Releases: Reeflex-io/reeflex
Release list
v0.1.10
v0.1.9
reeflex v0.1.9 — n8n-nodes-reeflex 0.1.1 (provenance) + n8n CI releas…
v0.1.8 — SIEM telemetry enrichment + syslog keepalive
Clean-image cut of the reeflex-core now running on the api-dev eval endpoint. No functional change to the decision path vs v0.1.5 — verdicts (allow / require_approval + hold / deny) are identical.
Note:
v0.1.7was the WordPress-adapter hold fan-out patch (reeflex-gate0.1.7), wherereeflex-corestayed at v0.1.5. This is the next core-code change.
Added
- Decision telemetry enrichment for SIEM. The syslog decision event now carries
srcip(caller IP, named so Wazuh GeoIP can enrich it),namespace+agent_id(the originating module/adapter — wordpress / claude / n8n), andtarget_ref+params(the executed command). The fire-and-forget, non-blocking decision-path invariant is unchanged.
Fixed
- Syslog TCP keepalive.
SO_KEEPALIVE(+ LinuxTCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT, ~30s detection) so a restarted syslog collector is detected and delivery resumes, instead of silently dropping events on a half-open connection until the container is restarted.
Image
ghcr.io/reeflex-io/reeflex-core:v0.1.8 (also :latest) — manifest digest sha256:9d8e2879c62b988455389f31820e70bfb5402d751b0895d5f597ff0aa44903a4. Built from this tag; runs on api-dev.reeflex.io.
v0.1.7 — WordPress adapter: hold fan-out fix
Reeflex v0.1.7 — WordPress adapter: hold fan-out fix
Patch release for the WordPress adapter (reeflex-gate → 0.1.7). Other
components are unchanged from v0.1.6: reeflex-claude 0.1.6 + reeflex-holds
0.1.0 on PyPI, n8n-nodes-reeflex 0.1.0 on npm, reeflex-core v0.1.5 on GHCR.
Fixed
- Hold fan-out. A single gated action triggered one
/v1/decidecall —
and, when held, one hold — per registered ability instead of once,
producing duplicate "Pending approvals" rows. A request-scoped decision memo
now collapses the permission-callback fan-out to exactly one decision (one
hold) per action. The guarantees are unchanged: actor ≠ approver, single-use
holds, and the double-execution dedup from 0.1.5.
Assets
reeflex-gate-wordpress-standard.zip/reeflex-gate-wordpress-mu.zip— the
plugin in both install forms (reeflex-gate 0.1.7).reeflex-verify.zip— the operator CLI.reeflex-test-abilities.zip— safe
test abilities to exercise the gate. (Both unchanged.)SHA256SUMS.
Install the rest from their registries: pip install reeflex-claude ·
pip install reeflex-holds · npm i n8n-nodes-reeflex.
v0.1.6 — dedup fix + holds MCP & n8n node first release
Reeflex v0.1.6 — multi-channel: Claude adapter, holds MCP server, n8n node
Released: 2026-07-05
Branch: release/v0.1.6 (git tag pending release)
Core image: unchanged — reeflex-core has no changes in 0.1.6, so the GHCR
image stays ghcr.io/reeflex-io/reeflex-core:v0.1.5
(digest sha256:ca6f0488290721db16db5c9ff3b1af8acb3b14010a7f0f2e5d37d87abab3a2ac).
Highlight
First multi-channel release. The Claude adapter, the holds MCP server, and the
n8n community node ship to PyPI / npm alongside the GitHub release and the GHCR core
image — three new approval/enforcement surfaces around the same deterministic core.
What's in it
Added
reeflex-holdsMCP server (first release). A FastMCP server exposing
list_holds/get_hold/resolve_hold/get_freeze_statusover reeflex-core's
Holds API, so an MCP client (e.g. Claude Desktop) can be the approval surface.
Env-configured (REEFLEX_CORE_URL/REEFLEX_TOKEN/REEFLEX_PRINCIPAL/
REEFLEX_VERIFY_SSL); TLS-verify opt-out at parity with the adapters.n8n-nodes-reeflexcommunity node (first release). The "Reeflex Gate" node
(allow / hold / deny outputs) + "Reeflex API" credential, plus five importable,
story-driven demo workflows preconfigured against the public api-dev eval endpoint —
each with an embedded GIF of a real run.- reeflex-claude:
REEFLEX_VERIFY_SSL+REEFLEX_CORE_TOKEN. TLS-verify opt-out
(user's risk, default on) and bearer auth, at parity with the WordPress adapter;
enables dev/self-signed + authenticated core endpoints (e.g.api-dev.reeflex.io).
Fixed
- WordPress adapter — double-gating dedup (reeflex-gate 0.1.5). An MCP-originated
action gated twice (the ability's own gate + the MCP adapter layer) created two holds
for one call; approving both re-ran the action twice. The adapter now deduplicates by
canonical envelope hash + session within a tight creation-time window, so a
double-gated action executes at most once — the second approval closes its record
without re-executing. Corrected the wp-admin docblock/notice that wrongly claimed the
companion approval never executes. Regression test (hold-dedup-regression-demo.php,
D1–D8) added. - n8n demo 3 (approval loop). Resolves holds with a
humanprincipal (api-dev's
default resolution policy is human-only) with an id distinct from the actor (avoids
actor_is_approver), and regeneratesmeta.nonceon resubmit (core rejects a reused
nonce as a replay) — so the decide → hold → resolve → resubmit → allow loop runs
end-to-end out of the box in a real n8n.
Artifacts in this release
reeflex-gate-wordpress-standard.zip— WordPress reference adapter, standard-plugin
form (reeflex-gate 0.1.5, carries the dedup fix).reeflex-gate-wordpress-mu.zip— same adapter, mu-plugin form.reeflex_claude-0.1.6-py3-none-any.whl/reeflex_claude-0.1.6.tar.gz— the Claude
Code hook adapter (PyPI).reeflex_holds-0.1.0-py3-none-any.whl/reeflex_holds-0.1.0.tar.gz— the holds MCP
server (PyPI).n8n-nodes-reeflex-0.1.0.tgz— the n8n community node (npm). Shipsdist/only; the
five demo workflows travel with the GitHub repo, not the npm tarball.reeflex-verify.zip/reeflex-test-abilities.zip— conformance/verify tooling,
unchanged since v0.1.5.
Scope
Adapters and surfaces only. reeflex-core and the /v1/decide decision path are
unchanged; zero LLM in the decision path is unchanged. The agent principal type on
the holds resolution surface is AIL (an operator-designated AI judge, audited) — the
first decision (OPA/Rego) remains fully deterministic.
v0.1.5 — HIL Phase 1: holds queue + resolution API
Reeflex v0.1.5 — HIL Phase 1: holds queue + resolution API
HOLD becomes operational. A require_approval verdict now materializes a persistent hold; a principal the operator designates resolves it; an approved action can be re-submitted and allowed exactly once.
The first decision is deterministic. The second decision is yours. Core provides the mechanism — the holds API, the audit of the handover — never the gray-zone judgment. Core still never executes actions.
What's in it
- Holds queue — event-sourced append-only JSONL store + in-memory index, lazy expiry, single-use, TTL (default 4h). Each hold binds the sha256 of the action-defining projection ({action, axes, magnitude, target}) — a modified action cannot ride an old approval.
- Holds API (same bearer as
/v1/decide):GET /v1/holds,GET /v1/holds/{id},POST /v1/holds/{id}/resolve. - Approval principals — human | agent (AIL) | automation. Resolution policy is the operator's, per rule (shipped default: human-only).
actor != approverenforced in core; the systemic rule stays a terminal deny (resolvable by no one).decided_byrecordstype:identityverbatim — the EU AI Act Art. 14 oversight-allocation evidence. Zero LLM in the FIRST decision path. - Kill-switch —
REEFLEX_FREEZE=truedenies all non-read verbs instantly; reads pass; flips audited. - Outbound hold webhook —
hold.created/hold.resolved/hold.expired/freeze.flipped; fire-and-forget, bounded queue, at-most-once, never blocks/v1/decide. Makes BPMN/SOAR/n8n integration possible without vendor connectors — core builds the socket, not the engines.
Pull
docker pull ghcr.io/reeflex-io/reeflex-core:v0.1.5
Digest: sha256:ca6f0488290721db16db5c9ff3b1af8acb3b14010a7f0f2e5d37d87abab3a2ac (also latest).
Verified
- CI green: 207 core tests (1 intentional platform skip) + 9/9 OPA policy.
- Anonymous GHCR pull confirmed for both tags (digest match).
- Live smoke on the release image: a bulk-delete returns
require_approval+hold_id+expires_ts; the full handover (decide → hold → resolve → resubmit-with-approval → allow → consumed) is proven end-to-end over HTTP.
Docs
reeflex-core/README.md (Holds & human-in-the-loop) and reeflex-spec/SPEC.md (approval object). Full changelog: CHANGELOG.md.
Core-only. Adapters unchanged. Phase 2 = adapter re-submission + surfaces (WordPress admin, Slack, CLI, MCP holds server).
v0.1.4 — SIEM syslog telemetry
Reeflex v0.1.4 — SIEM syslog telemetry
The SOC cannot see AI agents today: agent actions happen inside apps, invisible to security telemetry. Reeflex now turns every agent action into a standard security event — before it executes.
reeflex-core streams every decision to a configured syslog endpoint:
- RFC 5424 over UDP (default), TCP (RFC 6587 octet-counted), or TLS (RFC 5425)
- payload as structured JSON (default) or CEF
- one socket, zero vendor connectors — Splunk, QRadar, Wazuh, FortiSIEM, Graylog, Grafana Loki, Datadog and friends all consume syslog
The invariant: telemetry is fire-and-forget — a bounded in-memory queue, drop-on-overflow with a dropped-events counter, all I/O on a background daemon thread. It can never block or fail /v1/decide ("fail-closed for decisions, fail-open for telemetry"); the append-only audit JSONL stays authoritative. Verified: a dead / slow / unreachable endpoint adds zero decision latency.
Disabled by default (REEFLEX_SYSLOG_ENABLED=false); configured entirely by env. Python stdlib only — no new dependencies.
Pull
docker pull ghcr.io/reeflex-io/reeflex-core:v0.1.4
Digest: sha256:acfd9f8d91db4c756da6229b215875d3f7622aef787aedba56e0f4f5bcfc453a (also tagged latest).
Verified
- CI green: 127 core tests (1 intentional platform skip) + 9/9 OPA policy.
- Anonymous GHCR pull confirmed for both tags (digest match).
- Live syslog smoke: allow / require_approval / deny received over syslog in JSON and CEF (RFC 5424 PRI 134 / 132 / 131).
Docs
docs/siem.md — quickstart, event schema, CEF mapping, and consuming guides for 11 platforms (guides only, no vendor code).
Full changelog: CHANGELOG.md. Adapters unchanged (remain at v0.1.3).
v0.1.3 — Observe mode
Reeflex Gate 0.1.3 — Observe mode (HIL-DESIGN §8, Phase 0)
Adds an enforcement mode to both adapters. Default stays enforce (unchanged). The new observe mode records every verdict to the audit log but enforces nothing — the action always proceeds — so you can calibrate on real data before turning enforcement on. In observe a core outage fails OPEN (never blocks the site), the opposite of enforce's fail-closed. Zero core changes — mode is an adapter-side audit annotation.
WordPress adapter (reeflex-gate 0.1.3)
REEFLEX_MODEconstant (enforce|observe, defaultenforce) + a Enforcement mode dropdown on Settings > Reeflex Gate, with the same locked-field precedence as the other settings (a wp-config constant locks the field read-only).- Observe short-circuit in both hooks; audit records gain a
modefield carrying the would-be verdict. - Plugin Check clean. Enforce behaviour byte-for-byte unchanged.
Claude adapter (reeflex-claude)
REEFLEX_MODE=observeenv → the PreToolUse hook emitsallowwhile the JSONL audit records the would-be verdict +mode=observe; same fail-open. 146 unit tests pass.
reeflex-verify
- New
--expect-observeflag: asserts every action PROCEEDs (allow) while the audit still shows the would-be verdicts.
Assets
| File | Use |
|---|---|
reeflex-gate-wordpress-standard.zip |
Standard plugin (Plugins > Add New > Upload) |
reeflex-gate-wordpress-mu.zip |
Must-use form (wp-content/mu-plugins/, wp-config constants) |
reeflex-verify.zip |
CLI conformance/verification tool |
reeflex-test-abilities.zip |
Test-only plugin registering sample abilities |
Full changelog: see CHANGELOG.md and reeflex-wordpress/readme.txt.
v0.1.2
Tooling + docs release. The decision engine and the WordPress gate are unchanged from v0.1.1; this release ships the reproducibility fix for the operator verify tool and re-emits the full package set so "latest" carries everything.
Changed
reeflex-verify— fresh agent session per run. The CLI now sends a uniqueMcp-Session-Idon every run (override with--session-idto pin one). The core binds cumulative anti-fragmentation policy state tosession_id(SPEC §4.1); without a fresh session, repeated runs against the same site accumulate into one per-session delete budget and eventually the gate holds even read-only actions (rulereeflex.policy/session_delete_budget) — producing false mismatches. Validated 5/5 on a live WordPress site in both the standard and must-use (mu) install forms.
Docs
reeflex-verify/README.mdshows a real clean-run screenshot.ROADMAP.mdrecords the open policy decision on R5 scope (all-verbs vs destructive-verbs-only).
Packages
reeflex-gate-wordpress-standard.zip— WordPress gate, standard plugin form (Upload Plugin UI + Settings page).reeflex-gate-wordpress-mu.zip— WordPress gate, must-use form (drop intowp-content/mu-plugins/, config viawp-config.phpconstants).reeflex-verify.zip— the operator verify CLI, with the fresh-session-per-run fix.reeflex-test-abilities.zip— safe test abilities to exercise the gate.
Reeflex v0.1.1
WordPress adapter: admin Settings page (API URL, Token, Verify TLS) + optional verify_ssl for dev/staging certs. reeflex-verify CLI (WAF-traversing curl transport, cross-platform) validated 5/5 live. Full package set: gate standard + mu, reeflex-verify, test-abilities. Private preview.