A speed bump for your terminal — and your AI agent
shellfirm intercepts dangerous shell commands with math challenges, context-aware escalation, and safer alternatives before rm -rf becomes regret.

What it does
shellfirm sits between you and your shell, pattern-matching commands against 100+ risky patterns across filesystem, git, K8s, Terraform, Docker, cloud CLIs, and databases. When it catches something dicey, it throws up a friction layer — a simple math challenge you must solve to proceed — and shows the blast radius plus a safer alternative. It also logs every interception as JSON for later forensics.
The interesting bit
The project treats human fallibility and AI agent recklessness as the same problem, just at different speeds. The MCP server integration is the tell: shellfirm exposes itself as a tool that Claude Code or Cursor can call to check commands before generating them, not just after. The “additive-only” team policy file (.shellfirm.yaml) is a nice trust model — anyone can tighten rules, nobody can loosen them centrally.
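The additive-only trust model described above, sketched as an added example; it is not shellfirm's code or its .shellfirm.yaml schema. The rule ids, patterns and the confirm < math < deny ladder are constructed assumptions. An overlay may add rules or raise a level, while any disable, downgrade or pattern rewrite is refused and reported.

```python
# Added illustration: additive-only policy merge. The schema, rule ids and
# friction ladder are constructed for this example, not shellfirm's format.
from dataclasses import dataclass

# Hypothetical friction ladder, weakest to strongest.
LEVELS = {"confirm": 0, "math": 1, "deny": 2}

@dataclass(frozen=True)
class Rule:
    pattern: str   # regex a command would be matched against
    level: str     # key in LEVELS

def merge_additive(base, overlay):
    """Apply overlay (rule id -> Rule, or None to disable) without loosening base."""
    effective = dict(base)
    rejected = []
    for rule_id, change in overlay.items():
        current = base.get(rule_id)
        if change is None:
            # Disabling a baseline rule loosens policy: refuse and report.
            if current is not None:
                rejected.append((rule_id, "disable"))
            continue
        if change.level not in LEVELS:
            rejected.append((rule_id, "unknown level"))
            continue
        if current is None:
            effective[rule_id] = change          # new rule: always allowed
        elif change.pattern != current.pattern:
            # Rewriting a baseline pattern could narrow what it matches.
            rejected.append((rule_id, "pattern change"))
        elif LEVELS[change.level] < LEVELS[current.level]:
            rejected.append((rule_id, "downgrade"))
        else:
            effective[rule_id] = change          # same or stricter level
    return effective, rejected

# Constructed sample data.
BASE = {
    "fs:rm_rf": Rule(r"rm\s+-rf\b", "math"),
    "git:force_push": Rule(r"git\s+push\s+.*--force", "math"),
}
OVERLAY = {
    "git:force_push": Rule(r"git\s+push\s+.*--force", "deny"),   # tighten
    "fs:rm_rf": Rule(r"rm\s+-rf\b", "confirm"),                  # loosen
    "k8s:delete_ns": Rule(r"kubectl\s+delete\s+ns\b", "math"),   # add
}
EFFECTIVE, REJECTED = merge_additive(BASE, OVERLAY)
```

Reporting the rejected entries rather than dropping them silently gives reviewers a record of every attempt to weaken the baseline.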
Key highlights
- 100+ detection patterns across 9 ecosystems, 8 shells supported
- Context-aware escalation: harder challenges when root, SSH’d, on protected git branches, or in prod K8s clusters
- Runtime blast-radius detection — e.g., “Deletes 347 files (12.4 MB)”
- MCP server with four tools: check_command, suggest_alternative, explain_risk, get_policy
- One-command Claude Code integration: shellfirm connect claude-code
- Distributed via npm, Homebrew, and Cargo
Caveats
- The math challenge is cute but thin; determined users or simple agents could parse and solve it programmatically
- No mention of how the 100+ patterns are maintained or versioned — unclear if they auto-update
- The README claims “blocked” for AI hooks but “intercepted” for humans; the actual enforcement mechanism isn’t fully specified
Verdict
Worth a look if you manage a team where juniors, tired seniors, or AI agents touch production. Skip it if you already have rigorous command review in CI or if your threat model includes malicious insiders — this is a safety rail, not a lock.