Releases: proofofwork-agency/toolpin
Releases · proofofwork-agency/toolpin
Release list
ToolPin 0.5.4
Hardening release: the claim-backed tier acceptance introduced in 0.5.3 was put through an adversarial review; every finding is addressed.
Fixed
- Locked-side anchoring — the gate now only accepts a recorded
verifiedtier on the basis of claims the lock actually earned with local verification (passed+verifiedByToolPin+trustedAnchor). Registry-declared or unavailable locked evidence no longer qualifies. - Exact claim-set comparison — for every locked evidence code the current resolution declares, the claim sets must match exactly. A registry declaring extra claims for the same artifact code (old and new SRI side by side) now reads as drift instead of slipping through subset membership.
- Unobservable is explicit — evidence codes the current resolution does not declare at all are treated as unobservable without
--verify: accepted by default, refused under--strict-tier, never silently matched. - Evidence dedupe — trust-evidence deduplication now includes the integrity claim in its identity key, so entries differing only by claim are no longer collapsed.
- Warning noise — the stale registry-cache warning prints once per run instead of once per cache read.
Notes
- Semantics documented in Catch drift in CI → Trust tiers without --verify.
- Release gate: 365 tests (4 new adversarial cases),
self:doctor,self:ci,docs:check, Docusaurus build, curated-registry check,npm auditclean, pack dry-run verified (76 files). - Published to npm with provenance:
@proofofwork-agency/toolpin@0.5.4
ToolPin 0.5.3
Bug-fix release: toolpin ci no longer permanently fails verified-tier lock entries on unverified runs.
Fixed
toolpin ciwithout--verifyfailed every lock entry recorded at theverifiedtier with a misleadingtrust tier decreased verified -> conditional. Since 0.4.0, registry-declared evidence is a claim rather than proof, so an unverified run recomputes trust withverifiedByToolPin: falseand can never re-derive a locally earnedverifiedtier — but the frozen-lock comparison still measured the recorded tier against that weaker recomputation. The gate now compares the locked artifact integrity claims (npm SRI, OCI digest, MCPB hash) against the current resolution: unchanged claims are accepted as "no drift"; changed or missing claims still fail, and now say why. This also fixes the composite Action's default invocation (toolpin ci --live) for verified-tier locks.
Added
toolpin ci --strict-tier— refuse claim-backed tier acceptance: verified-tier entries then fail unless the run re-earns them with--verify. The lenient-on-unchanged-claims behavior remains the default. Semantics documented in Catch drift in CI.
Notes
- Tier drift messages now state the reason: artifact claims changed, no claims to compare, or the run could not re-verify (with the flag that fixes it).
- Release gate: 361 tests (6 new for the tier semantics),
self:doctor,self:ci,docs:check, Docusaurus build, curated-registry check,npm auditclean, pack dry-run verified (76 files). - Published to npm with provenance:
@proofofwork-agency/toolpin@0.5.3
ToolPin 0.5.2
Patch release: repo hygiene fixes discovered in post-release review of 0.5.1.
Fixed
.gitignorenegation ordering. A cleanup in the 0.5.1 cycle alphabetically sorted.gitignore, which moved the!.env.exampleand!.codex/config.tomlexceptions ahead of the.env.*and.codex/*rules they carve out. Gitignore is last-match-wins, so both negations were silently disabled. Section ordering is restored with negations after their globs; the effective ignore set is otherwise unchanged.- npm package README. The immutable 0.5.1 tarball README still referenced internal launch-preparation materials that had been removed from the repository. The 0.5.2 README drops those references.
- Docs consistency. Action examples across README and docs now pin
proofofwork-agency/toolpin@v0.5.2.
Notes
- v0.5.1 was published to npm but intentionally has no GitHub Release page; its changes are documented in CHANGELOG.md.
- Release gate: 355/355 tests,
self:doctor,self:ci,docs:check, Docusaurus build, curated-registry check,npm auditclean (0 vulnerabilities), pack dry-run verified (76 files). - Published to npm with provenance:
@proofofwork-agency/toolpin@0.5.2
ToolPin v0.5.0
ToolPin v0.5.0
Node 24 runtime lane for issue #7.
Changed
- ToolPin now requires Node.js 24 or newer.
- Runtime dependencies align to
undici@7.28.0,@types/node@24.13.3, and TypeScript 6.0.3. - CI, release workflow, and the composite GitHub Action now set up Node 24.
safeFetchkeeps DNS-pinned undici dispatch with a narrow type-boundary adapter.- Lock-signature key fingerprints now normalize to public SPKI DER before hashing.
- Docs explain how projects on Node 18/20/22 can keep app/test jobs unchanged by running ToolPin in a separate CI job or final step.
- Dependabot now allows minor/patch updates on adopted runtime lanes and defers future incompatible majors.
- Launch docs include opt-in-only adoption candidates; no automated third-party PRs without approval.
Verification
npm run release:checkpassed under Node 24 in GitHub Actions.- npm publish completed with provenance.
Closes #7.
ToolPin 0.4.0 — pin what the agent sees
ToolPin 0.4.0 turns the lockfile into a full drift gate for what your agent actually sees: tool input schemas are now pinned, one command scaffolds CI protection, and the lockfile format ships as a vendor-neutral draft specification.
Highlights
- Input-schema pinning (rug-pull defense). The live tool-surface hash (
toolSurfaceHash) now covers tool names, descriptions, and input schemas. A server that quietly widens a tool's parameters after you approved it fails your build. Legacy locks keep working with a CI advisory to re-lock. - One command to protected.
toolpin init ciwrites a minimal least-privilege GitHub workflow (checkout SHA-pinned) plus a starter policy (toolpin policy init --recommended) — a repo goes from nothing to an enforced lockfile gate in under five minutes. - Three-verdict output. Every server is
verified,needs-review, orblocked, with the reason.--explainrestores the full evidence detail; JSON output addsverdictwithout removing any existing field. - Hardened GitHub Action.
strictpreset,doctor: auto|true|false, SARIF output, Marketplace branding, fail-closed input conflict handling, all inputs env-mediated. ci --json+ checklist. Machine-readable CI results (ok/checkedEntries/failures[]with remediation) and a per-protection checklist in human output.- MCP Install Lockfile spec v1.0 (draft). A vendor-neutral specification with JSON Schemas, byte-exact test vectors, and conformance classes — shipped in the npm tarball so other tools can produce, read, and enforce the same format.
Security
- Live probes spawn MCP servers with a minimal env allowlist instead of the caller's full
process.env(no moreGITHUB_TOKEN/cloud-credential exposure to probed packages). - Registry ingestion and non-loopback remote probes go through an SSRF firewall: HTTPS-only, no redirects, public addresses only, DNS answers pinned into the socket (rebinding TOCTOU closed).
- Verification never executes package targets implicitly — live spawning now requires the explicit
--allow-executeflag (Action inputallow-execute: "true"). - Registry-carried evidence is read as a claim, never proof:
verifiedtier requires this installation's own recompute. install/removerefuse to overwrite a client config that is not valid JSON.
Full details in CHANGELOG.md.
Install
npm install -g @proofofwork-agency/toolpin
toolpin init ci- uses: proofofwork-agency/toolpin@v0.4.0ToolPin 0.3.2
- TUI trust labels: clarify that
REVIEWmeans missing, stale, unavailable, or only-declared ToolPin-verified npm, OCI, or MCPB artifact proof. - TUI overview: label the upper metadata block as a registry summary and separate it from verification gates.
- Docs: surface
toolpin interactive/tpn iin the Docusaurus introduction and document the TUI evidence/status meanings explicitly. - Release hygiene: version bump 0.3.1 -> 0.3.2 for the public-launch clarity pass.
ToolPin 0.3.1
ToolPin 0.3.1 is a patch release for the new interactive CLI release line.
Changes:
- Publishes the npm-normalized bin paths for
toolpinandtpn. - Updates the publish-target validation to accept the normalized package metadata.
- Updates README and CI docs examples to use
proofofwork-agency/toolpin@v0.3.1. - Carries forward the
toolpin interactive/tpn iguided CLI mode from v0.3.0.
Validation:
npm run release:checkpassed locally via pre-publish evidence report.- GitHub CI passed for commit
526845f. - GitHub Release workflow published
@proofofwork-agency/toolpin@0.3.1with provenance.
ToolPin 0.3.0
Highlights
- Added
toolpin interactive [query]andtoolpin i [query]/tpn i [query]as a scrollback-friendly guided install flow. - Added reviewed command previews, explicit write confirmation,
--no-inputguidance, and color handling that respectsNO_COLOR,FORCE_COLOR, and--color. - Preserved machine-readable CLI behavior for
--jsonand--sarif, including no ANSI output by default. - Kept the full-screen TUI separate while moving its trust legend above the final shortcut/copyright footer row.
- Tightened CLI flag validation and command-specific help coverage.
Validation
npm run release:checkpassed.- Release evidence:
.codex/pre-publish-review/20260629T112851Z.md npm pack --dry-runpassed for@proofofwork-agency/toolpin@0.3.0.
v0.2.5
- Release hygiene: version bump 0.2.4 -> 0.2.5 for the post-release TUI polish.
- TUI UX: give trust legend swatches horizontal spacing, add vertical breathing room to the footer hotkey row, and anchor the trust legend at the bottom-right of the footer.
- Dogfood: keep the release pipeline gated by
toolpin ciagainst this repo's ownmcp-lock.json.
v0.2.4
- Release hygiene: version bump 0.2.3 -> 0.2.4 because 0.2.3 was already published.
- Package hygiene: clean
dist/before every TypeScript build so removed generated files cannot be packed into npm tarballs. - TUI command help: align the command palette with the actual broad registry refresh settings and the preferred
toolpin audit server <server-name>syntax. - Docs/readme polish: update public Action examples, package-facing README resource links, registry mirror URLs, roadmap/threat-model scope, and README terminal artwork for the live npm release.
- Action metadata: remove pre-publication wording from the
toolpin-versioninput description.