IndyDevDan — Claude Code is Amazing… Until It DELETES Production

Why this is in the vault

Dan’s “Claude Code Damage Control” video is a 22-minute production-safety SOP for any operator running Claude Code in YOLO mode against a real codebase. It’s vault-worthy because RDCO runs multiple Claude Code agents in YOLO-equivalent modes daily (check-board, process-newsletter, process-youtube, graph-reingest) and the single catastrophic failure mode — hallucinated destructive command — is exactly what Dan’s hook system is designed to prevent. Three reasons:

1. Dan’s personal near-miss a few weeks before this video is the canonical cautionary tale. He admits: “A few weeks ago, I almost ran a command that would have been catastrophic in one of my production applications.” He is not writing from theory — he’s writing from a scare. This makes the video operationally credible in a way most safety content isn’t.
2. The hook hierarchy (project / user / enterprise) is the cleanest articulation the vault has of how Claude Code defense-in-depth is supposed to work. Most operators know about hooks. Very few use the user-level (global) hooks that apply to every codebase on the machine. Dan makes the case that project + global is minimum viable.
3. The prompt-hook pattern (non-deterministic last-ditch guard) is the rarely-documented feature that catches novel dangerous commands. Dan’s frame: once your deterministic hook catches a command, encode it. But what catches the first instance of a command you’ve never seen? The prompt hook — a PreToolUse matcher that runs an LLM check on every bash command. Slow but worth it.

Core argument

1. YOLO mode + production codebase + hallucinated destructive command = career-destroying event. Dan opens with a scenario: 7:30am, Claude Code Opus 4.5, YOLO mode, seven-figure-revenue codebase, agent hallucinates back-to-back damaging commands. The hooks save the day. The point: “it doesn’t matter how fast, powerful, or autonomous your agents are. All of your months and years of hard work can be evaporated in a single misinterpreted or hallucinated command.”
2. Claude Code Damage Control is a skill, not a framework — install via /install interactive command. The skill uses the ask-user-question tool to walk through setup: global/project/personal, Python/TypeScript backend, merge or override existing settings.json. This is a cleaner distribution pattern than shell-script installers.
3. Three layers of defense inside the skill:
   • Deterministic PreToolUse hooks (regex on bash commands) — fast, first line of defense. Block matches immediately.
   • Prompt PreToolUse hooks — LLM check on every bash command. Slow but catches novel dangerous patterns the regex hasn’t seen yet. Runs in parallel with deterministic hooks; whichever fails first wins.
   • Path protection (via patterns.yaml) — zero_access_paths (agent can’t even read), read_only_paths (agent can read but not modify), no_delete_paths (agent can read + modify but not delete).
4. patterns.yaml is a lightweight wrapper over raw Claude Code Hooks that adds three ergonomic categories. Instead of hand-writing regex hooks for every dangerous command, you maintain a YAML with BLOCKED / ASK / PATH PROTECTION lists and the skill scripts enforce them via settings.json. The agent can modify patterns.yaml on your behalf when you want to add new guards.
5. Prompt hooks are slow but essential — they catch what deterministic hooks haven’t encoded yet. “Running this prompt every single time is going to be faster than potentially deleting a valuable production asset.” The once-it-catches-something-encode-it-as-deterministic pattern is the right discipline: prompt hook is the net, deterministic hook is the permanent fix.
6. Ask-mode is underused. ask: true in patterns.yaml triggers a user-confirmation dialog instead of outright blocking. Best for actions that are usually fine but occasionally catastrophic (DB deletes, prod deploys, external API writes). Blocks the fire-and-forget failure mode without breaking flow on legitimate work.
7. Global hooks are a force multiplier — they apply to every codebase on your machine. Dan’s rule: at minimum project + global hooks. The enterprise level exists but isn’t applicable to solo devs. Most engineers who’ve heard of hooks have them only at project level, which means every new codebase you clone is unprotected until you set up.
8. Cloud Code itself is already conservatively built — but one hallucination out of 100,000 is enough. Dan explicitly says Claude Code has great built-in protections. The hooks are additional insurance, not a replacement. The argument: models are improving, base rates are going down, but the expected cost of one catastrophic event is high enough that insurance is cheap at any rate.
9. Sandboxes defer trust entirely; hooks contain blast radius when trust is violated. Dan references (but doesn’t detail) a separate video on agent sandboxes — run your agents in isolated environments where failure doesn’t matter. Hooks + sandboxes are complementary: sandboxes for high-risk experimental work, hooks for day-to-day production-adjacent work you need to do in-place.

Mapping against Ray Data Co

• RDCO’s always-on Mac Mini agent runs multiple Claude Code cron jobs daily in YOLO-equivalent conditions. /check-board, /process-newsletter, /process-youtube, /graph-reingest. Each is one hallucination away from a destructive command against ~/rdco-vault/, the Notion board, or the Git repo. Dan’s hook architecture is directly applicable.
• Action: install the Claude Code Damage Control pattern at global level for the Mac Mini. Specifically: zero_access_paths for ~/.ssh, ~/.aws, ~/rdco-vault/.git; read_only_paths for ~/rdco-vault/01-founder-docs/ and anything under 04-finance/; no_delete_paths for ~/rdco-vault/06-reference/ and ~/rdco-vault/03-contacts/.
• The prompt-hook pattern is worth adding for destructive Notion API calls. Right now the skills can in principle send archive or delete-page requests via the Notion MCP. If the agent hallucinates, a large chunk of the task board could disappear. A prompt hook that runs on every Notion mutation could be the net.
• RDCO already practices “ask mode” informally via the sharp-verdicts + founder-attention policy — the agent doesn’t autonomously send messages for destructive decisions. Formalizing this as explicit ask: patterns on the risky operations is worth the small latency cost.
• The no-secrets-on-disk policy + hooks are complementary. The founder’s existing rule (1Password for secrets, never .env on disk) prevents secret exfiltration. Hooks prevent operational destruction. Together they cover the two classes of catastrophic failure.
• Install once, forget — the global-hooks pattern is low-maintenance. Dan’s argument that you should “have great defaults and run with it” matches the founder’s preference for not babysitting. Set up once, all future codebases and cron jobs inherit protection.
• This note is the trust-infrastructure companion to the PLAN 2026 note. PLAN 2026 says 2026 is the year of trust in agents. This video is the concrete “here’s how you build trust infrastructure.” Read together, the message is: trust is earned by containment + deferral (hooks + sandboxes), not by hope.

Open follow-ups

• Install Claude Code Damage Control skill on the Mac Mini at global level. Concrete steps: clone Dan’s repo, run /install at global level, customize patterns.yaml with the RDCO-specific paths listed above, commit the settings.json change to ~/.claude/.
• Build a prompt-hook for Notion destructive operations. Test against /check-board-style flows. The hook should run a quick LLM check on any Notion mutation that isn’t update_properties with Status change — i.e., anything touching content or creating/deleting pages should go through ask-mode.
• Document the RDCO hook policy in SOUL.md or a new rdco-safety-policy.md. The policy should cover: (a) which paths are zero-access / read-only / no-delete, (b) which Notion ops require ask-mode, (c) which Bash commands are blocked globally (rm -rf, git push —force, etc.), (d) review cadence (quarterly).
• Test the sandbox pattern for build-project and high-risk experimental work. Vercel preview deployments + temp branches + ephemeral Firecracker micro-VMs (Vercel Sandbox) are all candidates. Pick one and run the next landing-page build through it as a dry run.
• Consider proposing the hook-policy as a general pattern for the vault. If the concept article pipeline has capacity, “Hooks as trust infrastructure” is worth a vault concept page — the pattern generalizes well beyond Claude Code and is a useful framing for any autonomous-agent ops.

Related

• ~/rdco-vault/06-reference/transcripts/2026-04-19-indydevdan-claude-code-deletes-production-transcript.md — raw transcript
• ~/rdco-vault/06-reference/2026-04-19-indydevdan-top-2-percent-plan-2026.md — Dan’s companion video (same channel, same week ingestion) — the “year of trust” framing; this note is the trust-infrastructure side