Safety Guard

1---2name: safety-guard3description: Use this skill to prevent destructive operations when working on production systems or running agents autonomously.4origin: ECC5---6 7# Safety Guard — Prevent Destructive Operations8 9## When to Use10 11- When working on production systems12- When agents are running autonomously (full-auto mode)13- When you want to restrict edits to a specific directory14- During sensitive operations (migrations, deploys, data changes)15 16## How It Works17 18Three modes of protection:19 20### Mode 1: Careful Mode21 22Intercepts destructive commands before execution and warns:23 24```25Watched patterns:26- rm -rf (especially /, ~, or project root)27- git push --force28- git reset --hard29- git checkout . (discard all changes)30- DROP TABLE / DROP DATABASE31- docker system prune32- kubectl delete33- chmod 77734- sudo rm35- npm publish (accidental publishes)36- Any command with --no-verify37```38 39When detected: shows what the command does, asks for confirmation, suggests safer alternative.40 41### Mode 2: Freeze Mode42 43Locks file edits to a specific directory tree:44 45```46/safety-guard freeze src/components/47```48 49Any Write/Edit outside `src/components/` is blocked with an explanation. Useful when you want an agent to focus on one area without touching unrelated code.50 51### Mode 3: Guard Mode (Careful + Freeze combined)52 53Both protections active. Maximum safety for autonomous agents.54 55```56/safety-guard guard --dir src/api/ --allow-read-all57```58 59Agents can read anything but only write to `src/api/`. Destructive commands are blocked everywhere.60 61### Unlock62 63```64/safety-guard off65```66 67## Implementation68 69Uses PreToolUse hooks to intercept Bash, Write, Edit, and MultiEdit tool calls. Checks the command/path against the active rules before allowing execution.70 71## Integration72 73- Enable by default for `codex -a never` sessions74- Pair with observability risk scoring in ECC 2.075- Logs all blocked actions to `~/.claude/safety-guard.log`