# Changelog

The authoritative changelog lives in the source repository at `CHANGELOG.md`. The summary below tracks the user-facing changes that shape this documentation; see the upstream file for the complete per-PR entries.
## Unreleased
No changes yet.
## 0.17.0 (2026-05-21)

This release migrates the bundled vulnerability-verification playbooks from a filesystem-installed `.claude/skills/` skill tree to MCP Prompts delivered over the standard `prompts/list` / `prompts/get` surface. The `yorishiro-proxy install skills` subcommand and the `--skills-dir` flag are removed -- after upgrading, the same nine playbooks become visible to your MCP host automatically on next connect, with no install step.
### Added

- MCP Prompts: nine vulnerability-verification playbooks -- `verify-idor`, `verify-sqli`, `verify-xss`, `verify-csrf`, `audit-auth`, `fuzz-endpoint`, `replay-with-mods`, `capture-traffic`, `stateful-fuzz-loop` are now served via the MCP `prompts/list` / `prompts/get` surface (USK-949 / #28). Hosts that surface prompts (Claude Code, Claude Desktop, ...) see them automatically on connect. See MCP prompts.
- `proxy_start` reset semantics + partial-update guidance -- the `proxy_start` tool description, JSON Schema, and help resource now spell out that each call fully resets prior session settings, and document the recommended "initialize with `proxy_start`, update with `configure`" pattern (#29).
- `grpc_schema` MCP tool -- register `.proto` schemas via descriptor-set upload, host `protoc`, or reflection-based discovery (USK-923 / USK-926 / USK-927 / USK-928 / USK-933). Unlocks `body_decoded_encoding="proto-json"` on `query` and `body_encoding="proto-json"` on `resend_grpc`. See grpc_schema.
- TCP forward L7 dispatch -- `tcp_forwards[]` entries gain `upstream_tls`, `upstream_insecure_skip_verify`, and an `sse` protocol value. The full TLS × UpstreamTLS matrix is documented on proxy_start and config_file (USK-911 .. USK-918).
- Wire-level overlay envelopes -- `h1-chunk`, `h2-frame`, `grpc-lpm-frame`, `grpcweb-base64` rows surface via `filter.wire_level` on `query` and `manage.export_flows` for forensic export (USK-895 / USK-896 / USK-897 / USK-899 / USK-932).
- `max_concurrent_streams` end-to-end -- HTTP/2 `SETTINGS_MAX_CONCURRENT_STREAMS` is exposed via `proxy_start` / `configure`, the `-max-concurrent-streams` CLI flag, and the `YP_MAX_CONCURRENT_STREAMS` env var (USK-862). Default raised 100 -> 500.
- `query` body inclusion controls -- `include_bodies` and `body_max_bytes` parameters opt in to body payloads with a per-call size cap.
- Per-protocol intercept hold/timeout overrides -- `intercept_queue.protocol_overrides` lets operators set distinct `hold_timeout` and `timeout_behavior` per canonical `envelope.Protocol`. WS / SSE / gRPC / gRPC-Web default raised 8 s -> 60 s (USK-855).
- WS hold-window keepalive injection -- the WS Layer injects synthetic ping frames toward the upstream while a frame is held in intercept review (USK-854).
- Linux NSSDB CA registration in `setup` -- `install ca --trust` now registers the proxy CA into the per-user NSSDB so Chromium/Firefox trust intercepted traffic without a manual `certutil` step (USK-857).
- `proxy_start` listen-address collision detection -- `listen_addr` and `tcp_forwards` ports are checked before bind, with rollback on any partial-bind failure.
- HTTP/2 extended CONNECT -- ServerRole mirrors the upstream's `SETTINGS_ENABLE_CONNECT_PROTOCOL`, enabling RFC 8441 extended `CONNECT` end-to-end.
- HTTPMessage anomalies on Flow rows -- parser-detected anomalies persist on the flow row and surface through `query`.
### Changed

- HTTP/2 `SETTINGS_MAX_CONCURRENT_STREAMS` default raised 100 -> 500 (USK-862).
- WS / SSE intercept hold-timeout default raised 8 s -> 60 s (USK-855 / #860).
- HTTP/1 and WS layers wire `StateReleaser.ReleaseStream` on terminal events (#849) -- removes a slow plugin-state leak.
### Removed

- Breaking: the `yorishiro-proxy install skills` subcommand, the `--skills-dir` flag, and the bundled `.claude/skills/yorishiro/` skill tree are deleted (USK-951 / #32). Replacement: the same vulnerability-verification playbooks are served as MCP Prompts over `prompts/list` / `prompts/get`. Existing `.claude/skills/yorishiro/` directories on disk are inert -- delete them at your convenience. `yorishiro-proxy install skills` now errors with `unknown install target`.
- Breaking: technology detection (the `query` tool's `technologies` resource and `technology` filter, plus the `internal/fingerprint/` package) is deleted (USK-843). Migrate to response-header matching via existing `query` filters or a Starlark plugin.
- Breaking: the `proxy_start.protocols` MCP input and `query("config").enabled_protocols` output are deleted (USK-870). The WebUI Settings -> Proxy panel no longer shows the protocol-selection toggle. Use `target_scope` (host), `intercept_rules` (request pattern), `tls_passthrough` (MITM target), and `capture_scope` (recording target) for the same effect.
### Fixed

- Security (USK-879) -- `security set_target_scope` is enforced on CONNECT tunnels, plain-HTTP forward proxy, and SOCKS5 tunnels. Before this fix, agent-layer scope mutations reached only MCP-initiated requests (`resend_*` / `fuzz_*` / `test_target`); client traffic through CONNECT / plain HTTP / SOCKS5 bypassed the evaluator.
- `failure_reason` classification (USK-858) -- client-side MITM handshake rejections (e.g. Chromium refusing the proxy CA with an `unknown_certificate` / `bad_certificate` TLS alert) are now tagged `client_tls_error` instead of being misclassified as `upstream_tls_error`. See HTTPS MITM.
- Macro unresolved-template warnings (#838) -- variables that remain unsubstituted after rendering are surfaced as a warning rather than sent upstream as `{{var}}`.
- `request_timeout_ms` on plain HTTP / CONNECT -- the timeout is now honored on the inner read deadline of CONNECT tunnels and on plain-HTTP forward (#840).
- CONNECT / SOCKS5 passthrough audit -- the original target hostname is preserved on the passthrough audit envelope (#839).
- HAR export protocol predicates -- aligned with canonical `Envelope.Protocol` values (#848).
- `resend_http` query-string handling -- a `?` inside `path` is auto-split into `path` + `raw_query`; combining a `?`-bearing `path` with an explicit `raw_query` is rejected (#855).
- Intercept-release EOF tag -- only attached on successful downstream relay (#857).
- HTTP/2 connection-specific headers stripped on send -- RFC 7540 §8.1.2.2 hop-by-hop headers (`Connection`, `Keep-Alive`, `Proxy-Connection`, `Transfer-Encoding`, `Upgrade`) are stripped on the H2 send path (#836).
- Post-hold upstream EOF (USK-851) -- surfaced via a Stream tag instead of opaque connection loss.
- WebSocket permessage-deflate with context-takeover (USK-867) -- multi-frame messages now correctly serialize `deflateState`.
- Sec-WebSocket-Extensions propagation (#845) -- the negotiated value reaches the post-Upgrade `ws.Layer`.
- WebSocket StreamID reuse across handshake -> frames (#843) -- keeps the Upgrade + data-frame phase under the same Stream identity.
- `query` filter `scheme=ws|wss` is rejected (USK-848).
- `manage` export/import path resolution clarified -- relative paths resolve against the proxy server's CWD (USK-868).
- TLS passthrough audit: `ECONNRESET` classified as tunneled (USK-952 / #30) -- a peer-side ungraceful close after bytes have flowed (TLS `close_notify` in flight, abrupt browser / mobile-handover close) is now an `outcome="tunneled"` audit record instead of being misclassified as `outcome="failed"`. Genuine mid-stream failures (i/o timeout, no route to host) still land in the `failed` bucket.
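The #836 entry above is worth seeing in code: an HTTP/1.1 request that a proxy re-emits on an HTTP/2 stream must lose its connection-specific fields, because RFC 7540 §8.1.2.2 requires the peer to treat a message carrying them as malformed, and a `Transfer-Encoding` that leaks across the framing boundary is exactly the kind of layer mismatch that makes request handling ambiguous between hops. The following is an added example, not the project's own code: a hypothetical `StripHopByHop` helper over Go's `net/http` headers that drops the five fields named in the entry, every field nominated by the `Connection` header, and any `TE` value other than `trailers`, while returning the list of dropped names so the proxy can record them instead of rewriting silently. The sample headers in `sampleClientHeaders` are constructed, not captured traffic.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// connectionSpecific is the RFC 7540 §8.1.2.2 list of fields that must not
// appear in an HTTP/2 message regardless of what the Connection header says.
var connectionSpecific = []string{
	"Connection", "Keep-Alive", "Proxy-Connection", "Transfer-Encoding", "Upgrade",
}

// StripHopByHop (hypothetical helper, not the project's API) returns a copy of
// h that is legal to emit on an HTTP/2 stream:
//   - every field the Connection header nominates is dropped (RFC 7230 §6.1),
//   - every RFC 7540 §8.1.2.2 connection-specific field is dropped,
//   - TE is reduced to "trailers", the only TE value HTTP/2 allows, or dropped.
// The second result lists the dropped field names in removal order so a
// proxy can record them on the flow rather than silently rewriting the request.
func StripHopByHop(h http.Header) (http.Header, []string) {
	out := h.Clone()
	if out == nil {
		out = http.Header{}
	}
	var removed []string
	drop := func(name string) {
		name = http.CanonicalHeaderKey(name)
		if _, present := out[name]; present {
			out.Del(name)
			removed = append(removed, name)
		}
	}

	// "Connection: keep-alive, X-Foo" names two hop-by-hop fields; drop both.
	for _, v := range h.Values("Connection") {
		for _, tok := range strings.Split(v, ",") {
			if tok = strings.TrimSpace(tok); tok != "" {
				drop(tok)
			}
		}
	}
	for _, name := range connectionSpecific {
		drop(name)
	}

	// TE may survive only as "trailers"; any other value is a protocol error.
	if vals := out.Values("Te"); len(vals) > 0 {
		wantsTrailers := false
		for _, v := range vals {
			for _, tok := range strings.Split(v, ",") {
				if strings.EqualFold(strings.TrimSpace(tok), "trailers") {
					wantsTrailers = true
				}
			}
		}
		out.Del("Te")
		if wantsTrailers {
			out.Set("Te", "trailers")
		} else {
			removed = append(removed, "Te")
		}
	}
	return out, removed
}

// sampleClientHeaders is a constructed HTTP/1.1 request header set of the kind
// a browser sends through a forward proxy; it is not captured traffic.
func sampleClientHeaders() http.Header {
	h := http.Header{}
	h.Set("Accept", "application/json")
	h.Set("Content-Type", "application/json")
	h.Set("Connection", "keep-alive, X-Session-Hint")
	h.Set("X-Session-Hint", "sticky")
	h.Set("Keep-Alive", "timeout=5")
	h.Set("Proxy-Connection", "keep-alive")
	h.Set("Transfer-Encoding", "chunked")
	h.Set("Upgrade", "h2c")
	h.Set("TE", "trailers, deflate")
	return h
}

func main() {
	out, removed := StripHopByHop(sampleClientHeaders())
	fmt.Println("dropped:", removed)
	for name, vals := range out {
		fmt.Printf("%s: %s\n", name, strings.Join(vals, ", "))
	}
}
```

On the constructed input only `Accept`, `Content-Type` and `Te: trailers` survive; the dropped list is what an audit row would carry. Message-body semantics (chunked framing becoming HTTP/2 DATA frames) are a separate concern handled by the H2 send path, not by header filtering.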
### Docs

- `target_scope` / `rate_limit` / `budget` applicability scopes (Agent vs Policy Layer) are spelled out on security model and in the `security` MCP help text (USK-842).
## 0.15.0 (2026-05-05)
Shipped the RFC-001 Envelope + Layered Connection Model rewrite (milestones N1-N9). The data path was rebuilt around an Envelope + typed Message + Layer + Channel model that fixes the HTTP bias of the previous Exchange/Codec abstractions and unlocks structurally-honest support for HTTP/2 multiplexing, gRPC, gRPC-Web, WebSocket, SSE, and raw-byte smuggling diagnostics.
This release contained breaking changes for plugin authors and MCP clients. There is no compatibility shim; see the upstream CHANGELOG for the full Added / Changed / Removed / Migration sections.
## 0.14.x and earlier
Pre-RFC-001 history is preserved as git tags v0.3.0 through v0.14.1 and in the corresponding GitHub Releases. Detailed per-tag changelogs were not maintained at the time; consult git log in the upstream repo for fine-grained history.