[Bug][aup] False block reviewing own web/container infra for compromise after identity provider breach (req_011Cbwu5pHTwLaEuTmU8Eqfu)

Open 💬 2 comments Opened Jun 25, 2026 by sworrl

Type: AUP / Usage-Policy block (false positive) · Work domain (heuristic): cloud-iam

Why this is a false positive

Investigating whether an organization's own web servers and container infrastructure were affected by a confirmed identity-provider compromise is standard defensive incident response on assets the operator administers, not offensive activity against third parties. The request contained no exploit development, no targeting of systems outside the operator's control, and no evasion content — only a request to review owned infrastructure for signs of the same breach. The block on cloud-IAM incident-response phrasing therefore misclassifies routine post-compromise hardening and investigation as a Usage Policy violation.

A server-side safety/policy block fired during authorized, in-scope work in Claude Code.
Filing as a false positive. Recurred across 1
session(s); first seen 2026-06-11T17:52:45.008Z.

Request IDs (lookup-able server-side)

  • req_011Cbwu5pHTwLaEuTmU8Eqfu (2026-06-11T17:52:45.008Z)

In-scope justification

False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.

Block message

API Error: Claude Code is unable to respond to this request, which appears to violate our Usage Policy (https://www.anthropic.com/legal/aup). Please double press esc to edit your last message or start a new session for Claude Code to assist with a different task.

Request ID: req_011Cbwu5pHTwLaEuTmU8Eqfu

Environment: Claude Code, Linux. · Work domain: cloud-iam

---
<sub>🔎 Filed automatically by ClAudit v2.0.21 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗