Terminal Guardian
Buy on Gumroad
Windows • PowerShell 7+

Terminal
Guardian

Deterministic Guardrails for PowerShell 7+ on Windows.

Every command evaluated against policy before execution. Block destructive operations. Audit what ran. Stay local-first.

Current validated release: v2.3.0
Buy on Gumroad Download Current ZIP
See Proof of Integrity →
PowerShell 7+ — Terminal Guardian active
PS C:\Projects> Import-Module TerminalGuardian
PS C:\Projects> Get-ChildItem C:\Services\*
ALLOW risk: low • policy: default-safe
PS C:\Projects> Remove-Item C:\Prod\* -Recurse -Force
BLOCK destructive-delete-guardrail triggered
PS C:\Projects> tg --version
TerminalGuardian 2.3.0
PS C:\Projects> tg-selftest
All checks passed ✓
Windows only | PowerShell 7+ (pwsh) required | Local-first — no cloud dependency | Delivered via Gumroad

Deterministic Policy Engine

Every command is evaluated against policy before execution. No cloud calls, no ML guesswork — consistent outcomes every time.

Auditable Command Trail

Every evaluated command is logged with outcome and policy context. Secrets are redacted. Full trail for governance and incident forensics.

Local-First

Runs entirely on your machine. No external service, no telemetry, no subscription. Your policy, your environment, your control.

Four Policy Outcomes

Terminal Guardian evaluates every command and returns one of four deterministic outcomes based on your active policy pack.

ALLOW

Command clears policy. Execution proceeds normally.

WARN

Elevated risk flagged. Execution continues with a visible warning logged.

CHALLENGE

Confirmation required before execution. Logged with outcome.

BLOCK

Command halted. Policy rule name and actor logged to audit trail.

Policy + Audit in One View

Active policy packs define what gets blocked, challenged, or allowed. Every event — with redacted secrets — is captured in a searchable audit trail.

  • SHA-256 policy manifest integrity verification
  • Secret redaction on all log output
  • Destructive command guardrails active by default
  • Dry-run mode to preview policy outcome before execution
Policy + Audit Overview

Policy Pack

– destructive-delete-guardrail
– diskwipe-protection
– prod-database-guard
– challenge-threshold-high

✓ SHA-256 policy manifest active

Recent Audit Events

BLOCK  Remove-Item -Recurse -Force C:\Prod\*
Policy: destructive-delete-guardrail • Actor: build-agent-04
Redaction: token=[REDACTED]  key=[REDACTED]
CHALLENGE  Set-ItemProperty HKLM:\...
Outcome: confirm-once accepted • Session: 03f0a8
ALLOW  Get-ChildItem C:\Services\*
Risk score: low • Policy branch: default-safe

Compliance Summary

– Full event trail retained

– Secret redaction enabled for all logs

– Policy enforcement mode: strict

Install

Download from Gumroad, run one command, done.

  1. 1

    Download the ZIP from Gumroad.

    Public customer download. No GitHub release link required.

  2. 2

    Extract the ZIP.

  3. 3

    Run setup.cmd.

    Then close all PowerShell windows.

  4. 4

    Open a new pwsh window and run:

    tg-selftest

    All checks passing confirms a clean install.

Requirements

Windows PowerShell 7+ (pwsh) Windows PowerShell 5.1 — not supported

Scope Note

Terminal Guardian is a guardrail, not a vault.

It governs the PowerShell workflow it is loaded into. It is not antivirus, EDR, or a replacement for backups, endpoint controls, or change review. It does not protect other shells, WSL, or non-PowerShell processes.

Full trust model and non-scope →

Ready to add guardrails to your workflow?

Available now on Gumroad. Download, run tg-selftest, and you're protected.

Buy on Gumroad Trust Model

Current validated release: v2.3.0 • Windows • PowerShell 7+ only