Quick Configuration
Configure challenge types, severity thresholds, and check groups
shellfirm stores its configuration at ~/.config/shellfirm/settings.yaml. You can edit this file directly or use the CLI commands below.
Challenge type
Choose what kind of confirmation shellfirm asks for:
shellfirm config challenge <type>| Challenge | How it works | Best for |
|---|---|---|
Math | Solve a simple math problem (e.g., "5 + 3 = ?") | Default -- forces you to pause and think |
Enter | Just press Enter to confirm | Teams that want awareness without friction |
Yes | Type the word "yes" to confirm | High-security environments |
Example:
shellfirm config challenge YesNote: By default, shellfirm automatically escalates challenges based on check severity — Critical severity commands require typing "yes", and High severity commands require pressing Enter, even on a local machine. See Severity Levels for details.
Escalation overrides
You can set minimum challenge types per group or per check ID:
shellfirm config escalation severity --high Yes # High severity → Yes
shellfirm config escalation group fs Yes # All fs checks → Yes
shellfirm config escalation check git:force_push Yes # Specific check → YesSee Challenge Types for the full escalation pipeline.
Severity threshold
Control which severity levels trigger a challenge:
shellfirm config severity <level>There are four practical presets you can think of:
| Preset | min_severity | What triggers | Description |
|---|---|---|---|
| Paranoid | all (not set) | Everything | All checks fire, including Info and Low |
| Balanced | Medium | Medium, High, Critical | Skips informational and low-severity checks |
| Chill | High | High, Critical | Only the risky stuff |
| YOLO | Critical | Critical only | Just the commands that can destroy everything |
Examples:
# Balanced mode -- Medium and above
shellfirm config severity Medium
# Chill mode -- High and above
shellfirm config severity High
# Paranoid mode -- everything (remove the threshold)
shellfirm config severity allCheck groups
Enable or disable entire categories of checks:
# Disable specific groups
shellfirm config groups --disable kubernetes --disable terraform
# Enable specific groups
shellfirm config groups --enable aws --enable docker
# Interactive multi-select to toggle groups
shellfirm config groupsThe 16 available check groups are:
| Group | Ecosystem | Examples |
|---|---|---|
fs | Filesystem | rm -rf, mkfs, dd |
fs-strict | Filesystem (strict) | Any rm, chmod, rmdir |
git | Git | push --force, reset, clean -fd |
git-strict | Git (strict) | add ., commit -a, rebase |
docker | Docker | system prune, rm -f, volume rm |
kubernetes | Kubernetes | delete namespace, delete resource |
kubernetes-strict | Kubernetes (strict) | scale, rollout, set |
aws | AWS | ec2 terminate, s3 rb, rds delete |
azure | Azure | group delete, vm delete |
gcp | GCP | projects delete, instances delete |
terraform | Terraform | destroy, apply -auto-approve |
database | SQL | DROP DATABASE, DELETE FROM |
mongodb | MongoDB | db.dropDatabase(), collection.drop() |
mysql | MySQL | mysql -e DROP |
psql | PostgreSQL | psql -c DROP |
redis | Redis | FLUSHALL, FLUSHDB |
base | System | Fork bomb, reboot, shutdown |
network | Network | iptables -F, ufw disable |
heroku | Heroku | apps:destroy, addons:destroy |
All groups are enabled by default. The strict variants (fs-strict, git-strict, kubernetes-strict) provide broader coverage for teams that want more protection.
Viewing your configuration
To see a human-readable summary of all settings:
shellfirm config showFor a more detailed status view including context detection:
shellfirm statusResetting to defaults
To reset your configuration to the shellfirm defaults:
shellfirm config resetThis will prompt you to either overwrite or create a backup of your existing configuration.
Next steps
- Learn about context-aware protection to configure branch and environment detection
- Set up team policies with
.shellfirm.yaml - Explore the full configuration reference