Skip to main content

Recognized actions

Termyte uses deterministic recognition. The following action families receive specific semantic IDs and risk behavior.

Filesystem deletes

Recognized commands include rm, PowerShell Remove-Item, and del. Representative semantic IDs:
  • filesystem.delete.file
  • filesystem.delete.wildcard
  • filesystem.delete.recursive.force
  • filesystem.delete.recursive.force.wildcard
Termyte inspects recursion, force flags, wildcards, workspace boundaries, target count, sensitive paths, protected paths, and recoverability.

Git

Recognized behavior includes:
  • normal and force push;
  • hard reset;
  • forced clean and checkout;
  • forced branch deletion;
  • tag deletion;
  • stash drop;
  • interactive rebase;
  • reflog expiration.
Representative IDs:
  • git.push
  • git.push.force
  • git.reset.hard
  • git.clean.force
  • git.checkout.force
  • git.branch.delete.force

Package publishing

Recognized package managers:
  • npm
  • pnpm
  • Yarn
Representative ID: package.npm.publish.

Secrets and remote execution

Recognized families:
  • secret.access
  • remote-script.execute
  • privilege.escalation
Recognition uses known command and text patterns. It is not a general secret or malware scanner.

Docker and deployment

Recognized families include destructive Docker cleanup and common deployment or infrastructure mutations. Representative IDs:
  • docker.system.prune
  • docker.destructive
  • deploy.mutation

SQL

Recognized destructive SQL:
  • sql.drop-table
  • sql.truncate-table
  • sql.delete-without-where
  • sql.delete-with-where

Generic fallback

Unrecognized command forms become: 
shell.generic
Generic fallback has an allowed baseline unless policy matches it.
Recognition is intentionally deterministic and incomplete. Obfuscated, unsupported, or novel command forms may not receive the intended semantic classification.