@polygraphso/litmus 0.9.1 → 0.10.0

package/README.md

@@ -30,16 +30,28 @@ and the grade is capped at **B** for that run.
 ```bash
 polygraphso-litmus litmus <registry-ref | https-url | path-to-mcp>   # grade a server
 polygraphso-litmus litmus --json <ref>                              # machine-readable evidence bundle
+polygraphso-litmus litmus --timeout <seconds> <ref>                 # cap the whole run (default 900s)
 polygraphso-litmus check <ref>                                      # look up a published grade
 ```
 
 Examples:
 
 ```bash
-polygraphso-litmus litmus npm/@modelcontextprotocol/server-filesystem
+# a remote https target runs no local code — graded directly
 polygraphso-litmus litmus https://example.com/mcp
+
+# a registry ref or local file launches the TARGET's own code. Grade it sandboxed:
+LITMUS_STDIO_ISOLATION=docker polygraphso-litmus litmus npm/@modelcontextprotocol/server-filesystem
+# …or, without Docker, opt in to running it on this host:
+polygraphso-litmus litmus --unsafe-host-exec npm/@modelcontextprotocol/server-filesystem
 ```
 
+**Host-execution safety.** Grading a registry ref (`npm/…`, `pypi/…`) or a local
+path **launches the target's own code**. By default the CLI refuses to do that on
+your host: set `LITMUS_STDIO_ISOLATION=docker` to run the target only inside the
+hardened sandbox, or pass `--unsafe-host-exec` to accept host execution. Remote
+`https://` targets run no local code and need neither.
+
 The `litmus` command exits non-zero on a failing grade (D/F), so it scripts in CI.
 
 To dispute a published grade, just re-run `litmus` against the same server: the harness is
@@ -54,7 +66,9 @@ MCP-capable client. It exposes two tools:
   and return the grade and the evidence. Optional **`bearer`** (and `header`
   entries, each `"Key: Value"`) grade a token-gated `https://` MCP target — sent
   to that origin only, ignored for stdio/local targets, the same plumbing as the
-  CLI's `--bearer` / `--header`.
+  CLI's `--bearer` / `--header`. Grading a registry ref or local path launches the
+  target's own code, so it requires **`unsafe_host_exec: true`** unless
+  `LITMUS_STDIO_ISOLATION=docker` is set (the MCP mirror of `--unsafe-host-exec`).
 - **`verify_attestation`** — passively read a server's *already-published* grade
   before trusting or paying it.
 

package/dist/{chunk-RYJXVMCT.js → chunk-63OICX66.js}

@@ -1536,12 +1536,14 @@ async function runEgressProbe(ref, opts) {
     if (staged) await staged.cleanup();
   }
 }
+async function exerciseSurface(client, exercise) {
+  for (const t of await enumerateTools(client)) {
+    await exercise({ name: t.name, description: t.description ?? "", inputSchema: t.inputSchema ?? null });
+  }
+}
 async function collectEgress(conn, sink, declaredEgress, baselineAllowlist) {
   try {
-    const { tools } = await conn.client.listTools();
-    for (const t of tools) {
-      await exerciseTool(conn.client, { name: t.name, description: t.description ?? "", inputSchema: t.inputSchema ?? null });
-    }
+    await exerciseSurface(conn.client, (def) => exerciseTool(conn.client, def));
   } finally {
     await conn.teardown();
   }
@@ -2626,6 +2628,7 @@ export {
   gradeFromCategories,
   assembleBundle,
   runLitmus,
+  enumerateTools,
   SkillLoadError,
   loadSkill,
   stripExamples,

package/dist/{chunk-BUKDFSDO.js → chunk-GNPHHS6I.js}

@@ -34,20 +34,29 @@ function truncate(s, n) {
 }
 
 // ../cli/src/litmus.ts
+var DEFAULT_RUN_TIMEOUT_MS = 15 * 60 * 1e3;
 async function runLitmusCli(args) {
   const json = args.includes("--json");
-  const { headers, allowStateChanging, positionals } = parseAuthFlags(args);
+  const { headers, allowStateChanging, unsafeHostExec, timeoutMs, positionals } = parseAuthFlags(args);
   const target = positionals[0];
   if (!target) {
     process.stderr.write(
-      'usage: polygraphso litmus [--json] [--bearer <token>] [--header "Key: Value"] [--allow-state-changing] <registry-ref | https-url | path-to-mcp>\n'
+      'usage: polygraphso litmus [--json] [--bearer <token>] [--header "Key: Value"] [--allow-state-changing] [--unsafe-host-exec] [--timeout <seconds>] <registry-ref | https-url | path-to-mcp>\n'
     );
     return 2;
   }
-  const { runLitmus } = await import("./src-TMJOIVGB.js");
   const input = resolveTarget(target);
+  const guard = checkHostExec(input, unsafeHostExec);
+  if (!guard.allow) {
+    process.stderr.write(`\u2192 litmus: ${guard.refuse}
+`);
+    return 2;
+  }
+  if (guard.warn) process.stderr.write(`\u2192 ${guard.warn}
+`);
+  const { runLitmus } = await import("./src-I6AGG4CJ.js");
   try {
-    const bundle = await runLitmus(input, { headers, allowStateChanging });
+    const bundle = await runLitmus(input, { headers, allowStateChanging, timeoutMs });
     process.stdout.write(json ? canonicalStringify(bundle) + "\n" : formatBundle(bundle));
     return bundle.grade === "D" || bundle.grade === "F" ? 1 : 0;
   } catch (err) {
@@ -60,6 +69,8 @@ function parseAuthFlags(args, env = process.env) {
   const headers = {};
   const headerArgs = [];
   let allowStateChanging = false;
+  let unsafeHostExec = false;
+  let timeoutMs = DEFAULT_RUN_TIMEOUT_MS;
   let bearer = env.LITMUS_BEARER || void 0;
   const positionals = [];
   for (let i = 0; i < args.length; i++) {
@@ -67,6 +78,12 @@ function parseAuthFlags(args, env = process.env) {
     if (a === "--json") continue;
     if (a === "--allow-state-changing") {
       allowStateChanging = true;
+    } else if (a === "--unsafe-host-exec") {
+      unsafeHostExec = true;
+    } else if (a === "--timeout") {
+      timeoutMs = timeoutSecondsToMs(args[++i]) ?? timeoutMs;
+    } else if (a.startsWith("--timeout=")) {
+      timeoutMs = timeoutSecondsToMs(a.slice("--timeout=".length)) ?? timeoutMs;
     } else if (a === "--bearer") {
       bearer = args[++i] ?? bearer;
     } else if (a.startsWith("--bearer=")) {
@@ -89,7 +106,25 @@ function parseAuthFlags(args, env = process.env) {
     const value = h.slice(idx + 1).trim();
     if (key) headers[key] = value;
   }
-  return { headers, allowStateChanging, positionals };
+  return { headers, allowStateChanging, unsafeHostExec, timeoutMs, positionals };
+}
+function timeoutSecondsToMs(v) {
+  if (!v) return void 0;
+  const sec = Number(v);
+  return Number.isFinite(sec) && sec > 0 ? Math.floor(sec * 1e3) : void 0;
+}
+function checkHostExec(input, optIn, optInHint = "--unsafe-host-exec", env = process.env) {
+  const isStdio = typeof input !== "string" || !/^https?:\/\//i.test(input);
+  const dockerIsolated = env.LITMUS_STDIO_ISOLATION === "docker";
+  if (!isStdio || dockerIsolated) return { allow: true };
+  const why = "this launches the target's own code; without Docker isolation it runs on THIS host";
+  if (optIn) return { allow: true, warn: `\u26A0 unsafe host execution \u2014 ${why}.` };
+  return {
+    allow: false,
+    refuse: `refusing host execution \u2014 ${why}.
+  \u2022 sandboxed (recommended): set LITMUS_STDIO_ISOLATION=docker (requires Docker)
+  \u2022 accept the risk: re-run with ${optInHint}`
+  };
 }
 function resolveTarget(target) {
   if (/^https?:\/\//i.test(target)) return target;
@@ -112,7 +147,9 @@ function tsxCli() {
 }
 
 export {
+  DEFAULT_RUN_TIMEOUT_MS,
   runLitmusCli,
   parseAuthFlags,
+  checkHostExec,
   resolveTarget
 };

package/dist/{chunk-Z66GKAQD.js → chunk-VAOQNFW3.js}

@@ -1,14 +1,16 @@
 import {
+  DEFAULT_RUN_TIMEOUT_MS,
+  checkHostExec,
   parseAuthFlags,
   resolveTarget
-} from "./chunk-BUKDFSDO.js";
+} from "./chunk-GNPHHS6I.js";
 import {
   SKILL_METHODOLOGY_VERSION,
   runLitmus,
   runSkillLitmus,
   runSkillQuality,
   runSkillQualityJudged
-} from "./chunk-RYJXVMCT.js";
+} from "./chunk-63OICX66.js";
 import {
   CATEGORY_STATUS_UINT8,
   METHODOLOGY_VERSION,
@@ -299,24 +301,32 @@ var RUN_LITMUS_TOOL_DESCRIPTION = [
 var runLitmusInputShape = {
   server_ref: z.string().min(1).max(512).describe("What to grade: a registry ref (npm/@scope/server), an https:// MCP URL, or a local path to an MCP entry file."),
   bearer: z.string().min(1).max(8192).optional().describe("Bearer token for a token-gated https:// MCP server. Sent as `Authorization: Bearer <token>` to the target origin only. Ignored for stdio/local targets."),
-  header: z.array(z.string()).max(20).optional().describe('Extra HTTP headers for a gated https:// target, each "Key: Value" (e.g. "X-Api-Key: \u2026"). Overrides the bearer-derived Authorization for the same key. Ignored for stdio/local targets.')
+  header: z.array(z.string()).max(20).optional().describe('Extra HTTP headers for a gated https:// target, each "Key: Value" (e.g. "X-Api-Key: \u2026"). Overrides the bearer-derived Authorization for the same key. Ignored for stdio/local targets.'),
+  unsafe_host_exec: z.boolean().optional().describe("Required to grade a registry ref or local path: it launches the target's own code, and without Docker isolation that runs on THIS host. Set true to accept host execution. Ignored for https:// targets or when LITMUS_STDIO_ISOLATION=docker."),
+  timeout_seconds: z.number().int().positive().max(3600).optional().describe("Aggregate wall-clock ceiling for the whole run, in seconds (default 900). Bounds a hostile server that stretches the run across many tools/probes.")
 };
 var PROGRESS_TOTAL = 5;
-async function handleRunLitmus({ server_ref, bearer, header }, extra) {
+async function handleRunLitmus({ server_ref, bearer, header, unsafe_host_exec, timeout_seconds }, extra) {
   try {
     const argv = [
       ...bearer ? ["--bearer", bearer] : [],
       ...(header ?? []).flatMap((h) => ["--header", h])
     ];
     const { headers } = parseAuthFlags(argv, {});
+    const input = resolveTarget(server_ref);
+    const guard = checkHostExec(input, unsafe_host_exec ?? false, 'set "unsafe_host_exec": true');
+    if (!guard.allow) {
+      return { isError: true, content: [{ type: "text", text: `run_litmus refused: ${guard.refuse}` }] };
+    }
     const progressToken = extra._meta?.progressToken;
     const sendProgress = progressToken !== void 0 ? (progress, message) => void extra.sendNotification({
       method: "notifications/progress",
       params: { progressToken, progress, total: PROGRESS_TOTAL, message }
     }) : void 0;
     sendProgress?.(0, `Connecting to ${server_ref}\u2026`);
-    const bundle = await runLitmus(resolveTarget(server_ref), {
+    const bundle = await runLitmus(input, {
       ...Object.keys(headers).length ? { headers } : {},
+      timeoutMs: timeout_seconds ? timeout_seconds * 1e3 : DEFAULT_RUN_TIMEOUT_MS,
       ...sendProgress ? { onProgress: (done, _total, label) => sendProgress(done, label) } : {}
     });
     const payload = summarize(bundle);

package/dist/cli-skill.js

@@ -4,7 +4,7 @@ import {
   runSkillLitmus,
   runSkillQuality,
   runSkillQualityJudged
-} from "./chunk-RYJXVMCT.js";
+} from "./chunk-63OICX66.js";
 import "./chunk-44R4ZYOE.js";
 
 // src/cli-skill.ts

package/dist/cli.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   runLitmusCli
-} from "./chunk-BUKDFSDO.js";
+} from "./chunk-GNPHHS6I.js";
 import {
   parseServerRef,
   serverKey

package/dist/index.d.ts

@@ -323,6 +323,35 @@ interface RunLitmusOptions {
     onProgress?: (done: number, total: number, label: string) => void;
 }
 declare function runLitmus(target: TargetInput, opts?: RunLitmusOptions): Promise<EvidenceBundle>;
+/** The fields of a `tools/list` entry the harness reads. */
+interface ListedTool {
+    name: string;
+    description?: string;
+    inputSchema?: unknown;
+    annotations?: unknown;
+}
+interface ListToolsClient {
+    listTools(params?: {
+        cursor?: string;
+    }): Promise<{
+        tools?: ListedTool[];
+        nextCursor?: string;
+    }>;
+}
+/**
+ * Follow `tools/list` pagination to the end, accumulating the full tool surface.
+ * The MCP SDK's `listTools()` returns a single page and does not auto-paginate,
+ * so a server can park a tool (e.g. `transfer_funds`) or a poisoned description
+ * behind a `nextCursor` — invisible to a one-page lister, yet served to a real
+ * agent. We enumerate every page so the fingerprint and grade cover what the
+ * agent actually gets, and **fail closed**: if the server is still paginating
+ * past the gradable cap, we refuse rather than grade a partial surface.
+ */
+declare function enumerateTools(client: ListToolsClient, opts?: {
+    maxTools?: number;
+    maxBytes?: number;
+    listTimeoutMs?: number;
+}): Promise<ListedTool[]>;
 
 /**
  * Tool-surface fingerprint (litmus-test-v1 §6, technical-design §3).
@@ -961,23 +990,27 @@ declare const runLitmusInputShape: {
     server_ref: z.ZodString;
     bearer: z.ZodOptional<z.ZodString>;
     header: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    unsafe_host_exec: z.ZodOptional<z.ZodBoolean>;
+    timeout_seconds: z.ZodOptional<z.ZodNumber>;
 };
-declare function handleRunLitmus({ server_ref, bearer, header }: {
+declare function handleRunLitmus({ server_ref, bearer, header, unsafe_host_exec, timeout_seconds }: {
     server_ref: string;
     bearer?: string;
     header?: string[];
+    unsafe_host_exec?: boolean;
+    timeout_seconds?: number;
 }, extra: RequestHandlerExtra<ServerRequest, ServerNotification>): Promise<{
+    isError: true;
     content: {
         type: "text";
         text: string;
     }[];
-    isError?: undefined;
 } | {
-    isError: true;
     content: {
         type: "text";
         text: string;
     }[];
+    isError?: undefined;
 }>;
 
 /**
@@ -1057,6 +1090,10 @@ interface ParsedLitmusFlags {
     headers: Record<string, string>;
     /** Whether to actively call state-changing tools (opt-in). */
     allowStateChanging: boolean;
+    /** Opt-in to run a stdio target's code on the host without Docker isolation. */
+    unsafeHostExec: boolean;
+    /** Aggregate wall-clock ceiling (ms) — `--timeout <seconds>`, else the default. */
+    timeoutMs: number;
     /** Non-flag arguments, in order (positionals[0] is the target). */
     positionals: string[];
 }
@@ -1072,4 +1109,4 @@ declare function parseAuthFlags(args: readonly string[], env?: NodeJS.ProcessEnv
 /** A target is an https URL, a local MCP entry file, or a registry ref. */
 declare function resolveTarget(target: string): string | StdioCommand;
 
-export { type AttestationView, BUNDLE_SCHEMA_VERSION, type BundleInput, CATEGORY_STATUS_UINT8, type CategoryCode, type CategoryResult, type CategoryStatus, type ConnectOptions, type ConnectedTarget, DEFAULT_PASSING, type EvidenceBundle, type Finding, type FindingKind, type FingerprintResult, type GateAction, type GateDecision, type Grade, type HarnessInfo, type Judge, type JudgeOptions, type JudgedQuality, LITMUS_SCHEMA, LITMUS_SKILL_SCHEMA, type LitmusAttestationFields, type LitmusGrade, type RunLitmusOptions as LitmusOptions, type LoadedSkill, METHODOLOGY_VERSION, NETWORKS, type Network, type NetworkConfig, type OnchainLitmusAttestation, type OnchainSkillAttestation, type OpenAICompatConfig, type ParsedLitmusFlags, type ParsedServerRef, type ParsedSkillRef, type ProbeContext, type ProbeId, type ProbeResult, type ProbeStatus, type QualityBundle, type QualityCheck, type QualityCheckStatus, type QualityVerdict, RUN_LITMUS_TOOL_DESCRIPTION, RUN_LITMUS_TOOL_NAME, RUN_LITMUS_TOOL_TITLE, RUN_SKILL_LITMUS_TOOL_DESCRIPTION, RUN_SKILL_LITMUS_TOOL_NAME, RUN_SKILL_LITMUS_TOOL_TITLE, type Registry, type RunLitmusOptions, type RunSkillLitmusOptions, type RunSkillQualityOptions, SKILL_BUNDLE_SCHEMA_VERSION, SKILL_METHODOLOGY_VERSION, SKILL_QUALITY_VERSION, ServerRefParseError, type Severity, type SkillAttestationFields, type SkillCategoryCode, type SkillCategoryResult, type SkillEvidenceBundle, type SkillFile, type SkillGrade, type SkillGradeForAttestation, SkillLoadError, SkillRefParseError, type SkillSource, type StdioCommand, type TargetDescriptor, type TargetInput, type TargetKind, type ToolAnnotations, type ToolDef, type ToolSafety, VERIFY_SKILL_TOOL_DESCRIPTION, VERIFY_SKILL_TOOL_NAME, VERIFY_SKILL_TOOL_TITLE, assembleBundle, canaryMatch, canonicalStringify, classifyTool, connectTarget, dangerousCommand, decodeLitmusAttestation, decodeSkillAttestation, encodeLitmusAttestation, encodeSkillAttestation, encodeSkillAttestationFields, exfilInstruction, fingerprintToolDefs, formatServerRef, formatSkillRef, gateDecision, gradeFromCategories, gradeSkillCategories, handleRunLitmus, handleRunSkillLitmus, handleVerifySkill, hasHighSeverity, instructionMimicry, internalsLeak, invisibleUnicode, judgeFromEnv, judgeSkillQuality, litmusFields, litmusSchemaUID, liveFingerprint, loadSkill, markdownTricks, networkConfig, openAICompatJudge, overBroadTrigger, parseAuthFlags, parseServerRef, parseSkillRef, readAttestation, readSkillAttestation, resolveTarget, rpcUrl, runLitmus, runLitmusInputShape, runSkillLitmus, runSkillLitmusInputShape, runSkillQuality, runSkillQualityJudged, selectedNetwork, serverKey, skillAttestationFields, skillInjection, skillInjectionFails, skillKey, skillSchemaUID, stateChangingToolNames, stripExamples, verifySkillInputShape };
+export { type AttestationView, BUNDLE_SCHEMA_VERSION, type BundleInput, CATEGORY_STATUS_UINT8, type CategoryCode, type CategoryResult, type CategoryStatus, type ConnectOptions, type ConnectedTarget, DEFAULT_PASSING, type EvidenceBundle, type Finding, type FindingKind, type FingerprintResult, type GateAction, type GateDecision, type Grade, type HarnessInfo, type Judge, type JudgeOptions, type JudgedQuality, LITMUS_SCHEMA, LITMUS_SKILL_SCHEMA, type ListToolsClient, type LitmusAttestationFields, type LitmusGrade, type RunLitmusOptions as LitmusOptions, type LoadedSkill, METHODOLOGY_VERSION, NETWORKS, type Network, type NetworkConfig, type OnchainLitmusAttestation, type OnchainSkillAttestation, type OpenAICompatConfig, type ParsedLitmusFlags, type ParsedServerRef, type ParsedSkillRef, type ProbeContext, type ProbeId, type ProbeResult, type ProbeStatus, type QualityBundle, type QualityCheck, type QualityCheckStatus, type QualityVerdict, RUN_LITMUS_TOOL_DESCRIPTION, RUN_LITMUS_TOOL_NAME, RUN_LITMUS_TOOL_TITLE, RUN_SKILL_LITMUS_TOOL_DESCRIPTION, RUN_SKILL_LITMUS_TOOL_NAME, RUN_SKILL_LITMUS_TOOL_TITLE, type Registry, type RunLitmusOptions, type RunSkillLitmusOptions, type RunSkillQualityOptions, SKILL_BUNDLE_SCHEMA_VERSION, SKILL_METHODOLOGY_VERSION, SKILL_QUALITY_VERSION, ServerRefParseError, type Severity, type SkillAttestationFields, type SkillCategoryCode, type SkillCategoryResult, type SkillEvidenceBundle, type SkillFile, type SkillGrade, type SkillGradeForAttestation, SkillLoadError, SkillRefParseError, type SkillSource, type StdioCommand, type TargetDescriptor, type TargetInput, type TargetKind, type ToolAnnotations, type ToolDef, type ToolSafety, VERIFY_SKILL_TOOL_DESCRIPTION, VERIFY_SKILL_TOOL_NAME, VERIFY_SKILL_TOOL_TITLE, assembleBundle, canaryMatch, canonicalStringify, classifyTool, connectTarget, dangerousCommand, decodeLitmusAttestation, decodeSkillAttestation, encodeLitmusAttestation, encodeSkillAttestation, encodeSkillAttestationFields, enumerateTools, exfilInstruction, fingerprintToolDefs, formatServerRef, formatSkillRef, gateDecision, gradeFromCategories, gradeSkillCategories, handleRunLitmus, handleRunSkillLitmus, handleVerifySkill, hasHighSeverity, instructionMimicry, internalsLeak, invisibleUnicode, judgeFromEnv, judgeSkillQuality, litmusFields, litmusSchemaUID, liveFingerprint, loadSkill, markdownTricks, networkConfig, openAICompatJudge, overBroadTrigger, parseAuthFlags, parseServerRef, parseSkillRef, readAttestation, readSkillAttestation, resolveTarget, rpcUrl, runLitmus, runLitmusInputShape, runSkillLitmus, runSkillLitmusInputShape, runSkillQuality, runSkillQualityJudged, selectedNetwork, serverKey, skillAttestationFields, skillInjection, skillInjectionFails, skillKey, skillSchemaUID, stateChangingToolNames, stripExamples, verifySkillInputShape };

package/dist/index.js

@@ -31,11 +31,11 @@ import {
   skillAttestationFields,
   skillSchemaUID,
   verifySkillInputShape
-} from "./chunk-Z66GKAQD.js";
+} from "./chunk-VAOQNFW3.js";
 import {
   parseAuthFlags,
   resolveTarget
-} from "./chunk-BUKDFSDO.js";
+} from "./chunk-GNPHHS6I.js";
 import {
   SKILL_BUNDLE_SCHEMA_VERSION,
   SKILL_METHODOLOGY_VERSION,
@@ -46,6 +46,7 @@ import {
   classifyTool,
   connectTarget,
   dangerousCommand,
+  enumerateTools,
   exfilInstruction,
   fingerprintToolDefs,
   gradeFromCategories,
@@ -68,7 +69,7 @@ import {
   skillInjectionFails,
   stateChangingToolNames,
   stripExamples
-} from "./chunk-RYJXVMCT.js";
+} from "./chunk-63OICX66.js";
 import {
   BUNDLE_SCHEMA_VERSION,
   CATEGORY_STATUS_UINT8,
@@ -112,16 +113,18 @@ function gateDecision(attestation, live, passing = DEFAULT_PASSING, now = BigInt
   const versionNote = attestation.resolvedVersion ? ` (graded version ${attestation.resolvedVersion})` : "";
   return { action: "pay", reason: `grade ${attestation.overallGrade}; live fingerprint matches${versionNote}` };
 }
+async function fingerprintLiveSurface(client) {
+  const defs = (await enumerateTools(client)).map((t) => ({
+    name: t.name,
+    description: t.description ?? "",
+    inputSchema: t.inputSchema ?? null
+  }));
+  return fingerprintToolDefs(defs).fingerprint;
+}
 async function liveFingerprint(target) {
   const conn = await connectTarget(target);
   try {
-    const { tools } = await conn.client.listTools();
-    const defs = (tools ?? []).map((t) => ({
-      name: t.name,
-      description: t.description ?? "",
-      inputSchema: t.inputSchema ?? null
-    }));
-    return { fingerprint: fingerprintToolDefs(defs).fingerprint, serverRef: conn.serverRef };
+    return { fingerprint: await fingerprintLiveSurface(conn.client), serverRef: conn.serverRef };
   } finally {
     await conn.teardown();
   }
@@ -160,6 +163,7 @@ export {
   encodeLitmusAttestation,
   encodeSkillAttestation,
   encodeSkillAttestationFields,
+  enumerateTools,
   exfilInstruction,
   fingerprintToolDefs,
   formatServerRef,

package/dist/mcp.js

@@ -20,11 +20,11 @@ import {
   runSkillLitmusInputShape,
   verifyInputShape,
   verifySkillInputShape
-} from "./chunk-Z66GKAQD.js";
-import "./chunk-BUKDFSDO.js";
+} from "./chunk-VAOQNFW3.js";
+import "./chunk-GNPHHS6I.js";
 import {
   judgeFromEnv
-} from "./chunk-RYJXVMCT.js";
+} from "./chunk-63OICX66.js";
 import "./chunk-44R4ZYOE.js";
 
 // src/mcp.ts

package/dist/{src-TMJOIVGB.js → src-I6AGG4CJ.js}

@@ -8,6 +8,7 @@ import {
   classifyTool,
   connectTarget,
   dangerousCommand,
+  enumerateTools,
   exfilInstruction,
   fingerprintToolDefs,
   gradeFromCategories,
@@ -30,7 +31,7 @@ import {
   skillInjectionFails,
   stateChangingToolNames,
   stripExamples
-} from "./chunk-RYJXVMCT.js";
+} from "./chunk-63OICX66.js";
 import "./chunk-44R4ZYOE.js";
 export {
   SKILL_BUNDLE_SCHEMA_VERSION,
@@ -42,6 +43,7 @@ export {
   classifyTool,
   connectTarget,
   dangerousCommand,
+  enumerateTools,
   exfilInstruction,
   fingerprintToolDefs,
   gradeFromCategories,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@polygraphso/litmus",
-  "version": "0.9.1",
+  "version": "0.10.0",
   "description": "Behavioral litmus harness for MCP servers — grade a server A–F (tool-output injection, egress, sensitive-data, adversarial-input) with reproducible, content-addressed evidence. Ships a CLI and an MCP server with a run_litmus tool for AI agents.",
   "license": "Apache-2.0",
   "homepage": "https://polygraph.so",
@@ -62,12 +62,12 @@
     "tsup": "^8.3.0",
     "typescript": "^5.9.3",
     "vitest": "^2.1.0",
-    "@polygraph/core": "0.0.0",
     "@polygraph/onchain": "0.0.0",
-    "@polygraph/agent": "0.0.0",
+    "@polygraph/core": "0.0.0",
     "@polygraph/probes": "0.0.0",
-    "@polygraph/cli": "0.0.0",
-    "@polygraph/mcp": "0.0.0"
+    "@polygraph/agent": "0.0.0",
+    "@polygraph/mcp": "0.0.0",
+    "@polygraph/cli": "0.0.0"
   },
   "publishConfig": {
     "access": "public"