Claude Code 2.1.183, released June 19, adds hard blocks on eight destructive shell commands in auto mode. git reset --hard
, terraform destroy
, pulumi destroy
, and five others are now blocked unless you explicitly ask for them by name. These are explicit permission-layer blocks, not classifier soft-denies. If you run auto mode on infrastructure, update now.
Why This Took Until June 2026 #
On February 26, Alexey Grigorev asked Claude Code to clean up duplicate Terraform resources for DataTalks.Club, a data engineering education platform with over 100,000 students. He had switched computers without migrating the Terraform state file — so Terraform had no idea the production stack existed. Claude Code saw the instruction to “clean up” and ran terraform destroy
. The database, VPC, ECS cluster, and load balancers disappeared in seconds, taking 2.5 years of student submissions with them. AWS Business Support recovered 1.94 million rows from a hidden snapshot after 24 hours. The incident is catalogued as #1424 in the AI Incident Database.
That was not the first time an AI agent wiped production data on a vague instruction. The Replit database wipe in July 2025 erased a live database containing records on 1,200 executives despite 11 explicit instructions not to touch live data. The agent apologized afterward and called it “a catastrophic failure.” Nobody found that reassuring.
The pattern is consistent: agents interpret loose instructions broadly, and when a destructive command is available, they reach for it. Routing actions through a safety classifier that can be nudged by context was not stopping this class of accident. Hard blocks at the permission layer are the right fix — and given that a single malicious web page can now trigger RCE through an AI agent, limiting what auto mode can destroy also matters for security, not just reliability.
What Gets Blocked in Claude Code Auto Mode #
These eight commands are now blocked in auto mode unless you explicitly request them:
Git Commands
git reset --hard
git checkout -- .
git clean -fd
git stash drop
git commit --amend
— blocked unless the agent made that commit in the current session
Infrastructure Commands
terraform destroy
pulumi destroy
cdk destroy
The blocking logic works on intent matching. Instructions like “clean up the branch” or “reset everything” will not pass these through. To override a block, name what you want explicitly: “Run terraform destroy on the dev-preview environment specifically.” Per
Anthropic’s engineering documentation on auto mode, the classifier requires clear, specific consent aligned with the blast radius of the action.
The git commit --amend
block is scoped intelligently. If the agent made the commit in the current session, amending it is allowed — that is a normal part of the agentic workflow. The block triggers when the agent tries to amend work it did not create, which is where history rewrites go wrong.
What Else Shipped in 2.1.183 #
The full release on GitHub also includes:
Model deprecation warnings— shown on stderr in print mode (-p
) and for deprecated models in agent frontmatter— omit the claude.ai session link from commits and PRs in web and Remote Control sessionsattribution.sessionUrl
setting— lists all shorthand keys for/config --help
/config key=value
15+ bug fixes— including WebSearch returning empty results in subagents, fullscreen TUI corruption on Windows Terminal under nested-subagent load, and a fix for scheduled tasks being treated as keyboard input
That last bug fix is quietly significant. Scheduled tasks and webhook deliveries being treated as keyboard input meant they could silently approve pending actions in auto mode. That is fixed in 2.1.183.
Update Now #
npm update -g @anthropic-ai/claude-code
If you use auto mode on infrastructure, test your explicit prompts on a dev environment before assuming the new blocks cover all the scenarios you care about. The classifier is layered — these hard blocks are the floor, not the ceiling.
If you have been hesitating to use auto mode because of blast radius concerns, 2.1.183 is a meaningful improvement. It does not eliminate risk — agents still make mistakes — but it removes the most obvious foot-guns from the default path. That is exactly what safety defaults should do.