v1.0.0
First stable release. No new core features over 0.3.0 — v1 is the
distribution-hygiene, self-credentialing, and documentation hardening of an already
v1-strong foundation. Highlights of the 0.3.0 → 1.0.0 arc:
Added
- Sigstore keyless signing + verification of
warden.lockviapin --signand
check --verify(opt-inmcp-warden-cli[sigstore]extra). The tool now signs its own
release artifacts, not just others' locks. (#16) - Deterministic structural JSON-Schema diffing for tool
inputSchemachanges:
each security-relevant mutation (required dropped, enum widened/removed, type
broadened, constraint relaxed,additionalPropertiesopened) is classified
per-fact asWRD-DRIFT-SCHEMA-*instead of one opaque change. (#15) - In-document
$refresolution in the schema differ, so$reftargets are diffed
structurally instead of reported as an opaque leaf. (#29) - Official composite GitHub Action wrapping
mcp-warden checkwith SARIF upload to
code scanning; all runtime deps hash-locked inaction/requirements.lock. (#18) - pre-commit hook (
mcp-warden-check) running the identical drift verdict locally,
with a--strictfail-closed mode and a pre-push variant. (#22) --strictfail-closed mode for theguardproxy: an internal inspection error
terminates the session (exit 3,-32003) instead of failing open. (#21)warden diff: offline, redacted, human-readable comparison of two locks over the
drift engine — never re-captures, never prints rawserver.command/args. (#20)- Structured provenance metadata +
warden lock rotate: re-attest a baseline's
provenance without re-capturing the surface (overall_digeststays byte-identical).
(#19) - Property-based fuzzing (Hypothesis) of the guard stdio framer, ANSI stripper,
exfil-domain matcher, and secret redactor undertests/fuzz/. (#17) --strict-frame-cap: fail-closed on over-cap server→client result frames. (#37)- Raw-IP-literal exfil/SSRF matching (D6): deterministic matching of exfil-domain
rules against raw IPv4/IPv6 literal hosts, closing the IP-literal bypass of the
domain matcher. (#54) guardstartup posture banner reporting the active enforcement stance
(active / monitor / inactive, derived from the liveBLOCK_RULES), plus a
fail-closed refusal (exit 2) on non-POSIX / degraded platforms unless explicitly
overridden. (#57)- Vendor-neutral MCP Lock Format v1 spec (
docs/SPEC.md) and an education-first
docs site with an honest comparison page. (#46, #47, #48, #50) - MCP Lock Format v1 compatibility & versioning policy (
docs/SPEC.md §14) plus a
THREAT_MODEL.md §5.3self-bypass section (signed-lock replay, SARIF suppression,
JCS canonicalization edge cases). (#56) - Hash-pinned dev/CI lockfile (
requirements-dev.lock) and a documented
dependency-update policy inSECURITY.md, so the toolchain that builds a
supply-chain gate is itself pinned. (#59, closes #14) - Release-on-publish GitHub workflow with OIDC trusted publishing to PyPI and
self Sigstore signing of the release artifacts, plus aRELEASING.mdrunbook. (#58)
Changed
- Distribution name
mcp-warden-cli. The PyPI distribution name ismcp-warden-cli
becausemcp-wardenis taken on PyPI by an unrelated package, and PyPI rejects
mcpwardenas "too similar" to it (separator-stripping collapses both to the same
string).mcp-warden-clinormalizes to letters-onlymcpwardencli, which is
distinct. The CLI command (mcp-warden) and repo are unchanged. (#55) - README repositioned around the lockfile / CI-gate category claim, with the
stdio-transport scope surfaced in the opening paragraph and a "Who it's for"
use-cases section (author-flagship first). (#45, #49, #55)
Fixed
redact_secretnever discloses more than half of a detected secret. (#38)- Removed the install hazard: every
pip install mcp-wardensnippet (README, docs
site, example workflows) now installsmcp-warden-cli. The README carries a prominent
impostor-warning banner. (#55) - Corrected the
SPEC.mdworked-exampleschema_versionfrom1to3to match the
liveSCHEMA_VERSION. (#56)