v0.2.1
Renamed
@askalf/picket→@askalf/fieldpass(#23) — npm-publishable name;picketis squatted unscoped and the registry create-policy blocks colliding scoped names. The GitHub repo is nowaskalf/fieldpass(old URLs redirect). Legacypicket/picket-mcpbin aliases retained; MCP tool names andPICKET_*env vars unchanged.
Added
- Streamable HTTP transport for the MCP server (#21) —
fieldpass-mcp --httpservespicket_observe/picket_gate/picket_loginas a URL-type MCP server, so clients that can't spawn a stdio process (the Claude API MCP connector, Managed Agents, remote agent runtimes) can attach. Spec session management with every session sharing one governed browser (verdict cache and keeper leases persist, same as stdio); binds127.0.0.1by default with DNS-rebinding protection on loopback, optional constant-time bearer auth (PICKET_MCP_TOKEN), and an unauthenticatedGET /healthzliveness probe. stdio stays the default transport. - Framework example series (#22) — four runnable, offline, no-API-key examples of real agent-framework engines browsing behind the firewall via the MCP server: LangGraph.js (
StateGraph), OpenAI Agents SDK (scripted offline model through the genuineRunner), CrewAI (Flow), and Microsoft AutoGen (AssistantAgent+McpWorkbench). Each reads a booby-trapped invoice page, proves the injection is withheld while benign content survives, has every hijack action refused at the gate, and shows login failing closed with no vault — with captured evidence and pinned versions from real runs in each example'sevidence/.
CI
- npm releases are now tokenless: OIDC trusted publishing via
publish.yml(#27), with a dailynpm-drift.ymlwatch comparing the latest GitHub release against the npm registry.
This version is live on npm as @askalf/fieldpass@0.2.1.