NextLevelApex is a security-focused macOS setup orchestrator for running repeatable workstation and DNS-stack tasks with drift detection, health tracking, diagnostics, and report generation.
- Developers automating macOS bootstrap and maintenance
- Operators managing local Cloudflared/Pi-hole workflows
- Teams that need repeatable CLI + API orchestration with auditability
- Canonical CLI orchestrator:
nextlevelapex/main2.py(exposed asnlx) - Compatibility shim for legacy module invocations:
nextlevelapex/main.py - Task registry and guarded discovery:
nextlevelapex/core/registry.py - State tracking and drift detection:
nextlevelapex/core/state.py - Atomic report generation:
nextlevelapex/core/report.py - API wrapper:
nextlevelapex/api/main.py(FastAPI) - Canonical web GUI (read-only v1):
dashboard/(Next.js)
The authoritative local-device DNS path for this Mac is:
This Mac -> 192.168.64.2 -> Pi-hole in Docker on Colima -> host.docker.internal#5053 -> host cloudflared on 127.0.0.1:5053 -> Cloudflare DoH
The canonical orchestrator entrypoint for that stack is the DNS Stack Setup task.
poetry run nlx --task "DNS Stack Setup" --no-reportsSupporting assumptions encoded in the repo:
192.168.64.2is the canonical Colima reachable resolver IP.- Pi-hole runs from a pinned image reference.
- cloudflared runs as a host LaunchAgent, not as a container.
- Pi-hole must use
host.docker.internal#5053as its sole upstream. - Local Unbound is not part of the canonical single-device path and should not remain installed on this Mac.
- Backup LaunchAgent artifacts such as
~/Library/LaunchAgents/com.local.doh.plist.bakare non-authoritative drift and should not remain on disk. - Legacy Unbound-based files under
docker/unbound/andtests/stack-sanity.share quarantined reference-only artifacts, not supported control paths for this Mac.
The canonical DNS Stack Setup task now handles exact-version cloudflared bootstrap deliberately:
- If the preferred binary at
/opt/homebrew/bin/cloudflaredalready matches the required version, the task reuses it. - If that binary is absent or version-mismatched, the task bootstraps the exact GitHub release asset for this Mac, caches the archive under
~/.cache/nextlevelapex/cloudflared/<version>/, and installs a stable exact-version binary link at~/.local/share/nextlevelapex/bin/cloudflared. - Bootstrapped archives are verified against the official Cloudflare GitHub release metadata SHA256 for the exact asset before extraction; if that metadata is temporarily unreachable, the task falls back to the repo-pinned SHA256 for the exact required asset so a pre-seeded archive can still be verified offline. Checksum mismatch or missing checksum still fails closed.
- The LaunchAgent is rendered against the exact binary path selected by the orchestrator, not whatever happens to be first in
PATH. - If the required release cannot be obtained or verified exactly, the task fails closed and reports the exact release URL and observed version drift in task evidence.
Recovery guidance:
- If
192.168.64.2is down when you runDNS Stack Setup, the task temporarily clears manual macOS DNS back to DHCP/defaults, repairs the canonical stack, then restores192.168.64.2only after direct validation passes. - Re-run
poetry run nlx --task "DNS Stack Setup" --no-reportsafter network/package issues are fixed. - If GitHub release download is blocked, place the exact required release where the task expects it or install that exact version at
/opt/homebrew/bin/cloudflared. A pre-seeded archive for the required asset can still be verified offline against the repo-pinned SHA256 for that exact release. - Do not use
docker/orchestrate.sh,docker/unbound/, ortests/stack-sanity.shto recover the canonical single-device stack. Those paths are legacy reference material only.
DNS Stack Sanity Check also audits:
- non-canonical host artifacts such as a lingering local Unbound install or backup LaunchAgent file
- explicit local browser DNS-over-HTTPS / TRR override settings in Chrome, Edge, and Firefox stores when those stores exist on this Mac, including Chromium browser-level
Local State
- Primary runtime target: macOS (Darwin)
- Development and most tests: macOS/Linux
install-sudoersis intentionally macOS-only
- Python 3.11+
- Poetry
- Optional for DNS stack tasks: Homebrew, Colima, Docker
git clone https://github.com/Doogie201/NextLevelApex.git
cd NextLevelApex
poetry installList commands:
poetry run nlx --helpRun orchestrator in dry-run mode without generating reports:
poetry run nlx --dry-run --no-reportsInspect discovered task states:
poetry run nlx list-tasksGenerate reports from current state:
poetry run nlx reportRun the API server:
poetry run uvicorn nextlevelapex.api.main:app --reloadRun the canonical GUI dashboard:
npm --prefix dashboard install
npm --prefix dashboard run dev -- --hostname 127.0.0.1 --port 4010GUI v1 is read-only: it supports diagnose + dry-run workflows only and ships no mutation endpoints.
NextLevelApex is hardened around least privilege and trust-boundary control:
- Task provenance gates block untrusted module execution.
- Remediation shell actions are allowlisted (no arbitrary shell payload execution).
install-sudoersvalidates interface and username formats, renders deterministic sudoers rules, and validates syntax withvisudobefore install.- Sudoers verification fails closed if
includedircannot be verified non-interactively. - State and reports use atomic writes to reduce corruption risk.
See also:
SECURITY.mdSECURITY_NOTES.md
poetry run pytest -q
poetry run ruff check .
poetry run black --check .
poetry run isort --check-only .
poetry run mypy .Poetry creates a separate virtualenv for each project path. When using git worktree, each worktree needs its own poetry install:
git worktree add ../my-worktree main
cd ../my-worktree
bash scripts/dev-setup.sh # installs Poetry deps + dashboard depsOr manually:
poetry install # Python deps + nlx entrypoint
npm --prefix dashboard ci # dashboard depsWithout this, you will see:
Warning: 'nlx' is an entry point defined in pyproject.toml, but it's not installed as a scriptModuleNotFoundError: No module named 'typer'(or other deps)
ModuleNotFoundErrorfor dependencies:- Run
poetry installthen usepoetry run ...or activate Poetry's environment. - In a git worktree, you must run
poetry installin each worktree separately.
- Run
Warning: 'nlx' is an entry point ... not installed as a script:- Run
poetry installto register the entrypoint.
- Run
install-sudoerscannot verifyincludedir:- Run
sudo visudoand ensure one of these exists:#includedir /private/etc/sudoers.d#includedir /etc/sudoers.d
- Run
- Selective task execution:
- Use
--taskfilters to target specific tasks.
- Use
See CONTRIBUTING.md for branching, checks, and PR expectations.
This project is licensed under the MIT License. See LICENSE.