
A high-performance hook for AI coding agents that blocks destructive commands before they execute, protecting your work from accidental deletion across Claude Code, Codex CLI, Gemini CLI, Copilot, Cursor, Hermes Agent, Grok (xAI), and related tools.
Supported: Claude Code, Codex CLI 0.125.0+, Gemini CLI, GitHub Copilot CLI, Cursor IDE, Hermes Agent, Grok (xAI) (native ~/.grok/hooks/ plus Claude compatibility layer), Antigravity CLI (agy) (native ~/.gemini/config/hooks.json via dcg install --agy), OpenCode (via community plugin), Pi (via extension recipe), Aider (limited—git hooks only), Continue (detection only)
curl -fsSL "https://raw.githubusercontent.com/Dicklesworthstone/destructive_command_guard/main/install.sh?$(date +%s)" | bash -s -- --easy-mode
Works on Linux, macOS, and Windows via WSL. Auto-detects your platform, downloads the right binary, and configures supported agent hooks including Claude Code, Codex CLI, Gemini CLI, GitHub Copilot CLI, Cursor IDE, Hermes Agent, and Grok (xAI) (via dcg install --grok for a native ~/.grok/hooks/dcg.json, or via the Claude compatibility layer automatically picked up by Grok). For native Windows, use the PowerShell installer below.
& ([scriptblock]::Create((irm "https://raw.githubusercontent.com/Dicklesworthstone/destructive_command_guard/main/install.ps1"))) -EasyMode -Verify
Installs native dcg.exe, verifies the SHA256 checksum (and the Sigstore/cosign signature when cosign is present), adds it to your User PATH (-EasyMode), runs a self-test (-Verify), and configures detected agent hooks for Claude Code, Codex CLI, Gemini CLI, GitHub Copilot CLI, Cursor IDE, and Hermes Agent. Copilot hooks are repo-local, so run the installer from each protected repo or use -EasyMode/-Force intentionally. On Windows the windows.filesystem and windows.system packs are on by default, so del /s, rd /s, Remove-Item -Recurse -Force, format, and vssadmin delete shadows are blocked out of the box. Pin a version with -Version vX.Y.Z.
The Problem: AI coding agents (Claude, Codex, Gemini, Copilot, etc.) occasionally run catastrophic commands like git reset --hard, rm -rf ./src, or DROP TABLE users—destroying hours of uncommitted work in seconds.
The Solution: dcg is a high-performance hook that intercepts destructive commands before they execute, blocking them with clear explanations and safer alternatives.
| Feature | What It Does |
|---|---|
| Zero-Config Protection | Blocks dangerous git/filesystem commands out of the box |
| 50+ Security Packs | Databases, Kubernetes, Docker, AWS/GCP/Azure, Terraform, and more |
| Sub-Millisecond Latency | SIMD-accelerated filtering—you won't notice it's there |
| Heredoc/Inline Script Scanning | Catches python -c "os.remove(...)" and embedded shell scripts |
| Smart Context Detection | Won't block grep "rm -rf" (data) but will block rm -rf / (execution) |
| Rich Terminal Output | Human-readable denial panels, rule context, and suggestions on stderr |
| Agent-Safe Streams | Machine-readable hook output stays on stdout while rich UI stays on stderr |
| Native Codex Support | Codex CLI 0.125.0+ uses the strict exit-code-2 + stderr denial path Codex expects |
| Graceful Degradation | Plain output for CI, pipes, dumb terminals, and no-color environments |
| Scan Mode for CI | Pre-commit hooks and CI integration to catch dangerous commands in code review |
| Fail-Open Design | Never blocks your workflow due to timeouts or parse errors |
| Explain Mode | dcg explain "command" shows exactly why something is blocked |
# AI agent tries to run:
$ git reset --hard HEAD~5
# dcg intercepts and blocks:
════════════════════════════════════════════════════════════════
BLOCKED dcg
────────────────────────────────────────────────────────────────
Reason: git reset --hard destroys uncommitted changes
Command: git reset --hard HEAD~5
Tip: Consider using 'git stash' first to save your changes.
════════════════════════════════════════════════════════════════
# ~/.config/dcg/config.toml
[packs]
enabled = [
"database.postgresql", # Blocks DROP TABLE, TRUNCATE
"kubernetes.kubectl", # Blocks kubectl delete namespace
"cloud.aws", # Blocks aws ec2 terminate-instances
"containers.docker", # Blocks docker system prune
]
dcg automatically detects which AI coding agent is invoking it and can apply
agent-specific configuration. The trust_level field is an advisory label
recorded in JSON output and logs — it does not directly change rule evaluation.
Behavioral differences come from the other profile fields:
| Option | Effect |
|---|---|
disabled_packs |
Removes rule packs from evaluation |
extra_packs |
Adds rule packs to evaluation |
additional_allowlist |
Adds command patterns that bypass deny rules |
disabled_allowlist |
When true, ignores all allowlist entries |
# Trust Claude Code more — wider allowlist, fewer packs
[agents.claude-code]
trust_level = "high"
additional_allowlist = ["npm run build", "cargo test"]
disabled_packs = ["kubernetes"]
# Restrict unknown agents — extra rules, no allowlist bypass
[agents.unknown]
trust_level = "low"
extra_packs = ["paranoid"]
disabled_allowlist = true
See docs/agents.md for full documentation on supported agents, trust levels, and configuration options.
dcg now treats Codex CLI as a first-class hook target, not just a Claude-shaped
compatibility path. The installer configures Codex CLI 0.125.0+ automatically
when it detects codex on PATH or an existing ~/.codex/ directory.
| Codex behavior | dcg handling |
|---|---|
| Hook config | Merges a PreToolUse Bash hook into ~/.codex/hooks.json |
| Denied command | Exits with code 2, writes the block reason to stderr, and writes no stdout JSON |
| Allowed command | Exits 0 with empty stdout and stderr |
| Existing hooks | Preserves coexisting hooks, keeps dcg first for Bash, and refuses to overwrite malformed JSON |
| Validation | Covered by subprocess protocol tests plus an opt-in real Codex E2E harness |
Codex's hook input is intentionally close to Claude Code's, but Codex rejects
unknown fields in hook output. dcg detects Codex payloads from the non-empty
turn_id field and switches to Codex's documented stderr denial path so a
blocked command is reported as blocked rather than as a failed hook. See
docs/codex-integration.md for protocol details,
manual probes, and troubleshooting.
This project began as a Python script by Jeffrey Emanuel, who recognized that AI coding agents, while incredibly useful, occasionally run catastrophic commands that destroy hours of uncommitted work. The original implementation was a simple but effective hook that intercepted dangerous git and filesystem commands before execution.
The initial Rust port by Darin maintained pattern compatibility with the original Python implementation while adding sub-millisecond execution through SIMD-accelerated filtering and lazy-compiled regex patterns. Jeffrey subsequently expanded the Rust codebase dramatically to add the features described above.
If dcg is blocking something you genuinely need to run:
| Method | Scope | How |
|---|---|---|
| Env var bypass | Single command | DCG_BYPASS=1 <command> |
| Allow-once code | Single command | Copy the short code from the block message, run dcg allow-once <code> |
| Permanent allowlist | Rule or command | dcg allowlist add core.git:reset-hard -r "reason" |
| Remove the hook | All commands | Delete or comment out the dcg entry in ~/.claude/settings.json (or equivalent for your agent) |
DCG_BYPASS=1 disables all protection for that invocation. Use it sparingly and prefer allowlists for recurring needs.
dcg uses a modular "pack" system to organize destructive command patterns by category. Packs can be enabled or disabled in the configuration file.
docs/packs/README.mddcg packs --verboseWith no config file present, dcg enables only the packs that guard against the most catastrophic, unrecoverable mistakes:
core.filesystem - Dangerous rm -rf outside temp directories (always on; cannot be disabled)core.git - Destructive git commands that lose uncommitted work, rewrite history, or destroy stashes (always on; cannot be disabled)system.disk - mkfs, dd-to-device, fdisk, parted, mdadm, lvm removal, wipefs (on by default; opt out with disabled = ["system.disk"])On Windows, two additional packs are on by default so a fresh install blocks the catastrophic native-Windows operations with no config:
windows.filesystem - cmd del /s, rd /s, format <drive>: and PowerShell Remove-Item -Recurse -Force (and aliases), Clear-Content, Clear-RecycleBin (default-on on Windows only; opt out with disabled = ["windows.filesystem"] or ["windows"])windows.system - vssadmin delete shadows / wmic shadowcopy delete (Volume Shadow Copy destruction), diskpart, Format-Volume, Clear-Disk, Remove-Partition, cipher /w, bcdedit /delete (default-on on Windows only; opt out with disabled = ["windows.system"] or ["windows"])The broader windows.misc (reg delete, net user /delete, wsl --unregister, robocopy /MIR) and
windows.powershell (registry/provider deletes, Remove-LocalUser, Disable-ComputerRestore, Remove-VM)
packs are opt-in on every platform. On Unix the windows.* packs are registered but off by default; enable
them (e.g. to scan committed .ps1/.cmd scripts in CI) via [packs] enabled = ["windows"].
Every other pack — including database.postgresql and containers.docker — is
opt-in and is not active until a config file enables it. Running dcg init
writes a starter ~/.config/dcg/config.toml whose [packs] enabled list turns on
database.postgresql and containers.docker as common examples, but that is a
generated starter config, not the no-config default. Enable any pack below by adding
it to [packs] enabled — see Enable More Protection.
storage.s3 - Protects against destructive S3 operations like bucket removal, recursive deletes, and sync --delete.storage.gcs - Protects against destructive GCS operations like bucket removal, object deletion, and recursive deletes.storage.minio - Protects against destructive MinIO Client (mc) operations like bucket removal, object deletion, and admin operations.storage.azure_blob - Protects against destructive Azure Blob Storage operations like container deletion, blob deletion, and azcopy remove.remote.rsync - Protects against destructive rsync operations like --delete and its variants.remote.scp - Protects against destructive SCP operations like overwrites to system paths.remote.ssh - Protects against destructive SSH operations like remote command execution and key management.database.postgresql - Protects against destructive PostgreSQL operations like DROP DATABASE, TRUNCATE, and dropdb.database.mysql - MySQL/MariaDB guard.database.mongodb - Protects against destructive MongoDB operations like dropDatabase, dropCollection, and remove without criteria.database.redis - Protects against destructive Redis operations like FLUSHALL, FLUSHDB, and mass key deletion.database.sqlite - Protects against destructive SQLite operations like DROP TABLE, DELETE without WHERE, and accidental data loss.$ claude mcp add destructive_command_guard \
-- python -m otcore.mcp_server <graph>