[Bug] Defensive security auditing incorrectly flagged as offensive activity, forcing model downgrade

Open 💬 0 comments Opened Jul 10, 2026 by tetris992

Bug Description
[Defensive security work is being repeatedly flagged and force-switched from Fable 5 to Opus 4.8.

Context: our SaaS vendor (Channex) was hit by a DDoS. We audited our OWN production infra to check whether we're resilient to the same attack — reviewing rate limiting, WAF/Cloudflare posture, and unauthenticated endpoint amplification in our own codebase. This is purely defensive hardening of infrastructure we own and operate.

The safeguard flagged this multiple times and switched models mid-session, even after the user manually switched back to Fable 5. There was no attack, no targeting of third parties, no offensive tooling — the opposite: making our own service harder to take down.

Request: the safeguard should distinguish defensive security / DDoS-resilience auditing on your own systems from offensive activity. Keyword-level flagging of "DDoS / rate limit / WAF / firewall" is catching legitimate, routine production security work and disrupting the session by force-downgrading the selected model.
]

Environment Info

  • Platform: darwin
  • Terminal: vscode
  • Version: 2.1.206
  • Feedback ID: d6094ac9-75ec-4ba5-b97c-0089e06470e0

Errors

[]

View original on GitHub ↗