
chore(deps): update dependency sheeki03/tirith to v0.3.1#265

Merged
donbeave merged 1 commit into main from renovate/sheeki03-tirith-0.x on May 9, 2026

Conversation

@donbeave donbeave (Member) commented May 9, 2026

This PR contains the following updates:

Package            Update   Change
sheeki03/tirith    minor    0.2.12 → 0.3.1

Release Notes

sheeki03/tirith (sheeki03/tirith)

v0.3.1


Fixed
  • AWS access-key false positive in S3 pre-signed URLs and SigV4 Authorization headers (#101) — the credential rule no longer flags AKIA… matches that sit inside the X-Amz-Credential value of a parseable URL whose query also has X-Amz-Algorithm=AWS4-HMAC-SHA256 and a non-empty X-Amz-Signature, or inside the Credential= field of an Authorization: AWS4-HMAC-SHA256 …, Signature=… header. The carve-out is anchored to absolute byte spans of the actual SigV4 fields — a stray AKIA… elsewhere in the same URL/headers/body still fires. Bare access keys, Authorization: Bearer AKIA… without SigV4 markers, and URLs missing any SigV4 marker continue to flag. New tests cover each shape and each adversarial bypass we considered.
  • tirith setup codex against current Codex CLI versions — recognises the new Error: No MCP server named 'X' found. stderr message instead of treating it as an unexpected failure, and accepts both the legacy top-level command/args JSON shape and the current nested transport.command/args shape returned by codex mcp get --json. Drift detection still works against either shape.
  • Non-interactive zsh -lc ... no longer blocked by stale .zshenv guard — the guard now bakes a stable absolute path to the tirith binary at install time (resolved via PATH lookup with symlink canonicalisation, falling back to current_exe() when the PATH entry is a #! wrapper script for npm/pnpm). Previously the guard relied on the bare name tirith being on PATH, which fails before .zshrc/.zprofile populate PATH. The path is shell-quoted so spaces and apostrophes round-trip safely.
  • npm shadow false positive on tirith doctor / tirith init (#105) — Unix install via npm no longer warns that the node_modules/tirith/bin/tirith JS wrapper shadows the native binary. resolve_effective_tirith_target now detects the npm wrapper layout (after canonicalising the PATH entry through any symlinks), looks up the matching @sheeki03/tirith-{platform}-{arch}/bin/tirith sibling using the same OS+arch mapping the wrapper itself uses, and treats both paths as the same install. Unrelated tirith binaries on PATH (the documented PyPI collision case) still warn.
  • Windows path-shadow false positive on Scoop installs — tirith doctor/tirith init no longer warn that the Scoop shim at ~\scoop\shims\tirith.exe shadows the real binary; the shim is resolved through its .shim sidecar to the real path before the equality check.
  • Installer verify_sha256 portability — scripts/install.sh now probes whether sha256sum -c reads from stdin and falls back to shasum -a 256 -c when not (some BSDs, busybox). Regression harness added.
Security
  • rand bumped to 0.9.3 (RUSTSEC-2026-0097).
  • rustls-webpki bumped to a version unaffected by upstream advisories.
Docs
  • README: expanded threat intel attribution table; added incident summary; added Nixpkgs install line.
Internal
  • Daily threat-DB manifest direct-pushes to main instead of opening auto-merge PRs that silently no-op'd when no required checks were present, accumulating an unmerged backlog.
  • Scoop helper code moved under #[cfg(windows)] to silence a clippy warning surfaced by recent toolchain versions.
  • _tirith_output in the bash, fish, and zsh hooks now forwards all arguments instead of only $1 / $argv[1]. No call site passes more than one argument today, but the previous form was a footgun for any future refactor that splits a multi-line message across positional arguments.

v0.3.0


Added
  • Bash preexec enforcement (opt-in) — set TIRITH_BASH_PREEXEC_ENFORCE=1 to get real blocking in bash preexec mode via shopt -s extdebug plus return 1 from the DEBUG trap. Whole-line fail-closed semantics; one block verdict skips the entire typed line. Install-time hostile-history check refuses to engage in shells where HISTCONTROL contains ignorespace/ignoredups/ignoreboth, any HISTIGNORE is set, or history is disabled. Runtime drift detection with cache-then-degrade downgrades the session to warn-only rather than claim protection it cannot deliver. Idempotent DEBUG trap trampoline chains through any pre-existing user DEBUG trap. Closes the "tirith says BLOCKED but the command executes" gap in #77.
  • tirith doctor live state — bash hook now exports TIRITH_BASH_EFFECTIVE_MODE and TIRITH_BASH_EFFECTIVE_PROTECTION (interactive shells only) so doctor, a child process, can read the parent shell's live state. Doctor splits requested-vs-effective onto separate lines so mid-session degrades are legible.
  • First-use preexec banner — on the first command it intercepts, bash preexec prints a one-line reminder that warn-only mode does not block, with a pointer at enter mode.
  • Threat intelligence database (Phases A/B/C) — tirith threatdb subcommand, threat DB compiler binary with CI workflow, signed cache format, detection rules keyed on known-bad hostnames/IPs/packages/typosquats, supplemental feed overlay with Phase B feed parsers and rule mapping, Phase C runtime API enrichment wired into check and daemon paths, auto-update and staleness reporting in doctor.
  • Per-session warning accumulator with a new tirith warnings CLI command and shell exit summaries across all hooks.
  • Escalation engine with cooldown and post-process verdicts, integrated into the engine, audit log, MCP gateway, check, and daemon paths.
  • Strict warn mode with a new WarnAck exit code 3.
  • Daemon mode with network-aware URL checks; Windows parity for network and setup features.
  • tirith policy init, validate, test subcommands; tirith explain --rule for rule documentation.
  • tirith doctor --fix for progressive remediation, plus --reset-bash-safe-mode flag.
  • tirith setup gains copilot-cli (#74) and kiro (#75); scanner recognises .kiro/, .amazonq/cli-agents/, and .github/hooks/ as config paths.
  • --include, --exclude, --profile scan filters.
  • GitHub Action, pre-commit hook, and SARIF enrichment for CI integration.
  • Text confusable detection (math alphanumerics, same-word mixed-script) plus expanded terminal/config rules.
  • Detection gap analysis surfaced in tirith doctor.
  • Warn-only rendering for preexec mode (#77) — preexec verdicts now render "DETECTED (shell hook cannot block in preexec mode...)" instead of the misleading "BLOCKED" banner.
  • SKILL.md for AI agent discovery.
  • CLI UX: error suggestions, color module, confirm helper, normalised output flags, help examples on every subcommand.
  • Tokenizer span tracking (trimmed byte range per segment) to support tighter carveouts without string scanning.
  • aarch64-unknown-linux-musl target in the release pipeline.
Fixed
  • Restore TIRITH=0 pipe bypass without weakening paste safety (#78).
  • Scp/rsync remote-spec parser replaced so host:/path no longer trips URL-host false positives (#26).
  • Carve out tirith inspection args so the scanner doesn't match its own prompt text (#29).
  • Wrapped commands (sudo, env, doas, command, time, nohup prefixes) now resolve through resolve_wrapped_command in the network_deny path so prefix chains cannot bypass policy.
  • codefile byte slicing clamps to UTF-8 char boundaries to avoid a panic on non-ASCII code (#76).
  • Approval and warn-ack temp files are cleaned up on all paths to stop /tmp leaks (#80).
  • Close mid-session HISTCONTROL bypass; preexec cache key corrected so drift-triggering pipelines do not leak composite rules.
  • Warn-only dedupe scoped to a single typed line so long pipelines no longer suppress later DETECTED banners.
  • Windows CI: Finding import, daemon/setup module compilation, XDG audit spool test gated to Unix, Gemini path assertion gated to Unix.
  • Platform-specific snapshot tests replaced with cross-platform assertions.
  • Early signing-key check in the threat DB workflow.
  • Linux bash preexec tests made deterministic; CI caps hung test job runtime.
Changed
  • Stacked CI runs on the same ref are now cancelled; fuzz/target and Cargo.lock ignored in CI path filters.
  • Documentation across README and docs/troubleshooting.md updated for the new enforcement matrix, threat-intel features, escalation, hidden findings, --format flag canonicalisation, and new MCP client setup guides (Gemini CLI, OpenClaw, Pi CLI).

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate.

Signed-off-by: Renovate Bot <renovate@whitesourcesoftware.com>
@donbeave donbeave merged commit 7000984 into main May 9, 2026
18 checks passed
@donbeave donbeave deleted the renovate/sheeki03-tirith-0.x branch May 9, 2026 09:56
donbeave added a commit that referenced this pull request May 18, 2026
Bump `TIRITH_VERSION` from 0.2.12 to 0.3.1 in `docker/construct/versions.env`. Upstream 0.3.1 fixes an AWS access-key false-positive in S3 pre-signed URLs and SigV4 Authorization headers — the credential rule no longer flags `AKIA…` matches that sit inside actual SigV4 fields with non-empty signatures, while bare access keys and non-SigV4 contexts continue to fire.

This is the first Renovate-driven update produced by the customManagers added in #256, so it also doubles as a smoke test of that automation.

Signed-off-by: Renovate Bot <renovate@whitesourcesoftware.com>
Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com>
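The SigV4 carve-out described in the v0.3.1 release note and in the commit message above, modelled as an added Python example; this is not tirith's own (Rust) implementation, and the regexes, the AWS documentation placeholder key and the sample URL and header are constructed for illustration. It goes slightly beyond the note by running the same span check over pre-signed URLs and Authorization headers in one pass.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed model of the rule, not tirith's code: an AKIA... detector whose
# SigV4 carve-out is anchored to the span of the actual credential field.
AKIA_RE = re.compile(r"AKIA[A-Z0-9]{16}")
URL_RE = re.compile(r"https?://\S+")
AUTH_RE = re.compile(r"Authorization:\s*AWS4-HMAC-SHA256\s+(?P<params>[^\n]*)")
CRED_QUERY_RE = re.compile(r"[?&]X-Amz-Credential=([^&#]*)")
CRED_HDR_RE = re.compile(r"Credential=([^,\s]*)")
SIG_HDR_RE = re.compile(r"Signature=([^,\s]+)")  # header signature must be non-empty

def sigv4_carveouts(text: str) -> list[tuple[int, int]]:
    """Absolute [start, end) spans of SigV4 credential fields in `text`.
    Only the credential value is carved out, so an AKIA... elsewhere in the
    same URL, header line or body is still reported."""
    spans = []
    for m in URL_RE.finditer(text):
        url = m.group(0)
        query = parse_qs(urlsplit(url).query, keep_blank_values=True)
        # A parseable URL qualifies only when its query also carries the
        # algorithm marker and a non-empty X-Amz-Signature.
        if query.get("X-Amz-Algorithm") != ["AWS4-HMAC-SHA256"]:
            continue
        if not any(query.get("X-Amz-Signature", [""])):
            continue
        cred = CRED_QUERY_RE.search(url)
        if cred:
            spans.append((m.start() + cred.start(1), m.start() + cred.end(1)))
    for m in AUTH_RE.finditer(text):
        params, base = m.group("params"), m.start("params")
        cred, sig = CRED_HDR_RE.search(params), SIG_HDR_RE.search(params)
        if cred and sig:
            spans.append((base + cred.start(1), base + cred.end(1)))
    return spans

def find_access_keys(text: str) -> list[str]:
    """Return AKIA... matches that are not fully inside a SigV4 credential span."""
    carve = sigv4_carveouts(text)
    return [m.group(0) for m in AKIA_RE.finditer(text)
            if not any(s <= m.start() and m.end() <= e for s, e in carve)]

# Constructed samples; the key is the public AWS documentation placeholder.
PRESIGNED_URL = ("https://b.s3.amazonaws.com/o?X-Amz-Algorithm=AWS4-HMAC-SHA256"
                 "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20260509%2Fus-east-1%2Fs3%2Faws4_request"
                 "&X-Amz-Signature=abc123")
SIGV4_HEADER = ("Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20260509/"
                "us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=deadbeef")
```

Offsets here are Python string indices rather than byte spans, which coincide for the ASCII inputs a URL or header contains.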