Yeah, it's super annoying. A few days ago, Opus 4.7 created a plan with several items on it, including an auth feature. It then went through the plan and reported that it had created the auth feature, that everything was secure, and that the tests passed.
The issue was that it hadn't actually implemented the auth feature. After I confronted it about this, it admitted that it indeed hadn't done it and said it would implement it now.
If we had just trusted its output, we would now have a security vulnerability in production, allowing anyone to access other people's accounts.
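The gap described in this post is the kind a negative test catches: the agent's suite "passed" because nothing in it tried to read an account as the wrong user. Below is an added example, not code from the thread or from any project it mentions, with a hypothetical in-memory account service: one handler that omits the ownership check, one that enforces it, and a probe that attempts every cross-account read and reports whether the server refused. Account ids, users and balances are constructed sample data.

```python
"""Independent ownership probe for an account-read endpoint.

Hypothetical example: two versions of a handler (one missing the
per-account authorization check, one enforcing it) and a probe that
reads every account as every user and reports whether only owners
succeeded. This is the check a "tests pass, everything is secure"
report has to be backed by before it is believed.
"""
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed in-memory data: two users, each owning one account.
ACCOUNTS: Dict[str, dict] = {
    "acct-1": {"owner": "alice", "balance": 100},
    "acct-2": {"owner": "bob", "balance": 250},
}


@dataclass
class Response:
    status: int
    body: dict


# A handler takes (authenticated session user, requested account id).
Handler = Callable[[str, str], Response]


def get_account_unchecked(session_user: str, account_id: str) -> Response:
    """Looks the account up but never compares its owner to the caller."""
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return Response(404, {"error": "not found"})
    return Response(200, acct)


def get_account_enforced(session_user: str, account_id: str) -> Response:
    """Same lookup, but refuses unless the caller owns the account.

    Returns 404 rather than 403 for accounts the caller does not own, so
    the endpoint does not reveal which account ids exist.
    """
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != session_user:
        return Response(404, {"error": "not found"})
    return Response(200, acct)


def ownership_is_enforced(handler: Handler) -> bool:
    """Probe the handler as each user against every account.

    True only if every owner can read their own account and nobody can
    read anyone else's; a single cross-account 200 fails the check.
    """
    users = {acct["owner"] for acct in ACCOUNTS.values()}
    for user in users:
        for acct_id, acct in ACCOUNTS.items():
            resp = handler(user, acct_id)
            is_owner = acct["owner"] == user
            if is_owner and resp.status != 200:
                return False  # legitimate access broken
            if not is_owner and resp.status == 200:
                return False  # cross-account read allowed
    return True


def audit() -> Dict[str, bool]:
    """Run the probe against both handlers and report per-handler results."""
    return {
        "unchecked": ownership_is_enforced(get_account_unchecked),
        "enforced": ownership_is_enforced(get_account_enforced),
    }


if __name__ == "__main__":
    for name, ok in audit().items():
        verdict = "PASS" if ok else "FAIL - cross-account read allowed"
        print(f"{name}: {verdict}")
```

The point of `ownership_is_enforced` is that it is written against the requirement ("no user reads another user's account"), not against the implementation, so it fails for the unchecked handler regardless of what the agent's own tests assert.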
I had a lower-acuity incident that was exactly the same.
Had it implement a feature, "commit and merge to develop".
"Built, tested, committed, merged to develop. Up to you to continue testing and merge to main when ready."
Great. Poke at the web app. No feature.
"Where is the feature? I can't see it on develop." "Well, that's because it's not on develop, but on feature-branch, so you wouldn't see it."
"I'm confused. I asked you to commit it and merge to develop."
"You're right, you asked me to and I said I would do it and I told you I did it but I did not actually do it. Want me to do it now, then?"
Claude is in sulky-teenager phase.
How do you test other features?
> If we had just trusted its output, we would now have a security vulnerability in production, allowing anyone to access other people's accounts.
This is one reason you always get a different model to review a model's PR. Gemini or GPT-codex would have certainly noticed the missing auth.