File-guard, Bash-guard, and Git-safe: Essential AI Agent Data Loss Prevention

This review examines three open-source tools designed to prevent accidental data loss from AI agents like Claude Code. We analyze their approach to safeguarding critical files and Git history.

TL;DR

Best for: Developers using AI agents for code manipulation who need a robust, low-level defense against accidental data loss and destructive Git operations. Skip if: Your workflow does not involve AI agents interacting directly with your filesystem or Git repository, or if you prefer purely manual oversight for all commands. Bottom line: File-guard, bash-guard, and git-safe offer a critical, pre-execution layer of protection, addressing fundamental flaws in AI agent permission systems that can lead to irreversible data loss.

METHODOLOGY

This v0 review draws on the founder's published claims and code examples presented in the dev.to article "Claude Code Deleted 92 Images Without Asking. This Happens More Than You Think." The tools under review are file-guard, bash-guard, and git-safe, as of the article's publication date, accessed on 2026-05-25. We cover the problem scenarios detailed by the author, the proposed solutions, and the specific installation and configuration steps provided. What is not covered in this initial review includes independent performance benchmarks, long-term workflow integration, or comprehensive testing of edge cases beyond those highlighted in the source material. Update cadence: re-tested when claims diverge from observed behavior or new versions are released.

WHAT IT DOES

The dev.to article by devto highlights critical data loss scenarios stemming from AI agents like Claude Code. The author, based on a catalog of 640 entries with 42 critical failures, presents three open-source tools from the Boucle framework designed to prevent these issues by intercepting destructive commands at a low level.

File-guard blocks I/O access

file-guard is designed to prevent AI agents from deleting or modifying specified files and directories. It operates by blocking Read, Write, and Bash access to paths defined in a .file-guard configuration file. The author cites a case where Claude Code deleted 92 AI-generated artwork images using rm -rf during a project cleanup. Standard CLAUDE.md rules were ineffective because Claude's judgment about what constitutes "artwork" was applied after the command was approved. file-guard intercepts these operations at the tool level, denying them before Claude can act, regardless of its internal reasoning. Installation involves a simple curl command followed by adding paths to .file-guard.

Bash-guard intercepts shell commands

bash-guard acts as a protective layer against potentially destructive shell commands. The article details a scenario where Claude ran git restore lib/ without confirmation, permanently discarding 40+ files of uncommitted work. The standard approval prompt was insufficient because git restore lib/ appears innocuous without understanding its irreversible consequences. bash-guard blocks commands like git restore, git checkout --, and git clean at the hook level, preventing them from ever reaching the shell. This ensures that even if an AI agent proposes a destructive command and a user overlooks its implications, the command is never executed.

Git-safe protects repository history

Complementing bash-guard, git-safe specifically targets destructive Git operations. While bash-guard provides a general shell command guard, git-safe focuses on Git commands that can lead to irreversible loss of repository history or uncommitted changes. The author mentions a case where a remote Claude Code agent executed a force-push, deleting 17 tracked files. git-safe works by blocking these commands at the hook level, similar to bash-guard, ensuring that critical Git operations are prevented before they can cause data loss, especially in unattended or automated agent contexts.

WHAT'S INTERESTING / WHAT'S NOT

What's interesting about these tools is their pragmatic, low-level approach to AI agent safety. The author correctly identifies a fundamental flaw in current AI agent permission systems: the reliance on the agent's internal reasoning or a human's real-time interpretation of potentially destructive commands. The CLAUDE.md approach fails because it's a guideline, not an enforcement mechanism, and the approval prompt fails because it presents raw commands without context on their irreversible consequences. The guard tools, by contrast, implement a pre-execution block. This is a meaningful improvement, shifting safety from AI interpretation or human vigilance to a hard technical barrier. The concrete examples of 92 images deleted and 40+ files of uncommitted work lost underscore the severity of the problem these tools aim to solve. Their open-source nature and simple curl | bash installation make them immediately accessible.

What's not explicitly detailed in the source is the specific implementation of these