Custom Tools

Use shellfirm wrap with any interactive CLI tool

shellfirm wrap works with any interactive command-line tool, not just databases. You can wrap custom REPLs, infrastructure CLIs, and any tool where you type commands interactively.

Basic usage

shellfirm wrap <command> [args...]

Any command that reads input interactively can be wrapped:

# MongoDB shell
shellfirm wrap mongosh "mongodb://prod.mongo.com/myapp"

# Terraform console
shellfirm wrap terraform console

# AWS CLI interactive mode
shellfirm wrap aws cloudshell

# Any custom REPL
shellfirm wrap ./my-admin-tool --env production

Configuring custom tools

Add per-tool configuration in ~/.shellfirm/settings.yaml:

wrappers:
  tools:
    mongosh:
      delimiter: ";"
      check_groups:
        - mongodb
        - database

    terraform:
      delimiter: "\n"
      check_groups:
        - terraform

    my-admin-tool:
      delimiter: "\n"
      check_groups:
        - base

Choosing a delimiter

The delimiter determines when shellfirm checks the accumulated input:

Delimiter    Use when
;            SQL-like tools where statements end with semicolons
\n           Line-oriented tools where each line is a command

If you are not sure, use \n (newline). This checks every line of input, which is the safest option.

Choosing check groups

By default, all enabled check groups are active. For wrapped tools, you usually want to limit checks to relevant groups to avoid false positives:

wrappers:
  tools:
    mongosh:
      check_groups:
        - mongodb    # MongoDB-specific patterns
        - database   # Generic database patterns

Adding custom patterns for your tools

If your tool has specific dangerous commands that are not covered by built-in patterns, add custom checks:

# In ~/.shellfirm/settings.yaml or .shellfirm.yaml
checks:
  - id: "custom:admin_reset"
    from: base
    test: "admin\\s+reset\\s+--all"
    severity: Critical
    description: "Resets all admin settings to defaults"

  - id: "custom:purge_data"
    from: base
    test: "purge\\s+--force"
    severity: High
    description: "Purges data without confirmation"
    filters:
      - type: NotContains
        value: "--dry-run"
    alternative: "purge --dry-run"
    alternative_info: "Preview what would be purged first"
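
Before relying on custom checks like the two above, it helps to run them against input that should and should not trigger. The following is an added example, not shellfirm's own code: it models the matching in Python's re module rather than shellfirm's regex engine, and the function names, the SAMPLE input, and the assumed semantics (split on the delimiter, search the regex in each statement, NotContains suppresses the match when the value is present) are illustrative assumptions.

```python
import re

# The two custom checks from the settings example above.
# In the YAML, "\\s" inside double quotes is the regex token \s.
CHECKS = [
    {"id": "custom:admin_reset", "test": r"admin\s+reset\s+--all",
     "severity": "Critical", "filters": []},
    {"id": "custom:purge_data", "test": r"purge\s+--force",
     "severity": "High",
     "filters": [{"type": "NotContains", "value": "--dry-run"}]},
]

def split_statements(buffer, delimiter):
    """Split accumulated input on the configured delimiter, dropping empty pieces."""
    return [s.strip() for s in buffer.split(delimiter) if s.strip()]

def matching_checks(statement, checks=CHECKS):
    """Return the ids of checks whose regex matches and whose filters all pass."""
    hits = []
    for check in checks:
        if not re.search(check["test"], statement):
            continue
        # Assumed semantics: NotContains keeps the match only if the value is absent.
        if all(f["value"] not in statement
               for f in check["filters"] if f["type"] == "NotContains"):
            hits.append(check["id"])
    return hits

def review(buffer, delimiter="\n"):
    """Map each statement in the buffer to the checks it would trigger."""
    return {s: matching_checks(s) for s in split_statements(buffer, delimiter)}

# Constructed session input for the hypothetical my-admin-tool REPL.
SAMPLE = "list-users\nadmin  reset --all\npurge --force --dry-run\npurge --force\n"

if __name__ == "__main__":
    for statement, ids in review(SAMPLE).items():
        print(f"{statement!r:30} -> {ids or 'no match'}")
```

Keeping a list of must-match and must-not-match commands next to your settings file makes it easy to catch a pattern that is too loose or too strict when you edit it.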

Examples

MongoDB

shellfirm wrap mongosh "mongodb://prod.mongo.com/myapp"
// Safe operations work normally:
myapp> db.users.find({active: true}).count()
14523

// Dangerous operations are intercepted:
myapp> db.users.drop()
// ============ RISKY COMMAND DETECTED ============
// Severity: CRITICAL

Custom admin CLI

shellfirm wrap ./admin-cli --env production
admin> list-users
(results displayed)

admin> delete-all-users --force
// ============ RISKY COMMAND DETECTED ============
// Severity: CRITICAL

Wrapping non-interactive commands

While shellfirm wrap is designed for interactive sessions, you can also use it with semi-interactive tools that accept piped input:

echo "DROP TABLE users;" | shellfirm wrap psql -h prod.db.com

However, for non-interactive usage, shellfirm check is usually more appropriate:

shellfirm check --command "DROP TABLE users;" --test