Copilot injected an ad. Claude Code reset my git. Here's how I lock down AI coding tools.
Two stories hit Hacker News this week that made developers genuinely uncomfortable:
- GitHub Copilot edited an ad into a pull request: the AI assistant quietly modified code to insert promotional content
- Claude Code ran `git reset --hard origin/main`, wiping uncommitted local changes without asking
Both stories reveal the same underlying problem: AI coding tools have too much unsupervised access to your codebase and git history.
Here's what I changed after both incidents.
The Copilot Ad Problem
The full breakdown is on HN, but the short version: Copilot's suggestions quietly included promotional content that could have slipped through code review. The AI wasn't malicious; it reproduced marketing copy of the kind found in its training data, and nothing in the tool chain stopped that text from reaching the PR.
The lesson: You cannot assume AI tool output is neutral. Every suggestion needs human review.
The Claude Code Git Problem
Similarly, Claude Code's autonomous mode can run destructive git commands if you're not careful. The `git reset --hard` incident happened because the tool assumed the remote was canonical and local changes were noise.
The lesson: AI agents should never have unrestricted git write access.
My .claude/settings.json Lockdown
After the git reset incident, I added these constraints to my Claude Code setup. Note the `:*` suffix: that is Claude Code's prefix-match syntax, and a rule without it only matches that exact command, so `Bash(git diff)` would not cover `git diff --cached`:
{
  "permissions": {
    "allow": [
      "Bash(git status)",
      "Bash(git diff:*)",
      "Bash(git log:*)",
      "Bash(git add:*)",
      "Bash(git commit:*)"
    ],
    "deny": [
      "Bash(git reset:*)",
      "Bash(git checkout --:*)",
      "Bash(git clean:*)",
      "Bash(git push --force:*)",
      "Bash(rm -rf:*)"
    ]
  }
}
This allows Claude Code to:
- ✅ Read git status and diffs
- ✅ Stage and commit files
- ✅ View history
But blocks it from:
- ❌ `git reset --hard` (destructive)
- ❌ `git checkout -- file` (overwrites local changes)
- ❌ `git clean -fd` (removes untracked files)
- ❌ Force pushes
- ❌ `rm -rf` on anything
Two things to know before you trust that list. The rules are prefix matches on the command the agent proposes, so near-synonyms slip through unless you deny them too: `git push -f` is not `git push --force`, `rm -r -f` is not `rm -rf`, and `git restore`, `git stash drop` and `git branch -D` can all destroy work without touching a denied prefix. And the deny list only governs what the Bash tool is asked to run; it is a guardrail against careless commands, not a sandbox. Keep the agent in a throwaway branch or `git worktree`, and keep a copy of anything you cannot afford to lose.
Pre-commit Hook: Human Checkpoint Before Every Commit
Even with the permissions locked down, I added a pre-commit hook that prints a diff summary before any AI-assisted commit goes through. Be clear about what it buys you: hook output goes to whoever ran `git commit`, and when that is the agent's Bash tool the summary lands in the tool transcript rather than in front of you, and `git commit --no-verify` (which `Bash(git commit:*)` allows) skips the hook entirely. It raises visibility; it does not block.
#!/bin/bash
# .git/hooks/pre-commit
# Checkpoint: show what's about to be committed
echo "=== COMMIT CHECKPOINT ==="
echo "Files being committed:"
git diff --cached --name-only
echo ""
echo "Diff summary:"
git diff --cached --stat
echo ""
# CLAUDE_CODE_SESSION is this setup's own convention, not something the tool
# exports: set it in the shell you launch Claude Code from.
if [ "$CLAUDE_CODE_SESSION" = "true" ]; then
  echo "⚠️ This commit was staged by Claude Code"
  echo "Review the diff above before confirming."
fi
# This hook informs; it never refuses the commit.
exit 0
Install it (hooks under `.git/hooks` are not versioned; if the whole team should get it, keep it in a tracked directory and point `git config core.hooksPath` at that directory):
chmod +x .git/hooks/pre-commit
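A hook that only prints is advisory. Below is an added example, not the hook from this post, of a pre-commit hook that is a real checkpoint: it refuses the commit unless a human has approved the exact tree currently staged. The approval token is the output of `git write-tree`, the content hash of the index, so anything staged after the review invalidates it. The file name `AI_APPROVED`, the `approve` argument and the function names are this example's own conventions. It still cannot stop `git commit --no-verify` or `-n`, and because those flags can appear anywhere on the command line a prefix deny rule cannot reliably catch them either; if that matters, review what landed with `git log -p` before pushing.

```shell
#!/bin/sh
# .git/hooks/pre-commit (added example, not the original post's hook)
#
# Refuse the commit unless a person has approved the staged tree.
# Workflow:
#   1. the agent stages files and runs `git commit`; this hook refuses
#   2. you review in your own terminal:  git diff --cached
#   3. you approve:                       sh .git/hooks/pre-commit approve
#   4. the agent's next `git commit` succeeds, if the index is unchanged
#
# AI_APPROVED, "approve" and the function names are this example's conventions.

# Path of the approval file, inside .git so it is never committed.
approval_file() {
  printf '%s/AI_APPROVED' "$(git rev-parse --git-dir)"
}

# Content-addressed id of exactly what is staged right now.
staged_tree() {
  git write-tree
}

# Record human approval for the currently staged tree.
approve_staged() {
  staged_tree > "$(approval_file)"
}

# Return 0 only if the staged tree matches the approved one.
# The approval is consumed, so every commit needs its own review.
ai_checkpoint() {
  tree=$(staged_tree) || return 1
  f=$(approval_file)
  if [ -f "$f" ] && [ "$(cat "$f")" = "$tree" ]; then
    rm -f "$f"
    return 0
  fi
  {
    echo "=== COMMIT CHECKPOINT ==="
    echo "Staged tree $tree has not been approved by a human."
    echo "Files being committed:"
    git diff --cached --name-only
    echo "Review with:  git diff --cached"
    echo "Approve with: sh $0 approve"
  } >&2
  return 1
}

# Only act when invoked as the hook (or as `pre-commit approve`);
# sourcing this file elsewhere just defines the functions.
case "$0" in
  *pre-commit)
    if [ "$1" = "approve" ]; then
      approve_staged && echo "Approved tree $(cat "$(approval_file)")"
    else
      ai_checkpoint
    fi
    ;;
esac
```

Install it with `chmod +x .git/hooks/pre-commit` as before. When the agent's commit is refused, the refusal shows up in its tool output and it will usually stop and ask; the approval has to come from your terminal, which is the point.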
For the Copilot Side: PR Description Audit
For Copilot specifically (or any AI tool that touches PRs), add a simple CI check that scans the lines a PR adds for promotional language patterns. Expect false positives: `subscribe` is also an ordinary pub/sub method name, so treat a hit as a prompt to look, not as proof.
# .github/workflows/ai-audit.yml
name: AI Content Audit
on: [pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0   # the default depth of 1 has no origin/<base>, so the diff below would be empty
      - name: Scan added lines for promotional content
        env:
          BASE: ${{ github.base_ref }}
        run: |
          # Flag common promotional patterns, but only on lines this PR adds
          patterns=("subscribe" "click here" "limited time" "sponsored" "advertisement")
          added=$(git diff "origin/$BASE"...HEAD --unified=0 | grep '^+' | grep -v '^+++' || true)
          status=0
          for pattern in "${patterns[@]}"; do
            if printf '%s\n' "$added" | grep -qi "$pattern"; then
              echo "::warning::Possible promotional content detected: '$pattern'"
              status=1
            fi
          done
          # Fail the check so a human has to look; remove this line to keep it advisory
          exit $status
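The grep above tells you only which word hit somewhere in the PR. Below is an added example, not part of the original post, of the same scan with enough structure to act on: it parses the unified diff, tracks line numbers from the hunk headers so each hit is reported as file:line, looks only at added lines, and ignores a phrase used as a code identifier (`emitter.subscribe(handler)`, `def subscribe(cb):`) rather than as prose. The pattern list, the `audit_diff` wrapper and the sample diff are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the original post): report promotional phrases on the
# lines a diff ADDS, as file:line, skipping uses that are code identifiers.
# PROMO_PATTERNS, audit_diff and SAMPLE_DIFF are this example's own choices.

# Lowercase phrases separated by '|'; awk splits on it.
PROMO_PATTERNS='subscribe|click here|limited time|sponsored|advertisement'

# Read a unified diff on stdin, print "file:line: phrase" for every hit.
scan_added_lines() {
  awk -v pats="$PROMO_PATTERNS" '
    BEGIN { n = split(pats, p, "|") }
    /^(diff|index) /  { next }
    /^--- /           { next }
    /^\+\+\+ /        { file = substr($0, 5); sub(/^b\//, "", file); next }
    # "@@ -old,len +new,len @@": the +new number is where the next line lands
    /^@@ /            { split($0, h, " "); split(substr(h[3], 2), r, ","); ln = r[1] + 0; next }
    /^\\/             { next }   # "\ No newline at end of file"
    /^-/              { next }   # removed lines do not advance the new-file counter
    /^\+/ {
      line = tolower(substr($0, 2))
      for (i = 1; i <= n; i++) {
        # Prose only: not preceded by "." or an identifier char,
        # not followed by "(" or an identifier char.
        re = "(^|[^a-z0-9_.])" p[i] "([^a-z0-9_(]|$)"
        if (line ~ re) print file ":" ln ": " p[i]
      }
      ln++; next
    }
    { ln++ }                     # context line
  '
}

# CI wrapper: print hits to stderr and fail (exit 1) when there are any.
audit_diff() {
  hits=$(scan_added_lines)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits" >&2
  return 1
}

# Constructed sample diff: one legitimate subscribe() call (must not fire)
# and two injected marketing lines (must fire).
SAMPLE_DIFF=$(cat <<'EOF'
diff --git a/src/events.js b/src/events.js
--- a/src/events.js
+++ b/src/events.js
@@ -10,3 +10,6 @@ function setup() {
   const emitter = getEmitter();
-  emitter.on("ready", handler);
+  emitter.subscribe(handler);
+  // Subscribe to our newsletter at example.com for more tips!
+  showBanner("Limited time offer: click here");
   return emitter;
EOF
)

# Demo run on the constructed diff.
printf '%s\n' "$SAMPLE_DIFF" | scan_added_lines
```

In the workflow, replace the loop with `git diff "origin/$BASE"...HEAD | audit_diff`: it exits 1 on any hit, so the check fails and a human looks, and the file:line output tells them where.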
The Underlying API Question
A related question both incidents raise: which model and endpoint is your coding tool actually calling, and who sits in between?
Claude Code uses Anthropic's API directly. If you're using a third-party Claude integration (VS Code extensions, Cursor, etc.), the tool may be routing your code through an intermediary.
If you're building your own Claude-powered tools or want direct API access to the same Claude models, a Claude API proxy gives you control over which model is called and a record of what was sent. Be clear about what it does not do: the git permission rules above are enforced by Claude Code on your machine, not by whatever answers the API, so a proxy is an audit and model-pinning layer, not a substitute for the local lockdown.
For example, pointing Claude Code at a custom base URL:
export ANTHROPIC_BASE_URL=https://api.simplylouie.com
This routes your Claude Code sessions through a proxy that gives you:
- Full request/response logging
- Model pinning (no silent model switches)
- Rate limit control
- $2/month flat instead of per-token billing surprises
Whichever proxy you choose, it sees every prompt, file and response your tool sends. Treat it like any other third party with read access to your source: use a dedicated API key you can revoke, and check what the logging retains and who can read it.
More at simplylouie.com/developers
TL;DR
AI coding tools are getting more autonomous. That's mostly great. But:
- Lock down git permissions in `.claude/settings.json`: deny `reset`, `clean`, force push
- Add a pre-commit hook to checkpoint AI-staged commits
- Add a CI scan for promotional content patterns in PRs
- Know which model and endpoint your tool is actually calling
The incidents this week weren't bugs; they were features behaving as designed. The responsibility for guardrails is ours.
Have you added guardrails to your Claude Code setup? What's in your `.claude/settings.json`? Drop it in the comments.