Skip to main content

A generalized agentic contract/control-plane language for governed AI software delivery.

Project description

Nornyx

PyPI Python CI License: MIT

A generalized agentic contract/control-plane language for governed AI software delivery.

pip install nornyx

Your AI-engineering rules live scattered across AGENTS.md, a skills folder, prompt/context packs, a harness script, an eval config, policy docs, evidence templates, and approval checklists — and they drift out of sync. Nornyx makes them one checked source of truth: write a single .nyx file, then generate and validate all those artifacts from it.

one .nyx contract  ──►  AGENTS.md · skills/ · harness.yaml · policy.yaml
                        evals.yaml · context.yaml · evidence_contract.md

Nornyx does not replace Codex, Claude Code, Cursor, Copilot, CI/CD, or human review. It compiles, checks, and generates the control artifacts those execution surfaces follow.

Install

pip install nornyx          # from PyPI
# or pin from source:
pip install "nornyx @ git+https://github.com/mazinmarji/nornyx@v1.1.1"

Requires Python 3.10+. The only runtime dependency is PyYAML.

Quick start (5 minutes)

# 0. drop the bundled example contracts into ./examples/
nornyx examples

# 1. check a contract
nornyx check examples/governed_delivery_control_plane.nyx

# 2. generate the control artifacts from it
nornyx generate examples/governed_delivery_control_plane.nyx --out generated/cp

# 3. build a provenance-hashed context pack
nornyx context-build examples/governed_delivery_control_plane.nyx --repo . --out generated/context.json

# 4. inspect the schema
nornyx schema --version 1.0

(If you didn't install the console script, use python -m nornyx.cli ....)

nornyx generate writes AGENTS.md, skills/, harness.yaml, policy.yaml, evals.yaml, context.yaml, and evidence_contract.md into the output folder — regenerate any time the .nyx changes, and nornyx check keeps them honest.

Shell/editor completion

nornyx complete emits JSON completion items for .nyx documents. Nornyx does not install a shell hook by default; this command is the completion data source to wire into shell functions, editor adapters, or small helper scripts.

Top-level block suggestions:

nornyx complete --prefix con

Reference-aware suggestions:

nornyx complete examples/governed_delivery_control_plane.nyx --path agent.policy --prefix Safe

The command prints LSP-shaped objects with label, kind, detail, and insertText, so wrappers can parse the labels and present them as candidates.

A contract looks like this

nornyx: "0.1"
project:
  name: GovernedDelivery

contexts:
  - name: RepoContext
    include: ["src/**/*.py", "docs/**/*.md"]
    authority: ["docs/SECURITY.md"]
    taint:                       # trust boundaries are first-class
      repo: trusted_repo_file
      user_prompt: untrusted
      external_web: untrusted

policies:
  - name: SafeEditPolicy
    rules:
      - deny secrets_to_llm
      - require tests_if_code_changed
      - require evidence_if_harness_completed

agents:
  - name: Builder
    role: "Implement small scoped patches."
    skills: [PatchBuilder, TestRepair, EvidencePack]
    policy: SafeEditPolicy

harnesses:
  - name: DevHarness
    context: RepoContext
    flow:
      - agent: Builder
        action: implement
      - tool: tests
        action: run
      - evidence: DevEvidence
        action: pack
    gate:
      - require: tests.pass
      - require: human_approval_before_merge

Use it in your repo

Going from the demo to your own project is four steps:

# 1. scaffold a .nyx for your repo (pick a profile, default ai_coding)
nornyx init --name YourRepo --out nornyx.nyx

# 2. edit nornyx.nyx — your contexts, policies, agents, harness — then check it
nornyx check nornyx.nyx

# 3. generate the artifacts and put AGENTS.md where your agent reads it
nornyx generate nornyx.nyx --out .nornyx/
cp .nornyx/AGENTS.md AGENTS.md          # the file Claude Code / Cursor / Copilot read

# 4. commit nornyx.nyx (the source) and the artifacts you use

Keep them from drifting. Commit the generated directory and add a check that it still matches the contract — in CI or a pre-commit hook:

nornyx drift nornyx.nyx --out .nornyx   # nonzero exit if ANY artifact drifts

nornyx drift compares every generated artifact by hash (not just AGENTS.md), so a change to policy.yaml is caught too. Across many repos, declare your org policy once in a workspace manifest and verify each repo matches it:

nornyx workspace-check --manifest nornyx.workspace.yaml

Now the .nyx is the single source of truth: edit it, regenerate, and the check fails loudly if any artifact drifts. Full walkthrough: docs/USE_IN_YOUR_REPO.md.

Reference a shared policy instead of copying it

A policy can reference a canonical definition rather than copy its rules, so there is nothing to drift in the first place:

policies:
  - name: SafeDeliveryPolicy
    ref: ../governance/nornyx.workspace.yaml#SafeDeliveryPolicy   # single source

ref is <path>#<PolicyName>, resolved from a local .nyx contract or a workspace manifest. The canonical rules live in one place; edit them there and every referencing contract is updated. nornyx check and nornyx generate resolve the reference and inline the real rules into policy.yaml. See the bundled org_policies.nyx and governed_service.nyx examples.

Why Nornyx

  • One source of truth for agent/skill/harness/policy/eval/evidence artifacts — no more drift.
  • Context trust model: mark which context is trusted vs untrusted so untrusted input can't define policy, and deny secrets_to_llm at the contract level.
  • Generators + a checker: turn .nyx into the files your tools read, and verify references and required fields.
  • Generated-artifact drift gate: catch when regenerated output diverges from a committed baseline.
  • YAML-compatible syntax — no new parser to learn for v0.1.

Scope and safety

Nornyx v0.1 is an executable specification layer, not a runtime. It does not implement autonomous system modification, production deployment, destructive tool use, credential handling, or arbitrary command execution. The name Nornyx is a provisional working brand (no formal legal clearance claimed).

Learn more

Development

git clone https://github.com/mazinmarji/nornyx && cd nornyx
pip install -e ".[dev]"
python -m pytest -q

License

MIT — see LICENSE. Copyright (c) 2026 Mazin Marji and Nornyx Contributors.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

nornyx-1.3.0.tar.gz (136.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

nornyx-1.3.0-py3-none-any.whl (125.4 kB view details)

Uploaded Python 3

File details

Details for the file nornyx-1.3.0.tar.gz.

File metadata

  • Download URL: nornyx-1.3.0.tar.gz
  • Upload date:
  • Size: 136.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for nornyx-1.3.0.tar.gz
Algorithm Hash digest
SHA256 7e182f346ca9b036a522ea4e289459a75c6b67c2693ff7610d34d7252e7a55cd
MD5 89dfd604a695189b893c0a44901ee4d0
BLAKE2b-256 23645903e3c7c6c858f6d7f323e6f500eb71d27ecf6883217cb217dc39511fb2

See more details on using hashes here.

Provenance

The following attestation bundles were made for nornyx-1.3.0.tar.gz:

Publisher: release.yml on mazinmarji/nornyx

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file nornyx-1.3.0-py3-none-any.whl.

File metadata

  • Download URL: nornyx-1.3.0-py3-none-any.whl
  • Upload date:
  • Size: 125.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for nornyx-1.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 9bd7ca617ee0c977c0d8a038ec854e275534fe2a5521a6fe8a105e02351847cc
MD5 68dc0d7f615b8c1f16d4f53987c1c8ff
BLAKE2b-256 0e71df922f2c997d1001ce0e659247f1f7db5f47e293aff2fe493860a5dd257a

See more details on using hashes here.

Provenance

The following attestation bundles were made for nornyx-1.3.0-py3-none-any.whl:

Publisher: release.yml on mazinmarji/nornyx

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page