diff --git a/dev-docs/CLAUDE_CODE_TOOLING.md b/dev-docs/CLAUDE_CODE_TOOLING.md
index 49a72afd..c73b3abd 100644
--- a/dev-docs/CLAUDE_CODE_TOOLING.md
+++ b/dev-docs/CLAUDE_CODE_TOOLING.md
@@ -48,7 +48,7 @@ Everything except `settings.local.json` is checked in.
 | Event | Matcher | Script | Behaviour | Fail mode |
 |---|---|---|---|---|
 | PreToolUse | `Edit\|Write\|MultiEdit` | `protect-files.sh` | Blocks edits to secrets, lock files, default migrations, the deleted `apps/admin/`, `.claude/` itself, and `dev-docs/SCHEMA.md`. | Exit 2 with reason on stderr. |
-| PreToolUse | `Bash` | `block-dangerous-bash.sh` | Blocks `git reset --hard`, force pushes, blanket dependency updates, and database wipes that aren't scoped to `--env=testing`. | Exit 2 with reason on stderr. |
+| PreToolUse | `Bash` | `block-dangerous-bash.sh` | Blocks `git reset --hard`, force pushes, blanket dependency updates, database wipes that aren't scoped to `--env=testing`, and `rm -rf` on absolute paths outside `/tmp`, `/var/folders`, and `$HOME`. | Exit 2 with reason on stderr. |
 | PostToolUse | `Edit\|Write\|MultiEdit` | `post-edit-pint.sh` | Runs `vendor/bin/pint --dirty` from `api/` after any `.php` edit. | Exit 0 silently — formatting failures never block. |
 | PostToolUse | `Edit\|Write\|MultiEdit` | `post-edit-eslint.sh` | Runs `pnpm eslint --fix` inside the matching SPA dir for `.vue/.ts/.tsx/.js` files under `apps/app/` or `apps/portal/`. | Exit 0 silently. |
 | SessionStart | `compact` | `inject-sprint-context.sh` | Prints branch, last 10 commits, and the top of `BACKLOG.md` so Claude resumes with sprint context after auto-compaction. | Exit 0; output is appended to context. |