Dicklesworthstone / destructive_command_guard
The Destructive Command Guard (dcg) is for blocking dangerous git and shell commands from being executed by agents.
description README.md
dcg (Destructive Command Guard)
A high-performance hook for AI coding agents that blocks destructive commands before they execute, protecting your work from accidental deletion across Claude Code, Codex CLI, Gemini CLI, Copilot CLI, VS Code Copilot Chat, Cursor, Hermes Agent, Grok (xAI), and related tools.
Supported: Claude Code, Codex CLI 0.125.0+, Gemini CLI, GitHub Copilot CLI, VS Code Copilot Chat, Cursor IDE, Hermes Agent, Grok (xAI) (native ~/.grok/hooks/ plus Claude compatibility layer), Antigravity CLI (agy) (native ~/.gemini/config/hooks.json via dcg install --agy), OpenCode (via community plugin), Pi (via extension recipe), Aider (limited—git hooks only), Continue (detection only)
Quick Install
curl -fsSL "https://raw.githubusercontent.com/Dicklesworthstone/destructive_command_guard/main/install.sh?$(date +%s)" | bash -s -- --easy-mode
Works on Linux, macOS, and Windows via WSL. Auto-detects your platform, downloads the right binary, and configures supported agent hooks including Claude Code, Codex CLI, Gemini CLI, GitHub Copilot CLI, VS Code Copilot Chat (through VS Code's Claude-hook compatibility), Cursor IDE, Hermes Agent, and Grok (xAI) (via dcg install --grok for a native ~/.grok/hooks/dcg.json, or via the Claude compatibility layer automatically picked up by Grok). For native Windows, use the PowerShell installer below.
Windows (native, PowerShell)
& ([scriptblock]::Create((irm "https://raw.githubusercontent.com/Dicklesworthstone/destructive_command_guard/main/install.ps1"))) -EasyMode -Verify
Installs native dcg.exe, verifies the SHA256 checksum (and the Sigstore/cosign signature when cosign is present), adds it to your User PATH (-EasyMode), runs a self-test (-Verify), and configures detected agent hooks for Claude Code, Codex CLI, Gemini CLI, GitHub Copilot CLI, Cursor IDE, and Hermes Agent. Copilot is configured at the user level under %COPILOT_HOME%\hooks (or %USERPROFILE%\.copilot\hooks) so every workspace is protected. On Windows the windows.filesystem and windows.system packs are on by default, so del /s, rd /s, Remove-Item -Recurse -Force, format, and vssadmin delete shadows are blocked out of the box. Pin a version with -Version vX.Y.Z.
TL;DR
The Problem: AI coding agents (Claude, Codex, Gemini, Copilot, etc.) occasionally run catastrophic commands like git reset --hard, rm -rf ./src, or DROP TABLE users—destroying hours of uncommitted work in seconds.
The Solution: dcg is a high-performance hook that intercepts destructive commands before they execute, blocking them with clear explanations and safer alternatives.
Why Use dcg?
| Feature | What It Does |
|---|---|
| Zero-Config Protection | Blocks dangerous git/filesystem commands out of the box |
| 50+ Security Packs | Databases, Kubernetes, Docker, AWS/GCP/Azure, Terraform, and more |
| Sub-Millisecond Latency | SIMD-accelerated filtering—you won't notice it's there |
| Heredoc/Inline Script Scanning | Catches python -c "os.remove(...)" and embedded shell scripts |
| Smart Context Detection | Won't block grep "rm -rf" (data) but will block rm -rf / (execution) |
| Rich Terminal Output | Human-readable denial panels, rule context, and suggestions on stderr |
| Agent-Safe Streams | Machine-readable hook output stays on stdout while rich UI stays on stderr |
| Native Codex Support | Codex CLI 0.125.0+ receives a minimal stdout JSON denial that current clients enforce reliably |
| Graceful Degradation | Plain output for CI, pipes, dumb terminals, and no-color environments |
| Scan Mode for CI | Pre-commit hooks and CI integration to catch dangerous commands in code review |
| Fail-Open Design | Never blocks your workflow due to timeouts or parse errors |
| Explain Mode | dcg explain "command" shows exactly why something is blocked |
Quick Example
# AI agent tries to run:
$ git reset --hard HEAD~5
# dcg intercepts and blocks:
════════════════════════════════════════════════════════════════
BLOCKED dcg
────────────────────────────────────────────────────────────────
Reason: git reset --hard destroys uncommitted changes
Command: git reset --hard HEAD~5
Tip: Consider using 'git stash' first to save your changes.
════════════════════════════════════════════════════════════════
Enable More Protection
# ~/.config/dcg/config.toml
[packs]
enabled = [
"database.postgresql", # Blocks DROP TABLE, TRUNCATE
"kubernetes.kubectl", # Blocks kubectl delete namespace
"cloud.aws", # Blocks aws ec2 terminate-instances
"containers.docker", # Blocks docker system prune
]
Agent-Specific Profiles
dcg automatically detects which AI coding agent is invoking it and can apply
agent-specific configuration. The trust_level field is an advisory label
recorded in JSON output and logs — it does not directly change rule evaluation.
Behavioral differences come from the other profile fields:
| Option | Effect |
|---|---|
disabled_packs | Removes rule packs from evaluation |
extra_packs | Adds rule packs to evaluation |
additional_allowlist | Adds command patterns that bypass deny rules |
disabled_allowlist | When true, ignores all allowlist entries |
# Trust Claude Code more — wider allowlist, fewer packs
[agents.claude-code]
trust_level = "high"
additional_allowlist = ["npm run build", "cargo test"]
disabled_packs = ["kubernetes"]
# Restrict unknown agents — extra rules, no allowlist bypass
[agents.unknown]
trust_level = "low"
extra_packs = ["paranoid"]
disabled_allowlist = true
See docs/agents.md for full documentation on supported agents, trust levels, and configuration options.
Codex Support
dcg now treats Codex CLI as a first-class hook target, not just a Claude-shaped
compatibility path. The installer configures Codex CLI 0.125.0+ automatically
when it detects codex on PATH or an existing ~/.codex/ directory.
| Codex behavior | dcg handling |
|---|---|
| Hook config | Merges a PreToolUse Bash hook into ~/.codex/hooks.json |
| Denied command | Exits 0 with a minimal hookSpecificOutput denial on stdout; human warning stays on stderr |
| Allowed command | Exits 0 with empty stdout and stderr |
| Existing hooks | Preserves coexisting hooks, keeps dcg first for Bash, and refuses to overwrite malformed JSON |
| Validation | Covered by subprocess protocol tests plus an opt-in real Codex E2E harness |
Codex's hook