Damage Control
✓ Fresh · 2026-02-24Damage Control is a safety auditing extension that intercepts dangerous bash patterns and enforces path-based access control. It provides real-time protection against destructive operations.
Overview
Running Damage Control
pi -e extensions/damage-control.tsConfiguration
Rules are defined in .pi/damage-control-rules.yaml:
# .pi/damage-control-rules.yaml
blocked_commands:
- "rm -rf"
- "git reset --hard"
- "DROP DATABASE"
- "aws s3 rm --recursive"
- "chmod 777"
- "curl | bash"
- "wget | sh"
zero_access_paths:
- ".env"
- "~/.ssh/"
- "*.pem"
- "*.key"
- "*credentials*"
read_only_zones:
- "/etc/"
- "/usr/"
- "package-lock.json"
- "yarn.lock"
- "pnpm-lock.yaml"
no_delete_zones:
- ".git/"
- "Dockerfile"
- "README.md"
- "LICENSE"
- "docker-compose.yml"
ask_rules:
- pattern: "git push"
message: "About to push to remote. Continue?"
ask: true
- pattern: "npm publish"
message: "About to publish to npm. Continue?"
ask: true
- pattern: "docker rm"
message: "About to remove Docker container. Continue?"
ask: trueRule Types
Blocked Commands
Commands that are always rejected with no override option:
blocked_commands:
- "rm -rf" # Recursive force delete
- "git reset --hard" # Discard all local changes
- "DROP DATABASE" # Database destruction
- "aws s3 rm --recursive" # Cloud storage wipeWhen a blocked command is detected, the agent receives an error message and must find an alternative approach.
Zero-Access Paths
Files and directories that the agent cannot read or write under any circumstances:
zero_access_paths:
- ".env" # Environment variables / secrets
- "~/.ssh/" # SSH keys
- "*.pem" # Certificates
- "*.key" # Private keysRead-Only Zones
Paths where the agent can read but not write:
read_only_zones:
- "/etc/" # System configuration
- "package-lock.json" # Lock files
- "yarn.lock"No-Delete Zones
Paths where the agent can read and write but cannot delete:
no_delete_zones:
- ".git/" # Git history
- "Dockerfile" # Container config
- "README.md" # Documentation
- "LICENSE" # LegalAsk Rules (Confirmation Prompts)
Commands that trigger a confirmation prompt before execution:
ask_rules:
- pattern: "git push"
message: "About to push to remote repository. Continue?"
ask: true
- pattern: "npm publish"
message: "About to publish package to npm. Continue?"
ask: trueWhen ask: true, the user must explicitly confirm before the command runs.
Rule Evaluation Order
Example Scenarios
Scenario: Agent Tries rm -rf
Agent: Running `rm -rf node_modules/`
Damage Control: BLOCKED — "rm -rf" is in the blocked commands list.
Agent: I'll use a safer alternative: `rm -r node_modules/`Scenario: Agent Tries to Read .env
Agent: Reading `.env` to check configuration...
Damage Control: BLOCKED — ".env" is a zero-access path.
Agent: I can't access .env directly. Please tell me which
environment variables are needed.Scenario: Agent Tries to Push
Agent: Running `git push origin main`
Damage Control: About to push to remote repository. Continue? [y/N]
User: y
Agent: Push completed successfully.Combining with Other Extensions
Damage Control works well stacked with monitoring extensions:
# Safety + monitoring + clean UI
pi -e extensions/damage-control.ts \
-e extensions/tool-counter.ts \
-e extensions/minimal.tsThis gives you safety rails, cost tracking, and a clean interface all at once.