Enterprise-Grade Privacy and Security

BINARY SUITE

The signed Kodachi command-line stack behind routing, Tor, DNS, integrity, health, authentication, and automation.

This is the suite map for operators and power users: see what each tool does, how the categories fit together, and where to find exact generated commands.

25 Rust binaries | 588 generated commands | Signed metadata | Automation ready

Enterprise-Grade Privacy, Security & AI

A collection of 25 auto-documented Rust binaries plus bundled companion runtimes that form the backbone of Linux Kodachi's privacy, anonymity, and intelligence infrastructure. Security/control binaries deliver enterprise-level protection and policy enforcement; AI binaries provide natural-language command execution, trusted agent orchestration, and machine-safe execution (all processed locally by default).

Production Ready | Zero-Trust Architecture | Memory Safe | Forensic Resistant | AI-Powered

AI-Powered Privacy Stack: Kodachi 9 ships with KAICS (8 binaries, plain-English CLI) and ai-gateway (policy-firewalled agent execution). 7-tier engine (TF-IDF → ONNX → ONNX-Classifier → Local LLM → Mistral.rs → GenAI/Ollama → Claude). Offline-first; optional cloud routing via VPN or Tor.

v9.0.1 Build #310
Released: 03 October 2025
Updated: 12 June 2026

Core Architecture Principles

Zero-Trust Architecture: Authentication-first design with granular authorization and certificate pinning

Memory-Safe Implementation: Rust-first design with comprehensive error handling and rigorous safety practices

Modular Design: Independent services with shared libraries through cli-core, auth-shared, and logs-hook

Forensic Resistance: Multi-pass secure wiping, memory cleaning, emergency data destruction capabilities

Privacy-First AI: 7-tier AI engine runs locally by default. Optional cloud tiers can be routed through VPN or Tor based on your preference

Looking for a Complete Solution?

These are individual security components designed for advanced users who want to integrate specific tools into their workflow.

For a full desktop experience with GUI, Conky system monitor, LibreWolf browser, and 10 dynamic application layers, choose the Kodachi Desktop Edition, our latest release built on Debian 13 (Trixie).

For a headless, command-line-only environment optimized for testing, SOCKS proxy deployment, and server operations, choose the Kodachi Terminal Server.

Both editions provide:

  • All binaries pre-installed and configured
  • Seamless integration between components
  • Complete privacy stack out-of-the-box
  • KAICS AI engine + ai-gateway agent execution layer


Kodachi has been built and maintained by one person since 2013. These 25 binaries and hundreds of commands are provided free. Your support keeps them maintained.

Documentation Hub


New: Kodachi Dashboard Now Included in Binary Packages

The Kodachi Dashboard is now bundled with the binary packages! This modern native desktop application provides a unified GUI interface for all Kodachi security services. Features include:

  • Centralized Control Panel - Manage all binaries from one elegant interface
  • Authentication Management - online-auth service integration with visual status monitoring
  • Network Routing - routing-switch protocol control (VPN, WireGuard, Shadowsocks, etc.)
  • Tor Network Management - tor-switch operations with 110 commands accessible via GUI
  • DNS Configuration - dns-switch management and leak detection
  • System Health Monitoring - health-control and integrity-check operations

Install the binaries to access the dashboard and streamline your security workflow. Feedback welcome on Discord!


Binary Categories

Binary Categories and Requirements

Network and Privacy Tools

Binary | Primary Function | Auth | Sudo | Auto-Start
tor-switch | Advanced Tor network orchestration (110 commands) | Mixed 67% | Required | No
routing-switch | Multi-protocol routing (11 protocols) + External VPN Providers (VPN Gate, Riseup, NordVPN, IVPN, PIA, Surfshark, Mullvad-WG and more) | Mixed 61% | Required | No
ip-fetch | Secure IP geolocation with multi-source verification | No 0% | No | No
dns-switch | DNS management with 50+ secure resolver options | Mixed 25% | Mixed | No
dns-leak | Real-time DNS leak detection and analysis | Mixed 25% | No | No

System Security and Protection

Binary | Primary Function | Auth | Sudo | Auto-Start
health-control | Emergency kill switches and panic modes | Mixed 84% | Required | No
integrity-check | Cryptographic system integrity verification | No | No | No
permission-guard | Real-time permission monitoring and enforcement | Mixed 75% | Required | No
online-auth | Secure authentication and heartbeat monitoring | Mixed 70% | Required | No
kodachi-soc | Host security monitoring with MITRE ATT&CK telemetry | No | Required | No

Infrastructure and Management

Binary | Primary Function | Auth | Sudo | Auto-Start
logs-hook | Centralized secure logging infrastructure | Yes 100% | Required | Auto
deps-checker | Dependency validation and security auditing | No | No | No
global-launcher | System-wide binary deployment manager | No | No | No
workflow-manager | Batch command execution with conditional logic | Mixed 11% | Required | No
online-info-switch | Online information hub and RSS feeds | Mixed 58% | No | No
conky-status | Unified Rust telemetry gateway for Conky desktop panels | No | No | Auto

GUI Applications and Desktop Interface

Application | Primary Function | Technology Stack | Auth | Sudo
kodachi-dashboard | Unified GUI control center for all security services | Native desktop app | Mixed | Required

AI & Intelligence

Binary | Primary Function | Type | Sudo | Auto-Start
ai-cmd | Natural language CLI for Kodachi commands | On-demand | No | No
ai-trainer | ML model training and validation | On-demand | Required | No
ai-learner | Learning orchestration and analysis | On-demand | No | No
ai-admin | Database management and diagnostics | On-demand | No | No
ai-discovery | Binary watcher and auto-indexer daemon | Daemon | Required | Optional
ai-scheduler | Cron-based task scheduler | Daemon | Required | Optional
ai-monitor | Proactive system monitoring daemon | Daemon | Required | Optional
ai-gateway | Unified agent command gateway, policy firewall, and safe executor | On-demand | Policy | No

Binary Descriptions

Binary Descriptions and Use Cases

Comprehensive overview of each security binary's functionality, primary use cases, and operational capabilities. These user-friendly descriptions provide context for the technical specifications detailed in subsequent sections.

Navigation Guide

Each binary description includes primary function, key capabilities, typical use cases, and integration notes. For detailed command references and authentication requirements, see the individual binary documentation linked in each description.


kodachi-dashboard - Unified GUI Control Center

Quick Reference: Desktop Application | Technology: Native desktop app | Auth Level: Mixed (varies by feature) | Sudo Required: Yes (backend operations)

Modern desktop application providing a unified graphical interface for all Kodachi security services. Built for native performance and an elegant user experience. Features comprehensive control panels for authentication management (online-auth), network routing configuration (routing-switch with 11 protocols + the new External VPN Providers tab covering VPN Gate, Riseup, NordVPN, IVPN, PIA, Surfshark, AirVPN, Mullvad-WG, Windscribe, ProtonVPN, ExpressVPN, TorGuard), Tor network operations (tor-switch with 110 commands), DNS management (dns-switch), and system health monitoring (health-control). Provides real-time status displays, visual feedback for operations, and streamlined workflows for complex security tasks. Eliminates the need for multiple terminal windows by consolidating all binary operations into an intuitive dashboard interface. Supports dark/light themes, system tray integration, and keyboard shortcuts for power users. Ideal for users who prefer graphical interfaces while maintaining full access to all CLI capabilities.

Key Features:

  • Centralized Authentication: Visual monitoring and management of online-auth service status and API key validation
  • Network Protocol Control: Easy switching between VPN, WireGuard, Shadowsocks, V2Ray, Xray, Hysteria2, and Tor routing
  • Tor Management: GUI access to 110 tor-switch commands including circuit rotation, exit node selection, and load balancing
  • DNS Configuration: Visual DNS server selection, DNSCrypt management, and real-time leak detection
  • System Health Dashboard: Emergency kill switches, panic modes, integrity verification, and security scoring
  • Modern Tech Stack: Leverages a Rust backend for security with a native desktop runtime for a responsive, reactive UI

Use Cases:

  • Quick access to all security features without memorizing CLI commands
  • Visual monitoring of system security status and active connections
  • Rapid protocol switching for different anonymity requirements
  • Dashboard-style overview of all Kodachi services in one window
  • Ideal for users transitioning from GUI-based privacy tools

ai-cmd - AI-Powered Command Interface

Quick Reference: Full Documentation | Type: On-demand | Sudo Required: No

Natural language command-line interface for Kodachi OS powered by a 7-tier AI engine (TF-IDF → ONNX → ONNX-Classifier → Local LLM → Mistral.rs → GenAI/Ollama → Claude CLI). Translates plain English queries into precise Kodachi commands with real-time streaming responses and native tool calling across 9 system tools. Works out-of-the-box with zero configuration: the built-in TF-IDF engine provides immediate command matching. Supports interactive REPL mode, voice input via whisper-cpp/vosk, dry-run preview, confidence thresholds, and proactive command suggestions based on usage patterns. Mistral.rs integration provides local GGUF model inference supporting 29+ architectures, while GenAI/Ollama enables multi-provider LLM access (local or cloud via Tor) with privacy-safe operation.

ai-gateway - Unified Agent Command Gateway

Quick Reference: Full Documentation | Type: On-demand | Sudo Required: No (policy dependent)

Machine-facing gateway for AI agents and automation. Provides unified command discovery (`list`, `search`, `help`), machine invocation metadata in search results, policy-enforced execution, per-agent capability controls, audit logging, rate limiting, and trusted batch execution. Supports JSON argument payloads (`--args-json`) and explicit approval semantics for dangerous commands, while keeping dry-run planning available for safe automation.

Validated integration points:

  • search --json exposes invocation (service, command) for deterministic agent calls
  • run --args-json accepts object payloads for shell-quote-safe invocation
  • dangerous commands require explicit confirmation for live execution
  • dangerous --dry-run remains available for planning
  • supported agent IDs include: nullclaw, openclaw, picoclaw, nanoclaw, claude-code, gpt, gemini, open-interpreter, anonymous

ai-trainer - ML Model Training and Validation

Quick Reference: Full Documentation | Type: On-demand | Sudo Required: Yes (model ops)

Machine learning model management tool for the KAICS system. Downloads pre-trained ONNX semantic models, trains intent classifiers from training data, performs incremental updates, validates model accuracy, and exports trained models for deployment. Essential for upgrading from Tier 1 (TF-IDF) to Tier 2 (ONNX semantic) accuracy. All training happens locally with no cloud dependency.

ai-learner - Learning Orchestration and Analysis

Quick Reference: Full Documentation | Type: On-demand | Sudo Required: No

Continuous improvement engine for the KAICS AI system. Learns from accumulated user feedback and command usage patterns to improve intent classification accuracy over time. Supports incremental learning, period-based analysis, and report generation in markdown or JSON format. Can be scheduled via ai-scheduler for automated periodic learning cycles.

ai-admin - Database Management and Diagnostics

Quick Reference: Full Documentation | Type: On-demand | Sudo Required: No

Administrative tool for KAICS AI infrastructure. Provides full system diagnostics, database statistics and integrity checks, backup/restore operations, and performance tuning capabilities. Essential for maintaining AI system health and troubleshooting issues.

ai-discovery - Binary Watcher and Auto-Indexer

Quick Reference: Full Documentation | Type: Daemon | Sudo Required: Yes

inotify-based binary watcher daemon that automatically detects and indexes new or updated Kodachi binaries. Maintains a real-time service registry used by ai-cmd for command resolution. Supports hot-reload of the AI command index without requiring service restart. Essential for keeping the AI system aware of all available commands.

ai-scheduler - Cron-Based Task Scheduler

Quick Reference: Full Documentation | Type: Daemon | Sudo Required: Yes

Cron-based task scheduler for automated Kodachi operations. Uses a strict command whitelist for security, supports standard cron expressions, and provides persistent task storage that survives service restarts. Ideal for scheduling recurring security checks, Tor circuit rotations, DNS leak tests, and AI learning cycles.

ai-monitor - Proactive System Monitoring Daemon

Quick Reference: Full Documentation | Type: Daemon | Sudo Required: Yes

Background monitoring daemon that continuously tracks VPN connections, Tor circuit health, DNS leak status, and system security scores. Runs checks every 30 seconds and generates actionable suggestions categorized by network, DNS, Tor, and security domains. Provides early warning of potential issues before they impact privacy or security.

online-auth - Authentication and Heartbeat Monitoring

Quick Reference: Full Documentation | Auth Level: 57% | Sudo Required: Yes (system-wide)

Provides authentication services for Kodachi OS through cryptographic API validation and secure session management. Handles service heartbeats for connection monitoring and manages API keys for authorized access. Implements privacy-preserving authentication protocols with encrypted credential storage and secure token rotation. Ensures anonymous communication channels between local services and authentication endpoints. Maintains session persistence across restarts while adhering to anti-forensic principles.

routing-switch - Multi-Protocol Network Routing

Quick Reference: Full Documentation | Auth Level: 61% | Sudo Required: Yes (network config)

Comprehensive encrypted routing service supporting 11 auto-scored anonymization protocols (WireGuard, OpenVPN, Tor, Xray VLESS, Xray VLESS-Reality, Hysteria2, Xray Trojan, V2Ray, Shadowsocks, Mita, Dante), plus xray-vmess available in the factory as a legacy fallback. Provides traffic obfuscation to bypass Deep Packet Inspection, multi-layer encryption tunneling, and anti-forensic network routing. Ensures complete privacy protection through protocol layering, encrypted tunnel management, and anonymization. Features intelligent routing tables for maximum anonymity while maintaining connection stability. Critical component of Kodachi's security infrastructure for high-anonymity communications.

tor-switch - Advanced Tor Network Orchestration

Quick Reference: Full Documentation | Auth Level: 73% | Sudo Required: Yes (iptables/nftables)

Manages Tor network connections and circuit isolation for Kodachi OS. Provides control over Tor instances, exit node selection, and circuit rotation. Features multi-instance Tor management, load balancing across circuits, DNS leak prevention, and traffic routing configuration. Supports transparent proxy setup, bridge configuration, and country-based exit node selection. Includes monitoring capabilities for circuit health and connection status.

ip-fetch - Secure IP Geolocation

Quick Reference: Full Documentation | Auth Level: 0% | Sudo Required: No

Fetches IP geolocation data with multi-provider support and fallback mechanisms. Retrieves current IP address information including location, ISP, and connection details. Features automatic provider rotation when services are unavailable, response caching for efficiency, and verification through multiple sources. Supports both IPv4 and IPv6 addresses with JSON output format. Integrates with VPN and Tor connections to verify routing status.

online-info-switch - Information Hub and RSS Feeds

Quick Reference: Full Documentation | Auth Level: 58% | Sudo Required: No

Information aggregation service providing RSS feed monitoring and data collection. Manages various information sources including security feeds, cryptocurrency data, and paste services. Features scheduled feed updates, content filtering, and data categorization. Supports multiple RSS sources with configurable refresh intervals. Provides structured output for collected information with timestamp tracking and source attribution.

conky-status - Unified Conky Telemetry Gateway

Quick Reference: Full Documentation | Conky Desktop Section | Auth Level: 0% | Sudo Required: No

Rust telemetry gateway that unifies data collection for Kodachi Conky desktop panels. Replaces fragmented shell polling with a single snapshot cache and compatibility aliases, while preserving Conky-friendly outputs. Supports JSON, panel batching, key lookup, and refresh/TTL controls for stable desktop monitoring without script storms.

health-control - Emergency Kill Switches and Panic Modes

Quick Reference: Full Documentation | Auth Level: 83% | Sudo Required: Yes (system ops)

System health monitoring and emergency control service for Kodachi OS. Provides network connectivity checks, panic mode operations, and system state management. Features multiple emergency response levels (soft, medium, hard), network kill switches using iptables/nftables, secure data wiping capabilities, and MAC address randomization. Includes system scoring for security posture assessment, hardware monitoring, and USB device protection. Supports recovery operations for restoring network connectivity after emergency procedures.

dns-switch - DNS Management with 50+ Resolvers

Quick Reference: Full Documentation | Auth Level: 25% | Sudo Required: Mixed (write operations)

DNS management service supporting multiple secure resolver configurations. Manages system DNS settings with support for 50+ DNS providers including privacy-focused options. Features DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNSCrypt protocol support. Provides automatic resolver switching, fallback mechanisms, and Pi-hole integration. Includes DNS cache management and resolver health monitoring. Supports custom resolver configuration and automatic optimal server selection.

dns-leak - DNS Leak Detection and Prevention

Quick Reference: Full Documentation | Auth Level: 25% | Sudo Required: No

DNS leak detection and prevention service for network privacy verification. Performs comprehensive leak tests across all network interfaces to identify DNS configuration issues. Features real-time leak detection, multi-provider verification, and automated alert generation. Monitors DNS queries to ensure they route through configured secure channels. Provides detailed reports on DNS resolver usage and potential privacy issues.

integrity-check - Cryptographic System Verification

Quick Reference: Full Documentation | Auth Level: 0% | Sudo Required: No

System integrity verification service using cryptographic checksums and digital signatures. Validates file integrity through BLAKE3 hashing (SHA-256 as fallback) and signature verification. Features binary authentication, configuration file monitoring, and tamper detection. Provides scheduled integrity scans and on-demand verification. Maintains baseline checksums for critical system files and detects unauthorized modifications. Supports custom file lists and exclusion patterns for targeted verification.

permission-guard - Real-Time Permission Monitoring

Quick Reference: Full Documentation | Auth Level: 75% | Sudo Required: Yes (3/4 commands)

File permission monitoring and enforcement service for system security. Monitors file system permissions and ownership to detect unauthorized changes. Features real-time permission tracking, automated correction of insecure permissions, and privilege escalation detection. Provides scheduled scans and on-demand verification of critical directories. Maintains permission baselines and reports deviations. Supports custom permission policies and automated remediation workflows.

logs-hook - Centralized Logging Infrastructure

Quick Reference: Full Documentation | Auth Level: 100% | Sudo Required: Yes (all commands)

Provides centralized logging infrastructure with secure log collection, rotation, and deletion capabilities. Features encrypted log storage, automatic rotation schedules, and secure deletion protocols. Supports multiple log levels, filtering algorithms, and privacy-aware logging practices. Includes log aggregation from all system services and real-time monitoring. Offers multi-pass secure deletion and log anonymization for privacy protection.

deps-checker - Dependency Validation and Auditing

Quick Reference: Full Documentation | Auth Level: 0% | Sudo Required: No

Validates system dependencies and performs security auditing of installed packages. Features automated dependency scanning, version conflict detection, and security vulnerability identification. Provides package relationship analysis, compatibility verification, and installation script generation. Includes system configuration validation and dependency tree analysis. Maintains databases of tested configurations for optimal system security.

global-launcher - System-Wide Binary Deployment

Quick Reference: Full Documentation | Auth Level: 0% | Sudo Required: No

Deploys Kodachi binaries system-wide while maintaining proper execution contexts and security validation. Features intelligent shortcut creation, environment variable management, and working directory preservation. Provides binary integrity verification and automated rollback capabilities. Includes security validation protocols and comprehensive deployment logging. Enables global accessibility without compromising security isolation.

workflow-manager - Batch Command Execution and Automation

Quick Reference: Full Documentation | Auth Level: 11% | Sudo Required: Yes (system ops)

Comprehensive workflow automation service for batch command execution with advanced conditional logic and state management. Features template-based workflow creation, hybrid conditional system combining success/fail states with pattern matching and JSON path evaluation. Provides interactive pause controls for manual checkpoints, comprehensive telemetry logging in JSONL format, and configurable timeout protection. Supports concurrent execution within workflows, retry logic for failed operations, and dry-run mode for safe testing. Enables complex multi-step automation with regex pattern matching, substring searching, and JSON response evaluation for precise control flow. Ships with 92+ ready-to-use built-in profiles stored in `dashboard/hooks/config/profiles/`, and users can create custom profiles based on their specific automation requirements. Critical for system maintenance workflows, batch operations, and automated diagnostic procedures requiring conditional execution paths.

Dependencies Matrix

Inter-Binary Dependencies Matrix

Binary Communication Flow

Service | Calls These Binaries | Called By These Binaries
online-auth | logs-hook | Authentication required by: ip-fetch, tor-switch, routing-switch, dns-switch, dns-leak, health-control, online-info-switch
logs-hook | None | Integrated by all services for centralized logging
ip-fetch | logs-hook, online-auth, routing-switch | tor-switch, routing-switch, dns-switch, dns-leak
tor-switch | logs-hook, online-auth, ip-fetch | routing-switch
routing-switch | logs-hook, online-auth, tor-switch, ip-fetch | health-control, ip-fetch
dns-switch | logs-hook, online-auth, ip-fetch | None
dns-leak | logs-hook, online-auth, ip-fetch | None
health-control | logs-hook, online-auth, routing-switch | dns-switch, online-info-switch
integrity-check | logs-hook | None
permission-guard | logs-hook | Can be used alongside online-auth for permission checks
deps-checker | logs-hook | None
global-launcher | logs-hook | Can be orchestrated by online-auth for deployments
workflow-manager | logs-hook | None (user-initiated batch operations)
online-info-switch | logs-hook, online-auth, health-control | None
conky-status | logs-hook, online-auth, ip-fetch, dns-switch, health-control | None (consumed by Conky desktop panels)
ai-gateway | logs-hook | ai-cmd, external agents

Critical Service Dependencies

Dependency Type | Description | Affected Services
Authentication Chain | Services requiring valid authentication before operation | ip-fetch, tor-switch, routing-switch, dns-switch, dns-leak, health-control, online-info-switch
Logging Infrastructure | All services use logs-hook for centralized logging | ALL binaries
IP Verification | Services that call ip-fetch for network testing | tor-switch, routing-switch, dns-switch, dns-leak
System Management | Services that may interact with online-auth | permission-guard, global-launcher

Command Surface

Command Surface Matrix

Current Command Totals (Generated from bin-json/*_rust_binary.json)

Service | Total Commands | Privilege Model | Primary Use Case
health-control | 237 | Mixed (many system operations require sudo) | Emergency kill switches, panic modes, system hardening
tor-switch | 110 | Mixed (network stack and firewall operations may require sudo) | Tor orchestration and circuit controls
dns-switch | 44 | Mixed (runtime checks + privileged DNS/system updates) | DNS management and resolver control
routing-switch | 29 | Mixed (routing and protocol transitions may require sudo) | Multi-protocol network routing
online-auth | 21 | Service-auth + local execution | Authentication service and heartbeat/session management
ip-fetch | 20 | Mostly user-level | IP geolocation and network verification
workflow-manager | 18 | Workflow-dependent | Batch command execution and automation
ai-cmd | 13 | Mostly user-level; delegated commands vary | Natural language command interface
online-info-switch | 11 | Mostly user-level | Information feeds and freshness checks
ai-gateway | 9 | Policy-dependent | Agent command gateway and policy firewall
ai-trainer | 8 | Mostly user-level | ML model training and validation
permission-guard | 8 | Mixed (fix operations require sudo) | Permission monitoring and remediation
integrity-check | 7 | Mixed (read-only checks vs protected paths) | System integrity verification
logs-hook | 7 | Mixed (log maintenance can require elevated access) | Logging and log maintenance
conky-status | 7 | Mostly user-level | Conky details (legacy conky-details) telemetry gateway
deps-checker | 6 | Mostly user-level; install actions may require sudo | Dependency validation
dns-leak | 5 | Mixed | DNS leak testing
global-launcher | 4 | Mixed (deploy operations may require sudo) | Binary deployment and verification
ai-scheduler | 4 | Mixed (scheduled command privilege follows command) | Cron-based task scheduling
ai-monitor | 4 | Mostly user-level | Proactive monitoring daemon
ai-learner | 4 | Mostly user-level | Learning orchestration and analysis
kodachi-session-helper | 4 | Mostly user-level | Session helper utility
ai-discovery | 3 | Mostly user-level | Binary discovery/indexing daemon
ai-admin | 3 | Mostly user-level | AI database diagnostics and maintenance

Source of Truth

These totals come from each binary's generated flag_h.commandCategories metadata in docs/binaries/bin-json/. Privilege/auth requirements are command-specific; check each binary page for exact per-command behavior.


Command Coverage

Command Coverage Dashboard

Visualization Scope

This dashboard is a legacy visual layer. Use the Command Surface Matrix above and per-binary pages for exact current command and privilege details.

Key Insights

Overview Statistics

Total Commands 588
Privilege Model Command-specific
Rust Metadata Binaries 24
Bundled Companions 3

Largest Command Surfaces

health-control 237 commands
tor-switch 110 commands
dns-switch 44 commands

Low Command Surface

global-launcher 3 commands
logs-hook 3 commands
ai-admin 3 commands
ai-discovery 3 commands
dns-leak 5 commands
permission-guard 8 commands
ai-monitor 4 commands
ai-scheduler 4 commands
ai-learner 4 commands
deps-checker 6 commands
integrity-check 7 cmds

Bundled Companion Runtimes

oniux: process isolation helper
tun2socks-linux-amd64: proxy tunnel bridge

Command Distribution

Top 3 binaries 68%
Average per binary 22 cmds
Median auth rate 0%

Binary Authentication Overview

Binary | Commands | Auth
health-control | 237 | 84% auth
tor-switch | 110 | 67% auth
dns-switch | 44 | 25% auth
routing-switch | 29 | 61% auth
online-auth | 21 | policy-dependent
ip-fetch | 20 | 0% auth
online-info-switch | 11 | 0% auth
integrity-check | 7 | 0% auth
dns-leak | 5 | 25% auth
permission-guard | 8 | 75% auth
deps-checker | 6 | 0% auth
global-launcher | 4 | policy-dependent
logs-hook | 7 | policy-dependent
conky-status | 7 | 0% auth
workflow-manager | 18 | 11% auth
ai-cmd | 13 | 0% auth
ai-trainer | 8 | 0% auth
ai-monitor | 4 | policy-dependent
ai-scheduler | 4 | policy-dependent
ai-learner | 4 | 0% auth
ai-admin | 3 | 0% auth
ai-discovery | 3 | policy-dependent
ai-gateway | 9 | policy-dependent

Authentication Patterns by Service Type

Pattern | Services | Description
No Authentication | logs-hook, global-launcher, deps-checker, permission-guard, integrity-check, ai-cmd, ai-trainer, ai-learner, ai-admin, ai-discovery, ai-scheduler, ai-monitor, ai-gateway | No auth-shared library usage
Mixed Authentication | online-info-switch, dns-leak, routing-switch, ip-fetch, dns-switch, tor-switch, health-control, workflow-manager | Selective command authentication
Bulk Operations Auth | ip-fetch | Only bulk/multi operations require auth
Emergency Bypass | health-control | Critical recovery commands bypass auth
Special Provider | online-auth | Authentication provider service

Service-Specific Authentication Details

Detailed authentication behavior belongs on each service guide and the generated CLI reference. This overview keeps the suite-level rule: authentication unlocks protected card/routing features, while local read-only or diagnostic commands may run without an active card.

System Requirements and Permissions

Privilege Escalation Requirements

Operation Type | Required Permissions | Affected Binaries
Network Configuration | sudo/root | tor-switch (iptables/nftables), routing-switch, dns-switch
System Security | sudo/root | health-control (network/MAC/hostname operations)
Authentication Management | sudo/root | online-auth (system-wide operations)
Read-Only Operations | Standard user | ip-fetch, dns-leak, integrity-check, logs-hook, conky-status
AI Operations | Standard user | ai-cmd, ai-trainer, ai-learner, ai-admin, ai-discovery, ai-scheduler, ai-monitor, ai-gateway

Service Daemon Capabilities

Service | Daemon Mode | Command | Purpose
online-auth | Heartbeat daemon | online-auth authenticate --keep-alive or --relogin | Maintains authentication session
logs-hook | Integrated by all services | Automatic | Centralized logging for all operations
global-launcher | Service management | Standalone | Binary deployment and management
ai-monitor | Background daemon | ai-monitor start --daemon | Proactive VPN/Tor/DNS monitoring
ai-scheduler | Background daemon | ai-scheduler start | Cron-based automated task execution
ai-discovery | Background daemon | ai-discovery start | Binary watcher and auto-indexer

Key Capabilities

Key Capabilities Overview

Advanced Network Operations

Feature | Capability | Details
Tor Operations | 70+ Commands | Complete control over instances, circuits, and exit nodes
Load Balancing | Native Kernel-Level | Traffic distribution across multiple Tor instances
Protocol Support | 11 Protocols | OpenVPN, WireGuard, Tor, Shadowsocks, V2Ray, Xray variants, and more
DNS Resolvers | 50+ Options | DNSCrypt, DoT, DoH, Pi-hole integration

Security and Protection

Feature | Implementation | Purpose
Emergency Kill Switch | health-control kill-network | Instant network termination
Panic System | 3 Levels (Soft/Medium/Hard) | Progressive data destruction
Data Wiping | Multi-pass shredding | Secure deletion with verification
MAC Randomization | Auto/Manual modes | Hardware address anonymization
Hostname Management | Random generation | System identity protection

System Integration

Aspect | Approach | Benefit
Memory Safety | Rust-first implementation | Robust error handling, no crashes
Performance | Optimized binaries | Fast response for critical operations
Output Format | JSON-first design | Easy automation and scripting
Path Detection | Dynamic resolution | Works on any Linux environment
Containment | Execution folder only | Enhanced security isolation

Common Workflows

Network Anonymization Setup

# Authenticate and configure Tor
sudo online-auth authenticate  # Basic authentication
# Or use --relogin for automatic reconnection on session expiry
sudo online-auth authenticate --relogin
sudo tor-switch start-tor
sudo tor-switch torrify-system-nftables  # Prefer nftables (modern)
# sudo tor-switch torrify-system-iptables  # Alternative: iptables (legacy)
ip-fetch fetch  # Fetch current IP info through Tor (ISP/ASN shows Tor exit node)

Multi-Protocol Routing

# Connect through various protocols
sudo routing-switch connect openvpn
sudo routing-switch connect shadowsocks
sudo routing-switch connect wireguard
sudo routing-switch status  # Check active routing
sudo routing-switch list-protocols  # List available protocols with scores
sudo routing-switch disconnect  # Disconnect current protocol

Security Hardening

# System hardening workflow
sudo health-control set-random-hostname
sudo health-control mac-change-all
sudo permission-guard scan
sudo integrity-check check-integrity --json

DNS Configuration

# Secure DNS setup
dns-switch status --json  # Read current DNS mode/status (no sudo)
dns-switch dnscrypt-monitor-status --json  # Monitor DNSCrypt watchdog state
sudo dns-switch switch --category encrypted  # Use encrypted DNS
dns-leak discover --json  # Discover and analyze DNS configuration
sudo dns-switch random --type encrypted --count 3  # Use random encrypted resolvers
sudo dns-switch fix-dns  # Emergency DNS repair fallback
sudo dns-switch fix-dns --force  # Run complete DNS repair chain

Emergency Response

# Quick privacy mode
sudo health-control panic-soft
sudo tor-switch restart-tor  # Get new Tor circuit
sudo health-control recover-internet --check-dns  # Recover connectivity + DNS if needed
sudo health-control fast-recover-internet --force  # Force quick recovery then escalate if still unhealthy

# Complete shutdown
sudo health-control kill-network
sudo health-control wipe-logs

Keep Internet Alive (Auto-Recovery Loop)

# Keeps checking connectivity recovery every 10s.
# Starts recover-internet only if another recovery process is not already running.
while true; do
    if ! pgrep -fx "health-control recover-internet" > /dev/null; then
        sudo health-control recover-internet &
    fi
    sleep 10
done

Performance Metrics

Binary Count | 24 | Complete security, AI, and gateway suite
Total Size | ~130MB | All binaries combined
Protocol Support | 11 | Auto-scored routing protocols (+ legacy xray-vmess)
DNS Resolvers | 336 | Bundled servers (encrypted, fallback, normal, fetched, reputable)
Tor Commands | 100+ | Tor management operations

Documentation Structure

User Guides

Category | Description
Network Tools | Detailed guides for network and anonymization tools
Security Tools | Comprehensive security and authentication documentation
Protection Tools | System protection and monitoring guides
Infrastructure Tools | Service infrastructure and management documentation
AI & Intelligence Tools | AI-powered command interface, monitoring, and automation

API Reference

Reference | Description
Binary Reference | Complete command-line API documentation for all binaries

Security Considerations

Important Security Notice

These tools provide powerful capabilities that should be used responsibly and in accordance with local laws and regulations. Kodachi OS and its binaries are designed for legitimate privacy protection and security testing purposes only.

Security Implementation Details

Feature | Implementation
Authentication | Services use KODACHI_CALLING_SERVICE environment variable for identity
Certificate Pinning | TLS 1.3 with pinned certificates for network operations
Error Handling | Comprehensive error propagation without crashes
Audit Trail | All operations logged through centralized logs-hook service

Example JSON error response structure:

{
  "status": "error",
  "error": {
    "code": "AUTH_FAILED",
    "message": "Authentication required",
    "details": "Service requires valid authentication token",
    "timestamp": "2026-05-14T10:00:00Z"
  }
}
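
Because the suite is JSON-first, automation can gate each workflow step on this error structure and fail closed. The Python sketch below is an added example, not Kodachi's own code: it maps a captured JSON result to continue, reauthenticate, or abort. It assumes any status other than "error" means success (the page documents only the error shape); the function names and the labels UNPARSEABLE, NO_STATUS and NO_ERROR_CODE are local to the example.

```python
import json

# AUTH_ERROR is the error envelope shown on this page; the rest is constructed.
AUTH_ERROR = """{
  "status": "error",
  "error": {
    "code": "AUTH_FAILED",
    "message": "Authentication required",
    "details": "Service requires valid authentication token",
    "timestamp": "2026-05-14T10:00:00Z"
  }
}"""
TRUNCATED = '{"status": "error", "error": {"code": "AUTH_'  # constructed
NON_ERROR = '{"status": "ok"}'  # constructed; success shape is an assumption


def decide(raw):
    """Map one JSON result to (action, code); anything unexpected aborts."""
    try:
        doc = json.loads(raw)
    except (TypeError, ValueError):
        return ("abort", "UNPARSEABLE")  # local label, not a Kodachi code
    if not isinstance(doc, dict) or not isinstance(doc.get("status"), str):
        return ("abort", "NO_STATUS")  # local label
    if doc["status"] != "error":
        # Assumption: any status other than "error" means success.
        return ("continue", None)
    err = doc.get("error")
    code = err.get("code") if isinstance(err, dict) else None
    if not isinstance(code, str):
        return ("abort", "NO_ERROR_CODE")  # local label
    if code == "AUTH_FAILED":
        # Re-run `sudo online-auth authenticate` before retrying the step.
        return ("reauthenticate", code)
    return ("abort", code)


def run_steps(outputs):
    """Walk step outputs in order and stop at the first non-continue."""
    for index, raw in enumerate(outputs):
        action, code = decide(raw)
        if action != "continue":
            return {"stopped_at": index, "action": action, "code": code}
    return {"stopped_at": None, "action": "continue", "code": None}


if __name__ == "__main__":
    print(run_steps([NON_ERROR, AUTH_ERROR, NON_ERROR]))
```

Truncated or non-JSON output is treated the same as an error, so a later step such as a routing or DNS change never runs on an unverified result.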

Authentication Flow

Step | Command | Purpose
1 | sudo online-auth authenticate --keep-alive or --relogin | Initial authentication (--relogin includes keep-alive)
2 | online-auth check-login | Check authentication status
3 | Service usage | Authenticated services automatically verify before execution
4 | online-auth logout | Logout when finished

System Information

Component | Version | Build Date | License
Kodachi OS | 9.0.1 | 2026 | Proprietary
Rust Binaries | 9.0.1 (build #310) | 2026-06-12 | Proprietary
Documentation | 9.0.1 | 2026-05-14 | © 2026 Linux Kodachi
Author | Warith Al Maawali - All Rights Reserved