Show HN: Forgeterm – Runtime security monitor for AI coding agents
hackernews
📦 Open source
#ai
#ai deals
#anthropic
#claude
#gemini
#openai
#monitoring
#security
#coding-agents
#hackernews
Original source: hackernews · Summarized and analyzed by Genesis Park
Summary
Forgeterm is a runtime security tool that runs in the background and monitors the security of AI coding tools that hold broad permissions. It detects access to sensitive files such as SSH keys and AWS credentials, unauthorized network connections and dangerous command execution, and raises a data exfiltration alert when a network connection follows a sensitive file read within 10 seconds. It also uses cgroups v2 to apply per-tool memory limits (3GB/4GB for Claude Code) and prevent system overload. It works as a system service on Linux and macOS without proxies or wrappers, so existing AI tool workflows stay unchanged while security threats are controlled in real time.
Body
Runtime security monitor for AI coding agents.

AI coding tools run commands on your machine with broad permissions. They read files, make network connections, spawn child processes. npm postinstall scripts, piped curl commands, credential file reads: it all happens in the background with no visibility.

- Watches file access. Detects reads of SSH keys, AWS credentials, .env files, GPG keys, and 30+ other sensitive paths.
- Monitors network connections. Flags connections to hosts not on the allowlist.
- Detects dangerous commands. Reverse shells, `curl | sh`, `chmod 777`, crontab edits, cloud metadata access.
- Correlates signals. Sensitive file read followed by a network connection within 10 seconds triggers a data exfiltration alert.
- Enforces memory limits. Cgroups v2 prevents AI tools from freezing your machine. Tiered warnings before throttle or kill.
- Sends desktop notifications. You see alerts without checking a dashboard.

No wrappers. No proxies. You keep using Claude Code, Codex, Cursor, Gemini CLI, Aider, or any other tool normally. Forgeterm watches from the background.

The forgeterm-agent daemon runs as a user service (systemd on Linux, launchd on macOS). It scans /proc every 5 seconds to discover AI coding tool processes by matching command-line patterns. Once a session is found, five monitors activate:

- FileMonitor: scans /proc/pid/fd and watches sensitive directories with inotify
- NetworkMonitor: parses /proc/pid/net/tcp and matches socket inodes
- ProcessMonitor: tracks child process trees recursively
- ResourceMonitor: reads RSS from /proc/pid/stat, detects memory leaks
- OutputMonitor: watches command output for suspicious patterns

All signals flow through a tokio broadcast channel to consumers: the rule engine, audit logger, alert sender, cgroup governor, and IPC server.
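To make the NetworkMonitor step concrete, here is an added example (not forgeterm's own code) of mapping /proc/pid/net/tcp rows to one process's socket inodes and checking the remote hosts against an allowlist; the sample table, the inode set and the allowlist are constructed.

```rust
// Added example, not forgeterm's own code: how a NetworkMonitor can map
// /proc/<pid>/net/tcp rows to one process's remote endpoints via socket
// inodes, then flag endpoints that are not on the allowlist.
use std::collections::HashSet;
use std::net::Ipv4Addr;

// Constructed sample of /proc/<pid>/net/tcp: a listener plus two sessions.
pub const SAMPLE_TCP: &str = "\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0F02000A:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1111 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B3C4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 2222 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:B3C5 0100A8C0:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 3333 1 0000000000000000 20 4 30 10 -1
";

pub struct Conn { pub remote: Ipv4Addr, pub port: u16, pub inode: u64 }

/// Decode "AABBCCDD:PPPP": the address is hex in host byte order (assumes a
/// little-endian host, as on x86/arm64 Linux); the port is big-endian hex.
fn parse_endpoint(field: &str) -> Option<(Ipv4Addr, u16)> {
    let (ip_hex, port_hex) = field.split_once(':')?;
    let raw = u32::from_str_radix(ip_hex, 16).ok()?;
    let port = u16::from_str_radix(port_hex, 16).ok()?;
    Some((Ipv4Addr::from(raw.swap_bytes()), port))
}

/// Keep ESTABLISHED rows (state 01) whose inode is in `owned`, the set read
/// from the process's /proc/<pid>/fd "socket:[inode]" links.
pub fn established_conns(table: &str, owned: &HashSet<u64>) -> Vec<Conn> {
    table.lines().skip(1).filter_map(|line| {
        let f: Vec<&str> = line.split_whitespace().collect();
        // columns: sl local rem st tx:rx tr:when retrnsmt uid timeout inode
        if f.len() < 10 || f[3] != "01" { return None; }
        let inode: u64 = f[9].parse().ok()?;
        if !owned.contains(&inode) { return None; }
        let (remote, port) = parse_endpoint(f[2])?;
        Some(Conn { remote, port, inode })
    }).collect()
}

/// Connections to hosts not on the allowlist (what the monitor reports as unknown).
pub fn flag_unknown<'a>(conns: &'a [Conn], allow: &[Ipv4Addr]) -> Vec<&'a Conn> {
    conns.iter().filter(|c| !allow.contains(&c.remote)).collect()
}

fn main() {
    let owned = HashSet::from([2222u64, 3333]);
    let conns = established_conns(SAMPLE_TCP, &owned);
    for c in flag_unknown(&conns, &[Ipv4Addr::new(192, 168, 0, 1)]) {
        println!("ALERT unknown host {}:{} (inode {})", c.remote, c.port, c.inode);
    }
}
```

The listener row (state 0A) and any inode not owned by the monitored pid are skipped, so only that process's live sessions are judged against the allowlist.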
```
forgeterm-agent (daemon, always running)
|
|-- Discovery           /proc/*/cmdline scanning, pattern matching
|-- File Monitor        /proc/pid/fd + inotify on sensitive dirs
|-- Network Monitor     /proc/pid/net/tcp, socket inode matching
|-- Process Monitor     recursive child scanning, command patterns
|-- Resource Governor   cgroups v2 memory limits, leak detection
|-- Correlation         file access + network = exfil alert
|-- Audit Logger        JSON Lines to ~/.local/share/forgeterm/audit/
|-- IPC Server          Unix socket, JSON-RPC (ListSessions, GetEvents, Subscribe)
|
|-- Config:  ~/.config/forgeterm/agent.toml
|-- Rules:   ~/.config/forgeterm/security-rules.toml
|-- Socket:  ~/.local/share/forgeterm/agent.sock
```

The optional forgeterm TUI client connects to the daemon over a Unix socket for a live dashboard with session, resource, and security views.

| Tool | Detection Patterns |
|---|---|
| Claude Code | `claude`, `claude-code`, `@anthropic/claude-code` |
| Codex | `codex`, `openai-codex` |
| Gemini CLI | `gemini`, `gemini-cli` |
| Cursor | `cursor-agent`, `cursor` |
| Aider | `aider` |
| Custom | Configurable patterns in agent.toml |

| Threat | How | OWASP ASI |
|---|---|---|
| SSH/AWS/GPG key access | FD scanning + inotify | ASI-02 |
| Writes outside project dir | Boundary detection | ASI-01 |
| Unknown network connections | TCP parsing + allowlist | ASI-05 |
| Data exfiltration | File + network correlation (10s window) | ASI-08 |
| `curl \| sh`, reverse shells | Command pattern matching | ASI-10 |
| Suspicious child processes | Recursive /proc/children scan | ASI-10 |
| Memory leaks | Monotonic RSS growth detection | - |
| OOM kills | cgroup memory.events monitoring | - |

Three modes for memory enforcement via cgroups v2:

| Mode | memory.high | memory.max | Effect |
|---|---|---|---|
| warn | - | - | Desktop notifications only |
| throttle | set | - | Kernel throttles at soft limit (default) |
| kill | set | set | Hard OOM kill at max limit |

Per-CLI defaults: Claude Code 3GB/4GB, Codex 1.5GB/2GB, Gemini CLI 2GB/3GB, Cursor 3GB/4GB. Tiered alerts: 85% warning, 95% urgent ("save your work"), 100% throttled, OOM killed.

Example ~/.config/forgeterm/agent.toml:

```toml
[discovery]
scan_interval_secs = 5

[governor]
enabled = true
action = "throttle"  # warn | throttle | kill
warn_threshold = 0.85
urgent_threshold = 0.95

[governor.defaults]
memory_high = "2GB"
memory_max = "3GB"

[governor.cli.ClaudeCode]
memory_high = "3GB"
memory_max = "4GB"

[security]
enabled = true
scan_interval_secs = 3
exfil_window_secs = 10
```

The rules file, ~/.config/forgeterm/security-rules.toml, defines sensitive file paths, network allowlists, and dangerous command patterns. See config/security-rules.toml for the full default ruleset.

Download and install (Linux and macOS):

```sh
curl -sSf https://raw.githubusercontent.com/diemoeve/forgeterm/main/dist/install.sh | sh
```

This installs both the daemon and the TUI, starts the background service, and adds default config files.

After install, open the dashboard:

```sh
forgeterm
```

Try the demo to see alerts in action:

```sh
forgeterm demo
```

To build from source instead:

```sh
git clone https://github.com/diemoeve/forgeterm.git
cd forgeterm
cargo build --release
cp target/release/forgeterm-agent target/release/forgeterm ~/.local/bin/
mkdir -p ~/.config/forgeterm
cp config/agent.toml config/security-rules.toml ~/.config/forgeterm/
```

| Platf
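The correlation rule described above (a sensitive file read followed by a network connection inside the exfil_window_secs window) as an added Rust example; this is not forgeterm's own implementation, and the pids, path, timestamps and host are constructed.

```rust
// Added example, not forgeterm's own code: the file-read-then-network
// correlation from the text, using the page's 10-second exfil window.
use std::collections::HashMap;

#[derive(Clone, Copy)]
pub enum Signal<'a> {
    SensitiveRead { pid: u32, path: &'a str, at: u64 }, // `at` in seconds
    NetConnect { pid: u32, host: &'a str, at: u64 },
}

/// Remembers the latest sensitive read per pid; a connection by the same pid
/// within `window_secs` of that read produces an exfiltration alert.
pub struct Correlator { window_secs: u64, last_read: HashMap<u32, (String, u64)> }

impl Correlator {
    pub fn new(window_secs: u64) -> Self {
        Correlator { window_secs, last_read: HashMap::new() }
    }

    pub fn observe(&mut self, s: Signal) -> Option<String> {
        match s {
            Signal::SensitiveRead { pid, path, at } => {
                self.last_read.insert(pid, (path.to_string(), at));
                None
            }
            Signal::NetConnect { pid, host, at } => {
                let (path, read_at) = self.last_read.get(&pid)?;
                // A read after the connect, or older than the window, is no match.
                if at < *read_at || at - read_at > self.window_secs {
                    return None;
                }
                Some(format!("EXFIL pid {pid}: read {path}, connected to {host} {}s later", at - read_at))
            }
        }
    }
}

/// Constructed session (hypothetical pids and host): a key read followed by
/// connections inside and outside the window, plus an unrelated process.
pub fn run_demo() -> Vec<String> {
    let mut c = Correlator::new(10);
    let signals = [
        Signal::SensitiveRead { pid: 4242, path: "~/.ssh/id_ed25519", at: 100 },
        Signal::NetConnect { pid: 4242, host: "203.0.113.7", at: 104 }, // 4s later: alert
        Signal::NetConnect { pid: 4242, host: "203.0.113.7", at: 130 }, // 30s later: quiet
        Signal::NetConnect { pid: 999, host: "203.0.113.7", at: 101 }, // no prior read
    ];
    signals.iter().filter_map(|s| c.observe(*s)).collect()
}
```

Only the connection 4 seconds after the key read fires; the later one falls outside the window and the other pid never read anything sensitive.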
This analysis was written by the Genesis Park editorial team with the help of AI. The original can be found via the source link.