Destructive Command Guard
A high-performance Claude Code hook that intercepts and blocks destructive commands before they execute. Written in Rust with SIMD-accelerated filtering via the memchr crate and Aho-Corasick multi-pattern matching for sub-millisecond latency. Assumes agents are well-intentioned but fallible.
Overview
DCG uses a whitelist-first architecture: safe patterns are checked before destructive patterns, and unrecognized commands are allowed by default (fail-safe). This ensures legitimate workflows are never broken while known dangerous patterns are always blocked. DCG runs as a PreToolUse hook in Claude Code, receiving JSON on stdin for each Bash tool invocation and returning exit code 0 (allow) or 2 (block). It only inspects direct Bash tool invocations, not contents of shell scripts.
The processing pipeline has four stages: JSON parsing, command normalization (strips absolute paths like /usr/bin/git), SIMD quick-reject filter (skips regex for commands without git or rm), and pattern matching. The memchr crate provides hardware-accelerated substring search (SSE2/AVX2 on x86_64, NEON on ARM), while Aho-Corasick handles multi-pattern matching in O(n) time regardless of pattern count.
DCG supports 49+ modular security packs organized by category (git, filesystem, databases, containers, Kubernetes, cloud providers, infrastructure tools). Core packs (core.git, core.filesystem) are always enabled; additional packs are configured via ~/.config/dcg/config.toml or the DCG_PACKS environment variable. The dcg scan subcommand can also audit files for destructive command contexts, suitable for CI integration.
DCG is not published on crates.io; it is installed from GitHub via cargo +nightly install or prebuilt binaries for Linux, macOS, and Windows WSL. The threat model assumes agents are well-intentioned but fallible; DCG catches honest mistakes, not adversarial attacks.
Quick Reference
| Category | Blocked Commands |
|---|
| Uncommitted work | git reset --hard, git checkout -- <file>, git restore <file>, git clean -f |
| Remote history | git push --force / -f, git branch -D |
| Stashed work | git stash drop, git stash clear |
| Filesystem | rm -rf (outside /tmp, /var/tmp, $TMPDIR) |
| Category | Allowed Commands |
|---|
| Safe git | git status, git log, git diff, git add, git commit, git push, git pull, git fetch, git branch -d, git stash, git stash pop |
| Safe patterns | git checkout -b, git restore --staged, git clean -n, git push --force-with-lease |
| Temp dirs | rm -rf /tmp/*, rm -rf $TMPDIR/* |
| Setting | Value |
|---|
| Exit code (safe) | 0 |
| Exit code (blocked) | 2 |
| Default behavior | Allow (fail-safe) |
| Pattern priority | Safe checked first, then destructive |
| Safe patterns | 34 |
| Destructive patterns | 16 |
| Pack Category | Examples |
|---|
| Core (default) | core.git, core.filesystem |
| Database | database.postgresql, database.mysql, database.mongodb |
| Containers | containers.docker, containers.compose, containers.podman |
| Kubernetes | kubernetes.kubectl, kubernetes.helm, kubernetes.kustomize |
| Cloud | cloud.aws, cloud.gcp, cloud.azure |
| Infrastructure | infrastructure.terraform, infrastructure.ansible |
| System | system.disk, system.permissions, system.services |
| Other | strict_git, package_managers |
| Environment Variable | Purpose |
|---|
DCG_PACKS | Enable packs (comma-separated) |
DCG_DISABLE | Disable specific packs |
DCG_VERBOSE | Verbose output |
DCG_BYPASS | Bypass DCG entirely (escape hatch) |
DCG_COLOR | Color mode (auto, always, never) |
| Installation Method | Command |
|---|
| Quick install | curl -fsSL ".../install.sh" | bash -s -- --easy-mode |
| From source | cargo +nightly install --git https://github.com/Dicklesworthstone/destructive_command_guard destructive_command_guard |
| Prebuilt binaries | Linux x86_64, Linux ARM64, macOS Intel, macOS Apple Silicon, Windows WSL |
| Processing Stage | Description |
|---|
| JSON parsing | Reads PreToolUse hook input, allows non-Bash tools |
| Normalization | Strips absolute paths (/usr/bin/git becomes git) |
| SIMD quick-reject | memchr substring search skips regex for irrelevant commands |
| Pattern matching | Safe patterns first, then destructive, default allow |
Common Mistakes
| Mistake | Correct Pattern |
|---|
| Forgetting to restart Claude Code after adding the hook | Always restart Claude Code after modifying ~/.claude/settings.json |
Using DCG_BYPASS=1 permanently in shell profile | Only set bypass temporarily for a single command, then remove it |
| Assuming DCG inspects commands inside scripts | DCG only inspects direct Bash tool invocations, not contents of ./deploy.sh |
Blocking git branch -d (lowercase) thinking it is destructive | Lowercase -d is safe (merge-checked); only uppercase -D force-deletes |
| Not enabling database or cloud packs for production environments | Configure relevant packs in ~/.config/dcg/config.toml for your stack |
| Expecting DCG to stop malicious actors | DCG catches honest mistakes; determined users can always bypass the hook |
Running cargo install without nightly toolchain | DCG requires Rust nightly (edition 2024); use cargo +nightly install |
Delegation
- Audit which destructive commands an agent session has attempted: Use
Explore agent
- Set up DCG with custom packs for a new project environment: Use
Task agent
- Plan a layered safety architecture combining DCG with other guardrails: Use
Plan agent
References