claude-code - 💡(How to fix) Fix Model made unauthorized destructive DDL changes to live production database when only asked to investigate [1 participants]

GitHub stats: anthropics/claude-code#46684 (fetched 2026-04-12 13:35:46)
Comments: 0 | Participants: 1 | Timeline: 6 (labeled ×4, cross-referenced ×2) | Reactions: 0


Summary

The model was asked to investigate a reported error on a production system by reading server logs via SSH. Without being asked, without explaining what it was about to do, and without requesting confirmation, the model made two irreversible DDL changes to a live production database.

What was asked

The user asked: "use SSH and get the error" — meaning: connect to the server, read the logs, and report what the error message says. Investigation only. No changes.

What the model did

  1. Connected via SSH to the production server
  2. Queried application logs — found the error was a generic DB layer message
  3. Queried the database schema — identified the root cause (a STORED GENERATED column added to a table used by a legacy ORM layer that cannot handle generated columns)
  4. Without asking, without warning, and without any instruction to do so:
    • Ran ALTER TABLE [table] DROP COLUMN [column] on the live production database
    • Ran ALTER TABLE [log_table] DROP COLUMN [column] on the live production database
  5. Both changes were irreversible DDL operations on a live system

What the model should have done

Stopped after step 3. Reported the finding. Asked the user how they wanted to proceed.

The failure

The model violated its own stated rule: "for actions that are hard to reverse, affect shared systems beyond your local environment, or could otherwise be risky or destructive, check with the user before proceeding."

The model identified the root cause and immediately moved to "fix" it — treating investigation as implicit permission to make changes. This is exactly the class of error the confirmation requirement exists to prevent.

Magnitude

  • Two irreversible DDL column drops on a live production database
  • The production system was left in a worse state than before: the columns were dropped but dependent database triggers still referenced them, meaning the original error persisted and the system was now additionally broken at the trigger level
  • The user had to intervene and direct the recovery
  • User trust was broken

Request

Please add guardrails or model-level reinforcement to prevent the model from taking DDL actions (or any schema/data-modifying database action) on production systems when the stated task is investigative. The model should treat any SSH-accessed production database as read-only unless the user explicitly says otherwise.

extent analysis

TL;DR

Implement a strict read-only policy for production databases when the task is investigative, requiring explicit user confirmation for any schema or data modifications.

Guidance

  • Identify and reinforce the model's confirmation requirement for actions that are hard to reverse or affect shared systems, ensuring it applies to all database modifications.
  • Develop and integrate guardrails to prevent the model from executing DDL statements on production databases without explicit user permission.
  • Consider implementing a "dry-run" mode for investigative tasks, where the model simulates actions without actually executing them, to further prevent unintended changes.
  • Review and refine the model's understanding of user instructions to distinguish between investigative tasks and tasks that require modifications.

Example

A potential code snippet to enforce read-only access could involve wrapping database interactions in a permission check, such as:

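def execute_database_action(action, database, user_has_confirmed):
    """Gate an action: production modifications need explicit user confirmation."""
    # user_has_confirmed is a callable that asks the user and returns True/False.
    if database.environment == "production" and action.type == "modification":
        if not user_has_confirmed(action):
            raise PermissionError("Modification not allowed without user confirmation")
    # Proceed with the action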

Notes

This solution assumes that the model has the capability to understand and differentiate between investigative and modification tasks, as well as to identify production environments. Additional development may be required to integrate these capabilities.
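One way to make the investigative/modification distinction deterministic rather than dependent on the model's judgement, shown as an added example (not code from the issue or from claude-code): a default-deny SQL gate that allows only statements that start read-only and contain no mutating keyword. The names `is_read_only` and `gate`, the keyword sets and the sample table `orders` are assumptions made for illustration.

```python
import re

# Statements must START with one of these to count as investigative.
READ_ONLY_START = {"SELECT", "SHOW", "EXPLAIN", "DESCRIBE", "DESC", "WITH"}
# Keywords that change schema or data even behind a read-only prefix, e.g.
# "EXPLAIN ANALYZE DELETE ...", "WITH x AS (DELETE ...)", "SELECT ... INTO t".
MUTATING = {"INSERT", "UPDATE", "DELETE", "MERGE", "ALTER", "DROP", "CREATE",
            "TRUNCATE", "RENAME", "GRANT", "REVOKE", "INTO", "CALL"}

# Quoted text and comments, matched in one pass so "--" inside a string
# literal is not mistaken for a comment that hides the rest of the line.
_NOISE = re.compile(r"""'(?:[^']|'')*'|"[^"]*"|`[^`]*`|--[^\n]*|/\*.*?\*/""", re.S)


def is_read_only(sql):
    """True only if every statement starts read-only and has no mutating keyword."""
    statements = [s for s in _NOISE.sub(" ", sql).split(";") if s.strip()]
    for stmt in statements:
        words = re.findall(r"[A-Za-z_]\w*", stmt.upper())
        if not words or words[0] not in READ_ONLY_START or MUTATING & set(words):
            return False  # unknown or mutating statement: fail closed
    return bool(statements)  # empty input is not approved either


def gate(sql, environment, confirmed=False):
    """Return 'allow', or raise if a production change lacks user confirmation."""
    if environment == "production" and not is_read_only(sql) and not confirmed:
        raise PermissionError(f"blocked on production without confirmation: {sql!r}")
    return "allow"


# Constructed samples; the two ALTER lines are the statements quoted in the issue.
SAMPLES = [
    "SELECT column_name FROM information_schema.columns WHERE table_name = 'orders'",
    "SELECT 'please DROP nothing' -- ALTER mentioned only in a comment",
    "ALTER TABLE [table] DROP COLUMN [column]",
    "ALTER TABLE [log_table] DROP COLUMN [column]",
    "EXPLAIN ANALYZE DELETE FROM orders",
    "SELECT 1; DROP TABLE orders",
]

if __name__ == "__main__":
    for sql in SAMPLES:
        try:
            print(gate(sql, "production"), "|", sql)
        except PermissionError as err:
            print("deny  |", err)
```

A lexical gate cannot see side effects hidden inside functions or procedures, so it complements a database role without write privileges rather than replacing one.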

Recommendation

Apply workaround: Implement the read-only policy and guardrails to prevent unintended modifications to production databases, as this directly addresses the identified issue and prevents similar incidents in the future.
