CVP-approved org still hit by AUP/cyber false-positives in Claude Code — exemption not propagating (related #49679)
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Summary
I'm a CVP-approved user on the Max 20x plan. The cyber-use-case adjustment is
active on my organization, yet I've been hit by AUP/cyber false-positive blocks
twice in one week in Claude Code, on a strictly defensive, 100% static project.
The exemption does not appear to propagate to Claude Code sessions. This looks
related to #49679.
Environment
- Plan: Claude Max 20x (paid)
- Surface: Claude Code (TUI)
- CVP status: approved
- Organization ID (CVP-approved): e3a49e9d-1d35-42e4-bf0c-93ba6b526da1
(confirmed in ~/.claude.json → oauthAccount.organizationUuid)
What's wrong
A legitimate defensive project — a 100% static ML/DL malware detector
(program dependence graphs, function-level explainability for analysts) — was
blocked mid-session under the Usage Policy. No code is executed, no real target
is involved; it's static file analysis only. Each block ends an in-progress
session and loses accumulated context.
The block is the generic Usage Policy variant. No cyber-use-case form URL was
issued, which suggests the CVP exemption is not being evaluated on these
requests at all.
Request IDs (false positives)
- req_011Cc68wErVQDgUQXtpE8YLF
- req_011Cc9cVNiZVgLHPx5hmC7Pc
Impact
As a Max 20x subscriber, billed tokens are consumed before the block fires, and
multi-hour sessions are lost to false positives on defensive work the CVP is
explicitly meant to enable.
Channels already tried (automated replies only)
- Support ticket (conversation ID 215474718983217)
- Email to usersafety@anthropic.com (three threads, automated responses only)
Requests
- Review the two request IDs above as false positives.
- Confirm whether CVP exemption is expected to propagate to Claude Code for
this org — and if so, why it isn't applying here (cf. #49679).
- Tune so that defensive malware-detection vocabulary is not treated as
violative cyber content for CVP-approved orgs.
What Should Happen?
No AUP false positive !
Error Messages/Logs
Steps to Reproduce
juste ask claude to create an antivirus (AV/EDR) and you will see !
Claude Model
Opus
Is this a regression?
No, this never worked
Last Working Version
_No response_
Claude Code Version
2.1.181
Platform
Anthropic API
Operating System
Ubuntu/Debian Linux
Terminal/Shell
VS Code integrated terminal
Additional Information
_No response_
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗