Terminal Guardian Buy on Gumroad

Windows • PowerShell 7+

PowerShell Safety Guide

Terminal Guardian adds deterministic runtime guardrails to PowerShell 7+ workflows on Windows — evaluating commands against policy before execution so risky operations get blocked, challenged, or logged instead of running silently.

Why PowerShell safety matters

PowerShell is the most capable shell on Windows, and that reach is the risk. A single mistyped path in a recursive delete, a pipeline run in the wrong session, or a stale script pointed at prod instead of dev can cause irreversible damage before anyone notices.

Profile-based protection is insufficient on its own — profiles can be bypassed, skipped with -NoProfile, or simply absent in automation contexts. Terminal Guardian operates as a command-interception layer, not a startup hook.

Common high-risk patterns

  • Destructive recursive deletes

    Remove-Item -Recurse -Force against a wrong path or broad wildcard.

  • Registry and system configuration writes

    Set-ItemProperty targeting HKLM:\ in automated scripts or ad-hoc sessions.

  • Unreviewed automation scripts

    CI pipelines or scheduled tasks running high-privilege PowerShell without per-command audit.

  • Secrets in command history

    Tokens and credentials passed inline to commands and logged without redaction.

What Terminal Guardian checks

Every command entered in a Terminal Guardian-protected session is evaluated against the active policy pack before execution. The evaluation is deterministic: the same command always produces the same outcome for a given policy configuration.

Allow

Command clears policy — execution proceeds.

Warn

Elevated risk — execution continues with a logged warning.

Challenge

Confirmation required before execution. Outcome is logged.

Block

Command halted. Rule name and actor written to audit trail.

Recommended operator habits

  1. 1

    Verify after every install or update

    tg-selftest
  2. 2

    Confirm the active version

    tg --version
  3. 3

    Keep the policy pack under version control

    Treat policy changes as code changes — review before deployment.

  4. 4

    Never disable guardrails to unblock a stuck task

    If a block feels wrong, investigate the policy rule — don't bypass the layer.

Related pages

Use Cases Enterprise Security FAQ Trust Model ← Homepage

Ready to add guardrails to your PowerShell workflow?

Current validated release: v2.3.0 • Windows • PowerShell 7+ only

Buy on Gumroad