litmus v1.0.0 is the first tagged release. Point it at a file, directory, or running process; it runs the sample through cleave, scores the resulting capability vector with an XGBoost model, and prints hostile, suspicious, or benign along with the capabilities that drove the call. The explanation comes from TreeSHAP on the live model, not a story told afterward.
This is a 1.0 in the SemVer "we won't break the contract" sense, not the "ship to prod" sense. The default model (scan-v16) is beta quality at best — false positives are real, false negatives are real, the thresholds will move. Use it for triage, evaluation, and feeding bug reports back upstream. Don't wire it into a production gate yet.
CPU-only inference. No network, no telemetry, Apache-2.0. CLI, JSON emitter, and HTTP server live in one binary.
Full notes on Codeberg.