v0.2.0

@askalf askalf released this 02 Jul 00:32
07ba074

The complete prototype→product roadmap since the initial release: LLM-judge escalation, an MCP server, a persona context broker, a replay-verification oracle, canon-pinnable browser skills, and a hardened firewall core.

Added

  • LLM-judge escalation tier — a configurable Claude backend reviews only the ambiguous residue the deterministic detector can't rule on, with confidence calibration and a message-id round-trip fix (#1), plus a content-keyed verdict cache (bounded LRU, fail-safe) to cut repeat LLM calls (#3). Escalate-only and inert on error.
  • MCP server: picket_observe / picket_gate / picket_login exposed over stdio via the picket-mcp entrypoint, so any MCP client gets the governed browser (#4). Observe returns verdict and finding categories only — withheld excerpts never cross the wire.
  • ContextBroker — a pool of isolated, keeper-backed persona contexts on one shared browser: login-once per persona, LRU eviction, and non-destructive teardown (disconnect, never close) (#5).
  • Replay-verification oracle — a deterministic snapshot / diff / claim-verification gate that culls fabricated "the page shows X" claims without an LLM, and flags clean-golden → injection regressions (#6).
  • Canon browser skills — record a governed session and emit it as a canon-pinnable, deterministically replayable skill manifest; secrets are redacted and the sha256 skill hash matches canon's pin (#7).
  • npm publish workflow and publishConfig.access: public (#10).

Fixed

  • Firewall + action-gate hardening (#2): observe() now prefers the live CDP bridge over the static parser when both are available; cross-node split-trifecta detection catches legs scattered across sibling nodes; the gate default-denies unknown action types; credential typing is inferred from field shape even without the flag; the nav allowlist matches hostname (not host:port); and data: / javascript: / blob: URLs count as exfil sinks.
  • Live CDP capture parity (#8): low-contrast hidden text uses the same color-distance threshold as the static backend, and value attributes are scanned — closing two evasions that only affected the live path.
  • The oracle reuses the detector's canonical action lattice instead of a local copy (#9).
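
An added example, not picket's own code, sketching three behaviours from the firewall + action-gate hardening item (#2) above: default-deny for unknown action types, allowlist matching on the parsed hostname rather than host:port, and data: / javascript: / blob: URLs treated as exfil sinks. The function names, action shapes and allowlist entries are assumptions made for illustration.

```javascript
// Hypothetical gate sketch; gateAction, checkNavigation and the action
// shape { type, url } are illustrative names, not picket's API.
const ALLOWED_HOSTS = new Set(["example.com", "docs.example.com"]); // constructed sample
const SINK_SCHEMES = new Set(["data:", "javascript:", "blob:"]);
const KNOWN_ACTIONS = new Set(["navigate", "click", "type"]);

function checkNavigation(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // parse first; never match on the raw string
  } catch {
    return { allow: false, reason: "unparseable-url" };
  }
  // Schemes that can carry page content out without a network host.
  if (SINK_SCHEMES.has(url.protocol)) {
    return { allow: false, reason: "exfil-sink-scheme" };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { allow: false, reason: "unsupported-scheme" };
  }
  // url.host includes the port ("example.com:8443"); url.hostname does not.
  // Comparing hostname keeps one allowlist entry valid for every port.
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return { allow: false, reason: "host-not-allowlisted" };
  }
  return { allow: true, reason: "allowlisted" };
}

function gateAction(action) {
  // Default-deny: anything not explicitly known is refused.
  if (!action || !KNOWN_ACTIONS.has(action.type)) {
    return { allow: false, reason: "unknown-action-type" };
  }
  if (action.type === "navigate") return checkNavigation(action.url);
  // Checks for click/type (e.g. credential fields) are out of scope here.
  return { allow: true, reason: "known-action" };
}
```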

Docs

  • README repositioned: picket is a standalone Own Your Stack tool that composes with the warden · canon · keeper trilogy (#11).

Full changelog: v0.1.0...v0.2.0