Security

Zero-Config AI handles API keys, OAuth tokens, and model inference with security as a core constraint. Keys are never stored in plaintext. Local inference keeps sensitive data on your machine.

Key Encryption

Every Gemini API key is encrypted before storage using AES-256-GCM. The encryption flow:

On first nself doctor --ai, a 256-bit Data Encryption Key (DEK) is generated.
The DEK is stored in ~/.nself/ai/dek.key with 600 permissions (owner-only).
Each API key is encrypted with the DEK before being written to PostgreSQL.
Keys are decrypted in-memory only when needed for an API call.
Decrypted keys are never logged, never written to disk, never sent to any external service.

OAuth Flow

When connecting a Google account:

OAuth uses the minimum required scopes: cloud-platform.read-only for project listing and service.management for API enablement.
The OAuth token is used only during provisioning (project creation, API enablement, key generation) and is discarded after.
The generated API key is restricted to the Gemini API only. No access to other GCP services.
ɳSelf never stores the OAuth refresh token. Re-provisioning requires a new OAuth flow.

DEK Backup and Recovery

# Export DEK for offline backup (age-encrypted)
nself license dek export --output ~/dek-backup.age

# Import DEK during disaster recovery
nself license dek import --input ~/dek-backup.age

The export uses age encryption with a passphrase you provide. Store this backup securely. Without the DEK, encrypted API keys in the database are unrecoverable.

Audit Trail

Every security-relevant operation is logged to np_ai_pool_audit:

Account added/removed
Key rotated
Key decryption events (which service, when)
OAuth flow start/complete/fail
Rate limit hits and daily resets

nself ai pool audit --last 100

Local Model Security

Ollama binds to 127.0.0.1:11434 only. Not accessible from the network.
The ɳSelf firewall setup (ufw on Linux) blocks external access to the Ollama port.
Model files are stored in Ollama's standard directory with standard filesystem permissions.
No inference data is sent anywhere. Everything stays on your machine.

Network Architecture

The AI plugin communicates only with:

127.0.0.1:11434 (Ollama, local only)
generativelanguage.googleapis.com (Gemini API, encrypted keys)
api.openai.com (if configured, user-provided key)
api.anthropic.com (if configured, user-provided key)

No telemetry, no phone-home, no third-party analytics. The AI plugin is fully self-contained.

Key Encryption

Every Gemini API key is encrypted before storage using AES-256-GCM. The encryption flow:

On first nself doctor --ai, a 256-bit Data Encryption Key (DEK) is generated.

The DEK is stored in ~/.nself/ai/dek.key with 600 permissions (owner-only).

Each API key is encrypted with the DEK before being written to PostgreSQL.

Keys are decrypted in-memory only when needed for an API call.

Decrypted keys are never logged, never written to disk, never sent to any external service.

OAuth Flow

When connecting a Google account:

OAuth uses the minimum required scopes: cloud-platform.read-only for project listing and service.management for API enablement.

The OAuth token is used only during provisioning (project creation, API enablement, key generation) and is discarded after.

The generated API key is restricted to the Gemini API only. No access to other GCP services.

ɳSelf never stores the OAuth refresh token. Re-provisioning requires a new OAuth flow.

DEK Backup and Recovery

# Export DEK for offline backup (age-encrypted) nself license dek export --output ~/dek-backup.age # Import DEK during disaster recovery nself license dek import --input ~/dek-backup.age

The export uses age encryption with a passphrase you provide. Store this backup securely. Without the DEK, encrypted API keys in the database are unrecoverable.

Local Model Security

Ollama binds to 127.0.0.1:11434 only. Not accessible from the network.

The ɳSelf firewall setup (ufw on Linux) blocks external access to the Ollama port.

Model files are stored in Ollama's standard directory with standard filesystem permissions.

No inference data is sent anywhere. Everything stays on your machine.

Network Architecture

The AI plugin communicates only with:

127.0.0.1:11434 (Ollama, local only)

generativelanguage.googleapis.com (Gemini API, encrypted keys)

api.openai.com (if configured, user-provided key)

api.anthropic.com (if configured, user-provided key)

No telemetry, no phone-home, no third-party analytics. The AI plugin is fully self-contained.