An ultra-fast, automated security auditor for your codebase.
Euxis verifies code the way a human security auditor would — except in under three minutes — and ships a Sigstore-signed evidence pack any regulator can verify offline.
When a software team needs to prove their app meets SOC 2, ISO 27001, NIST, OWASP, or any of fourteen other frameworks, they normally pay a human expert to spend weeks reading code, running checks, and writing reports. Euxis is a single binary you drop into your CI pipeline: every time the code changes, it runs the same audit a human would, and emits a tamper-proof, regulator-ready evidence pack.
The evidence pack is a Sigstore Bundle v0.3 — an in-toto Statement v1 wrapped in a SLSA v1.2 provenance predicate, DSSE-signed with Ed25519, and bundled with the SARIF findings, CycloneDX 1.6 + SPDX 3.0.1 SBOMs, and OpenVEX exception document. A verifier (auditor, regulator, SOC) checks the chain offline with euxis verify or any sigstore-compatible tool — no contact to a vendor service required. See docs/evidence-packs/anatomy.md for the full anatomy and docs/evidence-packs/verifying-a-bundle.md for the verification run-book.
The same engine ships as an embeddable C++23 SDK across sixteen libraries, so teams building agentic verification systems can wire it directly into their own product — see Embedding euxis in C++ below.
| Phrase you'll see | What it actually means |
|---|---|
| Cryptographically-signed evidence pack | A tamper-proof digital receipt. Guarantees to regulators that the audit results are real and haven't been faked. Re-run the same audit next quarter against the same code: same bytes, same digest. |
| Native speed / C++23 static binary | One clean binary that runs instantly. No Python runtime to warm up, no per-turn JIT lag, no interpreter in the agent loop. |
| Swarm of agents | A group of AI assistants working simultaneously to read and test different parts of your code, coordinated by a single controller. |
| FinOps router | A smart budget manager. Routes easy tasks to cheap models (Ollama, Haiku) and hard tasks to expensive ones (Opus, GPT-5), so you don't overpay. |
| A2A v0.2 agent meshes | A standardised wire protocol that lets independent agents trade tasks. Open spec; not Euxis-specific. |
| CI pipeline integration | Drop it into GitHub Actions / GitLab CI / Jenkins. Runs every time someone pushes code. Fails the build if a compliance gate breaks. |
| Forensic mode | The deepest review mode (euxis review --forensic). Adds supply-chain audit, dependency provenance, and admission-policy enforcement. ~3 minutes vs ~45 seconds for triage. |
euxis triage . # 45-second bounded scan
euxis check . # standard verification, ~3 min
euxis review . --forensic # forensic depth + supply-chain audit
euxis certify-readiness . --framework soc2 # SOC 2 readiness report
euxis sbom . --format=both # CycloneDX 1.6 + SPDX 3.0.1
euxis slopsquatting . # LLM-hallucinated-package guard
euxis attest evidence.tar.gz # Sigstore-signed evidence bundle
euxis verify evidence.tar.gz.sigstore.json # offline signature check
euxis cache stats # incremental scan cachePipe the output into your CI gate, or hand the evidence pack to a regulator. See docs/compliance/cra.md for the EU Cyber Resilience Act mapping and docs/compliance/dora.md for DORA / TLPT.
Getting started
- Install — prerequisites, build, verify
- Quick start — first verification in five minutes
- Ten-minute tour —
vulndb+sbom+ multi-agent triage, with the actual output
Command surface
- Core commands — daily-driver verbs
- Command groups — the full eight groups
SDK / Library reference
- Embedding euxis in C++ — the SDK example
- Public libraries — sixteen-library matrix
- Build options — CMake feature flags
- Provider strategy — FinOps router defaults
Evidence and compliance
- Anatomy of an evidence pack — bundle layout, top to bottom
- Verifying a bundle — operational run-book
- EU Cyber Resilience Act mapping — CRA Article 13 / 14
- DORA / TLPT mapping — financial-services workflow
- Benchmark methodology — how the scan + evidence numbers are measured
Operational
- Architecture — directory layout at a glance
- Why this approach? — design rationale
- Building from source — make targets
- Benchmarks — two harnesses, two jobs
- Documentation — all reference docs
- Contributing
- License
Choose one of three paths. The first is the recommended default; the build-from-source path stays available for developers.
curl -fsSL https://raw.githubusercontent.com/sebastienrousseau/euxis/main/scripts/release/install.sh | shDetects the platform, downloads the matching tarball from the GitHub Release, verifies the SHA-256, optionally verifies the cosign keyless signature if cosign is on PATH, and drops the binary at ~/.local/bin/euxis. Set EUXIS_VERSION=v0.1.x to pin a specific tag, or EUXIS_INSTALL_DIR=/usr/local/bin to install system-wide.
| Channel | Install |
|---|---|
| Homebrew (personal tap) | brew tap sebastienrousseau/tap && brew install euxis |
Debian / Ubuntu (.deb) |
curl -fsSL -O https://github.com/sebastienrousseau/euxis/releases/latest/download/euxis-linux-amd64.deb && sudo dpkg -i euxis-linux-amd64.deb |
RHEL / Fedora / openSUSE (.rpm) |
sudo rpm -i https://github.com/sebastienrousseau/euxis/releases/latest/download/euxis-linux-amd64.rpm |
| Docker (GHCR, multi-arch) | docker run --rm ghcr.io/sebastienrousseau/euxis:latest --version |
The .deb / .rpm packages and the multi-arch Docker image are produced by .github/workflows/release.yml on every v* tag push, signed via Sigstore keyless OIDC, and attested with GitHub-native SLSA build provenance.
Build from source when you need an unreleased commit, want a custom build mode (sanitizers, gbench, GUI), or are running a platform without a pre-built tarball (FreeBSD, NixOS, Windows-native).
| Tool | Minimum | Check |
|---|---|---|
| CMake | 3.28 | cmake --version |
| C++ compiler | GCC 14+ or Clang 18+ | g++ --version or clang++ --version |
| Git | 2.x | git --version |
| libsodium | 1.0.18+ | pkg-config --modversion libsodium |
| SQLite | 3.x | sqlite3 --version |
Optional, only when the corresponding feature is enabled:
| Tool | Required by | Install |
|---|---|---|
| Qt6 | apps/etx desktop GUI |
brew install qt / pacman -S qt6-base |
| Doxygen | EUXIS_BUILD_DOCS=ON (default ON) |
pacman -S doxygen graphviz |
| Google Benchmark | fetched automatically when EUXIS_BUILD_GBENCH=ON |
— |
| Platform | Command |
|---|---|
| macOS (Homebrew) | brew install cmake gcc libsodium sqlite |
| Ubuntu / Debian / WSL2 | sudo apt update && sudo apt install -y cmake g++-14 git libsodium-dev libsqlite3-dev |
| Arch / CachyOS | sudo pacman -S cmake gcc git libsodium sqlite |
git clone https://github.com/sebastienrousseau/euxis.git ~/.euxis
cd ~/.euxis
make cpp-build # Release + LTO, parallel
make cpp-test # ctest, all suites
sudo ln -sf ~/.euxis/cmake-build/apps/cli/euxis-cli /usr/local/bin/euxiseuxis doctoreuxis triage . # 45-second bounded triage
euxis check . # standard verification, ~3 min
euxis review . --forensic # forensic depth + supply-chain audit
euxis certify-readiness . --framework soc2 # SOC 2 readiness report
euxis compare . # triage vs deep, side-by-side
euxis stats --last 5 # recent metrics + drift historyThe triage path is bounded for CI. The full review path is bounded for human review. The certification path emits a reproducible evidence pack.
For a step-by-step tour with real output — doctor, vulndb query, sbom --enrich, and the multi-agent verdict — see docs/getting-started.md.
The Core group is the daily-driver surface. Aliases map to the canonical command.
| Command | Alias | What it does |
|---|---|---|
euxis check [target] |
— | Standard verification. The default mode. |
euxis triage [target] |
euxis quick |
Fast bounded triage, ~45 seconds. |
euxis review [target] |
euxis deep |
Deep verification, standard or --forensic. |
euxis certify-readiness [target] --framework <name> |
— | Certification readiness across 18 domains. |
euxis compare <target> |
— | Diff triage results against deep verification. |
euxis stats |
euxis metrics |
Validation metrics + drift history. |
euxis policy <subcommand> |
— | Policy inspection and enforcement. |
euxis playbook <name> |
euxis pb |
Run a multi-step verification pipeline. |
euxis combo run <pipeline> "<goal>" |
— | Multi-agent execution graph. |
euxis doctor |
euxis diag |
Environment diagnostics. |
Euxis ships sixty commands across eight groups: Core, Lifecycle, System, Fleet, Knowledge, Infrastructure, Development, Specialized. The full inventory lives in docs/reference/cli-reference.md; euxis --help enumerates every command and flag at the terminal.
| Group | Headline commands |
|---|---|
| Core | check, triage, review, certify-readiness, compare, stats, policy, playbook, doctor |
| Lifecycle | session and run-state management |
| System | host inspection and configuration |
| Fleet | agent roster, routing, and assignment |
| Knowledge | corpus and reference data |
| Infrastructure | gateway and deployment surfaces |
| Development | development-only helpers (lint, fmt, format-check) |
| Specialized | targeted workflows for specific frameworks |
The same libraries the CLI uses ship as a public SDK under libs/. The minimal end-to-end example lives at docs/examples/cpp/a2a_minimal_server/ and builds an A2A v0.2 server handler in under 100 lines of C++23.
cmake -B cmake-build -DEUXIS_BUILD_EXAMPLES=ON
cmake --build cmake-build --target euxis_example_a2a_minimal_server
./cmake-build/docs/examples/cpp/a2a_minimal_server/euxis_example_a2a_minimal_serverExpected output is the full A2A task lifecycle: agent/card, capabilities/list, task/create, task/get, task/cancel, task/get again. See the example's own README.md for the annotated walk-through.
Sixteen static libraries ship from libs/. Link only what the application uses.
| Library | Public header | Purpose |
|---|---|---|
euxis-a2a-cpp |
<euxis/a2a/agent_card.hpp> |
A2A v0.2 protocol — cards, tasks, JSON-RPC server |
euxis-a2a-types-cpp |
<euxis/a2a/message.hpp> |
Shared message + transport types |
euxis-runtime-cpp |
<euxis/runtime/agent_session.hpp> |
Agent session, lifecycle, tool registry |
euxis-core-cpp |
<euxis/core/contracts.hpp> |
FinOps router, supervisor, swarm orchestrator |
euxis-crypto-cpp |
<euxis/crypto/aes_gcm.hpp> |
AES-256-GCM, Ed25519, BLAKE2b key derivation |
euxis-identity-cpp |
<euxis/identity/did.hpp> |
DID, ERC-8004 attestation, credentials |
euxis-network-cpp |
<euxis/network/mcp_client.hpp> |
MCP client, WebSocket transport, resilience |
euxis-bridge-cpp |
<euxis/bridge/admission.hpp> |
External-tool admission, audit, verification |
euxis-metrics-cpp |
<euxis/metrics/analyzer.hpp> |
mdspan telemetry, validation pipeline |
euxis-memory-cpp |
<euxis/memory/store.hpp> |
SQLite-backed persistent memory |
euxis-inference-cpp |
<euxis/inference/engine.hpp> |
Local inference via llama.cpp, ollama |
euxis-adapters-cpp |
<euxis/adapters/adapter.hpp> |
Outbound channel adapters (Slack, Discord, Telegram) |
euxis-security-cpp |
<euxis/security/errors.hpp> |
Threat detection, policy enforcement |
euxis-platform-cpp |
<euxis/platform/platform.hpp> |
OS abstraction (macOS, Linux, WSL2) |
euxis-publisher-cpp |
<euxis/publisher/publisher.hpp> |
Document rendering and export |
euxis-bench-cpp |
<euxis/bench/runner.hpp> |
Benchmark harness and result matrix |
The full API reference is generated by cmake --build cmake-build --target docs (requires doxygen; falls back to a no-op when absent). Output lands in cmake-build/docs/html/ styled with doxygen-awesome-css.
All optional features are off by default unless noted. Enable only what the application needs.
| Option | Default | What it enables |
|---|---|---|
EUXIS_BUILD_EXAMPLES |
OFF |
First-party SDK examples under docs/examples/cpp/ |
EUXIS_BUILD_GBENCH |
OFF |
Google Benchmark statistical harness for the performance suite |
EUXIS_BUILD_DOCS |
ON |
Doxygen API reference target (auto-skips if doxygen absent) |
EUXIS_NATIVE_ARCH |
OFF |
Use -march=native for dev builds |
EUXIS_COVERAGE |
OFF |
Enable gcov instrumentation |
EUXIS_DISABLE_SANITIZERS |
OFF |
Skip ASan/UBSan in debug builds |
# Example: examples + statistical bench + documentation
cmake -B cmake-build \
-DCMAKE_POLICY_VERSION_MINIMUM=3.5 \
-DEUXIS_BUILD_EXAMPLES=ON \
-DEUXIS_BUILD_GBENCH=ONEuxis routes inference work to the optimal provider based on task class. The mapping is configurable per environment via data/config/provider_strategy.json and overridable at runtime through environment variables.
| Task class | Default provider | Fallbacks |
|---|---|---|
| Research / synthesis | OpenAI | Gemini, Claude |
| Coding / architecture / audit | Claude | Gemini, Ollama |
| Deep research / security | Gemini | OpenAI, Claude |
| Private / local | Ollama | — |
| Surgical edits | Aider | Claude, Ollama |
| Terminal automation | Kiro | ShellGPT, Claude |
Environment overrides: EUXIS_DEFAULT_RESEARCH_PROVIDER, EUXIS_DEFAULT_CODING_PROVIDER, EUXIS_DEFAULT_SECURITY_PROVIDER.
The FinOpsRouter in libs/core/src/router.cpp picks within each class using a Structure-of-Arrays scoring loop — branchless, SIMD-vectorizable, deterministic. The swarm priority cycles through providers via an atomic round-robin counter.
apps/ Application layer
cli/ Command-line interface — 60 commands, 8 groups
etx/ Qt6 desktop GUI — 17 screens
gateway/ HTTP/WebSocket server
publisher/ Document rendering engine
libs/ SDK layer — 16 static libraries
a2a/ A2A v0.2 protocol implementation
a2a-types/ Shared message and transport types
adapters/ Outbound channel adapters
bench/ Benchmark harnesses (custom + optional Google Benchmark)
bridge/ CLI bridge for external-tool execution + admission
core/ FinOps router, supervisor, swarm orchestrator
crypto/ AES-256-GCM, Ed25519, BLAKE2b, Argon2id
identity/ DID, ERC-8004 attestation, credential management
inference/ Local inference via llama.cpp, ollama
memory/ Persistent memory store, SQLite-backed
metrics/ mdspan telemetry, fast collector, validation pipeline
network/ MCP client, WebSocket transport, resilience patterns
platform/ OS abstraction (macOS, Linux, WSL2)
publisher/ Document export
runtime/ Agent session, lifecycle, tool manifest, validator
security/ Threat detection, policy enforcement, errors
data/ Configuration, agent prompts, playbooks, docs
docs/ Documentation site sources + SDK examples
Euxis is a multi-agent code certification CLI built native, not a wrapper around an interpreted runtime. The implementation is C++23 throughout — header files use std::expected for error handling (61 sites across libs/), std::mdspan for metric collection, and concepts for adapter interfaces. The same binary runs the entire agent loop in-process: no Python startup, no JIT warm-up, no per-turn marshalling cost.
Three architectural choices motivate the rewrite from interpreted equivalents:
-
Cryptographic provenance is in the hot path. Every verification carries an Ed25519 attestation. The AES-256-GCM context (
libs/crypto/aes_gcm.hpp) caches the key schedule once and amortizes it across calls — measured at 1.54 GiB/s on x86_64-v3 versus 1.50 GiB/s for the simple API, with both well above the 50,000 ops/sec SLO target. Interpreted runtimes pay the schedule per call. -
A2A is first-class, not glued on.
libs/a2aimplements the v0.2 protocol surface end-to-end — agent cards, validation, JSON-RPC server, HTTP and WebSocket transports, msgpack binary serialization at 30 M ops/sec. The minimum-viable embedding is the SDK example atdocs/examples/cpp/a2a_minimal_server/main.cpp. -
No dynamic plugin loading. Every library under
libs/is statically linked into the apps that use it. Configuration changes never require relinking, but the capability surface of any euxis binary is determined entirely at build time. This is a feature for an audit tool: builds are deterministic and reproducible, and a verification cannot be silently extended by a runtime-loaded plugin.
The trade-off is that euxis does not match the plugin-loader ergonomics of personal-AI-assistant frameworks (OpenClaw, Hermes Agent). That is intentional — the product is verification, not extensibility.
make cpp-configure # CMake configure (Release, LTO, _FORTIFY_SOURCE=3)
make cpp-build # Build all targets
make cpp-test # Run test suite (ctest)
make cpp-clean # Remove build artifacts
make cpp-format # clang-format pass
make cpp-coverage # Build with coverage (requires gcovr, lcov)
make cpp-clang-tidy # Static analysisOverride parallelism with make cpp-build CPP_BUILD_JOBS=8. The repository pins -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to accommodate vendored third-party CMake files that predate the modern minimum-version policy.
Two complementary harnesses ship with euxis. See libs/bench/README.md for the full guide.
| Harness | Use for | Output |
|---|---|---|
Custom (euxis-bench-cpp) |
CI smoke tests against hardcoded SLO targets across five suites | JSON via ResultMatrix |
Google Benchmark (euxis_perf_gbench, opt-in) |
Statistical analysis of the performance suite; trend tracking |
benchmark:: console / JSON / CSV |
Initial run on GCC 16 / x86_64-v3 (euxis_perf_gbench --benchmark_min_time=0.1s):
| Benchmark | Time | Throughput |
|---|---|---|
BM_CryptoThroughput_Simple |
0.640 us | 1.50 GiB/s |
BM_CryptoThroughput_Cached |
0.622 us | 1.54 GiB/s |
BM_KeyDerivation_FastPath |
0.203 us | — |
BM_AgentCardMsgpackRoundTrip |
33.1 ns | 30.3 M ops/sec |
Synthetic microbenchmarks measure library overhead, not user-visible performance. Before optimizing a hot path that a bench identifies, profile a real euxis-cli workload (perf record euxis-cli triage .) and confirm the function appears in the production call graph.
| Guide | Content |
|---|---|
| Quick start | Clone to verified, in five minutes |
| User guide | Complete CLI reference and modes |
| CLI reference | Every command, flag, and example |
| Fleet guide | Agent roster and routing |
| Bench harnesses | Custom vs. Google Benchmark, when to use which |
| SDK example | Minimal A2A v0.2 server |
| API reference | Build locally: cmake --build cmake-build --target docs |
Hosted documentation lives at sebastienrousseau.github.io/euxis.
Issues and pull requests are welcome. See CONTRIBUTING.md for the development setup, commit-signing policy, and review process. All commits must be cryptographically signed.
For sweeping changes (formatting passes, warning-flip drives, coverage drives), open an issue first to align on scope before sending a PR.
Security disclosures: see SECURITY.md for the coordinated-disclosure policy.
AGPL-3.0 — see LICENSE.
Euxis v0.1.3 · euxis.co