Stop Claude Code from destroying your cloud infrastructure
Claude Code can run any shell command. If your project uses Terraform, kubectl, or any cloud CLI, a misunderstood prompt can trigger terraform destroy, kubectl delete namespace production, or aws ec2 terminate-instances before you see the confirmation dialog.
The permission system helps, but compound commands and multi-line scripts bypass deny rules. And if you’re running with bypassPermissions for speed, there’s no safety net at all.
What we built
bash-guard is a PreToolUse hook that evaluates every Bash command before it runs. It blocks destructive patterns across 15+ cloud platforms:
Terraform / OpenTofu: terraform destroy, terraform apply -auto-approve (without plan), tofu destroy
Kubernetes: kubectl delete namespace, kubectl delete pod --all, kubectl drain, kubectl scale --replicas=0
Helm: helm uninstall, helm delete
AWS CLI: aws ec2 terminate-instances, aws rds delete-db-instance, aws dynamodb delete-table, aws lambda delete-function, aws cloudformation delete-stack
Azure: az group delete, az vm delete, az webapp delete, az sql server delete
GCP: gcloud compute instances delete, gcloud projects delete
DigitalOcean: doctl compute droplet delete, doctl databases delete
Fly.io: flyctl destroy, fly apps destroy
Heroku: heroku apps:destroy, heroku pg:reset
Vercel / Netlify: vercel rm, netlify sites:delete
Docker: docker system prune -a, docker rm -f $(docker ps -aq)
When a pattern matches, the hook returns a structured JSON response that Claude sees as a hard block, not a suggestion. The command never executes.
How it works
When Claude tries to run a command, the hook receives a JSON payload with the command string. bash-guard checks it against its pattern library:
Claude runs: terraform destroy -auto-approve
bash-guard: {"decision":"block","reason":"terraform destroy could remove all managed infrastructure"}
Result: Command blocked. Claude suggests terraform plan instead.
It handles compound commands too. echo "just checking" && terraform destroy gets caught because bash-guard evaluates each part of a pipeline or chain.
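To make that flow concrete, here is a minimal PreToolUse hook in Python, written for this post as an illustration rather than taken from bash-guard's source. It assumes the input shape Claude Code sends to hooks ({"tool_name": "Bash", "tool_input": {"command": "..."}}) and the {"decision": "block", "reason": "..."} output shown above; the pattern table is a constructed subset of the categories listed, not bash-guard's library. It splits chains, pipelines and $(...) substitutions into simple commands, strips sudo and VAR=value prefixes so patterns can anchor on the program name, and blocks on the first match.

```python
#!/usr/bin/env python3
"""Illustrative PreToolUse hook (not bash-guard itself): block destructive cloud CLI commands."""
import json
import re
import shlex
import sys

# Constructed subset of destructive patterns, one or two per category the post lists.
# Each regex is matched against a normalised simple command (program name first).
PATTERNS = [
    (re.compile(r"^(terraform|tofu)\s+destroy\b"),
     "terraform destroy could remove all managed infrastructure"),
    # -auto-approve without a saved plan file (*.tfplan) applies unreviewed changes
    (re.compile(r"^(terraform|tofu)\s+apply\b(?!.*\S+\.tfplan\b).*\s-auto-approve\b"),
     "terraform apply -auto-approve applies changes without a reviewed plan"),
    (re.compile(r"^kubectl\s+delete\s+(namespace|ns)\b"),
     "kubectl delete namespace removes every resource in it"),
    (re.compile(r"^kubectl\s+delete\s+\S+.*\s--all\b"),
     "kubectl delete ... --all removes every object of that kind"),
    (re.compile(r"^kubectl\s+(drain\b|scale\b.*--replicas[= ]0\b)"),
     "draining a node or scaling to zero takes workloads offline"),
    (re.compile(r"^helm\s+(uninstall|delete)\b"), "helm uninstall removes a release"),
    (re.compile(r"^aws\s+(ec2\s+terminate-instances|rds\s+delete-db-instance|cloudformation\s+delete-stack)\b"),
     "aws terminate/delete operations are irreversible"),
    (re.compile(r"^az\s+(group|vm|webapp)\s+delete\b"), "az ... delete removes Azure resources"),
    (re.compile(r"^gcloud\s+(compute\s+instances|projects)\s+delete\b"), "gcloud delete removes GCP resources"),
    (re.compile(r"^docker\s+system\s+prune\b.*\s(-a|--all)\b"), "docker system prune -a removes all unused images"),
    (re.compile(r"^docker\s+rm\b.*\$\(\s*docker\s+ps\b"), "docker rm over docker ps output removes every container"),
]

# Operators that start a new simple command: &&, ||, ;, |, newline, and a lone & (background),
# but not the & inside redirections such as 2>&1 or &>file.
SPLIT_RE = re.compile(r"&&|\|\||;|\||\r?\n|(?<![>&])&(?![&>])")
# One level of command substitution; its body executes too, so it is checked as well.
SUBST_RE = re.compile(r"\$\(([^()]*)\)|`([^`]*)`")
# Wrappers that do not change which program ultimately runs.
WRAPPERS = {"sudo", "env", "nohup", "time", "command", "exec"}
ASSIGNMENT_RE = re.compile(r"^[A-Za-z_]\w*=")


def split_compound(command: str) -> list:
    """Break a command line into the simple commands it would run, including the
    bodies of $(...) and backtick substitutions."""
    segments = []
    pending = [command]
    while pending:
        text = pending.pop()
        for part in SPLIT_RE.split(text):
            part = part.strip()
            if not part:
                continue
            segments.append(part)
            for m in SUBST_RE.finditer(part):
                pending.append(m.group(1) or m.group(2) or "")
    return segments


def normalize(segment: str) -> str:
    """Tokenise a simple command and drop sudo/env/VAR=value prefixes so that
    patterns can anchor on the real program name."""
    try:
        tokens = shlex.split(segment)
    except ValueError:  # unbalanced quotes (an over-split string): fall back to whitespace
        tokens = segment.split()
    while tokens and (tokens[0] in WRAPPERS or ASSIGNMENT_RE.match(tokens[0])):
        tokens.pop(0)
    return " ".join(tokens)


def evaluate(command: str) -> dict:
    """Hook decision for one Bash command line: {"decision": "block", "reason": ...}
    on the first destructive segment, or {} (stay silent, let it run) otherwise."""
    for segment in split_compound(command):
        normalized = normalize(segment)
        for pattern, reason in PATTERNS:
            if pattern.search(normalized):
                return {"decision": "block", "reason": reason}
    return {}


def main() -> None:
    # Assumed input shape from Claude Code: {"tool_name": "Bash", "tool_input": {"command": "..."}}
    payload = json.load(sys.stdin)
    if payload.get("tool_name") != "Bash":
        return
    decision = evaluate(payload.get("tool_input", {}).get("command", ""))
    if decision:
        print(json.dumps(decision))


if __name__ == "__main__":
    main()
```

Registered as a PreToolUse hook for the Bash tool (in the hooks block of Claude Code's settings file, assumed here), the script prints the decision object only for commands it blocks and stays silent otherwise. Splitting on shell operators and substitutions is what makes the echo-then-destroy chain above fail; it also over-splits strings that contain a literal ; or |, which is the conservative direction for a blocklist. The limits the post names apply equally: only commands that reach the Bash tool are seen, and only known patterns match.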
Install
curl -fsSL https://raw.githubusercontent.com/Bande-a-Bonnot/Boucle-framework/main/tools/bash-guard/install.sh | bash
Or install the recommended safety bundle (bash-guard + git-safe + file-guard):
curl -fsSL https://raw.githubusercontent.com/Bande-a-Bonnot/Boucle-framework/main/tools/install.sh | bash -s -- recommended
What it doesn’t cover
Hooks have limits. If you run Claude Code in cowork mode, user hooks are silently ignored due to a platform bug. And if the model decides not to use the Bash tool (piping through a language runtime instead), the hook doesn’t fire.
bash-guard catches the commands it knows about. It’s a blocklist, not a sandbox. New CLI tools or unusual invocation patterns won’t be caught until patterns are added. If you hit a gap, open an issue.
560+ tests cover the patterns listed above, including encoding bypasses, language wrappers, and compound command evaluation.