@polygraphso/litmus 0.9.0 → 0.9.1

package/README.md

@@ -180,9 +180,12 @@ It also prints a separate, advisory **quality** signal (`well-formed` / `issues`
 - **Standalone:** bring your own key for any OpenAI-compatible endpoint:
 
   ```bash
-  export LITMUS_LLM_API_KEY=…                            # your key
-  export LITMUS_LLM_MODEL=gpt-4o                         # any model the endpoint serves
+  export LITMUS_LLM_API_KEY=…                            # your key (any OpenAI-compatible endpoint)
+  export LITMUS_LLM_MODEL=gpt-4o                         # a model the endpoint serves
   export LITMUS_LLM_BASE_URL=https://api.openai.com/v1   # optional; defaults to OpenAI
+  # Other providers via their OpenAI-compatible endpoint, e.g.:
+  #   Claude:  LITMUS_LLM_BASE_URL=https://api.anthropic.com/v1                       LITMUS_LLM_MODEL=claude-sonnet-4-6
+  #   Gemini:  LITMUS_LLM_BASE_URL=https://generativelanguage.googleapis.com/v1beta/openai  LITMUS_LLM_MODEL=gemini-2.5-flash
   ```
 
 - With neither, the judged axes are skipped — the grade and deterministic quality
@@ -195,9 +198,10 @@ The same `polygraphso-litmus-mcp` server exposes two skill tools (plus `grade-sk
 
 - **`run_skill_litmus`** — grade a local skill directory now (static; uses the host
   model via sampling for the quality axes, no key).
-- **`verify_skill_attestation`** — read a skill's *already-published* grade. It returns
-  the attested `contentHash`; recompute the skill's hash and require equality before
-  installing — the content hash, not the version, is the trust anchor.
+- **`verify_skill_attestation`** — read a skill's *already-published* grade by its
+  `skill_ref` (`source/owner/repo#path`, e.g. `github/anthropics/skills#skills/pdf`). It
+  returns the attested `contentHash`; recompute the skill's hash and require equality
+  before installing — the content hash, not the version, is the trust anchor.
 
 ## Library
 

package/dist/{chunk-M5HXKZVN.js → chunk-BUKDFSDO.js}

@@ -44,7 +44,7 @@ async function runLitmusCli(args) {
     );
     return 2;
   }
-  const { runLitmus } = await import("./src-TG44QXFV.js");
+  const { runLitmus } = await import("./src-TMJOIVGB.js");
   const input = resolveTarget(target);
   try {
     const bundle = await runLitmus(input, { headers, allowStateChanging });

package/dist/{chunk-DN2OX4RT.js → chunk-RYJXVMCT.js}

@@ -1078,15 +1078,29 @@ function instructionMimicry(text) {
   }
   return findings;
 }
-var SENSITIVE_QUERY_KEY = /(?:^|[?&])[^=&]*(?:key|token|secret|password|passwd|auth|session|cookie|canary|api|env|cred)[^=&]*=/i;
+var SENSITIVE_QUERY_KEY_TOKENS = [
+  "key",
+  "token",
+  "secret",
+  "password",
+  "passwd",
+  "auth",
+  "session",
+  "cookie",
+  "canary",
+  "api",
+  "env",
+  "cred"
+];
 function looksExfilQuery(url) {
   const q = url.indexOf("?");
   if (q < 0) return false;
   const query = url.slice(q + 1);
-  if (SENSITIVE_QUERY_KEY.test(url)) return true;
   for (const pair of query.split("&")) {
     const eq = pair.indexOf("=");
     if (eq < 0) continue;
+    const key = pair.slice(0, eq).toLowerCase();
+    if (SENSITIVE_QUERY_KEY_TOKENS.some((t) => key.includes(t))) return true;
     let v = pair.slice(eq + 1);
     try {
       v = decodeURIComponent(v);
@@ -1100,7 +1114,7 @@ function looksExfilQuery(url) {
 }
 function markdownTricks(text) {
   const findings = [];
-  const proto = /\b(?:javascript|data):[^\s)"'<>]+/gi;
+  const proto = /\b(?:javascript|data):[^\s)"'<>*`]+/gi;
   for (let m = proto.exec(text); m; m = proto.exec(text)) {
     findings.push({
       kind: "markdown-trick",
@@ -1109,7 +1123,7 @@ function markdownTricks(text) {
       offset: m.index
     });
   }
-  const exfilImg = /!?\[[^\]]*\]\((https?:\/\/[^)\s]*\?[^)\s]*=[^)\s]*)\)/gi;
+  const exfilImg = /!?\[[^\]]{0,200}\]\((https?:\/\/[^)\s?]{0,400}\?[^)\s=]{0,200}=[^)\s]{0,200})\)/gi;
   for (let m = exfilImg.exec(text); m; m = exfilImg.exec(text)) {
     const url = m[1] ?? m[0];
     if (!looksExfilQuery(url)) continue;
@@ -1126,7 +1140,9 @@ var INTERNALS_LEAK = [
   // V8 / Node stack frame: `at fn (/abs/file.js:12:5)` or `at /abs/file.js:12:5`
   // (a leading path/drive/`node:`/`file:` is required, so a "meet at 10:30:45"
   // timestamp can't trip it).
-  /^\s*at\s+(?:.*\s)?\(?(?:\/|[A-Za-z]:[\\/]|node:|file:\/\/)[^\s()]*:\d+:\d+\)?\s*$/m,
+  // Bounded quantifiers ({0,300}) keep this linear: overlapping `.*\s` + `[^\s()]*`
+  // + trailing `\s*$` over untrusted output is otherwise polynomial (js/polynomial-redos).
+  /^\s*at\s+(?:[^\n]{0,300}\s)?\(?(?:\/|[A-Za-z]:[\\/]|node:|file:\/\/)[^\s()]{0,300}:\d+:\d+\)?\s*$/m,
   // Node uncaught-rejection / fatal banners.
   /\b(?:UnhandledPromiseRejection(?:Warning)?|unhandledRejection|FATAL ERROR:|Fatal error:)\b/,
   // Python traceback header + frame.
@@ -1138,8 +1154,9 @@ var INTERNALS_LEAK = [
   // Go panic with its goroutine dump (`panic: … goroutine 1 [running]:`).
   /\bpanic:[\s\S]{0,300}?\bgoroutine\s+\d+\s+\[/,
   // Ruby backtrace frame (`from app.rb:10:in 'method'` / older backtick form);
-  // requires a `.rb` file + `:line:in` so prose can't trip it.
-  /[\w./-]+\.rb:\d+:in\s+['\x60]/,
+  // requires a `.rb` file + `:line:in` so prose can't trip it. The lookbehind +
+  // bounded run keep `[\w./-]+\.rb` linear (the `.`-overlap is otherwise polynomial).
+  /(?<![\w./-])[\w./-]{1,200}\.rb:\d+:in\s+['\x60]/,
   // .NET stack frame (`at NS.Method() in C:\path\File.cs:line 12`).
   /\bat\s+[\w.<>+]+\([^)]*\)\s+in\s+\S+:line\s+\d+/i,
   // Rust panic banner (`thread 'main' panicked at …`).
@@ -2282,7 +2299,7 @@ var SINK = /(?:https?:\/\/\S+|\bto\s+(?:a\s+|an\s+|the\s+|your\s+|our\s+)?(?:rem
 function exfilInstruction(text) {
   const findings = [];
   const stripped = stripExamples(text);
-  for (const raw of stripped.split(/(?<=[.!?\n])/)) {
+  for (const raw of stripped.split(/(?<=[.!?])\s+|\n/)) {
     const sentence = raw.trim();
     if (!sentence) continue;
     if (TRANSMIT_VERB.test(sentence) && SECRET_NOUN.test(sentence) && SINK.test(sentence)) {
@@ -2439,7 +2456,9 @@ function runSkillLitmus(dir, opts = {}) {
 
 // ../probes/src/skills/quality-judge.ts
 function openAICompatJudge(cfg) {
-  const url = `${cfg.baseUrl.replace(/\/+$/, "")}/chat/completions`;
+  let base = cfg.baseUrl;
+  while (base.endsWith("/")) base = base.slice(0, -1);
+  const url = `${base}/chat/completions`;
   return {
     id: `openai-compat:${cfg.model}`,
     async complete(system, user) {

package/dist/{chunk-AVF3GYCS.js → chunk-Z66GKAQD.js}

@@ -1,14 +1,14 @@
 import {
   parseAuthFlags,
   resolveTarget
-} from "./chunk-M5HXKZVN.js";
+} from "./chunk-BUKDFSDO.js";
 import {
   SKILL_METHODOLOGY_VERSION,
   runLitmus,
   runSkillLitmus,
   runSkillQuality,
   runSkillQualityJudged
-} from "./chunk-DN2OX4RT.js";
+} from "./chunk-RYJXVMCT.js";
 import {
   CATEGORY_STATUS_UINT8,
   METHODOLOGY_VERSION,

package/dist/cli-skill.js

@@ -4,7 +4,7 @@ import {
   runSkillLitmus,
   runSkillQuality,
   runSkillQualityJudged
-} from "./chunk-DN2OX4RT.js";
+} from "./chunk-RYJXVMCT.js";
 import "./chunk-44R4ZYOE.js";
 
 // src/cli-skill.ts

package/dist/cli.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   runLitmusCli
-} from "./chunk-M5HXKZVN.js";
+} from "./chunk-BUKDFSDO.js";
 import {
   parseServerRef,
   serverKey

package/dist/index.js

@@ -31,11 +31,11 @@ import {
   skillAttestationFields,
   skillSchemaUID,
   verifySkillInputShape
-} from "./chunk-AVF3GYCS.js";
+} from "./chunk-Z66GKAQD.js";
 import {
   parseAuthFlags,
   resolveTarget
-} from "./chunk-M5HXKZVN.js";
+} from "./chunk-BUKDFSDO.js";
 import {
   SKILL_BUNDLE_SCHEMA_VERSION,
   SKILL_METHODOLOGY_VERSION,
@@ -68,7 +68,7 @@ import {
   skillInjectionFails,
   stateChangingToolNames,
   stripExamples
-} from "./chunk-DN2OX4RT.js";
+} from "./chunk-RYJXVMCT.js";
 import {
   BUNDLE_SCHEMA_VERSION,
   CATEGORY_STATUS_UINT8,

package/dist/mcp.js

@@ -20,11 +20,11 @@ import {
   runSkillLitmusInputShape,
   verifyInputShape,
   verifySkillInputShape
-} from "./chunk-AVF3GYCS.js";
-import "./chunk-M5HXKZVN.js";
+} from "./chunk-Z66GKAQD.js";
+import "./chunk-BUKDFSDO.js";
 import {
   judgeFromEnv
-} from "./chunk-DN2OX4RT.js";
+} from "./chunk-RYJXVMCT.js";
 import "./chunk-44R4ZYOE.js";
 
 // src/mcp.ts

package/dist/{src-TG44QXFV.js → src-TMJOIVGB.js}

@@ -30,7 +30,7 @@ import {
   skillInjectionFails,
   stateChangingToolNames,
   stripExamples
-} from "./chunk-DN2OX4RT.js";
+} from "./chunk-RYJXVMCT.js";
 import "./chunk-44R4ZYOE.js";
 export {
   SKILL_BUNDLE_SCHEMA_VERSION,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@polygraphso/litmus",
-  "version": "0.9.0",
+  "version": "0.9.1",
   "description": "Behavioral litmus harness for MCP servers — grade a server A–F (tool-output injection, egress, sensitive-data, adversarial-input) with reproducible, content-addressed evidence. Ships a CLI and an MCP server with a run_litmus tool for AI agents.",
   "license": "Apache-2.0",
   "homepage": "https://polygraph.so",
@@ -63,9 +63,9 @@
     "typescript": "^5.9.3",
     "vitest": "^2.1.0",
     "@polygraph/core": "0.0.0",
-    "@polygraph/probes": "0.0.0",
     "@polygraph/onchain": "0.0.0",
     "@polygraph/agent": "0.0.0",
+    "@polygraph/probes": "0.0.0",
     "@polygraph/cli": "0.0.0",
     "@polygraph/mcp": "0.0.0"
   },