Check commands without executing them

termyte check is the recommended first workflow. It evaluates command text, applies policy and memory, writes a local decision event, and never runs the command.
termyte check "cat .env"
termyte check "git push --force origin main"
termyte check "npm publish"
termyte check "npm test"

Understand the output

A check includes:
  • final decision: allow, warn, ask, or block;
  • risk band and score;
  • semantic action ID;
  • explanation;
  • matched policy rules and their sources;
  • exact memory matches;
  • Executed: false.
Use JSON output for automation:
termyte check "npm publish" --json
A blocked check exits nonzero. Warn, ask, and allow checks currently exit zero because no execution occurs.
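An added example, not part of the Termyte documentation: a POSIX shell gate that relies only on the exit-status behaviour described above. The function name termyte_gate and its return codes are hypothetical. Because warn and ask decisions exit zero, they pass this gate.

```shell
#!/bin/sh
# Added example: gate a list of proposed commands on `termyte check`.
# It uses only behaviour stated on this page: a blocked check exits
# nonzero; allow, warn and ask checks exit zero and therefore pass.

# termyte_gate CMD...
#   Checks every command and executes none of them.
#   Returns 0 if nothing is blocked, 1 if at least one command is
#   blocked, 2 if termyte is unavailable (fail closed, never pass silently).
termyte_gate() {
    if ! command -v termyte >/dev/null 2>&1; then
        echo "termyte_gate: termyte not found; refusing to pass" >&2
        return 2
    fi
    blocked=0
    for cmd in "$@"; do
        # Quote the command so it reaches termyte as one text argument.
        # Each check also writes a local decision event (see `termyte logs`).
        if termyte check "$cmd" >/dev/null 2>&1; then
            echo "pass:    $cmd"
        else
            echo "blocked: $cmd"
            blocked=$((blocked + 1))
        fi
    done
    echo "$blocked of $# blocked" >&2
    [ "$blocked" -eq 0 ]
}

# Run the gate when commands are supplied on the command line, e.g.
#   sh gate.sh "npm test" "npm publish"
if [ "$#" -gt 0 ]; then
    termyte_gate "$@"
fi
```

Run termyte logs --warned afterwards to review the warned checks that this exit-status gate lets through.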

What Termyte recognizes

Current recognition includes:
  • destructive filesystem deletes;
  • force pushes and destructive Git history actions;
  • package publishing;
  • secret access;
  • remote script execution;
  • privilege escalation;
  • destructive Docker operations;
  • deployment mutations;
  • destructive SQL.
Unknown command forms fall back to a generic shell action and may be allowed. See recognized actions for the current coverage.

Check policy without writing a log

termyte policy test "cat .env"
policy test uses the stable policy engine but does not apply user memory and does not write a check event. Use it when authoring or reviewing policy.

Review checks

termyte logs
termyte logs --blocked
termyte logs --warned
termyte logs --today
termyte logs --json