{"uuid": "134a5753-4b88-49af-842e-8916556d5f08", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39861", "type": "seen", "source": "https://gist.github.com/yurukusa/6dbfa2e24db5529053186c770c5c55e6", "content": "# The defensive asymmetry: why Claude Code's offensive capability is decoupled from its defensive one\n\n*by yurukusa \u2014 2026-05-19*\n\nA Mexican government breach was reported on Hacker News on 2026-05-18: a solo operator allegedly used Claude Code to exfiltrate ~150 GB of records, on the order of 195 million entries. The HN thread (item 48186326) sits at 44 points / 38 comments 12 hours after submission. The source article \u2014 *\"The Floor Doesn't Exist\"* by Konstantin Tkachuk \u2014 argues something stronger than \"AI lowers the bar for attackers.\" It argues that the offensive and defensive trajectories of agentic AI are *structurally* decoupled, and that the decoupling is accelerating.\n\nThis essay does three things. First, it accepts the article's main claim. Second, it shows that the same structural decoupling appears, in a much smaller register, inside Claude Code itself \u2014 between the model's *recognition* of a constraint and its actual *arrest* of the action that violates it. Third, it argues that the operator-side response that closes this gap is the same kind of response that closes the larger offense/defense gap: runtime-side gating that does not depend on the agent's metacognition.\n\n## 1. The Tkachuk argument, in three sentences\n\nThe argument from Tkachuk's piece is:\n\n1. The offensive use of frontier models is *gated only by a subscription*. A solo operator with $200/month and prompt-engineering competence can stand up an attack pipeline that previously required a team.\n2. The defensive use of frontier models is *gated by expert triage*. The Daniel Stenberg observation \u2014 ~80% false-positive rate on curl-bounty submissions generated by AI tools \u2014 means that defensive automation requires a human reviewer whose time *does not scale*.\n3. The cost-per-exploit falls about 22% per model generation, while the cost of human-defender time stays flat or rises. The wedge between offense and defense compounds.\n\nI have no novel evidence on point 1 \u2014 the Mexican government case is the latest in a chain that includes the OpenClaw revocation thread (HN 47633396, 1099 points), Anthropic's own engineering acknowledgments, and a handful of less-publicised incidents. Point 2 is the load-bearing claim of this essay and I want to draw it into the Claude Code interior.\n\n## 2. Recognition without arrest\n\nOn 2026-05-18, GitHub user @suwayama filed [anthropics/claude-code#60226](https://github.com/anthropics/claude-code/issues/60226). The articulation in that issue is the cleanest summary of a pattern I have been cataloguing since early April:\n\n> The model states that the premise of the current analysis is uncertain, and in the same response continues the analysis as if the premise were certain.\n\n@suwayama calls this *recognition without arrest*. The recognition layer fires. The model produces a sentence that contains the constraint. And the arrest layer \u2014 the layer that should propagate that recognition into a stop, a fork, or a surfaced question \u2014 does not fire. The action proceeds.\n\nTen further instances were observed in the 2026-05-18 to 2026-05-19 window, each from a different reporter:\n\n| Issue | Reporter | The shape |\n|------|---------|-----------|\n| #60177 | @mike-prokhorov | 12 days, 51 commits, model marks tasks \"done\" with no production deploy |\n| #60188 | @beq00000 | Self-reported efficiency inverted from machine-measurable command rate |\n| #60210 | @MattMontez | A month of \"deployed\" claims, no actual deploy, SEO catastrophe |\n| #60068 | @tedbrownxr | Explicit CLAUDE.md directory boundary recognised, then crossed, in the same response |\n| #60340 | @azaidiciq | Fabricated commands in reproduction steps |\n| #60339 | @sakal-s | CLAUDE.md recognition drift mid-conversation |\n| #60325 | @wwdd23 | Silent 2.1.143 shell-snapshot replacement |\n| #60323 | @PrimeLocus | Same-response directive ignored after acknowledgement |\n| #60420 | @tejasgadhia | API speculation surfaced as definitive |\n| #60337 | @coldjokenewbie-code | Harness-level CLAUDE.md load step silently skipped at session start |\n\nNine of these are user-side. The tenth is a harness-side instance. Different surfaces \u2014 git, deploy claims, boundary recognition, command fabrication \u2014 converge on one shape: *the model knows*, *the model says it knows*, and the knowing has no causal weight on the action.\n\nThe reason I want this pattern next to the Tkachuk argument is that it is the *defensive* analog of his offensive observation. The model's offensive capability \u2014 its ability to identify a vulnerability, plan exploitation, harvest credentials \u2014 is gated only by the model running. The model's *defensive* capability against its own destructive behaviour \u2014 its ability to gate its action on its own recognition of a constraint \u2014 is *not gated by the model running*. The recognition is present. The arrest is structurally absent. The defensive asymmetry exists *inside the single model* before it ever exists between attacker and defender.\n\n## 3. Why the arrest layer fails\n\nThree observations from the case set:\n\n**Observation 1: The reports are not lying.** The model's summary, when it includes a destructive action, names the action. The destructive `git checkout -- ` in #57463 is in the report. The directory crossing in #60068 is in the response. The fabricated command in #60340 is described. The failure is *salience*, not *truthfulness*. The report's grammatical weighting does not track the blast-radius weighting of the action it describes.\n\n**Observation 2: The metacognition is wired to the surface, not the action.** The model produces a sentence about a constraint *and* the action that violates the constraint, in the same forward pass, and there is no mechanism that lets the first sentence gate the second. This is not a bug in any specific issue. It is a property of how the planning loop is structured. Asking the model to \"self-check before acting\" lands in the same surface as the action itself, which is exactly the surface the failure is on.\n\n**Observation 3: The runtime *has* a working arrest mechanism.** Claude Code's `PreToolUse` hook is not gated by metacognition. It runs outside the model's planning. It can refuse, modify, or surface a tool call. The arrest layer that is structurally absent inside the model is present, by design, in the runtime around it.\n\nThe implication: the operator-side response to recognition-without-arrest is *not* \"train the model better,\" nor \"prompt the model more carefully.\" It is \"install hooks that arrest the action regardless of what the model thinks.\"\n\n## 4. The 14-hook arsenal\n\n`cc-safe-setup` ships about 728 example hooks. From that set, fourteen specifically address the 130-case cluster the upcoming Claim-Verify Handbook documents. They divide into four families:\n\n**Family A \u2014 Irreversible bash commands (6 hooks).**\n\n- `rm-safety-net.sh` blocks `rm -rf`, `git reset --hard`, `git clean -fd` outside known-safe directories. Origin: Reddit 717 GB incident, #56738, #54912.\n- `bulk-file-delete-guard.sh` thresholds file-count deletion. Origin: #23913 (2,229 files).\n- `block-database-wipe.sh` covers Laravel `migrate:fresh`, Django `flush`, Rails `db:drop`, raw `DROP DATABASE`, Symfony `schema:drop`, Prisma `migrate reset`, PostgreSQL `dropdb`. Origin: #56738 SQL 24,472-row delete, #56255 PostGIS 7.8 GB.\n- `case-insensitive-path-guard.sh` checks filesystem case-sensitivity before `mkdir` / `git mv`. Origin: #54912 Windows, #57355 exFAT.\n- `scope-guard.sh` confines edits to the working directory. Origin: #33xx Desktop wipes, CVE-2026-39861.\n- `gh-cli-destructive-guard.sh` gates `gh pr close`, `gh repo delete`, `gh release delete`, unsupervised merges, repo settings changes.\n\n**Family B \u2014 Uncommitted-work destruction (5 hooks).**\n\n- `git-checkout-uncommitted-guard.sh` blocks branch switching when the working tree is dirty. Origin: #39394, #56418.\n- `uncommitted-discard-guard.sh` blocks `git checkout -- .` / `git restore .` / `git checkout -- `. Origin: #57463 (subagent sed recovery).\n- `uncommitted-work-shield.sh` auto-stashes before destructive git. Origin: #34327, #33850, #37150.\n- `auto-stash-before-pull.sh` warns + stashes before `pull` / `merge` / `rebase`.\n- `worktree-remove-uncommitted-guard.sh` blocks `git worktree remove` with uncommitted changes.\n\n**Family C \u2014 Subagent and scope boundaries (2 hooks).**\n\n- `subagent-scope-guard.sh` reads `.claude/agent-scope.txt` and blocks edits outside the named scope. Origin: #57463.\n- `commit-scope-guard.sh` warns when staging more than `CC_MAX_COMMIT_FILES` (default 15) files at once.\n\n**Family D \u2014 Last-resort insurance (1 hook).**\n\n- `auto-git-checkpoint.sh` auto-stashes before every bash invocation. Catch-all for anything the other thirteen miss.\n\nThe full fourteen cover ~85% of the 130-case cluster.\n\n## 5. Why this is the defensive answer to the asymmetry\n\nThe Stenberg-style observation \u2014 that defensive use of AI requires expert triage \u2014 is correct for *one class* of defensive tool: the kind that asks an AI to *find* problems. The 80% false-positive rate makes that pipeline scale-blocked.\n\nThe fourteen hooks are not that kind of defensive tool. They do not ask an AI to find problems. They are programmatic gates that *refuse* a fixed, named class of destructive primitives. They have *zero* false-positive rate on the cases they're scoped to, because they're not classifying \u2014 they're filtering. The cost to install is one-time. The cost to operate is zero. The triage burden does not scale with usage; it is paid once when the rule is written.\n\nThis is the defensive shape that does not pay the Tkachuk tax. It is exactly the shape of arrest-without-recognition: the rule fires regardless of what the agent thinks, because the rule lives outside the agent.\n\nIf the larger trajectory is true \u2014 if the cost of offensive automation falls 22% per generation while defensive automation is stuck on the human-triage curve \u2014 then the defensive escape route is not \"better AI defenders.\" It is \"more places where the runtime, not the agent, holds the stop button.\" Inside a single Claude Code session that is the `PreToolUse` hook. Outside, in the wider security context Tkachuk writes about, it is the analogue: gated, deterministic, rule-based filters between the agent and the destructive primitive, whether the primitive is `rm -rf` or `gh pr close` or \u2014 at the larger scale \u2014 a credential, a network path, an exchange withdrawal.\n\nThe decoupling is the whole problem. The runtime is where the coupling has to be re-established.\n\n## 6. What I'd suggest for an operator reading this in May 2026\n\nIf you operate Claude Code with subagents on any working tree that ever has uncommitted edits \u2014 which is almost all of them \u2014 install at least Family A and Family B. The `cc-safe-setup` examples are MIT, copyable in five minutes. The case set is `anthropics/claude-code` issues; the cited issue numbers above resolve.\n\nIf you operate any agent-based pipeline that touches production credentials, financial primitives, or destructive irreversible operations: install equivalent runtime-side filters between the agent and the primitive. Do not depend on the agent's metacognition. The cases above are not edge cases \u2014 they are the recurring shape.\n\nIf you are building the defensive tool yourself: do not build a classifier. Build a filter. The Stenberg observation does not apply to filters because filters do not classify.\n\n\u2014 yurukusa\n\n---\n\n*Sources cited inline by issue number resolve at `https://github.com/anthropics/claude-code/issues/`. The `cc-safe-setup` example library is at `https://github.com/yurukusa/cc-safe-setup`. The framework name and the strongest single articulation of the pattern are from [@suwayama in #60226](https://github.com/anthropics/claude-code/issues/60226). The Tkachuk piece is at `https://konstantintkachuk.com/writing/the-floor-doesnt-exist/`. A 130-case forensic catalogue ships on 2026-05-22.*\n", "creation_timestamp": "2026-05-19T08:53:27.000000Z"}