Terminal Guardian Buy on Gumroad

Windows • PowerShell 7+

Enterprise Terminal Security

Terminal Guardian adds deterministic command governance to PowerShell 7+ sessions in regulated and high-risk Windows environments — giving teams auditable control over what runs, and why.

Why command governance matters in PowerShell environments

PowerShell is the primary administrative shell on Windows, and it runs with the user's full privileges. There is no built-in execution gate between typing a command and running it. In environments where audit evidence, change control, and incident forensics matter, that gap is real.

Terminal Guardian closes it with a per-command policy evaluation layer: every command is assessed before execution, every outcome is logged, and the evaluation is deterministic — the same command always produces the same result for a given policy configuration.

Compliance and audit value

  • Per-command audit trail

    Every evaluated command logged with outcome, matched policy rule, and actor context.

  • Secret redaction

    Tokens, credentials, and sensitive values are redacted from log output before storage.

  • Local log retention

    No data leaves the machine. Supports governance reviews, incident forensics, and internal audits.

  • Deterministic outcomes

    Policy evaluation is consistent — not probabilistic or ML-based. Reviewable and predictable.

Roadmap

SIEM template integration for forwarding audit events to external log platforms.

Policy standardization and change control

  • Portable JSON policy packs

    Policy files are human-readable JSON — versionable, diffable, and reviewable through normal code review workflows.

  • Consistent cross-machine behavior

    The same policy pack produces the same outcomes on every machine it is deployed to.

  • Policy as code

    Policy changes can follow the same review, approval, and deployment gates as software changes.

Roadmap

Tamper-evident SHA-256 policy manifests for change traceability and integrity verification at scale.

Rollout model: today vs roadmap

Available Today

  • Per-machine install via setup.cmd
  • Local JSON policy packs
  • Four deterministic policy outcomes
  • Local audit trail with secret redaction
  • tg-selftest integrity verification
  • No cloud dependency

Roadmap

  • GPO / Intune packaging for fleet deployment
  • Centralized policy distribution
  • Manifest integrity checks at scale
  • SIEM template integration

Scope Note

Terminal Guardian is a guardrail, not a vault.

It governs the PowerShell 7+ session it is loaded into. It is not:

  • Antivirus or EDR software
  • A replacement for backups or endpoint controls
  • A control plane for non-PowerShell shells or processes
  • A network or kernel-level security control
Full trust model and non-scope documentation →

AI-generated command risk

AI coding tools — Copilot, ChatGPT, and others — generate syntactically correct PowerShell that can include destructive patterns. A developer pasting an AI-generated script into a production shell has the same risk surface as any other unreviewed command.

Terminal Guardian evaluates every command regardless of origin — typed, scripted, or AI-generated. The policy layer doesn't distinguish between sources; it evaluates the command itself. Teams that permit or encourage AI-assisted scripting benefit from the same guardrail coverage they get for manually authored commands.

Related pages

Use Cases FAQ PowerShell Safety Guide Trust Model ← Homepage

Evaluate Terminal Guardian for your environment.

Current validated release: v2.3.0 • Windows • PowerShell 7+ only

Buy on Gumroad