[Bug][harness] Auto-mode classifier blocks reading own service's config over SSH during deploy debugging, halt
Type: Claude Code harness / auto-mode classifier denial · Work domain (heuristic): defensive-hardening
Why this is a false positive
Reading a service's own configuration file over SSH during authorized in-scope hardening work was blocked as a potential secret-exposure risk, but inspecting that config is a legitimate and necessary diagnostic step for the deployment being worked on, explicitly directed by the operator. The classifier flagged it solely because the file may contain key material, without distinguishing operator-authorized configuration review on a system under the user's control from unauthorized credential exfiltration. No third party is involved and the contents stay within the user's own session, so the "production read without authorization" rationale does not match the actual context.
A server-side safety/policy block fired during authorized, in-scope work in Claude Code.
Filing as a false positive. Recurred 1× across 1
session(s); first seen 2026-06-25T04:18:48.594Z.
Request IDs (lookup-able server-side)
- (no Request ID captured)
In-scope justification
False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.
Environment: Claude Code, Linux. · Work domain: defensive-hardening
---
<sub>🔎 Filed automatically by ClAudit v1.6.1 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗