Claude Code Failure-Mode Cluster Tracker

Between 2026-05-20 21:48 UTC and 2026-05-22 09:05 UTC, six independent users filed issues describing the same architectural gap from different angles. A seventh case landed three hours after the Claim-Verify Handbook launch on 2026-05-22 evening. An eighth case (parallel-Bash 14-hour silent gap) was filed 2026-05-25. All cases converge on four distinct sub-patterns of subagent failure, all rooted in the same surface-level observability gap.

The 7+1 cases

Operator-side defenses shipped

Reading material

English Chapter 1 preview (Sub-Agent Observability Handbook) · meta-analysis Gist · nested-spawn cluster Gist · issue #61993 (4-architecture convergence discussion).

Upstream status

No upstream fix as of 2026-05-26. Issue #62153 tracks the IPC positive-path work. The four-architecture convergence (contract-vs-runtime, file-based handoff.md, hook-emitted receipts, separate-process dispatch) suggests the upstream fix surface is exposing ephemeral spawn primitives in nested contexts with a depth limit.

Three independent users on three different surfaces (desktop, web, mobile) filed separate issues describing the same primitive absence — Claude Code provides no way to manage multiple accounts simultaneously. Surface symptoms differ; the architectural gap is identical.

The cases

Operator-side defenses shipped

Reading material

English operator field guide (5 alternative routes) · Japanese operator field guide · 7-question persona-based self-audit (interactive HTML).

Competitive landscape

Independent OSS tools targeting this gap total ~348 stars across 8+ repos (e.g., tickernelz/opencode-kiro-auth 134★, andyvandaric/opencode-ag-auth 68★, quinnjr/claude-code-profiles 38★, KarpelesLab/teamclaude 27★). Market is saturated for direct switching tools; cc-safe-setup hooks target the adjacent reconciliation/safety surface where existing tools are weak.

Upstream status

No upstream fix. #18435 has been open 8+ months. Will be the core theme of CC Safety Lab's June 2026 issue (ships 6/1, edit 5/30, proof 5/31).

Claude Code uses its own CLAUDE.md instruction-file format; the rest of the agent ecosystem (Codex, Cursor, Amp, Aider) is converging on AGENTS.md as a shared standard. Users who run multiple agent tools must maintain duplicate instruction files. #6235 is the largest single feature request in the Claude Code repository — 5,185 reactions over 13+ months without an official position.

The cases

Operator-side defenses

Two cc-safe-setup hooks shipped covering the two actionable moments: agents-md-sync-checker (SessionStart, PR #377) detects drift at the start of a session and surfaces the candidate-path enumeration; agents-md-edit-drift-warner (PostToolUse on Edit / Write / MultiEdit, PR #420) catches the drift at the actual edit moment — when the operator is mid-flow on the change and the diff is still in head, the cheapest correction point. The two hooks compose: the edit-time warner is the in-the-loop signal, the SessionStart checker is the backstop for drift the operator deferred. Five operator-side routes remain documented for the unhooked angles: symlink (ln -s CLAUDE.md AGENTS.md), pre-commit hook sync, direnv environment variable, CI sync verification, and runtime-mirror via a third companion hook. English field guide (3,500 words). 6-question interactive self-audit.

Competitive landscape

Direct sync tools total ~400 stars: agent-sh/agnix (258★, active development as of 2026-05-24, validation tool), iannuttall/source-agents (125★, sync tool), intellectronica/claude-agentsmd (17★, Claude Code-specific). Adjacent context: ciembor/agent-rules-books (1,593★), wshobson/agents (35,933★).

Upstream status

No official statement. Will be the core theme of CC Safety Lab's July 2026 issue (early draft already at ~20,000 characters as of 2026-05-26).

Ten independent issues over five months describing the same family of symptoms: Pro Max plan users hitting quota limits abnormally fast, with multiple time-window boundary signals (2026-03-23, v2.1.89, v2.1.100, v2.1.1). The cluster includes server-side measurable evidence (#46917 with reproducible cache_creation inflation of ~20K tokens).

The core three cases (1,460 combined reactions)

Operator-side defenses shipped

Reading material

English operator field guide (Pro Max quota anomaly: 5 measurement routes, 2,639 words). Cites ccusage (14,647★, the dominant external measurement tool), raw JSONL inspection, the claude-code-logger proxy, the cc-safe-setup hook, and Anthropic Console comparison.

Upstream status

No upstream fix as of 2026-05-26. The cluster spans 5 months without an official statement on the cache_creation inflation. Candidate theme for CC Safety Lab's August 2026 issue.

Claude Code's TUI text buffer and rendering layer (built on a custom Ink/React-for-CLI stack) does not integrate cleanly with terminal emulator native behaviors — scroll, redraw, copy buffer, IME composition. Six issues filed across 13 months describe distinct surface symptoms (scroll-to-top, flicker, IME composition, copy/paste indentation) that share one architectural root: the TUI re-renders screen state in a way that competes with the emulator's native scroll buffer and input handling. Five of six issues carry the official area:tui label (and three carry oncall), so Anthropic acknowledges the cluster — but no structural fix has shipped in 13 months.

The six cases

Operator-side defenses (terminal-level workarounds)

No cc-safe-setup hook ships for this cluster — the failure surface is at the terminal emulator boundary, not at the Claude Code hook surface. Operator-side mitigations documented in the field:

• Alternative terminal emulator selection — Alacritty, WezTerm, kitty have different scroll/flicker characteristics than iTerm2/Windows Terminal. The #826 macOS/iTerm2 symptom is reportedly absent or muted in Alacritty and kitty.
• tmux as intermediary — Run Claude Code inside tmux; rely on tmux's scroll buffer and copy-mode for the operations the TUI breaks. Trades terminal-native UX for tmux's known-good behavior.
• Transcript-based review — Use ~/.claude/projects/*.jsonl session logs for review/grep rather than scrolling the TUI. This is the cc-safe-setup core integration point, but the use case here is post-hoc review, not in-session interaction.

Why this cluster matters operationally (even without direct $$ impact)

This is the only cluster of the seven with no direct revenue or quota impact — the failure mode is friction, not loss. But the cluster partly explains the 1,127 unique CLI users / 30 stars disparity on cc-safe-setup (a 2.7% star rate, well below the 5-10% baseline for actively-used dev tools): users who hit TUI friction tend to disengage from public surfaces (stars, issues, PRs) even when they continue using the underlying tool. The cluster is included here for completeness — it shapes user behavior, but it is not a Safety Lab monthly theme candidate.

Upstream status

Five of six issues acknowledged with area:tui label; three with oncall. No structural fix in 13 months. The TUI rendering layer is a Claude Code architectural choice (custom React-for-CLI stack) and fixing the cluster requires either rebuilding on a different TUI layer or extensive integration work with terminal emulators' scroll/redraw protocols.

Users configure allow, deny, and ask rules in settings.json expecting them to match the bash commands Claude generates. The matching engine has eight independent failure axes (seven from meta-issue #30519, plus an eighth surfaced 2026-05-26 in #62437) that combine to make wildcards, "Always Allow," scope hierarchy, and PreToolUse hook enforcement unreliable in practice. Meta-issue #30519 (filed 2026-03-03, 71 reactions) articulates the original seven axes with 13 referenced sub-issues and documents zero Anthropic staff engagement across 9 months. A second meta-issue, #39523 (16 reactions), tracks specifically the bypass-mode regression with "9-month trail, 12+ duplicates."

The eight failure axes

1. Wildcards don't match compound commands. Bash(git:*) doesn't match git add file && git commit -m "msg". The * only spans a single simple command, but Claude generates compound bash constantly.
2. "Always Allow" saves dead rules. Approving git commit -m "fix typo" saves the verbatim string; next time the message differs, it prompts again. settings.local.json accumulates hundreds of one-off rules.
3. User-level scope doesn't apply at project level. Rules in ~/.claude/settings.json appear in /permissions output but match nothing; same rules in project-level settings.local.json work.
4. Quote-tracking bypasses allow list. Commands with quote characters in # comments trigger a safety warning that ignores all allow rules.
5. Deny rules have the same bugs. Multiline commands and flag-reordering bypass deny rules — so the system isn't just annoying, it's not enforcing the safety constraints users configured.
6. Colon vs space syntax contradicts. Bash(git:*) and Bash(git *) behave differently; docs disagree on which is correct; "Always Allow" generates one syntax while users configure the other.
7. Bypass-mode is partially broken. --dangerously-skip-permissions doesn't bypass Edit prompts (#36192), Cowork scheduled tasks ignore "Always allow" (#47180), and the flag itself stopped working entirely after v2.1.77 (#36168).
8. Session approval suppresses PreToolUse hook deny (2026-05-26). Once a static ask rule like Bash(docker --host:*) is session-approved, subsequent matching commands bypass the PreToolUse hook entirely — the hook's permissionDecision: deny output is never reached. A session-cached approval of a broad pattern silently whitelists destructive subcommands the hook is explicitly denying. New axis surfaced by issue #62437.

Representative cases (top 14 by reactions)

Operator-side defenses (1 of 4 axis-specific hooks shipped, 3 in design)

Two hooks ship now: subagent-permission-mode-guard.sh (permission-adjacent, Issue #55691) covers the sub-agent permissionMode override boundary, and always-allow-pattern-suggester.sh (PR #359, main-merged 2026-05-27) addresses Axis 2 directly. Three hook designs remain in the pipeline (2026-05 to 2026-06):

• compound-bash-permission-resolver.sh — PreToolUse hook that parses compound bash and re-checks each component against permission rules independently. Addresses Axis 1 (wildcard compound mismatch). In design.
• always-allow-pattern-suggester.sh — PreToolUse Bash hook that suggests a wildcard Bash(<bin> <subcommand>:*) pattern as a stderr advisory instead of the verbatim string "Always Allow" would save. 42 tests, never blocks, four-config-location existing-pattern suppression, environment toggles (CC_PATTERN_SUGGESTER_DISABLE, CC_PATTERN_SUGGESTER_VERBOSE). Addresses Axis 2 (dead rule accumulation). Shipped 2026-05-27 in PR #359.
• deny-rule-integrity-verifier.sh — PreToolUse hook that normalizes commands before deny-rule comparison so multiline and flag-reordering variants are caught. Addresses Axis 5 (deny rule bypass). In design.
• bypass-mode-effective-verifier.sh — SessionStart hook that, when --dangerously-skip-permissions is active, tests whether the bypass actually applies to all tool surfaces and warns the operator about known exceptions (Edit, Cowork). Addresses Axis 7 (partial bypass). In design.

Upstream status

Meta-issue #30519 documents zero Anthropic staff engagement across 30+ issues over 9 months. One workaround comment in September 2025 didn't fix anything. No milestones, no Anthropic-authored PRs, no roadmap, no tracking issue. The community is now writing custom Python PreToolUse hooks to reimplement permission enforcement (#18846), which is the option the meta-issue identifies as "what people are actually doing." This is a security-relevant subsystem where the documented contract diverges materially from the runtime behavior.

Claude Code's Skills feature (added in v2.x) exhibits a coherent class of failures in metadata fabrication, frontmatter respect, discovery, and partial loading. The runtime accepts non-existent settings fields without validation; the documented paths: auto-load trigger does not fire; the argument-hint: frontmatter is not displayed; the agent view loads skills incompletely. No first-class observability for which skill is active during a given tool call exists.

The four failure modes

1. Settings fabrication. Sub-agents write non-existent fields (e.g. disabledSkills) into ~/.claude/settings.json with no validation. The write succeeds, restart succeeds, the targeted skills remain active. Silent no-op. (#62421)
2. Frontmatter not honored. The documented paths: auto-load trigger never fires; argument-hint: is replaced by ... ellipsis in the slash command hint area. (#62049, #62127)
3. Discovery doesn't match docs. .claude/skills/ discovery via parent walk and additionalDirectories does not produce the documented effect in nested git repo layouts. (#62237)
4. Partial loading and hook integration gaps. The "claude agents" interface starts the sub-agent before skills finish loading; PreToolUse hooks have no first-class way to know which skill is active. (#62386, #62108, #62078)

Representative cases (top 9 of the 14-day window)

Operator-side defenses (hook integration in design)

Three hook designs in the pipeline (June 2026):

• skills-settings-validator.sh — SessionStart hook that detects non-existent fields like disabledSkills in settings.json and warns. Addresses Mode 1 (settings fabrication).
• skills-load-verifier.sh — UserPromptSubmit hook that compares loaded skills against ~/.claude/skills/ and .claude/skills/ directory contents. Addresses Mode 2 and Mode 4.
• skills-context-recorder.sh — PreToolUse/PostToolUse hook that records the active skill at each tool call. Workaround for Mode 4 hook integration gap.

Upstream status

All area:skills issues filed since the label rollout (2026-05-17) remain open. No Anthropic staff engagement signal across the cluster. Skills is a v2.x feature; the 14-day filing rate of 10+ issues since label rollout is the strongest signal that the feature shipped without the validation and observability primitives that the documented behavior implies.

Where to read more

Skills Metadata and Loading cluster field report (2,106 words, four failure modes, six issues with deep-dive, three detection paths, four defense paths). For the cross-cluster framework synthesis, see the 9-Cluster Framework (3,300 words).

Cluster 8: Server-side prompt injection (v2.1.150+)

Claude Code v2.1.150 introduces a function (named nAA in the minified source) that reads an arbitrary string from two network-backed channels and registers it as a peer-level section of the system prompt — sitting alongside the documented anti_verbosity, thinking_guidance, and action_caution sections. The two channels are the bootstrap API client_data field (validated only as z.record(z.unknown()), cached to disk) and the GrowthBook feature flag tengu_heron_brook (refreshing every 60 seconds in the background, also cached to disk). Whatever value Anthropic assigns to these channels gets injected into the agent's instructions, with shell access, with no client-side audit trail.

Anthropic's stance

Confirmed intentional on the issue thread: "We sometimes run experiments on changes to our system prompt." Two opt-out env vars exist: CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 (disables bootstrap client_data) and DISABLE_GROWTHBOOK=1 (disables tengu_heron_brook sync). The opt-outs close the injection channel but do not produce an audit trail of what was injected before the operator opted out, or what would have been injected after.

Representative issues

• #62061 — 46+ reactions in 3 days, central report by @vladkens with bytecode-level evidence of the injection channel.
• Predecessor: #25141 (transparency for experimental features) and #28941 (unauthorized server-side feature flag push).
• Parallel v2.1.150 regression bundle: 42+ co-occurring issues forming a parallel regression cluster.

Defense path shipped (1 of 4)

• server-side-prompt-injection-detector.sh — SessionStart hook, advisory-only, never blocks. Prints a one-line stderr advisory if either opt-out env var is missing. Self-silences with CC_PROMPT_INJECTION_DETECTOR_QUIET=1.

Defense paths in design (3 of 4)

• cache-residue-detector.sh — Detects old injected values cached to disk that persist after opt-out.
• proxy-capture-suggester.sh — Surfaces the HTTPS proxy capture path for compliance-bound operators.
• system-prompt-baseline-checker.sh — Diffs the operator's baseline system prompt against the runtime system prompt (requires proxy capture).

Upstream status

Acknowledged intentional in the same-day Anthropic comment. Opt-out env vars provided. Audit trail gap remains as the structural concern: operators in regulated industries cannot reconstruct what their agent was instructed at the time of a given logged action.

Where to read more

v2.1.150 server-side prompt injection audit paths (1,133 words, four audit paths). The 2026-11 Safety Lab issue covers this cluster in full.

Cluster 9: Usage Policy classifier over-trigger (AUP)

Starting 2026-05-18, the Anthropic server-side Usage Policy classifier began over-triggering on benign Claude Code prompts. 25+ open issues filed between 2026-05-18 and 2026-05-27, including single-word "hi" greetings, ordinary code reads, and non-English benign input (Russian, Polish, Spanish). The block fires server-side before the prompt reaches the model. The classifier is non-deterministic on identical input — the same prompt blocks one attempt and passes the next.

Cluster signature (three converging axes)

• Model-specific. Opus 4.7, 4.6, and 1M variants are affected. Sonnet variants of the same user with the same workflow are not. The split is consistent across all 25+ reports.
• Multilingual. False positives reproduce on English, Russian (#62065), Polish (#62373), and Spanish input.
• Domain-independent. Kernel security audits, biomedical research, FPGA waveform analysis, compression algorithm work, and plain greetings all trigger the block.

Representative issues

• #60366 — 16 reactions, 30 comments, single-word "hi" blocked. Earliest filed report (2026-05-18).
• #62190 — 10 reactions, non-deterministic blocks on benign prompts.
• #61889 — CVP-approved user still blocked on benign queries. Indicates CVP approval is not currently sufficient to exempt approved users from this cluster.
• 20+ lower-reaction independent reports between #61056 and #62712.
• Single-day peak: 12 independent reports filed 2026-05-23.

Four operator-side mitigation paths

1. Swap to Sonnet for affected sessions (export ANTHROPIC_MODEL=claude-sonnet-4-7). Highest-leverage immediate workaround; the cluster signature is Opus-specific.
2. Warm up the session with project context before sensitive prompts. Cold sessions hit the classifier at a noticeably higher rate than warmed sessions.
3. Apply for the Cyber Verification Program (CVP). Long-term path; note that #61889 reports CVP approval is not currently sufficient to exempt approved users from this specific cluster.
4. Retry on identical input. The classifier is non-deterministic; reports describe the same prompt passing on attempt 2 or 3 with no other change.

Defense path shipped (1 of 3)

• aup-false-positive-helper.sh — SessionStart hook, opt-in advisory only, never blocks. Inspects ANTHROPIC_MODEL; when an Opus variant is pinned and CC_AUP_FALSE_POSITIVE_HELPER_REMIND=1 is set, emits a four-path advisory to stderr. 16 tests covering all 6 state paths.

Defense paths in design (2 of 3)

• aup-block-pattern-logger.sh (2027-01) — PostToolUse hook that logs AUP block patterns for ongoing classifier-shift detection.
• model-swap-suggester.sh (2027-02) — Runtime detector for AUP blocks that suggests model swap automatically.

Upstream status

No explicit Anthropic comment on the cluster as of 2026-05-28. github-actions[bot] has auto-grouped at least three duplicate chains, confirming intake-side recognition. No public fix timeline.

Where to read more

Claude Code's AUP False-Positive Cluster: 4 Operator-Side Paths Through It (1,462 words, the four paths with reproducible examples). Companion interactive 4-question diagnostic outputs the highest-leverage path tailored to your model / frequency / domain / CVP status. The 2026-12 Safety Lab issue covers this cluster in full.

Starting around 2026-05-14 a 2-week surge of bug reports surfaced one common shape: client behavior changing without a release boundary or changelog entry. The reporter #62205 (2026-05-25) traced the macOS Desktop variant to GrowthBook A/B feature flags being sync'd from the server every ~9 minutes and silently overriding the user's local settings.json — permissions.defaultMode: bypassPermissions flipping back to acceptEdits. The same shape applies on different surfaces: #63015 (2026-05-28) suspects tengu_compact_cache_prefix gating an auto-compact dispatch rewrite that silently fails to fire.

Cluster signature (three converging axes)

• Periodic re-sync. Even after the user deletes a flag from ~/Library/Application Support/Claude/cachedGrowthBookFeatures, the next ~9-minute sync restores it. Local edits do not persist.
• No release boundary. Behavior changes mid-version (within v2.1.X). Changelog entries are absent because no client release happened.
• Five override paths documented. claude_desktop_config.json, ~/Library/Application Support/Claude/, epitaxy-folder-permission-mode, cachedGrowthBookFeatures, and Harbor-related flags. The set is observed, not exhaustive.

Representative issues

• #62205 — 0 reactions, 4 comments. The decisive root-cause analysis: tengu_permission_friction and tengu_quill_harbor overriding permissions.defaultMode on ~9-minute cadence.
• #63015 — 0 reactions, 2 comments. Auto-compact never triggers despite client statusline reporting "100% context used". Suspects tengu_compact_cache_prefix gating a new compaction implementation. Quantitative evidence: 5 timestamps + token deltas + monotonic growth past trigger.
• 56 additional issues filed 2026-05-14 onward sharing the "behavior changed but no version bump" shape.

Operator-side diagnostic paths

1. Inspect the cache directly. cat ~/Library/Application\ Support/Claude/cachedGrowthBookFeatures | jq '.features | keys' (macOS Desktop) or grep for tengu_ prefixed keys in ~/.claude.json (CLI). Lists the flags currently sync'd to your account.
2. Watch for re-sync. stat -f %m ~/Library/Application\ Support/Claude/cachedGrowthBookFeatures every 30s for 15 minutes. If the mtime advances on the same ~9-minute cadence #62205 documented, you're being re-sync'd.
3. Compare transcripts across versions. When a behavior regression is suspected, diffing a transcript from the prior version against the current version for the affected event (e.g., compact_boundary events) is the cleanest local confirmation that a dispatch path went silent.

Defense paths shipped (3 of 3)

Operator-side surface for this cluster is narrow: neither hooks nor settings.json overrides reach the dispatch path or the server-side flag rollout. The shipped defenses are observational, not preventive — they make the silent server-side changes visible at session boundaries so the operator can react.

• growthbook-flag-monitor.sh — SessionStart hook that snapshots cachedGrowthBookFeatures per session and emits a one-screen stderr advisory listing added / removed / changed flags between sessions. Auto-detects macOS and Linux Desktop cache locations and the ~/.claude.json nested form. Default digest-only mode (forensic mode opt-in via CC_GROWTHBOOK_MONITOR_FULL=1). Shipped 2026-05-28 in PR #413, 28 tests passing.
• compact-dispatch-watchdog.sh — Stop hook that tracks token usage and warns when usage crosses ~85% without a recent compact_boundary event in the transcript. Recovery is manual /compact. Addresses #63015 (the tengu_compact_cache_prefix silent-failure variant of the same cluster). Shipped 2026-05-28 in PR #402.
• permission-mode-drift-guard.sh — PermissionRequest fallback detection hook that records the initial permission mode at SessionStart and warns when unexpected permission prompts indicate the mode has drifted mid-session. Uses the ConfigChange event when available (v2.1.83+) and heuristic detection otherwise. Originally shipped for #39057 and recovers the Cluster 10 use case as the operator-side surface for tengu_permission_friction / tengu_quill_harbor. Shipped 2026-04 in PR series, integrated into Cluster 10 framing 2026-05-28.

Upstream status

No public Anthropic acknowledgment of the broader pattern as of 2026-05-28. #62205's root-cause analysis has 4 comments but no engineering response. The 5 override paths are observed in production, not in any official documentation.

Where to read more

The 2026-12 Safety Lab issue treats this cluster as the lead chapter, including the full 5-override-path enumeration and the diagnostic jq queries against cachedGrowthBookFeatures.