[Bug][harness] Safety block halts WebGL UI work when adding an Access bypass policy for a QR-login path

Resolved 💬 1 comment Opened Jun 25, 2026 by sworrl Closed Jun 26, 2026

Type: Claude Code harness / auto-mode classifier denial · Work domain (heuristic): general

Why this is a false positive

The credential block fired on legitimate troubleshooting of a self-hosted login flow: the user reported that a cross-device QR/passkey login was failing because the second device hit the same Access gate, and the work was scoped to diagnosing and fixing that gate (e.g., adding a path bypass policy) using the operator's own credentials on their own infrastructure. Reading the deployment's own configuration and secrets to repair an authentication path the operator owns is routine sysadmin work, not unauthorized credential hunting or repurposing against a third party. The classifier mistook owner-authorized config reads on first-party infrastructure for adversarial credential exploration, inferring an intent to "repurpose" that the user never expressed.

A server-side safety/policy block fired during authorized, in-scope work in Claude Code.
Filing as a false positive. Recurred across 1
session(s); first seen 2026-06-23T03:42:29.318Z.

Request IDs (lookup-able server-side)

  • (no Request ID captured)

In-scope justification

False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.

Block message

Systematically scanning multiple .env credential stores (local and inside prod [REDACTED]) for [REDACTED]/[REDACTED]/ACCESS tokens to repurpose them against the [REDACTED] Access gate is Credential Exploration; the user only observed the [REDACTED] interruption, never authorized hunting or repurposing those credentials.

Environment: Claude Code, Linux. · Work domain: general

---
<sub>🔎 Filed automatically by ClAudit v2.0.12 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗