@polygraphso/litmus 0.12.1 → 0.13.0

package/README.md

@@ -1,5 +1,7 @@
 # @polygraphso/litmus
 
+[![polygraph](https://polygraph.so/api/badge?server=npm/@polygraphso/litmus)](https://polygraph.so/mcp/npm/@polygraphso/litmus)
+
 The behavioral **litmus** harness for MCP servers, from [polygraph.so](https://polygraph.so).
 
 It connects to an MCP server the way an agent would, fingerprints its exact tool
@@ -52,6 +54,19 @@ your host: set `LITMUS_STDIO_ISOLATION=docker` to run the target only inside the
 hardened sandbox, or pass `--unsafe-host-exec` to accept host execution. Remote
 `https://` targets run no local code and need neither.
 
+**Token-gated servers.** If a target is a token-gated `https://` server and you pass no
+`--bearer` / `--header` / `LITMUS_BEARER`, litmus — on the auth failure — looks for a token you
+already configured for that server (matched by URL in your MCP client config: project
+`.mcp.json` / `.cursor/mcp.json` / `.vscode/mcp.json`, or your Claude Code / Claude Desktop /
+Cursor config) and offers to reuse it. It is read-only, asks before sending, sends only to the
+target origin, and never prints the token. In non-interactive use, pass `--use-discovered-auth`
+to opt in without a prompt.
+
+If the server uses **OAuth** (no static token to reuse), litmus opens your browser to authorize,
+captures the token via a single-use `127.0.0.1` callback, and grades with it — used for that run
+only, never stored. This happens automatically on an interactive terminal; use `--oauth` /
+`--no-oauth` to force or skip it. From the `run_litmus` MCP tool, set `interactive_auth: true`.
+
 The `litmus` command exits non-zero on a failing grade (D/F), so it scripts in CI.
 
 To dispute a published grade, just re-run `litmus` against the same server: the harness is

package/dist/{chunk-OGOFUBLN.js → chunk-7HI2KPXH.js}

@@ -3,7 +3,7 @@ import {
   METHODOLOGY_VERSION,
   parseServerRef,
   serverKey
-} from "./chunk-CKQZFK77.js";
+} from "./chunk-IXX5YEBC.js";
 
 // ../probes/src/harness.ts
 import { execFile as execFile3 } from "child_process";
@@ -956,7 +956,25 @@ var STATE_CHANGING_VERBS = /* @__PURE__ */ new Set([
   "rename",
   "purchase",
   "checkout",
-  "order"
+  "order",
+  "submit",
+  "confirm",
+  "finalize",
+  "cancel",
+  "publish",
+  "share",
+  "invite",
+  "book",
+  "schedule",
+  "subscribe",
+  "unsubscribe",
+  "register",
+  "upload",
+  "email",
+  "enable",
+  "disable",
+  "archive",
+  "restore"
 ]);
 var UNAMBIGUOUS_DESTRUCTIVE_VERBS = /* @__PURE__ */ new Set([
   "delete",
@@ -1034,6 +1052,13 @@ function stateChangingToolNames(tools) {
   }
   return names;
 }
+function unsafeToExerciseToolNames(tools) {
+  const names = /* @__PURE__ */ new Set();
+  for (const t of tools) {
+    if (classifyTool(t).stateChanging || declarationMismatchV2(t) !== null) names.add(t.name);
+  }
+  return names;
+}
 function skippedNote(skipped) {
   return `${skipped.length} tool(s) skipped (state-changing; pass --allow-state-changing): ${skipped.join(", ")}`;
 }
@@ -2074,7 +2099,7 @@ async function runLitmus(target, opts = {}) {
         inputSchema: t.inputSchema ?? null,
         annotations: t.annotations
       }));
-      const stateChangingTools = stateChangingToolNames(annotated);
+      const stateChangingTools = unsafeToExerciseToolNames(annotated);
       const ctx = {
         client: conn.client,
         tools,
@@ -2639,6 +2664,7 @@ export {
   fingerprintToolDefs,
   classifyTool,
   stateChangingToolNames,
+  unsafeToExerciseToolNames,
   invisibleUnicode,
   instructionMimicry,
   markdownTricks,

package/dist/{chunk-PTWDLGI5.js → chunk-ERMA3J2T.js}

@@ -1,9 +1,11 @@
 import {
   DEFAULT_RUN_TIMEOUT_MS,
+  acquireOAuthToken,
   checkHostExec,
+  isAuthError,
   parseAuthFlags,
   resolveTarget
-} from "./chunk-TTGWSGPC.js";
+} from "./chunk-FFE6ZQPL.js";
 import {
   SKILL_CATEGORY_META,
   SKILL_METHODOLOGY_VERSION,
@@ -11,7 +13,7 @@ import {
   runSkillLitmus,
   runSkillQuality,
   runSkillQualityJudged
-} from "./chunk-OGOFUBLN.js";
+} from "./chunk-7HI2KPXH.js";
 import {
   CATEGORY_META,
   CATEGORY_STATUS_UINT8,
@@ -20,7 +22,7 @@ import {
   parseSkillRef,
   serverKey,
   skillKey
-} from "./chunk-CKQZFK77.js";
+} from "./chunk-IXX5YEBC.js";
 
 // ../onchain/src/networks.ts
 var NETWORKS = {
@@ -297,18 +299,20 @@ var RUN_LITMUS_TOOL_DESCRIPTION = [
   "",
   "server_ref examples: npm/@modelcontextprotocol/server-filesystem \xB7",
   "https://example.com/mcp \xB7 ./build/index.js. For a token-gated https:// target,",
-  "pass `bearer`. If Docker is unavailable, C-02 is skipped and the grade is capped",
-  "at B for that run."
+  "pass `bearer`; for an OAuth-gated one, set `interactive_auth: true` to open a",
+  "browser and authorize. If Docker is unavailable, C-02 is skipped and the grade is",
+  "capped at B for that run."
 ].join("\n");
 var runLitmusInputShape = {
   server_ref: z.string().min(1).max(512).describe("What to grade: a registry ref (npm/@scope/server), an https:// MCP URL, or a local path to an MCP entry file."),
   bearer: z.string().min(1).max(8192).optional().describe("Bearer token for a token-gated https:// MCP server. Sent as `Authorization: Bearer <token>` to the target origin only. Ignored for stdio/local targets."),
   header: z.array(z.string()).max(20).optional().describe('Extra HTTP headers for a gated https:// target, each "Key: Value" (e.g. "X-Api-Key: \u2026"). Overrides the bearer-derived Authorization for the same key. Ignored for stdio/local targets.'),
   unsafe_host_exec: z.boolean().optional().describe("Required to grade a registry ref or local path: it launches the target's own code, and without Docker isolation that runs on THIS host. Set true to accept host execution. Ignored for https:// targets or when LITMUS_STDIO_ISOLATION=docker."),
-  timeout_seconds: z.number().int().positive().max(3600).optional().describe("Aggregate wall-clock ceiling for the whole run, in seconds (default 900). Bounds a hostile server that stretches the run across many tools/probes.")
+  timeout_seconds: z.number().int().positive().max(3600).optional().describe("Aggregate wall-clock ceiling for the whole run, in seconds (default 900). Bounds a hostile server that stretches the run across many tools/probes."),
+  interactive_auth: z.boolean().optional().describe("If a token-gated https:// target uses OAuth, open a browser on THIS machine to authorize and grade with the obtained token (used for this run only, never stored). Default false: without it, an OAuth-gated target returns guidance instead of opening a browser. Ignored for stdio/local targets or when a bearer/header is supplied.")
 };
 var PROGRESS_TOTAL = 5;
-async function handleRunLitmus({ server_ref, bearer, header, unsafe_host_exec, timeout_seconds }, extra) {
+async function handleRunLitmus({ server_ref, bearer, header, unsafe_host_exec, timeout_seconds, interactive_auth }, extra) {
   try {
     const argv = [
       ...bearer ? ["--bearer", bearer] : [],
@@ -331,11 +335,39 @@ async function handleRunLitmus({ server_ref, bearer, header, unsafe_host_exec, t
       params: { progressToken, progress, total: PROGRESS_TOTAL, message }
     }) : void 0;
     sendProgress?.(0, `Connecting to ${server_ref}\u2026`);
-    const bundle = await runLitmus(input, {
-      ...Object.keys(headers).length ? { headers } : {},
+    const runOpts = {
       timeoutMs: timeout_seconds ? timeout_seconds * 1e3 : DEFAULT_RUN_TIMEOUT_MS,
       ...sendProgress ? { onProgress: (done, _total, label) => sendProgress(done, label) } : {}
-    });
+    };
+    const isHttp = typeof input === "string" && /^https?:\/\//i.test(input);
+    const hasExplicitAuth = Object.keys(headers).length > 0;
+    let bundle;
+    try {
+      bundle = await runLitmus(input, { ...hasExplicitAuth ? { headers } : {}, ...runOpts });
+    } catch (err) {
+      if (!(isHttp && !hasExplicitAuth && isAuthError(err))) throw err;
+      if (!interactive_auth) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: `${server_ref} is token-gated and appears to use OAuth. Re-run with "interactive_auth": true \u2014 a browser window will open on this machine to log in \u2014 or grade it from the \`polygraphso litmus\` CLI.`
+            }
+          ]
+        };
+      }
+      sendProgress?.(0, "Opening your browser to authorize\u2026");
+      const token = await acquireOAuthToken(input, {
+        onAuthUrl: (u) => sendProgress?.(0, `Authorize in your browser: ${u}`)
+      });
+      if (!token) {
+        return {
+          isError: true,
+          content: [{ type: "text", text: `run_litmus failed: could not obtain an OAuth token for ${server_ref} (declined, timed out, or not an OAuth server).` }]
+        };
+      }
+      bundle = await runLitmus(input, { headers: { Authorization: `Bearer ${token}` }, ...runOpts });
+    }
     const payload = summarize(bundle);
     return { content: [{ type: "text", text: JSON.stringify(payload, null, 2) }] };
   } catch (err) {

package/dist/chunk-FFE6ZQPL.js

@@ -0,0 +1,524 @@
+import {
+  CATEGORY_META,
+  canonicalStringify
+} from "./chunk-IXX5YEBC.js";
+
+// ../cli/src/litmus.ts
+import { existsSync as existsSync2 } from "fs";
+import { createRequire } from "module";
+import * as path2 from "path";
+
+// ../cli/src/format.ts
+function formatBundle(b) {
+  const lines = [];
+  lines.push(`\u2192 ${b.methodologyVersion} \xB7 ${b.serverRef}`);
+  if (b.resolvedVersion) lines.push(`\u2192 version ${b.resolvedVersion}`);
+  if (b.selfReportedVersion) lines.push(`\u2192 self-reported ${b.selfReportedVersion} (unverified)`);
+  lines.push("\u2192 checks");
+  const labelWidth = Math.max(0, ...b.categories.map((c) => CATEGORY_META[c.code].label.length));
+  for (const c of b.categories) {
+    const { label, description } = CATEGORY_META[c.code];
+    lines.push(`    ${c.code}  ${label.padEnd(labelWidth)}  ${c.status}`);
+    lines.push(`          ${description}`);
+  }
+  const c01 = b.categories.find((c) => c.code === "C-01");
+  if (c01?.status === "fail") {
+    const highs = c01.probes.flatMap((p) => p.findings).filter((f) => f.severity === "high");
+    for (const f of highs.slice(0, 3)) {
+      lines.push(`   \u26A0 ${f.tool ?? "?"}: ${f.kind} \u2014 ${truncate(f.match, 64)}`);
+    }
+  }
+  lines.push(`\u2192 fingerprint ${shortFp(b.toolDefsFingerprint)}`);
+  lines.push(`\u2192 grade: ${b.grade}`);
+  lines.push(`   ${b.gradeRationale}`);
+  return lines.join("\n") + "\n";
+}
+function shortFp(fp) {
+  return fp.length > 14 ? `${fp.slice(0, 6)}\u2026${fp.slice(-4)}` : fp;
+}
+function truncate(s, n) {
+  return s.length > n ? `${s.slice(0, n)}\u2026` : s;
+}
+
+// ../cli/src/mcp-config.ts
+import { existsSync, readFileSync } from "fs";
+import { homedir } from "os";
+import * as path from "path";
+function normalizeUrl(u) {
+  try {
+    const url = new URL(u);
+    let pathname = url.pathname;
+    if (pathname.length > 1 && pathname.endsWith("/")) pathname = pathname.slice(0, -1);
+    return `${url.protocol.toLowerCase()}//${url.host.toLowerCase()}${pathname}`;
+  } catch {
+    return u;
+  }
+}
+function resolveEnvPlaceholders(value, env) {
+  return value.replace(/\$\{(?:env:)?([A-Za-z_][A-Za-z0-9_]*)\}/g, (_m, name) => env[name] ?? "");
+}
+function collectServerEntries(config) {
+  const out = [];
+  if (!config || typeof config !== "object") return out;
+  const c = config;
+  for (const key of ["mcpServers", "servers"]) {
+    const map = c[key];
+    if (map && typeof map === "object") out.push(...Object.values(map));
+  }
+  const projects = c.projects;
+  if (projects && typeof projects === "object") {
+    for (const proj of Object.values(projects)) out.push(...collectServerEntries(proj));
+  }
+  return out;
+}
+function extractMatchingHeaders(config, targetUrl, env) {
+  const target = normalizeUrl(targetUrl);
+  for (const entry of collectServerEntries(config)) {
+    if (typeof entry.url !== "string" || normalizeUrl(entry.url) !== target) continue;
+    if (!entry.headers || typeof entry.headers !== "object") continue;
+    const headers = {};
+    for (const [k, v] of Object.entries(entry.headers)) {
+      if (typeof v === "string") headers[k] = resolveEnvPlaceholders(v, env);
+    }
+    if (Object.keys(headers).length > 0) return headers;
+  }
+  return null;
+}
+function candidateConfigPaths(cwd, home) {
+  return [
+    path.join(cwd, ".mcp.json"),
+    path.join(cwd, ".cursor", "mcp.json"),
+    path.join(cwd, ".vscode", "mcp.json"),
+    path.join(home, ".claude.json"),
+    path.join(home, "Library", "Application Support", "Claude", "claude_desktop_config.json"),
+    path.join(home, ".cursor", "mcp.json")
+  ];
+}
+function resolveHeadersFromClientConfig(targetUrl, opts = {}) {
+  const cwd = opts.cwd ?? process.cwd();
+  const home = opts.home ?? homedir();
+  const env = opts.env ?? process.env;
+  const read = opts.readFile ?? ((p) => existsSync(p) ? safeRead(p) : null);
+  for (const file of candidateConfigPaths(cwd, home)) {
+    const raw = read(file);
+    if (!raw) continue;
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch {
+      continue;
+    }
+    const headers = extractMatchingHeaders(parsed, targetUrl, env);
+    if (headers) return { headers, source: file };
+  }
+  return null;
+}
+function isAuthError(err) {
+  const msg = (err instanceof Error ? err.message : String(err)).toLowerCase();
+  return /\b40[13]\b/.test(msg) || msg.includes("unauthor") || msg.includes("forbidden") || msg.includes("invalid_token") || msg.includes("invalid token") || msg.includes("www-authenticate") || msg.includes("no authorization");
+}
+function safeRead(p) {
+  try {
+    return readFileSync(p, "utf8");
+  } catch {
+    return null;
+  }
+}
+
+// ../cli/src/oauth.ts
+import { createServer } from "http";
+import { execFile } from "child_process";
+import { randomUUID } from "crypto";
+import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
+import { UnauthorizedError } from "@modelcontextprotocol/sdk/client/auth.js";
+var CALLBACK_PATH = "/callback";
+var DEFAULT_TIMEOUT_MS = 3 * 60 * 1e3;
+var CLIENT_NAME = "polygraph-litmus";
+var SUCCESS_HTML = '<!doctype html><meta charset="utf-8"><title>polygraph</title><body style="font-family:system-ui;padding:2rem;max-width:32rem"><h3>Authorization received</h3><p>You can close this tab and return to the terminal.</p></body>';
+var LoopbackOAuthProvider = class {
+  constructor(_redirectUrl, _onRedirect, _clientName = CLIENT_NAME) {
+    this._redirectUrl = _redirectUrl;
+    this._onRedirect = _onRedirect;
+    this._clientName = _clientName;
+  }
+  _redirectUrl;
+  _onRedirect;
+  _clientName;
+  /** CSRF state, generated once; validated against the callback's `state`. */
+  issuedState = randomUUID();
+  _clientInfo;
+  _codeVerifier;
+  _tokens;
+  get redirectUrl() {
+    return this._redirectUrl;
+  }
+  get clientMetadata() {
+    return {
+      client_name: this._clientName,
+      redirect_uris: [this._redirectUrl],
+      token_endpoint_auth_method: "none",
+      grant_types: ["authorization_code", "refresh_token"],
+      response_types: ["code"]
+    };
+  }
+  state() {
+    return this.issuedState;
+  }
+  clientInformation() {
+    return this._clientInfo;
+  }
+  saveClientInformation(info) {
+    this._clientInfo = info;
+  }
+  tokens() {
+    return this._tokens;
+  }
+  saveTokens(tokens) {
+    this._tokens = tokens;
+  }
+  saveCodeVerifier(verifier) {
+    this._codeVerifier = verifier;
+  }
+  codeVerifier() {
+    if (!this._codeVerifier) throw new Error("PKCE code verifier missing");
+    return this._codeVerifier;
+  }
+  redirectToAuthorization(authorizationUrl) {
+    return this._onRedirect(authorizationUrl);
+  }
+};
+function parseCallbackParams(reqUrl) {
+  let u;
+  try {
+    u = new URL(reqUrl, "http://127.0.0.1");
+  } catch {
+    return null;
+  }
+  if (u.pathname !== CALLBACK_PATH) return null;
+  const code = u.searchParams.get("code");
+  if (!code) return null;
+  return { code, state: u.searchParams.get("state") };
+}
+function startCallbackServer() {
+  return new Promise((resolve2) => {
+    let pending;
+    let deliver = null;
+    let timer = null;
+    const server = createServer((req, res) => {
+      const parsed = req.url ? parseCallbackParams(req.url) : null;
+      if (!parsed) {
+        res.writeHead(404, { "content-type": "text/plain" });
+        res.end("not found");
+        return;
+      }
+      res.writeHead(200, { "content-type": "text/html" });
+      res.end(SUCCESS_HTML);
+      if (deliver) deliver(parsed);
+      else pending = parsed;
+    });
+    server.listen(0, "127.0.0.1", () => {
+      const addr = server.address();
+      const port = typeof addr === "object" && addr ? addr.port : 0;
+      resolve2({
+        redirectUrl: `http://127.0.0.1:${port}${CALLBACK_PATH}`,
+        waitForCode(timeoutMs) {
+          if (pending !== void 0) {
+            const r = pending;
+            pending = void 0;
+            return Promise.resolve(r);
+          }
+          return new Promise((res2) => {
+            timer = setTimeout(() => {
+              deliver = null;
+              timer = null;
+              res2(null);
+            }, timeoutMs);
+            deliver = (r) => {
+              if (timer) clearTimeout(timer);
+              timer = null;
+              res2(r);
+            };
+          });
+        },
+        close() {
+          if (timer) clearTimeout(timer);
+          timer = null;
+          deliver = null;
+          server.close();
+        }
+      });
+    });
+  });
+}
+function defaultOpenBrowser(url) {
+  const [cmd, args] = process.platform === "darwin" ? ["open", [url]] : process.platform === "win32" ? ["cmd", ["/c", "start", "", url]] : ["xdg-open", [url]];
+  execFile(cmd, args, () => {
+  });
+}
+async function acquireOAuthToken(targetUrl, opts = {}) {
+  const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  const openBrowser = opts.openBrowser ?? defaultOpenBrowser;
+  const server = await startCallbackServer();
+  const provider = new LoopbackOAuthProvider(
+    server.redirectUrl,
+    async (url) => {
+      opts.onAuthUrl?.(url.toString());
+      await openBrowser(url.toString());
+    },
+    opts.clientName
+  );
+  const transport = new StreamableHTTPClientTransport(new URL(targetUrl), { authProvider: provider });
+  const client = new Client({ name: CLIENT_NAME, version: "0.0.0" }, {});
+  try {
+    try {
+      await client.connect(transport);
+      return (await provider.tokens())?.access_token ?? null;
+    } catch (err) {
+      if (!(err instanceof UnauthorizedError)) return null;
+    }
+    const cb = await server.waitForCode(timeoutMs);
+    if (!cb || cb.state !== provider.issuedState) return null;
+    await transport.finishAuth(cb.code);
+    return (await provider.tokens())?.access_token ?? null;
+  } catch {
+    return null;
+  } finally {
+    server.close();
+    await transport.close().catch(() => {
+    });
+    await client.close().catch(() => {
+    });
+  }
+}
+
+// ../cli/src/litmus.ts
+var DEFAULT_RUN_TIMEOUT_MS = 15 * 60 * 1e3;
+async function runLitmusCli(args) {
+  const json = args.includes("--json");
+  const useDiscoveredAuth = args.includes("--use-discovered-auth");
+  const oauthFlag = args.includes("--oauth");
+  const noOauth = args.includes("--no-oauth");
+  const { headers, allowStateChanging, unsafeHostExec, timeoutMs, positionals } = parseAuthFlags(args);
+  const target = positionals[0];
+  if (!target) {
+    process.stderr.write(
+      'usage: polygraphso litmus [--json] [--bearer <token>] [--header "Key: Value"] [--allow-state-changing] [--unsafe-host-exec] [--use-discovered-auth] [--oauth | --no-oauth] [--timeout <seconds>] <registry-ref | https-url | path-to-mcp>\n'
+    );
+    return 2;
+  }
+  const input = resolveTarget(target);
+  const isStdio = typeof input !== "string" || !/^https?:\/\//i.test(input);
+  const interactive = Boolean(process.stdin.isTTY && process.stdout.isTTY);
+  const probes = await import("./src-I63MJGJE.js");
+  const dockerAvailable = isStdio && interactive ? await probes.isDockerAvailable() : false;
+  const decision = checkHostExec(input, { optIn: unsafeHostExec, dockerAvailable, interactive });
+  if (decision.action === "refuse") {
+    process.stderr.write(`\u2192 litmus: ${decision.refuse}
+`);
+    return 2;
+  }
+  if (decision.action === "confirm" && !await promptYesNo(decision.prompt, decision.defaultYes)) {
+    process.stderr.write("\u2192 litmus: cancelled.\n");
+    return 2;
+  }
+  const isolation = decision.isolation;
+  if (decision.warn) process.stderr.write(`\u2192 ${decision.warn}
+`);
+  if (!json) process.stderr.write(`\u2192 running litmus against ${target} \u2026 (~20\u201360s)
+`);
+  const onProgress = (done, total, label) => {
+    if (!json) process.stderr.write(`  \u2192 [${done}/${total}] ${label}
+`);
+  };
+  const runOnce = async (effectiveHeaders) => {
+    const bundle = await probes.runLitmus(input, {
+      headers: effectiveHeaders,
+      allowStateChanging,
+      timeoutMs,
+      onProgress,
+      ...isolation ? { isolation } : {}
+    });
+    process.stdout.write(json ? canonicalStringify(bundle) + "\n" : formatBundle(bundle));
+    return bundle.grade === "D" || bundle.grade === "F" ? 1 : 0;
+  };
+  try {
+    return await runOnce(headers);
+  } catch (err) {
+    const targetUrl = typeof input === "string" && /^https?:\/\//i.test(input) ? input : null;
+    const hasExplicitAuth = Object.keys(headers).length > 0;
+    if (targetUrl && !hasExplicitAuth && isAuthError(err)) {
+      const found = resolveHeadersFromClientConfig(targetUrl);
+      if (found && (interactive || useDiscoveredAuth)) {
+        const proceed = useDiscoveredAuth || await promptYesNo(
+          `\u2192 Found a token for ${targetUrl} in ${found.source}.
+  Grading will make live, authenticated tool calls to that server AS YOU (read-only tools only).
+  Use it? [y/N] `,
+          false
+        );
+        if (proceed) {
+          try {
+            return await runOnce(found.headers);
+          } catch (err2) {
+            process.stderr.write(`\u2192 litmus failed: ${err2 instanceof Error ? err2.message : String(err2)}
+`);
+            return 1;
+          }
+        }
+      } else if (!found) {
+        if (interactive && !noOauth || oauthFlag) {
+          process.stderr.write(`\u2192 ${targetUrl} is token-gated \u2014 opening your browser to authorize\u2026
+`);
+          const token = await acquireOAuthToken(targetUrl, {
+            onAuthUrl: (u) => process.stderr.write(`  \u2192 if your browser didn't open, visit:
+    ${u}
+`)
+          });
+          if (token) {
+            try {
+              return await runOnce({ Authorization: `Bearer ${token}` });
+            } catch (err2) {
+              process.stderr.write(`\u2192 litmus failed: ${err2 instanceof Error ? err2.message : String(err2)}
+`);
+              return 1;
+            }
+          }
+        }
+        process.stderr.write(
+          `\u2192 ${targetUrl} is token-gated. litmus connects as a fresh client, so it needs the
+  same bearer token your agent already uses for this server. Pass it with
+  --bearer <token> or set LITMUS_BEARER.
+`
+        );
+        return 2;
+      }
+    }
+    process.stderr.write(`\u2192 litmus failed: ${err instanceof Error ? err.message : String(err)}
+`);
+    return 1;
+  }
+}
+async function promptYesNo(prompt, defaultYes) {
+  const { createInterface } = await import("readline/promises");
+  const rl = createInterface({ input: process.stdin, output: process.stderr });
+  try {
+    return isAffirmative(await rl.question(prompt), defaultYes);
+  } finally {
+    rl.close();
+  }
+}
+function parseAuthFlags(args, env = process.env) {
+  const headers = {};
+  const headerArgs = [];
+  let allowStateChanging = false;
+  let unsafeHostExec = false;
+  let timeoutMs = DEFAULT_RUN_TIMEOUT_MS;
+  let bearer = env.LITMUS_BEARER || void 0;
+  const positionals = [];
+  for (let i = 0; i < args.length; i++) {
+    const a = args[i];
+    if (a === "--json") continue;
+    if (a === "--allow-state-changing") {
+      allowStateChanging = true;
+    } else if (a === "--unsafe-host-exec") {
+      unsafeHostExec = true;
+    } else if (a === "--timeout") {
+      timeoutMs = timeoutSecondsToMs(args[++i]) ?? timeoutMs;
+    } else if (a.startsWith("--timeout=")) {
+      timeoutMs = timeoutSecondsToMs(a.slice("--timeout=".length)) ?? timeoutMs;
+    } else if (a === "--bearer") {
+      bearer = args[++i] ?? bearer;
+    } else if (a.startsWith("--bearer=")) {
+      bearer = a.slice("--bearer=".length);
+    } else if (a === "--header") {
+      const v = args[++i];
+      if (v) headerArgs.push(v);
+    } else if (a.startsWith("--header=")) {
+      headerArgs.push(a.slice("--header=".length));
+    } else if (a.startsWith("--")) {
+    } else {
+      positionals.push(a);
+    }
+  }
+  if (bearer) headers["Authorization"] = `Bearer ${bearer}`;
+  for (const h of headerArgs) {
+    const idx = h.indexOf(":");
+    if (idx === -1) continue;
+    const key = h.slice(0, idx).trim();
+    const value = h.slice(idx + 1).trim();
+    if (key) headers[key] = value;
+  }
+  return { headers, allowStateChanging, unsafeHostExec, timeoutMs, positionals };
+}
+function timeoutSecondsToMs(v) {
+  if (!v) return void 0;
+  const sec = Number(v);
+  return Number.isFinite(sec) && sec > 0 ? Math.floor(sec * 1e3) : void 0;
+}
+function checkHostExec(input, gate) {
+  const { optIn, dockerAvailable, interactive, optInHint = "--unsafe-host-exec", env = process.env } = gate;
+  const isStdio = typeof input !== "string" || !/^https?:\/\//i.test(input);
+  if (!isStdio) return { action: "allow" };
+  if (env.LITMUS_STDIO_ISOLATION === "docker") return { action: "allow", isolation: "docker" };
+  const why = "this launches the target's own code; without Docker isolation it runs on THIS host";
+  const warn = `\u26A0 unsafe host execution \u2014 ${why}.`;
+  if (optIn) return { action: "allow", isolation: "none", warn };
+  if (interactive) {
+    if (dockerAvailable) {
+      return {
+        action: "confirm",
+        isolation: "docker",
+        defaultYes: true,
+        prompt: "Docker detected \u2014 the target will run sandboxed (recommended). Proceed? [Y/n] "
+      };
+    }
+    return {
+      action: "confirm",
+      isolation: "none",
+      defaultYes: false,
+      prompt: `No Docker found \u2014 this would run the target's own code on THIS host, unsandboxed.
+  Type "yes" to proceed, or set LITMUS_STDIO_ISOLATION=docker to sandbox: `,
+      warn
+    };
+  }
+  return {
+    action: "refuse",
+    refuse: `refusing host execution \u2014 ${why}.
+  \u2022 sandboxed (recommended): set LITMUS_STDIO_ISOLATION=docker (requires Docker)
+  \u2022 accept the risk: re-run with ${optInHint}`
+  };
+}
+function isAffirmative(answer, defaultYes) {
+  const a = answer.trim().toLowerCase();
+  if (a === "") return defaultYes;
+  return a === "y" || a === "yes";
+}
+function resolveTarget(target) {
+  if (/^https?:\/\//i.test(target)) return target;
+  if (existsSync2(target)) {
+    const abs = path2.resolve(target);
+    if (abs.endsWith(".ts") || abs.endsWith(".mts") || abs.endsWith(".cts")) {
+      return { command: process.execPath, args: [tsxCli(), abs], serverRef: target };
+    }
+    return { command: process.execPath, args: [abs], serverRef: target };
+  }
+  return target;
+}
+function tsxCli() {
+  const require2 = createRequire(import.meta.url);
+  const pkgJsonPath = require2.resolve("tsx/package.json");
+  const dir = path2.dirname(pkgJsonPath);
+  const bin = require2(pkgJsonPath).bin;
+  const rel = typeof bin === "string" ? bin : bin.tsx ?? "./dist/cli.mjs";
+  return path2.join(dir, rel);
+}
+
+export {
+  isAuthError,
+  acquireOAuthToken,
+  DEFAULT_RUN_TIMEOUT_MS,
+  runLitmusCli,
+  parseAuthFlags,
+  checkHostExec,
+  resolveTarget
+};

package/dist/{chunk-CKQZFK77.js → chunk-IXX5YEBC.js}

@@ -1,5 +1,5 @@
 // ../core/src/types.ts
-var METHODOLOGY_VERSION = "litmus-v5";
+var METHODOLOGY_VERSION = "litmus-v6";
 var BUNDLE_SCHEMA_VERSION = "1.5.0";
 var CATEGORY_META = {
   "C-01": { label: "tool-output injection", description: "whether it tries to hijack the caller through tool output" },

package/dist/cli-skill.js

@@ -5,8 +5,8 @@ import {
   runSkillLitmus,
   runSkillQuality,
   runSkillQualityJudged
-} from "./chunk-OGOFUBLN.js";
-import "./chunk-CKQZFK77.js";
+} from "./chunk-7HI2KPXH.js";
+import "./chunk-IXX5YEBC.js";
 
 // src/cli-skill.ts
 import { statSync } from "fs";

package/dist/cli.js

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 import {
   runLitmusCli
-} from "./chunk-TTGWSGPC.js";
+} from "./chunk-FFE6ZQPL.js";
 import {
   parseServerRef,
   serverKey
-} from "./chunk-CKQZFK77.js";
+} from "./chunk-IXX5YEBC.js";
 
 // src/cli.ts
 import { readFileSync } from "fs";

package/dist/index.d.ts

@@ -26,9 +26,11 @@ type Registry = "npm" | "pypi" | "github";
  *  declared/baseline host is permitted; only egress beyond that union fails — "A"
  *  means "no overreach", not "no network"); v2 added probe 2.1. A pass/fail-
  *  semantics change → version bumps per litmus-test §8. The version is a string
- *  field on the attestation, so v1–v5 attestations coexist and the agent gate does
- *  not branch on it. */
-declare const METHODOLOGY_VERSION: "litmus-v5";
+ *  field on the attestation, so v1–v6 attestations coexist and the agent gate does
+ *  not branch on it. v6 widens the default tool-safety skip set: a tool that claims
+ *  read-only but evidences mutation is no longer actively exercised, which can
+ *  change which tools are probed (hence the grade) on such servers. */
+declare const METHODOLOGY_VERSION: "litmus-v6";
 /** Evidence-bundle format version (owned by onchain-proof-spec §2).
  *  1.5.0 adds the optional `selfReportedVersion` field (the server's
  *  self-asserted `serverInfo.version`, descriptive metadata only);
@@ -775,6 +777,16 @@ interface ToolSafety {
 declare function classifyTool(tool: ToolSafetyInput): ToolSafety;
 /** Names of the tools in a surface that are state-changing (skipped by default). */
 declare function stateChangingToolNames(tools: readonly ToolSafetyInput[]): Set<string>;
+/**
+ * Names of tools that must NOT be actively bait-called by default — the union of
+ * (a) tools classified state-changing ({@link classifyTool}) and (b) tools that
+ * claim `readOnlyHint:true` but evidence mutation ({@link declarationMismatchV2}).
+ * (b) closes the gap where a server gets a destructive tool exercised by lying
+ * about it: the lie is still scored (C-02 2.1), and here it also removes the tool
+ * from active exercise. `--allow-state-changing` overrides this (it accepts side
+ * effects), so the union only gates the default path.
+ */
+declare function unsafeToExerciseToolNames(tools: readonly ToolSafetyInput[]): Set<string>;
 
 /** What every probe receives: the live client, the tool surface, planted canaries. */
 interface ProbeContext {
@@ -1026,13 +1038,15 @@ declare const runLitmusInputShape: {
     header: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
     unsafe_host_exec: z.ZodOptional<z.ZodBoolean>;
     timeout_seconds: z.ZodOptional<z.ZodNumber>;
+    interactive_auth: z.ZodOptional<z.ZodBoolean>;
 };
-declare function handleRunLitmus({ server_ref, bearer, header, unsafe_host_exec, timeout_seconds }: {
+declare function handleRunLitmus({ server_ref, bearer, header, unsafe_host_exec, timeout_seconds, interactive_auth }: {
     server_ref: string;
     bearer?: string;
     header?: string[];
     unsafe_host_exec?: boolean;
     timeout_seconds?: number;
+    interactive_auth?: boolean;
 }, extra: RequestHandlerExtra<ServerRequest, ServerNotification>): Promise<{
     isError: true;
     content: {
@@ -1114,6 +1128,7 @@ declare function handleVerifySkill({ skill_ref }: {
  * harness locally and print the grade. The heavy harness (`@polygraph/probes`)
  * is loaded lazily so the zero-dep `check`/`list` fast path stays intact.
  */
+
 type StdioCommand = {
     command: string;
     args: string[];
@@ -1143,4 +1158,4 @@ declare function parseAuthFlags(args: readonly string[], env?: NodeJS.ProcessEnv
 /** A target is an https URL, a local MCP entry file, or a registry ref. */
 declare function resolveTarget(target: string): string | StdioCommand;
 
-export { type AttestationView, BUNDLE_SCHEMA_VERSION, type BundleInput, CATEGORY_META, CATEGORY_STATUS_UINT8, type CategoryCode, type CategoryResult, type CategoryStatus, type ConnectOptions, type ConnectedTarget, DEFAULT_PASSING, type EvidenceBundle, type Finding, type FindingKind, type FingerprintResult, type GateAction, type GateDecision, type Grade, type HarnessInfo, type Judge, type JudgeOptions, type JudgedQuality, LITMUS_SCHEMA, LITMUS_SKILL_SCHEMA, type ListToolsClient, type LitmusAttestationFields, type LitmusGrade, type RunLitmusOptions as LitmusOptions, type LoadedSkill, METHODOLOGY_VERSION, NETWORKS, type Network, type NetworkConfig, type OnchainLitmusAttestation, type OnchainSkillAttestation, type OpenAICompatConfig, type ParsedLitmusFlags, type ParsedServerRef, type ParsedSkillRef, type ProbeContext, type ProbeId, type ProbeResult, type ProbeStatus, type QualityBundle, type QualityCheck, type QualityCheckStatus, type QualityVerdict, RUN_LITMUS_TOOL_DESCRIPTION, RUN_LITMUS_TOOL_NAME, RUN_LITMUS_TOOL_TITLE, RUN_SKILL_LITMUS_TOOL_DESCRIPTION, RUN_SKILL_LITMUS_TOOL_NAME, RUN_SKILL_LITMUS_TOOL_TITLE, type Registry, type RunLitmusOptions, type RunSkillLitmusOptions, type RunSkillQualityOptions, SKILL_BUNDLE_SCHEMA_VERSION, SKILL_CATEGORY_META, SKILL_METHODOLOGY_VERSION, SKILL_QUALITY_VERSION, ServerRefParseError, type Severity, type SkillAttestationFields, type SkillCategoryCode, type SkillCategoryResult, type SkillEvidenceBundle, type SkillFile, type SkillGrade, type SkillGradeForAttestation, SkillLoadError, SkillRefParseError, type SkillSource, type StdioCommand, type TargetDescriptor, type TargetInput, type TargetKind, type ToolAnnotations, type ToolDef, type ToolSafety, VERIFY_SKILL_TOOL_DESCRIPTION, VERIFY_SKILL_TOOL_NAME, VERIFY_SKILL_TOOL_TITLE, assembleBundle, canaryMatch, canonicalStringify, classifyTool, connectTarget, dangerousCommand, decodeLitmusAttestation, decodeSkillAttestation, encodeLitmusAttestation, encodeSkillAttestation, encodeSkillAttestationFields, enumerateTools, exfilInstruction, fingerprintToolDefs, formatServerRef, formatSkillRef, gateDecision, gradeFromCategories, gradeSkillCategories, handleRunLitmus, handleRunSkillLitmus, handleVerifySkill, hasHighSeverity, instructionMimicry, internalsLeak, invisibleUnicode, isDockerAvailable, judgeFromEnv, judgeSkillQuality, litmusFields, litmusSchemaUID, liveFingerprint, loadSkill, markdownTricks, networkConfig, openAICompatJudge, overBroadTrigger, parseAuthFlags, parseServerRef, parseSkillRef, readAttestation, readSkillAttestation, resolveTarget, rpcUrl, runLitmus, runLitmusInputShape, runSkillLitmus, runSkillLitmusInputShape, runSkillQuality, runSkillQualityJudged, selectedNetwork, serverKey, skillAttestationFields, skillInjection, skillInjectionFails, skillKey, skillSchemaUID, stateChangingToolNames, stripExamples, verifySkillInputShape };
+export { type AttestationView, BUNDLE_SCHEMA_VERSION, type BundleInput, CATEGORY_META, CATEGORY_STATUS_UINT8, type CategoryCode, type CategoryResult, type CategoryStatus, type ConnectOptions, type ConnectedTarget, DEFAULT_PASSING, type EvidenceBundle, type Finding, type FindingKind, type FingerprintResult, type GateAction, type GateDecision, type Grade, type HarnessInfo, type Judge, type JudgeOptions, type JudgedQuality, LITMUS_SCHEMA, LITMUS_SKILL_SCHEMA, type ListToolsClient, type LitmusAttestationFields, type LitmusGrade, type RunLitmusOptions as LitmusOptions, type LoadedSkill, METHODOLOGY_VERSION, NETWORKS, type Network, type NetworkConfig, type OnchainLitmusAttestation, type OnchainSkillAttestation, type OpenAICompatConfig, type ParsedLitmusFlags, type ParsedServerRef, type ParsedSkillRef, type ProbeContext, type ProbeId, type ProbeResult, type ProbeStatus, type QualityBundle, type QualityCheck, type QualityCheckStatus, type QualityVerdict, RUN_LITMUS_TOOL_DESCRIPTION, RUN_LITMUS_TOOL_NAME, RUN_LITMUS_TOOL_TITLE, RUN_SKILL_LITMUS_TOOL_DESCRIPTION, RUN_SKILL_LITMUS_TOOL_NAME, RUN_SKILL_LITMUS_TOOL_TITLE, type Registry, type RunLitmusOptions, type RunSkillLitmusOptions, type RunSkillQualityOptions, SKILL_BUNDLE_SCHEMA_VERSION, SKILL_CATEGORY_META, SKILL_METHODOLOGY_VERSION, SKILL_QUALITY_VERSION, ServerRefParseError, type Severity, type SkillAttestationFields, type SkillCategoryCode, type SkillCategoryResult, type SkillEvidenceBundle, type SkillFile, type SkillGrade, type SkillGradeForAttestation, SkillLoadError, SkillRefParseError, type SkillSource, type StdioCommand, type TargetDescriptor, type TargetInput, type TargetKind, type ToolAnnotations, type ToolDef, type ToolSafety, VERIFY_SKILL_TOOL_DESCRIPTION, VERIFY_SKILL_TOOL_NAME, VERIFY_SKILL_TOOL_TITLE, assembleBundle, canaryMatch, canonicalStringify, classifyTool, connectTarget, dangerousCommand, decodeLitmusAttestation, decodeSkillAttestation, encodeLitmusAttestation, encodeSkillAttestation, encodeSkillAttestationFields, enumerateTools, exfilInstruction, fingerprintToolDefs, formatServerRef, formatSkillRef, gateDecision, gradeFromCategories, gradeSkillCategories, handleRunLitmus, handleRunSkillLitmus, handleVerifySkill, hasHighSeverity, instructionMimicry, internalsLeak, invisibleUnicode, isDockerAvailable, judgeFromEnv, judgeSkillQuality, litmusFields, litmusSchemaUID, liveFingerprint, loadSkill, markdownTricks, networkConfig, openAICompatJudge, overBroadTrigger, parseAuthFlags, parseServerRef, parseSkillRef, readAttestation, readSkillAttestation, resolveTarget, rpcUrl, runLitmus, runLitmusInputShape, runSkillLitmus, runSkillLitmusInputShape, runSkillQuality, runSkillQualityJudged, selectedNetwork, serverKey, skillAttestationFields, skillInjection, skillInjectionFails, skillKey, skillSchemaUID, stateChangingToolNames, stripExamples, unsafeToExerciseToolNames, verifySkillInputShape };

package/dist/index.js

@@ -31,11 +31,11 @@ import {
   skillAttestationFields,
   skillSchemaUID,
   verifySkillInputShape
-} from "./chunk-PTWDLGI5.js";
+} from "./chunk-ERMA3J2T.js";
 import {
   parseAuthFlags,
   resolveTarget
-} from "./chunk-TTGWSGPC.js";
+} from "./chunk-FFE6ZQPL.js";
 import {
   SKILL_BUNDLE_SCHEMA_VERSION,
   SKILL_CATEGORY_META,
@@ -70,8 +70,9 @@ import {
   skillInjection,
   skillInjectionFails,
   stateChangingToolNames,
-  stripExamples
-} from "./chunk-OGOFUBLN.js";
+  stripExamples,
+  unsafeToExerciseToolNames
+} from "./chunk-7HI2KPXH.js";
 import {
   BUNDLE_SCHEMA_VERSION,
   CATEGORY_META,
@@ -86,7 +87,7 @@ import {
   parseSkillRef,
   serverKey,
   skillKey
-} from "./chunk-CKQZFK77.js";
+} from "./chunk-IXX5YEBC.js";
 
 // ../agent/src/gate.ts
 function sameServer(a, b) {
@@ -216,5 +217,6 @@ export {
   skillSchemaUID,
   stateChangingToolNames,
   stripExamples,
+  unsafeToExerciseToolNames,
   verifySkillInputShape
 };

package/dist/mcp.js

@@ -20,12 +20,12 @@ import {
   runSkillLitmusInputShape,
   verifyInputShape,
   verifySkillInputShape
-} from "./chunk-PTWDLGI5.js";
-import "./chunk-TTGWSGPC.js";
+} from "./chunk-ERMA3J2T.js";
+import "./chunk-FFE6ZQPL.js";
 import {
   judgeFromEnv
-} from "./chunk-OGOFUBLN.js";
-import "./chunk-CKQZFK77.js";
+} from "./chunk-7HI2KPXH.js";
+import "./chunk-IXX5YEBC.js";
 
 // src/mcp.ts
 import { realpathSync } from "fs";

package/dist/{src-ZHTFCKNR.js → src-I63MJGJE.js}

@@ -32,9 +32,10 @@ import {
   skillInjection,
   skillInjectionFails,
   stateChangingToolNames,
-  stripExamples
-} from "./chunk-OGOFUBLN.js";
-import "./chunk-CKQZFK77.js";
+  stripExamples,
+  unsafeToExerciseToolNames
+} from "./chunk-7HI2KPXH.js";
+import "./chunk-IXX5YEBC.js";
 export {
   SKILL_BUNDLE_SCHEMA_VERSION,
   SKILL_CATEGORY_META,
@@ -69,5 +70,6 @@ export {
   skillInjection,
   skillInjectionFails,
   stateChangingToolNames,
-  stripExamples
+  stripExamples,
+  unsafeToExerciseToolNames
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@polygraphso/litmus",
-  "version": "0.12.1",
+  "version": "0.13.0",
   "mcpName": "io.github.polygraphso/litmus",
   "description": "Behavioral litmus harness for MCP servers — grade a server A–F (tool-output injection, egress, sensitive-data, adversarial-input) with reproducible, content-addressed evidence. Ships a CLI and an MCP server with a run_litmus tool for AI agents.",
   "license": "Apache-2.0",
@@ -67,8 +67,8 @@
     "@polygraph/probes": "0.0.0",
     "@polygraph/agent": "0.0.0",
     "@polygraph/onchain": "0.0.0",
-    "@polygraph/mcp": "0.0.0",
-    "@polygraph/cli": "0.0.0"
+    "@polygraph/cli": "0.0.0",
+    "@polygraph/mcp": "0.0.0"
   },
   "publishConfig": {
     "access": "public"

package/dist/chunk-TTGWSGPC.js

@@ -1,216 +0,0 @@
-import {
-  CATEGORY_META,
-  canonicalStringify
-} from "./chunk-CKQZFK77.js";
-
-// ../cli/src/litmus.ts
-import { existsSync } from "fs";
-import { createRequire } from "module";
-import * as path from "path";
-
-// ../cli/src/format.ts
-function formatBundle(b) {
-  const lines = [];
-  lines.push(`\u2192 ${b.methodologyVersion} \xB7 ${b.serverRef}`);
-  if (b.resolvedVersion) lines.push(`\u2192 version ${b.resolvedVersion}`);
-  if (b.selfReportedVersion) lines.push(`\u2192 self-reported ${b.selfReportedVersion} (unverified)`);
-  lines.push("\u2192 checks");
-  const labelWidth = Math.max(0, ...b.categories.map((c) => CATEGORY_META[c.code].label.length));
-  for (const c of b.categories) {
-    const { label, description } = CATEGORY_META[c.code];
-    lines.push(`    ${c.code}  ${label.padEnd(labelWidth)}  ${c.status}`);
-    lines.push(`          ${description}`);
-  }
-  const c01 = b.categories.find((c) => c.code === "C-01");
-  if (c01?.status === "fail") {
-    const highs = c01.probes.flatMap((p) => p.findings).filter((f) => f.severity === "high");
-    for (const f of highs.slice(0, 3)) {
-      lines.push(`   \u26A0 ${f.tool ?? "?"}: ${f.kind} \u2014 ${truncate(f.match, 64)}`);
-    }
-  }
-  lines.push(`\u2192 fingerprint ${shortFp(b.toolDefsFingerprint)}`);
-  lines.push(`\u2192 grade: ${b.grade}`);
-  lines.push(`   ${b.gradeRationale}`);
-  return lines.join("\n") + "\n";
-}
-function shortFp(fp) {
-  return fp.length > 14 ? `${fp.slice(0, 6)}\u2026${fp.slice(-4)}` : fp;
-}
-function truncate(s, n) {
-  return s.length > n ? `${s.slice(0, n)}\u2026` : s;
-}
-
-// ../cli/src/litmus.ts
-var DEFAULT_RUN_TIMEOUT_MS = 15 * 60 * 1e3;
-async function runLitmusCli(args) {
-  const json = args.includes("--json");
-  const { headers, allowStateChanging, unsafeHostExec, timeoutMs, positionals } = parseAuthFlags(args);
-  const target = positionals[0];
-  if (!target) {
-    process.stderr.write(
-      'usage: polygraphso litmus [--json] [--bearer <token>] [--header "Key: Value"] [--allow-state-changing] [--unsafe-host-exec] [--timeout <seconds>] <registry-ref | https-url | path-to-mcp>\n'
-    );
-    return 2;
-  }
-  const input = resolveTarget(target);
-  const isStdio = typeof input !== "string" || !/^https?:\/\//i.test(input);
-  const interactive = Boolean(process.stdin.isTTY && process.stdout.isTTY);
-  const probes = await import("./src-ZHTFCKNR.js");
-  const dockerAvailable = isStdio && interactive ? await probes.isDockerAvailable() : false;
-  const decision = checkHostExec(input, { optIn: unsafeHostExec, dockerAvailable, interactive });
-  if (decision.action === "refuse") {
-    process.stderr.write(`\u2192 litmus: ${decision.refuse}
-`);
-    return 2;
-  }
-  if (decision.action === "confirm" && !await promptYesNo(decision.prompt, decision.defaultYes)) {
-    process.stderr.write("\u2192 litmus: cancelled.\n");
-    return 2;
-  }
-  const isolation = decision.isolation;
-  if (decision.warn) process.stderr.write(`\u2192 ${decision.warn}
-`);
-  if (!json) process.stderr.write(`\u2192 running litmus against ${target} \u2026 (~20\u201360s)
-`);
-  const onProgress = (done, total, label) => {
-    if (!json) process.stderr.write(`  \u2192 [${done}/${total}] ${label}
-`);
-  };
-  try {
-    const bundle = await probes.runLitmus(input, {
-      headers,
-      allowStateChanging,
-      timeoutMs,
-      onProgress,
-      ...isolation ? { isolation } : {}
-    });
-    process.stdout.write(json ? canonicalStringify(bundle) + "\n" : formatBundle(bundle));
-    return bundle.grade === "D" || bundle.grade === "F" ? 1 : 0;
-  } catch (err) {
-    process.stderr.write(`\u2192 litmus failed: ${err instanceof Error ? err.message : String(err)}
-`);
-    return 1;
-  }
-}
-async function promptYesNo(prompt, defaultYes) {
-  const { createInterface } = await import("readline/promises");
-  const rl = createInterface({ input: process.stdin, output: process.stderr });
-  try {
-    return isAffirmative(await rl.question(prompt), defaultYes);
-  } finally {
-    rl.close();
-  }
-}
-function parseAuthFlags(args, env = process.env) {
-  const headers = {};
-  const headerArgs = [];
-  let allowStateChanging = false;
-  let unsafeHostExec = false;
-  let timeoutMs = DEFAULT_RUN_TIMEOUT_MS;
-  let bearer = env.LITMUS_BEARER || void 0;
-  const positionals = [];
-  for (let i = 0; i < args.length; i++) {
-    const a = args[i];
-    if (a === "--json") continue;
-    if (a === "--allow-state-changing") {
-      allowStateChanging = true;
-    } else if (a === "--unsafe-host-exec") {
-      unsafeHostExec = true;
-    } else if (a === "--timeout") {
-      timeoutMs = timeoutSecondsToMs(args[++i]) ?? timeoutMs;
-    } else if (a.startsWith("--timeout=")) {
-      timeoutMs = timeoutSecondsToMs(a.slice("--timeout=".length)) ?? timeoutMs;
-    } else if (a === "--bearer") {
-      bearer = args[++i] ?? bearer;
-    } else if (a.startsWith("--bearer=")) {
-      bearer = a.slice("--bearer=".length);
-    } else if (a === "--header") {
-      const v = args[++i];
-      if (v) headerArgs.push(v);
-    } else if (a.startsWith("--header=")) {
-      headerArgs.push(a.slice("--header=".length));
-    } else if (a.startsWith("--")) {
-    } else {
-      positionals.push(a);
-    }
-  }
-  if (bearer) headers["Authorization"] = `Bearer ${bearer}`;
-  for (const h of headerArgs) {
-    const idx = h.indexOf(":");
-    if (idx === -1) continue;
-    const key = h.slice(0, idx).trim();
-    const value = h.slice(idx + 1).trim();
-    if (key) headers[key] = value;
-  }
-  return { headers, allowStateChanging, unsafeHostExec, timeoutMs, positionals };
-}
-function timeoutSecondsToMs(v) {
-  if (!v) return void 0;
-  const sec = Number(v);
-  return Number.isFinite(sec) && sec > 0 ? Math.floor(sec * 1e3) : void 0;
-}
-function checkHostExec(input, gate) {
-  const { optIn, dockerAvailable, interactive, optInHint = "--unsafe-host-exec", env = process.env } = gate;
-  const isStdio = typeof input !== "string" || !/^https?:\/\//i.test(input);
-  if (!isStdio) return { action: "allow" };
-  if (env.LITMUS_STDIO_ISOLATION === "docker") return { action: "allow", isolation: "docker" };
-  const why = "this launches the target's own code; without Docker isolation it runs on THIS host";
-  const warn = `\u26A0 unsafe host execution \u2014 ${why}.`;
-  if (optIn) return { action: "allow", isolation: "none", warn };
-  if (interactive) {
-    if (dockerAvailable) {
-      return {
-        action: "confirm",
-        isolation: "docker",
-        defaultYes: true,
-        prompt: "Docker detected \u2014 the target will run sandboxed (recommended). Proceed? [Y/n] "
-      };
-    }
-    return {
-      action: "confirm",
-      isolation: "none",
-      defaultYes: false,
-      prompt: `No Docker found \u2014 this would run the target's own code on THIS host, unsandboxed.
-  Type "yes" to proceed, or set LITMUS_STDIO_ISOLATION=docker to sandbox: `,
-      warn
-    };
-  }
-  return {
-    action: "refuse",
-    refuse: `refusing host execution \u2014 ${why}.
-  \u2022 sandboxed (recommended): set LITMUS_STDIO_ISOLATION=docker (requires Docker)
-  \u2022 accept the risk: re-run with ${optInHint}`
-  };
-}
-function isAffirmative(answer, defaultYes) {
-  const a = answer.trim().toLowerCase();
-  if (a === "") return defaultYes;
-  return a === "y" || a === "yes";
-}
-function resolveTarget(target) {
-  if (/^https?:\/\//i.test(target)) return target;
-  if (existsSync(target)) {
-    const abs = path.resolve(target);
-    if (abs.endsWith(".ts") || abs.endsWith(".mts") || abs.endsWith(".cts")) {
-      return { command: process.execPath, args: [tsxCli(), abs], serverRef: target };
-    }
-    return { command: process.execPath, args: [abs], serverRef: target };
-  }
-  return target;
-}
-function tsxCli() {
-  const require2 = createRequire(import.meta.url);
-  const pkgJsonPath = require2.resolve("tsx/package.json");
-  const dir = path.dirname(pkgJsonPath);
-  const bin = require2(pkgJsonPath).bin;
-  const rel = typeof bin === "string" ? bin : bin.tsx ?? "./dist/cli.mjs";
-  return path.join(dir, rel);
-}
-
-export {
-  DEFAULT_RUN_TIMEOUT_MS,
-  runLitmusCli,
-  parseAuthFlags,
-  checkHostExec,
-  resolveTarget
-};