Security & permissions
Nexus runs autonomous agents that touch real repos and clusters. Security is defense in depth across four layers.
Layers
| Layer | Enforces |
|---|---|
| Nexus Core | Whether an agent may be dispatched with a given tool/permission set; raises approvals for gated actions. |
| Runner | Refuses any action the run config didn't grant. |
| Kubernetes RBAC | The run's service account can only touch what its role allows. |
nexus-auth crate | Admin users, API keys, agent tokens, tool/project permissions. |
A permission must be granted at every layer for an action to succeed.
Identity & tokens
- Admin users — JWT (
jsonwebtoken), passwords hashed withargon2. - API keys — for machine clients.
- Agent tokens — short-lived tokens minted per run so a pod can report back to Core, scoped to that run only.
- Telegram allowlist — only known user IDs may issue commands.
Permission model
agent.can_create_branch · agent.can_commit · agent.can_open_pr · agent.can_merge
agent.can_delete_files · agent.can_use_kubectl · agent.can_apply_k8s
agent.can_write_memory · agent.can_create_plane_task
Approval gates
Agents declare actions that always need a human:
requires_human_approval_for:
- production_deploy
- dependency_upgrade
- database_migration
Gated attempts raise an approval request.
Kubernetes isolation
- Each run is an isolated Job in a dedicated agent namespace.
- Core's service account can create Jobs only there:
verbs: [create, get, list, watch, delete]
resources: [jobs, pods, pods/log]
- Agent pods get least-privilege service accounts (e.g. read-only kubectl only
if
can_use_kubectlis granted). - Secrets are mounted per-run, never baked into images.
Memory safety
Agents cannot write permanent shared memory unattended at first — proposals go to a review queue and a human approves them. See Memory.
Secrets
.envnever committed.- Production secrets from a secrets manager; LLM keys, Plane key, Telegram token, and JWT signing key rotated on a schedule.