Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From combined-engineering-skills
Set up git safety guardrails to block dangerous git commands (push, reset --hard, clean, branch -D, etc.) before they execute. Supports Claude Code and opencode. Use when user wants to prevent destructive git operations or add git safety hooks.
npx claudepluginhub ahtisamafzal/combined-engineering-skillsHow this skill is triggered — by the user, by Claude, or both
Slash command
/combined-engineering-skills:git-guardrailsThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Sets up guards that intercept and block dangerous git commands before they execute.
Mandates invoking relevant skills via tools before any response in coding sessions. Covers access, priorities, and adaptations for Claude Code, Copilot CLI, Gemini CLI.
Share bugs, ideas, or general feedback.
Sets up guards that intercept and block dangerous git commands before they execute.
git push (all variants including --force)git reset --hardgit clean -f / git clean -fdgit branch -Dgit checkout . / git restore .When blocked, the agent sees a message telling it that it does not have authority to access these commands.
Ask the user: which platform are you using — Claude Code or opencode?
Ask the user: install for this project only or all projects?
Scope paths per platform:
| Project | Global | |
|---|---|---|
| Claude Code | .claude/settings.json | ~/.claude/settings.json |
| opencode | ./opencode.json | ~/.config/opencode/opencode.json |
The bundled script is at: scripts/block-dangerous-git.sh
Copy it to the target location based on scope:
.claude/hooks/block-dangerous-git.sh~/.claude/hooks/block-dangerous-git.shMake it executable with chmod +x.
Add to the appropriate settings file:
Project (.claude/settings.json):
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/block-dangerous-git.sh"
}
]
}
]
}
}
Global (~/.claude/settings.json):
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "~/.claude/hooks/block-dangerous-git.sh"
}
]
}
]
}
}
If the settings file already exists, merge the hook into existing hooks.PreToolUse array — don't overwrite other settings.
Run a quick test:
echo '{"tool_input":{"command":"git push origin main"}}' | <path-to-script>
Should exit with code 2 and print a BLOCKED message to stderr.
Add the following to the appropriate config file (project opencode.json or global ~/.config/opencode/opencode.json):
{
"permission": {
"bash": {
"*": "ask",
"git push": "deny",
"git push *": "deny",
"git reset --hard *": "deny",
"git clean -f*": "deny",
"git clean -fd*": "deny",
"git branch -D *": "deny",
"git checkout .": "deny",
"git restore .": "deny"
}
}
}
Important: opencode evaluates the LAST matching rule. The broad catch-all ("*": "ask") must come first, and the specific deny rules must come last. If the catch-all were last, it would override all deny rules.
If the config file already exists, merge the permission.bash rules into the existing config. Prepend any new deny rules before the existing catch-all (if present), keeping the catch-all as the first entry.
opencode loads config once at startup. Tell the user to quit and restart opencode for the changes to take effect.
Ask if the user wants to add or remove any patterns from the blocked list.
For Claude Code: edit the copied block-dangerous-git.sh script.
For opencode: add or remove entries from the permission.bash rules in opencode.json.