i.e. the classifier appears to score a stale/
rolling window and cannot tell the topic has changed.
- I cannot share the exact code or content (proprietary + contains a third
party's personal contact details), but the trigger does not depend on
specifics — any session with a dense defensive-security segment followed by an
unrelated benign segment should be able to surface it.
Claude Model
None
Is this a regression?
Yes, this worked in a previous version
Last Working Version
2.1.170
Claude Code Version
Fable 5
Platform
Anthropic API
Operating System
Windows
Terminal/Shell
PowerShell
Additional Information
Additional context:
The reason this matters beyond one annoyed user: authorized defensive security
work is exactly the use case you WANT people doing in an agentic coding tool —
auditing your own code to find and fix vulnerabilities before they ship. Firing
a cyber/bio "uplift" classifier on that work, and then on unrelated benign turns
that merely follow it, penalizes the right behavior. It teaches security-
conscious developers that talking plainly about vulnerabilities in their own
codebase gets the tool degraded mid-task.
Two things would address it without weakening real safety:
- Topic-currency: weight the classifier toward the ACTUAL current turn rather
than a stale rolling window, so a benign topic isn't flagged for vocabulary
from 20 minutes earlier.
- Authorization/context signal: defensive framing ("audit MY repo," "find and
fix") and the fact that the work is on the user's own local codebase should
weigh against raw keyword density.
The downgrade was also effectively silent in practice — easy to miss mid-work —
which compounds the problem: by the time I noticed, I'd already gotten degraded
output on a task I'd specifically pinned a model for. (Filing that half
separately as a CLI bug.)
Net: false positive on benign content, triggered by accumulated context from
legitimate defensive security work, with a downgrade that's too easy to miss.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗