sheeki03

sheeki03/tirith

Rust AGPL-3.0 Security

Terminal security for developers and AI agents. Intercepts homograph URLs, pipe-to-shell, ANSI injection, obfuscated payloads, data exfiltration, and malicious AI skills/configs before they execute.

2.6k stars
86 forks
active
GitHub +26 / week

2.6k

Stars

86

Forks

18

Open issues

2

Contributors

v0.3.3 19 Jun 2026

AI Analysis

Tirith is a terminal security tool written in Rust that intercepts and blocks malicious commands before execution, protecting against homograph attacks, pipe-to-shell exploits, ANSI injection, obfuscated payloads, and credential exfiltration. It's designed specifically for developers and AI agents who execute untrusted shell commands or install packages, filling a gap that browsers solved years ago but terminals have not. This tool is essential for security-conscious developers, DevOps engine...

Security Security Tool Discovery value: 6/10
Documentation 9/10
Activity 10/10
Community 8/10
Code quality 8/10

Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.

Overall score 8/10

AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.

terminal-security homograph-detection supply-chain-protection unicode-attack-prevention command-interception
Actively maintained Well documented Niche/specialized use case Production ready
Deep Analysis · Based on README and public signals
2w ago

Terminal security interceptor for shell commands and AI agent execution, catching homograph attacks and injection payloads before execution

Tirith is a Rust-based security gate that intercepts shell commands, pastes, and file scans to detect 221 attack patterns across 34 categories: homograph URLs, pipe-to-shell chains, ANSI injection, base64 decode-execute, credential exfiltration, and malicious AI configs. Built for developers and AI agent operators who work with untrusted input. Created February 2026, rapidly gaining traction (2,499 stars in ~5 months, 31 gained in last week), with Vercel OSS program backing. Adoption not yet verified at scale, but README signals active maintenance and production readiness.

Origin

Launched February 2026 as a response to rising homograph and terminal injection attacks, particularly targeting developers copy-pasting commands and AI agents executing untrusted shell directives without validation. Positions itself as the terminal-equivalent of browser URL-bar security, addressing a historically under-protected attack surface.

Growth

Rapid early adoption curve (2,499 stars since February, 31 in the last 7 days as of June 2026) suggests resonance with security-conscious developer and AI-ops communities. Growth rate peaked in initial weeks, now settling into steady weekly gain (~4–5 stars/day). Vercel OSS program sponsorship (Spring 2026 cohort) indicates external validation and hosted visibility. Presence on npm, cargo, brew, apt/dnf, and mise suggests multi-ecosystem distribution strategy from launch.

In production

Adoption not verified. No GitHub discussion, blog posts, or public deployment announcements inspected. README includes no case studies, testimonials, or quantified user base. Presence on multiple package managers suggests infrastructure readiness, but does not confirm production use. Vercel OSS backing and website (tirith.sh) indicate professional project presentation, not necessarily production adoption. Early star velocity is hype signal, not proof of real-world deployment.

Code analysis
Architecture

Likely implements shell-level hooks (via `eval` in shell rc-files) that intercept command strings before execution, routes them through pattern-matching rules, and either blocks/warns or allows continuation. Based on README: supports zsh, bash, fish with near-zero latency claimed. Appears to use a signed threat intelligence database for domain/IP/package reputation. Sub-millisecond overhead implies compiled (Rust) rule engine, not interpreted scripting. No source code inspected; architecture inferred from README and use-case description.

Tests

Not documented in README. CI badge present (GitHub Actions), suggesting automated testing pipeline exists, but test count, coverage percentage, and scope not disclosed.

Maintenance

Repository active as of 2026-06-29 (last push today). CI pipeline passing. Changelog and releases tracked. Created Feb 2026, so only ~4.5 months old; maturity is early-stage but signals are positive. Weekly-to-daily commit cadence (inferred from 31-star gain in 7 days suggesting continued feature/fix work). No evidence of maintenance debt or stalled issues. AGPL-3.0 license may limit some adoption.

Honest verdict

ADOPT IF: you routinely copy-paste shell commands from untrusted sources, manage AI agents that execute arbitrary directives, work in security-sensitive environments, or operate in high-phishing-risk contexts. Zero friction on clean input and Cyrillic homograph detection alone justifies trial. AVOID IF: you operate in deeply air-gapped environments where shell performance and hook overhead are critical, or your compliance model requires approved-vendor-only tools (AGPL-3.0 license may conflict). MONITOR IF: you are a large enterprise considering adoption—real-world production case studies and adoption numbers are absent. Early-stage project with solid technical approach but unproven at scale. Re-evaluate in 6–12 months when adoption data becomes available.

Independent dimensions

Mainstream potential

4/10

Technical importance

7/10

Adoption evidence

2/10

Risks
  • Adoption not verified at scale—star count is promotional signal, not proof of production deployment. May suffer from early-project hype/churn.
  • AGPL-3.0 license may deter enterprise and closed-source tool integrations; copyleft requirement could limit ecosystem reach.
  • Rule-set maintenance burden: 221 detection rules across 34 categories require ongoing refinement. False positives or false negatives could erode trust; no evidence of third-party rule vetting or threat-intelligence partnership.
  • Shell-hook model may conflict with existing security tools, container runtimes (Docker, Podman), or restricted environments. Bypass via `TIRITH=0` weakens security guarantees if not monitored.
  • Attack surface is homophone/visual-attack focus; does not defend against supply-chain compromise of the packages themselves (only command-line execution). Orthogonal to other supply-chain defenses.
Prediction

Likely to remain a specialized, high-adoption tool within security-conscious developer and AI-ops communities. Unlikely to reach 10,000+ stars or become dominant in any broader category. More probable trajectory: niche maturity (stability, rule refinement, ecosystem integrations) than exponential growth. Success measured by integration into AI agent frameworks and corporate security policies, not raw star count. AGPL license may limit enterprise adoption; permissive relicense could accelerate mainstream adoption.

0 found this helpful

Newsletter

Get analyses like this every Monday

Free weekly digest of the most interesting open-source discoveries.

Languages

Rust
96.8%
Shell
2%
PowerShell
0.4%
Python
0.4%
TypeScript
0.1%
Nushell
0.1%
HTML
0%
Nix
0%

Information

Language
Rust
License
AGPL-3.0
Last updated
1d ago
Created
5mo ago
Analyzed with
anthropic/claude-haiku-4-5

Stars over time

Loading…

Contributors over time

Top 100 contributors only — repos with more will plateau at 100.

Loading…

Similar repos

CyberStrikeus

CyberStrikeus/CyberStrike

CyberStrike is an open-source AI-powered offensive security agent that...

1.2k TypeScript Security
Eugeny

Eugeny/tabby

Tabby is a highly configurable, cross-platform terminal emulator that...

73.1k TypeScript Dev Tools
elder-plinius

elder-plinius/T3MP3ST

T3MP3ST is an autonomous multi-agent offensive security framework that...

4.2k TypeScript Security
tirrenotechnologies

tirrenotechnologies/tirreno

Tirreno is a self-hosted PHP/PostgreSQL security framework designed to detect...

1.5k PHP Security
crynta

crynta/terax-ai

Terax is a lightweight, open-source terminal-first development environment...

8.4k TypeScript Dev Tools
vs. alternatives
terax-ai (TypeScript, 7,500 stars)

Broader AI agent security surface (skills, configs, execution context). Tirith is terminal-focused; terax-ai appears to intercept at agent framework level. Different threat models; not direct replacements.

tirreno (PHP, 1,442 stars)

Smaller ecosystem. Tirith's Rust implementation and multi-language shell support position it differently; tirreno's domain/focus not clear from repo list.

Browser security (e.g., URL bar, CSP)

Tirith is terminal analogue—tackles same attack vectors (homograph, injection) but at shell/CLI layer. No overlap with deployed browser security; complementary problem space.

Supply chain scanners (e.g., Snyk, Dependabot)

Tirith intercepts *command execution*, not package dependencies. Covers different phase: pre-execution defense vs. post-install audit. Both can coexist.

Shell history/command auditing tools

Tirith is *preventive* (blocks before exec); audit tools are *post-incident* (logs after). Different security posture; Tirith is stricter.