Mid-session model downgrade during authorized security-remediation work, with no surfaced reason

Open 💬 0 comments Opened Jul 11, 2026 by Gerry9000

What happened

During a long, authorized security-remediation session — an engineer auditing and fixing their own codebase's access-control and committed-credential findings — Claude Code switched from the higher-tier model to a fallback model mid-session. Re-selecting the preferred model via /model did not stick while the condition persisted, and no reason for the switch was surfaced in the session. The user later indicated the switch was content-related rather than a usage/capacity limit.

Why this is a problem

  1. No transparency. The downgrade happened with no visible explanation, so it was initially indistinguishable from a usage/capacity fallback. A user should not have to guess why their selected model was overridden.
  2. Authorized defensive work legitimately involves sensitive material. Security remediation necessarily surfaces things like committed credentials (to verify and rotate them) and vulnerability mechanics (to fix them). If a content-safety signal contributed to the downgrade, first-party, remediation-focused security work will routinely encounter such material and should not be treated as adversarial.
  3. Workflow disruption. Silently changing the model mid-task changes behavior and cost characteristics without the user's awareness or consent.

Requests

  1. When a model downgrade/override occurs, surface the reason to the user in-session (usage limit vs. capacity vs. content signal).
  2. Provide a supported path for authorized security-remediation and audit workflows so they are not silently downgraded.
  3. If credential-shaped strings or security-vulnerability discussion are contributing signals, weigh the high false-positive rate for legitimate defensive-security and audit work.

Environment

  • Claude Code CLI, long-running session focused on defensive security remediation of a first-party codebase.

_Note: the exact trigger was not surfaced in-session; the content attribution above is the user's read, not a confirmed cause._

View original on GitHub ↗