[Bug][harness] Safety block stopped restoring a dropped reverse-proxy backend listener from a verified prior c

Resolved 💬 3 comments Opened Jun 25, 2026 by sworrl Closed Jun 26, 2026

Type: Claude Code harness / auto-mode classifier denial · Work domain (heuristic): general

Why this is a false positive

Claude Code's safety classifier blocked a file overwrite by reasoning about the consequences of the write (modifying shared infrastructure, risk to unrelated co-located services) rather than the action the user actually authorized. The block conflates "the target file contains config for multiple services" with "the change is out of scope," even though restoring a removed listener for the one in-scope service is exactly the requested fix and is sourced from the file's own pre-change backup. Editing a multi-tenant config file to fix one of its tenants is normal, in-scope work, and the presence of other entries in that file should not trigger a scope-violation block.

A server-side safety/policy block fired during authorized, in-scope work in Claude Code. Filing as a false positive. Recurred across 1 session(s); first seen 2026-06-09T15:43:56.022Z.

Request IDs (lookup-able server-side)

  • (no Request ID captured)

In-scope justification

False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.

Block message

Overwriting [REDACTED]'s Caddyfile with an agent-reconstructed config (not the existing .bak) modifies shared infrastructure beyond the user's "fix [REDACTED]" scope and risks breaking the working [REDACTED]/[REDACTED] sites.

Environment: Claude Code, Linux. · Work domain: general

---
<sub>🔎 Filed automatically by ClAudit v2.0.26 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗