Claim-Verify Audit

A free, read-only, 11-check diagnostic for Claude Code. MIT licensed. Runs in under a second.

What it does: scans your local Claude Code configuration for 11 known May 2026 failure-mode patterns where tools or agents claim success while the system state diverges. Each finding cites the source GitHub issue and the book chapter where the structural prevention is documented.

One-liner

curl -fsSL https://gist.githubusercontent.com/yurukusa/e2fb2b2dadab456c5396704a485b789c/raw | bash

Read the script first if you prefer (recommended). The full source is at the Gist. The script never writes, never sends network requests, and never reads outside ~/.claude/, ~/.cache/claude-cli-nodejs/, the platform-specific Windows config dirs, and the directory you run it from.

What it checks (May 17, 2026)

Checks 9, 10, 11 were added 2026-05-17 to cover the v2.1.141–143 release wave. The script is versioned by gist commit hash; pin a specific version if you want a reproducible audit run.

Output

The script writes a colored text report to stdout. Each finding has a severity (HIGH / MEDIUM / LOW / INFO), a one-line title, a detail paragraph (the source issue and what's structurally going on), and a fix paragraph (what to do now plus the book chapter for structural prevention).

=== Check 10: stale task accumulation ===

[MEDIUM]  10 task files >30 days old still flagged 'in_progress'
          Issue #59900: the task primitive has no aging, no session scoping...
          Fix: Bulk-update old in_progress tasks to 'completed' or 'deleted'...

For CI integration, pass --json:

bash claim-verify-audit.sh --json

Exit code 1 if any HIGH-severity finding, 0 otherwise.
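For a reproducible CI run, the pinning advice and the exit-code contract above can be combined in a small wrapper. This is an added example, not part of the audit script or the Gist. The raw-URL layout with a commit hash, the file name claim-verify-audit.sh in that URL, both placeholder values and the wrapper's own exit code 3 are assumptions.

```shell
#!/usr/bin/env bash
# Added example: hash-pinned CI wrapper around the audit script.
# Placeholders (not from the page): fill in after reviewing the revision you pin.
PINNED_URL="https://gist.githubusercontent.com/yurukusa/e2fb2b2dadab456c5396704a485b789c/raw/<GIST_COMMIT_HASH>/claim-verify-audit.sh"
EXPECTED_SHA256="<SHA256_OF_REVIEWED_COPY>"

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Download step, kept separate from execution so the file can be read first.
fetch_pinned() {
  curl -fsSL "$PINNED_URL" -o "$1"
}

# Run the audit only if the file matches the pinned hash.
# Returns 0 (no HIGH finding) or 1 (HIGH finding) from the script itself,
# or 3 (this wrapper's own convention) when the file is missing or the hash
# differs; in that case the script is never executed.
run_pinned_audit() {
  local script="$1" expected="$2" actual
  shift 2
  if [ ! -f "$script" ] || [ -z "$expected" ]; then
    echo "refusing to run: missing file or empty pinned hash" >&2
    return 3
  fi
  actual="$(sha256_of "$script")"
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run: sha256 $actual does not match pinned $expected" >&2
    return 3
  fi
  bash "$script" "$@"
}

# Typical CI use (commented out so the block has no side effects when sourced):
#   fetch_pinned ./claim-verify-audit.sh
#   run_pinned_audit ./claim-verify-audit.sh "$EXPECTED_SHA256" --json > audit.json
```

Treat exit code 3 as a pipeline failure distinct from a HIGH finding: it means the downloaded file is not the one that was reviewed.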

What it does NOT do

The script does not modify any file, run any Claude Code tool call, send any network request, or read any file outside the directories listed at the top. All checks are local and read-only. The script runs in Bash strict mode, never passes config content to eval, and performs all reads with grep and jq.

Why the checks are what they are

Each check targets a structural failure pattern that has been observed in public GitHub issues against anthropics/claude-code. The pattern is the unit of analysis, not the specific bug: even after Anthropic fixes a specific issue, the underlying structural pattern (silent regression, trust-boundary collapse, docs-vs-implementation mismatch) tends to recur in adjacent subsystems on the next release wave.

The script's coverage corresponds to the seven failure-mode layers documented in the Claim-Verify Handbook (May 22, 2026). It does not claim to detect every possible bug; it claims to detect specific configurations and state patterns that map to documented failure-mode layers.

Structural prevention reference

The audit script catches specific patterns. For the structural framework — why these patterns recur, how to design defenses that survive release waves, and the 14 prevention defenses mapped per case — see the Claim-Verify Handbook (ships May 22, 2026, USD 19, 125+ cases across 81 pages).

Free preview Gists (no signup): Japanese · English

Runtime prevention (hooks)

The audit is a one-shot diagnostic. For runtime prevention of the same patterns (block destructive operations, detect silent regressions before they fire, catch hook contract violations at the moment they happen), see cc-safe-setup — an MIT-licensed collection of 730+ PreToolUse and PostToolUse hooks.

Patches and feedback

The script is intentionally small (one bash file, no dependencies beyond jq and grep). To add a check or fix a false positive, open an issue or PR on the Gist. Each check should reference a public GitHub issue and identify the failure-mode layer it targets.