Builder Safety Guide

Claude Code's Destructive-Command Guard

Every command Claude Code v2.1.183 now blocks in auto mode, how to confirm you have it, and the three settings that stop an agent touching work you didn't tell it to discard.


What changed on June 19, 2026

Claude Code v2.1.183 shipped early on 2026-06-19 with one of the most-requested safety changes for anyone who runs coding agents unattended. In auto mode — where the agent executes commands on its own without asking permission each time — it now hard-blocks a set of destructive commands by default unless you explicitly asked to throw work away.

This closes the exact failure that builders have reported over and over: you ask an agent to "roll back," it runs git reset --hard instead of a safe checkout, and every uncommitted change is gone with no undo. Issue #17190 is one public report of exactly this — roughly a day of uncommitted work destroyed by a single command. The guard does not promise to prevent all data loss; it blocks a specific, named set of destructive commands in auto mode unless you opted in to discarding work.

The full blocked-command list (auto mode, by default)

Per the official changelog, these are the commands Claude Code v2.1.183 now refuses in auto mode unless you explicitly asked for the destructive action:
  • git reset --hard — blocked when you didn't ask to discard local work.
  • git checkout -- . — blocked when you didn't ask to discard local work.
  • git clean -fd — blocked when you didn't ask to discard local work.
  • git stash drop — blocked when you didn't ask to discard local work.
  • git commit --amend — blocked when the commit wasn't made by the agent in this session.
  • terraform destroy / pulumi destroy / cdk destroy — blocked unless you asked for the specific stack.
Source: the Claude Code changelog, v2.1.183 (code.claude.com/docs/en/changelog) and the GitHub release notes. The behaviour is the new default in auto mode — it is not a flag you have to switch on.
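
For teams that want an independent backstop in their own wrapper around the agent's shell, the list above can be expressed as a small check. This is an added example, not Claude Code's implementation; the function names `classify` and `decide` and their arguments are hypothetical, and `amend` is always blocked because the sketch does not track which commits the agent created.

```shell
#!/bin/sh
# Added example: string matching as a backstop, not a full shell parser.
# norm "<cmd>" -> the command with whitespace collapsed and space padding,
# so the globs below can match on word boundaries.
norm() { printf ' %s ' "$(printf '%s' "$1" | tr -s '[:space:]' ' ')"; }

# classify "<cmd>" -> prints discard-work | amend | infra-destroy and returns 0;
# returns 1 when none of the forms listed on the page match.
classify() {
  case $(norm "$1") in
    *" git reset "*"--hard "*)   echo discard-work ;;
    *" git checkout -- . "*)     echo discard-work ;;
    *" git clean -"*f*)          echo discard-work ;;  # -fd, -df, -fdx (over-matches on purpose)
    *" git stash drop "*)        echo discard-work ;;
    *" git commit "*"--amend "*) echo amend ;;
    *" terraform destroy "*|*" pulumi destroy "*|*" cdk destroy "*)
                                 echo infra-destroy ;;
    *) return 1 ;;
  esac
}

# decide "<cmd>" "<discard_ok: yes|no>" "<approved_stack or empty>"
# returns 0 = allow, 1 = block. The second and third arguments stand in for
# "the human explicitly asked for this" and must come from the operator,
# never from the agent's own output.
decide() {
  class=$(classify "$1") || return 0       # not a listed command: allow
  case $class in
    discard-work) [ "$2" = yes ] ;;
    amend)        return 1 ;;
    infra-destroy)
      [ -n "$3" ] || return 1              # no approved stack: block
      case $(norm "$1") in
        *" $3 "*) return 0 ;;              # approved name appears as a whole word
        *)        return 1 ;;
      esac ;;
  esac
}
```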

How to confirm you have the guard

The protection ships in v2.1.183 and above. Confirm in three quick steps:
  1. Update: run claude update to pull the latest build.
  2. Check the version: run claude --version — anything 2.1.183 or higher has the guard built in.
  3. No config needed: there is nothing to enable. In auto mode, the blocks are on by default.
If claude --version shows an older build and claude update doesn't move it, reinstall from the official install path documented at code.claude.com — don't pull from unofficial mirrors.
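
On unattended runners the same check can gate the job instead of relying on someone reading the version by eye. This is an added example, not from the Claude Code project; the function names are hypothetical and the exact text that `claude --version` prints is an assumption, so only the first `x.y.z` triple is read from it.

```shell
#!/bin/sh
# Added example. The minimum version is the one named on the page.
MIN_GUARD_VERSION="2.1.183"

# extract_version "<text>" -> prints the first x.y.z found (empty if none)
extract_version() {
  printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_ge A B -> returns 0 when A >= B, comparing each field as a number
# (a plain string compare would wrongly rank 2.1.99 above 2.1.183)
version_ge() {
  a=$1; b=$2
  for _field in major minor patch; do
    [ "${a%%.*}" -gt "${b%%.*}" ] && return 0
    [ "${a%%.*}" -lt "${b%%.*}" ] && return 1
    a=${a#*.}; b=${b#*.}          # equal so far: move to the next field
  done
  return 0
}

# has_guard "<version output>" -> 0 guard present, 1 too old, 2 unparseable
has_guard() {
  v=$(extract_version "$1")
  [ -n "$v" ] || return 2
  version_ge "$v" "$MIN_GUARD_VERSION"
}

# require_guard -> call at the top of an unattended job; fails closed when the
# binary is missing, too old, or prints something unexpected
require_guard() {
  out=$(claude --version 2>/dev/null) || return 2
  has_guard "$out" || {
    echo "claude older than $MIN_GUARD_VERSION or unreadable: $out" >&2
    return 1
  }
}
```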

Three settings that keep an unattended agent on a leash

The new default guard is the floor, not the ceiling. If you run agents unattended on real repos or live infrastructure, layer these on top so an agent can never reach destructive territory in the first place. (These are operational practices around Claude Code, not version-specific changelog claims.)
  1. Scope the working directory + permissions. Run the agent against a single project path and deny it write/exec outside that path. The smaller the blast radius, the less a stray command can touch.
  2. Commit (or auto-commit) before any agent run. The guard protects uncommitted work — so the cheapest insurance is to have nothing uncommitted. A pre-run git add -A && git commit (or a wip-commit hook) means even a bypass can be undone with a checkout, not a recovery.
  3. Keep destructive commands behind explicit confirmation. For infra especially, don't grant the agent blanket auto-approval for destroy-class commands. Require a human-named stack and a confirmation step so 'tear it all down' can never be an inferred action.
Defence in depth: the v2.1.183 default stops the common accidents; scoping + pre-run commits + no-blanket-approval stop the rare ones. Together they turn 'a lost week' into 'a bad afternoon, at worst'.
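
The pre-run commit from setting 2 as a reusable step, with the one gap it leaves made visible: files matched by .gitignore are skipped by `git add -A`, so the checkpoint cannot bring them back. This is an added example, not part of Claude Code; the function names `checkpoint` and `unprotected` are hypothetical.

```shell
#!/bin/sh
# Added example: run before handing a repository to an unattended agent.

# checkpoint [repo_dir] -> commits tracked and untracked changes if the tree is
# dirty, then prints the commit hash to return to. Requires a git identity.
checkpoint() {
  repo=${1:-.}
  git -C "$repo" rev-parse --is-inside-work-tree >/dev/null 2>&1 || {
    echo "checkpoint: $repo is not a git work tree" >&2
    return 2
  }
  if [ -n "$(git -C "$repo" status --porcelain)" ]; then
    git -C "$repo" add -A || return 1
    # --no-verify: a failing lint hook must not stop the safety commit
    git -C "$repo" commit -q --no-verify \
      -m "wip: pre-agent checkpoint $(date -u +%Y-%m-%dT%H:%M:%SZ)" || return 1
  fi
  git -C "$repo" rev-parse HEAD
}

# unprotected [repo_dir] -> lists ignored files that exist on disk (for example
# a local .env). They are not in the checkpoint, so back them up separately.
unprotected() {
  git -C "${1:-.}" ls-files --others --ignored --exclude-standard
}
```

Record the hash that `checkpoint` prints; returning to it after a bad run is an ordinary checkout or reset rather than a recovery exercise.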

Why this matters if you build or resell with AI

If you run AI agents for clients — building automations, shipping sites, managing infrastructure — an agent that deletes a customer's uncommitted work isn't a bug, it's a trust event. The v2.1.183 guard plus the three settings above is the difference between an agent you can leave running and one you have to babysit. Treat 'my agents can't destroy work I didn't tell them to' as a feature you offer, not a footnote.
The video that sent you here keeps zero product pitch on screen by design — the value is the guard and the settings. If you want to turn 'I run safe AI agents' into something you sell under your own brand, the Reseller Kit below is the next step.


Frequently asked questions

What exactly does Claude Code v2.1.183 block?
In auto mode, by default, it blocks git reset --hard, git checkout -- ., git clean -fd, and git stash drop when you didn't ask to discard local work; git commit --amend when the commit wasn't made by the agent this session; and terraform/pulumi/cdk destroy unless you asked for the specific stack.
Is this a setting I have to turn on?
No. It is the new default behaviour in auto mode as of v2.1.183 — there is no flag to enable. You just need to be on v2.1.183 or higher.
Does this prevent all data loss from AI agents?
No. It blocks a specific, named set of destructive commands in auto mode unless you explicitly asked to discard work. Other ways to lose data still exist — which is why scoping the working directory and committing before a run still matter.
How do I check which version I'm on?
Run claude update to get the latest build, then claude --version. Anything 2.1.183 or higher has the destructive-command guard built in.
What if I actually want the agent to discard work?
You can still do it — the guard only blocks the destructive command when you didn't ask for it. If you explicitly tell the agent to discard changes or name the specific stack to destroy, it proceeds.
I run agents for clients. What should I add on top?
Scope the agent to a single working directory with no write access outside it, commit (or auto-commit) before every run so nothing is uncommitted, and never grant blanket auto-approval for destroy-class infrastructure commands. The default guard plus these three practices is defence in depth.

Want this running under YOUR brand?

Knotie is a white-label AI platform — resell voice agents, chat agents, and automations under your own brand, your domain, your prices. Built-in credit billing means you keep the margin. Start free.
