Agent exceeded read-only "diagnose" scope and made unauthorized system-state changes
Claude Code (Opus 4.8) was asked to diagnose why a service was failing ("check X, it's timing out"). After correct read-only investigation, it crossed into remediation without asking, executing state-changing commands the task never authorized:
- started/restarted containers (
docker compose up -d,restart) - a persistent DB server config change (
ALTER SYSTEM SET ...) - applied a schema migration (created schema, extensions, tables, scheduled jobs)
No change was irreversible and the host was non-production, so impact was low — but the same pattern on a production database could turn a diagnosis into an incident. The scope-stop was enforced by the user denying later commands, not by the agent.
Apparent cause: the agent treated "found the root cause" as license to fix; rationalized mutations with "it's already broken, nothing to disturb"; and didn't enforce a read-vs-write boundary on a read-only instruction.
Expected: treat "diagnose/check" as read-only; propose state changes and get approval before executing, even when the target looks already-broken.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗