buildwithnexus Security
buildwithnexus is a single static binary that runs entirely on your machine. There is no server, no daemon, and no account. The security model is the security model of a local CLI: keep your keys safe, keep the agent confined to the project you point it at, and never let an automated run do something destructive without a human in the loop.
The model at a glance
Keys: kept in ~/.buildwithnexus/.env.keys at 0600, or read from the environment. Never transmitted except to your chosen provider over HTTPS.
Where your keys live
API keys for remote providers (Anthropic, OpenAI, OpenRouter, Groq, Hugging Face) are stored on disk in your home directory, not in the project, and not on any server.
Location: ~/.buildwithnexus/.env.keys
Permissions: 0600 (owner read/write only)
Environment override: ANTHROPIC_API_KEY, OPENAI_API_KEY, etc. to skip the file entirely
If you prefer to keep keys out of any file, export them in your shell. Environment variables take precedence over .env.keys:
export ANTHROPIC_API_KEY="sk-ant-..."
export OPENAI_API_KEY="sk-..."
buildwithnexus
Local providers (Ollama, llama.cpp server, LM Studio) need no key at all. They are detected automatically at setup and run on your own hardware, so nothing leaves the machine.
Filesystem confinement
The agent's file tools — read_file, list_dir, write_file, edit_file — are scoped to the working directory you launched in. A path that resolves outside the project tree is rejected before the tool runs. The agent cannot wander up into your home directory, read unrelated repositories, or write files outside the folder you handed it.
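The confinement rule above is easy to state and easy to get subtly wrong (a sibling directory that shares the root's name as a prefix, or a symlink inside the tree that points at ~/.ssh). The following Go program is an added example, not buildwithnexus's own code, of a path check that covers both cases; the function names and the decision to accept the lexical path once its real location is confirmed are assumptions.

```go
// Added example (not buildwithnexus's own code): a path-confinement check of
// the kind read_file/write_file need. Names and behaviour are assumptions.
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for any path that would escape the project tree.
var ErrOutsideRoot = errors.New("path resolves outside the project root")

// ConfinePath resolves requested against root and rejects anything that escapes
// it. It first checks the cleaned absolute path lexically, then follows symlinks
// on the longest existing prefix so a link inside the tree that points elsewhere
// is caught even when the final component does not exist yet (write_file
// creating a new file through a linked directory).
func ConfinePath(root, requested string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// A symlinked root (macOS temp dirs, for instance) must be compared by its real path.
	if real, err := filepath.EvalSymlinks(absRoot); err == nil {
		absRoot = real
	}

	p := requested
	if !filepath.IsAbs(p) {
		p = filepath.Join(absRoot, p)
	}
	p = filepath.Clean(p)
	if !inside(absRoot, p) {
		return "", ErrOutsideRoot
	}

	real, err := resolveExistingPrefix(p)
	if err != nil {
		return "", err
	}
	if !inside(absRoot, real) {
		return "", ErrOutsideRoot
	}
	return p, nil
}

// inside reports whether p is root itself or lies strictly below it.
// Using Rel rather than a string prefix avoids the /proj vs /projx mistake.
func inside(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	sep := string(filepath.Separator)
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+sep))
}

// resolveExistingPrefix walks up from p until EvalSymlinks succeeds, then
// re-attaches the not-yet-existing tail to the resolved prefix.
func resolveExistingPrefix(p string) (string, error) {
	cur, tail := p, ""
	for {
		if real, err := filepath.EvalSymlinks(cur); err == nil {
			return filepath.Join(real, tail), nil
		} else if !os.IsNotExist(err) {
			return "", err
		}
		parent := filepath.Dir(cur)
		if parent == cur {
			return "", fmt.Errorf("no existing ancestor for %s", p)
		}
		tail = filepath.Join(filepath.Base(cur), tail)
		cur = parent
	}
}

func main() {
	root, _ := os.Getwd()
	for _, req := range []string{"src/main.go", "../../.ssh/config", "/etc/hosts"} {
		if _, err := ConfinePath(root, req); err != nil {
			fmt.Printf("reject %-20s %v\n", req, err)
		} else {
			fmt.Printf("allow  %s\n", req)
		}
	}
}
```

The second pass matters for write_file: a brand-new file has no real path to resolve, so the check resolves the deepest ancestor that does exist and rejects the write if that ancestor is a link out of the tree.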
Permission modes
Every run operates under one of three permission modes: ask, auto, or readonly. The default, ask, puts a human in the loop before anything changes.
What stays gated, even in auto
auto mode is a convenience, not a blank check. Two classes of action always pause for a human:
Sensitive paths: touching ~/.ssh, .env files, *.pem keys, or the buildwithnexus key store requires explicit confirmation regardless of mode.
Hooks: trusted, and deny-only
buildwithnexus supports Claude-Code-compatible lifecycle hooks — SessionStart, UserPromptSubmit, PreToolUse, PostToolUse, Stop, and SessionEnd — configured in settings.json:
User hooks: ~/.buildwithnexus/settings.json
Project hooks: .buildwithnexus/settings.json
Because a project's hooks ship inside a repository you may have just cloned, they are treated as untrusted code. Project hooks run only after you explicitly trust the folder (tracked in ~/.buildwithnexus/trusted.json). Until then they are inert.
Even once trusted, hooks are strictly deny-only. A PreToolUse hook can block a tool call — by exiting with code 2, or by returning a JSON permissionDecision of deny — but it can never grant a permission the user hasn't. A hook can tighten the policy; it can never loosen it.
// .buildwithnexus/settings.json — deny edits to the lockfile
{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "edit_file",
        "command": "test \"$TOOL_INPUT_PATH\" != \"package-lock.json\" || exit 2"
        // test alone exits 1 on mismatch; exit 2 is the documented deny code, so the edit is denied
      }
    ]
  }
}
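What "deny-only" means in practice is clearest as code. The Go program below is an added example, not buildwithnexus's own hook engine: it parses the hooks section of a settings.json, runs each PreToolUse hook whose matcher names the tool with TOOL_INPUT_PATH in its environment, and folds the verdict into the decision the permission engine already made. The Decision type, the function names and the sh -c invocation are assumptions; treating every non-zero exit as a deny (the fail-closed reading of the comment above) is also an assumption.

```go
// Added example (not buildwithnexus's own code): a deny-only PreToolUse hook
// runner. Settings shape, TOOL_INPUT_PATH and the deny signals follow the page;
// everything else is an assumption.
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"os/exec"
)

type Decision int

const (
	Allow Decision = iota
	Deny
)

// Settings mirrors the hooks section of settings.json.
type Settings struct {
	Hooks map[string][]Hook `json:"hooks"`
}

type Hook struct {
	Matcher string `json:"matcher"`
	Command string `json:"command"`
}

type hookOutput struct {
	PermissionDecision string `json:"permissionDecision"`
}

// RunHook executes one hook with the tool's path in TOOL_INPUT_PATH and folds
// its verdict into prior. A hook can only move Allow -> Deny: a non-zero exit
// (the page documents 2) or a JSON permissionDecision of "deny" denies; any
// other output is ignored, so a prior Deny is never overturned.
func RunHook(prior Decision, h Hook, toolInputPath string) (Decision, error) {
	cmd := exec.Command("sh", "-c", h.Command)
	cmd.Env = append(os.Environ(), "TOOL_INPUT_PATH="+toolInputPath)
	out, err := cmd.Output()
	var exitErr *exec.ExitError
	switch {
	case errors.As(err, &exitErr):
		return Deny, nil // hook vetoed the call (assumption: any non-zero exit fails closed)
	case err != nil:
		return Deny, fmt.Errorf("hook %q could not run: %w", h.Command, err)
	}
	var parsed hookOutput
	if json.Unmarshal(bytes.TrimSpace(out), &parsed) == nil && parsed.PermissionDecision == "deny" {
		return Deny, nil
	}
	return prior, nil // "allow" or anything else: no change, hooks cannot grant
}

// EvaluatePreToolUse runs every PreToolUse hook whose matcher names the tool.
// The caller must already have checked that the project is trusted; an
// untrusted settings file must never reach this function.
func EvaluatePreToolUse(settingsJSON []byte, prior Decision, tool, path string) (Decision, error) {
	var s Settings
	if err := json.Unmarshal(settingsJSON, &s); err != nil {
		return Deny, err // unparsable hooks config: fail closed
	}
	d := prior
	for _, h := range s.Hooks["PreToolUse"] {
		if h.Matcher != tool {
			continue
		}
		var err error
		if d, err = RunHook(d, h, path); err != nil {
			return Deny, err
		}
	}
	return d, nil
}

// Constructed settings: the page's lockfile rule, without comments so that
// encoding/json accepts it.
const sampleSettings = `{"hooks": {"PreToolUse": [
  {"matcher": "edit_file",
   "command": "test \"$TOOL_INPUT_PATH\" != \"package-lock.json\" || exit 2"}
]}}`

func main() {
	for _, p := range []string{"src/app.go", "package-lock.json"} {
		d, err := EvaluatePreToolUse([]byte(sampleSettings), Allow, "edit_file", p)
		fmt.Printf("edit_file %-18s -> decision %d err=%v\n", p, d, err)
	}
}
```

The asymmetry is the whole point: the only branches that return Deny are the hook's veto signals and parse failures; there is no branch that returns Allow from a hook's output, so a compromised or sloppy hook cannot widen what the user granted.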
Network behavior
There is no listening socket, no localhost server, and no background process. The only outbound traffic is the request to the model provider you configured:
API keys are never sent to a non-HTTPS endpoint. If you point a keyed provider at a plaintext URL, the request is refused rather than leaking the credential.
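As an added example, not buildwithnexus's own code, this is the check a client makes before attaching a key to a request, encoding the two rules above: a keyed provider is only ever contacted over HTTPS, while a keyless local provider may use plain http. The function name is an assumption; the sample URLs in the test are constructed (the Ollama port is that server's documented default).

```go
// Added example (not buildwithnexus's own code): refuse to send an API key to a
// plaintext endpoint. Function and error names are assumptions.
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

var ErrPlaintextWithKey = errors.New("refusing to send an API key over a non-HTTPS endpoint")

// CheckProviderEndpoint returns nil when a request to rawURL may carry apiKey.
// The scheme is compared case-insensitively because url.Parse preserves case,
// so "HTTPS://..." must not slip past a plain string comparison.
func CheckProviderEndpoint(rawURL, apiKey string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	scheme := strings.ToLower(u.Scheme)
	if scheme != "http" && scheme != "https" {
		return fmt.Errorf("unsupported provider scheme %q", u.Scheme)
	}
	if u.Host == "" {
		return fmt.Errorf("provider URL %q has no host", rawURL)
	}
	// A keyless local provider may use http; a keyed one must not.
	if apiKey != "" && scheme != "https" {
		return ErrPlaintextWithKey
	}
	return nil
}

func main() {
	cases := []struct{ url, key string }{
		{"https://api.openai.com/v1/chat/completions", "sk-example"},
		{"http://localhost:11434/api/chat", ""},
		{"http://proxy.example:8080/v1", "sk-example"},
	}
	for _, c := range cases {
		fmt.Printf("%-45s keyed=%-5v -> %v\n", c.url, c.key != "", CheckProviderEndpoint(c.url, c.key))
	}
}
```

The check runs before any connection is opened, so a misconfigured base URL produces a refused request rather than a credential on the wire.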
Where data lives on disk
Everything buildwithnexus writes stays under ~/.buildwithnexus/. Session transcripts are plain files you own — they are not uploaded anywhere.
Session files: 0600 (reused by continue, resume)
Practical guidance
Use auto for tasks you understand and trust; use readonly when you only want analysis.
Keep .env.keys out of version control, or use environment variables on shared machines.
Review a cloned project's .buildwithnexus/settings.json before trusting the folder.
Reporting a vulnerability
If you find a security issue, please do not open a public issue. Report it privately through the repository's security policy at github.com/Garretts-Apps/buildwithnexus so it can be fixed before disclosure. buildwithnexus is open source under the MIT license.