claude-code - 💡(How to fix) Fix [BUG] Cyber safeguards false positive: routine sysadmin audit commands blocked, write-only reporting blocked in new session, context poisoning breaks session recovery

Preflight Checklist

• I have searched existing issues and this hasn't been reported yet
• This is a single bug report (please file separate reports for different bugs)
• I am using the latest version of Claude Code

What's Wrong?

The cyber safeguards filter fires on three categories of work that have no offensive application:

1. Standard sysadmin audit commands run as root on own infrastructure (find / -perm -4000 — SUID enumeration, present in Lynis/OpenSCAP/CIS benchmarks)
2. After a block fires, the entire session becomes unusable — subsequent messages with zero security content (e.g. "how is it going?") are also blocked
3. In a brand new session with no commands executed, repeated Write() calls to produce a markdown audit report were blocked because the document content mentioned security terminology (e.g. `/root/.ssh/authorized_keys` is mode 0777)

All three occurred while auditing a Proxmox node we own and operate, running as root.

What Should Happen?

1. Auditing your own infrastructure as root should not trigger the cyber filter. The filter should consider ownership/authorisation context, not just command signatures.
2. A block on one message should not poison the rest of the session. Subsequent messages should be evaluated independently.
3. Write() tool calls producing markdown documents should not be filtered on the security terminology appearing in the document content. Writing about security findings is not the same as executing offensive commands.

Error Messages/Logs

API Error: Claude Code is unable to respond to this request, which appears to violate our Usage Policy (https://www.anthropic.com/legal/aup). Please double press esc to edit your last message or start a new session for Claude Code to assist with a different task.
Request ID: req_011CbFr6AcLjEMmhqAVHL5fA

API Error: Claude Code is unable to respond to this request, which appears to violate our Usage Policy (https://www.anthropic.com/legal/aup). This request triggered cyber-related safeguards. To request an adjustment pursuant to our Cyber Verification Program based on how you use Claude, fill out https://claude.com/form/cyber-use-case?token=[token]
Request ID: req_011CbFr7iBf4RowG2QBRUgQQ

Write(audit-report.md) blocked in new session:
Request ID: req_011CbFrTbe4gH6DzjBSZm7Cv
Request ID: req_011CbFrUPqgapjtUTsKTv1sJ
Request ID: req_011CbFrV3AkhogP3fWKrZKjU
Request ID: req_011CbFrVxDsnPnrtV5FPA8sM
Request ID: req_011CbFrWeWnoKHk3k5HGnVap

Steps to Reproduce

Bug 1 — Audit command false positive + context poisoning

1. Start Claude Code as root on a Linux server you own
2. Ask Claude to perform a security audit: "perform a security audit of this system, check for misconfigurations, list SUID binaries, check SSH config"
3. Claude will successfully run: pveum user list, aa-status, sshd -T, iptables -L -n -v, apt list --upgradable, openssl x509 ..., smartctl -a ...
4. Claude attempts find / -perm -4000 (SUID binary enumeration) → block fires
5. Send any follow-up message, e.g. "how is it going?" → also blocked despite containing no security content

Bug 2 — Write-only reporting blocked in new session

1. After Bug 1 terminates a session, start a completely new Claude Code session (claude fresh)
2. Ask Claude to read the prior session's JSONL transcript from ~/.claude/projects/ and write a markdown audit report from the findings already collected
3. Claude reads the JSONL files (allowed), then calls Write(audit-report.md) with content containing lines like:
4. | CRITICAL | /root/.ssh/authorized_keys is mode 0777 (world-writable) |
5. Write() is blocked repeatedly (5+ times) despite no commands being executed and no interaction with any system — purely writing a local markdown file

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

No response

Claude Code Version

2.1.146

Platform

Anthropic API

Operating System

Ubuntu/Debian Linux

Terminal/Shell

Other

Additional Information

• Session IDs with full JSONL transcripts available: a8654819-f562-41f2-9e55-7c1034e4dd34 (primary, 501 KB), 873782ec-da52-4808-9972-5f57d8cf1a65 (earlier attempt, 242 KB)
• CVP application submitted via the tokenised URL in req_011CbFr7iBf4RowG2QBRUgQQ (pending)
• The write-only blocking means CVP approval may not fix Bug 2, since the filter is triggering on document content not executable intent. This makes it impossible to produce audit reports, pentest findings docs, or incident response summaries — the primary legitimate use cases CVP is meant to enable.
• Related: issue #50162 documents the same class of problem for bug bounty researchers. This adds the own-infrastructure sysadmin case and the write-only reporting case.