Safe Drupal tools for AI agents
Shellwright is a curated, safety-first set of Drupal tools an AI agent reaches over MCP, Drush, or HTTP. Read-only by default. Guarded when it writes. It will never be a shell.
The problem
Today it is all or nothing. To let an agent touch a Drupal site, you hand it a shell: full read, full write, full destroy.
The only thing standing between "check the site" and "drop the database" is a human watching prompts. That does not scale to automation, and it is not safe to point at production.
What it does
Every capability is a bounded tool with a stable, machine-readable contract. Same answer over MCP, Drush, or HTTP.
Eight checks, one JSON contract, safe to run against production because nothing can write.
Roll up the health and security of a whole estate over HTTPS, with a scoped token and no shell on any site.
Opt-in, CLI-only operations that an agent can run only through a gateway that enforces every guard.
Any MCP client calls the tools as first-class functions, no glue code. Drush and HTTP are there too.
The guards
Writes never run except through the gateway, which enforces this order and stops at the first failure.
The line
A product is defined by its refusals. This is the one that competitors and a plain shell cannot copy.
It will never expose a shell, even over MCP.
A generic Drupal MCP could hand out all of these. Shellwright refuses. That refusal is what makes it safe to point at a production site, and it is the product.
How it connects