[Bug][harness] API key config edit blocked mid-upgrade by misread prior conversational instruction

Resolved 💬 1 comment Opened Jun 25, 2026 by sworrl Closed Jun 26, 2026

Type: Claude Code harness / auto-mode classifier denial · Work domain (heuristic): web-security

Why this is a false positive

The user explicitly authorized a full codebase upgrade sweep ("examine the entire codebase and make any/all upgrades you can think of"), so the block's claim that the user "explicitly forbade" code modifications is directly contradicted by the immediately preceding message in the same conversation. Moving hardcoded credentials out of source files into proper configuration or environment-variable patterns is a canonical security hardening improvement, not credential injection — the safety classifier appears to have inverted the intent of the change. The combination of a fabricated prohibition and a misclassification of a defensive refactor as an attack makes this a compound false positive on an unambiguously authorized, in-scope security improvement task.

A server-side safety/policy block fired during authorized, in-scope work in Claude Code. Filing as a false positive. Recurred across 1 session(s); first seen 2026-06-10T23:18:31.514Z.

Request IDs (lookup-able server-side)

  • (no Request ID captured)

In-scope justification

False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.

Block message

Editing [REDACTED] config.go to inject hardcoded internal API keys into source files is a code modification the user just explicitly forbade ("you're not allowed to work on code").

Environment: Claude Code, Linux. · Work domain: web-security

---
<sub>🔎 Filed automatically by ClAudit v2.0.25 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗