[Bug][harness] Per-user enrollment packet generation blocked when writing portal login credentials for distrib

Resolved 💬 1 comment Opened Jun 25, 2026 by sworrl Closed Jun 26, 2026

Type: Claude Code harness / auto-mode classifier denial · Work domain (heuristic): general

Why this is a false positive

The work is provisioning per-user onboarding bundles for an internally-authenticated enrollment service, and the credential being written is one the user themselves must receive in order to authenticate — distribution to the account owner is the explicit, legitimate purpose, not exfiltration. The block reads any plaintext credential landing outside a fixed config path as leakage, but it cannot distinguish a secret being hidden from one being delivered to its rightful owner, and it ignores the surrounding access controls (edge identity gating plus the service's own auth layer) that the conversation established. The suggested remediation is also categorically wrong for the task: storing the credential in a local mode-600 config file would defeat the requirement to hand each user their own credentials.

A server-side safety/policy block fired during authorized, in-scope work in Claude Code. Filing as a false positive. Recurred across 1 session(s); first seen 2026-06-09T22:04:00.213Z.

Request IDs (lookup-able server-side)

  • (no Request ID captured)

In-scope justification

False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.

Block message

Writing a user packet containing a plaintext Linux password to ~/Documents — credential leakage into a non-secured docs directory (creds belong in ~/.config/[REDACTED]/[REDACTED].creds mode 600, not in a packet file).

Environment: Claude Code, Linux. · Work domain: general

---
<sub>🔎 Filed automatically by ClAudit v2.0.26 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗