Fable 5 safeguard classifier false-positives on benign requests when project files contain defensive-security language

Open 💬 0 comments Opened Jul 8, 2026 by ironcannibal

What happens: Asking Fable 5 (Claude Code, VSCode extension) to review one of my own projects and write an implementation plan — a routine planning task — trips the safeguard mid-task ("Fable 5's safeguards flagged this message… Switched to Opus 4.8") and silently swaps the model. Reproduced across multiple runs of the same benign request.

Root cause (my read): The flag isn't triggered by my prompt. It fires once the model reads my project's files into context. The project is a defensive security tool, so its README/PRD legitimately contain threat-model vocabulary — "prompt-injection surface," "an attacker controls the input," "SSRF," "attack surface," "private IP ranges," "rate limiting." The classifier can't tell a defensive audit/PRD from malicious content. The banner itself admits it "may flag safe and routine coding, cybersecurity, or biology work."

Why it matters: The usual workaround ("anchor the request to your own project") can't help when the project is a security tool — the flagged text is unavoidably in context. This makes Fable 5 unusable for normal defensive engineering (auth, injection defenses, security PRDs). The silent mid-task model swap also changes behavior partway through without consent.

Repro: Point Fable 5 at any repo with a defensive-security README/PRD using standard threat-model terms → ask a benign review/planning question about it → safeguard fires, forced switch to Opus 4.8.

Requested fix:

  1. Distinguish defensive/analytical security context from operational malicious intent.
  2. Don't let ingested file content alone trigger a message-level flag on an otherwise benign request.
  3. If a flag fires, make the model swap explicit/opt-in, not silent mid-task.

Environment: Claude Code VSCode extension, Windows 11. Model pinned to claude-fable-5[1m]. /bug and /feedback slash commands both no-op in this build.

View original on GitHub ↗