Paste a file of code. Nucleus runs Semgrep, Bandit, Gitleaks, OSV-Scanner and a sandboxed compile, then returns a signed in-toto attestation you can verify offline. No signup, no storage — this demo is ephemeral.
Four scanners + a sandboxed compile run in ~5 seconds. You get det_hash, proof_pack_hash, per-scanner findings, and a downloadable DSSE envelope. Nothing is stored.
The public key is published at /.well-known/nucleus-pubkey.json. Every certificate Nucleus signs is recorded in the transparency log. To verify offline with just PyNaCl, download verify_nucleus.py.
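What offline verification of a DSSE envelope involves, as an added example (this is not Nucleus's verify_nucleus.py): the signature covers the DSSE pre-authentication encoding of the payload type and payload, not the raw JSON. It assumes Ed25519 signatures, the standard DSSE field names, and a raw 32-byte public key already extracted from the published key file, whose format this page does not show.

```python
import base64
import json

INTOTO_TYPE = "application/vnd.in-toto+json"  # payloadType in-toto uses in DSSE


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the bytes that are actually signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def verify_envelope(envelope: dict, public_key: bytes) -> dict:
    """Return the in-toto statement only if a signature checks out; else raise."""
    # PyNaCl is imported here so pae() stays usable without it installed.
    from nacl.exceptions import BadSignatureError
    from nacl.signing import VerifyKey

    if envelope["payloadType"] != INTOTO_TYPE:
        raise ValueError("unexpected payloadType")
    payload = base64.b64decode(envelope["payload"])
    message = pae(envelope["payloadType"], payload)
    key = VerifyKey(public_key)  # assumption: raw 32-byte Ed25519 key, pinned by the caller
    for sig in envelope["signatures"]:
        try:
            key.verify(message, base64.b64decode(sig["sig"]))
        except (BadSignatureError, ValueError):
            continue  # wrong key, malformed or tampered signature: try the next one
        return json.loads(payload)  # parse only after the signature is accepted
    raise ValueError("no valid signature for the pinned key")


def make_constructed_envelope():
    """Constructed sample: throwaway key and a minimal statement, not Nucleus output."""
    from nacl.signing import SigningKey

    sk = SigningKey.generate()
    payload = json.dumps({"_type": "https://in-toto.io/Statement/v1",
                          "subject": [{"name": "sample.py"}]}).encode()
    sig = sk.sign(pae(INTOTO_TYPE, payload)).signature
    envelope = {"payloadType": INTOTO_TYPE,
                "payload": base64.b64encode(payload).decode(),
                "signatures": [{"sig": base64.b64encode(sig).decode()}]}
    return envelope, bytes(sk.verify_key)
```

A passing signature check says nothing about whether the certificate appears in the transparency log; that is a separate lookup.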