Telegram Security

The Telegram bridge is designed with security as a priority. All communication is end-to-end encrypted, and you have full control over what the agent can do remotely.

End-to-End Encryption

  • Key exchange: X25519 (Curve25519) during the pairing process
  • Message encryption: AES-256-GCM with keys derived from the X25519 shared secret
  • Relay server: Sees only ciphertext — cannot read your messages or commands
  • Forward secrecy: Each pairing session generates new encryption keys

Session Tokens

  • Each pairing generates a unique session token
  • Session tokens are stored as SHA-256 hashes in the database
  • Tokens expire after 24 hours — you must re-pair after expiration
  • Only one active Telegram session per user at a time
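
The storage rules in the list above, as an added sketch that is not NexusCore's own code. The in-memory `SessionStore` class, the 32-byte token length and the constant-time comparison are assumptions made for illustration; plain SHA-256 is adequate here only because the token is high-entropy random data, not a password.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL_SECONDS = 24 * 60 * 60  # page: tokens expire after 24 hours

class SessionStore:
    """Hypothetical in-memory stand-in for the sessions table."""

    def __init__(self):
        # user_id -> (SHA-256 hex digest of the token, expiry timestamp)
        self._rows = {}

    def pair(self, user_id, now):
        """Issue a fresh token; overwrites any earlier session for the user."""
        token = secrets.token_urlsafe(32)  # assumed length: 256 random bits
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._rows[user_id] = (digest, now + TOKEN_TTL_SECONDS)
        return token  # handed to the client once, never stored in clear

    def verify(self, user_id, token, now):
        row = self._rows.get(user_id)
        if row is None:
            return False
        digest, expires_at = row
        if now >= expires_at:
            del self._rows[user_id]  # expired: the user must re-pair
            return False
        candidate = hashlib.sha256(token.encode()).hexdigest()
        return hmac.compare_digest(candidate, digest)

    def revoke(self, user_id):
        return self._rows.pop(user_id, None) is not None

    def stored_values(self):
        # What a dump of the table would expose: digests only.
        return [digest for digest, _ in self._rows.values()]

def demo():
    store = SessionStore()
    t0 = 1_700_000_000  # constructed timestamp
    first = store.pair("alice", t0)
    second = store.pair("alice", t0 + 60)  # re-pairing replaces the first session
    return {
        "first_still_valid": store.verify("alice", first, t0 + 120),
        "second_valid": store.verify("alice", second, t0 + 120),
        "token_in_db": second in store.stored_values(),
        "valid_after_24h": store.verify("alice", second, t0 + 60 + TOKEN_TTL_SECONDS),
    }
```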

Tool Policies

The same tool approval policies apply to Telegram commands:

  • Auto-approve tools run without confirmation
  • Ask tools require confirmation via Telegram inline buttons
  • Deny tools are blocked entirely

When the agent requests a tool that requires approval, you'll see inline buttons in Telegram:

NexusCore wants to run: terminal_run("npm test")
[✅ Allow] [❌ Deny]

Tool Allowlist

You can restrict which tools are available via Telegram. This is useful for limiting remote access to read-only operations:

From NexusIDE

  1. Open Settings → NexusCore → Telegram
  2. Configure the Tool Allowlist
  3. Only listed tools will be available via Telegram

From NexusCore CLI

```bash
nexus-cli telegram config --allow-tools file_read,file_list,text_search
```

Revoking Access

From NexusCore CLI

```bash
nexus-cli telegram revoke
```

From NexusIDE

Click Remote Access in the title bar and select Disconnect.

From the Portal

Go to nexus-suite.dev/accountSessions and revoke the Telegram session.

Offline Handling

When your machine goes offline (NexusIDE/CLI is closed or loses internet), the Telegram bot notifies you:

⚠️ Your NexusCore instance is offline. Commands will not be processed until it reconnects.

Commands sent while offline are not queued — you'll need to resend them after reconnecting.

Best Practices

  • Use the tool allowlist to limit remote access to read-only operations when you don't need full control
  • Revoke Telegram sessions when you're done using remote access
  • Don't share your pairing code with anyone
  • Re-pair regularly — sessions expire after 24 hours for security

Released under the MIT License.