Network boundary
nablr makes exactly one category of outbound network call: license validation to nablr-api.nablrco.workers.dev.
| Request | When | What’s sent |
|---|---|---|
| POST /validate | First prompt after 4-hour cache TTL | device_id (UUID), Authorization: Bearer <key> |
| GET /assets/manifest | On key activation | Authorization: Bearer <key> |
| GET /{type}/{path} | Asset pre-cache (activation only) | Authorization: Bearer <key> |
Firewall allowlist
If your environment blocks outbound traffic, allowlist:
Airgap proof
Run the included airgap verification script to confirm no unexpected outbound calls:
Offline / airgap operation
After activating a key, all paid assets are downloaded to ~/.nablr_cache/assets/. Subsequent prompt generation requires zero network calls.
Cache layout:
chmod 600 — readable only by the current user.
Key security
- Keys are sent only in the Authorization: Bearer header — never in request bodies or URLs
- Keys are stored at ~/.nablr_cache/license_key.json with chmod 600
- The last 4 characters are logged when NABLR_AUDIT_LOG=1 is set — full key is never logged
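To check observed traffic against the request table under Network boundary and the "never in URLs" rule under Key security, the following added example (not part of nablr and not its airgap script) audits egress log entries. The log format (one `<METHOD> <URL>` entry per line, as a TLS-inspecting proxy or local capture might record it), the sample entries and the function name are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

ALLOWED_HOST = "nablr-api.nablrco.workers.dev"  # host named on this page
# The three documented request shapes, as (method, path pattern).
ALLOWED_REQUESTS = [
    ("POST", re.compile(r"/validate")),
    ("GET", re.compile(r"/assets/manifest")),
    ("GET", re.compile(r"/[^/]+/.+")),  # GET /{type}/{path}
]

def audit(log_lines):
    """Return [(line, [reasons])] for entries outside the documented boundary."""
    findings = []
    for raw in log_lines:
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            findings.append((line, ["unparseable entry"]))
            continue
        method, url = parts[0].upper(), urlsplit(parts[1])
        reasons = []
        if url.hostname != ALLOWED_HOST:
            reasons.append(f"unexpected host {url.hostname}")
        elif not any(m == method and p.fullmatch(url.path)
                     for m, p in ALLOWED_REQUESTS):
            reasons.append(f"undocumented request {method} {url.path}")
        if url.query:
            # Keys belong only in the Authorization header, never in URLs.
            reasons.append("query string present")
        if reasons:
            findings.append((line, reasons))
    return findings

# Constructed entries in the assumed "<METHOD> <URL>" format; the asset
# type/path and the example.com host are made up for this example.
SAMPLE_LOG = [
    "POST https://nablr-api.nablrco.workers.dev/validate",
    "GET https://nablr-api.nablrco.workers.dev/assets/manifest",
    "GET https://nablr-api.nablrco.workers.dev/prompts/pack-a/intro.txt",
    "GET https://telemetry.example.com/collect",
    "POST https://nablr-api.nablrco.workers.dev/upload",
    "GET https://nablr-api.nablrco.workers.dev/validate?key=PLACEHOLDER",
]

if __name__ == "__main__":
    for line, reasons in audit(SAMPLE_LOG):
        print(f"{line}  <-- {'; '.join(reasons)}")
```

An empty result over a capture taken after activation is consistent with the offline claim; any finding is a line to investigate.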