Reference

  • Python 3.11 or later
  • pip with editable install support
# Clone the repository
git clone https://github.com/mcp-tool-shop-org/nexus-control
cd nexus-control
# Install with dev dependencies
pip install -e ".[dev]"

Nexus Control has 636 tests across 23 test files:

# Run the full test suite
pytest
# Type check (strict mode)
pyright
# Lint
ruff check .

By default, NexusControlTools uses in-memory SQLite. Pass a db_path to persist decisions to disk:

tools = NexusControlTools(db_path="decisions.db")

The SQLite store is implemented in store.py and manages both the decisions header table and the decision_events append-only log.

  • In-memory approval policies
  • Execution audit logs with SHA-256 integrity
  • Tool call metadata

All data is ephemeral unless explicitly exported via bundles or audit packages.

  • No network requests beyond nexus-router communication
  • No filesystem writes (audit exports go to caller-specified paths)
  • No OS credentials
  • No telemetry

None beyond standard Python process permissions. Nexus Control does not require elevated privileges, network access, or filesystem write access for its core operations.

See SECURITY.md for the vulnerability reporting process.

nexus-control/
├── nexus_control/
│   ├── __init__.py          # Public API + version
│   ├── tool.py              # MCP tool entrypoints (11 tools)
│   ├── store.py             # SQLite event store
│   ├── events.py            # Event type definitions
│   ├── policy.py            # Policy validation + router compilation
│   ├── decision.py          # State machine + replay
│   ├── lifecycle.py         # Blocking reasons, timeline, progress
│   ├── template.py          # Named immutable policy templates
│   ├── export.py            # Decision bundle export
│   ├── import_.py           # Bundle import with conflict modes
│   ├── bundle.py            # Bundle types + digest computation
│   ├── audit_package.py     # Audit package types + verification
│   ├── audit_export.py      # Audit package export + rendering
│   ├── canonical_json.py    # Deterministic serialization
│   ├── integrity.py         # SHA-256 helpers
│   └── attestation/         # Cryptographic attestation subsystem
│       ├── _signing.py      # Ed25519 signing + verification
│       ├── intent.py        # Attestation intent declarations
│       ├── receipt.py       # Attestation receipts + status
│       ├── narrative.py     # Human-readable attestation narratives
│       ├── queue.py         # Async attestation processing queue
│       └── xrpl/            # XRPL witness backend
├── schemas/                 # JSON schemas for tool inputs
├── tests/                   # 636 tests across 23 test files
├── ARCHITECTURE.md          # Mental model + design guarantees
├── QUICKSTART.md
├── README.md
└── pyproject.toml

| Module | Responsibility |
|---|---|
| tool.py | MCP tool entrypoints; all 11 tools are defined here |
| store.py | SQLite event store with append-only semantics |
| events.py | Typed event definitions (DECISION_CREATED, APPROVAL_GRANTED, etc.) |
| policy.py | Policy validation and router constraint compilation |
| decision.py | State machine with event replay; computes current state from events |
| lifecycle.py | Blocking reasons (triage-ladder ordered), timeline, and progress |
| template.py | Named immutable policy templates with creation metadata |
| export.py / import_.py | Bundle export and import with conflict modes |
| bundle.py | Bundle types and SHA-256 digest computation |
| audit_package.py | Audit package types and 6-check verification |
| audit_export.py | Audit package export with reference and embedded modes |
| canonical_json.py | Deterministic JSON serialization for digest stability |
| integrity.py | SHA-256 helpers for content-addressable hashing |
| attestation/ | Cryptographic attestation subsystem with Ed25519 signing, intents, receipts, and async queue |
| attestation/xrpl/ | XRPL witness backend for on-ledger attestation anchoring |
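
Why deterministic serialization matters for digest stability, as an added example (this is not nexus-control's own code): the same event content must hash to the same SHA-256 value regardless of key order or formatting, otherwise a bundle fails verification after an export/import round trip. The canonicalization rules, the bundle layout, and the event fields below are assumptions made for illustration.

```python
import hashlib
import hmac
import json


def canonical_json(obj) -> bytes:
    """Assumed canonical form: sorted keys, no extra whitespace, UTF-8, no NaN."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False, allow_nan=False).encode("utf-8")


def digest(obj) -> str:
    return "sha256:" + hashlib.sha256(canonical_json(obj)).hexdigest()


def naive_digest(obj) -> str:
    # Default json.dumps keeps insertion order, so the hash depends on it.
    return "sha256:" + hashlib.sha256(json.dumps(obj).encode("utf-8")).hexdigest()


def make_bundle(events: list) -> dict:
    """Hypothetical bundle layout: the events plus a digest over them."""
    return {"events": events, "digest": digest(events)}


def verify_bundle(bundle: dict) -> bool:
    """Recompute the digest from the events and compare in constant time."""
    return hmac.compare_digest(digest(bundle["events"]), bundle["digest"])


# Constructed sample events (field names are illustrative).
EVENTS = [
    {"seq": 1, "type": "DECISION_CREATED", "actor": "alice"},
    {"seq": 2, "type": "APPROVAL_GRANTED", "actor": "bob"},
]
# Same content as EVENTS[1], with keys inserted in a different order.
REORDERED = {"actor": "bob", "type": "APPROVAL_GRANTED", "seq": 2}

if __name__ == "__main__":
    print("naive digests match:    ", naive_digest(EVENTS[1]) == naive_digest(REORDERED))
    print("canonical digests match:", digest(EVENTS[1]) == digest(REORDERED))
    # Round trip through pretty-printed JSON, as an export/import would do.
    restored = json.loads(json.dumps(make_bundle(EVENTS), indent=2))
    print("verifies after round trip:", verify_bundle(restored))
    restored["events"][1]["actor"] = "mallory"  # simulated modification
    print("verifies after edit:      ", verify_bundle(restored))
```

A bare digest only detects modification when the expected value is stored or signed separately from the data it covers.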

Nexus Control passes all shipcheck gates:

| Category | Score |
|---|---|
| A. Security | 10/10 |
| B. Error Handling | 10/10 |
| C. Operator Docs | 10/10 |
| D. Shipping Hygiene | 10/10 |
| E. Identity (soft) | 10/10 |
| Overall | 50/50 |

Assessed with @mcptoolshop/shipcheck.