@polygraphso/litmus 0.11.0 → 0.12.0

package/dist/{chunk-X3P26XGS.js → chunk-CKQZFK77.js}

@@ -1,6 +1,6 @@
 // ../core/src/types.ts
 var METHODOLOGY_VERSION = "litmus-v5";
-var BUNDLE_SCHEMA_VERSION = "1.4.0";
+var BUNDLE_SCHEMA_VERSION = "1.5.0";
 var CATEGORY_META = {
   "C-01": { label: "tool-output injection", description: "whether it tries to hijack the caller through tool output" },
   "C-02": { label: "permission / egress overreach", description: "whether it reaches the network beyond what it declares" },

package/dist/{chunk-NPYDTMQ7.js → chunk-OGOFUBLN.js}

@@ -3,7 +3,7 @@ import {
   METHODOLOGY_VERSION,
   parseServerRef,
   serverKey
-} from "./chunk-X3P26XGS.js";
+} from "./chunk-CKQZFK77.js";
 
 // ../probes/src/harness.ts
 import { execFile as execFile3 } from "child_process";
@@ -638,6 +638,9 @@ function makeResult(client, kind, descriptor, serverRef, resolvedVersion, teardo
     descriptor,
     serverRef,
     resolvedVersion,
+    // The server's self-reported identity from the initialize handshake. The SDK
+    // exposes it post-connect via getServerVersion(); absent/blank → null.
+    selfReportedVersion: client.getServerVersion()?.version ?? null,
     teardown: async () => {
       try {
         await client.close();
@@ -2018,6 +2021,7 @@ function assembleBundle(input) {
     methodologyVersion: METHODOLOGY_VERSION,
     serverRef: input.serverRef,
     resolvedVersion: input.resolvedVersion,
+    selfReportedVersion: input.selfReportedVersion,
     target: input.target,
     toolDefsFingerprint: input.toolDefsFingerprint,
     toolDefs: input.toolDefs,
@@ -2100,6 +2104,7 @@ async function runLitmus(target, opts = {}) {
       return assembleBundle({
         serverRef: conn.serverRef,
         resolvedVersion: conn.resolvedVersion,
+        selfReportedVersion: conn.selfReportedVersion,
         // Surface the server's declared egress in the bundle (disclosure: a
         // declaration is not exoneration — the consumer/agent-gate can judge).
         target: egress.declaredEgress.length ? { ...conn.descriptor, declaredEgress: egress.declaredEgress } : conn.descriptor,

package/dist/{chunk-TK4EI66E.js → chunk-PTWDLGI5.js}

@@ -3,7 +3,7 @@ import {
   checkHostExec,
   parseAuthFlags,
   resolveTarget
-} from "./chunk-EMMCE3LC.js";
+} from "./chunk-TTGWSGPC.js";
 import {
   SKILL_CATEGORY_META,
   SKILL_METHODOLOGY_VERSION,
@@ -11,7 +11,7 @@ import {
   runSkillLitmus,
   runSkillQuality,
   runSkillQualityJudged
-} from "./chunk-NPYDTMQ7.js";
+} from "./chunk-OGOFUBLN.js";
 import {
   CATEGORY_META,
   CATEGORY_STATUS_UINT8,
@@ -20,7 +20,7 @@ import {
   parseSkillRef,
   serverKey,
   skillKey
-} from "./chunk-X3P26XGS.js";
+} from "./chunk-CKQZFK77.js";
 
 // ../onchain/src/networks.ts
 var NETWORKS = {
@@ -362,6 +362,9 @@ function summarize(b) {
     summary: b.gradeRationale,
     serverRef: b.serverRef,
     resolvedVersion: b.resolvedVersion,
+    // The server's self-asserted serverInfo.version — descriptive only, not a
+    // re-fetchable pin (cf. resolvedVersion). Null when the server reports none.
+    selfReportedVersion: b.selfReportedVersion,
     fingerprint: b.toolDefsFingerprint,
     ranAt: b.ranAt,
     methodologyVersion: b.methodologyVersion,

package/dist/{chunk-EMMCE3LC.js → chunk-TTGWSGPC.js}

@@ -1,7 +1,7 @@
 import {
   CATEGORY_META,
   canonicalStringify
-} from "./chunk-X3P26XGS.js";
+} from "./chunk-CKQZFK77.js";
 
 // ../cli/src/litmus.ts
 import { existsSync } from "fs";
@@ -13,6 +13,7 @@ function formatBundle(b) {
   const lines = [];
   lines.push(`\u2192 ${b.methodologyVersion} \xB7 ${b.serverRef}`);
   if (b.resolvedVersion) lines.push(`\u2192 version ${b.resolvedVersion}`);
+  if (b.selfReportedVersion) lines.push(`\u2192 self-reported ${b.selfReportedVersion} (unverified)`);
   lines.push("\u2192 checks");
   const labelWidth = Math.max(0, ...b.categories.map((c) => CATEGORY_META[c.code].label.length));
   for (const c of b.categories) {
@@ -54,7 +55,7 @@ async function runLitmusCli(args) {
   const input = resolveTarget(target);
   const isStdio = typeof input !== "string" || !/^https?:\/\//i.test(input);
   const interactive = Boolean(process.stdin.isTTY && process.stdout.isTTY);
-  const probes = await import("./src-4L5VHLRF.js");
+  const probes = await import("./src-ZHTFCKNR.js");
   const dockerAvailable = isStdio && interactive ? await probes.isDockerAvailable() : false;
   const decision = checkHostExec(input, { optIn: unsafeHostExec, dockerAvailable, interactive });
   if (decision.action === "refuse") {

package/dist/cli-skill.js

@@ -5,8 +5,8 @@ import {
   runSkillLitmus,
   runSkillQuality,
   runSkillQualityJudged
-} from "./chunk-NPYDTMQ7.js";
-import "./chunk-X3P26XGS.js";
+} from "./chunk-OGOFUBLN.js";
+import "./chunk-CKQZFK77.js";
 
 // src/cli-skill.ts
 import { statSync } from "fs";

package/dist/cli.js

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 import {
   runLitmusCli
-} from "./chunk-EMMCE3LC.js";
+} from "./chunk-TTGWSGPC.js";
 import {
   parseServerRef,
   serverKey
-} from "./chunk-X3P26XGS.js";
+} from "./chunk-CKQZFK77.js";
 
 // src/cli.ts
 import { readFileSync } from "fs";

package/dist/index.d.ts

@@ -30,12 +30,14 @@ type Registry = "npm" | "pypi" | "github";
  *  not branch on it. */
 declare const METHODOLOGY_VERSION: "litmus-v5";
 /** Evidence-bundle format version (owned by onchain-proof-spec §2).
+ *  1.5.0 adds the optional `selfReportedVersion` field (the server's
+ *  self-asserted `serverInfo.version`, descriptive metadata only);
  *  1.4.0 adds the C-01 probe id `1.3` (second-order injection, litmus-v5);
  *  1.3.0 adds the optional C-04 category and the `internals-leak`/`crash` finding
  *  kinds (litmus-v4); 1.2.0 adds the optional `target.declaredEgress` field and
  *  the `egress-allowed` finding kind (litmus-v3); 1.1.0 adds
  *  `harness.stdioIsolation`; older remain valid. */
-declare const BUNDLE_SCHEMA_VERSION: "1.4.0";
+declare const BUNDLE_SCHEMA_VERSION: "1.5.0";
 type CategoryCode = "C-01" | "C-02" | "C-03" | "C-04";
 /**
  * Plain-English label + one-line description for each probe category, so CLI and
@@ -117,8 +119,15 @@ interface EvidenceBundle {
     methodologyVersion: string;
     /** Canonical, versionless identity (serverKey). */
     serverRef: string;
-    /** The exact version actually run. */
+    /** The exact version actually run — a re-fetchable pin (npm/pypi version,
+     *  skill commit). Null when the target has no such identity (remote URL,
+     *  unpinned ref). This is the reproducibility anchor. */
     resolvedVersion: string | null;
+    /** The version the server reports about *itself* in the MCP `initialize`
+     *  handshake (`serverInfo.version`). Self-asserted and operator-controlled —
+     *  descriptive metadata only, never a reproducibility anchor (cf.
+     *  resolvedVersion). Null when the server reports none. */
+    selfReportedVersion: string | null;
     target: TargetDescriptor;
     /** sha256 of the canonical tool surface → `0x` + 64 hex (bytes32). */
     toolDefsFingerprint: string;
@@ -255,6 +264,9 @@ interface ConnectedTarget {
     /** Canonical versionless identity (serverKey), the URL, or the command line. */
     serverRef: string;
     resolvedVersion: string | null;
+    /** The server's self-asserted `serverInfo.version` from the MCP handshake.
+     *  Descriptive metadata only (see EvidenceBundle.selfReportedVersion). */
+    selfReportedVersion: string | null;
     teardown: () => Promise<void>;
 }
 interface ConnectOptions {
@@ -421,6 +433,7 @@ declare function gradeFromCategories(categories: readonly CategoryResult[]): Gra
 interface BundleInput {
     serverRef: string;
     resolvedVersion: string | null;
+    selfReportedVersion: string | null;
     target: TargetDescriptor;
     toolDefsFingerprint: string;
     toolDefs: ToolDef[];

package/dist/index.js

@@ -31,11 +31,11 @@ import {
   skillAttestationFields,
   skillSchemaUID,
   verifySkillInputShape
-} from "./chunk-TK4EI66E.js";
+} from "./chunk-PTWDLGI5.js";
 import {
   parseAuthFlags,
   resolveTarget
-} from "./chunk-EMMCE3LC.js";
+} from "./chunk-TTGWSGPC.js";
 import {
   SKILL_BUNDLE_SCHEMA_VERSION,
   SKILL_CATEGORY_META,
@@ -71,7 +71,7 @@ import {
   skillInjectionFails,
   stateChangingToolNames,
   stripExamples
-} from "./chunk-NPYDTMQ7.js";
+} from "./chunk-OGOFUBLN.js";
 import {
   BUNDLE_SCHEMA_VERSION,
   CATEGORY_META,
@@ -86,7 +86,7 @@ import {
   parseSkillRef,
   serverKey,
   skillKey
-} from "./chunk-X3P26XGS.js";
+} from "./chunk-CKQZFK77.js";
 
 // ../agent/src/gate.ts
 function sameServer(a, b) {

package/dist/mcp.js

@@ -20,12 +20,12 @@ import {
   runSkillLitmusInputShape,
   verifyInputShape,
   verifySkillInputShape
-} from "./chunk-TK4EI66E.js";
-import "./chunk-EMMCE3LC.js";
+} from "./chunk-PTWDLGI5.js";
+import "./chunk-TTGWSGPC.js";
 import {
   judgeFromEnv
-} from "./chunk-NPYDTMQ7.js";
-import "./chunk-X3P26XGS.js";
+} from "./chunk-OGOFUBLN.js";
+import "./chunk-CKQZFK77.js";
 
 // src/mcp.ts
 import { realpathSync } from "fs";

package/dist/{src-4L5VHLRF.js → src-ZHTFCKNR.js}

@@ -33,8 +33,8 @@ import {
   skillInjectionFails,
   stateChangingToolNames,
   stripExamples
-} from "./chunk-NPYDTMQ7.js";
-import "./chunk-X3P26XGS.js";
+} from "./chunk-OGOFUBLN.js";
+import "./chunk-CKQZFK77.js";
 export {
   SKILL_BUNDLE_SCHEMA_VERSION,
   SKILL_CATEGORY_META,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@polygraphso/litmus",
-  "version": "0.11.0",
+  "version": "0.12.0",
   "description": "Behavioral litmus harness for MCP servers — grade a server A–F (tool-output injection, egress, sensitive-data, adversarial-input) with reproducible, content-addressed evidence. Ships a CLI and an MCP server with a run_litmus tool for AI agents.",
   "license": "Apache-2.0",
   "homepage": "https://polygraph.so",
@@ -66,8 +66,8 @@
     "@polygraph/onchain": "0.0.0",
     "@polygraph/agent": "0.0.0",
     "@polygraph/mcp": "0.0.0",
-    "@polygraph/cli": "0.0.0",
-    "@polygraph/probes": "0.0.0"
+    "@polygraph/probes": "0.0.0",
+    "@polygraph/cli": "0.0.0"
   },
   "publishConfig": {
     "access": "public"