Technical Documentation · v1.9.6

Nexus Hub — Tech Docs

Architecture, security, integrations, and troubleshooting reference for IT, DevOps, and platform engineering teams evaluating or operating Nexus Hub.

01 Architecture overview

Nexus Hub is a two-tier system:

Frontend extension — TypeScript SPA bundled with Webpack, runs as iframes inside Azure DevOps hubs (Backlog IQ, Predictive Analytics, Manual, Overview). Communicates with Azure DevOps via the official VSS Web Extension SDK.
Backend API — Python (FastAPI) service hosted on Hugging Face Spaces (EU region). Exposes REST endpoints for: NLP analysis, Monte Carlo simulation, subscription state, and Stripe integration.

The frontend never connects directly to OpenAI, Anthropic, or other third-party model providers. All AI/NLP processing happens in our backend, which uses spaCy (open-source) for semantic analysis.

🔒 Stateless design — no work item content is persisted. Work item title, description, and acceptance criteria are processed in-memory per HTTP request and discarded immediately after the response is returned. The backend holds no copy, no cache, no log, and no backup of work item content. The only data persisted is your subscription state (organization ID, project ID, plan tier).

02 System requirements

Requirement	Value
Azure DevOps	Services (cloud, dev.azure.com) Required
Azure DevOps Server (on-prem)	Not currently supported
Browser	Chrome ≥ 100 · Edge ≥ 100 · Firefox ≥ 100 · Safari ≥ 15
Network	Outbound HTTPS to `marketplace.visualstudio.com` and `*.hf.space`
Permissions	Organization administrator (for installation only)
Work Item types	User Story · Bug · Feature · Epic · Task · Issue
Process templates	Agile · Scrum · CMMI · Basic (custom processes supported)

03 Permissions & scopes

The extension requests the following Azure DevOps OAuth scopes:

Scope	Access	Purpose
`vso.work`	Read	Fetch Work Items (titles, descriptions, AC, history) for analysis
`vso.project`	Read	Discover teams, area paths, iterations for grouping in dashboards

No write scopes requested. The extension cannot modify, delete, or create Work Items — it only reads.

04 Data handling

Nexus Hub follows a strict stateless processing model. The backend never writes work item content to disk and never replicates it to logs or backups.

What we send to the backend (per request, in-memory only)

Work item title (string)
Work item description (HTML stripped)
Acceptance criteria (HTML stripped)
Work item type (e.g., "User Story")
Organization ID + Project ID (for licensing context)

What we DO NOT send

Work item ID, URL, or any identifier that links back to your ADO instance
User identities, emails, or PII
Comments, attachments, or revision history beyond what you explicitly analyze
Source code from linked Repos / Pipelines

What we persist

Subscription state — Organization ID, Project ID, plan tier, trial start date, Stripe customer ID. SQLite database on Hugging Face persistent storage (EU region).
Aggregate counters — total Monte Carlo simulations per project (for rate limiting on Free plan).

What we DO NOT persist

Work item titles, descriptions, or acceptance criteria
NLP analysis outputs (returned to the client and discarded server-side)
Monte Carlo throughput history (computed on-the-fly per request from your live ADO data)
User-level activity, identifiers, or behavioral telemetry

Backend lifecycle: Each analysis request creates a short-lived in-memory object that is garbage-collected as soon as the HTTP response is flushed. There is no caching layer, no message queue retention, and no persistent log of work item content. See Privacy Policy for the data controller statement.

05 Security model

Transport: All communication is HTTPS/TLS 1.3.
Authentication: Azure DevOps native OAuth (handled by VSS SDK). The extension never sees your password or PAT.
Tenant isolation: Each request includes X-Nexus-Org-ID and X-Nexus-Project-Id headers; the backend enforces tenant isolation per (organization, project) tuple before serving any subscription or counter data.
Stripe webhook validation: All Stripe webhooks are signature-verified using HMAC-SHA256 against the endpoint secret.
No third-party trackers: The extension does not load Google Analytics, Hotjar, or similar in the iframe.
Content Security Policy: The extension inherits Azure DevOps CSP — no inline scripts, no eval.
Secrets management: Stripe keys, webhook secrets, and database credentials live in Hugging Face Spaces encrypted secrets — never bundled in the frontend.
Dependency hygiene: Backend dependencies pinned and scanned for CVEs on each release.

06 API integration

The backend exposes the following REST endpoints. All endpoints require the X-Nexus-Org-ID and X-Nexus-Project-Id headers and are served over HTTPS.

Endpoint	Method	Purpose
`/api/v1/analisar_batch`	POST	Batch INVEST analysis of work items
`/api/v1/monte-carlo`	POST	Run delivery date forecast
`/subscription/status`	GET	Current plan tier & trial days remaining
`/checkout/create-session`	POST	Create Stripe checkout session
`/portal/create-session`	POST	Create Stripe customer portal session

Generic request contract

All POST endpoints accept application/json and respond with application/json. Request bodies follow the documented schema (full OpenAPI spec available on request); responses include a request_id for correlation.

Generic response shape

{
  "request_id": "req_8e2…",
  "status": "ok",
  "data": { /* endpoint-specific payload */ },
  "meta": {
    "plan": "pro",
    "trial_days_left": 9
  }
}

Backend base URL: https://jonathas3837-ato-agile-intelligence.hf.space

Note: These endpoints are designed for the Nexus Hub extension client. Direct API access for custom integrations (CI pipelines, in-house dashboards) is available on request — contact support for credentials and the OpenAPI spec.

Source code: This document describes the public API contract only. The proprietary backend implementation (NLP pipeline, Monte Carlo engine, scoring weights) is not distributed and is not part of the published extension.

07 Billing & licensing

Granularity: Per Azure DevOps Project (not per organization, not per user).
Trial: 14 days of Pro access, automatically activated when a project first opens Nexus Hub.
Payment: Stripe Checkout (cards, Apple Pay, Google Pay, debit). Stripe is PCI-DSS Level 1.
Currency: USD ($19/month per project).
Invoicing: Stripe automatically generates invoices and sends them to the billing email on file.
Cancellation: Self-service via the Stripe Customer Portal (linked from the extension). Effective at end of current period.
Refunds: Full refund within 7 days of upgrade if not satisfied — email support.

08 Performance & limits

Operation	Free plan	Pro plan
INVEST analysis (per item)	~300ms	~300ms
Monte Carlo simulations / week	1	Unlimited
Monte Carlo iteration count	10,000	10,000
Monte Carlo runtime (typical)	~2s	~2s
Backlog IQ batch size	50 items	500 items
API rate limit	30 req/min/project	120 req/min/project
Backend cold start (HF Spaces)	~10s if idle > 30min	~10s if idle > 30min

09 Troubleshooting

Extension doesn't load / shows blank screen

Check browser console (F12) for errors.
Verify outbound HTTPS to *.hf.space is not blocked by corporate proxy.
Hard refresh: Ctrl+Shift+R.
Try in incognito mode (rules out browser extension conflicts).

Theme doesn't match Azure DevOps theme

Click the toggle button in the hub header (sun/moon icon) to manually pick Light or Dark. The extension persists the choice in localStorage.

Trial expired earlier than expected

The trial is per project. Each project gets its own 14 days from first open. Check Predictive Analytics → trial banner shows exact days remaining.

"Subscription not active" error after paying

Stripe webhooks may take up to 60s to propagate. Refresh after 1 minute. If persistent, contact support with your Stripe receipt number.

Backend timeout / 504 Gateway Timeout

Backend hibernates on Hugging Face Spaces if idle > 30min. The first request after hibernation triggers a cold start (~10s). Retry the operation.

Monte Carlo forecast says "history too sparse"

The team needs at least 6 weeks of throughput data with non-zero weeks > 25%. Either expand the sample window or wait for more data.

10 Compliance

GDPR: Data Controller is TRX22 Consultoria. Data is processed in the EU region (Hugging Face Spaces, Frankfurt). Right to access, rectification, and deletion via contato@trx22.com.br. Because work item content is never persisted, deletion requests typically only affect subscription state.
LGPD (Brazil): Compliant. CNPJ 60.094.571/0001-64. DPO contact same as above.
Stripe (payments): PCI-DSS Level 1 certified. We do not store card data.
Hugging Face (hosting): SOC 2 Type II. huggingface.co/security
Microsoft Marketplace: Extension passed Marketplace validation including security scanning.

← User Manual · Back to Support →