Skip to content

Claude/Fable policy refusal is parsed as JSON findings output #92

Description

@tim-gq

What happened

While running deepsec process with the Claude backend and Claude's new Fable model, some investigation batches failed because Claude Code returned a policy-refusal API error instead of the JSON findings array DeepSec expected.

The public-safe shape of the local debug dump is:

# deepsec parse-failure debug dump
# phase: investigate
# agentType: claude-agent-sdk
# error: Error: Agent produced output that wasn't a parseable JSON findings array: Unexpected token 'A', "API Error:"... is not valid JSON. First 400 chars: API Error: Claude Code is unable to respond to this request, which appears to violate our Usage Policy (https://www.anthropic.com/legal/aup). Try rephrasing the request or attempting a different approach. Request ID: ...
# batch (5 files):

The terminal-level error I saw for the same class of failure was:

Agent SDK error: Claude Code returned an error result: API Error: Claude Code is unable to respond to this request, which appears to violate our Usage Policy (https://www.anthropic.com/legal/aup). Try rephrasing the request or attempting a different approach.

In this run there were multiple parse-failure debug dumps with the policy-refusal text. Later in the same run I also hit a normal Claude session limit:

You've hit your session limit · resets ...

That rate limit was legitimate and is not the bug I am reporting here. It did prevent me from rerunning the affected batch to see whether the Fable policy refusal was deterministic or whether the same batch would pass on retry.

Expected vs actual

Expected:

  • DeepSec should recognize a Claude Code policy-refusal API error as an upstream agent refusal/error, not as malformed JSON.
  • The affected files/batch should be left in a clearly retryable/error state with an actionable message.
  • The end-of-run output should distinguish this from parse failures, quota/session limits, and normal model refusals.

Actual:

  • The policy-refusal text was passed to the JSON findings parser.
  • The debug dump reports Agent produced output that wasn't a parseable JSON findings array.
  • The resulting failure mode looks like an output formatting problem even though the root cause is Claude Code refusing the request before producing findings JSON.

Reproduction

I cannot share the private target repo publicly, but the local run was:

pnpm deepsec process --agent claude --model <Claude Fable model> ...

The failing batches were normal source-file investigation batches, not an intentional policy-test input. The affected files in the first failing batch were application MCP tool files.

Environment

  • deepsec version: 2.0.12
  • Agent backend: claude-agent-sdk / --agent claude
  • Model: Claude Fable model
  • @anthropic-ai/claude-agent-sdk: 0.3.163
  • Node: v24.14.1
  • OS: macOS ARM64 (Darwin 24.6.0)
  • Observed: 2026-06-10

Notes

This looks related in shape to parse-failure/retry handling, but distinct from:

In this case Claude Code returned an API/policy refusal string. The rate limit occurred afterward and only blocked rerun verification.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions