Introduction
OxideTerm is a local-first SSH workspace, not just a terminal. Open a remote node once, then work around it in one place: shell, SFTP, port forwarding, trzsz transfers, lightweight editing, local shell, and BYOK-first OxideSens AI.
Built with Tauri 2.0 (Rust backend) and React 19 (TypeScript frontend), OxideTerm ships as a lightweight 25–40 MB native binary with zero Electron, zero OpenSSL, zero telemetry, zero core app subscription, and pure Rust SSH.
OxideTerm is not a cloud AI platform, hosted agent service, generic remote-protocol toolbox, or a terminal-rendering benchmark project. Many modern terminals are evolving around local shells, AI panels, or cloud agent platforms; OxideTerm focuses on the local-first SSH workspace.
Why OxideTerm?
Section titled “Why OxideTerm?”| Pain Point | OxideTerm’s Answer |
|---|---|
| SSH workspace, not just a shell | Remote node workspace: terminal, SFTP, port forwarding, trzsz, lightweight IDE, monitoring, and AI context live under the same node |
| You still need a local shell | Integrated local shell: zsh/bash/fish/pwsh/WSL2 beside SSH sessions, so local and remote tasks share one UI |
| Reconnect = lose everything | Grace Period reconnect: probes old connection 30s before killing it — your vim/htop/yazi survive when the TCP stream recovers |
| Remote file editing needs VS Code Remote | Lightweight IDE: CodeMirror 6 over SFTP with 24 languages, optional ~1 MB remote agent on Linux |
| No SSH connection reuse | Multiplexing: terminal, SFTP, forwards, and IDE share one SSH connection via a reference-counted pool |
| SSH libraries depend on OpenSSL | russh 0.59: pure Rust SSH compiled against ring — zero C dependencies |
| 100+ MB Electron apps | Tauri 2.0: native Rust backend, system WebView, 25–40 MB binary |
| You do not want telemetry or app subscriptions | Zero tracking, zero core app subscription: SSH/SFTP/port forwarding/local shell need no OxideTerm account or subscription; Cloud Sync is opt-in via plugin |
| You want AI without a platform account | BYOK-first OxideSens: target-first workspace AI for saved connections, live SSH sessions, terminal buffers, SFTP paths, settings, and knowledge base entries |
Architecture at a Glance
Section titled “Architecture at a Glance”OxideTerm uses a dual-plane architecture that separates latency-critical terminal I/O from management commands:
┌─────────────────────────────────────┐│ Frontend (React 19) ││ xterm.js 6 (WebGL) + Zustand │└──────────┬──────────────┬───────────┘ │ Tauri IPC │ WebSocket (binary) │ (JSON) │ per-session port┌──────────▼──────────────▼───────────┐│ Backend (Rust) ││ NodeRouter → SshConnectionRegistry ││ Wire Protocol v1 ││ [Type:1][Length:4][Payload:n] │└─────────────────────────────────────┘| Plane | Transport | Purpose |
|---|---|---|
| Data Plane | WebSocket (binary) | Terminal I/O — Type-Length-Payload framing, no JSON/Base64 in the hot path |
| Control Plane | Tauri IPC (JSON) | Management: connections, SFTP, port forwarding, config, AI chat |
Each SSH session gets its own WebSocket port with single-use, time-limited token authentication on the first frame. The frontend addresses remote resources by stable node identifiers; the backend resolves live connection state behind the scenes so reconnects do not invalidate SFTP, IDE, or port forwarding consumers.
Tech Stack
Section titled “Tech Stack”| Layer | Technology | Details |
|---|---|---|
| Framework | Tauri 2.0 | Native binary, 25–40 MB |
| Runtime | Tokio + DashMap | Async backend and concurrent registries |
| SSH | russh 0.59 (ring) | Pure Rust, zero OpenSSL, SSH Agent |
| Local PTY | portable-pty | ConPTY on Windows, local zsh/bash/fish/pwsh/WSL2 workflows |
| Frontend | React 19 + TypeScript | Vite, Tailwind CSS |
| State | Zustand | Specialized stores for terminal, SSH, SFTP, plugins, AI, settings |
| Terminal | xterm.js 6 + WebGL/Canvas | Adaptive rendering with software-renderer fallback |
| Editor | CodeMirror 6 | Lightweight remote editing |
| Encryption | ChaCha20-Poly1305 + Argon2id | Encrypted .oxide exports and local config sealing |
| Storage | redb | Embedded local KV store |
| i18n | i18next | 11 UI languages |
| Plugins | ESM Runtime | Official Cloud Sync, Telnet Client, and runtime extension APIs |
| CLI | JSON-RPC 2.0 | Unix Socket / Named Pipe companion |
Key Features
Section titled “Key Features”| Category | Features |
|---|---|
| Terminal | Local PTY, SSH remote, split panes, broadcast input, session recording/playback, adaptive rendering, command palette, zen mode, themes + custom editor |
| SSH & Auth | Connection pooling, ProxyJump topology, auto-reconnect with Grace Period, Agent Forwarding, password/key/certificate/SSH Agent/keyboard-interactive direct auth, Known Hosts TOFU |
| SFTP | Dual-pane browser, drag-and-drop, smart preview, transfer queue, bookmarks, archive extraction, directory transfer controls |
| IDE Mode | CodeMirror 6 editing, file tree + Git status, multi-tab workflow, conflict detection, optional remote agent |
| Port Forwarding | Local (-L), Remote (-R), Dynamic SOCKS5 (-D), auto-restore on reconnect, status and process visibility |
| AI (OxideSens) | Target-first BYOK assistant. It sees saved connections, live SSH sessions, terminal buffers, SFTP paths, settings, and knowledge base entries as workspace targets; it can diagnose remote output, run approved commands, inspect files, and explain failures without requiring an OxideTerm account |
| Plugins | Runtime ESM loading, PluginContext APIs, sidebar/status/tab contributions, official optional workflows |
| Security | OS keychain, encrypted local config at rest, encrypted .oxide exports, Touch ID gate on macOS, host key TOFU, sensitive memory zeroization |
| i18n | 11 languages: EN, 简体中文, 繁體中文, 日本語, 한국어, FR, DE, ES, IT, PT-BR, VI |
SSH Connection Pool
Section titled “SSH Connection Pool”OxideTerm uses a reference-counted SSH connection registry:
- One connection, many consumers — terminal, SFTP, port forwards, and IDE share a physical SSH connection.
- Runtime state machine —
connecting → active → idle → link_down → reconnecting. - Lifecycle management — configurable idle timeout, keepalive, link-down detection, and recovery.
- Cascade propagation — jump host failure marks downstream nodes and UI surfaces consistently.
Local-first Boundaries
Section titled “Local-first Boundaries”OxideTerm’s core SSH workflow does not require an OxideTerm account or subscription:
- SSH, SFTP, port forwarding, local shell, saved connections, and settings work locally.
- Credentials and API keys live in the OS keychain.
- AI is BYOK: provider costs belong to your chosen provider, not an OxideTerm app subscription.
- Cloud Sync is an optional official plugin, not a requirement for using the workspace.
What’s Next?
Section titled “What’s Next?”- Installation guide — download and install OxideTerm
- Terminal — learn about terminal features
- SFTP — file management over SSH
- IDE Mode — remote code editing
- Port Forwarding — SSH tunnels
- OxideSens AI — target-first BYOK AI for the SSH workspace
- Connections — auth methods, ProxyJump, SSH config import, encrypted presets
- Plugins — official plugins and the runtime extension model
- Security — encryption and credential management