Think before you execute.

Humans make mistakes. AI agents make them faster. shellfirm intercepts dangerous commands before the damage is done — for both.

~ -- zsh -- 80x24
user@mac:~$ rm -rf /
============ RISKY COMMAND DETECTED ============
Severity: CRITICAL
Description: Recursive force-delete from root directory
Alternative: rm -rf ./tmp/build
(Targets only the tmp/build directory instead of the entire filesystem.)
? Solve the challenge:: 14 + 23 = ? Esc to cancel ›
agent -- Claude Code
[agent] Running cleanup task...
$ kubectl delete namespace production
============ RISKY COMMAND DETECTED ============
Severity: CRITICAL
Context: k8s=production
Action: DENIED
{ "allowed": false, "risk_level": "critical" }

Now imagine your AI agent does it.
Or an autonomous agent. With full shell access.

AI coding agents, deployment scripts, cron jobs — they all run shell commands without hesitation. No typos — just confident, unreviewed destruction.

agent -- Claude Code
[claude-code] Cleaning up unused namespaces...
$ kubectl delete namespace staging
namespace "staging" deleted
$ kubectl delete namespace production
namespace "production" deleted
[claude-code] Done. All clean.
agent -- Cursor
[cursor] Optimizing infra costs, removing idle resources...
$ terraform destroy -auto-approve
# Wrong workspace.
# Current workspace: production
aws_rds_instance.main: Destroying...
aws_ecs_cluster.api: Destroying...
Destroy complete! 47 resources destroyed.
  • AI agents don't hesitate. They execute immediately.
  • CI pipelines run unattended. No one reviews every command.
  • Cron jobs at 3am have no human in the loop.
  • One misconfigured prompt can cascade through your infrastructure.

You need a safety layer that works for humans, agents, AND automation.

One typo. Everything gone.

It takes one character, one wrong tab, one moment of autopilot.

~ -- zsh
$ rm -rf / tmp/build
347 files. Gone in 0.3 seconds.
# A single space between / and tmp/build.
~ -- git
$ git push origin main --force
48 commits from your team. Overwritten.
# No --force-with-lease. No warning.

These aren't hypotheticals. They happen every day. To everyone.

shellfirm. A safety net for every command.

The same engine analyzes every command — whether a human typed it or an AI agent generated it.

Human Terminal

~ -- zsh -- 80x24
user@mac:~$ rm -rf /
============ RISKY COMMAND DETECTED ============
Severity: CRITICAL
Blast Radius: CATASTROPHIC -- Entire filesystem at risk
Description: Recursive force-delete from root
Alternative: rm -rf ./tmp/build
(Targets only the tmp/build directory instead of the entire filesystem.)
? Solve the challenge:: 14 + 23 = ? Esc to cancel ›

AI Agent / MCP

agent -- mcp-server
> check_command("rm -rf /")
{
"allowed": false,
"risk_level": "critical",
"blast_radius": "catastrophic",
"alternatives": [
"rm -rf ./tmp/build"
],
"action": "deny"
}

Blast Radius Detection -- shellfirm evaluates runtime context (SSH sessions, root access, production environments, git branches) to calculate the true danger of every command.

Same engine. Same rules. Humans get a challenge. Agents get a structured response. Nothing slips through.

9 ecosystems. 100+ patterns. Zero config.

shellfirm ships with built-in protection for the tools you use every day.

📁

Filesystem

$ rm -rf /

Deletes everything. Recursively. Without asking.

🔀

Git

$ git push --force

Overwrites your team's commit history permanently.

☸️

Kubernetes

$ kubectl delete namespace production

Every pod, service, and secret in production. Gone.

🗄

Databases

$ DROP DATABASE production;

Millions of rows. No confirmation dialog.

☁️

AWS

$ aws ec2 terminate-instances

Terminates running instances. No undo.

🏗️

Terraform

$ terraform apply -auto-approve

Applies infrastructure changes without review.

🐳

Docker

$ docker rm -f $(docker ps -aq)

Force-removes every container on the host.

🔵

Azure

$ az group delete

Deletes an entire resource group and everything in it.

🔴

GCP

$ gcloud compute instances delete

Permanently deletes compute instances.

It knows when you're in danger.

shellfirm doesn't just match patterns. It understands your runtime context and adjusts protection accordingly.

Context-Aware Escalation

  • !

    SSH sessions

    Escalates challenges when you're connected remotely

  • !

    Root access

    Higher severity when running as root or with sudo

  • !

    Main / master branch

    Blocks force-pushes to protected branches

  • !

    Production Kubernetes

    Detects production namespaces and clusters

  • !

    NODE_ENV=production

    Recognizes production environment variables

Agent & Automation Guardrails

  • >

    MCP Protocol

    Native Model Context Protocol server for AI agents

  • >

    CI/CD Gate

    Drop-in check for deployment pipelines

  • >

    Auto-Deny

    Critical commands blocked without human approval

  • >

    LLM Analysis

    Optional AI-powered risk assessment for ambiguous commands

  • >

    Audit Trail

    JSON-lines log of every intercepted command

From solo dev to engineering org.

shellfirm scales with your team. Define policies, audit everything, protect interactive sessions.

Project Policies

.shellfirm.yaml
min_severity: Low
deny:
- terraform apply
- kubectl delete
escalate_challenge: Yes
# Committed to repo. Team-wide.

Audit Trail

~/.shellfirm/audit.log
{
"ts": "2025-01-15T14:32:01Z"
"cmd": "rm -rf /var/data"
"severity": "critical"
"action": "challenged"
"result": "cancelled"
}

Interactive Wrapper

shellfirm wrap -- psql
$ shellfirm wrap -- psql prod
psql (15.4)
production=# DROP TABLE users;
============ RISKY COMMAND DETECTED ============
Severity: CRITICAL
Description: Dropping a production table is irreversible
Alternative: ALTER TABLE users RENAME TO users_backup
(Renames the table instead of deleting it, so data can be recovered.)
? Type `yes` to continue Esc to cancel ›

Two commands. You're protected.

Works with every shell. No configuration required.

Install for Humans

~ -- zsh
# Install
$ npm install -g @shellfirm/cli
# Hook into your shell
$ shellfirm init zsh
shellfirm is now protecting your terminal.

Setup for AI Agents

mcp-config.json
{
"mcpServers": {
"shellfirm": {
"command": "shellfirm",
"args": ["mcp"]
}
}
}

That's it. Try rm -rf /tmp/test. shellfirm has your back.

View DocumentationStar on GitHubView Releases