Features

Everything Vigo does — state enforcement, compliance, security, remote access, orchestration, and more. All features included at every tier.

⚡ State Enforcement

The core of Vigo. Define desired state in YAML, agents enforce it idempotently.

73 built-in resource types

Files, packages, services, users, cron, firewall, Docker, IIS, registry, ACLs, certificates, mounts, sysctl, network devices, and more. Each resource type checks state before acting — no unnecessary changes.

7 operating systems

Linux, macOS, FreeBSD, OpenBSD, NetBSD, illumos, and Windows. Write one config; the agent dispatches to the correct backend. 16 additional SSH-based executors for Cisco, Arista, and Juniper network devices.

Conditional resources

when: expressions support boolean logic and builtins such as os_family, has_command, arch, version_ge, is_container, and has_service. The server evaluates what it can and passes the rest to the agent. No plugins required.

DAG-ordered execution

depends_on creates a directed acyclic graph. Resources execute in topological order. notify and subscribes trigger re-application when a dependency changes. Circular dependencies are rejected at config load time.
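The ordering and refresh behaviour described above, as an added illustration that is not Vigo's own code: depends_on edges are sorted with Kahn's algorithm, a cycle is rejected before anything runs, and notify/subscribes edges cause a dependent to be re-applied only when one of its sources actually changed. The resource dict layout and the constructed nginx resources are assumptions made for the example.

```python
"""Constructed illustration of depends_on / notify / subscribes ordering.
Not Vigo's code: the resource dict layout and the nginx sample are assumptions."""
from collections import defaultdict, deque


class CircularDependency(Exception):
    """Raised at config load time when depends_on edges form a cycle."""


def topological_order(depends_on):
    """Kahn's algorithm over a {name: [dependency names]} mapping.

    Returns names so that every dependency precedes its dependents; ties are broken
    alphabetically so runs are reproducible. Raises CircularDependency if some
    resource can never reach indegree zero, i.e. the graph is not a DAG.
    """
    indegree = {name: 0 for name in depends_on}
    dependents = defaultdict(list)
    for name, deps in depends_on.items():
        for dep in deps:
            if dep not in depends_on:
                raise KeyError(f"{name}: depends_on unknown resource {dep!r}")
            dependents[dep].append(name)
            indegree[name] += 1
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        name = ready.popleft()
        order.append(name)
        for child in sorted(dependents[name]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(depends_on):
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise CircularDependency(f"circular depends_on among {stuck}")
    return order


def converge(resources, desired, actual):
    """One idempotent convergence pass.

    resources: {name: {"depends_on": [...], "notify": [...], "subscribes": [...]}}
    desired / actual: {name: state}, where state is an opaque value standing in for
    the real check a resource type would perform. A resource is applied only when
    actual differs from desired; afterwards every resource that was notified by, or
    subscribes to, a changed resource is re-applied, again in DAG order.
    Returns the list of (name, action) taken; actual is updated in place.
    """
    order = topological_order({n: r.get("depends_on", []) for n, r in resources.items()})
    # notify (source lists its targets) and subscribes (target lists its sources)
    # are two spellings of the same edge; collect both as target -> {sources}.
    sources_of = defaultdict(set)
    for name, r in resources.items():
        for target in r.get("notify", []):
            sources_of[target].add(name)
        for source in r.get("subscribes", []):
            sources_of[name].add(source)
    actions, changed = [], set()
    for name in order:
        if actual.get(name) != desired[name]:
            actual[name] = desired[name]
            changed.add(name)
            actions.append((name, "changed"))
        else:
            actions.append((name, "unchanged"))
    for name in order:
        if sources_of[name] & changed:
            actions.append((name, "refreshed"))
    return actions


# Constructed sample: a package, its config file (which notifies the service), an unrelated user.
RESOURCES = {
    "pkg_nginx": {},
    "file_nginx_conf": {"depends_on": ["pkg_nginx"], "notify": ["svc_nginx"]},
    "svc_nginx": {"depends_on": ["file_nginx_conf"]},
    "user_deploy": {},
}
DESIRED = {"pkg_nginx": "installed", "file_nginx_conf": "v2",
           "svc_nginx": "running", "user_deploy": "present"}


def sample_run():
    """Two passes over constructed state: the first fixes the stale file and refreshes
    the service, the second is a no-op, which is the idempotence the page describes."""
    actual = {"pkg_nginx": "installed", "file_nginx_conf": "v1",
              "svc_nginx": "running", "user_deploy": "present"}
    first = converge(RESOURCES, DESIRED, actual)
    second = converge(RESOURCES, DESIRED, actual)
    return first, second


if __name__ == "__main__":
    print(topological_order({n: r.get("depends_on", []) for n, r in RESOURCES.items()}))
    for step in sample_run():
        print(step)
    try:
        topological_order({"a": ["b"], "b": ["a"]})
    except CircularDependency as err:
        print("rejected:", err)
```

The second pass returning only "unchanged" actions is the property worth checking in any enforcement engine: a resource that reports a change on every run is either misreading state or fighting another process, and either way it hides real drift in the convergence breakdown.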

Module retraction

Remove a module from a node's config and Vigo cleans up after itself: packages uninstalled, files deleted, services stopped, users removed. Opt-in per module with retract: true.

Offline convergence

Agents cache signed policy bundles in LMDB. When the server is unreachable, convergence continues using the last-known policy. Results queue locally and drain on reconnect.
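An added illustration of the offline path, not Vigo's code: the agent accepts a policy bundle only if its signature verifies and its serial moves forward, re-verifies the cached bundle on every load so a modified on-disk cache is never enforced, and queues convergence results until a server is reachable. HMAC-SHA256 stands in for whatever signature scheme the product actually uses, a dict stands in for the LMDB cache, and the serial field and the "resources" count in results are assumptions made for the example.

```python
"""Constructed illustration of offline convergence from a signed, cached policy bundle.
Not Vigo's code: HMAC-SHA256 replaces the real signature scheme, a dict replaces LMDB."""
import hashlib
import hmac
import json


def _canonical(obj):
    # Sorted keys and no whitespace so the signed bytes are reproducible.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_bundle(key, serial, policy):
    """Server side: sign a bundle that carries a monotonically increasing serial."""
    body = _canonical({"serial": serial, "policy": policy})
    return {"body": body, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def _valid(key, bundle):
    expected = hmac.new(key, bundle["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, bundle["sig"])


class Agent:
    """Agent side: keeps the last accepted bundle and queues results while offline."""

    def __init__(self, key):
        self._key = key
        self._cache = {}      # stand-in for LMDB: {"bundle": ..., "serial": ...}
        self.queued = []      # convergence results waiting for the server

    def accept(self, bundle):
        """Store a bundle only if its signature verifies and its serial moves forward."""
        if not _valid(self._key, bundle):
            return False
        serial = json.loads(bundle["body"])["serial"]
        if serial <= self._cache.get("serial", -1):
            return False      # replay of an older (possibly weaker) policy is refused
        self._cache = {"bundle": bundle, "serial": serial}
        return True

    def converge(self, server_online):
        """One pass from the cached policy. Returns the results drained to the server
        (empty while offline); results accumulate in self.queued until then."""
        bundle = self._cache.get("bundle")
        if bundle is None or not _valid(self._key, bundle):
            raise RuntimeError("no trustworthy cached policy; refusing to converge")
        policy = json.loads(bundle["body"])["policy"]
        # The real agent would apply each resource here; only the summary is modelled.
        self.queued.append({"serial": self._cache["serial"], "resources": len(policy)})
        if server_online:
            drained, self.queued = self.queued, []
            return drained
        return []


if __name__ == "__main__":
    key = b"constructed-demo-key"    # constructed; a deployment would use a real key
    agent = Agent(key)
    bundle = sign_bundle(key, 1, {"pkg_nginx": "installed", "svc_nginx": "running"})
    print("accept:", agent.accept(bundle))
    print("replay:", agent.accept(bundle))
    print("forged:", agent.accept({"body": bundle["body"] + b" ", "sig": bundle["sig"]}))
    print("offline:", agent.converge(server_online=False), "queued:", len(agent.queued))
    print("online:", agent.converge(server_online=True), "queued:", len(agent.queued))
```

With a shared-secret MAC as used here, every agent holds the signing key, so a compromised agent could mint bundles; a production design would sign with a private key held only by the server and ship agents nothing but the public verification key, which is why the example labels HMAC as a stand-in.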

Go templates in content

Go template syntax is available in content: attributes and in external files referenced via source:. Templates can access .Traits (system inventory) and .Vars (config variables) to produce dynamic file content.

Directory inheritance

common.vgo at any directory level defines modules, roles, and vars inherited by all entries in subdirectories. Parent entries are ordered before child entries in the DAG. Use exclude_modules: to opt out of inherited modules.

Observe mode

Server-controlled dry-run. Per-node or fleet-wide. Agents report what they would change without applying anything. Safe migration path from Puppet, Ansible, Chef, or Salt.

🔒 Compliance & Security

22 regulatory frameworks mapped to enforceable controls. Honest claims — Vigo reports what it enforces vs. what it monitors vs. what requires external validation.

22 compliance frameworks

HIPAA, SOC 2, PCI DSS v4.0, NIST 800-53, ISO 27001, CIS Benchmarks (Ubuntu, RHEL, Windows), GDPR, NERC CIP, HITRUST, IEC 62443, SOX, FINRA, MiFID II, CCSS, FDA 21 CFR Part 11, Gaming Commission (NV/Malta/UKGC), DISA STIG, Cyber Essentials, ABA Cybersecurity, NY DFS 23 NYCRR 500.

Per-envoy compliance tracking

Framework coverage percentage per node. Drill into which controls are satisfied, which are missing, and which modules would close the gap. Compliance waivers with approver, reason, and expiration.

CIS benchmark enforcement

Pre-built modules for CIS Ubuntu, RHEL, and Windows Server benchmarks. 260+ Level 1 and Level 2 controls enforced through idempotent resources, not just scanned.

Risk quantification

Per-node risk scoring (0–100) from 10+ weighted factors: CVEs, hardening score, rootkits, malware, integrity, open ports, convergence status. Fleet-wide risk dashboard with 30-day trend sparklines.

CVE impact analysis

Fleet-wide CVE search from the CLI or web UI. See which nodes are affected by a specific CVE, severity breakdown, and remediation paths. Optional NVD API enrichment with CVSS scoring.

Cyber insurance attestation

Self-contained HTML report with risk posture, security controls, compliance coverage, and historical trend data. Designed for insurance underwriters and auditors.

GRC platform integration

Push compliance evidence to Vanta, Drata, ServiceNow, or any REST API on a configurable schedule. Generic JSON evidence format with per-standard control detail.

Security scanning integration

Agents collect CVE data from Trivy, Debsecan, and Windows Update. Deduplication across scanners. Severity-based filtering. Prometheus metrics for alerting.

Connwaer verification agent

Standalone agent for active compliance verification. Validates controls that can't be proven through enforcement alone: WORM storage, RNG quality, encryption at rest, network segmentation, HSM lifecycle. 18 verification capabilities.

🖥 Remote Access (Scrier)

Browser-based SSH and RDP through the agent's existing mTLS tunnel. No VPN, no bastion, no port forwarding.

SSH terminal

Full terminal via xterm.js rendered natively in the browser. No Guacamole for SSH — raw PTY bytes over WebSocket for accurate rendering and low latency.

RDP graphical desktop

Full Windows or Linux desktop via Guacamole. Fit-to-window or 1:1 scaling with scrollbars. Works with xrdp on Linux, native RDP on Windows.

Ephemeral credentials

SSH keys are generated per session and never stored on the server. Web-to-OS username mapping via CLI. No permanent credentials in the Vigo database.

Clipboard and file transfer

Paste from your local clipboard into remote sessions. Upload files directly through the browser. On-screen keyboard for mobile or restricted input devices.

Audit trail

Every session is recorded in the tamper-evident audit log: who connected, when, which protocol, which envoy. Sessions are tracked and can be terminated from the server.

Shadow / Assist mode

View and control a user's live desktop session in real time. Help desk can observe the user's screen or take control to assist. User consent prompts with configurable policies (always, once, never). Linux via x11vnc, Windows via TightVNC.

Zero additional infrastructure

Scrier tunnels through the agent's existing gRPC connection. No SSH bastion, no VPN concentrator, no jump box. One fewer attack surface to manage and audit.

🔧 Orchestration

Ad-hoc commands, reusable tasks, multi-step workflows, and rolling execution across your fleet.

Ad-hoc tasks

Dispatch commands to any envoy or group of envoys from the CLI or web UI. Results stream back in real time. Pre-dispatch validation blocks dangerous commands unless --force is specified.

Live queries

Query fleet state in real time. Ask for disk usage, running processes, package versions, or any trait across all envoys. Results aggregated and returned in seconds.

Named workflows

Multi-step orchestration with conditional branching and abort support. Define in YAML, trigger from CLI or API. Steps can wait for results before proceeding.

Rolling execution

Split targets into batches with configurable batch size and health checks between rounds. If a batch fails, the rollout stops before affecting the rest of the fleet.

22 native integrations

Slack, PagerDuty, Opsgenie, Teams, Jira, Linear, GitHub Issues, ConnectWise, Autotask, NinjaRMM, Kaseya, ServiceNow, Splunk, Datadog, Elasticsearch, and more. Event-driven alerts for security, compliance, convergence, and secret rotation.

AI assistant

Ask questions about your fleet in natural language. Backed by Claude, OpenAI, or Ollama. The assistant has tool access to query envoys, read configs, check compliance, and explain convergence results.

💻 Infrastructure

Bare metal lifecycle, system inventory, and fleet-wide visibility.

Works behind any firewall

Agents connect outbound to the server — the server never connects inbound. Laptops behind home routers, VMs behind security groups, mobile devices on cellular — all work without VPNs, port forwarding, or firewall rules. Only two outbound ports required.

33 trait collectors

OS, hardware, network, disk, CPU, GPU, firmware, security scan results, package counts, TPM, NIC drivers, and more. Custom trait collectors for site-specific inventory. All traits available in templates and when: expressions.

Sandgorgon bare metal lifecycle

Commission, provision, and decommission physical servers. Redfish BMC integration, iPXE boot, preseed/autoinstall/kickstart templates, and NIST 800-88 compliant drive sanitization with certificates.

Config trace

One command shows the complete resolution chain for any node: path inheritance, module resolution, variable overrides, dependency DAG, compliance tags, waivers, and conditional expressions — all traced to the exact source file.

Prometheus metrics

54 metrics exposed at /metrics: convergence breakdown, security posture (CVEs by severity, hardening, rootkit/malware/integrity), risk distribution, and fleet counters. Three pre-built Grafana dashboards.

Hub-spoke federation (Spanner)

When one server isn't enough, fan out enrollment, queries, and tasks across spoke servers. Each spoke manages its own fleet. The hub aggregates. No shared database.

Tamper-evident audit trail

Every administrative action — enrollment, revocation, task dispatch, secret access, config publish, Scrier session — recorded in a hash-chained audit log. Export for compliance evidence.
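An added illustration of what "hash-chained" buys a defender, not Vigo's implementation: each entry commits to the hash of the entry before it, so editing or deleting any record breaks every link after it. The record field names, the SHA-256 chaining scheme and the sample records are assumptions made for the example. It also shows the one thing a bare chain does not catch, truncation of the tail, and how anchoring the latest hash outside the log (for instance in the exported compliance evidence) closes that gap.

```python
"""Constructed illustration of a hash-chained (tamper-evident) audit log.
Not Vigo's implementation: field names and the SHA-256 chaining scheme are assumptions."""
import copy
import hashlib
import json

GENESIS = "0" * 64   # the hash the first entry chains to


def _entry_hash(prev_hash, record):
    # Canonical JSON (sorted keys, no whitespace) so equal records hash identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(log, record):
    """Append a record; the new entry commits to the previous entry's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"prev": prev, "record": record, "hash": _entry_hash(prev, record)}
    log.append(entry)
    return entry["hash"]


def verify(log, expected_head=None):
    """Walk the chain from GENESIS.

    Returns (True, None) if every link holds, otherwise (False, index) for the first
    entry whose prev pointer or hash does not match. If expected_head (the latest hash,
    anchored somewhere outside the log) is given, a log that verifies internally but
    ends at a different hash is reported as truncated: (False, len(log)).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None


def build_sample_log():
    """Constructed records in the spirit of the actions the page lists."""
    log = []
    for record in [
        {"seq": 1, "actor": "alice", "action": "enroll", "envoy": "web-01"},
        {"seq": 2, "actor": "alice", "action": "task_dispatch", "envoy": "web-01", "task": "apt-upgrade"},
        {"seq": 3, "actor": "bob", "action": "scrier_session", "envoy": "web-01", "protocol": "ssh"},
    ]:
        append(log, record)
    return log


def demo():
    """Show that an edit, a deletion and a truncation are each detected."""
    log = build_sample_log()
    head = log[-1]["hash"]              # what an external anchor would record
    edited = copy.deepcopy(log)
    edited[1]["record"]["actor"] = "mallory"   # rewrite who dispatched the task
    deleted = copy.deepcopy(log)
    del deleted[1]                             # drop the task dispatch entirely
    truncated = copy.deepcopy(log)[:-1]        # cut off the newest entry
    return {
        "intact": verify(log, head),
        "edited": verify(edited, head),
        "deleted": verify(deleted, head),
        "truncated_unanchored": verify(truncated),
        "truncated_anchored": verify(truncated, head),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22} -> {outcome}")
```

The "truncated_unanchored" case verifies cleanly, which is why an exported evidence bundle should carry the head hash at export time: an auditor comparing that value against the live log can tell whether entries were dropped from the end after the fact.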

Swarm P2P distribution

Distribute large files across the fleet using peer-to-peer transfer over mTLS. Agents share chunks with each other — no server bottleneck. Envoy-seeded or CLI-initiated. Real-time progress tracking per envoy with chunk source visualization.

Vigosync — per-user file sync

Drop a file in ~/vigosync/ and it appears on every other machine where you have an account. No config, no commands. Built on swarm P2P transport. Cross-platform: Linux, macOS, Windows.

Try it now

Free for 25 nodes.* All features included. No credit card.

* Free tier is for evaluation purposes only and is provided AS IS with no support obligation. See Commercial Terms.