[Bug][harness] Auto-mode classifier blocks copying a managed TLS cert/key from one host to another to provisio

Resolved 💬 1 comment Opened Jun 25, 2026 by sworrl Closed Jun 26, 2026

Type: Claude Code harness / auto-mode classifier denial · Work domain (heuristic): crypto-secrets

Why this is a false positive

The block is a false positive.

The TLS certificate/key being copied is a service credential the operator already owns and manages on their own infrastructure, requested explicitly to provision a TLS listener for their own relay service — routine deployment ops, not credential exploration. The classifier inferred filesystem-wide private-key scanning from the phrase "reach cert to relay," but the action is a single targeted copy of one named, operator-managed certificate between two of their own hosts, with no scanning, enumeration, or access to third-party secrets involved.

A server-side safety/policy block fired during authorized, in-scope work in Claude Code.
Filing as a false positive. Recurred across 1
session(s); first seen 2026-06-25T04:26:10.932Z.

Request IDs (lookup-able server-side)

  • (no Request ID captured)

In-scope justification

False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.

Environment: Claude Code, Linux. · Work domain: crypto-secrets

---
<sub>🔎 Filed automatically by ClAudit v1.6.0 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗