A high-performance command interception hook for AI coding agents that blocks destructive commands before execution, protecting working directories and infrastructure from accidental destruction.
Core Positioning#
dcg addresses the critical problem of AI coding agents (Claude Code, Codex CLI, Gemini CLI, etc.) accidentally executing irreversible destructive commands like rm -rf, git reset --hard, DROP TABLE, or kubectl delete namespace during autonomous shell command execution. It integrates into agent execution pipelines as a Pre-Tool-Use Hook, completing interception and decision-making before commands reach the shell.
Capability Boundary: dcg does not replace sandboxing or permission isolation mechanisms, but serves as the last line of defense after a command is issued but before execution. It covers 50+ security packs spanning git file operations, databases, container orchestration, cloud resources, CI/CD, and more, with a three-layer scanning pipeline capable of detecting dangerous commands hidden in heredocs and inline scripts. For timeout or parse failure scenarios, it defaults to Fail-Open to ensure workflows are not blocked.
Command Interception & Detection#
- Zero-config protection: Out-of-the-box interception of dangerous git/filesystem commands
- 50+ Security Packs: Covering databases (PostgreSQL, etc.), Kubernetes, Docker, AWS/GCP/Azure, Terraform, backup tools, message queues, monitoring, payments, search engines, CI/CD, and more
- Three-layer scanning pipeline: Tier 1 Trigger (<100μs, RegexSet) → Tier 2 Extract (<1ms, content extraction) → Tier 3 AST (<5ms, syntax tree matching)
- Heredoc / inline script scanning: Detects dangerous operations in
python -c "os.remove(...)"and embedded shell scripts - Recursive shell analysis: Extracted bash content recursively re-enters the full evaluation pipeline
- Smart context detection: Distinguishes data context (e.g.,
grep "rm -rf") from execution context (e.g.,rm -rf /)
Performance & Reliability#
- Sub-millisecond latency: SIMD-accelerated fast path filtering, nearly imperceptible hook overhead
- Dual regex engine + RegexSet: O(n) batch matching with lazy-compiled lazy compilation
- Fail-Open design: Default passthrough on timeout/parse errors (configurable to strict mode)
- Configurable timeout:
DCG_HOOK_TIMEOUT_MScontrols hook timeout budget (default 200ms)
AI Agent Adaptation#
- Multi-agent support: Claude Code, Codex CLI (0.125.0+), Gemini CLI, GitHub Copilot CLI, Cursor IDE, OpenCode, Aider (limited), Continue (detection)
- Agent-specific profiles: Per-agent trust_level configuration for different allowlist/pack strategies
- Agent protocol adaptation: Auto-detection of hook payload format differences (e.g., Codex's
turn_idfield, exit code 2 protocol)
Operations & Workflow Features#
- Allow-Once temporary bypass: Short code generation for 24-hour or one-time bypass of blocked commands
- Rebase Recovery Mode: Auto-detection of rebase in-progress state, temporary passthrough for recovery commands like
git checkout -- . - Explain mode: Full decision chain display showing why a command was blocked or allowed
- Repository scan mode:
dcg scanunderstands file structures (Dockerfile, GitHub Actions, Makefile, etc.), extracts executable commands and evaluates them - pre-commit integration: One-click installation via
dcg scan install-pre-commit
Configuration System#
- Layered configuration: System-level (
/etc/dcg/config.toml) → User-level (~/.config/dcg/config.toml) → Project-level (.dcg.toml) → Environment variables (DCG_*), with cascading override - Custom Packs: YAML-based creation of organization-specific rule packs
- Global decision mode:
DCG_POLICY_DEFAULT_MODEconfigurable as deny/warn/log
Architecture & Implementation#
Built with Rust Edition 2024 (nightly toolchain required), replacing the original Python implementation. The three-layer scanning pipeline progressively deepens analysis only when the previous layer triggers a match, ensuring minimal latency for common safe commands. Extracted bash content recursively re-enters the full pipeline. The modular Pack system organizes rules by category (core / database / kubernetes / cloud / containers, etc.) with YAML-based custom pack creation. The repository includes fuzz/ (fuzzing), benches/ and perf/baselines/ (performance benchmarks), and action/ (suspected GitHub Action integration, details TBD).
Installation & Quick Start#
Quick install (recommended):
curl -fsSL "https://raw.githubusercontent.com/Dicklesworthstone/destructive_command_guard/main/install.sh?$(date +%s)" | bash -s -- --easy-mode
Easy Mode auto-detects platform, downloads pre-built binaries, and configures hooks for all supported AI agents.
Build from source (Rust nightly required):
git clone https://github.com/Dicklesworthstone/destructive_command_guard
cd destructive_command_guard
cargo build --release
cp target/release/dcg ~/.local/bin/
Supported platforms: Linux (x86_64/ARM64), macOS (Intel/Apple Silicon), Windows (WSL)
Key Environment Variables#
| Variable | Purpose |
|---|---|
DCG_BYPASS=1 | Single-command bypass of all protections |
DCG_PACKS | Comma-separated enabled packs |
DCG_DISABLE | Comma-separated disabled packs |
DCG_VERBOSE | Log verbosity level 0-3 |
DCG_CONFIG | Specify config file path |
DCG_POLICY_DEFAULT_MODE | Global default decision mode (deny/warn/log) |
DCG_HOOK_TIMEOUT_MS | Hook timeout budget (default 200ms) |
Unconfirmed Information#
- License type: LICENSE file exists but specific type not stated in README
- Latest release version: README mentions v0.5.0, v0.2.7 etc., current latest needs Releases page check
- Standalone website/docs site: Documentation maintained in-repo via
docs/directory, no external docs site found - GitHub Action integration details:
action/directory exists, specific usage TBD - Native Windows support: Currently WSL only, native support plans TBD
- Aider/Continue support level: Marked as "limited" and "detection" level, exact boundaries TBD