Below you will find pages that utilize the taxonomy term “Polygraphso”
July 4, 2026
Polygraph MCP gate
Version updated for https://github.com/polygraphso/litmus to version litmus-v0.26.0.
This action is used across all versions by 0 repositories.
Action Type: This is a Composite action.
Go to the GitHub Marketplace to find the latest changes.
What’s Changed
The lookup tools now attribute the calling agent — and the release pipeline publishes the MCP-registry listing automatically.
Client identity on lookups (#91): check_server, list_servers, and request_grade send the connected client’s handshake identity (name/version plus declared title, website, description, and capability keys such as sampling/roots) to polygraph.so’s aggregate per-agent usage counters. Software metadata only — nothing about the user is read or sent; all fields are optional server-side.
Official MCP Registry auto-publish (#93): pushing a litmus-v* tag now also publishes server.json to registry.modelcontextprotocol.io via GitHub OIDC, with a fail-fast version-drift check.
polygraph plugin 0.6.0: spawn pinned to this release (#92).
No grading-semantics changes: litmus-v12 / litmus-skill-v2 unchanged.
July 3, 2026
Polygraph MCP gate
Version updated for https://github.com/polygraphso/litmus to version litmus-v0.24.0.
This action is used across all versions by 0 repositories.
Action Type: This is a Composite action.
Go to the GitHub Marketplace to find the latest changes.
What’s Changed
Methodology litmus-v12 — two false-positive fixes so a server’s correct, defensive behavior is no longer graded as a fault.
C-04 (probe 3.2): a validation error that quotes the rejected input back (e.g. Pydantic input_value='…') is a safe rejection, not server-generated amplification — no longer a false D. (#85)
C-02 (probe 2.1): a mutation verb under a negation (“Cannot create or revoke keys”) no longer reads as a permission-mislabel lie; clause-scoped, so a real “Deletes… Cannot be undone.” still trips. (#85)
methodologyVersion moves litmus-v11 → litmus-v12 (a string, so older attestations coexist). Release bump in #86.
Both fixes are covered by regression tests reproduced from real servers.
July 2, 2026
Polygraph MCP gate
Version updated for https://github.com/polygraphso/litmus to version litmus-v0.23.0.
This action is used across all versions by 0 repositories.
Action Type: This is a Composite action.
Go to the GitHub Marketplace to find the latest changes.
What’s Changed
litmus-v11 — C-02 gains expected-upstream inference, fixing a first-party-egress false positive.
An honest API-wrapper server — a tool that transparently calls the API it advertises (openai_chat → api.openai.com) — made an undeclared egress attempt and was capped at D, even though the upstream is the very API its own surface names. Before an undeclared host is counted as overreach, the harness now infers whether it is a plausible upstream for the server’s own tool surface: a host named verbatim in the tool text (strong), or an egress host whose registrable label matches a non-generic brand token drawn from the surface and the package owner/name (medium, plain-TLD hosts only). A match reclassifies the attempt from overreach into an informational egress-inferred finding — disclosure, not exoneration.
July 2, 2026
Polygraph MCP gate
Version updated for https://github.com/polygraphso/litmus to version litmus-v0.22.1.
This action is used across all versions by 0 repositories.
Action Type: This is a Composite action.
Go to the GitHub Marketplace to find the latest changes.
What’s Changed
Patch release shipping the security and correctness fixes from the 2026-07-02 engineering review.
False-pass paths (grading correctness):
A1 — iptables add-op is now atomic (set -e): a partial rule insertion exits non-zero so the caller falls back to --internal instead of running with broken NAT and silently missing IP-literal/DoH egress
A2 — readOnlyHint:true can no longer bypass the exercise skip gate: unsafeToExerciseToolNames now checks the broad STATE_CHANGING_VERBS set regardless of the annotation, so a lying swap_*/buy_*/approve_*/mint_* tool is never actively bait-called
A3 — content in a JSON-RPC error response is now scanned: callToolArgs carries errorText; probes 1.2, 1.3 run scanInjection on it, probe 3.1 runs internalsLeak
A5 — MCP progress forwarding: void sendNotification(…) → .catch(() => {}) so a client disconnect during a run can’t kill the server process
Sandbox observability:
July 1, 2026
Polygraph MCP gate
Version updated for https://github.com/polygraphso/litmus to version litmus-v0.22.0.
This action is used across all versions by 0 repositories.
Action Type: This is a Composite action.
Go to the GitHub Marketplace to find the latest changes.
What’s Changed
Minor release shipping two changes from a false-positive review of the harness:
#78 fix(c02) — the C-02 egress D rationale is now actionable: it names the undeclared host(s) and points authors at polygraph.egress, and the CLI itemizes them. Messaging only — every server’s letter grade is byte-identical.
#79 feat(sandbox) — pypi/uvx MCP servers are now gradeable under the Docker sandbox. They stage wheels-only into a venv (no target code runs during staging; fails closed on sdist), resolve offline, and launch with the venv python. Both the connect and C-02 egress paths support pypi; gVisor runtime parity preserved.
methodologyVersion is unchanged (litmus-v10) — a pypi server is graded by the same rubric as an npm one.