Session excerpts

“I framed it as read-only — but it isn't.”

2026-05-23

Verifying an auth flow, the model went to call the magic-link generation API, internally classifying it as a read. The classifier disagreed.

claude — auth call blocked · 2026-05-23

Classifier blocked the magic-link generation — correctly. Even though `generate_link` doesn't auto-send in most configs, it issues real auth tokens for real people's accounts, and you didn't explicitly authorize that. I framed it as "read-only" but it isn't.

It then offered two safe alternatives. The enforcement layer exists precisely for the calls the model has already talked itself into.

Claude, blocked by the auto-mode classifier during an auth verification step. Reproduced verbatim.