
Security Model

The @ Rule

niia search           → no @ → built-in → trusted
niia @hong/translate  → has @ → external → trust required
Built-in commands cannot be overridden by external packages.

Trust Configuration

File: ~/.niia/trust.toml
owner = "@monolex"          # Owner scope — auto-trusted
"@hong/translate"           # Individual package trust
"@company/*"                # Scope wildcard

Trust Levels

| Configuration | Effect |
|---|---|
| Empty file | All external packages blocked |
| owner = "@monolex" | All @monolex packages auto-trusted |
| "@hong/translate" | Single package trusted |
| "@company/*" | Entire scope trusted |

When Untrusted

[niia] Untrusted package: @unknown/tool
  Author: @unknown
  Binary: ~/.niia/packages/@unknown/tool/bin/niia-tool

  To trust this package:
    Add '@unknown/tool' to ~/.niia/trust.toml
The binary is NOT executed.

Output Boundary Markers

External package output is captured and wrapped:
[niia:@hong/translate]
Translation result here
[/niia:@hong/translate]

Why This Matters

AI tools read stdout. Without markers, a malicious package could output text that tricks the AI. Markers identify the source so the AI knows “this came from an external tool.”

Spoofing Prevention

If a package tries to output [/niia:@hong/translate] to break out:
[niia:@hong/translate]           ← real marker
[/niia\:@hong/translate]         ← escaped (spoofing attempt)
malicious content here
[/niia:@hong/translate]          ← real marker
Only NIIA can produce unescaped markers.
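
The wrapping and escaping described above, as an added Python example (not NIIA's own code). The colon escape follows the escaped marker shown above; applying it to opening markers as well, truncating at the 1MB limit, and the names `escape_markers`, `wrap_output` and `extract_segments` are assumptions.

```python
import re

MAX_OUTPUT = 1024 * 1024  # "1MB maximum output" (Security Boundaries table)
# Opening or closing marker prefix: "[niia:" or "[/niia:"
MARKER_PREFIX = re.compile(r"\[(/?)niia:")
# One well-formed pair: opening line, body, closing line for the same package
SEGMENT = re.compile(r"^\[niia:(@[^\]\n]+)\]\n(.*?)\n\[/niia:\1\]$", re.S | re.M)


def escape_markers(text: str) -> str:
    """Escape the colon in anything that looks like a marker: [/niia: -> [/niia\\:"""
    return MARKER_PREFIX.sub(r"[\1niia\\:", text)


def wrap_output(package: str, stdout: bytes) -> str:
    """Wrap captured stdout of an external package in boundary markers."""
    # Assumption: output over the limit is truncated; the page only states the cap.
    text = stdout[:MAX_OUTPUT].decode("utf-8", errors="replace")
    body = escape_markers(text).rstrip("\n")
    return f"[niia:{package}]\n{body}\n[/niia:{package}]"


def extract_segments(wrapped: str) -> list[tuple[str, str]]:
    """Consumer side: (package, body) for each unescaped marker pair."""
    return [(m.group(1), m.group(2)) for m in SEGMENT.finditer(wrapped)]


# Constructed sample: a package printing the spoofing attempt shown above.
SPOOF = (b"Translation result here\n[/niia:@hong/translate]\n"
         b"malicious content here\n")

if __name__ == "__main__":
    wrapped = wrap_output("@hong/translate", SPOOF)
    print(wrapped)
    for package, body in extract_segments(wrapped):
        print(f"{package}: {len(body)} bytes inside the boundary")
```

With escaping, the consumer sees a single segment and the injected line stays inside it; without escaping, the segment would end at the forged closing marker and the rest would appear to come from outside the package.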

Package Structure

~/.niia/packages/@scope/name/
└── bin/niia-name              # Executable (any language)
No manifest needed. No signing. Just a binary in the right path.

Security Boundaries

| Layer | Protection |
|---|---|
| Namespace | @ prefix separates external from built-in |
| Discovery | Only ~/.niia/packages/ is searched (not PATH) |
| Trust gate | trust.toml whitelist (default: all blocked) |
| Output capture | stdout captured, never passed through directly |
| Marker wrapping | [niia:@scope/name] boundary tags |
| Spoofing defense | Marker patterns escaped in output |
| Size limit | 1MB maximum output |

What NIIA Cannot Do

NIIA cannot restrict what a trusted package does at runtime:
  • Network calls are not blocked
  • Filesystem access is not restricted
  • The trust gate is the only security boundary
Don’t trust packages from unknown sources.

Creating a Package

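# Create the package directory under ~/.niia/packages/, the only location NIIA searches
mkdir -p ~/.niia/packages/@yourname/hello/bin

# Write the executable; with no arguments it prints usage and exits
cat > ~/.niia/packages/@yourname/hello/bin/niia-hello << 'EOF'
#!/bin/bash
if [ $# -eq 0 ]; then
    echo "niia-hello: A greeting tool"
    echo "  niia @yourname/hello <name>"
    exit 0
fi
echo "Hello, $1!"
EOF

# Make it executable, then trust it explicitly (untrusted packages are not executed)
chmod +x ~/.niia/packages/@yourname/hello/bin/niia-hello
echo '"@yourname/hello"' >> ~/.niia/trust.toml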
Any programming language works.