Skip to content

Releases: Reeflex-io/reeflex

v0.1.10

Choose a tag to compare

@github-actions github-actions released this 06 Jul 19:25
93d7f28
reeflex v0.1.10 — reeflex-claude 0.1.7 + reeflex-holds 0.1.1: first P…

v0.1.9

Choose a tag to compare

@github-actions github-actions released this 06 Jul 18:27
99d7cc9
reeflex v0.1.9 — n8n-nodes-reeflex 0.1.1 (provenance) + n8n CI releas…

v0.1.8 — SIEM telemetry enrichment + syslog keepalive

Choose a tag to compare

@leodavidsec leodavidsec released this 06 Jul 10:50
a3203ac

Clean-image cut of the reeflex-core now running on the api-dev eval endpoint. No functional change to the decision path vs v0.1.5 — verdicts (allow / require_approval + hold / deny) are identical.

Note: v0.1.7 was the WordPress-adapter hold fan-out patch (reeflex-gate 0.1.7), where reeflex-core stayed at v0.1.5. This is the next core-code change.

Added

  • Decision telemetry enrichment for SIEM. The syslog decision event now carries srcip (caller IP, named so Wazuh GeoIP can enrich it), namespace + agent_id (the originating module/adapter — wordpress / claude / n8n), and target_ref + params (the executed command). The fire-and-forget, non-blocking decision-path invariant is unchanged.

Fixed

  • Syslog TCP keepalive. SO_KEEPALIVE (+ Linux TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT, ~30s detection) so a restarted syslog collector is detected and delivery resumes, instead of silently dropping events on a half-open connection until the container is restarted.

Image

ghcr.io/reeflex-io/reeflex-core:v0.1.8 (also :latest) — manifest digest sha256:9d8e2879c62b988455389f31820e70bfb5402d751b0895d5f597ff0aa44903a4. Built from this tag; runs on api-dev.reeflex.io.

v0.1.7 — WordPress adapter: hold fan-out fix

Choose a tag to compare

@leodavidsec leodavidsec released this 05 Jul 17:12
14153b5

Reeflex v0.1.7 — WordPress adapter: hold fan-out fix

Patch release for the WordPress adapter (reeflex-gate0.1.7). Other
components are unchanged from v0.1.6: reeflex-claude 0.1.6 + reeflex-holds
0.1.0 on PyPI, n8n-nodes-reeflex 0.1.0 on npm, reeflex-core v0.1.5 on GHCR.

Fixed

  • Hold fan-out. A single gated action triggered one /v1/decide call —
    and, when held, one hold — per registered ability instead of once,
    producing duplicate "Pending approvals" rows. A request-scoped decision memo
    now collapses the permission-callback fan-out to exactly one decision (one
    hold) per action. The guarantees are unchanged: actor ≠ approver, single-use
    holds, and the double-execution dedup from 0.1.5.

Assets

  • reeflex-gate-wordpress-standard.zip / reeflex-gate-wordpress-mu.zip — the
    plugin in both install forms (reeflex-gate 0.1.7).
  • reeflex-verify.zip — the operator CLI. reeflex-test-abilities.zip — safe
    test abilities to exercise the gate. (Both unchanged.)
  • SHA256SUMS.

Install the rest from their registries: pip install reeflex-claude ·
pip install reeflex-holds · npm i n8n-nodes-reeflex.

v0.1.6 — dedup fix + holds MCP & n8n node first release

Choose a tag to compare

@leodavidsec leodavidsec released this 05 Jul 08:58
fe4178e

Reeflex v0.1.6 — multi-channel: Claude adapter, holds MCP server, n8n node

Released: 2026-07-05
Branch: release/v0.1.6 (git tag pending release)
Core image: unchanged — reeflex-core has no changes in 0.1.6, so the GHCR
image stays ghcr.io/reeflex-io/reeflex-core:v0.1.5
(digest sha256:ca6f0488290721db16db5c9ff3b1af8acb3b14010a7f0f2e5d37d87abab3a2ac).

Highlight

First multi-channel release. The Claude adapter, the holds MCP server, and the
n8n community node ship to PyPI / npm alongside the GitHub release and the GHCR core
image — three new approval/enforcement surfaces around the same deterministic core.

What's in it

Added

  • reeflex-holds MCP server (first release). A FastMCP server exposing
    list_holds / get_hold / resolve_hold / get_freeze_status over reeflex-core's
    Holds API, so an MCP client (e.g. Claude Desktop) can be the approval surface.
    Env-configured (REEFLEX_CORE_URL / REEFLEX_TOKEN / REEFLEX_PRINCIPAL /
    REEFLEX_VERIFY_SSL); TLS-verify opt-out at parity with the adapters.
  • n8n-nodes-reeflex community node (first release). The "Reeflex Gate" node
    (allow / hold / deny outputs) + "Reeflex API" credential, plus five importable,
    story-driven demo workflows preconfigured against the public api-dev eval endpoint —
    each with an embedded GIF of a real run.
  • reeflex-claude: REEFLEX_VERIFY_SSL + REEFLEX_CORE_TOKEN. TLS-verify opt-out
    (user's risk, default on) and bearer auth, at parity with the WordPress adapter;
    enables dev/self-signed + authenticated core endpoints (e.g. api-dev.reeflex.io).

Fixed

  • WordPress adapter — double-gating dedup (reeflex-gate 0.1.5). An MCP-originated
    action gated twice (the ability's own gate + the MCP adapter layer) created two holds
    for one call; approving both re-ran the action twice. The adapter now deduplicates by
    canonical envelope hash + session within a tight creation-time window, so a
    double-gated action executes at most once — the second approval closes its record
    without re-executing. Corrected the wp-admin docblock/notice that wrongly claimed the
    companion approval never executes. Regression test (hold-dedup-regression-demo.php,
    D1–D8) added.
  • n8n demo 3 (approval loop). Resolves holds with a human principal (api-dev's
    default resolution policy is human-only) with an id distinct from the actor (avoids
    actor_is_approver), and regenerates meta.nonce on resubmit (core rejects a reused
    nonce as a replay) — so the decide → hold → resolve → resubmit → allow loop runs
    end-to-end out of the box in a real n8n.

Artifacts in this release

  • reeflex-gate-wordpress-standard.zip — WordPress reference adapter, standard-plugin
    form (reeflex-gate 0.1.5, carries the dedup fix).
  • reeflex-gate-wordpress-mu.zip — same adapter, mu-plugin form.
  • reeflex_claude-0.1.6-py3-none-any.whl / reeflex_claude-0.1.6.tar.gz — the Claude
    Code hook adapter (PyPI).
  • reeflex_holds-0.1.0-py3-none-any.whl / reeflex_holds-0.1.0.tar.gz — the holds MCP
    server (PyPI).
  • n8n-nodes-reeflex-0.1.0.tgz — the n8n community node (npm). Ships dist/ only; the
    five demo workflows travel with the GitHub repo, not the npm tarball.
  • reeflex-verify.zip / reeflex-test-abilities.zip — conformance/verify tooling,
    unchanged since v0.1.5.

Scope

Adapters and surfaces only. reeflex-core and the /v1/decide decision path are
unchanged; zero LLM in the decision path is unchanged. The agent principal type on
the holds resolution surface is AIL (an operator-designated AI judge, audited) — the
first decision (OPA/Rego) remains fully deterministic.

v0.1.5 — HIL Phase 1: holds queue + resolution API

Choose a tag to compare

@leodavidsec leodavidsec released this 04 Jul 10:16

Reeflex v0.1.5 — HIL Phase 1: holds queue + resolution API

HOLD becomes operational. A require_approval verdict now materializes a persistent hold; a principal the operator designates resolves it; an approved action can be re-submitted and allowed exactly once.

The first decision is deterministic. The second decision is yours. Core provides the mechanism — the holds API, the audit of the handover — never the gray-zone judgment. Core still never executes actions.

What's in it

  • Holds queue — event-sourced append-only JSONL store + in-memory index, lazy expiry, single-use, TTL (default 4h). Each hold binds the sha256 of the action-defining projection ({action, axes, magnitude, target}) — a modified action cannot ride an old approval.
  • Holds API (same bearer as /v1/decide): GET /v1/holds, GET /v1/holds/{id}, POST /v1/holds/{id}/resolve.
  • Approval principals — human | agent (AIL) | automation. Resolution policy is the operator's, per rule (shipped default: human-only). actor != approver enforced in core; the systemic rule stays a terminal deny (resolvable by no one). decided_by records type:identity verbatim — the EU AI Act Art. 14 oversight-allocation evidence. Zero LLM in the FIRST decision path.
  • Kill-switchREEFLEX_FREEZE=true denies all non-read verbs instantly; reads pass; flips audited.
  • Outbound hold webhookhold.created / hold.resolved / hold.expired / freeze.flipped; fire-and-forget, bounded queue, at-most-once, never blocks /v1/decide. Makes BPMN/SOAR/n8n integration possible without vendor connectors — core builds the socket, not the engines.

Pull

docker pull ghcr.io/reeflex-io/reeflex-core:v0.1.5

Digest: sha256:ca6f0488290721db16db5c9ff3b1af8acb3b14010a7f0f2e5d37d87abab3a2ac (also latest).

Verified

  • CI green: 207 core tests (1 intentional platform skip) + 9/9 OPA policy.
  • Anonymous GHCR pull confirmed for both tags (digest match).
  • Live smoke on the release image: a bulk-delete returns require_approval + hold_id + expires_ts; the full handover (decide → hold → resolve → resubmit-with-approval → allow → consumed) is proven end-to-end over HTTP.

Docs

reeflex-core/README.md (Holds & human-in-the-loop) and reeflex-spec/SPEC.md (approval object). Full changelog: CHANGELOG.md.

Core-only. Adapters unchanged. Phase 2 = adapter re-submission + surfaces (WordPress admin, Slack, CLI, MCP holds server).

v0.1.4 — SIEM syslog telemetry

Choose a tag to compare

@leodavidsec leodavidsec released this 03 Jul 21:20

Reeflex v0.1.4 — SIEM syslog telemetry

The SOC cannot see AI agents today: agent actions happen inside apps, invisible to security telemetry. Reeflex now turns every agent action into a standard security event — before it executes.

reeflex-core streams every decision to a configured syslog endpoint:

  • RFC 5424 over UDP (default), TCP (RFC 6587 octet-counted), or TLS (RFC 5425)
  • payload as structured JSON (default) or CEF
  • one socket, zero vendor connectors — Splunk, QRadar, Wazuh, FortiSIEM, Graylog, Grafana Loki, Datadog and friends all consume syslog

The invariant: telemetry is fire-and-forget — a bounded in-memory queue, drop-on-overflow with a dropped-events counter, all I/O on a background daemon thread. It can never block or fail /v1/decide ("fail-closed for decisions, fail-open for telemetry"); the append-only audit JSONL stays authoritative. Verified: a dead / slow / unreachable endpoint adds zero decision latency.

Disabled by default (REEFLEX_SYSLOG_ENABLED=false); configured entirely by env. Python stdlib only — no new dependencies.

Pull

docker pull ghcr.io/reeflex-io/reeflex-core:v0.1.4

Digest: sha256:acfd9f8d91db4c756da6229b215875d3f7622aef787aedba56e0f4f5bcfc453a (also tagged latest).

Verified

  • CI green: 127 core tests (1 intentional platform skip) + 9/9 OPA policy.
  • Anonymous GHCR pull confirmed for both tags (digest match).
  • Live syslog smoke: allow / require_approval / deny received over syslog in JSON and CEF (RFC 5424 PRI 134 / 132 / 131).

Docs

docs/siem.md — quickstart, event schema, CEF mapping, and consuming guides for 11 platforms (guides only, no vendor code).

Full changelog: CHANGELOG.md. Adapters unchanged (remain at v0.1.3).

v0.1.3 — Observe mode

Choose a tag to compare

@leodavidsec leodavidsec released this 03 Jul 12:57
148ef19

Reeflex Gate 0.1.3 — Observe mode (HIL-DESIGN §8, Phase 0)

Adds an enforcement mode to both adapters. Default stays enforce (unchanged). The new observe mode records every verdict to the audit log but enforces nothing — the action always proceeds — so you can calibrate on real data before turning enforcement on. In observe a core outage fails OPEN (never blocks the site), the opposite of enforce's fail-closed. Zero core changes — mode is an adapter-side audit annotation.

WordPress adapter (reeflex-gate 0.1.3)

  • REEFLEX_MODE constant (enforce | observe, default enforce) + a Enforcement mode dropdown on Settings > Reeflex Gate, with the same locked-field precedence as the other settings (a wp-config constant locks the field read-only).
  • Observe short-circuit in both hooks; audit records gain a mode field carrying the would-be verdict.
  • Plugin Check clean. Enforce behaviour byte-for-byte unchanged.

Claude adapter (reeflex-claude)

  • REEFLEX_MODE=observe env → the PreToolUse hook emits allow while the JSONL audit records the would-be verdict + mode=observe; same fail-open. 146 unit tests pass.

reeflex-verify

  • New --expect-observe flag: asserts every action PROCEEDs (allow) while the audit still shows the would-be verdicts.

Assets

File Use
reeflex-gate-wordpress-standard.zip Standard plugin (Plugins > Add New > Upload)
reeflex-gate-wordpress-mu.zip Must-use form (wp-content/mu-plugins/, wp-config constants)
reeflex-verify.zip CLI conformance/verification tool
reeflex-test-abilities.zip Test-only plugin registering sample abilities

Full changelog: see CHANGELOG.md and reeflex-wordpress/readme.txt.

v0.1.2

Choose a tag to compare

@leodavidsec leodavidsec released this 02 Jul 12:24

Tooling + docs release. The decision engine and the WordPress gate are unchanged from v0.1.1; this release ships the reproducibility fix for the operator verify tool and re-emits the full package set so "latest" carries everything.

Changed

  • reeflex-verify — fresh agent session per run. The CLI now sends a unique Mcp-Session-Id on every run (override with --session-id to pin one). The core binds cumulative anti-fragmentation policy state to session_id (SPEC §4.1); without a fresh session, repeated runs against the same site accumulate into one per-session delete budget and eventually the gate holds even read-only actions (rule reeflex.policy/session_delete_budget) — producing false mismatches. Validated 5/5 on a live WordPress site in both the standard and must-use (mu) install forms.

Docs

  • reeflex-verify/README.md shows a real clean-run screenshot.
  • ROADMAP.md records the open policy decision on R5 scope (all-verbs vs destructive-verbs-only).

Packages

  • reeflex-gate-wordpress-standard.zip — WordPress gate, standard plugin form (Upload Plugin UI + Settings page).
  • reeflex-gate-wordpress-mu.zip — WordPress gate, must-use form (drop into wp-content/mu-plugins/, config via wp-config.php constants).
  • reeflex-verify.zip — the operator verify CLI, with the fresh-session-per-run fix.
  • reeflex-test-abilities.zip — safe test abilities to exercise the gate.

Reeflex v0.1.1

Choose a tag to compare

@leodavidsec leodavidsec released this 02 Jul 11:05
696543f

WordPress adapter: admin Settings page (API URL, Token, Verify TLS) + optional verify_ssl for dev/staging certs. reeflex-verify CLI (WAF-traversing curl transport, cross-platform) validated 5/5 live. Full package set: gate standard + mu, reeflex-verify, test-abilities. Private preview.