From 5293b27585b8f8f4d6daa9e0e999f4fb1eb03f91 Mon Sep 17 00:00:00 2001 From: Ruben Dinis Date: Fri, 26 Jun 2026 12:10:07 +0100 Subject: [PATCH] docs: link the GitHub Marketplace listing and document the action in the install section MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The action.yml gate is published on the GitHub Marketplace as polygraphso/litmus@v1, but neither README pointed at the listing or told a reader how to wire it up. - Root README: the "Gate your CI" section now links the Marketplace listing (github.com/marketplace/actions/polygraph-mcp-gate) and names the polygraphso/litmus@v1 ref. - packages/litmus README: the Install section gains a "Gate your CI (GitHub Action)" subsection — the Marketplace link, a copy-paste mcp-gate workflow, the inputs/outputs, and the plain `npx … polygraphso-litmus ci` fallback for non-GitHub CI. Claude-Session: https://claude.ai/code/session_011FW3vDMau8UYnNWCanfT4k Co-authored-by: Claude Opus 4.8 (1M context) --- README.md | 3 +++ packages/litmus/README.md | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/README.md b/README.md index 0bb604a..7d15239 100644 --- a/README.md +++ b/README.md @@ -25,6 +25,9 @@ Fail a build when an MCP **server** or an Agent **Skill** it ships grades **D/F* behavioral litmus. For servers it is hybrid — a fast lookup of the published grade, then the harness when ungraded; for skills it is a fast static scan. Un-gradeable targets warn unless `strict`. +It's on the **[GitHub Marketplace](https://github.com/marketplace/actions/polygraph-mcp-gate)** as +`polygraphso/litmus@v1` — drop it into a workflow: + ```yaml # .github/workflows/mcp-gate.yml name: mcp-gate diff --git a/packages/litmus/README.md b/packages/litmus/README.md index 7884fb2..353d51f 100644 --- a/packages/litmus/README.md +++ b/packages/litmus/README.md 
@@ -27,6 +27,39 @@ npx -y -p @polygraphso/litmus polygraphso-litmus litmus npm/@modelcontextprotoco Requires Node ≥ 18. **Docker is optional** — without it, C-02 (egress) is skipped and the grade is capped at **B** for that run. +### Gate your CI (GitHub Action) + +Fail a build when an MCP **server** — or an Agent **Skill** it ships — grades **D/F**. +The [**polygraph MCP gate**](https://github.com/marketplace/actions/polygraph-mcp-gate) +on the GitHub Marketplace wraps the harness as `polygraphso/litmus@v1`: + +```yaml +# .github/workflows/mcp-gate.yml +name: mcp-gate +on: [pull_request] +permissions: + contents: read +jobs: + gate: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v5 + - uses: polygraphso/litmus@v1 + with: + # Auto-discovers MCP servers (.mcp.json / .vscode/mcp.json / .cursor/mcp.json) + # and skills (SKILL.md dirs). Or name them explicitly: + servers: | + npm/@modelcontextprotocol/server-filesystem + # min-grade: B # stricter than the default D/F gate + # strict: "true" # also fail on targets that cannot be graded +``` + +Inputs: `servers` · `skills` · `discover` (default `true`) · `min-grade` · `strict` · +`working-directory` · `version` · `bearer`. Outputs: `result` · `failed` · `report`. +Not on GitHub? The gate is a plain command — +`npx -y -p @polygraphso/litmus polygraphso-litmus ci` — so it runs in any CI or as a +pre-commit hook. + ## CLI ```bash
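Review bot: in the README.md hunk, the added sentence opens with "It's", which has no clear antecedent because the preceding context line ends on "Un-gradeable targets warn unless `strict`." Name the subject, for example "The gate is published on the GitHub Marketplace as `polygraphso/litmus@v1`". Consider also giving the listing title the way the package README does ("polygraph MCP gate"), since the Marketplace slug `polygraph-mcp-gate` does not match the `polygraphso/litmus` ref a reader will type, and a reader has no other way to confirm they landed on the right listing.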
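Review bot: in the packages/litmus/README.md hunk, the copy-paste workflow references both actions by mutable tag (`actions/checkout@v5`, `polygraphso/litmus@v1`), and the non-GitHub fallback `npx -y -p @polygraphso/litmus polygraphso-litmus ci` names no package version. Because this snippet is meant to be pasted into CI as a gate, add a sentence on pinning the `uses:` refs to a full commit SHA, and say whether the `version` input pins the harness version so that runs are reproducible. Separately, the Inputs line lists `bearer`, `version` and `working-directory` with no description; a short table giving purpose and default for each would help, and if `bearer` carries a token, the README should say to pass it from a repository secret rather than inline in the workflow.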