🤖 AI Summary
A developer frustrated by Codex's all-or-nothing sandboxing built a practical shell-level filter so LLM CLI agents can run commands freely while you retain fine-grained control. The solution uses Bash's DEBUG trap, which fires before each simple command, to intercept the command text via the $BASH_COMMAND variable and hand it to a small Python "command-monitor" that allows or blocks it: the monitor exits non-zero to block, and the trap's `|| exit 1` then terminates the shell before the command runs (Bash only skips the next command on a non-zero DEBUG trap status by itself when `shopt -s extdebug` is set, so the explicit exit is what does the work). The monitor uses a simple allowlist (e.g., cat, ls, grep) with startswith matching, so it is a prefix check on the raw command string rather than a parse of it, and it can be extended to read lists from a file, consult another LLM for approval, or prompt for confirmation, all without changing your normal interactive shell workflow.
Key technical details: add a trap like trap 'python3 /some/script.py "$BASH_COMMAND" || exit 1' DEBUG (or gated by an INSIDE_LLM_AGENT=true env var) so the script runs before each command. Because the trap fires per simple command, each stage of a pipeline or `;`-separated list is checked separately. For non-interactive shells (what Codex uses) the trick is to generate a BASH_ENV file that sets the DEBUG trap and configure your LLM wrapper to pass it (e.g., shell_environment_policy.set = { BASH_ENV = "..."}). This approach is portable to other LLMs that spawn shells but isn't as feature-rich as Claude Code's UI and isn't a complete security solution: a string-based allowlist does not see what `$(...)` substitutions or redirections do, and DEBUG traps are not inherited by subshells unless `set -T` is on. It is a pragmatic, extensible middle ground for safer LLM-driven CLI automation.
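The following is an added example of the command-monitor and BASH_ENV generator described above; it is not the post's own script. It goes a step beyond the summary's startswith allowlist: it tokenises the command with `shlex`, compares the program name exactly (so `catastrophe` does not pass because it begins with `cat`), refuses commands containing command or process substitution that the trap would otherwise only see as part of an allowed command, and writes a BASH_ENV file carrying the trap. The allowlist contents, the `--write-bash-env` flag, and the `set -T` line are assumptions for this example.

```python
#!/usr/bin/env python3
"""command-monitor: decide whether one shell command may run.

Added example, not the code from the post. Assumes the DEBUG trap invokes it as
    trap 'python3 /path/to/command_monitor.py "$BASH_COMMAND" || exit 1' DEBUG
Exit status 0 allows the command; 1 blocks it (the trap's `|| exit 1` then
ends the agent's shell before the command executes).
"""
import os
import shlex
import sys
from typing import Optional

# Hypothetical allowlist of read-only tools; the post's example lists cat, ls, grep.
ALLOWED = {"cat", "ls", "grep", "head", "tail", "wc", "echo", "pwd"}

# Constructs that run commands the trap would not see as a separate simple
# command: command substitution, backticks, process substitution. By default a
# DEBUG trap is not inherited by the subshell these spawn (unless `set -T`).
SUBSTITUTION_MARKERS = ("$(", "`", "<(", ">(")


def first_word(command: str) -> Optional[str]:
    """Program name of a simple command, or None if it cannot be tokenised.

    Leading VAR=value assignments are skipped, and a directory prefix is
    stripped so '/bin/ls' and 'ls' are judged the same way.
    """
    try:
        words = shlex.split(command)
    except ValueError:  # e.g. an unterminated quote
        return None
    for word in words:
        name, sep, _ = word.partition("=")
        if sep and name.isidentifier():
            continue  # FOO=bar cmd ... : still an assignment, keep looking
        return os.path.basename(word)
    return None


def is_allowed(command: str, allowlist=ALLOWED) -> bool:
    """True if the command's program is allowlisted and it carries no
    substitution that could run an unlisted program inside it.

    The DEBUG trap fires once per simple command, so `cat x | sh` and
    `cat x; rm -rf /` reach this function twice and the second call blocks.
    Redirections (`ls > file`) are deliberately not inspected here.
    """
    name = first_word(command)
    if name is None or name not in allowlist:
        return False
    if any(marker in command for marker in SUBSTITUTION_MARKERS):
        return False
    return True


def bash_env_contents(monitor_path: str) -> str:
    """Text of the BASH_ENV file passed to the agent's non-interactive shell.

    Assumes monitor_path contains no single quotes. `set -T` is an assumption
    added so the trap also fires inside $(...) and other subshells.
    """
    return (
        "# generated BASH_ENV: run the command monitor before every command\n"
        "set -T\n"
        f"trap 'python3 {shlex.quote(monitor_path)} \"$BASH_COMMAND\" || exit 1' DEBUG\n"
    )


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "--write-bash-env":
        with open(sys.argv[2], "w", encoding="utf-8") as fh:
            fh.write(bash_env_contents(os.path.abspath(__file__)))
        sys.exit(0)
    cmd = sys.argv[1] if len(sys.argv) > 1 else ""
    if not is_allowed(cmd):
        print(f"command-monitor: blocked: {cmd!r}", file=sys.stderr)
        sys.exit(1)
    sys.exit(0)
```

Generate the BASH_ENV file once with `python3 command_monitor.py --write-bash-env /path/to/agent.bashenv`, then point the wrapper's shell_environment_policy at that path; every command the agent's non-interactive bash runs will then pass through `is_allowed` first.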