npm - @polygraphso/litmus - Versions diffs - 0.11.0 → 0.12.1 - Mend

@polygraphso/litmus 0.11.0 → 0.12.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/README.md +5 -1
package/dist/{chunk-X3P26XGS.js → chunk-CKQZFK77.js} +1 -1
package/dist/{chunk-NPYDTMQ7.js → chunk-OGOFUBLN.js} +6 -1
package/dist/{chunk-TK4EI66E.js → chunk-PTWDLGI5.js} +6 -3
package/dist/{chunk-EMMCE3LC.js → chunk-TTGWSGPC.js} +3 -2
package/dist/cli-skill.js +2 -2
package/dist/cli.js +2 -2
package/dist/index.d.ts +15 -2
package/dist/index.js +4 -4
package/dist/mcp.js +4 -4
package/dist/{src-4L5VHLRF.js → src-ZHTFCKNR.js} +2 -2
package/package.json +5 -4

package/README.md CHANGED Viewed

@@ -109,7 +109,11 @@ claude mcp add polygraph-litmus -e POLYGRAPH_API_URL=https://polygraph.so \
   -- npx -y -p @polygraphso/litmus polygraphso-litmus-mcp
 ```
-**Claude Desktop** (`claude_desktop_config.json`) / **Cursor** (`~/.cursor/mcp.json`):
+**Cursor** — one-click install:
+[![Add polygraph-litmus to Cursor](https://cursor.com/deeplink/mcp-install-dark.svg)](cursor://anysphere.cursor-deeplink/mcp/install?name=polygraph-litmus&config=eyJjb21tYW5kIjoibnB4IiwiYXJncyI6WyIteSIsIi1wIiwiQHBvbHlncmFwaHNvL2xpdG11cyIsInBvbHlncmFwaHNvLWxpdG11cy1tY3AiXSwiZW52Ijp7IlBPTFlHUkFQSF9BUElfVVJMIjoiaHR0cHM6Ly9wb2x5Z3JhcGguc28ifX0=)
+Or wire it up by hand — **Claude Desktop** (`claude_desktop_config.json`) / **Cursor** (`~/.cursor/mcp.json`):
 ```json
 {

package/dist/{chunk-X3P26XGS.js → chunk-CKQZFK77.js} RENAMED Viewed

@@ -1,6 +1,6 @@
 // ../core/src/types.ts
 var METHODOLOGY_VERSION = "litmus-v5";
-var BUNDLE_SCHEMA_VERSION = "1.4.0";
+var BUNDLE_SCHEMA_VERSION = "1.5.0";
 var CATEGORY_META = {
   "C-01": { label: "tool-output injection", description: "whether it tries to hijack the caller through tool output" },
   "C-02": { label: "permission / egress overreach", description: "whether it reaches the network beyond what it declares" },

package/dist/{chunk-NPYDTMQ7.js → chunk-OGOFUBLN.js} RENAMED Viewed

@@ -3,7 +3,7 @@ import {
   METHODOLOGY_VERSION,
   parseServerRef,
   serverKey
-} from "./chunk-X3P26XGS.js";
+} from "./chunk-CKQZFK77.js";
 // ../probes/src/harness.ts
 import { execFile as execFile3 } from "child_process";
@@ -638,6 +638,9 @@ function makeResult(client, kind, descriptor, serverRef, resolvedVersion, teardo
     descriptor,
     serverRef,
     resolvedVersion,
+    // The server's self-reported identity from the initialize handshake. The SDK
+    // exposes it post-connect via getServerVersion(); absent/blank → null.
+    selfReportedVersion: client.getServerVersion()?.version ?? null,
     teardown: async () => {
       try {
         await client.close();
@@ -2018,6 +2021,7 @@ function assembleBundle(input) {
     methodologyVersion: METHODOLOGY_VERSION,
     serverRef: input.serverRef,
     resolvedVersion: input.resolvedVersion,
+    selfReportedVersion: input.selfReportedVersion,
     target: input.target,
     toolDefsFingerprint: input.toolDefsFingerprint,
     toolDefs: input.toolDefs,
@@ -2100,6 +2104,7 @@ async function runLitmus(target, opts = {}) {
       return assembleBundle({
         serverRef: conn.serverRef,
         resolvedVersion: conn.resolvedVersion,
+        selfReportedVersion: conn.selfReportedVersion,
         // Surface the server's declared egress in the bundle (disclosure: a
         // declaration is not exoneration — the consumer/agent-gate can judge).
         target: egress.declaredEgress.length ? { ...conn.descriptor, declaredEgress: egress.declaredEgress } : conn.descriptor,

package/dist/{chunk-TK4EI66E.js → chunk-PTWDLGI5.js} RENAMED Viewed

@@ -3,7 +3,7 @@ import {
   checkHostExec,
   parseAuthFlags,
   resolveTarget
-} from "./chunk-EMMCE3LC.js";
+} from "./chunk-TTGWSGPC.js";
 import {
   SKILL_CATEGORY_META,
   SKILL_METHODOLOGY_VERSION,
@@ -11,7 +11,7 @@ import {
   runSkillLitmus,
   runSkillQuality,
   runSkillQualityJudged
-} from "./chunk-NPYDTMQ7.js";
+} from "./chunk-OGOFUBLN.js";
 import {
   CATEGORY_META,
   CATEGORY_STATUS_UINT8,
@@ -20,7 +20,7 @@ import {
   parseSkillRef,
   serverKey,
   skillKey
-} from "./chunk-X3P26XGS.js";
+} from "./chunk-CKQZFK77.js";
 // ../onchain/src/networks.ts
 var NETWORKS = {
@@ -362,6 +362,9 @@ function summarize(b) {
     summary: b.gradeRationale,
     serverRef: b.serverRef,
     resolvedVersion: b.resolvedVersion,
+    // The server's self-asserted serverInfo.version — descriptive only, not a
+    // re-fetchable pin (cf. resolvedVersion). Null when the server reports none.
+    selfReportedVersion: b.selfReportedVersion,
     fingerprint: b.toolDefsFingerprint,
     ranAt: b.ranAt,
     methodologyVersion: b.methodologyVersion,

package/dist/{chunk-EMMCE3LC.js → chunk-TTGWSGPC.js} RENAMED Viewed

@@ -1,7 +1,7 @@
 import {
   CATEGORY_META,
   canonicalStringify
-} from "./chunk-X3P26XGS.js";
+} from "./chunk-CKQZFK77.js";
 // ../cli/src/litmus.ts
 import { existsSync } from "fs";
@@ -13,6 +13,7 @@ function formatBundle(b) {
   const lines = [];
   lines.push(`\u2192 ${b.methodologyVersion} \xB7 ${b.serverRef}`);
   if (b.resolvedVersion) lines.push(`\u2192 version ${b.resolvedVersion}`);
+  if (b.selfReportedVersion) lines.push(`\u2192 self-reported ${b.selfReportedVersion} (unverified)`);
   lines.push("\u2192 checks");
   const labelWidth = Math.max(0, ...b.categories.map((c) => CATEGORY_META[c.code].label.length));
   for (const c of b.categories) {
@@ -54,7 +55,7 @@ async function runLitmusCli(args) {
   const input = resolveTarget(target);
   const isStdio = typeof input !== "string" || !/^https?:\/\//i.test(input);
   const interactive = Boolean(process.stdin.isTTY && process.stdout.isTTY);
-  const probes = await import("./src-4L5VHLRF.js");
+  const probes = await import("./src-ZHTFCKNR.js");
   const dockerAvailable = isStdio && interactive ? await probes.isDockerAvailable() : false;
   const decision = checkHostExec(input, { optIn: unsafeHostExec, dockerAvailable, interactive });
   if (decision.action === "refuse") {

package/dist/cli-skill.js CHANGED Viewed

@@ -5,8 +5,8 @@ import {
   runSkillLitmus,
   runSkillQuality,
   runSkillQualityJudged
-} from "./chunk-NPYDTMQ7.js";
-import "./chunk-X3P26XGS.js";
+} from "./chunk-OGOFUBLN.js";
+import "./chunk-CKQZFK77.js";
 // src/cli-skill.ts
 import { statSync } from "fs";

package/dist/cli.js CHANGED Viewed

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 import {
   runLitmusCli
-} from "./chunk-EMMCE3LC.js";
+} from "./chunk-TTGWSGPC.js";
 import {
   parseServerRef,
   serverKey
-} from "./chunk-X3P26XGS.js";
+} from "./chunk-CKQZFK77.js";
 // src/cli.ts
 import { readFileSync } from "fs";

package/dist/index.d.ts CHANGED Viewed

@@ -30,12 +30,14 @@ type Registry = "npm" | "pypi" | "github";
  *  not branch on it. */
 declare const METHODOLOGY_VERSION: "litmus-v5";
 /** Evidence-bundle format version (owned by onchain-proof-spec §2).
+ *  1.5.0 adds the optional `selfReportedVersion` field (the server's
+ *  self-asserted `serverInfo.version`, descriptive metadata only);
  *  1.4.0 adds the C-01 probe id `1.3` (second-order injection, litmus-v5);
  *  1.3.0 adds the optional C-04 category and the `internals-leak`/`crash` finding
  *  kinds (litmus-v4); 1.2.0 adds the optional `target.declaredEgress` field and
  *  the `egress-allowed` finding kind (litmus-v3); 1.1.0 adds
  *  `harness.stdioIsolation`; older remain valid. */
-declare const BUNDLE_SCHEMA_VERSION: "1.4.0";
+declare const BUNDLE_SCHEMA_VERSION: "1.5.0";
 type CategoryCode = "C-01" | "C-02" | "C-03" | "C-04";
 /**
  * Plain-English label + one-line description for each probe category, so CLI and
@@ -117,8 +119,15 @@ interface EvidenceBundle {
     methodologyVersion: string;
     /** Canonical, versionless identity (serverKey). */
     serverRef: string;
-    /** The exact version actually run. */
+    /** The exact version actually run — a re-fetchable pin (npm/pypi version,
+     *  skill commit). Null when the target has no such identity (remote URL,
+     *  unpinned ref). This is the reproducibility anchor. */
     resolvedVersion: string | null;
+    /** The version the server reports about *itself* in the MCP `initialize`
+     *  handshake (`serverInfo.version`). Self-asserted and operator-controlled —
+     *  descriptive metadata only, never a reproducibility anchor (cf.
+     *  resolvedVersion). Null when the server reports none. */
+    selfReportedVersion: string | null;
     target: TargetDescriptor;
     /** sha256 of the canonical tool surface → `0x` + 64 hex (bytes32). */
     toolDefsFingerprint: string;
@@ -255,6 +264,9 @@ interface ConnectedTarget {
     /** Canonical versionless identity (serverKey), the URL, or the command line. */
     serverRef: string;
     resolvedVersion: string | null;
+    /** The server's self-asserted `serverInfo.version` from the MCP handshake.
+     *  Descriptive metadata only (see EvidenceBundle.selfReportedVersion). */
+    selfReportedVersion: string | null;
     teardown: () => Promise<void>;
 }
 interface ConnectOptions {
@@ -421,6 +433,7 @@ declare function gradeFromCategories(categories: readonly CategoryResult[]): Gra
 interface BundleInput {
     serverRef: string;
     resolvedVersion: string | null;
+    selfReportedVersion: string | null;
     target: TargetDescriptor;
     toolDefsFingerprint: string;
     toolDefs: ToolDef[];

package/dist/index.js CHANGED Viewed

@@ -31,11 +31,11 @@ import {
   skillAttestationFields,
   skillSchemaUID,
   verifySkillInputShape
-} from "./chunk-TK4EI66E.js";
+} from "./chunk-PTWDLGI5.js";
 import {
   parseAuthFlags,
   resolveTarget
-} from "./chunk-EMMCE3LC.js";
+} from "./chunk-TTGWSGPC.js";
 import {
   SKILL_BUNDLE_SCHEMA_VERSION,
   SKILL_CATEGORY_META,
@@ -71,7 +71,7 @@ import {
   skillInjectionFails,
   stateChangingToolNames,
   stripExamples
-} from "./chunk-NPYDTMQ7.js";
+} from "./chunk-OGOFUBLN.js";
 import {
   BUNDLE_SCHEMA_VERSION,
   CATEGORY_META,
@@ -86,7 +86,7 @@ import {
   parseSkillRef,
   serverKey,
   skillKey
-} from "./chunk-X3P26XGS.js";
+} from "./chunk-CKQZFK77.js";
 // ../agent/src/gate.ts
 function sameServer(a, b) {

package/dist/mcp.js CHANGED Viewed

@@ -20,12 +20,12 @@ import {
   runSkillLitmusInputShape,
   verifyInputShape,
   verifySkillInputShape
-} from "./chunk-TK4EI66E.js";
-import "./chunk-EMMCE3LC.js";
+} from "./chunk-PTWDLGI5.js";
+import "./chunk-TTGWSGPC.js";
 import {
   judgeFromEnv
-} from "./chunk-NPYDTMQ7.js";
-import "./chunk-X3P26XGS.js";
+} from "./chunk-OGOFUBLN.js";
+import "./chunk-CKQZFK77.js";
 // src/mcp.ts
 import { realpathSync } from "fs";

package/dist/{src-4L5VHLRF.js → src-ZHTFCKNR.js} RENAMED Viewed

@@ -33,8 +33,8 @@ import {
   skillInjectionFails,
   stateChangingToolNames,
   stripExamples
-} from "./chunk-NPYDTMQ7.js";
-import "./chunk-X3P26XGS.js";
+} from "./chunk-OGOFUBLN.js";
+import "./chunk-CKQZFK77.js";
 export {
   SKILL_BUNDLE_SCHEMA_VERSION,
   SKILL_CATEGORY_META,

package/package.json CHANGED Viewed

@@ -1,6 +1,7 @@
 {
   "name": "@polygraphso/litmus",
-  "version": "0.11.0",
+  "version": "0.12.1",
+  "mcpName": "io.github.polygraphso/litmus",
   "description": "Behavioral litmus harness for MCP servers — grade a server A–F (tool-output injection, egress, sensitive-data, adversarial-input) with reproducible, content-addressed evidence. Ships a CLI and an MCP server with a run_litmus tool for AI agents.",
   "license": "Apache-2.0",
   "homepage": "https://polygraph.so",
@@ -63,11 +64,11 @@
     "typescript": "^5.9.3",
     "vitest": "^2.1.0",
     "@polygraph/core": "0.0.0",
-    "@polygraph/onchain": "0.0.0",
+    "@polygraph/probes": "0.0.0",
     "@polygraph/agent": "0.0.0",
+    "@polygraph/onchain": "0.0.0",
     "@polygraph/mcp": "0.0.0",
-    "@polygraph/cli": "0.0.0",
-    "@polygraph/probes": "0.0.0"
+    "@polygraph/cli": "0.0.0"
   },
   "publishConfig": {
     "access": "public"