Destructive-command guard
A typo on a production box can wipe a database or brick a server in one keystroke — so NetShell watches the line you're about to send and stops the catastrophic ones before they leave your device.
What the guard does
The destructive-command guard is a client-side safety net built into the NetShell terminal. As you type, it assembles the current line and checks it against a set of high-risk patterns. When a match is found, NetShell intercepts the command before it reaches the wire and asks you to confirm what you're about to do. Nothing is silently rewritten and nothing is sent to the server until you decide — the guard simply gives you one deliberate pause on the commands that have no undo.
It runs entirely on your iPhone, iPad, or Mac. There's no server component, no log of your commands sent anywhere, and it works the same whether you're on a direct connection or chained through a jump host.
Which patterns are intercepted
The guard targets commands whose damage is immediate and irreversible. The current list includes, among others:
- Recursive force deletes — rm -rf and its variants, the classic way to erase a tree (or an entire filesystem) with no recovery.
- Destructive SQL — DROP TABLE and TRUNCATE TABLE, which discard schema or every row in a table instantly.
- History-rewriting Git — git push --force and git reset --hard, which can overwrite a shared branch or throw away uncommitted work.
- Power and runlevel changes — shutdown and reboot (and equivalent init/runlevel switches), which can take a remote machine offline where you may have no out-of-band access.
- Cluster-scale deletes — kubectl delete namespace, which can tear down everything inside a Kubernetes namespace in one command.
- Release teardown — helm uninstall, which removes a deployed Helm release and its resources.
- Pipe-to-shell — patterns that pipe downloaded or arbitrary content straight into a shell (| bash and similar), a common way to execute code you haven't read.
This is a representative set, not an exhaustive contract — the pattern list is curated and grows over time as new high-blast-radius commands are identified.
How confirmation works
When you type a flagged command and press return, NetShell catches it at the keystroke level rather than passing it through. The terminal reconstructs the line you assembled — accounting for backspaces and edits, so you're judged on the final command, not a half-typed draft — and surfaces a confirmation step. From there you can deliberately proceed if the command is exactly what you intended, or cancel and keep editing. Cancelling sends an interrupt so nothing partial executes on the far side.
The point is friction in exactly one place: the moment before an unrecoverable action. Ordinary commands flow through untouched, so day-to-day work in the terminal feels normal.
curl ... | bash script before you run it — the guard buys you a beat to do exactly that.
Why client-side
Catching dangerous lines on your device — before they're transmitted — means the protection works even when you're operating as root, even on a server you don't control, and even when the remote shell has no safeguards of its own. The server never has a chance to act on a command you didn't mean to send, because it never receives it. It also keeps your command history private: the guard inspects the line locally and nothing about what you type is reported off-device. NetShell ships with no telemetry by default; analytics are strictly opt-in.
Limitations
The guard is one layer of defense, and it's important to understand what it does not do:
- Pattern-based, not semantic. It recognises known dangerous shapes. A destructive action expressed in an unusual way — an alias, a custom script name, an obfuscated one-liner, or a command the list doesn't yet cover — can pass through unflagged.
- It can't see inside scripts. Running ./deploy.sh looks harmless to the guard even if that script contains an rm -rf. It inspects the line you send, not the code it triggers remotely.
- Not a permissions system. It won't stop a command you legitimately confirm, and it isn't a replacement for least-privilege accounts, restricted sudo, or proper backups.
- Terminal scope. The guard applies to interactive terminal input. It is not a content scanner for files moved over SFTP or SMB.
Treat it as a last-second sanity check that turns muscle-memory accidents into deliberate decisions — not as a guarantee that every harmful command is caught.
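The line reconstruction described under "How confirmation works" and the pattern-only matching described under "Limitations", as an added Python example that is not NetShell's code. The pattern list, the key codes handled (backspace, Ctrl-U, return) and the use of Ctrl-C as the cancel interrupt are assumptions made for illustration.

```python
import re

# Constructed pattern set covering the categories this page lists; it is an
# assumption for illustration, not NetShell's actual list or matching rules.
PATTERNS = [(name, re.compile(rx, re.I)) for name, rx in [
    ("recursive force delete", r"\brm\s+(?:-\S+\s+)*-\w*(?:r\w*f|f\w*r)"),
    ("destructive SQL",        r"\b(?:DROP|TRUNCATE)\s+TABLE\b"),
    ("history-rewriting git",  r"\bgit\s+(?:push\b.*\s--force|reset\b.*\s--hard)\b"),
    ("power change",           r"^\s*(?:sudo\s+)?(?:shutdown|reboot)\b"),
    ("cluster-scale delete",   r"\bkubectl\s+delete\s+namespace\b"),
    ("release teardown",       r"\bhelm\s+uninstall\b"),
    ("pipe to shell",          r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b"),
]]

def assemble(keys):
    """Rebuild the final line from raw keystrokes (simplified line editor)."""
    buf = []
    for ch in keys:
        if ch in "\x7f\x08":        # backspace/delete removes one character
            if buf:
                buf.pop()
        elif ch == "\x15":          # Ctrl-U discards the whole draft
            buf.clear()
        elif ch in "\r\n":          # return ends the line
            break
        elif ch.isprintable():
            buf.append(ch)
    return "".join(buf)

def classify(keys):
    """Return (final_line, matched_category or None)."""
    line = assemble(keys)
    for name, rx in PATTERNS:
        if rx.search(line):
            return line, name
    return line, None

def on_return(keys, confirm):
    """Decide what is forwarded when return is pressed.
    Assumption: cancel is modelled as sending Ctrl-C (0x03)."""
    line, name = classify(keys)
    if name and not confirm(line, name):
        return "\x03"               # cancelled: interrupt instead of return
    return "\r"                     # unflagged or confirmed: send as typed
```

Passing "./deploy.sh" to classify returns no category, which is the "can't see inside scripts" limitation in practice.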
Where it fits in NetShell's security model
The command guard sits alongside two other layers. Host verification runs at handshake time and fails closed, so your credentials are never sent to an unknown or changed host. The app-level Face ID lock reseals NetShell after idle, so an unlocked-but-unattended device still can't reach your servers. And your keys live in the hardware-backed iOS Keychain, protected by Face ID and synced only through Apple's end-to-end encrypted iCloud Keychain. Together these are designed so a single slip — a fat-fingered command, a borrowed device, a swapped server — doesn't hand over your infrastructure.
NetShell is a free SSH client for iPhone, iPad & Mac with no subscription. Download it on the App Store to try the guard in your own terminal.