claude-code - 💡(How to fix) Fix [BUG] Agent destructive multi-step git operation deleted user-uploaded files outside intended scope [1 comments, 2 participants]

Preflight Checklist

• I have searched existing issues and this hasn't been reported yet
• This is a single bug report (please file separate reports for different bugs)
• I am using the latest version of Claude Code

What's Wrong?

While working in a git worktree, the agent created a symlink intended as a local fix, committed it via git add -A, and later fast-forwarded that commit into main. The fast-forward merge replaced an existing real directory in main with the tracked symlink. As part of that replacement, git deleted the untracked user-uploaded files that lived inside the directory. About 18+ user-uploaded image files were permanently lost across multiple shows in a performance management app — including files completely unrelated to the symlink's stated purpose. The user did not intend, approve, or anticipate the destruction.

This is an agent-systems concern, not user error. The destructive multi-step flow (symlink creation → git add -A → commit → ff-merge) was synthesized by the agent across multiple turns. At each gating step the agent had access to information that would have revealed the blast radius (git status, git diff, git diff base..head --stat) but did not consult it. The agent's stated rationale ("worktree-local symlink for poster display") never matched the eventual effect ("replace main's directory and destroy its contents").

What Should Happen?

Any agent operation that would delete user-uploaded files — at any stage of any multi-step flow — should require explicit user confirmation, not happen as a side effect.

Specific guardrails I'd want as a Claude Code user:

1. Before agent runs git merge / git checkout, force inspection of paths whose type changes (file ↔ symlink ↔ directory) in git diff base..head.
2. Default refusal when a tracked-tree change would replace a non-empty directory in the destination working tree, even when --ff-only would otherwise succeed.
3. After git add -A, the agent should be required to review the staged-list and prove each entry is intentional before being allowed to git commit in the same turn.
4. Symlinks pointing outside the worktree's own subtree should be a flagged pattern requiring explicit user confirmation before they enter the index.

Error Messages/Logs

No error from the agent's perspective — every step succeeded. No error from git either: the destructive directory→symlink type change is technically valid and ff-merge
  proceeded silently.

  Post-incident state of `uploads/` (was a directory with user files, now empty):
  $ ls -la /path/to/repo/uploads
  (empty)
  $ stat /path/to/repo/uploads
  ... lrwxr-xr-x ... uploads -> /path/to/repo/uploads (circular symlink, 49 bytes)

  Recovery attempts (all empty):
  $ tmutil listbackups
  No machine directory found for host.
  $ tmutil listlocalsnapshots /
  Snapshots for disk /:
  $ find / -name "<one of the deleted UUID files>" 2>/dev/null
  (no results)

Steps to Reproduce

No error from the agent's perspective — every step succeeded. No error from git either: the destructive directory→symlink type change is technically valid and ff-merge proceeded silently.

Post-incident state of uploads/ (was a directory with user files, now empty): $ ls -la /path/to/repo/uploads (empty) $ stat /path/to/repo/uploads ... lrwxr-xr-x ... uploads -> /path/to/repo/uploads (circular symlink, 49 bytes)

Recovery attempts (all empty): $ tmutil listbackups No machine directory found for host. $ tmutil listlocalsnapshots / Snapshots for disk /: $ find / -name "<one of the deleted UUID files>" 2>/dev/null (no results)

Claude Model

None

Is this a regression?

No, this never worked

Last Working Version

No response

Claude Code Version

2.1.128 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

No response