Releases: askalf/fieldpass
Release list
v0.4.1
Docs-only patch.
Changed
- README badge row — license, dependency, and "why this matters" are now flat shields.io badges matching the
ciand OpenSSF Scorecard style (one consistent badge row on npm + GitHub). The dependency badge corrects the count from "one" to the actual three runtime dependencies (@modelcontextprotocol/sdk,node-html-parser,zod). No code or API changes. (#41)
v0.4.0
@askalf/fieldpass v0.4.0
Added
- Session-recorder / canon-skill plane over MCP (#30) — the last plane that was reachable only as a JS import is now on the MCP server.
picket_record_startopens a named recording; addrecord: "<name>"topicket_observe/picket_gate/picket_loginto append each governed step (secrets redacted, withheld payloads never recorded).picket_skill_emitserializes it into a canon-pinnable manifest with itsskillHash— goldens reduced to fingerprints, so a withheld payload can't be recovered through the manifest, while the per-stepverdictstill signals recorded hostility.picket_skill_replayre-runs a recording (or a manifest) against the live browser and reports per-step drift +regressedToInjection.
With this, all five planes — perception, action, identity, verification, skill — are reachable over MCP. Additive and backward-compatible (MCP tool count 6 → 9).
Published to npm via OIDC trusted publishing. Full test suite (131) green on Node 20 and 22.
Full changelog: https://github.com/askalf/fieldpass/blob/main/CHANGELOG.md
v0.3.0
@askalf/fieldpass v0.3.0
Added
- Replay-verification oracle over MCP —
picket_verify/picket_snapshot/picket_replay. The deterministic anti-fabrication gate (re-capture the real page, check claims / snapshot goldens / detect a clean→injection regression) is now reachable from any MCP client, not just as a JS import. No withheld excerpt ever crosses the wire. (#26)
Security (from a full repo audit)
- Unicode confusable fold hardened — broadened the fold to close a homoglyph bypass outside the Cyrillic/Greek core (the Latin script-g
ɡ, U+0261), and made the safe view stop Latinizing/normalizing benign non-Latin page text (it now folds only to detect a fence/role forgery and neutralizes the exact original span). - Shadow DOM / declarative templates / pseudo-element capture — the live backend now descends open shadow roots and reads
::before/::aftercontent, so an injection planted there is no longer captured as zero nodes; the replay oracle sees that visible content too. (#25) - HTTP transport refuses an unauthenticated non-loopback bind — a
0.0.0.0bind with no bearer token would be an open, unauthenticated governed browser; it now throws unless a token is set orallowInsecureis passed. - Underlying confusables and Shadow-DOM-capture fixes (#24, #25), plus test coverage for the WardenClient escalation path and the split-trifecta quarantine branch.
Published to npm via OIDC trusted publishing. Full test suite green on Node 20 and 22.
Full changelog: https://github.com/askalf/fieldpass/blob/main/CHANGELOG.md
v0.2.1
Renamed
@askalf/picket→@askalf/fieldpass(#23) — npm-publishable name;picketis squatted unscoped and the registry create-policy blocks colliding scoped names. The GitHub repo is nowaskalf/fieldpass(old URLs redirect). Legacypicket/picket-mcpbin aliases retained; MCP tool names andPICKET_*env vars unchanged.
Added
- Streamable HTTP transport for the MCP server (#21) —
fieldpass-mcp --httpservespicket_observe/picket_gate/picket_loginas a URL-type MCP server, so clients that can't spawn a stdio process (the Claude API MCP connector, Managed Agents, remote agent runtimes) can attach. Spec session management with every session sharing one governed browser (verdict cache and keeper leases persist, same as stdio); binds127.0.0.1by default with DNS-rebinding protection on loopback, optional constant-time bearer auth (PICKET_MCP_TOKEN), and an unauthenticatedGET /healthzliveness probe. stdio stays the default transport. - Framework example series (#22) — four runnable, offline, no-API-key examples of real agent-framework engines browsing behind the firewall via the MCP server: LangGraph.js (
StateGraph), OpenAI Agents SDK (scripted offline model through the genuineRunner), CrewAI (Flow), and Microsoft AutoGen (AssistantAgent+McpWorkbench). Each reads a booby-trapped invoice page, proves the injection is withheld while benign content survives, has every hijack action refused at the gate, and shows login failing closed with no vault — with captured evidence and pinned versions from real runs in each example'sevidence/.
CI
- npm releases are now tokenless: OIDC trusted publishing via
publish.yml(#27), with a dailynpm-drift.ymlwatch comparing the latest GitHub release against the npm registry.
This version is live on npm as @askalf/fieldpass@0.2.1.
v0.2.0
The complete prototype→product roadmap since the initial release: LLM-judge escalation, an MCP server, a persona context broker, a replay-verification oracle, canon-pinnable browser skills, and a hardened firewall core.
Added
- LLM-judge escalation tier — a configurable Claude backend reviews only the ambiguous residue the deterministic detector can't rule on, with confidence calibration and a message-id round-trip fix (#1), plus a content-keyed verdict cache (bounded LRU, fail-safe) to cut repeat LLM calls (#3). Escalate-only and inert on error.
- MCP server —
picket_observe/picket_gate/picket_loginexposed over stdio via thepicket-mcpentrypoint, so any MCP client gets the governed browser (#4). Observe returns verdict and finding categories only — withheld excerpts never cross the wire. - ContextBroker — a pool of isolated, keeper-backed persona contexts on one shared browser: login-once per persona, LRU eviction, and non-destructive teardown (disconnect, never close) (#5).
- Replay-verification oracle — a deterministic snapshot / diff / claim-verification gate that culls fabricated "the page shows X" claims without an LLM, and flags clean-golden → injection regressions (#6).
- Canon browser skills — record a governed session and emit it as a canon-pinnable, deterministically replayable skill manifest; secrets are redacted and the sha256 skill hash matches canon's pin (#7).
- npm publish workflow and
publishConfig.access: public(#10).
Fixed
- Firewall + action-gate hardening (#2):
observe()now prefers the live CDP bridge over the static parser when both are available; cross-node split-trifecta detection catches legs scattered across sibling nodes; the gate default-denies unknown action types; credential typing is inferred from field shape even without the flag; the nav allowlist matcheshostname(not host:port); anddata:/javascript:/blob:URLs count as exfil sinks. - Live CDP capture parity (#8): low-contrast hidden text uses the same color-distance threshold as the static backend, and
valueattributes are scanned — closing two evasions that only affected the live path. - The oracle reuses the detector's canonical action lattice instead of a local copy (#9).
Docs
- README repositioned: picket is a standalone Own Your Stack tool that composes with the warden · canon · keeper trilogy (#11).
Full changelog: v0.1.0...v0.2.0
v0.1.0
First tagged release. A governed agentic browser — an indirect-prompt-injection firewall, an action gate, and an LLM judge between the agent and the open web, plus a verdict cache and an MCP server (picket_observe / gate / login). Part of the Own Your Stack agent-security stack.