@polygraphso/litmus 0.2.0 → 0.3.0

package/README.md

@@ -5,9 +5,8 @@ The behavioral **litmus** harness for MCP servers, from [polygraph.so](https://p
 It connects to an MCP server the way an agent would, fingerprints its exact tool
 surface, and runs three probe categories — **C-01** tool-output injection, **C-02**
 permission/egress (in a hardened default-deny Docker sandbox), **C-03**
-sensitive-data handling (planted canaries) — then grades the server **A–F**. With
-an API URL configured it pins a deterministic evidence bundle and hands off to a
-browser flow where you sign an onchain EAS attestation on Base.
+sensitive-data handling (planted canaries) — then grades the server **A–F** and
+produces a deterministic, content-addressed evidence bundle.
 
 A passing grade is a measurement, not a guarantee. The methodology and its
 disclosed limits live at [polygraph.so](https://polygraph.so).
@@ -29,7 +28,6 @@ and the grade is capped at **B** for that run.
 ```bash
 polygraphso-litmus litmus <registry-ref | https-url | path-to-mcp>   # grade a server
 polygraphso-litmus litmus --json <ref>                              # machine-readable evidence bundle
-polygraphso-litmus challenge <attestation-uid> <ref>                # re-run to dispute a published grade
 polygraphso-litmus check <ref>                                      # look up a published grade
 ```
 
@@ -41,7 +39,9 @@ polygraphso-litmus litmus https://example.com/mcp
 ```
 
 The `litmus` command exits non-zero on a failing grade (D/F), so it scripts in CI.
-Set `POLYGRAPH_API_URL` to pin the evidence bundle and print a mint hand-off link.
+
+To dispute a published grade, just re-run `litmus` against the same server: the harness is
+open and deterministic, so a re-run reproduces the grade — or refutes it.
 
 ## Use it from an AI agent (MCP server)
 
@@ -49,13 +49,13 @@ The package ships a stdio MCP server, `polygraphso-litmus-mcp`, so it works in a
 MCP-capable client. It exposes two tools:
 
 - **`run_litmus`** — actively grade a server *now* (runs the harness end-to-end),
-  and return the grade, the evidence, and a mint hand-off URL.
+  and return the grade and the evidence.
 - **`verify_attestation`** — passively read a server's *already-published* grade
   before trusting or paying it.
 
 **Prerequisites:** Node ≥ 18. Docker is optional (without it, C-02 egress is
-skipped and the grade caps at B). Set `POLYGRAPH_API_URL=https://polygraph.so` to
-enable the pin + mint hand-off.
+skipped and the grade caps at B). Set `POLYGRAPH_API_URL=https://polygraph.so` so
+`verify_attestation` can resolve a server's published grade.
 
 Add the server once, then just talk to your agent.
 
@@ -90,15 +90,12 @@ claude mcp add polygraph-litmus -e POLYGRAPH_API_URL=https://polygraph.so \
 > Run polygraph against `npm/@modelcontextprotocol/server-filesystem` and tell me the grade.
 
 The agent calls **`run_litmus`**, which launches that server in the harness, runs
-C-01/C-02/C-03, and returns the **grade (A–F)**, the per-category results, the
-tool-surface fingerprint, and — when `POLYGRAPH_API_URL` is set — a **`mint` URL**.
-Open that URL in a browser, connect your wallet, and sign to publish the grade
-onchain as an EAS attestation. Signing is intentionally **not** headless: the agent
-does the work, you approve the mint. Use **`verify_attestation`** instead to read a
-grade that's already published.
+C-01/C-02/C-03, and returns the **grade (A–F)**, the per-category results, and the
+tool-surface fingerprint. Use **`verify_attestation`** instead to read a grade
+that's already published.
 
 `run_litmus` launches the target server's code to exercise it (egress-sandboxed
-when Docker is present). It needs no wallet or RPC; only minting does.
+when Docker is present). It needs no wallet or RPC.
 
 ## Library
 

package/dist/{chunk-6QM4RK25.js → chunk-BIALP22F.js}

@@ -33,39 +33,6 @@ function truncate(s, n) {
   return s.length > n ? `${s.slice(0, n)}\u2026` : s;
 }
 
-// ../cli/src/api.ts
-var DEFAULT_BASE = "https://polygraph.so";
-function apiBaseUrl() {
-  const override = process.env.POLYGRAPH_API_URL;
-  if (!override || override.length === 0) return DEFAULT_BASE;
-  const trimmed = override.replace(/\/+$/, "");
-  let u;
-  try {
-    u = new URL(trimmed);
-  } catch {
-    throw new Error(`POLYGRAPH_API_URL is not a valid URL: ${override}`);
-  }
-  const isLoopback = u.hostname === "localhost" || u.hostname === "127.0.0.1" || u.hostname === "::1";
-  if (u.protocol !== "https:" && !(u.protocol === "http:" && isLoopback)) {
-    throw new Error(`POLYGRAPH_API_URL must use https (http allowed only for localhost): ${override}`);
-  }
-  return trimmed;
-}
-function pinUrl() {
-  return `${apiBaseUrl()}/api/pin`;
-}
-function attestationsUrl() {
-  return `${apiBaseUrl()}/api/attestations`;
-}
-function mintUrl(params) {
-  const u = new URL(`${apiBaseUrl()}/mint`);
-  u.searchParams.set("cid", params.cid);
-  u.searchParams.set("ref", params.ref);
-  u.searchParams.set("fp", params.fp);
-  if (params.ver) u.searchParams.set("ver", params.ver);
-  return u.toString();
-}
-
 // ../cli/src/litmus.ts
 async function runLitmusCli(args) {
   const json = args.includes("--json");
@@ -82,7 +49,6 @@ async function runLitmusCli(args) {
   try {
     const bundle = await runLitmus(input, { headers, allowStateChanging });
     process.stdout.write(json ? canonicalStringify(bundle) + "\n" : formatBundle(bundle));
-    await maybePin(bundle, json);
     return bundle.grade === "D" || bundle.grade === "F" ? 1 : 0;
   } catch (err) {
     process.stderr.write(`\u2192 litmus failed: ${err instanceof Error ? err.message : String(err)}
@@ -144,37 +110,9 @@ function tsxCli() {
   const rel = typeof bin === "string" ? bin : bin.tsx ?? "./dist/cli.mjs";
   return path.join(dir, rel);
 }
-async function maybePin(bundle, json = false) {
-  if (!process.env.POLYGRAPH_API_URL) return;
-  const note = (line) => (json ? process.stderr : process.stdout).write(line);
-  try {
-    const cid = await pinBundle(bundle);
-    note(`\u2192 pinned ${cid}
-`);
-    note(`\u2192 mint ${mintUrl({ cid, ref: bundle.serverRef, fp: bundle.toolDefsFingerprint, ver: bundle.resolvedVersion })}
-`);
-  } catch (err) {
-    note(`\u2192 pin skipped: ${err instanceof Error ? err.message : String(err)}
-`);
-  }
-}
-async function pinBundle(bundle) {
-  const res = await fetch(pinUrl(), {
-    method: "POST",
-    headers: { "content-type": "application/json" },
-    body: canonicalStringify(bundle)
-  });
-  if (!res.ok) throw new Error(`pin endpoint returned ${res.status}`);
-  const data = await res.json();
-  if (!data.cid) throw new Error("pin response missing cid");
-  return data.cid;
-}
 
 export {
-  attestationsUrl,
-  mintUrl,
   runLitmusCli,
   parseAuthFlags,
-  resolveTarget,
-  pinBundle
+  resolveTarget
 };

package/dist/{chunk-MQC54LFV.js → chunk-JK3UGN2G.js}

@@ -1,8 +1,6 @@
 import {
-  mintUrl,
-  pinBundle,
   resolveTarget
-} from "./chunk-6QM4RK25.js";
+} from "./chunk-BIALP22F.js";
 import {
   runLitmus
 } from "./chunk-2K6T4FZX.js";
@@ -137,44 +135,23 @@ var RUN_LITMUS_TOOL_DESCRIPTION = [
   "for egress when Docker is available). It is not a passive lookup \u2014 for that,",
   "use `verify_attestation`. It needs no wallet or RPC.",
   "",
-  "When POLYGRAPH_API_URL is configured the evidence is pinned and the result",
-  "includes a `mint` URL: open it in a browser, connect a wallet, and sign to",
-  "publish the grade onchain as an EAS attestation. Signing is intentionally not",
-  "headless.",
-  "",
   "Input: server_ref \u2014 a registry ref (npm/@scope/server), an https:// MCP URL,",
   "or a local path to an MCP entry file. If Docker is unavailable, C-02 is",
   "skipped and the grade is capped at B for that run."
 ].join("\n");
 var runLitmusInputShape = {
-  server_ref: z.string().min(1).max(512).describe("What to grade: a registry ref (npm/@scope/server), an https:// MCP URL, or a local path to an MCP entry file."),
-  pin: z.boolean().optional().describe("When true (default) and POLYGRAPH_API_URL is set, pin the evidence and return a mint hand-off URL. Set false to grade only.")
+  server_ref: z.string().min(1).max(512).describe("What to grade: a registry ref (npm/@scope/server), an https:// MCP URL, or a local path to an MCP entry file.")
 };
-async function handleRunLitmus({ server_ref, pin }) {
+async function handleRunLitmus({ server_ref }) {
   try {
     const bundle = await runLitmus(resolveTarget(server_ref));
-    const payload = { ...summarize(bundle), mint: await mintHandoff(bundle, pin) };
+    const payload = summarize(bundle);
     return { content: [{ type: "text", text: JSON.stringify(payload, null, 2) }] };
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
     return { isError: true, content: [{ type: "text", text: `run_litmus failed: ${message}` }] };
   }
 }
-async function mintHandoff(bundle, pin) {
-  if (pin === false || !process.env.POLYGRAPH_API_URL) {
-    return { available: false, reason: "Set POLYGRAPH_API_URL to pin the evidence and get a mint hand-off URL." };
-  }
-  try {
-    const cid = await pinBundle(bundle);
-    return {
-      url: mintUrl({ cid, ref: bundle.serverRef, fp: bundle.toolDefsFingerprint, ver: bundle.resolvedVersion }),
-      cid,
-      instruction: "Open this URL in a browser, connect your wallet, and sign to mint the onchain EAS attestation. Signing cannot be done headlessly."
-    };
-  } catch (err) {
-    return { available: false, reason: `pin failed: ${err instanceof Error ? err.message : String(err)}` };
-  }
-}
 function summarize(b) {
   const find = (code) => b.categories.find((c) => c.code === code);
   const categories = ["C-01", "C-02", "C-03"].map((code) => {

package/dist/cli.js

@@ -1,8 +1,7 @@
 #!/usr/bin/env node
 import {
-  attestationsUrl,
   runLitmusCli
-} from "./chunk-6QM4RK25.js";
+} from "./chunk-BIALP22F.js";
 import {
   parseServerRef,
   serverKey
@@ -13,6 +12,28 @@ import { readFileSync } from "fs";
 import { fileURLToPath } from "url";
 import { dirname, join } from "path";
 
+// ../cli/src/api.ts
+var DEFAULT_BASE = "https://polygraph.so";
+function apiBaseUrl() {
+  const override = process.env.POLYGRAPH_API_URL;
+  if (!override || override.length === 0) return DEFAULT_BASE;
+  const trimmed = override.replace(/\/+$/, "");
+  let u;
+  try {
+    u = new URL(trimmed);
+  } catch {
+    throw new Error(`POLYGRAPH_API_URL is not a valid URL: ${override}`);
+  }
+  const isLoopback = u.hostname === "localhost" || u.hostname === "127.0.0.1" || u.hostname === "::1";
+  if (u.protocol !== "https:" && !(u.protocol === "http:" && isLoopback)) {
+    throw new Error(`POLYGRAPH_API_URL must use https (http allowed only for localhost): ${override}`);
+  }
+  return trimmed;
+}
+function attestationsUrl() {
+  return `${apiBaseUrl()}/api/attestations`;
+}
+
 // ../cli/src/check.ts
 function checkQuery(rawRef) {
   try {

package/dist/index.d.ts

@@ -196,7 +196,7 @@ interface ConnectOptions {
     httpHeaders?: Record<string, string>;
     /**
      * stdio execution mode. "none" (default) launches the target on the host;
-     * "docker" runs an npm target ONLY inside the hardened container (§2.6) and
+     * "docker" runs an npm target ONLY inside the hardened container and
      * throws IsolationUnsupportedError for any other stdio kind. http targets are
      * unaffected (isolation is stdio-only).
      */
@@ -527,13 +527,12 @@ declare function liveFingerprint(target: TargetInput): Promise<LiveTarget>;
 
 /**
  * `run_litmus` — run the open behavioral harness end-to-end against an MCP
- * server and return the grade, the evidence, and (when an API URL is set) a mint
- * hand-off URL. Brand-voiced: plain, exact, no overclaim.
+ * server and return the grade and the evidence. Brand-voiced: plain, exact, no
+ * overclaim.
  *
  * Unlike `verify_attestation` (a passive onchain read), this tool LAUNCHES the
  * target server's code to exercise it — sandboxed for egress when Docker is
- * present. It needs no wallet or RPC; only minting (which the human does in a
- * browser via the returned URL) requires a wallet.
+ * present. It needs no wallet or RPC.
  */
 
 declare const RUN_LITMUS_TOOL_NAME = "run_litmus";
@@ -541,11 +540,9 @@ declare const RUN_LITMUS_TOOL_TITLE = "Run a behavioral litmus on an MCP server"
 declare const RUN_LITMUS_TOOL_DESCRIPTION: string;
 declare const runLitmusInputShape: {
     server_ref: z.ZodString;
-    pin: z.ZodOptional<z.ZodBoolean>;
 };
-declare function handleRunLitmus({ server_ref, pin }: {
+declare function handleRunLitmus({ server_ref }: {
     server_ref: string;
-    pin?: boolean;
 }): Promise<{
     content: {
         type: "text";
@@ -565,7 +562,6 @@ declare function handleRunLitmus({ server_ref, pin }: {
  * harness locally and print the grade. The heavy harness (`@polygraph/probes`)
  * is loaded lazily so the zero-dep `check`/`list` fast path stays intact.
  */
-
 type StdioCommand = {
     command: string;
     args: string[];

package/dist/index.js

@@ -14,11 +14,11 @@ import {
   rpcUrl,
   runLitmusInputShape,
   selectedNetwork
-} from "./chunk-MQC54LFV.js";
+} from "./chunk-JK3UGN2G.js";
 import {
   parseAuthFlags,
   resolveTarget
-} from "./chunk-6QM4RK25.js";
+} from "./chunk-BIALP22F.js";
 import {
   assembleBundle,
   canaryMatch,

package/dist/mcp.js

@@ -7,8 +7,8 @@ import {
   readAttestation,
   runLitmusInputShape,
   selectedNetwork
-} from "./chunk-MQC54LFV.js";
-import "./chunk-6QM4RK25.js";
+} from "./chunk-JK3UGN2G.js";
+import "./chunk-BIALP22F.js";
 import "./chunk-2K6T4FZX.js";
 import {
   parseServerRef,
@@ -17,14 +17,12 @@ import {
 
 // src/mcp.ts
 import { realpathSync } from "fs";
-import { fileURLToPath as fileURLToPath2 } from "url";
+import { fileURLToPath } from "url";
 import { McpServer as McpServer2 } from "@modelcontextprotocol/sdk/server/mcp.js";
-import { StdioServerTransport as StdioServerTransport2 } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 
 // ../mcp/src/index.ts
-import { fileURLToPath } from "url";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
-import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 
 // ../mcp/src/tools/verify-attestation.ts
 import { z } from "zod";
@@ -100,58 +98,8 @@ async function resolveUid(serverRef) {
   }
 }
 
-// ../mcp/src/index.ts
-function buildServer() {
-  const server = new McpServer(
-    { name: "polygraph", version: "0.0.0" },
-    {
-      instructions: [
-        "polygraph issues behavioral litmus grades for MCP servers, published",
-        "onchain. Use `verify_attestation` to read a server's grade before",
-        "recommending, installing, or paying it. A server with no attestation is",
-        "unevaluated \u2014 neither safe nor unsafe; say so."
-      ].join("\n")
-    }
-  );
-  server.registerTool(
-    VERIFY_TOOL_NAME,
-    {
-      title: VERIFY_TOOL_TITLE,
-      description: VERIFY_TOOL_DESCRIPTION,
-      inputSchema: verifyInputShape,
-      annotations: {
-        title: VERIFY_TOOL_TITLE,
-        readOnlyHint: true,
-        destructiveHint: false,
-        idempotentHint: true,
-        openWorldHint: true
-      }
-    },
-    handleVerify
-  );
-  return server;
-}
-async function main() {
-  const server = buildServer();
-  await server.connect(new StdioServerTransport());
-}
-var invokedDirectly = (() => {
-  try {
-    return process.argv[1] === fileURLToPath(import.meta.url);
-  } catch {
-    return false;
-  }
-})();
-if (invokedDirectly) {
-  main().catch((err) => {
-    process.stderr.write(`polygraph-mcp: fatal: ${err instanceof Error ? err.message : String(err)}
-`);
-    process.exit(1);
-  });
-}
-
 // src/mcp.ts
-function buildServer2() {
+function buildServer() {
   const server = new McpServer2(
     { name: "polygraph-litmus", version: "0.1.0" },
     {
@@ -208,23 +156,23 @@ function buildServer2() {
   );
   return server;
 }
-async function main2() {
-  await buildServer2().connect(new StdioServerTransport2());
+async function main() {
+  await buildServer().connect(new StdioServerTransport());
 }
-var invokedDirectly2 = (() => {
+var invokedDirectly = (() => {
   try {
-    return realpathSync(process.argv[1] ?? "") === fileURLToPath2(import.meta.url);
+    return realpathSync(process.argv[1] ?? "") === fileURLToPath(import.meta.url);
   } catch {
     return false;
   }
 })();
-if (invokedDirectly2) {
-  main2().catch((err) => {
+if (invokedDirectly) {
+  main().catch((err) => {
     process.stderr.write(`polygraphso-litmus-mcp: fatal: ${err instanceof Error ? err.message : String(err)}
 `);
     process.exit(1);
   });
 }
 export {
-  buildServer2 as buildServer
+  buildServer
 };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@polygraphso/litmus",
-  "version": "0.2.0",
-  "description": "Behavioral litmus harness for MCP servers — grade a server A–F (tool-output injection, egress, sensitive-data), then hand off to mint an onchain attestation. Ships a CLI and an MCP server with a run_litmus tool for AI agents.",
+  "version": "0.3.0",
+  "description": "Behavioral litmus harness for MCP servers — grade a server A–F (tool-output injection, egress, sensitive-data) with reproducible, content-addressed evidence. Ships a CLI and an MCP server with a run_litmus tool for AI agents.",
   "license": "Apache-2.0",
   "homepage": "https://polygraph.so",
   "repository": {
@@ -58,8 +58,8 @@
     "typescript": "^5.9.3",
     "vitest": "^2.1.0",
     "@polygraph/core": "0.0.0",
-    "@polygraph/probes": "0.0.0",
     "@polygraph/onchain": "0.0.0",
+    "@polygraph/probes": "0.0.0",
     "@polygraph/agent": "0.0.0",
     "@polygraph/mcp": "0.0.0",
     "@polygraph/cli": "0.0.0"