Show HN: Nucleus – enforced permission envelopes for AI agents (Firecracker)

I’ve been building Nucleus because most “agent security” is still policy-only: a config file that says “don’t do bad things,” while the agent can still do them.

Nucleus is an OSS experiment that pairs a small, compositional permission model with runtime enforcement: *side effects are only reachable through an enforcing tool proxy*, inside a Firecracker microVM. The envelope is *non-escalating*: it can only tighten or terminate, never silently relax.

What works today:

* MCP tool proxy with *read / write / run* (enforced inside the microVM)
* default-deny egress + DNS allowlist + iptables drift detection (fail-closed) on Linux
* time + budget caps enforced
* hash-chained audit log + HMAC approval tokens (scoped, expiring) for gated ops
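To make the three enforcement pieces above concrete (a non-escalating envelope, a hash-chained audit log, and scoped, expiring HMAC approval tokens), here is a constructed Python sketch added here; it is not Nucleus code, and the token format, field names and capability names are assumptions for illustration:

```python
import hashlib, hmac, json

CAPS = frozenset({"read", "write", "run"})

class Envelope:
    """Capability set that can only tighten or terminate, never widen."""
    def __init__(self, caps):
        self.caps = frozenset(caps) & CAPS
    def tighten(self, caps):
        # Intersection: asking to "tighten" to a superset adds nothing.
        self.caps &= frozenset(caps)
    def terminate(self):
        self.caps = frozenset()
    def allows(self, op):
        return op in self.caps

class AuditLog:
    """Append-only log; every entry's hash covers the previous hash plus its event."""
    GENESIS = "0" * 64
    def __init__(self):
        self.entries = []
    def _digest(self, prev, event):
        body = prev + json.dumps(event, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()
    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({"prev": prev, "event": event, "hash": self._digest(prev, event)})
    def verify(self):
        prev = self.GENESIS
        for e in self.entries:  # an edited, dropped or reordered entry breaks the chain
            if e["prev"] != prev or e["hash"] != self._digest(prev, e["event"]):
                return False
            prev = e["hash"]
        return True

def issue_token(key, op, target, expires_at):
    """Approval token bound to one op on one target, valid until expires_at (epoch seconds)."""
    msg = f"{op}|{target}|{expires_at}"
    return msg + "|" + hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def token_allows(key, token, op, target, now):
    """Accept only if the MAC verifies (constant time), the scope matches and it is unexpired."""
    try:
        t_op, t_target, t_exp, mac = token.split("|")
        expires_at = int(t_exp)
    except ValueError:
        return False
    expected = hmac.new(key, f"{t_op}|{t_target}|{t_exp}".encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(mac, expected) and t_op == op
            and t_target == target and now < expires_at)
```

A real deployment would keep the approval key outside the microVM and ship the log head to remote append-only storage; the sketch only shows the invariants each piece enforces.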

What’s missing (being upfront):

* web/search tools exist in the model but aren’t wired to MCP yet
* remote append-only audit storage + attestation are still roadmap
* early/rough; targeting “safe to run against sensitive codebases,” not “replace your local terminal”

Most of the code was written with Anthropic tools; I’ve been leaning on tests/fuzzing/proptests to keep it honest.

Would love feedback on: (1) dangerous capability combinations beyond the lethal trifecta, (2) what enforcement gaps you’d want closed first, (3) how you’d evaluate this vs gateway-only approaches.

URL: github.com