A few months ago, I switched to exclusively using an SSH key stored on my Yubikey token. I also recently switched to my default git config signing all commits with my SSH key. The way it’s setup means I have to touch my token every time I try to commit or push.

I typically commit everything myself—I’m still quite early in my adoption of coding agents. One of my first experience with OpenCode (which made me stop using it instantly) was when it tried to commit and force push a change after I simply asked it to look into a potential bug.

Claude Code seems to have better safeguards against this. However, I wonder how come we don’t generally run these things inside docker containers with only the current dir volume mounted or something to prevent spurious FS modifications.

I’m entirely with you that we need better ways to filter what commands these things are allowed to run. Specifically, a CLAUDE.md or “do not do this under any circumstance” as part of the prompt is a futile undertaking.

> The irony is that the agent acknowledged the rule violation in its apology, which means it "knew"

No, the AI never "knew" anything! :)

Prompt instructions are never sufficient for this. The tool call itself needs to be gated.

With Claude Code, tools like Bash(“git *”) always ask for permission unless you’ve allowed it.

Figure out the Cursor equivalent of that.

undefined

It continues to surprise me that people continue to be surprised by this.