Skip to content

Enterprise-Grade Privacy and Security

Enterprise-Grade Privacy, Security & AI

A collection of 28 auto-documented Rust binaries plus bundled companion runtimes that form the backbone of Linux Kodachi's privacy, anonymity, and intelligence infrastructure. Security/control binaries deliver enterprise-level protection and policy enforcement, while KAICS AI binaries plus ai-gateway provide a 6-tier AI engine (TF-IDF → ONNX → Mistral.rs → GenAI/Ollama → Legacy LLM → Claude CLI), trusted agent orchestration, and machine-safe command execution — all processed locally with optional cloud AI tiers routable through VPN or Tor.

Production Ready Zero-Trust Architecture Memory Safe Forensic Resistant AI-Powered
v9.0.1 Build #141
Released: 03 October 2025
Updated: 23 March 2026
Quick Installation

Core Architecture Principles

Zero-Trust Architecture: Authentication-first design with granular authorization and certificate pinning

Memory-Safe Implementation: Rust-first design with comprehensive error handling and rigorous safety practices

Modular Design: Independent services with shared libraries through cli-core, auth-shared, and logs-hook

Forensic Resistance: Multi-pass secure wiping, memory cleaning, emergency data destruction capabilities

Privacy-First AI: 6-tier AI engine runs locally by default — optional cloud tiers can be routed through VPN or Tor based on your preference

Looking for a Complete Solution?

These are individual security components designed for advanced users who want to integrate specific tools into their workflow.

For a full desktop experience with GUI, Conky system monitor, LibreWolf browser, and 10 dynamic application layers — choose the Kodachi Desktop Edition, our latest release built on Debian 13 (Trixie).

For a headless, command-line-only environment optimized for testing, SOCKS proxy deployment, and server operations — choose the Kodachi Terminal Server.

Both editions provide:

  • All binaries pre-installed and configured
  • Seamless integration between components
  • Complete privacy stack out-of-the-box
  • KAICS AI engine + kodachi-claw and zeroclaw agent runtimes

Get Kodachi Desktop →   Get Terminal Server →

Kodachi is built and maintained by one person since 2013. These 28 binaries and hundreds of commands are provided free. Your support keeps them maintained. Support the project

Documentation Hub

New: Kodachi Dashboard Now Included in Binary Packages

The Kodachi Dashboard is now bundled with the binary packages! This modern Tauri + Svelte desktop application provides a unified GUI interface for all Kodachi security services. Features include:

  • Centralized Control Panel - Manage all binaries from one elegant interface
  • Authentication Management - online-auth service integration with visual status monitoring
  • Network Routing - routing-switch protocol control (VPN, WireGuard, Shadowsocks, etc.)
  • Tor Network Management - tor-switch operations with 107 commands accessible via GUI
  • DNS Configuration - dns-switch management and leak detection
  • System Health Monitoring - health-control and integrity-check operations

Install the binaries to access the dashboard and streamline your security workflow. Feedback welcome on Discord!

Binary Categories and Requirements

Network and Privacy Tools

Binary Primary Function Auth Sudo Auto-Start
tor-switch Advanced Tor network orchestration (107 commands) Mixed 67% Required No
routing-switch Multi-protocol routing (12 protocols) Mixed 61% Required No
ip-fetch Secure IP geolocation with multi-source verification No 0% No No
dns-switch DNS management with 50+ secure resolver options Mixed 25% Mixed No
dns-leak Real-time DNS leak detection and analysis Mixed 25% No No

System Security and Protection

Binary Primary Function Auth Sudo Auto-Start
health-control Emergency kill switches and panic modes Mixed 84% Required No
integrity-check Cryptographic system integrity verification No No No
permission-guard Real-time permission monitoring and enforcement Mixed 75% Required No
online-auth Secure authentication and heartbeat monitoring Mixed 70% Required No

Infrastructure and Management

Binary Primary Function Auth Sudo Auto-Start
logs-hook Centralized secure logging infrastructure Yes 100% Required Auto
deps-checker Dependency validation and security auditing No No No
global-launcher System-wide binary deployment manager No No No
workflow-manager Batch command execution with conditional logic Mixed 11% Required No
online-info-switch Online information hub and RSS feeds Mixed 58% No No
conky-status Unified Rust telemetry gateway for Conky desktop panels No No Auto

GUI Applications and Desktop Interface

Application Primary Function Technology Stack Auth Sudo
kodachi-dashboard Unified GUI control center for all security services Tauri 2 + Svelte 5 Mixed Required

AI & Intelligence

Binary Primary Function Type Sudo Auto-Start
ai-cmd Natural language CLI for Kodachi commands On-demand No No
ai-trainer ML model training and validation On-demand Required No
ai-learner Learning orchestration and analysis On-demand No No
ai-admin Database management and diagnostics On-demand No No
ai-discovery Binary watcher and auto-indexer daemon Daemon Required Optional
ai-scheduler Cron-based task scheduler Daemon Required Optional
ai-monitor Proactive system monitoring daemon Daemon Required Optional
ai-gateway Unified agent command gateway, policy firewall, and safe executor On-demand Policy No
kodachi-claw Anonymous autonomous AI agent runtime with embedded Tor On-demand / Daemon Required No

Binary Descriptions and Use Cases

Comprehensive overview of each security binary's functionality, primary use cases, and operational capabilities. These user-friendly descriptions provide context for the technical specifications detailed in subsequent sections.

Navigation Guide

Each binary description includes primary function, key capabilities, typical use cases, and integration notes. For detailed command references and authentication requirements, see the individual binary documentation linked in each description.

kodachi-dashboard - Unified GUI Control Center

Quick Reference: Desktop Application | Technology: Tauri 2 + Svelte 5 | Auth Level: Mixed (varies by feature) | Sudo Required: Yes (backend operations)

Modern desktop application providing a unified graphical interface for all Kodachi security services. Built with Tauri 2 and Svelte 5 for native performance and elegant user experience. Features comprehensive control panels for authentication management (online-auth), network routing configuration (routing-switch with 12+ protocols), Tor network operations (tor-switch with 107 commands), DNS management (dns-switch), and system health monitoring (health-control). Provides real-time status displays, visual feedback for operations, and streamlined workflows for complex security tasks. Eliminates the need for multiple terminal windows by consolidating all binary operations into an intuitive dashboard interface. Supports dark/light themes, system tray integration, and keyboard shortcuts for power users. Ideal for users who prefer graphical interfaces while maintaining full access to all CLI capabilities.

Key Features:

  • Centralized Authentication: Visual monitoring and management of online-auth service status and API key validation
  • Network Protocol Control: Easy switching between VPN, WireGuard, Shadowsocks, V2Ray, Xray, Hysteria2, and Tor routing
  • Tor Management: GUI access to 107 tor-switch commands including circuit rotation, exit node selection, and load balancing
  • DNS Configuration: Visual DNS server selection, DNSCrypt management, and real-time leak detection
  • System Health Dashboard: Emergency kill switches, panic modes, integrity verification, and security scoring
  • Modern Tech Stack: Leverages Rust backend for security, Tauri for native performance, and Svelte 5 for reactive UI

Use Cases:

  • Quick access to all security features without memorizing CLI commands
  • Visual monitoring of system security status and active connections
  • Rapid protocol switching for different anonymity requirements
  • Dashboard-style overview of all Kodachi services in one window
  • Ideal for users transitioning from GUI-based privacy tools

ai-cmd - AI-Powered Command Interface

Quick Reference: Full Documentation | Type: On-demand | Sudo Required: No

Natural language command-line interface for Kodachi OS powered by a 6-tier AI engine (TF-IDF → ONNX → Mistral.rs → GenAI/Ollama → Legacy LLM → Claude CLI). Translates plain English queries into precise Kodachi commands with real-time streaming responses and native tool calling across 9 system tools. Works out-of-the-box with zero configuration — the built-in TF-IDF engine provides immediate command matching. Supports interactive REPL mode, voice input via whisper-cpp/vosk, dry-run preview, confidence thresholds, and proactive command suggestions based on usage patterns. Mistral.rs integration provides local GGUF model inference supporting 29+ architectures, while GenAI/Ollama enables multi-provider LLM access (local or cloud via Tor) with privacy-safe operation.

ai-gateway - Unified Agent Command Gateway

Quick Reference: Full Documentation | Type: On-demand | Sudo Required: No (policy dependent)

Machine-facing gateway for AI agents and automation. Provides unified command discovery (`list`, `search`, `help`), machine invocation metadata in search results, policy-enforced execution, per-agent capability controls, audit logging, rate limiting, and trusted batch execution. Supports JSON argument payloads (`--args-json`) and explicit approval semantics for dangerous commands, while keeping dry-run planning available for safe automation.

Validated integration points (2026-02-19):

  • search --json exposes invocation (service, command) for deterministic agent calls
  • run --args-json accepts object payloads for shell-quote-safe invocation
  • dangerous commands require explicit confirmation for live execution
  • dangerous --dry-run remains available for planning
  • supported agent IDs include: kodachi-claw, zeroclaw, nullclaw, openclaw, picoclaw, nanoclaw, claude-code, gpt, gemini, open-interpreter, anonymous

ai-trainer - ML Model Training and Validation

Quick Reference: Full Documentation | Type: On-demand | Sudo Required: Yes (model ops)

Machine learning model management tool for the KAICS system. Downloads pre-trained ONNX semantic models, trains intent classifiers from training data, performs incremental updates, validates model accuracy, and exports trained models for deployment. Essential for upgrading from Tier 1 (TF-IDF) to Tier 2 (ONNX semantic) accuracy. All training happens locally with no cloud dependency.

ai-learner - Learning Orchestration and Analysis

Quick Reference: Full Documentation | Type: On-demand | Sudo Required: No

Continuous improvement engine for the KAICS AI system. Learns from accumulated user feedback and command usage patterns to improve intent classification accuracy over time. Supports incremental learning, period-based analysis, and report generation in markdown or JSON format. Can be scheduled via ai-scheduler for automated periodic learning cycles.

ai-admin - Database Management and Diagnostics

Quick Reference: Full Documentation | Type: On-demand | Sudo Required: No

Administrative tool for KAICS AI infrastructure. Provides full system diagnostics, database statistics and integrity checks, backup/restore operations, and performance tuning capabilities. Essential for maintaining AI system health and troubleshooting issues.

ai-discovery - Binary Watcher and Auto-Indexer

Quick Reference: Full Documentation | Type: Daemon | Sudo Required: Yes

inotify-based binary watcher daemon that automatically detects and indexes new or updated Kodachi binaries. Maintains a real-time service registry used by ai-cmd for command resolution. Supports hot-reload of the AI command index without requiring service restart. Essential for keeping the AI system aware of all available commands.

ai-scheduler - Cron-Based Task Scheduler

Quick Reference: Full Documentation | Type: Daemon | Sudo Required: Yes

Cron-based task scheduler for automated Kodachi operations. Uses a strict command whitelist for security, supports standard cron expressions, and provides persistent task storage that survives service restarts. Ideal for scheduling recurring security checks, Tor circuit rotations, DNS leak tests, and AI learning cycles.

ai-monitor - Proactive System Monitoring Daemon

Quick Reference: Full Documentation | Type: Daemon | Sudo Required: Yes

Background monitoring daemon that continuously tracks VPN connections, Tor circuit health, DNS leak status, and system security scores. Runs checks every 30 seconds and generates actionable suggestions categorized by network, DNS, Tor, and security domains. Provides early warning of potential issues before they impact privacy or security.

kodachi-claw - Anonymous Autonomous AI Agent Runtime

Quick Reference: Full Documentation | Type: On-demand / Daemon | Sudo Required: Yes (Tor + identity)

Anonymity-hardened AI agent runtime forged from ZeroClaw and inspired by OpenClaw. Wraps the ZeroClaw agent engine with Kodachi's full anonymity stack: embedded Arti Tor runtime with multi-circuit load balancing, MAC/hostname/timezone randomization, IP and DNS leak verification, OPSEC outbound identity filter, and kernel-level network namespace isolation via oniux. Every API call, every model request, every channel message is routed through Tor circuits. Connects to 28+ AI providers and 15+ communication channels while keeping your identity invisible. Integrates Kodachi services (online-auth, ip-fetch, tor-switch, oniux) directly as in-process Rust libraries. Independent binary — not a KAICS sub-binary. Kodachi ships both kodachi-claw (anonymity-hardened runtime) and zeroclaw (upstream-compatible runtime) as separate binaries.

Key Features:

  • Embedded Tor: Arti Tor stack built into the binary with multi-circuit pool (default 10 instances)
  • Identity Randomization: MAC address, hostname, and timezone randomization on startup
  • Verification: IP and DNS leak checks confirm traffic exits through Tor
  • OPSEC Filter: Redacts outbound identity leaks from agent messages
  • Namespace Isolation: Full network namespace via oniux (--mode isolated)
  • 28+ AI Providers: OpenAI, Anthropic, Gemini, Ollama, OpenRouter, and more — all through Tor
  • 15+ Channels: Telegram, Discord, Slack, Matrix, WhatsApp, Signal, Email
  • Hardware Peripherals: STM32, RPi GPIO, USB device control
  • Sandboxing: Landlock, Bubblewrap, Firejail, Docker backends

Bundled Companion Binaries (shipped with package builds):

Binary Scope Provenance References
zeroclaw Upstream-compatible lightweight agent runtime Upstream runtime bundled by Kodachi Installation · Terminal Server
oniux Namespace-based process isolation helper Third-party open source (Tor Project) bundled by Kodachi Protection Index
tun2socks-linux-amd64 TUN/TAP to SOCKS5 routing bridge for proxy protocols Third-party open source bundled by Kodachi Protection Index · Installation

Use Cases:

  • Untraceable AI agent for sensitive operations
  • Anonymous automation through Tor-routed channels
  • Privacy-first AI assistant with identity protection

online-auth - Authentication and Heartbeat Monitoring

Quick Reference: Full Documentation | Auth Level: 57% | Sudo Required: Yes (system-wide)

Provides authentication services for Kodachi OS through cryptographic API validation and secure session management. Handles service heartbeats for connection monitoring and manages API keys for authorized access. Implements privacy-preserving authentication protocols with encrypted credential storage and secure token rotation. Ensures anonymous communication channels between local services and authentication endpoints. Maintains session persistence across restarts while adhering to anti-forensic principles.

routing-switch - Multi-Protocol Network Routing

Quick Reference: Full Documentation | Auth Level: 61% | Sudo Required: Yes (network config)

Comprehensive encrypted routing service supporting 12+ anonymization protocols including OpenVPN, WireGuard, Shadowsocks, V2Ray, Xray, Hysteria2, SOCKS5, Dante with Tor integration via Redsocks. Provides traffic obfuscation to bypass Deep Packet Inspection, multi-layer encryption tunneling, and anti-forensic network routing. Ensures complete privacy protection through protocol layering, encrypted tunnel management, and anonymization. Features intelligent routing tables for maximum anonymity while maintaining connection stability. Critical component of Kodachi's security infrastructure for untraceable communications.

tor-switch - Advanced Tor Network Orchestration

Quick Reference: Full Documentation | Auth Level: 73% | Sudo Required: Yes (iptables/nftables)

Manages Tor network connections and circuit isolation for Kodachi OS. Provides control over Tor instances, exit node selection, and circuit rotation. Features multi-instance Tor management, load balancing across circuits, DNS leak prevention, and traffic routing configuration. Supports transparent proxy setup, bridge configuration, and country-based exit node selection. Includes monitoring capabilities for circuit health and connection status.

ip-fetch - Secure IP Geolocation

Quick Reference: Full Documentation | Auth Level: 0% | Sudo Required: No

Fetches IP geolocation data with multi-provider support and fallback mechanisms. Retrieves current IP address information including location, ISP, and connection details. Features automatic provider rotation when services are unavailable, response caching for efficiency, and verification through multiple sources. Supports both IPv4 and IPv6 addresses with JSON output format. Integrates with VPN and Tor connections to verify routing status.

online-info-switch - Information Hub and RSS Feeds

Quick Reference: Full Documentation | Auth Level: 58% | Sudo Required: No

Information aggregation service providing RSS feed monitoring and data collection. Manages various information sources including security feeds, cryptocurrency data, and paste services. Features scheduled feed updates, content filtering, and data categorization. Supports multiple RSS sources with configurable refresh intervals. Provides structured output for collected information with timestamp tracking and source attribution.

conky-status - Unified Conky Telemetry Gateway

Quick Reference: Full Documentation | Conky Desktop Section | Auth Level: 0% | Sudo Required: No

Rust telemetry gateway that unifies data collection for Kodachi Conky desktop panels. Replaces fragmented shell polling with a single snapshot cache and compatibility aliases, while preserving Conky-friendly outputs. Supports JSON, panel batching, key lookup, and refresh/TTL controls for stable desktop monitoring without script storms.

health-control - Emergency Kill Switches and Panic Modes

Quick Reference: Full Documentation | Auth Level: 83% | Sudo Required: Yes (system ops)

System health monitoring and emergency control service for Kodachi OS. Provides network connectivity checks, panic mode operations, and system state management. Features multiple emergency response levels (soft, medium, hard), network kill switches using iptables/nftables, secure data wiping capabilities, and MAC address randomization. Includes system scoring for security posture assessment, hardware monitoring, and USB device protection. Supports recovery operations for restoring network connectivity after emergency procedures.

dns-switch - DNS Management with 50+ Resolvers

Quick Reference: Full Documentation | Auth Level: 25% | Sudo Required: Mixed (write operations)

DNS management service supporting multiple secure resolver configurations. Manages system DNS settings with support for 50+ DNS providers including privacy-focused options. Features DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNSCrypt protocol support. Provides automatic resolver switching, fallback mechanisms, and Pi-hole integration. Includes DNS cache management and resolver health monitoring. Supports custom resolver configuration and automatic optimal server selection.

dns-leak - DNS Leak Detection and Prevention

Quick Reference: Full Documentation | Auth Level: 25% | Sudo Required: No

DNS leak detection and prevention service for network privacy verification. Performs comprehensive leak tests across all network interfaces to identify DNS configuration issues. Features real-time leak detection, multi-provider verification, and automated alert generation. Monitors DNS queries to ensure they route through configured secure channels. Provides detailed reports on DNS resolver usage and potential privacy issues.

integrity-check - Cryptographic System Verification

Quick Reference: Full Documentation | Auth Level: 0% | Sudo Required: No

System integrity verification service using cryptographic checksums and digital signatures. Validates file integrity through SHA-256 hashing and signature verification. Features binary authentication, configuration file monitoring, and tamper detection. Provides scheduled integrity scans and on-demand verification. Maintains baseline checksums for critical system files and detects unauthorized modifications. Supports custom file lists and exclusion patterns for targeted verification.

permission-guard - Real-Time Permission Monitoring

Quick Reference: Full Documentation | Auth Level: 75% | Sudo Required: Yes (3/4 commands)

File permission monitoring and enforcement service for system security. Monitors file system permissions and ownership to detect unauthorized changes. Features real-time permission tracking, automated correction of insecure permissions, and privilege escalation detection. Provides scheduled scans and on-demand verification of critical directories. Maintains permission baselines and reports deviations. Supports custom permission policies and automated remediation workflows.

logs-hook - Centralized Logging Infrastructure

Quick Reference: Full Documentation | Auth Level: 100% | Sudo Required: Yes (all commands)

Provides centralized logging infrastructure with secure log collection, rotation, and deletion capabilities. Features encrypted log storage, automatic rotation schedules, and secure deletion protocols. Supports multiple log levels, filtering algorithms, and privacy-aware logging practices. Includes log aggregation from all system services and real-time monitoring. Offers multi-pass secure deletion and log anonymization for privacy protection.

deps-checker - Dependency Validation and Auditing

Quick Reference: Full Documentation | Auth Level: 0% | Sudo Required: No

Validates system dependencies and performs security auditing of installed packages. Features automated dependency scanning, version conflict detection, and security vulnerability identification. Provides package relationship analysis, compatibility verification, and installation script generation. Includes system configuration validation and dependency tree analysis. Maintains databases of tested configurations for optimal system security.

global-launcher - System-Wide Binary Deployment

Quick Reference: Full Documentation | Auth Level: 0% | Sudo Required: No

Deploys Kodachi binaries system-wide while maintaining proper execution contexts and security validation. Features intelligent shortcut creation, environment variable management, and working directory preservation. Provides binary integrity verification and automated rollback capabilities. Includes security validation protocols and comprehensive deployment logging. Enables global accessibility without compromising security isolation.

workflow-manager - Batch Command Execution and Automation

Quick Reference: Full Documentation | Auth Level: 11% | Sudo Required: Yes (system ops)

Comprehensive workflow automation service for batch command execution with advanced conditional logic and state management. Features template-based workflow creation, hybrid conditional system combining success/fail states with pattern matching and JSON path evaluation. Provides interactive pause controls for manual checkpoints, comprehensive telemetry logging in JSONL format, and configurable timeout protection. Supports concurrent execution within workflows, retry logic for failed operations, and dry-run mode for safe testing. Enables complex multi-step automation with regex pattern matching, substring searching, and JSON response evaluation for precise control flow. Ships with 92+ ready-to-use built-in profiles stored in `dashboard/hooks/config/profiles/`, and users can create custom profiles based on their specific automation requirements. Critical for system maintenance workflows, batch operations, and automated diagnostic procedures requiring conditional execution paths.

Inter-Binary Dependencies Matrix

Binary Communication Flow

Service Calls These Binaries Called By These Binaries
online-auth logs-hook Authentication required by: ip-fetch, tor-switch, routing-switch, dns-switch, dns-leak, health-control, online-info-switch
logs-hook None Integrated by all services for centralized logging
ip-fetch logs-hook, online-auth, routing-switch tor-switch, routing-switch, dns-switch, dns-leak
tor-switch logs-hook, online-auth, ip-fetch routing-switch
routing-switch logs-hook, online-auth, tor-switch, ip-fetch health-control, ip-fetch
dns-switch logs-hook, online-auth, ip-fetch None
dns-leak logs-hook, online-auth, ip-fetch None
health-control logs-hook, online-auth, routing-switch dns-switch, online-info-switch
integrity-check logs-hook None
permission-guard logs-hook Can be used alongside online-auth for permission checks
deps-checker logs-hook None
global-launcher logs-hook Can be orchestrated by online-auth for deployments
workflow-manager logs-hook None (user-initiated batch operations)
online-info-switch logs-hook, online-auth, health-control None
conky-status logs-hook, online-auth, ip-fetch, dns-switch, health-control None (consumed by Conky desktop panels)
ai-gateway logs-hook kodachi-claw, external agents
kodachi-claw online-auth, ip-fetch, tor-switch, oniux (in-process); optionally ai-gateway None (user-facing)

Critical Service Dependencies

Dependency Type Description Affected Services
Authentication Chain Services requiring valid authentication before operation ip-fetch, tor-switch, routing-switch, dns-switch, dns-leak, health-control, online-info-switch
Logging Infrastructure All services use logs-hook for centralized logging ALL binaries
IP Verification Services that call ip-fetch for network testing tor-switch, routing-switch, dns-switch, dns-leak
System Management Services that may interact with online-auth permission-guard, global-launcher

Command Surface Matrix

Current Command Totals (Generated from bin-json/*_rust_binary.json)

Service Total Commands Privilege Model Primary Use Case
health-control 213 Mixed (many system operations require sudo) Emergency kill switches, panic modes, system hardening
tor-switch 107 Mixed (network stack and firewall operations may require sudo) Tor orchestration and circuit controls
dns-switch 27 Mixed (runtime checks + privileged DNS/system updates) DNS management and resolver control
online-auth 20 Service-auth + local execution Authentication service and heartbeat/session management
kodachi-claw 20 Mixed (Tor/bootstrap steps often require elevated access) Anonymous AI agent runtime
routing-switch 18 Mixed (routing and protocol transitions may require sudo) Multi-protocol network routing
ai-cmd 13 Mostly user-level; delegated commands vary Natural language command interface
workflow-manager 12 Workflow-dependent Batch command execution and automation
ip-fetch 11 Mostly user-level IP geolocation and network verification
ai-gateway 9 Policy-dependent Agent command gateway and policy firewall
ai-trainer 8 Mostly user-level ML model training and validation
integrity-check 7 Mixed (read-only checks vs protected paths) System integrity verification
online-info-switch 10 Mostly user-level Information feeds and freshness checks
deps-checker 6 Mostly user-level; install actions may require sudo Dependency validation
dns-leak 4 Mixed DNS leak testing
permission-guard 4 Mixed (fix operations require sudo) Permission monitoring and remediation
ai-learner 4 Mostly user-level Learning orchestration and analysis
ai-monitor 4 Mostly user-level Proactive monitoring daemon
ai-scheduler 4 Mixed (scheduled command privilege follows command) Cron-based task scheduling
ai-admin 3 Mostly user-level AI database diagnostics and maintenance
ai-discovery 3 Mostly user-level Binary discovery/indexing daemon
global-launcher 3 Mixed (deploy operations may require sudo) Binary deployment and verification
logs-hook 3 Mixed (log maintenance can require elevated access) Logging and log maintenance
conky-status 4 Mostly user-level Conky details (legacy conky-details) telemetry gateway

Source of Truth

These totals come from each binary's generated flag_h.commandCategories metadata in docs/binaries/bin-json/. Privilege/auth requirements are command-specific; check each binary page for exact per-command behavior.

Command Coverage Dashboard

Visualization Scope

This dashboard is a legacy visual layer. Use the Command Surface Matrix above and per-binary pages for exact current command and privilege details.

Key Insights

Overview Statistics

Total Commands 510
Privilege Model Command-specific
Rust Metadata Binaries 24
Bundled Companions 3

Largest Command Surfaces

health-control 213 commands
tor-switch 107 commands
dns-switch 27 commands

Low Command Surface

global-launcher 3 commands
logs-hook 3 commands
ai-admin 3 commands
ai-discovery 3 commands
dns-leak 4 commands
permission-guard 4 commands
ai-monitor 4 commands
ai-scheduler 4 commands
ai-learner 4 commands
deps-checker 6 commands
integrity-check 7 cmds

Bundled Companion Runtimes

zeroclaw upstream runtime
oniux process isolation helper
tun2socks-linux-amd64 proxy tunnel bridge

Command Distribution

Top 3 binaries 68%
Average per binary 22 cmds
Median auth rate 0%

Binary Authentication Overview

health-control
210
84% auth
tor-switch
107
67% auth
dns-switch
34
29% auth
routing-switch
22
50% auth
online-auth
20
policy-dependent
ip-fetch
11
0% auth
online-info-switch
7
0% auth
integrity-check
7
0% auth
dns-leak
4
25% auth
permission-guard
4
75% auth
deps-checker
6
0% auth
global-launcher
3
policy-dependent
logs-hook
3
policy-dependent
conky-status
3
0% auth
workflow-manager
12
8% auth
ai-cmd
13
0% auth
ai-trainer
8
0% auth
ai-monitor
4
policy-dependent
ai-scheduler
4
policy-dependent
ai-learner
4
0% auth
ai-admin
3
0% auth
ai-discovery
3
policy-dependent
ai-gateway
9
policy-dependent
kodachi-claw
16
policy-dependent

Authentication Patterns by Service Type

Pattern Services Description
No Authentication logs-hook global-launcher deps-checker permission-guard integrity-check ai-cmd ai-trainer ai-learner ai-admin ai-discovery ai-scheduler ai-monitor ai-gateway No auth-shared library usage
Mixed Authentication online-info-switch dns-leak routing-switch ip-fetch dns-switch tor-switch health-control workflow-manager kodachi-claw Selective command authentication
Bulk Operations Auth ip-fetch Only bulk/multi operations require auth
Emergency Bypass health-control Critical recovery commands bypass auth
Special Provider online-auth Authentication provider service

Service-Specific Authentication Details

logs-hook

Total Commands: 3 | Auth Required: 3 | No Auth: 0

Command Reference
log
maintenance rotate
maintenance wipe
maintenance

global-launcher

Total Commands: 3 | Auth Required: 0 | No Auth: 3

Commands Without Authentication (3)
deploy
verify
cleanup

deps-checker

Total Commands: 6 | Auth Required: 0 | No Auth: 6

Command Reference
check
check-all
install-missing
list-binaries
list-profiles
generate-script

permission-guard

Total Commands: 4 | Auth Required: 3 | No Auth: 1

Commands Requiring Sudo (3)
watch
scan
config
Commands Without Sudo (1)
status

workflow-manager

Total Commands: 12 | Auth Required: 1 | No Auth: 11

Command Reference
create
add
pause
include
list
show
run
update
delete-step
delete
state
prereq

dns-leak

Total Commands: 4 | Auth Required: 1 | No Auth: 3

Commands Requiring Authentication (1)
test
Commands Without Authentication (3)
discover
report
results

integrity-check

Total Commands: 7 | Auth Required: 0 | No Auth: 7

Commands Without Authentication (7)
generate
check-all
check-integrity
check-signatures
check-version
check-config
view-logs

online-info-switch

Total Commands: 7 | Auth Required: 0 | No Auth: 7

Command Reference
status
rss
paste
freshness
price
balance
releases

ip-fetch

Total Commands: 7 | Auth Required: 0 | No Auth: 7

Command Reference
plain-ip
cache
test-all
dns
geo
fetch
tor
check-tor
test-fallback
verify-multi
random

online-auth

Total Commands: 20 | Auth Required: 14 | No Auth: 6

Commands Requiring Authentication (14)
sync-api-key
authenticate
logout
send-heartbeat
send-heartbeat-with-retry
start-heartbeat
stop-heartbeat
get-card
activate-license
release-license
license-status
enable-permission-guard
disable-permission-guard
permission-guard-status
Commands Without Authentication (6)
check-login
check-if-blocked
get-ids
check-all-status
check-heartbeat
which-group

routing-switch

Total Commands: 18 | Auth Required: Mixed | No Auth: Mixed

Command Reference
connect
disconnect
status
dns-info
list-protocols
test-protocol
benchmark
export-config
showconfig
showconfigurl
showconfigqr
auto-select
reset
cleanup
recover
microsocks-enable
microsocks-disable
microsocks-status
check-prerequisites
tor-dns-info
vps-info
validate-qr

dns-switch

Total Commands: 27 | Auth Required: 10 | No Auth: 17

Command Reference
switch
random
fallback
status
get-mode
set-mode
detect-mode
fix-dns
health
fetch
fetch-count
dnscrypt
dnscrypt-set
dnscrypt-restart
dnscrypt-remove
pihole
pihole-enable
pihole-disable
pihole-password
pihole-reset
list
count
clean
clean-duplicates
backup
restore-default
restore-backup
fetch-dns-from-card
get-modern-method
set-modern-method
verify-no-leaks
boot-check
enable-boot-check
disable-boot-check

tor-switch

Total Commands: 107 | Auth Required: 72 | No Auth: 35

Commands Requiring Authentication (72)
create-instance
delete-instance
delete-all-instances
start-instance
stop-instance
restart-instance
set-default-instance
rename-instance
clone-instance
create-multiple-instances
set-exit-node
set-exit-node-all
set-exclude-node
set-exclude-node-all
clear-exit-node
clear-exit-node-all
new-tor-circuit
new-tor-circuit-all
reload-tor-config
reload-tor-config-all
backup-config
backup-config-all
restore-config
restore-config-all
generate-new-tor-password
generate-new-tor-password-all
clean-torrc-custom
clean-torrc-custom-all
auto-ip-change
stop-auto-ip-change
update-ip-timer
update-ip-all-timer
remove-ip-timer
remove-ip-all-timer
generate-haproxy-config
haproxy-start
haproxy-stop
set-load-balancing-mode
set-instance-weight
torrify-system-iptables-load-balanced
torrify-system-nftables-load-balanced
torrify-system-iptables
torrify-system-nftables
torrify-system-dns
torrify-system-iptables-dns
torrify-system-nftables-dns
start-tor-dns-iptables
start-tor-dns-nftables
detorrify-system-iptables
detorrify-system-nftables
delete-all-instances-with-default
validate-torrc-main
stop-tor-dns-iptables
stop-tor-dns-nftables
cleanup
clean-orphan-services
backup-main-tor-config
flush-iptables
flush-nftables
validate-torrc
restore-main-tor-config
verify-tor-dns
verify-tor-dns-all
verify-tor-dns-direct
verify-tor-dns-port
set-exit-node-main
clear-exit-node-main
set-exclude-node-main
clear-exclude-node-main
reload-main-tor
new-circuit-main-tor
verify-main-tor-dns
list-backups
Commands Without Authentication (35)
start-tor
stop-tor
restart-tor
start-all-instances
stop-all-instances
restart-all-instances
check-tor
check-tor-all
torverify
tor-status
tor-status-all
get-tor-status
show-help
get-tor-custom-status
show-examples
which-is-active
list-instances
list-haproxy-modes
haproxy-status
display-load-balancing-config
list-iptables
list-nftables
list-ip-timers
read-main-tor-config
show-instance
list-exit-exclude-main
status-main-tor
check-main-tor-security
main-tor-bandwidth
main-tor-connections
main-tor-logs
list-instances-with-ip
list-auto-ip-change
list-iptables-nat

health-control

Selected Commands: 185 | Auth Tagged: 104 | No Auth Tagged: 81

Note: Signer metadata currently lists 213 health-control commands. The chips below are a curated operational subset for readability.

Commands Requiring Authentication (176)
block-internet
kill-network
kill-network-interface
kill-process
set-timezone
sync-timezone
change-hostname
set-default-hostname
set-random-hostname
set-custom-hostname
set-random-hostname-category
set-random-timezone
mac-change-all
mac-force-change
mac-change-specific
offline-bluetooth
offline-wifi
offline-usb-storage
offline-webcam
offline-microphone
offline-systemlogs
offline-cups
offline-networkmanager
offline-numlock
offline-cmdhistory
offline-autologin
offline-screen-lock
offline-fdlimit
offline-netoptimize
offline-bbr
offline-ifspeed
offline-avahi
offline-modem-manager
offline-ssh
offline-apache
offline-nginx
offline-docker
offline-mysql
offline-postgresql
security-harden
security-recover
security-reset
monitoring-enable
monitoring-disable
ipv6-disable
ipv6-enable
tirdad-enable
tirdad-disable
ram-wipe
swap-encrypt
swap-decrypt
luks-nuke
luks-manage
luks-remove
luks-nuke-advanced
luks-manage-advanced
create-persistence
container-create
container-mount
container-unmount
memory-clean
memory-force-clean
memory-wipe
memory-wipe-process
swap-configure
disable-swap
enable-swap
ram-wipe-enable
ram-wipe-disable
swap-enable
swap-disable
usb-guard-enable
usb-guard-disable
usb-policy
usb-whitelist
storage-wipe
storage-encrypt
encryption-tune
kill-switch-arm
kill-switch-activate
kloak-enable
kloak-disable
kloak-configure
kloak-event-mode
aide-update
aide-init
aide-reinit
aide-scan-dir
auto-updates-enable
auto-updates-disable
system-maintenance-enable
system-maintenance-disable
password-policy-enable
password-policy-disable
user-security-enable
user-security-disable
2fa-enable
2fa-disable
check-and-install-do
package-cleanup
clear-cache
coldboot-defense-enable
coldboot-defense-disable
memory-limits
Commands Without Authentication (33)
unblock-internet
recover-internet
mac-reset-all
kill-switch-disarm
panic-soft
panic-medium
panic-hard
panic-profile
panic-recover
create-recovery-point
wipe-file
wipe-directory
wipe-logs
wipe-batch
wipe-browser-data
wipe-free-space
wipe-pattern
wipe-schedule
wipe-verify
notify
play-sound
net-check
net-check-http
list-ips
list-domains
get-hostname
get-logged-user
show-timezone
show-remote-timezone
list-timezones
list-hostnames
mac-show-interfaces
mac-show-macs
mac-active-interface
security-status
ipv6-status
tirdad-status
ram-wipe-status
disk-encryption-status
swap-status
offline-info-system
offline-info-hardware
offline-info-process
offline-info-security
offline-info-network
offline-info-user
offline-info-storage
offline-info-services
offline-info-all
security-score
security-report
security-profile
security-history
rootkit-scan
rootkit-scan-enhanced
lynis-audit
lynis-status
clamav-scan
system-audit
internet-status
kill-switch-status
encryption-status
usb-list
memory-stats
auto-updates-status
system-maintenance-status
password-policy-status
user-security-status
2fa-status
kloak-status
kloak-stats
aide-check
usb-monitor
usb-history
hardware-rng-verify
entropy-status
boot-integrity-check
swap-encrypt-status
check-and-install
security-verify
security-remediate

ai-cmd

Total Commands: 13 | Auth Required: 0 | No Auth: 13

Command Reference
query
interactive
feedback
preview
voice
suggest
workflow
tiers
tools
providers
model-info
policy
export-intents

ai-trainer

Total Commands: 8 | Auth Required: 0 | No Auth: 8

All Commands - No Authentication Required (8)
download-model
train
incremental
validate
export
snapshot
list-snapshots
status

ai-learner

Total Commands: 4 | Auth Required: 0 | No Auth: 4

Command Reference
analyze
learn
report
status

ai-admin

Total Commands: 3 | Auth Required: 0 | No Auth: 3

All Commands - No Authentication Required (3)
db
diagnostics
tune

ai-discovery

Total Commands: 3 | Auth Required: 0 | No Auth: 3

All Commands - No Authentication Required (3)
start
status
reindex

ai-scheduler

Total Commands: 4 | Auth Required: 0 | No Auth: 4

All Commands - No Authentication Required (4)
start
add
list
remove

ai-monitor

Total Commands: 4 | Auth Required: 0 | No Auth: 4

All Commands - No Authentication Required (4)
start
status
suggestions
service

ai-gateway

Total Commands: 9 | Auth Required: Policy-dependent | No Auth: Policy-dependent

Command Reference
index
policy
doctor
approve
list
search
help
capabilities
run

kodachi-claw

Total Commands: 20 | Auth Required: 16 | No Auth: 4

Command Reference
onboard
agent
gateway
daemon
service
tor
doctor
status
cron
models
providers
channel
integrations
skills
migrate
auth
hardware
peripheral
recover-internet
help

System Requirements and Permissions

Privilege Escalation Requirements

Operation Type Required Permissions Affected Binaries
Network Configuration sudo/root tor-switch (iptables/nftables), routing-switch, dns-switch
System Security sudo/root health-control (network/MAC/hostname operations)
Authentication Management sudo/root online-auth (system-wide operations)
Read-Only Operations Standard user ip-fetch, dns-leak, integrity-check, logs-hook, conky-status
AI Operations Standard user ai-cmd, ai-trainer, ai-learner, ai-admin, ai-discovery, ai-scheduler, ai-monitor, ai-gateway
Anonymous Agent Runtime sudo/root kodachi-claw (Tor circuits, identity randomization, namespace isolation)

Service Daemon Capabilities

Service Daemon Mode Command Purpose
online-auth Heartbeat daemon online-auth authenticate --keep-alive or --relogin Maintains authentication session
logs-hook Integrated by all services Automatic Centralized logging for all operations
global-launcher Service management Standalone Binary deployment and management
ai-monitor Background daemon ai-monitor start --daemon Proactive VPN/Tor/DNS monitoring
ai-scheduler Background daemon ai-scheduler start Cron-based automated task execution
ai-discovery Background daemon ai-discovery start Binary watcher and auto-indexer
kodachi-claw Background daemon kodachi-claw daemon Anonymous AI agent runtime with embedded Tor

Key Capabilities Overview

Advanced Network Operations

Feature Capability Details
Tor Operations 70+ Commands Complete control over instances, circuits, and exit nodes
Load Balancing Native Kernel-Level Traffic distribution across multiple Tor instances
Protocol Support 12 Protocols OpenVPN, WireGuard, Tor, Shadowsocks, V2Ray, Xray variants, and more
DNS Resolvers 50+ Options DNSCrypt, DoT, DoH, Pi-hole integration

Security and Protection

Feature Implementation Purpose
Emergency Kill Switch health-control kill-network Instant network termination
Panic System 3 Levels (Soft/Medium/Hard) Progressive data destruction
Data Wiping Multi-pass shredding Secure deletion with verification
MAC Randomization Auto/Manual modes Hardware address anonymization
Hostname Management Random generation System identity protection

System Integration

Aspect Approach Benefit
Memory Safety Rust-first implementation Robust error handling, no crashes
Performance Optimized binaries Fast response for critical operations
Output Format JSON-first design Easy automation and scripting
Path Detection Dynamic resolution Works on any Linux environment
Containment Execution folder only Enhanced security isolation

Common Workflows

Network Anonymization Setup

# Authenticate and configure Tor
sudo online-auth authenticate  # Basic authentication
# Or use --relogin for automatic reconnection on session expiry
sudo online-auth authenticate --relogin
sudo tor-switch start-tor
sudo tor-switch torrify-system-nftables  # Prefer nftables (modern)
# sudo tor-switch torrify-system-iptables  # Alternative: iptables (legacy)
ip-fetch fetch  # Fetch current IP info through Tor (ISP/ASN shows Tor exit node)

Multi-Protocol Routing

# Connect through various protocols
sudo routing-switch connect openvpn
sudo routing-switch connect shadowsocks
sudo routing-switch connect wireguard
sudo routing-switch status  # Check active routing
sudo routing-switch list-protocols  # List available protocols with scores
sudo routing-switch disconnect  # Disconnect current protocol

Security Hardening

# System hardening workflow
sudo health-control set-random-hostname
sudo health-control mac-change-all
sudo permission-guard scan
sudo integrity-check check-integrity --json

DNS Configuration

# Secure DNS setup
dns-switch status --json  # Read current DNS mode/status (no sudo)
dns-switch dnscrypt-monitor-status --json  # Monitor DNSCrypt watchdog state
sudo dns-switch switch --category encrypted  # Use encrypted DNS
dns-leak discover --json  # Discover and analyze DNS configuration
sudo dns-switch random --type encrypted --count 3  # Use random encrypted resolvers
sudo dns-switch fix-dns  # Emergency DNS repair fallback
sudo dns-switch fix-dns --force  # Run complete DNS repair chain

Emergency Response

# Quick privacy mode
sudo health-control panic-soft
sudo tor-switch restart-tor  # Get new Tor circuit
sudo health-control recover-internet --check-dns  # Recover connectivity + DNS if needed
sudo health-control fast-recover-internet --force  # Force quick recovery then escalate if still unhealthy

# Complete shutdown
sudo health-control kill-network
sudo health-control wipe-logs

Keep Internet Alive (Auto-Recovery Loop)

# Keeps checking connectivity recovery every 10s.
# Starts recover-internet only if another recovery process is not already running.
while true; do
    if ! pgrep -fx "health-control recover-internet" > /dev/null; then
        sudo health-control recover-internet &
    fi
    sleep 10
done

Performance Metrics

Binary Count
25
Complete security, AI, and gateway suite
Total Size
~130MB
All binaries combined
Protocol Support
12
Routing protocols supported
DNS Resolvers
50+
Available DNS options
Tor Commands
100+
Tor management operations

Documentation Structure

User Guides

Category Description
Network Tools Detailed guides for network and anonymization tools
Security Tools Comprehensive security and authentication documentation
Protection Tools System protection and monitoring guides
Infrastructure Tools Service infrastructure and management documentation
AI & Intelligence Tools AI-powered command interface, monitoring, and automation

API Reference

Reference Description
Binary Reference Complete command-line API documentation for all binaries

Security Considerations

Important Security Notice

These tools provide powerful capabilities that should be used responsibly and in accordance with local laws and regulations. Kodachi OS and its binaries are designed for legitimate privacy protection and security testing purposes only.

Security Implementation Details

Feature Implementation
Authentication Services use KODACHI_CALLING_SERVICE environment variable for identity
Certificate Pinning TLS 1.3 with pinned certificates for network operations
Error Handling Comprehensive error propagation without crashes
Audit Trail All operations logged through centralized logs-hook service

Example JSON error response structure: 

{
  "status": "error",
  "error": {
    "code": "AUTH_FAILED",
    "message": "Authentication required",
    "details": "Service requires valid authentication token",
    "timestamp": "2025-09-19T10:00:00Z"
  }
}

Authentication Flow

Step Command Purpose
1 sudo online-auth authenticate --keep-alive or --relogin Initial authentication (--relogin includes keep-alive)
2 online-auth check-login Check authentication status
3 Service usage Authenticated services automatically verify before execution
4 online-auth logout Logout when finished

System Information

Component Version Build Date License
Kodachi OS 9.0.1 2025 Proprietary
Rust Binaries 9.0.1 2025-09-18 Proprietary
Documentation 9.0.1 2025-09-19 © 2025 Linux Kodachi
Author Warith Al Maawali - All Rights Reserved