SecureShell uses a three-tier risk classification system to categorize commands before they reach the gatekeeper.
Commands that are safe and read-only.
Examples:
ls,dir- List filespwd,cd- Navigate directoriescat,type- Read filesecho- Print textwhoami- Show current userdate,time- Display timeenv- Show environment variables (read-only)
Behavior:
- No gatekeeper evaluation - Executes immediately
- Still subject to sandbox path restrictions
- Logged in audit trail
Commands that modify state but are
typically safe with oversight.
Examples:
mkdir- Create directorytouch- Create empty filecp,copy- Copy filesmv,move,ren- Move/renamegit add,git commit- Version controlnpm install- Install dependenciespython script.py- Run scripts
Behavior:
- Gatekeeper evaluates before execution
- Requires reasoning from agent
- May be allowed, denied, or challenged
- Logged with gatekeeper decision
Commands that can cause irreversible damage or security issues.
Examples:
rm -rf /,del /f /s /q- Recursive deletedd- Disk operationsmkfs,format- Format driveschmod 777- Dangerous permissionscurl ... | bash- Execute remote code:(){ :|:& };:- Fork bombssudocommands - Privilege escalation
Behavior:
- Gatekeeper evaluates with high scrutiny
- Almost always denied unless strong reasoning
- Requires explicit approval in some templates
- Heavily logged
The risk classifier uses regex patterns to match commands:
// TypeScript example
const classifier = new RiskClassifier();
const tier = classifier.classify('rm -rf /');
// Returns: RiskTier.RED# Python example
classifier = RiskClassifier()
tier = classifier.classify('rm -rf /')
# Returns: RiskTier.REDYou can customize risk classification (advanced):
// TypeScript
const shell = new SecureShell({
config: {
// Treat all npm commands as GREEN
customGreenPatterns: ['^npm (list|ls|view)'],
// Treat specific commands as RED
customRedPatterns: ['^dangerous-tool']
}
});Set minimum risk level that triggers gatekeeper:
const shell = new SecureShell({
config: {
riskThreshold: 'YELLOW' // Only evaluate YELLOW and RED
}
});Options:
'GREEN'- Evaluate everything (very strict)'YELLOW'- Evaluate YELLOW and RED (default)'RED'- Only evaluate RED commands (permissive)
^(ls|dir)(\s|$) # List files
^pwd$ # Print working directory
^echo\s # Echo command
^cat\s+[^\|>] # Cat without pipes^(mkdir|md)(\s|$) # Make directory
^git\s+(add|commit) # Git operations
^npm\s+install # Package install
^(cp|copy)\s # Copy files^rm\s+-rf\s+/ # Recursive delete root
^dd\s+if= # Disk operations
^chmod\s+777 # Dangerous permissions
\|\s*bash$ # Pipe to bashSome commands may be misclassified. Use gatekeeper reasoning:
// Command classified as RED but is actually safe
await shell.execute(
'rm -rf ./test-output',
'Cleaning up test directory - only removing ./test-output folder'
);
// Gatekeeper will evaluate context and may allowSecurity templates can override risk behavior:
Paranoid Template:
- GREEN commands still pass through gatekeeper
- YELLOW and RED almost always denied
Development Template:
- GREEN commands execute immediately
- YELLOW commands usually allowed with basic reasoning
- RED commands require strong reasoning
See Security Templates for details.
All commands are logged with their risk tier:
{
"timestamp": "2026-01-30T01:00:00.000Z",
"command": "ls -la",
"risk_tier": "GREEN",
"gatekeeper_decision": null,
"success": true
}{
"timestamp": "2026-01-30T01:00:05.000Z",
"command": "rm -rf /tmp/cache",
"risk_tier": "RED",
"gatekeeper_decision": "ALLOW",
"gatekeeper_reasoning": "Removing temporary cache folder is safe",
"success": true
}- Trust the classification - Don't bypass it without good reason
- Provide context - Good reasoning helps gatekeeper make better decisions
- Review logs - Check audit logs for misclassifications
- Start strict - Use
paranoidtemplate initially, relax as needed - Test safely - Test command patterns in safe environment first
- Zero-Trust Gatekeeper - How commands are evaluated
- Audit Logging - Understanding the audit trail
- Security Templates - Pre-configured risk policies