Tirith is a terminal security guardrail that inspects what you paste or run in your shell and blocks or warns on suspicious patterns before execution, addressing an area where terminals traditionally provide almost no protection. It targets real-world attack classes like Unicode homograph URLs (lookalike domains), terminal injection tricks (ANSI escape sequences and bidi overrides), and “pipe-to-shell” installation patterns such as curl | bash that attackers frequently abuse. The project emphasizes local-only analysis with no telemetry and no background daemons, so it can run offline and keep sensitive command context on-device. It integrates into popular shells via hooks (zsh, bash, fish, and PowerShell), including paste-aware protections so hidden characters or malicious rewrites get caught at the moment they enter the terminal.
Features
- Local-only detection of homograph and mixed-script domain attacks
- Terminal injection defenses against ANSI, bidi, and zero-width tricks
- Pipe-to-shell pattern detection with block-or-warn enforcement options
- Shell hook integrations for zsh, bash, fish, and PowerShell
- Policy-driven configuration via YAML with allowlists and severity overrides
- Safer script-run workflow with review prompts and receipt-based auditing