Why this matters
Most modern AI coding agents can execute shell commands on behalf of users, which makes them useful but also risky: a single git reset --hard, rm -rf, or cloud CLI delete can erase hours of work or production data. dcg sits as a pre-tool hook for agents and agent-capable IDEs to catch these catastrophic commands before they run, while keeping interactive latency negligible.
What Sets It Apart
- Low-latency hook design: quick-reject filters and lazy-compiled patterns let safe commands pass in sub-millisecond paths; an absolute analysis deadline (200 ms) enforces fail-open behavior so the hook never stalls interactive workflows.
- Modular pack system: 50+ opt-in packs (databases, Kubernetes, cloud providers, containers, CI, backups, platform CLIs, Windows-specific packs, etc.) let teams enable protections relevant to their environment without noise.
- Deep context and heredoc analysis: a three-tier pipeline (trigger regex → bounded extraction → AST pattern matching) detects destructive operations embedded in heredocs or inline scripts and recursively inspects nested shell content.
- Agent-aware integrations: native support and installer hooks for Claude Code, Codex CLI, Gemini CLI, GitHub Copilot CLI, VS Code Copilot Chat, Cursor, Hermes Agent, Grok (xAI), and others, emitting the agent-specific JSON denial contracts so agents reliably recognize blocked decisions.
- Practical safety ergonomics: suggestions, allow-once short codes, project/user allowlists, scoped rebase-recovery permits, and a configurable fail-open/fail-closed policy balance protection with usability for real teams.
Who it's for and tradeoffs
Great fit if you run or test AI coding agents that can execute shell commands and you need an automated guardrail to prevent accidental destructive operations across workstations and CI. It is especially useful for teams that want per-project policies (project allowlists and packs) and machine-readable hooks for agent integrations.
Look elsewhere or complement with other tools if you need a hard enforcement boundary against malicious actors (dcg assumes well-intentioned but fallible agents), full prevention of arbitrary programmatic file writes (it focuses on command-based execution patterns), or if you require formal, centrally-enforced policies in restricted environments—dcg is a user-hook layer and can be bypassed by privileged processes or adversarial tooling. Also expect occasional configuration work to tune packs and avoid friction from conservative defaults.
Practical notes
dcg is designed as a guardrail rather than an absolute sandbox: it prioritizes never blocking legitimate work by default (fail-open), provides escape hatches (DCG_BYPASS, allow-once, env overrides), and offers CI/scan modes to catch dangerous commands committed into repositories. The project is implemented for low overhead (Rust, SIMD-accelerated quick filters, dual regex engines) and provides installer scripts and packaged binaries for common platforms, so rollout can be incremental (local developer hooks → CI scan → org-wide policies).