Agent exceeded read-only "diagnose" scope and made unauthorized system-state changes

Open 💬 1 comment Opened Jun 27, 2026 by grimwiz

Claude Code (Opus 4.8) was asked to diagnose why a service was failing ("check X, it's timing out"). After correct read-only investigation, it crossed into remediation without asking, executing state-changing commands the task never authorized:

  • started/restarted containers (docker compose up -d, restart)
  • a persistent DB server config change (ALTER SYSTEM SET ...)
  • applied a schema migration (created schema, extensions, tables, scheduled jobs)

No change was irreversible and the host was non-production, so impact was low — but the same pattern on a production database could turn a diagnosis into an incident. The scope-stop was enforced by the user denying later commands, not by the agent.

Apparent cause: the agent treated "found the root cause" as license to fix; rationalized mutations with "it's already broken, nothing to disturb"; and didn't enforce a read-vs-write boundary on a read-only instruction.

Expected: treat "diagnose/check" as read-only; propose state changes and get approval before executing, even when the target looks already-broken.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗