Skip to content

Releases: askalf/fieldpass

v0.4.1

Choose a tag to compare

@askalf askalf released this 11 Jul 16:55
2ed1be4

Docs-only patch.

Changed

  • README badge row — license, dependency, and "why this matters" are now flat shields.io badges matching the ci and OpenSSF Scorecard style (one consistent badge row on npm + GitHub). The dependency badge corrects the count from "one" to the actual three runtime dependencies (@modelcontextprotocol/sdk, node-html-parser, zod). No code or API changes. (#41)

v0.4.0

Choose a tag to compare

@askalf askalf released this 11 Jul 11:52
2560f3c

@askalf/fieldpass v0.4.0

Added

  • Session-recorder / canon-skill plane over MCP (#30) — the last plane that was reachable only as a JS import is now on the MCP server. picket_record_start opens a named recording; add record: "<name>" to picket_observe / picket_gate / picket_login to append each governed step (secrets redacted, withheld payloads never recorded). picket_skill_emit serializes it into a canon-pinnable manifest with its skillHash — goldens reduced to fingerprints, so a withheld payload can't be recovered through the manifest, while the per-step verdict still signals recorded hostility. picket_skill_replay re-runs a recording (or a manifest) against the live browser and reports per-step drift + regressedToInjection.

With this, all five planes — perception, action, identity, verification, skill — are reachable over MCP. Additive and backward-compatible (MCP tool count 6 → 9).

Published to npm via OIDC trusted publishing. Full test suite (131) green on Node 20 and 22.

Full changelog: https://github.com/askalf/fieldpass/blob/main/CHANGELOG.md

v0.3.0

Choose a tag to compare

@askalf askalf released this 11 Jul 03:50
7ee0222

@askalf/fieldpass v0.3.0

Added

  • Replay-verification oracle over MCPpicket_verify / picket_snapshot / picket_replay. The deterministic anti-fabrication gate (re-capture the real page, check claims / snapshot goldens / detect a clean→injection regression) is now reachable from any MCP client, not just as a JS import. No withheld excerpt ever crosses the wire. (#26)

Security (from a full repo audit)

  • Unicode confusable fold hardened — broadened the fold to close a homoglyph bypass outside the Cyrillic/Greek core (the Latin script-g ɡ, U+0261), and made the safe view stop Latinizing/normalizing benign non-Latin page text (it now folds only to detect a fence/role forgery and neutralizes the exact original span).
  • Shadow DOM / declarative templates / pseudo-element capture — the live backend now descends open shadow roots and reads ::before/::after content, so an injection planted there is no longer captured as zero nodes; the replay oracle sees that visible content too. (#25)
  • HTTP transport refuses an unauthenticated non-loopback bind — a 0.0.0.0 bind with no bearer token would be an open, unauthenticated governed browser; it now throws unless a token is set or allowInsecure is passed.
  • Underlying confusables and Shadow-DOM-capture fixes (#24, #25), plus test coverage for the WardenClient escalation path and the split-trifecta quarantine branch.

Published to npm via OIDC trusted publishing. Full test suite green on Node 20 and 22.

Full changelog: https://github.com/askalf/fieldpass/blob/main/CHANGELOG.md

v0.2.1

Choose a tag to compare

@askalf askalf released this 11 Jul 01:10
5759709

Renamed

  • @askalf/picket@askalf/fieldpass (#23) — npm-publishable name; picket is squatted unscoped and the registry create-policy blocks colliding scoped names. The GitHub repo is now askalf/fieldpass (old URLs redirect). Legacy picket/picket-mcp bin aliases retained; MCP tool names and PICKET_* env vars unchanged.

Added

  • Streamable HTTP transport for the MCP server (#21) — fieldpass-mcp --http serves picket_observe / picket_gate / picket_login as a URL-type MCP server, so clients that can't spawn a stdio process (the Claude API MCP connector, Managed Agents, remote agent runtimes) can attach. Spec session management with every session sharing one governed browser (verdict cache and keeper leases persist, same as stdio); binds 127.0.0.1 by default with DNS-rebinding protection on loopback, optional constant-time bearer auth (PICKET_MCP_TOKEN), and an unauthenticated GET /healthz liveness probe. stdio stays the default transport.
  • Framework example series (#22) — four runnable, offline, no-API-key examples of real agent-framework engines browsing behind the firewall via the MCP server: LangGraph.js (StateGraph), OpenAI Agents SDK (scripted offline model through the genuine Runner), CrewAI (Flow), and Microsoft AutoGen (AssistantAgent + McpWorkbench). Each reads a booby-trapped invoice page, proves the injection is withheld while benign content survives, has every hijack action refused at the gate, and shows login failing closed with no vault — with captured evidence and pinned versions from real runs in each example's evidence/.

CI

  • npm releases are now tokenless: OIDC trusted publishing via publish.yml (#27), with a daily npm-drift.yml watch comparing the latest GitHub release against the npm registry.

This version is live on npm as @askalf/fieldpass@0.2.1.

v0.2.0

Choose a tag to compare

@askalf askalf released this 02 Jul 00:32
07ba074

The complete prototype→product roadmap since the initial release: LLM-judge escalation, an MCP server, a persona context broker, a replay-verification oracle, canon-pinnable browser skills, and a hardened firewall core.

Added

  • LLM-judge escalation tier — a configurable Claude backend reviews only the ambiguous residue the deterministic detector can't rule on, with confidence calibration and a message-id round-trip fix (#1), plus a content-keyed verdict cache (bounded LRU, fail-safe) to cut repeat LLM calls (#3). Escalate-only and inert on error.
  • MCP serverpicket_observe / picket_gate / picket_login exposed over stdio via the picket-mcp entrypoint, so any MCP client gets the governed browser (#4). Observe returns verdict and finding categories only — withheld excerpts never cross the wire.
  • ContextBroker — a pool of isolated, keeper-backed persona contexts on one shared browser: login-once per persona, LRU eviction, and non-destructive teardown (disconnect, never close) (#5).
  • Replay-verification oracle — a deterministic snapshot / diff / claim-verification gate that culls fabricated "the page shows X" claims without an LLM, and flags clean-golden → injection regressions (#6).
  • Canon browser skills — record a governed session and emit it as a canon-pinnable, deterministically replayable skill manifest; secrets are redacted and the sha256 skill hash matches canon's pin (#7).
  • npm publish workflow and publishConfig.access: public (#10).

Fixed

  • Firewall + action-gate hardening (#2): observe() now prefers the live CDP bridge over the static parser when both are available; cross-node split-trifecta detection catches legs scattered across sibling nodes; the gate default-denies unknown action types; credential typing is inferred from field shape even without the flag; the nav allowlist matches hostname (not host:port); and data: / javascript: / blob: URLs count as exfil sinks.
  • Live CDP capture parity (#8): low-contrast hidden text uses the same color-distance threshold as the static backend, and value attributes are scanned — closing two evasions that only affected the live path.
  • The oracle reuses the detector's canonical action lattice instead of a local copy (#9).

Docs

  • README repositioned: picket is a standalone Own Your Stack tool that composes with the warden · canon · keeper trilogy (#11).

Full changelog: v0.1.0...v0.2.0

v0.1.0

Choose a tag to compare

@askalf askalf released this 19 Jun 19:29

First tagged release. A governed agentic browser — an indirect-prompt-injection firewall, an action gate, and an LLM judge between the agent and the open web, plus a verdict cache and an MCP server (picket_observe / gate / login). Part of the Own Your Stack agent-security stack.