[FEATURE]

Resolved 💬 4 comments Opened Feb 15, 2026 by SeanFDZ Closed Mar 16, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

Issue #12851 described someone losing years of teaching resources because Claude Code deleted files it deemed "unused" during a reorganization task. Similar reports exist in #4912 — the pattern is the same: the agent does something destructive that the human didn't expect, and there's no way back.

When running with --dangerously-skip-permissions or when a user approves a batch of operations without fully reviewing each one, destructive file operations (rm, mv, file overwrites via Write/Edit tools) are irreversible. The agent can't distinguish between a disposable log file and years of accumulated work. When it gets that judgment wrong, the damage is permanent.

The hooks system provides the right insertion point to address this, but there's no built-in mechanism to snapshot files before destructive operations proceed.

Proposed Solution

A PreToolUse hook that intercepts destructive tool calls and copies targets to a timestamped vault directory before the action executes.

I built a working implementation of this called Agent Gate:
https://github.com/SeanFDZ/agent-gate/tree/main/integrations/claude_code

How it works:

  1. Hooks registered for Bash, Write, and Edit tools in ~/.claude/settings.json
  2. When a destructive action is proposed (rm, mv, file overwrite), the hook copies the target to a vault directory before allowing execution
  3. The vault sits outside the agent's permitted directory envelope — the same gate that classifies actions enforces that boundary, so the agent can't reach or delete the backups
  4. Read-only operations (cat, ls, grep) pass through with no overhead
  5. Hard-blocked operations (rm -rf /, curl | bash) are denied outright

In the teaching resources scenario from #12851, every file Claude deleted during cleanup would have been snapshot to the vault first. Recovery would be a copy command, not a prayer that cloud sync version history goes back far enough.

Live tested with --dangerously-skip-permissions: file deletions, directory removal, file overwrites, and compound commands all vault-backed before execution. Multiple overwrites of the same file create separate timestamped snapshots — full point-in-time recovery.

Limitations I want to be straightforward about:

  • The Bash parser is naive — it doesn't evaluate shell expansion or variable substitution
  • This is a safety net for well-intentioned agents making mistakes, not a security boundary against adversarial behavior
  • It doesn't fix the underlying problem of Claude deciding to delete things it shouldn't

Alternative Solutions

  • Git-based checkpoints (ccundo, git stash): Work for code repos, but not for general file directories. Also, the agent can modify git history.
  • Asking the agent to back up files itself: The agent that creates backups can also delete them. The backup needs to be architecturally unreachable by the agent.
  • Running without --dangerously-skip-permissions: Safer, but approval fatigue leads to rubber-stamping, and batch approvals don't surface individual destructive actions.
  • OS-level sandboxing: More robust but much heavier setup and doesn't provide pre-destruction snapshots.

Priority

High - Significant impact on productivity

Feature Category

File operations

Use Case Example

Step 1: User asks Claude Code to "reorganize and clean up my teaching resources folder"
Step 2: Claude identifies files it doesn't recognize as fitting the new structure
Step 3: Claude proposes rm commands for those files
Step 4: With --dangerously-skip-permissions, the rm executes immediately

Without Agent Gate: Files are gone. User discovers hours or days later.

With Agent Gate:
Step 3a: PreToolUse hook intercepts each rm
Step 3b: Target files are copied to vault/20260215_143446/... with full path preserved
Step 3c: rm executes — agent runs at full speed, no interruption
Step 4: User discovers the loss, runs: cp vault/20260215_143446/.../teaching_resources/* workspace/teaching_resources/
Step 5: All files restored in seconds. Every overwrite has its own timestamped snapshot.

Additional Context

Working repo with live test results: https://github.com/SeanFDZ/agent-gate

The implementation uses Claude Code's existing PreToolUse hooks system — no modifications to Claude Code itself. Three Python scripts registered in ~/.claude/settings.json.

This is an imperfect but functional attempt to make destructive mistakes survivable. If the approach is useful, I'm happy to collaborate on making it better.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗