Security

Last updated: June 15, 2025

Security is foundational to Nexus Suite. We designed the system with a local-first, zero-knowledge architecture so your code and data stay under your control. This page describes our security practices, encryption standards, and how to report vulnerabilities.

1. Zero-Knowledge Sync

When Pro and Studio tier users enable sync, all data — settings, skills, and memory — is encrypted on the client device before being transmitted to our servers. The encryption key is derived from your password and never leaves your device.

Our servers store only encrypted blobs. We cannot decrypt, read, or access the plaintext content of your synced data. This zero-knowledge architecture means that even in the event of a server breach, your synced data remains protected.

2. Authentication

JWT-based authentication

All authenticated API requests use JSON Web Tokens (JWT) signed with RS256 asymmetric keys. Access tokens expire after 15 minutes. Refresh tokens are valid for 30 days and are rotated on each use — the previous token is immediately invalidated.

Password security

Passwords are hashed using Argon2id with 64 MB memory cost, 3 iterations, and a unique 16-byte salt per password. We enforce a minimum password length of 12 characters. Accounts are temporarily locked after 5 failed login attempts within 15 minutes.

Device code flow

NexusIDE and NexusCore CLI authenticate using the OAuth 2.0 Device Code Flow. Users authorize in a browser, and credentials are stored in the operating system's secure credential storage (macOS Keychain, Windows Credential Manager, Linux Secret Service).

Enterprise SSO

Studio tier organizations can configure SAML 2.0 Single Sign-On with their corporate identity provider. All SSO authentication events are logged to the audit log.

3. Encryption Standards

  • Data at rest: AES-256 encryption for all stored data
  • Data in transit: TLS 1.2+ for all connections
  • Password hashing: Argon2id (64 MB memory, 3 iterations, 1 parallelism)
  • Token signing: RS256 (RSA with SHA-256) for JWTs
  • API key storage: AES-256-GCM encryption for stored cloud provider API keys
  • Sync encryption: Client-side encryption with user-derived keys (zero-knowledge)
  • Telegram bridge: End-to-end encryption via X25519 key exchange + AES-256-GCM

4. Infrastructure Security

  • API rate limiting per user tier and per IP address to prevent abuse
  • Redis-backed JWT blacklist for immediate token revocation
  • Stripe webhook signature verification on all payment events
  • Idempotent webhook processing to prevent duplicate operations
  • Structured logging and monitoring with alerting on anomalies
  • Regular dependency updates and vulnerability scanning

5. Cloud Model Brokering

When using cloud model brokering (Pro and Studio tiers), Nexus Suite proxies requests to cloud AI providers. We do not store or log the content of your requests or responses — the service operates as a pass-through proxy. Your API keys are stored encrypted at rest using AES-256-GCM.

6. Responsible Disclosure

We take security vulnerabilities seriously. If you discover a security issue in any Nexus Suite product or service, please report it responsibly.

How to report

Email security@nexus-suite.dev with a description of the vulnerability, steps to reproduce, and any relevant proof-of-concept code.

What to expect

  • Acknowledgment within 48 hours
  • Regular updates on our investigation progress
  • Credit in our security advisories (if desired)
  • We will not take legal action against researchers who follow responsible disclosure practices

Scope

The following are in scope: api.nexus-suite.dev, nexus-suite.dev, NexusCore CLI, NexusIDE, and all official Nexus Suite GitHub repositories.

7. Audit Logging

Studio tier organizations have access to comprehensive audit logs covering all security-relevant events: sign-in/sign-out, subscription changes, team membership changes, role assignments, SSO configuration, MCP server provisioning, and skill publishing. Audit logs are retained for a minimum of 1 year and can be exported in JSON or CSV format.

8. Contact

For security questions or concerns, contact us at security@nexus-suite.dev.

Changelog

  • June 15, 2025Initial publication of Security page.