OACB v0.2.1 (beta)
Pre-releaseBeta release. OACB is under active development. Interfaces may change before
v1.0.0. Pin a specific tag (v0.2.1) in fleet deployments.
Hotfix from v0.2.0
This release fixes a critical regression in v0.2.0: unbound oacb apply --agent claude-code (CLI install path) failed open silently on every Bash tool call because oacb-enforce.sh sourced its shared core from /usr/local/share/oacb/shared (MDM-only path) that CLI installs don't populate. The hook errored exit 1, which Claude Code treats as a soft error — the command proceeded.
What changed:
baseline/claude-code/hooks/oacb-enforce.shnow falls back to the directory containing the hook script itself when the MDM default is unavailable. MDM deployments retain existing behavior.- A diagnostic audit-log entry (
rule: OACB-MDM-FALLBACK) + stderr breadcrumb fires when the fallback triggers, so fleet operators can detect mis-configured MDM paths. Suppress withOACB_DISABLE_FALLBACK_WARN=1. - All hook
OACB_VERSIONstrings + managed-settings_oacb.versionfields bumped0.2.0→0.2.1for forensic consistency.
A companion unbound-cli PR (#44) installs the shared core for claude-code and sets OACB_SHARED_DIR in the settings.json env block — belt-and-suspenders coverage for both old and new hook code paths.
Upgrade path: unbound oacb apply --agent claude-code --tier <your-tier> will fetch v0.2.1 hooks once unbound-cli is bumped to consume the new tag (or set OACB_PINNED_REF=v0.2.1 explicitly).
What's Changed
- docs: mark v0.2.0 as beta in README by @thatcatfromspace in #7
- fix(claude-code): fallback shared-core resolution + bump to 0.2.1 by @thatcatfromspace in #8
Full Changelog: v0.2.0...v0.2.1