Runtime security monitor for AI coding agents.

AI coding tools run commands on your machine with broad permissions. They read files, make network connections, spawn child processes. npm postinstall scripts, piped curl commands, credential file reads: it all happens in the background with no visibility.

• Watches file access. Detects reads of SSH keys, AWS credentials, .env files, GPG keys, and 30+ other sensitive paths.
• Monitors network connections. Flags connections to hosts not on the allowlist.
• Detects dangerous commands. Reverse shells, curl | sh, chmod 777, crontab edits, cloud metadata access.
• Correlates signals. Sensitive file read followed by a network connection within 10 seconds triggers a data exfiltration alert.
• Enforces memory limits. Cgroups v2 prevents AI tools from freezing your machine. Tiered warnings before throttle or kill.
• Sends desktop notifications. You see alerts without checking a dashboard.

No wrappers. No proxies. You keep using Claude Code, Codex, Cursor, Gemini CLI, Aider, or any other tool normally. Forgeterm watches from the background.

The forgeterm-agent daemon runs as a user service (systemd on Linux, launchd on macOS). It scans /proc every 5 seconds to discover AI coding tool processes by matching command-line patterns. Once a session is found, five monitors activate:

• FileMonitor: scans /proc/pid/fd and watches sensitive directories with inotify
• NetworkMonitor: parses /proc/pid/net/tcp and matches socket inodes
• ProcessMonitor: tracks child process trees recursively
• ResourceMonitor: reads RSS from /proc/pid/stat, detects memory leaks
• OutputMonitor: watches command output for suspicious patterns

All signals flow through a tokio broadcast channel to consumers: the rule engine, audit logger, alert sender, cgroup governor, and IPC server.

forgeterm-agent (daemon, always running)
|
|-- Discovery         /proc/*/cmdline scanning, pattern matching
|-- File Monitor      /proc/pid/fd + inotify on sensitive dirs
|-- Network Monitor   /proc/pid/net/tcp, socket inode matching
|-- Process Monitor   recursive child scanning, command patterns
|-- Resource Governor  cgroups v2 memory limits, leak detection
|-- Correlation        file access + network = exfil alert
|-- Audit Logger       JSON Lines to ~/.local/share/forgeterm/audit/
|-- IPC Server         Unix socket, JSON-RPC (ListSessions, GetEvents, Subscribe)
|
|-- Config: ~/.config/forgeterm/agent.toml
|-- Rules:  ~/.config/forgeterm/security-rules.toml
|-- Socket: ~/.local/share/forgeterm/agent.sock

The optional forgeterm TUI client connects to the daemon over a Unix socket for a live dashboard with session, resource, and security views.

Three modes for memory enforcement via cgroups v2:

Per-CLI defaults: Claude Code 3GB/4GB, Codex 1.5GB/2GB, Gemini CLI 2GB/3GB, Cursor 3GB/4GB.

Tiered alerts: 85% warning, 95% urgent ("save your work"), 100% throttled, OOM killed.

[discovery]
scan_interval_secs = 5

[governor]
enabled = true
action = "throttle"       # warn | throttle | kill
warn_threshold = 0.85
urgent_threshold = 0.95

[governor.defaults]
memory_high = "2GB"
memory_max = "3GB"

[governor.cli.ClaudeCode]
memory_high = "3GB"
memory_max = "4GB"

[security]
enabled = true
scan_interval_secs = 3
exfil_window_secs = 10

Defines sensitive file paths, network allowlists, and dangerous command patterns. See config/security-rules.toml for the full default ruleset.

Download and install (Linux and macOS):

curl -sSf https://raw.githubusercontent.com/diemoeve/forgeterm/main/dist/install.sh | sh

This installs both the daemon and the TUI, starts the background service, and adds default config files.

After install, open the dashboard:

forgeterm

Try the demo to see alerts in action:

forgeterm demo

git clone https://github.com/diemoeve/forgeterm.git
cd forgeterm
cargo build --release
cp target/release/forgeterm-agent target/release/forgeterm ~/.local/bin/
mkdir -p ~/.config/forgeterm
cp config/agent.toml config/security-rules.toml ~/.config/forgeterm/

See CONTRIBUTING.md.

Apache-2.0. See LICENSE.