Every AI coding agent has done it. Claude Code, Codex CLI, Gemini CLI, Copilot CLI — they all occasionally run a command that destroys hours of uncommitted work in a single keystroke. git reset --hard HEAD~5. rm -rf ./src. DROP TABLE users. The problem is well known among developers who rely on agentic coding tools, but until now the solutions have been ad hoc: careful prompt engineering, manual --dry-run flags, or simply accepting the risk.

Jeffrey Emanuel and Darin Gordon have released an open-source tool that addresses the problem directly. The Destructive Command Guard (dcg) is a high-performance Rust binary that intercepts dangerous commands before they execute. It installs as a hook across nine major agent platforms — Claude Code, Codex CLI, Gemini CLI, GitHub Copilot CLI, VS Code Copilot Chat, Cursor IDE, Hermes Agent, Grok (xAI), and Antigravity CLI — and blocks catastrophic operations with a clear explanation and a safer alternative.

The tool matters not because it is technically complex, but because it names a problem the industry has been reluctant to acknowledge: AI coding agents are powerful enough to be dangerous, and the safety mechanisms built into the agents themselves are insufficient.

What dcg actually does

The core mechanism is straightforward. Dcg registers itself as a pre-execution hook in each agent’s configuration. When an agent proposes a command, dcg evaluates it against a set of security packs — categorized rule sets that match destructive patterns. The default packs cover core.filesystem (dangerous rm -rf outside temp directories), core.git (destructive git commands that lose uncommitted work or rewrite history), and system.disk (mkfs, dd to device, fdisk, parted). On Windows, two additional packs block del /s, rd /s, format, Remove-Item -Recurse -Force, and vssadmin delete shadows out of the box.

The tool supports 50+ additional packs that are opt-in: database.postgresql blocks DROP TABLE and TRUNCATE; kubernetes.kubectl blocks kubectl delete namespace; cloud.aws blocks aws ec2 terminate-instances; containers.docker blocks docker system prune. Users enable them through a TOML config file at ~/.config/dcg/config.toml.

Performance is a first-class concern. The project claims sub-millisecond latency through SIMD-accelerated filtering and lazy-compiled regex patterns. The tool uses a dual regex engine — one for fast pattern matching on common destructive commands, another for more complex patterns — and falls back gracefully on parse errors or timeouts. A fail-open design means a broken hook never blocks your workflow.

Agent-specific trust models

The most interesting design decision is the agent-specific profile system. Dcg automatically detects which agent is invoking it and applies different trust levels. Claude Code gets a wider allowlist and fewer packs by default. Unknown agents get extra packs and have their allowlists disabled entirely.

This reflects a real asymmetry in the agent ecosystem. Claude Code has been in production longer and has a more mature safety model. Codex CLI, which dcg treats as a first-class hook target since version 0.125.0, has a different protocol that requires minimal JSON output on denial. Grok (xAI) uses a Claude compatibility layer. Each agent has its own hook format, its own error-handling behavior, and its own likelihood of running destructive commands.

The trust levels are advisory labels recorded in JSON output and logs. They do not directly change rule evaluation. Behavioral differences come from disabled_packs, extra_packs, additional_allowlist, and disabled_allowlist fields in the agent-specific configuration. This is a reasonable compromise: the tool does not second-guess the agent’s intent, but it does adjust the blast radius based on which agent is at the controls.

The bypass question

No safety tool is useful if it cannot be overridden when the user genuinely needs to run a destructive command. Dcg provides four escape hatches: an environment variable (DCG_BYPASS=1 <command>) that disables all protection for a single invocation; a one-time allow code generated from the block message; a permanent allowlist entry for specific rules or commands; and removing the hook entirely.

The environment variable bypass is the nuclear option. The project documentation warns to use it sparingly and prefer allowlists for recurring needs. This is the right call. A tool that cannot be bypassed will be uninstalled. A tool that is too easy to bypass will be ignored. The balance here is reasonable: the bypass requires explicit action and is scoped to a single command.

What this means for the agent ecosystem

The existence of dcg is a signal that the agent tooling ecosystem has matured past the experimentation phase. When developers start writing safety hooks for AI coding agents, it means those agents are being used for real work — work that has real consequences when it goes wrong.

The project’s origin story is telling. Emanuel began with a Python script after recognizing that AI coding agents “occasionally run catastrophic commands that destroy hours of uncommitted work.” Gordon ported it to Rust for performance. The pattern is familiar: a problem emerges in practice, someone builds a simple fix, and the community rallies around a more robust implementation.

The open-source approach is the right one. Agent hooks are deeply personal — every developer has a different tolerance for risk, a different set of dangerous commands, a different workflow. A centralized, proprietary solution would be too rigid. Dcg’s modular pack system and agent-specific profiles let each user calibrate the protection to their own needs.

The bigger question is whether the major agent platforms will build this capability natively. Claude Code already has a hook system that dcg exploits. Codex CLI has a documented hook protocol. But none of them ship with destructive command protection out of the box. That is a gap the platforms should close, and dcg provides a reference implementation for how to do it right.

For now, dcg is a practical tool for anyone who uses AI coding agents for production work. It installs in one curl command, adds sub-millisecond latency, and blocks the commands that lose the most work. It is not a complete safety solution — it cannot prevent an agent from writing bad code, only from running destructive commands — but it addresses the most acute failure mode of agentic coding tools.