Skip to content

v0.3.0

Choose a tag to compare

@askalf askalf released this 11 Jul 03:50
7ee0222

@askalf/fieldpass v0.3.0

Added

  • Replay-verification oracle over MCPpicket_verify / picket_snapshot / picket_replay. The deterministic anti-fabrication gate (re-capture the real page, check claims / snapshot goldens / detect a clean→injection regression) is now reachable from any MCP client, not just as a JS import. No withheld excerpt ever crosses the wire. (#26)

Security (from a full repo audit)

  • Unicode confusable fold hardened — broadened the fold to close a homoglyph bypass outside the Cyrillic/Greek core (the Latin script-g ɡ, U+0261), and made the safe view stop Latinizing/normalizing benign non-Latin page text (it now folds only to detect a fence/role forgery and neutralizes the exact original span).
  • Shadow DOM / declarative templates / pseudo-element capture — the live backend now descends open shadow roots and reads ::before/::after content, so an injection planted there is no longer captured as zero nodes; the replay oracle sees that visible content too. (#25)
  • HTTP transport refuses an unauthenticated non-loopback bind — a 0.0.0.0 bind with no bearer token would be an open, unauthenticated governed browser; it now throws unless a token is set or allowInsecure is passed.
  • Underlying confusables and Shadow-DOM-capture fixes (#24, #25), plus test coverage for the WardenClient escalation path and the split-trifecta quarantine branch.

Published to npm via OIDC trusted publishing. Full test suite green on Node 20 and 22.

Full changelog: https://github.com/askalf/fieldpass/blob/main/CHANGELOG.md