Security & Privacy

Your code stays
where it belongs.

BYOK from day one. The source never leaves your machine. Everything else is encrypted, account-isolated, and audited at the database level.

0 telemetry · BYOK · Local-first
Privacy for developers

What we do not see

Four guarantees that protect the individual dev workflow.

Bring Your Own Key

Your Anthropic, Gemini and OpenAI accounts, your tokens. Nest never sees or stores them.

Your code does not travel

AI queries go straight from your machine to the provider. We do not proxy, log or snapshot source code.

Voice runs locally

Whisper transcribes on your machine. No audio is uploaded anywhere.

Local-first storage

Conversations, snippets and history live on your disk. Team-shared items are explicit and visible.

Account & team isolation

How we keep accounts and teams apart

Five hardening details that hold under enterprise scrutiny.

01

OAuth tokens never hit disk. GitHub and GitLab tokens stay in memory. HTTPS clones do not write tokens to .git/config.

02

Plan enforcement at the database. Postgres RLS plus triggers. The UI nudges; the database guarantees that one team cannot read another team's data.

03

Server-side secrets only. Stripe, OAuth client secrets and webhook handlers all live in Supabase Edge Functions. The client only knows publishable keys.

04

Per-account home directory. Each Nest account has its own RAVEN_HOME. Worktrees from one account on the same machine cannot see another's.

05

Terminal Sharing requires host approval. The guest cannot send a single keystroke until the host explicitly approves the session.
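An illustration of item 02 above, added here and not Nest's own schema or policies: a membership-gated RLS policy on a hypothetical team_items table, paired with a trigger that pins owner_id to the caller and refuses to move a row between teams. It assumes Supabase's auth.uid() helper and constructed table names.

```sql
-- Constructed example: hypothetical tables, not Nest's real schema.
create table team_members (
  team_id uuid not null,
  user_id uuid not null,
  primary key (team_id, user_id)
);

create table team_items (
  id       uuid primary key default gen_random_uuid(),
  team_id  uuid not null,
  owner_id uuid not null,
  body     text not null
);

-- 1. RLS. Once enabled, a row is invisible unless some policy grants it,
--    whatever the client asks for. FORCE makes the policies bind the
--    table owner as well, not only ordinary roles.
alter table team_items enable row level security;
alter table team_items force row level security;

-- One membership test gates every command. auth.uid() is Supabase's
-- helper that reads the caller's user id from the request JWT.
create policy team_items_member_only on team_items
  for all
  using (exists (select 1 from team_members m
                 where m.team_id = team_items.team_id
                   and m.user_id = auth.uid()))
  with check (exists (select 1 from team_members m
                      where m.team_id = team_items.team_id
                        and m.user_id = auth.uid()));

-- 2. Trigger. RLS decides which rows are reachable; the trigger fixes
--    what a reachable write may contain: owner_id is always the caller,
--    and team_id cannot be edited to relabel a row into another team.
create or replace function team_items_guard() returns trigger
language plpgsql as $$
begin
  if tg_op = 'INSERT' then
    new.owner_id := auth.uid();
  elsif new.team_id is distinct from old.team_id then
    raise exception 'team_id is immutable';
  end if;
  return new;
end $$;

create trigger team_items_guard
  before insert or update on team_items
  for each row execute function team_items_guard();
```

A useful check is to connect as a user who belongs to team A only and confirm that `select count(*) from team_items` returns zero rows for team B rather than an error, since RLS filters silently.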

Responsible disclosure

Found a vulnerability? Tell us.

Human reply within 72 hours, free Pro or Team plan as a thank-you, public credit if you want it.

How fast

Acknowledgment within 72 hours, then periodic updates while we investigate.

What you get

Public credit in SECURITY-CONTRIBUTORS.md plus 12 months of Pro (any verified vuln) or Team (RCE, auth bypass, multi-user data leak).

Roadmap & honesty

What we do not have yet

Certifications we will add as they land. We would rather say not yet than pretend.

SOC2

Not yet initiated. On the roadmap; our CISO is leading the assessment.

SAML / Enterprise SSO

Today only OAuth via GitHub and GitLab. Enterprise SSO is on the roadmap.

Admin audit logs

We have internal database logs, not yet surfaced to team admins in the UI.

Your AI workspace is waiting

Stop juggling tabs.
Start shipping.

Free during launch. No credit card. Works with the tools you already have, and the ones you didn't know you needed.

v1.2.5 stable
Local-first · No telemetry
macOS 13+ · Windows 10+ · Linux