Local-first command control

Give coding agents room to work.
Keep dangerous commands under control.

Termyte checks risky command text, applies local policy, records decisions, and remembers unsafe actions without putting a cloud service or LLM in the decision path.

stable / non-executing
$ termyte check "npm test"  ALLOW
$ termyte check "npm publish"  WARN
$ termyte check "cat .env"  BLOCK

selected: cat .env
matched policy: block secret access
risk: high / 60
executed: false

1,200 balanced benchmark actions
0 false-safe fixture results
100% local check decision path
MIT open-source license
3 limited agent runners

Benchmark results apply to the checked-in labeled fixture suite.

The autonomy bottleneck

Blind trust keeps capable agents on a short leash.

Termyte gives recognized risky actions deterministic decisions and local receipts, so teams can grant more room without pretending every command is safe.

Without a control layer

Review every step manually or discover a risky command after the damage.

With Termyte

Check command text, apply local policy, record the decision, then choose the next move.

One deterministic path

A decision you can inspect.

A command becomes a decision through explicit local signals. Stable checks never execute the command.

01 command
02 parse
03 resolve targets
04 risk + policy
05 memory
06 decision

Stable check: decision logged / executed: false
Limited runner: session prepared / interception not guaranteed

Decision explorer

The label is only useful when the reason is visible.

Explore verified examples from the packaged CLI. Every stable check shows the decision, risk, source, and non-executing result.

$ termyte check "npm test"  ALLOW
Reason
no risky pattern detected
Risk
low / 0
Policy source
no matched rule
Executed
false
Governance benchmark: 1,200 actions

Deterministic actions. Balanced by decision.

The stable non-executing check path currently classifies every checked-in fixture correctly.

Allow: 400
Warn: 400
Block: 400

               Pred. allow   Pred. warn   Pred. block
Actual allow   400           0            0
Actual warn    0             400          0
Actual block   0             0            400

This validates labeled fixtures, not complete command coverage, sandbox isolation, or guaranteed interception.

Policy as local code

Defaults immediately. YAML when you need control.

Built-in policy works without initialization. Global and local YAML add deterministic rules, with local policy taking priority.

deterministic policy preview
local > global > built-in

$ termyte policy local add \
  "Ask before touching auth or payments" --dry-run

rules:
  - name: "ask-auth-payment-changes"
    action: ask
    match:
      paths:
        - "src/auth/**"
        - "src/payments/**"
        - "src/billing/**"

Logs + memory

Local receipts that improve the next decision.

Filter warned and blocked checks. Mark exact command patterns safe or unsafe. Memory can strengthen a future check, but it never weakens a block.

.termyte/logs.jsonl
stable check
BLOCK cat .env
WARN  npm publish
ALLOW npm test

termyte mark-unsafe "npm publish"
future check

unsafe memory match recorded

Storage boundary

Stable check logs + memory: repo-local JSONL

Experimental runtime ledger: SQLite
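
An added sketch (not Termyte's own code) of the two rules stated above: policy layers resolve as local > global > built-in, and memory can strengthen a decision but never weakens a block. The rule shape, glob matching on command text, and what a safe or unsafe mark does to a decision are assumptions made for illustration.

```python
# Added sketch, not Termyte source. The rule shape, glob matching on command
# text, and the exact effect of memory marks are assumptions for illustration.
from fnmatch import fnmatch

LAYERS = ("local", "global", "built-in")  # priority order stated on the page

def policy_decision(command, policy):
    """Return (action, source) from the highest-priority layer with a match."""
    for layer in LAYERS:
        for rule in policy.get(layer, []):
            if fnmatch(command, rule["pattern"]):
                return rule["action"], f"{layer}: {rule['name']}"
    return "allow", "no matched rule"

def apply_memory(action, command, memory):
    """Memory may strengthen a decision; it never weakens a block."""
    mark = memory.get(command)  # exact command text only
    if mark == "unsafe":
        return "block"  # assumption: an unsafe mark escalates to block
    if mark == "safe" and action == "warn":
        return "allow"  # assumption: a safe mark may relax a warn only
    return action       # a block stays a block whatever memory says

def check(command, policy, memory):
    """Decide from text alone; nothing is executed, and the receipt says so."""
    action, source = policy_decision(command, policy)
    final = apply_memory(action, command, memory)
    return {"command": command, "decision": final.upper(),
            "policy_source": source, "memory_applied": final != action,
            "executed": False}

# Constructed sample policy and memory (not Termyte's built-in rules).
POLICY = {
    "built-in": [
        {"name": "block secret access", "pattern": "cat .env*", "action": "block"},
        {"name": "warn on publish", "pattern": "npm publish*", "action": "warn"},
    ],
    "local": [
        {"name": "block publish here", "pattern": "npm publish*", "action": "block"},
    ],
}
MEMORY = {"cat .env": "safe", "git push": "unsafe"}

if __name__ == "__main__":
    for cmd in ("npm test", "npm publish", "cat .env", "git push"):
        print(check(cmd, POLICY, MEMORY))
```
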

Agent runner

Prepare the session. Be honest about the boundary.

Termyte launches Codex, Claude Code, and Aider after checking local readiness. Runtime mode remains limited and full subprocess interception is not guaranteed.

TERMYTE / AGENT SESSION
runtime mode: limited
repo: ./product
agent: codex
session: tym_84f2c
policy: built-in + global + local
logs / memory: ready / ready

termyte run codex
termyte run claude
termyte run aider

Local-first architecture

The critical check path stays on your machine.

Command text, policy, stable logs, and explicit user memory remain local. No cloud service or LLM is required to reach a decision.

YOUR MACHINE
Termyte check
command text
YAML policy
JSONL logs
JSONL memory

Threat model

Useful because the boundary is explicit.

Termyte reduces recognized accidental damage. It does not make agents safe.

Designed to reduce

Accidental destructive commands, secret access, force pushes, publishing mistakes, destructive SQL, and repeated unsafe actions.

Outside the boundary

Bypasses, malware, root attackers, all obfuscation, direct API calls outside monitored surfaces, and sandbox isolation.