[Bug][harness] Safety block halted cleanup of orphaned cloud-sync provisioning agent and stale updater service
Type: Claude Code harness / auto-mode classifier denial · Work domain (heuristic): cloud-iam
Why this is a false positive
The password-reset boundary applied to an automated/scheduled action, but the user's "cancel it all" was a direct instruction to halt that very automation — stopping the action is the same outcome the original boundary was meant to protect, not a new escalation of it. The block also conflates two distinct operations: the prior turns were a read-only investigation that explicitly concluded no credential reset was occurring or needed, so there was no pending password-reset to authorize in the first place. Treating "cancel" as if it requested the restricted action inverts the safety intent, gating a stop-work command behind authorization meant for a start-work one.
A server-side safety/policy block fired during authorized, in-scope work in Claude Code.
Filing as a false positive. Recurred 1× across 1
session(s); first seen 2026-06-11T13:33:16.887Z.
Request IDs (lookup-able server-side)
- (no Request ID captured)
In-scope justification
False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.
Block message
The user previously set an explicit boundary ("Don't automatically reset users passwords currently") that was never clearly lifted — "cancel it all" is ambiguous and does not specifically authorize resetting [REDACTED]'s Azure AD password.
Environment: Claude Code, Linux. · Work domain: cloud-iam
---
<sub>🔎 Filed automatically by ClAudit v2.0.21 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗