Features

Everything Vigo does — state enforcement, compliance, security, remote access, orchestration, and more. All features included at every tier.

Releasing soon: Vigo is in alpha and closing in on its first stable release. Expect breaking changes between releases until then. We're looking for testing partners with meaningful fleets across diverse architectures. Learn more →

⚡ State Enforcement

The core of Vigo. Define desired state in YAML; agents enforce it idempotently.

69 resource types

Files, packages, services, users, cron, firewall, Docker, IIS, registry, ACLs, certificates, mounts, sysctl, network devices, and more — 68 built-in, plus a user-supplied custom executor for your own logic. Each resource type checks state before acting — no unnecessary changes.

7 operating systems

Linux, macOS, FreeBSD, OpenBSD, NetBSD, illumos, and Windows. Write one config and the agent dispatches it to the correct backend. Cisco, Arista, and Juniper network devices are covered by 16 SSH-based executors.

Conditional logic & templating

when: expressions with boolean logic and builtins (os_family, has_command, arch, version_ge, is_container, has_service) gate any resource — the server evaluates what it can and passes the rest to the agent. Go templates in content: and external source: files render .Traits and .Vars for dynamic config. No DSL, no plugins.
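The templating half of this is plain Go text/template, so a short added example is worth having. The program below is written for this page, not Vigo's code: the trait and variable names, the sshd-style template and the top-level .Traits/.Vars map layout are all assumptions. The security-relevant detail it shows is the missingkey=error option: without it, a misspelled trait or variable renders as "<no value>" inside a config file instead of failing the run.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Render fills a content template with .Traits and .Vars using Go's
// text/template. missingkey=error makes an unknown map key a hard failure
// rather than a silent "<no value>" in a security-relevant file.
// (Hypothetical helper for this example; the data layout is assumed.)
func Render(src string, traits, vars map[string]any) (string, error) {
	t, err := template.New("content").Option("missingkey=error").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]any{"Traits": traits, "Vars": vars}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample data; real trait and variable names are assumptions.
	traits := map[string]any{"os_family": "debian", "hostname": "web-01"}
	vars := map[string]any{"ssh_port": 22, "allow_groups": []string{"ops", "deploy"}}

	src := "# generated for {{ .Traits.hostname }} ({{ .Traits.os_family }})\n" +
		"Port {{ .Vars.ssh_port }}\n" +
		"PasswordAuthentication no\n" +
		"AllowGroups{{ range .Vars.allow_groups }} {{ . }}{{ end }}\n"
	out, err := Render(src, traits, vars)
	if err != nil {
		fmt.Println("render error:", err)
	} else {
		fmt.Print(out)
	}

	// A typo in a variable name fails the render instead of shipping
	// "Port <no value>" to the host.
	_, err = Render("Port {{ .Vars.ssh_prot }}\n", traits, vars)
	fmt.Println("typo:", err)
}
```

The same option matters for external source: files, which are usually larger and edited less often than inline content, so a stale trait name is easier to miss there.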

DAG-ordered execution

depends_on creates a directed acyclic graph. Resources execute in topological order. notify and subscribes trigger re-application when a dependency changes. Circular dependencies are rejected at config load time.
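The ordering rule above is a topological sort with cycle rejection, and the notify/subscribes behaviour is a walk over the same graph. The following Go program is an added example written for this page, not Vigo's implementation: the Resource struct, the resource names and the depends_on data are constructed. It shows deterministic ordering, load-time rejection of cycles and unknown dependencies, and the set of resources a change would re-apply.

```go
package main

import (
	"fmt"
	"sort"
)

// Resource is a minimal stand-in for a declared resource: its name and the
// names listed under depends_on. Constructed for this example; not Vigo's schema.
type Resource struct {
	Name      string
	DependsOn []string
}

// Order returns an execution order in which every resource follows all of
// its dependencies (Kahn's algorithm), with alphabetical tie-breaking so the
// result is deterministic. It returns an error for an unknown dependency or
// a cycle, which is the load-time rejection described in the text.
func Order(resources []Resource) ([]string, error) {
	indegree := make(map[string]int, len(resources))
	dependents := make(map[string][]string)
	for _, r := range resources {
		if _, dup := indegree[r.Name]; dup {
			return nil, fmt.Errorf("duplicate resource %q", r.Name)
		}
		indegree[r.Name] = 0
	}
	for _, r := range resources {
		for _, dep := range r.DependsOn {
			if _, ok := indegree[dep]; !ok {
				return nil, fmt.Errorf("%q depends on unknown resource %q", r.Name, dep)
			}
			indegree[r.Name]++
			dependents[dep] = append(dependents[dep], r.Name)
		}
	}
	var ready []string
	for name, d := range indegree {
		if d == 0 {
			ready = append(ready, name)
		}
	}
	sort.Strings(ready)
	order := make([]string, 0, len(resources))
	for len(ready) > 0 {
		n := ready[0]
		ready = ready[1:]
		order = append(order, n)
		for _, d := range dependents[n] {
			if indegree[d]--; indegree[d] == 0 {
				ready = append(ready, d)
				sort.Strings(ready)
			}
		}
	}
	if len(order) != len(resources) {
		// Anything still waiting on a dependency is in, or downstream of, a cycle.
		var stuck []string
		for name, d := range indegree {
			if d > 0 {
				stuck = append(stuck, name)
			}
		}
		sort.Strings(stuck)
		return nil, fmt.Errorf("circular dependency involving %v", stuck)
	}
	return order, nil
}

// Downstream lists every resource that transitively depends on changed, in
// execution order: the set a change notification (notify / subscribes)
// would re-apply.
func Downstream(resources []Resource, changed string) ([]string, error) {
	order, err := Order(resources)
	if err != nil {
		return nil, err
	}
	deps := make(map[string][]string, len(resources))
	for _, r := range resources {
		deps[r.Name] = r.DependsOn
	}
	affected := map[string]bool{changed: true}
	var out []string
	for _, name := range order { // dependencies are always visited first
		for _, d := range deps[name] {
			if affected[d] {
				affected[name] = true
				out = append(out, name)
				break
			}
		}
	}
	return out, nil
}

func main() {
	resources := []Resource{ // constructed sample
		{Name: "sshd-service", DependsOn: []string{"sshd-package", "sshd-config"}},
		{Name: "sshd-config", DependsOn: []string{"sshd-package"}},
		{Name: "sshd-package"},
		{Name: "motd-file"},
	}
	order, err := Order(resources)
	fmt.Println("order:", order, err)
	re, _ := Downstream(resources, "sshd-package")
	fmt.Println("re-apply after sshd-package changes:", re)
	_, err = Order([]Resource{{Name: "a", DependsOn: []string{"b"}}, {Name: "b", DependsOn: []string{"a"}}})
	fmt.Println("cycle:", err)
}
```

A resource that depends on itself is rejected by the same check, since its indegree never reaches zero.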

Configcrate retraction

Declare state: absent on a configcrate and Vigo reverses what it applied on the next check-in: files deleted, packages uninstalled, services stopped and disabled, commands undone through their declared rollback. It's just config — declarative, version-controlled, and resolved most-specific-first, so you can retract fleet-wide and hold one host on present. Server-side; no agent redeploy. For a resource that can't be auto-reversed, Vigo generates a .retract to review and publish.

Offline convergence

Agents cache signed policy bundles in LMDB. When the server is unreachable, convergence continues using the last-known policy. Results queue locally and drain on reconnect.
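The check an agent needs before it converges against a cached bundle is worth seeing in code. What follows is an added example for this page, not Vigo's bundle format or agent code: the Bundle layout (sequence number, policy bytes, Ed25519 signature over both), the pinned server key and the rollback rule are all assumptions. The point it adds beyond the paragraph is that a signature alone is not enough offline: a valid but older bundle replayed to the agent would quietly revert policy unless the sequence number is also signed and checked.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Bundle is a hypothetical signed policy bundle: a monotonically increasing
// sequence number, the policy bytes, and an Ed25519 signature over both.
// The layout is an assumption for this example, not Vigo's bundle format.
type Bundle struct {
	Seq    uint64
	Policy []byte
	Sig    []byte
}

// signedBytes is the message the signature covers: seq (big-endian) || policy.
// Signing the sequence number is what lets the agent detect rollback.
func signedBytes(seq uint64, policy []byte) []byte {
	buf := make([]byte, 8, 8+len(policy))
	binary.BigEndian.PutUint64(buf, seq)
	return append(buf, policy...)
}

// NewServerKey generates the server's signing key pair (demo only; the
// private key would stay server-side in a real deployment).
func NewServerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignBundle is the server side: sign seq||policy with the server key.
func SignBundle(priv ed25519.PrivateKey, seq uint64, policy []byte) Bundle {
	return Bundle{Seq: seq, Policy: policy, Sig: ed25519.Sign(priv, signedBytes(seq, policy))}
}

// Cache models the agent's local bundle store. The public key is pinned at
// enrollment; Current is the last bundle the agent accepted.
type Cache struct {
	ServerKey ed25519.PublicKey
	Current   *Bundle
}

// Accept verifies the signature before anything else, then refuses a bundle
// whose sequence is not newer than the cached one, so a valid but stale
// bundle replayed to the agent cannot roll policy back.
func (c *Cache) Accept(b Bundle) error {
	if !ed25519.Verify(c.ServerKey, signedBytes(b.Seq, b.Policy), b.Sig) {
		return errors.New("bundle signature invalid")
	}
	if c.Current != nil && b.Seq <= c.Current.Seq {
		return fmt.Errorf("bundle seq %d is not newer than cached seq %d", b.Seq, c.Current.Seq)
	}
	c.Current = &b
	return nil
}

// Policy is what an offline agent converges against: the last trusted bundle.
func (c *Cache) Policy() ([]byte, error) {
	if c.Current == nil {
		return nil, errors.New("no trusted bundle cached")
	}
	return c.Current.Policy, nil
}

func main() {
	pub, priv := NewServerKey()
	agent := &Cache{ServerKey: pub}
	// Constructed policy bodies; the format is a placeholder.
	fmt.Println(agent.Accept(SignBundle(priv, 1, []byte("sshd: PasswordAuthentication no"))))
	fmt.Println(agent.Accept(SignBundle(priv, 2, []byte("sshd: PasswordAuthentication no\nufw: enabled"))))
	fmt.Println(agent.Accept(SignBundle(priv, 1, []byte("ufw: disabled")))) // replayed old bundle
	p, _ := agent.Policy()
	fmt.Printf("offline policy:\n%s\n", p)
}
```

The cached bundle should be read back through the same Accept path on agent start, so that a bundle swapped on disk while the agent was down is rejected the same way a bad one from the network would be.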

Observe mode

Server-controlled dry-run. Per-node or fleet-wide. Agents report what they would change without applying anything. A safe migration path from your existing configuration management.

Screenshot: per-envoy rendered YAML for a cis-ubuntu-access configcrate, showing the 5.1.1-cron-enabled service resource and the 5.1.2-crontab-permissions exec resource, exactly what the agent received after path inheritance and merge. Per-envoy rendered config means no guessing what the agent will enforce.
Screenshot: server config page with 11 enabled and 29 available sections (server, database, auth, checkin, watcher, secrets, bootstrap, spanner, tuning, smtp, ai, backup, export, publish, rate_limit, maintenance, and more), each with an enable/disable toggle and live reload.

🔒 Compliance & Security

22 regulatory frameworks mapped to enforceable controls. Honest claims — Vigo reports what it enforces vs. what it attests vs. what requires external validation.

22 compliance frameworks

HIPAA, SOC 2, PCI DSS v4.0, NIST 800-53, ISO 27001, CIS Benchmarks (Ubuntu, RHEL, Windows), GDPR, NERC CIP, HITRUST, IEC 62443, SOX, FINRA, MiFID II, FDA 21 CFR Part 11, Cyber Essentials Plus, CCSS, UKGC, Nevada GCB, MGA, NY DFS 23 NYCRR 500.

Per-envoy compliance tracking

Framework coverage percentage per node. Drill into which controls are satisfied, which are missing, and which configcrates would close the gap. Compliance waivers with approver, reason, and expiration.

CIS benchmark enforcement

Pre-built configcrates for CIS Ubuntu, RHEL, and Windows Server benchmarks. 260+ Level 1 and Level 2 controls enforced through idempotent resources, not just scanned.

Risk quantification

Per-node risk scoring (0–100) from seven weighted factors: CVEs, hardening, rootkits, integrity, open ports, convergence, and connectivity. Fleet-wide risk dashboard with 30-day trend sparklines.

CVE impact analysis

Agents collect CVE data from Trivy, Debsecan, and Windows Update — deduplicated across scanners. Search the fleet from the CLI or web UI: which nodes a given CVE affects, severity breakdown, and remediation paths. Optional NVD enrichment with CVSS scoring.

AI-drafted remediation

Click Ask Claude on any CVE or hardening finding. The assistant reads your fleet state and drafts a remediation strategy: the .vgo configcrate to publish, upgrade order, version constraints, and dependency notes. It is a draft for your team to review and then publish, not an automatic change. No blank-page moments for your ops team.

Connwaer verification agent

Standalone agent for active compliance verification. Validates controls that can't be proven through enforcement alone: WORM storage, RNG quality, encryption at rest, network segmentation, HSM lifecycle. 18 verification capabilities.

Screenshot: CVE impact detail drawer grouping 7 affected packages by CVE, with Trivy / Debsecan / Lynis / rkhunter / ClamAV / AIDE scanner columns and Ask AI remediation buttons.

🖥 Remote Access (Scrier)

Browser-based SSH and RDP through the agent's existing mTLS tunnel. No VPN, no bastion, no port forwarding.

SSH terminal — browser or CLI

Full terminal in the browser via xterm.js — raw PTY bytes over WebSocket, no Guacamole for SSH. Or run vigocli scrier ssh <envoy> from your workstation over the same tunnel: native TTY, window resizes, exit codes. Either way, no inbound port on the envoy and no SSH bastion to run.

RDP graphical desktop

Full Windows or Linux desktop via Guacamole. Fit-to-window or 1:1 scaling with scrollbars. Works with xrdp on Linux, native RDP on Windows.

Ephemeral credentials

SSH keys are generated per session and never stored on the server. Web-to-OS username mapping via CLI. No permanent credentials in the Vigo database.

Audit trail

Every session is recorded in the tamper-evident audit log: who connected, when, which protocol, which envoy. Sessions are tracked and can be terminated from the server.

Shadow / Assist mode

View and control a user's live desktop session in real time. Help desk can observe the user's screen or take control to assist. User consent prompts with configurable policies (always, once, never). Linux via x11vnc, Windows via TightVNC.

Zero additional infrastructure

Scrier tunnels through the agent's existing gRPC connection. No SSH bastion, no VPN concentrator, no jump box. One fewer attack surface to manage and audit.

🔧 Orchestration

Ad-hoc commands, reusable tasks, multi-step workflows, and rolling execution across your fleet.

Ad-hoc tasks

Dispatch commands to any envoy or group of envoys from the CLI or web UI. Results stream back in real time. Pre-dispatch validation blocks dangerous commands unless --force is specified.

Live queries

Query fleet state in real time. Ask for disk usage, running processes, package versions, or any trait across all envoys. Results aggregated and returned in seconds.

Named workflows

Multi-step orchestration with conditional branching and abort support. Define in YAML, trigger from CLI or API. Steps can wait for results before proceeding.

Rolling execution

Split targets into batches with configurable batch size and health checks between rounds. If a batch fails, the rollout stops before affecting the rest of the fleet.

11 native integrations + webhooks to anything

Slack, PagerDuty, Opsgenie, Teams, ConnectWise, Autotask, ServiceNow, Splunk, Datadog, Elastic, and Loki — plus HMAC-signed outbound webhooks to anything else. Event-driven alerts for security, compliance, convergence, and secret rotation.
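A receiver of those HMAC-signed webhooks has to do more than recompute a hash, so here is an added example of the receiving side. It is written for this page and is not Vigo's webhook code: the header names, the signed-string layout (unix timestamp, a dot, then the raw body) and the five-minute replay window are assumptions; take the real ones from the sender's documentation. It shows the three checks that matter: the timestamp is inside the MAC so it cannot be refreshed by a replayer, stale deliveries are rejected before any crypto runs, and the comparison is constant-time.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// Header names, the signed-string layout ("<timestamp>.<body>") and the
// replay window are assumptions for this example.
const (
	TimestampHeader = "X-Webhook-Timestamp"
	SignatureHeader = "X-Webhook-Signature"
	maxSkew         = 5 * time.Minute
)

// mac computes HMAC-SHA256 over "<unix timestamp>.<raw body>". Covering the
// timestamp means a replayer cannot refresh it without the secret.
func mac(secret []byte, ts int64, body []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(strconv.FormatInt(ts, 10)))
	m.Write([]byte("."))
	m.Write(body)
	return m.Sum(nil)
}

// Sign is the sender side: the hex signature for a timestamp and body.
func Sign(secret []byte, ts int64, body []byte) string {
	return hex.EncodeToString(mac(secret, ts, body))
}

// Verify is the receiver side. body must be the raw bytes as received, not
// re-serialized JSON. Staleness is rejected before any crypto, and the MAC
// comparison is constant-time via hmac.Equal.
func Verify(secret []byte, tsHeader, sigHeader string, body []byte, now time.Time) error {
	ts, err := strconv.ParseInt(tsHeader, 10, 64)
	if err != nil {
		return errors.New("missing or malformed timestamp header")
	}
	if age := now.Sub(time.Unix(ts, 0)); age > maxSkew || age < -maxSkew {
		return fmt.Errorf("timestamp outside replay window (age %s)", age)
	}
	want, err := hex.DecodeString(sigHeader)
	if err != nil {
		return errors.New("malformed signature header")
	}
	if !hmac.Equal(mac(secret, ts, body), want) {
		return errors.New("signature mismatch")
	}
	return nil
}

func main() {
	secret := []byte("constructed-shared-secret")                // per-integration secret
	body := []byte(`{"event":"secret.rotated","envoy":"web-01"}`) // constructed payload
	now := time.Unix(1_700_000_000, 0)
	sig := Sign(secret, now.Unix(), body)
	fmt.Println("valid:   ", Verify(secret, "1700000000", sig, body, now))
	fmt.Println("tampered:", Verify(secret, "1700000000", sig, []byte(`{"event":"x"}`), now))
	fmt.Println("replayed:", Verify(secret, "1700000000", sig, body, now.Add(10*time.Minute)))
}
```

Within the replay window the receiver should also remember recently seen signatures (or a delivery ID, if the sender provides one) if a single event must not be processed twice; the window alone only bounds how long a capture stays useful.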

AI assistant

Ask questions about your fleet in natural language. Backed by Claude, OpenAI, or Ollama. The assistant has tool access to query envoys, read configs, check compliance, and explain convergence results.

Screenshot: integrations page with native integrations grouped by category (Alerting/Chat, ITSM/PSA, SIEM/Observability), each with enable and config controls.

💻 Infrastructure

Bare metal lifecycle, system inventory, and fleet-wide visibility.

Works behind any firewall

Agents connect outbound to the server — the server never connects inbound. Laptops behind home routers, VMs behind security groups, mobile devices on cellular — all work without VPNs, port forwarding, or firewall rules. Only two outbound ports required.

50 trait collectors

OS, hardware, network, disk, CPU, GPU, firmware, security scan results, package counts, TPM, NIC drivers, and more. Custom trait collectors for site-specific inventory. All traits available in templates and when: expressions.

Config trace

One command shows the complete resolution chain for any node: path inheritance, configcrate resolution, variable overrides, dependency DAG, compliance tags, waivers, and conditional expressions — all traced to the exact source file.

Prometheus metrics

80+ metrics exposed at /metrics: convergence breakdown, security posture (CVEs by severity, hardening, rootkit/malware/integrity), risk distribution, and fleet counters. Five pre-built Grafana dashboards.

Hub-spoke federation (Spanner)

When one server isn't enough, fan out enrollment, queries, and tasks across spoke servers. Each spoke manages its own fleet. The hub aggregates. No shared database.

Tamper-evident audit trail

Every administrative action — enrollment, revocation, task dispatch, secret access, config publish, Scrier session — recorded in a hash-chained audit log. Export for compliance evidence.
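The property a hash-chained log gives you, and the one it does not, is easiest to see by building one. The program below is an added example for this page, not Vigo's audit implementation: the record fields, the genesis value and the hashing layout are assumptions. It shows that editing or deleting an entry in the middle breaks verification, and that silently dropping entries from the end does not, which is why the chain head has to be anchored outside the log (published, signed, or exported as evidence) to count as tamper-evident end to end.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one audit record. PrevHash links it to the record before it and
// Hash commits to every field including PrevHash. The field set is an
// assumption for this example, not Vigo's audit schema.
type Entry struct {
	Seq      int
	Actor    string
	Action   string
	Target   string
	PrevHash string
	Hash     string
}

// genesis anchors the first entry (64 hex zeros).
const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

// entryHash hashes the fields with length prefixes so field boundaries are
// unambiguous ("ab"+"c" cannot collide with "a"+"bc").
func entryHash(seq int, actor, action, target, prev string) string {
	h := sha256.New()
	for _, f := range []string{fmt.Sprint(seq), actor, action, target, prev} {
		fmt.Fprintf(h, "%d:%s;", len(f), f)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Log is an append-only chain of entries.
type Log struct{ Entries []Entry }

// Head is the hash of the last entry (or genesis for an empty log). Publish
// or sign it out of band: the chain alone cannot prove that trailing
// entries were not deleted.
func Head(entries []Entry) string {
	if len(entries) == 0 {
		return genesis
	}
	return entries[len(entries)-1].Hash
}

// Append records an action, linking it to the current head of the chain.
func (l *Log) Append(actor, action, target string) Entry {
	e := Entry{Seq: len(l.Entries) + 1, Actor: actor, Action: action, Target: target, PrevHash: Head(l.Entries)}
	e.Hash = entryHash(e.Seq, e.Actor, e.Action, e.Target, e.PrevHash)
	l.Entries = append(l.Entries, e)
	return e
}

// Verify recomputes every hash and checks every link and sequence number.
// It returns the 0-based index of the first bad entry, or -1 if the chain
// is intact from genesis to its last entry.
func Verify(entries []Entry) int {
	prev := genesis
	for i, e := range entries {
		if e.Seq != i+1 || e.PrevHash != prev ||
			entryHash(e.Seq, e.Actor, e.Action, e.Target, e.PrevHash) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	var l Log // constructed sample actions
	l.Append("alice", "task.dispatch", "web-01")
	l.Append("bob", "secret.read", "db/password")
	l.Append("alice", "config.publish", "cis-ubuntu-access")
	fmt.Println("intact:", Verify(l.Entries), "head:", Head(l.Entries)[:16])

	tampered := append([]Entry(nil), l.Entries...)
	tampered[1].Target = "db/root-password" // edited in place, hash left as-is
	fmt.Println("edited entry detected at index:", Verify(tampered))

	truncated := l.Entries[:2] // tail deleted: every remaining link still checks out
	fmt.Println("truncated verifies:", Verify(truncated), "head changed:", Head(truncated) != Head(l.Entries))
}
```

For compliance evidence, export the entries together with the head hash you recorded at export time; a later export whose head does not match, or whose chain does not pass Verify up to that head, is the signal you want.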

Screenshot: inventory page with fleet counts (envoys, OS families, OS versions) and an interactive trait search on blockdevices.nvme0n1.readonly with per-hostname results. Fleet inventory with interactive trait search.
Screenshot: per-envoy page for the host girlslaptop showing Converged status, enrollment date, the Drift History / Recent Runs / Traits / View Config / Config Trace / Standards Compliance / Attack Surface / Sessions tabs, and SSH / RDP / Shadow action buttons. Per-envoy drill-down: drift history, traits, config trace, remote access.

🕸 Peer-to-Peer (Swarm)

An envoy-only peer-to-peer fabric — content distribution, file sync, private git, artifacts, and an ordered log, served directly between your own machines with no server in the data path.

Swarm — the P2P substrate

Content-addressed blobs, split into chunks identified by their SHA-256 digests and served peer-to-peer over mTLS, with rarest-first scheduling, adaptive bandwidth throttling, and multicast peer discovery on the LAN. Because every chunk is named by its digest, a receiving peer can check what it pulled against the expected hash before trusting it. No server in the data path; everything below rides on Swarm.

Filecast — administrator-pushed file distribution

Push arbitrary payloads from the operator to the fleet. Seed a file with vigocli swarm filecast distribute (or from the admin UI), and every targeted envoy pulls it peer-to-peer over Swarm. Real-time progress tracking per envoy with chunk source visualization.

Longdrawer — per-user LAN file sync

Drop a file in ~/longdrawer/ and it appears on every other machine where you have an account. Delete it and it disappears everywhere. LAN-only, fully peer-to-peer, no server involvement, no config, no commands.

Lockbox — per-user encrypted file sync

Like Longdrawer, but ciphertext at rest on every envoy. Drop a plaintext file on the primary; Lockbox encrypts it to every peer's public key and fans out the ciphertext. Unlock with vigo swarm puddle unlock to decrypt. Pick this for anything you want to stay unreadable on a stolen machine.

Gitback — your source code stays on your network

If you'd rather not push proprietary code to a third-party git host, Gitback mirrors your repos across envoys you already run. Run vigo swarm gitback project init in any repo; every push fans out as a bundle to your other envoys over mTLS. If your workstation dies, git clone gitback://<your-name>/<repo> from another machine pulls the full history back. No external git service, no webhooks, no code leaving your network.

Curator — content-addressed artifact registry

A peer-to-peer registry for binaries and container images, rooted in per-user puddle identity. Artifacts are content-addressed and served across envoys over Swarm — no external registry, no server in the data path.

Poolq — ordered append-only fleet log

An ordered, append-only log and queue shared across the fleet, rooted in per-user puddle identity. Producers append, consumers read in order — all peer-to-peer over Swarm.

Try it now

Free for up to 100 nodes.* All features included. No credit card.

* Free tier is provided AS IS with no support obligation. See Commercial Terms.