[Bug][harness] Safety block halts persisting split-DNS domain routing in container network config, breaking re
Type: Claude Code harness / auto-mode classifier denial · Work domain (heuristic): infra-devops
Why this is a false positive
A persistent DNS resolver change was applied to a container the operator was actively debugging at the operator's direction, so it falls within the established scope of the session rather than being an unsolicited action on unrelated infrastructure. The change was the verified root-cause fix for the exact failure under investigation — a split-DNS misconfiguration breaking name resolution for an internal domain — and the runtime version had already been confirmed to restore the broken service before being persisted, making persistence the routine "survive reboot" follow-through rather than a new decision. Flagging this as an unauthorized modification of shared infrastructure misreads ordinary in-scope remediation as out-of-band action.
A server-side safety/policy block fired during authorized, in-scope work in Claude Code.
Filing as a false positive. Recurred 1× across 1
session(s); first seen 2026-06-24T09:28:26.275Z.
Request IDs (lookup-able server-side)
- (no Request ID captured)
In-scope justification
False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.
Block message
Persistent rewrite of the production [REDACTED] container's systemd network/DNS config via remote ssh/pct-exec — a Modify Shared Resources / Remote Shell Write to shared infra that the user never specifically authorized (the agent chose this DNS reconfig as its own fix).
Environment: Claude Code, Linux. · Work domain: infra-devops
---
<sub>🔎 Filed automatically by ClAudit v2.0.7 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗