Back
22/61
Lesson 22
8 min

DCG: Pre-Execution Safety

Block dangerous commands before they cause damage

New to ACFS?

Complete the setup wizard first to get the most from these lessons.

Go to Choose Your OS
Goal

Use DCG to block destructive commands before they do damage.

What Is DCG?

DCG (Destructive Command Guard) is a Claude Code hook that blocks dangerous commands before they execute. It protects your repos from hard resets, recursive deletes, destructive database commands, and more.

Think of it as a safety interlock: if a command looks destructive, DCG stops it and suggests a safer alternative.

Pre-Execution Blocking

Stops damage before it happens

Protection Packs

Git, filesystem, database, cloud, and more

Allow-Once Codes

Explicit bypass when you know it is safe

Fail-Open Design

Errors never block your workflow

How DCG Intercepts Commands

DCG runs as a PreToolUse hook inside Claude Code. Every command is checked against a set of rules before it runs.

bash
# Example: test a command before running it
$ dcg test "git reset --hard" --explain
> BLOCKED: git.reset.hard
> Why: hard reset discards uncommitted work
> Safer: git restore --staged .

DCG Control Room

Command Guard v2.1 active

39 rules0 blocked

Select Command to Analyze

Select a command above to see DCG in action

Watch the full interception pipeline animate

Warning
If DCG blocks a command, slow down and read the explanation. It is showing you the dangerous part and a safer path.

Essential Commands

Check if a command would be blocked
Explain why a command is unsafe
List available protection packs
Register the Claude Code hook
Remove the hook (use --purge for full removal)
Bypass for a single approved command
Check installation and hook status

Uninstalling DCG

If you need to remove DCG, you can uninstall the hook and optionally purge the binary and config. You can always re-enable it later with dcg install.

bash
# Remove hook only (keeps dcg installed)
$ dcg uninstall
# Full removal (hook + binary + config)
$ dcg uninstall --purge
# Verify removal
$ dcg doctor
$ claude /hooks
Note
If you still want command safety but fewer blocks, prefer adjusting packs instead of uninstalling.

Protection Packs

Packs let you enable or disable rules based on your workflow. Keep the ones you need to avoid false positives.

config.toml
# ~/.config/dcg/config.toml
[packs]
enabled = ["git", "filesystem", "database.postgresql", "containers.docker"]
Note
Start with git and filesystem packs. Add database or cloud packs only when you use those tools.

When You See a Block

A block is a warning, not a dead end. Use it as a checkpoint:

  • Read the explanation carefully.
  • Prefer the safer alternative when possible.
  • Use allow-once only if you are confident.
  • Document the decision in your commit or notes.

DCG + SLB

DCG blocks obvious destructive commands instantly. SLB handles contextual risk that needs human approval. Together, they form a layered safety system.

Ready to level up?

Mark complete to track your learning progress.