buildwithnexus 0.8.11 → 0.10.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -3,124 +3,137 @@
3
3
  [![npm version](https://img.shields.io/npm/v/buildwithnexus?style=flat-square&color=blue)](https://www.npmjs.com/package/buildwithnexus)
4
4
  [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg?style=flat-square)](https://opensource.org/licenses/MIT)
5
5
 
6
- Interactive CLI for NEXUS a 56-agent autonomous software engineering organization. Tell it what to build. It figures out the rest.
7
-
8
- ## Quick Start
6
+ A hilariously fast, **agentic AI CLI harness** written in Rust. Remote models
7
+ via API key, or local models on your machine. It plans, edits files, and runs
8
+ commands, asking before each change. One static binary, four dependencies, no
9
+ runtime to babysit.
9
10
 
10
11
  ```bash
11
12
  npm install -g buildwithnexus
12
13
  buildwithnexus
13
14
  ```
14
15
 
15
- On first run you'll be prompted to set your Anthropic API key. Keys are stored in `~/.buildwithnexus/.env.keys`.
16
+ The first launch walks you through choosing a model. Then describe a task.
16
17
 
17
- ## What It Does
18
+ ## Why
18
19
 
19
- Launch an interactive shell with three execution modes:
20
+ The original `buildwithnexus` was a TypeScript CLI talking to a Python /
21
+ LangGraph backend over HTTP. This is a ground-up rewrite that keeps the *benefits*
22
+ of that engine — planning, a ReAct tool loop, approval gates, role-specialized
23
+ agents — as plain Rust control flow, with **none** of the framework weight. No
24
+ Python, no Docker, no tunnel. The orchestration that LangGraph did at runtime is
25
+ just code here, which is where the speed comes from.
20
26
 
21
- - **PLAN** Break down your request into a reviewable step-by-step plan
22
- - **BUILD**Execute directly with live agent streaming
23
- - **BRAINSTORM** Free-form exploration with the NEXUS CPO streaming their reasoning
27
+ Design bias, in order: **performance**, then **fewer lines**, then **fewer
28
+ dependencies** — never at the cost of the UX. Enums and `match` over trait
29
+ objects; flat data tables over registries; one pooled HTTP connection reused
30
+ across every step of the agent loop.
24
31
 
25
- ```
26
- ╔════════════════════════════════════════════════════════════╗
27
- ║ Nexus - Autonomous Agent Orchestration ║
28
- ║ v0.8.10 ║
29
- ╚════════════════════════════════════════════════════════════╝
32
+ ## Models
30
33
 
31
- 📝 Task: Build a REST API for user authentication
34
+ Two wire protocols cover everything. Pick a provider during setup (or `bwn init`):
32
35
 
33
- Press Enter to use PLAN or choose a mode:
34
- [1] PLAN design & break down steps
35
- [2] BUILD execute with live streaming
36
- [3] BRAINSTORM free-form explore & Q&A
37
- ```
36
+ | Provider | Kind | Key |
37
+ |----------|------|-----|
38
+ | Anthropic (Claude) | remote | `ANTHROPIC_API_KEY` |
39
+ | OpenAI | remote | `OPENAI_API_KEY` |
40
+ | OpenRouter | remote | `OPENROUTER_API_KEY` |
41
+ | Groq | remote | `GROQ_API_KEY` |
42
+ | Hugging Face | remote | `HF_TOKEN` |
43
+ | Ollama | local | — |
44
+ | llama.cpp server | local | — |
45
+ | LM Studio | local | — |
38
46
 
39
- ## Commands
40
-
41
- ### Core (Python backend required)
42
-
43
- | Command | Description |
44
- |---------|-------------|
45
- | `buildwithnexus` | Launch interactive shell (PLAN/BUILD/BRAINSTORM) |
46
- | `buildwithnexus da-init` | Set up API keys in `~/.buildwithnexus/.env.keys` |
47
- | `buildwithnexus run <task>` | Run a task directly via the backend |
48
- | `buildwithnexus brainstorm [idea]` | Brainstorm an idea with the NEXUS CPO |
49
- | `buildwithnexus server` | Start the NEXUS Python backend server |
50
- | `buildwithnexus da-status` | Check backend connectivity |
51
- | `buildwithnexus doctor` | Run diagnostics (backend health + environment) |
52
- | `buildwithnexus logs [-f]` | View server logs (stream with `-f`) |
53
- | `buildwithnexus keys list` | List configured API keys |
54
- | `buildwithnexus keys set <KEY_NAME>` | Set an API key |
55
-
56
- ### Docker infrastructure (requires Docker + full NEXUS setup)
57
-
58
- | Command | Description |
59
- |---------|-------------|
60
- | `buildwithnexus 99 [instruction]` | AI pair-programming via full NEXUS engine |
61
- | `buildwithnexus start` | Start full NEXUS Docker services |
62
- | `buildwithnexus stop` | Stop NEXUS Docker services |
63
- | `buildwithnexus status [--json]` | Show Docker container health |
64
- | `buildwithnexus dashboard` | Open the NEXUS dashboard at `localhost:4200/dashboard` |
65
- | `buildwithnexus update` | Update to the latest version |
66
- | `buildwithnexus destroy [--force]` | Remove NEXUS and all data |
67
- | `buildwithnexus ssh` | Open SSH session into the sandbox |
68
-
69
- ## Architecture
47
+ Env vars override the stored key, so CI and one-offs Just Work. Keys live in
48
+ `~/.buildwithnexus/.env.keys` (0600).
70
49
 
71
- ```
72
- buildwithnexus CLI (TypeScript/Node.js)
73
-
74
- │ SSE streaming
75
-
76
- NEXUS Backend (Python FastAPI, port 4200)
77
-
78
-
79
- LangGraph Runtime → 56-agent organization
80
- • CPO (Opus) — brainstorm + strategy
81
- • VP Engineering → 19 eng agents
82
- • Product Management → 2 agents
83
- • QA Team → 7 agents
84
- • Security Team → 3 agents
85
- • ML & Data → 6 agents
86
- • Salesforce → 10 agents
87
- • Documentation → 2 agents
88
- • Consultant → 1 agent
89
- ```
90
-
91
- ## Requirements
50
+ ## Modes
92
51
 
93
- - **Node.js** >= 18
94
- - **Anthropic API key** (`sk-ant-...`) from [console.anthropic.com](https://console.anthropic.com)
95
- - NEXUS backend running on `localhost:4200` (for PLAN/BUILD/BRAINSTORM modes)
52
+ - **PLAN** decompose the task into steps you approve or edit, then execute.
53
+ - **BUILD** the agentic ReAct loop: read/edit files, run commands, iterate.
54
+ - **BRAINSTORM** free-form chat, no tools.
96
55
 
97
- Optional:
98
- - OpenAI API key (o3 reasoning support)
99
- - Google API key (Gemini multimodal support)
56
+ ```bash
57
+ buildwithnexus # full-screen interactive session
58
+ buildwithnexus run <task> # execute a task (agentic, headless)
59
+ buildwithnexus plan <task> # decompose, approve, then execute
60
+ buildwithnexus brainstorm <q> # free-form chat
61
+ buildwithnexus init # (re)configure provider / model / key
62
+ buildwithnexus providers # list built-in providers
63
+ buildwithnexus doctor # diagnose setup (keys, tools, connectivity)
64
+ ```
100
65
 
101
- ## Environment Variables
66
+ Inside the interactive session:
102
67
 
103
- | Variable | Default | Description |
104
- |----------|---------|-------------|
105
- | `ANTHROPIC_API_KEY` | | Overrides stored key |
106
- | `OPENAI_API_KEY` | | Overrides stored key |
107
- | `GOOGLE_API_KEY` | — | Overrides stored key |
108
- | `BACKEND_URL` | `http://localhost:4200` | NEXUS backend address |
109
- | `NEXUS_BACKEND_DIR` | `~/Projects/nexus` | Path to NEXUS backend for auto-start |
68
+ ```
69
+ /model [name] hot-swap the AI model mid-session
70
+ /compact compress context (free up token budget)
71
+ /review AI code review of current git diff
72
+ /commit AI-drafted conventional commit message
73
+ /pr AI-drafted pull request title + description
74
+ /schedule <delay> <task> run a task once in the background (5s, 2m, 1h)
75
+ /loop <interval> <task> run a task repeatedly in the background
76
+ /workflows list and manage background workflows
77
+ /btw <context> inject context into the next agent turn
78
+ /config configure hooks, memory, and commands via AI
79
+ /memory view and edit session memory
80
+ /skills list skills and custom commands
81
+ ```
110
82
 
111
- ## Security
83
+ ## Permissions
84
+
85
+ Every mutating tool (`write_file`, `edit_file`, `run_command`) passes a gate:
86
+ `ask` (default), `auto` (yolo), or `readonly`. Set it during setup.
87
+
88
+ ## Hooks
89
+
90
+ Run your own commands at the same lifecycle points as Claude Code, configured in
91
+ `~/.buildwithnexus/settings.json` (user) and/or `.buildwithnexus/settings.json`
92
+ (project). User hooks are always active; **project hooks run only after you trust
93
+ that folder** (you're prompted once, and a project hook may *deny* a tool but
94
+ never *grant* one — so cloning a hostile repo can't run or unlock anything).
95
+ Events: `SessionStart`, `UserPromptSubmit`, `PreToolUse`, `PostToolUse`, `Stop`,
96
+ `SessionEnd`. Each hook command receives the event as JSON on stdin.
97
+
98
+ `PreToolUse` can gate a tool: exit code **2** (or a JSON
99
+ `permissionDecision: "deny"`) blocks it — even under `auto`. `"allow"` skips the
100
+ prompt; otherwise the normal gate applies. Matchers are `*`, an exact tool name,
101
+ or a `|`-separated list. See [`examples/settings.json`](./examples/settings.json).
102
+
103
+ ```json
104
+ {
105
+ "hooks": {
106
+ "PreToolUse": [
107
+ { "matcher": "run_command",
108
+ "hooks": [{ "type": "command", "command": "echo 'no shell on main' >&2; exit 2" }] }
109
+ ]
110
+ }
111
+ }
112
+ ```
112
113
 
113
- - API keys stored in `~/.buildwithnexus/.env.keys` with `0600` permissions
114
- - HMAC-SHA256 tamper detection on `.env.keys`
115
- - Input sanitization and output redaction via DLP layer
116
- - Backend URL validation before transmitting API keys
117
- - Audit trail at `~/.buildwithnexus/audit.log`
114
+ ## Build from source
118
115
 
119
- ## Links
116
+ ```bash
117
+ cargo build --release --manifest-path harness/Cargo.toml # → harness/target/release/buildwithnexus
118
+ bash scripts/vendor.sh # vendor deps for offline / reproducible builds
119
+ ```
120
120
 
121
- - **npm:** [npmjs.com/package/buildwithnexus](https://www.npmjs.com/package/buildwithnexus)
122
- - **Docs:** [buildwithnexus.dev](https://buildwithnexus.dev)
123
- - **GitHub:** [github.com/Garretts-Apps/buildwithnexus](https://github.com/Garretts-Apps/buildwithnexus)
121
+ The npm package is a thin wrapper: `postinstall` downloads the prebuilt binary
122
+ for your platform from the GitHub Release and **verifies its SHA-256** before
123
+ use, falling back to a `cargo` build (using vendored deps when present). Releases
124
+ also carry build-provenance attestations (`gh attestation verify`).
125
+
126
+ ## Safety
127
+
128
+ - Default permission is **ask** — every file write, edit, and command is
129
+ confirmed. `auto` ("yolo") and `readonly` are opt-in.
130
+ - File tools are confined to the working directory; reads outside it, and of
131
+ sensitive paths (the key store, `~/.ssh`, `.env`, `*.pem`), require
132
+ confirmation even in `auto`. Catastrophic commands (`rm -rf /`, `mkfs`, …) too.
133
+ - API keys are never sent to a non-HTTPS endpoint, and key-like tokens are
134
+ redacted from surfaced errors.
135
+ - In non-interactive / `--json` runs, anything that would prompt is denied
136
+ rather than blocking.
124
137
 
125
138
  ## License
126
139
 
package/SECURITY.md ADDED
@@ -0,0 +1,85 @@
1
+ # Security Policy
2
+
3
+ ## Supported Versions
4
+
5
+ `buildwithnexus` is published to npm under semantic versioning. Only the latest
6
+ released minor line receives security fixes.
7
+
8
+ | Version | Supported |
9
+ |------------|--------------------|
10
+ | 0.8.x | :white_check_mark: |
11
+ | < 0.8 | :x: |
12
+
13
+ ## Reporting a Vulnerability
14
+
15
+ **Do not open a public GitHub issue for security problems.**
16
+
17
+ Report vulnerabilities privately via GitHub's coordinated-disclosure flow:
18
+
19
+ https://github.com/Garretts-Apps/buildwithnexus/security/advisories/new
20
+
21
+ Or by email to `security@buildwithnexus.dev`.
22
+
23
+ We aim to acknowledge new reports within **3 business days** and to ship a fix
24
+ or mitigation within **30 days** of acknowledgement, depending on severity. We
25
+ will credit reporters in the advisory unless they ask to remain anonymous.
26
+
27
+ ## Scope
28
+
29
+ In scope:
30
+
31
+ - The `buildwithnexus` npm package (CLI, bundled NEXUS source tarball,
32
+ installer scripts).
33
+ - The publish pipeline in `.github/workflows/publish.yml`.
34
+ - The bundled NEXUS Python source (`dist/nexus-release.tar.gz`).
35
+ - Any release artifacts attached to GitHub Releases (SBOM, checksums).
36
+
37
+ Out of scope:
38
+
39
+ - Vulnerabilities in upstream dependencies — please report those upstream first;
40
+ if exploitable through `buildwithnexus`, also notify us.
41
+ - Self-XSS or social-engineering against your own developer machine.
42
+ - Issues that require an attacker to already control your CI secrets, npm
43
+ account, or developer machine.
44
+
45
+ ## Verifying a Release
46
+
47
+ Every release on npm from `v0.9.0` onward ships with **npm provenance** — a
48
+ SLSA-Build-L3-style attestation cryptographically tying the tarball back to the
49
+ specific GitHub Actions workflow run that built it.
50
+
51
+ To verify:
52
+
53
+ ```sh
54
+ npm view buildwithnexus@<version> --json | jq .dist.attestations
55
+ ```
56
+
57
+ Or interactively in the terminal:
58
+
59
+ ```sh
60
+ npx -y npm-audit-resolver buildwithnexus
61
+ ```
62
+
63
+ The publish workflow also attaches a CycloneDX SBOM (`sbom.cdx.json`) and a
64
+ `SHA256SUMS.txt` to each GitHub Release. You can reproduce the tarball locally
65
+ by checking out the corresponding tag and running:
66
+
67
+ ```sh
68
+ git clone --branch v<version> https://github.com/Garretts-Apps/buildwithnexus
69
+ cd buildwithnexus
70
+ NEXUS_SRC=/path/to/nexus npm run build && npm run bundle
71
+ sha256sum dist/nexus-release.tar.gz
72
+ ```
73
+
74
+ ## Hardening Inside the Package
75
+
76
+ - `prepublishOnly` refuses to publish unless `NEXUS_SRC` is explicitly set to a
77
+ valid nexus checkout. No silent fall-through to a stale `/tmp/` copy.
78
+ - `postinstall` was removed. `npm install buildwithnexus` no longer executes
79
+ any project-defined lifecycle script on the user's machine.
80
+ - All GitHub Actions in our workflows are pinned to specific minor versions
81
+ (Dependabot proposes SHA-pinned bumps weekly).
82
+ - The publish workflow runs with the minimum permissions required, plus
83
+ `id-token: write` only for OIDC provenance signing.
84
+ - `npm ci --ignore-scripts` is used in CI to neutralise transitive postinstall
85
+ scripts during builds and audits.
@@ -0,0 +1,23 @@
1
+ #!/usr/bin/env node
2
+ 'use strict';
3
+ // Thin launcher: hand off to the native Rust binary with stdio inherited so the
4
+ // alternate-screen TUI works exactly as if it were invoked directly.
5
+ const { spawnSync } = require('child_process');
6
+ const { existing } = require('../scripts/resolve-binary.js');
7
+
8
+ const bin = existing();
9
+ if (!bin) {
10
+ process.stderr.write(
11
+ 'buildwithnexus: native binary not found.\n' +
12
+ ' Reinstall the package, or build it locally with Rust (https://rustup.rs):\n' +
13
+ ' npm explore buildwithnexus -- npm run build\n'
14
+ );
15
+ process.exit(1);
16
+ }
17
+
18
+ const result = spawnSync(bin, process.argv.slice(2), { stdio: 'inherit' });
19
+ if (result.error) {
20
+ process.stderr.write(`buildwithnexus: ${result.error.message}\n`);
21
+ process.exit(1);
22
+ }
23
+ process.exit(result.status === null ? 1 : result.status);