@polygraphso/litmus 0.8.0 → 0.9.0

package/dist/chunk-AVF3GYCS.js

@@ -0,0 +1,692 @@
+import {
+  parseAuthFlags,
+  resolveTarget
+} from "./chunk-M5HXKZVN.js";
+import {
+  SKILL_METHODOLOGY_VERSION,
+  runLitmus,
+  runSkillLitmus,
+  runSkillQuality,
+  runSkillQualityJudged
+} from "./chunk-DN2OX4RT.js";
+import {
+  CATEGORY_STATUS_UINT8,
+  METHODOLOGY_VERSION,
+  parseServerRef,
+  parseSkillRef,
+  serverKey,
+  skillKey
+} from "./chunk-44R4ZYOE.js";
+
+// ../onchain/src/networks.ts
+var NETWORKS = {
+  "base-sepolia": {
+    chainId: 84532,
+    rpc: "https://sepolia.base.org",
+    eas: "0x4200000000000000000000000000000000000021",
+    schemaRegistry: "0x4200000000000000000000000000000000000020",
+    easscan: "https://base-sepolia.easscan.org"
+  },
+  base: {
+    chainId: 8453,
+    rpc: "https://mainnet.base.org",
+    eas: "0x4200000000000000000000000000000000000021",
+    schemaRegistry: "0x4200000000000000000000000000000000000020",
+    easscan: "https://base.easscan.org"
+  }
+};
+function selectedNetwork() {
+  return process.env.NEXT_PUBLIC_POLYGRAPH_NETWORK === "base" ? "base" : "base-sepolia";
+}
+function networkConfig(net = selectedNetwork()) {
+  return NETWORKS[net];
+}
+function rpcUrl(net = selectedNetwork()) {
+  const override = net === "base" ? process.env.BASE_MAINNET_RPC_URL : process.env.BASE_SEPOLIA_RPC_URL;
+  return override && override.length > 0 ? override : NETWORKS[net].rpc;
+}
+
+// ../onchain/src/eas.ts
+import { AbiCoder } from "ethers";
+var LITMUS_SCHEMA = "string serverRef,bytes32 toolDefsFingerprint,uint8 gradeC01,uint8 gradeC02,uint8 gradeC03,string overallGrade,string reportCID,string methodologyVersion,uint64 ranAt,string resolvedVersion";
+var LITMUS_ABI_TYPES = [
+  "string",
+  // serverRef
+  "bytes32",
+  // toolDefsFingerprint
+  "uint8",
+  // gradeC01
+  "uint8",
+  // gradeC02
+  "uint8",
+  // gradeC03
+  "string",
+  // overallGrade
+  "string",
+  // reportCID
+  "string",
+  // methodologyVersion
+  "uint64",
+  // ranAt
+  "string"
+  // resolvedVersion
+];
+var LITMUS_ABI_NAMES = [
+  "serverRef",
+  "toolDefsFingerprint",
+  "gradeC01",
+  "gradeC02",
+  "gradeC03",
+  "overallGrade",
+  "reportCID",
+  "methodologyVersion",
+  "ranAt",
+  "resolvedVersion"
+];
+function categoryUint8(bundle, code) {
+  const status = bundle.categories.find((c) => c.code === code)?.status;
+  return status ? CATEGORY_STATUS_UINT8[status] : CATEGORY_STATUS_UINT8.skipped;
+}
+function litmusFields(bundle, reportCID) {
+  return {
+    serverRef: bundle.serverRef,
+    toolDefsFingerprint: bundle.toolDefsFingerprint,
+    gradeC01: categoryUint8(bundle, "C-01"),
+    gradeC02: categoryUint8(bundle, "C-02"),
+    gradeC03: categoryUint8(bundle, "C-03"),
+    overallGrade: bundle.grade,
+    reportCID,
+    methodologyVersion: bundle.methodologyVersion || METHODOLOGY_VERSION,
+    ranAt: BigInt(Math.floor(Date.parse(bundle.ranAt) / 1e3)),
+    resolvedVersion: bundle.resolvedVersion ?? ""
+  };
+}
+function encodeLitmusAttestation(bundle, reportCID) {
+  const f = litmusFields(bundle, reportCID);
+  return AbiCoder.defaultAbiCoder().encode(
+    [...LITMUS_ABI_TYPES],
+    [
+      f.serverRef,
+      f.toolDefsFingerprint,
+      f.gradeC01,
+      f.gradeC02,
+      f.gradeC03,
+      f.overallGrade,
+      f.reportCID,
+      f.methodologyVersion,
+      f.ranAt,
+      f.resolvedVersion
+    ]
+  );
+}
+function decodeLitmusAttestation(encoded) {
+  const values = AbiCoder.defaultAbiCoder().decode([...LITMUS_ABI_TYPES], encoded);
+  const out = {};
+  LITMUS_ABI_NAMES.forEach((name, i) => {
+    out[name] = values[i];
+  });
+  return out;
+}
+
+// ../onchain/src/eas-skill.ts
+import { AbiCoder as AbiCoder2 } from "ethers";
+var LITMUS_SKILL_SCHEMA = "string skillRef,bytes32 contentHash,uint8 gradeS01,uint8 gradeS03,uint8 gradeS04,string overallGrade,string reportCID,string methodologyVersion,uint64 ranAt,string resolvedRef";
+var SKILL_ABI_TYPES = [
+  "string",
+  // skillRef
+  "bytes32",
+  // contentHash
+  "uint8",
+  // gradeS01
+  "uint8",
+  // gradeS03
+  "uint8",
+  // gradeS04
+  "string",
+  // overallGrade
+  "string",
+  // reportCID
+  "string",
+  // methodologyVersion
+  "uint64",
+  // ranAt
+  "string"
+  // resolvedRef
+];
+var SKILL_ABI_NAMES = [
+  "skillRef",
+  "contentHash",
+  "gradeS01",
+  "gradeS03",
+  "gradeS04",
+  "overallGrade",
+  "reportCID",
+  "methodologyVersion",
+  "ranAt",
+  "resolvedRef"
+];
+function categoryUint82(g, code) {
+  const status = g.categories.find((c) => c.code === code)?.status;
+  return status ? CATEGORY_STATUS_UINT8[status] : CATEGORY_STATUS_UINT8.skipped;
+}
+function skillAttestationFields(g, reportCID, resolvedRef) {
+  return {
+    skillRef: g.skillRef,
+    contentHash: g.contentHash,
+    gradeS01: categoryUint82(g, "S-01"),
+    gradeS03: categoryUint82(g, "S-03"),
+    gradeS04: categoryUint82(g, "S-04"),
+    overallGrade: g.grade,
+    reportCID,
+    methodologyVersion: g.methodologyVersion,
+    ranAt: BigInt(Math.floor(Date.parse(g.ranAt) / 1e3)),
+    resolvedRef: resolvedRef ?? ""
+  };
+}
+function encodeSkillAttestationFields(f) {
+  return AbiCoder2.defaultAbiCoder().encode(
+    [...SKILL_ABI_TYPES],
+    [
+      f.skillRef,
+      f.contentHash,
+      f.gradeS01,
+      f.gradeS03,
+      f.gradeS04,
+      f.overallGrade,
+      f.reportCID,
+      f.methodologyVersion,
+      f.ranAt,
+      f.resolvedRef
+    ]
+  );
+}
+function encodeSkillAttestation(g, reportCID, resolvedRef) {
+  return encodeSkillAttestationFields(skillAttestationFields(g, reportCID, resolvedRef));
+}
+function decodeSkillAttestation(encoded) {
+  const values = AbiCoder2.defaultAbiCoder().decode([...SKILL_ABI_TYPES], encoded);
+  const out = {};
+  SKILL_ABI_NAMES.forEach((name, i) => {
+    out[name] = values[i];
+  });
+  return out;
+}
+
+// ../onchain/src/read.ts
+import { Contract, JsonRpcProvider, ZeroHash } from "ethers";
+var EAS_ABI = [
+  "function getAttestation(bytes32 uid) view returns ((bytes32 uid, bytes32 schema, uint64 time, uint64 expirationTime, uint64 revocationTime, bytes32 refUID, address recipient, address attester, bool revocable, bytes data))"
+];
+function litmusSchemaUID() {
+  const uid = process.env.NEXT_PUBLIC_EAS_SCHEMA_UID;
+  if (!uid) throw new Error("NEXT_PUBLIC_EAS_SCHEMA_UID is required \u2014 register the schema first.");
+  return uid;
+}
+async function readAttestation(uid) {
+  const cfg = networkConfig();
+  const provider = new JsonRpcProvider(rpcUrl(), cfg.chainId);
+  const eas = new Contract(cfg.eas, EAS_ABI, provider);
+  const att = await eas.getAttestation(uid);
+  if (!att || att.uid === ZeroHash) return null;
+  if (String(att.schema).toLowerCase() !== litmusSchemaUID().toLowerCase()) return null;
+  const d = decodeLitmusAttestation(att.data);
+  return {
+    uid: att.uid,
+    serverRef: String(d.serverRef),
+    toolDefsFingerprint: String(d.toolDefsFingerprint),
+    overallGrade: String(d.overallGrade),
+    reportCID: String(d.reportCID),
+    resolvedVersion: d.resolvedVersion || null,
+    revoked: att.revocationTime > 0n,
+    attester: String(att.attester),
+    expirationTime: BigInt(att.expirationTime ?? 0n)
+  };
+}
+
+// ../onchain/src/read-skill.ts
+import { Contract as Contract2, JsonRpcProvider as JsonRpcProvider2, ZeroHash as ZeroHash2 } from "ethers";
+var EAS_ABI2 = [
+  "function getAttestation(bytes32 uid) view returns ((bytes32 uid, bytes32 schema, uint64 time, uint64 expirationTime, uint64 revocationTime, bytes32 refUID, address recipient, address attester, bool revocable, bytes data))"
+];
+function skillSchemaUID() {
+  const uid = process.env.NEXT_PUBLIC_EAS_SKILL_SCHEMA_UID;
+  if (!uid) throw new Error("NEXT_PUBLIC_EAS_SKILL_SCHEMA_UID is required \u2014 register the skill schema first.");
+  return uid;
+}
+async function readSkillAttestation(uid) {
+  const cfg = networkConfig();
+  const provider = new JsonRpcProvider2(rpcUrl(), cfg.chainId);
+  const eas = new Contract2(cfg.eas, EAS_ABI2, provider);
+  const att = await eas.getAttestation(uid);
+  if (!att || att.uid === ZeroHash2) return null;
+  if (String(att.schema).toLowerCase() !== skillSchemaUID().toLowerCase()) return null;
+  const d = decodeSkillAttestation(att.data);
+  return {
+    uid: att.uid,
+    skillRef: String(d.skillRef),
+    contentHash: String(d.contentHash),
+    overallGrade: String(d.overallGrade),
+    reportCID: String(d.reportCID),
+    resolvedRef: d.resolvedRef || null,
+    revoked: att.revocationTime > 0n,
+    attester: String(att.attester),
+    expirationTime: BigInt(att.expirationTime ?? 0n)
+  };
+}
+
+// src/tools/run-litmus.ts
+import { z } from "zod";
+var RUN_LITMUS_TOOL_NAME = "run_litmus";
+var RUN_LITMUS_TOOL_TITLE = "Run a behavioral litmus on an MCP server";
+var RUN_LITMUS_TOOL_DESCRIPTION = [
+  `Grade an MCP server A\u2013F against the open behavioral litmus (${METHODOLOGY_VERSION}).`,
+  "The harness connects the way an agent would, fingerprints the tool surface, and",
+  "runs four checks: C-01 tool-output injection, C-02 permission/egress overreach",
+  "(egress in a hardened default-deny Docker sandbox, plus a declared-permission",
+  "honesty check), C-03 sensitive-data handling (planted canaries), and C-04",
+  "adversarial-input handling (malformed/oversized and jailbreak inputs).",
+  "",
+  "This is ACTIVE: it launches the target server's code to exercise it (egress-",
+  "sandboxed when Docker is available) and takes ~20\u201360s. It is not a lookup \u2014 for",
+  "a server's already-published grade, use `verify_attestation`. No wallet or RPC",
+  "needed.",
+  "",
+  "server_ref examples: npm/@modelcontextprotocol/server-filesystem \xB7",
+  "https://example.com/mcp \xB7 ./build/index.js. For a token-gated https:// target,",
+  "pass `bearer`. If Docker is unavailable, C-02 is skipped and the grade is capped",
+  "at B for that run."
+].join("\n");
+var runLitmusInputShape = {
+  server_ref: z.string().min(1).max(512).describe("What to grade: a registry ref (npm/@scope/server), an https:// MCP URL, or a local path to an MCP entry file."),
+  bearer: z.string().min(1).max(8192).optional().describe("Bearer token for a token-gated https:// MCP server. Sent as `Authorization: Bearer <token>` to the target origin only. Ignored for stdio/local targets."),
+  header: z.array(z.string()).max(20).optional().describe('Extra HTTP headers for a gated https:// target, each "Key: Value" (e.g. "X-Api-Key: \u2026"). Overrides the bearer-derived Authorization for the same key. Ignored for stdio/local targets.')
+};
+var PROGRESS_TOTAL = 5;
+async function handleRunLitmus({ server_ref, bearer, header }, extra) {
+  try {
+    const argv = [
+      ...bearer ? ["--bearer", bearer] : [],
+      ...(header ?? []).flatMap((h) => ["--header", h])
+    ];
+    const { headers } = parseAuthFlags(argv, {});
+    const progressToken = extra._meta?.progressToken;
+    const sendProgress = progressToken !== void 0 ? (progress, message) => void extra.sendNotification({
+      method: "notifications/progress",
+      params: { progressToken, progress, total: PROGRESS_TOTAL, message }
+    }) : void 0;
+    sendProgress?.(0, `Connecting to ${server_ref}\u2026`);
+    const bundle = await runLitmus(resolveTarget(server_ref), {
+      ...Object.keys(headers).length ? { headers } : {},
+      ...sendProgress ? { onProgress: (done, _total, label) => sendProgress(done, label) } : {}
+    });
+    const payload = summarize(bundle);
+    return { content: [{ type: "text", text: JSON.stringify(payload, null, 2) }] };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { isError: true, content: [{ type: "text", text: `run_litmus failed: ${message}` }] };
+  }
+}
+var CATEGORY_LABEL = {
+  "C-01": "tool-output injection",
+  "C-02": "permission / egress overreach",
+  "C-03": "sensitive-data handling",
+  "C-04": "adversarial-input handling"
+};
+function summarize(b) {
+  const find = (code) => b.categories.find((c) => c.code === code);
+  const categories = ["C-01", "C-02", "C-03", "C-04"].map((code) => {
+    const c = find(code);
+    const findings = c?.status === "fail" ? c.probes.flatMap((p) => p.findings).filter((f) => f.severity === "high").slice(0, 5).map((f) => ({ tool: f.tool, kind: f.kind, match: truncate(f.match, 120), host: f.host, port: f.port })) : [];
+    return { code, check: CATEGORY_LABEL[code], status: c?.status ?? "unknown", reason: c?.reason ?? null, findings };
+  });
+  return {
+    grade: b.grade,
+    summary: b.gradeRationale,
+    serverRef: b.serverRef,
+    resolvedVersion: b.resolvedVersion,
+    fingerprint: b.toolDefsFingerprint,
+    ranAt: b.ranAt,
+    methodologyVersion: b.methodologyVersion,
+    categories
+  };
+}
+function truncate(s, n) {
+  return s.length > n ? `${s.slice(0, n)}\u2026` : s;
+}
+
+// src/tools/run-skill-litmus.ts
+import { z as z2 } from "zod";
+import { statSync } from "fs";
+var RUN_SKILL_LITMUS_TOOL_NAME = "run_skill_litmus";
+var RUN_SKILL_LITMUS_TOOL_TITLE = "Run a safety litmus on a Claude Code skill";
+var RUN_SKILL_LITMUS_TOOL_DESCRIPTION = [
+  `Grade a Claude Code / Agent Skill A/B/D/F against the open static safety litmus (${SKILL_METHODOLOGY_VERSION}).`,
+  "A skill is a SKILL.md (instructions + frontmatter) plus an optional bundle. The",
+  "litmus scans the bytes for S-01 prompt-injection / context-poisoning in the body,",
+  "S-03 data-exfiltration instructions, and S-04 dangerous commands in bundled",
+  "executable scripts. It content-hashes the whole directory (the anti-tamper anchor).",
+  "",
+  "The SAFETY letter is a STATIC read: it does NOT execute the skill or its scripts",
+  "and is fast \u2014 therefore NOT behavioral proof. An A means the static checks found no",
+  "injection, exfil instruction, or dangerous bundled command, not that the skill is",
+  "safe to run unsupervised. A command a skill constructs or fetches at runtime is not",
+  "visible to static scanning (a disclosed limit).",
+  "",
+  "It also returns a SEPARATE, advisory `quality` signal (well-formed / issues /",
+  "malformed) \u2014 never an A\u2013F letter, never minted, never affecting the safety letter.",
+  "Its deterministic checks always run; its optional LLM-judged axes (honesty,",
+  "coherence) run only when a judge is available \u2014 the host agent's own model via MCP",
+  "sampling (no key), or a user-provided OpenAI-compatible key \u2014 and are skipped",
+  "otherwise.",
+  "",
+  "skill_ref (v1): a LOCAL path to a skill directory containing SKILL.md, e.g.",
+  "./skills/my-skill. Remote refs (github/<owner>/<repo>#path, marketplace/<owner>/<name>)",
+  "are not yet supported."
+].join("\n");
+var runSkillLitmusInputShape = {
+  skill_ref: z2.string().min(1).max(1024).describe("Local path to a skill directory (must contain SKILL.md). Remote refs are not yet supported in this version.")
+};
+async function handleRunSkillLitmus({ skill_ref }, ctx = {}) {
+  try {
+    let st;
+    try {
+      st = statSync(skill_ref);
+    } catch {
+      return errorResult(`no such path: ${skill_ref} (v1 grades a local skill directory; remote refs are not yet supported)`);
+    }
+    if (!st.isDirectory()) {
+      return errorResult(`not a directory: ${skill_ref} (pass the skill folder that contains SKILL.md)`);
+    }
+    const safety = runSkillLitmus(skill_ref, { skillRef: skill_ref });
+    const quality = ctx.judge ? await runSkillQualityJudged(skill_ref, ctx.judge, { skillRef: skill_ref }) : runSkillQuality(skill_ref, { skillRef: skill_ref });
+    return { content: [{ type: "text", text: JSON.stringify({ safety: summarize2(safety), quality: summarizeQuality(quality) }, null, 2) }] };
+  } catch (err) {
+    return errorResult(err instanceof Error ? err.message : String(err));
+  }
+}
+function errorResult(message) {
+  return { isError: true, content: [{ type: "text", text: `run_skill_litmus failed: ${message}` }] };
+}
+var CATEGORY_LABEL2 = {
+  "S-01": "prompt injection / context poisoning",
+  "S-03": "data-exfiltration instructions",
+  "S-04": "dangerous bundled commands"
+};
+function summarize2(b) {
+  const categories = b.categories.map((c) => ({
+    code: c.code,
+    check: CATEGORY_LABEL2[c.code] ?? c.code,
+    status: c.status,
+    reason: c.reason ?? null,
+    findings: c.status === "fail" ? c.findings.filter((f) => f.severity === "high").slice(0, 5).map((f) => ({ kind: f.kind, match: truncate2(f.match, 120), file: f.file })) : []
+  }));
+  return {
+    grade: b.grade,
+    summary: b.gradeRationale,
+    skillRef: b.skillRef,
+    contentHash: b.contentHash,
+    ranAt: b.ranAt,
+    methodologyVersion: b.methodologyVersion,
+    categories,
+    advisories: b.advisories.slice(0, 10).map((f) => ({ kind: f.kind, severity: f.severity, match: truncate2(f.match, 120), file: f.file })),
+    disclaimer: b.disclaimer
+  };
+}
+function summarizeQuality(q) {
+  return {
+    qualityVersion: q.qualityVersion,
+    verdict: q.verdict,
+    // well-formed | issues | malformed — NOT an A–F letter
+    checks: q.checks.map((c) => ({ id: c.id, status: c.status, detail: c.detail })),
+    judged: q.judged ? { judge: q.judged.judge, samples: q.judged.samples, agreement: q.judged.agreement, axes: q.judged.axes } : null,
+    disclaimer: q.disclaimer
+  };
+}
+function truncate2(s, n) {
+  return s.length > n ? `${s.slice(0, n)}\u2026` : s;
+}
+
+// ../mcp/src/tools/verify-attestation.ts
+import { z as z3 } from "zod";
+function canonicalRef(ref) {
+  try {
+    return serverKey(parseServerRef(ref)).toLowerCase();
+  } catch {
+    return ref.trim().toLowerCase();
+  }
+}
+var VERIFY_TOOL_NAME = "verify_attestation";
+var VERIFY_TOOL_TITLE = "Verify a server's polygraph attestation";
+var VERIFY_TOOL_DESCRIPTION = [
+  "Read a server's already-published polygraph (litmus) grade \u2014 without running",
+  "anything \u2014 before an agent trusts or, in agentic commerce, pays it.",
+  "",
+  "When a grade is published it returns the behavioral grade (A\u2013F), the attestation",
+  "UID, the evidence CID, and the graded tool-surface fingerprint. The caller must",
+  "still recompute the LIVE fingerprint and require it to equal the attested one",
+  "before paying \u2014 a passing attestation can otherwise front for a tool surface the",
+  "server no longer serves (rug pull).",
+  "",
+  "Grade publishing is still rolling out, so this commonly returns not_available",
+  "today: that means UNEVALUATED (neither safe nor unsafe), not a failing grade \u2014 to",
+  "grade the server yourself right now, use `run_litmus`. A `lookup_failed` result",
+  "means the lookup itself failed (the index or chain was unreachable); the grade is",
+  "unknown, which is not the same as unevaluated.",
+  "",
+  "Input: server_ref \u2014 e.g. npm/@modelcontextprotocol/server-filesystem."
+].join("\n");
+var verifyInputShape = {
+  server_ref: z3.string().min(1).max(512).describe("Registry-prefixed server identifier, e.g. npm/@scope/server.")
+};
+async function handleVerify({ server_ref }) {
+  const found = await resolveUid(server_ref);
+  if (found.kind === "error") {
+    return {
+      isError: true,
+      content: [
+        {
+          type: "text",
+          text: `lookup_failed \u2014 could not reach the polygraph grade index for ${server_ref} (${found.detail}). The lookup itself failed, so the grade is unknown \u2014 retry or report it as unchecked, NOT as unevaluated.`
+        }
+      ]
+    };
+  }
+  let att = null;
+  if (found.kind === "found") {
+    try {
+      att = await readAttestation(found.uid);
+    } catch (err) {
+      return {
+        isError: true,
+        content: [
+          {
+            type: "text",
+            text: `lookup_failed \u2014 the onchain read failed for ${server_ref} (${err instanceof Error ? err.message : String(err)}). Treat as unchecked (the chain/RPC was unreachable), not as "no grade".`
+          }
+        ]
+      };
+    }
+  }
+  if (!att) {
+    return {
+      content: [
+        {
+          type: "text",
+          text: `not_available \u2014 no published polygraph grade for ${server_ref}. Grade publishing is still rolling out, so this is expected for most servers; it means unevaluated (neither safe nor unsafe), not a failing grade. To grade it now, use run_litmus.`
+        }
+      ]
+    };
+  }
+  if (canonicalRef(att.serverRef) !== canonicalRef(server_ref)) {
+    return {
+      content: [
+        {
+          type: "text",
+          text: `not_available \u2014 the resolved attestation is for ${att.serverRef}, not ${server_ref} (discovery mismatch; treat as unevaluated)`
+        }
+      ]
+    };
+  }
+  const payload = {
+    status: "attested",
+    grade: att.overallGrade,
+    attestationUid: att.uid,
+    serverRef: att.serverRef,
+    // The version the grade was run against (null for HTTP/unresolved targets).
+    // Advisory: the live fingerprint, not this string, is the trust anchor.
+    resolvedVersion: att.resolvedVersion,
+    reportCID: att.reportCID,
+    toolDefsFingerprint: att.toolDefsFingerprint,
+    revoked: att.revoked,
+    network: selectedNetwork(),
+    liveFingerprintCheckRequired: "Recompute the live tool-surface fingerprint and require it to equal toolDefsFingerprint before paying."
+  };
+  return { content: [{ type: "text", text: JSON.stringify(payload, null, 2) }] };
+}
+async function resolveUid(serverRef) {
+  const base = process.env.POLYGRAPH_API_URL ?? "https://polygraph.so";
+  try {
+    const res = await fetch(`${base}/api/attestations?ref=${encodeURIComponent(serverRef)}`);
+    if (res.status === 404) return { kind: "none" };
+    if (!res.ok) return { kind: "error", detail: `grade index returned HTTP ${res.status}` };
+    const row = await res.json();
+    return row?.attestation_uid ? { kind: "found", uid: row.attestation_uid } : { kind: "none" };
+  } catch (err) {
+    return { kind: "error", detail: err instanceof Error ? err.message : String(err) };
+  }
+}
+
+// ../mcp/src/tools/verify-skill-attestation.ts
+import { z as z4 } from "zod";
+function canonicalRef2(ref) {
+  try {
+    return skillKey(parseSkillRef(ref)).toLowerCase();
+  } catch {
+    return ref.trim().toLowerCase();
+  }
+}
+var VERIFY_SKILL_TOOL_NAME = "verify_skill_attestation";
+var VERIFY_SKILL_TOOL_TITLE = "Verify a skill's polygraph attestation";
+var VERIFY_SKILL_TOOL_DESCRIPTION = [
+  "Read a Claude Code / Agent Skill's already-published polygraph grade \u2014 without",
+  "running anything \u2014 before an agent installs or trusts it.",
+  "",
+  "When a grade is published it returns the letter (A/B/D/F), the attestation UID,",
+  "the evidence CID, and the attested contentHash. The caller MUST then recompute the",
+  "skill's content hash (sha256 over every file the SKILL.md can load, including",
+  "lazily-referenced files) and require it to equal contentHash before installing \u2014 a",
+  "passing attestation can otherwise front for different bytes (a swapped bundled",
+  "script). The ref/version is advisory; the contentHash is the trust anchor.",
+  "",
+  "Grade publishing for skills is rolling out, so this commonly returns not_available:",
+  "that means UNEVALUATED (neither safe nor unsafe), not a failing grade \u2014 to grade a",
+  "local skill yourself, use `run_skill_litmus`. A `lookup_failed` result means the",
+  "lookup itself failed (index/chain unreachable); the grade is unknown, not unevaluated.",
+  "",
+  "Input: skill_ref \u2014 e.g. github/<owner>/<repo>#<path> or marketplace/<owner>/<name>."
+].join("\n");
+var verifySkillInputShape = {
+  skill_ref: z4.string().min(1).max(1024).describe("Skill identifier, e.g. github/<owner>/<repo>#<path> or marketplace/<owner>/<name>.")
+};
+async function handleVerifySkill({ skill_ref }) {
+  const found = await resolveUid2(skill_ref);
+  if (found.kind === "error") {
+    return errorResult2(
+      `lookup_failed \u2014 could not reach the polygraph skill-grade index for ${skill_ref} (${found.detail}). The lookup itself failed, so the grade is unknown \u2014 retry or report it as unchecked, NOT as unevaluated.`
+    );
+  }
+  let att = null;
+  if (found.kind === "found") {
+    try {
+      att = await readSkillAttestation(found.uid);
+    } catch (err) {
+      return errorResult2(
+        `lookup_failed \u2014 the onchain read failed for ${skill_ref} (${err instanceof Error ? err.message : String(err)}). Treat as unchecked (the chain/RPC was unreachable), not as "no grade".`
+      );
+    }
+  }
+  if (!att) {
+    return text(
+      `not_available \u2014 no published polygraph grade for ${skill_ref}. Skill grade publishing is still rolling out, so this is expected; it means unevaluated (neither safe nor unsafe), not a failing grade. To grade a local skill now, use run_skill_litmus.`
+    );
+  }
+  if (canonicalRef2(att.skillRef) !== canonicalRef2(skill_ref)) {
+    return text(
+      `not_available \u2014 the resolved attestation is for ${att.skillRef}, not ${skill_ref} (discovery mismatch; treat as unevaluated).`
+    );
+  }
+  const payload = {
+    status: "attested",
+    grade: att.overallGrade,
+    attestationUid: att.uid,
+    skillRef: att.skillRef,
+    contentHash: att.contentHash,
+    resolvedRef: att.resolvedRef,
+    reportCID: att.reportCID,
+    revoked: att.revoked,
+    network: selectedNetwork(),
+    contentHashCheckRequired: "Recompute sha256 over every file the SKILL.md can load (including lazily-referenced files) and require it to equal contentHash before installing. The ref/version is advisory."
+  };
+  return { content: [{ type: "text", text: JSON.stringify(payload, null, 2) }] };
+}
+function text(t) {
+  return { content: [{ type: "text", text: t }] };
+}
+function errorResult2(t) {
+  return { isError: true, content: [{ type: "text", text: t }] };
+}
+async function resolveUid2(skillRef) {
+  const base = process.env.POLYGRAPH_API_URL ?? "https://polygraph.so";
+  try {
+    const res = await fetch(`${base}/api/skill-attestations?ref=${encodeURIComponent(skillRef)}`);
+    if (res.status === 404) return { kind: "none" };
+    if (!res.ok) return { kind: "error", detail: `grade index returned HTTP ${res.status}` };
+    const row = await res.json();
+    return row?.attestation_uid ? { kind: "found", uid: row.attestation_uid } : { kind: "none" };
+  } catch (err) {
+    return { kind: "error", detail: err instanceof Error ? err.message : String(err) };
+  }
+}
+
+// ../mcp/src/index.ts
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+
+export {
+  NETWORKS,
+  selectedNetwork,
+  networkConfig,
+  rpcUrl,
+  LITMUS_SCHEMA,
+  litmusFields,
+  encodeLitmusAttestation,
+  decodeLitmusAttestation,
+  LITMUS_SKILL_SCHEMA,
+  skillAttestationFields,
+  encodeSkillAttestationFields,
+  encodeSkillAttestation,
+  decodeSkillAttestation,
+  litmusSchemaUID,
+  readAttestation,
+  skillSchemaUID,
+  readSkillAttestation,
+  RUN_LITMUS_TOOL_NAME,
+  RUN_LITMUS_TOOL_TITLE,
+  RUN_LITMUS_TOOL_DESCRIPTION,
+  runLitmusInputShape,
+  handleRunLitmus,
+  RUN_SKILL_LITMUS_TOOL_NAME,
+  RUN_SKILL_LITMUS_TOOL_TITLE,
+  RUN_SKILL_LITMUS_TOOL_DESCRIPTION,
+  runSkillLitmusInputShape,
+  handleRunSkillLitmus,
+  VERIFY_TOOL_NAME,
+  VERIFY_TOOL_TITLE,
+  VERIFY_TOOL_DESCRIPTION,
+  verifyInputShape,
+  handleVerify,
+  VERIFY_SKILL_TOOL_NAME,
+  VERIFY_SKILL_TOOL_TITLE,
+  VERIFY_SKILL_TOOL_DESCRIPTION,
+  verifySkillInputShape,
+  handleVerifySkill
+};