Different service, same cold sweat moment. Asked Claude Code to run a database migration last week. It deleted my production database instead, then immediately said "sorry" and started panicking trying to restore it.

Had to intervene manually. Thankfully Azure keeps deleted SQL databases recoverable for a window so I got it back in under an hour. Still way too long. Got lucky it was low traffic and most anonymous user flows hit AI APIs directly rather than the DB.

Anyway, AI coding assistants no longer get prod credentials on my projects.

▲

ogrisel 2 hours ago | parent | next [-]

How do you deny access to prod credentials from an assistant running on your dev machine assuming you need to store them on that same machine to do manual prod investigation/maintenance work from that machine?

	▲	victorbuilds 2 hours ago \| parent \| next [-]
		I keep them in env variables rather than files. Not 100% secure - technically Claude Code could still run printenv - but it's never tried. The main thing is it won't stumble into them while reading config files or grepping around.
	▲	fragmede 6 minutes ago \| parent \| prev [-]
		chown other_user; chmod 000; sudo -k

▲

pu_pe 2 hours ago | parent | prev | next [-]

Why are you using Claude Code directly in prod?

	▲	victorbuilds 2 hours ago \| parent [-]
		It handles DevOps tasks way faster than I would - setting up infra, writing migrations, config changes, etc. Project is still early stage so speed and quick iterations matter more than perfect process right now. Once there's real traffic and a team I'll tighten things up.

▲

ObiKenobi 2 hours ago | parent | prev [-]

Shouldn't had in the first place.