diff --git a/.continue/rules/project.md b/.continue/rules/project.md
index 38a955e..3087be2 100644
--- a/.continue/rules/project.md
+++ b/.continue/rules/project.md
@@ -11,7 +11,7 @@ description: SSHRM project conventions
 - Prefer minimal, focused changes that do not alter the intent of the existing scripts, unless the script behavior is intentionally updated.
 - Maintain `.continue/rules/project.md` whenever project conventions or script behavior change.
 - `sshrm` is implemented as a small Bash script with helper functions, while preserving host and line-number removal behavior.
-- `sshrm` should print a short usage line, support `-h`/`--help`, fail clearly on missing or invalid line-number input, and may support a dedicated `--no-backup` option with a `known_hosts.sshrm.bak` backup file.
+- `sshrm` should print a short usage line, support `-h`/`--help`, fail clearly on missing or invalid line-number input, reject extra arguments, and may support a dedicated `--no-backup` option with a `known_hosts.sshrm.bak` backup file.
 
 # Project identity
 - Main script: `sshrm`
diff --git a/README.md b/README.md
index 3d1364a..bcfa610 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,7 @@ sshrm 12
 ## Notes
 
 - Line numbers must be positive integers.
+- Extra arguments are rejected.
 - The script edits `~/.ssh/known_hosts`.
 - Keep a backup if you need to recover entries.
 
diff --git a/sshrm b/sshrm
index 50409ef..7a80805 100755
--- a/sshrm
+++ b/sshrm
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-set -u
+set -euo pipefail
 
 readonly FILENAME="${HOME}/.ssh/known_hosts"
 readonly BACKUP_FILE="${FILENAME}.sshrm.bak"
@@ -62,9 +62,19 @@ if [ "${1-}" = "" ]; then
 	exit 1
 fi
 
+if [ "${2-}" != "" ]; then
+	error "too many arguments."
+	usage
+	exit 1
+fi
+
 check_known_hosts
 
 if is_number "$1"; then
+	if [ "$1" -eq 0 ]; then
+		error "invalid line number."
+		exit 1
+	fi
 	HOST="$(get_host_from_line "$1")"
 	if [ "${HOST}" = "" ]; then
 		error "invalid line number."
@@ -78,4 +88,7 @@ if [ "${backup}" = true ]; then
 	create_backup
 fi
 
-remove_host "$HOST"
+if ! remove_host "$HOST"; then
+	error "removal failed."
+	exit 1
+fi