Releases: askalf/picket
v0.2.0
The complete prototype→product roadmap since the initial release: LLM-judge escalation, an MCP server, a persona context broker, a replay-verification oracle, canon-pinnable browser skills, and a hardened firewall core.
Added
- LLM-judge escalation tier — a configurable Claude backend reviews only the ambiguous residue the deterministic detector can't rule on, with confidence calibration and a message-id round-trip fix (#1), plus a content-keyed verdict cache (bounded LRU, fail-safe) to cut repeat LLM calls (#3). Escalate-only and inert on error.
- MCP server — `picket_observe` / `picket_gate` / `picket_login` exposed over stdio via the `picket-mcp` entrypoint, so any MCP client gets the governed browser (#4). Observe returns verdict and finding categories only — withheld excerpts never cross the wire.
- ContextBroker — a pool of isolated, keeper-backed persona contexts on one shared browser: login-once per persona, LRU eviction, and non-destructive teardown (disconnect, never close) (#5).
- Replay-verification oracle — a deterministic snapshot / diff / claim-verification gate that culls fabricated "the page shows X" claims without an LLM, and flags clean-golden → injection regressions (#6).
- Canon browser skills — record a governed session and emit it as a canon-pinnable, deterministically replayable skill manifest; secrets are redacted and the sha256 skill hash matches canon's pin (#7).
- npm publish workflow and `publishConfig.access: public` (#10).
Fixed
- Firewall + action-gate hardening (#2): `observe()` now prefers the live CDP bridge over the static parser when both are available; cross-node split-trifecta detection catches legs scattered across sibling nodes; the gate default-denies unknown action types; credential typing is inferred from field shape even without the flag; the nav allowlist matches `hostname` (not host:port); and `data:` / `javascript:` / `blob:` URLs count as exfil sinks.
- Live CDP capture parity (#8): low-contrast hidden text uses the same color-distance threshold as the static backend, and `value` attributes are scanned — closing two evasions that only affected the live path.
- The oracle reuses the detector's canonical action lattice instead of a local copy (#9).
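
As an added illustration (not picket's own code), this sketch models three of the gate rules listed under #2: default-deny for unknown action types, allowlist matching on hostname rather than host:port, and `data:` / `javascript:` / `blob:` URLs treated as exfil sinks. The function name, action shape, action-type set, and reason strings are hypothetical.

```javascript
// Added sketch; not picket's source. All identifiers here are hypothetical.
const KNOWN_ACTIONS = new Set(["navigate", "click", "type"]);
const SINK_SCHEMES = new Set(["data:", "javascript:", "blob:"]);

function gateAction(action, allowlist) {
  // Default-deny: an action type the gate does not recognise is refused.
  if (!action || !KNOWN_ACTIONS.has(action.type)) {
    return { allow: false, reason: "unknown-action-type" };
  }
  // This sketch only models the navigation checks; other action types
  // would get their own checks in a real gate.
  if (action.type !== "navigate") {
    return { allow: true, reason: "not-a-navigation" };
  }
  let url;
  try {
    url = new URL(action.url);
  } catch {
    return { allow: false, reason: "unparseable-url" };
  }
  // These schemes carry their payload in the URL itself, so no hostname
  // allowlist can vouch for them; treat them as sinks.
  if (SINK_SCHEMES.has(url.protocol)) {
    return { allow: false, reason: "exfil-sink-scheme" };
  }
  // url.host includes the port ("example.test:8443"); url.hostname does not.
  // Comparing hostname keeps one allowlist entry valid across ports.
  if (allowlist.has(url.hostname.toLowerCase())) {
    return { allow: true, reason: "allowlisted-hostname" };
  }
  return { allow: false, reason: "hostname-not-allowlisted" };
}

// Constructed sample input (not taken from any real session).
const sampleAllowlist = new Set(["example.test"]);
const sampleActions = [
  { type: "navigate", url: "https://example.test:8443/inbox" },
  { type: "navigate", url: "https://other.test/collect?d=1" },
  { type: "navigate", url: "data:text/html,<p>x</p>" },
  { type: "upload", url: "https://example.test/" },
];
for (const a of sampleActions) {
  console.log(a.type, a.url, gateAction(a, sampleAllowlist));
}
```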
Docs
- README repositioned: picket is a standalone Own Your Stack tool that composes with the warden · canon · keeper trilogy (#11).
Full changelog: v0.1.0...v0.2.0
v0.1.0
First tagged release. A governed agentic browser — an indirect-prompt-injection firewall, an action gate, and an LLM judge between the agent and the open web, plus a verdict cache and an MCP server (picket_observe / gate / login). Part of the Own Your Stack agent-security stack.