safety-net

CC Safety Net

A Coding Agent CLI plugin that acts as a safety net, catching destructive git and filesystem commands before they execute.

Contents

• Why This Exists
• Why Use This Instead of Permission Deny Rules?
• What About Sandboxing?
• Prerequisites
• Quick Start
  • Codex Installation
  • Claude Code Installation
  • Gemini CLI Installation
  • GitHub Copilot CLI Installation
  • Kimi Code Installation
  • OpenCode Installation
  • Pi Installation
• Status Line Integration
  • Emoji Mode Indicators
• Diagnostics
• Explain (Debug Analysis)
• Commands Blocked
• Commands Allowed
• What Happens When Blocked
• Testing the Hook
• Breaking Change: Custom Rules Migration
• Custom Rules
  • Config File Location
  • Rule Schema
  • Matching Behavior
  • Rule Examples
  • Error Handling
• Advanced Features
  • Strict Mode
  • Paranoid Mode
  • Worktree Mode
  • Shell Wrapper Detection
  • Interpreter One-Liner Detection
  • Secret Redaction
  • Audit Logging
• Development
• License

Why This Exists

We learned the hard way that instructions aren't enough to keep AI agents in check. After Claude Code silently wiped out hours of progress with a single rm -rf ~/ or git checkout --, it became evident that soft rules in an CLAUDE.md or AGENTS.md file cannot replace hard technical constraints. The current approach is to use a dedicated hook to programmatically prevent agents from running destructive commands.

Why Use This Instead of Permission Deny Rules?

Claude Code's .claude/settings.json supports deny rules with wildcard matching (e.g., Bash(git reset --hard:*)). Here's how this plugin differs:

At a Glance

	Permission Deny Rules	CC Safety Net
Setup	Manual configuration required	Works out of the box
Parsing	Wildcard pattern matching	Semantic command analysis
Execution order	Runs second	Runs first (PreToolUse hook)
Shell wrappers	Not handled automatically (must match wrapper forms)	Recursively analyzed (up to 10 levels)
Interpreter one-liners	Not handled automatically (must match interpreter forms)	Detected and blocked

Permission Rules Have Known Bypass Vectors

Even with wildcard matching, Bash permission patterns are intentionally limited and can be bypassed in many ways: