buildwithnexus 0.8.11 → 0.10.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +93 -98
- package/SECURITY.md +85 -0
- package/bin/buildwithnexus.js +23 -0
- package/harness/Cargo.lock +1140 -0
- package/harness/Cargo.toml +38 -0
- package/harness/src/agent.rs +627 -0
- package/harness/src/config.rs +366 -0
- package/harness/src/hooks.rs +373 -0
- package/harness/src/lib.rs +391 -0
- package/harness/src/local.rs +81 -0
- package/harness/src/main.rs +5 -0
- package/harness/src/onboarding.rs +116 -0
- package/harness/src/provider.rs +843 -0
- package/harness/src/report.rs +166 -0
- package/harness/src/session.rs +145 -0
- package/harness/src/tools.rs +544 -0
- package/harness/src/tui.rs +888 -0
- package/package.json +32 -46
- package/scripts/postinstall.js +137 -0
- package/scripts/resolve-binary.js +38 -0
- package/dist/bin.js +0 -4263
- package/dist/nexus-release.tar.gz +0 -0
package/README.md
CHANGED
|
@@ -3,124 +3,119 @@
|
|
|
3
3
|
[](https://www.npmjs.com/package/buildwithnexus)
|
|
4
4
|
[](https://opensource.org/licenses/MIT)
|
|
5
5
|
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
6
|
+
A hilariously fast, **agentic AI CLI harness** — written in Rust. Remote models
|
|
7
|
+
via API key, or local models on your machine. It plans, edits files, and runs
|
|
8
|
+
commands, asking before each change. One static binary, four dependencies, no
|
|
9
|
+
runtime to babysit.
|
|
9
10
|
|
|
10
11
|
```bash
|
|
11
12
|
npm install -g buildwithnexus
|
|
12
13
|
buildwithnexus
|
|
13
14
|
```
|
|
14
15
|
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
## What It Does
|
|
16
|
+
The first launch walks you through choosing a model. Then describe a task.
|
|
18
17
|
|
|
19
|
-
|
|
18
|
+
## Why
|
|
20
19
|
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
20
|
+
The original `buildwithnexus` was a TypeScript CLI talking to a Python /
|
|
21
|
+
LangGraph backend over HTTP. This is a ground-up rewrite that keeps the *benefits*
|
|
22
|
+
of that engine — planning, a ReAct tool loop, approval gates, role-specialized
|
|
23
|
+
agents — as plain Rust control flow, with **none** of the framework weight. No
|
|
24
|
+
Python, no Docker, no tunnel. The orchestration that LangGraph did at runtime is
|
|
25
|
+
just code here, which is where the speed comes from.
|
|
24
26
|
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
╚════════════════════════════════════════════════════════════╝
|
|
27
|
+
Design bias, in order: **performance**, then **fewer lines**, then **fewer
|
|
28
|
+
dependencies** — never at the cost of the UX. Enums and `match` over trait
|
|
29
|
+
objects; flat data tables over registries; one pooled HTTP connection reused
|
|
30
|
+
across every step of the agent loop.
|
|
30
31
|
|
|
31
|
-
|
|
32
|
+
## Models
|
|
32
33
|
|
|
33
|
-
|
|
34
|
-
[1] PLAN design & break down steps
|
|
35
|
-
[2] BUILD execute with live streaming
|
|
36
|
-
[3] BRAINSTORM free-form explore & Q&A
|
|
37
|
-
```
|
|
34
|
+
Two wire protocols cover everything. Pick a provider during setup (or `bwn init`):
|
|
38
35
|
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
|
44
|
-
|
|
45
|
-
|
|
|
46
|
-
|
|
|
47
|
-
|
|
|
48
|
-
|
|
|
49
|
-
| `buildwithnexus server` | Start the NEXUS Python backend server |
|
|
50
|
-
| `buildwithnexus da-status` | Check backend connectivity |
|
|
51
|
-
| `buildwithnexus doctor` | Run diagnostics (backend health + environment) |
|
|
52
|
-
| `buildwithnexus logs [-f]` | View server logs (stream with `-f`) |
|
|
53
|
-
| `buildwithnexus keys list` | List configured API keys |
|
|
54
|
-
| `buildwithnexus keys set <KEY_NAME>` | Set an API key |
|
|
55
|
-
|
|
56
|
-
### Docker infrastructure (requires Docker + full NEXUS setup)
|
|
57
|
-
|
|
58
|
-
| Command | Description |
|
|
59
|
-
|---------|-------------|
|
|
60
|
-
| `buildwithnexus 99 [instruction]` | AI pair-programming via full NEXUS engine |
|
|
61
|
-
| `buildwithnexus start` | Start full NEXUS Docker services |
|
|
62
|
-
| `buildwithnexus stop` | Stop NEXUS Docker services |
|
|
63
|
-
| `buildwithnexus status [--json]` | Show Docker container health |
|
|
64
|
-
| `buildwithnexus dashboard` | Open the NEXUS dashboard at `localhost:4200/dashboard` |
|
|
65
|
-
| `buildwithnexus update` | Update to the latest version |
|
|
66
|
-
| `buildwithnexus destroy [--force]` | Remove NEXUS and all data |
|
|
67
|
-
| `buildwithnexus ssh` | Open SSH session into the sandbox |
|
|
68
|
-
|
|
69
|
-
## Architecture
|
|
70
|
-
|
|
71
|
-
```
|
|
72
|
-
buildwithnexus CLI (TypeScript/Node.js)
|
|
73
|
-
│
|
|
74
|
-
│ SSE streaming
|
|
75
|
-
▼
|
|
76
|
-
NEXUS Backend (Python FastAPI, port 4200)
|
|
77
|
-
│
|
|
78
|
-
▼
|
|
79
|
-
LangGraph Runtime → 56-agent organization
|
|
80
|
-
• CPO (Opus) — brainstorm + strategy
|
|
81
|
-
• VP Engineering → 19 eng agents
|
|
82
|
-
• Product Management → 2 agents
|
|
83
|
-
• QA Team → 7 agents
|
|
84
|
-
• Security Team → 3 agents
|
|
85
|
-
• ML & Data → 6 agents
|
|
86
|
-
• Salesforce → 10 agents
|
|
87
|
-
• Documentation → 2 agents
|
|
88
|
-
• Consultant → 1 agent
|
|
89
|
-
```
|
|
36
|
+
| Provider | Kind | Key |
|
|
37
|
+
|----------|------|-----|
|
|
38
|
+
| Anthropic (Claude) | remote | `ANTHROPIC_API_KEY` |
|
|
39
|
+
| OpenAI | remote | `OPENAI_API_KEY` |
|
|
40
|
+
| OpenRouter | remote | `OPENROUTER_API_KEY` |
|
|
41
|
+
| Groq | remote | `GROQ_API_KEY` |
|
|
42
|
+
| Hugging Face | remote | `HF_TOKEN` |
|
|
43
|
+
| Ollama | local | — |
|
|
44
|
+
| llama.cpp server | local | — |
|
|
45
|
+
| LM Studio | local | — |
|
|
90
46
|
|
|
91
|
-
|
|
47
|
+
Env vars override the stored key, so CI and one-offs Just Work. Keys live in
|
|
48
|
+
`~/.buildwithnexus/.env.keys` (0600).
|
|
92
49
|
|
|
93
|
-
|
|
94
|
-
- **Anthropic API key** (`sk-ant-...`) from [console.anthropic.com](https://console.anthropic.com)
|
|
95
|
-
- NEXUS backend running on `localhost:4200` (for PLAN/BUILD/BRAINSTORM modes)
|
|
50
|
+
## Modes
|
|
96
51
|
|
|
97
|
-
|
|
98
|
-
-
|
|
99
|
-
-
|
|
52
|
+
- **PLAN** — decompose the task into steps you approve or edit, then execute.
|
|
53
|
+
- **BUILD** — the agentic ReAct loop: read/edit files, run commands, iterate.
|
|
54
|
+
- **BRAINSTORM** — free-form chat, no tools.
|
|
100
55
|
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
| `NEXUS_BACKEND_DIR` | `~/Projects/nexus` | Path to NEXUS backend for auto-start |
|
|
56
|
+
```bash
|
|
57
|
+
buildwithnexus # full-screen interactive session
|
|
58
|
+
buildwithnexus run <task> # execute a task (agentic, headless)
|
|
59
|
+
buildwithnexus plan <task> # decompose, approve, then execute
|
|
60
|
+
buildwithnexus brainstorm <q> # free-form chat
|
|
61
|
+
buildwithnexus init # (re)configure provider / model / key
|
|
62
|
+
buildwithnexus providers # list built-in providers
|
|
63
|
+
```
|
|
110
64
|
|
|
111
|
-
##
|
|
65
|
+
## Permissions
|
|
66
|
+
|
|
67
|
+
Every mutating tool (`write_file`, `edit_file`, `run_command`) passes a gate:
|
|
68
|
+
`ask` (default), `auto` (yolo), or `readonly`. Set it during setup.
|
|
69
|
+
|
|
70
|
+
## Hooks
|
|
71
|
+
|
|
72
|
+
Run your own commands at the same lifecycle points as Claude Code, configured in
|
|
73
|
+
`~/.buildwithnexus/settings.json` (user) and/or `.buildwithnexus/settings.json`
|
|
74
|
+
(project). User hooks are always active; **project hooks run only after you trust
|
|
75
|
+
that folder** (you're prompted once, and a project hook may *deny* a tool but
|
|
76
|
+
never *grant* one — so cloning a hostile repo can't run or unlock anything).
|
|
77
|
+
Events: `SessionStart`, `UserPromptSubmit`, `PreToolUse`, `PostToolUse`, `Stop`,
|
|
78
|
+
`SessionEnd`. Each hook command receives the event as JSON on stdin.
|
|
79
|
+
|
|
80
|
+
`PreToolUse` can gate a tool: exit code **2** (or a JSON
|
|
81
|
+
`permissionDecision: "deny"`) blocks it — even under `auto`. `"allow"` skips the
|
|
82
|
+
prompt; otherwise the normal gate applies. Matchers are `*`, an exact tool name,
|
|
83
|
+
or a `|`-separated list. See [`examples/settings.json`](./examples/settings.json).
|
|
84
|
+
|
|
85
|
+
```json
|
|
86
|
+
{
|
|
87
|
+
"hooks": {
|
|
88
|
+
"PreToolUse": [
|
|
89
|
+
{ "matcher": "run_command",
|
|
90
|
+
"hooks": [{ "type": "command", "command": "echo 'no shell on main' >&2; exit 2" }] }
|
|
91
|
+
]
|
|
92
|
+
}
|
|
93
|
+
}
|
|
94
|
+
```
|
|
112
95
|
|
|
113
|
-
|
|
114
|
-
- HMAC-SHA256 tamper detection on `.env.keys`
|
|
115
|
-
- Input sanitization and output redaction via DLP layer
|
|
116
|
-
- Backend URL validation before transmitting API keys
|
|
117
|
-
- Audit trail at `~/.buildwithnexus/audit.log`
|
|
96
|
+
## Build from source
|
|
118
97
|
|
|
119
|
-
|
|
98
|
+
```bash
|
|
99
|
+
cargo build --release --manifest-path harness/Cargo.toml # → harness/target/release/buildwithnexus
|
|
100
|
+
bash scripts/vendor.sh # vendor deps for offline / reproducible builds
|
|
101
|
+
```
|
|
120
102
|
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
103
|
+
The npm package is a thin wrapper: `postinstall` downloads the prebuilt binary
|
|
104
|
+
for your platform from the GitHub Release and **verifies its SHA-256** before
|
|
105
|
+
use, falling back to a `cargo` build (using vendored deps when present). Releases
|
|
106
|
+
also carry build-provenance attestations (`gh attestation verify`).
|
|
107
|
+
|
|
108
|
+
## Safety
|
|
109
|
+
|
|
110
|
+
- Default permission is **ask** — every file write, edit, and command is
|
|
111
|
+
confirmed. `auto` ("yolo") and `readonly` are opt-in.
|
|
112
|
+
- File tools are confined to the working directory; reads outside it, and of
|
|
113
|
+
sensitive paths (the key store, `~/.ssh`, `.env`, `*.pem`), require
|
|
114
|
+
confirmation even in `auto`. Catastrophic commands (`rm -rf /`, `mkfs`, …) too.
|
|
115
|
+
- API keys are never sent to a non-HTTPS endpoint, and key-like tokens are
|
|
116
|
+
redacted from surfaced errors.
|
|
117
|
+
- In non-interactive / `--json` runs, anything that would prompt is denied
|
|
118
|
+
rather than blocking.
|
|
124
119
|
|
|
125
120
|
## License
|
|
126
121
|
|
package/SECURITY.md
ADDED
|
@@ -0,0 +1,85 @@
|
|
|
1
|
+
# Security Policy
|
|
2
|
+
|
|
3
|
+
## Supported Versions
|
|
4
|
+
|
|
5
|
+
`buildwithnexus` is published to npm under semantic versioning. Only the latest
|
|
6
|
+
released minor line receives security fixes.
|
|
7
|
+
|
|
8
|
+
| Version | Supported |
|
|
9
|
+
|------------|--------------------|
|
|
10
|
+
| 0.8.x | :white_check_mark: |
|
|
11
|
+
| < 0.8 | :x: |
|
|
12
|
+
|
|
13
|
+
## Reporting a Vulnerability
|
|
14
|
+
|
|
15
|
+
**Do not open a public GitHub issue for security problems.**
|
|
16
|
+
|
|
17
|
+
Report vulnerabilities privately via GitHub's coordinated-disclosure flow:
|
|
18
|
+
|
|
19
|
+
https://github.com/Garretts-Apps/buildwithnexus/security/advisories/new
|
|
20
|
+
|
|
21
|
+
Or by email to `security@buildwithnexus.dev`.
|
|
22
|
+
|
|
23
|
+
We aim to acknowledge new reports within **3 business days** and to ship a fix
|
|
24
|
+
or mitigation within **30 days** of acknowledgement, depending on severity. We
|
|
25
|
+
will credit reporters in the advisory unless they ask to remain anonymous.
|
|
26
|
+
|
|
27
|
+
## Scope
|
|
28
|
+
|
|
29
|
+
In scope:
|
|
30
|
+
|
|
31
|
+
- The `buildwithnexus` npm package (CLI, bundled NEXUS source tarball,
|
|
32
|
+
installer scripts).
|
|
33
|
+
- The publish pipeline in `.github/workflows/publish.yml`.
|
|
34
|
+
- The bundled NEXUS Python source (`dist/nexus-release.tar.gz`).
|
|
35
|
+
- Any release artifacts attached to GitHub Releases (SBOM, checksums).
|
|
36
|
+
|
|
37
|
+
Out of scope:
|
|
38
|
+
|
|
39
|
+
- Vulnerabilities in upstream dependencies — please report those upstream first;
|
|
40
|
+
if exploitable through `buildwithnexus`, also notify us.
|
|
41
|
+
- Self-XSS or social-engineering against your own developer machine.
|
|
42
|
+
- Issues that require an attacker to already control your CI secrets, npm
|
|
43
|
+
account, or developer machine.
|
|
44
|
+
|
|
45
|
+
## Verifying a Release
|
|
46
|
+
|
|
47
|
+
Every release on npm from `v0.9.0` onward ships with **npm provenance** — a
|
|
48
|
+
SLSA-Build-L3-style attestation cryptographically tying the tarball back to the
|
|
49
|
+
specific GitHub Actions workflow run that built it.
|
|
50
|
+
|
|
51
|
+
To verify:
|
|
52
|
+
|
|
53
|
+
```sh
|
|
54
|
+
npm view buildwithnexus@<version> --json | jq .dist.attestations
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
Or interactively in the terminal:
|
|
58
|
+
|
|
59
|
+
```sh
|
|
60
|
+
npx -y npm-audit-resolver buildwithnexus
|
|
61
|
+
```
|
|
62
|
+
|
|
63
|
+
The publish workflow also attaches a CycloneDX SBOM (`sbom.cdx.json`) and a
|
|
64
|
+
`SHA256SUMS.txt` to each GitHub Release. You can reproduce the tarball locally
|
|
65
|
+
by checking out the corresponding tag and running:
|
|
66
|
+
|
|
67
|
+
```sh
|
|
68
|
+
git clone --branch v<version> https://github.com/Garretts-Apps/buildwithnexus
|
|
69
|
+
cd buildwithnexus
|
|
70
|
+
NEXUS_SRC=/path/to/nexus npm run build && npm run bundle
|
|
71
|
+
sha256sum dist/nexus-release.tar.gz
|
|
72
|
+
```
|
|
73
|
+
|
|
74
|
+
## Hardening Inside the Package
|
|
75
|
+
|
|
76
|
+
- `prepublishOnly` refuses to publish unless `NEXUS_SRC` is explicitly set to a
|
|
77
|
+
valid nexus checkout. No silent fall-through to a stale `/tmp/` copy.
|
|
78
|
+
- `postinstall` was removed. `npm install buildwithnexus` no longer executes
|
|
79
|
+
any project-defined lifecycle script on the user's machine.
|
|
80
|
+
- All GitHub Actions in our workflows are pinned to specific minor versions
|
|
81
|
+
(Dependabot proposes SHA-pinned bumps weekly).
|
|
82
|
+
- The publish workflow runs with the minimum permissions required, plus
|
|
83
|
+
`id-token: write` only for OIDC provenance signing.
|
|
84
|
+
- `npm ci --ignore-scripts` is used in CI to neutralise transitive postinstall
|
|
85
|
+
scripts during builds and audits.
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
#!/usr/bin/env node
|
|
2
|
+
'use strict';
|
|
3
|
+
// Thin launcher: hand off to the native Rust binary with stdio inherited so the
|
|
4
|
+
// alternate-screen TUI works exactly as if it were invoked directly.
|
|
5
|
+
const { spawnSync } = require('child_process');
|
|
6
|
+
const { existing } = require('../scripts/resolve-binary.js');
|
|
7
|
+
|
|
8
|
+
const bin = existing();
|
|
9
|
+
if (!bin) {
|
|
10
|
+
process.stderr.write(
|
|
11
|
+
'buildwithnexus: native binary not found.\n' +
|
|
12
|
+
' Reinstall the package, or build it locally with Rust (https://rustup.rs):\n' +
|
|
13
|
+
' npm explore buildwithnexus -- npm run build\n'
|
|
14
|
+
);
|
|
15
|
+
process.exit(1);
|
|
16
|
+
}
|
|
17
|
+
|
|
18
|
+
const result = spawnSync(bin, process.argv.slice(2), { stdio: 'inherit' });
|
|
19
|
+
if (result.error) {
|
|
20
|
+
process.stderr.write(`buildwithnexus: ${result.error.message}\n`);
|
|
21
|
+
process.exit(1);
|
|
22
|
+
}
|
|
23
|
+
process.exit(result.status === null ? 1 : result.status);
|