Security

Credentials are scoped to the host that holds them. A device token (at ~/.nome/device_token, mode 0600) authorizes one paired machine as a runner — it is not your account password and carries no provider credentials. BYOK keys are stored encrypted. Provider seat sign-ins live in each provider CLI's own config on the machine where you signed in; NOME never reads, copies, stores, or relays them, and never opens ~/.claude/ or ~/.codex/.

NOME cloud does not store, copy, or relay provider subscription tokens. A provider seat runs only on the host where you signed in; the cloud-workspace seat is not implemented. This is a hard boundary, not a setting: NOME refuses to forward credential-shaped environment variables into a seat spawn, and observes auth state only through each provider CLI's own status command (exit codes / status fields), never credential material.

Receipts and logs never contain raw tokens. Output is scanned for secret-shaped lines — API keys, bearer tokens, private keys — and those lines are scrubbed before anything is recorded. Seat runs record route metadata only: auth_lane, a cost_lane such as provider-subscription, the CLI and version — never the token itself.

Each tool is classified by risk tier — read, write, or danger — using structural (AST-based) parsing of shell commands rather than string matching. A tool policy matrix defines, per tool, the maximum calls per run, approval thresholds, offline behavior, cost weight, and which roles may invoke it. File access runs through permission gateways where the most restrictive rule wins, so sensitive files (.env, keys, credentials) fail safe.

Dangerous actions are approval-gated. NOME pauses and surfaces an approval request — with the proposed action, tool tier, and reason — to the approval queue, which is visible across your devices as shared truth. Nothing risky runs until you approve. Routes also fail closed: if your chosen seat, key, or model can't run, NOME stops and reports the reason instead of silently switching routes.

Any paired host can be revoked from NOME under Settings → Computers & Coding Accounts, which invalidates that machine's device token immediately. Locally, nome pair unpair removes the pairing on the machine. BYOK keys can be rotated or removed in the keys surface, and provider seat sign-ins are managed in each provider CLI on the host.

Every run produces a complete audit trail: typed tool receipts (name, tier, redacted inputs, output summary, duration, success), approval records, and artifact references, all attached to a canonical work item. NOME keeps audit and compliance trails separate from product telemetry. The receipt chain is designed for review — you can see exactly what ran, where, under which route, and with what approvals.