Terminal Guardian is a lightweight PowerShell module that intercepts high-risk commands using AST analysis, configurable rules, and an audit trail—so accidents stay hypothetical.
Terminal Guardian hooks into your PowerShell profile and evaluates every command before the shell runs it.
Each command is parsed into a PowerShell Abstract Syntax Tree, giving Terminal Guardian a structured understanding of the command’s intent—not just pattern matching on strings.
The parsed command is checked against a configurable rule set. Rules can block, warn, or allow specific commands and patterns. You control the policy.
Blocked commands are stopped with a clear message. Warnings prompt for confirmation. Every action—including forced bypasses—is written to an audit log with secrets redacted.
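The parse-then-check flow described above, as an added example that is not Terminal Guardian's own code: it covers one narrowed case (recursive delete of a drive root) and compares the AST result with a naive regex on constructed inputs. The function name `Test-RootDelete`, the alias list, and the regex are assumptions; only the rule name `destructive-delete-root` comes from the page.

```powershell
# Added illustration, not Terminal Guardian's code. Test-RootDelete is hypothetical.
function Test-RootDelete {
    param([Parameter(Mandatory)][string]$CommandLine)

    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $CommandLine, [ref]$tokens, [ref]$errors)

    # Collect every command invocation in the tree, including nested ones.
    $commands = $ast.FindAll({ param($node)
            $node -is [System.Management.Automation.Language.CommandAst] }, $true)

    foreach ($cmd in $commands) {
        # Assumed alias list; a real rule set would resolve aliases itself.
        if ($cmd.GetCommandName() -notin 'Remove-Item', 'rm', 'del', 'rd', 'ri') { continue }

        $elements = @($cmd.CommandElements | Select-Object -Skip 1)

        # -Recurse may be abbreviated (-r, -rec), so compare by prefix.
        $recurse = $elements | Where-Object {
            $_ -is [System.Management.Automation.Language.CommandParameterAst] -and
            'Recurse'.StartsWith($_.ParameterName, [StringComparison]::OrdinalIgnoreCase) }

        # Bare-word or quoted arguments that name only a drive root (C:\, D:/).
        # Narrowed case: variables and -Path:value forms are not resolved here.
        $roots = $elements | Where-Object {
            $_ -is [System.Management.Automation.Language.StringConstantExpressionAst] -and
            $_.Value -match '^[A-Za-z]:[\\/]+$' }

        if ($recurse -and $roots) {
            return [pscustomobject]@{ Action = 'Block'; Rule = 'destructive-delete-root' }
        }
    }
    [pscustomobject]@{ Action = 'Allow'; Rule = $null }
}

# Constructed sample inputs.
$samples = @(
    'Remove-Item -Recurse -Force C:\',
    'rm -r "D:\"',
    'Write-Host "Never run Remove-Item -Recurse -Force C:\ on a server"',
    'Remove-Item -Recurse C:\build\tmp'
)
foreach ($s in $samples) {
    [pscustomobject]@{
        Command    = $s
        RegexMatch = $s -match 'Remove-Item.*-Recurse.*C:\\'
        AstAction  = (Test-RootDelete $s).Action
    }
}
```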
Built for developers and small teams who want a safety net without changing their workflow.
Commands are parsed into an Abstract Syntax Tree for structural understanding, reducing false positives compared to regex-only approaches.
Ships with sensible defaults for destructive deletes, disk operations, and risky patterns. Add, modify, or remove rules to fit your environment.
Every block, warning, and forced bypass is logged with timestamps. Secrets and credentials are automatically redacted before they reach the log file.
Installs as a standard PowerShell module via your profile. No shell replacement, no elevated permissions required for daily use.
When you genuinely need to run a blocked command, append --TG-Force. The bypass is logged for accountability, so there’s always a record.
Passwords, API keys, PEM blocks, and other sensitive values are automatically replaced with [REDACTED] in all log output.
See what happens when Terminal Guardian is active.
# Accidentally wipe a drive root
Remove-Item -Recurse -Force C:\
... files are gone. No undo.

# Same command, safety net active
Remove-Item -Recurse -Force C:\
⚠ BLOCKED by Terminal Guardian
Rule: destructive-delete-root
Use --TG-Force to override (logged).
Nothing was deleted. Crisis averted.
The following are illustrative examples, not real customer quotes.
“I fat-fingered a recursive delete on our build server. Terminal Guardian caught it before anything happened. It paid for itself on day one.” — Example: DevOps Engineer at a mid-size SaaS company
“We rolled it out to our junior devs as a guardrail. The audit log alone saves us during incident reviews.” — Example: Team Lead, 12-person engineering team
“Simple to install, zero friction in daily use. It only speaks up when something is actually risky.” — Example: Full-stack developer, freelance
Quick answers to common questions about Terminal Guardian.
Not currently. Terminal Guardian v1 is designed for Windows PowerShell (5.1+). It does not support macOS, Linux, cmd.exe, or WSL shells.
Terminal Guardian adds a small amount of processing time per command for AST parsing and rule evaluation. In typical use the overhead is not noticeable, though results may vary depending on your system and rule set size.
Yes. Rules are defined in a JSON file that ships with sensible defaults. You can add, modify, or remove rules to match your team’s needs and environment.
No. Terminal Guardian only evaluates commands in the local PowerShell session where the profile hook is installed. Commands inside SSH or other remote shells are not intercepted.
Append --TG-Force to the command. The override and the full (redacted) command are recorded in the audit log for accountability.
Terminal Guardian redacts passwords, API keys, PEM blocks, and other recognized secret patterns before writing to the log. However, no redaction system is exhaustive—avoid passing secrets directly on the command line when possible.
No safety tool is perfect. Terminal Guardian reduces risk but cannot guarantee prevention of all harmful commands. It does not replace backups, proper access controls, or careful judgment. You are ultimately responsible for the commands you run. Always test in a non-production environment first.