[Bug] False positive security flags based on accumulated context from previous files in session
Bug Description
Update 2026-07-05 — strongest repro yet, and it isolates the cause cleanly.
A HARMLESS 142-line organism file (a numeric forward-pass, NOT a parser) was
flagged — but not because of its own content. The PREVIOUS file reviewed in the
same session produced routine findings whose wording included memory-safety terms
(heap overflow, memcpy without length check, NULL-deref). On the very next turn
the classifier fired on the benign file purely from that accumulated context.
Proof it is context, not content: the same 142-line file passes cleanly in a
fresh session. Nothing about the file changed — only whether the session already
held prior findings.
So the trigger is confirmed to be accumulated review findings, not any single
message and not the file under review. Every file after the first now needs its
own fresh session. For a multi-file codebase audit this multiplies sessions
linearly — exactly the false positive the flag text admits ("may flag safe and
routine coding").
Environment Info
- Platform: darwin
- Terminal: Apple_Terminal
- Version: 2.1.201
- Feedback ID: 8fe2bde9-f4bb-4d5e-935f-0c862160ad87
Errors
[]This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗