A terminal command safety guardrail that intercepts and verifies dangerous shell commands before execution, supporting 8 shells, 100+ risk patterns, and AI agent integration.
shellfirm is a Rust-based terminal command safety guardrail that performs risk detection and interactive verification before commands are actually executed, via shell hook mechanisms.
Its core detection covers 100+ built-in risk patterns across 9 ecosystems—filesystem, Git, Kubernetes, Terraform, Docker, AWS/GCP/Azure CLI, Heroku, and databases—with 5 severity levels (Critical to Info) and configurable interception thresholds. The system features context-aware protection that automatically escalates verification difficulty based on runtime signals such as SSH sessions, root privileges, protected Git branches, and production K8s contexts. Blast radius detection evaluates actual impact scope (e.g., number of files to be deleted, commits a branch is behind). Compound commands connected by &&, ||, |, ; are correctly split and checked individually.
Upon interception, safer alternative commands are suggested (e.g., replacing git push --force with --force-with-lease). For team collaboration, project-level .shellfirm.yaml policy files can be committed (additive-only mode that never weakens security rules). All interception events are logged as JSON-lines audit trails, and users can author custom YAML check rules under ~/.shellfirm/checks/.
For AI coding agent scenarios, shellfirm provides an MCP server mode exposing four tools—check_command, suggest_alternative, explain_risk, and get_policy—adding a pre-execution safety layer for agents like Claude Code and Cursor, with one-shot setup via shellfirm connect claude-code.
Architecturally, it uses Rust dependency injection with all I/O abstracted through Environment and Prompter traits, paired with a 3-tier test system (pure logic, sandboxed integration, YAML decision matrix—102 cases total) enabling fully sandboxed testing with zero real system access. Modular compilation is achieved through feature flags (cli, llm, mcp, ai, wrap, tui). It is cross-platform (Linux, macOS, Windows) and supports 8 shells: Zsh, Bash, Fish, Nushell, PowerShell, Elvish, Xonsh, and Oils.
Installation is available via npm (@shellfirm/cli), Homebrew (kaplanelad/tap), Cargo (crates.io), and pre-built binaries from GitHub Releases. Quick start requires only shellfirm init to install the hook, then restart the shell.
Note: The Cargo.toml declares license = "MIT", but the root LICENSE file is actually Apache-2.0—the LICENSE file takes precedence. The README links to shellfirm.dev which currently fails DNS resolution; the URL in the GitHub About section (shellfirm.vercel.app) is accessible.