Collaborative browser-based terminal and playbook workspace for penetration testing teams.
A shared war room where your team runs commands, documents findings, and manages credentials in one place. Side-by-side xterm.js terminal and markdown playbooks with real-time multi-user sync, variable substitution, credential vault, output intelligence, and session recording.
Authorization Required: Designed exclusively for authorized security testing with explicit written permission.
```bash
git clone https://github.com/Real-Fruit-Snacks/Riptide.git
cd Riptide
npm install
npm start
```

Open https://localhost:3000, create a room, set a password, and you're in. HTTPS is enabled by default with an auto-generated self-signed certificate.
```bash
# Disable HTTPS
NO_SSL=1 npm start

# Use your own certificate
SSL_KEY=/path/to/your.key SSL_CERT=/path/to/your.cert npm start

# Development mode with auto-restart
npm run dev

# Run all 675 tests
npm test
```

A full xterm.js terminal on one side, stackable markdown note sections on the other. Fenced code blocks get Run buttons that execute directly in the terminal. Run All executes every code block in a playbook sequentially.
```
┌─────────────────────┬─────────────────────┐
│ Playbook (MD)       │ Terminal (PTY)      │
│ [Run] code blocks   │ xterm.js + fit      │
│ Variable inputs     │ 256KB ring buffer   │
└─────────────────────┴─────────────────────┘
```
Password-protected rooms with dual WebSocket sync. Multiple users see each other's presence and get live updates on notes, credentials, and variables. Edit locks prevent conflicts, and late-joining users see buffered terminal output.
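The buffered output that a late joiner receives has to be bounded, which is what the 256KB ring buffer in the diagram above is for. The following is an added example, not Riptide's own code: a byte-capped buffer of PTY output chunks that evicts the oldest bytes (trimming a chunk rather than dropping it whole when only part of it is over the limit) and hands back a single snapshot for replay. The class and method names, and the default capacity, are assumptions for this example.

```javascript
// Added example (not Riptide's own code): a byte-capped ring buffer for
// terminal output, so a late-joining client can be sent the recent tail.
// Capacity, chunk shape and method names are assumptions for this example.
class OutputRingBuffer {
  constructor(maxBytes = 256 * 1024) {
    this.maxBytes = maxBytes;
    this.chunks = []; // Buffer objects in arrival order
    this.size = 0;    // total bytes currently retained
  }

  // Append one PTY output chunk, evicting the oldest bytes once over capacity.
  append(data) {
    let chunk = Buffer.isBuffer(data) ? data : Buffer.from(data, 'utf8');
    // A single chunk larger than the whole buffer keeps only its tail.
    if (chunk.length > this.maxBytes) {
      chunk = chunk.subarray(chunk.length - this.maxBytes);
      this.chunks = [];
      this.size = 0;
    }
    this.chunks.push(chunk);
    this.size += chunk.length;
    while (this.size > this.maxBytes) {
      const overflow = this.size - this.maxBytes;
      const oldest = this.chunks[0];
      if (oldest.length <= overflow) {
        this.chunks.shift();
        this.size -= oldest.length;
      } else {
        // Trim the front of the oldest chunk instead of dropping it whole.
        this.chunks[0] = oldest.subarray(overflow);
        this.size -= overflow;
      }
    }
  }

  // Everything currently retained as one Buffer, for replay to a late joiner.
  snapshot() {
    return Buffer.concat(this.chunks, this.size);
  }
}

// Stand-alone demonstration with a tiny capacity so the eviction is visible.
const demo = new OutputRingBuffer(10);
demo.append('abcdef');
demo.append('ghijkl');
console.log(demo.snapshot().toString()); // cdefghijkl
```

Keeping chunks as Buffers rather than decoded strings matters here: PTY output arrives as bytes and a multi-byte UTF-8 sequence or an ANSI escape may straddle two chunks, so the replay should be concatenated bytes and decoded once by the client, exactly as live output is.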
Use <TargetIP>, <Domain>, or any custom variable in code blocks. Riptide scans playbooks, renders input fields, and substitutes values at runtime. Variables support tab-scoped (per-target) and global (room-wide) scope.
```bash
nmap -sCV -p- <TargetIP> -oN nmap_full.txt
```

Store service/username/password/hash combos per target or globally. Click-to-reveal secrets, one-click copy, bulk export to credentials.txt, usernames.txt, or passwords_hashes.txt. Flag findings to alert the whole team.
After capturing terminal output, the parser automatically extracts IPs, URLs, emails, hashes, credentials, and nmap ports -- highlighted inline with one-click promote actions to push findings into the credential vault or scope panel.
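To make the output-intelligence step concrete, here is an added example (not Riptide's own parser) that strips ANSI colour codes from captured output, then pulls out URLs, e-mail addresses, IPv4 addresses, hex hashes (labelled md5/sha1/sha256 by length) and nmap-style open-port lines, de-duplicated per type so each finding can be offered once as a promote action. The patterns, the findings shape and the sample output are all constructed for this example.

```javascript
// Added example (not Riptide's own code): extract promotable findings from
// captured terminal output. Patterns and the findings shape are assumptions;
// SAMPLE_OUTPUT below is constructed for the example.
const EXTRACTORS = [
  { type: 'url',   re: /\bhttps?:\/\/[^\s"'<>]+/g },
  { type: 'email', re: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g },
  { type: 'ip',    re: /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g },
  // 64 (SHA-256), 40 (SHA-1) or 32 (MD5) hex chars; the length labels the kind.
  { type: 'hash',  re: /\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b/gi },
  // nmap -oN style service lines, e.g. "22/tcp   open  ssh     OpenSSH 8.9p1"
  { type: 'port',  re: /^(\d{1,5})\/(tcp|udp)[ \t]+open[ \t]+(\S+)(?:[ \t]+(.*))?$/gm },
];

const HASH_KIND = { 32: 'md5', 40: 'sha1', 64: 'sha256' };

// Remove CSI colour/cursor sequences so patterns see plain text.
function stripAnsi(text) {
  return text.replace(/\x1b\[[0-9;]*[A-Za-z]/g, '');
}

// Returns [{ type, value, ...extra }] with duplicates removed per type.
function extractFindings(rawOutput) {
  const text = stripAnsi(rawOutput);
  const seen = new Set();
  const findings = [];
  for (const { type, re } of EXTRACTORS) {
    for (const m of text.matchAll(re)) {
      let finding;
      if (type === 'port') {
        finding = { type, value: `${m[1]}/${m[2]}`, service: m[3], version: (m[4] || '').trim() };
      } else if (type === 'hash') {
        finding = { type, value: m[0].toLowerCase(), kind: HASH_KIND[m[0].length] };
      } else {
        finding = { type, value: m[0] };
      }
      const key = `${type}:${finding.value}`;
      if (seen.has(key)) continue;
      seen.add(key);
      findings.push(finding);
    }
  }
  return findings;
}

function byType(findings, type) {
  return findings.filter((f) => f.type === type);
}

// Constructed sample: a fragment of nmap output plus a coloured tool line.
const SAMPLE_OUTPUT = [
  'Nmap scan report for web01.corp.example (10.10.14.22)',
  'PORT     STATE  SERVICE VERSION',
  '22/tcp   open   ssh     OpenSSH 8.9p1',
  '80/tcp   open   http    nginx 1.18.0',
  '443/tcp  closed https',
  '\x1b[32mFound:\x1b[0m http://10.10.14.22/admin/ contact admin@corp.example',
  'md5sum: 5d41402abc4b2a76b9719d911017c592  hello.txt',
].join('\n');

// Stand-alone run: print what would be offered for promotion.
for (const f of extractFindings(SAMPLE_OUTPUT)) console.log(f);
```

Stripping ANSI sequences before matching is the step most easily forgotten: a colourised IP such as `\x1b[31m10.10.14.22\x1b[0m` still matches, but a hash split by a colour reset in the middle will not, so the parser only ever under-reports, never invents. The closed 443 line is deliberately excluded by requiring the `open` state.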
Build a library of reusable playbooks organized by category and tags. Search, import into rooms, customize, and share across engagements. Frontmatter metadata supports title, description, category, and tags.
```yaml
---
title: Network Reconnaissance
category: Recon
tags: [nmap, network, enumeration]
---
```

A persistent, cross-room knowledge base for techniques, tools, findings, and references. Promote entries directly from playbooks, credentials, scratch notes, or alerts with one click. Search and filter by type or tag.
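The variable-substitution and frontmatter features described above share one job: reading a playbook. The following is an added example, not Riptide's own code, that does both end to end: it parses the frontmatter shown above (scalars and bracketed lists only), collects the `<Variable>` placeholders from every fenced code block so input fields can be rendered, and substitutes values at run time with tab-scoped values taking precedence over room-wide (global) ones, leaving any unresolved placeholder in place and reporting it so the block is not run with a literal `<TargetIP>`. Function names, the scope-object shape and the sample playbook are assumptions for this example.

```javascript
// Added example (not Riptide's own code): playbook loading with frontmatter
// parsing, placeholder discovery and scoped substitution. Names and shapes
// are assumptions; SAMPLE_PLAYBOOK is constructed for the example.

// Parse a leading frontmatter block of "key: value" lines; bracketed
// values ([a, b, c]) become arrays. Returns the metadata and the remaining body.
function parseFrontmatter(markdown) {
  const match = /^---\r?\n([\s\S]*?)\r?\n---\r?\n?/.exec(markdown);
  if (!match) return { meta: {}, body: markdown };
  const meta = {};
  for (const line of match[1].split(/\r?\n/)) {
    const kv = /^([A-Za-z_][\w-]*):\s*(.*)$/.exec(line);
    if (!kv) continue;
    const [, key, raw] = kv;
    const list = /^\[(.*)\]$/.exec(raw.trim());
    meta[key] = list ? list[1].split(',').map((s) => s.trim()).filter(Boolean) : raw.trim();
  }
  return { meta, body: markdown.slice(match[0].length) };
}

// The fence is built from single characters so this example can itself live
// inside a fenced markdown block.
const FENCE = '`'.repeat(3);
const FENCED_BLOCK = new RegExp(FENCE + '[^\\n]*\\n([\\s\\S]*?)' + FENCE, 'g');

// The code of every fenced block in the body, in document order.
function extractCodeBlocks(body) {
  return [...body.matchAll(FENCED_BLOCK)].map((m) => m[1].trimEnd());
}

// Placeholders look like <TargetIP>. Requiring a leading letter keeps
// HTML-ish tokens such as </div> or <a href> from being treated as variables.
const PLACEHOLDER = /<([A-Za-z][A-Za-z0-9_]*)>/g;

// Distinct variable names across all blocks; this drives the input fields.
function collectVariables(blocks) {
  const names = new Set();
  for (const code of blocks) for (const m of code.matchAll(PLACEHOLDER)) names.add(m[1]);
  return [...names];
}

// Substitute values; tab scope wins over global scope. Unresolved
// placeholders are left as-is and listed in `missing`.
function substitute(code, { tabVars = {}, globalVars = {} } = {}) {
  const missing = [];
  const result = code.replace(PLACEHOLDER, (whole, name) => {
    if (Object.hasOwn(tabVars, name)) return tabVars[name];
    if (Object.hasOwn(globalVars, name)) return globalVars[name];
    missing.push(name);
    return whole;
  });
  return { result, missing };
}

function loadPlaybook(markdown) {
  const { meta, body } = parseFrontmatter(markdown);
  const blocks = extractCodeBlocks(body);
  return { meta, blocks, variables: collectVariables(blocks) };
}

// Constructed sample playbook using the frontmatter from the README.
const SAMPLE_PLAYBOOK = [
  '---',
  'title: Network Reconnaissance',
  'category: Recon',
  'tags: [nmap, network, enumeration]',
  '---',
  '# Full port scan',
  `${FENCE}bash`,
  'nmap -sCV -p- <TargetIP> -oN nmap_full.txt',
  FENCE,
  '# Record the target',
  `${FENCE}bash`,
  'echo "Target: <TargetIP> (<Domain>)" >> notes.txt',
  FENCE,
].join('\n');

// Stand-alone run: show the discovered variables and one substitution.
const loaded = loadPlaybook(SAMPLE_PLAYBOOK);
console.log(loaded.meta.title, loaded.variables);
console.log(substitute(loaded.blocks[0], { tabVars: { TargetIP: '10.0.0.5' } }).result);
```

Refusing to run a block with unresolved placeholders is the useful safety property here: a tab whose `TargetIP` was never filled in would otherwise execute a command against whatever the shell makes of the literal `<TargetIP>`, and the `missing` list is what lets the Run button stay disabled until every field has a value.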
Record and replay terminal sessions with full timing fidelity. Every keystroke and output sequence is captured for post-engagement review and reporting.
```
Riptide/
├── server.js            # Express + WebSocket + PTY management
├── lib/
│   ├── storage.js       # File I/O, atomic JSON updates
│   └── helpers.js       # Validation, hashing, frontmatter
├── routes/              # 15 Express Router modules
│   ├── rooms.js         # Room CRUD, join/leave
│   ├── tabs.js          # Tab management, status, scope
│   ├── notes.js         # Playbook notes CRUD, ordering
│   ├── credentials.js   # Credential vault (tab + global)
│   ├── variables.js     # Variable management (tab + global)
│   ├── scratch-notes.js # Quick notes with severity
│   ├── history.js       # Command history per tab
│   ├── files.js         # File upload/download per tab
│   ├── playbooks.js     # Library search and import
│   ├── alerts.js        # Flagged finding alerts
│   ├── recordings.js    # Terminal session recording
│   ├── chat.js          # Real-time chat (global + tab)
│   ├── knowledge.js     # Knowledge base CRUD
│   ├── audit.js         # Audit log
│   └── session.js       # Session reset, cleanup
├── public/
│   ├── css/             # Catppuccin themes (4 flavors)
│   ├── js/              # 37 frontend modules
│   └── index.html       # Single-page shell
└── test/                # 675 tests across 27 files
```
Vanilla JavaScript with no build step. Static files served directly from public/. Dual WebSocket channels handle terminal I/O (/ws/terminal) and state broadcast (/ws/sync) independently.
| Layer | Technology |
|---|---|
| Server | Node.js, Express 4, ws |
| Terminal | node-pty (server), xterm.js 5 (client) |
| Editor | CodeMirror 6 |
| Security | helmet, express-rate-limit, DOMPurify, scrypt |
| Theming | Catppuccin (Latte, Frappe, Macchiato, Mocha) |
| Testing | Vitest, supertest |
| Feature | Linux | macOS | Windows |
|---|---|---|---|
| Terminal PTY | Full | Full | Full (requires build tools) |
| Auto-TLS generation | Full | Full | Requires openssl on PATH |
| WebSocket sync | Full | Full | Full |
| File management | Full | Full | Full |
| Session recording | Full | Full | Full |
Riptide is designed for use on trusted networks during authorized engagements.
- Authentication -- scrypt password hashing, 24-hour session expiry
- TLS -- HTTPS by default with auto-generated certs, TLS 1.2 minimum
- Transport -- helmet CSP/HSTS, WebSocket origin validation, rate limiting
- Sanitization -- DOMPurify on all rendered markdown, path traversal protection
Report vulnerabilities via SECURITY.md. Do not open public issues for security concerns.
Riptide does not:
- Encrypt room data at rest
- Provide user-level access control within rooms
- Sandbox terminal commands
- Replace a production secrets management system
MIT -- Copyright 2026 Real-Fruit-Snacks