dreadnode · l50 · May 9, 2026 · Apr 29, 2026 · Apr 29, 2026 · Apr 29, 2026
diff --git a/.taskfiles/ec2/Taskfile.yaml b/.taskfiles/ec2/Taskfile.yaml
@@ -552,6 +552,7 @@ tasks:
         PARAMS_FILE=$(mktemp)
         trap "rm -f $PARAMS_FILE" EXIT
         START_CMD="systemctl start redis-server 2>/dev/null || systemctl start redis; sleep 1; redis-cli ping; "
+        START_CMD+="systemctl start nats-server; sleep 1; curl -fsS http://127.0.0.1:8222/varz >/dev/null && echo 'NATS OK' || echo 'NATS NOT RUNNING'; "
         START_CMD+="systemctl start $WORKER_UNITS; sleep 2; echo Worker status:; "
         START_CMD+='for role in recon credential_access cracker acl privesc lateral coercion; do '
         START_CMD+='st=$(systemctl is-active ares@${role} 2>/dev/null || echo dead); '
@@ -1036,6 +1037,7 @@ tasks:
           fi
         fi
         ENV_FILE_CMD="$ENV_FILE_CMD; echo 'ARES_DEPLOYMENT={{.EC2_DEPLOYMENT}}' >> /etc/ares/env"
+        ENV_FILE_CMD="$ENV_FILE_CMD; echo 'NATS_URL=nats://127.0.0.1:4222' >> /etc/ares/env"
         # OTEL: send traces to Alloy OTLP gateway → Tempo via HTTP/protobuf
         ENV_FILE_CMD="$ENV_FILE_CMD; echo 'OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=${OTEL_TRACES_ENDPOINT}' >> /etc/ares/env"
         ENV_FILE_CMD="$ENV_FILE_CMD; echo 'OTEL_EXPORTER_OTLP_PROTOCOL=http/protobuf' >> /etc/ares/env"
@@ -1054,6 +1056,7 @@ tasks:
         export GRAFANA_URL='${GRAFANA_URL_VAL}'
         export GRAFANA_SERVICE_ACCOUNT_TOKEN='${GRAFANA_TOKEN_VAL}'
         export ARES_REDIS_URL=redis://127.0.0.1:6379
+        export NATS_URL=nats://127.0.0.1:4222
         {{- if .LLM_MODEL}}
         export ARES_LLM_MODEL='{{.LLM_MODEL}}'
         {{- end}}

diff --git a/.taskfiles/ec2/scripts/launch-orchestrator.sh.tmpl b/.taskfiles/ec2/scripts/launch-orchestrator.sh.tmpl
@@ -2,6 +2,7 @@
 # Launch ares orchestrator with environment variables
 # Placeholders are substituted by the calling task via envsubst/sed
 export ARES_REDIS_URL=redis://127.0.0.1:6379
+export NATS_URL=nats://127.0.0.1:4222
 export RUST_LOG=info
 export ARES_OPERATION_ID='__ARES_PAYLOAD__'
 export OPENAI_API_KEY='__OPENAI_API_KEY__'

diff --git a/.taskfiles/ec2/scripts/setup.sh b/.taskfiles/ec2/scripts/setup.sh
@@ -1,7 +1,9 @@
 #!/bin/bash
-# One-time ares EC2 setup: Redis, log dirs, systemd worker template
+# One-time ares EC2 setup: Redis, NATS JetStream, log dirs, systemd worker template
 set -euo pipefail
 
+NATS_VERSION="${NATS_VERSION:-2.10.22}"
+
 echo "=== Installing Redis ==="
 if command -v redis-server >/dev/null 2>&1; then
 	redis-server --version
@@ -18,21 +20,89 @@ else
 	fi
 fi
 
+echo "=== Installing NATS JetStream server ==="
+if command -v nats-server >/dev/null 2>&1 && nats-server --version | grep -q "${NATS_VERSION}"; then
+	nats-server --version
+else
+	arch="$(uname -m)"
+	case "${arch}" in
+	x86_64) nats_arch="amd64" ;;
+	aarch64) nats_arch="arm64" ;;
+	armv7l) nats_arch="arm7" ;;
+	*)
+		echo "ERROR: Unsupported arch: ${arch}"
+		exit 1
+		;;
+	esac
+	tarball="nats-server-v${NATS_VERSION}-linux-${nats_arch}.tar.gz"
+	curl -fsSL -o "/tmp/${tarball}" \
+		"https://github.com/nats-io/nats-server/releases/download/v${NATS_VERSION}/${tarball}"
+	tar -xzf "/tmp/${tarball}" -C /tmp
+	install -m 0755 "/tmp/nats-server-v${NATS_VERSION}-linux-${nats_arch}/nats-server" /usr/local/bin/nats-server
+	rm -rf "/tmp/${tarball}" "/tmp/nats-server-v${NATS_VERSION}-linux-${nats_arch}"
+fi
+
+echo "=== Configuring NATS ==="
+getent group nats >/dev/null || groupadd --system nats
+getent passwd nats >/dev/null || useradd --system --no-create-home --shell /usr/sbin/nologin --gid nats nats
+mkdir -p /etc/nats /var/lib/nats/jetstream /var/log/nats
+chown -R nats:nats /var/lib/nats /var/log/nats
+chmod 0750 /var/lib/nats/jetstream
+
+cat >/etc/nats/nats-server.conf <<'NATS_EOF'
+host: "127.0.0.1"
+port: 4222
+http: "127.0.0.1:8222"
+server_name: "ares-nats"
+log_file: "/var/log/nats/nats-server.log"
+logtime: true
+jetstream {
+  store_dir: "/var/lib/nats/jetstream"
+  max_memory_store: 512MB
+  max_file_store: 4GB
+}
+NATS_EOF
+chown nats:nats /etc/nats/nats-server.conf
+chmod 0640 /etc/nats/nats-server.conf
+
+cat >/etc/systemd/system/nats-server.service <<'NATS_UNIT_EOF'
+[Unit]
+Description=NATS Server (Ares broker)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=nats
+Group=nats
+ExecStart=/usr/local/bin/nats-server -c /etc/nats/nats-server.conf
+ExecReload=/bin/kill -HUP $MAINPID
+LimitNOFILE=65536
+Restart=on-failure
+RestartSec=5
+StandardOutput=append:/var/log/nats/nats-server.stdout.log
+StandardError=append:/var/log/nats/nats-server.stderr.log
+
+[Install]
+WantedBy=multi-user.target
+NATS_UNIT_EOF
+
 echo "=== Creating directories ==="
 mkdir -p /var/log/ares /etc/ares
 
 echo "=== Creating systemd worker template unit ==="
 cat >/etc/systemd/system/ares@.service <<'UNIT_EOF'
 [Unit]
 Description=Ares Worker (%i)
-After=redis.service
-Wants=redis.service
+After=redis.service nats-server.service
+Wants=redis.service nats-server.service
 
 [Service]
 Type=simple
 ExecStart=/usr/local/bin/ares worker
 EnvironmentFile=-/etc/ares/env
 Environment=ARES_REDIS_URL=redis://127.0.0.1:6379
+Environment=NATS_URL=nats://127.0.0.1:4222
 Environment=ARES_WORKER_ROLE=%i
 Environment=ARES_WORKER_MODE=tool_exec
 Environment=RUST_LOG=info
@@ -42,6 +112,15 @@ RestartSec=5
 StandardOutput=append:/var/log/ares/%i.log
 StandardError=append:/var/log/ares/%i.log
 
+# Contain child processes (netexec, hashcat, nmap, etc.) within this cgroup.
+# Without these limits, runaway tool processes can OOM the entire system and
+# take down the SSM agent.
+Delegate=yes
+Slice=system-ares.slice
+MemoryHigh=1500M
+MemoryMax=2G
+TasksMax=256
+
 [Install]
 WantedBy=multi-user.target
 UNIT_EOF
@@ -63,10 +142,13 @@ if [ -d /usr/local/lib/python3.13/dist-packages/impacket ]; then
 	echo "Removed pip impacket shadow — using system package"
 fi
 
-echo "=== Enabling Redis ==="
+echo "=== Enabling services ==="
+systemctl daemon-reload
 systemctl enable redis-server 2>/dev/null || systemctl enable redis 2>/dev/null || true
 systemctl start redis-server 2>/dev/null || systemctl start redis 2>/dev/null || true
-systemctl daemon-reload
+systemctl enable nats-server
+systemctl restart nats-server
 
 echo "=== Setup complete ==="
 redis-cli ping 2>/dev/null || echo "Redis not responding"
+curl -fsS http://127.0.0.1:8222/varz >/dev/null 2>&1 && echo "NATS responding" || echo "NATS not responding"
diff --git a/.taskfiles/ec2/scripts/status.sh b/.taskfiles/ec2/scripts/status.sh
@@ -5,6 +5,14 @@ echo "=== Redis ==="
 redis-cli ping 2>/dev/null && redis-cli info server 2>/dev/null | grep -E "redis_version|uptime_in_seconds|connected_clients" || echo "Redis not running"
 echo ""
 
+echo "=== NATS ==="
+if curl -fsS http://127.0.0.1:8222/varz 2>/dev/null | grep -E '"version"|"now"|"connections"' | head -3; then
+	curl -fsS http://127.0.0.1:8222/jsz 2>/dev/null | grep -E '"streams"|"messages"|"bytes"' | head -3 || true
+else
+	echo "NATS not running"
+fi
+echo ""
+
 echo "=== Workers ==="
 for role in recon credential_access cracker acl privesc lateral coercion; do
 	st=$(systemctl is-active ares@${role} 2>/dev/null || echo dead)

diff --git a/AGENTS.md b/AGENTS.md
@@ -10,7 +10,8 @@ Local (this machine)              Remote (K8s or EC2)
 ares --k8s / --ec2        →      ares orchestrator (LLM coordination loop)
   or `task` commands              ares worker x7 (recon, credential_access,
                                     cracker, acl, privesc, lateral, coercion)
-                                  Redis (state store + message broker)
+                                  NATS JetStream (task/RPC broker)
+                                  Redis (durable state store)
 ```
 
 The orchestrator and workers are autonomous LLM agents. You do not control them directly. Submit operations, monitor state, inject data when stuck, and debug failures.
@@ -34,6 +35,7 @@ The orchestrator and workers are autonomous LLM agents. You do not control them
 --secrets-from 1password   # Fetch API keys/secrets from 1Password CLI (op)
 --env-file <path>          # Load environment variables from a specific file
 --redis-url <url>          # Override the default Redis connection
+# NATS connection comes from $NATS_URL (e.g. nats://nats:4222)
 ```
 
 ## Development Workflow