Repository iconcurepo.dev
destructive_command_guard preview

Dicklesworthstone / destructive_command_guard

ai-agentsclideveloper-toolsgit

The Destructive Command Guard (dcg) is for blocking dangerous git and shell commands from being executed by agents.

3.6k Stars
visibility13 Watchers
fork_right132 Forks
Rust
historyUpdated recently

description README.md

dcg (Destructive Command Guard)

Destructive Command Guard - Protecting your code from accidental destruction

Coverage License: MIT

A high-performance hook for AI coding agents that blocks destructive commands before they execute, protecting your work from accidental deletion across Claude Code, Codex CLI, Gemini CLI, Copilot CLI, VS Code Copilot Chat, Cursor, Hermes Agent, Grok (xAI), and related tools.

Supported: Claude Code, Codex CLI 0.125.0+, Gemini CLI, GitHub Copilot CLI, VS Code Copilot Chat, Cursor IDE, Hermes Agent, Grok (xAI) (native ~/.grok/hooks/ plus Claude compatibility layer), Antigravity CLI (agy) (native ~/.gemini/config/hooks.json via dcg install --agy), OpenCode (via community plugin), Pi (via extension recipe), Aider (limited—git hooks only), Continue (detection only)

Quick Install

curl -fsSL "https://raw.githubusercontent.com/Dicklesworthstone/destructive_command_guard/main/install.sh?$(date +%s)" | bash -s -- --easy-mode

Works on Linux, macOS, and Windows via WSL. Auto-detects your platform, downloads the right binary, and configures supported agent hooks including Claude Code, Codex CLI, Gemini CLI, GitHub Copilot CLI, VS Code Copilot Chat (through VS Code's Claude-hook compatibility), Cursor IDE, Hermes Agent, and Grok (xAI) (via dcg install --grok for a native ~/.grok/hooks/dcg.json, or via the Claude compatibility layer automatically picked up by Grok). For native Windows, use the PowerShell installer below.

Windows (native, PowerShell)

& ([scriptblock]::Create((irm "https://raw.githubusercontent.com/Dicklesworthstone/destructive_command_guard/main/install.ps1"))) -EasyMode -Verify

Installs native dcg.exe, verifies the SHA256 checksum (and the Sigstore/cosign signature when cosign is present), adds it to your User PATH (-EasyMode), runs a self-test (-Verify), and configures detected agent hooks for Claude Code, Codex CLI, Gemini CLI, GitHub Copilot CLI, Cursor IDE, and Hermes Agent. Copilot is configured at the user level under %COPILOT_HOME%\hooks (or %USERPROFILE%\.copilot\hooks) so every workspace is protected. On Windows the windows.filesystem and windows.system packs are on by default, so del /s, rd /s, Remove-Item -Recurse -Force, format, and vssadmin delete shadows are blocked out of the box. Pin a version with -Version vX.Y.Z.


TL;DR

The Problem: AI coding agents (Claude, Codex, Gemini, Copilot, etc.) occasionally run catastrophic commands like git reset --hard, rm -rf ./src, or DROP TABLE users—destroying hours of uncommitted work in seconds.

The Solution: dcg is a high-performance hook that intercepts destructive commands before they execute, blocking them with clear explanations and safer alternatives.

Why Use dcg?

FeatureWhat It Does
Zero-Config ProtectionBlocks dangerous git/filesystem commands out of the box
50+ Security PacksDatabases, Kubernetes, Docker, AWS/GCP/Azure, Terraform, and more
Sub-Millisecond LatencySIMD-accelerated filtering—you won't notice it's there
Heredoc/Inline Script ScanningCatches python -c "os.remove(...)" and embedded shell scripts
Smart Context DetectionWon't block grep "rm -rf" (data) but will block rm -rf / (execution)
Rich Terminal OutputHuman-readable denial panels, rule context, and suggestions on stderr
Agent-Safe StreamsMachine-readable hook output stays on stdout while rich UI stays on stderr
Native Codex SupportCodex CLI 0.125.0+ receives a minimal stdout JSON denial that current clients enforce reliably
Graceful DegradationPlain output for CI, pipes, dumb terminals, and no-color environments
Scan Mode for CIPre-commit hooks and CI integration to catch dangerous commands in code review
Fail-Open DesignNever blocks your workflow due to timeouts or parse errors
Explain Modedcg explain "command" shows exactly why something is blocked

Quick Example

# AI agent tries to run:
$ git reset --hard HEAD~5

# dcg intercepts and blocks:
════════════════════════════════════════════════════════════════
BLOCKED  dcg
────────────────────────────────────────────────────────────────
Reason:  git reset --hard destroys uncommitted changes

Command: git reset --hard HEAD~5

Tip: Consider using 'git stash' first to save your changes.
════════════════════════════════════════════════════════════════

Enable More Protection

# ~/.config/dcg/config.toml
[packs]
enabled = [
    "database.postgresql",    # Blocks DROP TABLE, TRUNCATE
    "kubernetes.kubectl",     # Blocks kubectl delete namespace
    "cloud.aws",              # Blocks aws ec2 terminate-instances
    "containers.docker",      # Blocks docker system prune
]

Agent-Specific Profiles

dcg automatically detects which AI coding agent is invoking it and can apply agent-specific configuration. The trust_level field is an advisory label recorded in JSON output and logs — it does not directly change rule evaluation. Behavioral differences come from the other profile fields:

OptionEffect
disabled_packsRemoves rule packs from evaluation
extra_packsAdds rule packs to evaluation
additional_allowlistAdds command patterns that bypass deny rules
disabled_allowlistWhen true, ignores all allowlist entries
# Trust Claude Code more — wider allowlist, fewer packs
[agents.claude-code]
trust_level = "high"
additional_allowlist = ["npm run build", "cargo test"]
disabled_packs = ["kubernetes"]

# Restrict unknown agents — extra rules, no allowlist bypass
[agents.unknown]
trust_level = "low"
extra_packs = ["paranoid"]
disabled_allowlist = true

See docs/agents.md for full documentation on supported agents, trust levels, and configuration options.

Codex Support

dcg now treats Codex CLI as a first-class hook target, not just a Claude-shaped compatibility path. The installer configures Codex CLI 0.125.0+ automatically when it detects codex on PATH or an existing ~/.codex/ directory.

Codex behaviordcg handling
Hook configMerges a PreToolUse Bash hook into ~/.codex/hooks.json
Denied commandExits 0 with a minimal hookSpecificOutput denial on stdout; human warning stays on stderr
Allowed commandExits 0 with empty stdout and stderr
Existing hooksPreserves coexisting hooks, keeps dcg first for Bash, and refuses to overwrite malformed JSON
ValidationCovered by subprocess protocol tests plus an opt-in real Codex E2E harness

Codex's hook