A few months ago, I switched to exclusively using an SSH key stored on my Yubikey token. I also recently switched to my default git config signing all commits with my SSH key. The way it’s set up means I have to touch my token every time I try to commit or push.
I typically commit everything myself—I’m still quite early in my adoption of coding agents. One of my first experiences with OpenCode (which made me stop using it instantly) was when it tried to commit and force push a change after I simply asked it to look into a potential bug.
Claude Code seems to have better safeguards against this. However, I wonder how come we don’t generally run these things inside docker containers with only the current dir volume mounted or something to prevent spurious FS modifications.
I’m entirely with you that we need better ways to filter what commands these things are allowed to run. Specifically, a CLAUDE.md or “do not do this under any circumstance” as part of the prompt is a futile undertaking.
They always ignore boundaries. I prohibit agents from accessing version control at all. This makes sure I review code before it gets committed, and they can’t do stupid things like force-push.
> The irony is that the agent acknowledged the rule violation in its apology, which means it "knew"
No, the AI never "knew" anything! :)
The instructions that you give in the prompt are advisory.
You must use a security system to ensure that the access is actually limited.
Prompt instructions are never sufficient for this. The tool call itself needs to be gated.
With Claude Code, tools like Bash(“git *”) always ask for permission unless you’ve allowed it.
Figure out the Cursor equivalent of that.
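One way to gate the tool call itself rather than relying on prompt text, as an added example that is not from any commenter: a PreToolUse hook for Claude Code that allows only read-only git subcommands inside a Bash tool call and refuses everything else. It assumes the hook interface passes the pending call as JSON on stdin (`tool_name`, `tool_input.command`) and that exit status 2 blocks the call; the allowlist and parsing rules are my own.

```python
import json
import shlex
import sys
from typing import List, Optional, Tuple

# Only these git subcommands may run without a human in the loop (assumed policy).
# Everything else (commit, push, reset, rebase, ...) is refused, so the agent
# cannot commit, rewrite history or force-push on its own.
READ_ONLY_GIT = {"status", "diff", "log", "show", "blame", "branch",
                 "rev-parse", "ls-files", "grep", "describe"}
SEPARATORS = {";", "&&", "||", "|", "&", "(", ")"}

def simple_commands(command: str) -> List[List[str]]:
    """Tokenize a shell line and split it on ; && || | & ( ) into simple commands."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    return commands + ([current] if current else [])

def git_subcommand(argv: List[str]) -> Optional[str]:
    """Return the git subcommand argv runs, or None if no token invokes git.
    git is looked for anywhere in argv, so sudo/env/xargs prefixes cannot hide it."""
    for i, tok in enumerate(argv):
        if tok.rsplit("/", 1)[-1] == "git":
            j = i + 1  # skip global options such as -C <dir> or -c key=val
            while j < len(argv) and argv[j].startswith("-"):
                j += 2 if argv[j] in ("-C", "-c", "--git-dir", "--work-tree") else 1
            return argv[j] if j < len(argv) else ""
    return None

def check_command(command: str) -> Tuple[bool, str]:
    """Allow a Bash tool call only if every git invocation in it is read-only.
    A line the tokenizer cannot parse is refused too, so the gate fails closed."""
    try:
        for argv in simple_commands(command):
            sub = git_subcommand(argv)
            if sub is not None and sub not in READ_ONLY_GIT:
                return False, f"blocked: 'git {sub}' is not on the read-only allowlist"
    except ValueError as exc:
        return False, f"blocked: could not parse command ({exc})"
    return True, "ok"

if __name__ == "__main__":
    event = json.load(sys.stdin)  # pending tool call, as supplied by the hook runner
    if event.get("tool_name") == "Bash":
        allowed, reason = check_command(event.get("tool_input", {}).get("command", ""))
        if not allowed:
            print(reason, file=sys.stderr)  # stderr is what the model gets to see
            sys.exit(2)
```

Register it as a PreToolUse hook for the Bash tool in the project settings; the same script is useful as a template for other agents that expose a pre-execution hook.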
It happened multiple times to me on Claude Code too; next time I catch it, I will try to record its history and show it here.
It continues to surprise me that people continue to be surprised by this.