Skip to content

Releases: polygraphso/litmus

@polygraphso/litmus 0.22.0

Choose a tag to compare

@RubenSousaDinis RubenSousaDinis released this 01 Jul 07:55
079cd2b

Minor release shipping two changes from a false-positive review of the harness:

  • #78 fix(c02) — the C-02 egress D rationale is now actionable: it names the undeclared host(s) and points authors at polygraph.egress, and the CLI itemizes them. Messaging only — every server's letter grade is byte-identical.
  • #79 feat(sandbox)pypi/uvx MCP servers are now gradeable under the Docker sandbox. They stage wheels-only into a venv (no target code runs during staging; fails closed on sdist), resolve offline, and launch with the venv python. Both the connect and C-02 egress paths support pypi; gVisor runtime parity preserved.

methodologyVersion is unchanged (litmus-v10) — a pypi server is graded by the same rubric as an npm one.

@polygraphso/litmus 0.21.1

Choose a tag to compare

@RubenSousaDinis RubenSousaDinis released this 30 Jun 13:36
7054db7

instruction-mimicry fixes (#74): the MEDIUM bare-imperative ('you must / need to …') is dropped for skills — their normal instructional voice, never a fail — and the imperative match captures a whole word instead of a mid-word fragment. Grading semantics unchanged.

@polygraphso/litmus 0.21.0

Choose a tag to compare

@RubenSousaDinis RubenSousaDinis released this 30 Jun 12:04
0a0ea97

On-chain EAS schema update (#72): evidence referenced by bytes32 evidenceHash + string evidenceURI instead of an IPFS CID, and every graded category encoded as a per-category uint8 slot (server adds gradeC04; skills keep S-01/S-03/S-04). The encode/decode/read surface and the verify-attestation tools change accordingly.

@polygraphso/litmus 0.20.0

Choose a tag to compare

@RubenSousaDinis RubenSousaDinis released this 29 Jun 15:18
3e443be

Harden the agent gate and CI action for value-routing and untrusted CI.

  • Opt-in GateOptions (allowedAttesters, acceptedMethodologyVersions, requireEgressVerified), all default-off; new PAYMENT_PASSING ({A}); DEFAULT_PASSING → {A,B}.
  • On-chain methodologyVersion and a derived egressVerified surfaced on the read path, so a payment gate can tell an egress-verified local A from a remote/no-sandbox B.
  • CI action auto-discovery now defaults off; ci warns when discovery is on.

Ships #70 + #71. Backward-compatible (new optional surface only).

@polygraphso/litmus 0.19.1

Choose a tag to compare

@RubenSousaDinis RubenSousaDinis released this 26 Jun 07:52
006d05e

Patch for the C-02 transfer-qualifier false positive (#61), still litmus-v10. The qualifier slot in the 'transfers ' pattern now accepts only a number or token-standard id ('transfers 5 tokens', 'transfers ERC-20 tokens'), not an arbitrary word, so read-only docs like 'token transfers with token metadata' / 'transfers per token' are no longer false-flagged as permission-mislabel.

@polygraphso/litmus 0.19.0

Choose a tag to compare

@RubenSousaDinis RubenSousaDinis released this 25 Jun 23:31
d7e9e48

C-02 probe 2.1: narrowed permission-mislabel signals (litmus-v10). The 'transfers' description pattern now requires a value object (allowing one qualifier word, so 'transfers ERC-20 tokens' still trips while 'token transfers' / 'transfer history' do not), and a bare destination address (toAddress) is no longer treated as value movement. Honestly read-only explorer / quote / data tools are no longer false-flagged; a genuine read-only liar (destructive name verb, strong param, or 'transfers funds' description) still fails. Ships #58.

@polygraphso/litmus 0.18.2

Choose a tag to compare

@RubenSousaDinis RubenSousaDinis released this 25 Jun 22:50
5d9a8ec

Fix the GitHub Action's npx invocation so it actually runs — 0.18.0/0.18.1 errored could not determine executable to run (the package's bins don't match the package name). Now npx -p @polygraphso/litmus polygraphso-litmus ci. Also adds a dogfood polygraph-gate CI on the repo. Package code unchanged vs 0.18.1. PRs: #55, #56.

@polygraphso/litmus 0.18.1

Choose a tag to compare

@RubenSousaDinis RubenSousaDinis released this 25 Jun 15:23
55a17ae

Docs + branding patch (no code change vs 0.18.0): the README now leads with the GitHub Action setup (current for servers and skills) with single-row badges, and the action branding icon is award. Carried into a release so the Marketplace listing picks up the branding. PRs: #49, #50, #51.

@polygraphso/litmus 0.18.0

Choose a tag to compare

@RubenSousaDinis RubenSousaDinis released this 25 Jun 14:23
0878c12

First release with the polygraphso ci command and the composite GitHub Action — uses: polygraphso/litmus@v1 — that fails a build when an MCP server or an Agent Skill grades D/F (hybrid published-lookup → behavioral harness for servers; static runSkillLitmus for skills; discovery + explicit targets; --min-grade/--strict). Also ships the litmus-v9 C-04 payload-masking fix.

PRs: #44 (ci command + Action), #47 (release).

@polygraphso/litmus 0.17.1

Choose a tag to compare

@RubenSousaDinis RubenSousaDinis released this 25 Jun 13:02
5678e1b

Skill-litmus false-positive fix — litmus-skill-v2.

Two over-broad signals in the static skill scanner were flooring honest skills to F (the skill-side analog of the litmus-v8 server fix):

  • S-01 (injection): a quoted/referenced attack phrase — a security or defensive skill documenting "ignore previous instructions" in a detection table or example list — no longer floors the grade. A bare directive (no opening quote) still fails.
  • S-03 (exfil): a defensive sentence (treat it as data, never execute/follow it) or an onboarding step (sign up for an API key at <url>) no longer floors the grade. A bare exfil directive (upload all secrets to https://evil.tld) still fails.

On a 113-skill corpus this takes the S-01/S-03 false-fail rate to 0%; real positives (bare directives, curl … | sh installers) still grade D/F. SKILL_METHODOLOGY_VERSION is bumped litmus-skill-v1 → litmus-skill-v2 (string field; v1/v2 grades coexist). The server C-01 scanner is untouched.

Ships #43 · version bump #45.