Allows destructive operations within your project but blocks them outside the project directory. Built for --dangerously-skip-permissions mode where Claude doesn't ask — this plugin is your safety net.
- claude-code-safety-net — blocks
rmeverywhere; Project Boundary allows it inside the project so refactoring works normally. - destructive-command-guard — only distinguishes
/tmpvs everything else; Project Boundary uses$CLAUDE_PROJECT_DIRas the actual boundary. - claude-code-damage-control — requires manually listing protected paths; Project Boundary automatically protects everything outside the project.
| Operation | Inside project | Outside project |
|---|---|---|
rm, rm -rf |
Allowed | Blocked |
mv (source and destination) |
Allowed | Blocked |
cp (source and destination) |
Allowed | Blocked |
ln (source and target) |
Allowed | Blocked |
chmod / chown |
Allowed | Blocked |
> / >> redirect |
Allowed | Blocked |
tee / tee -a |
Allowed | Blocked |
curl -o / curl --output |
Allowed | Blocked |
wget -O / wget --output-document |
Allowed | Blocked |
find -delete / find -exec rm |
Allowed | Blocked |
dd of= |
Allowed | Blocked |
install (source and destination) |
Allowed | Blocked |
rsync (source and destination) |
Allowed | Blocked |
tar -C / --directory= |
Allowed | Blocked |
unzip -d / cpio -D |
Allowed | Blocked |
| Edit tool (file edits) | Allowed | Blocked |
| MultiEdit tool (multi-file edits) | Allowed | Blocked |
| Write tool (file creation) | Allowed | Blocked |
| Command | Reason |
|---|---|
bash -c "..." / sh -c "..." |
Nested shell — cannot inspect inner command |
eval '...' |
Cannot safely parse evaluated code |
Piping to sh / bash |
Inner commands invisible to guard |
xargs rm/mv/cp/... |
Arguments cannot be validated |
$(...) / backticks (outside single quotes) |
Command substitution target is uninspectable. Single-quoted forms like '$(cmd)' and arithmetic expansion $((2+2)) are allowed. |
- Chained commands — splits on
;,&&,||,|and checks each sub-command independently cwdawareness — usescwdfrom the hook event, so commands run outside the project (without an explicitcd) are also guardedcdtracking —cd /tmp && rm -rf somethingis blocked becausecdleft the project;cd $PROJECT && rm fileis allowed even if the eventcwdwas outside- Destructive subcommands outside project — when running outside the project (via event
cwdorcd), these are blocked:git clean -f,git checkout .,git restore .,git reset --hard,git push --force,git stash drop/clear,git branch -D,git reflog expire,rails db:drop/reset,rake db:drop/reset. Safe commands likegit status,git log,rails routesremain allowed. sudoprefix — stripped before checking, sosudo rm /etc/passwdis still blockedfindoptions — handles-L,-H,-Pbefore the search path- Path traversal —
..segments are resolved before boundary check ~and$HOMEexpansion —rm ~/fileandrm $HOME/fileare correctly detected as outside-project- Symlink resolution — handles macOS
/var→/private/var, dereferences symlink chains in Edit/Write/MultiEdit (fail-closed after 20 hops)
- Paths with spaces work when properly quoted (single or double quotes). Unquoted paths with spaces are not supported.
- Heredoc body contents are not inspected (only the first line of the command, where redirects are handled normally)
- Brace expansion (
{a,b,c}) is not enumerated — literal match only ~user/(home of another user) is not expanded; only~/(current user) is handled
Direct:
claude --plugin-dir /path/to/claude-code-project-boundary
From marketplace:
/plugin marketplace add davepoon/buildwithclaude
/plugin install project-boundary@buildwithclaude
Pure-bash PreToolUse hooks for Bash, Edit, MultiEdit, and Write tools. The Bash hook splits chained commands and resolves target paths (handling symlinks, .., ~, $HOME); the Edit, MultiEdit, and Write hooks perform file path boundary checks against $CLAUDE_PROJECT_DIR. Dependencies: bash + jq.
bash tests/test_guard.sh
Full test suite covering all guard scenarios. CI runs on Ubuntu and macOS.
MIT