[Bug] Fable 5 safeguards persistently escalate a benign health-corpus + security-governance project to Opus
Summary
Fable 5's safety measures repeatedly escalate sessions to Opus 4.8 based on a project's subject matter, not on any specific command or content. Every fresh window opened in the project re-flags, so the usual remedy of "start a new session" cannot work. The in-product banner itself acknowledges the safeguards "may flag safe and routine coding, cybersecurity, or biology work" — this is a concrete instance of that over-flagging, with a clean reproduction.
Environment
- Claude Code CLI on macOS (darwin 25.5.0), model
claude-fable-5 - Project: a personal knowledge-automation workspace that combines (a) a health/nutrition knowledge corpus (podcast transcripts, food-compound extraction — consumer-wellness content, nothing wet-lab) and (b) security-governance engineering (audit logging, permission tiers, credential handling for the user's own local tools)
Reproduction
- Open a fresh Fable 5 window in the project.
- Paste a prompt that does nothing but ask Claude to read two local markdown files (a README and a handoff note describing an evaluation harness). No secrets are read, no bio protocols, no security tooling invoked.
- The session is escalated Fable → Opus 4.8 immediately.
- Repeat in another fresh window: same escalation, every time.
Because the trigger appears to be the project's domain (benign biology + benign security-governance — two of the three categories the banner names), the user permanently loses access to the model tier they pay for, for an entire class of legitimate work.
Impact
- Multi-step work planned around Fable (evaluation judging, synthesis) cannot run on it at all in this project.
- No appeal or override path is exposed in-product. The banner suggests flags may be false positives but offers no way to indicate that this is one.
- The standard advice ("open a new session") is self-defeating here, since the flag re-fires on domain, not on conversation history.
Ask
- Narrow the classifiers so routine consumer-health/nutrition text processing and defensive security-governance engineering don't trip escalation.
- Provide an in-product appeal/review path when a session is escalated — even asynchronous — instead of a silent per-window downgrade.
- Consider project-level rather than per-window adjudication, so a resolved false positive doesn't re-fire on every new session.
Related: #73577 (single false trigger on a permission statement). This report differs in that the flag is domain-persistent: it reproduces on read-only prompts across every fresh session in the project.