MCPcopy Index your code
hub / github.com/Dicklesworthstone/destructive_command_guard

github.com/Dicklesworthstone/destructive_command_guard @v0.6.5

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.6.5 ↗ · + Follow
7,196 symbols 23,268 edges 266 files 648 documented · 9%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

dcg (Destructive Command Guard)

Destructive Command Guard - Protecting your code from accidental destruction

Coverage License: MIT

A high-performance hook for AI coding agents that blocks destructive commands before they execute, protecting your work from accidental deletion across Claude Code, Codex CLI, Gemini CLI, Copilot, Cursor, Hermes Agent, Grok (xAI), and related tools.

Supported: Claude Code, Codex CLI 0.125.0+, Gemini CLI, GitHub Copilot CLI, Cursor IDE, Hermes Agent, Grok (xAI) (native ~/.grok/hooks/ plus Claude compatibility layer), Antigravity CLI (agy) (native ~/.gemini/config/hooks.json via dcg install --agy), OpenCode (via community plugin), Pi (via extension recipe), Aider (limited—git hooks only), Continue (detection only)

Quick Install

curl -fsSL "https://raw.githubusercontent.com/Dicklesworthstone/destructive_command_guard/main/install.sh?$(date +%s)" | bash -s -- --easy-mode

Works on Linux, macOS, and Windows via WSL. Auto-detects your platform, downloads the right binary, and configures supported agent hooks including Claude Code, Codex CLI, Gemini CLI, GitHub Copilot CLI, Cursor IDE, Hermes Agent, and Grok (xAI) (via dcg install --grok for a native ~/.grok/hooks/dcg.json, or via the Claude compatibility layer automatically picked up by Grok). For native Windows, use the PowerShell installer below.

Windows (native, PowerShell)

& ([scriptblock]::Create((irm "https://raw.githubusercontent.com/Dicklesworthstone/destructive_command_guard/main/install.ps1"))) -EasyMode -Verify

Installs native dcg.exe, verifies the SHA256 checksum (and the Sigstore/cosign signature when cosign is present), adds it to your User PATH (-EasyMode), runs a self-test (-Verify), and configures detected agent hooks for Claude Code, Codex CLI, Gemini CLI, GitHub Copilot CLI, Cursor IDE, and Hermes Agent. Copilot hooks are repo-local, so run the installer from each protected repo or use -EasyMode/-Force intentionally. On Windows the windows.filesystem and windows.system packs are on by default, so del /s, rd /s, Remove-Item -Recurse -Force, format, and vssadmin delete shadows are blocked out of the box. Pin a version with -Version vX.Y.Z.


TL;DR

The Problem: AI coding agents (Claude, Codex, Gemini, Copilot, etc.) occasionally run catastrophic commands like git reset --hard, rm -rf ./src, or DROP TABLE users—destroying hours of uncommitted work in seconds.

The Solution: dcg is a high-performance hook that intercepts destructive commands before they execute, blocking them with clear explanations and safer alternatives.

Why Use dcg?

Feature What It Does
Zero-Config Protection Blocks dangerous git/filesystem commands out of the box
50+ Security Packs Databases, Kubernetes, Docker, AWS/GCP/Azure, Terraform, and more
Sub-Millisecond Latency SIMD-accelerated filtering—you won't notice it's there
Heredoc/Inline Script Scanning Catches python -c "os.remove(...)" and embedded shell scripts
Smart Context Detection Won't block grep "rm -rf" (data) but will block rm -rf / (execution)
Rich Terminal Output Human-readable denial panels, rule context, and suggestions on stderr
Agent-Safe Streams Machine-readable hook output stays on stdout while rich UI stays on stderr
Native Codex Support Codex CLI 0.125.0+ uses the strict exit-code-2 + stderr denial path Codex expects
Graceful Degradation Plain output for CI, pipes, dumb terminals, and no-color environments
Scan Mode for CI Pre-commit hooks and CI integration to catch dangerous commands in code review
Fail-Open Design Never blocks your workflow due to timeouts or parse errors
Explain Mode dcg explain "command" shows exactly why something is blocked

Quick Example

# AI agent tries to run:
$ git reset --hard HEAD~5

# dcg intercepts and blocks:
════════════════════════════════════════════════════════════════
BLOCKED  dcg
────────────────────────────────────────────────────────────────
Reason:  git reset --hard destroys uncommitted changes

Command: git reset --hard HEAD~5

Tip: Consider using 'git stash' first to save your changes.
════════════════════════════════════════════════════════════════

Enable More Protection

# ~/.config/dcg/config.toml
[packs]
enabled = [
    "database.postgresql",    # Blocks DROP TABLE, TRUNCATE
    "kubernetes.kubectl",     # Blocks kubectl delete namespace
    "cloud.aws",              # Blocks aws ec2 terminate-instances
    "containers.docker",      # Blocks docker system prune
]

Agent-Specific Profiles

dcg automatically detects which AI coding agent is invoking it and can apply agent-specific configuration. The trust_level field is an advisory label recorded in JSON output and logs — it does not directly change rule evaluation. Behavioral differences come from the other profile fields:

Option Effect
disabled_packs Removes rule packs from evaluation
extra_packs Adds rule packs to evaluation
additional_allowlist Adds command patterns that bypass deny rules
disabled_allowlist When true, ignores all allowlist entries
# Trust Claude Code more — wider allowlist, fewer packs
[agents.claude-code]
trust_level = "high"
additional_allowlist = ["npm run build", "cargo test"]
disabled_packs = ["kubernetes"]

# Restrict unknown agents — extra rules, no allowlist bypass
[agents.unknown]
trust_level = "low"
extra_packs = ["paranoid"]
disabled_allowlist = true

See docs/agents.md for full documentation on supported agents, trust levels, and configuration options.

Codex Support

dcg now treats Codex CLI as a first-class hook target, not just a Claude-shaped compatibility path. The installer configures Codex CLI 0.125.0+ automatically when it detects codex on PATH or an existing ~/.codex/ directory.

Codex behavior dcg handling
Hook config Merges a PreToolUse Bash hook into ~/.codex/hooks.json
Denied command Exits with code 2, writes the block reason to stderr, and writes no stdout JSON
Allowed command Exits 0 with empty stdout and stderr
Existing hooks Preserves coexisting hooks, keeps dcg first for Bash, and refuses to overwrite malformed JSON
Validation Covered by subprocess protocol tests plus an opt-in real Codex E2E harness

Codex's hook input is intentionally close to Claude Code's, but Codex rejects unknown fields in hook output. dcg detects Codex payloads from the non-empty turn_id field and switches to Codex's documented stderr denial path so a blocked command is reported as blocked rather than as a failed hook. See docs/codex-integration.md for protocol details, manual probes, and troubleshooting.


Origins & Authors

This project began as a Python script by Jeffrey Emanuel, who recognized that AI coding agents, while incredibly useful, occasionally run catastrophic commands that destroy hours of uncommitted work. The original implementation was a simple but effective hook that intercepted dangerous git and filesystem commands before execution.

  • Jeffrey Emanuel - Original concept and Python implementation (source); substantially expanded the Rust version with the modular pack system (50+ security packs), heredoc/inline-script scanning, the three-tier architecture, context classification, allowlists, scan mode, and the dual regex engine
  • Darin Gordon - Initial Rust port with performance optimizations

The initial Rust port by Darin maintained pattern compatibility with the original Python implementation while adding sub-millisecond execution through SIMD-accelerated filtering and lazy-compiled regex patterns. Jeffrey subsequently expanded the Rust codebase dramatically to add the features described above.

Escape Hatch / Bypass

If dcg is blocking something you genuinely need to run:

Method Scope How
Env var bypass Single command DCG_BYPASS=1 <command>
Allow-once code Single command Copy the short code from the block message, run dcg allow-once <code>
Permanent allowlist Rule or command dcg allowlist add core.git:reset-hard -r "reason"
Remove the hook All commands Delete or comment out the dcg entry in ~/.claude/settings.json (or equivalent for your agent)

DCG_BYPASS=1 disables all protection for that invocation. Use it sparingly and prefer allowlists for recurring needs.

Modular Pack System

dcg uses a modular "pack" system to organize destructive command patterns by category. Packs can be enabled or disabled in the configuration file.

  • Full pack ID index: docs/packs/README.md
  • Canonical descriptions + pattern counts: dcg packs --verbose

Enabled by default (no config file)

With no config file present, dcg enables only the packs that guard against the most catastrophic, unrecoverable mistakes:

  • core.filesystem - Dangerous rm -rf outside temp directories (always on; cannot be disabled)
  • core.git - Destructive git commands that lose uncommitted work, rewrite history, or destroy stashes (always on; cannot be disabled)
  • system.disk - mkfs, dd-to-device, fdisk, parted, mdadm, lvm removal, wipefs (on by default; opt out with disabled = ["system.disk"])

On Windows, two additional packs are on by default so a fresh install blocks the catastrophic native-Windows operations with no config:

  • windows.filesystem - cmd del /s, rd /s, format <drive>: and PowerShell Remove-Item -Recurse -Force (and aliases), Clear-Content, Clear-RecycleBin (default-on on Windows only; opt out with disabled = ["windows.filesystem"] or ["windows"])
  • windows.system - vssadmin delete shadows / wmic shadowcopy delete (Volume Shadow Copy destruction), diskpart, Format-Volume, Clear-Disk, Remove-Partition, cipher /w, bcdedit /delete (default-on on Windows only; opt out with disabled = ["windows.system"] or ["windows"])

The broader windows.misc (reg delete, net user /delete, wsl --unregister, robocopy /MIR) and windows.powershell (registry/provider deletes, Remove-LocalUser, Disable-ComputerRestore, Remove-VM) packs are opt-in on every platform. On Unix the windows.* packs are registered but off by default; enable them (e.g. to scan committed .ps1/.cmd scripts in CI) via [packs] enabled = ["windows"].

Every other pack — including database.postgresql and containers.docker — is opt-in and is not active until a config file enables it. Running dcg init writes a starter ~/.config/dcg/config.toml whose [packs] enabled list turns on database.postgresql and containers.docker as common examples, but that is a generated starter config, not the no-config default. Enable any pack below by adding it to [packs] enabled — see Enable More Protection.

Storage Packs

  • storage.s3 - Protects against destructive S3 operations like bucket removal, recursive deletes, and sync --delete.
  • storage.gcs - Protects against destructive GCS operations like bucket removal, object deletion, and recursive deletes.
  • storage.minio - Protects against destructive MinIO Client (mc) operations like bucket removal, object deletion, and admin operations.
  • storage.azure_blob - Protects against destructive Azure Blob Storage operations like container deletion, blob deletion, and azcopy remove.

Remote Packs

  • remote.rsync - Protects against destructive rsync operations like --delete and its variants.
  • remote.scp - Protects against destructive SCP operations like overwrites to system paths.
  • remote.ssh - Protects against destructive SSH operations like remote command execution and key management.

Database Packs

  • database.postgresql - Protects against destructive PostgreSQL operations like DROP DATABASE, TRUNCATE, and dropdb.
  • database.mysql - MySQL/MariaDB guard.
  • database.mongodb - Protects against destructive MongoDB operations like dropDatabase, dropCollection, and remove without criteria.
  • database.redis - Protects against destructive Redis operations like FLUSHALL, FLUSHDB, and mass key deletion.
  • database.sqlite - Protects against destructive SQLite operations like DROP TABLE, DELETE without WHERE, and accidental data loss.
  • `database.supab

Extension points exported contracts — how you extend this code

LegacySafePattern (Interface)
Trait for legacy safe patterns. [1 implementers]
src/evaluator.rs
RichThemeExt (Interface)
Extension trait for Theme to provide rich_rust integration. [1 implementers]
src/output/rich_theme.rs
ToExitCode (Interface)
Trait for converting evaluation results to exit codes. Implement this trait for types that represent command evaluation
src/exit_codes.rs
LegacyDestructivePattern (Interface)
Trait for legacy destructive patterns. [1 implementers]
src/evaluator.rs

Core symbols most depended-on inside this repo

push
called by 685
src/context.rs
len
called by 529
src/context.rs
is_empty
called by 410
src/context.rs
path
called by 360
src/history/schema.rs
get
called by 308
src/packs/mod.rs
insert
called by 289
src/sarif.rs
as_str
called by 215
src/suggest.rs
find
called by 129
src/packs/regex_engine.rs

Shape

Function 5,793
Method 857
Class 396
Enum 146
Interface 4

Languages

Rust100%
Python1%

Modules by API surface

src/cli.rs490 symbols
src/config.rs334 symbols
src/scan.rs283 symbols
src/evaluator.rs265 symbols
src/history/schema.rs250 symbols
src/context.rs182 symbols
src/heredoc.rs170 symbols
src/packs/mod.rs165 symbols
src/allowlist.rs165 symbols
tests/cli_e2e.rs164 symbols
src/ast_matcher.rs154 symbols
src/hook.rs128 symbols

Datastores touched

(mysql)Database · 1 repos
(mongodb)Database · 1 repos
appDatabase · 1 repos
prodDatabase · 1 repos

For agents

$ claude mcp add destructive_command_guard \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page