A safer, smarter shell. safu intercepts destructive commands and explains what's about to happen, audits packages against known-malware and supply-chain signals before you install them, and helps you fix the command you just fumbled. Open source. Local-first. No account, no telemetry, no servers — the only network calls are an opt-out update check and the package audits you ask for.
brew install StackSatoshis/tap/safu curl -fsSL https://safu.sh/install.sh | sh safu wraps the commands you'd use anyway — no new syntax, no shell rewrite. It guards the destructive ones, vets the packages you install, speeds up the navigation you repeat, and cleans up the commands you fumble. All on your machine.
Parses the command before it runs and flags the dangerous patterns — recursive deletes, dd to a disk, wildcard rm in your home directory. Shows file counts and sizes, then asks. Soft-deletes route to a trash you can undo for 7 days.
Before pip, npm, cargo, or brew installs anything, safu checks it against the OSV malicious-package database and registry signals — age, downloads, repo health, typosquatting. Blocks confirmed malware outright.
A smarter cd. safu learns the directories you use most and lets you jump to them in a couple of keystrokes — z proj instead of a long path. The history stays on your machine and never leaves it.
Typo'd a subcommand? Forgot sudo? Type fix (or wtf) and safu suggests the correction. Unlike older tools, it never re-runs a destructive command to figure out the fix — it reads the error you already got.
A tool that intercepts your shell deserves more scrutiny than most. So we built safu to be auditable end-to-end. No account, no telemetry, no servers we operate. It makes exactly two kinds of outbound call — an opt-out update check, and the package audits you ask for, which leave with nothing but a package name — and you can turn both off.
Every line of safu is on GitHub under a permissive license. Releases are built by GitHub Actions from a tagged commit, signed, and published with SHA-256 checksums. You can clone, audit, and rebuild from source to confirm the binary you installed matches the source you read.
The guard, the trash and undo log, and the navigation history all run entirely on your machine — no telemetry, no analytics, no phone-home. Firewall the guard and nothing breaks. Only two things reach the network — the package auditor (checking whether a package is malware means asking a public database about it) and an opt-out update check — and you can disable both.
No account, no login, no cloud sync, no backend we run that could receive your commands, paths, or repo names. safu makes exactly two kinds of outbound call: an opt-out update check, and the package audits you ask for — which query public registries and OSV.dev with nothing but a package name and version, the same thing you'd disclose by installing it. Third-party scanners stay off unless you turn them on with your own key.
The shell installer pulls binaries from GitHub Releases and verifies SHA-256 checksums against the signed checksums.txt in the same release before anything touches your PATH. The Homebrew formula does the same. Refuses to install on mismatch.
The installer is a guided setup, not a black box. Before anything writes to your system, it asks what you want protected, how aggressively, and what — if anything — should be stored locally. You can re-run it any time with safu config.
Off, light, standard, or paranoid. Light only catches the catastrophic stuff — recursive deletes near root, raw dd to disks. Paranoid asks before touching anything outside the current directory.
Toggle individual interceptors — rm, git push --force, dd, chmod -R, package-manager nukes, and more. Leave the rest of your shell completely untouched.
Trash directory for soft-deletes, undo-log retention, and the directory history that powers smart jump (safu z). All optional, all on disk, all wipeable on demand — and you can exclude any path from being remembered.
There are only two outbound paths — the update check and the package auditor. Allow both, disable either, or flip on fully-offline mode and safu makes no network calls at all. The guard works the same either way.
safu keeps a log of what it did — every block, every soft-delete, every audit verdict, every undo. It's plain text, one line per event, sitting in a file you can cat and grep like any other. No database to crack open, no daemon, nothing hidden. The file is the proof that safu only does what it says.
One JSONL line per event in ~/.safu/log. Human-readable, greppable, and wipeable line-by-line with the tools you already have. Configurable retention, on by default for safu's own actions.
safu log opens a fuzzy, time-aware browser — search by command, by what safu did, or by how long ago (today, 3d, 2w). Built in. No fzf to install, works the same on every box.
Opt in at setup to record your whole command history for the same fast search — a local, plain-text answer to Atuin, with no account and no sync. Off by default, with exclude rules so secrets never hit disk.