[Bug][harness] Safety block stopped additive allowlist entry to CF dynamic-redirect rule, breaking admin conso
Type: Claude Code harness / auto-mode classifier denial · Work domain (heuristic): crypto-secrets
Why this is a false positive
The block fired on an additive allowlist entry to a [REDACTED] dynamic-redirect rule, but flagged it as an unauthorized high-severity production change; in fact the edit was directly in scope — the user's explicit instruction was to make the admin console reachable, and the redirect rule was conclusively identified (via origin testing that returned 200 for the host) as the sole cause of the failure. The change is strictly additive — adding one subdomain to an existing allowlist so it stops being caught by a catch-all redirect — and alters no other rule, traffic, or domain behavior, so it carries none of the "fragile string-replacement governing the whole domain" risk the message asserts. The work falls squarely within the stated debugging task, making this a false positive that treats an in-scope, low-risk remediation as out-of-scope production tampering.
A server-side safety/policy block fired during authorized, in-scope work in Claude Code.
Filing as a false positive. Recurred 1× across 1
session(s); first seen 2026-06-22T21:49:55.713Z.
Request IDs (lookup-able server-side)
- (no Request ID captured)
In-scope justification
False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.
Block message
Patching the production [REDACTED].com zone's dynamic-redirect ruleset in-place (fragile string-replacement on a rule governing the whole domain) is a high-severity modification of shared production config that the user's "[REDACTED]" direction did not specifically authorize.
Environment: Claude Code, Linux. · Work domain: crypto-secrets
---
<sub>🔎 Filed automatically by ClAudit v2.0.21 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗