AI needs to be safe
and governed.
Start at the foundation. We open-sourced it.
The AlphaBitCore Nexus AI Gateway governs the bottom two layers of the AlphaBitCore stack — network and models. Every enterprise LLM call intercepted, every provider selection policy-checked, every prompt audited, every model invocation routed through one compliance engine. We believe these foundation layers should belong to the open-source community. Take them. Run them. Contribute.
One-click deploy via AWS Marketplace, or clone the repo and self-host. Both are free.
Network and models are the foundation. Secure those, at minimum.
Every enterprise AI deployment sits on a stack: network, models, tools, skills, workflows, agents. The higher layers are where the magic happens; the bottom two are where the leaks happen. Unsanctioned providers, shadow keys, untracked model spend, prompts that should never have left the perimeter, costs nobody can attribute. If you do nothing else, govern the foundation.
Goal-directed workers that plan, execute, and report under policy.
Multi-step procedures that orchestrate skills, tools, and models into governed pipelines.
Reusable, governed capabilities composed from tools and models.
MCPs, internal APIs, data systems — every effectful action.
Provider selection, routing, caching, and quota across hosted and self-hosted foundation models.
Where traffic to AI providers actually leaves your perimeter.
The AlphaBitCore Nexus AI Gateway covers the network and model layers and is fully open source. Tools, skills, workflows, and agents are governed by the full AlphaBitCore platform (AlphaBitCore Prime).
One compliance engine. One audit pipeline. Three pipes to choose from.
SDK, network, or OS.
AI Gateway intercepts OpenAI-shaped SDK traffic on /v1. Compliance Proxy intercepts arbitrary HTTPS at the network layer via transparent TLS bump. Desktop Agent intercepts at the OS layer (pf / iptables / WinDivert). Pick one or run all three — every pipe runs the same hooks pipeline.
Write OpenAI shape. Route to anything.
First-class codecs for OpenAI, Anthropic, Gemini, Vertex, Azure, Bedrock, Cohere, MiniMax, GLM, Replicate, and Voyage. OpenAI-compatible passthrough for DeepSeek, Moonshot, Mistral, Groq, Fireworks, Together, Perplexity, xAI, and HuggingFace.
Exact, semantic, in-flight.
Valkey-backed exact-match response cache. Semantic vector cache via valkey-search with poison guard and circuit breaker. In-flight singleflight folds concurrent identical prompts into one upstream call. Anthropic and Gemini provider-native cache accounting surfaced in billing.
Multi-axis budgets, real time.
Per-organization, per-virtual-key, per-provider, per-model budgets. Token or USD. Hard and soft limits. Sliding-window enforcement. Counters update on every event — no batch lag. Seven routing strategies: single, fallback, loadbalance, conditional, A/B split, policy, smart.
PII, classification, audit, kill-switch.
PII detection, data classification, keyword filtering, content safety, rate limiting, IP allowlists, request-size validation, webhook forwarders, per-stage audit, SIEM forwarding, three-tier kill switch, and emergency passthrough flags for break-glass.
IAM, virtual keys, OIDC, vault.
RBAC + ABAC with an NRN resource model. Virtual keys with per-key model scope. OIDC federation with JIT user provisioning. Organization / project hierarchy. AES-256-GCM credential vault with key rotation. Agent fleet management via Hub.
Governance is the differentiator — not raw speed.
We ran a reproducible, seven-gateway head-to-head on identical AWS hardware, then put the audit gateways through a 30-minute endurance soak with the database cut mid-run. One gateway forwards bytes faster than Nexus — as a bare proxy that keeps no record. Among gateways that durably audit under load, Nexus leads throughput. And when the database dropped, Nexus lost zero of nine million audit records.
The record has to survive the moment you need it most.
A 30-minute soak at 5,000 req/s, with the backend database cut for 30 seconds mid-run. Nexus lost nothing; the best-effort loggers shed most of theirs.
Records lost in a 30-minute endurance soak with the backend PostgreSQL stopped for 30 s at minute 15. Nexus persisted all 9,000,000 records. LiteLLM could not sustain 5,000 req/s (OOM at 1,000) and was soaked at 200 req/s — 25× lighter load — so its rate is not directly comparable.
Audit records lost in a 30-minute soak through a database outage — of 9,000,000.
Sustained governed throughput at the chat tier (median of five rounds), full zero-drop audit on.
Faster than Bifrost, the nearest gateway that also durably audits under load.
The honest, measured cost of inline PII + policy content scanning — opt in per route.
Sustained req/s on identical AWS c6i.4xlarge hardware against a shared instant mock upstream; the 550-token Nexus figure is the median of a five-round series. Nexus-authored, fully reproducible rig. agentgateway ran as a bare proxy with its request-log store disabled — its throughput is a pure-forwarding ceiling, not a governed comparison. Durability figures are from a separate 30-minute soak at 5,000 req/s with the backend database cut for 30 s mid-run.
The only gateway faster than Nexus keeps nothing
agentgateway led raw throughput (~2× Nexus) with its request-log store disabled — because enabling it exhausts memory at benchmark-scale rates. Read that number as a pure-forwarding ceiling with nothing persisted, not a governed gateway. Turn its audit on and it can't sustain the load.
Zero records lost through a database outage
In a 30-minute soak at 5,000 req/s with PostgreSQL cut for 30 seconds mid-run, Nexus persisted all 9,000,000 audit records. Bifrost's logging lost 83% (99% on streaming); LiteLLM ran out of memory at 1,000 req/s. Nexus recovers the outage by spilling to its on-disk buffer and replaying — the cut costs latency, not records.
Fastest of the gateways that actually audit
Among gateways that durably audit under load, Nexus leads: 39,754 req/s at the chat tier — the median of a five-round series — 72% ahead of Bifrost, the nearest such competitor, while carrying virtual-key auth, quota accounting, and full zero-drop audit on the hot path.
An honest, measured tradeoff
Turning on inline PII + policy content scanning (≈423 rules, full-body, request and response) costs roughly 30–51% of non-streaming throughput. We quantify it here rather than hide it — you opt into it per route. Full-body audit capture, separately, is nearly free because it happens off the request path.
Five Go services, one control console, one compliance pipeline.
AI Gateway (:3050), Compliance Proxy (:3128), Desktop Agent (local), Nexus Hub (:3060), Control Plane API (:3001), and a React UI (:3000) — the six services that make up the AlphaBitCore Nexus AI Gateway. Storage is PostgreSQL 16, Valkey 8, and NATS JetStream. The three intercept pipes are independent — each runs the full hooks pipeline on its own traffic — and the Agent can stamp an Ed25519-signed attestation so the Compliance Proxy skips re-MITM on traffic the Agent already governed.
- Apache 2.0 — fork it, vendor it, ship it
- Pre-GA · active development · public CI on main
- Go 1.25+, Node 20+, Docker; one-shot dev bootstrap script
- Self-host in your VPC, on-prem, or air-gapped
Foundation-layer governance shouldn't be a vendor lock-in.
Governing AI at the network and model layers is table stakes. Every enterprise should have an audited, policy-enforcing gateway in front of their LLM traffic and their provider selection — and it shouldn't matter whether they buy from us, build it themselves, or fork ours.
The full AlphaBitCore platform — Control Plane, EAC issuance, deterministic replay, the Investment & Wealth Workbench — is where we earn our living. The foundation layers are where the community deserves an open default.
The AlphaBitCore Nexus AI Gateway is shipped Apache 2.0. Run it standalone. Vendor it into your platform. Contribute back. When you're ready to govern the rest of the stack — tools, skills, workflows, agents — the upgrade path to AlphaBitCore Prime is in-place.
Take the foundation. The rest of the stack is here when you need it.
Deploy from the AWS Marketplace for one-click setup, or clone the repo and run ./scripts/dev-start.sh for a governed AI gateway covering network and model traffic running locally in minutes. When you're ready to extend governance to tools, skills, workflows, and agents, we sell three offerings.