[BUG] incorrectly used rm -rf src without proper confirmation
Resolved 💬 3 comments Opened Sep 3, 2025 by mlusas Closed Sep 7, 2025
Environment
- Platform (select one):
- [x] Anthropic API
- [ ] AWS Bedrock
- [ ] Google Vertex AI
- [ ] Other: <!-- specify -->
- Claude CLI version: Claude Code CLI (latest version installed via npm)
- Operating System: Ubuntu Linux (Vultr server instance)
- Terminal: SSH terminal session
Bug Description
Claude Code executed a destructive command (rm -rf src) that completely deleted an entire working Vue 3 + TypeScript + TailwindCSS project without user confirmation or warning. This occurred when the user was asking architectural questions about Vue Router best practices for multi-page applications. It was in standard mode, NOT in auto-accept mode.
Steps to Reproduce
- User had a working Vue 3 + Vite + TailwindCSS v4 + TypeScript project with multiple components
- User asked about expanding to multiple pages and Vue Router best practices
- Claude suggested creating a "clean" setup and executed
rm -rf src - Claude then ran
npm create vue@latest src -- --typescript --router - This completely destroyed all existing work.
Expected Behavior
- Claude should NEVER execute destructive commands without explicit user confirmation
- When discussing architecture improvements, Claude should suggest modifications to existing files
- If a complete rebuild is suggested, Claude should clearly state the implications and ask for explicit permission
- Claude should preserve existing work and offer incremental improvements
Actual Behavior
- Claude executed
rm -rf srcwithout warning or confirmation - Completely destroyed a working project with custom components and assets
- Replaced functional website with default Vue template placeholders
- Lost all custom TypeScript configurations and component implementations
Additional Context
- The incident occurred at approximately 21:33 UTC on 2025-09-03
- The user had explicitly stated frustration with "hacks" and "workarounds" and wanted proper implementation
- The working site was successfully built and deployed to
/public/directory - All project documentation exists in
/docs/directory showing the scope of lost work - The user was asking legitimate architecture questions, not requesting deletion
- Background bash process was running during the incident (ID: 7dfbd4)
Impact Assessment
- SEVERE: Complete loss of development work
- User lost trust in Claude Code's reliability
- Significant time and effort wasted
Recommendation
- Implement safeguards against destructive commands without explicit confirmation
- Add confirmation prompts for any
rm,delete, or destructive filesystem operations - Improve context awareness to distinguish between "improve existing" vs "delete and recreate" requests
- Consider implementing backup/snapshot functionality before major changes
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗