Security Model

Nestor is designed with a security-first architecture. Every layer, from the Rust core to the Docker sandbox, is built to prevent AI agents from causing harm.

Security Layers

Nestor applies defense in depth with multiple security layers:

Rust Security Core — Low-level protection via N-API bindings
Docker Sandbox — Process isolation with minimal capabilities
Guardrails — Configurable rules for tool access and approvals
Trust Scoring — Behavioral monitoring and grading
Cost Budgets — Hard limits on spending per session/day
Secret Redaction — Automatic detection and masking of sensitive data

Rust Security Core

The nestor-core crate is compiled to a native Node.js addon via N-API. It provides security primitives that are impossible to bypass from JavaScript:

SSRF Protection

All outgoing HTTP requests are validated against SSRF attacks:

DNS pinning to prevent rebinding attacks
Blocking of private IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
Blocking of link-local and metadata endpoints (169.254.169.254)
Protocol allowlisting (only http/https)

Path Traversal Prevention

File operations are validated to prevent escaping the working directory:

Canonical path resolution before any file I/O
Blocking of .. traversal sequences
Symlink resolution and validation
Configurable allowlist/blocklist for file patterns

Approval System

Sensitive operations require cryptographic approval tokens that cannot be forged by the agent.

Docker Sandbox

When Docker is available, agent commands run inside an isolated container:

# Docker sandbox configuration
sandbox:
  enabled: true
  image: nestor-sandbox:latest
  capabilities:
    drop: [ALL]           # drop all Linux capabilities
  filesystem:
    read_only: true       # read-only root filesystem
    tmpfs: /tmp           # writable temp directory
    bind_mounts:
      - src: ./src
        dst: /workspace/src
        read_only: false  # agent can write to src/
  network: none           # no network access by default
  memory_limit: 512m
  cpu_limit: 1.0
  timeout: 300            # kill after 5 minutes

Important: The Docker sandbox is optional but strongly recommended for production use. Without it, agents execute commands directly on the host system with guardrails as the only protection.

Sandbox Modes

Mode	Network	Filesystem	Use Case
`strict`	None	Read-only	Untrusted agents, security review
`standard`	None	Working dir writable	Code editing, file manipulation
`relaxed`	Allowed	Working dir writable	Web search, API calls

Guardrails

Guardrails are configurable rules that constrain agent behavior:

Tool-Level Guardrails

guardrails:
  # Require human approval for these tools
  require_approval:
    - file_write
    - shell_exec

  # Block specific shell commands
  blocked_commands:
    - rm -rf
    - sudo
    - curl | sh
    - chmod 777

  # Restrict file write patterns
  file_restrictions:
    blocked_paths:
      - .env
      - .nestor/config.yaml
      - node_modules/
    blocked_extensions:
      - .exe
      - .sh

Behavioral Guardrails

guardrails:
  # Limit the agent loop
  max_iterations: 25
  max_tokens_per_turn: 8192

  # Dry-run mode: preview all actions
  dry_run: false

  # Auto-approve safe operations
  auto_approve:
    - file_read
    - web_search

Trust Score System

The trust score is a composite metric (0-100, grade A-F) computed from an agent's execution history:

Score Components

Component	Weight	What It Measures
Accuracy	35%	Correctness of outputs and tool usage
Safety	30%	Guardrail compliance, no blocked actions attempted
Efficiency	20%	Token usage relative to task complexity
Reliability	15%	Consistency across similar tasks

Trust-Based Permissions

Agents can be granted or restricted permissions based on their trust score:

# Higher trust = more autonomy
trust_policies:
  A:
    auto_approve: [file_write, shell_exec]
    max_budget: 50.00
  B:
    auto_approve: [file_write]
    require_approval: [shell_exec]
    max_budget: 20.00
  C:
    require_approval: [file_write, shell_exec]
    max_budget: 5.00
  D:
    dry_run: true
    max_budget: 1.00

Secret Redaction

Nestor automatically detects and redacts secrets from agent outputs and logs. The Rust core includes 30+ patterns for:

API keys (AWS, GCP, Azure, Anthropic, OpenAI, Stripe, etc.)
OAuth tokens and JWT tokens
Database connection strings
SSH private keys
Passwords in URLs
Credit card numbers
Custom patterns via regex configuration

# Custom redaction patterns
security:
  redaction:
    enabled: true
    custom_patterns:
      - name: internal_api_key
        pattern: "MYAPP-[A-Za-z0-9]{32}"
      - name: internal_token
        pattern: "tok_[a-f0-9]{40}"

Network Security

The server component includes multiple network security layers:

Rate limiting — Configurable per-endpoint rate limits
CORS — Strict origin validation
Security headers — CSP, HSTS, X-Frame-Options, etc.
Authentication — Token-based auth for the Studio API
Input validation — Schema validation on all API inputs

Security Best Practices

Always use the Docker sandbox in production environments
Set cost budgets to prevent runaway spending
Require approval for file_write and shell_exec on new agents
Monitor trust scores and restrict low-trust agents
Use dry-run mode when testing new skills or workflows
Review agent outputs before deploying to production
Keep Nestor updated to get the latest security patches
Configure custom redaction patterns for your organization's secrets

Security Notice: AI agents can behave unpredictably. Never grant an agent access to production systems, financial accounts, or sensitive data without thorough testing and appropriate guardrails. Always apply the principle of least privilege.