@polygraphso/litmus 0.10.0 → 0.11.0

package/dist/{chunk-GNPHHS6I.js → chunk-EMMCE3LC.js}

@@ -1,6 +1,7 @@
 import {
+  CATEGORY_META,
   canonicalStringify
-} from "./chunk-44R4ZYOE.js";
+} from "./chunk-X3P26XGS.js";
 
 // ../cli/src/litmus.ts
 import { existsSync } from "fs";
@@ -9,11 +10,16 @@ import * as path from "path";
 
 // ../cli/src/format.ts
 function formatBundle(b) {
-  const status = (code) => b.categories.find((c) => c.code === code)?.status ?? "?";
   const lines = [];
   lines.push(`\u2192 ${b.methodologyVersion} \xB7 ${b.serverRef}`);
   if (b.resolvedVersion) lines.push(`\u2192 version ${b.resolvedVersion}`);
-  lines.push(`\u2192 C-01 ${status("C-01")} \xB7 C-02 ${status("C-02")} \xB7 C-03 ${status("C-03")} \xB7 C-04 ${status("C-04")}`);
+  lines.push("\u2192 checks");
+  const labelWidth = Math.max(0, ...b.categories.map((c) => CATEGORY_META[c.code].label.length));
+  for (const c of b.categories) {
+    const { label, description } = CATEGORY_META[c.code];
+    lines.push(`    ${c.code}  ${label.padEnd(labelWidth)}  ${c.status}`);
+    lines.push(`          ${description}`);
+  }
   const c01 = b.categories.find((c) => c.code === "C-01");
   if (c01?.status === "fail") {
     const highs = c01.probes.flatMap((p) => p.findings).filter((f) => f.severity === "high");
@@ -46,17 +52,37 @@ async function runLitmusCli(args) {
     return 2;
   }
   const input = resolveTarget(target);
-  const guard = checkHostExec(input, unsafeHostExec);
-  if (!guard.allow) {
-    process.stderr.write(`\u2192 litmus: ${guard.refuse}
+  const isStdio = typeof input !== "string" || !/^https?:\/\//i.test(input);
+  const interactive = Boolean(process.stdin.isTTY && process.stdout.isTTY);
+  const probes = await import("./src-4L5VHLRF.js");
+  const dockerAvailable = isStdio && interactive ? await probes.isDockerAvailable() : false;
+  const decision = checkHostExec(input, { optIn: unsafeHostExec, dockerAvailable, interactive });
+  if (decision.action === "refuse") {
+    process.stderr.write(`\u2192 litmus: ${decision.refuse}
 `);
     return 2;
   }
-  if (guard.warn) process.stderr.write(`\u2192 ${guard.warn}
+  if (decision.action === "confirm" && !await promptYesNo(decision.prompt, decision.defaultYes)) {
+    process.stderr.write("\u2192 litmus: cancelled.\n");
+    return 2;
+  }
+  const isolation = decision.isolation;
+  if (decision.warn) process.stderr.write(`\u2192 ${decision.warn}
 `);
-  const { runLitmus } = await import("./src-I6AGG4CJ.js");
+  if (!json) process.stderr.write(`\u2192 running litmus against ${target} \u2026 (~20\u201360s)
+`);
+  const onProgress = (done, total, label) => {
+    if (!json) process.stderr.write(`  \u2192 [${done}/${total}] ${label}
+`);
+  };
   try {
-    const bundle = await runLitmus(input, { headers, allowStateChanging, timeoutMs });
+    const bundle = await probes.runLitmus(input, {
+      headers,
+      allowStateChanging,
+      timeoutMs,
+      onProgress,
+      ...isolation ? { isolation } : {}
+    });
     process.stdout.write(json ? canonicalStringify(bundle) + "\n" : formatBundle(bundle));
     return bundle.grade === "D" || bundle.grade === "F" ? 1 : 0;
   } catch (err) {
@@ -65,6 +91,15 @@ async function runLitmusCli(args) {
     return 1;
   }
 }
+async function promptYesNo(prompt, defaultYes) {
+  const { createInterface } = await import("readline/promises");
+  const rl = createInterface({ input: process.stdin, output: process.stderr });
+  try {
+    return isAffirmative(await rl.question(prompt), defaultYes);
+  } finally {
+    rl.close();
+  }
+}
 function parseAuthFlags(args, env = process.env) {
   const headers = {};
   const headerArgs = [];
@@ -113,19 +148,44 @@ function timeoutSecondsToMs(v) {
   const sec = Number(v);
   return Number.isFinite(sec) && sec > 0 ? Math.floor(sec * 1e3) : void 0;
 }
-function checkHostExec(input, optIn, optInHint = "--unsafe-host-exec", env = process.env) {
+function checkHostExec(input, gate) {
+  const { optIn, dockerAvailable, interactive, optInHint = "--unsafe-host-exec", env = process.env } = gate;
   const isStdio = typeof input !== "string" || !/^https?:\/\//i.test(input);
-  const dockerIsolated = env.LITMUS_STDIO_ISOLATION === "docker";
-  if (!isStdio || dockerIsolated) return { allow: true };
+  if (!isStdio) return { action: "allow" };
+  if (env.LITMUS_STDIO_ISOLATION === "docker") return { action: "allow", isolation: "docker" };
   const why = "this launches the target's own code; without Docker isolation it runs on THIS host";
-  if (optIn) return { allow: true, warn: `\u26A0 unsafe host execution \u2014 ${why}.` };
+  const warn = `\u26A0 unsafe host execution \u2014 ${why}.`;
+  if (optIn) return { action: "allow", isolation: "none", warn };
+  if (interactive) {
+    if (dockerAvailable) {
+      return {
+        action: "confirm",
+        isolation: "docker",
+        defaultYes: true,
+        prompt: "Docker detected \u2014 the target will run sandboxed (recommended). Proceed? [Y/n] "
+      };
+    }
+    return {
+      action: "confirm",
+      isolation: "none",
+      defaultYes: false,
+      prompt: `No Docker found \u2014 this would run the target's own code on THIS host, unsandboxed.
+  Type "yes" to proceed, or set LITMUS_STDIO_ISOLATION=docker to sandbox: `,
+      warn
+    };
+  }
   return {
-    allow: false,
+    action: "refuse",
     refuse: `refusing host execution \u2014 ${why}.
   \u2022 sandboxed (recommended): set LITMUS_STDIO_ISOLATION=docker (requires Docker)
   \u2022 accept the risk: re-run with ${optInHint}`
   };
 }
+function isAffirmative(answer, defaultYes) {
+  const a = answer.trim().toLowerCase();
+  if (a === "") return defaultYes;
+  return a === "y" || a === "yes";
+}
 function resolveTarget(target) {
   if (/^https?:\/\//i.test(target)) return target;
   if (existsSync(target)) {

package/dist/{chunk-63OICX66.js → chunk-NPYDTMQ7.js}

@@ -3,7 +3,7 @@ import {
   METHODOLOGY_VERSION,
   parseServerRef,
   serverKey
-} from "./chunk-44R4ZYOE.js";
+} from "./chunk-X3P26XGS.js";
 
 // ../probes/src/harness.ts
 import { execFile as execFile3 } from "child_process";
@@ -451,6 +451,10 @@ import { execFile as execFile2 } from "child_process";
 import { promisify } from "util";
 import { randomUUID as randomUUID3 } from "crypto";
 var execFileP = promisify(execFile2);
+var TARGET_STDERR = process.env.LITMUS_DEBUG ? "inherit" : "pipe";
+function discardStderr(transport) {
+  transport.stderr?.resume?.();
+}
 var CLIENT_INFO = { name: "polygraph-litmus", version: "0.0.0" };
 async function connectTarget(input, opts = {}) {
   const isolated = opts.isolation === "docker";
@@ -464,6 +468,7 @@ async function connectTarget(input, opts = {}) {
       command: input.command,
       args: input.args ?? [],
       env: { ...getDefaultEnvironment(), ...opts.seedEnv ?? {}, ...input.env ?? {} },
+      stderr: TARGET_STDERR,
       ...input.cwd ?? opts.seedCwd ? { cwd: input.cwd ?? opts.seedCwd } : {}
     });
     const cmdline = [input.command, ...input.args ?? []].join(" ");
@@ -497,6 +502,7 @@ async function connectTarget(input, opts = {}) {
     command: launch.command,
     args: launch.args,
     env: { ...getDefaultEnvironment(), ...opts.seedEnv ?? {} },
+    stderr: TARGET_STDERR,
     ...opts.seedCwd ? { cwd: opts.seedCwd } : {}
   });
   const client = await connectOrThrow(transport);
@@ -518,14 +524,14 @@ async function connectHostNpm(ref, parsed, opts) {
   const binNames = await fetchNpmBins(spec, parsed.name);
   if (!binNames || binNames.length === 0) {
     const args = ["-y", spec];
-    const transport = new StdioClientTransport({ command: "npx", args, env, ...cwd });
+    const transport = new StdioClientTransport({ command: "npx", args, env, stderr: TARGET_STDERR, ...cwd });
     const client = await connectOrThrow(transport);
     return makeResult(client, "stdio", { kind: "stdio", command: ["npx", ...args].join(" "), url: null }, serverRefVal, resolvedVersion, []);
   }
   const candidates = orderBinCandidates(binNames, parsed.name);
   const { result } = await probeForMcpBin(ref, candidates, async (bin) => {
     const args = ["-y", "-p", spec, bin];
-    const transport = new StdioClientTransport({ command: "npx", args, env, ...cwd });
+    const transport = new StdioClientTransport({ command: "npx", args, env, stderr: TARGET_STDERR, ...cwd });
     const client = await tryConnect(transport);
     return client ? { client, descriptor: { kind: "stdio", command: ["npx", ...args].join(" "), url: null } } : null;
   });
@@ -562,8 +568,9 @@ async function connectIsolatedNpm(ref, parsed, opts) {
       const transport = new StdioClientTransport({
         command: launch.command,
         args: namedArgs,
-        env: getDefaultEnvironment()
+        env: getDefaultEnvironment(),
         // default env only: no host secrets, no canaries
+        stderr: TARGET_STDERR
       });
       const client = await tryConnect(transport);
       if (!client) {
@@ -608,6 +615,7 @@ async function tryConnect(transport) {
   const client = new Client(CLIENT_INFO, { capabilities: {} });
   try {
     await withConnectTimeout(client.connect(transport), transport);
+    discardStderr(transport);
     return client;
   } catch {
     try {
@@ -620,6 +628,7 @@ async function tryConnect(transport) {
 async function connectOrThrow(transport) {
   const client = new Client(CLIENT_INFO, { capabilities: {} });
   await withConnectTimeout(client.connect(transport), transport);
+  discardStderr(transport);
   return client;
 }
 function makeResult(client, kind, descriptor, serverRef, resolvedVersion, teardownExtra) {
@@ -2027,7 +2036,7 @@ async function runLitmus(target, opts = {}) {
   const isolation = opts.isolation ?? (process.env.LITMUS_STDIO_ISOLATION === "docker" ? "docker" : "none");
   const ranAt = (/* @__PURE__ */ new Date()).toISOString();
   const baselineAllowlist = [...DEFAULT_EGRESS_BASELINE, ...parseAllowlistEnv(process.env.LITMUS_EGRESS_ALLOWLIST)];
-  const dockerAvailable = await checkDocker();
+  const dockerAvailable = await isDockerAvailable();
   const canaries = mintCanaries();
   const seedEnv = canaryEnv(canaries);
   const isHttp = typeof target === "string" && /^https?:\/\//i.test(target);
@@ -2169,7 +2178,7 @@ function withTimeout(p, ms, label) {
     })
   ]);
 }
-function checkDocker() {
+function isDockerAvailable() {
   return new Promise((resolve) => {
     const child = execFile3("docker", ["info"], { timeout: 4e3 }, (err) => resolve(!err));
     child.on("error", () => resolve(false));
@@ -2364,6 +2373,12 @@ function overBroadTrigger(description) {
 }
 
 // ../probes/src/skills/grade-skill.ts
+var SKILL_CATEGORY_META = {
+  "S-01": { label: "prompt injection / context poisoning", description: "whether the skill body tries to hijack the agent" },
+  "S-03": { label: "data-exfiltration instructions", description: "whether it instructs the agent to leak secrets" },
+  "S-04": { label: "dangerous bundled commands", description: "whether it ships dangerous executable commands" },
+  "S-05": { label: "tool / permission overreach", description: "whether it claims more capability than it needs" }
+};
 var DISQUALIFYING = /* @__PURE__ */ new Set(["S-01", "S-03"]);
 var CAPPING = /* @__PURE__ */ new Set(["S-04", "S-05"]);
 function gradeSkillCategories(categories) {
@@ -2629,6 +2644,7 @@ export {
   assembleBundle,
   runLitmus,
   enumerateTools,
+  isDockerAvailable,
   SkillLoadError,
   loadSkill,
   stripExamples,
@@ -2637,6 +2653,7 @@ export {
   exfilInstruction,
   dangerousCommand,
   overBroadTrigger,
+  SKILL_CATEGORY_META,
   gradeSkillCategories,
   SKILL_METHODOLOGY_VERSION,
   SKILL_BUNDLE_SCHEMA_VERSION,

package/dist/{chunk-VAOQNFW3.js → chunk-TK4EI66E.js}

@@ -3,22 +3,24 @@ import {
   checkHostExec,
   parseAuthFlags,
   resolveTarget
-} from "./chunk-GNPHHS6I.js";
+} from "./chunk-EMMCE3LC.js";
 import {
+  SKILL_CATEGORY_META,
   SKILL_METHODOLOGY_VERSION,
   runLitmus,
   runSkillLitmus,
   runSkillQuality,
   runSkillQualityJudged
-} from "./chunk-63OICX66.js";
+} from "./chunk-NPYDTMQ7.js";
 import {
+  CATEGORY_META,
   CATEGORY_STATUS_UINT8,
   METHODOLOGY_VERSION,
   parseServerRef,
   parseSkillRef,
   serverKey,
   skillKey
-} from "./chunk-44R4ZYOE.js";
+} from "./chunk-X3P26XGS.js";
 
 // ../onchain/src/networks.ts
 var NETWORKS = {
@@ -314,9 +316,14 @@ async function handleRunLitmus({ server_ref, bearer, header, unsafe_host_exec, t
     ];
     const { headers } = parseAuthFlags(argv, {});
     const input = resolveTarget(server_ref);
-    const guard = checkHostExec(input, unsafe_host_exec ?? false, 'set "unsafe_host_exec": true');
-    if (!guard.allow) {
-      return { isError: true, content: [{ type: "text", text: `run_litmus refused: ${guard.refuse}` }] };
+    const decision = checkHostExec(input, {
+      optIn: unsafe_host_exec ?? false,
+      dockerAvailable: false,
+      interactive: false,
+      optInHint: 'set "unsafe_host_exec": true'
+    });
+    if (decision.action === "refuse") {
+      return { isError: true, content: [{ type: "text", text: `run_litmus refused: ${decision.refuse}` }] };
     }
     const progressToken = extra._meta?.progressToken;
     const sendProgress = progressToken !== void 0 ? (progress, message) => void extra.sendNotification({
@@ -336,18 +343,19 @@ async function handleRunLitmus({ server_ref, bearer, header, unsafe_host_exec, t
     return { isError: true, content: [{ type: "text", text: `run_litmus failed: ${message}` }] };
   }
 }
-var CATEGORY_LABEL = {
-  "C-01": "tool-output injection",
-  "C-02": "permission / egress overreach",
-  "C-03": "sensitive-data handling",
-  "C-04": "adversarial-input handling"
-};
 function summarize(b) {
   const find = (code) => b.categories.find((c) => c.code === code);
   const categories = ["C-01", "C-02", "C-03", "C-04"].map((code) => {
     const c = find(code);
     const findings = c?.status === "fail" ? c.probes.flatMap((p) => p.findings).filter((f) => f.severity === "high").slice(0, 5).map((f) => ({ tool: f.tool, kind: f.kind, match: truncate(f.match, 120), host: f.host, port: f.port })) : [];
-    return { code, check: CATEGORY_LABEL[code], status: c?.status ?? "unknown", reason: c?.reason ?? null, findings };
+    return {
+      code,
+      check: CATEGORY_META[code].label,
+      description: CATEGORY_META[code].description,
+      status: c?.status ?? "unknown",
+      reason: c?.reason ?? null,
+      findings
+    };
   });
   return {
     grade: b.grade,
@@ -417,15 +425,11 @@ async function handleRunSkillLitmus({ skill_ref }, ctx = {}) {
 function errorResult(message) {
   return { isError: true, content: [{ type: "text", text: `run_skill_litmus failed: ${message}` }] };
 }
-var CATEGORY_LABEL2 = {
-  "S-01": "prompt injection / context poisoning",
-  "S-03": "data-exfiltration instructions",
-  "S-04": "dangerous bundled commands"
-};
 function summarize2(b) {
   const categories = b.categories.map((c) => ({
     code: c.code,
-    check: CATEGORY_LABEL2[c.code] ?? c.code,
+    check: SKILL_CATEGORY_META[c.code]?.label ?? c.code,
+    description: SKILL_CATEGORY_META[c.code]?.description ?? null,
     status: c.status,
     reason: c.reason ?? null,
     findings: c.status === "fail" ? c.findings.filter((f) => f.severity === "high").slice(0, 5).map((f) => ({ kind: f.kind, match: truncate2(f.match, 120), file: f.file })) : []

package/dist/{chunk-44R4ZYOE.js → chunk-X3P26XGS.js}

@@ -1,6 +1,12 @@
 // ../core/src/types.ts
 var METHODOLOGY_VERSION = "litmus-v5";
 var BUNDLE_SCHEMA_VERSION = "1.4.0";
+var CATEGORY_META = {
+  "C-01": { label: "tool-output injection", description: "whether it tries to hijack the caller through tool output" },
+  "C-02": { label: "permission / egress overreach", description: "whether it reaches the network beyond what it declares" },
+  "C-03": { label: "sensitive-data handling", description: "whether it leaks planted secrets it was handed" },
+  "C-04": { label: "adversarial-input handling", description: "whether it stays stable on malformed or hostile input" }
+};
 var CATEGORY_STATUS_UINT8 = {
   pass: 0,
   fail: 1,
@@ -174,6 +180,7 @@ function sortDeep(value, depth = 0) {
 export {
   METHODOLOGY_VERSION,
   BUNDLE_SCHEMA_VERSION,
+  CATEGORY_META,
   CATEGORY_STATUS_UINT8,
   ServerRefParseError,
   parseServerRef,

package/dist/cli-skill.js

@@ -1,31 +1,18 @@
 #!/usr/bin/env node
 import {
+  SKILL_CATEGORY_META,
   judgeFromEnv,
   runSkillLitmus,
   runSkillQuality,
   runSkillQualityJudged
-} from "./chunk-63OICX66.js";
-import "./chunk-44R4ZYOE.js";
+} from "./chunk-NPYDTMQ7.js";
+import "./chunk-X3P26XGS.js";
 
 // src/cli-skill.ts
 import { statSync } from "fs";
-var HELP = `polygraphso-litmus-skill \u2014 static safety grades for Claude Code skills.
-
-usage:
-  polygraphso-litmus-skill [--json] <path-to-skill-dir>
-  polygraphso-litmus-skill --help
-
-The skill dir must contain a SKILL.md. The safety letter is a STATIC scan (no
-execution); an A means the static checks were clean, not that the skill is
-behaviorally safe.
 
-It also prints a separate, advisory quality signal. The optional LLM-judged
-axes (honesty, coherence) run only if you provide your own key \u2014 set
-LITMUS_LLM_API_KEY and LITMUS_LLM_MODEL (and LITMUS_LLM_BASE_URL for a non-OpenAI
-endpoint). Without a key only the deterministic well-formedness checks run.
-More at https://polygraph.so
-`;
-function render(b) {
+// src/format-skill.ts
+function formatSkillSafety(b) {
   const lines = [
     `grade: ${b.grade}  (${b.methodologyVersion})`,
     `${b.gradeRationale}`,
@@ -34,8 +21,11 @@ function render(b) {
     "",
     "categories:"
   ];
+  const labelWidth = Math.max(0, ...b.categories.map((c) => SKILL_CATEGORY_META[c.code].label.length));
   for (const c of b.categories) {
-    lines.push(`  ${c.code}  ${c.status}${c.reason ? `  (${c.reason})` : ""}`);
+    const { label, description } = SKILL_CATEGORY_META[c.code];
+    lines.push(`  ${c.code}  ${label.padEnd(labelWidth)}  ${c.status}${c.reason ? `  (${c.reason})` : ""}`);
+    lines.push(`        ${description}`);
     if (c.status === "fail") {
       for (const f of c.findings.filter((x) => x.severity === "high").slice(0, 5)) {
         lines.push(`      ! ${f.kind}${f.file ? ` [${f.file}]` : ""}: ${f.match}`);
@@ -51,6 +41,24 @@ function render(b) {
   lines.push("", b.disclaimer);
   return lines.join("\n") + "\n";
 }
+
+// src/cli-skill.ts
+var HELP = `polygraphso-litmus-skill \u2014 static safety grades for Claude Code skills.
+
+usage:
+  polygraphso-litmus-skill [--json] <path-to-skill-dir>
+  polygraphso-litmus-skill --help
+
+The skill dir must contain a SKILL.md. The safety letter is a STATIC scan (no
+execution); an A means the static checks were clean, not that the skill is
+behaviorally safe.
+
+It also prints a separate, advisory quality signal. The optional LLM-judged
+axes (honesty, coherence) run only if you provide your own key \u2014 set
+LITMUS_LLM_API_KEY and LITMUS_LLM_MODEL (and LITMUS_LLM_BASE_URL for a non-OpenAI
+endpoint). Without a key only the deterministic well-formedness checks run.
+More at https://polygraph.so
+`;
 function renderQuality(q) {
   const lines = ["", `quality (advisory, separate from the grade): ${q.verdict}`];
   for (const c of q.checks) lines.push(`  ${c.status === "pass" ? "\xB7" : "!"} ${c.id}: ${c.detail}`);
@@ -87,7 +95,7 @@ async function main(argv) {
   const judge = judgeFromEnv();
   const quality = judge ? await runSkillQualityJudged(target, judge, { skillRef: target }) : runSkillQuality(target, { skillRef: target });
   process.stdout.write(
-    json ? JSON.stringify({ safety, quality }, null, 2) + "\n" : render(safety) + renderQuality(quality)
+    json ? JSON.stringify({ safety, quality }, null, 2) + "\n" : formatSkillSafety(safety) + renderQuality(quality)
   );
   return 0;
 }

package/dist/cli.js

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 import {
   runLitmusCli
-} from "./chunk-GNPHHS6I.js";
+} from "./chunk-EMMCE3LC.js";
 import {
   parseServerRef,
   serverKey
-} from "./chunk-44R4ZYOE.js";
+} from "./chunk-X3P26XGS.js";
 
 // src/cli.ts
 import { readFileSync } from "fs";

package/dist/index.d.ts

@@ -37,6 +37,15 @@ declare const METHODOLOGY_VERSION: "litmus-v5";
  *  `harness.stdioIsolation`; older remain valid. */
 declare const BUNDLE_SCHEMA_VERSION: "1.4.0";
 type CategoryCode = "C-01" | "C-02" | "C-03" | "C-04";
+/**
+ * Plain-English label + one-line description for each probe category, so CLI and
+ * MCP output is legible without knowing the probe IDs. The single source of these
+ * strings — both renderers and the MCP `run_litmus` summary read from here.
+ */
+declare const CATEGORY_META: Record<CategoryCode, {
+    label: string;
+    description: string;
+}>;
 /** Probe IDs carry their family number (1=injection, 2=permission,
  *  3=adversarial-input, 4=sensitive). 1.3 (second-order injection) added in v5. */
 type ProbeId = "1.1" | "1.2" | "1.3" | "2.1" | "2.2" | "3.1" | "3.2" | "4.1" | "4.2";
@@ -352,6 +361,9 @@ declare function enumerateTools(client: ListToolsClient, opts?: {
     maxBytes?: number;
     listTimeoutMs?: number;
 }): Promise<ListedTool[]>;
+/** True if a Docker daemon is reachable (governs C-02 / probe 4.2, and the CLI's
+ *  detect-and-confirm sandbox prompt). */
+declare function isDockerAvailable(): Promise<boolean>;
 
 /**
  * Tool-surface fingerprint (litmus-test-v1 §6, technical-design §3).
@@ -470,6 +482,15 @@ declare function hasHighSeverity(findings: readonly Finding[]): boolean;
  */
 
 type SkillCategoryCode = "S-01" | "S-03" | "S-04" | "S-05";
+/**
+ * Plain-English label + one-line description for each skill category, so the skill
+ * CLI/MCP output is legible without knowing the S-codes. The single source of these
+ * strings — both the renderer and the MCP `run_skill_litmus` summary read from here.
+ */
+declare const SKILL_CATEGORY_META: Record<SkillCategoryCode, {
+    label: string;
+    description: string;
+}>;
 interface SkillCategoryResult {
     code: SkillCategoryCode;
     status: CategoryStatus;
@@ -1109,4 +1130,4 @@ declare function parseAuthFlags(args: readonly string[], env?: NodeJS.ProcessEnv
 /** A target is an https URL, a local MCP entry file, or a registry ref. */
 declare function resolveTarget(target: string): string | StdioCommand;
 
-export { type AttestationView, BUNDLE_SCHEMA_VERSION, type BundleInput, CATEGORY_STATUS_UINT8, type CategoryCode, type CategoryResult, type CategoryStatus, type ConnectOptions, type ConnectedTarget, DEFAULT_PASSING, type EvidenceBundle, type Finding, type FindingKind, type FingerprintResult, type GateAction, type GateDecision, type Grade, type HarnessInfo, type Judge, type JudgeOptions, type JudgedQuality, LITMUS_SCHEMA, LITMUS_SKILL_SCHEMA, type ListToolsClient, type LitmusAttestationFields, type LitmusGrade, type RunLitmusOptions as LitmusOptions, type LoadedSkill, METHODOLOGY_VERSION, NETWORKS, type Network, type NetworkConfig, type OnchainLitmusAttestation, type OnchainSkillAttestation, type OpenAICompatConfig, type ParsedLitmusFlags, type ParsedServerRef, type ParsedSkillRef, type ProbeContext, type ProbeId, type ProbeResult, type ProbeStatus, type QualityBundle, type QualityCheck, type QualityCheckStatus, type QualityVerdict, RUN_LITMUS_TOOL_DESCRIPTION, RUN_LITMUS_TOOL_NAME, RUN_LITMUS_TOOL_TITLE, RUN_SKILL_LITMUS_TOOL_DESCRIPTION, RUN_SKILL_LITMUS_TOOL_NAME, RUN_SKILL_LITMUS_TOOL_TITLE, type Registry, type RunLitmusOptions, type RunSkillLitmusOptions, type RunSkillQualityOptions, SKILL_BUNDLE_SCHEMA_VERSION, SKILL_METHODOLOGY_VERSION, SKILL_QUALITY_VERSION, ServerRefParseError, type Severity, type SkillAttestationFields, type SkillCategoryCode, type SkillCategoryResult, type SkillEvidenceBundle, type SkillFile, type SkillGrade, type SkillGradeForAttestation, SkillLoadError, SkillRefParseError, type SkillSource, type StdioCommand, type TargetDescriptor, type TargetInput, type TargetKind, type ToolAnnotations, type ToolDef, type ToolSafety, VERIFY_SKILL_TOOL_DESCRIPTION, VERIFY_SKILL_TOOL_NAME, VERIFY_SKILL_TOOL_TITLE, assembleBundle, canaryMatch, canonicalStringify, classifyTool, connectTarget, dangerousCommand, decodeLitmusAttestation, decodeSkillAttestation, encodeLitmusAttestation, encodeSkillAttestation, encodeSkillAttestationFields, enumerateTools, exfilInstruction, fingerprintToolDefs, formatServerRef, formatSkillRef, gateDecision, gradeFromCategories, gradeSkillCategories, handleRunLitmus, handleRunSkillLitmus, handleVerifySkill, hasHighSeverity, instructionMimicry, internalsLeak, invisibleUnicode, judgeFromEnv, judgeSkillQuality, litmusFields, litmusSchemaUID, liveFingerprint, loadSkill, markdownTricks, networkConfig, openAICompatJudge, overBroadTrigger, parseAuthFlags, parseServerRef, parseSkillRef, readAttestation, readSkillAttestation, resolveTarget, rpcUrl, runLitmus, runLitmusInputShape, runSkillLitmus, runSkillLitmusInputShape, runSkillQuality, runSkillQualityJudged, selectedNetwork, serverKey, skillAttestationFields, skillInjection, skillInjectionFails, skillKey, skillSchemaUID, stateChangingToolNames, stripExamples, verifySkillInputShape };
+export { type AttestationView, BUNDLE_SCHEMA_VERSION, type BundleInput, CATEGORY_META, CATEGORY_STATUS_UINT8, type CategoryCode, type CategoryResult, type CategoryStatus, type ConnectOptions, type ConnectedTarget, DEFAULT_PASSING, type EvidenceBundle, type Finding, type FindingKind, type FingerprintResult, type GateAction, type GateDecision, type Grade, type HarnessInfo, type Judge, type JudgeOptions, type JudgedQuality, LITMUS_SCHEMA, LITMUS_SKILL_SCHEMA, type ListToolsClient, type LitmusAttestationFields, type LitmusGrade, type RunLitmusOptions as LitmusOptions, type LoadedSkill, METHODOLOGY_VERSION, NETWORKS, type Network, type NetworkConfig, type OnchainLitmusAttestation, type OnchainSkillAttestation, type OpenAICompatConfig, type ParsedLitmusFlags, type ParsedServerRef, type ParsedSkillRef, type ProbeContext, type ProbeId, type ProbeResult, type ProbeStatus, type QualityBundle, type QualityCheck, type QualityCheckStatus, type QualityVerdict, RUN_LITMUS_TOOL_DESCRIPTION, RUN_LITMUS_TOOL_NAME, RUN_LITMUS_TOOL_TITLE, RUN_SKILL_LITMUS_TOOL_DESCRIPTION, RUN_SKILL_LITMUS_TOOL_NAME, RUN_SKILL_LITMUS_TOOL_TITLE, type Registry, type RunLitmusOptions, type RunSkillLitmusOptions, type RunSkillQualityOptions, SKILL_BUNDLE_SCHEMA_VERSION, SKILL_CATEGORY_META, SKILL_METHODOLOGY_VERSION, SKILL_QUALITY_VERSION, ServerRefParseError, type Severity, type SkillAttestationFields, type SkillCategoryCode, type SkillCategoryResult, type SkillEvidenceBundle, type SkillFile, type SkillGrade, type SkillGradeForAttestation, SkillLoadError, SkillRefParseError, type SkillSource, type StdioCommand, type TargetDescriptor, type TargetInput, type TargetKind, type ToolAnnotations, type ToolDef, type ToolSafety, VERIFY_SKILL_TOOL_DESCRIPTION, VERIFY_SKILL_TOOL_NAME, VERIFY_SKILL_TOOL_TITLE, assembleBundle, canaryMatch, canonicalStringify, classifyTool, connectTarget, dangerousCommand, decodeLitmusAttestation, decodeSkillAttestation, encodeLitmusAttestation, encodeSkillAttestation, encodeSkillAttestationFields, enumerateTools, exfilInstruction, fingerprintToolDefs, formatServerRef, formatSkillRef, gateDecision, gradeFromCategories, gradeSkillCategories, handleRunLitmus, handleRunSkillLitmus, handleVerifySkill, hasHighSeverity, instructionMimicry, internalsLeak, invisibleUnicode, isDockerAvailable, judgeFromEnv, judgeSkillQuality, litmusFields, litmusSchemaUID, liveFingerprint, loadSkill, markdownTricks, networkConfig, openAICompatJudge, overBroadTrigger, parseAuthFlags, parseServerRef, parseSkillRef, readAttestation, readSkillAttestation, resolveTarget, rpcUrl, runLitmus, runLitmusInputShape, runSkillLitmus, runSkillLitmusInputShape, runSkillQuality, runSkillQualityJudged, selectedNetwork, serverKey, skillAttestationFields, skillInjection, skillInjectionFails, skillKey, skillSchemaUID, stateChangingToolNames, stripExamples, verifySkillInputShape };

package/dist/index.js

@@ -31,13 +31,14 @@ import {
   skillAttestationFields,
   skillSchemaUID,
   verifySkillInputShape
-} from "./chunk-VAOQNFW3.js";
+} from "./chunk-TK4EI66E.js";
 import {
   parseAuthFlags,
   resolveTarget
-} from "./chunk-GNPHHS6I.js";
+} from "./chunk-EMMCE3LC.js";
 import {
   SKILL_BUNDLE_SCHEMA_VERSION,
+  SKILL_CATEGORY_META,
   SKILL_METHODOLOGY_VERSION,
   SKILL_QUALITY_VERSION,
   SkillLoadError,
@@ -55,6 +56,7 @@ import {
   instructionMimicry,
   internalsLeak,
   invisibleUnicode,
+  isDockerAvailable,
   judgeFromEnv,
   judgeSkillQuality,
   loadSkill,
@@ -69,9 +71,10 @@ import {
   skillInjectionFails,
   stateChangingToolNames,
   stripExamples
-} from "./chunk-63OICX66.js";
+} from "./chunk-NPYDTMQ7.js";
 import {
   BUNDLE_SCHEMA_VERSION,
+  CATEGORY_META,
   CATEGORY_STATUS_UINT8,
   METHODOLOGY_VERSION,
   ServerRefParseError,
@@ -83,7 +86,7 @@ import {
   parseSkillRef,
   serverKey,
   skillKey
-} from "./chunk-44R4ZYOE.js";
+} from "./chunk-X3P26XGS.js";
 
 // ../agent/src/gate.ts
 function sameServer(a, b) {
@@ -131,6 +134,7 @@ async function liveFingerprint(target) {
 }
 export {
   BUNDLE_SCHEMA_VERSION,
+  CATEGORY_META,
   CATEGORY_STATUS_UINT8,
   DEFAULT_PASSING,
   LITMUS_SCHEMA,
@@ -144,6 +148,7 @@ export {
   RUN_SKILL_LITMUS_TOOL_NAME,
   RUN_SKILL_LITMUS_TOOL_TITLE,
   SKILL_BUNDLE_SCHEMA_VERSION,
+  SKILL_CATEGORY_META,
   SKILL_METHODOLOGY_VERSION,
   SKILL_QUALITY_VERSION,
   ServerRefParseError,
@@ -178,6 +183,7 @@ export {
   instructionMimicry,
   internalsLeak,
   invisibleUnicode,
+  isDockerAvailable,
   judgeFromEnv,
   judgeSkillQuality,
   litmusFields,

package/dist/mcp.js

@@ -20,12 +20,12 @@ import {
   runSkillLitmusInputShape,
   verifyInputShape,
   verifySkillInputShape
-} from "./chunk-VAOQNFW3.js";
-import "./chunk-GNPHHS6I.js";
+} from "./chunk-TK4EI66E.js";
+import "./chunk-EMMCE3LC.js";
 import {
   judgeFromEnv
-} from "./chunk-63OICX66.js";
-import "./chunk-44R4ZYOE.js";
+} from "./chunk-NPYDTMQ7.js";
+import "./chunk-X3P26XGS.js";
 
 // src/mcp.ts
 import { realpathSync } from "fs";

package/dist/{src-I6AGG4CJ.js → src-4L5VHLRF.js}

@@ -1,5 +1,6 @@
 import {
   SKILL_BUNDLE_SCHEMA_VERSION,
+  SKILL_CATEGORY_META,
   SKILL_METHODOLOGY_VERSION,
   SKILL_QUALITY_VERSION,
   SkillLoadError,
@@ -17,6 +18,7 @@ import {
   instructionMimicry,
   internalsLeak,
   invisibleUnicode,
+  isDockerAvailable,
   judgeFromEnv,
   judgeSkillQuality,
   loadSkill,
@@ -31,10 +33,11 @@ import {
   skillInjectionFails,
   stateChangingToolNames,
   stripExamples
-} from "./chunk-63OICX66.js";
-import "./chunk-44R4ZYOE.js";
+} from "./chunk-NPYDTMQ7.js";
+import "./chunk-X3P26XGS.js";
 export {
   SKILL_BUNDLE_SCHEMA_VERSION,
+  SKILL_CATEGORY_META,
   SKILL_METHODOLOGY_VERSION,
   SKILL_QUALITY_VERSION,
   SkillLoadError,
@@ -52,6 +55,7 @@ export {
   instructionMimicry,
   internalsLeak,
   invisibleUnicode,
+  isDockerAvailable,
   judgeFromEnv,
   judgeSkillQuality,
   loadSkill,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@polygraphso/litmus",
-  "version": "0.10.0",
+  "version": "0.11.0",
   "description": "Behavioral litmus harness for MCP servers — grade a server A–F (tool-output injection, egress, sensitive-data, adversarial-input) with reproducible, content-addressed evidence. Ships a CLI and an MCP server with a run_litmus tool for AI agents.",
   "license": "Apache-2.0",
   "homepage": "https://polygraph.so",
@@ -62,12 +62,12 @@
     "tsup": "^8.3.0",
     "typescript": "^5.9.3",
     "vitest": "^2.1.0",
-    "@polygraph/onchain": "0.0.0",
     "@polygraph/core": "0.0.0",
-    "@polygraph/probes": "0.0.0",
+    "@polygraph/onchain": "0.0.0",
     "@polygraph/agent": "0.0.0",
     "@polygraph/mcp": "0.0.0",
-    "@polygraph/cli": "0.0.0"
+    "@polygraph/cli": "0.0.0",
+    "@polygraph/probes": "0.0.0"
   },
   "publishConfig": {
     "access": "public"