New features
Remote sessions & recording
Once an agent is deployed, technicians can operate the endpoint from the browser — an interactive terminal, a live remote desktop (WebRTC by default, JPEG fallback), and SOCKS tunnels to services behind the machine — all over the agent’s outbound connection, with no inbound firewall ports opened on the customer’s side. Sessions can be recorded and replayed as short WebM segments that the agent uploads over expiring, one-shot tokens; the Recordings dashboard and each ticket’s Recordings panel seal the segments into a single playable file. Every list, stream, and playback request writes a security-audit entry (who, when, IP, user agent), and cross-tenant access is blocked at the row level. See Remote sessions & recording.
Device vault & FortiGate automation
Encrypted storage for network-device credentials plus AI-driven FortiGate firewall automation. API keys, usernames, and passwords are AES-256-GCM encrypted on save; list responses never return secrets. Supported actions include block IP (address object + deny policy, optionally bidirectional), create address / deny policy, enable IPS signatures, configure TLS syslog to the SIEM, and upload the tenant CA. Actions are created as Nexie security tasks in pending_approval — a technician approves (optionally a subset), NEXOS CORE executes against the live firewall, and a posture snapshot and audit rows are written. See Device vault & firewall control.
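An added example, not NEXOS CORE's own code, showing a fail-closed version of the device-vault encryption described above in Go: it assumes the caller has already decoded the SIEM_ENCRYPTION_KEY value to 32 bytes, binds the tenant ID as AEAD associated data, and treats a missing key as an error rather than falling back to plaintext storage (the behaviour noted under Known limitations).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// Added example, not NEXOS CORE's own code: a fail-closed credential vault. The platform
// reads SIEM_ENCRYPTION_KEY; here the caller passes the decoded 32-byte AES-256 key.
type Vault struct{ aead cipher.AEAD }

// NewVault refuses to start without a proper key instead of falling back to plaintext.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("vault: encryption key unset or wrong length; refusing plaintext storage")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // cannot fail for an AES block; err is still propagated
	return &Vault{aead: aead}, err
}

// Seal encrypts one credential field under a fresh random nonce. The tenant ID is bound
// as AEAD associated data, so a blob moved to another tenant's row will not open.
func (v *Vault) Seal(tenant, secret string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(secret), []byte(tenant)) // nonce || ciphertext || tag
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open verifies the GCM tag and decrypts; tampering or a tenant mismatch returns an error.
func (v *Vault) Open(tenant, blob string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	n := v.aead.NonceSize()
	if err != nil || len(raw) < n {
		return "", errors.New("vault: malformed blob")
	}
	pt, err := v.aead.Open(nil, raw[:n], raw[n:], []byte(tenant))
	return string(pt), err
}
```

A list endpoint built on this would return only the row metadata and never call Open, matching the "list responses never return secrets" behaviour described above.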
Infrastructure verification
A per-client asset registry — firewalls, servers, switches, access points, domain controllers, VPNs, backups, printers, cloud services, and workstations — built by hand, from a runbook CSV, or synced from Hudu. Run verification sweeps to confirm reachability by HTTP/HTTPS, SSH, LDAP, or a generic TCP port; results are cached on each device and written to an append-only audit trail, bucketed as verified, unreachable, timeout, protocol error, or pending, with average latency. Feeds compliance, SIEM, and RMM. See Infrastructure verification.
Host & service health
A real-time operations view of the NEXOS CORE platform host itself — live CPU, memory, disk, network, load averages, and uptime, plus concurrent probes of ecosystem components (HTTP, TCP, PostgreSQL, systemd process). Click a component for extended metrics — for PostgreSQL, database sizes, connections, cache-hit ratio, and top slow queries when pg_stat_statements is available. Operators can restart core services (nexusos-psa, postgresql, nginx, docker) directly from the dashboard, with every restart audit-logged. See Host & service health.
Known limitations
- Remote sessions — session recording is Windows-only; macOS and Linux capture paths are stubs. Cross-network remote desktop needs a TURN server — with STUN only it falls back to same-LAN. Concurrency is fixed at 3 sessions per agent, 50 total, with a 30-minute idle timeout.
- Device vault — FortiGate is the only supported vendor today. The platform encryption key (SIEM_ENCRYPTION_KEY) must be set in production — without it, credentials fall back to plaintext storage. TLS verification on the FortiGate client is off by default; enable verify_tls on the credential for strict checking.
- Infrastructure verification — sweeps check reachability, not authentication — a “verified” result means the port answered, not that credentials work. Sweeps target public management endpoints only; an SSRF guard blocks private/LAN, loopback, and cloud-metadata addresses, so LAN-only gear will fail HTTP verification by design. SNMP and RMM-agent device types always report pending — they aren’t actively probed here.
- Health dashboard — most host metrics are Linux-only (they read /proc and /etc/os-release; disk also works on macOS). Service restart requires systemd with passwordless sudo and is limited to a fixed whitelist. The PostgreSQL probe checks the NEXOS CORE application database only.
