git reset --hard — why AI agents must not run it unattended
git reset --hard is a high-severity command that AI coding agents run without human checkpoints. DestructGuard's default tier blocks this pattern and logs every approve-or-abort decision to a JSONL audit trail.
git reset --hard
What it does
Resets the index and working tree to the target commit, permanently discarding all staged and unstaged changes to tracked files.
Why agents run it
Autonomous coding agents optimize for task completion. When refactoring, cleaning up, or syncing repositories, agents often reach for git reset --hard because it appears to solve the immediate problem — without surfacing irreversibility to the operator.
Default blocklist tier
DestructGuard's default rules tier includes git reset --hard. Teams on the strict tier also block adjacent patterns. Pair with git pre-commit and pre-push hooks from the Pro Pack for defense in depth.
How to allow with audit
When a blocked command is genuinely needed, DestructGuard prompts for explicit approval and records the decision. Upload the audit log to IncidentScribe to reconstruct what happened before an outage.
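The block, approve and log flow described above, as an added illustration: this is not DestructGuard's code, and the function names, rule id and JSONL field names are assumptions. It matches on shell tokens rather than a substring, so global options such as -C are handled and a commit message that merely mentions the command is not flagged.

```python
import io
import json
import shlex
from datetime import datetime, timezone

# Git global options that take a separate value, e.g. `git -C repo reset --hard`.
GIT_OPTS_WITH_VALUE = {"-C", "-c", "--git-dir", "--work-tree", "--namespace"}
SEPARATORS = {"&&", "||", ";", "|"}


def is_hard_reset(command):
    """True if any git invocation on the command line is `reset --hard`."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = command.split()
    for i, tok in enumerate(tokens):
        if tok.rsplit("/", 1)[-1] != "git":
            continue
        j = i + 1  # skip global options placed before the subcommand
        while j < len(tokens) and tokens[j].startswith("-"):
            j += 2 if tokens[j] in GIT_OPTS_WITH_VALUE else 1
        if j >= len(tokens) or tokens[j] != "reset":
            continue
        for arg in tokens[j + 1:]:
            if arg in SEPARATORS or arg == "--":  # next command, or pathspecs only
                break
            if arg == "--hard":
                return True
    return False


def guard(command, approver, audit):
    """Return True if the command may run; log every decision on a blocked one."""
    if not is_hard_reset(command):
        return True
    approved = bool(approver(command))
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "rule": "git-reset-hard",  # assumed field names, constructed schema
        "command": command,
        "decision": "approve" if approved else "abort",
    }
    audit.write(json.dumps(record) + "\n")
    return approved


if __name__ == "__main__":
    log = io.StringIO()  # stands in for an append-mode audit file
    print(guard("git -C repo reset --hard HEAD~1", lambda c: False, log), log.getvalue())
```

In a real deployment the approver would be an interactive prompt shown to the operator, and the audit sink a file opened in append mode that the agent's own process cannot rewrite.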