Windows • PowerShell 7+
Terminal Guardian FAQ
Practical answers for developers, IT admins, and evaluators. If you have a question not covered here, reach out at [email protected].
What does Terminal Guardian protect against?
Destructive and high-risk PowerShell command execution in protected sessions. Every command is evaluated against the active policy pack before it runs. Depending on the rule matched, the outcome is one of four deterministic results: allow, warn, challenge, or block.
What does it NOT protect against?
Terminal Guardian is a guardrail, not a vault. It governs the PowerShell 7+ session it is loaded into. It does not protect:
- Non-PowerShell shells (cmd.exe, bash, WSL)
- Processes that don't pass through the guarded session
- Privilege escalation outside of PowerShell
- Malware already running as your user
- Antivirus, EDR, or endpoint detection functions
It is not a replacement for backups, endpoint controls, or a change-review process.
Does it work on Windows PowerShell 5.1?
No. Terminal Guardian requires PowerShell 7+ (pwsh). Windows PowerShell 5.1 is not supported. If you don't have PowerShell 7 installed, you can add it with:
winget install --id Microsoft.PowerShell -s winget
Does it work on Linux or macOS?
No. Terminal Guardian is Windows only. Current production scope is Windows + PowerShell 7+. There is no Linux or macOS version.
Does it require cloud access or an internet connection?
No. Terminal Guardian operates entirely on your local machine. Policy evaluation is local. There is no telemetry, no cloud calls, and no subscription service required to use it after purchase. Your policy and your command data stay on your machine.
How does it behave when a risky command is detected?
Evaluation is deterministic: the same command always produces the same outcome for a given policy configuration. The four possible outcomes are:
- allow: Command clears policy. Execution proceeds normally.
- warn: Elevated risk flagged. Execution continues with a visible warning logged.
- challenge: Confirmation required before execution. Outcome is logged.
- block: Command halted. Policy rule name and actor written to audit trail.
How are policy outcomes logged?
Every evaluated command is written to a local audit trail that includes the outcome, the matched policy rule name, and actor context. Secrets — tokens, credentials, and sensitive values — are redacted from log output before storage. The log stays on your machine; no data is sent externally.
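The evaluate-then-log flow described in the two answers above, as an added PowerShell 7 example that is not Terminal Guardian's own code. The policy schema, rule names, redaction pattern, and sample commands are constructed for illustration, and the strictest-match tie-break is an assumption.

```powershell
# Hypothetical policy pack: this schema is an assumption, not Terminal Guardian's format.
$policy = @'
{ "rules": [
  { "name": "recursive-force-delete", "pattern": "\\bRemove-Item\\b.*-Recurse.*-Force", "outcome": "block" },
  { "name": "disk-format", "pattern": "\\bFormat-Volume\\b", "outcome": "challenge" },
  { "name": "service-stop", "pattern": "\\bStop-Service\\b", "outcome": "warn" }
] }
'@ | ConvertFrom-Json

# Strictest outcome wins when several rules match, so rule order cannot change the result.
$rank = @{ allow = 0; warn = 1; challenge = 2; block = 3 }

function Get-PolicyDecision {
    param([string]$Command, $Policy)
    $hit = $Policy.rules | Where-Object { $Command -match $_.pattern } |
        Sort-Object -Property @{ Expression = { $rank[$_.outcome] }; Descending = $true },
                              @{ Expression = 'name' } |
        Select-Object -First 1
    if ($hit) { [pscustomobject]@{ outcome = $hit.outcome; rule = $hit.name } }
    else      { [pscustomobject]@{ outcome = 'allow'; rule = $null } }
}

function Protect-LogText {
    param([string]$Text)
    # Mask the value after secret-bearing parameters (-Token x) or key=value pairs (token=x).
    $Text -replace '(?i)(-(?:Password|Token|ApiKey|Secret)\s+|(?:password|token|apikey|secret)\s*=\s*)(\S+)', '$1[REDACTED]'
}

function New-AuditRecord {
    param([string]$Command, $Policy)
    $decision = Get-PolicyDecision -Command $Command -Policy $Policy
    [ordered]@{
        timestamp = (Get-Date).ToUniversalTime().ToString('o')
        actor     = [Environment]::UserName
        outcome   = $decision.outcome
        rule      = $decision.rule
        command   = Protect-LogText $Command   # redact before the record is stored
    } | ConvertTo-Json -Compress
}

# Constructed sample commands; they are only evaluated as text, never executed.
$samples = @(
    'Get-ChildItem C:\Temp',
    'Stop-Service Spooler; Remove-Item C:\Build -Recurse -Force',
    'Invoke-RestMethod https://example.invalid/api -Token abc123'
)
$samples | ForEach-Object { New-AuditRecord -Command $_ -Policy $policy }
```

The second sample matches both the warn and the block rule and is recorded as block; the third is allowed, with the token value masked in the stored record.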
Can teams standardize policy behavior across machines?
Yes. Policy packs are JSON-based and portable. Teams can version-control their policy files and apply the same configuration across individual machines. The same policy pack produces the same outcomes everywhere it is deployed.
Centralized policy distribution with tamper-evident SHA-256 manifests for fleet-scale change traceability.
Can it help with AI-generated PowerShell commands?
Yes. AI coding tools — Copilot, ChatGPT, and others — produce syntactically valid PowerShell that can include destructive patterns. Terminal Guardian evaluates every command before execution, regardless of how it was produced. AI-generated commands get the same guardrail treatment as anything you type manually. The policy doesn't know or care where the command came from.
How do I verify installation after setup?
Open a new pwsh window after running setup.cmd and run:
Verify all checks pass
tg-selftest
Confirm active version
tg --version
All checks passing from tg-selftest confirms correct installation and policy load.
Have a question not listed here?
Contact us at [email protected] or review the Trust Model for scope details.