Roadmap: v2.1 — Windows-DPAPI removal, Linux & macOS self-hosting

[waelouf]

Hi everyone,

Quick status update and a roadmap announcement after a quieter-than-we-wanted couple of months.

Where v2.0.1 stands

v2.0.1 has been our maintenance baseline since January. It's healthy:

• 478 automated tests, zero failures
• All five platforms operational — Kafka, Redis, RabbitMQ, AWS SQS/SNS, Azure Service Bus
• Backend coverage above 70%, frontend at 81%
• Zero open critical defects

The repo's been quiet because the code's been stable, not because the project is. We held the next milestone until we had the right one to commit to. That decision is now made.

v2.1 is "Self-Host Anywhere"

The single most common piece of feedback we've heard — both in issues and from operators trying to deploy Nanuq outside Windows — is that AES-256 credential encryption requires Windows because we use DPAPI for key derivation. Removing that dependency is v2.1.

Concretely:

Pluggable key-protector providers

• Windows — DPAPI (unchanged, backward compatible with existing v1 ciphertexts)
• macOS — Keychain Services
• Linux — libsecret / Secret Service
• Universal — env-var or file-based master key for Docker, Kubernetes, CI environments

Cipher upgrade

• AES-256-GCM (authenticated encryption) for all new ciphertexts
• Versioned envelope format so future key rotation is straightforward
• Transparent read of v1 ciphertexts during upgrade — no manual migration needed
• One-shot nanuq credentials reencrypt command for operators who want to force rotation

Self-hosting docs

• Updated guides for Linux, macOS, Docker, and Kubernetes
• End-to-end validated K8s deployment path (the manifests have been in the repo unvalidated; that gets closed)

Heads-up on security
We also want to be transparent: the v1 Linux/macOS code path uses a weak key derivation (hostname + username based) that we'll be retiring. We'll publish a security advisory alongside v2.1 with details and the upgrade path. Low severity (it requires local shell access to exploit), but we want it disclosed in the open rather than buried.

Sequencing

Version	Theme	Target
v2.1	Cross-platform encryption + self-hosting	2026-06-30
v2.2	OpenTelemetry instrumentation across all transports	Q3 2026
v2.3+	Transport features — Kafka real-time browse, Redis Pub/Sub, Azure Event Hub — driven by your votes in this thread	Q4 2026

How you can help

• 👍 react below on the v2.3 candidates you most want — that's how the post-v2.2 work gets ordered.
• Drop a comment if you've been waiting on Linux or macOS support; sizing the demand directly shapes which OS keyring providers ship in v2.1 GA vs. v2.1.x patches.
• A v2.1 tracking issue with engineering subtasks goes up next week — PRs welcome.

Thanks for sticking around through the quiet stretch. Roadmap from here on out will be public.

— The Nanuq maintainers