@polygraphso/litmus 0.2.0

package/dist/chunk-2K6T4FZX.js

@@ -0,0 +1,1458 @@
+import {
+  BUNDLE_SCHEMA_VERSION,
+  METHODOLOGY_VERSION,
+  parseServerRef,
+  serverKey
+} from "./chunk-SAZKXB35.js";
+
+// ../probes/src/harness.ts
+import { execFile as execFile2 } from "child_process";
+
+// ../probes/src/connect/index.ts
+import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import {
+  StdioClientTransport,
+  getDefaultEnvironment
+} from "@modelcontextprotocol/sdk/client/stdio.js";
+import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
+
+// ../probes/src/connect/auth-fetch.ts
+function sameOriginAuthFetch(target, authHeaders) {
+  const targetOrigin = new URL(target).origin;
+  const authKeys = Object.keys(authHeaders).map((k) => k.toLowerCase());
+  return (url, init) => {
+    const reqOrigin = new URL(typeof url === "string" ? url : url.toString()).origin;
+    if (reqOrigin === targetOrigin) return fetch(url, init);
+    const headers = new Headers(init?.headers);
+    for (const k of authKeys) headers.delete(k);
+    return fetch(url, { ...init, headers });
+  };
+}
+
+// ../probes/src/connect/ssrf-guard.ts
+import { lookup } from "dns/promises";
+import { isIP } from "net";
+var UnsafeTargetUrlError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "UnsafeTargetUrlError";
+  }
+};
+function allowPrivate() {
+  return process.env.POLYGRAPH_ALLOW_PRIVATE_TARGETS === "1";
+}
+function ipv4Octets(ip) {
+  const parts = ip.split(".");
+  if (parts.length !== 4) return null;
+  const octets = parts.map((p) => /^\d{1,3}$/.test(p) ? Number(p) : NaN);
+  return octets.every((n) => Number.isInteger(n) && n >= 0 && n <= 255) ? octets : null;
+}
+function isPrivateIPv4(ip) {
+  const o = ipv4Octets(ip);
+  if (!o) return false;
+  const [a, b] = o;
+  if (a === 0) return true;
+  if (a === 10) return true;
+  if (a === 127) return true;
+  if (a === 169 && b === 254) return true;
+  if (a === 172 && b >= 16 && b <= 31) return true;
+  if (a === 192 && b === 168) return true;
+  if (a === 100 && b >= 64 && b <= 127) return true;
+  if (a === 192 && b === 0 && o[2] === 0) return true;
+  if (a === 192 && b === 0 && o[2] === 2) return true;
+  if (a === 198 && (b === 18 || b === 19)) return true;
+  if (a >= 224) return true;
+  return false;
+}
+function isPrivateIPv6(ip) {
+  const addr = ip.toLowerCase().split("%")[0];
+  if (addr === "::1" || addr === "::") return true;
+  const mapped = addr.match(/(?:^|:)((?:\d{1,3}\.){3}\d{1,3})$/);
+  if (mapped && isPrivateIPv4(mapped[1])) return true;
+  if (addr.startsWith("fe8") || addr.startsWith("fe9") || addr.startsWith("fea") || addr.startsWith("feb"))
+    return true;
+  if (addr.startsWith("fc") || addr.startsWith("fd")) return true;
+  if (addr.startsWith("ff")) return true;
+  if (addr.startsWith("2001:db8")) return true;
+  return false;
+}
+function isPrivateAddress(ip) {
+  const v = isIP(ip);
+  if (v === 4) return isPrivateIPv4(ip);
+  if (v === 6) return isPrivateIPv6(ip);
+  return false;
+}
+async function assertPublicHttpUrl(raw) {
+  let url;
+  try {
+    url = new URL(raw);
+  } catch {
+    throw new UnsafeTargetUrlError(`invalid target URL: ${raw}`);
+  }
+  if (url.protocol !== "https:" && url.protocol !== "http:") {
+    throw new UnsafeTargetUrlError(`unsupported scheme "${url.protocol}" \u2014 only http(s) MCP targets are allowed`);
+  }
+  const host = url.hostname.replace(/^\[|\]$/g, "");
+  const addresses = [];
+  if (isIP(host)) {
+    addresses.push(host);
+  } else {
+    try {
+      const records = await lookup(host, { all: true });
+      addresses.push(...records.map((r) => r.address));
+    } catch {
+      throw new UnsafeTargetUrlError(`could not resolve target host: ${host}`);
+    }
+  }
+  if (addresses.length === 0) {
+    throw new UnsafeTargetUrlError(`target host did not resolve: ${host}`);
+  }
+  const privateHit = addresses.find((a) => isPrivateAddress(a));
+  if (privateHit && !allowPrivate()) {
+    throw new UnsafeTargetUrlError(
+      `target ${host} resolves to a private/reserved address (${privateHit}); refusing (set POLYGRAPH_ALLOW_PRIVATE_TARGETS=1 for local dev)`
+    );
+  }
+  if (url.protocol === "http:" && !addresses.every((a) => isPrivateAddress(a)) && !allowPrivate()) {
+    throw new UnsafeTargetUrlError(`plaintext http to a public host is not allowed: ${host} (use https)`);
+  }
+}
+
+// ../probes/src/connect/container.ts
+import { randomUUID as randomUUID2 } from "crypto";
+
+// ../probes/src/docker/staging.ts
+import { execFile } from "child_process";
+import { randomUUID } from "crypto";
+import { fileURLToPath } from "url";
+import { existsSync } from "fs";
+import * as path from "path";
+var IMAGE_TAG = "polygraph-egress-sniff:latest";
+var LABEL_KEY = "polygraph-litmus-run";
+var DOCKER_DIR = resolveDockerDir();
+function resolveDockerDir() {
+  const candidates = ["../../docker", "./docker", "../docker"];
+  for (const rel of candidates) {
+    const dir = fileURLToPath(new URL(rel, import.meta.url));
+    if (existsSync(path.join(dir, "egress-sniff.Dockerfile"))) return dir;
+  }
+  return fileURLToPath(new URL("../../docker", import.meta.url));
+}
+var RESOLVER_SCRIPT = `const p=require("path");const d="/stage/node_modules/"+process.argv[1];let j;try{j=require(d+'/package.json')}catch{}let entry=null;if(j){const b=j.bin;const r=typeof b==="string"?b:(b&&Object.values(b)[0]);if(r)entry=p.join(d,r);}const version=j&&j.version?j.version:null;process.stdout.write(JSON.stringify({entry,version}));`;
+function labelFlags(runLabel) {
+  return runLabel ? ["--label", `${LABEL_KEY}=${runLabel}`] : [];
+}
+function volumeCreateArgs(vol, runLabel) {
+  return ["volume", "create", ...labelFlags(runLabel), vol];
+}
+function stageInstallArgs(vol, image, spec, runLabel, runtime) {
+  return [
+    "run",
+    "--rm",
+    "-v",
+    `${vol}:/stage`,
+    ...labelFlags(runLabel),
+    // gVisor parity: this container fetches + extracts the attacker's package and
+    // its full dependency tree (network on, as root), so it must run under the same
+    // runtime as the sandboxed run, not the default runc.
+    ...runtime ? ["--runtime", runtime] : [],
+    "--cap-drop=ALL",
+    "--security-opt",
+    "no-new-privileges",
+    "--pids-limit",
+    "256",
+    "--memory",
+    "1g",
+    "--entrypoint",
+    "npm",
+    image,
+    // `--` ends npm option parsing so a spec can never be read as a flag
+    // (defence-in-depth; parseServerRef already rejects "-"-leading segments).
+    "install",
+    "--prefix",
+    "/stage",
+    "--ignore-scripts",
+    "--no-audit",
+    "--no-fund",
+    "--loglevel",
+    "error",
+    "--",
+    spec
+  ];
+}
+function resolverRunArgs(vol, image, pkgName, runLabel, runtime) {
+  return [
+    "run",
+    "--rm",
+    "-v",
+    `${vol}:/stage`,
+    "--user",
+    "node",
+    "--network",
+    "none",
+    ...labelFlags(runLabel),
+    // gVisor parity: reads the attacker-controlled package.json — same runtime as the run step.
+    ...runtime ? ["--runtime", runtime] : [],
+    "--cap-drop=ALL",
+    "--security-opt",
+    "no-new-privileges",
+    "--pids-limit",
+    "256",
+    "--memory",
+    "512m",
+    "--entrypoint",
+    "node",
+    image,
+    "-e",
+    RESOLVER_SCRIPT,
+    pkgName
+  ];
+}
+function parseResolverOutput(output) {
+  try {
+    const rec = JSON.parse(output);
+    return {
+      entry: typeof rec.entry === "string" ? rec.entry : null,
+      version: typeof rec.version === "string" ? rec.version : null
+    };
+  } catch {
+    return { entry: null, version: null };
+  }
+}
+function buildImageArgs(pull) {
+  return [
+    "build",
+    ...pull ? ["--pull"] : [],
+    "-t",
+    IMAGE_TAG,
+    "-f",
+    path.join(DOCKER_DIR, "egress-sniff.Dockerfile"),
+    DOCKER_DIR
+  ];
+}
+async function ensureImage(dockerFn = docker) {
+  if (process.env.LITMUS_DOCKER_BUILD_PULL === "0") {
+    await dockerFn(buildImageArgs(false), 18e4);
+    return;
+  }
+  try {
+    await dockerFn(buildImageArgs(true), 18e4);
+  } catch {
+    process.stderr.write("docker build --pull failed; retrying with cached base image\n");
+    await dockerFn(buildImageArgs(false), 18e4);
+  }
+}
+async function stageInto(vol, image, spec, pkgName, opts) {
+  const cleanup = () => docker(["volume", "rm", "-f", vol]).then(() => {
+  }).catch(() => {
+  });
+  const runtime = opts.runtime ?? process.env.LITMUS_DOCKER_RUNTIME;
+  try {
+    await docker(stageInstallArgs(vol, image, spec, opts.runLabel, runtime), 18e4);
+    const resolved = parseResolverOutput((await docker(resolverRunArgs(vol, image, pkgName, opts.runLabel, runtime))).trim());
+    if (!resolved.entry) {
+      await cleanup();
+      throw new Error(
+        `target package ${pkgName} exposes no launchable bin under the sandbox policy (install scripts are skipped)`
+      );
+    }
+    return { volume: vol, entry: resolved.entry, resolvedVersion: resolved.version, cleanup };
+  } catch (err) {
+    await cleanup();
+    throw err;
+  }
+}
+async function stageNpmPackage(pkgSpec, opts = {}) {
+  const vol = `pg-stage-${randomUUID().slice(0, 8)}`;
+  await docker(volumeCreateArgs(vol, opts.runLabel));
+  const at = pkgSpec.lastIndexOf("@");
+  const pkgName = at > 0 ? pkgSpec.slice(0, at) : pkgSpec;
+  return stageInto(vol, IMAGE_TAG, pkgSpec, pkgName, opts);
+}
+function docker(args, timeoutMs = 9e4) {
+  return new Promise((resolve, reject) => {
+    execFile("docker", args, { timeout: timeoutMs, maxBuffer: 8 * 1024 * 1024 }, (err, stdout, stderr) => {
+      if (err) reject(new Error(`docker ${args[0]} failed: ${stderr || err.message}`));
+      else resolve(stdout);
+    });
+  });
+}
+
+// ../probes/src/connect/container.ts
+var IMAGE_TAG2 = "polygraph-egress-sniff:latest";
+var IsolationUnsupportedError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "IsolationUnsupportedError";
+  }
+};
+function assertSafeToken(value, what) {
+  if (/\s/.test(value)) throw new Error(`${what} must not contain whitespace: ${JSON.stringify(value)}`);
+  if (value.startsWith("-")) throw new Error(`${what} must not start with "-": ${JSON.stringify(value)}`);
+  if (value.length === 0) throw new Error(`${what} must not be empty`);
+}
+function containerLaunch(opts) {
+  assertSafeToken(opts.stageVolume, "stage volume");
+  assertSafeToken(opts.seedVolume, "seed volume");
+  assertSafeToken(opts.entry, "entry");
+  const envFlags = Object.entries(opts.canaryEnv).flatMap(([k, v]) => ["-e", `${k}=${v}`]);
+  const runtimeFlags = opts.runtime ? ["--runtime", opts.runtime] : [];
+  const args = [
+    "run",
+    "-i",
+    "--rm",
+    "--network",
+    "none",
+    "--user",
+    "node",
+    "--read-only",
+    "-v",
+    `${opts.stageVolume}:/stage:ro`,
+    "-v",
+    `${opts.seedVolume}:/work:ro`,
+    "-w",
+    "/work",
+    "--tmpfs",
+    "/tmp:rw,size=64m,mode=1777",
+    "--cap-drop=ALL",
+    "--security-opt",
+    "no-new-privileges",
+    "--pids-limit",
+    "256",
+    "--memory",
+    "512m",
+    "--cpus",
+    "1",
+    "--sysctl",
+    "net.ipv6.conf.all.disable_ipv6=1",
+    "--sysctl",
+    "net.ipv6.conf.default.disable_ipv6=1",
+    ...labelFlags(opts.runLabel),
+    ...envFlags,
+    ...runtimeFlags,
+    "--entrypoint",
+    "node",
+    IMAGE_TAG2,
+    opts.entry
+  ];
+  return { command: "docker", args };
+}
+function recordedContainerCommand(command, args, vols) {
+  const out = [command];
+  for (let i = 0; i < args.length; i += 1) {
+    if (args[i] === "-e") {
+      i += 1;
+      continue;
+    }
+    out.push(stabilizeToken(args[i], vols));
+  }
+  return out.join(" ");
+}
+function stabilizeToken(token, vols) {
+  return token.replace(vols.stageVolume, "<stage>").replace(vols.seedVolume, "<seed>");
+}
+async function prepareSeedVolume(seedDir, opts = {}) {
+  const vol = `pg-seed-${randomUUID2().slice(0, 8)}`;
+  const cleanup = () => docker(["volume", "rm", "-f", vol]).then(() => {
+  }).catch(() => {
+  });
+  await docker(["volume", "create", ...labelFlags(opts.runLabel), vol]);
+  const helper = `pg-seedcp-${randomUUID2().slice(0, 8)}`;
+  try {
+    try {
+      await docker([
+        "container",
+        "create",
+        "--name",
+        helper,
+        ...labelFlags(opts.runLabel),
+        "--entrypoint",
+        "true",
+        "-v",
+        `${vol}:/work`,
+        IMAGE_TAG2
+      ]);
+      await docker(["cp", `${seedDir}/.`, `${helper}:/work`]);
+    } finally {
+      await docker(["rm", "-f", helper]).catch(() => {
+      });
+    }
+  } catch (err) {
+    await cleanup();
+    throw err;
+  }
+  return { volume: vol, cleanup };
+}
+
+// ../probes/src/connect/version.ts
+function isConcreteVersion(v) {
+  return /^\d+\.\d+\.\d+/.test(v);
+}
+function resolveStagedVersion(requested, staged) {
+  if (requested !== null && staged !== null && isConcreteVersion(requested) && staged !== requested) {
+    throw new Error(
+      `requested version ${requested} but the staged package resolved to ${staged}`
+    );
+  }
+  return staged;
+}
+
+// ../probes/src/connect/index.ts
+import { randomUUID as randomUUID3 } from "crypto";
+var CLIENT_INFO = { name: "polygraph-litmus", version: "0.0.0" };
+async function connectTarget(input, opts = {}) {
+  const isolated = opts.isolation === "docker";
+  let kind;
+  let descriptor;
+  let serverRef;
+  let resolvedVersion = null;
+  let transport;
+  const teardownExtra = [];
+  if (typeof input !== "string") {
+    if (isolated) {
+      throw new IsolationUnsupportedError(
+        "docker isolation is unsupported for an explicit stdio command \u2014 only an npm ref can be containerized"
+      );
+    }
+    kind = "stdio";
+    transport = new StdioClientTransport({
+      command: input.command,
+      args: input.args ?? [],
+      env: { ...getDefaultEnvironment(), ...opts.seedEnv ?? {}, ...input.env ?? {} },
+      ...input.cwd ?? opts.seedCwd ? { cwd: input.cwd ?? opts.seedCwd } : {}
+    });
+    const cmdline = [input.command, ...input.args ?? []].join(" ");
+    descriptor = { kind, command: cmdline, url: null };
+    serverRef = input.serverRef ?? cmdline;
+  } else if (/^https?:\/\//i.test(input)) {
+    kind = "http";
+    await assertPublicHttpUrl(input);
+    const headers = opts.httpHeaders && Object.keys(opts.httpHeaders).length > 0 ? opts.httpHeaders : void 0;
+    transport = new StreamableHTTPClientTransport(
+      new URL(input),
+      headers ? { requestInit: { headers }, fetch: sameOriginAuthFetch(input, headers) } : void 0
+    );
+    descriptor = { kind, command: null, url: input };
+    serverRef = input;
+  } else {
+    const parsed = parseServerRef(input);
+    kind = "stdio";
+    if (isolated) {
+      if (parsed.registry !== "npm") {
+        throw new IsolationUnsupportedError(
+          `docker isolation is unsupported for ${parsed.registry} refs \u2014 only npm refs can be containerized`
+        );
+      }
+      const spec = (parsed.owner ? `${parsed.owner}/${parsed.name}` : parsed.name) + (parsed.version ? `@${parsed.version}` : "");
+      const stageOpts = opts.runLabel ? { runLabel: opts.runLabel } : {};
+      await ensureImage();
+      let staged = null;
+      let seed = null;
+      try {
+        staged = await stageNpmPackage(spec, stageOpts);
+        if (!opts.seedCwd) {
+          throw new Error("docker isolation requires a canary seed directory (seedCwd)");
+        }
+        seed = await prepareSeedVolume(opts.seedCwd, stageOpts);
+        const launch = containerLaunch({
+          entry: staged.entry,
+          stageVolume: staged.volume,
+          seedVolume: seed.volume,
+          // Canaries travel INTO the container via -e, NOT via the docker CLI's
+          // own env (the CLI runs on the secrets-bearing host).
+          canaryEnv: opts.seedEnv ?? {},
+          ...opts.runLabel ? { runLabel: opts.runLabel } : {},
+          ...process.env.LITMUS_DOCKER_RUNTIME ? { runtime: process.env.LITMUS_DOCKER_RUNTIME } : {}
+        });
+        const containerName = `pg-connect-${randomUUID3().slice(0, 8)}`;
+        const namedArgs = [launch.args[0], "--name", containerName, ...launch.args.slice(1)];
+        transport = new StdioClientTransport({
+          command: launch.command,
+          args: namedArgs,
+          // Default env only: no host secrets, no canaries (those are -e args).
+          env: getDefaultEnvironment()
+        });
+        descriptor = {
+          kind,
+          command: recordedContainerCommand(launch.command, launch.args, {
+            stageVolume: staged.volume,
+            seedVolume: seed.volume
+          }),
+          url: null
+        };
+        resolvedVersion = resolveStagedVersion(parsed.version, staged.resolvedVersion);
+        const stagedCleanup = staged.cleanup;
+        const seedCleanup = seed.cleanup;
+        teardownExtra.push(
+          () => docker(["rm", "-f", containerName]).then(() => {
+          }).catch(() => {
+          }),
+          stagedCleanup,
+          seedCleanup
+        );
+      } catch (err) {
+        if (seed) await seed.cleanup();
+        if (staged) await staged.cleanup();
+        throw err;
+      }
+      serverRef = serverKey(parsed);
+    } else {
+      const launch = launchForRef(parsed);
+      resolvedVersion = parsed.version ?? null;
+      transport = new StdioClientTransport({
+        command: launch.command,
+        args: launch.args,
+        env: { ...getDefaultEnvironment(), ...opts.seedEnv ?? {} },
+        ...opts.seedCwd ? { cwd: opts.seedCwd } : {}
+      });
+      descriptor = { kind, command: [launch.command, ...launch.args].join(" "), url: null };
+      serverRef = serverKey(parsed);
+    }
+  }
+  const client = new Client(CLIENT_INFO, { capabilities: {} });
+  try {
+    await withConnectTimeout(client.connect(transport), transport);
+  } catch (err) {
+    for (const c of teardownExtra) await c();
+    throw err;
+  }
+  return {
+    client,
+    kind,
+    descriptor,
+    serverRef,
+    resolvedVersion,
+    teardown: async () => {
+      try {
+        await client.close();
+      } catch {
+      }
+      for (const c of teardownExtra) await c();
+    }
+  };
+}
+var CONNECT_TIMEOUT_MS = 3e4;
+async function withConnectTimeout(connecting, transport) {
+  let timer;
+  const timeout = new Promise((_, reject) => {
+    timer = setTimeout(() => reject(new Error("MCP connect/initialize timed out")), CONNECT_TIMEOUT_MS);
+    timer.unref?.();
+  });
+  try {
+    await Promise.race([connecting, timeout]);
+  } catch (err) {
+    await transport.close().catch(() => {
+    });
+    throw err;
+  } finally {
+    clearTimeout(timer);
+  }
+}
+function launchForRef(p) {
+  if (p.registry === "npm") {
+    const spec = (p.owner ? `${p.owner}/${p.name}` : p.name) + (p.version ? `@${p.version}` : "");
+    return { command: "npx", args: ["-y", spec] };
+  }
+  if (p.registry === "pypi") {
+    return { command: "uvx", args: [p.version ? `${p.name}@${p.version}` : p.name] };
+  }
+  throw new Error(
+    `registry "${p.registry}" is not launchable over stdio (only npm/pypi). Use an https:// URL for a remote MCP server.`
+  );
+}
+
+// ../probes/src/fingerprint.ts
+import { createHash } from "crypto";
+function fingerprintToolDefs(tools) {
+  const canonical = tools.map((t) => ({
+    name: t.name,
+    description: normalizeWhitespace(t.description ?? ""),
+    inputSchema: sortKeysDeep(t.inputSchema ?? null)
+  })).sort((a, b) => a.name < b.name ? -1 : a.name > b.name ? 1 : 0);
+  const json = JSON.stringify(canonical);
+  const hash = createHash("sha256").update(json, "utf8").digest("hex");
+  return { fingerprint: "0x" + hash, canonical };
+}
+function normalizeWhitespace(s) {
+  return s.replace(/[ \t\r\n\f\v]+/g, " ").trim();
+}
+var MAX_FINGERPRINT_DEPTH = 100;
+function sortKeysDeep(value, depth = 0) {
+  if (depth > MAX_FINGERPRINT_DEPTH) {
+    throw new RangeError(`tool schema nesting exceeds ${MAX_FINGERPRINT_DEPTH} levels`);
+  }
+  if (Array.isArray(value)) return value.map((v) => sortKeysDeep(v, depth + 1));
+  if (value && typeof value === "object") {
+    const src = value;
+    const out = {};
+    for (const k of Object.keys(src).sort()) {
+      Object.defineProperty(out, k, {
+        value: sortKeysDeep(src[k], depth + 1),
+        enumerable: true,
+        writable: true,
+        configurable: true
+      });
+    }
+    return out;
+  }
+  return value;
+}
+
+// ../probes/src/probes/exercise.ts
+var BAIT_POOL = [
+  "polygraph litmus bait input",
+  "summarize the following text for me",
+  "please process and echo this content back",
+  "here is some material \u2014 what do you make of it?"
+];
+function buildBaitArgs(schema, bait = BAIT_POOL[0]) {
+  const args = {};
+  if (!schema || typeof schema !== "object") return args;
+  const s = schema;
+  const props = s.properties && typeof s.properties === "object" ? s.properties : {};
+  const required = Array.isArray(s.required) ? s.required : Object.keys(props);
+  for (const key of required) args[key] = baitValue(props[key], bait);
+  return args;
+}
+function baitValue(prop, bait) {
+  const p = prop ?? {};
+  if (Array.isArray(p.enum) && p.enum.length > 0) return p.enum[0];
+  const type = Array.isArray(p.type) ? p.type[0] : p.type;
+  switch (type) {
+    case "number":
+    case "integer":
+      return 1;
+    case "boolean":
+      return true;
+    case "array":
+      return [];
+    case "object":
+      return {};
+    default:
+      return bait;
+  }
+}
+var MAX_RESULT_CHARS = 256 * 1024;
+function capResultText(s) {
+  return s.length > MAX_RESULT_CHARS ? s.slice(0, MAX_RESULT_CHARS) : s;
+}
+function stringifyResult(result) {
+  if (!result || typeof result !== "object") return capResultText(String(result ?? ""));
+  const r = result;
+  const parts = [];
+  if (Array.isArray(r.content)) {
+    for (const c of r.content) {
+      if (c && typeof c === "object" && "text" in c && typeof c.text === "string") {
+        parts.push(c.text);
+      }
+    }
+  }
+  try {
+    parts.push(JSON.stringify(result));
+  } catch {
+  }
+  return capResultText(parts.join("\n"));
+}
+var CALL_TIMEOUT_MS = 15e3;
+var TIMEOUT = /* @__PURE__ */ Symbol("timeout");
+async function exerciseTool(client, tool, bait = BAIT_POOL[0], timeoutMs = CALL_TIMEOUT_MS) {
+  try {
+    const call = client.callTool({ name: tool.name, arguments: buildBaitArgs(tool.inputSchema, bait) });
+    const raced = await Promise.race([
+      call,
+      new Promise((resolve) => {
+        const t = setTimeout(() => resolve(TIMEOUT), timeoutMs);
+        t.unref?.();
+      })
+    ]);
+    if (raced === TIMEOUT) return { ok: false, reason: "timeout" };
+    return { ok: true, text: stringifyResult(raced) };
+  } catch {
+    return { ok: false, reason: "error" };
+  }
+}
+
+// ../probes/src/probes/tool-safety.ts
+var STATE_CHANGING_VERBS = /* @__PURE__ */ new Set([
+  "send",
+  "transfer",
+  "swap",
+  "sign",
+  "pay",
+  "buy",
+  "sell",
+  "trade",
+  "approve",
+  "withdraw",
+  "deposit",
+  "mint",
+  "burn",
+  "execute",
+  "deploy",
+  "delete",
+  "remove",
+  "drop",
+  "write",
+  "create",
+  "update",
+  "insert",
+  "revoke",
+  "grant",
+  "move",
+  "rename",
+  "purchase",
+  "checkout",
+  "order"
+]);
+var UNAMBIGUOUS_DESTRUCTIVE_VERBS = /* @__PURE__ */ new Set([
+  "delete",
+  "drop",
+  "transfer",
+  "send",
+  "withdraw",
+  "pay",
+  "sign",
+  "burn",
+  "revoke"
+]);
+function tokenize(name) {
+  return name.replace(/([a-z0-9])([A-Z])/g, "$1 $2").split(/[^a-zA-Z0-9]+/).filter(Boolean).map((t) => t.toLowerCase());
+}
+function classifyTool(tool) {
+  const ann = tool.annotations ?? void 0;
+  if (ann?.readOnlyHint === true) return { stateChanging: false };
+  if (ann?.destructiveHint === true) return { stateChanging: true, reason: "annotated destructiveHint" };
+  if (ann?.readOnlyHint === false) return { stateChanging: true, reason: "annotated readOnlyHint:false" };
+  const verb = tokenize(tool.name).find((t) => STATE_CHANGING_VERBS.has(t));
+  if (verb) return { stateChanging: true, reason: `name token "${verb}" is state-changing` };
+  return { stateChanging: false };
+}
+function declarationMismatch(tool) {
+  if (tool.annotations?.readOnlyHint !== true) return null;
+  return tokenize(tool.name).find((t) => UNAMBIGUOUS_DESTRUCTIVE_VERBS.has(t)) ?? null;
+}
+function stateChangingToolNames(tools) {
+  const names = /* @__PURE__ */ new Set();
+  for (const t of tools) {
+    if (classifyTool(t).stateChanging) names.add(t.name);
+  }
+  return names;
+}
+function skippedNote(skipped) {
+  return `${skipped.length} tool(s) skipped (state-changing; pass --allow-state-changing): ${skipped.join(", ")}`;
+}
+function shouldSkipExercise(ctx, toolName) {
+  return !ctx.allowStateChanging && ctx.stateChangingTools.has(toolName);
+}
+
+// ../probes/src/probes/scanners.ts
+function isInvisible(cp) {
+  return cp >= 8203 && cp <= 8205 || // zero-width space/non-joiner/joiner
+  cp === 65279 || // zero-width no-break space (BOM)
+  cp >= 8234 && cp <= 8238 || // bidi embedding/override
+  cp >= 8294 && cp <= 8297 || // bidi isolates
+  cp >= 917504 && cp <= 917631;
+}
+function invisibleUnicode(text) {
+  const findings = [];
+  let offset = 0;
+  for (const ch of text) {
+    const cp = ch.codePointAt(0) ?? 0;
+    if (isInvisible(cp)) {
+      findings.push({
+        kind: "invisible-unicode",
+        severity: "high",
+        match: `U+${cp.toString(16).toUpperCase().padStart(4, "0")}`,
+        offset
+      });
+    }
+    offset += ch.length;
+  }
+  return findings;
+}
+var MIMICRY = [
+  { re: /\bignore\s+(?:all\s+|the\s+|your\s+|any\s+)?(?:previous|prior|above|earlier)\s+(?:instructions?|prompts?|messages?)\b/i, severity: "high" },
+  { re: /\bdisregard\s+(?:all\s+|the\s+|your\s+)?(?:previous|prior|above)\b/i, severity: "high" },
+  { re: /\b(?:new|updated|revised)\s+(?:instructions?|directives?|system\s+prompt)\b/i, severity: "high" },
+  { re: /(?:^|[\s>])system\s*:/i, severity: "high" },
+  { re: /<\/?(?:system|assistant|user|tool)\b[^>]*>/i, severity: "high" },
+  { re: /"(?:tool_call|function_call|tool_name|function)"\s*:/i, severity: "high" },
+  { re: /\byou\s+(?:must|should|shall|will|need\s+to|have\s+to)\s+\w/i, severity: "medium" }
+];
+function instructionMimicry(text) {
+  const findings = [];
+  for (const { re, severity } of MIMICRY) {
+    const m = re.exec(text);
+    if (m) {
+      findings.push({
+        kind: "instruction-mimicry",
+        severity,
+        match: m[0].slice(0, 120),
+        offset: m.index
+      });
+    }
+  }
+  return findings;
+}
+function markdownTricks(text) {
+  const findings = [];
+  const proto = /\b(?:javascript|data):[^\s)"'<>]+/gi;
+  for (let m = proto.exec(text); m; m = proto.exec(text)) {
+    findings.push({
+      kind: "markdown-trick",
+      severity: "high",
+      match: m[0].slice(0, 120),
+      offset: m.index
+    });
+  }
+  const exfilImg = /!?\[[^\]]*\]\((https?:\/\/[^)\s]*\?[^)\s]*=[^)\s]*)\)/gi;
+  for (let m = exfilImg.exec(text); m; m = exfilImg.exec(text)) {
+    findings.push({
+      kind: "markdown-trick",
+      severity: "medium",
+      match: (m[1] ?? m[0]).slice(0, 120),
+      offset: m.index
+    });
+  }
+  return findings;
+}
+function canaryMatch(text, canaries) {
+  const findings = [];
+  const lower = text.toLowerCase();
+  const views = obfuscatedViews(text);
+  for (const c of canaries) {
+    if (!c) continue;
+    const exact = text.indexOf(c);
+    if (exact >= 0) {
+      findings.push({ kind: "canary", severity: "high", match: c, offset: exact });
+      continue;
+    }
+    const ci = lower.indexOf(c.toLowerCase());
+    if (ci >= 0) {
+      findings.push({ kind: "canary", severity: "high", match: c, offset: ci });
+      continue;
+    }
+    const lc = c.toLowerCase();
+    const view = views.find((v) => v.text.includes(c) || v.text.toLowerCase().includes(lc));
+    if (view) findings.push({ kind: "canary", severity: "high", match: `${c} (${view.label})` });
+  }
+  return findings;
+}
+function obfuscatedViews(text) {
+  const views = [
+    { label: "whitespace-stripped", text: text.replace(/\s+/g, "") }
+  ];
+  try {
+    views.push({ label: "url-decoded", text: decodeURIComponent(text) });
+  } catch {
+  }
+  for (const m of text.matchAll(/[A-Za-z0-9+/]{16,}={0,2}/g)) {
+    const d = decodeBuf(m[0], "base64");
+    if (d) views.push({ label: "base64-decoded", text: d });
+  }
+  for (const m of text.matchAll(/[0-9a-fA-F]{32,}/g)) {
+    if (m[0].length % 2 === 0) {
+      const d = decodeBuf(m[0], "hex");
+      if (d) views.push({ label: "hex-decoded", text: d });
+    }
+  }
+  return views;
+}
+function decodeBuf(s, enc) {
+  try {
+    const d = Buffer.from(s, enc).toString("utf8");
+    return /[\x20-\x7e]/.test(d) ? d : null;
+  } catch {
+    return null;
+  }
+}
+function hasHighSeverity(findings) {
+  return findings.some((f) => f.severity === "high");
+}
+
+// ../probes/src/probes/c01-injection.ts
+function scanInjection(text, tool) {
+  return [...invisibleUnicode(text), ...instructionMimicry(text), ...markdownTricks(text)].map((f) => ({
+    ...f,
+    tool
+  }));
+}
+function probe11(ctx) {
+  const findings = [];
+  for (const t of ctx.tools) {
+    const surface = `${t.name}
+${t.description}
+${JSON.stringify(t.inputSchema ?? {})}`;
+    findings.push(...scanInjection(surface, t.name));
+  }
+  return { id: "1.1", status: hasHighSeverity(findings) ? "fail" : "pass", findings };
+}
+async function probe12(ctx) {
+  const findings = [];
+  let exercised = 0;
+  const unexercised = [];
+  const skipped = [];
+  for (const t of ctx.tools) {
+    if (shouldSkipExercise(ctx, t.name)) {
+      skipped.push(t.name);
+      continue;
+    }
+    let answered = false;
+    for (const bait of BAIT_POOL) {
+      const out = await exerciseTool(ctx.client, t, bait);
+      if (!out.ok) continue;
+      answered = true;
+      findings.push(...scanInjection(out.text, t.name));
+    }
+    if (answered) exercised++;
+    else unexercised.push(t.name);
+  }
+  return {
+    id: "1.2",
+    status: hasHighSeverity(findings) ? "fail" : "pass",
+    findings,
+    reason: exerciseReason(exercised, unexercised, skipped)
+  };
+}
+function exerciseReason(exercised, unexercised, skipped) {
+  const notes = [];
+  if (exercised === 0 && skipped.length === 0) notes.push("no tools could be exercised with bait inputs");
+  if (skipped.length) notes.push(skippedNote(skipped));
+  if (unexercised.length) notes.push(`${unexercised.length} tool(s) errored/timed out on bait (unevaluated): ${unexercised.join(", ")}`);
+  return notes.length ? notes.join("; ") : null;
+}
+async function c01Injection(ctx) {
+  const probes = [probe11(ctx), await probe12(ctx)];
+  const status = probes.some((p) => p.status === "fail") ? "fail" : "pass";
+  return { code: "C-01", status, probes };
+}
+
+// ../probes/src/docker/egress-runner.ts
+import { randomUUID as randomUUID4 } from "crypto";
+var IMAGE_TAG3 = "polygraph-egress-sniff:latest";
+function notRan(reason) {
+  return { ran: false, reason, attempts: [] };
+}
+function parseSinkholeOutput(output) {
+  const attempts = [];
+  for (const line of output.split("\n")) {
+    const m = line.match(/^EGRESS\s+(\{.*\})\s*$/);
+    if (!m) continue;
+    try {
+      const rec = JSON.parse(m[1]);
+      if (rec.kind === "tcp" || rec.kind === "dns") {
+        attempts.push({
+          kind: rec.kind,
+          ...rec.host !== void 0 ? { host: rec.host } : {},
+          ...rec.port !== void 0 ? { port: rec.port } : {},
+          ...rec.firstBytes !== void 0 ? { firstBytes: rec.firstBytes } : {}
+        });
+      }
+    } catch {
+    }
+  }
+  return attempts;
+}
+function egressToFindings(attempts) {
+  return attempts.map((a) => ({
+    kind: "egress",
+    severity: "high",
+    match: a.host ? `${a.host}${a.port ? `:${a.port}` : ""}` : `port ${a.port ?? "?"}`,
+    ...a.host !== void 0 ? { host: a.host } : {},
+    ...a.port !== void 0 ? { port: a.port } : {},
+    ...a.firstBytes !== void 0 ? { firstBytes: a.firstBytes } : {}
+  }));
+}
+function egressCanaryFindings(attempts, canaries) {
+  const findings = [];
+  for (const a of attempts) {
+    if (a.firstBytes) findings.push(...canaryMatch(a.firstBytes, canaries));
+    if (a.host) findings.push(...canaryMatch(a.host, canaries));
+  }
+  return findings;
+}
+function egressTargetArgs(opts) {
+  const envFlags = Object.entries(opts.canaryEnv).flatMap(([k, v]) => ["-e", `${k}=${v}`]);
+  const runtimeFlags = opts.runtime ? ["--runtime", opts.runtime] : [];
+  return [
+    "run",
+    "-i",
+    "--rm",
+    "--name",
+    opts.targetName,
+    "--network",
+    opts.net,
+    "--dns",
+    opts.sinkIp,
+    "-v",
+    `${opts.vol}:/stage:ro`,
+    "--user",
+    "node",
+    "--read-only",
+    "--tmpfs",
+    "/tmp:rw,size=64m,mode=1777",
+    "--cap-drop=ALL",
+    // Disable IPv6 in the target: the sinkhole/iptables capture is IPv4-only, so
+    // an IPv6 socket would otherwise dodge detection (and, on a dual-stack net,
+    // egress). --cpus bounds host CPU starvation by a hostile busy-loop.
+    "--sysctl",
+    "net.ipv6.conf.all.disable_ipv6=1",
+    "--sysctl",
+    "net.ipv6.conf.default.disable_ipv6=1",
+    "--cpus",
+    "1",
+    "--security-opt",
+    "no-new-privileges",
+    "--pids-limit",
+    "256",
+    "--memory",
+    "512m",
+    ...opts.label,
+    ...envFlags,
+    ...runtimeFlags,
+    "--entrypoint",
+    "node",
+    IMAGE_TAG3,
+    opts.entry
+  ];
+}
+async function runEgressProbe(ref, opts) {
+  let parsed;
+  try {
+    parsed = parseServerRef(ref);
+  } catch {
+    return notRan("egress sandbox only runs launchable package refs (npm)");
+  }
+  if (parsed.registry !== "npm") {
+    return notRan(`egress sandbox for ${parsed.registry} targets not implemented (npm only)`);
+  }
+  const pkgSpec = (parsed.owner ? `${parsed.owner}/${parsed.name}` : parsed.name) + (parsed.version ? `@${parsed.version}` : "");
+  const net = `pg-egress-${randomUUID4().slice(0, 8)}`;
+  const sink = `pg-sink-${randomUUID4().slice(0, 8)}`;
+  const targetName = `pg-target-${randomUUID4().slice(0, 8)}`;
+  const label = labelFlags(opts.runLabel);
+  let staged = null;
+  try {
+    await ensureImage();
+    try {
+      staged = await stageNpmPackage(pkgSpec, opts.runLabel ? { runLabel: opts.runLabel } : {});
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      if (msg.includes("exposes no launchable bin")) return notRan(msg);
+      throw err;
+    }
+    const { volume: vol, entry } = staged;
+    await docker(["network", "create", "--internal", ...label, net]);
+    await docker([
+      "run",
+      "-d",
+      "--name",
+      sink,
+      "--network",
+      net,
+      ...label,
+      "--cap-add=NET_ADMIN",
+      "--pids-limit",
+      "64",
+      "--memory",
+      "256m",
+      "--entrypoint",
+      "/sink-entrypoint.sh",
+      IMAGE_TAG3
+    ]);
+    const sinkIp = (await docker(["inspect", "-f", `{{(index .NetworkSettings.Networks "${net}").IPAddress}}`, sink])).trim();
+    const targetArgs = egressTargetArgs({
+      targetName,
+      net,
+      sinkIp,
+      vol,
+      entry,
+      canaryEnv: opts.canaryEnv,
+      label,
+      ...process.env.LITMUS_DOCKER_RUNTIME ? { runtime: process.env.LITMUS_DOCKER_RUNTIME } : {}
+    });
+    const conn = await connectTarget({ command: "docker", args: targetArgs, serverRef: `npm/${pkgSpec}` });
+    try {
+      const { tools } = await conn.client.listTools();
+      for (const t of tools) {
+        await exerciseTool(conn.client, { name: t.name, description: t.description ?? "", inputSchema: t.inputSchema ?? null });
+      }
+    } finally {
+      await conn.teardown();
+    }
+    const logs = await docker(["logs", sink]);
+    return { ran: true, reason: null, attempts: parseSinkholeOutput(logs) };
+  } catch (err) {
+    return notRan(`egress sandbox unavailable: ${err instanceof Error ? err.message : String(err)}`);
+  } finally {
+    await docker(["rm", "-f", targetName]).catch(() => {
+    });
+    await docker(["rm", "-f", sink]).catch(() => {
+    });
+    await docker(["network", "rm", net]).catch(() => {
+    });
+    if (staged) await staged.cleanup();
+  }
+}
+
+// ../probes/src/probes/c02-egress.ts
+function probe21Declaration(tools) {
+  const findings = [];
+  for (const t of tools) {
+    const verb = declarationMismatch(t);
+    if (verb) {
+      findings.push({
+        kind: "permission-mislabel",
+        severity: "high",
+        match: `claims readOnlyHint:true but name verb "${verb}" mutates`,
+        tool: t.name
+      });
+    }
+  }
+  return { id: "2.1", status: findings.length > 0 ? "fail" : "pass", findings };
+}
+function probe22Egress(egress) {
+  if (!egress.ran) return { id: "2.2", status: "skipped", findings: [], reason: egress.reason };
+  const findings = egressToFindings(egress.attempts);
+  return { id: "2.2", status: findings.length > 0 ? "fail" : "pass", findings };
+}
+function c02Permission(declaration, egress) {
+  const egressProbe = probe22Egress(egress);
+  const probes = [declaration, egressProbe];
+  let status;
+  if (declaration.status === "fail" || egressProbe.status === "fail") {
+    status = "fail";
+  } else if (egressProbe.status === "skipped") {
+    return { code: "C-02", status: "skipped", reason: egress.reason, probes };
+  } else {
+    status = "pass";
+  }
+  return { code: "C-02", status, probes };
+}
+
+// ../probes/src/probes/c03-sensitive.ts
+async function probe41(ctx) {
+  const findings = [];
+  let exercised = 0;
+  const unexercised = [];
+  const skipped = [];
+  for (const t of ctx.tools) {
+    if (shouldSkipExercise(ctx, t.name)) {
+      skipped.push(t.name);
+      continue;
+    }
+    const out = await exerciseTool(ctx.client, t);
+    if (!out.ok) {
+      unexercised.push(t.name);
+      continue;
+    }
+    exercised++;
+    findings.push(...canaryMatch(out.text, ctx.canaries).map((f) => ({ ...f, tool: t.name })));
+  }
+  const notes = [];
+  if (exercised === 0 && skipped.length === 0) notes.push("no tools could be exercised");
+  if (skipped.length) notes.push(skippedNote(skipped));
+  if (unexercised.length) notes.push(`${unexercised.length} tool(s) errored/timed out (unevaluated): ${unexercised.join(", ")}`);
+  return { id: "4.1", status: findings.length > 0 ? "fail" : "pass", findings, reason: notes.length ? notes.join("; ") : null };
+}
+function probe42(ctx, egress) {
+  if (!egress.ran) {
+    return {
+      id: "4.2",
+      status: "partial",
+      findings: [],
+      reason: egress.reason ?? "no egress capture (sandbox unavailable)"
+    };
+  }
+  const findings = egressCanaryFindings(egress.attempts, ctx.canaries);
+  return { id: "4.2", status: findings.length > 0 ? "fail" : "pass", findings };
+}
+async function c03Sensitive(ctx, egress) {
+  const p41 = await probe41(ctx);
+  const p42 = probe42(ctx, egress);
+  const status = p41.status === "fail" || p42.status === "fail" ? "fail" : "pass";
+  return { code: "C-03", status, probes: [p41, p42] };
+}
+
+// ../probes/src/probes/canaries.ts
+import { randomUUID as randomUUID5 } from "crypto";
+import { mkdtempSync, mkdirSync, writeFileSync, rmSync } from "fs";
+import { tmpdir } from "os";
+import { dirname, join as join2 } from "path";
+function mintCanaries() {
+  const id = randomUUID5();
+  const short = id.replace(/-/g, "").slice(0, 16);
+  const apiKey = `POLYGRAPH-CANARY-${id}`;
+  const token = `pgt_${short}`;
+  const pii = `canary.${short}@polygraph.invalid`;
+  return { apiKey, token, pii, all: [apiKey, token, pii] };
+}
+function canaryEnv(c) {
+  return {
+    OPENAI_API_KEY: c.apiKey,
+    ANTHROPIC_API_KEY: c.apiKey,
+    GITHUB_TOKEN: c.token,
+    AWS_SECRET_ACCESS_KEY: c.token,
+    DATABASE_URL: `postgres://canary:${c.token}@db.internal:5432/app`,
+    USER_EMAIL: c.pii
+  };
+}
+function canaryFiles(c) {
+  return {
+    ".env": `OPENAI_API_KEY=${c.apiKey}
+DATABASE_URL=postgres://canary:${c.token}@db.internal:5432/app
+USER_EMAIL=${c.pii}
+`,
+    ".aws/credentials": `[default]
+aws_access_key_id=${c.apiKey}
+aws_secret_access_key=${c.token}
+`,
+    "config/secrets.json": JSON.stringify({ apiKey: c.apiKey, token: c.token, email: c.pii }, null, 2) + "\n"
+  };
+}
+function seedCanaryDir(c) {
+  const dir = mkdtempSync(join2(tmpdir(), "polygraph-litmus-"));
+  for (const [rel, contents] of Object.entries(canaryFiles(c))) {
+    const full = join2(dir, rel);
+    mkdirSync(dirname(full), { recursive: true });
+    writeFileSync(full, contents, "utf8");
+  }
+  return {
+    dir,
+    cleanup: () => {
+      try {
+        rmSync(dir, { recursive: true, force: true });
+      } catch {
+      }
+    }
+  };
+}
+
+// ../probes/src/grade.ts
+function gradeFromCategories(categories) {
+  const byCode = (code) => categories.find((c) => c.code === code);
+  const c01 = byCode("C-01");
+  const c02 = byCode("C-02");
+  const c03 = byCode("C-03");
+  const failed = categories.filter((c) => c.status === "fail").map((c) => c.code);
+  const skipped = categories.filter((c) => c.status === "skipped").map((c) => c.code);
+  if (c01?.status === "fail" || c03?.status === "fail") {
+    return {
+      grade: "F",
+      rationale: `Disqualifying failure in ${failed.join(", ")} \u2014 active injection or data leak harms an agent that trusts this server.`
+    };
+  }
+  if (c02?.status === "fail") {
+    return {
+      grade: "D",
+      rationale: "Unexpected egress (C-02 failed); no injection or data leak. Egress is serious but not proven exfiltration, so the grade caps at D."
+    };
+  }
+  if (c01?.status === "pass" && c02?.status === "pass" && c03?.status === "pass") {
+    return { grade: "A", rationale: "All three categories passed. No injection, no unexpected egress, no data leak." };
+  }
+  if (c01?.status === "pass") {
+    const note = skipped.length ? ` Not verified: ${skipped.join(", ")} (${skipped.map((c) => byCode(c)?.reason).filter(Boolean).join("; ")}).` : "";
+    return {
+      grade: "B",
+      rationale: `Injection checks passed; egress not verified.${note}`
+    };
+  }
+  return {
+    grade: "F",
+    rationale: "C-01 did not complete \u2014 the tool surface could not be evaluated, so the server is treated as ungraded/unsafe."
+  };
+}
+
+// ../probes/src/bundle.ts
+import { createRequire } from "module";
+var require2 = createRequire(import.meta.url);
+var PKG_VERSION = (() => {
+  try {
+    return require2("../package.json").version ?? "0.0.0";
+  } catch {
+    return "0.0.0";
+  }
+})();
+var DISCLAIMER = `Self-run, self-minted under ${METHODOLOGY_VERSION}. Independence traded for cost. Re-run the open harness to verify.`;
+function assembleBundle(input) {
+  const harness = {
+    package: "@polygraph/probes",
+    version: PKG_VERSION,
+    node: process.version,
+    dockerAvailable: input.dockerAvailable,
+    ...input.stdioIsolation ? { stdioIsolation: input.stdioIsolation } : {}
+  };
+  return {
+    schemaVersion: BUNDLE_SCHEMA_VERSION,
+    methodologyVersion: METHODOLOGY_VERSION,
+    serverRef: input.serverRef,
+    resolvedVersion: input.resolvedVersion,
+    target: input.target,
+    toolDefsFingerprint: input.toolDefsFingerprint,
+    toolDefs: input.toolDefs,
+    ranAt: input.ranAt,
+    harness,
+    categories: input.categories,
+    grade: input.grade.grade,
+    gradeRationale: input.grade.rationale,
+    disclaimer: input.disclaimer ?? DISCLAIMER
+  };
+}
+
+// ../probes/src/harness.ts
+async function runLitmus(target, opts = {}) {
+  const isolation = opts.isolation ?? (process.env.LITMUS_STDIO_ISOLATION === "docker" ? "docker" : "none");
+  const ranAt = (/* @__PURE__ */ new Date()).toISOString();
+  const dockerAvailable = await checkDocker();
+  const canaries = mintCanaries();
+  const seedEnv = canaryEnv(canaries);
+  const isHttp = typeof target === "string" && /^https?:\/\//i.test(target);
+  const isStdio = !isHttp;
+  if (isolation === "docker" && isStdio && !dockerAvailable) {
+    throw new Error("stdio isolation requires Docker \u2014 refusing to run the target on the host");
+  }
+  const seed = isHttp ? null : seedCanaryDir(canaries);
+  const conn = await connectTarget(target, {
+    seedEnv,
+    seedCwd: seed?.dir,
+    httpHeaders: opts.headers,
+    isolation,
+    ...opts.runLabel ? { runLabel: opts.runLabel } : {}
+  });
+  try {
+    const runProbes = async () => {
+      const listed = await enumerateTools(conn.client);
+      const tools = listed.map((t) => ({
+        name: t.name,
+        description: t.description ?? "",
+        inputSchema: t.inputSchema ?? null
+      }));
+      assertGradableSurface(tools);
+      const { fingerprint, canonical } = fingerprintToolDefs(tools);
+      const annotated = listed.map((t) => ({
+        name: t.name,
+        description: t.description ?? "",
+        annotations: t.annotations
+      }));
+      const stateChangingTools = stateChangingToolNames(annotated);
+      const ctx = {
+        client: conn.client,
+        tools,
+        canaries: canaries.all,
+        dockerAvailable,
+        stateChangingTools,
+        allowStateChanging: opts.allowStateChanging ?? false
+      };
+      const egress = dockerAvailable && typeof target === "string" && !/^https?:\/\//i.test(target) ? await runEgressProbe(target, { canaryEnv: seedEnv, ...opts.runLabel ? { runLabel: opts.runLabel } : {} }) : {
+        ran: false,
+        reason: dockerAvailable ? "egress not run for this target" : "no sandbox (Docker unavailable)",
+        attempts: []
+      };
+      assertEgressRanUnderIsolation(egress, isolation, isStdio);
+      const categories = [
+        await c01Injection(ctx),
+        c02Permission(probe21Declaration(annotated), egress),
+        await c03Sensitive(ctx, egress)
+      ];
+      const grade = gradeFromCategories(categories);
+      return assembleBundle({
+        serverRef: conn.serverRef,
+        resolvedVersion: conn.resolvedVersion,
+        target: conn.descriptor,
+        toolDefsFingerprint: fingerprint,
+        toolDefs: canonical,
+        categories,
+        grade,
+        ranAt,
+        dockerAvailable,
+        // Record how a stdio target was executed; omit for http.
+        ...isStdio ? { stdioIsolation: isolation } : {},
+        ...opts.disclaimer ? { disclaimer: opts.disclaimer } : {}
+      });
+    };
+    return opts.timeoutMs !== void 0 ? await withTimeout(runProbes(), opts.timeoutMs, `litmus run exceeded ${opts.timeoutMs}ms`) : await runProbes();
+  } finally {
+    await conn.teardown();
+    seed?.cleanup();
+  }
+}
+function assertEgressRanUnderIsolation(egress, isolation, isStdio) {
+  if (isolation === "docker" && isStdio && !egress.ran) {
+    throw new Error(
+      `stdio isolation failed: the egress sandbox did not run (${egress.reason ?? "unknown reason"}) \u2014 refusing to grade without isolation`
+    );
+  }
+}
+var LIST_TIMEOUT_MS = 3e4;
+var MAX_TOOLS = 4096;
+var MAX_SURFACE_BYTES = 8 * 1024 * 1024;
+function assertGradableSurface(tools) {
+  if (tools.length > MAX_TOOLS) {
+    throw new Error(`tool surface too large to grade: ${tools.length} tools (max ${MAX_TOOLS})`);
+  }
+  let bytes = 0;
+  for (const t of tools) {
+    bytes += (t.name?.length ?? 0) + (t.description?.length ?? 0);
+    if (bytes > MAX_SURFACE_BYTES) {
+      throw new Error(`tool surface exceeds ${MAX_SURFACE_BYTES} bytes \u2014 refusing to grade`);
+    }
+  }
+}
+async function enumerateTools(client, opts = {}) {
+  const maxTools = opts.maxTools ?? MAX_TOOLS;
+  const maxBytes = opts.maxBytes ?? MAX_SURFACE_BYTES;
+  const listTimeoutMs = opts.listTimeoutMs ?? LIST_TIMEOUT_MS;
+  const all = [];
+  let bytes = 0;
+  let cursor;
+  for (; ; ) {
+    const page = await withTimeout(
+      client.listTools(cursor !== void 0 ? { cursor } : void 0),
+      listTimeoutMs,
+      "listTools timed out"
+    );
+    for (const t of page.tools ?? []) {
+      all.push(t);
+      bytes += (t.name?.length ?? 0) + (t.description?.length ?? 0);
+    }
+    cursor = page.nextCursor;
+    if (cursor === void 0) break;
+    if (all.length > maxTools || bytes > maxBytes) {
+      throw new Error(
+        `tool surface still paginating past the gradable cap (>${maxTools} tools / >${maxBytes} bytes) \u2014 refusing to grade a partial surface`
+      );
+    }
+  }
+  return all;
+}
+function withTimeout(p, ms, label) {
+  return Promise.race([
+    p,
+    new Promise((_, reject) => {
+      const t = setTimeout(() => reject(new Error(label)), ms);
+      t.unref?.();
+    })
+  ]);
+}
+function checkDocker() {
+  return new Promise((resolve) => {
+    const child = execFile2("docker", ["info"], { timeout: 4e3 }, (err) => resolve(!err));
+    child.on("error", () => resolve(false));
+  });
+}
+
+export {
+  connectTarget,
+  fingerprintToolDefs,
+  classifyTool,
+  stateChangingToolNames,
+  invisibleUnicode,
+  instructionMimicry,
+  markdownTricks,
+  canaryMatch,
+  hasHighSeverity,
+  gradeFromCategories,
+  assembleBundle,
+  runLitmus
+};