$ shellfirm

Auto-Deny Configuration

Automatically deny risky commands for unattended agents and automation

When AI agents or automated scripts run without human supervision, they cannot solve interactive challenges. shellfirm's auto-deny feature automatically blocks commands that meet or exceed a configurable severity threshold.

How it works

In agent mode, shellfirm evaluates every command against the check pattern database. If any matched pattern has a severity at or above the auto-deny threshold, the command is denied. Commands below the threshold are allowed.

Command: "git push --force origin main"
  Matched: git:force_push (High)
  Auto-deny threshold: High
  Result: DENIED ("Severity HIGH meets or exceeds agent auto-deny threshold HIGH")

Command: "git stash drop"
  Matched: git:stash_drop (Medium)
  Auto-deny threshold: High
  Result: ALLOWED (Medium < High)

Command: "echo hello"
  Matched: (none)
  Result: ALLOWED (no matches)

Configuration

Set the auto-deny threshold in ~/.shellfirm/settings.yaml:

agent:
  auto_deny_severity: High

Severity levels

The available severity levels, from lowest to highest:

| Level | Description |
|---|---|
| Info | Informational, nearly always safe |
| Low | Minor risk, usually safe |
| Medium | Moderate risk, could cause limited damage |
| High | Significant risk, could cause substantial damage |
| Critical | Extreme risk, could cause catastrophic damage |

Choosing a threshold

| Threshold | Effect | Use case |
|---|---|---|
| Info | Denies everything that matches any pattern | Maximum safety, minimal agent autonomy |
| Low | Denies Low and above | Very conservative |
| Medium | Denies Medium and above | Balanced safety |
| High | Denies High and above (default) | Allows routine operations, blocks dangerous ones |
| Critical | Only denies Critical severity | Maximum agent autonomy, blocks only the most dangerous |

The default is High, which blocks dangerous operations like force pushes, recursive deletes, and namespace deletions while allowing routine operations.

Deny lists take priority

Commands matching patterns on the deny list are always denied, regardless of severity or auto-deny threshold. Deny lists come from two sources:

  1. Global deny list in ~/.shellfirm/settings.yaml:

     deny_patterns_ids:
       - "git:force_push"
       - "fs:format_filesystem"

  2. Project deny list in .shellfirm.yaml:

     version: 1
     deny:
       - "kubernetes:delete_namespace"
       - "database:drop_database"

Human approval flag

For workflows where denied commands should be escalated to a human rather than simply blocked, enable the require_human_approval flag:

agent:
  auto_deny_severity: High
  require_human_approval: true

When enabled, the risk assessment includes requires_human_approval: true for denied commands. Your agent or automation framework can use this flag to route the command to a human for review instead of silently blocking it.
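
One way an agent framework could act on this flag, as an added example that is not shellfirm's own code: it consumes a risk assessment in the JSON shape shown in the Examples section and fails closed on anything malformed. The function name route_assessment, the action names run/escalate/block, and the top-level position of requires_human_approval are assumptions.

```python
import json

def _dicts(value):
    """Return only the dict items of a list; anything else becomes []."""
    return [v for v in value if isinstance(v, dict)] if isinstance(value, list) else []

def _block(reason):
    return {"action": "block", "reason": reason, "rules": [], "suggest": []}

def route_assessment(raw):
    """Map a risk assessment (JSON text) to an agent action: run, escalate or block.

    Fails closed: only a well-formed object with "allowed" set to the JSON
    boolean true lets the command run.
    """
    try:
        a = json.loads(raw)
    except (TypeError, ValueError):
        return _block("unparseable assessment")
    if not isinstance(a, dict):
        return _block("unexpected assessment shape")
    rules = [r.get("id") for r in _dicts(a.get("matched_rules"))]
    if a.get("allowed") is True:
        return {"action": "run", "reason": None, "rules": rules, "suggest": []}
    # Assumption: requires_human_approval is a top-level key of the assessment.
    action = "escalate" if a.get("requires_human_approval") is True else "block"
    return {
        "action": action,
        "reason": a.get("denial_reason") or "denied without a stated reason",
        "rules": rules,
        "suggest": [alt.get("command") for alt in _dicts(a.get("alternatives"))],
    }

# Constructed sample assessments, modelled on the two examples on this page.
DENIED = json.dumps({
    "allowed": False, "severity": "High", "requires_human_approval": True,
    "matched_rules": [{"id": "git:force_push", "severity": "High", "group": "git"}],
    "denial_reason": "Severity HIGH meets or exceeds agent auto-deny threshold HIGH",
    "alternatives": [{"command": "git push --force-with-lease"}],
})
ALLOWED = json.dumps({
    "allowed": True, "severity": "Medium", "denial_reason": None,
    "matched_rules": [{"id": "git:stash_drop", "severity": "Medium", "group": "git"}],
    "alternatives": [],
})

if __name__ == "__main__":
    for sample in (DENIED, ALLOWED, '{"allowed": "true"}', '{"allowed": fal'):
        print(route_assessment(sample))
```

The last two samples show the fail-closed path: a string "true" and a truncated document both end in block rather than run.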

Per-environment configuration

You can use different auto-deny thresholds in different environments by maintaining separate settings files:

# Development: lenient
# ~/.shellfirm/settings.yaml
agent:
  auto_deny_severity: Critical

# Production server: strict
# /etc/shellfirm/settings.yaml
agent:
  auto_deny_severity: Medium

Examples

Agent tries a high-severity command

// check_command("git push --force origin main")
{
  "allowed": false,
  "severity": "High",
  "matched_rules": [{
    "id": "git:force_push",
    "description": "Force push can overwrite remote history.",
    "severity": "High",
    "group": "git"
  }],
  "denial_reason": "Severity HIGH meets or exceeds agent auto-deny threshold HIGH",
  "alternatives": [{
    "command": "git push --force-with-lease",
    "explanation": "Prevents overwriting others' work",
    "source": "regex-pattern"
  }]
}

Agent tries a medium-severity command (allowed)

// check_command("git stash drop")
{
  "allowed": true,
  "severity": "Medium",
  "matched_rules": [{
    "id": "git:stash_drop",
    "description": "Drops a stash entry permanently",
    "severity": "Medium",
    "group": "git"
  }],
  "denial_reason": null,
  "alternatives": []
}