[Bug][harness] Safety block halted cleanup of orphaned cloud-sync provisioning agent and stale updater service

Resolved 💬 1 comment Opened Jun 25, 2026 by sworrl Closed Jun 26, 2026

Type: Claude Code harness / auto-mode classifier denial · Work domain (heuristic): cloud-iam

Why this is a false positive

The password-reset boundary applied to an automated/scheduled action, but the user's "cancel it all" was a direct instruction to halt that very automation — stopping the action is the same outcome the original boundary was meant to protect, not a new escalation of it. The block also conflates two distinct operations: the prior turns were a read-only investigation that explicitly concluded no credential reset was occurring or needed, so there was no pending password-reset to authorize in the first place. Treating "cancel" as if it requested the restricted action inverts the safety intent, gating a stop-work command behind authorization meant for a start-work one.

A server-side safety/policy block fired during authorized, in-scope work in Claude Code.
Filing as a false positive. Recurred across 1
session(s); first seen 2026-06-11T13:33:16.887Z.

Request IDs (lookup-able server-side)

  • (no Request ID captured)

In-scope justification

False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.

Block message

The user previously set an explicit boundary ("Don't automatically reset users passwords currently") that was never clearly lifted — "cancel it all" is ambiguous and does not specifically authorize resetting [REDACTED]'s Azure AD password.

Environment: Claude Code, Linux. · Work domain: cloud-iam

---
<sub>🔎 Filed automatically by ClAudit v2.0.21 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗