DCG: Pre-Execution Safety

Goal

Use DCG to block destructive commands before they do damage.

What Is DCG?

DCG (Destructive Command Guard) is a Claude Code hook that blocks dangerous commands before they execute. It protects your repos from hard resets, recursive deletes, destructive database commands, and more.

Think of it as a safety interlock: if a command looks destructive, DCG stops it and suggests a safer alternative.

Pre-Execution Blocking

Stops damage before it happens

Protection Packs

Git, filesystem, database, cloud, and more

Allow-Once Codes

Explicit bypass when you know it is safe

Fail-Open Design

Errors never block your workflow

How DCG Intercepts Commands

DCG runs as a PreToolUse hook inside Claude Code. Every command is checked against a set of rules before it runs.

bash

# Example: test a command before running it
$ dcg test "git reset --hard" --explain
> BLOCKED: git.reset.hard
> Why: hard reset discards uncommitted work
> Safer: git restore --staged .

Warning

If DCG blocks a command, slow down and read the explanation. It is showing you the dangerous part and a safer path.

Essential Commands

Check if a command would be blocked

Explain why a command is unsafe

List available protection packs

Remove the hook (use --purge for full removal)

Bypass for a single approved command

Check installation and hook status

Uninstalling DCG

If you need to remove DCG, you can uninstall the hook and optionally purge the binary and config. You can always re-enable it later with dcg install.

bash

# Remove hook only (keeps dcg installed)
$ dcg uninstall
# Full removal (hook + binary + config)
$ dcg uninstall --purge
# Verify removal
$ dcg doctor
$ claude /hooks

Note

If you still want command safety but fewer blocks, prefer adjusting packs instead of uninstalling.

Protection Packs

Packs let you enable or disable rules based on your workflow. Keep the ones you need to avoid false positives.

config.toml

# ~/.config/dcg/config.toml
[packs]
enabled = ["git", "filesystem", "database.postgresql", "containers.docker"]

Note

Start with git and filesystem packs. Add database or cloud packs only when you use those tools.

When You See a Block

A block is a warning, not a dead end. Use it as a checkpoint:

Read the explanation carefully.
Prefer the safer alternative when possible.
Use allow-once only if you are confident.
Document the decision in your commit or notes.

DCG + SLB

DCG blocks obvious destructive commands instantly. SLB handles contextual risk that needs human approval. Together, they form a layered safety system.

Goal

Use DCG to block destructive commands before they do damage.

What Is DCG?

Think of it as a safety interlock: if a command looks destructive, DCG stops it and suggests a safer alternative.

Pre-Execution Blocking

Stops damage before it happens

Protection Packs

Git, filesystem, database, cloud, and more

Allow-Once Codes

Explicit bypass when you know it is safe

Fail-Open Design

Errors never block your workflow

How DCG Intercepts Commands

DCG runs as a PreToolUse hook inside Claude Code. Every command is checked against a set of rules before it runs.

bash

# Example: test a command before running it
$ dcg test "git reset --hard" --explain
> BLOCKED: git.reset.hard
> Why: hard reset discards uncommitted work
> Safer: git restore --staged .

Warning

If DCG blocks a command, slow down and read the explanation. It is showing you the dangerous part and a safer path.

Essential Commands

Check if a command would be blocked

Explain why a command is unsafe

List available protection packs

Remove the hook (use --purge for full removal)

Bypass for a single approved command

Check installation and hook status

Uninstalling DCG

If you need to remove DCG, you can uninstall the hook and optionally purge the binary and config. You can always re-enable it later with dcg install.

bash

# Remove hook only (keeps dcg installed)
$ dcg uninstall
# Full removal (hook + binary + config)
$ dcg uninstall --purge
# Verify removal
$ dcg doctor
$ claude /hooks

Note

If you still want command safety but fewer blocks, prefer adjusting packs instead of uninstalling.

Protection Packs

Packs let you enable or disable rules based on your workflow. Keep the ones you need to avoid false positives.

config.toml

# ~/.config/dcg/config.toml
[packs]
enabled = ["git", "filesystem", "database.postgresql", "containers.docker"]

Note

Start with git and filesystem packs. Add database or cloud packs only when you use those tools.

When You See a Block

A block is a warning, not a dead end. Use it as a checkpoint:

Read the explanation carefully.
Prefer the safer alternative when possible.
Use allow-once only if you are confident.
Document the decision in your commit or notes.

DCG + SLB

DCG blocks obvious destructive commands instantly. SLB handles contextual risk that needs human approval. Together, they form a layered safety system.

New to ACFS?

What Is DCG?

Pre-Execution Blocking

Protection Packs

Allow-Once Codes

Fail-Open Design

How DCG Intercepts Commands

Essential Commands

Uninstalling DCG

Protection Packs

When You See a Block

DCG + SLB

Ready to level up?

DCG: Pre-Execution Safety

New to ACFS?

What Is DCG?

Pre-Execution Blocking

Protection Packs

Allow-Once Codes

Fail-Open Design

How DCG Intercepts Commands

Essential Commands

Uninstalling DCG

Protection Packs

When You See a Block

DCG + SLB

Ready to level up?