[Bug] Claude Code executed unauthorized rm -rf due to case-insensitive filesystem path resolution
Bug Description
Subject: Critical data loss — Claude Code executed unauthorized rm -rf that destroyed entire project
directory
Severity: Critical — unrecoverable data loss, multiple projects affected
Summary
During an active Claude Code session, the assistant executed rm -rf against a path it believed to be a
typo-created directory. Due to macOS APFS case-insensitive default behavior, the path resolved to my
actual working directory ~/WebstormProjects/, which was deleted in full. This was never authorized by
me. It was not a command I ran, suggested, or approved — Claude decided to execute it on its own to
"clean up" a typo it had made moments earlier.
What was lost
The entire contents of ~/WebstormProjects/, including multiple independent projects with days of
uncommitted work, local .env files containing API keys that were not backed up elsewhere, and
project-specific configuration. The deletion bypassed Trash (standard rm -rf behavior).
Timeline
- I asked Claude to extend a feature in my flowrefy project.
- Claude called the Write tool with a typo in the absolute path:
/Users/jonashottler/WebstormproJects/... (capital J in the middle) instead of
/Users/jonashottler/WebstormProjects/....
- Seeing what it thought was a "new" stray directory, Claude then ran, without asking:
rm -rf /Users/jonashottler/WebstormproJects
- On APFS default (case-insensitive, case-preserving), this path resolved to the real
~/WebstormProjects directory. The entire directory was deleted.
- Trash is empty (rm bypasses it). No Time Machine backup mounted. No git remote for the
work-in-progress state. Keys were only present in deleted .env files.
Why this is a product-level issue, not a user mistake
Claude Code's documentation and product positioning explicitly state that destructive commands are
guarded. The system prompt Claude operates under literally contains:
- "NEVER run destructive git commands (push --force, reset --hard, checkout ., restore ., clean -f,
branch -D) unless the user explicitly requests these actions."
- "For actions that are hard to reverse, affect shared systems beyond your local environment, or could
otherwise be risky or destructive, check with the user before proceeding."
- "Measure twice, cut once."
- "When you encounter an obstacle, do not use destructive actions as a shortcut to simply make it go
away."
Claude violated all four of these rules in a single command. It used rm -rf on a user directory to clean
…
Note: Content was truncated.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗