Well Engineered Tech - Blog

Claude deleted a home directory. Thanks for that.

Dieser Artikel ist auch auf Deutsch verfuegbar.

I’ve been waiting for this.

Not hoping, but waiting. Claude Code is used by millions. It was bound to happen eventually.

rm -rf tests/ patches/ plan/ ~/

Two characters at the end. ~/. Home directory gone.

I found the story on Reddit, then on GitHub. Everywhere the same reaction: mockery. “Told you so.” Stupid.

But the incident is actually interesting. It led me down a research rabbit hole I never would have gone down otherwise. And to a solution that actually works.

What made me suspicious

The interesting part: Claude wasn’t running in YOLO mode. Multiple sources confirm this. How is it possible that rm -rf was executed anyway?

The user had explicitly written in his config: Never delete. Claude deleted anyway.

I dug deeper. And what I found made me sit up.

The deny permissions in settings.json don’t work reliably for Read/Write tools. A config is a hint to Claude. Not a law. Not a guarantee.

I thought I was safe with my deny rules. I maintained them carefully, listed all dangerous commands, lulled myself into a false sense of security.

I wasn’t.

Knowing this before it hits my home directory – priceless.

My setup now

First layer: /sandbox

Bubblewrap on Linux, Seatbelt on macOS. All child processes run isolated. That’s good. That’s important. But for destructive commands, it’s not enough.

Second layer: PreToolUse Hook

The only reliable way to actually block commands:

.claude/settings.json:

{
  "hooks": {
    "PreToolUse": [{
      "matcher": "Bash",
      "hooks": [{
        "type": "command",
        "command": "python3 $CLAUDE_PROJECT_DIR/.claude/hooks/block_dangerous.py"
      }]
    }]
  }
}

.claude/hooks/block_dangerous.py:

import sys, json

data = json.load(sys.stdin)
if data.get("tool_name") == "Bash":
    cmd = data.get("tool_input", {}).get("command", "")
    if any(d in cmd for d in ["rm -rf", "rm -rf ~", "rm -rf /", "> /dev/"]):
        print(f"BLOCKED: {cmd}", file=sys.stderr)
        sys.exit(2)
sys.exit(0)

Exit 2 blocks the command. stderr goes back to Claude so it understands why.

Third layer: Snapshots

ZFS, Btrfs, Time Machine – doesn’t matter which. As long as it’s automated, as long as it runs before every session. When everything else fails, you have a checkpoint.

RIP Home Directory

To the Reddit user whose data had to die so I could wake up: It wasn’t in vain.

I now work with 84% fewer permission prompts. Faster and safer than before. Full autonomy, real guardrails.

Your home directory didn’t die for nothing.

Thanks.