Shell integration
Require approval for every command in Bash, Zsh, or PowerShell
What shell integration does
When you press Enter on a command, the shell
plugin sends it to Airlock (via airlock-cli). A notification appears on your Airlock mobile app. You
tap Approve or Reject. If
you approve, the command runs; if you reject or don't respond
in time, it does not run. You get a second check before
risky commands (e.g. git push, rm -rf, production deploys) execute.
Supported shells: Bash, Zsh, PowerShell (Windows). Each requires airlock-cli to be installed, signed in, and paired first.
Bash
Opt-in Bash integration that intercepts Enter, calls airlock-cli approve, and only runs the command when the CLI exits 0.
Prerequisites
- Bash (interactive session)
- airlock-cli on your PATH (or set
AIRLOCK_CLI) -
Signed in and paired:
airlock-cli sign-inandairlock-cli pair
Installation
mkdir -p ~/.airlock/shell
# Copy plugin from repo: src/shells/bash/airlock.plugin.bash
cp /path/to/airlock/src/shells/bash/airlock.plugin.bash ~/.airlock/shell/
Add to ~/.bashrc:
export AIRLOCK_CLI="${AIRLOCK_CLI:-$HOME/.airlock/bin/airlock-cli}"
export AIRLOCK_ENABLED=1
export AIRLOCK_FAIL_MODE=open
source "$HOME/.airlock/shell/airlock.plugin.bash"
Then source ~/.bashrc or open a new Bash session.
Zsh
Same behavior as Bash: intercept Enter, call airlock-cli approve, run command only when approved.
Prerequisites
- Zsh (macOS default or Linux install)
- airlock-cli on PATH or
AIRLOCK_CLI - Signed in and paired
Installation
mkdir -p ~/.airlock/shell
cp /path/to/airlock/src/shells/zsh/airlock.plugin.zsh ~/.airlock/shell/
Add to ~/.zshrc:
export AIRLOCK_CLI="$HOME/.airlock/bin/airlock-cli"
export AIRLOCK_ENABLED=1
export AIRLOCK_FAIL_MODE=open
source "$HOME/.airlock/shell/airlock.plugin.zsh"
Then source ~/.zshrc or open a new Zsh session.
PowerShell (Windows)
PowerShell profile that intercepts Enter and sends the
command to airlock-cli. Requires PSReadLine (usually present by default).
Prerequisites
- PowerShell 5 or PowerShell Core (pwsh) on Windows
- airlock-cli (e.g.
airlock-cli.exe) on PATH or in a known folder - Signed in and paired
Installation
New-Item -ItemType Directory -Force -Path "$HOME\.airlock\shell"
Copy-Item "path\to\airlock\src\shells\posh\airlock.profile.ps1" "$HOME\.airlock\shell\"
Open your PowerShell profile (create if needed): notepad $PROFILE. Add:
$env:AIRLOCK_CLI = "$HOME\.airlock\bin\airlock-cli.exe"
$env:AIRLOCK_ENABLED = "1"
$env:AIRLOCK_FAIL_MODE = "open"
. "$HOME\.airlock\shell\airlock.profile.ps1"
Reload: . $PROFILE or reopen PowerShell.
Environment variables (all shells)
| Variable | Default | Description |
|---|---|---|
AIRLOCK_CLI | airlock-cli | Path to the airlock-cli binary |
AIRLOCK_ENABLED | 1 | Set to 0 to disable interception |
AIRLOCK_FAIL_MODE | open | open =
run the command when CLI fails/timeout; closed = block |
Quick reference
- Use Airlock on every command — Keep
AIRLOCK_ENABLED=1and source the plugin in your rc/profile. - Run without approval temporarily — Set
AIRLOCK_ENABLED=0and reload your config. - Block when CLI fails — Set
AIRLOCK_FAIL_MODE=closedbefore sourcing the plugin.
Full user guides and implementation details: shells (bash, zsh, posh).