plugin-scanner 2.0.105__tar.gz → 2.0.107__tar.gz

{plugin_scanner-2.0.105 → plugin_scanner-2.0.107}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.105
+Version: 2.0.107
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.105 → plugin_scanner-2.0.107}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.105"
+version = "2.0.107"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.105 → plugin_scanner-2.0.107}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.105"
+version = "2.0.107"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.105 → plugin_scanner-2.0.107}/src/codex_plugin_scanner/guard/adapters/mcp_servers.py

@@ -2,7 +2,10 @@
 
 from __future__ import annotations
 
+import json
 from dataclasses import dataclass
+from hashlib import sha256
+from pathlib import PurePath
 
 from ..models import GuardArtifact, HarnessDetection
 
@@ -31,6 +34,23 @@ _GUARD_PROXY_COMMANDS = frozenset(
     }
 )
 
+_STABLE_SLASH_FLAG_TOKENS = frozenset(
+    {
+        "/?",
+        "/debug",
+        "/dry-run",
+        "/h",
+        "/help",
+        "/quiet",
+        "/read-only",
+        "/readonly",
+        "/ro",
+        "/safe",
+        "/trace",
+        "/verbose",
+    }
+)
+
 
 def managed_stdio_servers(detection: HarnessDetection) -> tuple[ManagedMcpServer, ...]:
     """Extract local stdio MCP servers from a harness detection payload."""
@@ -76,6 +96,8 @@ def proxy_cli_args(
         guard_home,
         "--server-name",
         server.name,
+        "--server-id",
+        stable_mcp_server_identifier(server),
         "--source-scope",
         server.source_scope,
         "--config-path",
@@ -94,6 +116,24 @@ def proxy_cli_args(
     return args
 
 
+def stable_mcp_server_identifier(server: ManagedMcpServer) -> str:
+    """Build a Cloud-stable MCP server ID without local config path material."""
+
+    harness = server.harness.strip().lower()
+    source_scope = server.source_scope.strip().lower()
+    server_name = _stable_server_name(server.name)
+    payload = {
+        "harness": harness,
+        "source_scope": source_scope,
+        "name": server_name,
+        "command": _stable_command_name(server.command),
+        "args": [_stable_arg_token(value) for value in server.args],
+        "transport": server.transport,
+    }
+    digest = sha256(json.dumps(payload, sort_keys=True).encode("utf-8")).hexdigest()[:20]
+    return f"mcp_server:{harness}:{source_scope}:{server_name}:{digest}"
+
+
 def _managed_stdio_server(artifact: GuardArtifact) -> ManagedMcpServer | None:
     if artifact.artifact_type != "mcp_server":
         return None
@@ -119,6 +159,50 @@ def _managed_stdio_server(artifact: GuardArtifact) -> ManagedMcpServer | None:
     )
 
 
+def _stable_arg_token(value: str) -> str:
+    key, separator, item = value.partition("=")
+    if separator and (_looks_like_path_assignment(key, item) or _looks_like_path_token(item)):
+        return f"{key}=<path>"
+    if _looks_like_path_token(value):
+        return "<path>"
+    return value
+
+
+def _stable_server_name(value: str) -> str:
+    return value.strip().lower() or "unnamed"
+
+
+def _stable_command_name(value: str) -> str:
+    return PurePath(value.replace("\\", "/")).name.lower()
+
+
+def _looks_like_path_assignment(key: str, value: str) -> bool:
+    normalized_key = key.strip().lstrip("-/").lower().replace("_", "-")
+    path_keys = {
+        "cache",
+        "config",
+        "cwd",
+        "dir",
+        "directory",
+        "file",
+        "folder",
+        "path",
+        "root",
+        "workspace",
+        "workdir",
+    }
+    return normalized_key in path_keys and value.strip().replace("\\", "/").startswith("/")
+
+
+def _looks_like_path_token(value: str) -> bool:
+    normalized = value.strip().replace("\\", "/")
+    if normalized.startswith(("~/", "./", "../")):
+        return True
+    if normalized.startswith("/"):
+        return "/" in normalized[1:] or normalized.lower() not in _STABLE_SLASH_FLAG_TOKENS
+    return len(normalized) >= 3 and normalized[0].isalpha() and normalized[1:3] == ":/"
+
+
 def _string_env(value: object) -> dict[str, str]:
     if not isinstance(value, dict):
         return {}
@@ -149,4 +233,5 @@ __all__ = [
     "managed_stdio_servers",
     "proxy_cli_args",
     "skipped_stdio_server_names",
+    "stable_mcp_server_identifier",
 ]

{plugin_scanner-2.0.105 → plugin_scanner-2.0.107}/src/codex_plugin_scanner/guard/capabilities.py

@@ -196,6 +196,25 @@ def severity_from_deltas(deltas: tuple[CapabilityDelta, ...]) -> int:
     return max(delta.severity for delta in deltas)
 
 
+def normalized_capability_categories(capabilities: CapabilitySet) -> tuple[str, ...]:
+    """Return broad Cloud access graph categories for skills and MCP tools."""
+
+    categories: set[str] = set()
+    if capabilities.network_hosts or capabilities.network_schemes:
+        categories.add("network")
+    if capabilities.filesystem_paths:
+        categories.add("filesystem")
+    if capabilities.secret_classes:
+        categories.add("secret")
+    if capabilities.subprocess_invocation or capabilities.interpreters or capabilities.shell_wrappers:
+        categories.add("execution")
+    if capabilities.publisher:
+        categories.add("publisher")
+    if capabilities.transport != "local":
+        categories.add("transport")
+    return tuple(sorted(categories))
+
+
 def _first_seen_deltas(after: CapabilitySet) -> list[CapabilityDelta]:
     deltas: list[CapabilityDelta] = []
     if after.network_hosts:

{plugin_scanner-2.0.105 → plugin_scanner-2.0.107}/src/codex_plugin_scanner/guard/cli/commands.py

@@ -539,6 +539,7 @@ def _configure_guard_parser(guard_parser: argparse.ArgumentParser) -> None:
     codex_proxy_parser = guard_subparsers.add_parser("codex-mcp-proxy", help=argparse.SUPPRESS)
     _add_guard_common_args(codex_proxy_parser)
     codex_proxy_parser.add_argument("--server-name", required=True)
+    codex_proxy_parser.add_argument("--server-id")
     codex_proxy_parser.add_argument("--source-scope", default="project")
     codex_proxy_parser.add_argument("--config-path", required=True)
     codex_proxy_parser.add_argument("--transport", default="stdio")
@@ -548,6 +549,7 @@ def _configure_guard_parser(guard_parser: argparse.ArgumentParser) -> None:
     opencode_proxy_parser = guard_subparsers.add_parser("opencode-mcp-proxy", help=argparse.SUPPRESS)
     _add_guard_common_args(opencode_proxy_parser)
     opencode_proxy_parser.add_argument("--server-name", required=True)
+    opencode_proxy_parser.add_argument("--server-id")
     opencode_proxy_parser.add_argument("--source-scope", default="project")
     opencode_proxy_parser.add_argument("--config-path", required=True)
     opencode_proxy_parser.add_argument("--transport", default="local")
@@ -557,6 +559,7 @@ def _configure_guard_parser(guard_parser: argparse.ArgumentParser) -> None:
     copilot_proxy_parser = guard_subparsers.add_parser("copilot-mcp-proxy", help=argparse.SUPPRESS)
     _add_guard_common_args(copilot_proxy_parser)
     copilot_proxy_parser.add_argument("--server-name", required=True)
+    copilot_proxy_parser.add_argument("--server-id")
     copilot_proxy_parser.add_argument("--source-scope", default="project")
     copilot_proxy_parser.add_argument("--config-path", required=True)
     copilot_proxy_parser.add_argument("--transport", default="stdio")
@@ -807,6 +810,7 @@ def run_guard_command(
             source_scope=args.source_scope,
             config_path=args.config_path,
             transport=args.transport,
+            server_id=args.server_id,
         )
         return proxy.serve()
 
@@ -820,6 +824,7 @@ def run_guard_command(
             source_scope=args.source_scope,
             config_path=args.config_path,
             transport=args.transport,
+            server_id=args.server_id,
         )
         return proxy.serve()
 
@@ -833,6 +838,7 @@ def run_guard_command(
             source_scope=args.source_scope,
             config_path=args.config_path,
             transport=args.transport,
+            server_id=args.server_id,
         )
         return proxy.serve()
 
@@ -1253,6 +1259,7 @@ def run_guard_command(
                     decision_source="pre-tool-hook",
                     now=now,
                     signals=decision.signals,
+                    risk_categories=decision.risk_categories,
                     remember=False,
                 )
                 if _should_emit_copilot_hook_response(args):
@@ -1267,6 +1274,7 @@ def run_guard_command(
                         decision_source="pre-tool-hook",
                         now=now,
                         signals=decision.signals,
+                        risk_categories=decision.risk_categories,
                     )
                 if _should_emit_copilot_hook_response(args):
                     _emit_copilot_hook_response(
@@ -1345,6 +1353,7 @@ def run_guard_command(
                     decision_source=decision.source,
                     now=now,
                     signals=decision.signals,
+                    risk_categories=decision.risk_categories,
                     remember=False,
                 )
                 if _should_emit_copilot_hook_response(args):
@@ -1359,6 +1368,7 @@ def run_guard_command(
                 decision_source="permission-request-hook",
                 now=now,
                 signals=decision.signals,
+                risk_categories=decision.risk_categories,
             )
             approval_center_url = ensure_guard_daemon(guard_home)
             approval_flow = get_adapter(args.harness).approval_flow(managed_install=managed_install)
@@ -2010,18 +2020,19 @@ def _should_emit_native_hook_json_response(
 
 
 def _should_emit_native_hook_exit_block(args: argparse.Namespace, *, event_name: str, policy_action: str) -> bool:
-    codex_runtime_marker = (
-        os.environ.get("CODEX_HOME", "").strip() or os.environ.get("CODEX_MANAGED_BY_BUN", "").strip()
-    )
     return (
         args.harness == "codex"
         and event_name == "PreToolUse"
         and policy_action in {"block", "sandbox-required", "require-reapproval"}
         and not getattr(args, "json", False)
-        and bool(codex_runtime_marker)
+        and _is_codex_native_runtime()
     )
 
 
+def _is_codex_native_runtime() -> bool:
+    return bool(os.environ.get("CODEX_HOME", "").strip() or os.environ.get("CODEX_MANAGED_BY_BUN", "").strip())
+
+
 def _codex_browser_approval_decision(
     *,
     args: argparse.Namespace,
@@ -2040,6 +2051,8 @@ def _codex_browser_approval_decision(
         return None
     if policy_action not in {"block", "sandbox-required", "require-reapproval"}:
         return None
+    if event_name == "PreToolUse" and not _is_codex_native_runtime():
+        return None
     approval_requests = response_payload.get("approval_requests")
     if not isinstance(approval_requests, list):
         return None

{plugin_scanner-2.0.105 → plugin_scanner-2.0.107}/src/codex_plugin_scanner/guard/mcp_tool_calls.py

@@ -22,6 +22,7 @@ class ToolCallDecision:
     source: str
     signals: tuple[str, ...]
     summary: str
+    risk_categories: tuple[str, ...] = ()
 
 
 def build_tool_call_artifact(
@@ -32,9 +33,12 @@ def build_tool_call_artifact(
     source_scope: str,
     config_path: str,
     transport: str,
+    server_id: str | None = None,
     server_fingerprint: object | None = None,
 ) -> GuardArtifact:
     metadata = {"server_name": server_name}
+    if server_id is not None:
+        metadata["server_id"] = server_id
     if server_fingerprint is not None:
         metadata["server_fingerprint"] = server_fingerprint
     return GuardArtifact(
@@ -82,20 +86,24 @@ def evaluate_tool_call(
         override = config.resolve_action_override(artifact.harness, artifact.artifact_id, artifact.publisher)
     action = _coerce_guard_action(override) if isinstance(override, str) else None
     if action is not None:
+        risk_categories = tool_call_risk_categories(artifact, arguments)
         return ToolCallDecision(
             action=action,
             source="policy",
             signals=tool_call_risk_signals(artifact, arguments),
             summary="Local Guard policy matched this exact tool call.",
+            risk_categories=risk_categories,
         )
 
     signals = tool_call_risk_signals(artifact, arguments)
+    risk_categories = tool_call_risk_categories(artifact, arguments)
     if len(signals) == 0:
         return ToolCallDecision(
             action="allow",
             source="heuristic",
             signals=(),
             summary="Guard did not detect a high-risk signal in this tool call.",
+            risk_categories=(),
         )
     if config.mode == "prompt":
         return ToolCallDecision(
@@ -103,37 +111,95 @@ def evaluate_tool_call(
             source="heuristic",
             signals=signals,
             summary=tool_call_risk_summary(artifact, arguments),
+            risk_categories=risk_categories,
         )
     return ToolCallDecision(
         action="block",
         source="heuristic",
         signals=signals,
         summary=tool_call_risk_summary(artifact, arguments),
+        risk_categories=risk_categories,
     )
 
 
 def tool_call_risk_signals(artifact: GuardArtifact, arguments: object) -> tuple[str, ...]:
+    signals_by_category = {
+        "destructive_mutation": "tool name implies destructive file or system changes",
+        "command_execution": "tool name implies shell or command execution",
+        "outbound_network": "call arguments imply outbound network activity",
+        "secret_access": "call arguments mention sensitive local files or secrets",
+        "privileged_system_mutation": "call arguments imply privileged system mutation",
+    }
+    return tuple(signals_by_category[category] for category in tool_call_risk_categories(artifact, arguments))
+
+
+def tool_call_risk_categories(artifact: GuardArtifact, arguments: object) -> tuple[str, ...]:
+    """Return normalized Cloud risk categories for one MCP tool call."""
+
+    categories = _tool_call_risk_category_set(artifact, arguments)
+    order = (
+        "command_execution",
+        "destructive_mutation",
+        "outbound_network",
+        "privileged_system_mutation",
+        "secret_access",
+    )
+    return tuple(category for category in order if category in categories)
+
+
+def _tool_call_risk_category_set(artifact: GuardArtifact, arguments: object) -> set[str]:
     tool_name = PurePath(artifact.command or artifact.name).name
-    serialized_arguments = json.dumps(arguments, sort_keys=True).lower() if arguments is not None else ""
-    combined = f"{artifact.name.lower()} {serialized_arguments}"
+    serialized_arguments = _serialized_tool_arguments(arguments)
+    combined = _risk_match_text(f"{artifact.name} {serialized_arguments}")
     tool_name_tokens = set(_tool_name_tokens(tool_name))
-    signals: list[str] = []
+    categories: set[str] = set()
 
     if len(tool_name_tokens.intersection({"delete", "remove", "rm", "destroy", "erase"})) > 0:
-        signals.append("tool name implies destructive file or system changes")
+        categories.add("destructive_mutation")
     if len(tool_name_tokens.intersection({"shell", "bash", "exec", "execute", "command", "powershell"})) > 0:
-        signals.append("tool name implies shell or command execution")
-    if any(token in combined for token in ("http://", "https://", "curl", "wget", "fetch", "axios", "requests")):
-        signals.append("call arguments imply outbound network activity")
-    if any(
-        token in combined
-        for token in (".env", ".ssh", "id_rsa", "credentials", ".npmrc", ".pypirc", "token", "secret", "passwd")
+        categories.add("command_execution")
+    if _matches_any(
+        combined,
+        (
+            r"https?://",
+            _token_pattern("curl", "wget", "fetch", "axios", "requests"),
+        ),
+    ):
+        categories.add("outbound_network")
+    if _matches_any(
+        combined,
+        (
+            r"(?<![a-z0-9_-])\.env(?![a-z0-9_-])",
+            r"(?<![a-z0-9_-])\.ssh(?![a-z0-9_-])",
+            r"(?<![a-z0-9])(id[_-]?rsa|credentials|token|secret|passwd)(?![a-z0-9])",
+            r"(?<![a-z0-9_-])\.(npmrc|pypirc)(?![a-z0-9_-])",
+        ),
     ):
-        signals.append("call arguments mention sensitive local files or secrets")
-    if any(token in combined for token in ("sudo", "chmod", "chown", "launchctl", "systemctl")):
-        signals.append("call arguments imply privileged system mutation")
+        categories.add("secret_access")
+    if _matches_any(
+        combined,
+        (_token_pattern("sudo", "chmod", "chown", "launchctl", "systemctl"),),
+    ):
+        categories.add("privileged_system_mutation")
+    return categories
+
 
-    return tuple(_dedupe(signals))
+def _serialized_tool_arguments(arguments: object) -> str:
+    if arguments is None:
+        return ""
+    try:
+        return json.dumps(arguments, sort_keys=True, default=str)
+    except (TypeError, ValueError):
+        return str(arguments)
+
+
+def _matches_any(value: str, patterns: tuple[str, ...]) -> bool:
+    return any(re.search(pattern, value) is not None for pattern in patterns)
+
+
+def _token_pattern(*tokens: str) -> str:
+    alternatives = "|".join(re.escape(token) for token in tokens)
+    return rf"(?<![a-z0-9])({alternatives})(?![a-z0-9])"
 
 
 def tool_call_risk_summary(artifact: GuardArtifact, arguments: object) -> str:
@@ -154,6 +220,7 @@ def allow_tool_call(
     now: str,
     signals: tuple[str, ...],
     remember: bool,
+    risk_categories: tuple[str, ...] = (),
 ) -> GuardReceipt:
     if remember:
         store.upsert_policy(
@@ -196,6 +263,7 @@ def allow_tool_call(
             "artifact_id": artifact.artifact_id,
             "artifact_hash": artifact_hash,
             "decision_source": decision_source,
+            "risk_categories": list(risk_categories),
             "signals": list(signals),
         },
         now,
@@ -211,6 +279,7 @@ def block_tool_call(
     decision_source: str,
     now: str,
     signals: tuple[str, ...],
+    risk_categories: tuple[str, ...] = (),
 ) -> GuardReceipt:
     store.record_inventory_artifact(
         artifact=artifact,
@@ -239,6 +308,7 @@ def block_tool_call(
             "artifact_id": artifact.artifact_id,
             "artifact_hash": artifact_hash,
             "decision_source": decision_source,
+            "risk_categories": list(risk_categories),
             "signals": list(signals),
         },
         now,
@@ -258,10 +328,18 @@ def _dedupe(values: list[str]) -> list[str]:
 
 
 def _tool_name_tokens(tool_name: str) -> tuple[str, ...]:
-    camel_normalized = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", tool_name)
+    camel_normalized = _camel_token_normalized(tool_name)
     return tuple(token for token in re.findall(r"[a-z0-9]+", camel_normalized.lower()) if token)
 
 
+def _risk_match_text(value: str) -> str:
+    return _camel_token_normalized(value).lower()
+
+
+def _camel_token_normalized(value: str) -> str:
+    return re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", value)
+
+
 def _coerce_guard_action(value: str) -> GuardAction | None:
     for action in GUARD_ACTION_VALUES:
         if value == action:

{plugin_scanner-2.0.105 → plugin_scanner-2.0.107}/src/codex_plugin_scanner/guard/proxy/runtime_mcp.py

@@ -18,6 +18,7 @@ from ..mcp_tool_calls import (
     build_tool_call_artifact,
     build_tool_call_hash,
     evaluate_tool_call,
+    tool_call_risk_categories,
     tool_call_risk_summary,
 )
 from ..models import HarnessDetection
@@ -40,6 +41,7 @@ class RuntimeMcpGuardProxy:
         source_scope: str,
         config_path: str,
         transport: str = "stdio",
+        server_id: str | None = None,
     ) -> None:
         self.harness = harness
         self.server_name = server_name
@@ -50,6 +52,7 @@ class RuntimeMcpGuardProxy:
         self.source_scope = source_scope
         self.config_path = config_path
         self.transport = transport
+        self.server_id = server_id
         self._inline_prompt_available = False
         self._inline_prompt_counter = 0
         self._buffered_child_responses: dict[str, list[dict[str, Any]]] = {}
@@ -185,6 +188,7 @@ class RuntimeMcpGuardProxy:
             source_scope=self.source_scope,
             config_path=self.config_path,
             transport=self.transport,
+            server_id=self.server_id,
             server_fingerprint={
                 "command": self.command,
                 "transport": self.transport,
@@ -209,6 +213,7 @@ class RuntimeMcpGuardProxy:
                 artifact_hash=artifact_hash,
                 decision_source=_decision_source(decision.action, decision.source),
                 signals=decision.signals,
+                risk_categories=decision.risk_categories,
                 params=params,
             )
         if self._allow_after_native_prompt(decision):
@@ -222,6 +227,7 @@ class RuntimeMcpGuardProxy:
                 artifact_hash=artifact_hash,
                 decision_source="native-approved",
                 signals=decision.signals,
+                risk_categories=decision.risk_categories,
                 params=params,
             )
         if self._inline_prompt_available and approval_callback is not None:
@@ -237,6 +243,7 @@ class RuntimeMcpGuardProxy:
                     artifact_hash=artifact_hash,
                     decision_source="inline-approved",
                     signals=decision.signals,
+                    risk_categories=decision.risk_categories,
                     params=params,
                     remember=True,
                 )
@@ -248,6 +255,7 @@ class RuntimeMcpGuardProxy:
                     decision_source="inline-denied",
                     now=_now(),
                     signals=decision.signals,
+                    risk_categories=decision.risk_categories,
                 )
                 return _blocked_tool_response(
                     message.get("id"),
@@ -289,6 +297,7 @@ class RuntimeMcpGuardProxy:
         artifact_hash: str,
         decision_source: str,
         signals: tuple[str, ...],
+        risk_categories: tuple[str, ...],
         params: dict[str, Any],
         remember: bool = False,
     ) -> tuple[dict[str, Any], dict[str, Any]]:
@@ -299,6 +308,7 @@ class RuntimeMcpGuardProxy:
             decision_source=decision_source,
             now=_now(),
             signals=signals,
+            risk_categories=risk_categories,
             remember=remember,
         )
         response = self._forward_message(
@@ -537,6 +547,7 @@ class RuntimeMcpGuardProxy:
             decision_source="approval-center-pending",
             now=_now(),
             signals=signals,
+            risk_categories=tool_call_risk_categories(artifact, params.get("arguments")),
         )
         request_id = str(queued[0]["request_id"]) if queued else "unknown"
         return _blocked_tool_response(

{plugin_scanner-2.0.105 → plugin_scanner-2.0.107}/src/codex_plugin_scanner/guard/risk.py

@@ -8,6 +8,7 @@ from pathlib import PurePath
 from urllib.parse import urlsplit
 
 from .models import GuardArtifact
+from .runtime.secret_sensitivity import classify_legacy_secret_path_families
 from .runtime.signals import RiskSignalV2
 from .types import GuardSignal
 
@@ -305,12 +306,7 @@ def extract_network_hosts(text: str) -> set[str]:
 def classify_secret_paths(text: str) -> set[str]:
     """Classify secret-bearing file families referenced in text."""
 
-    lowered = text.lower()
-    classes: set[str] = set()
-    for pattern, label in _SECRET_PATH_LABELS:
-        if pattern in lowered:
-            classes.add(label)
-    return classes
+    return classify_legacy_secret_path_families(text)
 
 
 def detect_encoded_command(text: str) -> list[GuardSignal]:

{plugin_scanner-2.0.105 → plugin_scanner-2.0.107}/src/codex_plugin_scanner/guard/runtime/actions.py

@@ -11,6 +11,7 @@ from pathlib import Path, PureWindowsPath
 from typing import Literal
 
 from ..redaction import redact_text
+from .secret_sensitivity import redacted_secret_path_context
 
 GuardActionType = Literal[
     "prompt",
@@ -43,7 +44,23 @@ _SCHEMA_VERSION = 1
 _SHELL_TOOL_NAMES = frozenset({"bash", "shell", "sh", "zsh", "terminal", "run_command", "run_terminal_command"})
 _FILE_READ_TOOL_NAMES = frozenset({"read", "read_file", "open_file", "view", "view_file", "cat_file"})
 _FILE_WRITE_TOOL_NAMES = frozenset({"write", "edit", "multiedit", "write_file", "edit_file"})
-_PATH_KEYS = ("path", "file_path", "filePath", "filepath", "file", "filename", "target_path", "targetPath")
+_PATH_KEYS = (
+    "path",
+    "paths",
+    "file_path",
+    "file_paths",
+    "filePath",
+    "filePaths",
+    "filepath",
+    "file",
+    "files",
+    "filename",
+    "filenames",
+    "target_path",
+    "target_paths",
+    "targetPath",
+    "targetPaths",
+)
 _COMMAND_KEYS = ("command", "cmd", "shell_command", "shellCommand")
 _SENSITIVE_RAW_KEYS = frozenset(
     {
@@ -652,6 +669,8 @@ def _target_paths(
         value = tool_input.get(key)
         if isinstance(value, str) and value.strip():
             paths.append(value.strip())
+        elif isinstance(value, list):
+            paths.extend(item.strip() for item in value if isinstance(item, str) and item.strip())
     for text in (command, prompt_text):
         if text is not None:
             paths.extend(match.group("path") for match in _PROMPT_PATH_PATTERN.finditer(text))
@@ -687,14 +706,25 @@ def _redacted_target_path(path: str, *, home_dir: Path | str | None) -> str | No
     if stripped == "~" or stripped.startswith("~/"):
         return redact_text(stripped).text
     if stripped.startswith("~"):
+        secret_context = redacted_secret_path_context(stripped)
+        if secret_context is not None:
+            return secret_context
         target_name = Path(stripped).name or "path"
         return f".../{target_name}"
     windows_path = PureWindowsPath(stripped)
     if windows_path.is_absolute():
+        secret_context = redacted_secret_path_context(stripped)
+        if secret_context is not None:
+            return secret_context
         target_name = windows_path.name or "path"
         return f".../{target_name}"
     if _is_absolute_target_path(stripped):
-        return redacted_workspace_label(stripped, home_dir=home_dir)
+        redacted_path = redacted_workspace_label(stripped, home_dir=home_dir)
+        if redacted_path.startswith(".../"):
+            secret_context = redacted_secret_path_context(stripped)
+            if secret_context is not None:
+                return secret_context
+        return redacted_path
     return redact_text(stripped).text