Nucleus MCP: Local-First AI Agent Security & Identity
Nucleus MCP: Local-first security & identity layer for AI agents. Git-native memory, intention-aware access controls, cross-tool context sync. No cloud nee
Purpose and Significance
Nucleus MCP represents a fundamental shift in how developers manage AI agent security and context persistence. Built as a local-first agentic operating system, Nucleus addresses a critical gap in the current AI development landscape: agents that operate without persistent memory, proper access controls, or cross-session identity. Rather than relying on cloud-based solutions that introduce latency and privacy concerns, Nucleus runs entirely on your local machine, giving AI agents like Cursor, Claude, and Windsurf a unified, sovereign identity layer. This architecture enables developers to build more sophisticated agentic workflows while maintaining complete control over security policies, execution history, and long-term memory—all stored directly in project repositories using Git-native patterns.
Key Features
- Hypervisor with Intention-Aware Security: Command approval system with real-time audit logging prevents agents from executing destructive operations without explicit consent. Resource locking ensures agents cannot modify critical files simultaneously.
- Engrams (Git-Native Long-Term Memory): Context and learned patterns persist across sessions and sync naturally with your version control workflow. Memory lives in your project repo, not a proprietary cloud database.
- Recursive Mounting: Orchestrate complex tool meshes connecting services like Stripe, Postgres, and custom APIs. Agents can compose multi-step workflows across integrated tools without manual configuration.
- Local-First Architecture: Zero cloud dependencies mean no data leaves your machine, eliminating latency and privacy concerns while enabling offline operation.
- Cross-Agent Identity: Single persistent identity layer syncs context between Cursor, Claude Desktop, and Windsurf, preventing redundant explanations across tools.
- Auto-Configuration: The nucleus-init command detects installed AI tools and automatically configures MCP server settings.
Getting Started
Installation begins with the nucleus-init setup command, which scans your system for compatible AI tools and generates appropriate configuration files. The system integrates with Claude Desktop, Cursor, and Windsurf through the Model Context Protocol standard. Once initialized, Nucleus operates as a background service managing agent permissions, memory persistence, and tool orchestration. Developers configure security policies through a declarative YAML format specifying which filesystem paths, network resources, and external services each agent can access. The engram system automatically captures valuable context—API patterns, project conventions, debugging insights—storing them as versioned artifacts in your .nucleus/ directory.
Configuration Example
Security policies define resource boundaries at the agent level. A typical configuration might restrict one agent to read-only filesystem access while allowing another to execute database migrations through mounted Postgres tools. The hypervisor enforces these boundaries at runtime, prompting for approval when agents attempt operations outside their granted permissions. Audit logs capture every command execution with timestamps, affected resources, and approval decisions, creating a complete security trail.
Who It's For
Nucleus MCP serves developers building production agentic workflows who need stronger guarantees around security, context persistence, and tool integration. Teams experimenting with autonomous coding assistants will find the hypervisor's approval system essential for preventing accidental destructive changes—the exact scenario that motivated Nucleus's creation when an agent deleted a critical Docker configuration. Prompt engineering practitioners benefit from engrams that preserve effective prompt patterns and learned project conventions across sessions. Engineering leads implementing AI-assisted development workflows gain audit trails and resource controls necessary for enterprise compliance requirements.
The local-first architecture particularly appeals to developers working with sensitive codebases, proprietary algorithms, or regulated data where cloud-based AI services introduce unacceptable risks. Freelancers and consultants managing multiple client projects appreciate the per-repository memory isolation, ensuring context from one engagement never leaks into another.
Architecture and Technical Design
Nucleus implements the Model Context Protocol specification, positioning itself as an MCP server that AI clients connect to for enhanced capabilities. The engram system leverages Git's content-addressable storage model to version memory artifacts alongside source code. When an agent learns a useful pattern—say, your team's preferred error handling approach—that knowledge gets serialized as a structured document, committed to version control, and becomes available to all agents accessing that repository.
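The Git-native memory described above depends on memory artifacts being written deterministically, so that the same learned pattern always maps to the same Git object and diffs reflect real changes only. The following is an added example (not Nucleus's engram format or code) showing one way to serialize such an artifact under a .nucleus/engrams/ directory and compute the blob id Git would assign to it; the field names and directory layout are assumptions made for this illustration.

```python
"""Added example of a Git-native memory artifact; this is not Nucleus's engram
format. The field names and the .nucleus/engrams/ layout are assumptions."""
import hashlib
import json
import os
from typing import Any, Dict, Tuple


def canonical_bytes(engram: Dict[str, Any]) -> bytes:
    """Deterministic serialization: sorted keys, fixed indentation, trailing newline.
    Identical knowledge then produces identical bytes, so Git deduplicates it and
    diffs show only real changes rather than key reordering."""
    text = json.dumps(engram, sort_keys=True, indent=2, ensure_ascii=False)
    return (text + "\n").encode("utf-8")


def git_blob_id(data: bytes) -> str:
    """The object id Git itself assigns to these bytes: SHA-1 over 'blob <size>\\0' + data."""
    header = b"blob %d\0" % len(data)
    return hashlib.sha1(header + data).hexdigest()


def write_engram(repo_root: str, name: str, engram: Dict[str, Any]) -> str:
    """Store one engram under .nucleus/engrams/ and return its Git blob id."""
    path = os.path.join(repo_root, ".nucleus", "engrams", name + ".json")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    data = canonical_bytes(engram)
    with open(path, "wb") as fh:
        fh.write(data)
    return git_blob_id(data)


def load_engram(repo_root: str, name: str) -> Tuple[Dict[str, Any], str]:
    """Read an engram back and re-derive its id so a caller can compare it with the
    id recorded when it was committed (a mismatch means the artifact was altered)."""
    path = os.path.join(repo_root, ".nucleus", "engrams", name + ".json")
    with open(path, "rb") as fh:
        data = fh.read()
    return json.loads(data.decode("utf-8")), git_blob_id(data)


# Constructed example engram: a learned project convention.
EXAMPLE_ENGRAM = {
    "kind": "convention",
    "topic": "error-handling",
    "summary": "Wrap external calls in Result types; never swallow exceptions.",
    "source": "reviewed in PR discussion (constructed example)",
}
```

Because the blob id is computed exactly the way Git computes it, `git hash-object` on the written file yields the same value, which lets a tool cross-check an engram against the repository history without a separate integrity store.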
The recursive mounting feature enables sophisticated tool composition. Rather than manually wiring together APIs, databases, and external services for each agent interaction, developers declare tool meshes that Nucleus automatically orchestrates. An agent might invoke a high-level "process payment" capability that Nucleus translates into a sequence of Stripe API calls, database updates, and notification dispatches—all managed through a single unified interface.
Security Model
The hypervisor operates as a mandatory access control layer between agents and system resources. Every filesystem operation, network request, and tool invocation passes through intention analysis that compares requested actions against granted permissions. When conflicts arise, Nucleus pauses execution and prompts the developer for approval, explaining what the agent intends to do and why. This human-in-the-loop approach balances agent autonomy with safety, preventing the "runaway agent" scenarios that plague unsupervised automation.
Integration Ecosystem
Nucleus supports the growing ecosystem of MCP-compatible tools emerging around the Model Context Protocol standard. Developers can mount database tools for Postgres and MySQL, API integrations for services like Stripe and Twilio, and custom internal tools following the MCP specification. The recursive mounting system handles dependency resolution—if a mounted tool requires another tool, Nucleus automatically provisions the dependency chain.
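The dependency resolution described above (a mounted tool that requires another tool has its whole chain provisioned) is, in essence, a depth-first ordering of a dependency graph. The block below is an added example, not Nucleus's resolver: it computes a provisioning order that rejects cycles and undeclared mounts, and then unions the permissions of everything in the chain, which is the set a reviewer should actually look at when granting a high-level mount. The mount names, edges and permission labels are constructed.

```python
"""Added example of resolving a recursive mount's dependency chain; not Nucleus's
own resolver. Mount names, edges and the permission labels are constructed."""
from typing import Dict, List, Set

# Constructed tool mesh: each mount names the mounts that must be provisioned first.
MOUNTS: Dict[str, List[str]] = {
    "process_payment": ["stripe", "postgres", "notify"],
    "stripe":          ["secrets"],
    "postgres":        ["secrets"],
    "notify":          ["twilio"],
    "twilio":          ["secrets"],
    "secrets":         [],
}

# Constructed per-mount permission footprint (what each mount needs at runtime).
MOUNT_PERMS: Dict[str, Set[str]] = {
    "process_payment": set(),
    "stripe":   {"net:api.stripe.com:443"},
    "postgres": {"net:db.internal:5432"},
    "notify":   set(),
    "twilio":   {"net:api.twilio.com:443"},
    "secrets":  {"fs:read:.nucleus/secrets"},
}


class MountError(Exception):
    """Raised for an unknown mount or a dependency cycle."""


def resolve(root: str, mounts: Dict[str, List[str]]) -> List[str]:
    """Provisioning order for `root`, dependencies first (depth-first post-order).

    A mount is listed once even if several mounts require it; a cycle or a
    reference to an undeclared mount aborts resolution instead of hanging.
    """
    order: List[str] = []
    state: Dict[str, str] = {}          # name -> "visiting" | "done"

    def visit(name: str, path: List[str]) -> None:
        if name not in mounts:
            needed_by = path[-1] if path else "(root)"
            raise MountError(f"unknown mount '{name}' required by {needed_by}")
        st = state.get(name)
        if st == "done":
            return
        if st == "visiting":
            raise MountError("dependency cycle: " + " -> ".join(path + [name]))
        state[name] = "visiting"
        for dep in mounts[name]:
            visit(dep, path + [name])
        state[name] = "done"
        order.append(name)

    visit(root, [])
    return order


def effective_permissions(root: str, mounts: Dict[str, List[str]],
                          perms: Dict[str, Set[str]]) -> Set[str]:
    """Union of permissions over the whole resolved chain: granting the high-level
    mount implicitly grants everything beneath it, so review this set, not the root's."""
    result: Set[str] = set()
    for name in resolve(root, mounts):
        result |= perms.get(name, set())
    return result
```

In this constructed mesh the top-level "process_payment" mount declares no permissions of its own, yet provisioning it reaches three network endpoints and the secrets store; that gap between what a mount declares and what its chain needs is exactly what the effective set makes visible.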
Current integrations focus on development workflows: filesystem access, Git operations, terminal command execution, and web search. The roadmap includes expanded AI infrastructure tooling for observability, testing frameworks, and deployment pipelines. Community contributions are adding mount points for popular services, with standardized patterns emerging for authentication, rate limiting, and error handling.
Community and Resources
The project maintains an active Discord community where developers share agent architectures, debug configuration issues, and contribute mount implementations for new tools. The team offers 1-on-1 architecture audits helping developers design secure agent workflows tailored to their specific use cases. Video demonstrations on YouTube walk through real-world scenarios like multi-agent refactoring tasks and complex tool orchestration patterns.
Technical documentation covers the engram serialization format, hypervisor policy syntax, and mount development guide for creating custom tool integrations. A detailed architecture deep-dive on Dev.to explains the design decisions behind Git-native memory and the security considerations for local agentic systems. The GitHub repository includes example configurations for common development scenarios and reference implementations demonstrating best practices.
Getting Involved
Developers can start by installing Nucleus and connecting their existing AI tools to experience persistent memory and security controls firsthand. The open-source codebase welcomes contributions ranging from mount implementations for new services to improvements in the hypervisor's intention detection algorithms. Early adopters are documenting their agent architectures and security policies, building a knowledge base of patterns for safe agentic development.
Source: Product Hunt launch page and official Nucleus OS documentation
Original Source
https://www.producthunt.com/products/nucleus-mcp?utm_campaign=producthunt-api&utm_medium=api-v2&utm_source=Application%3A+OpenClawIndex+%28ID%3A+272543%29