The scariest AI coding accident is not always wrong code. Sometimes it is deleted files.
Tools such as Codex, Claude Code, and Cursor can read and write project files, run commands, refactor in batches, and move directories. If the context is misunderstood or permissions are too broad, they can delete files, overwrite config, clear generated output, or remove uncommitted work.
So the first safety rule is not “make the AI smarter.” It is: do not give it the chance to do destructive work in the wrong scope.
This article gives a practical workflow for reducing accidental deletion risk and recovering quickly when it still happens.
Quick Answer: Use Layers of Protection
Do not rely on one sentence such as “do not delete files.” Use multiple layers:
| Layer | What to do | Problem solved |
|---|---|---|
| Git workspace | Check git status before edits; commit at important points |
Recovery after deletion |
| Directory isolation | Let AI operate only in the current project or temporary branch | Avoid unrelated files |
| Dangerous-command confirmation | Human confirmation before delete, overwrite, or mass move | Prevent automatic destructive commands |
| Read-only review | Ask AI to analyze impact before editing | Reduce broad mistakes |
| Ignore rules | Exclude caches, build output, secrets, data directories | Avoid touching wrong files |
| Recovery flow | Prepare git restore, recycle bin, backups, snapshots |
Stay calm after accidents |
Most important: before AI can edit files, the project must be recoverable.
Common Deletion Traps
1. “Clean up the project”
This phrase is risky. AI may interpret it as deleting unused files, old components, duplicate scripts, old Markdown, tmp, dist, build, or public.
But “looks unused” and “is unused” are different. Some files are referenced by CI, deployment scripts, dynamic imports, plugin systems, or documentation.
Safer prompt:
|
|
2. “Refactor the directory structure”
Moving files affects imports, static assets, framework conventions, CI/CD, docs links, multilingual content, and deployment output.
Safer flow:
- Generate a migration plan.
- List files to move.
- List references to update.
- Execute in small batches.
- Check after each batch.
- Delete old paths only after confirmation.
3. “Delete everything unused”
“Unused” needs evidence. Otherwise AI may guess from filenames, timestamps, or search results.
Use:
|
|
Then ask:
|
|
Step 1: Check Git Status Before Editing
Before AI edits, run:
|
|
If the workspace already has many uncommitted changes, risk is higher. You may not know what AI deleted versus what already existed.
Rules:
- Clean workspace: safer for AI edits.
- Few known changes: continue, but mark files AI must not touch.
- Many uncommitted changes: commit, stash, or back up first.
- Important untracked files: add them to Git or back them up.
Untracked files are especially risky:
|
|
If deleted, git restore cannot bring them back.
Step 2: Create Small Recovery Points
Before a large AI change, make a safety commit:
|
|
Or stash including untracked files:
|
|
The -u matters because it includes untracked files. In daily work, small commits are often clearer than long-lived stash entries.
Step 3: Limit AI to the Right Directory
Do not run AI coding tools from your home directory, Downloads, or Desktop root.
Use the project root:
|
|
Then say:
|
|
For temporary files:
|
|
For high-risk changes, use a Git worktree or temporary clone:
|
|
Step 4: Confirm Dangerous Commands
Be careful with:
|
|
They are not always forbidden, but the target path, impact, and recovery path must be clear.
In Windows PowerShell, this is especially dangerous:
|
|
Safer rule:
|
|
Step 5: Review Before Deleting
AI is good at finding deletion candidates. It should not decide alone.
Ask for a table:
| File | AI reason | Risk | Delete? |
|---|---|---|---|
old-script.js |
No static reference | Medium | Needs confirmation |
dist/ |
Build output | Low | Can delete if rebuildable |
legacy-config.json |
Looks old | High | Do not delete directly |
Then ask it to check whether files may be used by config, CI, deployment scripts, dynamic imports, or docs.
If you use Claude Code subagents, a read-only cleanup-reviewer can list candidates without editing. See: /en/2026/07/10/claude-code-subagent-project-fit-guide/.
Step 6: Put File Safety Rules in AI Memory Files
Add rules to AGENTS.md, CLAUDE.md, or another project instruction file:
|
|
Chinese projects can use Chinese rules:
|
|
This is not perfect protection, but it reduces unilateral action.
If you maintain project memory, store “directories not to touch,” “commands requiring confirmation,” and “generated files” there. Related: /en/2026/07/08/claude-code-multi-project-memory-team-workflow/.
Step 7: Separate Source, Generated Files, and User Data
Many deletions come from unclear file identity.
| Type | Examples | Can AI delete? |
|---|---|---|
| Source | src/, app/, content/ |
Not directly |
| Config | .env.example, config/, package.json |
High risk |
| Generated | dist/, build/, public/ |
Only if rebuildable |
| Cache | .cache/, .next/cache/ |
Usually yes |
| User data | uploads/, data/, notes/ |
Default no |
| Local secrets | .env, *.key, secrets/ |
Do not read or modify |
Write directory notes:
|
|
Step 8: Know the Recovery Flow
If files are deleted, stop broad AI edits first.
Restore Tracked Files
|
|
Restore From History
|
|
If the File Was Untracked
Check, in order:
- editor local history;
- Windows Recycle Bin;
- OneDrive, Dropbox, Syncthing version history;
- NAS snapshots or backups;
- file recovery tools;
- AI conversation history.
This is why git stash push -u or a small commit matters before big changes.
Step 9: Require a Diff Before Deletion
Before deleting, ask AI to show:
|
|
It should explain:
- which files will be deleted;
- which files will be moved;
- which files are only modified;
- which files are untracked;
- how to recover after deletion.
Be careful with:
|
|
D means tracked deletion. ?? means untracked; Git cannot restore it automatically.
After AI edits, check status again.
Step 10: Tool-Specific Notes
Codex
- Check
git statusfirst. - Explicitly forbid deleting untracked files.
- Ask for a plan before large changes.
- Stop before
Remove-Item,rm -rf,git clean, orgit reset. - Ask for a final list of actual changed files.
Claude Code
- Put file safety rules in
CLAUDE.md. - Use read-only subagents for review.
- Avoid destructive scripts in hooks.
- Mark commands requiring human confirmation.
Cursor and IDE Tools
- Do not accept broad deletions at once.
- Inspect file tree changes.
- Confirm deleted files one by one.
- Trust Git more than IDE undo for important projects.
Safe Prompt Template
For cleanup, refactor, or migration:
|
|
When executing:
|
|
Final Thought
AI coding does not mean never deleting files. Projects do need cleanup.
The rule is that deletion should be evidence-based, listed, confirmed, verified, and recoverable. Git, small commits, read-only review, permission confirmation, project rules, backups, and recovery procedures turn accidental deletion from a disaster into a recoverable incident.
If your AI Agent often runs long tasks, also record the state, changed scope, and recovery point for each phase. That reduces the chance of repeating dangerous commands after interruption. See: /en/2026/07/10/ai-agent-long-task-resume-guide/.