Releases: 314-ia/tool-output-mimicry

v0.1.0 — first public release

27 Apr 17:26

First public release of the Tool Output Mimicry reference reproducer.

What's in the box

  • Primitive (tom_repro.primitive): UpstreamAgentImpersonation + ToolOutputMimicry recipes — the canonical implementation of the impersonation-block format described in the paper (paper §IV).
  • Stego helper (tom_repro.stego): generate_stego_html + STEGO_CSS_MARKERS — produces the CSS-stego attachments that satisfy regex-based detectors (paper §V.B Gate 2).
  • FinBot adapter (tom_repro.targets.finbot): full end-to-end driver for the OWASP FinBot CTF `policy-bypass-fine-print` challenge, exposed as the `tom-repro-finbot` console script. Auto-bootstraps CSRF + vendor from a single `finbot_session` cookie.
  • 24 offline unit tests on Python 3.10 / 3.11 / 3.12 / 3.13 (CI matrix).
  • Verbatim live-capture evidence from a freshly-registered CTF account on 2026-04-27.
  • Discovery log narrating the two material schema drifts the FinBot deployment underwent between the original capture and this re-validation.

Reference paper

Brana, J. P. (2026). Tool Output Mimicry: Bypassing Multi-Layer Agentic AI Defenses via Upstream-Agent Impersonation in User-Controlled Fields. Zenodo. doi:10.5281/zenodo.19794072 (CC BY 4.0).

Reproducibility footprint

| System | Identifier |
|---|---|
| Paper concept-DOI | 10.5281/zenodo.19794071 |
| Paper version-DOI | 10.5281/zenodo.19794072 |
| Software Heritage snapshot | `swh:1:snp:4544ea40cf1ad016809348b497860c5c2316bc60` |
| Software DOI (Zenodo) | (assigned by webhook on this release) |

Usage

```bash
pip install -e .
tom-repro-finbot --dry-run # offline composition check, zero credentials
```

For live capture against your own OWASP FinBot CTF account, see README.md.

Scope and disclaimer

Independent research by i-314 Research Lab. Not an OWASP project; not endorsed by the OWASP Foundation or the OWASP GenAI Security Project. The OWASP FinBot CTF is referenced solely as the validation target — see Acknowledgments.

Run the live path only against systems you own or are authorised to test — see SECURITY.md.