Git Commands
These git operations are blocked because they discard uncommitted work, destroy recovery history, or rewrite shared state.

| Command Pattern | Why It’s Blocked |
|---|---|
| git checkout -- <files> | Discards uncommitted changes permanently |
| git checkout --force / -f | Force-discards uncommitted changes |
| git checkout <ref> -- <path> | Overwrites working tree with ref version |
| git checkout <ref> <path> | May overwrite working tree when Git disambiguates ref vs pathspec |
| git checkout --pathspec-from-file | Can overwrite multiple files from a file list |
| git restore <files> | Discards uncommitted changes (use --staged to only unstage) |
| git restore --worktree / -W | Explicitly discards working tree changes |
| git switch --discard-changes | Discards uncommitted changes when switching branches |
| git switch --force / -f | Discards uncommitted changes (force switch) |
| git reset --hard | Destroys all uncommitted changes |
| git reset --merge | Can lose uncommitted changes |
| git clean -f / --force | Removes untracked files permanently |
| git push --force / -f | Destroys remote history (use --force-with-lease) |
| git branch -D | Force-deletes branch without merge check |
| git rebase --abort | Discards rebase conflict resolutions |
| git merge --abort | Discards merge conflict resolutions |
| git tag -d / --delete | Permanently deletes tags |
| git reflog delete | Removes recovery history |
| git stash drop | Permanently deletes stashed changes |
| git stash clear | Deletes ALL stashed changes |
| git worktree remove --force | Force-deletes worktree without checking for changes |

git checkout -Bf, git switch -Cf --discard-changes) are treated as forced branch resets and blocked.
Git SSH environment overrides
Git accepts GIT_SSH_COMMAND, GIT_SSH, and GIT_SSH_VARIANT to run an arbitrary program during network operations. CC Safety Net blocks any of these overrides when combined with a network subcommand, because they can execute arbitrary commands:

| Blocked pattern | Why It’s Blocked |
|---|---|
| GIT_SSH_COMMAND=... git clone | SSH override can execute arbitrary commands during network ops |
| GIT_SSH=... git fetch / pull / push | Same — applies to fetch, pull, push |
| GIT_SSH_VARIANT=... git ls-remote / submodule | Same — applies to ls-remote and submodule |

Filesystem Commands
| Command Pattern | Why It’s Blocked |
|---|---|
| rm -rf /, ~, $HOME | Root/home deletion is extremely dangerous and always blocked |
| rm -rf . (the cwd itself) | Deleting the whole working directory is treated as outside-cwd |
| rm -rf on dynamic targets | Targets containing $ or backticks can’t be verified and are blocked |
| rm -rf outside the cwd | Recursive deletion of absolute, parent, or non-temp paths outside the cwd is blocked |
| rm -rf while the cwd is your home | Blocked — change into a project directory first |
| find ... -delete | Permanently removes files matching criteria (use -print to preview) |
| find -exec rm -rf ... | Recursive-force delete inside a find exec block is blocked |
| xargs rm -rf | Dynamic input makes targets unpredictable |
| xargs <shell> -c | Can execute arbitrary commands |
| parallel rm -rf | Dynamic input makes targets unpredictable |
| parallel <shell> -c | Can execute arbitrary commands |

rm -rf is classified by target: root/home, dynamic, cwd-self (.), home-cwd, and outside-cwd targets are blocked; temp paths (/tmp, /var/tmp, the system temp dir, $TMPDIR) and paths inside the current working directory are allowed. See Commands Allowed for the safe variants.
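
The target classification described above, written out as an added example; this is not CC Safety Net's own code. The function names, the category strings, the precedence between categories, and the purely lexical path handling (no symlink resolution) are assumptions.

```python
import os

TEMP_ROOTS = ("/tmp", "/var/tmp")  # the system temp dir / $TMPDIR value is passed in by the caller

def _within(path, root):
    """True if path equals root or lies beneath it (lexical comparison only)."""
    return path == root or path.startswith(root.rstrip("/") + "/")

def classify_rm_target(target, cwd, home, tmpdir="/tmp"):
    """Classify one `rm -rf` target. Returns (category, allowed)."""
    if target in ("~", "~/", "$HOME"):
        return ("root-home", False)
    # $TMPDIR is the one variable given a known value; any other $ stays dynamic.
    if target == "$TMPDIR" or target.startswith("$TMPDIR/"):
        target = tmpdir + target[len("$TMPDIR"):]
    if "$" in target or "`" in target:
        return ("dynamic", False)
    if target.startswith("~/"):
        target = home + target[1:]
    elif target.startswith("~"):
        return ("dynamic", False)  # ~user expansion is not resolved here
    # Lexical normalisation: collapses "..", "." and doubled slashes, no symlink lookup.
    path = "/" + os.path.normpath(os.path.join(cwd, target)).lstrip("/")
    if path in ("/", home):
        return ("root-home", False)
    if path == cwd:
        return ("cwd-self", False)
    if any(_within(path, root) for root in TEMP_ROOTS + (tmpdir,)):
        return ("temp", True)
    if _within(path, cwd):
        # Assumption: home-cwd only affects targets that would pass as inside-cwd.
        return ("home-cwd", False) if cwd == home else ("inside-cwd", True)
    return ("outside-cwd", False)

def rm_rf_allowed(targets, cwd, home, tmpdir="/tmp"):
    """A command is allowed only if every one of its targets is allowed."""
    return all(classify_rm_target(t, cwd, home, tmpdir)[1] for t in targets)

# Constructed sample targets, evaluated for a constructed project directory.
if __name__ == "__main__":
    for t in ["build", "/tmp/../etc", "$TMPDIR/cache", "$(pwd)/x", "..", "."]:
        print(t, classify_rm_target(t, "/home/dev/proj", "/home/dev"))
```

Normalising before the temp check is what keeps a target such as /tmp/../etc from being treated as a temp path.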
Commands like dd, mkfs, and shred are not blocked as bare top-level commands. They are only caught when they appear inside an interpreter one-liner or unparseable command text that CC Safety Net scans for dangerous patterns. A bare dd if=/dev/zero of=/dev/sda is allowed through — if you need these blocked in your environment, add a custom rule.
Shell Wrappers and Interpreter One-Liners
Commands wrapped in shell interpreters like bash -c or sh -c are also blocked. CC Safety Net recursively analyzes nested wrappers up to 10 levels deep, so there is no bypass through indirection.
-c or -e flag and scans it for embedded destructive operations, so an agent cannot sneak os.system("rm -rf /") past the hook by wrapping it in a Python or Node call.
python, python2, python3, node, ruby, and perl. It is the embedded destructive command that triggers the block — the one-liner form alone is allowed by default.
Blocking all interpreter one-liners
If you want to block interpreter one-liners outright regardless of their content, set CC_SAFETY_NET_PARANOID_INTERPRETERS=1. Every python -c, node -e, ruby -e, and perl -e one-liner is then blocked, even if it contains no dangerous code. See Modes.
The explain command lets you trace exactly why CC Safety Net blocks or allows any specific command. See the CLI Commands reference.