DEV.co
Open-Source DevOps · kaplanelad

shellfirm

shellfirm is a Rust-based safety tool that intercepts dangerous shell commands before execution, protecting both human users and AI agents from destructive operations. It offers context-aware risk detection across 100+ patterns, supports 8 shells, and integrates with AI tools via MCP protocol.

Source: GitHub — github.com/kaplanelad/shellfirm
920
GitHub stars
33
Forks
Rust
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorykaplanelad/shellfirm
Ownerkaplanelad
Primary languageRust
LicenseApache-2.0 — OSI-approved
Stars920
Forks33
Open issues2
Latest releasev0.3.10 (2026-05-07)
Last updated2026-05-15
Sourcehttps://github.com/kaplanelad/shellfirm

What shellfirm is

shellfirm implements pre-execution command interception through shell hooks, pattern-matching against 100+ risky command signatures across 9 ecosystems (filesystem, git, Kubernetes, Terraform, Docker, AWS/GCP/Azure, databases), with context-aware severity escalation based on SSH session, root privilege, git branch protection, and Kubernetes cluster state. Exposes MCP tools for AI agent integration and audit logging via JSON-lines.

Quickstart

Get the shellfirm source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/kaplanelad/shellfirm.gitcd shellfirm# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

AI Coding Agent Safety

Prevents Claude Code, Cursor, and other LLM-based agents from executing destructive commands (force-push, rm -rf, cluster deletions). MCP integration allows agents to query risk before acting.

DevOps Team Risk Reduction

Shared `.shellfirm.yaml` policies enforce team-wide safety rules across CI/CD pipelines, Kubernetes deployments, and infrastructure-as-code workflows; context-aware escalation increases friction for risky operations on production branches.

Human Operator Mistake Prevention

Captcha-style challenges intercept dangerous shell commands in real-time (rm -rf, git --force, database drops), with alternative command suggestions inline.

Implementation considerations

  • Shell hook installation via `shellfirm init` is required; verify compatibility with your primary shells (8 supported: Zsh, Bash, Fish, Nushell, PowerShell, Elvish, Xonsh, Oils).
  • Project-level policies are defined in `.shellfirm.yaml` and are additive-only (cannot weaken parent policies); plan policy inheritance for multi-team deployments.
  • Challenge thresholds and severity levels are configurable; set realistic bars to avoid alert fatigue while maintaining safety; test tuning in a non-critical team first.
  • Audit logging is enabled by default (JSON-lines output); ensure your logging pipeline can ingest and alert on suspicious command patterns.
  • MCP server mode requires explicit setup and must be connected to your AI tool (Claude Code, Cursor); verify MCP endpoint security and network isolation.

When to avoid it — and what to weigh

  • Requires Deep Hook Integration — Systems where shell hook injection is blocked, restricted, or incompatible (some hardened CI/CD platforms, containers with custom shells) may bypass or weaken shellfirm enforcement.
  • Zero-Trust Threat Model — If your threat model assumes a compromised terminal or shell, shellfirm's hook-based interception is not sufficient; it does not protect against attackers who modify shell rc files or bypass the hook directly.
  • High-Throughput Automation — Systems requiring fully non-interactive, deterministic command execution may conflict with shellfirm's challenge prompts; agent mode exists but requires explicit configuration and LLM integration.
  • Minimal Dependency Footprint — If your shell environment is extremely constrained (embedded, minimal distro, no Rust runtime), the pre-compiled binary adds deployment overhead; native shell-only solutions would be simpler.

License & commercial use

Apache-2.0 license: permissive, OSI-approved. Allows commercial use, modification, distribution, and private use with mandatory attribution and liability/warranty disclaimers.

Apache-2.0 is a permissive open-source license that explicitly permits commercial use without royalty or proprietary restrictions. You may use shellfirm in commercial products, charge for services built around it, and modify it for internal use. Ensure you retain Apache-2.0 notices and disclaimers. No commercial support, SLA, or indemnification is stated; evaluate vendor support separately if required.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

shellfirm adds a pre-execution checkpoint via shell hooks, raising friction for destructive commands and providing auditable intent capture (JSON-lines logging). However, security depends on shell hook integrity: a compromised terminal or shell rc file can bypass shellfirm. It is not a sandbox and does not isolate execution. Context-aware escalation (SSH, root, production Kubernetes) increases challenge difficulty but relies on accurate environment detection. MCP server exposure to AI agents should be network-isolated and authenticated; specific TLS/auth configuration is not detailed in the excerpt.

Alternatives to consider

sudo / Permission-Based Controls

Traditional Unix permissions restrict who can run destructive commands but do not prevent mistakes by authorized users; shellfirm adds human-aware interception without changing permission models.

Teleport / bastion hosts with audit

Session recording and centralized command logging provide post-facto audit trails for compliance but do not prevent dangerous commands in real-time; shellfirm blocks before execution.

Custom shell aliases / wrapper scripts

Team-maintained bash/zsh wrappers can enforce dangerous-command checks but lack portability across shells, context-aware severity escalation, MCP agent integration, and centralized policy management that shellfirm provides.

Software development agency

Build on shellfirm with DEV.co software developers

Integrate shellfirm into your team's workflow to block risky operations (rm -rf, force-push, cluster deletion) in real-time. Works with AI agents via MCP and supports 8 shells. Install now: npm i -g @shellfirm/cli

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

shellfirm FAQ

Does shellfirm protect against attackers who bypass the shell hook?
No. shellfirm is a human-facing safety tool, not a security boundary. If an attacker modifies shell rc files or uses a different shell/entry point, shellfirm is circumvented. Use filesystem permissions, SELinux, or AppArmor for security-critical isolation.
Can I whitelist or allowlist certain commands?
Not clearly stated in the excerpt. Configuration docs mention severity thresholds and custom checks, but allowlist/exemption mechanism is not detailed. Requires review of full configuration documentation.
Does shellfirm work in CI/CD pipelines?
Yes, shellfirm supports non-interactive agent mode (documented in 'Agents & Automation' section) and hooks work in containerized CI/CD workflows. Automation may require specific configuration or agent mode enabled to avoid blocking interactive challenges.
What happens if shellfirm gets out of sync with my team's policies?
Policies are stored in `.shellfirm.yaml` (project-level, git-tracked) and are additive-only, preventing accidental weakening. Policy inheritance and team synchronization rely on normal git workflows; no centralized policy server is mentioned.

Work with a software development agency

DEV.co helps companies turn open-source tools like shellfirm into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source devops stack.

Prevent Destructive Commands Before They Execute

Integrate shellfirm into your team's workflow to block risky operations (rm -rf, force-push, cluster deletion) in real-time. Works with AI agents via MCP and supports 8 shells. Install now: npm i -g @shellfirm/cli