{"slug": "neon-city-cosysim-and-the-nexus-project", "title": "NEON-CITY/CosySim and the NEXUS project", "summary": "ARGUS, a toolkit for reverse-engineering web APIs, has been released as part of the CosySim project. It analyzes HAR captures, V8 heap snapshots, and JavaScript bundles to map undocumented endpoints, protocols, and feature flags, feeding data into CosySim's live systems. The tool emphasizes learning over exploitation and includes a Chrome DevTools Protocol bridge for real-time protocol mapping.", "body_md": "ARGUS—Automated Reconnaissance & General-purpose Universal Surveyor.A first-class, target-agnostic toolkit for mapping any web application’s API surface, auth, feature flags, real-time protocols, and AI-agent internals — and feeding what it learns straight back into CosySim’s live systems.\n\nCosySim is local-first, but it doesn’t live in a vacuum. It talks to a lot of undocumented web APIs — Google’s `batchexecute`\n\nendpoints behind NotebookLM, Gemini, and AI Studio; startup WebSocket protocols; AI-agent platforms. ARGUS is the muscle that reverse-engineers those surfaces. It lives in [ scripts/argus/](https://github.com/nihilistau/CosySim/blob/master/scripts/argus) and is\n\nThe operating philosophy, straight from [ scripts/argus/README.md](https://github.com/nihilistau/CosySim/blob/master/scripts/argus/README.md):\n\nKnowledge is the prize. We don’t exploit — we learn.Capture everything, decode offline, never modify live state until the surface is fully mapped.\n\nARGUS is layered: a generic core toolkit, a CLI, an MCP server so local agents can drive it, and a set of specialized analyzers/decoders/discovery modules.\n\nLayer |\nModule |\nRole |\n|---|---|---|\nCore toolkit |\n`scripts/argus/toolkit.py` |\n\n`scripts/argus/analyze.py`\n\n`har`\n\n/ `heap`\n\n/ `compare`\n\n/ `heap-diff`\n\n/ `dir`\n\n/ `deep`\n\nsubcommands`analyzers/har_analyzer.py`\n\n`analyzers/heap_analyzer.py`\n\n`decoders/`\n\n`batchexecute`\n\n, `grpc_web`\n\n, `heap_diffing`\n\n`discovery/`\n\n`rpcid_detector`\n\n, `feature_flag_probe`\n\n, `proto_reconstructor`\n\n, `endpoint_registry`\n\n`cdp_bridge.py`\n\n, `network_monitor.py`\n\n`argus_mcp_server.py`\n\n`nexus_sink.py`\n\n, `rpcid_mapper.py`\n\nOne captured browsing session yields every request/response pair, headers, cookies, timing, and bodies. `HARAnalyzer`\n\nauto-detects the protocol (REST, GraphQL, gRPC-web, `batchexecute`\n\n, WebSocket upgrades) and groups endpoints by service, decoding JWTs and pattern-matching API keys along the way.\n\n```\npython -m scripts.argus.analyze har capture.har --report # → Markdown intel report\npython -m scripts.argus.analyze compare loggedout.har admin.har # diff roles to find gated endpoints\n```\n\nV8 heap snapshots contain *every string the JS runtime has interned* — compiled-in config, unused API routes, internal gRPC service names, RPC IDs, and secrets that never transit the wire. Two engines run over them: a regex scanner with **100+ patterns** (`mine_heap`\n\n) and a full V8 graph walker (`mine_heap_deep`\n\n) that reconstructs objects and script sources.\n\n```\npython -m scripts.argus.analyze heap snapshot.heapsnapshot\npython -m scripts.argus.analyze heap-diff before.heap after.heap # isolate strings a single action introduced\n```\n\nThe classifier buckets strings into URLs, API endpoints, method names, service paths, RPC IDs, and credential-shaped tokens — covering JWTs, K8s `*.svc.cluster.local`\n\naddresses, STUN/TURN servers, Statsig caches, protobuf definitions, and leaked model reasoning.\n\nA minified SPA bundle holds the *entire* app logic. `decompile_bundle()`\n\nextracts feature-gate enums, API route strings, environment variables (`VITE_*`\n\n/ `NEXT_PUBLIC_*`\n\n/ `REACT_APP_*`\n\n), CI/CD paths, and monitoring DSNs. In one documented run, the bundle revealed **17× more URL paths than live traffic** — most endpoints gate features the current user can’t reach.\n\n`cdp_bridge.py`\n\nis a full async Chrome DevTools Protocol client (Chrome on `--remote-debugging-port=9223`\n\n). It enables programmatic JS execution, `localStorage`\n\nfeature-flag injection, network capture, and **WebSocket frame interception** — the only way to map real-time protocols, since HAR captures only the HTTP upgrade, not the frames.\n\n``` python\nfrom scripts.argus.toolkit import cdp_eval, inject_statsig_gates\ncdp_eval(\"document.title\", cdp_port=9223)\ninject_statsig_gates(\"https://app.example.com\", {\"some_gate\": True})\n```\n\nARGUS is explicit about the distinction that matters most:\n\nclient-only vs server-enforced.Flipping a Statsig gate in`localStorage`\n\nreveals UI, but if the endpoint checks the flag server-side, every call still 403s. Every finding is tagged accordingly — see the security-assessment checklist in the methodology guide.\n\nThis is what makes ARGUS *part of* CosySim rather than a bolt-on scanner. Discoveries don’t sit in a report — they flow back into the running framework:\n\n```\nHAR / heap / bundle\n │ decode offline\n ▼\n rpcid_detector ── compares live traffic against the known baseline\n │ new rpcid?\n ├──────────────► ArgusNexusSink → Nexus KMS (category=\"argus\")\n │ store_new_rpcid() + add_qa() → agents query via nexus_search\n │\n └──────────────► RpcidUpdater (engine/integrations/rpcid_updater.py)\n writes config/nlm_rpcids.yaml + data/nlm_rpc_registry.json\n → live NLM/Gemini ops pick up new rpcids at call time\n```\n\nWhen Google rotates an NLM/Gemini frontend build and rpcids change, a fresh capture run through ARGUS re-discovers them, `RpcidUpdater`\n\npatches both the YAML source-of-truth and the JSON runtime cache, and `get_rpcid()`\n\nresolves the new value on the next call — no code change, no redeploy. Meanwhile `ArgusNexusSink`\n\nfiles every new rpcid, endpoint, and feature flag into Nexus KMS as both a knowledge entry and a Q&A pair, so any agent can ask *“what is rpcid X?”* and get the answer ARGUS learned. Recon becomes institutional memory.\n\nBecause ARGUS ships an in-process MCP server (`argus_mcp_server.py`\n\n, FastMCP/SSE on `:8010`\n\n) and the CDP capabilities are also registered as MCP skills, **local LMStudio agents can run reconnaissance themselves** — screenshot a page and ask a vision model what it sees, navigate, click, fill, intercept. The same toolkit a human runs from the CLI is callable by an autonomous agent inside the MCP interceptor pipeline.\n\nThe methodology is distilled from 370+ exploration sessions against two real targets — a voice-AI platform and a text-AI platform with a virtual OS. Headline numbers (full reports in `data/argus/reports/`\n\n):\n\nMetric |\nTarget A (voice) |\nTarget B (text + virtual OS) |\n|---|---|---|\n| API methods discovered | 53 | 20+ |\n| Feature flags mapped | 27 gates, 14 configs | — |\n| JWTs decoded | 3 | 2 |\n| Internal IPs found | 3 | 2 (K8s) |\n| Sub-agents extracted | 0 | 5 |\n| Apps / tools mapped | 0 | 12 |\n| Chain-of-thought fragments | 0 | 15+ |\n| Protobuf schemas reconstructed | 0 | 1 |\n| Security findings | 14 | — |\n\n```\npython -m scripts.argus.analyze har path/to/file.har --report # any HAR → report\npython -m scripts.argus.analyze heap path/to/file.heapsnapshot # any heap snapshot\npython -m scripts.argus.analyze deep path/to/captures/ # full automated pipeline\n```\n\nWhenever you hand CosySim a HAR file, a heap snapshot, or a web app, ARGUS is meant to run *automatically* — that’s the standing convention in the project. The thirteen techniques (HAR, heap, bundle, flags, CDP, WebSocket, tokens, profile CRUD, env mapping, security assessment, agent orchestration, chain-of-thought, schema extraction) are written up as step-by-step playbooks you can borrow for any target.\n\nCosySim’s third pillar (alongside *games* and *services*) is **creation**: a set of tools that turn natural-language intent into game-ready assets and even entire scenes — all running on local hardware. Three things make it distinctive:\n\n`AssetStudioCore.generate(asset_type, params)`\n\n) routes images, portraits, voice, video, items, SVG and audio through a single, flag-gated orchestrator.`@skill`\n\nan agent can call, and a `/api/inject_to_scene`\n\nroute lets an asset flow straight from generation into a live scene’s static folder with a hot-reload socket event. Agents create content All inference is local: image/video/portrait via\n\nComfyUI(`:8188`\n\n), voice via theTTS manager, and LLM-assisted items/SVG + the VL quality inspector viaLMStudio(`:1234`\n\n). Nothing leaves the machine.\n\nThe Asset Studio scene (`content/scenes/asset_studio/`\n\n) is a Flask/Socket.IO front end over `engine/asset_studio/`\n\n. The architectural heart is `AssetStudioCore`\n\n(`engine/asset_studio/studio_core.py`\n\n), a singleton that owns the whole lifecycle:\n\n``` python\nfrom engine.asset_studio import get_studio_core\ncore = get_studio_core()\nresult = core.generate(\"portrait\", {\"character_id\": \"aria\", \"mood\": \"happy\"})\n# → routes to PortraitGenerator → registers in AssetLibrary → caches to Nexus\n# → emits `asset_generated` over Socket.IO → returns {url, prompt, asset_id, ...}\n```\n\n`generate()`\n\ndoes five things in order: **route** to the right generator (lazy-loaded from `_GENERATOR_MAP`\n\n), **register** the result in the SQLite asset library, optionally **cache** metadata to Nexus KMS, **emit** an `asset_generated`\n\nsocket event for live scenes, and **return** a normalized dict. Every asset type is gated by config feature flags so a deployment can disable, say, video or adult content without touching code:\n\nAsset type |\nGenerator |\nBackend |\nRequired flag(s) |\n|---|---|---|---|\n`image` |\n`ImageGenerator` |\nComfyUI | `asset_studio.comfyui_enabled` |\n`portrait` |\n`PortraitGenerator` |\nComfyUI + PortraitCache | `asset_studio.comfyui_enabled` |\n`video` |\n`VideoGenerator` |\nComfyUI (Wan 2.2) | `comfyui_enabled` + `video_enabled` |\n`voice` |\n`VoiceGenerator` |\nTTS manager | `asset_studio.tts_enabled` |\n`item` |\n`ItemGenerator` |\nLMStudio + ComfyUI icon | `asset_studio.lms_enabled` |\n`svg` |\n`SvgGenerator` |\nLMStudio | `asset_studio.lms_enabled` |\n`audio` |\n`AudioGenerator` |\nsynthesized | — (always on) |\n\n`core.health()`\n\nrolls up live status of ComfyUI (`/system_stats`\n\n), the TTS backends, LMStudio readiness, and per-type library counts — exactly the kind of monitoring hook the project’s conventions require.\n\n`AssetLibrary`\n\n(`engine/asset_studio/asset_library.py`\n\n) is a thread-safe SQLite catalogue (`data/asset_library.db`\n\n). Every generated asset is registered with full provenance — `asset_type`\n\n, `scene`\n\n, `character_id`\n\n, `mood`\n\n, `preset_id`\n\n, the exact positive/negative `prompt`\n\n, `duration_ms`\n\n, a `cached`\n\nflag, and JSON `metadata`\n\n— and indexed by type/scene/character/recency. It supports filtered+paginated `list_assets()`\n\n, full-text search over title/prompt, favorites, bulk delete, and `stats()`\n\n. Because the prompt and preset are stored, any asset is reproducible.\n\nGenerators don’t take raw prompts. `PromptBuilder`\n\n(`prompt_builder.py`\n\n) composes them from a **subject**, a **scene-context template** (penthouse, lounge, tavern, casino, neoncity, arena, …), a **mood modifier** (14 moods from `neutral`\n\nto `seductive`\n\n), and **style/negative tags** from a `StylePreset`\n\n. Portraits additionally pull a character’s physical description from Nexus KMS (`get_nexus_client().ask(...)`\n\n) so a portrait actually looks like the character. `PresetManager`\n\nships 8 built-in presets — `dark_renaissance`\n\n(the v1.58 default), `cyberpunk`\n\n, `fantasy`\n\n, `noir`\n\n, `anime`\n\n, `photorealistic`\n\n, `pixel_art`\n\n, `minimal`\n\n— and users can store custom presets in Nexus.\n\n`WorkflowManager`\n\n(`workflow_manager.py`\n\n) is the full ComfyUI client: node/model discovery via `/object_info`\n\n(cached 5 min), capability checks (`has_node(\"FaceDetailer\")`\n\n), priority-based `select_model()`\n\n, and the complete **queue → poll /history → download outputs** lifecycle — all degrading gracefully when ComfyUI is offline.\n\nThe graphs themselves are built dynamically by `workflow_builder.py`\n\n, which exposes **15 professional workflows** in `WORKFLOW_REGISTRY`\n\n(each with label, category, resolution, speed, and `requires_nodes`\n\nfor capability gating):\n\n`portrait_fast`\n\n, `portrait_hires`\n\n(auto-selected when `FaceDetailer`\n\n+ `UltralyticsDetectorProvider`\n\nare present), `portrait_refiner`\n\n(dual-pass: base → 1.5× upscale → img2img refiner).`scene_background`\n\n(widescreen cinematic), `character_card`\n\n(full-body 832×1216), `message_image`\n\n(8-step Lightning).`UnetLoaderGGUF`\n\n+ two-stage `KSamplerAdvanced`\n\n):`video_wan_t2v`\n\n, `video_wan_i2v`\n\n, `video_wan_landscape`\n\n, `video_wan_portrait_fast`\n\n, `video_wan_character_hq`\n\n— e.g. 272×352 portrait, 105 frames @16fps (~6.5s).LoRA stacking is handled by composable chain helpers (`_build_lora_chain`\n\nfor SDXL, `_build_video_lora_chain`\n\nfor Wan), and portraits push their result URL into `PortraitCache`\n\nso live scenes display the new art immediately.\n\nThis is the part worth borrowing. `WorkflowManager.check_image_quality()`\n\nbase64-encodes a generated image, sends it to a local **Qwen3-VL** model via LMStudio, and parses a structured verdict:\n\n```\n{ \"score\": 0-10, \"issues\": [], \"strengths\": [], \"suggestion\": \"...\" }\n```\n\nThe `TuningEngine`\n\n(`tuning_engine.py`\n\n) builds on this to do **automated parameter search**. You give it a base param set and a sweep (`{\"cfg\": [1.0, 1.5, 2.0], \"steps\": [8, 20]}`\n\n); it generates the Cartesian product of variants in a background thread, scores each with Qwen3-VL, persists every run to a metrics DB (`data/asset_studio/tuning_metrics.db`\n\n), and picks the **best variant by VL score** (falling back to fastest on ties). It ships with **6 “proven profiles”** seeded from real working ComfyUI exports (e.g. `proven_portrait_fast`\n\n: lcm/exponential, cfg 1.5, 20 steps, Lightning 8-step LoRA), and `get_best_settings(workflow_id)`\n\nreturns the top-N tuned param sets from history. The result is a studio that learns which settings produce good images on *your* models — no human eyeballing a grid.\n\nContent creation here is built for autonomous agents as a first-class user:\n\n`asset_studio_skills.py`\n\nregisters `generate_image`\n\n, `generate_portrait`\n\n, `generate_voice`\n\n, `create_game_item`\n\n, `generate_svg`\n\n, `list_assets`\n\n, and `studio_health`\n\nas `@skill`\n\n-decorated functions (categories `MEDIA`\n\n/`GAME`\n\n/`SYSTEM`\n\n, with cooldowns and costs) — so any `CharacterAgent`\n\ngoverned by the MCP pipeline can create assets mid-conversation.`[IMAGE:prompt]`\n\nstream tag means an LLM can emit an image request inline in its reply and have it rendered.`POST /api/inject_to_scene`\n\ncopies a generated asset into `content/scenes/{scene}/static/img/`\n\nand emits `scene_asset_updated`\n\nfor live reload — closing the loop from If the Asset Studio makes the *contents*, the **Creation Kit** (`content/scenes/creation_kit/`\n\n) makes the *containers*. It’s a visual, drag-and-drop scene editor backed by `engine/creation/`\n\n:\n\n`component_registry.py`\n\n) — `asset_hint`\n\nmetadata so portrait/image components know to pull from the Asset Studio. Reuse over reinvention: components render the same markup the hand-built scenes use.`data/layouts/`\n\n), with live preview and pre-shipped rebuilds of real scenes (tavern, grid, arena, lounge, casino) plus templates (chat room, dashboard, shop, dungeon, terminal, …).`export_*`\n\nhelpers turn a layout into a working scene, and `create_scene()`\n\n(`scene_template.py`\n\n) scaffolds the directory `control_plane_registry.py`\n\nand `config/launcher.yaml`\n\n— so an exported scene is immediately launchable via `python launcher.py `\n\nand even gets a generated test file.`character_wizard.py`\n\n: Archetype → Appearance → Voice → Stats → Story → Memory Seed) exposed over `/api/wizard/*`\n\n, producing a fully registered `CharacterAgent`\n\nwith personality, backstory, and seeded RAG memories — ready to drop into any scene.`/api/assets/combined`\n\nmerges the Asset Studio library and the creation `asset_registry`\n\n, so a builder picks from everything generated across the project.Every scene ships with a hand-crafted **Dark Renaissance** UI kit. A sample of the 12 design kits that drive the live scenes:\n\nPlus 18 game scenes in all — Club Noir, The Colosseum, The Velvet Pit, The Rusty Anchor, The Obscura, The Shattered Throne, The Lab, The Arcade, Lab Break, Cyberspace, The Auction House, and more — each a live local-agent simulation. Run\n\n`python launcher.py --list`\n\nto see every target.\n\n```\nengine/ core: lmstudio · nexus · world · agents · mcp · skills · training · observability · integrations\ncontent/ scenes/ (35 targets) · shared/ (Neon HUD v2, design system)\napps/ standalone entry points + multi-protocol proxy + unified CLI surface\nscripts/ argus/ (recon toolkit) · oracle.py · smart_test.py · browser_test.py\nconfig/ default.yaml (+ example secret templates)\ndocs/ deep-dive documentation — start at docs/INDEX.md\ntests/ pytest suite (plain assert, mocked external services)\n```\n\nArea |\nDoc |\n|---|---|\n| Index of everything |\n`docs/INDEX.md` |\n\n`docs/ARCHITECTURE.md`\n\n`docs/MCP_FRAMEWORK.md`\n\n`docs/NEXUS.md`\n\n`docs/OPERATIONS.md`\n\n`docs/ARGUS_METHODOLOGY.md`\n\n`docs/DESIGN_SYSTEM_V2.md`\n\n`CHANGELOG.md`\n\nLarge parts of CosySim — including this README — were produced through **agentic coding**: fleets of AI agents reading the codebase, designing changes, implementing them across disjoint files, and verifying their own work with tests. The project is deliberately structured to be legible to both people and agents (consistent docstrings, version-stamped change logs, an observability spine in the Oracle, and a knowledge base that compounds). If you’re exploring what agent-built software can look like, this whole repository is the example.\n\nSee [ LICENSE](https://github.com/nihilistau/CosySim/blob/master/LICENSE). Built to be learned from and borrowed — take what’s useful.", "url": "https://wpnews.pro/news/neon-city-cosysim-and-the-nexus-project", "canonical_source": "https://discuss.huggingface.co/t/neon-city-cosysim-and-the-nexus-project/176853#post_4", "published_at": "2026-06-16 08:43:09+00:00", "updated_at": "2026-06-16 08:53:47.813603+00:00", "lang": "en", "topics": ["developer-tools", "ai-agents", "ai-research"], "entities": ["Google", "NotebookLM", "Gemini", "AI Studio", "Statsig", "Chrome DevTools Protocol", "CosySim", "ARGUS"], "alternates": {"html": "https://wpnews.pro/news/neon-city-cosysim-and-the-nexus-project", "markdown": "https://wpnews.pro/news/neon-city-cosysim-and-the-nexus-project.md", "text": "https://wpnews.pro/news/neon-city-cosysim-and-the-nexus-project.txt", "jsonld": "https://wpnews.pro/news/neon-city-cosysim-and-the-nexus-project.jsonld"}}