Skip to content

Damage Control

✓ Fresh · 2026-02-24

Damage Control is a safety auditing extension that intercepts dangerous bash patterns and enforces path-based access control. It provides real-time protection against destructive operations.

Overview

Running Damage Control

bash
pi -e extensions/damage-control.ts

Configuration

Rules are defined in .pi/damage-control-rules.yaml:

yaml
# .pi/damage-control-rules.yaml

blocked_commands:
  - "rm -rf"
  - "git reset --hard"
  - "DROP DATABASE"
  - "aws s3 rm --recursive"
  - "chmod 777"
  - "curl | bash"
  - "wget | sh"

zero_access_paths:
  - ".env"
  - "~/.ssh/"
  - "*.pem"
  - "*.key"
  - "*credentials*"

read_only_zones:
  - "/etc/"
  - "/usr/"
  - "package-lock.json"
  - "yarn.lock"
  - "pnpm-lock.yaml"

no_delete_zones:
  - ".git/"
  - "Dockerfile"
  - "README.md"
  - "LICENSE"
  - "docker-compose.yml"

ask_rules:
  - pattern: "git push"
    message: "About to push to remote. Continue?"
    ask: true
  - pattern: "npm publish"
    message: "About to publish to npm. Continue?"
    ask: true
  - pattern: "docker rm"
    message: "About to remove Docker container. Continue?"
    ask: true

Rule Types

Blocked Commands

Commands that are always rejected with no override option:

yaml
blocked_commands:
  - "rm -rf"           # Recursive force delete
  - "git reset --hard" # Discard all local changes
  - "DROP DATABASE"    # Database destruction
  - "aws s3 rm --recursive"  # Cloud storage wipe

When a blocked command is detected, the agent receives an error message and must find an alternative approach.

Zero-Access Paths

Files and directories that the agent cannot read or write under any circumstances:

yaml
zero_access_paths:
  - ".env"         # Environment variables / secrets
  - "~/.ssh/"      # SSH keys
  - "*.pem"        # Certificates
  - "*.key"        # Private keys

Read-Only Zones

Paths where the agent can read but not write:

yaml
read_only_zones:
  - "/etc/"                # System configuration
  - "package-lock.json"    # Lock files
  - "yarn.lock"

No-Delete Zones

Paths where the agent can read and write but cannot delete:

yaml
no_delete_zones:
  - ".git/"              # Git history
  - "Dockerfile"         # Container config
  - "README.md"          # Documentation
  - "LICENSE"            # Legal

Ask Rules (Confirmation Prompts)

Commands that trigger a confirmation prompt before execution:

yaml
ask_rules:
  - pattern: "git push"
    message: "About to push to remote repository. Continue?"
    ask: true
  - pattern: "npm publish"
    message: "About to publish package to npm. Continue?"
    ask: true

When ask: true, the user must explicitly confirm before the command runs.

Rule Evaluation Order

Example Scenarios

Scenario: Agent Tries rm -rf

Agent: Running `rm -rf node_modules/`
Damage Control: BLOCKED — "rm -rf" is in the blocked commands list.
Agent: I'll use a safer alternative: `rm -r node_modules/`

Scenario: Agent Tries to Read .env

Agent: Reading `.env` to check configuration...
Damage Control: BLOCKED — ".env" is a zero-access path.
Agent: I can't access .env directly. Please tell me which
       environment variables are needed.

Scenario: Agent Tries to Push

Agent: Running `git push origin main`
Damage Control: About to push to remote repository. Continue? [y/N]
User: y
Agent: Push completed successfully.

Combining with Other Extensions

Damage Control works well stacked with monitoring extensions:

bash
# Safety + monitoring + clean UI
pi -e extensions/damage-control.ts \
   -e extensions/tool-counter.ts \
   -e extensions/minimal.ts

This gives you safety rails, cost tracking, and a clean interface all at once.

Pi Coding Agent SOP Documentation