YAML policy files configure how tirith responds to detected threats.
Tirith discovers policy files by walking up the directory tree from the current working directory to the nearest .git boundary, looking for:
.tirith/policy.yaml (then .yml)
~/.config/tirith/policy.yaml
Controls behavior when the engine encounters an error. open allows execution to proceed, closed blocks execution on error. Default: open.
A list of glob patterns for domains and URLs that should be excluded from findings. Matching URLs will not trigger any rules. Supports wildcards.
A list of glob patterns for domains that should always be blocked, regardless of rule results. Blocklist overrides allowlist when both match.
Override the default severity for specific rule IDs. Valid values: block, warn, info. This lets you tune which rules block execution vs. just warn.
When true, users can set TIRITH_BYPASS=1 to skip blocking. Default: false. Useful for CI environments where a human has reviewed the command.
Team and Enterprise tiers can manage policies centrally through the admin console. The CLI fetches the active policy from the server on startup and caches it locally. Local policy files are merged with the server policy, with the server taking precedence.
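To check which local file the discovery order at the top of this page would select from a given directory, the walk can be reproduced as below. This is an added example, not tirith's own code. It assumes that the directory holding .git is itself searched before the walk stops and that the per-user file is used only when the walk finds nothing; find_policy and demo are hypothetical names.

```python
import tempfile
from pathlib import Path
from typing import Optional

CANDIDATES = (".tirith/policy.yaml", ".tirith/policy.yml")  # order given on the page


def find_policy(start: Path, user_config: Path) -> Optional[Path]:
    """Pick the policy file per the documented search order.

    Assumptions: the directory holding .git is searched before the walk
    stops, and the per-user file is used only when the walk finds nothing.
    """
    current = start.resolve()
    while True:
        for name in CANDIDATES:
            if (current / name).is_file():
                return current / name
        # .git is a directory in a normal clone, a file in a worktree/submodule.
        if (current / ".git").exists() or current.parent == current:
            break
        current = current.parent
    return user_config if user_config.is_file() else None


def demo() -> dict:
    """Constructed tree: a policy above the repo root must not be picked up."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        repo = root / "outer" / "repo"
        work = repo / "src" / "pkg"
        work.mkdir(parents=True)
        (repo / ".git").mkdir()
        user = root / "home" / "policy.yaml"  # stands in for ~/.config/tirith/policy.yaml
        stray = root / "outer" / ".tirith" / "policy.yaml"
        for f in (user, stray):
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text("# constructed\n")
        pick = lambda: find_policy(work, user).relative_to(root).as_posix()
        out = {"none_in_repo": pick()}
        (repo / ".tirith").mkdir()
        (repo / ".tirith" / "policy.yml").write_text("# constructed\n")
        out["yml_only"] = pick()
        (repo / ".tirith" / "policy.yaml").write_text("# constructed\n")
        out["yaml_and_yml"] = pick()
        return out


if __name__ == "__main__":
    print(demo())
```

Run from a project subdirectory, find_policy(Path.cwd(), Path.home() / ".config/tirith/policy.yaml") reports the file these assumptions would select; it does not account for a server-managed policy.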