Giving Claude Code too much freedom makes it worse: how to keep it laser focused

At a glance:

• A Claude-powered coding agent at PocketOS deleted the company’s entire production database in nine seconds during a routine check after guessing instead of verifying its actions, showing the risks of granting AI agents unchecked autonomy.
• Plan mode and a root-level CLAUDE.md file are the most effective guardrails for Claude Code, forcing the tool to outline every step before editing and automatically loading project-specific rules at the start of each session.
• The /clear command should be used proactively between unrelated tasks to prevent context bleed, while .claude/settings.json lets users whitelist safe commands instead of resorting to the risky --dangerously-skip-permissions flag.

When AI agents guess instead of verify

AI coding tools have improved so rapidly that handing them broader responsibilities feels like the obvious next step. Users assign bigger tasks, write looser briefs, and step back to let the agent run, trusting that greater capability translates to greater reliability. That assumption can backfire spectacularly. At a company called PocketOS, a Claude-powered coding agent wiped the entire production database in just nine seconds while performing what should have been a routine check. When the founder later asked what happened, the agent confessed that it had guessed rather than verified before executing the destructive command. The incident is not an edge case; it is a warning that improvisation without guardrails can destroy real infrastructure.

The root cause is usually not the model itself but the instructions surrounding it. Claude Code, like other agentic tools, will do roughly what the user allows. A vague brief combined with full autonomy guarantees improvisation, and the user does not get to choose whether that improvisation is brilliant or catastrophic. Anthropic underscores this danger by literally naming one override flag --dangerously-skip-permissions, signaling that safety layers exist for a reason. Settings can limit an agent's reach, but the fundamental responsibility lies with the operator. If you cannot describe exactly what you want and exactly what you forbid, the model will fill the gaps, and control is lost before the first token is generated.

Plan mode is not just for scaffolding

The simplest way to pause an agent before it acts on bad assumptions is Claude Code's Plan mode. Toggled by pressing Shift + Tab twice, this state makes the session read-only. The agent can inspect the codebase, ask clarifying questions, and propose a step-by-step plan, but it cannot edit files, execute shell commands, or touch the network until you press Shift + Tab twice again to exit. That pause is critical because most catastrophic mistakes happen in the first thirty seconds of a task, when the agent reads the prompt, forms assumptions about intent, and begins confidently rewriting files before the user can intervene. Plan mode forces a hard stop: you see exactly what Claude thinks you asked for and exactly how it intends to proceed before a single line of code changes.

Many developers treat Plan mode as a one-time scaffolding tool, using it to outline the initial project structure and then abandoning it once execution begins. That is a costly error. Plan mode is not strictly a setup utility; it is a recurring checkpoint that should be engaged whenever a task stops being trivial. Debugging especially benefits from this discipline, because troubleshooting often involves hidden dependencies and non-obvious side effects that an agent can exacerbate if it charges ahead unchallenged. Returning to Plan mode before each significant new chunk of work prevents the silent drift that turns minor requests into major codebase edits.

Write a living CLAUDE.md

A non-negotiable practice for every project is maintaining a CLAUDE.md file at the repository root. Claude Code reads this markdown file automatically at the start of every session, treating its contents as ambient project context. The file should capture rules, conventions, and prohibitions you want enforced in every interaction: files that are strictly off-limits, required tech stacks, naming conventions for variables and functions, preferred commit-message styles, and architectural decisions you do not want re-litigated. Without this file, every prompt must carry that context manually, which burns tokens and still fails to guarantee consistency because no one repeats every constraint perfectly every time.

You can bootstrap the document by running the /init command inside Claude Code, which auto-generates a starter CLAUDE.md. From there, the file should evolve with the project. Every time the agent edits something you told it to leave alone, rewrites a function in an undesired style, or ignores a convention, that rule gets added to CLAUDE.md. After a few weeks, the document reflects the project's real operational norms rather than surface-level folder structures. There is one trap to avoid: letting the file grow so long that it becomes noise. A bloated CLAUDE.md is almost as ineffective as not having one, so confine it to the constraints that actually matter.

Session hygiene and the /clear command

Context management is not just about rate limits; in Claude Code, it is about preventing real file-system damage. When a session grows long, the model may start confusing constraints from an earlier task with the requirements of the current one. The result is not merely a slower or less accurate response but an edit applied to the wrong file because Claude is still half-remembering a boundary you set an hour ago. This makes session hygiene a safety issue, not just a performance tweak.

The /clear slash command wipes the current session entirely, and it should be treated as a routine transition tool rather than an emergency reset. When you finish one feature, run /clear before starting the next. When you pivot to a task that has nothing to do with the previous work, run /clear again. Waiting until output has visibly degraded means you have already wasted time on quietly worsening results. Proactive clearing keeps token limits under control and ensures the agent enters each new task with no residual assumptions from earlier conversations.

Calibrate permissions instead of skipping them

Claude Code asks for explicit approval before any potentially destructive action, including running shell commands, editing files, or making network requests. The default behavior produces a steady stream of confirmation prompts, and that friction tempts users to launch the tool with the --dangerously-skip-permissions flag. Anthropic's naming choice is deliberate: bypassing these checks removes the final barrier standing between an agent and a destroyed file, a force-pushed branch, or a wiped database.

The better path is .claude/settings.json. This configuration file lets you whitelist specific commands that are genuinely harmless so that approval clicks disappear for safe, repetitive operations while remaining intact for dangerous ones. By calibrating permissions instead of eliminating them, you retain a safety net exactly where it matters most. The goal is not zero friction; it is intelligent friction that protects production systems from the kind of guesswork that already cost PocketOS its database.

Operator accountability remains the final layer

The PocketOS database deletion is a reminder that agentic AI does not replace engineering judgment; it amplifies whatever clarity or ambiguity is present in the original request. As these tools move from experimental side assists to core infrastructure utilities, the blast radius of a poorly scoped task grows from a messy git history to company-wide outages. The settings and workflows available today are stopgaps that depend on a single developer's discipline rather than organizational policy.

That discipline is the bottom line. Plan mode, CLAUDE.md, /clear, and calibrated permissions are all mechanisms for translating human intent into machine constraints. Until enterprise workflows automatically enforce these boundaries through team-wide CLAUDE.md standards or mandatory plan reviews before any destructive operation, the burden sits entirely on the individual running the session. Claude Code can be precise, efficient, and powerful, but only to the extent that the operator is willing to define the perimeter before the agent crosses it.