feat(plugin): add destructive-command-guard plugin

[leszekszpunar]

Summary

• Add destructive-command-guard plugin -- a PreToolUse hook that blocks irreversible Bash commands and warns about edits to agent policy files
• Blocks dangerous mass-deletion (root, home, cwd, system paths), mass Docker operations, destructive git commands, indirect execution, and alternative deletion tools
• Warns (once per session via systemMessage) on edits to CLAUDE.md, .claude/settings.json, .claude/settings.local.json, hooks/hooks.json
• Supports multi-command chain splitting, env var disable (ENABLE_DESTRUCTIVE_GUARD=0), and session-scoped state with 30-day auto-cleanup

Closes #23871, closes #23870

Related issues

This plugin addresses or mitigates multiple open reports of destructive agent behavior:

Issue	Description	Coverage
#23871	Agent lacks detection for self-destructive operations	Direct fix -- blocks mass deletion, Docker, git destructive
#23870	Agent can overwrite/delete CLAUDE.md and policy files	Direct fix -- warns on policy file edits
#23010	Plan mode missing permission prompt for destructive rm	Blocks the rm pattern regardless of mode
#22638	Claude ignored CLAUDE.md, executed git stash drop causing data loss	Blocks git stash drop without specific ref
#18290	Destructive git checkout without confirmation	Blocks git checkout -- . pattern
#14944	docker volume rm without confirmation, Supabase data loss	Blocks mass docker volume rm $(docker volume ls -q)
#17908	CLAUDE.md rules for destructive ops not reliably followed	Plugin enforces rules at tool level, independent of model compliance
#13904	Destructive git reset --hard during test restructuring	Blocks git reset --hard without explicit target
#19874	Plan mode has no tool-level enforcement	Plugin operates at PreToolUse level, enforced regardless of mode
#17296	Dangerous destructive model behavior	Provides blocklist-based safety net
#24196	HIGH-PRIORITY Unauthorized rm -rf in chained command caused data loss	Blocks chained rm -rf via multi-command splitting (&&, ;)
#24319	Newline in command string caused rm -rf to delete project directory	Command splitter handles \n separators, checks each part independently

Not covered (out of scope for this plugin):

• SQL destructive operations via MCP (Claude Opus 4.5 executed destructive SQL UPDATE deleting 55,000 records WITHOUT asking for permission #13325) -- requires database-specific tooling
• Single-file git checkout <file> (Bug: Claude executes destructive git checkout without confirmation #18290 partial) -- cannot distinguish from branch switching without filesystem context

Security hardening

• Session ID sanitization (CWE-22 path traversal prevention)
• Debug logs in ~/.claude/ not /tmp (CWE-377 symlink attack prevention)
• Atomic state writes via tempfile + os.replace (race condition mitigation)
• Indirect execution detection (eval, sh -c, bash -c, pipe-to-shell, base64 decode)
• Path normalization (catches //, /./, /../..)
• Command splitter handles ||, newlines, &&, ;, |
• Adversarial review + two rounds of Gemini cross-verification applied

Test plan

• 102 automated tests passing (rm, Docker, git, file protection, indirect execution, find -exec, xargs, env var, session ID)
• Verify blocked commands return exit code 2 in live session
• Verify allowed commands return exit code 0 in live session
• Verify protected file edits emit systemMessage on first occurrence, silent on repeat
• Install plugin via claude --plugin-dir ./plugins/destructive-command-guard and test end-to-end

[leszekszpunar]

Update: Added git restore . / --staged . / --worktree . blocking (commit 60d3663). This closes the gap where the modern git restore equivalent of git checkout -- . was not guarded. Also covers :/ (whole-repo pathspec) and short flags (-S, -W).

[frmoretto]

Hey @leszekszpunar — nice work on the safety coverage here, clearly a lot of thought went into it.

Just wanted to flag that Hardstop (npm i hardstop) already covers this space as a published Claude Code plugin (v1.4.3), and was submitted through the official plugin submission process. It's been on npm for a while now with:

• 428 security patterns (destructive commands, credential theft, infrastructure teardown, prompt injection, indirect execution, macOS-specific vectors)
• 100% code coverage across all hooks
• Chain-aware command splitting (&&, |, ;, \n)
• LLM-assisted semantic analysis for obfuscated/edge-case commands
• Fail-closed design — blocks by default when uncertain
• Separate hardstop-patterns package for reuse in other tools
• SLSA build provenance via Sigstore

There's significant overlap between the two projects. I'd encourage the maintainers to consider the existing ecosystem work here before merging a parallel implementation. Happy to collaborate if there are gaps worth addressing together.

[leszekszpunar]

Hey @frmoretto — thanks for the heads-up, and nice work on Hardstop. I've reviewed the codebase and patterns in detail. You're right there's overlap, but I think the two plugins occupy different design points rather than being direct duplicates.

Where Hardstop clearly wins:

• Breadth of coverage — cloud CLIs (AWS/GCP/Firebase), reverse shells, credential exfiltration, macOS/Windows-specific vectors, SQL injection, IaC destructive ops. We have zero coverage there.
• Read tool protection — blocking reads of .ssh/, .aws/credentials, .env etc. We don't hook into Read at all.
• LLM semantic fallback for novel/obfuscated commands.
• Risk scoring, MITRE ATT&CK mapping, structured audit logging.
• Cross-platform (Windows/PowerShell support).

Where this plugin goes deeper:

• Git analysis — we parse flags semantically rather than pattern-match. We distinguish --force vs --force-with-lease, git clean -n (dry-run, allowed) vs git clean -fd (blocked), git reset --hard with vs without target, git restore --staged . vs specific files, git stash drop with vs without ref. Hardstop's safe allowlist blanket-allows git checkout, git restore, git merge — meaning git checkout -- . passes Layer 1 uncaught.
• Policy file protection — we warn on edits to CLAUDE.md, settings.json, hooks.json (both via Write/Edit tools and Bash redirects/sed/tee/mv). This guards against agent self-modification, which is a distinct threat vector.
• Write/Edit tool monitoring — we hook into Write, Edit, MultiEdit. Hardstop only hooks Bash/PowerShell/Read.
• Zero dependencies — Python 3.7+ stdlib only. No YAML, no npm runtime, no subprocess calls to Claude CLI. Single 820-line file.
• Path normalization — explicit handling of //, /./, /../.. before matching.
• Variable/subshell detection — explicitly blocks dynamic expansion targets like $(cmd), $VAR, backtick substitution with targeted error messages.

Different design philosophy:

• Hardstop is broad + LLM-assisted — wide coverage net with semantic fallback.
• This plugin is narrow + deep — fewer categories but more precise per-command analysis within those categories, zero external dependencies, and no API cost.

I think these are genuinely complementary. If maintainers are interested, one path forward could be combining the deep semantic analysis from this plugin (git, Docker, policy files, Write/Edit monitoring) with the broader pattern library from hardstop-patterns. Open to discussing that.

[leszekszpunar]

Hi team 👋

Friendly bump — this PR has been open for ~18 days with no review yet. It's mergeable with no conflicts.

Quick context on why this matters:

• Addresses 6+ open issues reporting destructive agent behavior (Agent lacks built-in detection for self-destructive operations (deleted working directory, mass docker removal, worktree proliferation) #23871, Agent can overwrite/delete CLAUDE.md and policy files it depends on #23870, [Bug] Plan mode missing permission prompt for destructive rm command #23010, [MODEL] Claude repeatedly ignored CLAUDE.md rules, executed destructive git command causing data loss #22638, Bug: Claude executes destructive git checkout without confirmation #18290, [BUG] Agent executed destructive docker volume rm without user confirmation, causing data loss #14944) — all still open
• Self-contained plugin (new directory under plugins/, no changes to core code except a minor docs fix also in fix(plugin-dev): add missing descriptions to AskUserQuestion option examples #23930)
• 1054 additions across 4 new files — Python hook with comprehensive test coverage against bypass vectors
• Opt-in via claude plugins install — zero impact on users who don't enable it

Would really appreciate an initial review when someone has bandwidth. Happy to address any feedback. Thanks!

[leszekszpunar]

Update (March 20): Since this PR was submitted, destructive-command incidents have continued to escalate. Recent reports from the last few days:

• [BUG] [Windows] rm -rf on pnpm project deleted entire C:\Users via NTFS junction traversal — Claude Code v2.1.51 #36339 — rm -rf on pnpm project deleted entire C:\Users via NTFS junction traversal
• Issue closed - please delete #36233 — Claude Code deleted entire Mac filesystem during security cleanup
• [MODEL] Claude ran prisma db push --force-reset on production database, wiping all data without user consent #36183 — prisma db push --force-reset on production database, wiping all data without consent
• [Bug] Agent bypasses tool restrictions and performs destructive recovery without safety checks #36413 — Agent bypasses tool restrictions, performs destructive recovery without safety checks
• Claude Code takes unauthorized destructive actions and repeated judgment failures #35584 — Claude Code takes unauthorized destructive actions

There's also growing community momentum around safety plugins — several new guard PRs since February: #34257, #33390, #31633, #30521, #30692.

This plugin remains conflict-free and opt-in. It specifically addresses git/Docker/filesystem destruction patterns — areas where broader pattern-matching approaches have documented gaps (e.g., git checkout -- ., git restore --staged .).

Would appreciate a review when the team has bandwidth. Happy to adapt to any feedback.