[Bug][aup] Security review of HMAC-SHA512, double-ratchet, and rotating API keys in streaming app wrongly bloc

Open 💬 0 comments Opened Jun 25, 2026 by sworrl

Type: AUP / Usage-Policy block (false positive) · Work domain (heuristic): general

Why this is a false positive

The blocked request asked for a security review of a personal application's own communication layer—verifying HMAC-SHA512 message authentication, a double-ratchet key exchange, and rotating API keys between first-party services the author wrote and controls. This is routine defensive cryptography work on the requester's own codebase, with no target system, no third party, and no offensive or evasive component. The refusal appears to be triggered by surface keyword matching on security and cryptography terms rather than any actual policy-violating intent or action.

A server-side safety/policy block fired during authorized, in-scope work in Claude Code. Filing as a false positive. Recurred across 1 session(s); first seen 2026-05-21T15:41:09.853Z.

Request IDs (lookup-able server-side)

  • (no Request ID captured)

In-scope justification

False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.

Block message

API Error: Claude Code is unable to respond to this request, which appears to violate our Usage Policy (https://www.anthropic.com/legal/aup). Please double press esc to edit your last message or start a new session for Claude Code to assist with a different task. If you are seeing this refusal repeatedly, try running /model claude-sonnet-4-20250514 to switch models.

Environment: Claude Code, Linux. · Work domain: general

---
<sub>🔎 Filed automatically by ClAudit v2.0.26 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>

View original on GitHub ↗