Anthropic: Claude Code v2.1.183 Blocks Destructive Git and Infrastructure Commands in Auto Mode

Claude Code v2.1.183, a new version of Anthropic's CLI tool released on June 19, 2026, blocks destructive git commands (git reset --hard, git clean -fd, git stash drop) and infrastructure commands (terraform, pulumi, and cdk destroy) in auto mode unless the user explicitly requests them. The version also brings fixes for WebSearch in subagents, fullscreen UI corruption, and MCP authentication.

This article was generated using artificial intelligence from primary sources.

Anthropic released Claude Code v2.1.183 on June 19, 2026 — a new version of its agentic CLI tool for programming — with a focus on the security of the so-called auto mode, the operating mode in which the agent executes commands without individual user approval. The change directly targets the risk of an autonomous agent accidentally triggering an irreversible operation.

What Changes in Auto Mode

In the new version, Claude Code in auto mode blocks the following destructive git commands unless the user explicitly requests them: git reset --hard, git checkout -- ., git clean -fd and git stash drop. It also blocks git commit --amend when the last commit was not made by the agent itself, which protects the user's existing history. The restriction extends to infrastructure as code: terraform destroy, pulumi destroy and cdk destroy are not executed unless a specific stack is specified.
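
The blocking rules described above, sketched as a pre-execution check for an unattended session. This is an added example, not Anthropic's implementation or code from the release. AGENT_EMAIL, the function names, and the tests for what counts as naming a stack (--stack/-s for pulumi, -target= for terraform, positional names for cdk) are assumptions; subshells, sh -c wrappers, aliases and quoted operator characters are not handled.

```python
import shlex

AGENT_EMAIL = "agent@example.invalid"  # assumed marker of agent-authored commits
GIT_VALUE_OPTS = {"-C", "-c", "--git-dir", "--work-tree"}  # global options taking a value

def segments(command):
    """Split on shell operators (&&, ||, ;, |) so every chained command is checked."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segs = [[]]
    for tok in lexer:
        if tok and set(tok) <= set("();<>|&"):
            segs.append([])
        else:
            segs[-1].append(tok)
    return [s for s in segs if s]

def git_reason(tok, last_author, user_requested):
    i = 1
    while i < len(tok) and tok[i].startswith("-"):  # skip global options such as -C <dir>
        i += 2 if tok[i] in GIT_VALUE_OPTS else 1
    sub, args = (tok[i], tok[i + 1:]) if i < len(tok) else ("", [])
    if sub == "commit" and "--amend" in args and last_author != AGENT_EMAIL:
        return "amend of a commit the agent did not make"
    flags = {c for a in args if a[:1] == "-" and a[:2] != "--" for c in a[1:]}  # -fd == -d -f
    destructive = ((sub == "reset" and "--hard" in args)
                   or (sub == "checkout" and "--" in args and "." in args[args.index("--"):])
                   or (sub == "clean" and {"f", "d"} <= flags)
                   or (sub == "stash" and args[:1] == ["drop"]))
    return "destructive git command" if destructive and not user_requested else None

def iac_reason(tok):
    if tok[0] not in ("terraform", "pulumi", "cdk") or "destroy" not in tok[1:]:
        return None
    tool, args = tok[0], tok[tok.index("destroy", 1) + 1:]
    opts = [a for a in args if a.startswith("-")]
    if tool == "pulumi":       # assumed: --stack/-s names the stack
        named = any(a in ("-s", "--stack") or a.startswith("--stack=") for a in args)
    elif tool == "terraform":  # assumed: -target= scoping counts as naming one
        named = any(a.startswith("-target=") for a in opts)
    else:                      # cdk: positional stack names; unknown options fail closed
        named = len(opts) < len(args) and all(o in ("-f", "--force") for o in opts)
    return None if named else f"{tool} destroy without a named stack"

def check(command, last_author=None, user_requested=False):
    """Return the reasons to refuse a command line; an empty list means it may run."""
    found = [git_reason(t, last_author, user_requested) if t[0] == "git" else iac_reason(t)
             for t in segments(command)]
    return [r for r in found if r]
```

Parsing into tokens rather than matching strings is what lets the check catch reordered flags (git clean -d -f), global options placed before the subcommand (git -C repo reset --hard), and a destructive command chained after a harmless one.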

How It Differs from Previous Versions

Earlier versions of auto mode relied mainly on user-defined deny lists, placing the responsibility for blocking dangerous commands on the user. Version v2.1.183 embeds these protections as built-in defaults, so the agent refuses irreversible operations even without manual configuration. The attribution.sessionUrl setting and the /config --help command were also added.

Bug Fixes

Alongside the security changes, v2.1.183 resolves several bugs: a 400 error (“Extra inputs are not permitted”) that crashed WebSearch in subagents, corruption of the fullscreen TUI in Windows Terminal, and MCP authentication leakage. Together, the changes move Claude Code closer to “secure by default” behavior for teams that let the agent independently execute commands in production repositories.

Frequently Asked Questions

Which commands does Claude Code v2.1.183 block in auto mode?
It blocks destructive git commands such as git reset --hard, git checkout -- ., git clean -fd and git stash drop, as well as terraform, pulumi and cdk destroy without a specified stack.

Does the block apply to git commit --amend as well?
Yes, git commit --amend is blocked when the last commit was not made by the agent itself, which prevents the user's history from being overwritten.

Which bugs were fixed?
The fixes cover WebSearch in subagents (error 400), fullscreen TUI corruption in Windows Terminal, and MCP authentication leakage.