buildover-setup
Audited by Socket on Feb 25, 2026
1 alert found:
Malware

This integration guide is not itself code, but it documents installing and running a CLI (buildover) that performs sensitive actions: reverse-proxying a dev server, injecting a client-side widget, and enabling an AI agent to edit project source files in real time. Those capabilities are legitimate for the stated purpose but carry non-trivial supply-chain and data-exposure risks: installing unverified npm packages, forwarding an ANTHROPIC_API_KEY, granting broad filesystem write access, and optionally exposing the dev server to the public via a tunnel. The document omits important security controls and provenance details (pinned versions, where keys and chat data are transmitted/stored, access controls, audit/logging, and guidance to avoid committing secrets). I assess this as a medium-to-high security risk integration that requires careful review before use — verify package sources, avoid global installs unless vetted, protect API keys (do not commit .env), and be cautious when exposing the proxy publicly.