Self-hosted, your data never transits our anything (there is no our-anything). Zero dependencies for security review. Hard budget caps for finance. Append-only journals for compliance. Approval gates for everyone who's read the news lately. OpenTelemetry traces into the SIEM or APM you already run, and per-customer run tags that attribute every dollar of model spend.
Each one: the workflow today → how Nexus integrates → what changes → the value mechanism. Expand your industry.
A support bot either can't act (deflection-only) or acts unsupervised, and support bots inventing policy is a documented, reputation-burning failure mode.
Agent reads tickets and drafts freely; issue_refund, change_subscription, send_email are approval-gated. Policy auto-approves refunds under $50; Slack notification carries bigger ones to a human. Budget caps each ticket's spend.
The bot resolves end-to-end instead of deflecting; humans review only the consequential 10%. Every promise made to a customer is journaled, attributed, replayable.
Exposure per run is capped at your policy threshold + budget. Disputes are settled by the journal, not by memory.
approvalPolicy: ({ toolName, arguments: a }) =>
toolName === 'issue_refund' && a.amountUsd < 50
? 'approve' : 'ask',
budget: { maxUsd: 0.25 } // per ticket
Wrap your existing helpdesk MCP server (Zendesk/Intercom-style) with mcpTools(), no changes to it. Approvals via Slack webhook; audit via nexus serve.
Teams building agent products re-implement the same plumbing, state, retries, approvals, cost tracking, badly, under deadline, per project.
Nexus is the execution layer; your product is the agent definitions and UX. Every customer-visible run inherits durability, budgets, and an audit story.
Your differentiation budget goes to the product, not the plumbing. "What did the agent do for customer X" becomes a file you can open.
Months of infra work replaced by an MIT dependency with zero transitive packages to clear through security review.
const run = await runtime.run('analyst', task); // per-tenant budgets, per-run journals, // OAR files your customers can export, // lock-in-free is a feature you can sell
Coding/ops agents run with broad credentials. The documented 2025-26 failure mode: an agent finds an over-privileged token and deletes production in seconds.
deploy, terraform_apply, delete_*, rotate_credentials are approval-gated; read-only tools flow freely. Kill the runner mid-deploy; resume it after lunch. Every run streams OpenTelemetry spans into your existing SIEM or APM, so security ops sees agent activity in the same pane as everything else.
Destructive actions get a mandatory human pause, enforced by the runtime, not by pleading with the model in ALL CAPS (which demonstrably does not work).
One prevented production-database deletion pays for the integration forever. The journal turns postmortems from archaeology into reading.
tools: [readLogs, runTests,
{ ...terraformApply, requiresApproval: true },
{ ...dropDatabase, requiresApproval: true }]
// the runtime enforces the pause.
// the model's opinion is not consulted.
RPA breaks on anything unstructured; LLM scripts handle the unstructured but are unauditable and die on restarts, losing mid-flight work.
Long-running back-office runs (procurement, onboarding, reconciliation) survive deploys and restarts; steps that touch money or records pause for sign-off; the journal is the process record.
Automations span days and approvals without a workflow cluster. The run record doubles as the compliance artifact.
Durable multi-day processes with human checkpoints, previously a Temporal-sized project, become a library import.
// day 1: run pauses at 'post_journal_entry' // day 3: controller approves from the dashboard // same run, same journal, zero re-work await runtime.approve(runId, callId);
Adding "AI features" means eating unbounded model costs per tenant and answering "what did your AI do to my data?" with a shrug.
Per-run budgets become per-tenant cost ceilings, and per-run tags attribute every dollar of model spend to the tenant that caused it. OAR journals become a customer-facing audit trail. Local-model support (Ollama) serves data-residency-sensitive tenants.
AI COGS become a capped, modelable number. Enterprise procurement gets the audit answer it demands.
Prevents margin-destroying runaway usage (a documented pattern: an org burned ~$81k in a week; another reportedly ~$500M in a month with no caps).
budget: {
maxUsd: tenant.plan === 'pro' ? 0.40 : 0.10,
}
// enforced before each call, not on the invoice
runtime.run('agent', input, { tags: { tenantId: tenant.id } });
// every dollar attributed to the tenant
Agents could triage referrals, draft prior-auths, chase claims, but PHI can't leave the building and "the AI decided" is not an answer any regulator accepts.
Fully self-hosted with local models via Ollama. PHI never crosses the perimeter. Every patient-affecting action is approval-gated to a clinician; the journal records who approved what, when, at what cost.
AI moves from "banned by compliance" to "operating inside compliance," because the audit artifact exists by construction.
Staff hours reclaimed from paperwork while the accountability chain stays human. Caveat we volunteer: Nexus is infrastructure, not a HIPAA compliance program, your BAA, access controls, and clinical validation still apply.
provider: new OllamaProvider(), // on-prem, air-gapped model: 'llama3.3-70b', // PHI stays home. Journal stays forever.
FINRA's 2026 oversight report flags AI-agent hallucinations and missing decision trails as compliance risks; explainability tops bank regulatory concerns. Meanwhile the business wants agents reconciling, screening, drafting.
Four-eyes enforcement in one line: money-moving tools pause for a second human. Policy thresholds mirror your existing delegation-of-authority matrix. The OAR journal maps to books-and-records retention.
"Show us every action the agent took in Q3, who approved each, and reproduce run #4417" becomes: here are the files; here's the replay.
Agent adoption without a new recordkeeping gap, the record is the execution, not a best-effort log beside it.
approvalPolicy: ({ toolName, arguments: a }) =>
toolName === 'execute_payment'
? (a.amountUsd < 500 ? 'approve' : 'ask')
: 'ask',
// decidedBy: 'policy' | 'human', journaled
Courts sanctioned lawyers repeatedly in 2025-26 for unverified AI output, up to $110,000 in one case, with 1,300+ hallucination incidents tracked in court filings. The pattern is always the same: no verification gate between the model and the filing.
Research agents work freely; file_document, send_to_client, cite_authority are approval-gated to a responsible attorney. The journal proves the review happened, by name, with a timestamp.
The verification step stops being a policy memo and becomes a runtime invariant. Rule 11 diligence gets an evidentiary record.
Sanctions avoided, and frankly, malpractice-insurer conversations get easier when review is enforced by infrastructure. Caveat: Nexus can't detect a hallucinated citation; it guarantees a human was accountably in the loop.
{ ...fileWithCourt, requiresApproval: true }
// journal: approval_decision
// decidedBy: 'human'
// toolName: 'file_with_court'
// at: 2026-07-04T14:02:19Z
Agents handle catalog ops, pricing, and order exceptions, where one bad bulk action (mispriced SKUs, mass cancellation) is instantly expensive, and prank/adversarial input is a documented reality.
Bulk mutations above a threshold pause for a merchandiser. Budgets cap per-run spend during traffic spikes. Replay lets you test a new pricing prompt against last month's real runs before it touches the catalog.
Agents operate the long tail of exceptions; humans set thresholds once instead of reviewing everything or nothing.
Blast radius of any single run is bounded by policy + budget; regression replay catches behavior drift before customers do.
approvalPolicy: ({ toolName, arguments: a }) =>
toolName === 'update_prices' && a.skuCount > 100
? 'ask' : 'approve',
Agents could triage maintenance tickets, order parts, adjust schedules, but plants run air-gapped networks and nothing touching production lines goes unreviewed, ever.
Zero-dependency runtime + local models = deployable on isolated plant networks with a security review your OT team can actually complete. Schedule changes and parts orders above threshold pause for the plant manager.
AI reaches the shop floor within existing change-control culture instead of fighting it.
Downtime-relevant decisions accelerate; the journal slots into existing quality-system documentation (audits already work this way).
// air-gapped: no cloud, no telemetry, no phone-home // (there is nothing to phone home to) storage: new SqliteStorage('/plant/agents.db')
Most public bodies know they should use AI and have no map for where it is safe to start. The map is the same in Washington, Brussels, London, Riyadh and Abu Dhabi: begin on low-risk, high-volume back-office work, keep a named human accountable for every decision that touches a citizen, keep an immutable record of what happened, and run it inside your own boundary so nothing leaves. That is the exact shape of this runtime.
The 2025 federal AI memo names high-impact AI and requires, before it can affect the public: an impact assessment, real-world testing, ongoing monitoring, human oversight, and a public inventory. Gates, the journal, budgets and the kill switch are the runtime half of that list.
High-risk public-service AI falls under Art. 12 (automatic logging, kept six months), Art. 14 (effective human oversight with a stop control) and Art. 27 (a fundamental-rights impact assessment). The journal is the log, the gate is the oversight, cancelAll() is the stop.
The AI Playbook (Feb 2025) and the mandatory Algorithmic Transparency Recording Standard expect departments to record where an algorithm informs a decision and keep a human answerable. A journal entry per step is that record, produced as a side effect of running.
The US DoD's responsible-AI principles include Traceable (a documented, auditable trail) and Governable (the ability to disengage). Append-only journals and cancelAll() are those two words in code. Infrastructure, not an ATO.
The PDPL is enforced by SDAIA and expects personal data to stay in-Kingdom; the Generative AI guidelines ask for human review and record-keeping. Self-hosting keeps data inside the boundary and the journal is the record. Residency is wherever you choose to run it, which is your call, not ours.
The UAE leads on ambition: a Minister for AI since 2017, Chief AI Officers across every Dubai entity, Abu Dhabi's pledge to be AI-native by 2027. Its Charter for the Development and Use of AI is principles, not certification. A gated, journaled runtime is a way to put those principles into the machinery.
Ordered the way we would actually deploy it: highest-volume, lowest-blast-radius work first. Expand one.
Revenue agencies drown in correspondence, refund checks and eligibility questions, and automating the judgement is exactly where it goes catastrophically wrong: Robodebt raised billions in unlawful debts by letting an algorithm decide who owed money.
The agent drafts the assessment, reconciles the documents and prepares the letter freely; issuing a demand, changing a liability or offsetting a refund is gated to a named officer. Every figure it relied on is journaled. Budgets cap overnight batch runs.
Caseworkers clear the routine backlog; the irreversible decision keeps a human signature and a paper trail.
A demand can always be traced to the officer who approved it and the evidence in front of them. That artefact is precisely what Robodebt never had.
approvalPolicy: ({ toolName }) =>
['raise_debt', 'issue_assessment',
'offset_refund'].includes(toolName)
? 'ask' : 'approve',
Wrap the case-management system as an MCP server; approvals route to the assessing officer; the journal maps to statutory records retention.
The toeslagenaffaire wrongly flagged tens of thousands of families through opaque risk scoring, with no accountable human and no explainable record. The failure was not that a model scored, it was that adverse action followed with nobody answerable.
Score and triage freely; suspending a payment, opening a fraud case or denying a claim pauses for a caseworker, by name. The journal shows exactly what data drove the flag.
Throughput on the routine 90%, a human on the 10% that can ruin a life, with the reasoning attached.
Every adverse action is explainable and attributable, which is what the inquiries demanded and the original systems could not produce.
// the score is advice; the sanction is gated { ...suspendPayment, requiresApproval: true }, { ...openFraudCase, requiresApproval: true } // journal records the features behind each flag
Nuclear, grid, water and aviation regulators run on enormous document sets: licensing submissions, inspection reports, safety-case reviews, deviation logs. AI can triage and draft the paperwork. Nothing it does may go anywhere near a control system.
The agent cross-references a licensing submission against the regulation, drafts the inspector's findings and flags gaps; filing a determination is gated to the licensed reviewer. Air-gapped install with local models, so nothing leaves the facility. It stays firmly in the filing cabinet, never the plant.
Reviewers spend their hours judging, not collating.
A determination cites the sources the agent surfaced and the human who signed it. Hard line: this is document work behind the safety boundary, never a safety-instrumented function.
// inside the boundary: no cloud, no egress storage: new SqliteStorage('/secure/reg.db'), approvalPolicy: () => 'ask' // every filing // the model reads regs; it never actuates.
Backlogs of records requests, redaction and case-file summarisation. The failure mode is releasing the wrong document, or an unreviewed summary, into the public record.
The agent finds responsive records, proposes redactions and drafts the response; release is gated to the records officer. The journal is the disclosure log that transparency regimes already require you to keep.
The queue moves at machine speed; the release decision stays human and recorded.
"Who released this, and on what basis" becomes a query against the journal, not an internal investigation.
{ ...releaseDocument, requiresApproval: true }
// proposed redactions journaled per document;
// the sign-off is the officer, by name
The workloads that most need AI are often the ones that can never touch a cloud API. FedRAMP is cloud-only; classified enclaves (IL5/IL6) are physically isolated by design.
Zero dependencies and local models mean the entire runtime installs inside the enclave with a security review your team can actually finish. No phone-home, because there is nothing to phone home to. The journal stays on your storage, under your accreditation.
AI reaches the air-gapped side of the house without a cloud waiver.
The governance layer inherits your enclave's boundary. Caveat: inheriting a boundary is not the same as holding an authorisation; the ATO is still yours to earn.
// no transitive dependencies to clear, // no telemetry, no outbound network at all model: ollama('llama3'), // on-box storage: new FileStorage('/enclave/runs')
The Gulf is moving fastest of anyone on government AI: Abu Dhabi's AI-native-by-2027 programme, Chief AI Officers across Dubai, Saudi Arabia's HUMAIN and the sovereign Arabic LLM ALLaM. At the same time data-protection law is tightening, with the Saudi PDPL enforced by SDAIA and an expectation that personal data stays in-Kingdom.
Run a sovereign Arabic model on in-country hardware; the runtime keeps every step inside the boundary and journals it, in the language of record. Citizen service, licensing and correspondence handling get a gated, recorded path that matches the residency rules.
The ambition gets a governance layer under it, instead of a pilot with no audit story.
Data never leaves the jurisdiction and every citizen-facing action has a named approver. Caveat: self-hosting is not a sovereign cloud and not a certification, and Arabic accuracy is the model's job, not the runtime's. We keep the record and the human; the ministry keeps the accreditation.
// in-Kingdom box, sovereign Arabic model model: ollama('allam'), approvalPolicy: ({ toolName }) => toolName.startsWith('citizen_') ? 'ask' : 'approve',
You do not rewrite anything. Nexus wraps the agent you already run. Do it by hand in an afternoon, or point an AI at your repository, let it find the risky calls, and approve its proposal. Either path lands in the same place: destructive actions pause for a named human, every step is recorded, spend is capped, and it all runs inside your own boundary.
For teams who want to place every gate themselves. The API is small on purpose.
// 1. install (zero transitive deps to review) npm i @nexusaiframework/runtime // 2. wrap the tools you already have; flag // the irreversible ones defineTool({ name: 'deploy', requiresApproval: true }) // 3. register your agent with a budget runtime.register(defineAgent({ name: 'ops', tools, budget: { maxUsd: 2 } })) // 4. pick storage; this file is your journal new NexusRuntime({ storage: new FileStorage('.nexus') }) // 5. approvals dashboard nexus serve
The full surface is on the docs page.
If you would rather not hunt for the risky calls yourself, this is the recommended first pass. Point Claude Code, Cursor, or any coding agent at your repository with the prompt below. It reads your agent's toolset, classifies every capability by blast radius, and proposes a gate map, a budget, and journal wiring as a diff. It changes nothing until you approve. You read the proposal, push back on anything that looks wrong, then let it apply. The audit itself is the sales pitch: you see exactly how much of your agent was ungoverned.
The proposal, your approval, then the change. The same shape as the runtime it installs.
Paste this into your coding agent
Audit this repository to adopt the Nexus agent runtime
(@nexusaiframework/runtime). Do NOT change behaviour yet. Produce a proposal.
1. Find every place an LLM or agent calls a tool, function,
or external API.
2. Classify each capability by blast radius:
- IRREVERSIBLE or costly: delete, deploy, pay, email, publish,
change a customer or citizen record -> propose requiresApproval
- READ-ONLY or cheap -> leave it ungated, so throughput stays high
3. Propose, as a diff:
- one approvalPolicy (or a requiresApproval list) covering group one
- a pre-flight budget { maxUsd } per run
- a storage adapter so every step is journaled
4. For each gated tool, one sentence on why it is irreversible.
5. Stop. Show me the diff and wait for approval before applying anything.
In April 2026 an agent at PocketOS found an over-privileged token and took out the database and its backups in nine seconds (The Register). Here is that same agent, before and after an AI-audited adoption.
// broad token, runs unsupervised const agent = new Agent({ tools: [readLogs, deploy, dropDatabase], }); await agent.run(task); // one over-privileged call erased the // database and its backups in 9 seconds. // no pause. no record. no way back.
// same tools, wrapped once. logic unchanged. runtime.register(defineAgent({ name: 'ops', tools: [readLogs, { ...deploy, requiresApproval: true }, { ...dropDatabase, requiresApproval: true }], budget: { maxUsd: 2 } })); await runtime.run('ops', task); // the delete now pauses, journaled, with a // Slack ping out, going nowhere until a named // human says yes. blast radius: bounded.
The audit flagged deploy and dropDatabase as irreversible, proposed the two gates and a $2 cap, and opened it as a diff. A human read it, approved it, and it applied. Nothing about the agent's reasoning changed. The only new thing is a boundary it cannot cross alone, and a journal that would have shown the attempt. That is the whole difference between a nine-second catastrophe and a paused run waiting for a signature.
Irreversible calls pause for a named human, enforced by the runtime, not by instructions the model can ignore.
An append-only journal per run. The audit trail is a side effect of running, not a feature you have to remember to wire up.
It is a wrapper. It adds no transitive dependencies and runs self-hosted. Remove it and you are exactly where you started, so adoption carries no lock-in.
Installing a library is the easy 20%. These are the runtime-level controls that make an agent safe to run unattended, the ones a security review actually checks for.
On-call needs to stop everything in seconds, and the EU AI Act (Art. 14) and FINRA's 2026 report require exactly that.
await runtime.cancelAll(); disableAgent('support', 'incident #42'); // or: nexus cancel-all --agent support
The quiet way human-in-the-loop agents die is a pause nobody answers. Watch the SLA and page someone.
watchStaleApprovals(runtime, { olderThanMs: 30 * 60_000, onStale: (run) => pd.page(run.id) }); // nexus runs --stale 30m
Scrub PII from the audit journal on the way out. The live record keeps real content so the run can still resume; pair with encryption-at-rest.
new NexusRuntime({ storage, redactStep: (t, d) => redactPii(d) });
Every incident below is public and cited. For each: what a durable, gated, budgeted runtime would have changed, and what it wouldn't. We include the caveats because credibility is the product.
requiresApproval cannot execute until a human decides, the runtime enforces the pause regardless of what the model believes. The deletion attempt would sit as a waiting_approval journal entry: visible, deniable, and evidence of exactly what the agent tried to do.halted_budget, resumable, journaled. The $81k week becomes a $50 halt and a notification. This is the capability our July 2026 competitive research could not find in any other open runtime we tested. And run tags attribute spend per customer or tenant, so "the bill doubled but nothing says who" stops being a question.INSERT of stolen secrets pauses for a human holding the actual context. Every call is journaled, so exfiltration attempts leave evidence. And the runtime adding the gates has zero dependencies to poison.Incidents compiled July 2026 from public reporting; each links its sources. None of these organizations are Nexus users, these are architectural analyses of public events, not testimonials.
Open an issue on GitHub, the maintainers respond, or start with the pitch deck for your stakeholders.
Talk to the maintainers → View the pitch deck