Fewshell: A Self-Hosted SSH Copilot That Refuses to Run Commands Without Human Approval
Fewshell is a collaborative, self-hosted mobile+desktop SSH copilot designed for on-calls, DevOps, MLOps, AI researchers, sysadmins, and self-hosting enthusiasts. Its core design principle: AI will never run any command without human approval. There is no setting to enable command auto-approval – by design, to eliminate any risk of accidental misconfiguration.
Why It Exists
The author, an ex-Amazon Sr. SDE for Alexa AI now working on AI safety research for agentic RLVR, created Fewshell after seeing high-profile incidents where an AI agent deleted a production database. The tool is intended to be the opposite of an autonomous agent. Use cases include:
- Quickly restart, fix, or update an autonomous agent (e.g., OpenClaw) remotely, without using the agent itself (e.g., if it fails to start).
- Start a long-running command from desktop and check on it from mobile.
- Manage a self-hosted server and run admin commands on the go.
- Run serverless infrastructure and fix things remotely via a bastion.
- Keep a full transcript of every command you've ever run on your infrastructure, useful for postmortems.
- Share a terminal with a collaborator (e.g., two-person rule).
Architecture & Security
Fewshell is self-hosted, with no cloud dependency. Communication between client and server uses an SSH tunnel. Secrets are stored in the system keychain and are redacted before being sent to the LLM. The server holds secrets in memory for command use and replication across authenticated devices, and the private SSH key never leaves the client device.
Optional features include push notifications for long-running commands via a relay service, and SSH public key provisioning during initial device pairing.
Features
- Cross-platform GUI clients: iOS, macOS, Linux, Android (Windows planned).
- Built in Flutter – low memory footprint, native execution.
- Secret management: user and per-project secrets stored in keychain with per-secret LLM visibility control.
- Cross-device sync using your own server.
- Command snippet library for reusable commands injected into LLM context.
- Session archival – full transcripts for postmortems.
- BYOM (Bring Your Own Model): supports OpenAI, Anthropic, Google, DeepSeek, Ollama, Groq, xAI, OpenRouter, and more.
- Custom agent instructions: user and per-project system prompts with template variables.
Quick Start
tl;dr – Using SSH on mobile is painful. Modern AI is really good at shell commands, but letting AI control infrastructure is dangerous. Fewshell's three core principles: secure defaults (mandatory SSH and secrets management), must be self-hosted (cloudless desktop-mobile sync), and human-first (AI will not run any command without approval).
To get started, visit the GitHub repo or get.fewshell.com for download links.
📖 Read the full source: HN AI Agents
👀 See Also
Reflect MCP Server Implements Reflexion Paper for Persistent Coding Agent Memory
A developer implemented the Reflexion paper (Shinn et al., NeurIPS 2023) as an MCP server to give local coding agents persistent memory of their mistakes. The system uses regex-based pattern matching on error messages and stores lessons in SQLite with FTS5.
Multi-Model Council Workflow for AI Coding Agents
A developer built a web tool that runs coding tasks through three AI models—GPT-4o as architect, Claude as skeptic, and Gemini as synthesizer—before passing them to coding agents. The tool generates a PLAN.md with explicit constraints and requires users to bring their own API keys.
A2P: An MCP Server That Enforces Engineering Discipline for AI Coding Agents
A2P (Architect-to-Product) is an AI engineering framework packaged as an MCP server that enforces a gated workflow: Architecture → Plan → Build → Audit → Security → Deploy, with each feature slice requiring RED → GREEN → REFACTOR → SAST → DONE progression.
AIDA: Open-Source Platform for AI-Powered Penetration Testing
AIDA is an open-source platform that provides AI agents with a full penetration testing environment via MCP connection to a Docker container. The latest version replaces the 40GB Exegol requirement with a purpose-built 1GB container containing essential security tools.