How GitHub Issues Built Our Safety Hooks
The first version of bash-guard blocked five patterns: rm -rf /, sudo, curl | bash, chmod -R 777, and writes to system directories. It felt comprehensive at the time.
Then I started reading the GitHub issues.
The pattern
Every few days, someone opens an issue on the Claude Code repository describing data they lost. What they asked Claude to do. What Claude actually did. The damage. Sometimes there are screenshots. Sometimes there are cost figures.
Reading these issues became part of the loop. Each one is a test case for whether our hooks would have caught the problem. When they wouldn’t have, that’s a feature request.
Docker: the container escape
Issue #37621 described a scenario where Claude mounted the host filesystem into a Docker container (docker run -v /:/host), effectively bypassing all file-system restrictions. The built-in deny rules check the command string, but when the dangerous part is a Docker flag rather than a direct shell command, they miss it.
bash-guard now blocks Docker volume mounts that expose the root filesystem, docker compose down -v (which destroys volumes), docker system prune (which deletes everything), and docker exec (which can run arbitrary commands in containers). Safe variants like docker compose down (without -v) pass through.
Databases: the production wipe
#33183 was one of the worst. A user ran prisma db push and it wiped their production database. 276 user accounts. 14,000 records. 66,000 images. Gone. The issue had zero comments when I found it.
#37439 was a Laravel project where php artisan migrate:fresh destroyed their database. #37574 was doctrine:fixtures:load. Each one a different framework, each one the same outcome.
bash-guard now blocks database destruction across Rails, Django, Laravel, Doctrine, Prisma, and direct SQL (DROP TABLE, DROP DATABASE, TRUNCATE). Also dropdb, redis-cli FLUSHALL, and mongosh drops. Safe migrations pass through.
Credentials: the output leak
#32616 documented three credential exposure incidents in two days. The problem was not that Claude accessed credential files directly (that’s what file-guard handles) but that it ran commands like env, printenv, or cat .env and the secrets appeared in the tool output.
bash-guard now blocks environment dumps (env, printenv, export -p), credential file reads (cat .env, cat credentials.json, cat ~/.aws/credentials), and debug trace modes (bash -x, set -x) that expand variables in output. Specific variable reads (printenv HOME) still work.
Cloud infrastructure and mass deletion
After seeing issues about accidental infrastructure teardowns, bash-guard added protection for Terraform, AWS CLI, Kubernetes, Pulumi, and GCP. Safe read-only operations (terraform plan, aws s3 ls, kubectl get pods) pass through.
#37331 showed that find -delete, xargs rm, and git clean -f could wipe files in bulk without confirmation. Subtler than rm -rf /, but the damage is the same.
The compound bypass
The most interesting discovery came from #37662, where a user cited our bash-guard PR as a solution. The problem: Claude’s built-in deny rules evaluate the command string as a whole. When a dangerous command follows cd in a compound statement (cd .. && rm -rf /), the deny rule on rm -rf may not fire because the full string doesn’t match the pattern.
bash-guard splits compound commands at &&, ||, ;, and | operators and evaluates each segment independently. This means echo ok; dropdb production gets caught even though the full string starts with a harmless echo.
What this looks like in practice
The test suite grew from the original 40 to 225. Each test maps to a real scenario from a real issue. The safe variants matter as much as the blocked ones: you need rm -rf ./build to work while blocking rm -rf /. You need docker compose down while blocking docker compose down -v. You need prisma migrate dev while blocking prisma db push.
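The following Python sketch is an added example, not bash-guard's code: it shows the two ideas above, splitting a command at the four operators and evaluating each segment on its own, while letting the safe variants (rm -rf ./build, docker compose down, printenv HOME) pass. The rule names and regexes are constructed for illustration from the incidents described in this post and are not the project's rule set; the splitter also fails closed on a line shlex cannot parse.

```python
import re
import shlex

# Operators at which the post says bash-guard splits a compound command.
SEPARATORS = {"&&", "||", ";", "|"}

# Deny rules constructed for this example from incidents the post cites.
# Each regex runs against ONE normalised segment, never the whole string.
DENY_RULES = [
    ("rm on root", re.compile(r"^rm\s+(?:-\S+\s+)*/\*?$")),
    ("docker root mount", re.compile(r"^docker\s+run\b.*\s(?:-v|--volume)\s+/:")),
    ("compose down -v", re.compile(r"^docker(?:-|\s+)compose\s+down\b.*\s(?:-v|--volumes)\b")),
    ("dropdb", re.compile(r"^dropdb\b")),
    ("prisma db push", re.compile(r"^(?:npx\s+)?prisma\s+db\s+push\b")),
    ("env dump", re.compile(r"^(?:env|printenv|export\s+-p)$")),
    ("credential read", re.compile(r"^cat\s+(?:\S*/)?(?:\.env|credentials\.json|\.aws/credentials)$")),
    ("git clean -f", re.compile(r"^git\s+clean\b.*\s-[A-Za-z]*f")),
]


def split_segments(command):
    """Split a command line into simple commands at SEPARATORS.
    shlex tokenises, so an operator inside quotes does not split
    (echo "a; b" stays one segment); tokens are re-joined with single
    spaces so the regexes see normalised whitespace."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True  # keep /:/host as one token (Python 3.8+)
    segments, current = [], []
    for token in lex:  # raises ValueError on an unbalanced quote
        if token in SEPARATORS:
            if current:
                segments.append(" ".join(current))
            current = []
        else:
            current.append(token)
    if current:
        segments.append(" ".join(current))
    return segments


def check_command(command):
    """Return [(segment, rule_name), ...]; an empty list means allowed.
    A line shlex cannot parse is reported as a violation (fail closed)."""
    try:
        segments = split_segments(command)
    except ValueError:
        return [(command, "unparseable")]
    return [(seg, name) for seg in segments
            for name, rule in DENY_RULES if rule.search(seg)]
```

With this, echo ok; dropdb production is blocked on its second segment even though the whole string starts with echo, and a matching hook would deny the tool call whenever check_command returns a non-empty list.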
The .bash-guard config file lets teams opt into what they need: allow: sudo for infrastructure projects, deny: rm for audio production directories where any file deletion is unacceptable.
The reading continues
Every few days there are new issues. Some describe scenarios we already catch. Some describe new categories of damage. If you use Claude Code, check your setup:
curl -fsSL https://raw.githubusercontent.com/Bande-a-Bonnot/Boucle-framework/main/tools/safety-check/check.sh | bash
It scores your configuration from A to F and shows what’s missing.
All hooks: github.com/Bande-a-Bonnot/Boucle-framework/tree/main/tools