nexus-attest
Python · PyPI

Governance before execution, verified after.

Request / Review / Approve / Execute with N-of-M approvals, cryptographic audit packages, and XRPL-anchored witness proofs. Every decision is exportable, verifiable, and replayable.

Install

pip install nexus-attest # Python 3.11+

Request

from nexus_attest import NexusControlTools
from nexus_attest.events import Actor

tools = NexusControlTools(db_path="decisions.db")
result = tools.request(
    goal="Rotate production API keys",
    actor=Actor(type="human", id="alice@example.com"),
    min_approvals=2,
)

Verify

from nexus_attest import verify_audit_package

verification = verify_audit_package(package)
assert verification.ok  # 6 independent checks
print(verification.binding_digest)  # sha256:...

What nexus-attest adds

The governance layer that nexus-router does not have.

Event-sourced governance

Every state — request, approval, execution, failure — is derived by replaying an immutable append-only log. No mutable state. No hidden writes. Full timeline always available.

Cryptographic audit packages

A binding_digest (SHA-256) ties the decision, policy, approvals, execution identity, and the control-router link into one tamper-evident bundle. If any component changes, the digest breaks.

XRPL witness proofs

Attestation intents are anchored to the XRP Ledger for third-party verifiability. Self-verifying narrative reports include receipt timelines, PASS/FAIL/SKIP integrity checks, and on-chain witness data.

11 MCP tools

Full governance surface exposed via the Model Context Protocol.

| Tool | What it does |
| --- | --- |
| nexus-attest.request | Create an execution request with goal, policy, and approvers |
| nexus-attest.approve | Approve a request — supports N-of-M distinct actors |
| nexus-attest.execute | Execute an approved request via nexus-router |
| nexus-attest.status | Get request state and linked run status |
| nexus-attest.inspect | Read-only introspection with human-readable output |
| nexus-attest.template.create | Create a named, immutable policy template |
| nexus-attest.template.get / .list | Retrieve or list templates with optional label filtering |
| nexus-attest.export_bundle | Export a decision as a portable, integrity-verified bundle |
| nexus-attest.import_bundle | Import a bundle with conflict modes and replay validation |
| nexus-attest.export_audit_package | Export audit package binding governance to execution |

Quick start

1. Create a request

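from nexus_attest import NexusControlTools
from nexus_attest.events import Actor

# Open (or create) the decision store and file a request that needs two approvals.
tools = NexusControlTools(db_path="decisions.db")
result = tools.request(
    goal="Rotate production API keys",
    actor=Actor(type="human", id="alice@example.com"),
    min_approvals=2,
    labels=["prod", "security"],
)
request_id = result.data["request_id"]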

2. Collect N-of-M approvals

tools.approve(request_id, actor=Actor(type="human", id="alice@example.com"))
tools.approve(request_id, actor=Actor(type="human", id="bob@example.com"))

3. Execute and get audit proof

result = tools.execute(
    request_id=request_id,
    adapter_id="subprocess:mcpt:key-rotation",
    actor=Actor(type="system", id="scheduler"),
    router=your_router,
)
audit = tools.export_audit_package(request_id)
print(audit.data["digest"])  # sha256:...

4. Verify — 6 independent checks

verification = verify_audit_package(package)
assert verification.ok
# Checks: binding_digest, control_bundle_digest,
# binding_control_match, binding_router_match,
# binding_link_match, router_digest

Design guarantees

35 modules. 22 test files. 632 tests.

No short-circuiting

All 6 verification checks run regardless of failures — every issue is reported. Policies are validated at execution time, not just at approval time.
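
The binding digest and the no-short-circuit verification described on this page, shown as an added example that is not nexus-attest's own code. The package layout, check names and sample values are hypothetical, and canonical JSON (sorted keys, compact separators) is assumed as the hashing input.

```python
import copy
import hashlib
import json

def canonical_digest(obj) -> str:
    """SHA-256 over canonical JSON: sorted keys, no insignificant whitespace."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return "sha256:" + hashlib.sha256(data).hexdigest()

def build_package(control: dict, router: dict, link: dict) -> dict:
    """Bind governance (control) to execution (router) under one digest."""
    binding = {
        "control_digest": canonical_digest(control),
        "router_digest": canonical_digest(router),
        "link_digest": canonical_digest(link),
    }
    return {"control": control, "router": router, "link": link,
            "binding": binding, "binding_digest": canonical_digest(binding)}

def verify_package(pkg: dict) -> dict:
    """Evaluate every check and report each result; no early return."""
    b = pkg["binding"]
    checks = {
        "binding_digest": canonical_digest(b) == pkg["binding_digest"],
        "control_match": canonical_digest(pkg["control"]) == b["control_digest"],
        "router_match": canonical_digest(pkg["router"]) == b["router_digest"],
        "link_match": canonical_digest(pkg["link"]) == b["link_digest"],
    }
    return {"ok": all(checks.values()), "checks": checks}

# Constructed sample data (hypothetical field names and values).
CONTROL = {"goal": "Rotate production API keys", "min_approvals": 2,
           "approvals": ["alice@example.com", "bob@example.com"]}
ROUTER = {"run_id": "run-0001", "adapter_id": "subprocess:mcpt:key-rotation",
          "status": "completed"}
LINK = {"request_id": "req-0001", "run_id": "run-0001"}

def tamper_demo() -> dict:
    """Alter two components after packaging; both failures must be reported."""
    pkg = copy.deepcopy(build_package(CONTROL, ROUTER, LINK))
    pkg["control"]["approvals"].append("mallory@example.com")  # added after packaging
    pkg["router"]["status"] = "failed"                          # altered outcome
    return verify_package(pkg)

if __name__ == "__main__":
    print(verify_package(build_package(CONTROL, ROUTER, LINK)))
    print(tamper_demo())
```

An unkeyed digest stored beside the data only detects tampering by someone who cannot also rewrite the digest, so the reference value has to be compared against a copy held outside the package.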

Portable bundles

Export decisions as canonical JSON bundles for cross-system transfer. Three conflict modes on import: reject_on_conflict, new_decision_id, overwrite. Replay after import is optional.

Policy templates

Named, immutable policy bundles for repeatable approval patterns. Override individual fields per-request without mutating the template.