v0.6.6

🔥 ACP Cutover Complete — tmux is Gone

Aegis v0.6.6 stable removes the tmux runtime entirely and replaces it with the Agent Control Protocol (ACP) — JSON-RPC over stdio. No terminal parsing, no VT100 screen emulation, no tmux dependency.

⚡ What's New

12 ACP-Native MCP Tools:

• acp_send_prompt, acp_respond_approval — drive sessions from your tools
• acp_pause_session, acp_resume_session, acp_cancel_session — lifecycle control
• acp_claim_driver, acp_release_driver, acp_transfer_driver — multi-agent driver management
• acp_get_events, acp_get_chat, acp_get_timeline, acp_get_terminal_debug — observability

New REST Endpoints:

• Control actions: POST /v1/sessions/:id/pause, /resume, /intervention/start, /intervention/complete
• Event replay: GET /v1/sessions/:id/events, POST /v1/sessions/:id/events/replay
• Route aliases: /input, /kill, /stop, /stream

Dashboard Rebuilt for ACP:

• Pause/Intervention controls
• Chat view with thinking deltas and token usage
• Tool-call & diff cards
• Driver/Observer controls for multi-agent sessions
• Operator timeline with filters
• Terminal debug tab

Security Hardening:

• Rate limiting active in no-auth localhost mode
• Timing-safe comparison (no length-leak side-channel)
• hookSecret redacted from all API responses
• Separate auth/unauth rate-limit buckets
• Hardened CSP with worker-src blob for xterm.js

Performance:

• Vendor chunk splitting (recharts/d3 and lucide-react isolated)
• Reduced memory growth in IP rate limiter
• Auto-prune and max-records cap on metering

Backend Reliability:

• Circuit breaker for StopFailure infinite loop
• File-level mutex on JsonFileStore (TOCTOU race prevention)
• Atomic Redis saves with MULTI/EXEC
• Race condition fix for 404 on session /read
• Premature termination detection for background agents

CI & Release Pipeline:

• SLSA provenance and publish gate
• Release Please on release branches with tag overwrite protection
• CODEOWNERS precedence fix for workflow/release config

💥 Breaking Changes

tmux-specific endpoints and MCP tools have been removed:

• Endpoints: /pane, /bash, /discover-commands
• MCP tools: send_bash, capture_pane
• Error codes: TMUX_TIMEOUT → ACM_TIMEOUT, TMUX_ERROR → ACM_ERROR

Use the new ACP endpoints and acp_* tools instead. See the Migration Guide.

📦 Install

npm install @onestepat4time/aegis@0.6.6

🔗 Links

• Full Changelog (v0.6.6-preview.1 → v0.6.6)
• Preview.1 Changelog (v0.5.3-alpha → v0.6.6-preview.1)
• Migration Guide
• ClawHub

Full Changelog: v0.6.6-preview.1...v0.6.6

v0.6.6-preview.1

What's Changed

• build(deps): bump fastify from 5.8.4 to 5.8.5 by @dependabot[bot] in #1873
• build(deps): bump hono from 4.12.8 to 4.12.14 by @dependabot[bot] in #1890
• build(deps): bump dompurify from 3.3.3 to 3.4.0 in /dashboard by @dependabot[bot] in #1891
• build(deps): bump protobufjs from 7.5.4 to 7.5.5 by @dependabot[bot] in #1960
• build(deps): bump @fastify/static from 9.1.0 to 9.1.1 by @dependabot[bot] in #1907
• chore(release): dashboard-perfection v0.6.0-preview by @OneStepAt4time in #2063
• chore(release): prepare 0.6.1-preview by @OneStepAt4time in #2076
• build(deps): bump @opentelemetry/exporter-trace-otlp-http from 0.214.0 to 0.215.0 by @dependabot[bot] in #2199
• build(deps): bump @fastify/static from 9.1.1 to 9.1.3 by @dependabot[bot] in #2198
• build(deps): bump lucide-react from 1.8.0 to 1.11.0 in /dashboard by @dependabot[bot] in #2197
• build(deps-dev): bump vite from 8.0.8 to 8.0.10 in /dashboard by @dependabot[bot] in #2195
• build(deps-dev): bump @types/node from 25.5.2 to 25.6.0 by @dependabot[bot] in #2194
• build(deps): bump react-router-dom from 7.13.2 to 7.14.2 in /dashboard by @dependabot[bot] in #2193
• build(deps): bump @opentelemetry/auto-instrumentations-node from 0.72.0 to 0.73.0 by @dependabot[bot] in #2192
• build(deps): bump @tanstack/react-virtual from 3.13.23 to 3.13.24 in /dashboard by @dependabot[bot] in #2190
• build(deps): bump postcss from 8.5.8 to 8.5.12 in /dashboard by @dependabot[bot] in #2205
• build(deps-dev): bump @vitest/coverage-v8 from 4.1.4 to 4.1.5 by @dependabot[bot] in #2196
• build(deps): bump googleapis/release-please-action from 4 to 5 by @dependabot[bot] in #2189
• build(deps): bump azure/setup-helm from 4 to 5 by @dependabot[bot] in #2188
• build(deps-dev): bump postcss from 8.5.9 to 8.5.12 by @dependabot[bot] in #2207
• build(deps-dev): bump postcss from 8.5.8 to 8.5.12 in /.github/actions/auto-label by @dependabot[bot] in #2206
• chore: promote develop to main — sync 457 commits (Phase 2 + VT100 epic) by @OneStepAt4time in #2216
• chore: promote v0.6.5-preview to main by @OneStepAt4time in #2403
• chore: promote v0.6.5-preview.3 to main by @OneStepAt4time in #2411
• chore: promote release hardening to main by @OneStepAt4time in #2418
• chore: promote CI failure alert fix to main by @OneStepAt4time in #2420
• chore: promote release preflight hardening to main by @OneStepAt4time in #2422
• chore: promote release flow redesign to main by @OneStepAt4time in #2425
• chore: promote Release Please CLI fix to main by @OneStepAt4time in #2429
• chore: promote release branch identity fix to main by @OneStepAt4time in #2431
• fix(release): promote manifest baseline fix to main by @OneStepAt4time in #2435
• chore(release): promote 0.6.6-preview to main by @OneStepAt4time in #2438
• fix(release): make ClawHub publish best effort by @OneStepAt4time in #2440
• chore(release): promote v0.6.6-preview.1 to main by @OneStepAt4time in #2499
• fix(ci): skip tag-freshness check for recovery releases by @OneStepAt4time in #2516

Full Changelog: v0.5.3-alpha...v0.6.6-preview.1

v0.6.6-preview

What's Changed

• build(deps): bump fastify from 5.8.4 to 5.8.5 by @dependabot[bot] in #1873
• build(deps): bump hono from 4.12.8 to 4.12.14 by @dependabot[bot] in #1890
• build(deps): bump dompurify from 3.3.3 to 3.4.0 in /dashboard by @dependabot[bot] in #1891
• build(deps): bump protobufjs from 7.5.4 to 7.5.5 by @dependabot[bot] in #1960
• build(deps): bump @fastify/static from 9.1.0 to 9.1.1 by @dependabot[bot] in #1907
• chore(release): dashboard-perfection v0.6.0-preview by @OneStepAt4time in #2063
• chore(release): prepare 0.6.1-preview by @OneStepAt4time in #2076
• build(deps): bump @opentelemetry/exporter-trace-otlp-http from 0.214.0 to 0.215.0 by @dependabot[bot] in #2199
• build(deps): bump @fastify/static from 9.1.1 to 9.1.3 by @dependabot[bot] in #2198
• build(deps): bump lucide-react from 1.8.0 to 1.11.0 in /dashboard by @dependabot[bot] in #2197
• build(deps-dev): bump vite from 8.0.8 to 8.0.10 in /dashboard by @dependabot[bot] in #2195
• build(deps-dev): bump @types/node from 25.5.2 to 25.6.0 by @dependabot[bot] in #2194
• build(deps): bump react-router-dom from 7.13.2 to 7.14.2 in /dashboard by @dependabot[bot] in #2193
• build(deps): bump @opentelemetry/auto-instrumentations-node from 0.72.0 to 0.73.0 by @dependabot[bot] in #2192
• build(deps): bump @tanstack/react-virtual from 3.13.23 to 3.13.24 in /dashboard by @dependabot[bot] in #2190
• build(deps): bump postcss from 8.5.8 to 8.5.12 in /dashboard by @dependabot[bot] in #2205
• build(deps-dev): bump @vitest/coverage-v8 from 4.1.4 to 4.1.5 by @dependabot[bot] in #2196
• build(deps): bump googleapis/release-please-action from 4 to 5 by @dependabot[bot] in #2189
• build(deps): bump azure/setup-helm from 4 to 5 by @dependabot[bot] in #2188
• build(deps-dev): bump postcss from 8.5.9 to 8.5.12 by @dependabot[bot] in #2207
• build(deps-dev): bump postcss from 8.5.8 to 8.5.12 in /.github/actions/auto-label by @dependabot[bot] in #2206
• chore: promote develop to main — sync 457 commits (Phase 2 + VT100 epic) by @OneStepAt4time in #2216
• chore: promote v0.6.5-preview to main by @OneStepAt4time in #2403
• chore: promote v0.6.5-preview.3 to main by @OneStepAt4time in #2411
• chore: promote release hardening to main by @OneStepAt4time in #2418
• chore: promote CI failure alert fix to main by @OneStepAt4time in #2420
• chore: promote release preflight hardening to main by @OneStepAt4time in #2422
• chore: promote release flow redesign to main by @OneStepAt4time in #2425
• chore: promote Release Please CLI fix to main by @OneStepAt4time in #2429
• chore: promote release branch identity fix to main by @OneStepAt4time in #2431
• fix(release): promote manifest baseline fix to main by @OneStepAt4time in #2435
• chore(release): promote 0.6.6-preview to main by @OneStepAt4time in #2438

Full Changelog: v0.5.3-alpha...v0.6.6-preview

v0.6.5-preview.3

What's Changed

• refactor(dashboard): add i18n to Analytics, Audit, Cost, and Metrics pages by @OneStepAt4time in #2399
• fix(release): prepare preview.3 workflow fixes by @OneStepAt4time in #2410

Full Changelog: v0.6.5-preview.2...v0.6.5-preview.3

v0.6.5-preview.2

What's Changed

• refactor(dashboard): fix ESLint unused-var and no-require-imports errors by @OneStepAt4time in #2398
• test(state): add PostgresStore unit tests with mocked pg.Pool by @OneStepAt4time in #2397
• docs: update i18n section — add batch 2 localized pages by @OneStepAt4time in #2405
• fix(release): unblock preview publish workflow by @OneStepAt4time in #2406

Full Changelog: v0.6.5-preview.1...v0.6.5-preview.2

v0.6.5-preview.1

What's Changed

• ci: bootstrap develop rollout and tiered CI by @OneStepAt4time in #1242
• fix(security): harden auto-issue-label workflow (#1174) by @OneStepAt4time in #1243
• build(deps): bump @modelcontextprotocol/sdk from 1.28.0 to 1.29.0 by @dependabot[bot] in #1237
• build(deps-dev): bump @types/node from 20.19.37 to 25.5.2 by @dependabot[bot] in #1236
• build(deps): bump actions/download-artifact from 4 to 8 by @dependabot[bot] in #1235
• build(deps): bump actions/deploy-pages from 4 to 5 by @dependabot[bot] in #1234
• fix(dashboard): surface message fetch errors in TerminalPassthrough instead of silently swallowing by @OneStepAt4time in #1244
• build(deps): bump actions/configure-pages from 5 to 6 by @dependabot[bot] in #1233
• build(deps): bump actions/checkout from 4 to 6 by @dependabot[bot] in #1232
• docs: add MCP Tools Reference (25 tools, 3 prompts) by @OneStepAt4time in #1245
• test: add integration tests for critical paths (#1205) by @OneStepAt4time in #1239
• fix: resolve 11 macOS test failures and add macos-latest to CI by @OneStepAt4time in #1230
• test(#1194): enable Windows CI by removing skipIf and fixing paths by @OneStepAt4time in #1246
• perf(dashboard): add vendor splitting with manual chunks and route-level code splitting by @OneStepAt4time in #1249
• perf: cache hook cleanup to avoid redundant disk I/O (#1134) by @OneStepAt4time in #1250
• fix(#1134): include new session ID in activeIds before cleanup by @OneStepAt4time in #1253
• fix(tmux): remove unused windowExistsCache duplicate (#1126) by @OneStepAt4time in #1254
• fix(monitor): clean per-session Maps on signal shutdown (#1115) by @OneStepAt4time in #1255
• fix(permission): handle ? as single-char wildcard in globToRegExp (#1124) by @OneStepAt4time in #1256
• fix(ws-terminal): stop poll timer immediately on session death (#1122) by @OneStepAt4time in #1257
• fix(ci): fix continue-on-error asymmetry in ClawHub publish workflow (#1128) by @OneStepAt4time in #1259
• fix(ci): harden GitHub Actions permissions to least privilege (#1172) by @OneStepAt4time in #1260
• ci(governance): add mandatory production approval gate for release publish by @OneStepAt4time in #1258
• feat(webhook): keep session.id and name in redactPayload (#1123) by @OneStepAt4time in #1261
• perf(tmux): batch 3 window setup calls into 1 process spawn (#1116) by @OneStepAt4time in #1262
• perf(dashboard): incremental transcript rendering in TerminalPassthrough by @OneStepAt4time in #1264
• fix(dashboard): add Zod validation to SSE/WebSocket message handlers by @OneStepAt4time in #1265
• feat(ci): publish SHA256 checksums as GitHub release asset (#1171) by @OneStepAt4time in #1266
• fix(dashboard): skip retries for validation failures in API client by @OneStepAt4time in #1267
• feat(ci): generate and publish SPDX SBOM as release asset (#1169) by @OneStepAt4time in #1268
• fix(dashboard): wire onFork prop in SessionHeader and add Fork button by @OneStepAt4time in #1269
• fix(config): add Zod schema validation for config file (#1109) by @OneStepAt4time in #1270
• fix(server): use Fastify decorateRequest for type-safe authKeyId (#1108) by @OneStepAt4time in #1271
• fix(security): add TLS/key/credential patterns to .gitignore (#1106) by @OneStepAt4time in #1272
• fix(ci): add dashboard to Dependabot coverage (#1110) by @OneStepAt4time in #1273
• fix(monitor): only fast-poll when hooks are configured (#1097) by @OneStepAt4time in #1274
• fix(server): replace blocking execFileSync with async execFileAsync (#1096) by @OneStepAt4time in #1275
• fix(session): use stored byteOffset in detectWaitingForInput (#1095) by @OneStepAt4time in #1276
• fix(session): check dangerous env prefixes before name regex (#1093) by @OneStepAt4time in #1279
• fix(dashboard): add connected/heartbeat to GlobalSSEEventType enum by @OneStepAt4time in #1283
• docs: fix broken dashboard image reference by @OneStepAt4time in #1284
• ci(governance): enforce feat minor-bump approval gate by @OneStepAt4time in #1285
• fix(security): normalize paths before prefix check (#1081) by @OneStepAt4time in #1286
• fix(security): use exact path match for SSE route detection (#1089) by @OneStepAt4time in #1287
• fix(security): use timing-safe comparison for hook secrets (#1085) by @OneStepAt4time in #1288
• fix(security): require auth when binding to non-localhost (#1080) by @OneStepAt4time in #1289
• fix(security): reject all Telegram users when allowlist is empty (#1087) by @OneStepAt4time in #1290
• fix(security): correct isLocalhostBinding negation in auth guard (#1080 regression) by @OneStepAt4time in #1300
• fix(server): call process.exit() after signal cleanup completes (#1090) by @OneStepAt4time in #1303
• feat(build): add ESLint flat config + Prettier + lint CI step (#1104) by @OneStepAt4time in #1280
• fix: resolve ESLint warnings across src/ by @OneStepAt4time in #1309
• fix(ci): use Homebrew to install tmux on macOS runners (#1311) by @OneStepAt4time in #1313
• docs: add module-level AI context and ADR documentation by @OneStepAt4time in #1316
• fix: exclude .claude-internals from vitest test discovery by @OneStepAt4time in #1321
• fix: detect stall during CC extended thinking mode by @OneStepAt4time in #1329
• fix: rename npm package to @onestepat4time/aegis by @OneStepAt4time in #1331
• docs: fix tool counts, stale version refs, and inconsistencies by @OneStepAt4time in #1332
• chore: rename npm package to @onestepat4time/aegis by @OneStepAt4time in #1334
• ci(governance): automate issue lifecycle and release readiness by @OneStepAt4time in #1335
• chore: update release workflow for @onestepat4time/aegis by @OneStepAt4time in #1336
• docs: enterprise-grade documentation overhaul by @OneStepAt4time in #1342
• fix(ci): use GitHub App token for release-please by @OneStepAt4time in #1343
• refactor(dashboard): enterprise UI quick wins — ConfirmDialog, a11y, keyboard shortcuts by @OneStepAt4time in #1348
• fix(ci): use proper secrets syntax in release.yml if conditions by @OneStepAt4time in #1349
• docs: enterprise-grade documentation overhaul by @OneStepAt4time in #1353
• docs: restructure CLAUDE.md per Claude Code best practices by @OneStepAt4time in #1354
• test: increase coverage for auth, permission-evaluator, hooks to >97% (#1305) by @OneStepAt4time in #1357
• docs: complete Getting Started guide with real examples by @OneStepAt4time in #1355
• docs: refresh README with new docs links and migration notice by @OneStepAt4time in #1356
• docs: docs-sync skill — TSDoc coverage audit + README auto-update by @OneStepAt4time in #1360
• feat: add OpenAPI 3.1 spec at openapi.yaml by @OneStepAt4time in #1524
• feat(dashboard): add login page with token auth (E6-1) by @OneStepAt4time in #1525
• feat(dashboard): add audit trail UI page (E6-2) by @OneStepAt4time in https://github.com/OneStepAt4time...

v0.6.1-preview

What's Changed

• build(deps): bump fastify from 5.8.4 to 5.8.5 by @dependabot[bot] in #1873
• build(deps): bump hono from 4.12.8 to 4.12.14 by @dependabot[bot] in #1890
• build(deps): bump dompurify from 3.3.3 to 3.4.0 in /dashboard by @dependabot[bot] in #1891
• build(deps): bump protobufjs from 7.5.4 to 7.5.5 by @dependabot[bot] in #1960
• build(deps): bump @fastify/static from 9.1.0 to 9.1.1 by @dependabot[bot] in #1907
• chore(release): dashboard-perfection v0.6.0-preview by @OneStepAt4time in #2063
• chore(release): prepare 0.6.1-preview by @OneStepAt4time in #2076

Full Changelog: v0.5.3-alpha...v0.6.1-preview

v0.5.3-alpha

What's Changed

• fix(ci): fail packaging when dashboard build output is missing by @OneStepAt4time in #1744
• chore(main): release 0.5.3-alpha by @aegis-gh-agent[bot] in #1745

Full Changelog: v0.5.2-alpha...v0.5.3-alpha

v0.5.2-alpha

What's Changed

• docs: clarify alpha release channel by @OneStepAt4time in #1740
• fix(ci): make release gh commands repository-explicit by @OneStepAt4time in #1741
• chore(main): release 0.5.2-alpha by @aegis-gh-agent[bot] in #1743

Full Changelog: v0.5.1-alpha...v0.5.2-alpha

v0.5.1-alpha

What's Changed

• chore(main): promote develop to main for v0.5.0-alpha release by @OneStepAt4time in #1682
• chore(main): release 0.5.0-alpha by @aegis-gh-agent[bot] in #1686
• chore: promote release workflow fix to main by @OneStepAt4time in #1688
• fix: skip release-please on all promote commits to prevent duplicate tag errors by @OneStepAt4time in #1689
• chore(main): release 0.5.0-alpha by @aegis-gh-agent[bot] in #1690
• chore: promote develop to main (release) by @OneStepAt4time in #1710
• chore: promote develop to main for alpha release by @OneStepAt4time in #1729
• chore: prepare main for next alpha release by @OneStepAt4time in #1730
• chore: promote develop into main for release by @OneStepAt4time in #1732
• chore: sync develop into main for release pipeline by @OneStepAt4time in #1733
• fix(ci): align release-please manifest with latest released tag by @OneStepAt4time in #1735
• chore(main): release 0.5.1-alpha by @aegis-gh-agent[bot] in #1734

Full Changelog: v0.5.0-alpha...v0.5.1-alpha