rm -rf ~/ or git checkout -- . can wipe hours of uncommitted work in milliseconds. This isn’t hypothetical: a well-documented Reddit incident showed Claude CLI silently deleting an entire home directory. Adding soft instructions to a CLAUDE.md or AGENTS.md file helps, but those are guidelines the agent can misinterpret or overlook under the wrong conditions. CC Safety Net is a hard technical constraint — a PreToolUse hook that intercepts every Bash tool call and blocks destructive commands before they ever reach the shell.
How It Works
CC Safety Net registers itself as a PreToolUse hook inside your AI coding agent. Every time the agent wants to run a Bash command, the hook fires first. CC Safety Net parses and semantically analyzes the command — understanding what it actually intends to do, not just what characters it contains — and either allows it through or blocks it with a plain-language explanation returned to the agent. Because PreToolUse hooks run before the agent’s own permission system, CC Safety Net acts as the outermost layer of defense. Even if your permission rules are misconfigured or bypassed, CC Safety Net still sees the raw command and can stop it.Supported Agents
CC Safety Net works with the following AI coding agents:- Claude Code
- Codex
- Gemini CLI
- GitHub Copilot CLI
- Kimi CLI
- OpenCode
- Pi
Key Capabilities
Semantic Analysis
CC Safety Net understands command intent rather than matching against fixed string patterns. It correctly distinguishes
git checkout -b feature (safe: creates a branch) from git checkout -- file (dangerous: discards uncommitted changes) — something wildcard rules cannot do reliably.Shell Wrapper Detection
Destructive commands don’t have to appear at the top level to be caught. CC Safety Net recursively unwraps
bash -c, sh -c, and similar shell invocations up to ten levels deep, so commands hidden inside wrappers are analyzed the same way as direct calls.Interpreter One-Liners
Destructive code embedded in
python -c, node -e, ruby -e, or perl -e one-liners is detected and blocked. An agent cannot sneak os.system("rm -rf /") past the hook by wrapping it in a Python call.Custom Rules
Beyond the built-in protections, you can define your own blocking rules via rulebooks at the user level (
~/.cc-safety-net/rules/rule.json) or the project level (.cc-safety-net/rules/rule.json in your project root). Project-level overrides win over user-level overrides for the same rule key.Audit Logging
Every blocked command is written to
~/.cc-safety-net/logs/<session_id>.jsonl so you have a full audit trail of what the agent tried to do and why it was stopped. Sensitive values such as tokens, passwords, and API keys are automatically redacted before anything is written to the log.Worktree Mode
Linked git worktrees are designed to be disposable, isolated workspaces. When you enable Worktree Mode (
CC_SAFETY_NET_WORKTREE=1), local-discard rules are relaxed inside a confirmed linked worktree so you can work freely there without triggering false positives.CC Safety Net complements — it does not replace — Claude Code’s permission deny rules and native sandboxing. Each layer protects a different threat surface: deny rules offer quick, user-configurable blocks; sandboxing provides OS-level filesystem and network containment; and CC Safety Net handles known-destructive git and filesystem patterns that sandboxing permits and that pattern matching can be tricked into allowing. Running all three together gives you defense-in-depth.