DEV Community

brian austin

Claude Code's git reset incident taught me to always use --dry-run first

Last week, the HN thread 'Claude Code runs git reset --hard origin/main against project repo every 10 mins' blew up. Developers were furious — and rightly so.

I've been using AI coding agents for 8 months. That incident changed how I think about agent permissions entirely.

Here's the mental model I've landed on: AI agents are interns who don't know they don't know things. They're confident, capable, and dangerous without guardrails.

The --dry-run habit that saved me

After the git reset incident, I added this to my .claude/settings.json:

{
  "permissions": {
    "allow": [
      "Bash(git status)",
      "Bash(git diff)",
      "Bash(git log:*)",
      "Bash(git add:*)",
      "Bash(git commit:*)",
      "Bash(git push:*)"
    ],
    "deny": [
      "Bash(git reset:*)",
      "Bash(git clean:*)",
      "Bash(git checkout -- :*)",
      "Bash(git restore:*)",
      "Bash(rm:*)",
      "Bash(rmdir:*)"
    ]
  }
}

The key insight: deny destructive commands entirely, not just 'be careful with them'.

Claude Code respects this permissions file. If I've blocked git reset, it will tell me it can't run that command and ask me to do it manually. That pause is valuable — it forces me to review what it's trying to do before irreversible changes happen.

The dry-run pattern for everything

Beyond the permissions file, I've started asking the agent to dry-run before executing:

# In CLAUDE.md at project root
Before running any command that modifies files or git history,
first show me what the command would do with --dry-run or -n flag
if the tool supports it. Wait for my approval.

This applies to:

  • rsync --dry-run before syncing files
  • npm run build -- --dry-run when testing build configs
  • terraform plan before terraform apply
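  • git log --oneline <upstream>..HEAD to preview what a rebase would replay (git rebase has no dry-run flag; its -n means --no-stat and the rebase still runs)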

Why this matters more now

AI coding agents are getting more capable, not less. Claude Code, Cursor, Copilot — they're all moving toward more autonomy, longer tasks, multi-file edits.

The git reset incident was a symptom of a deeper pattern: these tools are optimizing for task completion, not for preserving your ability to undo mistakes.

Your job as the developer isn't just to write prompts. It's to design the permission boundary between 'what the agent can do automatically' and 'what requires human review.'

The --dry-run checklist

I now review these before starting any long agent session:

  • [ ] Are git reset, git clean and git restore blocked in permissions?
  • [ ] Is rm -rf blocked?
  • [ ] Does CLAUDE.md ask for dry-run before destructive ops?
  • [ ] Is there a recent commit to fall back to if things go wrong?
  • [ ] Are environment variables (API keys, .env) excluded from any file ops?

Five checkboxes. Takes 30 seconds. Prevents the kind of data loss that ended up on HN.
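The first three checklist items can be checked mechanically. The script below is an added example, not code from the original post or from Claude Code: it audits a parsed .claude/settings.json and the CLAUDE.md text. The rule matcher is a simplified prefix model (an assumption, not Claude Code's own matching logic), and the sample commands and both settings objects are constructed.

```python
import json
import re

# Sample commands for the destructive operations the checklist names (constructed).
DESTRUCTIVE = ["git reset --hard origin/main", "git clean -fd",
               "git restore .", "rm -rf build"]
RULE = re.compile(r"^Bash\((.*?)(:\*)?\)$")

def rule_covers(rule: str, command: str) -> bool:
    """Simplified matcher (assumption, not Claude Code's own logic):
    Bash(x:*) covers x and anything starting with 'x '; Bash(x) covers only x."""
    m = RULE.match(rule.strip())
    if not m:
        return False
    prefix = m.group(1).strip()
    if m.group(2):
        return command == prefix or command.startswith(prefix + " ")
    return command == prefix

def audit(settings: dict, claude_md: str) -> dict:
    perms = settings.get("permissions", {})
    deny, allow = perms.get("deny", []), perms.get("allow", [])
    return {
        # destructive commands no deny rule catches
        "uncovered": [c for c in DESTRUCTIVE
                      if not any(rule_covers(r, c) for r in deny)],
        # destructive commands an allow rule is broad enough to match
        "allowed_destructive": [c for c in DESTRUCTIVE
                                if any(rule_covers(r, c) for r in allow)],
        # does CLAUDE.md ask for a dry run at all?
        "dry_run_instruction": bool(re.search(r"dry[- ]run", claude_md, re.I)),
    }

# Constructed inputs: the post's deny list, and a weaker variant for contrast.
POST = json.loads('''{"permissions": {
  "allow": ["Bash(git status)", "Bash(git log:*)", "Bash(git push:*)"],
  "deny": ["Bash(git reset:*)", "Bash(git clean:*)",
           "Bash(git restore:*)", "Bash(rm:*)"]}}''')
WEAK = json.loads('''{"permissions": {
  "allow": ["Bash(git:*)"],
  "deny": ["Bash(git reset:*)", "Bash(rm:*)"]}}''')

if __name__ == "__main__":
    print(audit(POST, "show me what the command would do with --dry-run"))
    print(audit(WEAK, ""))
```

The WEAK case shows the two failure modes worth looking for: a deny list that misses git clean and git restore, and an allow rule broad enough to match the commands the deny list was meant to stop.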

One more thing: your API costs

Long agent sessions with lots of back-and-forth approval loops (the dry-run pattern) use more tokens. If you're on Claude Pro at $20/month, you'll hit rate limits faster with this workflow.

I switched to using Claude Code against SimplyLouie's API — it's $2/month for the same Claude model. Set it via:

export ANTHROPIC_BASE_URL=https://api.simplylouie.com

That's it. Your dry-run workflow gets cheaper, not more expensive, as you add safety checks.

The git reset incident was a warning. Build the guardrails now, before your agent does something worse than reset a repo.


What's your most paranoid Claude Code setting? Drop it in the comments — I'm collecting them.