v1.2.3

Fixed

• OpenCode plugin — Restores command blocking on OpenCode 1.16+ by migrating to the current Plugin hook API (tool.execute.before, permission.ask, event).

Upgrade

After installing/upgrading Orca:

orca plugin install opencode --scope global --yes

If install refuses to overwrite an existing plugin file, remove ~/.config/opencode/plugins/orca.ts first, then re-run install.

Strongest protection

orca run -- opencode

macOS/Linux CLI + daemon archives follow once the release workflow artifacts are published.

v1.2.2

macOS/Linux release

v1.2.0

v1.2.0 - 2026-06-19

Added

• Rust daemon (orca-daemon) — UDS IPC between Zig CLI and Rust evaluator; shell hook evaluation routed through daemon with fail-closed behavior when unavailable.
• orca evaluate — Stable machine JSON API for shell command evaluation (--json --stdin).
• orca start — Guided onboarding flow with host detection and plugin install.
• Pi extension (@orca-guard/pi-orca) — Official Pi package for bash tool-call protection via orca evaluate.
• Bundled orca-daemon in all platform release archives and install layouts.

Changed

• Zig 0.16.0 toolchain migration.
• Guided onboarding — Interactive orca setup with multi-host selection.
• Unified versioning — Core and all agent plugins aligned to 1.2.0.
• Shell PreToolUse / tool evaluation defaults route through Rust daemon when available.

Removed

• Orca Edge — Drone/edge runtime removed from public core; agent guardrails focus only.

Fixed

• Hermes Agent — Orca discovery, degraded-mode handling, and version mismatch fixes.
• Pi integration — Honor deny decisions, timeouts, cwd, and auto unavailable mode.
• Install/DX hardening — quick-install presets, orca doctor activation exports, piped install robustness.

Platform note

This release ships macOS and Linux CLI archives (darwin-amd64, darwin-arm64, linux-amd64, linux-arm64). Windows amd64 is deferred until CI or a Windows builder is available.

Orca v1.1.5

What's New

New Commands

• orca disable [host|all] [--yes] — Removes Orca plugin registrations from host agents (OpenCode, OpenClaw, Hermes, Codex, Claude) without touching the binary or policy files.
• orca uninstall [--plugins-only] [--keep-config] [--yes] — Fully removes Orca: plugins, binary, and user config. Local workspace .orca/ directories are intentionally preserved.

Artifacts

CLI (cross-platform):

• orca-v1.1.5-darwin-amd64.tar.gz
• orca-v1.1.5-darwin-arm64.tar.gz
• orca-v1.1.5-linux-amd64.tar.gz
• orca-v1.1.5-linux-arm64.tar.gz
• orca-v1.1.5-windows-amd64.zip

Plugins:

• orca-codex-plugin-v1.1.5.zip
• orca-claude-code-plugin-v1.1.5.zip
• orca-opencode-plugin-v1.1.5.zip
• orca-claude-marketplace-v1.1.5.zip

Security

• Binary removal targets only known-safe locations (self-exe path + ~/.local/bin/orca). No arbitrary PATH traversal or execution of unknown binaries.
• Both commands require TTY confirmation or explicit --yes flag.

Orca v1.1.4

Orca v1.1.4 — Unified Release

Fixed

• OpenClaw plugin: Detect and warn when api.on is a no-op for npm installs, preventing silent hook bypass.
• Core stability: Fix invalid free in redteam fixture root handling; prevent waitpid panic after watchdog kill in credentials broker.
• build.zig: Fix use-after-free in version string parsing.
• CLI: Add --ci shorthand for orca run --ci; auto-resolve fixture root via resource_root in orca redteam.

Changed

• Unified versioning: All components — core, OpenClaw, OpenCode, Hermes, Codex, and Claude Code plugins — now share version 1.1.4.

Artifacts

• CLI binaries for darwin-amd64, darwin-arm64, linux-amd64, linux-arm64, windows-amd64
• Plugin packages: Codex, Claude Code, OpenCode, Claude Marketplace
• SBOM and checksums included

Orca v1.1.1

Fix dashboard asset resolution from exe-relative paths. Bundle orca-dashboard-ui/dist in release archives. Full internal rebrand from aegis to orca.

Orca v1.1.0 — Runtime guardrails and plugins for AI agents

Orca Plugin Release Notes

Version: 1.1.0

Orca 1.1.0 introduces the first native plugin release for Codex and Claude Code. The plugins add host-native commands, hooks, and diagnostics while keeping Orca CLI as the source of truth for policy, replay, and security decisions.

Orca CLI plugin surface

Both host integrations call into the same CLI surface:

• orca plugin doctor — reports Orca version, workspace state, policy status, host binary detection, plugin directories, and platform capabilities.
• orca plugin manifest — reports the expected plugin manifest path and whether it exists.
• orca plugin install — previews or performs installation from a release artifact or local path; it defaults to --dry-run and requires --yes for a real mutation.
• orca decide — returns stable JSON decisions for commands, files, prompts, and tool calls.
• orca hook — processes host lifecycle hooks with JSON payloads on stdin.

Codex plugin

• Path: integrations/codex-plugin/
• Manifest: integrations/codex-plugin/.codex-plugin/plugin.json
• Skills: aegis-doctor, aegis-init, aegis-protect, aegis-redteam, aegis-replay
• Hooks: SessionStart, UserPromptSubmit, PreToolUse, PermissionRequest, PostToolUse, Stop
• Install guide: docs/integrations/codex.md

The Codex plugin is a thin host integration. It does not reimplement policy logic or add MCP behavior.

Claude Code plugin

• Path: integrations/claude-code-plugin/
• Manifest: integrations/claude-code-plugin/.claude-plugin/plugin.json
• Skills: doctor, init, protect, redteam, replay
• Hooks: SessionStart, UserPromptSubmit, PreToolUse, PermissionRequest, PostToolUse, SessionEnd
• Install guide: docs/integrations/claude-code.md

The Claude Code plugin is also a thin host integration. It delegates policy and replay to Orca CLI and does not add drone-specific plugin features.

Installation

From a release artifact

1. Download the release zip for your host:
   • orca-codex-plugin-vX.Y.Z.zip
   • orca-claude-code-plugin-vX.Y.Z.zip
2. Verify the checksum file before extracting anything:

   sha256sum -c orca-plugin-checksums.txt

3. Extract the plugin to a local directory of your choice.
4. Point Codex or Claude Code at the extracted plugin directory.

From a local path

1. Build Orca:

   zig build

2. Point your host at the repository path:
   • Codex: integrations/codex-plugin/
   • Claude Code: integrations/claude-code-plugin/
3. Confirm the plugin is visible:

   ./zig-out/bin/orca plugin doctor codex
   ./zig-out/bin/orca plugin doctor claude

Checksum verification

Always verify orca-plugin-checksums.txt before installing a release zip. The checksum file is the release gate for dist/plugins/orca-codex-plugin-vX.Y.Z.zip and dist/plugins/orca-claude-code-plugin-vX.Y.Z.zip.

Verification

Run these commands from the repository root:

zig build
zig build test
./zig-out/bin/orca plugin doctor codex
./zig-out/bin/orca plugin doctor claude
./zig-out/bin/orca plugin manifest codex
./zig-out/bin/orca plugin manifest claude
./zig-out/bin/orca plugin install codex --dry-run
./zig-out/bin/orca plugin install claude --dry-run
cat tests/plugin-fixtures/codex/pre_tool_use_command_safe.json | ./zig-out/bin/orca hook codex PreToolUse
cat tests/plugin-fixtures/claude/pre_tool_use_command_safe.json | ./zig-out/bin/orca hook claude PreToolUse
./zig-out/bin/orca redteam --ci
./zig-out/bin/orca replay --session last --verify
./scripts/package-plugins.sh

Demo

See examples/plugin-demo/ for the local demo flow.

Security model

The strongest protection remains running the agent through orca run; plugins provide native commands, hooks, and guardrails inside supported agent hosts.

Orca CLI remains the source of truth for policy decisions, replay, and audit behavior. Plugins are additive host integrations, not a replacement for supervised execution.

Known limitations

• Hooks are advisory and depend on host support.
• Official marketplace availability is not yet implemented.
• Plugin installation is preview/dry-run by default.
• No telemetry is collected.
• The plugins do not protect sessions that are not launched through Orca.
• These plugins do not add MCP server functionality or drone-specific plugin features.

Checksums

• Release checksum file: dist/plugins/orca-plugin-checksums.txt
• Verification command: sha256sum -c orca-plugin-checksums.txt
• Release zips:
  • dist/plugins/orca-codex-plugin-vX.Y.Z.zip
  • dist/plugins/orca-claude-code-plugin-vX.Y.Z.zip

Vulnerability reporting

Report security issues privately through SECURITY.md.

Contribution guidance

Read CONTRIBUTING.md, add deterministic tests or fixtures for security-sensitive changes, and verify with:

zig build
zig build test
./zig-out/bin/orca redteam --ci

Troubleshooting links

• docs/integrations/plugin-troubleshooting.md
• docs/troubleshooting.md
• docs/integrations/codex.md
• docs/integrations/claude-code.md
• PLUGIN_SECURITY_MODEL.md

Aegis Plugins v1.0.0 — Codex and Claude Code integrations

Aegis Plugin Release Notes

Version: 1.1.0

Aegis 1.1.0 introduces the first native plugin release for Codex and Claude Code. The plugins add host-native commands, hooks, and diagnostics while keeping Aegis CLI as the source of truth for policy, replay, and security decisions.

Aegis CLI plugin surface

Both host integrations call into the same CLI surface:

• aegis plugin doctor — reports Aegis version, workspace state, policy status, host binary detection, plugin directories, and platform capabilities.
• aegis plugin manifest — reports the expected plugin manifest path and whether it exists.
• aegis plugin install — previews or performs installation from a release artifact or local path; it defaults to --dry-run and requires --yes for a real mutation.
• aegis decide — returns stable JSON decisions for commands, files, prompts, and tool calls.
• aegis hook — processes host lifecycle hooks with JSON payloads on stdin.

Codex plugin

• Path: integrations/codex-plugin/
• Manifest: integrations/codex-plugin/.codex-plugin/plugin.json
• Skills: aegis-doctor, aegis-init, aegis-protect, aegis-redteam, aegis-replay
• Hooks: SessionStart, UserPromptSubmit, PreToolUse, PermissionRequest, PostToolUse, Stop
• Install guide: docs/integrations/codex.md

The Codex plugin is a thin host integration. It does not reimplement policy logic or add MCP behavior.

Claude Code plugin

• Path: integrations/claude-code-plugin/
• Manifest: integrations/claude-code-plugin/.claude-plugin/plugin.json
• Skills: doctor, init, protect, redteam, replay
• Hooks: SessionStart, UserPromptSubmit, PreToolUse, PermissionRequest, PostToolUse, SessionEnd
• Install guide: docs/integrations/claude-code.md

The Claude Code plugin is also a thin host integration. It delegates policy and replay to Aegis CLI and does not add drone-specific plugin features.

Installation

From a release artifact

1. Download the release zip for your host:
   • aegis-codex-plugin-vX.Y.Z.zip
   • aegis-claude-code-plugin-vX.Y.Z.zip
2. Verify the checksum file before extracting anything:

   sha256sum -c aegis-plugin-checksums.txt

3. Extract the plugin to a local directory of your choice.
4. Point Codex or Claude Code at the extracted plugin directory.

From a local path

1. Build Aegis:

   zig build

2. Point your host at the repository path:
   • Codex: integrations/codex-plugin/
   • Claude Code: integrations/claude-code-plugin/
3. Confirm the plugin is visible:

   ./zig-out/bin/aegis plugin doctor codex
   ./zig-out/bin/aegis plugin doctor claude

Checksum verification

Always verify aegis-plugin-checksums.txt before installing a release zip. The checksum file is the release gate for dist/plugins/aegis-codex-plugin-vX.Y.Z.zip and dist/plugins/aegis-claude-code-plugin-vX.Y.Z.zip.

Verification

Run these commands from the repository root:

zig build
zig build test
./zig-out/bin/aegis plugin doctor codex
./zig-out/bin/aegis plugin doctor claude
./zig-out/bin/aegis plugin manifest codex
./zig-out/bin/aegis plugin manifest claude
./zig-out/bin/aegis plugin install codex --dry-run
./zig-out/bin/aegis plugin install claude --dry-run
cat tests/plugin-fixtures/codex/pre_tool_use_command_safe.json | ./zig-out/bin/aegis hook codex PreToolUse
cat tests/plugin-fixtures/claude/pre_tool_use_command_safe.json | ./zig-out/bin/aegis hook claude PreToolUse
./zig-out/bin/aegis redteam --ci
./zig-out/bin/aegis replay --session last --verify
./scripts/package-plugins.sh

Demo

See examples/plugin-demo/ for the local demo flow.

Security model

The strongest protection remains running the agent through aegis run; plugins provide native commands, hooks, and guardrails inside supported agent hosts.

Aegis CLI remains the source of truth for policy decisions, replay, and audit behavior. Plugins are additive host integrations, not a replacement for supervised execution.

Known limitations

• Hooks are advisory and depend on host support.
• Official marketplace availability is not yet implemented.
• Plugin installation is preview/dry-run by default.
• No telemetry is collected.
• The plugins do not protect sessions that are not launched through Aegis.
• These plugins do not add MCP server functionality or drone-specific plugin features.

Checksums

• Release checksum file: dist/plugins/aegis-plugin-checksums.txt
• Verification command: sha256sum -c aegis-plugin-checksums.txt
• Release zips:
  • dist/plugins/aegis-codex-plugin-vX.Y.Z.zip
  • dist/plugins/aegis-claude-code-plugin-vX.Y.Z.zip

Vulnerability reporting

Report security issues privately through SECURITY.md.

Contribution guidance

Read CONTRIBUTING.md, add deterministic tests or fixtures for security-sensitive changes, and verify with:

zig build
zig build test
./zig-out/bin/aegis redteam --ci

Troubleshooting links

• docs/integrations/plugin-troubleshooting.md
• docs/troubleshooting.md
• docs/integrations/codex.md
• docs/integrations/claude-code.md
• PLUGIN_SECURITY_MODEL.md