Skip to content

Nexus Fleet

Local Registry MVP — 2026-06-08

Nexus Fleet is the cluster profile — an 8–40MB system for multi-node deployments, distributed computing, and edge infrastructure.

Current implementation status: the hosted production Fleet portal UI is still planned. The local nexus fleet CLI can already consume runtime proof images, register devices, show installed package CIDs, diff package drift, verify a local Ed25519 boot attestation, enforce local DID/VC trust and revocation policy, push signed HTTPS/UTCP device snapshots, complete HTTPS/UTCP remote-attestation challenge-response sessions, enforce a hardware-sealed attestation profile with dev-sealed evidence or imported TPM2/TEE-shaped physical quote evidence, and roll a device record back to a previous recorded generation with a local NXS boot activation record. The collector also exposes a signed local nexus-fleet-portal-status/v1 status artifact; that is not a hosted production portal.

Target Hardware

  • Rack servers (x86_64, ARM64)
  • Edge computing nodes
  • Distributed sensor networks
  • Quantum computing farms (future)

What's Included

Everything in Nexus Core, plus:

  • Rumkv hypervisor (mandatory for multi-tenant isolation)
  • NexFS Mesh with federation extensions
  • UTCP with tensor extensions for AI workloads
  • ProvChain Network (distributed audit trail)
  • Mesh topology and peer discovery (HyParView)
  • Federation economics (Kinetic Tokens, $STASIS Bonds)

Cluster Features

Mesh Storage

NexFS nodes in a Fleet cluster form a storage mesh:

  • Content-addressable deduplication across nodes
  • DAG-based version synchronization
  • Automatic data placement based on access patterns
  • Vouch ceremony for node admission

Distributed ProvChain

Fleet nodes maintain a distributed ProvChain:

  • Each node's audit trail is replicated to peers
  • Consensus on system state across the cluster
  • Tamper detection through cross-node verification

UTCP Tensor Extensions

For AI/ML workloads, Fleet includes UTCP extensions for:

  • Soft-RDMA for large tensor transfers
  • Zero-copy scatter/gather for distributed training
  • Priority scheduling for gradient synchronization

Build

sh
nexus build --profile=fleet --arch=x86_64 --nodes=16
nexus build --profile=fleet --arch=aarch64 --variant=edge

Local Fleet Registry Proof

Create a runtime proof image from a local package proof, then register devices:

bash
nexus forge npk-proof hello-npk
nexus build --edition=micro --arch=x86_64 --local-proof
nexus runtime install-proof \
  --local hello-npk \
  --image ~/.nexus/artifacts/nexus-micro-x86_64.img \
  --output ./runtime-hello.img

nexus fleet register --device=qemu-a --runtime-image ./runtime-hello.img
nexus fleet register --device=qemu-b --runtime-image ./runtime-hello.img
nexus fleet list
nexus fleet show qemu-a
nexus fleet diff qemu-a qemu-b
nexus fleet attest qemu-a

Fleet state is written to:

text
$NEXUS_HOME/registry/fleet-devices.json

Each device generation records:

  • local Ed25519 device identity key id
  • local did:nexus:device:* resolution record
  • NexusDeviceIdentityCredential device VC
  • local Fleet trust-root and revocation policy status
  • runtime image Variant-CID
  • installed package Variant-CIDs
  • NRP installed-package paths
  • read-only NexFS /sysro paths
  • capability policy from the runtime proof manifest
  • boot attestation measurements and signature

Update and rollback are generation-based:

bash
nexus fleet update --device=qemu-a --runtime-image ./runtime-next.img
nexus fleet rollback --device=qemu-a

Rollback verifies the target generation, repoints local nxs current to the target runtime proof generation, and writes:

text
$NEXUS_HOME/boot/fleet-activation/<device>.json
$NEXUS_HOME/boot/next-generation.json

Those records bind the Fleet generation, runtime Variant-CID, NXS generation, NexFS /sysro/generations/... path, NexFS TimeWarp CAS root, registry TX, bootloader nexus.cas_root / nexus.registry_tx parameters, NRP installed path, and boot attestation BLAKE3.

The pending activation is boot-consumable through the local NXS handoff:

bash
nexus nxs boot verify
nexus nxs boot apply
nexus nxs boot status
nexus nxs boot kernel-intent
nexus nxs boot execute-rollback
nexus nxs boot export-handoff --output ./nexusboot-handoff.json
nexus nxs boot validate-handoff ./nexusboot-handoff.json
nexus nxs boot consume-handoff ./nexusboot-handoff.json --output ./consumed-handoff.json
nexus nxs boot verify-consumption ./consumed-handoff.json
nexus nxs boot install-consumption ./consumed-handoff.json --output ./installed-handoff.json
nexus nxs boot verify-install ./installed-handoff.json
nexus nxs boot install-media ./installed-handoff.json --media-root ./nexusboot-media --output ./media-install.json
nexus nxs boot verify-media-install ./media-install.json
nexus nxs boot activate-media ./media-install.json --output ./media-activation.json
nexus nxs boot verify-media-activation ./media-activation.json
nexus nxs boot execute-media-rollback ./media-activation.json --output ./media-rollback.json
nexus nxs boot verify-media-rollback ./media-rollback.json
nexus nxs boot status-media-rollback ./media-rollback.json --output ./rollback-status.json
nexus nxs boot verify-media-rollback-status ./rollback-status.json
nexus nxs boot attest-media-firmware ./rollback-status.json --output ./media-firmware-proof.json
nexus nxs boot verify-media-firmware ./media-firmware-proof.json
nexus nxs boot export-media-recovery ./rollback-status.json --output-dir ./media-recovery
nexus nxs boot verify-media-recovery ./media-recovery
nexus nxs boot confirm
nexus nxs boot failback

apply writes:

text
$NEXUS_HOME/boot/applied-generation.json
$NEXUS_HOME/boot/nexfs-selection.json
$NEXUS_HOME/boot/loader/nexus-next.cmdline
$NEXUS_HOME/boot/nexus/boot.kdl
$NEXUS_HOME/boot/nexus/default.kdl

kernel-intent writes:

text
$NEXUS_HOME/boot/nexfs-rollback-intent.json

That intent binds the selected TimeWarp BLAKE3 CAS root, the published snapshot-node BLAKE3 CID, the local NexFS snapshot CAS index, the resolved node path, the decoded 32-byte root payload, registry TX, snapshot manifest, boot-selection BLAKE3, and the Membrane execute_snap_rollback / nexfs_snap_rollback(Blake3Hash) consumer path. The current Membrane parser is core/rumpk/libs/membrane/fs/sovereign/boot_intent.nim; it validates the artifact, validates the root bytes, returns the snapshot CID as the typed Blake3Hash payload, and dispatches it to a rollback executor boundary. Production builds expose the real execute_snap_rollback path when the NexFS sovereign FFI is linked. On the NexFS side, rollbackToSnapshotRoot now proves the mutable rollback mechanism: once a TimeWarp snapshot has been resolved to a root CID, NexFS can atomically commit that root through the dual-copy Root Register. resolveSnapshotRollbackTarget authenticates CAS-loaded snapshot bytes against their BLAKE3 CID and decodes the DAG snapshot root before rollback. The exported nexfs_snap_rollback(Blake3Hash) path now executes when the sovereign FFI is bound to a live FlashInterface, rollback buffers, and a CAS snapshot reader. NexFS.init can bind that sovereign runtime from mount configuration for Sovereign-profile volumes. nexus nxs boot execute-rollback now resolves the published snapshot node by BLAKE3 CID through the local NexFS snapshot CAS index, runs the active Fleet intent against local Sovereign NexFS media, verifies the Root Register current root equals the selected BLAKE3 root, and writes:

text
$NEXUS_HOME/boot/nexfs-rollback-execution.json

export-handoff writes a signed nexus-fleet-boot-handoff-bundle/v1 bundle that binds the active NexusBoot KDL files, command line, applied generation, boot selection, rollback intent/execution artifacts when present, NexFS TimeWarp CAS root, snapshot CID, CAS index, CAS record BLAKE3, registry TX, and boot-selection BLAKE3. validate-handoff verifies the bundle BLAKE3, Ed25519 signature, key id, artifact BLAKE3s, command-line parameters, and NexusBoot KDL state before firmware or an operator treats it as the selected boot contract. consume-handoff verifies that same signed bundle and writes a local nexus-firmware-boot-handoff-consumption/v1 decision proof plus $NEXUS_HOME/boot/firmware/next-entry.kdl. verify-consumption revalidates the decision BLAKE3, handoff bundle, firmware entry, command line, NexusBoot selection, and NexFS TimeWarp fields. install-consumption verifies the consumption proof, installs the selected entry into $NEXUS_HOME/boot/nexus/installed-next-entry.kdl, and writes a signed nexusboot-installed-handoff/v1 manifest binding the installed entry, consumption proof, signed handoff, command line, NexusBoot KDL files, and NexFS TimeWarp fields. verify-install revalidates the manifest BLAKE3, Ed25519 signature, installed artifact BLAKE3s, and selected boot parameters. install-media verifies that signed install manifest, copies the selected NexusBoot entry, bootloader command line, KDL files, firmware entry, consumption proof, handoff bundle, and copied install manifest onto an explicit operator-supplied media root, and writes signed nexusboot-media-install/v1 proof. verify-media-install revalidates the media manifest BLAKE3, Ed25519 signature, source install payload BLAKE3, copied source-install file BLAKE3, copied media file BLAKE3s, media-root containment, selected command line, NexusBoot KDL state, and NexFS TimeWarp fields. activate-media reads the media-root install proof and boot-visible NexusBoot files, then writes signed nexusboot-media-activation/v1. verify-media-activation revalidates the activation BLAKE3, Ed25519 signature, media install BLAKE3, boot-file BLAKE3s, command-line binding, NexusBoot KDL state, firmware entry, and NexFS TimeWarp fields. The activation policy records firmware_execution=not-claimed. execute-media-rollback verifies the activation, writes <media-root>/boot/proofs/nexfs-media-rollback-intent.json, formats <media-root>/boot/nexfs-rollback-media.img, runs the NexFS rollback proof against that explicit media root, and writes signed nexus-nexfs-media-rollback-execution/v1. verify-media-rollback revalidates the activation, install proof, rollback intent, media-root containment, selected BLAKE3 root commit, snapshot CID consumption, execution digest, and firmware_execution=not-claimed policy. status-media-rollback writes boot-visible <media-root>/boot/nexus/rollback-status.kdl plus signed nexusboot-media-rollback-status/v1. verify-media-rollback-status revalidates the status manifest BLAKE3, Ed25519 signature, media rollback execution binding, media activation binding, KDL file BLAKE3, selected root/snapshot fields, and firmware_execution=not-claimed policy. attest-media-firmware reads the boot-visible media-root command line, NexusBoot KDL files, firmware entry, rollback status KDL, and selected rollback fields, then writes <media-root>/boot/firmware/rollback-proof.kdl plus signed nexusboot-media-firmware-proof/v1. verify-media-firmware revalidates the rollback status binding, media activation binding, boot-visible file BLAKE3s, firmware proof KDL, selected root/snapshot fields, Ed25519 signature, and policy: firmware_execution=operator-media-read-proof, production_firmware_execution=false, and rollback_source=operator-media-root. export-media-recovery writes signed nexusboot-media-recovery-bundle/v1, copying the media install proof, media activation proof, rollback intent, rollback execution proof, rollback status proof, boot-visible rollback status KDL, rollback media image, and selected NexusBoot boot files into an operator recovery bundle. verify-media-recovery revalidates the copied artifact BLAKE3s, original media-root source artifact BLAKE3s, underlying install/activation/execution/status validators, Ed25519 signature, and policy: NexusBoot bootloader, operator-media-root recovery scope, firmware_execution=not-claimed, and relocatable_execution=false.

Production firmware execution on production-owned media and hosted production rollout beyond the local CAS host-service boot proof remain future work.

The applied selection starts as pending-confirmation. nexus nxs boot confirm marks it confirmed. Before confirmation, nexus nxs boot failback restores the previous Fleet/NXS generation, rewrites the NexusBoot KDL handoff to that restored generation, and writes $NEXUS_HOME/boot/failback-generation.json. This is a local boot-selection handoff with signed export/install paths, not production firmware execution.

Fleet v2 snapshots can be exported, verified offline, or pushed to local collectors:

bash
nexus fleet snapshot export --device=qemu-a --transport=https --output ./qemu-a.json
nexus fleet snapshot ingest ./qemu-a.json
nexus fleet serve --transport=https --host=127.0.0.1 --port=8791 --tls-cert ./fleet.crt --tls-key ./fleet.key
nexus fleet serve --transport=utcp --host=127.0.0.1 --port=8792
nexus fleet snapshot push ./qemu-a.json --url=https://127.0.0.1:8791/api/v1/snapshots --insecure
nexus fleet snapshot push ./qemu-a.json --url=utcp://127.0.0.1:8792/api/v1/snapshots
nexus fleet portal export-status --output ./fleet-portal-status.json
nexus fleet portal verify-status ./fleet-portal-status.json
nexus fleet transport export-profile --transport=https --host=127.0.0.1 --port=8791 --tls-cert ./fleet.crt --tls-key ./fleet.key --output ./fleet-https-profile.json
nexus fleet transport verify-profile ./fleet-https-profile.json
nexus fleet transport export-profile --transport=utcp --host=127.0.0.1 --port=8792 --output ./fleet-utcp-profile.json
nexus fleet transport verify-profile ./fleet-utcp-profile.json
nexus fleet transport export-l2-handoff --profile ./fleet-utcp-profile.json --output ./fleet-l2-utcp-handoff.json
nexus fleet transport verify-l2-handoff ./fleet-l2-utcp-handoff.json

The collector exposes the same signed local status at GET /api/v1/portal/status and through the UTCP portal.status frame. The status binds summary counts, backing registry BLAKE3s, the Fleet CAS signing key, and explicit non-claims for hosted production UI, kernel-native/L2 UTCP, production TPM/TEE drivers, and production firmware execution. Its accepted DID lanes remain deliberately narrow: Libertaria SKH, Libertaria DID/VC, and Mosaic IOP DID only.

fleet transport export-profile writes a signed nexus-fleet-transport-profile/v1 for the whole local collector surface, not only the CAS route. It binds HTTPS routes, UTCP ops, state roots, accepted DID lanes, BKDL evidence policy, hardware-sealed enforcement when requested, TLS BLAKE3s for HTTPS, the nexus fleet serve command line, and explicit non-claims for hosted production UI, kernel-native/L2 UTCP through NetSwitch/ION rings, production TPM/TEE vendor quote parsing, and production firmware execution.

fleet transport export-l2-handoff writes a signed nexus-fleet-l2-utcp-handoff/v1 contract for the next NetSwitch/ION step. It binds the signed UTCP transport profile, UTCP op-map BLAKE3, NetSwitch interface descriptor, ION RX/TX ring names, ring sizing, frame MTU, boot-visible $NEXUS_HOME/boot/transport/fleet-l2-utcp-handoff.kdl, BLAKE3/BKDL policy, and accepted DID lanes. verify-l2-handoff rejects tampering and keeps the claim boundary explicit: kernel_native_l2_utcp=false and production_kernel_execution=false. The Membrane proof module core/rumpk/libs/membrane/transport/l2_utcp_handoff.nim now parses the signed artifact, checks the boot-visible KDL bindings, rejects kernel-native or production-kernel execution claims, and dispatches a typed NetSwitch/ION ring descriptor to a host-test consumer.

The same TimeWarp snapshot node can move as a portable NexFS CAS bundle:

bash
nexus fleet cas export-snapshot --device=qemu-a --output ./qemu-a.nexfs-cas.json
nexus fleet cas verify-snapshot ./qemu-a.nexfs-cas.json
nexus fleet cas import-snapshot ./qemu-a.nexfs-cas.json
nexus fleet cas push-snapshot ./qemu-a.nexfs-cas.json --url=https://127.0.0.1:8791/api/v1/cas/nexfs/snapshots --insecure
nexus fleet cas fetch-snapshot --snapshot-cid=blake3:<cid> --url=https://127.0.0.1:8791/api/v1/cas/nexfs/snapshots --output ./fetched.nexfs-cas.json --insecure
nexus fleet cas push-snapshot ./qemu-a.nexfs-cas.json --url=utcp://127.0.0.1:8792/api/v1/cas/nexfs/snapshots
nexus fleet cas fetch-snapshot --snapshot-cid=blake3:<cid> --url=utcp://127.0.0.1:8792/api/v1/cas/nexfs/snapshots --output ./fetched-utcp.nexfs-cas.json
nexus fleet cas export-service --transport=https --host=127.0.0.1 --port=8791 --tls-cert ./fleet.crt --tls-key ./fleet.key --output ./fleet-cas-service.json
nexus fleet cas verify-service ./fleet-cas-service.json
nexus fleet cas export-service-bundle ./fleet-cas-service.json --output-dir ./fleet-cas-service-bundle
nexus fleet cas verify-service-bundle ./fleet-cas-service-bundle
nexus fleet cas install-service ./fleet-cas-service-bundle --name fleet-cas --force
nexus fleet cas verify-service-install fleet-cas
nexus fleet cas enable-service-boot fleet-cas --force
nexus fleet cas verify-service-boot fleet-cas
nexus fleet cas apply-service-boot fleet-cas
nexus fleet cas status-service-boot fleet-cas
nexus fleet cas stop-service fleet-cas

The bundle schema is nexus-fleet-nexfs-snapshot-cas-bundle/v1. Export embeds the snapshot node bytes, source CAS record, source index BLAKE3, TimeWarp CAS root, registry TX, NXS generation, package Variant-CID, bundle BLAKE3, and an Ed25519 signature. Import verifies the bundle, writes the node into the destination $NEXUS_HOME/cas/nexfs/snapshots/... tree, and creates a fresh local nexus-cas-nexfs-snapshot-record/v1 in the destination snapshot-index.json. The same Fleet collector accepts CAS bundle push/fetch over HTTPS and UTCP at /api/v1/cas/nexfs/snapshots, storing accepted bundles in $NEXUS_HOME/registry/fleet-nexfs-cas-bundles.json. export-service writes a signed nexus-fleet-cas-service-deployment/v1 manifest binding transport, host, port, TLS material when HTTPS is used, API routes, state paths, DID lane policy, and serve command. verify-service revalidates the manifest BLAKE3, Ed25519 signature, TLS BLAKE3s, endpoints, and state roots. export-service-bundle then writes a signed nexus-fleet-cas-service-bundle/v1 NXS/TruthDB deployment bundle with a service Cell manifest, desired TruthDB object, boot-cell registry KDL, launcher, file BLAKE3s, service deployment binding, Ed25519 signature, and accepted DID lane policy. verify-service-bundle revalidates those file bindings, the embedded service manifest, generation activation, serve command, bundle BLAKE3, and tamper rejection. install-service installs the signed CAS collector bundle under $NEXUS_HOME/services/fleet-cas/<name>, copies and revalidates all file BLAKE3 bindings, writes a signed nexus-fleet-cas-host-service/v1 local host-service manager record, and binds the installed service deployment, endpoint, process state files, launch command, and accepted DID lanes. start-service, status-service, and stop-service execute the installed CAS collector through the local Nexus host-service manager. enable-service-boot writes a signed nexus-fleet-cas-host-service-boot/v1 activation under $NEXUS_HOME/boot/services/fleet-cas/<name> plus the shared nexus-boot-services-next/v1 index. apply-service-boot starts the installed collector through the local boot-service activation path and writes signed applied-service records; status-service-boot verifies the activation and live service status. This is a Nexus-native service-cell plus local host-service boot proof, not a hosted production rollout.

Remote attestation uses the same collectors. The collector issues a nonce challenge and stores an accepted session only after the device signs the challenge, selected attestation profile, current snapshot payload BLAKE3, boot attestation payload BLAKE3, and current DID/VC-shaped identity binding:

bash
nexus fleet remote-attest \
  --device=qemu-a \
  --url=https://127.0.0.1:8791/api/v1 \
  --insecure

nexus fleet remote-attest \
  --device=qemu-a \
  --url=utcp://127.0.0.1:8792/api/v1

The default attestation profile is local-software. A collector can require the stronger hardware profile:

bash
nexus fleet serve \
  --transport=https \
  --host=127.0.0.1 \
  --port=8793 \
  --tls-cert ./fleet.crt \
  --tls-key ./fleet.key \
  --require-hardware-sealed

nexus fleet remote-attest \
  --device=qemu-a \
  --url=https://127.0.0.1:8793/api/v1 \
  --profile=hardware-sealed \
  --insecure

nexus fleet hardware-key enroll \
  --device=qemu-a \
  --public-key ./qemu-a.hardware-ak.pub.pem \
  --quote-format=tpm2-quote \
  --output ./qemu-a.hardware-key.json
nexus fleet hardware-key verify ./qemu-a.hardware-key.json

nexus fleet hardware-quote export-parser \
  --name vendor-tpm2-normalizer \
  --command ./collect-hardware-quote \
  --quote-format=tpm2-quote \
  --output ./vendor-tpm2-parser.json
nexus fleet hardware-quote verify-parser ./vendor-tpm2-parser.json

nexus fleet remote-attest \
  --device=qemu-a \
  --url=https://127.0.0.1:8793/api/v1 \
  --profile=hardware-sealed \
  --hardware-evidence ./qemu-a.tpm2-quote.json \
  --insecure

nexus fleet remote-attest \
  --device=qemu-a \
  --url=https://127.0.0.1:8793/api/v1 \
  --profile=hardware-sealed \
  --hardware-backend ./collect-hardware-quote \
  --hardware-parser ./vendor-tpm2-parser.json \
  --insecure

That response carries nexus-fleet-hardware-attestation-evidence/v1, including runtime, manifest, BKDL, ledger-sector measurements, hardware evidence BLAKE3, and signed binding to the attestation session. Without --hardware-evidence, the evidence mode is dev-sealed. With --hardware-evidence, Fleet imports a signed nexus-fleet-physical-attestation-quote/v1 TPM2/TEE-shaped quote envelope from a file. With --hardware-backend, Fleet passes a canonical nexus-fleet-hardware-attestation-backend-request/v1 JSON request to a local backend command, accepts the backend's signed quote on stdout, verifies the same physical quote envelope, records hardware_evidence_mode=physical, and records whether the source was file or backend. With --hardware-parser, the canonical backend request and accepted session also bind a signed nexus-fleet-hardware-quote-parser/v1 manifest, including parser command BLAKE3, accepted input/output schemas, BKDL evidence policy, and explicit driver_claim=not-claimed / vendor_parser_claim=operator-provided boundaries.

hardware-key enroll writes signed nexus-fleet-hardware-key-enrollment/v1 and records it in $NEXUS_HOME/registry/fleet-hardware-keys.json. Physical quotes from an enrolled device must be signed by the enrolled hardware attestation public key and use an allowed quote format. This proves operator-enrolled hardware key ownership for Fleet evidence. Production kernel TPM/TEE drivers and vendor-certified quote parsers are still future work.

Initial external identity acceptance is deliberately narrow. Fleet's local resolver policy accepts only:

  • Libertaria SKH: did:skh:*
  • Libertaria DID/VC: did:nexus:* plus Nexus VC profiles
  • Mosaic IOP DID: the Mosaic/IOP stack in /home/markus/zWork/_Dlabs/mosaic-trust-network/iop-rs, iop-ts, and iop-dart

Generic DID methods are not initial trust inputs. The local proof accepts configured did:nexus:*, did:skh:machine:*, and did:iop:* identities through trust-root policy, and rejects generic did:web:*.

Trust and revocation policy can now move as a BLAKE3-bound identity bundle:

bash
nexus fleet identity export-bundle --output ./fleet-identity.json
nexus fleet identity import-bundle ./fleet-identity.json
nexus fleet identity sync ./fleet-identity.json
nexus fleet identity sync https://127.0.0.1:8791/api/v1/identity/bundle --insecure
nexus fleet identity sync utcp://127.0.0.1:8792/api/v1/identity/bundle
nexus fleet identity resolve did:nexus:device:qemu-a:<key> --output ./qemu-a.did.json
nexus fleet identity resolve did:nexus:device:qemu-a:<key> --url=https://127.0.0.1:8791/api/v1/identity/resolve --output ./qemu-a.https.did.json --insecure
nexus fleet identity resolve did:nexus:device:qemu-a:<key> --url=utcp://127.0.0.1:8792/api/v1/identity/resolve --output ./qemu-a.utcp.did.json
nexus fleet identity import-resolution ./qemu-a.skh.did.json --output ./qemu-a.skh.import.json
nexus fleet identity import-resolution https://127.0.0.1:8791/api/v1/identity/resolve --did=did:iop:mosaic:qemu-a --output ./qemu-a.iop.import.json --insecure
nexus fleet identity export-resolver-backends --output ./fleet-did-resolver-backends.json
nexus fleet identity verify-resolver-backends ./fleet-did-resolver-backends.json
nexus fleet identity export-resolver-service --transport=https --host=127.0.0.1 --port=8791 --tls-cert ./fleet.crt --tls-key ./fleet.key --output ./fleet-did-resolver.json
nexus fleet identity verify-resolver-service ./fleet-did-resolver.json
nexus fleet identity export-resolver-daemon --service ./fleet-did-resolver.json --backends ./fleet-did-resolver-backends.json --output ./fleet-did-resolver-daemon.json
nexus fleet identity verify-resolver-daemon ./fleet-did-resolver-daemon.json
nexus fleet identity start-resolver-daemon ./fleet-did-resolver-daemon.json
nexus fleet identity status-resolver-daemon ./fleet-did-resolver-daemon.json
nexus fleet identity stop-resolver-daemon ./fleet-did-resolver-daemon.json
nexus fleet identity export-resolver-daemon-bundle ./fleet-did-resolver-daemon.json --output-dir ./fleet-did-resolver-daemon-bundle
nexus fleet identity verify-resolver-daemon-bundle ./fleet-did-resolver-daemon-bundle
nexus fleet identity install-resolver-host-service ./fleet-did-resolver-daemon-bundle --name fleet-did-resolver --force
nexus fleet identity verify-resolver-host-service fleet-did-resolver
nexus fleet identity start-resolver-host-service fleet-did-resolver
nexus fleet identity status-resolver-host-service fleet-did-resolver
nexus fleet identity stop-resolver-host-service fleet-did-resolver
nexus fleet identity enable-resolver-host-service-boot fleet-did-resolver --force
nexus fleet identity verify-resolver-host-service-boot fleet-did-resolver
nexus fleet identity apply-resolver-host-service-boot fleet-did-resolver
nexus fleet identity status-resolver-host-service-boot fleet-did-resolver
nexus fleet identity export-resolver-supervisor --host-service fleet-did-resolver --output ./fleet-did-resolver-supervisor.json
nexus fleet identity verify-resolver-supervisor ./fleet-did-resolver-supervisor.json
nexus fleet identity status-resolver-supervisor ./fleet-did-resolver-supervisor.json --output ./fleet-did-resolver-supervisor-status.json
nexus fleet identity export-resolver-supervisor-deployment --service ./fleet-did-resolver.json --output ./fleet-did-resolver-supervisor-deployment.json
nexus fleet identity verify-resolver-supervisor-deployment ./fleet-did-resolver-supervisor-deployment.json
nexus fleet identity status-resolver-supervisor-deployment ./fleet-did-resolver-supervisor-deployment.json --output ./fleet-did-resolver-supervisor-deployment-status.json --insecure
nexus fleet identity plan-resolver-supervisor-deployment ./fleet-did-resolver-supervisor-deployment.json --status ./fleet-did-resolver-supervisor-deployment-status.json --output ./fleet-did-resolver-supervisor-run-plan.json
nexus fleet identity verify-resolver-supervisor-run-plan ./fleet-did-resolver-supervisor-run-plan.json
nexus fleet identity apply-resolver-supervisor-deployment ./fleet-did-resolver-supervisor-run-plan.json --output ./fleet-did-resolver-supervisor-apply.json
nexus fleet identity verify-resolver-supervisor-apply ./fleet-did-resolver-supervisor-apply.json

The bundle schema is nexus-fleet-identity-bundle/v1. Import/sync verifies the bundle BLAKE3, policy BLAKE3, Ed25519 signature, and the approved resolver-lane boundary before installing $NEXUS_HOME/registry/fleet-device-trust-policy.json. nexus fleet serve exposes the current signed bundle over HTTPS at /api/v1/identity/bundle and over UTCP with identity.fetch, so revocation and trust-root updates can move between Fleet nodes without widening the accepted DID lanes. nexus fleet identity resolve emits a signed nexus-fleet-did-resolution-envelope/v1; the Fleet collector exposes the same resolver over HTTPS at /api/v1/identity/resolve and over UTCP with identity.resolve. export-resolver-service writes a signed nexus-fleet-did-resolver-service/v1 manifest binding endpoint routes, TLS BLAKE3s for HTTPS, accepted resolver lanes, rejected generic DID methods, default reject policy, serve command, Ed25519 signature, and manifest BLAKE3. import-resolution imports signed SKH/Nexus/Mosaic DID resolution envelopes from file, HTTPS, or UTCP sources, rechecks them against the active narrow resolver policy, and records them in $NEXUS_HOME/registry/fleet-did-resolutions.json with resolution BLAKE3, active policy BLAKE3, source, and envelope. export-resolver-backends writes signed nexus-fleet-did-resolver-backends/v1 evidence for the approved local backend roots: Libertaria SKH paper/spec/test vectors, Libertaria DID paper files, and Mosaic iop-rs, iop-ts, and iop-dart. verify-resolver-backends rechecks the per-file BLAKE3s, per-root BLAKE3s, active resolver policy, default reject posture, and Ed25519 signature. export-resolver-daemon writes a signed nexus-fleet-did-resolver-daemon/v1 lifecycle manifest binding the service manifest, backend evidence, endpoint, PID file, state file, log file, start command, daemon BLAKE3, and Ed25519 signature. start-resolver-daemon starts a long-running local resolver through nexus fleet serve; status-resolver-daemon checks PID and endpoint health; stop-resolver-daemon terminates it and writes a stopped state. export-resolver-daemon-bundle writes a signed nexus-fleet-did-resolver-daemon-bundle/v1 NXS/TruthDB service-cell deployment bundle containing the daemon manifest, service manifest, backend evidence, service Cell KDL, desired TruthDB object, boot-cells KDL, launcher, file BLAKE3s, accepted DID lanes, bundle BLAKE3, and Ed25519 signature. install-resolver-host-service installs that bundle under $NEXUS_HOME/services/fleet-identity/<name> as a signed nexus-fleet-did-resolver-host-service/v1 local host-service manager record. The record binds installed file BLAKE3s, source bundle BLAKE3, resolver daemon BLAKE3, resolver service BLAKE3, backend BLAKE3, endpoint, process state files, and manager identity. start-resolver-host-service, status-resolver-host-service, and stop-resolver-host-service execute the installed resolver through the local Nexus host-service manager. enable-resolver-host-service-boot writes a signed nexus-fleet-did-resolver-host-service-boot/v1 activation under $NEXUS_HOME/boot/services/fleet-identity/<name> plus boot-visible KDL and a nexus-boot-services-next/v1 index. apply-resolver-host-service-boot starts the installed resolver through the local Nexus boot-service activation path and writes applied-service records; status-resolver-host-service-boot verifies the activation, applied record, and service health. export-resolver-supervisor writes a signed nexus-fleet-did-resolver-local-supervisor/v1 local supervisor policy that binds the installed host service, resolver daemon, backend evidence, endpoint, process state files, accepted DID lanes, BLAKE3 digest policy, and BKDL evidence policy. Its explicit non-claims keep the proof scoped to local host-service supervision: no production non-local supervisor, no cluster orchestrator, and no automatic repair without operator policy. verify-resolver-supervisor rejects tampering, including weakened non-claims. status-resolver-supervisor writes a signed nexus-fleet-did-resolver-local-supervisor-status/v1 observation binding supervisor BLAKE3, endpoint health, service status, restart decision, policy, and non-claims. export-resolver-supervisor-deployment writes a signed nexus-fleet-did-resolver-supervisor-deployment/v1 profile for supervising a resolver through its signed HTTPS/UTCP service manifest instead of a local host-service path. It binds the resolver service BLAKE3, endpoint map, TLS BLAKE3s for HTTPS, accepted DID lanes, rejected DID methods, default reject policy, BLAKE3 digest policy, BKDL evidence policy, remote health thresholds, and explicit non-claims for production orchestrator execution, automatic remote restart, kernel service management, and hosted Fleet rollout. status-resolver-supervisor-deployment writes a signed nexus-fleet-did-resolver-supervisor-deployment-status/v1 remote health observation binding the deployment BLAKE3, endpoint health, restart decision, policy, and non-claims. plan-resolver-supervisor-deployment writes a signed nexus-fleet-did-resolver-supervisor-run-plan/v1 operator-gated plan from the deployment and status artifacts. Healthy endpoints produce observe-healthy; unhealthy endpoints produce operator-confirmed-restart-required. authorize-resolver-supervisor-restart signs nexus-fleet-did-resolver-supervisor-restart-authorization/v1 for unhealthy restart-required plans, binding the run plan BLAKE3, deployment BLAKE3, status BLAKE3, resolver service BLAKE3, operator approval, BLAKE3/BKDL policy, and remote_restart_performed=false. apply-resolver-supervisor-deployment writes a signed nexus-fleet-did-resolver-supervisor-apply/v1 apply record. Healthy plans apply as no-op; restart-required plans require either --operator-confirmed or the signed authorization artifact and still record remote_restart_performed=false.

This remains a local proof of Fleet artifact identity, snapshot collection, signed local portal status, and signed NexusBoot handoff consumption. It does not yet claim hosted production Fleet UI, production automatic remote restart execution for the DID resolver daemon, production kernel TPM/TEE drivers, vendor quote parsers, kernel-native/L2 UTCP collection through NetSwitch/ION rings, production firmware execution on production-owned media, or hosted production rollout of the collector beyond the local transport profile, L2 handoff contract, Membrane handoff parser, and CAS host-service boot proof. The current NexusBoot media-root install proof is an explicit operator-media artifact check, not a claim that production firmware has executed it from production-owned media. The media activation proof reads the boot-visible files back from that operator media root and signs the selected boot contract while explicitly recording that production firmware execution is not claimed. The media rollback proof executes the selected NexFS rollback against the operator media root selected by that activation proof; it is still not a claim that production firmware has booted that media. The rollback status proof gives NexusBoot a boot-visible KDL status artifact for that media root while preserving the same claim boundary. The media firmware proof signs what NexusBoot firmware can read from that operator media root and records production_firmware_execution=false; it is still not a claim that production firmware executed from production-owned media. The recovery bundle packages that media-root proof chain for operator inspection and transport, but it remains bound to the original operator media root and does not claim relocatable execution.