Nexus

Nexus is the operations platform for the Noveria ecosystem. OpenClaw is an adapter-backed agent runtime, not a dependency of the frontend or domain model.

Current foundation

• Vue 3, TypeScript, Pinia, Vue Router and Tailwind CSS
• ASP.NET Core 10 REST API
• Entity Framework Core and PostgreSQL
• JWT owner authentication with rotating refresh sessions
• IAgentRuntime abstraction with an OpenClaw adapter
• IModelProvider abstractions for Ollama and NVIDIA
• Responsive dark-mode operations dashboard
• Container-only entry point on 127.0.0.1:18880

Local/container start

cp .env.example .env
# Replace every placeholder, especially POSTGRES_PASSWORD, JWT_KEY,
# OWNER_EMAIL and OWNER_PASSWORD.
docker compose up --build -d
curl http://127.0.0.1:18880/health

On an empty database the API creates exactly one owner from OWNER_EMAIL, OWNER_PASSWORD and OWNER_DISPLAY_NAME. The password must contain at least 14 characters. Existing databases are never overwritten by the bootstrap process.

The web service is loopback-only. Public reverse-proxy activation for nexus.noveria.net remains a separate infrastructure change and must terminate TLS before forwarding to port 18880.

Authentication

• Passwords use versioned PBKDF2-SHA256 hashes with random salts and 210,000 iterations.
• Access tokens expire after 15 minutes and are held only in browser memory.
• Refresh tokens are random, stored only as SHA-256 hashes in PostgreSQL, rotated on use and checked for reuse.
• The browser receives the refresh token only as a HttpOnly, Secure, SameSite=Strict cookie.
• Login and refresh endpoints are rate-limited per forwarded client IP.
• All /api/v1 operations routes require a valid access token; /health remains public.
• Swagger is enabled only in the Development environment.

Security

• Never commit .env.
• Generate JWT_KEY from at least 32 random bytes.
• Rotate any credential that has appeared in chat before using it.
• Do not expose PostgreSQL or the API container directly.
• Keep OpenClaw behind the IAgentRuntime contract.
• Keep the API reachable only through the bundled web proxy or another trusted reverse proxy.

Implemented Phase 1 modules

The SPA uses history-mode routes:

• /login owner login
• /dashboard operations snapshot
• /projects project portfolio
• /tasks task board
• /agents runtime and agent inventory
• /models provider routing status
• /activity audit timeline
• /chat mobile owner-chat preview
• /settings runtime and provider overview

The API currently exposes:

• POST /api/v1/auth/login
• POST /api/v1/auth/refresh
• POST /api/v1/auth/logout
• GET /api/v1/auth/me
• GET /api/v1/operations/snapshot
• GET|POST /api/v1/projects
• GET|POST /api/v1/tasks
• PATCH /api/v1/tasks/{id}/state
• GET /api/v1/activity
• GET /api/v1/agents
• GET /api/v1/models
• GET /health

Project and task mutations create activity records. The API applies committed EF Core migrations after PostgreSQL becomes healthy. No destructive endpoints are implemented.

Runtime chat and model routing

POST /api/v1/chat routes authenticated owner messages through the IAgentRuntime contract. The browser never receives a Gateway password or model provider key. Conversation IDs are stable per browser and Iris is the default agent target.

The configured model-routing policy is:

1. qwen3:4b through Ollama for routine and monitoring work
2. moonshotai/kimi-k2.6 through NVIDIA for primary work
3. gpt-5.5 through OpenClaw for strategic and critical review

The Settings module reports runtime and provider state without exposing credentials.