Claude Code can run any bash command. bash-guard intercepts dangerous ones before they execute.

What it blocks

• rm -rf /, rm -rf ~, rm -rf * (critical path deletion)
• chmod -R 777, chmod -R 000 (dangerous permissions)
• curl ... | bash, wget ... | sh (pipe to shell)
• sudo anything (privilege escalation)
• kill -9 -1, killall -9 (broad kill signals)
• dd of=/dev/sda, mkfs (disk operations)
• Redirects to /etc/, /usr/ (system writes)
• eval "$variable" (code injection)
• npm install -g (global installs)

Safe variants pass through: rm -rf ./build, chmod 644 file.txt, kill -9 12345.

Install

curl -sL https://raw.githubusercontent.com/Bande-a-Bonnot/Boucle-framework/main/tools/bash-guard/install.sh | bash

Or all four hooks:

curl -sL https://raw.githubusercontent.com/Bande-a-Bonnot/Boucle-framework/main/tools/install.sh | bash -s -- all

Configure

Create .bash-guard in your project:

allow: sudo
allow: pipe-to-shell

Disable: export BASH_GUARD_DISABLED=1

40 tests. Source on GitHub. DEV.to article.