Setup Git Guardrails
Sets up a PreToolUse hook that intercepts and blocks dangerous git commands before Claude executes them.
What Gets Blocked
-
git push (all variants including --force )
-
git reset --hard
-
git clean -f / git clean -fd
-
git branch -D
-
git checkout . / git restore .
When blocked, Claude sees a message telling it that it does not have authority to access these commands.
Steps
- Ask scope
Ask the user: install for this project only (.claude/settings.json ) or all projects (~/.claude/settings.json )?
- Copy the hook script
The bundled script is at: scripts/block-dangerous-git.sh
Copy it to the target location based on scope:
-
Project: .claude/hooks/block-dangerous-git.sh
-
Global: ~/.claude/hooks/block-dangerous-git.sh
Make it executable with chmod +x .
- Add hook to settings
Add to the appropriate settings file:
Project (.claude/settings.json ):
{ "hooks": { "PreToolUse": [ { "matcher": "Bash", "hooks": [ { "type": "command", "command": ""$CLAUDE_PROJECT_DIR"/.claude/hooks/block-dangerous-git.sh" } ] } ] } }
Global (~/.claude/settings.json ):
{ "hooks": { "PreToolUse": [ { "matcher": "Bash", "hooks": [ { "type": "command", "command": "~/.claude/hooks/block-dangerous-git.sh" } ] } ] } }
If the settings file already exists, merge the hook into existing hooks.PreToolUse array — don't overwrite other settings.
- Ask about customization
Ask if user wants to add or remove any patterns from the blocked list. Edit the copied script accordingly.
- Verify
Run a quick test:
echo '{"tool_input":{"command":"git push origin main"}}' | <path-to-script>
Should exit with code 2 and print a BLOCKED message to stderr.