{"id":50990835,"url":"https://github.com/jpvelasco/nyx","last_synced_at":"2026-06-20T02:31:12.073Z","repository":{"id":361979567,"uuid":"1247924552","full_name":"jpvelasco/nyx","owner":"jpvelasco","description":"Validate live network behavior against a YAML intent spec — VLAN isolation, VPN routing, host discovery, DNS, and more.","archived":false,"fork":false,"pushed_at":"2026-06-17T07:23:03.000Z","size":880,"stargazers_count":0,"open_issues_count":3,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-17T09:17:15.587Z","etag":null,"topics":["cli","homelab","network-audit","npm","vlan"],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/package/nyx-audit-cli","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jpvelasco.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-05-24T00:51:11.000Z","updated_at":"2026-06-17T00:01:55.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/jpvelasco/nyx","commit_stats":null,"previous_names":["jpvelasco/nyx"],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/jpvelasco/nyx","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jpvelasco%2Fnyx","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jpvelasco%2Fnyx/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jpvelasco%2Fnyx/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jpvelasco%2Fnyx/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jpvelasco","download_url":"https://codeload.github.com/jpvelasco/nyx/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jpvelasco%2Fnyx/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34555494,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-20T02:00:06.407Z","response_time":98,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","homelab","network-audit","npm","vlan"],"created_at":"2026-06-20T02:31:10.190Z","updated_at":"2026-06-20T02:31:12.067Z","avatar_url":"https://github.com/jpvelasco.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/jpvelasco/nyx/actions/workflows/ci.yml\"\u003e\u003cimg src=\"https://github.com/jpvelasco/nyx/actions/workflows/ci.yml/badge.svg\" alt=\"CI\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/jpvelasco/nyx/releases/latest\"\u003e\u003cimg src=\"https://img.shields.io/github/v/release/jpvelasco/nyx\" alt=\"Release\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/jpvelasco/nyx/blob/main/LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/github/license/jpvelasco/nyx\" alt=\"License\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/jpvelasco/nyx/blob/main/go.mod\"\u003e\u003cimg src=\"https://img.shields.io/github/go-mod/go-version/jpvelasco/nyx\" alt=\"Go\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.npmjs.com/package/nyx-audit-cli\"\u003e\u003cimg src=\"https://img.shields.io/npm/v/nyx-audit-cli\" alt=\"npm\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n# nyx\n\nYour homelab should be doing what you think it's doing. **nyx** proves it.\n\nValidate your network behavior against a declared YAML intent model — VLAN isolation, VPN routing, host counts, route correctness — all verified with live network checks. When something drifts, nyx tells you exactly what changed and how to fix it.\n\nEvery command produces structured JSON for automation and AI agent consumption.\n\n**Install from npm:** [`nyx-audit-cli`](https://www.npmjs.com/package/nyx-audit-cli) — `npm install -g nyx-audit-cli`\n\n## Quick Start\n\n```bash\n# Install prebuilt binary (recommended)\nnpm install -g nyx-audit-cli\n\n# If npm blocked the postinstall script (Ubuntu 26+, hardened envs), just run nyx once —\n# it detects the missing binary and downloads it automatically. Or manually:\n#   node $(npm root -g)/nyx-audit-cli/install.js\n\n# Or build from source (requires Go 1.22+)\ngit clone https://github.com/jpvelasco/nyx.git \u0026\u0026 cd nyx \u0026\u0026 make build\n\n# Discover hosts on a subnet\nsudo nyx discover --subnet 10.0.10.0/24\n\n# Run a full audit from a spec file\nsudo nyx audit --spec examples/homelab.yaml\n\n# Check environment health\nnyx doctor\n```\n\n### Longer-Term Confidence\n\nOnce you've verified your network is behaving correctly, lock in that baseline. Future drift checks will show you exactly what changed — new failures, degradations, or fixes — so you can sleep at night knowing your segmentation and policies are still holding.\n\n```bash\n# After a clean audit, save the baseline from the persisted snapshot\nsudo nyx audit --spec examples/homelab.yaml\nnyx snapshot list\nnyx snapshot baseline ~/.nyx/snapshots/snapshot-YYYYMMDD-HHMMSS.json\n\n# Days or weeks later, re-audit and check drift\nsudo nyx audit --spec examples/homelab.yaml \u0026\u0026 nyx drift status\n```\n\nFor the full story of what this feels like on a real multi-VLAN homelab (including when things go wrong and drift catches it), see [docs/walkthrough.md](docs/walkthrough.md).\n\n## Prerequisites\n\n- **Go 1.22+** — to build from source\n- **nmap** — required for `discover` and `subnet_discovery` assertions\n\n  nyx does not bundle nmap. Install it for your platform:\n\n  | Platform | Command |\n  |----------|---------|\n  | Ubuntu/Debian | `sudo apt install nmap` |\n  | Fedora/RHEL | `sudo dnf install nmap` |\n  | Arch Linux | `sudo pacman -S nmap` |\n  | macOS | `brew install nmap` |\n  | Windows | `winget install nmap` |\n\n  If nmap is missing, `nyx doctor` will show the exact install command for your system.\n\n- Root/sudo — required for nmap subnet scans on some platforms\n\n## Commands\n\n| Command | Description | Backends Used |\n|---------|-------------|---------------|\n| `discover` | Discover hosts in a subnet via nmap ping sweep | nmap |\n| `check-routes` | Validate route and gateway to a target IP | system (ip route) |\n| `check-vpn` | Verify traffic routes through a VPN tunnel | system (ip route) |\n| `verify-isolation` | Check that a target is unreachable (isolation) | system (ping) |\n| `audit` | Run all assertions from a YAML spec file | nmap + system |\n| `doctor` | Check environment health and optional spec validation | all |\n| `provider` | Provider management (`list` subcommand) | all |\n| `omada` | Omada SDN vendor commands (`info`, `import`, `check`) | omada backend |\n| `opnsense` | OPNsense vendor commands (`info`, `import`, `check`) | opnsense backend |\n| `snapshot` | Manage audit history (`baseline`, `list`, `delete`, `clear-baseline`) | — |\n| `drift` | Detect drift in audit results (`status`, `compare`) | — |\n| `mcp serve` | Start MCP server for AI agent integration | all |\n| `version` | Print version | — |\n\n### Global Flags\n\n```\n--json            Output as JSON (available on all commands)\n--output \u003cpath\u003e   Write output to file instead of stdout\n--spec \u003cfile\u003e     Path to YAML spec file (used by audit)\n--verbose         Verbose output with additional evidence\n--timeout \u003cdur\u003e   Timeout for operations (default 60s)\n```\n\n## YAML Spec Format\n\nnyx validates your network against a declared intent model:\n\n```yaml\nversion: 1\nsite: home-lab\n\nnetworks:\n  - name: trusted\n    cidr: 10.0.10.0/24\n    gateway: 10.0.10.1\n    zone: trusted\n    vlan: 10\n  - name: iot\n    cidr: 10.0.60.0/24\n    gateway: 10.0.60.1\n    zone: iot\n    vlan: 60\n  # ... more VLANs\n\nvpn:\n  - name: home-wg\n    type: wireguard\n    interface: wg0\n    expected_routes:\n      - 10.0.0.0/8\n    mode: split-tunnel\n\npolicies:\n  - name: iot-to-trusted-deny\n    from: iot\n    to: trusted\n    action: deny\n\nassertions:\n  - type: subnet_discovery\n    network: trusted\n    expect_hosts_min: 10\n    expect_hosts_max: 30\n  - type: isolation\n    from: iot\n    to: trusted\n    expect: deny\n  - type: vpn_route\n    vpn: home-wg\n    target: 10.0.20.50\n    expect_tunnel: true\n  - type: route_check\n    target: 10.0.10.1\n```\n\nSee `examples/homelab.yaml` for the complete realistic 7-VLAN example used throughout this document.  \nSee the [full structured spec reference](docs/spec.html) (modern HTML).  \nSee `docs/walkthrough.md` for the full narrative — what it actually feels like to land on a complex network, hit real problems, get useful recommendations, and use drift to sleep better at night.\n\n### Assertion Types\n\n| Type | Description | Key Fields |\n|------|-------------|------------|\n| `subnet_discovery` | Count hosts in a network | `network`, `expect_hosts_min`, `expect_hosts_max` |\n| `isolation` | Verify zone-to-zone unreachability | `from`, `to`, `expect: deny` |\n| `vpn_route` | Check traffic routes through VPN | `vpn`, `target`, `expect_tunnel` |\n| `route_check` | Verify route exists to target | `target` |\n| `port_check` | Verify TCP ports are open | `target`, `ports`, `expect: open` |\n| `dns_check` | Verify DNS resolution | `query`, `expect_ip`, `server` |\n| `network_health` | Verify latency and packet loss | `target`, `expect_latency_ms`, `expect_loss_pct` |\n| `acl_check` | Verify controller policy enforcement | `provider`, `policy`, `expect: enforced` |\n\n## Exit Codes\n\n| Code | Meaning |\n|------|---------|\n| 0 | All checks passed |\n| 1 | One or more assertions failed |\n| 2 | Execution error or invalid configuration |\n| 3 | One or more warnings |\n\n## Snapshot \u0026 Drift Detection\n\nAfter a clean audit, save the result as a baseline:\n\n```bash\nnyx snapshot baseline\n```\n\nLater, after re-running an audit, check what changed:\n\n```bash\nnyx drift status\n```\n\nThe drift report shows new failures, degradations, fixes, and improvements with a clear net change summary. You can also restore a previous baseline from a saved snapshot:\n\n```bash\nnyx snapshot baseline ~/.nyx/snapshots/snapshot-20250601-140000.json\n```\n\n### Snapshot Commands\n\n| Command | Description |\n|---------|-------------|\n| `nyx snapshot baseline` | Set current audit as baseline |\n| `nyx snapshot baseline \u003cfile\u003e` | Restore baseline from saved snapshot |\n| `nyx snapshot list` | List all saved snapshots |\n| `nyx snapshot delete [name]` | Delete a snapshot (or all if no name given) |\n| `nyx snapshot clear-baseline` | Remove the current baseline |\n| `nyx drift status` | Compare latest audit against baseline |\n| `nyx drift compare \u003csnap1\u003e \u003csnap2\u003e` | Compare any two snapshots |\n\nSnapshots are stored in `~/.nyx/snapshots/` with automatic rotation at 50 snapshots.\n\n## MCP Server\n\nnyx includes a Model Context Protocol server for AI agent integration:\n\n```bash\nnyx mcp serve --transport stdio\n```\n\n### Claude Code Integration\n\nAdd to your MCP config:\n\n```json\n{\n  \"mcpServers\": {\n    \"nyx\": {\n      \"command\": \"/path/to/nyx\",\n      \"args\": [\"mcp\", \"serve\"]\n    }\n  }\n}\n```\n\n### Available MCP Tools\n\n| Tool | Description |\n|------|-------------|\n| `discover_subnet` | Discover hosts in a subnet (supports `scan_timing`, `scan_min_rate`) |\n| `check_routes` | Check route to a target — returns CheckResult |\n| `check_vpn` | Check VPN tunnel routing — returns CheckResult |\n| `verify_isolation` | Verify network isolation |\n| `run_audit` | Run full audit from spec |\n| `load_spec` | Load and validate a spec file |\n| `get_interfaces` | List network interfaces |\n| `ping_target` | Ping a target |\n| `run_doctor` | Check environment health + optional spec validation |\n| `provider_list` | List registered providers |\n\n## Providers\n\nnyx supports multiple network backends via a provider system. Vendors register at startup and expose vendor-specific commands.\n\n### List Providers\n\n```bash\nnyx provider list\n```\n\n### Omada SDN\n\nOmada provider supports Omada SDN controller 6.x. Pass your controller address (usually on your management VLAN):\n\n```bash\n# Example using a typical management IP\nnyx omada info --host 192.168.11.20\n\n# Generate spec from controller\nnyx omada import --host 192.168.11.20 --username admin --password password\n\n# Import and audit in one step\nnyx omada check --host 192.168.11.20 --username admin --password password --spec examples/homelab.yaml\n```\n\nCredentials can be passed via flags or env vars: `OMADA_HOST`, `OMADA_USERNAME`, `OMADA_PASSWORD`.\n\n### OPNsense\n\nOPNsense provider supports info, import, and check. Use your OPNsense address (typically the LAN or a management IP):\n\n```bash\n# Example using a typical management IP\nnyx opnsense info --host 192.168.11.1 --api-key \u003ckey\u003e --api-secret \u003csecret\u003e\n\n# Generate spec from OPNsense\nnyx opnsense import --host 192.168.11.1 --api-key \u003ckey\u003e --api-secret \u003csecret\u003e\n\n# Import and audit in one step\nnyx opnsense check --host 192.168.11.1 --api-key \u003ckey\u003e --api-secret \u003csecret\u003e --spec examples/homelab.yaml\n```\n\n## Project Structure\n\n```\nnyx/\n  cmd/nyx/              # CLI entry point\n  internal/\n    cli/                # Cobra command definitions\n    models/             # Result envelope, report types\n    intent/             # YAML spec loader and validation\n    audit/              # Audit engine\n    backends/\n      nmap/             # Nmap subprocess wrapper\n      system/           # Platform-specific system commands\n      omada/            # Omada SDN client (low-level)\n      batfish/          # Stub, planned for v2\n    providers/          # Provider interface + registry\n      omada/            # Omada provider (wraps backends/omada)\n      opnsense/         # OPNsense provider\n    mcp/                # MCP stdio server\n    report/             # Output renderers\n    recommendations/    # Failure analysis and remediation hints\n    snapshot/           # Audit history and drift detection\n    logger/             # JSON-lines rotating logger (~/.nyx/nyx.log)\n    version/            # Single-source version constant\n  examples/             # Example YAML specs\n  testdata/             # Test fixtures\n  .github/workflows/    # CI/CD\n```\n\n## Development\n\n```bash\nmake build    # Build binary\nmake test     # Run tests\nmake vet      # Run go vet\nmake clean    # Remove built binaries\nmake release  # Cross-compile for all platforms\n```\n\n## Platform Support\n\n| Platform | Status | Commands Used |\n|----------|--------|---------------|\n| Linux | Full support | `ip route`, `ip route get`, `ip addr show`, `ping -c -W`, `traceroute -n` |\n| macOS | Full support | `netstat -rn`, `route -n get`, `ifconfig`, `ping -c -t`, `traceroute -n` |\n| Windows | Full support | `route print`, `ping -n -w`, `tracert -d`, Go `net.Interfaces()` |\n\nAll three platforms cross-compile from any OS. Platform-specific code uses Go build tags.\n\n## Distribution \u0026 Releases\n\nOfficial binaries are published automatically on every `v*` tag via GitHub Releases.\n\n```bash\n# Build from source (recommended for development)\nmake build\n\n# Or install via npm (once a release exists)\nnpm install -g nyx-audit-cli\n```\n\nThe npm package (`nyx-audit-cli`) is a thin platform-aware wrapper that downloads the matching prebuilt binary from the GitHub Release.\n\nSee [CONTRIBUTING.md](.github/CONTRIBUTING.md) (or the release workflow) for the exact tagging process.\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjpvelasco%2Fnyx","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjpvelasco%2Fnyx","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjpvelasco%2Fnyx/lists"}