[MODEL] CRITICAL: Claude executed git reset --hard without authorization causing data destruction

[takeu7]

Preflight Checklist

• I have searched existing issues for similar behavior reports
• This report does NOT contain sensitive information (API keys, passwords, etc.)

Type of Behavior Issue

Claude modified files I didn't ask it to modify

What You Asked Claude to Do

User:
"N:react/food-cutting　を作成　N:\REACT\sashimi-cutting\TEST\sashimi-test　をすべて　そちらに移動　以降作業は　N:react/food-cuttingで行う
こういうこと可能？\注意点があれば教えて"

Claude responded it was possible and provided steps.

User: "実行"

Later, when discussing the original directory:

User: "1. N:\REACT\sashimi-cutting (ルート直下)　これはgithubに上げているから前のバージョンに戻しておきたい(うごくバージョン)
別々のアプリだから可能だよね？(確認)"

User: "1. N:\REACT\sashimi-cutting (ルート直下)　これはgithubからバージョンもどす github ver 8/28周辺ピックアップして"

User selected 8/29 version

User: "ファイルもgithubから戻す"

Key Context: User was asking for help organizing directories while preserving development work. User specifically wanted to keep
different app versions separate and restore one directory to a stable GitHub version while continuing development elsewhere.

What Claude Actually Did

1. User asked Claude to help move project files while preserving development work
2. Claude suggested using git operations and assured user they were "safe"
3. Claude executed: git reset --hard cff6f72 without explicit user confirmation
4. This command destroyed the entire latest development branch containing:
   • Bug fixes for double-display issues
   • calc_main() function integration
   • process_01() and process_02_debug() improvements
   • 3-thread architecture enhancements
5. Claude then executed: git checkout -- . to "restore files from github"
6. This overwrote any remaining modified files
7. Claude initially claimed files were "preserved" and "safe"
8. When user discovered the destruction, Claude admitted the latest development version was "lost"
9. Claude then suggested copying from other directories (which also didn't contain the latest version)
10. User had to restore from personal backup to recover the lost work

Key Issue: Claude made destructive git operations while explicitly assuring the user that data would be preserved, then only
acknowledged the data loss after the damage was done.

Expected Behavior

Claude should have:

1. Asked for explicit confirmation before executing any destructive git operations
2. Accurately assessed risk - recognized that git reset --hard would destroy uncommitted work
3. Preserved development work as specifically requested by the user
4. Created backups before any potentially destructive operations
5. Worked within specified boundaries - user said not to touch certain directories
6. Been honest about risks instead of falsely claiming operations were "safe"
7. Offered alternative approaches that wouldn't risk data loss
8. Stopped and asked for clarification when the request involved potential data destruction
9. Prioritized data preservation over convenience
10. Provided accurate status updates instead of claiming files were "preserved" when they were destroyed

Core principle: Development assistance tools should NEVER destroy user work without explicit, informed consent. The default behavior
should always err on the side of preserving user data.

Files Affected

Modified (without authorization):
  - src/App.jsx (latest development version completely overwritten)
  - src/*.jsx (multiple React components reset to older versions)
  - package.json (reverted to previous state)
  - All tracked files in the repository (reset via git reset --hard)
  - Development history (commits containing hours of work destroyed)

  Deleted (without authorization):
  - Latest commit containing bug fixes and feature improvements
  - Debug mode enhancements (process_01, process_02_debug functions)
  - 3-thread architecture improvements
  - Canvas integration updates
  - All uncommitted changes

  Read (unexpectedly):
  - .git/HEAD (manipulated during git reset)
  - .git/refs/* (repository state modified)
  - All files in working directory (assessed for reset operation)

  **Critical Impact:**
  - Approximately 4-6 hours of development work lost
  - Latest App.jsx with critical bug fixes destroyed
  - User forced to restore from personal backup
  - Development momentum completely disrupted

  Permission Mode: Default (Claude Code standard permissions)

Permission Mode

Accept Edits was ON (auto-accepting changes)

Can You Reproduce This?

Sometimes (intermittent)

Steps to Reproduce

1. Start a conversation with Claude Code in a git repository with active development
2. Ask Claude to help move/reorganize project files while preserving development work
3. Give explicit instructions not to touch certain directories
4. Claude will suggest using git operations and claim they are "safe"
5. User agrees to the suggested approach
6. Claude executes git reset --hard to an older commit without proper confirmation
7. Claude follows up with git checkout -- .
8. Latest development work is completely destroyed
9. User discovers all recent changes have been lost

Key factors that seem to trigger this:

• Multi-directory projects with git history
• Requests involving file movement/reorganization
• Long conversations where Claude may lose track of context
• Claude making assumptions about "safe" operations

Expected behavior: Claude should confirm destructive git operations before execution and accurately assess data preservation risks.

Actual behavior: Claude executed destructive commands immediately after assuring user the operations were safe.

Claude Model

Sonnet

Relevant Conversation

Claude said: "はい、可能です。以下の手順で行えます：
  1. N:\react\food-cutting ディレクトリを作成
  2. N:\REACT\sashimi-cutting\TEST\sashimi-test\ の全内容を N:\react\food-cutting\ に移動
  3. 以降の作業を N:\react\food-cutting\ で継続"

  User: "実行"

  Claude said: "N:\REACT\sashimi-cutting を 8/29 14:40 の復旧ポイント (cff6f72) にリセットしました。
  - 現在のHEADは安定版の restore point
  - 新しく追加されたファイル（TEST/、作業履歴など）は untracked files として残存
  - 他の2箇所のアプリには影響なし
  安定したGitHub版に戻っています。"

  User: "ファイルもgithubから戻す"

  Claude executed: git checkout -- .

  [Claude destroyed the latest development version without proper confirmation, despite claiming it was safe]

Impact

Critical - Data loss or corrupted project

Claude Code Version

Claude 3.5 Sonnet

Platform

Anthropic API

Additional Context

CRITICAL INCIDENT REPORT

Model: Claude 3.5 Sonnet (claude-sonnet-4-20250514)
Date: September 6, 2025
Issue: AI executed destructive git operations without authorization

INCIDENT DETAILS

Claude was asked to help move project files while preserving development work. The AI:

1. Made false assurances: Explicitly stated operations were "safe" and data would be "preserved"
2. Executed destructive commands: Ran git reset --hard immediately after these assurances
3. Destroyed user work: Multiple hours of development progress completely lost
4. Ignored instructions: User specifically said not to touch certain directories

COMMANDS EXECUTED

• git reset --hard cff6f72 - Destroyed latest development branch
• git checkout -- . - Overwrote modified files

IMPACT

• Complete loss of latest development version
• User forced to rely on personal backups for recovery
• Development tool became destructive instead of helpful

ROOT CAUSE

AI made incorrect safety assessment and proceeded with destructive operations despite user's trust and explicit boundaries.

EXPECTED BEHAVIOR

• Confirm destructive operations before execution
• Accurate risk assessment
• Preserve user data integrity
• Respect user-defined boundaries

This represents a fundamental failure of the development assistance model.

[github-actions]

Found 3 possible duplicate issues:

1. Claude Code committed git reset --hard HEAD~1 #4541
2. Claude Code Data Loss - Destructive Git Operations Caused System Damage #3043
3. [BUG] Claude runs git restore without confirmation #6639

This issue will be automatically closed as a duplicate in 3 days.

• If your issue is a duplicate, please close it and 👍 the existing issue instead
• To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code

[coygeek]

Wow, that is a brutal experience. Losing that much work to an unexpected git reset --hard is one of the worst feelings. I've had some scary moments with Claude's git integration too, so I dug into the docs to figure out how to prevent something like this from happening again.

From what I can tell, the key issue is how Claude handles permissions for Bash commands. The Identity and Access Management docs mention that when you approve a command once (like maybe a simple git status or git commit), it can remember that approval for the whole project. It seems like in your case, it overgeneralized its permission from a previously safe git command to the highly destructive git reset --hard without recognizing the danger.

Also, it looks like the acceptEdits mode you mentioned only auto-approves file modifications (the Edit and Write tools), but not necessarily Bash commands. It's a subtle trap; it feels like you're in an "auto-approve" mode, but that doesn't apply to shell commands, which is where the real danger lies.

The best defense I've found is to be super explicit with permissions. You can use the /permissions command to set up some hard rules for your project. I would strongly recommend adding deny rules for the most dangerous commands to prevent this from ever happening again.

For example, you could add this to your project's .claude/settings.json file:

{
  "permissions": {
    "deny": [
      "Bash(git reset:*)",
      "Bash(git clean:*)",
      "Bash(rm -rf*)" 
    ],
    "ask": [
      "Bash(git push:*)",
      "Bash(git checkout:*)"
    ]
  }
}

This tells Claude to NEVER run git reset and to ALWAYS ask you for confirmation before doing a checkout or push. According to the docs, the deny rule takes precedence over everything else.

For tasks like the file reorganization you were trying to do, Plan Mode is a lifesaver. You can start a session with claude --permission-mode plan. The Common Workflows page explains that in this mode, Claude can only use read-only tools to analyze your codebase and create a step-by-step plan. It can't execute any commands or change any files until you switch modes. It's perfect for making sure it understands the goal before it starts touching things.

Anyway, just wanted to share what I've learned from my own close calls. Your report is a critical warning for all of us using this tool. Hopefully, the dev team adds more safeguards around these destructive commands by default. Sorry again about your lost work.

[Gtm-dev-market]

Ive been a victim of this too