ToolPin 0.4.0 — pin what the agent sees
ToolPin 0.4.0 turns the lockfile into a full drift gate for what your agent actually sees: tool input schemas are now pinned, one command scaffolds CI protection, and the lockfile format ships as a vendor-neutral draft specification.
Highlights
- Input-schema pinning (rug-pull defense). The live tool-surface hash (
toolSurfaceHash) now covers tool names, descriptions, and input schemas. A server that quietly widens a tool's parameters after you approved it fails your build. Legacy locks keep working with a CI advisory to re-lock. - One command to protected.
toolpin init ciwrites a minimal least-privilege GitHub workflow (checkout SHA-pinned) plus a starter policy (toolpin policy init --recommended) — a repo goes from nothing to an enforced lockfile gate in under five minutes. - Three-verdict output. Every server is
verified,needs-review, orblocked, with the reason.--explainrestores the full evidence detail; JSON output addsverdictwithout removing any existing field. - Hardened GitHub Action.
strictpreset,doctor: auto|true|false, SARIF output, Marketplace branding, fail-closed input conflict handling, all inputs env-mediated. ci --json+ checklist. Machine-readable CI results (ok/checkedEntries/failures[]with remediation) and a per-protection checklist in human output.- MCP Install Lockfile spec v1.0 (draft). A vendor-neutral specification with JSON Schemas, byte-exact test vectors, and conformance classes — shipped in the npm tarball so other tools can produce, read, and enforce the same format.
Security
- Live probes spawn MCP servers with a minimal env allowlist instead of the caller's full
process.env(no moreGITHUB_TOKEN/cloud-credential exposure to probed packages). - Registry ingestion and non-loopback remote probes go through an SSRF firewall: HTTPS-only, no redirects, public addresses only, DNS answers pinned into the socket (rebinding TOCTOU closed).
- Verification never executes package targets implicitly — live spawning now requires the explicit
--allow-executeflag (Action inputallow-execute: "true"). - Registry-carried evidence is read as a claim, never proof:
verifiedtier requires this installation's own recompute. install/removerefuse to overwrite a client config that is not valid JSON.
Full details in CHANGELOG.md.
Install
npm install -g @proofofwork-agency/toolpin
toolpin init ci- uses: proofofwork-agency/toolpin@v0.4.0