/guard — Catch risky actions before they run

Guard evaluates commands before the agent executes them. Block rules run before the allowlist, so a safe binary with a dangerous argument still gets stopped.

How it works

/guard installs a PreToolUse hook that intercepts every shell command before execution. The hook checks the command through the six tiers below and either allows it, blocks it with an alternative, or warns and asks for confirmation. Write, Edit, and MultiEdit go through a separate hook for protected paths.

/guard

Guard activated. Block rules and allowlist loaded.
Mode: careful (warn on matches, block on critical)

The hook runs in the agent's process. No daemon, no background service. Hard blocking depends on the host. Claude Code can enforce through hooks. Other verified adapters may run the same workflow as guided instructions or reported checks, depending on their capability file.

Six tiers of protection

Tier 1: Block rules

Block rules run first. They cover mass deletion, history destruction, database drops, remote code execution, secret reads, and safety bypasses. A safe binary with a dangerous argument still gets stopped, so cat .envstill hits the secrets check even though cat is fine for normal files.

Tier 2: Allowlist

Safe commands such as git status, ls, cat, jq, and npm test continue only after block rules clear. The allowlist is intentionally short.

Tier 3: In-project

Repo-local changes stay inside the project boundary. If an agent tries to write to /etc/hosts or ~/.ssh/, that is blocked regardless of what the command does. Writes must target the project directory or /tmp.

Tier 4: Phase-aware concurrency

Read-only phases block writes, including registered custom phases. Running npm publish during the build phase is blocked. During /ship, it is allowed (if your config enables it). The hook reads the phase graph and concurrency metadata from the sprint state.

Tier 5: Phase gate

Commit and push wait for fresh review, security, and qa artifacts where host enforcement supports it. The gate reads the resolver output, so it stays consistent with the rest of the sprint state.

Tier 6: Budget gate

An optional sprint budget stops non-allowlisted work when the threshold is reached, so a runaway agent does not silently burn through tokens.

Write, Edit, and MultiEdit parity

Write, Edit, and MultiEdit go through their own hook. It blocks protected paths, credential files, credential JSON basenames, and system secret directories after resolving symlinks. Safe templates such as .env.example and credentials.example.json remain usable.

Example flow

Agent: Running "rm -rf node_modules dist build"

Guard: BLOCKED (G-001: Mass deletion pattern)
  Matched: rm -rf with multiple targets
  Alternative: rm -rf node_modules && rm -rf dist && rm -rf build
  Reason: Individual deletions are easier to audit and recover from.

Agent: Retrying with individual deletions...
  Running "rm -rf node_modules" ✓
  Running "rm -rf dist" ✓
  Running "rm -rf build" ✓

The agent receives the block reason and the suggested alternative. Most agents retry automatically with the safer version.

Deny and continue

When a command is blocked, the agent does not stop the sprint. It receives a structured response with the denial reason and proceeds with its next action. If the blocked command was critical to the task, the agent will report that it could not complete the step and explain why.

This is different from a crash. The sprint stays intact, artifacts are preserved, and the agent can still complete other phases.

Activate and deactivate

/guard              # activate with default rules
/guard --careful    # warn mode (asks before blocking)
/guard off          # deactivate

Guard state does not persist between sessions. Start each session with /guard if you want protection active.

PreviousIntensity modesNextBlock rules