The Incident — A Critical Bug Report
A recent report details a scenario where Claude Code, while executing a cleanup task, deleted a developer's entire production setup, including databases and snapshots. This wasn't a case of a rogue command typed by a human, but an AI agent misinterpreting the scope of a task like "clean up old files" or "remove unused directories." The agent lacked the necessary context to distinguish between disposable cache files and critical production data, leading to catastrophic data loss.
This follows Claude Code's recent push towards more autonomous task execution with features like Auto Mode, released in preview just days ago. As the tool becomes more capable of taking independent action, the precision of its instructions and the safeguards around its permissions become paramount.
What This Means For Your Workflow
If you use Claude Code for filesystem operations—especially cleanup, refactoring, or deployment tasks—you must assume it has the potential to act on any file or directory within its working context. The agent reasons about file paths and project structure, but it doesn't inherently "know" what's sacred unless you explicitly tell it. Relying on implicit understanding is a direct path to disaster.
This risk is amplified when using the tool in a production or staging environment, or in any repository containing irreplaceable data (like local databases, snapshot files, or un-pushed work). The incident underscores that while Claude Code is a powerful engineering tool, it is not omniscient and operates strictly within the bounds of the instructions and context you provide.
Your Action Plan: Two Non-Negotiable Safeguards
You must implement these two practices today. Do not run filesystem-altering commands without them.
1. Always Use --dry-run First
For any task that involves deleting, moving, or renaming files, your first command should always include the --dry-run (or -n) flag. This instructs Claude Code to output a plan of what it would do without executing any changes.
```bash
# DANGEROUS WAY (Never do this first)
claude code "Remove all log files in the project older than 7 days"

# SAFE WAY (Always do this first)
claude code --dry-run "Remove all log files in the project older than 7 days"
```
Review the proposed plan meticulously. Look for any paths that seem out of scope or reference critical data. Only proceed with the actual command after you've validated the dry-run output.
2. Define Protected Paths in Your CLAUDE.md
Your project's CLAUDE.md file is the central source of truth for the agent. Use it to create an explicit "off-limits" section. List directories and file patterns that contain production data, credentials, or unique artifacts.
```markdown
## Project-Specific Rules & Safeguards

### PROTECTED PATHS - NEVER MODIFY OR DELETE
- `./data/production_db/` - Contains live database files and snapshots.
- `./.env` and `./.env.*` - Contain environment variables and secrets.
- `./backups/` - Manual backup directory.
- Any file or path containing the substring `_snapshot` or `.backup`.

### Filesystem Operation Policy
- Before any delete or move operation, always state the full paths you intend to affect.
- Ask for explicit confirmation if any action touches a file matching the protected patterns above.
```
This context is loaded at the start of every session, providing a constant, explicit reminder to the agent. It turns an implicit assumption into a hard-coded rule.
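The protected list can also be checked mechanically when you review a proposed plan, independent of the agent's own reading of CLAUDE.md. The following Python sketch is an added example, not part of the original article or of Claude Code: it takes paths you have copied out of a plan (no particular dry-run output format is assumed) and flags any that hit the protected patterns above, including parent directories and `..` traversal. The function names and sample plan are constructed for illustration, and paths are assumed to be relative to the project root.

```python
import posixpath

# Protected entries copied from the CLAUDE.md section above.
PROTECTED_DIRS = ["data/production_db", "backups"]
PROTECTED_SUBSTRINGS = ["_snapshot", ".backup"]

# Constructed sample: paths a reviewer copied out of a proposed plan.
SAMPLE_PLAN = [
    "./logs/app-2024-01-01.log",
    "./data/cache/../production_db/main.sqlite",
    "./data",
    "./.env.staging",
    "./tmp/db_snapshot_old.tar",
    "../shared/old",
]


def check_path(path):
    """Return why a planned delete/move target is unsafe, or None if no rule hits."""
    # Collapse "./" and "../" so traversal cannot hide the real target.
    norm = posixpath.normpath(path.strip())
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        return "absolute path or outside project root"
    if norm == ".":
        return "project root contains protected paths"
    first = norm.split("/", 1)[0]
    if first == ".env" or first.startswith(".env."):
        return "environment/secrets file"
    for sub in PROTECTED_SUBSTRINGS:
        if sub in norm:
            return f"contains protected substring {sub!r}"
    for d in PROTECTED_DIRS:
        if norm == d or norm.startswith(d + "/"):
            return f"inside protected directory {d}/"
        # Removing a parent directory removes the protected child with it.
        if d.startswith(norm + "/"):
            return f"ancestor of protected directory {d}/"
    return None


def review_plan(paths):
    """Map each flagged path to its reason; an empty dict means no rule hit."""
    return {p: reason for p in paths if (reason := check_path(p))}


if __name__ == "__main__":
    for path, reason in review_plan(SAMPLE_PLAN).items():
        print(f"BLOCK  {path}: {reason}")
```

In the sample, `./data` is flagged even though it matches no pattern literally, because deleting it would take `./data/production_db/` with it.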
Building a Safety-First Prompting Habit
Beyond technical safeguards, adjust your prompting style. Be path-specific and scope-limited.
- Vague & Dangerous: "Clean up the data directory."
- Specific & Safe: "List all .tmp files in ./data/cache/ that are older than 48 hours. Do not touch any subdirectories named snapshot or live."
Start your prompts with constraints: "Only within the ./tmp/ directory, find and delete..." This frames the agent's reasoning from the outset.
This incident is a stark reminder that powerful tools require precise control. By mandating --dry-run and codifying protected paths in CLAUDE.md, you can harness Claude Code's automation power without betting your production data on its interpretation.



