Releases · gethasp/hasp · GitHub

10 Jun 19:09

v1.0.36 Latest

Latest

[v1.0.36]

Return standard MCP CallToolResult envelopes for tools/call, including
text content and structured payloads, so strict clients such as Codex can
execute HASP tools without Unexpected response type failures.
Extend MCP tests and the release gate to require the tool-call envelope before
a release can ship.

Assets 30

hasp-release-public-key.asc

sha256:1bce3b9e70a2e0c5dc5659ac3b4f1738971f3360be811b7b86514a565f050fed

449 Bytes 2026-06-10T19:09:24Z
hasp-v1.0.36-darwin-amd64.tar.gz

sha256:c57752d0eed8f99fa6e4e7e1d881d722163c4c34d6cd0db6b658c9750056314e

4.75 MB 2026-06-10T19:09:24Z
hasp-v1.0.36-darwin-amd64.tar.gz.sig

sha256:f7ddb76339116e28edc97d350ac52850271c95cd88fc1408188e35f6a472d53e

64 Bytes 2026-06-10T19:09:24Z
hasp-v1.0.36-darwin-arm64.tar.gz

sha256:c890e718c396370cec7953831dd9a68b41add876df15031a7b330d4eb9aa7b88

4.34 MB 2026-06-10T19:09:24Z
hasp-v1.0.36-darwin-arm64.tar.gz.sig

sha256:338f1820edfea4e59d0fbf49534f7b966a0b3dfe8044552586e30c7ed77d1e4c

64 Bytes 2026-06-10T19:09:24Z
hasp-v1.0.36-linux-amd64.tar.gz

sha256:ceba2e27b8808ef33574843723f80f2f7120436e39dd39f86aaab38ab39d2dae

4.72 MB 2026-06-10T19:09:24Z
hasp-v1.0.36-linux-amd64.tar.gz.sig

sha256:fa8e115add2f64b730160c5399cb32024ca084d91fa8d0e935255b996176fc6c

64 Bytes 2026-06-10T19:09:24Z
hasp-v1.0.36-linux-arm64.tar.gz

sha256:12656d434699921904cee08b6ebf1173135510f2bae3f2657551c46d59d5c805

4.23 MB 2026-06-10T19:09:24Z
hasp-v1.0.36-linux-arm64.tar.gz.sig

sha256:53960ab09b45500e1cc359db44f6643fe726c86222fb97d35db6361ec914bd09

64 Bytes 2026-06-10T19:09:24Z
hasp_1.0.36_darwin_amd64.tar.gz

sha256:c57752d0eed8f99fa6e4e7e1d881d722163c4c34d6cd0db6b658c9750056314e

4.75 MB 2026-06-10T19:09:24Z
Source code (zip)

2026-06-10T18:10:40Z
Source code (tar.gz)

2026-06-10T18:10:40Z

08 Jun 17:16

v1.0.35

[v1.0.35]

Add the Agent Cookie comparison page to the public competition matrix.
Classify cookies, browser storage, and browser session state as high-risk
manifest material.
Allow value-free browser_session requirement declarations while rejecting
manifest target delivery until HASP has an explicit high-risk capability path.
Reject raw cookie, localStorage, IndexedDB, and browser-session value fields
in repo manifests.

Assets 30

03 Jun 22:30

v1.0.34

[v1.0.34]

Prevent managed Claude Code and Codex CLI MCP wrappers from being pinned to
stale HASP_AGENT_HASP binaries, and make the release gate fail when
generated MCP configs or wrapper ordering could shadow the managed binary.
Make hasp_run release-gate coverage execute through a managed wrapper with
a deliberately stale inherited HASP_SESSION_TOKEN, proving MCP session
recovery before a tag ships.
Teach hasp doctor and the MCP release gate to detect already-running stale
agent MCP bridge processes, report exact PIDs, and tell operators to restart
the affected agent session instead of retrying a dead MCP connection.

Assets 30

03 Jun 17:53

v1.0.33

[v1.0.33]

Recover MCP tool calls from stale inherited HASP_SESSION_TOKEN values,
including sessions that no longer exist or point at a different project.
Keep explicit MCP session_token values fail-closed while returning a clear
diagnostic that tells agents to omit stale explicit tokens and let HASP open a
fresh local MCP session.
Restore release-blocking 100% Go statement coverage after the MCP hardening
work and refresh the public export mirror.
Raise Go modules to 1.26.4 to clear current Go stdlib OSV advisories before
release.

Assets 30

28 May 07:11

v1.0.32

[v1.0.32]

Ship credential sets in value-free manifests, including schema validation for
google_oauth_client, set-role target delivery through from_set and
role, project command output, MCP target metadata, brokered execution, and
regression coverage.

Assets 30

28 May 05:54

v1.0.31

[v1.0.31]

Document the scoped credential-set model for coupled credentials such as
Google OAuth client IDs and client secrets, including the interim value-free
manifest pattern to use before credential sets ship.
Restore and verify the source 100% coverage gate after the manifest-target
hardening work by adding focused coverage and removing unreachable branches.

Assets 30

28 May 02:18

v1.0.30

[v1.0.30]

Add value-free repo manifest target authoring and review commands through
hasp project target ... and the hasp template ... alias, so agents can
request brokered workflows without storing raw secret values in the repo.
Require local target review before hasp run --target,
hasp inject --target, hasp write-env --target, MCP target execution, or
hasp app connect --target can authorize refs or seed runtime profiles.
Improve project binding diagnostics so hasp doctor, manifest-backed
secret flows, and hasp secret add --expose distinguish unbound repos from
bindings that point at missing vault items.

Assets 30

26 May 18:36

v1.0.29

[v1.0.29]

Add hasp audit recover so operators can archive a degraded audit log,
emit a recovery report, and start a fresh tamper-evident chain without
rewriting historical entries.
Document the degraded audit-log recovery workflow in the quickstart and
generated CLI reference.

Assets 30

26 May 08:31

v1.0.28

[v1.0.28]

Distinguish missing named references from existing vault items that are not
exposed to the current project, with specific CLI and MCP recovery metadata.
Keep default MCP secret tooling safe-by-default while documenting the explicit
operator path for exposing existing vault items to a repo.
Add release-blocking web dependency audit coverage and patch the vulnerable
ws transitives in the private docs toolchain.
Rotate download Worker release pins through secrets by default, avoiding
route-aware Worker deploys unless explicitly requested.

Assets 30

25 May 22:51

v1.0.27

[v1.0.27]

Accept trailing known flags across the remaining hasp secret subcommands,
including hasp secret add NAME --from-stdin --expose=never --json.
Track the next surgical release-hardening work for vulnerable web-toolchain
transitives, package-manager audit gates, and Node deprecation warnings.

Assets 30