
How to Prevent AI Coding Agents from Deleting Files Accidentally

Problem

I woke up to a nightmare scenario. My AI coding agent had been running smoothly for months, then suddenly it deleted all markdown files across 40+ projects. Memory files, build configurations, tools, and readmes—gone in seconds.

Looking at the logs, the agent had executed what appeared to be an rm *.md command. It “let intrusive thoughts win,” as one Reddit commenter put it on r/clawdbot.

This is the exact nightmare of giving agents ambient OS permissions. The blast radius of a single bad LLM decision can wipe out months of work.

Why This Happens

AI coding agents with broad filesystem access can execute destructive commands. LLMs can hallucinate or make reasoning errors that lead to file deletion. When you give an agent root-level permissions or unscoped project access, you’re trusting it won’t make a catastrophic mistake.

The problem is that backups alone aren’t enough. A 2-hour restore process after losing critical files is far worse than a 2ms block preventing the deletion in the first place.

Solution: Filesystem Proxy

I found a solution using predicate-authority, a local Rust sidecar that intercepts every single filesystem call before the OS even sees it. Instead of hoping your AI behaves, you drop in a simple YAML policy denying destructive operations on your project directories.

Step 1: Create the Policy File

I created a YAML policy file that blocks delete operations on critical directories:

policy.yaml
policies:
  - action: deny
    operation: fs.delete
    paths:
      - ~/projects/**
      - ~/.claude/**
  - action: allow
    operation: fs.write
    paths:
      - ~/projects/sandbox/**

This policy denies all fs.delete operations on my projects and Claude configuration directories. It allows writes only in a designated sandbox area.

Step 2: Run the Proxy

I configured my AI agent to route all filesystem operations through the predicate-authority proxy:

terminal
# Start the proxy with policy
predicate-authority --policy policy.yaml
# The proxy now intercepts all fs calls
# Delete operations on protected paths return EPERM (Operation not permitted)

Now when the AI tries to delete files in protected directories, the operation is blocked before it reaches the OS. The agent receives a permission error and cannot proceed.

Step 3: Set Up Automated Backups

Even with prevention in place, I still set up automated backups as a safety net:

backup-cron
# Add to crontab: nightly backup at 2 AM
0 2 * * * tar -czf ~/backups/claude-$(date +\%Y\%m\%d).tar.gz ~/.claude ~/projects

This creates compressed archives of all AI agent directories every night.

Why This Works

The filesystem proxy approach works because it operates at the syscall level. The AI agent cannot bypass it—every filesystem operation goes through the proxy first. If the operation matches a deny policy, it’s blocked immediately.

This is fundamentally different from:

  • Hoping the agent won’t make mistakes
  • Relying solely on backups for recovery
  • Using file permissions that the agent can change
  • Running in containers with full filesystem access
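How deny and allow rules combine decides what the policy actually guarantees. The following is an added example, not code from predicate-authority or from this post: a small Python model of the post's complete policy (from the Complete Setup section) that normalizes each path before matching. The names `HOME`, `canonical`, `matches` and `decide` are hypothetical, and it assumes that an explicit deny beats any allow, that `dir/**` covers `dir` and everything below it, and that the verdict for unmatched operations is a parameter, since the post does not state the tool's default.

```python
import os.path

HOME = "/home/dev"  # constructed home directory for the sample paths

# The post's complete policy, transcribed as Python data.
POLICY = [
    {"action": "deny", "operation": "fs.delete",
     "paths": ["~/projects/**", "~/.claude/**", "~/work/**"]},
    {"action": "deny", "operation": "fs.write",
     "paths": ["~/.ssh/**", "~/.gnupg/**", "~/.config/git/**"]},
    {"action": "allow", "operation": "fs.write",
     "paths": ["~/projects/sandbox/**", "~/tmp/**"]},
]

def canonical(path):
    """Expand a leading ~ and collapse '.' and '..' lexically.

    Lexical only: symlinks are not resolved, which a real enforcement
    point would also have to do (e.g. with os.path.realpath).
    """
    if path == "~" or path.startswith("~/"):
        path = HOME + path[1:]
    return os.path.normpath(path)

def matches(pattern, path):
    """True if path is the directory named by 'dir/**' or lies below it."""
    root = canonical(pattern[:-3] if pattern.endswith("/**") else pattern)
    return path == root or path.startswith(root + "/")

def decide(operation, path, policy=POLICY, default="deny"):
    """Return 'allow' or 'deny' for one filesystem operation."""
    target = canonical(path)  # match on the normalized path, never the raw one
    verdict = default
    for rule in policy:
        if rule["operation"] != operation:
            continue
        if any(matches(p, target) for p in rule["paths"]):
            if rule["action"] == "deny":
                return "deny"  # assumed: an explicit deny always wins
            verdict = "allow"
    return verdict
```

Calling `decide` with `default="allow"` shows which guarantees rest on unmatched operations being denied: a write to `~/projects/app/main.rs` is then permitted, because no rule in the policy covers it.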

Common Mistakes to Avoid

I made several mistakes before arriving at this solution:

  1. Trusting the agent completely: Assuming an LLM won’t make destructive decisions is naive. They can and do hallucinate harmful commands.

  2. Only using backups: Backups are recovery, not prevention. The restore process takes hours, and you lose any uncommitted work.

  3. Root-level permissions: Giving agents broad filesystem access creates a massive blast radius for any error.

  4. Not scoping directories: Without explicit path restrictions, an agent can delete files anywhere it has access.

Complete Setup

Here’s my complete protection setup:

predicate-authority.yaml
# Main policy file
policies:
  # Block all deletes on projects
  - action: deny
    operation: fs.delete
    paths:
      - ~/projects/**
      - ~/.claude/**
      - ~/work/**
  # Block writes to critical configs
  - action: deny
    operation: fs.write
    paths:
      - ~/.ssh/**
      - ~/.gnupg/**
      - ~/.config/git/**
  # Allow writes in designated sandbox only
  - action: allow
    operation: fs.write
    paths:
      - ~/projects/sandbox/**
      - ~/tmp/**

setup.sh
#!/bin/bash
# Install predicate-authority
cargo install predicate-authority
# Create policy directory
mkdir -p ~/.config/predicate-authority
# Copy policy file
cp predicate-authority.yaml ~/.config/predicate-authority/
# Start as background service
predicate-authority --daemon --policy ~/.config/predicate-authority/predicate-authority.yaml
# Create the backup directory so the nightly tar has somewhere to write
mkdir -p ~/backups
# Set up backup cron job
(crontab -l 2>/dev/null; echo "0 2 * * * tar -czf ~/backups/claude-\$(date +\\%Y\\%m\\%d).tar.gz ~/.claude ~/projects") | crontab -

Summary

In this post, I showed how to prevent AI coding agents from accidentally deleting files using a filesystem proxy. The predicate-authority tool intercepts and blocks destructive operations before they reach the OS, and combined with automated backups, provides both prevention and recovery. A 3-line YAML policy costs nothing compared to losing months of work to an agent’s bad decision.
