Tirith protects AI coding agents at every layer, from the configs they read to the commands they execute.
Run tirith mcp-server or use tirith setup <tool> --with-mcp to register tirith as an MCP server. AI agents can call these tools before taking action:
tirith_check_commandAnalyze shell commands for pipe-to-shell, homograph URLs, env injection, and more.
tirith_check_urlScore URLs for homograph attacks, punycode tricks, shortened URLs, raw IPs.
tirith_check_pasteCheck pasted content for ANSI escapes, bidi controls, zero-width characters.
tirith_scan_fileScan a file for hidden content, invisible Unicode, config poisoning.
tirith_scan_directoryRecursive directory scan with AI config file prioritization.
tirith_verify_mcp_configValidate MCP configs for insecure servers, shell injection in args, wildcard tools.
tirith_fetch_cloakingDetect server-side cloaking (different content for bots vs browsers).
tirith scan detects prompt injection and hidden payloads in AI config files. It prioritizes and scans 50+ known AI config file patterns:
Skill activation triggers, permission bypass attempts, safety dismissal, identity reassignment, cross-tool override instructions.
Zero-width characters, bidi controls, soft hyphens, Unicode tags hiding instructions.
Insecure HTTP connections, raw IP servers, shell metacharacters in args, duplicate server names, wildcard tool access.
Beyond one-shot scanning, tirith ai tracks how your AI config files change over time. Record a baseline snapshot, then diff against it to catch instructions or capabilities that were quietly added, the kind of edit a human reviewer skims past.
ai_config_hidden_instruction_added · HIGHA diff adds a hidden or invisible instruction to an AI config since the last snapshot. Markdown is normalized first, so a pure reformat fires nothing.
ai_config_tool_use_escalation · HIGHA diff grants an agent new tool-use capabilities (filesystem write, network, or secrets access) in a config or agent definition.
tirith ai quarantine copies a suspect file aside and leaves the original untouched. --move is the destructive opt-in.
Drift rules are diff-triggered. They need a baseline and don't fire on a single open buffer (including in the editor LSP). Run tirith ai snapshot first.
Detects content invisible to humans but readable by AI in HTML, Markdown, and PDF:
| Technique | Details |
|---|---|
| CSS hiding | display:none, visibility:hidden, opacity:0, font-size:0, off-screen positioning |
| Color hiding | White-on-white text, similar foreground/background (contrast ratio < 1.5:1) |
| HTML/MD comments | Long comments hiding instructions for AI agents |
| PDF hidden text | Sub-pixel rendered text (font-size < 1px) invisible to readers but parseable by LLMs |
tirith fetch compares server responses across 6 user-agents to detect when servers serve different content to AI bots vs browsers:
Use tirith setup <tool> for one-command configuration:
For detailed per-tool setup guides, see MCP Integration.