AlphaBitCore
AlphaBitCore Nexus AI Gateway · Apache 2.0 · Available on AWS Marketplace

AI needs to be safe
and governed.

Start at the foundation. We open-sourced it.

The AlphaBitCore Nexus AI Gateway governs the bottom two layers of the AlphaBitCore stack — network and models. Every enterprise LLM call intercepted, every provider selection policy-checked, every prompt audited, every model invocation routed through one compliance engine. We believe these foundation layers should belong to the open-source community. Take them. Run them. Contribute.

One-click deploy via AWS Marketplace, or clone the repo and self-host. Both are free.

The AI stackbottom → top
AgentsPrime
WorkflowsPrime
SkillsPrime
ToolsPrime
ModelsNexus AI Gateway · open source
NetworkNexus AI Gateway · open source
The AI stack

Network and models are the foundation. Secure those, at minimum.

Every enterprise AI deployment sits on a stack: network, models, tools, skills, workflows, agents. The higher layers are where the magic happens; the bottom two are where the leaks happen. Unsanctioned providers, shadow keys, untracked model spend, prompts that should never have left the perimeter, costs nobody can attribute. If you do nothing else, govern the foundation.

Agents
Prime

Goal-directed workers that plan, execute, and report under policy.

Workflows
Prime

Multi-step procedures that orchestrate skills, tools, and models into governed pipelines.

Skills
Prime

Reusable, governed capabilities composed from tools and models.

Tools
Prime

MCPs, internal APIs, data systems — every effectful action.

Models
Nexus AI Gateway

Provider selection, routing, caching, and quota across hosted and self-hosted foundation models.

Network
Nexus AI Gateway

Where traffic to AI providers actually leaves your perimeter.

The AlphaBitCore Nexus AI Gateway covers the network and model layers and is fully open source. Tools, skills, workflows, and agents are governed by the full AlphaBitCore platform (AlphaBitCore Prime).

What the AI Gateway does

One compliance engine. One audit pipeline. Three pipes to choose from.

Three intercept modes

SDK, network, or OS.

AI Gateway intercepts OpenAI-shaped SDK traffic on /v1. Compliance Proxy intercepts arbitrary HTTPS at the network layer via transparent TLS bump. Desktop Agent intercepts at the OS layer (pf / iptables / WinDivert). Pick one or run all three — every pipe runs the same hooks pipeline.

20 provider codecs

Write OpenAI shape. Route to anything.

First-class codecs for OpenAI, Anthropic, Gemini, Vertex, Azure, Bedrock, Cohere, MiniMax, GLM, Replicate, and Voyage. OpenAI-compatible passthrough for DeepSeek, Moonshot, Mistral, Groq, Fireworks, Together, Perplexity, xAI, and HuggingFace.

Multi-tier cache

Exact, semantic, in-flight.

Valkey-backed exact-match response cache. Semantic vector cache via valkey-search with poison guard and circuit breaker. In-flight singleflight folds concurrent identical prompts into one upstream call. Anthropic and Gemini provider-native cache accounting surfaced in billing.

Cost & quota control

Multi-axis budgets, real time.

Per-organization, per-virtual-key, per-provider, per-model budgets. Token or USD. Hard and soft limits. Sliding-window enforcement. Counters update on every event — no batch lag. Seven routing strategies: single, fallback, loadbalance, conditional, A/B split, policy, smart.

Compliance pipeline

PII, classification, audit, kill-switch.

PII detection, data classification, keyword filtering, content safety, rate limiting, IP allowlists, request-size validation, webhook forwarders, per-stage audit, SIEM forwarding, three-tier kill switch, and emergency passthrough flags for break-glass.

Enterprise governance

IAM, virtual keys, OIDC, vault.

RBAC + ABAC with an NRN resource model. Virtual keys with per-key model scope. OIDC federation with JIT user provisioning. Organization / project hierarchy. AES-256-GCM credential vault with key rotation. Agent fleet management via Hub.

Benchmarked · The Cost of Governance

Governance is the differentiator — not raw speed.

We ran a reproducible, seven-gateway head-to-head on identical AWS hardware, then put the audit gateways through a 30-minute endurance soak with the database cut mid-run. One gateway forwards bytes faster than Nexus — as a bare proxy that keeps no record. Among gateways that durably audit under load, Nexus leads throughput. And when the database dropped, Nexus lost zero of nine million audit records.

Realistic chat · 550-token prompts · non-streaming · sustained req/s
agentgatewaybare proxy · keeps no record76,421
Nexus AI Gateway39,754
Bifrost23,080
TensorZero21,735
Kong19,566
Portkey9,042
LiteLLM1,134

The record has to survive the moment you need it most.

A 30-minute soak at 5,000 req/s, with the backend database cut for 30 seconds mid-run. Nexus lost nothing; the best-effort loggers shed most of theirs.

30-min soak · 5,000 req/s · database cut for 30 s mid-runAudit records lost · lower is better
Nexus AI Gatewayzero-drop, spills to disk and replays00.0%
agentgatewaynear-lossless; store fails at higher rates710.0008%
Bifrostbest-effort logging · 99% lost on streaming7,482,91583.14%
LiteLLM25× lighter load · OOM at 1,000 req/s7,5372.09%

Records lost in a 30-minute endurance soak with the backend PostgreSQL stopped for 30 s at minute 15. Nexus persisted all 9,000,000 records. LiteLLM could not sustain 5,000 req/s (OOM at 1,000) and was soaked at 200 req/s — 25× lighter load — so its rate is not directly comparable.

0

Audit records lost in a 30-minute soak through a database outage — of 9,000,000.

39,754req/s

Sustained governed throughput at the chat tier (median of five rounds), full zero-drop audit on.

72%ahead

Faster than Bifrost, the nearest gateway that also durably audits under load.

30–51%

The honest, measured cost of inline PII + policy content scanning — opt in per route.

Sustained req/s on identical AWS c6i.4xlarge hardware against a shared instant mock upstream; the 550-token Nexus figure is the median of a five-round series. Nexus-authored, fully reproducible rig. agentgateway ran as a bare proxy with its request-log store disabled — its throughput is a pure-forwarding ceiling, not a governed comparison. Durability figures are from a separate 30-minute soak at 5,000 req/s with the backend database cut for 30 s mid-run.

The only gateway faster than Nexus keeps nothing

agentgateway led raw throughput (~2× Nexus) with its request-log store disabled — because enabling it exhausts memory at benchmark-scale rates. Read that number as a pure-forwarding ceiling with nothing persisted, not a governed gateway. Turn its audit on and it can't sustain the load.

Zero records lost through a database outage

In a 30-minute soak at 5,000 req/s with PostgreSQL cut for 30 seconds mid-run, Nexus persisted all 9,000,000 audit records. Bifrost's logging lost 83% (99% on streaming); LiteLLM ran out of memory at 1,000 req/s. Nexus recovers the outage by spilling to its on-disk buffer and replaying — the cut costs latency, not records.

Fastest of the gateways that actually audit

Among gateways that durably audit under load, Nexus leads: 39,754 req/s at the chat tier — the median of a five-round series — 72% ahead of Bifrost, the nearest such competitor, while carrying virtual-key auth, quota accounting, and full zero-drop audit on the hot path.

An honest, measured tradeoff

Turning on inline PII + policy content scanning (≈423 rules, full-body, request and response) costs roughly 30–51% of non-streaming throughput. We quantify it here rather than hide it — you opt into it per route. Full-body audit capture, separately, is nearly free because it happens off the request path.

Architecture in one minute

Five Go services, one control console, one compliance pipeline.

AI Gateway (:3050), Compliance Proxy (:3128), Desktop Agent (local), Nexus Hub (:3060), Control Plane API (:3001), and a React UI (:3000) — the six services that make up the AlphaBitCore Nexus AI Gateway. Storage is PostgreSQL 16, Valkey 8, and NATS JetStream. The three intercept pipes are independent — each runs the full hooks pipeline on its own traffic — and the Agent can stamp an Ed25519-signed attestation so the Compliance Proxy skips re-MITM on traffic the Agent already governed.

  • Apache 2.0 — fork it, vendor it, ship it
  • Pre-GA · active development · public CI on main
  • Go 1.25+, Node 20+, Docker; one-shot dev bootstrap script
  • Self-host in your VPC, on-prem, or air-gapped
Why we open-sourced it

Foundation-layer governance shouldn't be a vendor lock-in.

Governing AI at the network and model layers is table stakes. Every enterprise should have an audited, policy-enforcing gateway in front of their LLM traffic and their provider selection — and it shouldn't matter whether they buy from us, build it themselves, or fork ours.

The full AlphaBitCore platform — Control Plane, EAC issuance, deterministic replay, the Investment & Wealth Workbench — is where we earn our living. The foundation layers are where the community deserves an open default.

The AlphaBitCore Nexus AI Gateway is shipped Apache 2.0. Run it standalone. Vendor it into your platform. Contribute back. When you're ready to govern the rest of the stack — tools, skills, workflows, agents — the upgrade path to AlphaBitCore Prime is in-place.


Take the foundation. The rest of the stack is here when you need it.

Deploy from the AWS Marketplace for one-click setup, or clone the repo and run ./scripts/dev-start.sh for a governed AI gateway covering network and model traffic running locally in minutes. When you're ready to extend governance to tools, skills, workflows, and agents, we sell three offerings.