Skip to content

ToolPin 0.4.0 — pin what the agent sees

Choose a tag to compare

@nillo nillo released this 08 Jul 10:47
a6db980

ToolPin 0.4.0 turns the lockfile into a full drift gate for what your agent actually sees: tool input schemas are now pinned, one command scaffolds CI protection, and the lockfile format ships as a vendor-neutral draft specification.

Highlights

  • Input-schema pinning (rug-pull defense). The live tool-surface hash (toolSurfaceHash) now covers tool names, descriptions, and input schemas. A server that quietly widens a tool's parameters after you approved it fails your build. Legacy locks keep working with a CI advisory to re-lock.
  • One command to protected. toolpin init ci writes a minimal least-privilege GitHub workflow (checkout SHA-pinned) plus a starter policy (toolpin policy init --recommended) — a repo goes from nothing to an enforced lockfile gate in under five minutes.
  • Three-verdict output. Every server is verified, needs-review, or blocked, with the reason. --explain restores the full evidence detail; JSON output adds verdict without removing any existing field.
  • Hardened GitHub Action. strict preset, doctor: auto|true|false, SARIF output, Marketplace branding, fail-closed input conflict handling, all inputs env-mediated.
  • ci --json + checklist. Machine-readable CI results (ok / checkedEntries / failures[] with remediation) and a per-protection checklist in human output.
  • MCP Install Lockfile spec v1.0 (draft). A vendor-neutral specification with JSON Schemas, byte-exact test vectors, and conformance classes — shipped in the npm tarball so other tools can produce, read, and enforce the same format.

Security

  • Live probes spawn MCP servers with a minimal env allowlist instead of the caller's full process.env (no more GITHUB_TOKEN/cloud-credential exposure to probed packages).
  • Registry ingestion and non-loopback remote probes go through an SSRF firewall: HTTPS-only, no redirects, public addresses only, DNS answers pinned into the socket (rebinding TOCTOU closed).
  • Verification never executes package targets implicitly — live spawning now requires the explicit --allow-execute flag (Action input allow-execute: "true").
  • Registry-carried evidence is read as a claim, never proof: verified tier requires this installation's own recompute.
  • install/remove refuse to overwrite a client config that is not valid JSON.

Full details in CHANGELOG.md.

Install

npm install -g @proofofwork-agency/toolpin
toolpin init ci
- uses: proofofwork-agency/toolpin@v0.4.0