dynexo
Book a call

Nova9 v2 — full endpoint agents and EU model routing

Release notes for Nova9 v2 — Endpoint Agents on macOS and Linux, EU model routing with hard region guarantees, new audit export for DORA reports.

·4 min. ·dynexo
Nova9 Release Endpoint Agents DORA

What it's about

Nova9 v2 has been in production since 20 May 2026. This release closes three gaps we carried from the first twelve months of v1: endpoint coverage beyond Windows, hard EU model guarantees, and an audit export that produces DORA reports without post-processing.

Endpoint Agents on macOS and Linux

Until now, Endpoint Agents were production-ready on Windows only. With v2, macOS (Sonoma+) and Linux (Ubuntu 22.04+, RHEL 9+) are GA. The architecture is the same: local agent, signed actions, audit sent to the central instance. What differs are the system hooks — we had to validate cleanly per platform what may be decided locally and what must go to the backend.

Practical consequence: one mandate from the education sector (Linux workstations) was able to move patch workflow onto the same controls the Windows floor already uses. A week's worth of migration.

EU model routing with hard guarantees

The LLM Gateway now routes to model pools with hard region guarantees. If you configure "EU only", no token leaves to a US-hosted model — not even on fallback. Previously this was best-effort. Now it is contractual.

Technically:

  • Model pools are classified by region (eu-cloud, de-dc, on-prem, air-gapped).
  • A request specifies allowed pools.
  • If no model in the allowed pool answers, the request explicitly fails — it does not silently wander elsewhere.

For DORA-relevant mandates v2 also ships a routing audit: every request logs which model in which region answered. Auditors get exactly the proof they want.

Audit export for DORA

DORA requires periodic reports to oversight. v2 exports directly:

  • All tool calls over a period
  • Model calls with region
  • Incidents with escalation path
  • Anomalies (auto-rollback, override actions)

Format: PDF + signed JSON. We have validated the export against the templates from two BaFin-supervised mandates — it is accepted without post-processing.

Migration from v1

Existing v1 instances are migrated in a one-hour maintenance slot. Configuration and audit history are preserved. If you operate a clone instance on your own hardware, we ship the migration bundle as signed packages.

What's next

In progress for v2.1 (Q3 2026):

  • Sentinel-360 as a module inside Nova9 — today standalone, becoming pluggable
  • Multilingual audit reports — supervisors in AT and CH need slightly different formats
  • Self-service clone — mandates will be able to pull the snapshot themselves, no engineering slot needed

Questions, requests, comments: write to us.