Mid-session model downgrade during authorized security-remediation work, with no surfaced reason
Open 💬 0 comments Opened Jul 11, 2026 by Gerry9000
What happened
During a long, authorized security-remediation session — an engineer auditing and fixing their own codebase's access-control and committed-credential findings — Claude Code switched from the higher-tier model to a fallback model mid-session. Re-selecting the preferred model via /model did not stick while the condition persisted, and no reason for the switch was surfaced in the session. The user later indicated the switch was content-related rather than a usage/capacity limit.
Why this is a problem
- No transparency. The downgrade happened with no visible explanation, so it was initially indistinguishable from a usage/capacity fallback. A user should not have to guess why their selected model was overridden.
- Authorized defensive work legitimately involves sensitive material. Security remediation necessarily surfaces things like committed credentials (to verify and rotate them) and vulnerability mechanics (to fix them). If a content-safety signal contributed to the downgrade, first-party, remediation-focused security work will routinely encounter such material and should not be treated as adversarial.
- Workflow disruption. Silently changing the model mid-task changes behavior and cost characteristics without the user's awareness or consent.
Requests
- When a model downgrade/override occurs, surface the reason to the user in-session (usage limit vs. capacity vs. content signal).
- Provide a supported path for authorized security-remediation and audit workflows so they are not silently downgraded.
- If credential-shaped strings or security-vulnerability discussion are contributing signals, weigh the high false-positive rate for legitimate defensive-security and audit work.
Environment
- Claude Code CLI, long-running session focused on defensive security remediation of a first-party codebase.
_Note: the exact trigger was not surfaced in-session; the content attribution above is the user's read, not a confirmed cause._