Learning HubACFS Academy
Progress
0%
0 of 3333 remaining
  • 1
    Welcome & Overview5 min
  • 2
    Linux Navigation8 min
  • 3
    SSH & Persistence6 min
  • 4
    tmux Basics7 min
  • 5
    Git Essentials10 min
  • 6
    GitHub CLI8 min
  • 7
    Agent Commands10 min
  • 8
    NTM Command Center8 min
  • 9
    NTM Prompt Palette6 min
  • 10
    The Flywheel Loop10 min
  • 11
    Keeping Updated4 min
  • 12
    UBS: Code Quality Guardrails8 min
  • 13
    Agent Mail Coordination10 min
  • 14
    CASS: Learning from History8 min
  • 15
    The Memory System8 min
  • 16
    Beads: Issue Tracking8 min
  • 17
    Safety Tools: SLB & CAAM6 min
    NOW
  • 18
    The Art of Agent Direction12 min
  • 19
    Case Study: cass-memory15 min
  • 20
    Case Study: SLB12 min
  • 21
    RU: Multi-Repo Mastery10 min
  • 22
    DCG: Pre-Execution Safety8 min
  • 23
    Meta Skill: Local Skills10 min
  • 24
    SRPS: System Protection8 min
  • 25
    JFP: Prompt Library6 min
  • 26
    APR: Automated Plan Reviser8 min
  • 27
    PT: Process Triage6 min
  • 28
    XF: X Archive Search6 min
  • 29
    RCH: Remote Compilation8 min
  • 30
    WA: WezTerm Automata8 min
  • 31
    Brenner Bot: Research10 min
  • 32
    GIIL: Cloud Image Downloads6 min
  • 33
    S2P: Source to Prompt6 min
Back to Home
Back
17/33
Lesson 17
6 min

Safety Tools: SLB & CAAM

Two-person rule and account management

New to ACFS?

Complete the setup wizard first to get the most from these lessons.

Go to Choose Your OS
Goal

Use DCG, SLB and CAAM for layered safety and account management.

Safety First

AI agents are powerful but can cause damage if misused. The Dicklesworthstone stack includes three safety tools:

DCG

Pre-execution blocking of destructive commands

SLB

Two-person rule for dangerous commands

CAAM

Agent authentication switching

SLB: Simultaneous Launch Button

SLB implements a "two-person rule" for dangerous commands. Just like nuclear launch codes require two keys, SLB requires two approvals before executing risky operations.

rm -rf /Dangerous Command
↓
Agent 1
+
Agent 2
↓
Safe to ExecuteTwo approvals received

When to Use SLB

rm -rf /
Deletes entire filesystem
Requires confirmation from two agents
git push --force origin main
Overwrites shared history
Requires explicit approval
DROP DATABASE production
Destroys production data
Two-person verification
kubectl delete namespace prod
Takes down production services
Mandatory review
Warning
Never bypass SLB protections. If a command requires two approvals, there's a reason. Get a second opinion.

SLB Commands

Show pending requests
Request approval and execute when approved
Approve a pending request
Reject a pending request
Check status of a specific request

DCG: Destructive Command Guard

DCG blocks dangerous commands before they run. It inspects every command from Claude Code and stops destructive patterns like hard resets, force pushes, and recursive deletes.

If a command is safe, it runs normally. If it's risky, DCG blocks it and suggests a safer alternative.

Warning
Treat a DCG block as a safety checkpoint. Read the explanation and prefer the safer command whenever possible.

DCG Commands

Explain why a command would be blocked
List available protection packs
Register DCG as a Claude Code hook
Bypass a single approved command
Check installation and hook status

CAAM: Coding Agent Account Manager

CAAM enables sub-100ms account switching for subscription-based AI services (Claude Max, Codex CLI, Gemini Ultra). Swap OAuth tokens instantly without re-authenticating.

Token Management

Backup and restore OAuth tokens for each tool

Instant Switching

Switch accounts in under 100ms via symlink swap

Multi-Tool Support

Works with Claude, Codex, and Gemini CLIs

Profile Backup

Save profiles by email for easy restoration

CAAM Use Cases

Personal vs Work—Switch between personal and work subscriptions
Rate Limits—Rotate to a fresh account when hitting usage caps
Cost Separation—Use different subscriptions for different projects
Multi-Account—Manage multiple Claude Max / Codex accounts

CAAM Commands

List saved profiles (claude, codex, gemini)
Save current auth as a named profile
Activate a saved profile
Show currently active profile
Remove a saved profile

Integration with Agents

DCG, SLB, and CAAM integrate with Claude Code, Codex, and Gemini:

bash
# Example: DCG blocks a destructive command
$ claude "reset the repo"
> DCG: blocked git reset --hard
> Suggestion: git restore --staged .
# Example: Dangerous command triggers SLB
$ claude "delete all test files"
> SLB: This command requires approval
> Waiting for second approval...
> Run 'slb approve req-123 --session-id <sid>' from another session
# Example: Switch Claude accounts for a project
$ caam activate claude work@company.com
> Activated profile 'work@company.com' for claude
> Symlink updated in 47ms
$ claude "continue the project"
> Using profile: work@company.com

Best Practices

SLB Best Practices

Never bypass approval requirements
Review commands before approving
Use descriptive request messages
Set up notifications for pending requests

DCG Best Practices

Read the block explanation before acting
Prefer safer alternatives over allow-once
Enable only the packs you need
Re-register after updates: dcg install

CAAM Best Practices

Backup profiles before switching
Use email as profile identifier
Verify active profile with caam status
Delete old profiles when no longer needed

Quick Reference

SLB

$ slb pending$ slb run <cmd> --reason ...$ slb approve <id> --session-id ...$ slb status <id>

DCG

$ dcg test '<cmd>' --explain$ dcg packs$ dcg allow-once <code>$ dcg doctor

CAAM

$ caam ls [tool]$ caam backup <tool> <email>$ caam activate <tool> <email>$ caam status [tool]

Ready to level up?

Mark complete to track your learning progress.

Previous
Beads: Issue Tracking
Next
The Art of Agent Direction