diff --git a/home/hosts/work/default.nix b/home/hosts/work/default.nix
index 9407f0e..b8ab593 100644
--- a/home/hosts/work/default.nix
+++ b/home/hosts/work/default.nix
@@ -100,6 +100,7 @@ in
   comms.teams.enable = true;
   ai-tools = {
     claude-code.enable = true;
+    tirith.enable = true;
     opencode.enable = true;
   };
   database.mssql.enable = true;
diff --git a/home/modules/ai-tools/default.nix b/home/modules/ai-tools/default.nix
index ae741fc..973c4b7 100644
--- a/home/modules/ai-tools/default.nix
+++ b/home/modules/ai-tools/default.nix
@@ -11,6 +11,7 @@ in
 {
   options.ai-tools = {
     claude-code.enable = lib.mkEnableOption "claude code with rtk and ccline";
+    tirith.enable = lib.mkEnableOption "tirith shell security guard";
     opencode.enable = lib.mkEnableOption "opencode";
   };
 
@@ -70,6 +71,15 @@ in
         mcp-nixos
       ];
     })
+    (lib.mkIf cfg.tirith.enable {
+      home.packages = with pkgs; [
+        tirith
+      ];
+
+      programs.bash.initExtra = ''
+        eval "$(tirith init --shell bash)"
+      '';
+    })
     (lib.mkIf cfg.opencode.enable {
       home.packages = with pkgs; [
         opencode