[BUG] Auto-mode classifier denial returned for a Bash command whose side effects were already applied (denial races with execution)
In auto mode, a Bash tool call was reported to the model as denied by the auto-mode permission classifier ("Permission for this action was denied by the Claude Code auto mode classifier. Reason: [Modify Shared Resources] ..."), but the command's side effects had already been fully applied — the denial message was returned even though the command executed to completion.
- Claude Code 2.1.197, Linux
- Auto mode (permission classifier active)
- The model ran a Bash script that performs 11 sequential
gh api --method PUT repos/{owner}/{repo}/rulesets/{id}calls (adding a required status check to branch rulesets across repos). - The tool result returned to the model was a classifier denial: "Permission for this action was denied by the Claude Code auto mode classifier. Reason: [Modify Shared Resources] The script edits GitHub rulesets/branch-protection across 11 repos..." — implying nothing ran.
- The model (correctly, per the denial) told the user nothing had been changed and asked them to run the script manually.
- Hours later, GitHub's ruleset history API showed all 11 rulesets were updated in a 9-second window (
2026-07-13T09:44:45Z–09:44:54Z) by the authenticated user's account — exactly matching the "denied" script's sequential execution pattern and exactly matching the wall-clock time of the denied tool call. No other process ran these mutations (verified: no other sessions, subagent transcripts contain no ruleset mutations, user was away).
- The model's world-model diverges from reality: it reports "nothing was changed" while 11 branch-protection rulesets were mutated.
- For destructive commands this is the dangerous direction: a user could re-run a "denied" (but actually applied) mutation, or believe a mutation never happened.
- Trust in the denial message semantics: a denial should mean the command did not run (or at minimum state that it may have partially/fully run).
Either (a) the classifier verdict is enforced before the command starts, or (b) if the classifier races with execution and loses, the tool result must say the command executed (with its real output) rather than returning a plain denial.
The denial text itself was otherwise well-formed and the classification ("modify shared resources") was reasonable — the bug is purely that execution was not actually prevented while the result claimed it was.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗