From pro-workflow
Prevents destructive ops in Claude Code via /safe-mode: cautious warns on rm -rf/SQL drops/git force-push; lockdown restricts edits to one dir; clear resets.
npx claudepluginhub rohitg00/pro-workflow --plugin pro-workflowThis skill uses the workspace's default tool permissions.
Three levels of protection against destructive operations during AI coding sessions.
Blocks destructive commands like rm -rf, git force-push, kubectl delete on production systems and autonomous agents. Locks file edits to specific directories.
Blocks destructive commands like rm -rf, git --force, DROP TABLE, docker prune, and restricts file edits to specified directories. Use on production systems and with autonomous agents.
Installs 695 pre-built safety hooks for Claude Code preventing file deletions, credential leaks, git disasters, and token waste in autonomous AI coding sessions. Use for safe AI-driven development.
Share bugs, ideas, or general feedback.
Three levels of protection against destructive operations during AI coding sessions.
Note: These hooks are skill-scoped — they only activate when you invoke
/safe-mode. The globalpermission-request.jshook in hooks.json provides always-on alerting for dangerous commands. Safe-mode adds opt-in blocking and directory restrictions on top of that.
/safe-mode cautious
Intercepts Bash commands before execution. Warns on dangerous patterns but does not block — the user decides.
Flagged patterns:
| Pattern | Risk |
|---|---|
rm -rf / rm -r | Recursive deletion |
DROP TABLE / DROP DATABASE | SQL data loss |
TRUNCATE | SQL data destruction |
git push --force / git push -f | Remote history rewrite |
git reset --hard | Local history loss |
git clean -f | Untracked file deletion |
git checkout . / git restore . | Discard all changes |
chmod 777 | World-writable permissions |
curl | sh / wget | sh | Piped remote execution |
> /dev/sda / dd if= | Disk-level operations |
:(){ :|:& };: | Fork bombs |
sudo rm | Elevated deletion |
What happens:
WARNING: Destructive operation detected
Command: rm -rf ./build
Pattern: rm -rf (recursive forced deletion)
Risk: Permanently deletes ./build and all contents
Proceed? The command will execute as-is if you continue.
The warning goes to stderr. Claude sees it and asks for confirmation before proceeding.
/safe-mode lockdown <path>
Restricts Edit and Write operations to a single directory tree. Prevents accidental changes to unrelated code.
How it works:
LOCKDOWN ACTIVE: Edits restricted to src/api/
Blocked: Edit to src/utils/helpers.ts
Reason: File is outside the lockdown path (src/api/)
To edit files outside the lockdown, run: /safe-mode clear
Use cases:
Scope: Session-scoped. Resets when the session ends.
/safe-mode clear
Removes all restrictions for the current session. Both cautious warnings and lockdown restrictions are disabled.
SAFE MODE: All restrictions cleared for this session.
The hook inspects tool_input.command before every Bash execution:
const DANGEROUS_PATTERNS = [
{ pattern: /\brm\s+(-[a-zA-Z]*[rf][a-zA-Z]*\s|--recursive|--force)/, label: "rm with -rf flags" },
{ pattern: /\bDROP\s+(TABLE|DATABASE|INDEX|VIEW)\b/i, label: "DROP SQL statement" },
{ pattern: /\bTRUNCATE\b/i, label: "TRUNCATE SQL statement" },
{ pattern: /\bgit\s+push\s+(-[a-zA-Z]*f|--force)/, label: "git force-push" },
{ pattern: /\bgit\s+reset\s+--hard\b/, label: "git hard reset" },
{ pattern: /\bgit\s+clean\s+-[a-zA-Z]*f/, label: "git clean -f" },
{ pattern: /\bgit\s+(checkout|restore)\s+\./, label: "git discard all changes" },
{ pattern: /\bchmod\s+777\b/, label: "chmod 777" },
{ pattern: /\bcurl\b.*\|\s*(sh|bash)\b/, label: "piped remote execution" },
{ pattern: /\bwget\b.*\|\s*(sh|bash)\b/, label: "piped remote execution" },
{ pattern: /\bsudo\s+rm\b/, label: "elevated deletion" },
];
Match found → emit warning to stderr. No match → pass through silently.
The hook checks tool_input.file_path against the lockdown path:
function isInsideLockdown(filePath, lockdownPath) {
const resolved = fs.realpathSync(path.resolve(filePath));
const allowed = fs.realpathSync(path.resolve(lockdownPath));
const rel = path.relative(allowed, resolved);
return rel === '' || (!rel.startsWith('..') && !path.isAbsolute(rel));
}
Inside lockdown path → pass through. Outside → block with explanation.
Mode state lives in a session-scoped temp file (keyed by session ID to avoid cross-session leaks):
$TMPDIR/pro-workflow/safe-mode-<sessionId>.json
{
"mode": "lockdown",
"lockdownPath": "/Users/dev/project/src/api",
"sessionId": "abc123",
"activatedAt": "2026-03-28T10:00:00Z"
}
Cleared by /safe-mode clear. State persists until explicitly cleared or the temp file is manually removed. Each session has its own state file.
Cautious and lockdown can run simultaneously:
/safe-mode cautious
/safe-mode lockdown src/api/
Now you get:
src/api/ onlyClear removes both.
| Situation | Mode |
|---|---|
| Working on production-adjacent code | Cautious |
| Focused refactoring of one module | Lockdown |
| Unfamiliar codebase, feeling cautious | Cautious |
| Pair programming, limiting AI scope | Lockdown |
| Done with restrictions | Clear |