v0.3.0
@askalf/fieldpass v0.3.0
Added
- Replay-verification oracle over MCP —
picket_verify/picket_snapshot/picket_replay. The deterministic anti-fabrication gate (re-capture the real page, check claims / snapshot goldens / detect a clean→injection regression) is now reachable from any MCP client, not just as a JS import. No withheld excerpt ever crosses the wire. (#26)
Security (from a full repo audit)
- Unicode confusable fold hardened — broadened the fold to close a homoglyph bypass outside the Cyrillic/Greek core (the Latin script-g
ɡ, U+0261), and made the safe view stop Latinizing/normalizing benign non-Latin page text (it now folds only to detect a fence/role forgery and neutralizes the exact original span). - Shadow DOM / declarative templates / pseudo-element capture — the live backend now descends open shadow roots and reads
::before/::aftercontent, so an injection planted there is no longer captured as zero nodes; the replay oracle sees that visible content too. (#25) - HTTP transport refuses an unauthenticated non-loopback bind — a
0.0.0.0bind with no bearer token would be an open, unauthenticated governed browser; it now throws unless a token is set orallowInsecureis passed. - Underlying confusables and Shadow-DOM-capture fixes (#24, #25), plus test coverage for the WardenClient escalation path and the split-trifecta quarantine branch.
Published to npm via OIDC trusted publishing. Full test suite green on Node 20 and 22.
Full changelog: https://github.com/askalf/fieldpass/blob/main/CHANGELOG.md