@polygraphso/litmus 0.5.0 → 0.6.0

package/dist/{chunk-HVBVNMLR.js → chunk-6OTL43QM.js}

@@ -44,7 +44,7 @@ async function runLitmusCli(args) {
     );
     return 2;
   }
-  const { runLitmus } = await import("./src-E5F7GEFI.js");
+  const { runLitmus } = await import("./src-AKEARKCO.js");
   const input = resolveTarget(target);
   try {
     const bundle = await runLitmus(input, { headers, allowStateChanging });

package/dist/{chunk-FMJZCIT3.js → chunk-QWXX34ZJ.js}

@@ -1,9 +1,9 @@
 import {
   resolveTarget
-} from "./chunk-HVBVNMLR.js";
+} from "./chunk-6OTL43QM.js";
 import {
   runLitmus
-} from "./chunk-7PIRSQJR.js";
+} from "./chunk-SVFIME2A.js";
 import {
   CATEGORY_STATUS_UINT8,
   METHODOLOGY_VERSION

package/dist/{chunk-7PIRSQJR.js → chunk-SVFIME2A.js}

@@ -1218,45 +1218,6 @@ function egressTargetArgs(opts) {
     opts.entry
   ];
 }
-function egressSleeperArgs(opts) {
-  const runtimeFlags = opts.runtime ? ["--runtime", opts.runtime] : [];
-  return [
-    "run",
-    "-d",
-    "--name",
-    opts.targetName,
-    "--network",
-    opts.net,
-    "--dns",
-    opts.sinkIp,
-    "-v",
-    `${opts.vol}:/stage:ro`,
-    "--user",
-    "node",
-    "--read-only",
-    "--tmpfs",
-    "/tmp:rw,size=64m,mode=1777",
-    "--cap-drop=ALL",
-    "--sysctl",
-    "net.ipv6.conf.all.disable_ipv6=1",
-    "--sysctl",
-    "net.ipv6.conf.default.disable_ipv6=1",
-    "--cpus",
-    "1",
-    "--security-opt",
-    "no-new-privileges",
-    "--pids-limit",
-    "256",
-    "--memory",
-    "512m",
-    ...opts.label,
-    ...runtimeFlags,
-    "--entrypoint",
-    "sleep",
-    IMAGE_TAG3,
-    "3600"
-  ];
-}
 async function runEgressProbe(ref, opts) {
   let parsed;
   try {
@@ -1319,8 +1280,12 @@ async function runGatewayCapture(common) {
   const net = `pg-egw-${randomUUID4().slice(0, 8)}`;
   const sink = `pg-sink-${randomUUID4().slice(0, 8)}`;
   const targetName = `pg-target-${randomUUID4().slice(0, 8)}`;
+  let rules = null;
   try {
     await docker(["network", "create", "-o", "com.docker.network.bridge.enable_ip_masquerade=false", ...common.label, net]);
+    const netId = (await docker(["network", "inspect", "-f", "{{.Id}}", net])).trim();
+    const bridge = `br-${netId.slice(0, 12)}`;
+    const subnet = (await docker(["network", "inspect", "-f", "{{(index .IPAM.Config 0).Subnet}}", net])).trim();
     await docker([
       "run",
       "-d",
@@ -1341,26 +1306,23 @@ async function runGatewayCapture(common) {
       IMAGE_TAG3
     ]);
     const sinkIp = (await docker(["inspect", "-f", `{{(index .NetworkSettings.Networks "${net}").IPAddress}}`, sink])).trim();
-    if (!sinkIp) return null;
-    await docker(
-      egressSleeperArgs({ targetName, net, sinkIp, vol: common.vol, label: common.label, ...common.runtime ? { runtime: common.runtime } : {} })
-    );
-    if (!await applyAndVerifySinkRoute(targetName, sinkIp, common.runtime, common.label)) {
-      return null;
-    }
-    const execArgs = [
-      "exec",
-      "-i",
-      "--user",
-      "node",
-      ...Object.entries(common.canaryEnv).flatMap(([k, v]) => ["-e", `${k}=${v}`]),
+    if (!sinkIp || !bridge || !subnet) return null;
+    const scope = { bridge, subnet, sinkIp };
+    if (!await applyHostDnat(scope, common.label)) return null;
+    rules = scope;
+    const targetArgs = egressTargetArgs({
       targetName,
-      "node",
-      common.entry
-    ];
+      net,
+      sinkIp,
+      vol: common.vol,
+      entry: common.entry,
+      canaryEnv: common.canaryEnv,
+      label: common.label,
+      ...common.runtime ? { runtime: common.runtime } : {}
+    });
     let conn;
     try {
-      conn = await connectTarget({ command: "docker", args: execArgs, serverRef: `npm/${common.pkgSpec}` });
+      conn = await connectTarget({ command: "docker", args: targetArgs, serverRef: `npm/${common.pkgSpec}` });
     } catch {
       return null;
     }
@@ -1370,12 +1332,51 @@ async function runGatewayCapture(common) {
   } finally {
     await docker(["rm", "-f", targetName]).catch(() => {
     });
+    if (rules) await removeHostDnat(rules, common.label).catch(() => {
+    });
     await docker(["rm", "-f", sink]).catch(() => {
     });
     await docker(["network", "rm", net]).catch(() => {
     });
   }
 }
+function hostDnatCommands(op, s) {
+  const at = op === "I" ? "-I" : "-D";
+  const pos = op === "I" ? " 1" : "";
+  return [
+    `iptables -t nat ${at} PREROUTING${pos} -i ${s.bridge} -p tcp ! -d ${s.subnet} -j DNAT --to-destination ${s.sinkIp}:8443`,
+    `iptables -t nat ${at} POSTROUTING${pos} -o ${s.bridge} -p tcp -d ${s.sinkIp} --dport 8443 -j MASQUERADE`,
+    `iptables ${at} FORWARD${pos} -i ${s.bridge} -o ${s.bridge} -j ACCEPT`
+  ];
+}
+function hostDnatHelperArgs(op, s, label) {
+  return [
+    "run",
+    "--rm",
+    "--network",
+    "host",
+    "--cap-add=NET_ADMIN",
+    "--cap-drop=ALL",
+    ...label,
+    "--entrypoint",
+    "sh",
+    IMAGE_TAG3,
+    "-c",
+    hostDnatCommands(op, s).join("; ")
+  ];
+}
+async function applyHostDnat(s, label) {
+  try {
+    await docker(hostDnatHelperArgs("I", s, label));
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function removeHostDnat(s, label) {
+  await docker(hostDnatHelperArgs("D", s, label)).catch(() => {
+  });
+}
 async function runInternalCapture(common) {
   const net = `pg-egress-${randomUUID4().slice(0, 8)}`;
   const sink = `pg-sink-${randomUUID4().slice(0, 8)}`;
@@ -1421,47 +1422,6 @@ async function runInternalCapture(common) {
     });
   }
 }
-function egressDelay(ms) {
-  return new Promise((resolve) => {
-    const t = setTimeout(resolve, ms);
-    t.unref?.();
-  });
-}
-async function waitForContainerRunning(name, timeoutMs) {
-  const deadline = Date.now() + timeoutMs;
-  while (Date.now() < deadline) {
-    const state = (await docker(["inspect", "-f", "{{.State.Running}}", name]).catch(() => "")).trim();
-    if (state === "true") return true;
-    await egressDelay(100);
-  }
-  return false;
-}
-async function applyAndVerifySinkRoute(targetName, sinkIp, runtime, label) {
-  if (!await waitForContainerRunning(targetName, 15e3)) return false;
-  const runtimeFlags = runtime ? ["--runtime", runtime] : [];
-  await docker([
-    "run",
-    "--rm",
-    "--network",
-    `container:${targetName}`,
-    "--cap-add=NET_ADMIN",
-    ...runtimeFlags,
-    ...label,
-    "--entrypoint",
-    "sh",
-    IMAGE_TAG3,
-    "-c",
-    `ip route del default 2>/dev/null; ip route add default via ${sinkIp}`
-  ]).catch(() => {
-  });
-  const wanted = `default via ${sinkIp} `;
-  for (let i = 0; i < 20; i++) {
-    const routes = await docker(["exec", targetName, "ip", "route"]).catch(() => "");
-    if (routes.split("\n").some((l) => (l + " ").startsWith(wanted))) return true;
-    await egressDelay(100);
-  }
-  return false;
-}
 
 // ../probes/src/probes/egress-allowlist.ts
 var DEFAULT_EGRESS_BASELINE = [];

package/dist/cli.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   runLitmusCli
-} from "./chunk-HVBVNMLR.js";
+} from "./chunk-6OTL43QM.js";
 import {
   parseServerRef,
   serverKey

package/dist/docker/sinkhole.mjs

@@ -6,16 +6,16 @@
  * (any port) to our listener, where we log `{host, port, firstBytes}` and drop
  * the connection — never completing it. One `EGRESS {json}` line per attempt.
  *
- * CAPTURE MODES (egress-runner.ts): in litmus-v4 GATEWAY mode (default) the sink
- * is the target's default route on a regular bridge (host masquerade off), so the
- * iptables REDIRECT funnels EVERY outbound TCP — including a hard-coded IP literal
- * or DoH/DoT to a fixed resolver — to this listener, regardless of DNS. The legacy
- * `--internal` FALLBACK (when the default-route swap can't be applied, e.g. gVisor)
- * is DNS-ROUTED only: an IP-literal connection issues no sinkholed lookup and is
- * dropped at routing, so C-02 reads a false "no egress" pass there — the real data
- * still never leaves the box (`--internal` blocks all egress). Residual either way:
- * non-TCP egress (UDP/QUIC) is not captured by the TCP listener. See
- * docs/litmus-test-v1.md §7.
+ * CAPTURE MODES (egress-runner.ts): in litmus-v4 GATEWAY mode (default) a HOST
+ * iptables DNAT redirects the target's off-subnet egress to this sink — capturing
+ * EVERY outbound TCP, including a hard-coded IP literal or DoH/DoT to a fixed
+ * resolver, regardless of DNS. Because it intercepts below the container runtime it
+ * works identically under runc and gVisor. The legacy `--internal` FALLBACK (when
+ * the host rules can't be applied) is DNS-ROUTED only: an IP-literal connection
+ * issues no sinkholed lookup and is dropped at routing, so C-02 reads a false "no
+ * egress" pass there — the real data still never leaves the box (`--internal` blocks
+ * all egress). Residual either way: non-TCP egress (UDP/QUIC) is not captured by the
+ * TCP listener. See docs/litmus-test-v1.md §7.
  */
 
 import dgram from "node:dgram";

package/dist/index.js

@@ -14,11 +14,11 @@ import {
   rpcUrl,
   runLitmusInputShape,
   selectedNetwork
-} from "./chunk-FMJZCIT3.js";
+} from "./chunk-QWXX34ZJ.js";
 import {
   parseAuthFlags,
   resolveTarget
-} from "./chunk-HVBVNMLR.js";
+} from "./chunk-6OTL43QM.js";
 import {
   assembleBundle,
   canaryMatch,
@@ -33,7 +33,7 @@ import {
   markdownTricks,
   runLitmus,
   stateChangingToolNames
-} from "./chunk-7PIRSQJR.js";
+} from "./chunk-SVFIME2A.js";
 import {
   BUNDLE_SCHEMA_VERSION,
   CATEGORY_STATUS_UINT8,

package/dist/mcp.js

@@ -7,9 +7,9 @@ import {
   readAttestation,
   runLitmusInputShape,
   selectedNetwork
-} from "./chunk-FMJZCIT3.js";
-import "./chunk-HVBVNMLR.js";
-import "./chunk-7PIRSQJR.js";
+} from "./chunk-QWXX34ZJ.js";
+import "./chunk-6OTL43QM.js";
+import "./chunk-SVFIME2A.js";
 import {
   parseServerRef,
   serverKey

package/dist/{src-E5F7GEFI.js → src-AKEARKCO.js}

@@ -12,7 +12,7 @@ import {
   markdownTricks,
   runLitmus,
   stateChangingToolNames
-} from "./chunk-7PIRSQJR.js";
+} from "./chunk-SVFIME2A.js";
 import "./chunk-D5MOKALT.js";
 export {
   assembleBundle,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@polygraphso/litmus",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "description": "Behavioral litmus harness for MCP servers — grade a server A–F (tool-output injection, egress, sensitive-data, adversarial-input) with reproducible, content-addressed evidence. Ships a CLI and an MCP server with a run_litmus tool for AI agents.",
   "license": "Apache-2.0",
   "homepage": "https://polygraph.so",
@@ -63,8 +63,8 @@
     "typescript": "^5.9.3",
     "vitest": "^2.1.0",
     "@polygraph/core": "0.0.0",
-    "@polygraph/onchain": "0.0.0",
     "@polygraph/probes": "0.0.0",
+    "@polygraph/onchain": "0.0.0",
     "@polygraph/agent": "0.0.0",
     "@polygraph/mcp": "0.0.0",
     "@polygraph/cli": "0.0.0"