I built a CLI tool and Rust crate that solves a problem I kept running into: shell escaping breaking commands when piping them through SSH, Docker exec, kubectl exec, or cron.
The idea is simple. Instead of fighting with nested quotes and backslashes, you pipe your command through entrouter, which base64-encodes it locally, sends it to the target, decodes it there, and executes it. The command never touches an intermediate shell, so quotes, JSON, special characters all arrive intact.
```shell
echo 'curl -s -X POST -H "Content-Type: application/json" -d {"key":"value"} http://localhost:3000/api' | entrouter ssh root@your-vps
```
No escaping. First try. Every time.
What it does:
- `entrouter ssh` - run commands on remote machines without escaping
- `entrouter docker` - run commands inside containers without escaping
- `entrouter kube` - run commands inside Kubernetes pods without escaping
- `entrouter cron [schedule]` - encode commands into cron-safe lines (no `%` breakage)
- `entrouter exec` - decode and execute locally (safe command storage)
- `entrouter encode/decode/verify` - base64 + SHA-256 fingerprinting for data integrity
- `entrouter raw-encode/raw-decode` - plain base64 for piping
Beyond the CLI, the library side gives you four integrity tools:
- Envelope - wrap data in base64 with a SHA-256 fingerprint. Four flavors: standard, URL-safe, compressed, and TTL (self-expiring).
- Chain - cryptographic audit trail where each link references the previous fingerprint. Tamper with one link and everything after it breaks.
- UniversalStruct - per-field integrity verification. Tells you exactly which field was tampered with, not just "something broke."
- Guardian - checkpoint data at every layer of your pipeline. Tells you exactly which layer corrupted it.
28 tests covering SQL injection strings, null bytes, unicode edge cases, emoji, XSS payloads, Redis protocol characters, path traversal, format strings, and zero-width characters.
A few things that might matter to you:
Single static binary, no runtime. No Python, no Node, no dependencies. cargo install and done.
Multi-host support.
```shell
echo 'systemctl restart nginx' | entrouter ssh root@web1,root@web2,root@web3
```
Runs sequentially, shows output per host.
Connection multiplexing built in. First SSH takes normal time, subsequent calls to the same host reuse the connection and complete near-instantly. Handy if you're scripting a bunch of commands against the same box.
Integrity verification. Every encoded payload gets a SHA-256 fingerprint, so you can verify nothing got mangled in transit if you're paranoid like me. It's ~3MB. That's it. That's the whole tool.
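The base64-plus-fingerprint idea described above, done by hand with coreutils, as an added example (not entrouter's code or wire format). The `fingerprint:payload` layout and the function names are assumptions made for illustration, and GNU `base64` and `sha256sum` are assumed to be installed.

```shell
#!/bin/sh
# Added illustration; layout and names are hypothetical, not entrouter's.
# Note: an unkeyed SHA-256 detects corruption in transit. Anyone who can
# alter the payload can also recompute the fingerprint.

# wrap_cmd CMD -> prints "<sha256 of base64 text>:<base64 of CMD>"
wrap_cmd() {
  _b64=$(printf '%s' "$1" | base64 | tr -d '\n')
  _fp=$(printf '%s' "$_b64" | sha256sum | cut -d' ' -f1)
  printf '%s:%s\n' "$_fp" "$_b64"
}

# is_shell_inert STR -> 0 if STR holds only base64, hex and ':' characters,
# i.e. nothing a shell or crontab would rewrite (quotes, $, %, spaces).
is_shell_inert() {
  case $1 in
    ''|*[!A-Za-z0-9+/=:]*) return 1 ;;
  esac
  return 0
}

# unwrap_cmd ENVELOPE -> prints the original command, or returns 1 when the
# envelope is malformed or the fingerprint does not match. The check runs
# before anything is decoded.
unwrap_cmd() {
  case $1 in *:*) ;; *) return 1 ;; esac
  _fp=${1%%:*}
  _b64=${1#*:}
  _got=$(printf '%s' "$_b64" | sha256sum | cut -d' ' -f1)
  [ "$_got" = "$_fp" ] || return 1
  printf '%s' "$_b64" | base64 -d
}

# Constructed sample: nested quotes plus the $ and % characters that a
# remote shell or crontab would otherwise mangle.
sample='curl -d '\''{"key":"value"}'\'' -H "X-Note: 100% $HOME" http://localhost:3000/api'
wrapped=$(wrap_cmd "$sample")
printf 'envelope: %s\n' "$wrapped"
```

On the receiving side the verified output would be piped to a shell, for example `unwrap_cmd "$wrapped" | sh`, so a mismatch produces no input to execute.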
I know heredoc and base64 piping exist, I've done that dance too. This just wraps it into something I don't have to think about anymore. If you manage boxes and regularly SSH commands with gnarly quoting, give it a look.
`cargo install entrouter-universal`
GitHub: https://github.com/Entrouter/entrouter-universal
crates.io: https://crates.io/crates/entrouter-universal
Docs: https://docs.rs/entrouter-universal
Would love to hear feedback or ideas for other transports worth supporting.
Just looking to see if this could be helpful for anyone.
Thanks