dcg (Destructive Command Guard)
A high-performance CLI hook that intercepts and blocks destructive shell and git commands before AI coding agents execute them, protecting your work from accidental deletion.
At a Glance
About dcg (Destructive Command Guard)
dcg (Destructive Command Guard) is a Rust-based PreToolUse hook that sits between AI coding agents and the shell, blocking catastrophic commands like git reset --hard, rm -rf ./src, or DROP TABLE users before they execute. Originally written in Python by Jeffrey Emanuel and ported to Rust by Darin Gordon, the project has grown into a comprehensive modular guard with 50+ security packs covering databases, Kubernetes, cloud providers, CI/CD systems, and more. The repository has accumulated over 5,000 GitHub stars since its creation in January 2026.
What It Is
dcg is a command-line safety hook designed specifically for the AI coding agent era, where tools like Claude Code, Codex CLI, Gemini CLI, GitHub Copilot CLI, Cursor, and Hermes Agent autonomously execute shell commands on behalf of users. The core problem it solves: agents occasionally issue catastrophic, unrecoverable commands that destroy hours of uncommitted work in seconds. dcg intercepts every shell command as a JSON payload on stdin, evaluates it through a multi-stage pipeline, and either allows it silently or blocks it with a human-readable explanation and safer alternatives on stderr.
How the Evaluation Pipeline Works
Every command passes through a four-stage pipeline designed for sub-millisecond latency:
- JSON Parsing: Validates the hook payload from Claude, Codex, Gemini, Copilot, or other agent variants and extracts the command string. Non-shell tools are immediately allowed.
- Normalization: Strips absolute binary paths (
/usr/bin/git→git) while preserving arguments. - Quick Reject: SIMD-accelerated substring search (via the
memchrcrate using SSE2/AVX2/NEON) filters out irrelevant commands in under 1μs. Commands without keywords like "git" or "rm" skip regex matching entirely. - Pattern Matching: Safe patterns (allowlist) are checked first — a match immediately allows. Destructive patterns are checked second — a match blocks with explanation. No match on either defaults to allow.
A sophisticated context classification system (SpanKind) distinguishes Executed tokens from Comment, Data, HeredocBody, and InlineCode spans, dramatically reducing false positives. Heredoc and inline script scanning uses a three-tier AST pipeline: trigger detection (<100μs), content extraction (<1ms), and AST pattern matching (<5ms) with recursive shell analysis for nested commands like bash -c "git reset --hard".
Modular Pack System
dcg organizes destructive command patterns into a modular "pack" system. Two core packs — core.filesystem and core.git — are always on and cannot be disabled. Additional packs are opt-in and cover:
- Databases: PostgreSQL, MySQL, MongoDB, Redis, SQLite, Snowflake, Supabase
- Containers & Orchestration: Docker, Docker Compose, Podman, kubectl, Helm, Kustomize
- Cloud Providers: AWS, Azure, GCP
- Infrastructure: Terraform, Ansible, Pulumi, Atmos
- Secrets Management: Vault, Doppler, 1Password, AWS Secrets Manager
- CI/CD: GitHub Actions, GitLab CI, CircleCI, Jenkins
- Messaging, Search, Backup, Monitoring, Payment, DNS, CDN, and more
Category IDs expand to all sub-packs (e.g., "database" enables all database.* packs). Custom organization-specific packs can be authored in YAML and loaded from user or project-local paths.
Agent Support and Deployment
dcg supports a wide range of AI coding agents through their native hook protocols:
- Claude Code:
PreToolUsehook via~/.claude/settings.json - Codex CLI 0.125.0+: Merges a
PreToolUseBash hook into~/.codex/hooks.json; emits minimal documentedhookSpecificOutputJSON on stdout with exit code 0 - Gemini CLI / Antigravity (
agy):BeforeToolhook via~/.gemini/settings.jsonor~/.gemini/config/hooks.json - GitHub Copilot CLI: User-level hook at
${COPILOT_HOME:-~/.copilot}/hooks/dcg.json - VS Code Copilot Chat: Picked up automatically via the Claude Code hook compatibility layer
- Cursor IDE:
beforeShellExecutionhook via~/.cursor/hooks.json - Hermes Agent, Grok (xAI), OpenCode, Pi, Aider, Continue: Varying levels of native support
The quick-install script auto-detects the platform, downloads the correct binary, verifies SHA256 checksums and optional minisign signatures, and configures all detected agent hooks in one step. Prebuilt binaries are available for Linux x86_64 (musl), Linux ARM64, macOS Intel, macOS Apple Silicon, Windows x64, and Windows ARM64.
Update: v0.6.7 and Active Development
The latest release is v0.6.7, published July 15, 2026. The repository was last pushed on July 18, 2026, indicating active development. Notable recent additions include first-class Codex CLI support (0.125.0+), native Grok (xAI) hook integration, Antigravity CLI (agy) support, a rebase-recovery mode that safely relaxes checkout/restore blocks during active git rebase state, a bounded failure policy with configurable fail-closed mode, and Windows-native packs (windows.filesystem, windows.system) enabled by default on Windows. The project uses a pinned Rust nightly toolchain (nightly-2026-06-06) and requires Rust 1.95+.
Tradeoffs and Design Principles
dcg uses a default-allow policy for unrecognized commands to avoid breaking legitimate workflows — only known dangerous patterns are blocked. Safe patterns are checked before destructive ones (whitelist-first architecture) to prevent false positives on commands like git checkout -b. An absolute 200ms hook deadline ensures no command hangs the terminal; exhausting the budget produces an explicit indeterminate result rather than a silent allow. The license is MIT with an additional rider explicitly excluding OpenAI and Anthropic from use rights.
Community Discussions
Be the first to start a conversation about dcg (Destructive Command Guard)
Share your experience with dcg (Destructive Command Guard), ask questions, or help others learn from your insights.
Pricing
Open Source
Fully free and open source under MIT license (with OpenAI/Anthropic rider). Download prebuilt binaries or build from source.
- All 50+ security packs
- Prebuilt binaries for Linux, macOS, and Windows
- Full agent hook support (Claude Code, Codex, Gemini, Copilot, Cursor, etc.)
- Repository scanning and CI integration
- Custom pack authoring
Capabilities
Key Features
- Blocks destructive git and shell commands before execution
- 50+ modular security packs (databases, Kubernetes, cloud, CI/CD, etc.)
- Sub-millisecond latency with SIMD-accelerated filtering
- Heredoc and inline script scanning with three-tier AST pipeline
- Context classification to reduce false positives (SpanKind system)
- Agent-specific profiles with trust levels and pack overrides
- Supports Claude Code, Codex CLI, Gemini CLI, Copilot, Cursor, Hermes, Grok, and more
- Repository scanning mode for CI/CD pre-commit integration
- Explain mode with per-stage timing traces
- Allow-once temporary exception system with short codes
- Rebase recovery mode for safe git rebase workflows
- Configurable fail-closed mode for strict environments
- Custom YAML pack authoring for organization-specific rules
- Layered configuration hierarchy (env vars, user, system, project)
- Prebuilt binaries for Linux, macOS, and Windows (x64 and ARM64)
- Dual regex engine (linear O(n) + backtracking for lookahead patterns)
- Aho-Corasick keyword pre-filtering for pack relevance
- SARIF output for dcg scan CI integration
- Accessibility themes including colorblind-safe and high-contrast modes
- Windows-native packs for cmd.exe and PowerShell destructive commands
