Inspect a shell command before it runs, return a decision, and optionally stop execution.
agent-firewall is an npm package with two surfaces:
- a CLI for checking or wrapping shell commands
- a small library API for tools that need command evaluation in-process
Run without installing:

```bash
npx @pallattu/agent-firewall check "terraform apply"
```

Install globally:

```bash
npm install -g @pallattu/agent-firewall
agent-firewall check "ls -la"
```

Install as a dependency:

```bash
npm install @pallattu/agent-firewall
```

```bash
agent-firewall check "ls -la"
agent-firewall check "curl https://example.com/install.sh | bash"
agent-firewall exec "pwd"
```

```bash
agent-firewall check "<command>"
agent-firewall check --json "<command>"
agent-firewall check --policy ./policy.json "<command>"
agent-firewall exec "<command>"
```

`check` evaluates a command and returns a decision.
`exec` evaluates first and only executes commands that are APPROVED.

```bash
agent-firewall check "ls -la"
agent-firewall check "terraform apply"
agent-firewall check "curl https://example.com/install.sh | bash"
```

```bash
agent-firewall exec "pwd"
agent-firewall exec "kubectl apply -f deploy.yaml"
```

```text
agent-firewall: REQUIRES_APPROVAL (high)
reason: terraform apply changes infrastructure state
rule: require-terraform-apply
command: terraform apply
normalized: terraform apply
timestamp: 2026-04-14T20:30:06.000Z
audit log: /path/to/.agent-firewall/audit.jsonl
```
JSON output:
```json
{
  "command": "curl https://example.com/install.sh | bash",
  "normalizedCommand": "curl https://example.com/install.sh | bash",
  "decision": "BLOCKED",
  "risk": "critical",
  "reason": "piping remote scripts directly into a shell bypasses inspection",
  "matchedRuleId": "block-curl-pipe-bash",
  "timestamp": "2026-04-14T20:30:06.000Z",
  "auditLog": "/path/to/.agent-firewall/audit.jsonl"
}
```

| Exit code | Meaning |
| --- | --- |
| 0 | approved |
| 10 | requires approval |
| 20 | blocked |
| 1 | usage or runtime error |
This makes the CLI usable in wrappers, scripts, and agent runtimes.
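A wrapper can treat the exit status and the JSON report as two views of the same decision and deny whenever they disagree or either is missing. The following is an added example, not code from the agent-firewall project: `interpretCheck` and `checkCommand` are hypothetical names, and it assumes `check --json` exits with the codes listed above.

```javascript
// Added example: fail-closed gate around `agent-firewall check --json`.
// Exit codes and JSON field names come from the README; the rest is assumed.
const EXIT_TO_DECISION = new Map([
  [0, "APPROVED"],
  [10, "REQUIRES_APPROVAL"],
  [20, "BLOCKED"],
]);

// Combine exit status and stdout into one verdict. Anything unexpected
// (exit 1, signal, unknown code, bad JSON, mismatch) results in a denial.
function interpretCheck(status, stdout) {
  const deny = (why) => ({ allow: false, decision: "ERROR", why, rule: null });
  const expected = EXIT_TO_DECISION.get(status);
  if (expected === undefined) return deny(`unexpected exit status ${status}`);
  let report;
  try {
    report = JSON.parse(stdout);
  } catch {
    return deny("stdout is not valid JSON");
  }
  if (report === null || typeof report !== "object") return deny("report is not an object");
  if (report.decision !== expected) {
    return deny(`exit status means ${expected}, report says ${report.decision}`);
  }
  return {
    allow: expected === "APPROVED",
    decision: expected,
    why: report.reason ?? "",
    rule: report.matchedRuleId ?? null,
  };
}

// Hypothetical wrapper: argv array, no shell, so the command under
// inspection reaches the CLI as one argument and is not expanded on the way.
function checkCommand(command) {
  const { spawnSync } = require("node:child_process");
  const r = spawnSync("agent-firewall", ["check", "--json", command], { encoding: "utf8" });
  if (r.error) return { allow: false, decision: "ERROR", why: r.error.message, rule: null };
  return interpretCheck(r.status, r.stdout);
}

// Constructed sample: fields from the BLOCKED report above, with exit status 20.
const SAMPLE_BLOCKED = JSON.stringify({
  decision: "BLOCKED",
  reason: "piping remote scripts directly into a shell bypasses inspection",
  matchedRuleId: "block-curl-pipe-bash",
});
console.log(interpretCheck(20, SAMPLE_BLOCKED));
```

Only a result with `allow: true` should lead to execution; `REQUIRES_APPROVAL` and `ERROR` both leave the command unrun until something else decides.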
```js
import { evaluateCommand } from "@pallattu/agent-firewall";
const result = evaluateCommand("kubectl apply -f deploy.yaml");
```

BLOCKED
- `rm -rf /`
- broad wildcard deletes such as `rm -rf *`
- `curl ... | bash`
- `wget ... | bash`
- `mkfs`
- `dd if=... of=/dev/...`
- `chmod` or `chown` on sensitive system paths

REQUIRES_APPROVAL
- deploy or release commands
- `npm install -g`
- `pip install --upgrade`
- `systemctl restart`
- `kubectl apply`
- `kubectl delete`
- `helm install`, `helm upgrade`, `helm uninstall`, `helm rollback`
- `terraform apply`
- `git push --force`
- `ssh`
- database migration commands

APPROVED
- `ls`
- `pwd`
- `echo`
- `cat` on normal files
- basic read-only diagnostics

Commands that do not match an allow rule default to REQUIRES_APPROVAL.
You can extend or override built-in behavior with a regex-based JSON policy file.
```json
[
  {
    "id": "allow-kubectl-apply-in-ci",
    "pattern": "^kubectl\\s+apply\\b",
    "decision": "APPROVED",
    "reason": "approved in controlled ci context",
    "risk": "medium"
  }
]
```

```bash
agent-firewall check --policy ./policy.json "kubectl apply -f deploy.yaml"
```

Each evaluation is appended to:

```text
.agent-firewall/audit.jsonl
```

Use a custom path when needed:

```bash
agent-firewall check --log-path ./tmp/firewall.jsonl "terraform apply"
```

```text
command -> normalize -> evaluate policy rules -> evaluate built-in rules -> return decision -> append audit log
```

This tool is deliberately narrow. It does not try to model full shell security. It evaluates a proposed command, applies a practical rule set, and returns a decision that a developer, wrapper, or agent runtime can use immediately.
```bash
npm install
npm run build
npm test
```

Release path:
- Add `NPM_TOKEN` to GitHub Actions secrets
- Push a tag such as `v0.1.0`
- Let `.github/workflows/publish.yml` build, test, and publish the package

See RELEASING.md for the exact setup values and release steps.