Architecture · Microkernel + Plugins

Cyber resilience by design, not by retrofit.

A small, stable update-server kernel. Opt-in plugins for AI, compliance, and vulnerability data. Two database isolation tiers. Built so the system keeps working through incidents, and so the operator can keep working with it under pressure. CRA compliance follows from the engineering. So does whichever other regulatory framework matters where you operate.

PatternMicrokernel + plugins

Storageγ → β migration path

PostureResilience-first

StatusArchitecture v1

Early access

Stay in the loop.

Fleet is in early access. Leave your email and we'll keep you posted — new capabilities, CRA milestones, and your invitation when a demo instance opens up.

The premise

Resilience first. Compliance follows.

The question for any infrastructure operator is no longer how to keep adversaries out. It is whether the system keeps working anyway, and whether the operator can keep working with it when the pressure peaks. Fleet is built for both halves of that answer.

Resilience. A microkernel that stays small and stable. Plugins that can fail without bringing the rest down. An event bus the system uses to observe itself and recover without ceremony. Compile-time safety properties so the kinds of bugs that normally let attackers in (a forgotten permission check, an unredacted prompt going out to an LLM, an AI verdict promoted without a human signature) are caught by the Rust type system before the code ships. They become build failures, not production breaches.

Usability under pressure. Day-to-day usability matters. Under-pressure usability matters more. Fleet is the system an operator reaches for when they are pushing emergency updates during an active attack, when the dashboard is the difference between containment and escalation, when wrong clicks have real consequences. The interfaces, the flows, the amount of thinking required at each step are all designed for that moment, not the calm one.

And the operator should not be thinking about documentation while the fire is still burning. When Fleet detects an incident, a black box opens. Every action, every decision, every system response, every artefact gets captured automatically. The operator's job is to put the fire out. Fleet's job is to keep the record that protects them afterwards. Liability cover. Insurance cover. The evidence a notified body wants to see when they ask what happened. None of it asks the operator to remember to write anything down.

Compliance as consequence. The CRA and every other regulatory framework Fleet reaches codifies what auditors and regulators have learned about how things actually break. A system genuinely built to keep working through breakage, and to let its operators stay effective under pressure, will look conformant to those frameworks without trying. It will also adapt as the frameworks evolve, because nothing in the design is bolted to a fixed version of any of them.

Fleet, like the CRA, is a work in progress. The architecture described here is the current shape, not a final state. We are looking for partners to work with on the resilience, the compliance, and the usability this kind of product needs. If you are an operator, a regulator, a security team, or a design partner working in this space, talk to us.

Architecture · part one

Fleet has three AI surfaces.

Each faces a different direction. Each serves a different purpose. Conflating them produces audit pain and architectural confusion. Separating them is the first move toward a resilient AI posture.

Inbound

MCP server

External AI drives Fleet. Claude Code, Cursor, Continue, Copilot, future agents call tools through Fleet's MCP server. 49 tools across 4 tiers (read · write · admin · cra). Each plugin contributes its own tools to a shared registry.

"AI is external, Fleet is the tool it drives."

Onboard

The advisor

Fleet's own internal AI module. Does CRA work, scan explanation, patch notes, risk triage. A contained box: redact, prompts, validate, providers, audit chain, response cache, Ed25519 signing. Returns advisories, never verdicts. Promotion to a signed conformity artefact passes through a human-signature gate.

The advisor's tools can optionally be exposed through the inbound MCP server when appropriate, or kept onboard-only for sensitive paths.

Outbound

Fleet as client

Fleet calls external services. Two flavours. The advisor talks HTTPS to LLM providers (Anthropic, OpenAI, Ollama, vLLM, LM Studio) for its consultations. The MCP layer talks MCP-as-client to external MCP servers: cybersec MCP, knowledge MCPs, databases, potentially other Fleet instances.

The fleet-mcp crate is bidirectional: SERVER face handles inbound, CLIENT face handles outbound MCP.

v1.0 starting point

γ Architecture. Two logical databases, one PostgreSQL instance.

Strict isolation between the update server's data (fleet_core) and the plugins' data (fleet_plugins). Plugin queries to update-server data are physically impossible. PostgreSQL does not permit cross-database queries. The event bus is the only path.

Option γ. Kernel + update-server + four plugins. Two logical databases. v1.0 starting point.

Option γ — Fleet Microkernel Architecture

"The bus is a dumb, strong relay. It does one thing: deliver events from publishers to subscribers within the same process. This keeps the bus dumb and fast. The intelligence is in the subscribers." — src/events.rs

The kernel and the plugins

Kernel. Two small, stable crates. fleet-bus is the broadcast relay: at-most-once delivery, subscribers persist their own jobs. fleet-core holds the shared primitives every plugin needs. Types, auth middleware, db connection pools, principal threading, config, error types. No domain logic. The interface freezes early and changes slowly.

Update-server. fleet-update is the original product. Release management, applications, downloads, assets, users, billing, S3, notifications, GitHub webhooks, SBOM, scans, findings, evidence. It publishes events to the bus; everything else subscribes. It owns the fleet_core database. This crate ships alone as the lean update-server-only product.

The plugins

Plugin	Purpose	Owns / contributes
`fleet-mcp`	Bidirectional MCP gateway. SERVER face for inbound external AI; CLIENT face for outbound calls to external MCP servers.	Tool registry. Each plugin contributes its own tools. Principal threading enforced at the crate boundary. No schema; serves `/mcp`.
`fleet-advisor`	Onboard AI funnel. The contained box: redact, prompts, validate, providers, audit chain, response cache, Ed25519 signing.	Returns `Advisory`, never `FindingStatus`. Owns the `advisor` schema in `fleet_plugins`.
`fleet-cra`	First regulatory plugin. EU Cyber Resilience Act. 23 Annex I requirements, risk classification, evidence collection, retention policy, ENISA 24h/72h/14d reporting state machine.	Owns the `compliance` schema. First consumer of `fleet-advisor`.
`fleet-cybersec`	Vulnerability data ingestion. OSV.dev, NVD, vendor feeds. Three deployment modes (local, managed, hybrid; see plugin pattern below).	Owns the `cybersec` schema. Feeds `fleet-cra`.

The event bus

The API contract between the update-server and the plugins. fleet-update publishes release.published, scan.completed, release.deleted, and so on. Plugins subscribe to the events they care about. The bus is the only way plugins learn about update-server state changes. No plugin queries fleet_core.

Migration target

β Architecture. Failure-isolated, two physical PostgreSQL hosts.

Same kernel, same update-server, same four plugins, same bus, same external surfaces. The storage tier is where γ and β differ. The difference matters operationally when failure isolation, independent retention regimes, or geographic separation become real requirements.

Option β. Same shape as γ. Two physically-separate PostgreSQL instances. Migration target.

Option β — Fleet Microkernel Architecture (failure-isolated)

What β gives you that γ doesn't

Failure isolation. If fleet-core-pg goes down for maintenance, the plugin tier doesn't crash. If fleet-plugins-pg goes down, the update server keeps shipping releases; CRA workflows pause but core distribution continues.
Independent backup regimes. fleet-plugins-pg carries the 10-year CRA retention burden; it can be on cheaper, slower disk with daily snapshots to cold storage. fleet-core-pg can be on fast disk with continuous WAL streaming for low RPO.
Independent scaling. The plugin tier handles audit-chain writes for every advisor consult; it can be scaled independently of the update server.
Provable isolation for regulators. A notified body asking "where does the audit chain live, who can write to it?" gets a one-sentence answer: a separate database on a separate host that the update-server cannot reach.

Migration γ → β is config-only

The application is already written assuming the two pools are independent. Migrating γ → β is operational, not architectural:

Stand up fleet-plugins-pg host
pg_dump fleet_plugins | pg_restore to the new host
Switch FLEET_PLUGINS_DB_URL to point at the new host
Restart Fleet
Drop the old fleet_plugins database from the original host

Total downtime: minutes. Zero application code changes.

Extensibility

The plugin pattern generalises.

Two stories sit underneath the architecture. Both fall out of the kernel + plugin shape. Both matter commercially.

Cybersec. Three deployment modes from one crate.

Vulnerability data exists in two real-world forms, and the architecture supports both as deployment modes of the same fleet-cybersec plugin:

Mode	Where the data lives	Who it's for
Local	`fleet-cybersec` owns the `cybersec` schema. Periodic ingestion of OSV.dev / NVD / vendor feeds. All lookups local.	Air-gapped customers, sovereignty requirements, regulated environments
Managed	No local schema. `fleet-cybersec` is a thin client that calls CrabNebula's hosted cybersec MCP via `fleet-mcp::client`. Always state-of-the-art.	SaaS-tier customers who pay for always-current vulnerability intelligence
Hybrid	Local schema for cached lookups plus outbound MCP for queries that miss cache or require state-of-the-art context.	Mixed-trust environments and enterprises with intermittent connectivity

One crate. Mode selected via FLEET_CYBERSEC_MODE=local|managed|hybrid. The interface exposed to fleet-cra is the same regardless of mode. fleet-cra does not know or care where the CVE data came from.

Regulatory frameworks. CRA is the first, not the only.

The architectural shape of fleet-cra is the shape of every regulatory framework. Same components (requirement catalogue, workflow state machine, evidence collection, retention policy, reporting deadlines) bound to different jurisdictional specifics.

Plugin	Framework	Region / Domain
`fleet-cra`	EU Cyber Resilience Act	European market. First regulatory plugin, target Sept 2026.
`fleet-soc`	SOC 2	US service organisations
`fleet-fedramp`	FedRAMP	US federal procurement
`fleet-iso27001`	ISO/IEC 27001	International information security
`fleet-hipaa`	HIPAA Security Rule	US healthcare
`fleet-pci`	PCI DSS	Payment card industry
`fleet-essential8`	Essential Eight	Australia (ASD)
`fleet-…`	any framework	added by the same plugin shape

The advisor, audit chain, and signing surface together make up the compliance kernel. Each regulatory framework is a framework plugin riding on that kernel. A customer needing EU and US compliance enables both fleet-cra and fleet-soc. Same machine, same advisor, same audit infrastructure, two reporting outputs.

Regulatory grounding

Update Server. Built toward CRA's secure-update standards.

The CRA's secure-update standards are not yet finalised. The prEN 40000 series is in active drafting. Vertical standards reuse a cross-cutting framework that is itself still being shaped in EU working groups. Mohamad Hajj's CRA — Secure update package for vertical standards, v02 (13 April 2026), is the latest published version of that framework. Fleet's update server tracks the standard as it gets written. We build toward the published version, re-measure against each new draft, and design the architecture to absorb whatever comes next.

Architectural posture. Credentials for critical infrastructure.

Fleet's architectural choices were made before the Hajj framework crystallised. They have continued to line up with it as it has developed, not because they were retrofitted to match. The credentials a critical-infrastructure pitch should cite:

Zero cryptographic signing keys on the server. A server breach does not enable forgery, only replay of what the developer has already signed. Signing key material lives in the developer's CI environment, never on the Fleet server.
Rigorous dependency-reduction workflow. 542 audited crates, 4 banned in deny.toml, 2 vendored. Hand-written S3 client replacing approximately 10,000 lines of third-party code. cargo audit and cargo deny green.
TLS termination outsourced to a purpose-built reverse proxy rather than handled in-process. rustls in-tree; OpenSSL banned at the dependency policy level.
CRA Article 23 ten-year retention already encoded in the evidence schema (migration 004, enforced by 006).
On-premises only. No freemium hosting. The customer owns the distribution data. Fleet deploys natively inside air-gapped networks, with no outbound calls in the core delivery path.

Hajj scenarios A–E. Fleet's support.

Scenario	What it covers	Status	Note
A · Package signature verification by product	Product holds trust anchor, verifies signature locally before installing.	🟢	Full for Tauri consumers via in-band signature delivery. Supported for non-Tauri consumers via the generic download path.
B · Integrity-only verification	Product verifies update integrity via hash. Authenticity via compensating controls. For CLI tools, firmware, IoT.	🟡	Path to v1.0: `content_sha256` on the `assets` table, plus a response surface to expose it.
C · Authenticated secure-channel update delivery	Product accepts updates only via authenticated secure channel (TLS, mTLS, PSK).	🟢	Correctly outsourced to reverse proxy in default deployment (Caddy, TLS 1.3, HSTS, hostname validation).
D · Closed-enclave / air-gapped-network deployment	Updates via controlled local/offline mechanisms.	🟢	Fleet's on-premises-only, no-outbound-calls, S3-via-local-MinIO architecture is what defence, NATO, and critical-infrastructure operators need for closed-network deployment.
E · Platform-managed signature verification	Trusted OS component (dpkg, rpm, msiexec) verifies signature on behalf of the product.	🟢	Passive conformance. Fleet is a neutral blob host for `.deb`, `.rpm`, `.msi`.

Hajj common requirements: R-SU-2, R-SU-3, R-SU-4

ID	Requirement	Status	Note
R-SU-1	Baseline. Authenticity and integrity verification prior to installation.	🟢	Delegated to product by design. Zero key material on server.
R-SU-2	Anti-rollback / version control on every public path	🟡	Policy engine implemented; v1.0 wiring across every public wire path.
R-SU-3	Authorized rollback (when supported by use case)	🟡	Handler scaffolding present; v1.0 makes it operational across every policy variant.
R-SU-4	Atomic update / recovery mode	🟢	Product-side concern; Fleet's contribution is the availability tail of the delivery process.

Assessment methodology. Fleet's secure-update posture has been measured against the Hajj framework via a 12-pass source-verified inventory and cross-model verification (Claude internal audit + Gemini Inspector General). Every claim above is anchored at file:line in the codebase. Notified bodies and customer security teams can request the full inventory and the cross-model verification trail.

A moving target, and Fleet's posture toward it.

The Hajj framework v02 (April 2026) is not the final word. The prEN 40000 series is in active drafting. The CRA's vertical standards are being shaped in working groups across the EU. ENISA guidance shifts. Notified bodies are still calibrating their assessment criteria. This is normal for regulation reaching a market this large.

Fleet's posture toward the moving target:

Continuous measurement against the latest published version. Currently Hajj v02. Every new draft and guidance release is reviewed within the development cycle that follows it. The internal source-verified inventory gets re-run against the new criteria.
Architecture engineered to absorb framework evolution. The kernel and plugin shape means regulatory plugins (fleet-cra, fleet-soc, and the rest) can be revised independently of the update server. The compliance kernel (advisor, audit chain, Ed25519 signing) is framework-agnostic. It serves whatever workflow each plugin requires.
Conformance evidence structured for re-assessment. Audit records are immutable and retention-policy-tagged. When the standards shift, prior assessments don't have to be regenerated. They get re-validated against the new criteria.

Fleet's bet is on infrastructure that moves with the standards rather than freezing against any single snapshot of them. The moving target is treated as a feature of the operating environment, not a bug to wait out.

What this means for customers.

The update server is not a turn-key path to CRA compliance. CRA conformance is the manufacturer's responsibility under Module A, and the standards governing it are still being written. What Fleet provides is the distribution infrastructure CRA-aligned operations require. An architecture built toward Hajj's framework as it gets written. Re-measured against the latest published draft. Deployed on-premises, within the customer's own control.

Plug Fleet into a CRA-aligned product process and the digital-distribution leg is well-served by the architecture. The evidence trail Fleet produces (release artefacts, signature provenance, SBOMs, audit chain) is what a notified body wants to see today, and what re-validates cleanly as the assessment criteria mature.

Compliance with any framework is the consequence, not the goal. The goal is the system that keeps the lights on through every kind of incident, learns from each one, and adapts as the standards governing it shift. Frameworks are codified versions of what keeps the lights on. Fleet is built for that. Conformance follows.

Shippable

Editions. What's compiled when.

The workspace is structured as kernel + update-server + opt-in plugins. Each composition is a different product edition, compiled from the same source via cargo features.

Edition	Crates linked	Use case
Fleet Distribution	`fleet-bus` + `fleet-core` + `fleet-update` + dashboard	Release management, updates, licensing, fleet visibility. Tracks CRA's evolving secure-update standards. No AI, no compliance workflow plugins.
Fleet AI	+ `fleet-advisor` + `fleet-mcp`	Customers who want AI assistance (advisor) and MCP integration (Claude Code, Cursor, etc. drive Fleet).
Fleet CRA	+ `fleet-cra` + `fleet-cybersec`	EU customers needing full CRA conformity infrastructure: assessment workflow, evidence collection, ENISA reporting state machine, vulnerability intelligence.
Fleet Multi-Framework	+ `fleet-soc` / `fleet-fedramp` / `fleet-iso27001` / etc.	Customers operating across multiple jurisdictions, sharing one advisor + audit infrastructure across all frameworks.
Fleet CLI only	`fleet-cli-bin` only	A developer using `fleet` to publish releases from CI. No server-side dependencies.

Compile-time enforced

Architectural safety properties.

The kernel + plugin split is not just organisational. It makes several whole-product safety properties enforceable at the compile level, not at the developer-discipline level. Compile-time impossibility rather than runtime hope.

Safety property	How the architecture enforces it
Authorization is uniform across all surfaces.	The auth middleware and Principal type live in `fleet-core`. Every plugin's HTTP routes, MCP tools, and CLI handlers consume them. Privilege escalation through a forgotten scope check becomes a compile-time impossibility rather than a developer discipline.
Redaction precedes every outbound LLM call.	The `AdvisorBackend` trait in `fleet-advisor` takes `RedactedRequest`, not `AnalysisRequest`. A new backend that forgets to redact does not compile. Type-system enforcement rather than runtime hope.
Audit is written before every advisory returns.	The `AdvisorEngine::consult()` function is the single entry point. It writes the audit record before returning. If the audit write fails, the call fails. Audit is part of the contract, not an afterthought.
Schema isolation is enforced at the database boundary.	The update-server's pool can only see `fleet_core`. Plugin pools can only see `fleet_plugins`. Cross-database queries are not possible. PostgreSQL forbids them. Schema-level grants stop plugins writing to each other's tables. The boundaries are physical, not policy.
The advisor returns advisories, never verdicts.	The `Advisory` and `FindingStatus` types live in different modules with no `From` impl between them. There is no code path from an advisor consultation to a signed conformity artefact that does not pass through the `verify_and_promote()` Ed25519 gate. The architecture maps directly to the human-signature requirement of CRA Module A (internal control, Annex VIII), and will hold as the harmonised standards refine it.
Cross-tier traffic is observable.	The bus is the only path between the update server and the plugins. Every cross-tier event is published, persisted (outbox pattern), and replay-able. There is no hidden coupling for compliance auditors to discover.