Security
The Hallaxius CLI is built with security as a priority. Your credentials are protected, your files are verified, and updates are trusted.
Security Features
- DPAPI Encryption — Your API key is encrypted with Windows Data Protection API (DPAPI) before being saved to disk. Only your Windows user account can decrypt it — no other user or process can access your key.
- SHA-256 File Hashing — Every file is hashed with SHA-256 before upload. This ensures file integrity during transfer and provides verifiable proof that the uploaded file matches the original.
- MIME Type Validation — When uploading from a URL, the downloaded file is validated against a blocklist of dangerous MIME types (executables, installers, scripts, etc.) to prevent accidental upload of malicious content.
- Verified Updates — Auto-updates are verified with SHA-256 hash comparison before installation. Previous versions are backed up to %APPDATA%\HallaxiusCli\backup for rollback if needed.
- NO_COLOR Support — The CLI respects the NO_COLOR environment variable for non-interactive and accessibility-friendly environments, ensuring output is clean and readable.
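
The Verified Updates flow described above (hash check before installation, previous version kept for rollback), sketched as an added example that is not Hallaxius's own code. The function names, the `.new`, `.bak` and `.rollback` suffixes and the sample files are assumptions made for illustration:

```python
import hashlib
import hmac
import os
import shutil
import tempfile
from pathlib import Path

# Added illustration: names and file suffixes are assumptions, not the CLI's code.
def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def install_verified_update(candidate, expected_sha256, installed, backup_dir):
    """Swap in `candidate` only on a digest match; return the backup path."""
    installed = Path(installed)
    staged = installed.with_name(installed.name + ".new")
    shutil.copyfile(candidate, staged)   # stage first, then hash the staged bytes,
    actual = sha256_file(staged)         # so the file verified is the file installed
    if not hmac.compare_digest(actual, expected_sha256.strip().lower()):
        staged.unlink()                  # mismatch: installed version stays untouched
        raise ValueError(f"SHA-256 mismatch, refusing to install (got {actual})")
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    backup = backup_dir / (installed.name + ".bak")
    shutil.copy2(installed, backup)      # previous version kept for rollback
    os.replace(staged, installed)        # atomic swap on the same volume
    return backup

def rollback(installed, backup):
    """Restore the previous version from its backup copy."""
    staged = Path(str(installed) + ".rollback")
    shutil.copyfile(backup, staged)
    os.replace(staged, installed)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample data below
        root = Path(tmp)
        cli, dl = root / "cli.exe", root / "download.bin"
        cli.write_bytes(b"old build")
        dl.write_bytes(b"new build")
        good = hashlib.sha256(b"new build").hexdigest()
        bak = install_verified_update(dl, good, cli, root / "backup")
        print("installed:", cli.read_bytes(), "backup:", bak.read_bytes())
        rollback(cli, bak)
        print("after rollback:", cli.read_bytes())
```

A matching digest only proves the download equals whatever the digest describes, so the expected value has to reach the client over a channel that an attacker able to alter the download cannot also alter.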
Data at Rest
| Path | Description | Protected |
|---|---|---|
| %APPDATA%\HallaxiusCli\hallaxius.config.json | Config and encrypted API key | DPAPI |
| %APPDATA%\HallaxiusCli\resume\ | Pending upload states | User-only |
| %APPDATA%\HallaxiusCli\backup\ | Version backups | User-only |
| %LOCALAPPDATA%\HallaxiusCli\ | Global install directory | User-only |
Best Practices
- Never share your API key or commit hallaxius.config.json to version control.
- Use hallaxius reset to clear your key if you suspect it has been compromised.
- Keep the CLI updated with hallaxius update --install to get security patches.
- Verify URL sources before uploading — blocked MIME types provide a safety net, but human verification is always best.