shellfirm
shellfirm is a Rust-based safety tool that intercepts dangerous shell commands before execution, protecting both human users and AI agents from destructive operations. It offers context-aware risk detection across 100+ patterns, supports 8 shells, and integrates with AI tools via MCP protocol.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | kaplanelad/shellfirm |
| Owner | kaplanelad |
| Primary language | Rust |
| License | Apache-2.0 — OSI-approved |
| Stars | 920 |
| Forks | 33 |
| Open issues | 2 |
| Latest release | v0.3.10 (2026-05-07) |
| Last updated | 2026-05-15 |
| Source | https://github.com/kaplanelad/shellfirm |
What shellfirm is
shellfirm implements pre-execution command interception through shell hooks, pattern-matching against 100+ risky command signatures across 9 ecosystems (filesystem, git, Kubernetes, Terraform, Docker, AWS/GCP/Azure, databases), with context-aware severity escalation based on SSH session, root privilege, git branch protection, and Kubernetes cluster state. Exposes MCP tools for AI agent integration and audit logging via JSON-lines.
Get the shellfirm source
Clone the repository and explore it locally.
git clone https://github.com/kaplanelad/shellfirm.gitcd shellfirm# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Shell hook installation via `shellfirm init` is required; verify compatibility with your primary shells (8 supported: Zsh, Bash, Fish, Nushell, PowerShell, Elvish, Xonsh, Oils).
- Project-level policies are defined in `.shellfirm.yaml` and are additive-only (cannot weaken parent policies); plan policy inheritance for multi-team deployments.
- Challenge thresholds and severity levels are configurable; set realistic bars to avoid alert fatigue while maintaining safety; test tuning in a non-critical team first.
- Audit logging is enabled by default (JSON-lines output); ensure your logging pipeline can ingest and alert on suspicious command patterns.
- MCP server mode requires explicit setup and must be connected to your AI tool (Claude Code, Cursor); verify MCP endpoint security and network isolation.
When to avoid it — and what to weigh
- Requires Deep Hook Integration — Systems where shell hook injection is blocked, restricted, or incompatible (some hardened CI/CD platforms, containers with custom shells) may bypass or weaken shellfirm enforcement.
- Zero-Trust Threat Model — If your threat model assumes a compromised terminal or shell, shellfirm's hook-based interception is not sufficient; it does not protect against attackers who modify shell rc files or bypass the hook directly.
- High-Throughput Automation — Systems requiring fully non-interactive, deterministic command execution may conflict with shellfirm's challenge prompts; agent mode exists but requires explicit configuration and LLM integration.
- Minimal Dependency Footprint — If your shell environment is extremely constrained (embedded, minimal distro, no Rust runtime), the pre-compiled binary adds deployment overhead; native shell-only solutions would be simpler.
License & commercial use
Apache-2.0 license: permissive, OSI-approved. Allows commercial use, modification, distribution, and private use with mandatory attribution and liability/warranty disclaimers.
Apache-2.0 is a permissive open-source license that explicitly permits commercial use without royalty or proprietary restrictions. You may use shellfirm in commercial products, charge for services built around it, and modify it for internal use. Ensure you retain Apache-2.0 notices and disclaimers. No commercial support, SLA, or indemnification is stated; evaluate vendor support separately if required.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
shellfirm adds a pre-execution checkpoint via shell hooks, raising friction for destructive commands and providing auditable intent capture (JSON-lines logging). However, security depends on shell hook integrity: a compromised terminal or shell rc file can bypass shellfirm. It is not a sandbox and does not isolate execution. Context-aware escalation (SSH, root, production Kubernetes) increases challenge difficulty but relies on accurate environment detection. MCP server exposure to AI agents should be network-isolated and authenticated; specific TLS/auth configuration is not detailed in the excerpt.
Alternatives to consider
sudo / Permission-Based Controls
Traditional Unix permissions restrict who can run destructive commands but do not prevent mistakes by authorized users; shellfirm adds human-aware interception without changing permission models.
Teleport / bastion hosts with audit
Session recording and centralized command logging provide post-facto audit trails for compliance but do not prevent dangerous commands in real-time; shellfirm blocks before execution.
Custom shell aliases / wrapper scripts
Team-maintained bash/zsh wrappers can enforce dangerous-command checks but lack portability across shells, context-aware severity escalation, MCP agent integration, and centralized policy management that shellfirm provides.
Build on shellfirm with DEV.co software developers
Integrate shellfirm into your team's workflow to block risky operations (rm -rf, force-push, cluster deletion) in real-time. Works with AI agents via MCP and supports 8 shells. Install now: npm i -g @shellfirm/cli
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
shellfirm FAQ
Does shellfirm protect against attackers who bypass the shell hook?
Can I whitelist or allowlist certain commands?
Does shellfirm work in CI/CD pipelines?
What happens if shellfirm gets out of sync with my team's policies?
Work with a software development agency
DEV.co helps companies turn open-source tools like shellfirm into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source devops stack.
Prevent Destructive Commands Before They Execute
Integrate shellfirm into your team's workflow to block risky operations (rm -rf, force-push, cluster deletion) in real-time. Works with AI agents via MCP and supports 8 shells. Install now: npm i -g @shellfirm/cli