Nexus OS - Local-first AI privacy gateway for enterprise developer workflows
Project description
Nexus OS
A local-first AI egress gateway for source code.
Nexus sits between a developer workflow and AI coding models. It inspects each request locally, removes secrets, pseudonymizes proprietary Python identifiers, chooses a local, sanitized-cloud, or blocked route, and records a tamper-evident audit event.
Current scope: a Python/FastAPI daemon, CLI, privacy pipeline, Ollama adapter, Groq/Anthropic cloud adapters, automated tests, and a VS Code/Cursor Command Center extension.
Core flow
Developer request
-> secret scan
-> Python AST symbol extraction
-> semantic pseudonymization
-> YAML policy evaluation
-> route: local_only | sanitized_cloud | blocked
-> exact egress verification before cloud use
-> local de-tokenization of the model response
-> hash-chained audit event
Why it exists
Developers in regulated or IP-sensitive environments often face a bad trade-off:
- use a strong cloud model and expose sensitive context;
- use a small local model and lose capability;
- manually scrub every prompt and slow down the workflow.
Nexus treats privacy as a routing and verification problem instead of forcing one model choice for every request.
Current capabilities
- Regex and entropy-based secret detection
- Python AST symbol extraction
- Semantic identifier pseudonymization
- YAML policy engine
- Local-only, sanitized-cloud, and blocked routes
- Ollama local inference
- Groq / Anthropic sanitized-cloud adapters with exact egress verification
- Tamper-evident audit ledger with Phase 3 truthful egress receipts
- Local hybrid repository indexing (search + repo assist)
- Repository API protected by
X-Nexus-Token - Groq and Anthropic provider adapters
- Local response de-tokenization
- SQLite hash-chained audit ledger with Phase 3 truthful egress receipts (intended vs actual provider/route, call attempts, payload hash — never raw code/secrets/maps)
- Request-scoped exact outbound payload inspection (token-gated short-lived lookup)
- VS Code/Cursor Command Center extension with live secure assist and fixture modes
- Repo-wide secure scan, human approval plan, and redacted patch preview workflow
- Dependency/generated artifact filtering for repo scans (
node_modules, lockfiles, build output, caches) nexus audit verifyandnexus audit list- FastAPI endpoints for assist, redact, route, health, audit verification, and repository indexing/search/remediation
- Local hybrid repository indexing (SQLite + FTS5) with CLI
nexus repo …commands
Important limitations
This is a hackathon prototype, not a production security boundary.
- It is a local daemon, not an operating-system kernel.
- Python is the only AST-aware language currently supported.
- Secret detection is heuristic and cannot guarantee detection of every sensitive value.
- The current hash chain is tamper-evident, not independently signed.
- OS-wide or network-wide enforcement is future work.
- The extension is an MVP demo surface, not a production policy enforcement layer.
Setup
Requires Python 3.11+.
Install from PyPI after the first release:
pip install kdg-nexus
nexus --version
nexus --help
For local development from this repository:
python -m venv .venv
source .venv/bin/activate # Windows: .venv\Scripts\activate
pip install -e ".[dev]"
cp .env.example .env
For local inference:
ollama serve
ollama pull llama3.2:3b
Set the model in .env when needed:
NEXUS_OLLAMA_MODEL=llama3.2:3b
Start the daemon:
uvicorn nexus.main:app --host 127.0.0.1 --port 7420
Health check:
curl http://127.0.0.1:7420/v1/health
VS Code / Cursor extension demo
The extension has two modes:
- Live (default): calls the local Nexus daemon, keeps the local Nexus token in the extension host, and shows real request evidence.
- Fixture: uses built-in UI fixtures for offline Command Center review.
For the judge-ready live path, run:
powershell -ExecutionPolicy Bypass -File scripts\run_judge_demo.ps1
Then follow docs/JUDGE_DEMO.md.
Build the extension:
cd extension
npm install
cd webview-ui
npm install
cd ..
npm run build
Start the real daemon before the live demo:
python -m uvicorn nexus.main:app --host 127.0.0.1 --port 7420
Launch the Extension Development Host:
code --extensionDevelopmentPath=C:\Users\mukhe\KDG\extension C:\Users\mukhe\KDG
In the Extension Development Host:
- Open a Python file containing synthetic sensitive code.
- Select the code, or leave the selection empty to use a bounded current-file excerpt.
- Run
Nexus: Ask Privately. - Enter a question, for example:
The intended multiplier is 1.25. Return corrected Python code containing the class and function names. - Confirm the restored answer appears in Command Center.
- Verify the
Livebadge plus request evidence: route, provider, real event timeline, exact sanitized outbound payload, receipt, and audit verification.
To use fixtures instead, set nexus.mode to fixture in VS Code settings and open Nexus: Open Command Center.
For larger codebases, run Nexus: Scan Codebase Privately from the Command
Palette. Nexus registers and indexes the open workspace locally, ranks candidate
files from indexed secret fingerprints, diagnostics, test-output hints, the
focus query, and the active editor path as ranking context. It then asks you to
approve exact indexed files from a picker before patch preview. The preview
report uses redacted diffs and never writes source files automatically.
For a richer masking demo, open
demo-repo/customer_support/secure_ticket_service.py. It contains only
synthetic fake credentials, fake personal data, normal code, and small logic
bugs. Use the prompt in demo-repo/README.md to verify that secrets and
personal data are removed before sanitized cloud assist.
Run tests:
pytest -q
API example
curl -X POST http://127.0.0.1:7420/v1/assist \
-H "Content-Type: application/json" \
-d '{
"code": "def calculate_internal_risk_score_for_loan_default(x):\n return x * 2",
"file_path": "payments/risk_engine.py",
"diagnostics": [],
"test_output": null,
"question": "Why is this calculation failing?"
}'
Hackathon winning path
The next work should happen in this order:
- Close egress gaps: sanitize and verify code, question, diagnostics, and test output as one exact outbound payload.
- Add deterministic prompt-injection blocking: demonstrate that a request to reveal redacted values makes no cloud call.
- Make the audit receipt truthful: hash the exact outbound prompt, expose provider, policy hits, leakage status, latency, and whether a network call occurred.
- Harden the VS Code extension: add packaged install flow, richer error handling, and repeatable UI automation.
- Add a golden demo: a realistic fintech bug is fixed after sanitization and the test passes.
- Benchmark utility and latency: compare raw cloud, Nexus sanitized cloud, and Nexus local-only using project-generated numbers only.
Demo story
- Show a normal AI request that would expose a fake credential and proprietary identifiers.
- Send the same request through Nexus and open the exact outbound payload.
- Receive a cloud-generated fix, restore the real names locally, and pass the failing test.
- Attempt prompt injection and show that no cloud request is made.
- Run
nexus audit verify, then demonstrate detection on a deliberately tampered copy.
CLI
nexus audit list
nexus audit verify
# Repository indexing (Phase 2.5)
nexus repo register /path/to/your/repo
nexus repo index <repo_id>
nexus repo search <repo_id> "symbol_or_query" --json
nexus repo list
nexus repo status <repo_id>
Repository indexing (Phase 2.5)
Nexus can index local repositories into isolated SQLite + FTS5 databases under
~/.nexus/indexes/ (override with NEXUS_INDEX_DB_ROOT). Search and context
retrieval run entirely on your machine — no model or network calls.
| Endpoint | Purpose |
|---|---|
POST /v1/repos |
Register a local path |
GET /v1/repos |
List repositories |
GET /v1/repos/{repo_id} |
Index status |
POST /v1/repos/{repo_id}/index |
Build or update ({"full": true} for full rebuild) |
POST /v1/repos/{repo_id}/search |
Hybrid search (no model) |
POST /v1/repos/{repo_id}/scan |
Safe repo-wide remediation candidate scan (no model) |
POST /v1/repos/{repo_id}/fix-plan |
Human approval plan for candidate files (no model) |
POST /v1/repos/{repo_id}/patch-preview |
Redacted, non-writing patch previews for approved files |
POST /v1/repos/{repo_id}/assist |
Context pack → recovery guard → privacy pipeline |
Privacy notes:
- Secrets are never stored raw in the index — only redacted chunks and HMAC-SHA256 fingerprints (key at
~/.nexus/fingerprint_key). /v1/repos*requires a local API token viaX-Nexus-Token(stored at~/.nexus/api_token). CORS is explicit loopback origins only (no*).- Git discovery includes tracked and untracked non-ignored files (
git ls-files -co --exclude-standard). - Dependency/generated artifacts are excluded from remediation candidates by default, including common package lockfiles, build output, caches, and
node_modules. full=truereprocesses every file; config drift requires a full rebuild.- Oversized files are partially indexed with bounded streaming and coverage stats.
/v1/repos/{id}/searchnever calls a provider./v1/repos/{id}/assistre-reads selected spans from disk, runs the recovery guard, then applies the sanitize/egress pipeline.- Index builds run as background jobs (per-repo lock); poll
GET /v1/repos/{id}for readiness.
Architecture: docs/architecture/REPOSITORY_INDEXING_ARCHITECTURE.md.
Measured local benchmarks: benchmarks/README.md.
Limitations (indexing v1)
Python gets AST-aware chunking; other languages use line windows. Retrieval uses import-graph one-hop expansion (no call-graph). Semantic/vector search is optional and off by default. This is a local hybrid indexer — not a claim of parity with proprietary code-search products.
Security
Never commit .env, API keys, generated databases, or real proprietary code. The committed demo fixtures contain fake values only.
Phase 4/5 additions
- Typed provider errors and fallback state machine (docs/architecture/PROVIDER_FAILURE_STATE_MACHINE.md)
- Execution event stream (docs/architecture/EXECUTION_EVENT_STREAM.md)
- Report: docs/reports/PHASE_4_5_PROVIDER_LIFECYCLE_REPORT.md
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file kdg_nexus-0.1.0.tar.gz.
File metadata
- Download URL: kdg_nexus-0.1.0.tar.gz
- Upload date:
- Size: 178.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
fcc38a41023515fc6c60ca3875573895f4dca3dc631325a0d98527da239cd5ef
|
|
| MD5 |
60afb14de148780b4d268c0ea4aa9939
|
|
| BLAKE2b-256 |
07fcf76eb2542f8b3dc8896db202535dc7a231bc57d3ff5b4c9c7fbe337df113
|
Provenance
The following attestation bundles were made for kdg_nexus-0.1.0.tar.gz:
Publisher:
publish.yml on ayush585/KDG
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
kdg_nexus-0.1.0.tar.gz -
Subject digest:
fcc38a41023515fc6c60ca3875573895f4dca3dc631325a0d98527da239cd5ef - Sigstore transparency entry: 2148003688
- Sigstore integration time:
-
Permalink:
ayush585/KDG@52e630bcb6458ff8f8d26f75d0aa696af273a5c8 -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/ayush585
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@52e630bcb6458ff8f8d26f75d0aa696af273a5c8 -
Trigger Event:
push
-
Statement type:
File details
Details for the file kdg_nexus-0.1.0-py3-none-any.whl.
File metadata
- Download URL: kdg_nexus-0.1.0-py3-none-any.whl
- Upload date:
- Size: 136.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ecac12f0d02ad86d85bdc5d37911090f1c464c4dc33afbb1d14a1301d195502a
|
|
| MD5 |
c7171b299ed8a5eabfa2a6aca79a86eb
|
|
| BLAKE2b-256 |
f504aba63454c07aca43c25a4bb511bd09880f4b418629a06d02cede8aea09aa
|
Provenance
The following attestation bundles were made for kdg_nexus-0.1.0-py3-none-any.whl:
Publisher:
publish.yml on ayush585/KDG
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
kdg_nexus-0.1.0-py3-none-any.whl -
Subject digest:
ecac12f0d02ad86d85bdc5d37911090f1c464c4dc33afbb1d14a1301d195502a - Sigstore transparency entry: 2148003698
- Sigstore integration time:
-
Permalink:
ayush585/KDG@52e630bcb6458ff8f8d26f75d0aa696af273a5c8 -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/ayush585
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@52e630bcb6458ff8f8d26f75d0aa696af273a5c8 -
Trigger Event:
push
-
Statement type: