Think before you execute.

Humans make mistakes. AI agents make them faster. shellfirm intercepts dangerous commands before the damage is done — for both.

~ -- zsh -- 80x24
user@mac:~$ rm -rf /
============ RISKY COMMAND DETECTED ============
Severity: CRITICAL
Description: Recursive force-delete from root directory
Alternative: rm -rf ./tmp/build
(Targets only the tmp/build directory instead of the entire filesystem.)
? Solve the challenge:: 14 + 23 = ? Esc to cancel ›
agent -- Claude Code
[agent] Running cleanup task...
$ kubectl delete namespace production
============ RISKY COMMAND DETECTED ============
Severity: CRITICAL
Context: k8s=production
Action: DENIED
{ "allowed": false, "risk_level": "critical" }

Two commands. You're protected.

Works with every shell. No configuration required.

Install for Humans

~ -- zsh
# Install
$ npm install -g @shellfirm/cli
# Hook into your shell
$ shellfirm init zsh
shellfirm is now protecting your terminal.

Connect AI Agents

~ -- zsh
$ shellfirm connect claude-code
Hooks → pre-tool-use safety net
MCP → on-demand analysis tools
Claude Code is now protected.

That's it. Try rm -rf /tmp/test. shellfirm has your back.

View DocumentationStar on GitHubView Releases

shellfirm. A safety net for every command.

The same engine analyzes every command — whether a human typed it or an AI agent generated it.

Human Terminal

~ -- zsh -- 80x24
user@mac:~$ rm -rf /
============ RISKY COMMAND DETECTED ============
Severity: CRITICAL
Blast Radius: CATASTROPHIC -- Entire filesystem at risk
Description: Recursive force-delete from root
Alternative: rm -rf ./tmp/build
(Targets only the tmp/build directory instead of the entire filesystem.)
? Solve the challenge:: 14 + 23 = ? Esc to cancel ›

AI Agent / MCP

agent -- mcp-server
> check_command("rm -rf /")
{
"allowed": false,
"risk_level": "critical",
"blast_radius": "catastrophic",
"alternatives": [
"rm -rf ./tmp/build"
],
"action": "deny"
}

Blast Radius Detection -- shellfirm evaluates runtime context (SSH sessions, root access, production environments, git branches) to calculate the true danger of every command.

Same engine. Same rules. Humans get a challenge. Agents get a structured response. Nothing slips through.

Claude Code? One command. Protected.

Hooks block risky commands automatically. MCP gives Claude deeper analysis. Both install with a single command.

Connect

~ -- zsh
$ shellfirm connect claude-code
shellfirm — connecting Claude Code integration
Hooks → ~/.claude/settings.json (pre-tool-use safety net)
MCP → ~/.claude/settings.json (on-demand analysis tools)
Claude Code is now protected by shellfirm.

In action

agent -- Claude Code
[hook] PreToolUse → Bash
$ rm -rf /
============ BLOCKED BY SHELLFIRM ============
Severity: CRITICAL
Reason: Recursive force-delete from root
Exit: 2 (command blocked)
Claude Code automatically used safer alternative.

Hooks — automatic safety net

Fires on every Bash tool call. Exit code 2 blocks the command before it runs. Zero configuration needed from Claude.

MCP — on-demand analysis

Claude can call shellfirm tools to explain risks, suggest alternatives, and check project policies before acting.

Now imagine your AI agent does it.
Or an autonomous agent. With full shell access.

AI coding agents, deployment scripts, cron jobs — they all run shell commands without hesitation. No typos — just confident, unreviewed destruction.

agent -- Claude Code
[claude-code] Cleaning up unused namespaces...
$ kubectl delete namespace staging
namespace "staging" deleted
$ kubectl delete namespace production
namespace "production" deleted
[claude-code] Done. All clean.
agent -- Cursor
[cursor] Optimizing infra costs, removing idle resources...
$ terraform destroy -auto-approve
# Wrong workspace.
# Current workspace: production
aws_rds_instance.main: Destroying...
aws_ecs_cluster.api: Destroying...
Destroy complete! 47 resources destroyed.
  • AI agents don't hesitate. They execute immediately.
  • CI pipelines run unattended. No one reviews every command.
  • Cron jobs at 3am have no human in the loop.
  • One misconfigured prompt can cascade through your infrastructure.

You need a safety layer that works for humans, agents, AND automation.

One typo. Everything gone.

It takes one character, one wrong tab, one moment of autopilot.

~ -- zsh
$ rm -rf / tmp/build
347 files. Gone in 0.3 seconds.
# A single space between / and tmp/build.
~ -- git
$ git push origin main --force
48 commits from your team. Overwritten.
# No --force-with-lease. No warning.

These aren't hypotheticals. They happen every day. To everyone.

9 ecosystems. 100+ patterns. Zero config.

shellfirm ships with built-in protection for the tools you use every day.

📁

Filesystem

$ rm -rf /

Deletes everything. Recursively. Without asking.

🔀

Git

$ git push --force

Overwrites your team's commit history permanently.

☸️

Kubernetes

$ kubectl delete namespace production

Every pod, service, and secret in production. Gone.

🗄

Databases

$ DROP DATABASE production;

Millions of rows. No confirmation dialog.

☁️

AWS

$ aws ec2 terminate-instances

Terminates running instances. No undo.

🏗️

Terraform

$ terraform apply -auto-approve

Applies infrastructure changes without review.

🐳

Docker

$ docker rm -f $(docker ps -aq)

Force-removes every container on the host.

🔵

Azure

$ az group delete

Deletes an entire resource group and everything in it.

🔴

GCP

$ gcloud compute instances delete

Permanently deletes compute instances.

It knows when you're in danger.

shellfirm doesn't just match patterns. It understands your runtime context and adjusts protection accordingly.

Context-Aware Escalation

  • !

    SSH sessions

    Escalates challenges when you're connected remotely

  • !

    Root access

    Higher severity when running as root or with sudo

  • !

    Main / master branch

    Blocks force-pushes to protected branches

  • !

    Production Kubernetes

    Detects production namespaces and clusters

  • !

    NODE_ENV=production

    Recognizes production environment variables

Agent & Automation Guardrails

  • >

    MCP Protocol

    Native Model Context Protocol server for AI agents

  • >

    CI/CD Gate

    Drop-in check for deployment pipelines

  • >

    Auto-Deny

    Critical commands blocked without human approval

  • >

    LLM Analysis

    Optional AI-powered risk assessment for ambiguous commands

  • >

    Audit Trail

    JSON-lines log of every intercepted command

From solo dev to engineering org.

shellfirm scales with your team. Define policies, audit everything, protect interactive sessions.

Project Policies

.shellfirm.yaml
min_severity: Low
deny:
- terraform apply
- kubectl delete
escalate_challenge: Yes
# Committed to repo. Team-wide.

Audit Trail

~/.shellfirm/audit.log
{
"ts": "2025-01-15T14:32:01Z"
"cmd": "rm -rf /var/data"
"severity": "critical"
"action": "challenged"
"result": "cancelled"
}

Interactive Wrapper

shellfirm wrap -- psql
$ shellfirm wrap -- psql prod
psql (15.4)
production=# DROP TABLE users;
============ RISKY COMMAND DETECTED ============
Severity: CRITICAL
Description: Dropping a production table is irreversible
Alternative: ALTER TABLE users RENAME TO users_backup
(Renames the table instead of deleting it, so data can be recovered.)
? Type `yes` to continue Esc to cancel ›