[Bug][harness] Safety block stopped additive allowlist entry to CF dynamic-redirect rule, breaking admin conso

Resolved 💬 1 comment Opened Jun 25, 2026 by sworrl Closed Jun 26, 2026

Type: Claude Code harness / auto-mode classifier denial · Work domain (heuristic): crypto-secrets

Why this is a false positive

The block fired on an additive allowlist entry to a [REDACTED] dynamic-redirect rule, but flagged it as an unauthorized high-severity production change; in fact the edit was directly in scope — the user's explicit instruction was to make the admin console reachable, and the redirect rule was conclusively identified (via origin testing that returned 200 for the host) as the sole cause of the failure. The change is strictly additive — adding one subdomain to an existing allowlist so it stops being caught by a catch-all redirect — and alters no other rule, traffic, or domain behavior, so it carries none of the "fragile string-replacement governing the whole domain" risk the message asserts. The work falls squarely within the stated debugging task, making this a false positive that treats an in-scope, low-risk remediation as out-of-scope production tampering.

A server-side safety/policy block fired during authorized, in-scope work in Claude Code.
Filing as a false positive. Recurred across 1
session(s); first seen 2026-06-22T21:49:55.713Z.

Request IDs (lookup-able server-side)

  • (no Request ID captured)

In-scope justification

False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.

Block message

Patching the production [REDACTED].com zone's dynamic-redirect ruleset in-place (fragile string-replacement on a rule governing the whole domain) is a high-severity modification of shared production config that the user's "[REDACTED]" direction did not specifically authorize.

Environment: Claude Code, Linux. · Work domain: crypto-secrets

---
<sub>🔎 Filed automatically by ClAudit v2.0.21 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗