npm - @polygraphso/litmus - Versions diffs - 0.8.0 → 0.9.0 - Mend

@polygraphso/litmus 0.8.0 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15)

package/README.md +71 -4
package/dist/{chunk-ZR6XRGMQ.js → chunk-44R4ZYOE.js} +67 -0
package/dist/chunk-AVF3GYCS.js +692 -0
package/dist/{chunk-35UOPCBW.js → chunk-DN2OX4RT.js} +456 -2
package/dist/{chunk-VOPISHBU.js → chunk-M5HXKZVN.js} +2 -2
package/dist/cli-skill.d.ts +1 -0
package/dist/cli-skill.js +98 -0
package/dist/cli.js +2 -2
package/dist/index.d.ts +441 -3
package/dist/index.js +86 -8
package/dist/mcp.js +130 -122
package/dist/src-TG44QXFV.js +67 -0
package/package.json +4 -4
package/dist/chunk-LBXHFQN3.js +0 -219
package/dist/src-RSTPCEYU.js +0 -31

package/dist/index.d.ts CHANGED

@@ -46,7 +46,7 @@ type LitmusGrade = "A" | "B" | "C" | "D" | "F";
 type Severity = "low" | "medium" | "high";
 /** uint8 encoding for per-category verdicts on the attestation (onchain-proof-spec §5). */
 declare const CATEGORY_STATUS_UINT8: Record<CategoryStatus, number>;
-type FindingKind = "invisible-unicode" | "instruction-mimicry" | "markdown-trick" | "canary" | "egress" | "egress-allowed" | "permission-mislabel" | "internals-leak" | "crash";
+type FindingKind = "invisible-unicode" | "instruction-mimicry" | "markdown-trick" | "canary" | "egress" | "egress-allowed" | "permission-mislabel" | "internals-leak" | "crash" | "exfil-instruction" | "dangerous-command" | "over-broad-trigger";
 interface Finding {
     kind: FindingKind;
     severity: Severity;
@@ -56,6 +56,8 @@ interface Finding {
     offset?: number;
     /** Offending tool name, when the finding is tied to one. */
     tool?: string;
+    /** Offending bundled file (relative path), for skill findings tied to a file. */
+    file?: string;
     host?: string;
     port?: number;
     firstBytes?: string;
@@ -162,6 +164,43 @@ declare function formatServerRef(parts: ParsedServerRef): string;
 /** Identity of a server without a version pin. */
 declare function serverKey(parts: Pick<ParsedServerRef, "registry" | "owner" | "name">): string;
+/**
+ * Skill-identity helpers for refs of the form `{source}/{owner}/{name}[#{path}][@{ref}]`.
+ *
+ * Deliberately a SEPARATE namespace from the server `Registry` (identity.ts): a
+ * skill grade must never be readable as a server grade, so `SkillSource` and
+ * `Registry` do not overlap and the skill attestation uses its own EAS schema UID.
+ *
+ * A skill is static content, so the trust anchor is a CONTENT HASH of the whole
+ * directory (load-skill.ts), and the `@{ref}` pin should be IMMUTABLE (a git commit
+ * sha or the contentHash itself), never a mutable tag — there is no live re-
+ * fingerprint to catch drift, so the pin is all that binds a grade to the bytes.
+ *
+ * Examples:
+ *   github/anthropic/skills#document-skills/pdf@a1b2c3d   (repo + subdir + commit)
+ *   marketplace/acme/format-markdown                      (a marketplace coordinate)
+ *   npm/@acme/skills#skills/tidy@1.4.0                     (a skill shipped in a pkg)
+ */
+type SkillSource = "github" | "marketplace" | "npm";
+interface ParsedSkillRef {
+    source: SkillSource;
+    /** Null for sources that don't namespace by owner (rare); usually present. */
+    owner: string | null;
+    name: string;
+    /** Subdirectory of the skill within the source (the SKILL.md folder), or null. */
+    path: string | null;
+    /** Immutable content pin (commit sha / contentHash). Mutable tags are discouraged. */
+    ref: string | null;
+}
+declare class SkillRefParseError extends Error {
+    constructor(ref: string, reason: string);
+}
+declare function parseSkillRef(ref: string): ParsedSkillRef;
+declare function formatSkillRef(p: ParsedSkillRef): string;
+/** Versionless identity of a skill (drops the `@ref` pin, keeps the `#path` — a
+ *  repo can hold many skills, so the path is part of the identity). */
+declare function skillKey(p: Pick<ParsedSkillRef, "source" | "owner" | "name" | "path">): string;
 /**
  * Deterministic JSON for content-addressing the evidence bundle
  * (onchain-proof-spec §2). Object keys are sorted lexicographically (recursively)
@@ -382,6 +421,261 @@ declare function canaryMatch(text: string, canaries: readonly string[]): Finding
 /** True if any finding is high-severity (the C-01 fail bar). */
 declare function hasHighSeverity(findings: readonly Finding[]): boolean;
+/**
+ * Skill grading rubric — a strict structural mirror of `grade.ts gradeFromCategories`,
+ * for skill categories (S-*). Fail-first, always with a rationale.
+ *
+ *   F — any S-01 (injection) or S-03 (exfil instruction) failure; disqualifying.
+ *   D — any S-04 (dangerous bundled command) or S-05 (tool/permission overreach)
+ *       failure, with no S-01/S-03 failure; capped.
+ *   A — all present categories pass.
+ *   B — S-01 & S-03 pass but a category was skipped (e.g. no bundle ⇒ S-04 skipped);
+ *       a skipped category never grants A.
+ *   F — fallthrough when S-01 did not complete (e.g. an unparseable SKILL.md):
+ *       ungraded == unsafe.
+ *
+ * STRICT ALPHABET: skills emit A/B/D/F only — never "C". The agent gate's
+ * `DEFAULT_PASSING` is {A,B,C} and the hosted store rejects "C" (publish-check.ts),
+ * so a stray "C" would silently become a transacting grade. A "works but smells"
+ * signal belongs in the separate, non-letter quality channel.
+ */
+type SkillCategoryCode = "S-01" | "S-03" | "S-04" | "S-05";
+interface SkillCategoryResult {
+    code: SkillCategoryCode;
+    status: CategoryStatus;
+    reason?: string | null;
+    findings: Finding[];
+}
+interface SkillGrade {
+    grade: LitmusGrade;
+    rationale: string;
+}
+declare function gradeSkillCategories(categories: readonly SkillCategoryResult[]): SkillGrade;
+/**
+ * Skill litmus harness — runs the deterministic static safety scan over a loaded
+ * skill and produces a content-addressed evidence bundle with an A/B/D/F letter.
+ *
+ * v1 (litmus-skill-v1) is STATIC ONLY: it scans the SKILL.md body + frontmatter
+ * (S-01 injection, S-03 exfil instructions) and the bundled executable files (S-04
+ * dangerous commands). It does NOT execute anything — bundled-script sandboxing and
+ * the agent-in-the-loop quality signal are out of scope here, by design. The
+ * disclaimer states the residual plainly: a static A is not behavioral proof.
+ */
+declare const SKILL_METHODOLOGY_VERSION: "litmus-skill-v1";
+declare const SKILL_BUNDLE_SCHEMA_VERSION: "0.1.0";
+interface SkillEvidenceBundle {
+    schemaVersion: string;
+    methodologyVersion: string;
+    /** Caller-supplied identity (defaults to the directory). */
+    skillRef: string;
+    /** `0x` + 64 hex sha256 over the skill's file tree (the rug-pull anchor). */
+    contentHash: string;
+    ranAt: string;
+    harness: {
+        package: string;
+        version: string;
+        node: string;
+    };
+    categories: SkillCategoryResult[];
+    /** Non-letter signals (over-broad trigger, MED-only dangerous commands): recorded,
+     *  never floor the grade. The semantic honesty/overreach checks (S-02/S-05) and the
+     *  quality signal also land here / in a separate artifact, never in `categories`. */
+    advisories: Finding[];
+    grade: LitmusGrade;
+    gradeRationale: string;
+    disclaimer: string;
+}
+interface RunSkillLitmusOptions {
+    skillRef?: string;
+    /** Injectable for deterministic bundles/tests; defaults to now. */
+    ranAt?: string;
+    harnessVersion?: string;
+}
+declare function runSkillLitmus(dir: string, opts?: RunSkillLitmusOptions): SkillEvidenceBundle;
+declare class SkillLoadError extends Error {
+}
+interface SkillFile {
+    /** NFC, forward-slash path relative to the skill dir. */
+    relPath: string;
+    bytes: Buffer;
+    /** A bundled executable (shebang or known interpreter extension) — the S-04 surface. */
+    isExecutable: boolean;
+}
+interface LoadedSkill {
+    dir: string;
+    /** Raw frontmatter text (between the leading `---` fences), "" if none. */
+    frontmatter: string;
+    /** Extracted `description` value, "" if absent. */
+    description: string;
+    /** Markdown body after the frontmatter. */
+    body: string;
+    /** Every file in the tree (including SKILL.md), sorted by relPath. */
+    files: SkillFile[];
+    /** `0x` + 64 hex sha256 over the canonical file-tree manifest. */
+    contentHash: string;
+}
+/** Load a skill from a directory. Throws SkillLoadError if there is no SKILL.md. */
+declare function loadSkill(dir: string): LoadedSkill;
+/**
+ * Skill safety scanners (S-01) — the deterministic, reuse-first core of the skill
+ * litmus. A skill's graded input is STATIC bytes (frontmatter + markdown body +
+ * bundled files), so these are pure functions over text, exactly like
+ * `probes/scanners.ts`. They are calibrated against a real skill corpus
+ * (`scripts/skill-fp-benchmark.ts`), not against tool docs.
+ *
+ * Recalibration (Phase 0 gate result, 110 real skills):
+ *  - Scan the EXAMPLE-STRIPPED body: fenced/inline code and blockquoted transcript
+ *    lines are where role tags / `system:` / tool-call JSON legitimately appear.
+ *  - The bare `system:` colon pattern from `instructionMimicry` is dropped for
+ *    skills: "design system:", "billing system:", "operating system:" are pervasive
+ *    in honest skill prose and were the ONLY false-fail in the corpus. The
+ *    angle-bracket role-tag pattern still covers the `<system>` injection shape, so
+ *    no real injection signal is lost. After this, the corpus false-fail rate is 0.
+ */
+/**
+ * The reference prose-segmentation for skills. Pinned as part of the skill
+ * methodology: "same bytes → same letter UNDER THIS PARSER". Strips fenced code
+ * (``` and ~~~), inline code spans, and blockquoted lines — the example/transcript
+ * surface — leaving the directive prose that an injection would have to live in to
+ * actually steer the agent.
+ */
+declare function stripExamples(md: string): string;
+/**
+ * S-01 — instruction-body injection / context-poisoning. Reuses the existing
+ * text scanners verbatim, over the example-stripped body, minus the over-broad
+ * bare-`system:` pattern. HIGH findings floor the letter to F (see grade-skill).
+ */
+declare function skillInjection(body: string): Finding[];
+/** True if S-01 should fail (any HIGH finding), the C-01-parity fail bar. */
+declare function skillInjectionFails(findings: readonly Finding[]): boolean;
+/**
+ * S-03 — an imperative instruction to exfiltrate secrets to a sink. Deliberately
+ * HIGH-PRECISION: a transmit verb, a credential/secret noun, AND a network sink
+ * must co-occur in ONE sentence. Prose that merely *mentions* credentials, or a
+ * security skill that *documents* an exfil attack across paragraphs, will not trip.
+ * The residual (an exfil instruction split across sentences, or constructed at
+ * agent runtime) is a disclosed limit — static prose scanning cannot resolve it.
+ */
+declare function exfilInstruction(text: string): Finding[];
+/**
+ * S-04 — dangerous commands in a bundled EXECUTABLE FILE. Scanning files (not body
+ * prose) collapses the "taught vs executed" ambiguity: a file with a shebang IS the
+ * executable. Obfuscated payloads (base64/hex blobs) are decoded and re-scanned so
+ * an encoded `curl … | sh` is still caught. HIGH findings floor the category to D.
+ */
+declare function dangerousCommand(text: string, file?: string): Finding[];
+/** Advisory: a frontmatter description/trigger that claims to fire on everything.
+ *  Pure-lexical, the only deterministic slice of honesty checking; recorded as an
+ *  advisory finding, NOT a failing category (see the plan: S-02/S-05 are advisory). */
+declare function overBroadTrigger(description: string): Finding[];
+/**
+ * Optional LLM-judged quality axes — the "is it honest / coherent" signal that
+ * static scanning provably cannot decide (this is the semantic S-02 we kept OUT of
+ * the deterministic letter). It is ADVISORY, NON-DETERMINISTIC, and provider-
+ * AGNOSTIC: it runs against any `Judge`, never floors the safety letter, and is
+ * never minted.
+ *
+ * Provider-agnostic by design:
+ *  - inside an agent, the host model judges via MCP sampling (no key — the adapter
+ *    lives in the litmus package, where the server connection is);
+ *  - standalone, the user brings their OWN key for any OpenAI-compatible endpoint
+ *    (OpenAI, OpenRouter, Groq, Google's compat layer, a local model, …);
+ *  - with neither, the judged axes are simply skipped — the litmus core needs no key.
+ *
+ * Repeatability is majority-over-k + a recorded judge id, not seeding (modern models
+ * don't expose a usable temperature). The agreement ratio is reported honestly.
+ */
+/** Provider-agnostic completion. Implementations: MCP sampling, OpenAI-compatible. */
+interface Judge {
+    /** Stable label recorded in the bundle (e.g. "mcp-sampling", "openai-compat:gpt-4o"). */
+    readonly id: string;
+    complete(system: string, user: string): Promise<string>;
+}
+interface OpenAICompatConfig {
+    baseUrl: string;
+    apiKey: string;
+    model: string;
+}
+/**
+ * A Judge over any OpenAI-compatible Chat Completions endpoint. Uses global fetch
+ * (Node ≥18) — no SDK dependency. Sends only model/messages/max_tokens for the
+ * widest provider compatibility (temperature is omitted; many models reject it and
+ * repeatability comes from majority-over-k anyway).
+ */
+declare function openAICompatJudge(cfg: OpenAICompatConfig): Judge;
+/** Build an OpenAI-compatible judge from env, or null if no key is configured.
+ *  LITMUS_LLM_API_KEY (+ LITMUS_LLM_MODEL; LITMUS_LLM_BASE_URL defaults to OpenAI). */
+declare function judgeFromEnv(env?: NodeJS.ProcessEnv): Judge | null;
+interface JudgeOptions {
+    /** Samples per run; majority-voted. Default 1 (host-agent sampling is not free). */
+    samples?: number;
+}
+/**
+ * Run the judged axes against a skill. Draws `samples` verdicts, majority-votes per
+ * axis, and reports the agreement ratio. Throws only if EVERY sample failed (no
+ * usable verdict) — callers treat that, and "no judge", as "judged axes not run".
+ */
+declare function judgeSkillQuality(loaded: LoadedSkill, judge: Judge, opts?: JudgeOptions): Promise<JudgedQuality>;
+declare const SKILL_QUALITY_VERSION: "skill-quality-v1";
+type QualityCheckStatus = "pass" | "warn" | "fail";
+/** Deliberately not A–F: a quality verdict must never read as a safety letter. */
+type QualityVerdict = "well-formed" | "issues" | "malformed";
+interface QualityCheck {
+    id: string;
+    status: QualityCheckStatus;
+    detail: string;
+}
+/** Optional, NON-DETERMINISTIC, opt-in LLM-judged axes (see quality-judge.ts).
+ *  Present only when a judge was available (host-agent sampling, or a user key). */
+interface JudgedQuality {
+    /** Judge identity: "mcp-sampling" (host agent), or "openai-compat:<model>". */
+    judge: string;
+    /** Number of samples drawn per axis (repeatability is majority-over-k, not seeding). */
+    samples: number;
+    /** Fraction of samples that agreed with the reported per-axis majority (0..1). */
+    agreement: number;
+    axes: {
+        axis: "honesty" | "coherence";
+        rating: "good" | "concern" | "bad";
+        rationale: string;
+    }[];
+    note: string;
+}
+interface QualityBundle {
+    qualityVersion: string;
+    /** Binds to the exact skill it evaluated; the SAME identity as the safety bundle… */
+    skillRef: string;
+    /** …but carried in a SEPARATE artifact — never inside the safety EvidenceBundle. */
+    contentHash: string;
+    ranAt: string;
+    verdict: QualityVerdict;
+    checks: QualityCheck[];
+    /** Non-deterministic LLM-judged axes, if a judge was available; else omitted. */
+    judged?: JudgedQuality;
+    disclaimer: string;
+}
+interface RunSkillQualityOptions {
+    skillRef?: string;
+    ranAt?: string;
+}
+declare function runSkillQuality(dir: string, opts?: RunSkillQualityOptions): QualityBundle;
+/**
+ * The deterministic quality bundle PLUS the optional LLM-judged axes. The judged
+ * axes are best-effort: if the judge is unavailable or every sample fails, they are
+ * omitted and the deterministic verdict is returned unchanged. The judged result
+ * NEVER changes `verdict` and never touches the safety letter.
+ */
+declare function runSkillQualityJudged(dir: string, judge: Judge, opts?: RunSkillQualityOptions & JudgeOptions): Promise<QualityBundle>;
 /**
  * Tool-safety classification (litmus-test-v1 §C-01/§C-03 safety note).
  *
@@ -489,12 +783,64 @@ declare function litmusFields(bundle: EvidenceBundle, reportCID: string): Litmus
 declare function encodeLitmusAttestation(bundle: EvidenceBundle, reportCID: string): string;
 declare function decodeLitmusAttestation(encoded: string): Record<string, unknown>;
+/**
+ * EAS attestation encoding for SKILL grades (litmus-skill-v1).
+ *
+ * A SEPARATE, flat schema with its OWN UID — not an extension of LITMUS_SCHEMA.
+ * read-skill.ts fail-closes any attestation not under this exact UID, so a skill
+ * grade can never be read as a server grade (and vice versa). Fields mirror the
+ * server schema but key on a static-content artifact: `skillRef` + `contentHash`
+ * (the whole-directory hash) replace serverRef + toolDefsFingerprint, and
+ * `resolvedRef` is the immutable content pin (commit sha / contentHash) the grade
+ * was run against.
+ *
+ * Like eas.ts, this is a FLAT schema (no tuples/arrays/bytes), so the EAS
+ * SchemaEncoder reduces to `AbiCoder.defaultAbiCoder().encode(types, values)`; we
+ * encode directly with ethers and pin the bytes in eas-skill.test.ts.
+ */
+declare const LITMUS_SKILL_SCHEMA = "string skillRef,bytes32 contentHash,uint8 gradeS01,uint8 gradeS03,uint8 gradeS04,string overallGrade,string reportCID,string methodologyVersion,uint64 ranAt,string resolvedRef";
+interface SkillAttestationFields {
+    skillRef: string;
+    contentHash: string;
+    gradeS01: number;
+    gradeS03: number;
+    gradeS04: number;
+    overallGrade: string;
+    reportCID: string;
+    methodologyVersion: string;
+    ranAt: bigint;
+    resolvedRef: string;
+}
+/** Minimal structural view of a skill evidence bundle — satisfied by the probes
+ *  SkillEvidenceBundle, so onchain needs no dependency on probes. */
+interface SkillGradeForAttestation {
+    skillRef: string;
+    contentHash: string;
+    categories: readonly {
+        code: string;
+        status: CategoryStatus;
+    }[];
+    grade: string;
+    methodologyVersion: string;
+    ranAt: string;
+}
+/** Build the attestation fields. `resolvedRef` is the immutable pin (commit sha /
+ *  contentHash) the grade was run against; "" when none is known. */
+declare function skillAttestationFields(g: SkillGradeForAttestation, reportCID: string, resolvedRef: string | null): SkillAttestationFields;
+declare function encodeSkillAttestationFields(f: SkillAttestationFields): string;
+declare function encodeSkillAttestation(g: SkillGradeForAttestation, reportCID: string, resolvedRef: string | null): string;
+declare function decodeSkillAttestation(encoded: string): Record<string, unknown>;
 /**
  * Read a litmus attestation from chain (the trust-critical read — onchain-proof
  * §7). Needs an RPC + a registered schema; the agent-gate calls this, then
  * re-checks the live fingerprint before paying.
  *
- * [verify] eas-sdk EAS.getAttestation return shape (uid / data / revocationTime).
+ * The read is a single EAS `getAttestation` view call. We hit the contract
+ * directly through a minimal ethers ABI fragment (below) rather than the
+ * eas-sdk `EAS` class — same on-chain struct, one fewer dependency (eas-sdk
+ * dragged hardhat into the production tree).
  */
 /** The registered litmus schema UID for the selected network (from env). */
 declare function litmusSchemaUID(): string;
@@ -515,6 +861,36 @@ interface OnchainLitmusAttestation {
 }
 declare function readAttestation(uid: string): Promise<OnchainLitmusAttestation | null>;
+/**
+ * Read a SKILL attestation from chain. Mirrors read.ts, but fail-closes on the
+ * SKILL schema UID (NEXT_PUBLIC_EAS_SKILL_SCHEMA_UID) — a SEPARATE UID from the
+ * server schema. EAS schemas are permissionless, so without this bind a server
+ * attestation (or a look-alike) could be decoded and trusted as a skill grade.
+ *
+ * The trust anchor a consumer must check is `contentHash`: recompute sha256 of the
+ * skill directory (every file the SKILL.md can load) and require equality before
+ * installing. There is no live re-fingerprint, so the (immutable) `resolvedRef`
+ * pin and the contentHash are all that bind a grade to the bytes that run.
+ */
+/** The registered SKILL schema UID for the selected network (from env). Distinct
+ *  from the server schema UID so the two can never be confused. */
+declare function skillSchemaUID(): string;
+interface OnchainSkillAttestation {
+    uid: string;
+    skillRef: string;
+    /** Whole-directory sha256 (`0x` + 64 hex) — the consumer's re-hash trust anchor. */
+    contentHash: string;
+    overallGrade: string;
+    reportCID: string;
+    /** Immutable content pin (commit sha / contentHash) the grade was run against;
+     *  null when none (the on-chain empty-string sentinel is normalized here). */
+    resolvedRef: string | null;
+    revoked: boolean;
+    attester: string;
+    expirationTime: bigint;
+}
+declare function readSkillAttestation(uid: string): Promise<OnchainSkillAttestation | null>;
 /**
  * The agent payment-gate (technical-design §6, onchain-proof-spec §7).
  *
@@ -604,6 +980,68 @@ declare function handleRunLitmus({ server_ref, bearer, header }: {
     }[];
 }>;
+/**
+ * `run_skill_litmus` — run the deterministic static safety litmus over a Claude
+ * Code / Agent Skill (a SKILL.md + bundle) and return the grade + evidence.
+ *
+ * Unlike `run_litmus` (which LAUNCHES an MCP server's code), this is a pure STATIC
+ * read of the skill's text and bundled files — no execution, no network. That is
+ * also its disclosed limit: a static A is not behavioral proof. v1 grades a LOCAL
+ * skill directory; remote refs (github/marketplace) come with the onchain phase.
+ */
+declare const RUN_SKILL_LITMUS_TOOL_NAME = "run_skill_litmus";
+declare const RUN_SKILL_LITMUS_TOOL_TITLE = "Run a safety litmus on a Claude Code skill";
+declare const RUN_SKILL_LITMUS_TOOL_DESCRIPTION: string;
+declare const runSkillLitmusInputShape: {
+    skill_ref: z.ZodString;
+};
+/** Optional judge for the advisory quality axes. Resolved per-call by mcp.ts
+ *  (host-agent sampling if available, else an env key) — null ⇒ deterministic
+ *  quality only. The litmus core never requires a key. */
+interface RunSkillLitmusContext {
+    judge?: Judge | null;
+}
+declare function handleRunSkillLitmus({ skill_ref }: {
+    skill_ref: string;
+}, ctx?: RunSkillLitmusContext): Promise<{
+    isError: true;
+    content: {
+        type: "text";
+        text: string;
+    }[];
+} | {
+    content: {
+        type: "text";
+        text: string;
+    }[];
+}>;
+/**
+ * `verify_skill_attestation` — read a skill's already-published polygraph grade
+ * (no run) before an agent installs or trusts it. The skill analogue of
+ * `verify_attestation`: instead of recomputing a LIVE tool-surface fingerprint,
+ * the consumer must recompute the skill's CONTENT HASH (sha256 of every file the
+ * SKILL.md can load) and require it to equal the attested `contentHash` before
+ * installing — there is no live re-fingerprint, so the hash is the only thing
+ * binding the grade to the bytes that run.
+ */
+declare const VERIFY_SKILL_TOOL_NAME = "verify_skill_attestation";
+declare const VERIFY_SKILL_TOOL_TITLE = "Verify a skill's polygraph attestation";
+declare const VERIFY_SKILL_TOOL_DESCRIPTION: string;
+declare const verifySkillInputShape: {
+    skill_ref: z.ZodString;
+};
+declare function handleVerifySkill({ skill_ref }: {
+    skill_ref: string;
+}): Promise<{
+    content: {
+        type: "text";
+        text: string;
+    }[];
+}>;
 /**
  * `polygraphso litmus <ref | https-url | path-to-mcp>` — run the behavioral
  * harness locally and print the grade. The heavy harness (`@polygraph/probes`)
@@ -634,4 +1072,4 @@ declare function parseAuthFlags(args: readonly string[], env?: NodeJS.ProcessEnv
 /** A target is an https URL, a local MCP entry file, or a registry ref. */
 declare function resolveTarget(target: string): string | StdioCommand;
-export { type AttestationView, BUNDLE_SCHEMA_VERSION, type BundleInput, CATEGORY_STATUS_UINT8, type CategoryCode, type CategoryResult, type CategoryStatus, type ConnectOptions, type ConnectedTarget, DEFAULT_PASSING, type EvidenceBundle, type Finding, type FindingKind, type FingerprintResult, type GateAction, type GateDecision, type Grade, type HarnessInfo, LITMUS_SCHEMA, type LitmusAttestationFields, type LitmusGrade, type RunLitmusOptions as LitmusOptions, METHODOLOGY_VERSION, NETWORKS, type Network, type NetworkConfig, type OnchainLitmusAttestation, type ParsedLitmusFlags, type ParsedServerRef, type ProbeContext, type ProbeId, type ProbeResult, type ProbeStatus, RUN_LITMUS_TOOL_DESCRIPTION, RUN_LITMUS_TOOL_NAME, RUN_LITMUS_TOOL_TITLE, type Registry, type RunLitmusOptions, ServerRefParseError, type Severity, type StdioCommand, type TargetDescriptor, type TargetInput, type TargetKind, type ToolAnnotations, type ToolDef, type ToolSafety, assembleBundle, canaryMatch, canonicalStringify, classifyTool, connectTarget, decodeLitmusAttestation, encodeLitmusAttestation, fingerprintToolDefs, formatServerRef, gateDecision, gradeFromCategories, handleRunLitmus, hasHighSeverity, instructionMimicry, internalsLeak, invisibleUnicode, litmusFields, litmusSchemaUID, liveFingerprint, markdownTricks, networkConfig, parseAuthFlags, parseServerRef, readAttestation, resolveTarget, rpcUrl, runLitmus, runLitmusInputShape, selectedNetwork, serverKey, stateChangingToolNames };
+export { type AttestationView, BUNDLE_SCHEMA_VERSION, type BundleInput, CATEGORY_STATUS_UINT8, type CategoryCode, type CategoryResult, type CategoryStatus, type ConnectOptions, type ConnectedTarget, DEFAULT_PASSING, type EvidenceBundle, type Finding, type FindingKind, type FingerprintResult, type GateAction, type GateDecision, type Grade, type HarnessInfo, type Judge, type JudgeOptions, type JudgedQuality, LITMUS_SCHEMA, LITMUS_SKILL_SCHEMA, type LitmusAttestationFields, type LitmusGrade, type RunLitmusOptions as LitmusOptions, type LoadedSkill, METHODOLOGY_VERSION, NETWORKS, type Network, type NetworkConfig, type OnchainLitmusAttestation, type OnchainSkillAttestation, type OpenAICompatConfig, type ParsedLitmusFlags, type ParsedServerRef, type ParsedSkillRef, type ProbeContext, type ProbeId, type ProbeResult, type ProbeStatus, type QualityBundle, type QualityCheck, type QualityCheckStatus, type QualityVerdict, RUN_LITMUS_TOOL_DESCRIPTION, RUN_LITMUS_TOOL_NAME, RUN_LITMUS_TOOL_TITLE, RUN_SKILL_LITMUS_TOOL_DESCRIPTION, RUN_SKILL_LITMUS_TOOL_NAME, RUN_SKILL_LITMUS_TOOL_TITLE, type Registry, type RunLitmusOptions, type RunSkillLitmusOptions, type RunSkillQualityOptions, SKILL_BUNDLE_SCHEMA_VERSION, SKILL_METHODOLOGY_VERSION, SKILL_QUALITY_VERSION, ServerRefParseError, type Severity, type SkillAttestationFields, type SkillCategoryCode, type SkillCategoryResult, type SkillEvidenceBundle, type SkillFile, type SkillGrade, type SkillGradeForAttestation, SkillLoadError, SkillRefParseError, type SkillSource, type StdioCommand, type TargetDescriptor, type TargetInput, type TargetKind, type ToolAnnotations, type ToolDef, type ToolSafety, VERIFY_SKILL_TOOL_DESCRIPTION, VERIFY_SKILL_TOOL_NAME, VERIFY_SKILL_TOOL_TITLE, assembleBundle, canaryMatch, canonicalStringify, classifyTool, connectTarget, dangerousCommand, decodeLitmusAttestation, decodeSkillAttestation, encodeLitmusAttestation, encodeSkillAttestation, encodeSkillAttestationFields, exfilInstruction, fingerprintToolDefs, formatServerRef, formatSkillRef, gateDecision, gradeFromCategories, gradeSkillCategories, handleRunLitmus, handleRunSkillLitmus, handleVerifySkill, hasHighSeverity, instructionMimicry, internalsLeak, invisibleUnicode, judgeFromEnv, judgeSkillQuality, litmusFields, litmusSchemaUID, liveFingerprint, loadSkill, markdownTricks, networkConfig, openAICompatJudge, overBroadTrigger, parseAuthFlags, parseServerRef, parseSkillRef, readAttestation, readSkillAttestation, resolveTarget, rpcUrl, runLitmus, runLitmusInputShape, runSkillLitmus, runSkillLitmusInputShape, runSkillQuality, runSkillQualityJudged, selectedNetwork, serverKey, skillAttestationFields, skillInjection, skillInjectionFails, skillKey, skillSchemaUID, stateChangingToolNames, stripExamples, verifySkillInputShape };

package/dist/index.js CHANGED

@@ -1,49 +1,88 @@
 import {
   LITMUS_SCHEMA,
+  LITMUS_SKILL_SCHEMA,
   NETWORKS,
   RUN_LITMUS_TOOL_DESCRIPTION,
   RUN_LITMUS_TOOL_NAME,
   RUN_LITMUS_TOOL_TITLE,
+  RUN_SKILL_LITMUS_TOOL_DESCRIPTION,
+  RUN_SKILL_LITMUS_TOOL_NAME,
+  RUN_SKILL_LITMUS_TOOL_TITLE,
+  VERIFY_SKILL_TOOL_DESCRIPTION,
+  VERIFY_SKILL_TOOL_NAME,
+  VERIFY_SKILL_TOOL_TITLE,
   decodeLitmusAttestation,
+  decodeSkillAttestation,
   encodeLitmusAttestation,
+  encodeSkillAttestation,
+  encodeSkillAttestationFields,
   handleRunLitmus,
+  handleRunSkillLitmus,
+  handleVerifySkill,
   litmusFields,
   litmusSchemaUID,
   networkConfig,
   readAttestation,
+  readSkillAttestation,
   rpcUrl,
   runLitmusInputShape,
-  selectedNetwork
-} from "./chunk-LBXHFQN3.js";
+  runSkillLitmusInputShape,
+  selectedNetwork,
+  skillAttestationFields,
+  skillSchemaUID,
+  verifySkillInputShape
+} from "./chunk-AVF3GYCS.js";
 import {
   parseAuthFlags,
   resolveTarget
-} from "./chunk-VOPISHBU.js";
+} from "./chunk-M5HXKZVN.js";
 import {
+  SKILL_BUNDLE_SCHEMA_VERSION,
+  SKILL_METHODOLOGY_VERSION,
+  SKILL_QUALITY_VERSION,
+  SkillLoadError,
   assembleBundle,
   canaryMatch,
   classifyTool,
   connectTarget,
+  dangerousCommand,
+  exfilInstruction,
   fingerprintToolDefs,
   gradeFromCategories,
+  gradeSkillCategories,
   hasHighSeverity,
   instructionMimicry,
   internalsLeak,
   invisibleUnicode,
+  judgeFromEnv,
+  judgeSkillQuality,
+  loadSkill,
   markdownTricks,
+  openAICompatJudge,
+  overBroadTrigger,
   runLitmus,
-  stateChangingToolNames
-} from "./chunk-35UOPCBW.js";
+  runSkillLitmus,
+  runSkillQuality,
+  runSkillQualityJudged,
+  skillInjection,
+  skillInjectionFails,
+  stateChangingToolNames,
+  stripExamples
+} from "./chunk-DN2OX4RT.js";
 import {
   BUNDLE_SCHEMA_VERSION,
   CATEGORY_STATUS_UINT8,
   METHODOLOGY_VERSION,
   ServerRefParseError,
+  SkillRefParseError,
   canonicalStringify,
   formatServerRef,
+  formatSkillRef,
   parseServerRef,
-  serverKey
-} from "./chunk-ZR6XRGMQ.js";
+  parseSkillRef,
+  serverKey,
+  skillKey
+} from "./chunk-44R4ZYOE.js";
 // ../agent/src/gate.ts
 function sameServer(a, b) {
@@ -92,41 +131,80 @@ export {
   CATEGORY_STATUS_UINT8,
   DEFAULT_PASSING,
   LITMUS_SCHEMA,
+  LITMUS_SKILL_SCHEMA,
   METHODOLOGY_VERSION,
   NETWORKS,
   RUN_LITMUS_TOOL_DESCRIPTION,
   RUN_LITMUS_TOOL_NAME,
   RUN_LITMUS_TOOL_TITLE,
+  RUN_SKILL_LITMUS_TOOL_DESCRIPTION,
+  RUN_SKILL_LITMUS_TOOL_NAME,
+  RUN_SKILL_LITMUS_TOOL_TITLE,
+  SKILL_BUNDLE_SCHEMA_VERSION,
+  SKILL_METHODOLOGY_VERSION,
+  SKILL_QUALITY_VERSION,
   ServerRefParseError,
+  SkillLoadError,
+  SkillRefParseError,
+  VERIFY_SKILL_TOOL_DESCRIPTION,
+  VERIFY_SKILL_TOOL_NAME,
+  VERIFY_SKILL_TOOL_TITLE,
   assembleBundle,
   canaryMatch,
   canonicalStringify,
   classifyTool,
   connectTarget,
+  dangerousCommand,
   decodeLitmusAttestation,
+  decodeSkillAttestation,
   encodeLitmusAttestation,
+  encodeSkillAttestation,
+  encodeSkillAttestationFields,
+  exfilInstruction,
   fingerprintToolDefs,
   formatServerRef,
+  formatSkillRef,
   gateDecision,
   gradeFromCategories,
+  gradeSkillCategories,
   handleRunLitmus,
+  handleRunSkillLitmus,
+  handleVerifySkill,
   hasHighSeverity,
   instructionMimicry,
   internalsLeak,
   invisibleUnicode,
+  judgeFromEnv,
+  judgeSkillQuality,
   litmusFields,
   litmusSchemaUID,
   liveFingerprint,
+  loadSkill,
   markdownTricks,
   networkConfig,
+  openAICompatJudge,
+  overBroadTrigger,
   parseAuthFlags,
   parseServerRef,
+  parseSkillRef,
   readAttestation,
+  readSkillAttestation,
   resolveTarget,
   rpcUrl,
   runLitmus,
   runLitmusInputShape,
+  runSkillLitmus,
+  runSkillLitmusInputShape,
+  runSkillQuality,
+  runSkillQualityJudged,
   selectedNetwork,
   serverKey,
-  stateChangingToolNames
+  skillAttestationFields,
+  skillInjection,
+  skillInjectionFails,
+  skillKey,
+  skillSchemaUID,
+  stateChangingToolNames,
+  stripExamples,
+  verifySkillInputShape
 };