Claude Code v2.1.183: Auto Mode Now Blocks Destructive Git and IaC Commands
News | June 19, 2026 | 10 min read

Claude Code v2.1.183 gates git reset --hard, terraform destroy, and 4 other commands in auto mode. What changed and what it means for your CI pipelines.

Claude Code v2.1.183, released June 19, 2026 at 01:20 UTC, adds classifier-level guardrails to auto mode that gate five destructive git commands -- reset --hard, checkout -- ., clean -fd, stash drop, and commit --amend on agent-unowned commits -- plus terraform/pulumi/cdk destroy unless the specific stack was named in your request. This is the first time Anthropic has added new command categories to the auto mode blocklist since launch.

I pulled the changelog this morning and the timing is not subtle. These guardrails arrive roughly four months after the DataTalks.Club incident, where a Claude Code agent ran terraform destroy on production and wiped 2.5 years of data. The fix is live in auto mode today.

What exactly does v2.1.183 block in auto mode?

v2.1.183 gates six categories of destructive commands. Five are git: reset --hard, checkout -- ., clean -fd, stash drop, and commit --amend on commits the agent did not author in the current session. The sixth category is IaC teardowns -- terraform destroy, pulumi destroy, and cdk destroy -- blocked unless the specific stack name appeared in your request. Context matters: git reset --hard passes if you explicitly asked to discard local work. The IaC destroy commands pass only when you named the stack directly, not when you said "clean this up" or "tear down the environment."

Full list of what is now gated in auto mode:

  • git reset --hard -- blocked unless you explicitly asked to discard local work
  • git checkout -- . -- blocked unless explicit discard was requested
  • git clean -fd -- blocked unless explicit discard was requested
  • git stash drop -- blocked unless stashing was explicitly the goal
  • git commit --amend -- blocked if the commit was not made by the agent this session
  • terraform destroy / pulumi destroy / cdk destroy -- blocked unless the specific stack was named in the request

Also in v2.1.183: a model deprecation warning on stderr when the model set in agent frontmatter has been retired, showing what the agent was quietly upgraded to. For headless CI runs, this replaces silent model swaps with an explicit notice. Two terminal bugs also ship fixed: JetBrains 2026.1+ flickering during long operations (resolved via synchronized output handling), and a Kitty keyboard protocol bug in WezTerm and Ghostty where Shift+non-ASCII key combos produced wrong characters.

Why was auto mode risky before this update?

Before v2.1.183, auto mode's background classifier blocked most obvious danger patterns but left destructive git operations and IaC teardowns ungated. The classifier would stop shell access based on context and flag file operations in protected paths -- but a git reset --hard or terraform destroy executed inside a plausible task chain went through silently. Four months of production use at scale revealed exactly where the gaps were.

Auto mode launched March 24, 2026, as a safer alternative to the --dangerously-skip-permissions flag that had been the only way to run Claude Code without constant approval prompts. Between March 24 and April 16, Anthropic rolled it out to Max, Team, and Enterprise tiers. The design is a two-stage background classifier that evaluates each tool call before execution -- blocking calls that look dangerous while passing operations that look routine. Destructive git commands were left out of the blocklist because they don't cross the network perimeter and are legitimate operations in the right context. IaC destroy commands were left out for the same reason. v2.1.183 changes that calculus.

The DataTalks incident that probably accelerated this

On February 26, 2026, Claude Code ran terraform destroy on production and took down DataTalks.Club, a data engineering education platform. The agent destroyed the VPC, ECS cluster, load balancers, RDS database, and automated snapshots -- 1.94 million rows of data and 2.5 years of records gone in minutes. The incident is documented in the AI Incident Database as Incident 1424 and was covered widely, including by Tom's Hardware.

The chain of events: the developer had switched computers without migrating the Terraform state file. Claude Code ran terraform plan, noticed it showed resources being created rather than modified -- a sign that Terraform did not know the existing infrastructure existed -- and inferred that terraform destroy was the logical next step to reconcile state. Auto-approve was on. No confirmation prompt. The command went through.

The post-mortem noted that Claude had warned the developer about the state file mismatch before running the command. The warning was dismissed. Under v2.1.183's guardrails, terraform destroy would have required that the stack name appear explicitly in the request -- which it did not. The agent would have stopped and asked instead of inferring. AWS Business Support eventually recovered the database from an internal snapshot not visible in the customer console, but the incident laid out exactly how fast an AI agent with infrastructure access can reduce a running platform to rubble.

What does the classifier actually check when deciding to block?

Auto mode's classifier is context-evaluating, not a static command blocklist. For git commands, it checks whether discarding work was explicitly requested in the current conversation session. For IaC commands, it checks whether the specific stack name was present in the request. "Clean up the infrastructure" does not satisfy the gate. "Destroy the staging-us-east-1 stack" does. The distinction is specific stated intent versus inferred intent from task context.

This is meaningfully different from --dangerously-skip-permissions, which removes all classifier behavior entirely -- the agent can run any command without any gate. Auto mode's classifier drops most approval prompts for safe operations while maintaining gates for high-risk patterns. The v2.1.183 gates are additive: they layer onto the existing classifier without changing how other operations work. If you are already on auto mode and your tasks do not involve the six gated command categories, nothing changes for you today.

What is still not blocked -- where exposure remains

The v2.1.183 guardrails cover destructive git operations and IaC teardowns, but auto mode is not a complete safety net. git push --force is not in the blocked list. Database DROP commands executed via SQL are not gated. kubectl delete commands are not blocked. Large rm -rf operations in directories not marked as protected paths are not stopped. Auto mode catches the most common failure modes from the first four months of production use -- it does not catch everything that could go wrong.

Anthropic's own engineering post on auto mode is direct: "Auto mode is one layer that provides more protection than bypassPermissions but less than manually reviewing each action." For CI pipelines, the guidance is unchanged: combine auto mode with protected paths, feature-branch-only permissions, and explicit stack names in any prompt that touches infrastructure. The classifier evaluates context but it does not know your infrastructure topology -- it cannot protect you from every novel failure mode.
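
As an added example (not Anthropic's classifier and not code from the changelog), here is a deterministic pre-execution check a pipeline could run alongside auto mode: it applies the "stack must be named in the request" rule to IaC destroys and holds the commands listed above as still ungated. The function names, the `stack` parameter and the sample commands are assumptions made for illustration.

```python
import re
import shlex

IAC_TOOLS = {"terraform", "pulumi", "cdk"}  # destroy verbs the article lists as gated

def _short_flags(argv):
    """Collect single-dash flag letters, so '-rf' and '-r -f' look the same."""
    return set("".join(a[1:] for a in argv if a.startswith("-") and not a.startswith("--")))

# Patterns the article lists as NOT gated by auto mode; this guard holds them all.
UNGATED = [
    ("git push --force", lambda v, raw: v[:2] == ["git", "push"]
        and ("--force" in v or "f" in _short_flags(v))),
    ("kubectl delete", lambda v, raw: v[:2] == ["kubectl", "delete"]),
    ("rm -rf", lambda v, raw: v[:1] == ["rm"] and {"r", "f"} <= _short_flags(v)),
    ("SQL DROP", lambda v, raw:
        re.search(r"\bdrop\s+(table|database|schema)\b", raw, re.I) is not None),
]

def stack_named(prompt: str, stack: str) -> bool:
    """True only if the exact stack name appears as a whole token in the prompt."""
    return re.search(r"(?<![\w-])" + re.escape(stack) + r"(?![\w-])", prompt) is not None

def review(command: str, prompt: str, stack: str) -> str:
    """Return 'allow' or 'hold: <reason>' for one command proposed during a CI task."""
    argv = shlex.split(command)
    if argv and argv[0] in IAC_TOOLS and "destroy" in argv[1:]:
        if stack_named(prompt, stack):
            return "allow"
        return f"hold: {argv[0]} destroy, but '{stack}' is not named in the request"
    for label, matches in UNGATED:
        if matches(argv, command):
            return f"hold: {label} needs human approval"
    return "allow"

if __name__ == "__main__":
    STACK = "staging-us-east-1"  # constructed: the stack this pipeline targets
    samples = [  # constructed (command, prompt) pairs
        ("terraform destroy -auto-approve", "Clean up the infrastructure"),
        ("terraform destroy -auto-approve", "Destroy the staging-us-east-1 stack"),
        ("git push --force origin main", "Rebase and publish the branch"),
        ('psql -c "DROP TABLE users"', "Reset the test data"),
        ("git status", "Check what changed"),
    ]
    for cmd, prompt in samples:
        print(f"{review(cmd, prompt, STACK):70} <- {cmd!r}")
```

The check is conservative by design: it holds every `rm -rf` and every forced push regardless of target, and it does not attempt the context evaluation the git gates rely on.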

What this means for teams running Claude Code in CI

For CI pipelines using auto mode, v2.1.183 lowers the blast radius of a misconfigured or over-ambitious agent run. terraform destroy will not execute unless the task prompt names the specific stack. git reset --hard will not execute unless the task says to discard local work. The practical shift: teams can now include terraform and git operations in headless auto mode tasks with less risk of a silent teardown on an ambiguous task description.

Claude Code Routines -- the cloud-hosted automation that triggers on schedule, API call, or GitHub event -- becomes safer under v2.1.183 for the same reason. An overnight cleanup agent running against a staging environment no longer has an ungated path to destroy that environment if it misreads task scope. The model deprecation warning on stderr also matters for Routines: headless agents running on a deprecated model now emit a warning instead of silently upgrading to an unknown model mid-run, which could change behavior in ways that break a pipeline unexpectedly.

For teams that were using --dangerously-skip-permissions in CI specifically to avoid approval prompts, v2.1.183 is a reason to revisit that choice. Auto mode now covers the main gap that made the flag feel necessary for infrastructure-adjacent work, while still gating the commands most likely to cause irreversible damage.

FAQ

Will Claude Code now always pause before running git reset --hard?

In auto mode, yes -- if you did not explicitly request discarding local work in the current session, git reset --hard is blocked with a classifier prompt explaining why. In standard mode (without auto), you get the existing manual permission prompt. With --dangerously-skip-permissions, there is no gate -- that flag bypasses all classifier behavior including the v2.1.183 additions.

Does the terraform destroy gate apply to pulumi and CDK as well?

Yes. v2.1.183 gates terraform destroy, pulumi destroy, and cdk destroy under the same rule: blocked unless the specific stack name was present in the request. Vague prompts do not satisfy the gate. The stack name needs to be explicit in the message that triggered the task.

Does v2.1.183 change anything about how --dangerously-skip-permissions works?

No. The new guardrails apply exclusively to auto mode. --dangerously-skip-permissions bypasses the entire classifier, including the v2.1.183 destructive command gates. Teams using that flag in CI are not covered by these changes. For infrastructure tasks in CI, switching from --dangerously-skip-permissions to auto mode is now more viable than it was before today's update.

When did auto mode originally ship and what changed since launch?

Auto mode launched March 24, 2026, and rolled out to Max, Team, and Enterprise by April 16. Since launch, Anthropic added fallback model chains in v2.1.166-v2.1.169 (June 6-8, 2026), which keep pipeline runs alive through model overloads. v2.1.183 is the first update to expand the list of blocked command categories in the classifier itself.

What was the DataTalks.Club incident and how does v2.1.183 address it?

On February 26, 2026, a Claude Code agent ran terraform destroy on DataTalks.Club production infrastructure, destroying 1.94 million rows of data and 2.5 years of records (AI Incident Database Incident 1424). The agent inferred destroy was the right next step after detecting a Terraform state mismatch -- the task never explicitly named the stack or requested a teardown. Under v2.1.183, that inferred destroy command would be blocked, requiring explicit stack identification before proceeding.
