Back
17/61
Lesson 17
6 min

Safety Tools: SLB & CAAM

Two-person rule and account management

New to ACFS?

Complete the setup wizard first to get the most from these lessons.

Go to Choose Your OS
Goal

Use DCG, SLB and CAAM for layered safety and account management.

Safety First

AI agents are powerful but can cause damage if misused. The Dicklesworthstone stack includes three safety tools:

DCG

Pre-execution blocking of destructive commands

SLB

Two-person rule for dangerous commands

CAAM

Agent authentication switching

SLB: Simultaneous Launch Button

SLB implements a "two-person rule" for dangerous commands. Just like nuclear launch codes require two keys, SLB requires two approvals before executing risky operations.

Safety Control Room
DCG Terminaldestructive-command-guard v3.1
bash

Click a command below to test DCG...

SLB Launch Consoletwo-person rule

Critical Command Pending

kubectl delete namespace production
Two approvals required to execute
Security Events
LIVE
[14:31:02]blockedrm -rf /
[14:31:15]allowedgit status
[14:31:28]approvedslb approve req-42

When to Use SLB

rm -rf /
Deletes entire filesystem
Requires confirmation from two agents
git push --force origin main
Overwrites shared history
Requires explicit approval
DROP DATABASE production
Destroys production data
Two-person verification
kubectl delete namespace prod
Takes down production services
Mandatory review
Warning
Never bypass SLB protections. If a command requires two approvals, there's a reason. Get a second opinion.

SLB Commands

Show pending requests
Request approval and execute when approved
Approve a pending request
Reject a pending request
Check status of a specific request

DCG: Destructive Command Guard

DCG blocks dangerous commands before they run. It inspects every command from Claude Code and stops destructive patterns like hard resets, force pushes, and recursive deletes.

If a command is safe, it runs normally. If it's risky, DCG blocks it and suggests a safer alternative.

Warning
Treat a DCG block as a safety checkpoint. Read the explanation and prefer the safer command whenever possible.

DCG Commands

Explain why a command would be blocked
List available protection packs
Register DCG as a Claude Code hook
Bypass a single approved command
Check installation and hook status

CAAM: Coding Agent Account Manager

CAAM enables sub-100ms account switching for subscription-based AI services (Claude Max, Codex CLI, Gemini Ultra). Swap OAuth tokens instantly without re-authenticating.

Token Management

Backup and restore OAuth tokens for each tool

Instant Switching

Switch accounts in under 100ms via symlink swap

Multi-Tool Support

Works with Claude, Codex, and Gemini CLIs

Profile Backup

Save profiles by email for easy restoration

CAAM Use Cases

Personal vs WorkSwitch between personal and work subscriptions
Rate LimitsRotate to a fresh account when hitting usage caps
Cost SeparationUse different subscriptions for different projects
Multi-AccountManage multiple Claude Max / Codex accounts

CAAM Commands

List saved profiles (claude, codex, gemini)
Save current auth as a named profile
Activate a saved profile
Show currently active profile
Remove a saved profile

Integration with Agents

DCG, SLB, and CAAM integrate with Claude Code, Codex, and Gemini:

bash
# Example: DCG blocks a destructive command
$ claude "reset the repo"
> DCG: blocked git reset --hard
> Suggestion: git restore --staged .
# Example: Dangerous command triggers SLB
$ claude "delete all test files"
> SLB: This command requires approval
> Waiting for second approval...
> Run 'slb approve req-123 --session-id <sid>' from another session
# Example: Switch Claude accounts for a project
$ caam activate claude work@company.com
> Activated profile 'work@company.com' for claude
> Symlink updated in 47ms
$ claude "continue the project"
> Using profile: work@company.com

Best Practices

SLB Best Practices

Never bypass approval requirements
Review commands before approving
Use descriptive request messages
Set up notifications for pending requests

DCG Best Practices

Read the block explanation before acting
Prefer safer alternatives over allow-once
Enable only the packs you need
Re-register after updates: dcg install

CAAM Best Practices

Backup profiles before switching
Use email as profile identifier
Verify active profile with caam status
Delete old profiles when no longer needed

Quick Reference

SLB

$ slb pending$ slb run <cmd> --reason ...$ slb approve <id> --session-id ...$ slb status <id>

DCG

$ dcg test '<cmd>' --explain$ dcg packs$ dcg allow-once <code>$ dcg doctor

CAAM

$ caam ls [tool]$ caam backup <tool> <email>$ caam activate <tool> <email>$ caam status [tool]

Ready to level up?

Mark complete to track your learning progress.