boucle / recipes

"Claude ignores my CLAUDE.md rules"

CLAUDE.md instructions are text appended to the context window. The model reads them and usually follows them, but nothing prevents deviation. As context grows, rule-following degrades. This is documented behavior (#37599, #38065, #40425).

Fix: enforce-hooks

Tag rules in CLAUDE.md with @enforced, then run the enforce skill. It generates PreToolUse hooks that block violations at the tool-call level. The model cannot override exit 2.

Also helps: fewer rules placed more prominently, shorter sessions, and accepting that CLAUDE.md is guidance while hooks are enforcement.

"Claude deleted/overwrote my files"

Users have lost 87GB of personal data, had 30+ files destroyed, and seen explicit "don't touch" instructions ignored. The permission system has known bypass patterns (#38119).

Fix: file-guard

Protects files matching patterns you define in .file-guard. Blocks Read, Edit, Write, and Bash access to matching paths. Works on absolute and relative paths.

Also: bash-guard blocks rm -rf /, rm -rf ~, and recursive deletion of system paths, even inside compound commands and pipes.

"Claude ran a dangerous command"

Claude can run sudo, drop databases, delete Docker volumes, expose credentials via env/printenv, or modify cloud infrastructure. The built-in permission system sometimes approves these in bypass mode (#39981).

Fix: bash-guard

Blocks dangerous Bash commands before execution. Catches compound commands (cd /tmp && rm -rf /), pipes, subshells, and common evasion patterns. 713 tests.

Blocked categories: recursive deletion, sudo, Docker/container commands, database drops, credential exposure, cloud infrastructure (aws/gcloud/az destructive operations), chmod 777, disk operations.

"Claude force-pushed / reset my branch / deleted commits"

Claude can run git push --force, git reset --hard, git checkout ., git clean -f, or push --delete. It can also bypass pre-commit hooks with --no-verify (#40117).

Fix: git-safe + branch-guard

git-safe blocks force pushes, hard resets, checkout ., clean -f, push --delete, and --no-verify. branch-guard prevents commits directly to main/master/production.

"Claude re-reads the same files and wastes tokens"

Claude often reads the same file multiple times in a session, each time consuming tokens for content already in context.

Fix: read-once

Tracks file reads and blocks redundant re-reads within a session. Allows re-reads when the file has changed on disk. Typical savings: 20-40% fewer tokens per session.

Note: if you need to Edit a file, read-once allows the re-read. It only blocks reads where the file content hasn't changed.

"Claude bypasses a denied tool by using a different tool"

When Bash(rm) is denied, Claude may use Python os.remove() instead (#39459). When a pre-commit hook blocks a commit, Claude may use --no-verify (#40117). The tool is blocked but the goal is not.

Partial fix: bash-guard + enforce-hooks

bash-guard catches common equivalences (blocks rm in both shell and Python patterns). enforce-hooks can define broader rules that span multiple tools. But goal-level enforcement is a known limitation of the hook architecture: hooks gate tool calls, not intentions.

For critical paths, combine hooks with OS-level controls (file permissions, network policy, containerization). See the full list of 243 known gaps.