NEON-CITY/CosySim and the NEXUS project ARGUS, a toolkit for reverse-engineering web APIs, has been released as part of the CosySim project. It analyzes HAR captures, V8 heap snapshots, and JavaScript bundles to map undocumented endpoints, protocols, and feature flags, feeding data into CosySim's live systems. The tool emphasizes learning over exploitation and includes a Chrome DevTools Protocol bridge for real-time protocol mapping. ARGUS—Automated Reconnaissance & General-purpose Universal Surveyor.A first-class, target-agnostic toolkit for mapping any web application’s API surface, auth, feature flags, real-time protocols, and AI-agent internals — and feeding what it learns straight back into CosySim’s live systems. CosySim is local-first, but it doesn’t live in a vacuum. It talks to a lot of undocumented web APIs — Google’s batchexecute endpoints behind NotebookLM, Gemini, and AI Studio; startup WebSocket protocols; AI-agent platforms. ARGUS is the muscle that reverse-engineers those surfaces. It lives in scripts/argus/ https://github.com/nihilistau/CosySim/blob/master/scripts/argus and is The operating philosophy, straight from scripts/argus/README.md https://github.com/nihilistau/CosySim/blob/master/scripts/argus/README.md : Knowledge is the prize. We don’t exploit — we learn.Capture everything, decode offline, never modify live state until the surface is fully mapped. ARGUS is layered: a generic core toolkit, a CLI, an MCP server so local agents can drive it, and a set of specialized analyzers/decoders/discovery modules. Layer | Module | Role | |---|---|---| Core toolkit | scripts/argus/toolkit.py | scripts/argus/analyze.py har / heap / compare / heap-diff / dir / deep subcommands analyzers/har analyzer.py analyzers/heap analyzer.py decoders/ batchexecute , grpc web , heap diffing discovery/ rpcid detector , feature flag probe , proto reconstructor , endpoint registry cdp bridge.py , network monitor.py argus mcp server.py nexus sink.py , rpcid mapper.py One captured browsing session yields every request/response pair, headers, cookies, timing, and bodies. HARAnalyzer auto-detects the protocol REST, GraphQL, gRPC-web, batchexecute , WebSocket upgrades and groups endpoints by service, decoding JWTs and pattern-matching API keys along the way. python -m scripts.argus.analyze har capture.har --report → Markdown intel report python -m scripts.argus.analyze compare loggedout.har admin.har diff roles to find gated endpoints V8 heap snapshots contain every string the JS runtime has interned — compiled-in config, unused API routes, internal gRPC service names, RPC IDs, and secrets that never transit the wire. Two engines run over them: a regex scanner with 100+ patterns mine heap and a full V8 graph walker mine heap deep that reconstructs objects and script sources. python -m scripts.argus.analyze heap snapshot.heapsnapshot python -m scripts.argus.analyze heap-diff before.heap after.heap isolate strings a single action introduced The classifier buckets strings into URLs, API endpoints, method names, service paths, RPC IDs, and credential-shaped tokens — covering JWTs, K8s .svc.cluster.local addresses, STUN/TURN servers, Statsig caches, protobuf definitions, and leaked model reasoning. A minified SPA bundle holds the entire app logic. decompile bundle extracts feature-gate enums, API route strings, environment variables VITE / NEXT PUBLIC / REACT APP , CI/CD paths, and monitoring DSNs. In one documented run, the bundle revealed 17× more URL paths than live traffic — most endpoints gate features the current user can’t reach. cdp bridge.py is a full async Chrome DevTools Protocol client Chrome on --remote-debugging-port=9223 . It enables programmatic JS execution, localStorage feature-flag injection, network capture, and WebSocket frame interception — the only way to map real-time protocols, since HAR captures only the HTTP upgrade, not the frames. python from scripts.argus.toolkit import cdp eval, inject statsig gates cdp eval "document.title", cdp port=9223 inject statsig gates "https://app.example.com", {"some gate": True} ARGUS is explicit about the distinction that matters most: client-only vs server-enforced.Flipping a Statsig gate in localStorage reveals UI, but if the endpoint checks the flag server-side, every call still 403s. Every finding is tagged accordingly — see the security-assessment checklist in the methodology guide. This is what makes ARGUS part of CosySim rather than a bolt-on scanner. Discoveries don’t sit in a report — they flow back into the running framework: HAR / heap / bundle │ decode offline ▼ rpcid detector ── compares live traffic against the known baseline │ new rpcid? ├──────────────► ArgusNexusSink → Nexus KMS category="argus" │ store new rpcid + add qa → agents query via nexus search │ └──────────────► RpcidUpdater engine/integrations/rpcid updater.py writes config/nlm rpcids.yaml + data/nlm rpc registry.json → live NLM/Gemini ops pick up new rpcids at call time When Google rotates an NLM/Gemini frontend build and rpcids change, a fresh capture run through ARGUS re-discovers them, RpcidUpdater patches both the YAML source-of-truth and the JSON runtime cache, and get rpcid resolves the new value on the next call — no code change, no redeploy. Meanwhile ArgusNexusSink files every new rpcid, endpoint, and feature flag into Nexus KMS as both a knowledge entry and a Q&A pair, so any agent can ask “what is rpcid X?” and get the answer ARGUS learned. Recon becomes institutional memory. Because ARGUS ships an in-process MCP server argus mcp server.py , FastMCP/SSE on :8010 and the CDP capabilities are also registered as MCP skills, local LMStudio agents can run reconnaissance themselves — screenshot a page and ask a vision model what it sees, navigate, click, fill, intercept. The same toolkit a human runs from the CLI is callable by an autonomous agent inside the MCP interceptor pipeline. The methodology is distilled from 370+ exploration sessions against two real targets — a voice-AI platform and a text-AI platform with a virtual OS. Headline numbers full reports in data/argus/reports/ : Metric | Target A voice | Target B text + virtual OS | |---|---|---| | API methods discovered | 53 | 20+ | | Feature flags mapped | 27 gates, 14 configs | — | | JWTs decoded | 3 | 2 | | Internal IPs found | 3 | 2 K8s | | Sub-agents extracted | 0 | 5 | | Apps / tools mapped | 0 | 12 | | Chain-of-thought fragments | 0 | 15+ | | Protobuf schemas reconstructed | 0 | 1 | | Security findings | 14 | — | python -m scripts.argus.analyze har path/to/file.har --report any HAR → report python -m scripts.argus.analyze heap path/to/file.heapsnapshot any heap snapshot python -m scripts.argus.analyze deep path/to/captures/ full automated pipeline Whenever you hand CosySim a HAR file, a heap snapshot, or a web app, ARGUS is meant to run automatically — that’s the standing convention in the project. The thirteen techniques HAR, heap, bundle, flags, CDP, WebSocket, tokens, profile CRUD, env mapping, security assessment, agent orchestration, chain-of-thought, schema extraction are written up as step-by-step playbooks you can borrow for any target. CosySim’s third pillar alongside games and services is creation : a set of tools that turn natural-language intent into game-ready assets and even entire scenes — all running on local hardware. Three things make it distinctive: AssetStudioCore.generate asset type, params routes images, portraits, voice, video, items, SVG and audio through a single, flag-gated orchestrator. @skill an agent can call, and a /api/inject to scene route lets an asset flow straight from generation into a live scene’s static folder with a hot-reload socket event. Agents create content All inference is local: image/video/portrait via ComfyUI :8188 , voice via theTTS manager, and LLM-assisted items/SVG + the VL quality inspector viaLMStudio :1234 . Nothing leaves the machine. The Asset Studio scene content/scenes/asset studio/ is a Flask/Socket.IO front end over engine/asset studio/ . The architectural heart is AssetStudioCore engine/asset studio/studio core.py , a singleton that owns the whole lifecycle: python from engine.asset studio import get studio core core = get studio core result = core.generate "portrait", {"character id": "aria", "mood": "happy"} → routes to PortraitGenerator → registers in AssetLibrary → caches to Nexus → emits asset generated over Socket.IO → returns {url, prompt, asset id, ...} generate does five things in order: route to the right generator lazy-loaded from GENERATOR MAP , register the result in the SQLite asset library, optionally cache metadata to Nexus KMS, emit an asset generated socket event for live scenes, and return a normalized dict. Every asset type is gated by config feature flags so a deployment can disable, say, video or adult content without touching code: Asset type | Generator | Backend | Required flag s | |---|---|---|---| image | ImageGenerator | ComfyUI | asset studio.comfyui enabled | portrait | PortraitGenerator | ComfyUI + PortraitCache | asset studio.comfyui enabled | video | VideoGenerator | ComfyUI Wan 2.2 | comfyui enabled + video enabled | voice | VoiceGenerator | TTS manager | asset studio.tts enabled | item | ItemGenerator | LMStudio + ComfyUI icon | asset studio.lms enabled | svg | SvgGenerator | LMStudio | asset studio.lms enabled | audio | AudioGenerator | synthesized | — always on | core.health rolls up live status of ComfyUI /system stats , the TTS backends, LMStudio readiness, and per-type library counts — exactly the kind of monitoring hook the project’s conventions require. AssetLibrary engine/asset studio/asset library.py is a thread-safe SQLite catalogue data/asset library.db . Every generated asset is registered with full provenance — asset type , scene , character id , mood , preset id , the exact positive/negative prompt , duration ms , a cached flag, and JSON metadata — and indexed by type/scene/character/recency. It supports filtered+paginated list assets , full-text search over title/prompt, favorites, bulk delete, and stats . Because the prompt and preset are stored, any asset is reproducible. Generators don’t take raw prompts. PromptBuilder prompt builder.py composes them from a subject , a scene-context template penthouse, lounge, tavern, casino, neoncity, arena, … , a mood modifier 14 moods from neutral to seductive , and style/negative tags from a StylePreset . Portraits additionally pull a character’s physical description from Nexus KMS get nexus client .ask ... so a portrait actually looks like the character. PresetManager ships 8 built-in presets — dark renaissance the v1.58 default , cyberpunk , fantasy , noir , anime , photorealistic , pixel art , minimal — and users can store custom presets in Nexus. WorkflowManager workflow manager.py is the full ComfyUI client: node/model discovery via /object info cached 5 min , capability checks has node "FaceDetailer" , priority-based select model , and the complete queue → poll /history → download outputs lifecycle — all degrading gracefully when ComfyUI is offline. The graphs themselves are built dynamically by workflow builder.py , which exposes 15 professional workflows in WORKFLOW REGISTRY each with label, category, resolution, speed, and requires nodes for capability gating : portrait fast , portrait hires auto-selected when FaceDetailer + UltralyticsDetectorProvider are present , portrait refiner dual-pass: base → 1.5× upscale → img2img refiner . scene background widescreen cinematic , character card full-body 832×1216 , message image 8-step Lightning . UnetLoaderGGUF + two-stage KSamplerAdvanced : video wan t2v , video wan i2v , video wan landscape , video wan portrait fast , video wan character hq — e.g. 272×352 portrait, 105 frames @16fps ~6.5s .LoRA stacking is handled by composable chain helpers build lora chain for SDXL, build video lora chain for Wan , and portraits push their result URL into PortraitCache so live scenes display the new art immediately. This is the part worth borrowing. WorkflowManager.check image quality base64-encodes a generated image, sends it to a local Qwen3-VL model via LMStudio, and parses a structured verdict: { "score": 0-10, "issues": , "strengths": , "suggestion": "..." } The TuningEngine tuning engine.py builds on this to do automated parameter search . You give it a base param set and a sweep {"cfg": 1.0, 1.5, 2.0 , "steps": 8, 20 } ; it generates the Cartesian product of variants in a background thread, scores each with Qwen3-VL, persists every run to a metrics DB data/asset studio/tuning metrics.db , and picks the best variant by VL score falling back to fastest on ties . It ships with 6 “proven profiles” seeded from real working ComfyUI exports e.g. proven portrait fast : lcm/exponential, cfg 1.5, 20 steps, Lightning 8-step LoRA , and get best settings workflow id returns the top-N tuned param sets from history. The result is a studio that learns which settings produce good images on your models — no human eyeballing a grid. Content creation here is built for autonomous agents as a first-class user: asset studio skills.py registers generate image , generate portrait , generate voice , create game item , generate svg , list assets , and studio health as @skill -decorated functions categories MEDIA / GAME / SYSTEM , with cooldowns and costs — so any CharacterAgent governed by the MCP pipeline can create assets mid-conversation. IMAGE:prompt stream tag means an LLM can emit an image request inline in its reply and have it rendered. POST /api/inject to scene copies a generated asset into content/scenes/{scene}/static/img/ and emits scene asset updated for live reload — closing the loop from If the Asset Studio makes the contents , the Creation Kit content/scenes/creation kit/ makes the containers . It’s a visual, drag-and-drop scene editor backed by engine/creation/ : component registry.py — asset hint metadata so portrait/image components know to pull from the Asset Studio. Reuse over reinvention: components render the same markup the hand-built scenes use. data/layouts/ , with live preview and pre-shipped rebuilds of real scenes tavern, grid, arena, lounge, casino plus templates chat room, dashboard, shop, dungeon, terminal, … . export helpers turn a layout into a working scene, and create scene scene template.py scaffolds the directory control plane registry.py and config/launcher.yaml — so an exported scene is immediately launchable via python launcher.py