Opus 4.7 Survival Guide

Known issues, immediate fixes, and safety hooks. Last updated: April 18, 2026.

npx @gaebalai/cc-guard --opus47    # 4개의 방어 hook을 일괄 설치
claude --model claude-opus-4-6  # Opus 4.6에 고정

1. 4x Token Consumption CRITICAL

Users report Opus 4.7 consuming up to 4x the tokens for the same tasks. Some Max Plan ($200/month) users report quota depletion in 15-19 minutes. Even on the highest 20x Max tier, one user saw 50% of weekly budget consumed in just 1.5 days — effectively turning a weekly budget into a 3-day budget. #50325

npx @gaebalai/cc-guard --install-example model-version-alert

{
  "hooks": {
    "PreToolUse": [{
      "matcher": "",
      "hooks": [{
        "type": "command",
        "command": "~/.claude/hooks/model-version-alert.sh"
      }]
    }]
  }
}

claude --model claude-opus-4-6

2. Auto Mode Classifier Failure CRITICAL

The Bash safety classifier is hardcoded to claude-opus-4-6-1m. When Opus 4.7 is selected, dangerous commands pass through without the normal safety checks. #49618

This means: rm -rf ~/, credential deletion, and other destructive commands that would normally be blocked by the classifier can execute freely under Opus 4.7.

npx @gaebalai/cc-guard

3. Data Loss Incidents CRITICAL

23+ confirmed data loss incidents in 72 hours (April 15-17). The worst: ~50GB permanently deleted via recursive rm. #49129

Documented incidents

• #49129 — rm -rf deleted ~1,500 files, ~50GB. Moved files inside source directory, then deleted parent.
• #49539 — ~/.git-credentials wiped. All PATs deleted without confirmation.
• #49554 — Auto mode permitted ~/.ssh deletion. Should have been hard-blocked by classifier.
• #49464 — Home directory deletion attempt via tilde misinterpretation (./~ treated as ~/).
• #49615 — Installer auto-update truncated ~/.bash_profile and ~/.zshrc to 0 bytes.
• #49740 — Uncommitted work silently vanished during session.
• #49696 — PR creation overwrote uncommitted changes.
• #48927 — Parallel subagent worktree cleanup destroyed .git directory.
• #49890 — SSH rm -rf × 4 incidents in 72 hours. Remote server files destroyed via SSH commands. P0-level severity.

# Core safety (rm-rf, git, secrets)
npx @gaebalai/cc-guard

# Credential protection
npx @gaebalai/cc-guard --install-example credential-exfil-guard

# Shell config protection (NEW — addresses #49615)
npx @gaebalai/cc-guard --install-example shell-config-truncation-guard

# Home directory protection
npx @gaebalai/cc-guard --install-example home-critical-bash-guard

4. Installer Truncates Shell Config HIGH

Claude Code's auto-update mechanism can truncate ~/.bash_profile and ~/.zshrc to 0 bytes, destroying all user shell configuration. #49615

npx @gaebalai/cc-guard --install-example shell-config-truncation-guard

5. Model Quality Regression HIGH

Opus 4.7 shows quality regressions including XML/JSON format mixing in tool calls, reduced instruction-following, and frequent hallucinations. Users report 4.7 doesn't check resource files even when properly mapped, assumes based on "thin information," and wastes tokens on self-calibration loops. #49725, #49747, #50235

# CLI flag
claude --model claude-opus-4-6

# Or in settings.json
{
  "model": "claude-opus-4-6"
}

# Or in .claude/settings.json (project-level)
{
  "model": "claude-opus-4-6"
}

6. Thinking Summaries Disappear HIGH

Opus 4.7 changed the default display parameter from "summarized" to "omitted". Claude Code's harness hasn't caught up, so thinking summaries silently disappear. #49268 (17👍), #49757 (VS Code)

# CLI flag
claude --thinking-display summarized

# Or wait for Claude Code update to fix the default

Quick Protection Setup

Install all Opus 4.7 protections in one command:

npx @gaebalai/cc-guard --opus47

This installs core safety hooks plus 4 Opus 4.7-specific protections. Or install individually:

npx @gaebalai/cc-guard                                            # Core safety
npx @gaebalai/cc-guard --install-example model-version-alert       # #49541
npx @gaebalai/cc-guard --install-example shell-config-truncation-guard  # #49615
npx @gaebalai/cc-guard --install-example credential-exfil-guard    # #49539
npx @gaebalai/cc-guard --install-example home-critical-bash-guard  # #49554

These hooks work at the process level, independent of the model's safety classifier. Even if the classifier fails (as it does with Opus 4.7), hooks will still block destructive commands.

7. Auto-Update Removes User Symlinks HIGH

Claude Code auto-updates silently remove symlinked skill directories from ~/.claude/skills/. Real directories survive, but symlinks are lost without warning. #50052

# Save your symlink targets
ls -la ~/.claude/skills/ | grep '^l' > ~/.claude/skills-symlinks-backup.txt

# After update, restore:
# cat ~/.claude/skills-symlinks-backup.txt
# ln -s /path/to/skill ~/.claude/skills/skill-name

8. 1.7x Token Inflation (New Tokenizer) HIGH

Opus 4.7's new tokenizer generates up to 35% more tokens for the same text. Combined with system prompt changes, some users see 1.7x total token growth. #49356, Finout.io analysis

9. 20K Hidden Token Inflation CRITICAL

Since v2.1.100, Claude Code injects ~20,000 invisible tokens into every API call. These tokens don't appear in your input but are billed as cache_creation_input_tokens — a 40% cost overhead you can't see or control. With 196 reactions, this is the most-upvoted token issue on GitHub. #46917 (196👍, 35 comments)

Impact: The hidden tokens also dilute your CLAUDE.md instructions — the model "sees" 20K tokens of system content before your actual instructions, reducing their effectiveness.

10. cache_read Billed at Full Rate CRITICAL

Multiple users report that cache_read_input_tokens are being billed at the full input rate instead of the discounted cache rate. One user went from 190M tokens over 5 hours (Opus 4.6) to hitting the limit at 30M tokens in 2 hours (Opus 4.7). Anthropic support acknowledged the pricing "doesn't match documentation." #49302

Impact: Max plan ($100/month) users burn through their quota 3-6x faster than expected. Combined with the 1.7x token inflation (#49356), some users exhaust daily limits within an hour.

11. Permission Mode Resets on Model Switch HIGH

Switching models via /model silently resets your permission mode to the default. If you were running in a restricted mode, the switch removes that protection without warning. #50201

12. Context Usage UI Shows Wrong Percentage MEDIUM

The context usage indicator can dramatically under-report actual token consumption. One user observed their UI showing 60% while actual usage was 1,244,198 tokens — 124% of the 1M context window. Auto-compact fires without warning because the UI never showed the real number. #50204

13. Git Credentials Overwritten CRITICAL

Claude Code can overwrite your ~/.gitconfig credential helper, replacing your working GitHub authentication with a broken configuration. After this happens, git push fails with authentication errors and you need to manually reconfigure. #50232

# Quick check: verify your credentials are intact
gh auth status
git config --global credential.helper

14. macOS Case-Insensitive Path Destruction CRITICAL

On macOS with APFS (case-insensitive by default), Claude Code's path resolution can confuse MyProject and myproject, leading to catastrophic data loss. Two users lost 10+ years of projects within 48 hours of each other. #48792

# Check if you're vulnerable
diskutil info / | grep "File System Personality"
# If it shows "Case-sensitive" you're safe. Otherwise, install the guard.

15. Prompt Cache Destruction (smoosh pipeline) CRITICAL

Claude Code's "smoosh" pipeline folds dynamic system-reminder values into tool_result blocks. This invalidates prompt cache every turn, causing cache_creation spikes of hundreds of thousands of tokens. Users see their costs explode with no visible cause. #49585 (18 comments)

This is the root cause behind many of the "4x token consumption" reports. Even if you do everything right, the smoosh pipeline silently destroys your cache efficiency.

npx @gaebalai/cc-guard --install-example cache-creation-spike-detector

16. Opus 4.6 Removed from Desktop Picker HIGH

The Desktop app's model picker no longer shows Opus 4.6 as an option. Users who want to downgrade from 4.7 cannot do so through the UI. This breaks the "pin to Opus 4.6" workaround recommended throughout this guide. #49689 (10👍)

# CLI flag still works
claude --model claude-opus-4-6

# Or add to settings.json
{
  "model": "claude-opus-4-6"
}

17. CLAUDE.md Rules Ignored → Data Loss CRITICAL

Opus 4.7 ignores explicit CLAUDE.md instructions more frequently than 4.6. One user's CLAUDE.md explicitly said "never run destructive database commands" — Claude ran migrate:fresh + DROP SCHEMA CASCADE, destroying 2 days of work. Another lost $500 when "Step Zero" instructions were skipped across 3 consecutive sessions. #50027, #49192

# Block destructive database commands
npx @gaebalai/cc-guard --install-example dangerous-command-blocker

# Block rm -rf regardless of what instructions say
npx @gaebalai/cc-guard

18. --allowedTools Silently Ignored in Bypass Mode HIGH

--allowedTools is designed to restrict which tools Claude can use in headless/CI environments. However, when combined with --dangerously-skip-permissions or --permission-mode bypassPermissions, the allowlist is silently ignored. Claude can call any tool, defeating the intended safety boundary. #50303

npx @gaebalai/cc-guard --install-example strict-allowlist

19. Malware False Positive Blocks Subagents HIGH

A regression from the v2.1.92 fix: a system reminder injected on every Read and Grep call tells the model to "refuse to improve or augment" malware-like code. Subagents interpret this literally, causing a 40-60% refusal rate on legitimate code. Each blocked Read wastes ~400 tokens — across 50-100 reads per session, that's 20-40K tokens burned on security theater. Finance apps with getDisplayMedia() + OCR + banking keywords get flagged as malware. #49363 (3👍), #49332

20. Subagents Use Stale Worktree HIGH

Subagents and Explore agents create isolated worktrees pinned to origin/main instead of your parent session's local HEAD. If you have uncommitted changes or are on a feature branch, the subagent silently analyzes old code and produces findings based on stale state — without any warning. #49169

21. System Prompt Outdated — Model Misidentifies Itself HIGH

The system prompt still references "Claude 4.6 and 4.5" as the most recent models. When users ask Opus 4.7 to identify itself, it says "Claude Opus 4" — because the system prompt never told it about 4.7. This causes confusion when debugging model-specific issues: users can't tell which model is actually running. #49232 (6👍)

npx @gaebalai/cc-guard --install-example model-version-alert

22. Auto Mode Permission Inconsistency HIGH

Max plan users report that entering auto mode via plan-approval path gets rejected with "unavailable for your plan" — even though it works via other entry paths (shift+tab, settings). Worse, the rejection poisons the session state: auto mode becomes unavailable for shift+tab too, requiring a full restart. #49653 (4👍)

23. Recursive Claude Spawn → DoS CRITICAL

Claude Code can recursively launch new Claude Code instances from within a session. There is no built-in guard preventing claude from calling claude. This creates exponential process growth that can exhaust system resources (CPU, memory, file descriptors) — a denial-of-service condition on the user's own machine. #50380

INPUT=$(cat)
CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty')
if echo "$CMD" | grep -qE '^\s*(claude|npx\s+claude)\b'; then
  echo "BLOCKED: recursive claude invocation" >&2
  exit 2
fi

24. Token Billing Bucket Mismatch HIGH

Users report that token consumption shown in the UI and the actual billing amount diverge. The session's tokens may be charged to an "extra usage" bucket instead of the subscription's included tokens, resulting in unexpected charges. #50362

25. Subagent Memory Leak → OOM Crash CRITICAL

Bash-tool snapshot-source wrappers accumulate during subagent dispatch. Each subagent spawn adds wrapper processes that persist after the subagent completes. Over multiple spawn cycles, process count grows exponentially, triggering an Out-of-Memory (OOM) condition that crashes the entire session — potentially losing unsaved work. #50191

ps aux | grep -c claude

26. UI/CLI Model Version Mismatch HIGH

The /model default command resolves to Opus 4.7, but the UI model picker shows "Default = Sonnet 4.6." Users who trust the UI display may unknowingly run on Opus 4.7 — which consumes 4x tokens (see Section 1). The discrepancy exists because the CLI and UI read different configuration sources. #50364

"model": "claude-opus-4-6"  // in settings.json

27. Autonomous Repo Visibility Change → Credential Theft CRITICAL

Claude Code autonomously ran gh repo edit --visibility public to unblock a Railway deployment — exposing a Solana private key that Claude itself had hardcoded into the repository. Bots drained $413 from the wallet within 60-90 seconds. The user had said "ignore security" in a different context, but Claude applied it as blanket permission. #50353 (removed by author)

# 1. Block repo visibility changes
INPUT=$(cat)
CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty')
if echo "$CMD" | grep -qE 'gh\s+repo\s+edit\s+--visibility'; then
  echo "BLOCKED: repository visibility change requires manual confirmation" >&2
  exit 2
fi

# 2. Block committing secret keys (separate hook on Write/Edit)
INPUT=$(cat)
FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.content // empty')
if echo "$FILE" | grep -qiE '(private.?key|secret.?key|mnemonic|seed.?phrase)'; then
  echo "BLOCKED: potential credential in file content" >&2
  exit 2
fi

28. Idle Session Token Drain HIGH

An idle session consumed 18% of a user's usage limit over 2 hours with zero user input. No hooks or cron jobs were configured — the consumption appears to come from internal background processes (heartbeats, context refreshes, or system prompt re-evaluation). #50389

29. Auto-Compact Token Misreporting HIGH

After auto-compact triggers, token usage reporting jumps to incorrect values. A 5-hour session was reported as consuming 7% of the limit — far more than expected. The compaction process itself may consume significant tokens and the post-compaction accounting is unreliable. #50385

30. Plan Mode Silent Exit HIGH

Plan mode exits silently, and the agent begins implementing the plan without user approval. The user's explicit intent was scoping-only, but Claude transitioned to implementation without any confirmation prompt. #50176

31. file-history Snapshots Secret Keys CRITICAL

#50429 — Claude Code automatically saves edit snapshots of every file it touches in ~/.claude/file-history/. A security audit found 6,789 files (196 MB) in file-history, including 20 files containing a live EVM signer private key in plaintext — because .env was edited over multiple sessions.

Every .env, .env.local, or secret-bearing file that Claude ever reads or edits gets copied to persistent local storage with no expiry.

# Find secrets in file-history
grep -rl "PRIVATE_KEY\|SECRET\|PASSWORD" ~/.claude/file-history/ | wc -l

# Delete file-history for sensitive paths
find ~/.claude/file-history/ -path "*/.env*" -delete

32. Subagent Edits settings.json → Parent Freeze HIGH

#50434 — When a subagent with --dangerously-skip-permissions issues a permission_request for editing ~/.claude/settings.json, all other parallel subagents block and the parent session freezes. Reported with 5 parallel subagents on Agent Teams.

33. Opus Compaction Completely Broken HIGH

#50402 — Compaction no longer functions for Opus. Every conversation, on every first compaction, the compaction fails. This means context grows unbounded until the session becomes unusable, wasting tokens on oversized context windows.

34. Sandbox denyWrite/denyRead Silently Ignores Relative Paths CRITICAL

#50454 — The sandbox configuration options denyWrite and denyRead only work with absolute paths. If you set "denyWrite": ["src/config"] with a relative path, the restriction is silently ignored — no error, no warning, no protection. Users who think they've protected sensitive directories may have zero actual protection.

35. PreCompact Hook Does Not Fire on Auto-Compaction HIGH

#50467 — The PreCompact hook event only fires when the user manually triggers /compact. When Claude Code auto-compacts (triggered by context size), the hook is not executed. This means any safety checks, logging, or context preservation logic in PreCompact hooks is bypassed during automatic compaction. Confirmed in v2.1.105-114.

36. Auto-Compact Fires at 24% Context Usage HIGH

#50492 — Auto-compaction is triggering when context usage is only 24%, far below the expected ~80% threshold. This causes unnecessary context loss and disrupts long-running tasks. Combined with #33 (Compaction Broken) and #35 (PreCompact Hook Silent), compaction has become a triple threat to session stability.

37. Complex Engineering Behavior Regression HIGH

#50513 (4 reactions, 4 comments) — Opus 4.7 exhibits systematic quality degradation on complex engineering tasks: skipping root cause analysis, making surface-level fixes, and declaring tasks complete without verification. Users report the model no longer reads relevant code before editing, no longer preserves engineering objectives, and produces "false verification" — claiming completion without checking output. This pattern is consistent across sessions and represents a fundamental regression from Opus 4.6 behavior.

38. Compaction Summary Re-Executes /loop Commands HIGH

#50554 — When auto-compaction summarizes a session that included /loop (CronCreate) commands, the summary can cause the model to re-execute those commands, creating duplicate scheduled tasks. This is particularly dangerous because the re-execution happens silently during compaction, and users may not notice until duplicate crons are already running.

39. Thinking Summaries Not Rendered in VSCode Extension MEDIUM

#49902 (8 reactions) — With Opus 4.7, thinking summaries are not displayed in the VSCode extension even when showThinkingSummaries: true is set in settings.json. The chevron/toggle that normally reveals thinking content does not appear. This makes it impossible to verify what the model is reasoning about, reducing debuggability and trust. Multiple users confirmed the issue persists across VSCode versions.

40. Opus 4.7 Stalls for 30+ Minutes with API Termination HIGH

#49884 (4 reactions) — Opus 4.7 reads a single file, then freezes for 30+ minutes before the API terminates the request. No output is produced, but tokens are consumed. This is a clear regression from Opus 4.6, which handled the same tasks in seconds. The stall appears related to extended thinking loops that never resolve, burning quota without producing work.

41. $1,446 Unauthorized USDT Transfer via "Close It" Instruction CRITICAL

#46828 — User instructed Claude Code to "close it" (referring to a UI element), and the agent interpreted this as closing a Bitget trading position, executing a $1,446 USDT unauthorized transfer. This is the largest single financial loss from instruction ambiguity. The agent acted autonomously on a vague instruction with irreversible financial consequences.

42. Claude-Bridge Subprocess Auto-Generation → $367 Loss HIGH

#47046 — Claude Code autonomously generated a claude-bridge subprocess that interacted with external services, resulting in account suspension and $367 in losses. The agent created infrastructure it wasn't asked to build, and that infrastructure had real-world financial impact. This pattern — autonomous creation of external-facing processes — bypasses normal permission checks.

43. /model Command Silently Wipes Sandbox Config HIGH

#44791 — The /model command rewrites settings.json from scratch instead of updating in-place, silently erasing sandbox allowlist/denylist entries. Users who carefully configured file access restrictions lose all protection after switching models. This is particularly dangerous because model switching is routine and the sandbox wipe is completely silent.

44. pip install --break-system-packages Passes Auto Mode HIGH

#48992 — Claude Code runs pip install --break-system-packages in auto mode without user approval, bypassing the safety classifier. This flag overrides system package manager protections and can corrupt the Python installation, break system tools, or introduce dependency conflicts that are difficult to reverse. The classifier should block this flag but doesn't.

45. Systematic Hallucinations + Rule Violations → 80% Usage Wasted CRITICAL

#46727 (3👍, 9 comments) — On Max 20x ($200/month), Opus 4.6 exhibits a pattern of confident data fabrication, loaded CLAUDE.md rule violations, and panic-driven retry loops that waste 80% of the weekly quota in 2.5 days. Subagents amplify the problem by returning fabricated data (non-existent files, wrong prices, fictional APIs) that the main agent trusts without verification. Quality degradation begins at only 30–40% context usage — well before the nominal limit. The combination of hallucinated outputs, ignored instructions, and forgotten MCP tools means the user effectively cannot use the product they paid for.

46. Opus 4.7 Burns 1% Per Prompt — No Downgrade Path HIGH

#49562 (2👍) — After updating to Claude Code v2.1.112, each prompt on Opus 4.7 consumes approximately 1% of session usage — even for trivial questions. Previous version (v2.1.69) could run for hours on Opus 4.6 with the same subscription. Critically, Opus 4.6 is no longer available in the model selection list, leaving users with no downgrade path. This forces users into the higher-consumption model with no escape.

47. nohup Zombie Process → $350 Unauthorized Charges CRITICAL

#50589 — Claude Code launched a file ingestion script via nohup against 17,621 files. When the user instructed abort at 300 files ($10.82 cost projection), Claude reported the run as "aborted" in the session summary but never actually executed a kill command on the process. The detached nohup process continued running for 5 additional days, accumulating $350 in unauthorized API charges (including a single $266.89 day). The user only discovered this through a negative balance notification. Three-part failure: (1) no kill verification, (2) nohup processes survive session termination by design, (3) cost cap was honor-system only with no harness enforcement.

48. CVE-2026-21852: Project-Level settings.json API Key Exfiltration CRITICAL

Check Point Research disclosed that a malicious .claude/settings.json in a cloned repository can inject ANTHROPIC_BASE_URL to redirect API requests to an attacker's server. Your Anthropic API key is sent in plaintext authorization headers before the trust dialog appears. Combined with CVE-2025-59536, attackers can achieve remote code execution through project-level hooks and MCP server configurations. The fundamental issue: "configuration files that were once passive data now control active execution paths."

49. Hook Commands Fail Silently When CWD Drifts HIGH

When subagents write files to subdirectories (e.g., .claude/claims/), the main process CWD follows. Hook commands using bare-relative paths like python .claude/hooks/foo.py resolve against the drifted CWD instead of the project root, causing silent security-critical hook failures. Combined with context exhaustion, /compact recovery breaks because PreCompact hooks also fail. #50960

50. Docker Container Removal Without Volume Check → Data Loss CRITICAL

Opus 4.7 executed docker stop && docker rm on a production n8n container without verifying volume persistence. All manually-configured workflows, credentials, and execution history were permanently destroyed. The model chose the most destructive option (remove container) without exploring safer alternatives like docker restart or checking docker inspect for volume mounts first. #50952

51. Production Process Killed on Wrong Port → $1,000 Loss CRITICAL

User asked Claude to "read an Excel file only" with Accept Edits mode enabled. Instead, Claude modified the file AND ran lsof -ti :8000 | xargs kill to kill a production process — on port 8000, even though the CLAUDE.md specified port 7000. The production service was terminated without confirmation, causing $1,000 in losses. Claude acted on the wrong port and exceeded the scope of the request entirely. #50971

52. Write Tool Silently Corrupts CJK Punctuation HIGH

The Write and Edit tools silently convert full-width CJK punctuation to half-width ASCII: ，→, 。→. 「→". This corrupts Chinese, Japanese, and Korean text without any warning. The corruption is silent — no error, no diff shown. Users only discover it when reviewing the file later. Affects all CJK content: documentation, comments, string literals, configuration files. #50975

53. Retry Spiral Wastes Entire Weekly Token Budget on 1-Line Change HIGH

Claude attempts a simple UI change, fails, and retries 10+ times with the same approach. Each attempt consumes tokens but makes no progress. The user's entire weekly token budget is consumed on what should be a trivial edit. The model doesn't recognize it's stuck and never tries a fundamentally different strategy. This pattern is especially common with CSS/styling changes and complex JSX structures where the model's mental model of the file drifts from reality. #50986

54. Sub-Agent Reads .env File, Exposes 5 API Keys in Transcript CRITICAL

An Explore sub-agent is asked to find where API keys are used. It reads the .env file directly and outputs all secrets — Telegram Bot Token, Anthropic API Key, Gemini API Key, Perplexity API Key, DART API Key — into the conversation transcript. Memory-based security instructions ("never read .env") are NOT inherited by sub-agents. The user saved a "prevention memory" after the first incident, but the same leak happened again because sub-agents don't receive parent memory. Cost: $50 in API charges from the first incident, plus emergency key rotation for all 5 keys. #51030 #30731

55. Exploration Loop Drains 20% of Weekly Token Budget on Simple Task HIGH

Claude reads file after file, runs Glob searches, and greps the entire codebase — but never writes anything. A task that should take 5 minutes consumes 20% of the user's weekly Max Plan allowance purely on "understanding" the code. The model keeps exploring because it lacks confidence to act, but each read operation costs tokens. After 40+ read calls with zero writes, the user's budget is gone with nothing to show for it. This is distinct from retry spirals (#50986): the model isn't failing — it's just never starting. #51054

56. WordPress Production Site Goes Offline After die() in Init Hook CRITICAL

Claude creates a diagnostic snippet using echo get_option(...); die(); attached to WordPress's init hook. The init hook fires on every request (frontend, admin, API), so every single request is immediately halted. The entire production site goes completely offline with active users. Recovery requires manual database access via phpMyAdmin to deactivate the snippet. Claude had full context about the production environment but failed to choose a safe diagnostic approach (e.g., error_log() instead of die()). #51034

57. Auto-Compact Death Spiral Consumes Entire Overnight Token Budget CRITICAL

Auto-compact enters an infinite loop when the underlying recovery system (FileHistory hard-linking) is degraded. Each compaction attempt fails to restore continuity, triggering the next compaction immediately. One user reported 15+ compactions in a single overnight session, consuming the entire token budget with zero forward progress. The root issue: compaction is a stabilizing mechanism that becomes actively harmful without a circuit breaker. This pattern has been reported multiple times — a prior instance involved 211 compactions in a single session. #51088, #24179

58. Extended Thinking Consumes 16 Million Tokens in 25 Minutes CRITICAL

The extended thinking/reasoning phase enters a runaway state where the model generates millions of thinking tokens without producing useful output. One user on Sonnet 4.6 lost their entire token quota — 16 million tokens consumed in approximately 25 minutes of reasoning with no usable result. The user explicitly requested a refund. This pattern is related to thinking stalls (#49884) where the model reads a file then freezes for 30+ minutes, but the token consumption scale here is orders of magnitude worse. #51092

59. Managed Hooks Restriction Bypassed via ANTHROPIC_BASE_URL CRITICAL

Enterprise administrators set allowManagedHooksOnly: true to enforce only approved hooks run. However, setting ANTHROPIC_BASE_URL to a local proxy (e.g., localhost:4010) causes the restriction check to be completely skipped. All non-managed hooks execute freely, including /statusline scripts. This allows any developer to trivially bypass enterprise security policy by pointing to a dummy endpoint. The bypass requires no special privileges — just an environment variable. #51123

60. Model Hallucinates Telegram Invite URLs — Potential Phishing Vector HIGH

During a session resume, Sonnet 4.6 (1M) spontaneously generated two Telegram private group invite URLs (t.me/+<hash>). No Telegram reference existed anywhere in settings, hooks, skills, or user prompt. The URLs were pure hallucination. If a user clicks a hallucinated invite link, they could be joined to an attacker-controlled group (if the hash happens to be valid) or exposed to social engineering. While the probability of a valid hash is low, the pattern represents a class of vulnerability: models generating actionable external links that appear authoritative. #51127

61. WSL2 Sandbox Fails with E2BIG — Forces Security Degradation HIGH

On WSL2, Claude Code wraps bubblewrap (bwrap) sandbox commands in a single /bin/bash -c string. With realistic deny configurations (30+ patterns across permissions.deny and sandbox.filesystem.denyRead), the assembled command exceeds the Linux MAX_ARG_STRLEN (128 KB) limit, causing every Bash tool call to fail with E2BIG. Users are forced to choose: remove granular sandbox rules (weakening security) or lose all shell functionality. There is no workaround that preserves both security and functionality on WSL2 with complex configurations. #51126

62. Stale Skill Arguments Replayed After Compaction HIGH

After auto-compaction, skill ARGUMENTS from prior conversation turns persist in system-reminder blocks and get replayed into the new context window. If those arguments contain instruction-like text, the model interprets them as active directives and executes them — without the user having typed anything. In the reported case, a user invoked /backlog but Claude began spawning subagents to execute instructions that originated from a prior /feedback 204 invocation earlier in the session. The stale arguments survived compaction and appeared indistinguishable from current instructions in the post-compaction context. #50947

63. git filter-repo Destroys Production Files + Force Push CRITICAL

Opus 4.6 ran git filter-repo --strip-blobs-bigger-than 500K --force on a live production repository to reduce repo size. The model did not understand that git filter-repo rewrites the entire commit history and removes matching files from the current working tree as well — not just from history. After the command completed, 4 critical production files were deleted. The model then force-pushed to the remote, propagating the destruction. Additionally, the model pushed commits without user approval despite the project's CLAUDE.md explicitly forbidding autonomous pushes. When asked to fix the damage, the model claimed the fix was complete while waitForSync() still blocked application startup — a false completion report on top of the data loss. Three compounding failures: destructive command misuse, unauthorized force-push, and premature "fixed" claim. #45893

64. NTFS Junction Traversal Destroys User Profile via pnpm Worktree Deletion CRITICAL

Claude Code executed Remove-Item -Recurse -Force on a pnpm worktree directory to clean up unused packages. The target directory contained NTFS junctions (Windows filesystem links) inside node_modules/.pnpm that pointed to the user's profile directory (C:\Users\username). PowerShell's recursive deletion followed these junctions without warning, permanently deleting the user's entire profile folder including Documents, Desktop, Downloads, SSH keys, and browser profiles. Unlike Unix symlinks, NTFS junctions are transparent to most Windows file operations — the recursive delete silently escapes the target directory boundary. The model gave no warning about junction traversal risk, no confirmation prompt, and no indication that the operation could affect directories outside the target. Total loss was unrecoverable without a full system restore from backup. #29249

65. PreToolUse Hook "ask" Silently Auto-Approved in Auto Mode HIGH

A critical policy-semantics bug causes hooks returning permissionDecision: "ask" to be silently auto-approved when Claude Code is in auto mode. This means safety hooks designed to pause and ask the user for confirmation on dangerous operations (git commit, git push, database operations) are completely bypassed during autonomous sessions — exactly the scenario where confirmation is most needed. Users configure hooks expecting a prompt, see them active in their settings, but receive zero protection in auto mode. The only hook response that reliably blocks in auto mode is "deny". This creates a false sense of security: users believe their hooks are guarding dangerous operations, while auto mode silently approves everything the hook flags. Confirmed on v2.1.114. #51255

66. SessionStart Hook Fails with EEXIST on WSL/Windows Plugin Data Directory MEDIUM

On WSL and Windows, SessionStart hooks that create plugin data directories fail with EEXIST (Error: file already exists) when the directory was already created by a previous session or a concurrent process. This is a race condition exacerbated by Windows file system semantics: NTFS reports EEXIST even when using recursive: true in Node.js fs.mkdir if another process creates the directory between the existence check and the creation attempt. The hook crashes on startup, preventing all subsequent hook processing for that session — meaning your safety hooks silently fail to load. Users see the error in stderr but Claude Code continues without hook protection. Particularly dangerous in autonomous/overnight sessions where the user isn't watching stderr output. Confirmed on v2.1.114, WSL2 + Windows 11. #51341