Destructive command safety guardrails. Warns before dangerous operations in production and shared environments.
Pre-execution safety guardrails that warn before dangerous operations. Prevents accidental destruction of infrastructure, data, and shared state. Inspired by gstack's careful/guard methodology.

| Pattern | Risk | Alternative |
|---|---|---|
| terraform destroy | Destroys all managed resources | Target specific resources with -target |
| terraform state rm | Removes resource from state (orphans it) | Use terraform state mv for renames |
| terraform force-unlock | Breaks state lock | Verify lock holder first |
| terraform apply -auto-approve | No review of changes | Remove -auto-approve, review plan |
| terraform import (to wrong state) | Corrupts state | Verify state file and resource first |

| Pattern | Risk | Alternative |
|---|---|---|
| aws s3 rm --recursive | Deletes all objects in bucket | Use --dryrun first |
| aws s3 rb --force | Deletes bucket and all contents | Empty bucket first, review |
| aws rds delete-db-instance | Deletes database | Verify snapshot exists first |
| aws ec2 terminate-instances | Terminates instances permanently | Stop first, verify instance ID |
| aws iam delete-role | Removes IAM role | Check what depends on it first |
| aws route53 change-resource-record-sets DELETE | Removes DNS records | Verify record and impact |
| aws ecs update-service --desired-count 0 | Stops all tasks | Verify it's the right service/cluster |
| aws cloudformation delete-stack | Deletes entire stack | Review stack resources first |
| aws organizations remove-account | Removes account from org | Verify account ID |

| Pattern | Risk | Alternative |
|---|---|---|
| git push --force | Overwrites remote history | Use --force-with-lease |
| git reset --hard | Discards all uncommitted changes | git stash first |
| git branch -D | Deletes branch even if unmerged | git branch -d (safe delete) |
| git checkout . | Discards all working changes | git stash first |
| git clean -fd | Deletes untracked files | git clean -fdn (dry run) first |

| Pattern | Risk | Alternative |
|---|---|---|
| DROP TABLE / DROP DATABASE | Permanent data loss | Backup first, use IF EXISTS |
| TRUNCATE TABLE | Deletes all rows | Verify table and environment |
| DELETE FROM without WHERE | Deletes all rows | Add WHERE clause |
| ALTER TABLE DROP COLUMN | Permanent data loss | Backup table first |

| Pattern | Risk | Alternative |
|---|---|---|
| rm -rf / or rm -rf * | Destroys filesystem | Be specific with paths |
| kill -9 on production PIDs | Abrupt process termination | kill -15 (graceful) first |
| chmod -R 777 | Opens permissions wide | Use specific permissions |

These are always safe to delete/clean (build artifacts):

- node_modules/, .next/, dist/, build/
- __pycache__/, .cache/, .turbo/
- coverage/, .terraform/ (NOT .terraform.lock.hcl)
- *.pyc, *.pyo, *.o

Automatically engage careful mode when detecting:

- prod, production, org, management
- prod or production
- main, master, production
- ENV=production, NODE_ENV=production

When a dangerous command is detected:

```
WARNING: DESTRUCTIVE OPERATION DETECTED
Command: terraform destroy -target=aws_rds_instance.main
Risk: This will permanently delete the RDS instance and all its data.
Environment: production (account 049005703416)

Before proceeding:
1. Verify you have a recent snapshot/backup
2. Confirm this is the correct resource
3. Verify no other services depend on this resource

Proceed? [y/N]
```

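
A sketch of the matching logic described above, added here as an example and not the skill's own code: it checks a command against a few rows of the tables, applies the build-artifact exception, and flags careful mode from the ENV/NODE_ENV values listed. The regexes and the names RULES, SAFE, only_build_artifacts and check are assumptions of this example.

```python
import fnmatch
import os
import re
import shlex

# Risk/alternative text is from the page's tables; the regexes are this example's assumptions.
RULES = [
    (r"\bterraform\s+destroy\b", "Destroys all managed resources",
     "Target specific resources with -target"),
    (r"\bterraform\s+apply\b.*-auto-approve\b", "No review of changes",
     "Remove -auto-approve, review plan"),
    (r"\baws\s+s3\s+rm\b.*--recursive\b", "Deletes all objects in bucket",
     "Use --dryrun first"),
    (r"\bgit\s+push\b.*(--force(?![\w-])|\s-f\b)", "Overwrites remote history",
     "Use --force-with-lease"),
    (r"\bdelete\s+from\s+\w+\s*(;|$)", "Deletes all rows", "Add WHERE clause"),
    # Broader than the page's "rm -rf / or rm -rf *": any recursive forced rm.
    (r"\brm\s+-(\w*r\w*f|\w*f\w*r)\b", "Destroys filesystem", "Be specific with paths"),
]
# Build artifacts the page lists as always safe to delete.
SAFE = ["node_modules", ".next", "dist", "build", "__pycache__", ".cache", ".turbo",
        "coverage", ".terraform", "*.pyc", "*.pyo", "*.o"]


def only_build_artifacts(command):
    """True when an rm command targets nothing but the safe-listed artifacts."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return False  # unbalanced quotes: do not grant the exception
    if not argv or argv[0] != "rm":
        return False
    # Shell operators such as && end up in targets, so chained commands never qualify.
    targets = [os.path.basename(a.rstrip("/")) for a in argv[1:] if not a.startswith("-")]
    return bool(targets) and all(
        any(fnmatch.fnmatchcase(t, pat) for pat in SAFE) for t in targets)


def check(command, env):
    """Return (risk, alternative, careful) for a destructive command, else None."""
    if only_build_artifacts(command):
        return None
    careful = "production" in (env.get("ENV"), env.get("NODE_ENV"))
    for pattern, risk, alternative in RULES:
        if re.search(pattern, command, re.IGNORECASE):
            return risk, alternative, careful
    return None
```

The exception is granted only when every rm target is on the safe list, so `rm -rf node_modules && terraform destroy` and `rm -rf .terraform.lock.hcl` still produce a warning.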
When maximum protection is needed, combine careful with directory scoping:
Useful for:

ship skill: Ship should inherit careful's guardrails. If careful would warn, ship should too.

investigate skill: Always enable careful mode during incident investigation to prevent making things worse.

review skill: Review should flag the same destructive patterns that careful guards against.