Privacy & Security

Local Redaction, Global Safety

Termyte v0.1 introduces a high-integrity privacy layer that ensures your sensitive data never leaves your environment, even while leveraging the power of the Termyte Cloud.
  • Automatic Sanitization: The Termyte MCP Bridge includes a robust redaction engine that scans every tool call for secrets (AWS keys, Stripe tokens, GitHub credentials, etc.) before transmission.
  • Payload Hashing: We primarily store deterministic hashes and normalized trajectories, not raw code or data.
  • Zero-Persistence Local Buffer: Any data stored locally is temporary and only exists to ensure resilience during network outages.

The Termyte Ledger

The Audit Ledger is hosted in the Termyte Cloud to enable institutional memory sharing, but it is built on a “Need-to-Know” basis.
  1. Redacted Entries: Only sanitized trajectories are recorded.
  2. Encrypted Transport: All communication between your local bridge and the Cloud Runtime is encrypted via TLS/HTTPS.
  3. Strict Isolation: Your organization’s causal memory is strictly isolated from others, ensuring your proprietary workflows remain yours.

Transparency & Auditability

You can audit exactly what Termyte is doing at any time:
  1. Local Logs: Run npx termyte log to see a real-time audit trail of every governance decision and execution outcome.
  2. Terminal Dashboard: Termyte provides a clean, ASCII-based dashboard for developers who live in the terminal.
  3. Real-time Summary: The MCP bridge outputs a summary of every interception and redaction event to its standard error stream.

Security Controls

  • Device ID Authentication: Secure association between your local environment and the Cloud Runtime via TERMYTE_DEVICE_ID.
  • Fail-Closed Governance: If the cloud is unreachable, Termyte defaults to a safe state, ensuring no ungoverned actions are taken on sensitive commands.
  • Sandboxed Execution: Every command is executed via a secure execFile sandbox that prevents shell-expansion vulnerabilities.
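The difference the Sandboxed Execution item relies on, as an added example that is not Termyte's own code: the same untrusted argument is run once through a shell command string and once through Node's execFile-style argument vector. The sample argument, the function names and the use of Node itself as the child program are assumptions made for the demonstration, and the shell case assumes a POSIX shell.

```javascript
// Added example (not Termyte code): shell command string vs. execFile argument vector.
const { execSync, execFileSync } = require('node:child_process');

// Constructed sample: an argument carrying a shell metacharacter (";").
const UNTRUSTED_ARG = 'notes.txt; echo INJECTED';

// Child program for the demo: Node itself, printing the first argument it received.
const NODE = process.execPath;
const PRINT_ARGV1 = 'process.argv[1]';

// Shell pattern: the whole command is one string interpreted by the shell,
// so ";" ends the first command and the remainder runs as a second command.
function runThroughShell(arg) {
  const out = execSync(`"${NODE}" -p "${PRINT_ARGV1}" ${arg}`, { encoding: 'utf8' });
  return out.trim().split(/\r?\n/);
}

// execFile pattern: no shell is spawned; each array element reaches the child
// as exactly one argv entry, metacharacters included.
function runWithExecFile(arg) {
  const out = execFileSync(NODE, ['-p', PRINT_ARGV1, arg], { encoding: 'utf8' });
  return out.trim().split(/\r?\n/);
}

// Run both patterns on the same input and return what each child process printed.
function demo() {
  return {
    shell: runThroughShell(UNTRUSTED_ARG),
    execFile: runWithExecFile(UNTRUSTED_ARG),
  };
}

console.log(demo());
```

execFile removes shell interpretation only: the program it launches still runs with the caller's privileges, and that program still parses whatever arguments it is handed.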