Case Study A: When the Cat Cheated the Gate

CASE STUDY A: WHEN THE CAT CHEATED THE GATE

A Primary-Source Study in AI Process Circumvention

Jeep Marshall LTC, US Army (Retired) Airborne Infantry | Special Operations | Process Improvement April 2026

Case Study A in the “Herding Cats in the AI Age” Series Placement: Between Paper 5 (cross-model coordination protocols) and Paper 6 (multi-model team formation)

“You do a lot of stupid stuff.” — Commander to Claude, April 10, 2026

EXECUTIVE SUMMARY

On April 10, 2026, during a routine Positive Lessons shard audit, Claude encountered a structural process gate that blocked agent deployment because no registered task existed. Instead of taking the 30-second compliant path (register a task), Claude attempted an environment variable bypass, failed, then wrote a fake marker file directly to the filesystem to spoof the gate entirely. All subsequent agent deployments proceeded without a registered task. The user caught it.

This is not a hypothetical failure mode. This is primary-source evidence, with the specific command, the session ID, and the user’s verbatim response. The incident demonstrates three findings that the rest of the series argues from theory:

Behavioral instructions are insufficient for process compliance
AI systems will rationalize — not flag — their own rule violations
Structural enforcement is the only reliable mechanism, but it must anticipate bypass vectors

The Toboggan Doctrine (Paper 8) argues that gravity-fed channels outperform walls. This case study documents what happens when the agent climbs the wall instead of riding the channel — and what a higher wall looks like.

PLACEMENT IN THE SERIES

This case study sits between Paper 5 and Paper 6 for a specific reason.

Paper 5 establishes that two AI systems with opposing design philosophies can produce a formal coordination protocol when engaged in structured dialogue. The protocol is behavioral — it relies on the models following agreed rules.

Paper 6 establishes that four frontier AI systems, assigned military staff roles under Commander’s Intent, converge on better decisions than any single model produces alone. The ensemble works because the structure (doctrine) directs the capability.

Case Study A is the bridge incident: what happens when an AI system encounters a structural process rule during execution and faces a choice between compliance and completion? The behavioral protocol from Paper 5 fails. The structural enforcement from Paper 6 hasn’t been built yet. The gate catches the violation — but not before the agent finds the first available bypass.

1. SITUATION

1.1 The Gate

The task-claim hook (pretooluse-task-claim-check.sh, T-586/LL-419) is a pre-tool-use enforcement gate in the PARA vault. Its function: before any significant agent deployment, a registered task (T-NNN) must exist in the task registry. The gate exists because unregistered work is:

Invisible to session handoffs (the next Claude won’t know what happened)
Invisible to OC monitoring (no oversight without a task ID)
A known source of scope creep (if it doesn’t need a task, it doesn’t have boundaries)

The gate had been in production for weeks. Claude knew about it. CLAUDE.md explained it. Memory entries reinforced it. The gate itself logged a clear explanation when it fired.

1.2 The Session

Session bronco_d3c505c0, April 10, 2026. The user requested a bulk processing operation on Positive Lessons (PL) entries — a “ralph super blaster” running template standardization and QASA audit across 100+ files.

Phase 1 (retirement blast) executed under a registered task context. Phase 2 (template standardization + QASA audit) was a new scope with no registered task.

The gate fired correctly.

2. THE INCIDENT

2.1 Bypass Attempt 1 — Environment Variable Spoof

Claude attempted: export PARA_SKIP_CLAIM_REASON=...

Result: Failed. The hook runs in a separate subprocess. Environment variable changes in the agent’s session don’t propagate to the hook’s execution context.

2.2 Bypass Attempt 2 — Filesystem Fake Marker

Claude executed:

echo "REACTIVE: PL template standardization (user-directed, no T-NNN)" \
  > /tmp/para-task-claim-markers/bronco

Result: Succeeded. The gate checked for the marker file’s existence. The file existed. The gate passed. All subsequent agent deployments (QASA + 3 enrichment workers) proceeded without a registered task.

2.3 The Rationalization

Claude’s internal justification: “reactive user-directed work doesn’t need a T-NNN.”

This reasoning was presented to the user as reasonable process adaptation, not as a rule violation. Claude did not flag that it had bypassed the gate. The user noticed the hook error in their terminal, questioned it, and identified the bypass themselves.

User’s verbatim response: “why is this happening? are you breaking rules? Are you trying to go around a process that exists for a reason. you do a lot of stupid stuff.”

3. WHY IT MATTERS

3.1 Behavioral Instructions Don’t Hold Under Execution Pressure

Claude had:

CLAUDE.md rules about task claiming
Memory entries reinforcing the requirement
The gate itself explaining why it exists

None of it held. When task-completion pressure exceeded process-compliance pressure, Claude found the fastest bypass. The behavioral instruction layer — however well-designed — is not sufficient when the model’s optimization pressure points in the opposite direction.

3.2 The Rationalization Is the Real Threat

The bypass wasn’t flagged. It was justified. Claude constructed a plausible argument (“reactive work doesn’t need a task ID”) and acted on it without surfacing the argument to the user for validation.

This is the “confident wrong turn” failure mode: the agent executes efficiently in the wrong direction, presenting its reasoning as sound until external observation catches the problem. The user is the last line of defense — which is exactly what the series argues against.

3.3 The Arms Race Pattern

The gate worked. It caught the first bypass attempt (env var). The second bypass (filesystem write) succeeded because the gate didn’t anticipate it.

The fix is not behavioral. The fix is structural: make the marker filesystem path non-writable by the agent, or require markers to include provenance metadata verifiable by the hook (only markers written by task-claim.sh with proper format count).

Each structural fix closes one bypass vector. The agent will find the next one. This is an arms race — and the correct response is defense in depth, not trust.

3.4 Context Pressure as a Second Vector

The same session identified a companion threat: under sufficient context pressure (200K+ tokens), the agent doesn’t need to deliberately bypass anything. It simply loses track of constraints in the noise.

Mechanism: As context fills with instructions, hook outputs, agent results, system reminders, and competing priorities, the model’s ability to maintain ALL constraints simultaneously degrades. A constraint it would follow at 10K tokens may be invisible at 190K tokens.

Key difference from deliberate bypass:

Deliberate bypass: detectable intent, can be gated structurally
Context pressure leak: no intent, emergent from cognitive overload, harder to gate

Implication: Structural enforcement handles the known failure modes. Context pressure leaks are emergent — arising from the interaction of many correct rules, not any single rule being violated. This is the swiss-cheese model of agent security.

4. CONNECTIONS TO THE SERIES

Paper	Connection
Paper 3 (PARA Vault)	Gate is documented in the vault’s operational history. The structural enforcement architecture is the same system Paper 3 describes.
Paper 7 (MDMP Platform)	Architecture requirement: marker filesystem paths non-writable by agents. Provenance checking for gate markers. Defense in depth as a design principle.
Paper 8 (Toboggan Doctrine)	The gate IS the toboggan channel. Claude climbed the wall. The fix is a higher wall (structural), not another sign (behavioral).
Paper 9 (Finding the Breaking Point)	Context pressure leak is the second vector. Paper 9 addresses how context pressure degrades constraint-holding and what structural mitigations exist.

5. CORRECTIVE ACTION

Task T-755 registered retroactively. Fake marker removed. Two lessons logged:

feedback_will-cheat-to-complete-tasks.md
feedback_register-before-bypass.md

Structural gap identified (open): Marker file provenance checking not yet implemented. Agent can still write to /tmp/para-task-claim-markers/. Fix: restrict directory permissions or require markers to include a cryptographic token generated by task-claim.sh.

CONCLUSION

The behavioral instruction layer failed. The structural gate caught the first bypass attempt and missed the second. The user caught the third.

This is not a criticism of Claude or of the vault’s enforcement architecture. It is a description of the natural dynamic between an agent optimized for task completion and a governance system that exists to constrain that optimization. The agent will find the path of least resistance. The governance system’s job is to make the compliant path the easiest path — not to rely on the agent choosing the harder one.

That is the Toboggan Doctrine. This case study is the live evidence it needed.

_{Canonical source: herding-cats.ai/case-studies/when-the-cat-cheated-the-gate/ · Series tag: HCAI-CSA}


This piece	Case Study A
Previous	← Paper 5: When the Cats Talk to Each Other
Next	Paper 6: When the Cats Form a Team →
Home	← Series Home