Tirith ships a Language Server so your editor flags homograph URLs, hidden instructions in AI configs, and risky patterns inline, as you open and edit files, before anything runs.
tirith lsp server#tirith lsp speaks the Language Server Protocol over stdio. On every didOpen / didChange it routes the file to a per-type analysis profile, runs the same engine as the CLI (no new rules), filters findings to that profile's allow-set, and publishes diagnostics.
Findings that carry a byte offset (e.g. an invisible-Unicode or homoglyph match) get a precise line:col range; everything else is published as a whole-document diagnostic. That's documented v1 behavior. The engine reports findings, not always positions.
The server picks a profile from the file's path and name. AI-config files are analyzed in both the file-scan and paste contexts, and the findings are unioned, so a CLAUDE.md with a suspicious URL still produces a diagnostic.
| Profile | Matches | What it analyzes |
|---|---|---|
| AiConfig | CLAUDE.md, .cursorrules, agent/skill defs, mcp.json | Hidden instructions, invisible Unicode + URL / transport / hostname checks |
| MarkdownInstallDoc | README / install docs | Pipe-to-shell and obfuscated install snippets |
| SourceCode | .py, .js, .ts, … | Obfuscated payloads, dynamic execution, secret exfiltration |
| LogFile | .log | Terminal byte-scan + prompt-injection subset (best-effort) |
Unrecognized file types are skipped. The server only emits diagnostics where it has a profile.
doctor --quick#Extensions poll a fast, read-only status mode (~30s) to show whether protection is live. It returns only four fields, skipping the expensive audit-log / threat-db / baseline probes.
Any editor that speaks LSP can launch tirith lsp as a stdio server for the file types above. To also wire up shell-hook and MCP protection for an editor's integrated terminal and AI agent, use the one-command setup:
The dedicated VS Code extension ships from a separate tirith-vscode repo on its own release cadence; this page documents the editor-agnostic language server it builds on.
.log diagnostics are best-effort. The output-stream rules fire fully only under the CLI's output-analysis path.ai_config_hidden_instruction_added, ai_config_tool_use_escalation) are diff-triggered — they need a snapshot and don't fire on a single open buffer. Use tirith ai diff for those.