Background security reviewer guesses wrong absolute paths (first Read always fails) and intermittently fails findings schema

Open 💬 0 comments Opened Jul 4, 2026 by svenson2703

Summary

The background security reviewer (security-guidance plugin, spawned automatically via the Python SDK after changes) has two recurring defects that add a wasted failed tool call to nearly every review run, observed across ~57 auto-spawned review sessions in 4 different local projects over 2 weeks.

Environment: Claude Code v2.1.200/2.1.201, macOS (darwin 25.5), reviewer model claude-opus-4-7, session metadata promptSource: "sdk", entrypoint: "sdk-py".

Bug 1: Reviewer guesses wrong absolute paths — first Read fails in almost every run

The review prompt passes only relative file paths plus a unified diff:

Review this change for security vulnerabilities.

Changed files (you may Read these and any other file in the repo):
  - tools/homepod-announcer/targets.json

Unified diff (only + lines are new):
...
Investigate per the method in your instructions, then return the findings list.

No base directory appears in the prompt, so the reviewer model guesses an absolute path before checking, and gets it wrong systematically:

  • Project at /Users/sl/dev/AI/automation → reviewer reads /Users/sl/dev/AI-automation/tools/... (path flattened, matching the transcript-directory naming convention). 10 of 10 review sessions in this project failed the first Read; some attempts also triggered sandbox "blocked for security" errors on the wrong path.
  • Project at /Users/sl/dev/AI/civilization2 → reviewer reads a hallucinated /home/user/src/main.ts. 22+ of 32 review sessions, up to 3 failed reads each.
  • Two further projects show the same wrong-cwd first reads (2 sessions each).

The correct cwd is present in the session metadata, and the Read error message itself reports it ("Note: your current working directory is ..."), which is why the second attempt always succeeds. Every review pays at least one wasted round-trip.

Suggested fix: include the absolute repo root (or absolute file paths) in the generated review prompt.

Bug 2: Structured output rejected — /findings: must be array

In 5 of the observed sessions the reviewer's final structured output failed schema validation:

Output does not match required schema: /findings: must be array

forcing a retry of the output step. Combined with Bug 1 this can mean 2–3 extra model round-trips per review.

Impact

With the end-of-turn review firing per change, these defects multiply: in one project the reviewer ran 32 times in 2 days (an offline, dependency-free client-side toy with no network/auth/persistence surface), each run paying the failed-Read tax on claude-opus-4-7. This is a meaningful share of session usage limits for Pro/Max users.

Repro

Any repo whose absolute path could be "flattened" ambiguously (e.g. nested project dirs like ~/dev/AI/automation) — enable the background review, make a change, inspect the spawned review session transcript in ~/.claude/projects/<dir>/: the first Read targets a non-existent guessed path.

🤖 Generated with Claude Code

View original on GitHub ↗