Nexus Fleet 1.0.9 — mTLS, at-rest encryption & RBAC
The biggest hardening release yet: mutual TLS on the manager API, encrypted event fields at rest, and role-based access control for the admin token.
Version 1.0.9 focuses on the parts of the platform that handle your most sensitive data: the transport between agents and the manager, the data stored on disk, and who is allowed to read it. Everything here is opt-in: existing Free deployments keep working unchanged.
Mutual TLS for the manager API
On top of the HMAC-SHA256 signing that already protects every agent message, the manager can now require client certificates. Point it at a CA bundle and only enrolled, certificate-bearing agents and admins can connect.
nexus-manager run --host 0.0.0.0 --port 8765 \
    --tls-cert server.pem --tls-key server.key \
    --tls-client-ca ca.pem   # require mTLS
Encryption at rest
Sensitive event fields are now encrypted with Fernet before they touch SQLite, and the database runs in WAL mode for safer concurrent writes. A leaked database file no longer means leaked findings.
Role-based access control
- admin — full control: policy, licensing, active response
- analyst — read alerts, acknowledge and resolve incidents
- read-only — dashboards and reports, no mutations
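The three roles above, expressed as a fail-closed authorization check. This is an added example, not Nexus Fleet's own code: the action names, the nesting of the roles and the Decision record are assumptions for illustration.

```python
"""Added example (not Nexus Fleet code): fail-closed RBAC for the admin token.

Roles nest: an analyst may do everything a read-only user may, and an admin
everything an analyst may. Action names are assumed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

READ_ONLY: FrozenSet[str] = frozenset({"dashboard.view", "report.view"})
ANALYST: FrozenSet[str] = READ_ONLY | {
    "alert.read", "incident.acknowledge", "incident.resolve"}
ADMIN: FrozenSet[str] = ANALYST | {
    "policy.write", "license.write", "response.trigger"}

ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "admin": ADMIN, "analyst": ANALYST, "read-only": READ_ONLY}
KNOWN_ACTIONS = ADMIN                 # admin holds the full action set
MUTATIONS = KNOWN_ACTIONS - READ_ONLY  # anything that changes state


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # suitable for the audit log, on allow and deny alike


def authorize(role: str, action: str) -> Decision:
    """Decide whether a token carrying `role` may perform `action`.

    Fail closed: an unknown role, an unknown action, or a read-only role on
    any mutating action is denied rather than falling through to allow.
    """
    perms = ROLE_PERMISSIONS.get(role)
    if perms is None:
        return Decision(False, f"unknown role {role!r}")
    if action not in KNOWN_ACTIONS:
        return Decision(False, f"unknown action {action!r}")
    if role == "read-only" and action in MUTATIONS:
        return Decision(False, "read-only role may not mutate")
    if action in perms:
        return Decision(True, f"{role} may {action}")
    return Decision(False, f"{role} lacks {action}")


def check_role_table() -> bool:
    """Invariant check to run at startup: roles nest and read-only is pure."""
    nested = READ_ONLY <= ANALYST <= ADMIN
    readonly_pure = not (READ_ONLY & MUTATIONS)
    return nested and readonly_pure
```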
Security tooling should fail closed. 1.0.9 makes the secure path the default path.
Upgrade with a single command — your agents reconnect automatically once the manager is back up.
pip install --upgrade nexus-fleet