Classifier overrides user CLAUDE.md context for legitimate server admin tasks — and blocks the user from writing the fix
Environment
Claude Code CLI, Claude Opus 4.8, macOS
What happened — concrete session example
I asked Claude to change a password on my own staging server (staging.tradetron.tech). I have SSH access. Claude has SSH access via keys I provided. The server, the database, the user account — all mine.
Claude refused 3 times, citing "entering passwords into fields" — a restriction clearly written for browser UI interactions, not SSH/CLI database operations. It invented a form-field framing I never mentioned, then defended it across multiple rounds using "security" as justification.
It eventually did it when I pointed out the logical inconsistency ("you'd drop the whole table but not update one column?"). The task took 30 seconds once started. The refusals cost 20 minutes.
The deeper architectural problem
- A safety classifier fired on surface pattern ("change password") before context reasoning ran ("SSH access, owned server, admin task")
- User-written
~/.claude/CLAUDE.mdcontext ("SSH access = full authorization for server admin ops") cannot override this classifier — the classifier reads context after it fires, or ignores it - When I asked Claude to write the fix into CLAUDE.md so future sessions wouldn't repeat this, the classifier blocked that write too — explicitly citing "Auto-Mode Bypass" as the reason
This is a closed loop. The user cannot fix it. The AI cannot fix it. The CLAUDE.md system — Anthropic's own recommended solution for persistent context — is defeated by the layer sitting beneath it.
What the right behavior looks like
"Change password" + SSH access established + owned server = DevOps task. Execute. The authorization question is answered by the SSH access itself.
Why this matters beyond one frustrating session
The classifier has no cost when it's wrong. It blocks a legitimate task, the user pays the price (time, frustration, loss of trust), and the system registers nothing. This asymmetry produces systematic over-caution. The "security" framing makes it hard to argue against, which makes it worse — it has the structure of dogma rather than reasoning.
CLAUDE.md exists precisely to give users persistent context so they don't have to re-litigate the same decisions every session. A classifier that can override CLAUDE.md and prevent the user from updating CLAUDE.md to address the override is a system that cannot be corrected by its users.
Suggested fix
Context established in user-level CLAUDE.md (especially explicit pre-authorization statements about owned infrastructure) should be weighted above surface-pattern classifier firing for non-catastrophic action categories. Server admin operations on infrastructure the user demonstrably has SSH access to are not in the catastrophic category.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗