Show HN: Demo_CLI – snapshot before your AI agent runs rm -RF, one-command undo A developer released demo_cli, an open-source tool that snapshots files, directories, and local databases before AI agents execute destructive commands like rm -rf or DROP TABLE, enabling one-command undo. Unlike existing safety hooks that only block dangerous commands, demo_cli defaults to recovery by capturing pre-deletion state and only blocks actions it cannot reverse, such as terraform destroy or remote resource deletion. The tool runs as a hook for Claude Code and Cursor, is MIT-licensed, and operates in observe-only mode by default. Claude Code and Cursor ask you to confirm dangerous commands, or block them. Neither snapshots first, and their undo doesn't cover shell commands or databases. demo cli snapshots the real target before a destructive command runs, so a wrong call is reversible with one command. Confirming ≠ recovering. Before rm -rf , rmdir /s /q , Remove-Item -Recurse -Force , git reset --hard , or DROP TABLE executes, demo cli captures what's about to be destroyed and writes a tamper-evident receipt of the decision. If the agent gets it wrong, demo cli undo brings it back. When it can't prove recovery terraform destroy , git push --force , remote/cloud resources, or a recursive-force delete with no recoverable target , it hard-blocks instead of faking safety. The whole design in one line: recovery is the default; blocking is the fallback for the truly unrecoverable, not the default for everything. Default mode is observe-only: it logs what it would have caught and touches nothing. Run it a week on a low-stakes project, read the receipts, then decide whether to let it act. pipx install git+https://github.com/WePwn/demo cli.git@beta demo cli init shadow mode by default, observes, never blocks demo cli doctor verify the install No telemetry, it phones nobody. Verify it yourself: grep -rn "requests\|urllib\|http\|socket" src/ One small, readable, MIT-licensed codebase , read exactly what it does before you run it. Tamper-evident receipts , every decision is hash-chained and independently verifiable demo cli verify . git and Claude Code's rewind can't recover an rm -rf outside the repo, a dropped database, or an overwrite of an untracked file, they don't snapshot before shell commands run. That's the exact gap demo cli fills. Threat model:cooperative agents making mistakes, not adversarial evasion. An agent actively trying to evade protection is out of scope, no hook solves that. 0.4.0b5 , public beta. Built around one invariant: A mutating action must be recoverable andmatch its declared context, otherwise it is escalated, never silently allowed, and never falsely reported as "recovered". Most safety hooks for AI agents do one thing: pattern-match a dangerous command and block it. That stops the obvious disasters, but it also stops the agent mid-task, so you either loosen the rules until they stop catching things, or you babysit the session. demo cli starts from the opposite default: recovery, not blocking. - For anything it can prove it captured a file, a directory, a local DB , it snapshots first and lets the agent keep working. If the agent gets it wrong, demo cli undo