PyPI - plugin-scanner - Versions diffs - 2.0.106__tar.gz → 2.0.108__tar.gz - Mend

plugin-scanner 2.0.106tar.gz → 2.0.108tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (351) hide show

{plugin_scanner-2.0.106 → plugin_scanner-2.0.108}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.106
+Version: 2.0.108
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.106 → plugin_scanner-2.0.108}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "plugin-scanner"
-version = "2.0.106"
+version = "2.0.108"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.106 → plugin_scanner-2.0.108}/pyproject.toml.bak RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "hol-guard"
-version = "2.0.106"
+version = "2.0.108"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.106 → plugin_scanner-2.0.108}/src/codex_plugin_scanner/guard/adapters/mcp_servers.py RENAMED Viewed

@@ -2,7 +2,10 @@
 from __future__ import annotations
+import json
 from dataclasses import dataclass
+from hashlib import sha256
+from pathlib import PurePath
 from ..models import GuardArtifact, HarnessDetection
@@ -31,6 +34,23 @@ _GUARD_PROXY_COMMANDS = frozenset(
     }
 )
+_STABLE_SLASH_FLAG_TOKENS = frozenset(
+    {
+        "/?",
+        "/debug",
+        "/dry-run",
+        "/h",
+        "/help",
+        "/quiet",
+        "/read-only",
+        "/readonly",
+        "/ro",
+        "/safe",
+        "/trace",
+        "/verbose",
+    }
+)
 def managed_stdio_servers(detection: HarnessDetection) -> tuple[ManagedMcpServer, ...]:
     """Extract local stdio MCP servers from a harness detection payload."""
@@ -76,6 +96,8 @@ def proxy_cli_args(
         guard_home,
         "--server-name",
         server.name,
+        "--server-id",
+        stable_mcp_server_identifier(server),
         "--source-scope",
         server.source_scope,
         "--config-path",
@@ -94,6 +116,24 @@ def proxy_cli_args(
     return args
+def stable_mcp_server_identifier(server: ManagedMcpServer) -> str:
+    """Build a Cloud-stable MCP server ID without local config path material."""
+    harness = server.harness.strip().lower()
+    source_scope = server.source_scope.strip().lower()
+    server_name = _stable_server_name(server.name)
+    payload = {
+        "harness": harness,
+        "source_scope": source_scope,
+        "name": server_name,
+        "command": _stable_command_name(server.command),
+        "args": [_stable_arg_token(value) for value in server.args],
+        "transport": server.transport,
+    }
+    digest = sha256(json.dumps(payload, sort_keys=True).encode("utf-8")).hexdigest()[:20]
+    return f"mcp_server:{harness}:{source_scope}:{server_name}:{digest}"
 def _managed_stdio_server(artifact: GuardArtifact) -> ManagedMcpServer | None:
     if artifact.artifact_type != "mcp_server":
         return None
@@ -119,6 +159,50 @@ def _managed_stdio_server(artifact: GuardArtifact) -> ManagedMcpServer | None:
     )
+def _stable_arg_token(value: str) -> str:
+    key, separator, item = value.partition("=")
+    if separator and (_looks_like_path_assignment(key, item) or _looks_like_path_token(item)):
+        return f"{key}=<path>"
+    if _looks_like_path_token(value):
+        return "<path>"
+    return value
+def _stable_server_name(value: str) -> str:
+    return value.strip().lower() or "unnamed"
+def _stable_command_name(value: str) -> str:
+    return PurePath(value.replace("\\", "/")).name.lower()
+def _looks_like_path_assignment(key: str, value: str) -> bool:
+    normalized_key = key.strip().lstrip("-/").lower().replace("_", "-")
+    path_keys = {
+        "cache",
+        "config",
+        "cwd",
+        "dir",
+        "directory",
+        "file",
+        "folder",
+        "path",
+        "root",
+        "workspace",
+        "workdir",
+    }
+    return normalized_key in path_keys and value.strip().replace("\\", "/").startswith("/")
+def _looks_like_path_token(value: str) -> bool:
+    normalized = value.strip().replace("\\", "/")
+    if normalized.startswith(("~/", "./", "../")):
+        return True
+    if normalized.startswith("/"):
+        return "/" in normalized[1:] or normalized.lower() not in _STABLE_SLASH_FLAG_TOKENS
+    return len(normalized) >= 3 and normalized[0].isalpha() and normalized[1:3] == ":/"
 def _string_env(value: object) -> dict[str, str]:
     if not isinstance(value, dict):
         return {}
@@ -149,4 +233,5 @@ __all__ = [
     "managed_stdio_servers",
     "proxy_cli_args",
     "skipped_stdio_server_names",
+    "stable_mcp_server_identifier",
 ]

{plugin_scanner-2.0.106 → plugin_scanner-2.0.108}/src/codex_plugin_scanner/guard/capabilities.py RENAMED Viewed

@@ -196,6 +196,25 @@ def severity_from_deltas(deltas: tuple[CapabilityDelta, ...]) -> int:
     return max(delta.severity for delta in deltas)
+def normalized_capability_categories(capabilities: CapabilitySet) -> tuple[str, ...]:
+    """Return broad Cloud access graph categories for skills and MCP tools."""
+    categories: set[str] = set()
+    if capabilities.network_hosts or capabilities.network_schemes:
+        categories.add("network")
+    if capabilities.filesystem_paths:
+        categories.add("filesystem")
+    if capabilities.secret_classes:
+        categories.add("secret")
+    if capabilities.subprocess_invocation or capabilities.interpreters or capabilities.shell_wrappers:
+        categories.add("execution")
+    if capabilities.publisher:
+        categories.add("publisher")
+    if capabilities.transport != "local":
+        categories.add("transport")
+    return tuple(sorted(categories))
 def _first_seen_deltas(after: CapabilitySet) -> list[CapabilityDelta]:
     deltas: list[CapabilityDelta] = []
     if after.network_hosts:

{plugin_scanner-2.0.106 → plugin_scanner-2.0.108}/src/codex_plugin_scanner/guard/cli/commands.py RENAMED Viewed

@@ -97,6 +97,7 @@ from ..runtime.secret_file_requests import (
     extract_sensitive_tool_action_request,
     is_explicitly_benign_tool_action_request,
 )
+from ..runtime.secret_sensitivity import SecretContentMatch, classify_secret_content
 from ..runtime.surface_server import GuardSurfaceRuntime
 from ..store import GuardStore
 from .approval_commands import add_approval_parser, run_approval_command
@@ -539,6 +540,7 @@ def _configure_guard_parser(guard_parser: argparse.ArgumentParser) -> None:
     codex_proxy_parser = guard_subparsers.add_parser("codex-mcp-proxy", help=argparse.SUPPRESS)
     _add_guard_common_args(codex_proxy_parser)
     codex_proxy_parser.add_argument("--server-name", required=True)
+    codex_proxy_parser.add_argument("--server-id")
     codex_proxy_parser.add_argument("--source-scope", default="project")
     codex_proxy_parser.add_argument("--config-path", required=True)
     codex_proxy_parser.add_argument("--transport", default="stdio")
@@ -548,6 +550,7 @@ def _configure_guard_parser(guard_parser: argparse.ArgumentParser) -> None:
     opencode_proxy_parser = guard_subparsers.add_parser("opencode-mcp-proxy", help=argparse.SUPPRESS)
     _add_guard_common_args(opencode_proxy_parser)
     opencode_proxy_parser.add_argument("--server-name", required=True)
+    opencode_proxy_parser.add_argument("--server-id")
     opencode_proxy_parser.add_argument("--source-scope", default="project")
     opencode_proxy_parser.add_argument("--config-path", required=True)
     opencode_proxy_parser.add_argument("--transport", default="local")
@@ -557,6 +560,7 @@ def _configure_guard_parser(guard_parser: argparse.ArgumentParser) -> None:
     copilot_proxy_parser = guard_subparsers.add_parser("copilot-mcp-proxy", help=argparse.SUPPRESS)
     _add_guard_common_args(copilot_proxy_parser)
     copilot_proxy_parser.add_argument("--server-name", required=True)
+    copilot_proxy_parser.add_argument("--server-id")
     copilot_proxy_parser.add_argument("--source-scope", default="project")
     copilot_proxy_parser.add_argument("--config-path", required=True)
     copilot_proxy_parser.add_argument("--transport", default="stdio")
@@ -807,6 +811,7 @@ def run_guard_command(
             source_scope=args.source_scope,
             config_path=args.config_path,
             transport=args.transport,
+            server_id=args.server_id,
         )
         return proxy.serve()
@@ -820,6 +825,7 @@ def run_guard_command(
             source_scope=args.source_scope,
             config_path=args.config_path,
             transport=args.transport,
+            server_id=args.server_id,
         )
         return proxy.serve()
@@ -833,6 +839,7 @@ def run_guard_command(
             source_scope=args.source_scope,
             config_path=args.config_path,
             transport=args.transport,
+            server_id=args.server_id,
         )
         return proxy.serve()
@@ -1253,6 +1260,7 @@ def run_guard_command(
                     decision_source="pre-tool-hook",
                     now=now,
                     signals=decision.signals,
+                    risk_categories=decision.risk_categories,
                     remember=False,
                 )
                 if _should_emit_copilot_hook_response(args):
@@ -1267,6 +1275,7 @@ def run_guard_command(
                         decision_source="pre-tool-hook",
                         now=now,
                         signals=decision.signals,
+                        risk_categories=decision.risk_categories,
                     )
                 if _should_emit_copilot_hook_response(args):
                     _emit_copilot_hook_response(
@@ -1345,6 +1354,7 @@ def run_guard_command(
                     decision_source=decision.source,
                     now=now,
                     signals=decision.signals,
+                    risk_categories=decision.risk_categories,
                     remember=False,
                 )
                 if _should_emit_copilot_hook_response(args):
@@ -1359,6 +1369,7 @@ def run_guard_command(
                 decision_source="permission-request-hook",
                 now=now,
                 signals=decision.signals,
+                risk_categories=decision.risk_categories,
             )
             approval_center_url = ensure_guard_daemon(guard_home)
             approval_flow = get_adapter(args.harness).approval_flow(managed_install=managed_install)
@@ -2010,18 +2021,19 @@ def _should_emit_native_hook_json_response(
 def _should_emit_native_hook_exit_block(args: argparse.Namespace, *, event_name: str, policy_action: str) -> bool:
-    codex_runtime_marker = (
-        os.environ.get("CODEX_HOME", "").strip() or os.environ.get("CODEX_MANAGED_BY_BUN", "").strip()
-    )
     return (
         args.harness == "codex"
         and event_name == "PreToolUse"
         and policy_action in {"block", "sandbox-required", "require-reapproval"}
         and not getattr(args, "json", False)
-        and bool(codex_runtime_marker)
+        and _is_codex_native_runtime()
     )
+def _is_codex_native_runtime() -> bool:
+    return bool(os.environ.get("CODEX_HOME", "").strip() or os.environ.get("CODEX_MANAGED_BY_BUN", "").strip())
 def _codex_browser_approval_decision(
     *,
     args: argparse.Namespace,
@@ -2040,6 +2052,8 @@ def _codex_browser_approval_decision(
         return None
     if policy_action not in {"block", "sandbox-required", "require-reapproval"}:
         return None
+    if event_name == "PreToolUse" and not _is_codex_native_runtime():
+        return None
     approval_requests = response_payload.get("approval_requests")
     if not isinstance(approval_requests, list):
         return None
@@ -3949,10 +3963,6 @@ def _hook_runtime_artifact(
     )
-_CODEX_SECRET_OUTPUT_PATTERN = re.compile(
-    r"(?i)(?:fake[_-]?credential|fake[_-]?secret|"
-    r"(?:api[_-]?key|auth[_-]?token|credential|npm[_-]?token|private[_-]?key|secret|token|password)\s*[:=])"
-)
 _CODEX_PROMPT_SECRET_KEY_MARKERS = ("TOKEN", "SECRET", "PASSWORD", "PASS", "API_KEY", "API-KEY", "AUTH", "CREDENTIAL")
 _CODEX_TOOL_RESPONSE_MAX_DEPTH = 5
 _CODEX_TOOL_RESPONSE_TEXT_LIMIT = 20000
@@ -3967,13 +3977,19 @@ def _codex_post_tool_output_artifact(
     cwd: Path | None,
 ) -> GuardArtifact | None:
     response_text = _collect_codex_tool_response_text(payload.get("tool_response"))
-    if not response_text or _CODEX_SECRET_OUTPUT_PATTERN.search(response_text) is None:
+    content_matches = classify_secret_content(response_text)
+    if not content_matches:
         return None
     tool_name = _coalesce_string(payload.get("tool_name"), "Bash")
     command_text = _codex_post_tool_command_text(payload)
     if not command_text:
         command_text = tool_name
-    if _codex_command_is_read_only_source_inspection(command_text, cwd=cwd):
+    if _codex_source_inspection_can_skip_secret_output(
+        command_text=command_text,
+        response_text=response_text,
+        content_matches=content_matches,
+        cwd=cwd,
+    ):
         return None
     fingerprint = hashlib.sha256(
         json.dumps(
@@ -4096,6 +4112,10 @@ _CODEX_SOURCE_SEARCH_EXTENSIONS = frozenset(
         ".yml",
     }
 )
+_CODEX_BENIGN_SOURCE_DOTFILES = frozenset({".nvmrc"})
+_CODEX_BENIGN_SECRET_FIXTURE_ASSIGNMENT_PATTERN = re.compile(
+    r"(?i)\s*fake[_-]?(?:credential|secret|token)\s*[:=]\s*(?:\"[^\r\n\"]+\"|'[^\r\n']+'|[^\s\"',}]+)\s*"
+)
 _CODEX_SENSITIVE_SEARCH_BASENAMES = frozenset(
     {
         ".aws",
@@ -4114,6 +4134,35 @@ _CODEX_SENSITIVE_SEARCH_BASENAMES = frozenset(
 _CODEX_SED_PRINT_SCRIPT_PATTERN = re.compile(r"^\s*(?:\$|\d+)?(?:\s*,\s*(?:\$|\d+))?p\s*$")
+def _codex_source_inspection_can_skip_secret_output(
+    *,
+    command_text: str,
+    response_text: str,
+    content_matches: tuple[SecretContentMatch, ...],
+    cwd: Path | None,
+) -> bool:
+    if not _codex_command_is_read_only_source_inspection(command_text, cwd=cwd):
+        return False
+    if any(match.sensitivity != "medium" for match in content_matches):
+        return False
+    if _codex_command_references_benign_source_dotfile(command_text):
+        return _codex_output_is_only_benign_secret_fixture(response_text)
+    return True
+def _codex_output_is_only_benign_secret_fixture(response_text: str) -> bool:
+    lines = [line for line in response_text.splitlines() if line.strip()]
+    return bool(lines) and all(_CODEX_BENIGN_SECRET_FIXTURE_ASSIGNMENT_PATTERN.fullmatch(line) for line in lines)
+def _codex_command_references_benign_source_dotfile(command_text: str) -> bool:
+    try:
+        parts = shlex.split(command_text)
+    except ValueError:
+        return False
+    return any(Path(part).name.lower() in _CODEX_BENIGN_SOURCE_DOTFILES for part in parts)
 def _codex_command_is_read_only_source_inspection(command_text: str, *, cwd: Path | None) -> bool:
     command = command_text.strip()
     if not command:
@@ -4631,13 +4680,16 @@ def _codex_search_target_is_source_like(target: str, *, cwd: Path | None) -> boo
     lowered_parts = [part.lower() for part in parts]
     if any(part in _CODEX_SENSITIVE_SEARCH_BASENAMES for part in lowered_parts):
         return False
-    if any(part.startswith(".") for part in parts):
+    hidden_parts = [part for part in lowered_parts if part.startswith(".")]
+    if hidden_parts and not all(part in _CODEX_BENIGN_SOURCE_DOTFILES for part in hidden_parts):
         return False
     normalized = "/".join(parts)
     if normalized in {prefix.rstrip("/") for prefix in _CODEX_SOURCE_SEARCH_PREFIXES}:
         return True
     if any(normalized.startswith(prefix) for prefix in _CODEX_SOURCE_SEARCH_PREFIXES):
         return True
+    if Path(stripped).name.lower() in _CODEX_BENIGN_SOURCE_DOTFILES:
+        return True
     return Path(stripped).suffix.lower() in _CODEX_SOURCE_SEARCH_EXTENSIONS
@@ -4732,7 +4784,7 @@ def _codex_prompt_credential_file_artifact(
                 content = handle.read(_PROMPT_CONTENT_SCAN_MAX_BYTES).decode("utf-8", errors="ignore")
         except OSError:
             continue
-        if _CODEX_SECRET_OUTPUT_PATTERN.search(content) is None:
+        if not classify_secret_content(content):
             continue
         normalized_path = str(path)
         fingerprint = hashlib.sha256(

{plugin_scanner-2.0.106 → plugin_scanner-2.0.108}/src/codex_plugin_scanner/guard/mcp_tool_calls.py RENAMED Viewed

@@ -22,6 +22,7 @@ class ToolCallDecision:
     source: str
     signals: tuple[str, ...]
     summary: str
+    risk_categories: tuple[str, ...] = ()
 def build_tool_call_artifact(
@@ -32,9 +33,12 @@ def build_tool_call_artifact(
     source_scope: str,
     config_path: str,
     transport: str,
+    server_id: str | None = None,
     server_fingerprint: object | None = None,
 ) -> GuardArtifact:
     metadata = {"server_name": server_name}
+    if server_id is not None:
+        metadata["server_id"] = server_id
     if server_fingerprint is not None:
         metadata["server_fingerprint"] = server_fingerprint
     return GuardArtifact(
@@ -82,20 +86,24 @@ def evaluate_tool_call(
         override = config.resolve_action_override(artifact.harness, artifact.artifact_id, artifact.publisher)
     action = _coerce_guard_action(override) if isinstance(override, str) else None
     if action is not None:
+        risk_categories = tool_call_risk_categories(artifact, arguments)
         return ToolCallDecision(
             action=action,
             source="policy",
             signals=tool_call_risk_signals(artifact, arguments),
             summary="Local Guard policy matched this exact tool call.",
+            risk_categories=risk_categories,
         )
     signals = tool_call_risk_signals(artifact, arguments)
+    risk_categories = tool_call_risk_categories(artifact, arguments)
     if len(signals) == 0:
         return ToolCallDecision(
             action="allow",
             source="heuristic",
             signals=(),
             summary="Guard did not detect a high-risk signal in this tool call.",
+            risk_categories=(),
         )
     if config.mode == "prompt":
         return ToolCallDecision(
@@ -103,37 +111,95 @@ def evaluate_tool_call(
             source="heuristic",
             signals=signals,
             summary=tool_call_risk_summary(artifact, arguments),
+            risk_categories=risk_categories,
         )
     return ToolCallDecision(
         action="block",
         source="heuristic",
         signals=signals,
         summary=tool_call_risk_summary(artifact, arguments),
+        risk_categories=risk_categories,
     )
 def tool_call_risk_signals(artifact: GuardArtifact, arguments: object) -> tuple[str, ...]:
+    signals_by_category = {
+        "destructive_mutation": "tool name implies destructive file or system changes",
+        "command_execution": "tool name implies shell or command execution",
+        "outbound_network": "call arguments imply outbound network activity",
+        "secret_access": "call arguments mention sensitive local files or secrets",
+        "privileged_system_mutation": "call arguments imply privileged system mutation",
+    }
+    return tuple(signals_by_category[category] for category in tool_call_risk_categories(artifact, arguments))
+def tool_call_risk_categories(artifact: GuardArtifact, arguments: object) -> tuple[str, ...]:
+    """Return normalized Cloud risk categories for one MCP tool call."""
+    categories = _tool_call_risk_category_set(artifact, arguments)
+    order = (
+        "command_execution",
+        "destructive_mutation",
+        "outbound_network",
+        "privileged_system_mutation",
+        "secret_access",
+    )
+    return tuple(category for category in order if category in categories)
+def _tool_call_risk_category_set(artifact: GuardArtifact, arguments: object) -> set[str]:
     tool_name = PurePath(artifact.command or artifact.name).name
-    serialized_arguments = json.dumps(arguments, sort_keys=True).lower() if arguments is not None else ""
-    combined = f"{artifact.name.lower()} {serialized_arguments}"
+    serialized_arguments = _serialized_tool_arguments(arguments)
+    combined = _risk_match_text(f"{artifact.name} {serialized_arguments}")
     tool_name_tokens = set(_tool_name_tokens(tool_name))
-    signals: list[str] = []
+    categories: set[str] = set()
     if len(tool_name_tokens.intersection({"delete", "remove", "rm", "destroy", "erase"})) > 0:
-        signals.append("tool name implies destructive file or system changes")
+        categories.add("destructive_mutation")
     if len(tool_name_tokens.intersection({"shell", "bash", "exec", "execute", "command", "powershell"})) > 0:
-        signals.append("tool name implies shell or command execution")
-    if any(token in combined for token in ("http://", "https://", "curl", "wget", "fetch", "axios", "requests")):
-        signals.append("call arguments imply outbound network activity")
-    if any(
-        token in combined
-        for token in (".env", ".ssh", "id_rsa", "credentials", ".npmrc", ".pypirc", "token", "secret", "passwd")
+        categories.add("command_execution")
+    if _matches_any(
+        combined,
+        (
+            r"https?://",
+            _token_pattern("curl", "wget", "fetch", "axios", "requests"),
+        ),
+    ):
+        categories.add("outbound_network")
+    if _matches_any(
+        combined,
+        (
+            r"(?<![a-z0-9_-])\.env(?![a-z0-9_-])",
+            r"(?<![a-z0-9_-])\.ssh(?![a-z0-9_-])",
+            r"(?<![a-z0-9])(id[_-]?rsa|credentials|token|secret|passwd)(?![a-z0-9])",
+            r"(?<![a-z0-9_-])\.(npmrc|pypirc)(?![a-z0-9_-])",
+        ),
     ):
-        signals.append("call arguments mention sensitive local files or secrets")
-    if any(token in combined for token in ("sudo", "chmod", "chown", "launchctl", "systemctl")):
-        signals.append("call arguments imply privileged system mutation")
+        categories.add("secret_access")
+    if _matches_any(
+        combined,
+        (_token_pattern("sudo", "chmod", "chown", "launchctl", "systemctl"),),
+    ):
+        categories.add("privileged_system_mutation")
+    return categories
-    return tuple(_dedupe(signals))
+def _serialized_tool_arguments(arguments: object) -> str:
+    if arguments is None:
+        return ""
+    try:
+        return json.dumps(arguments, sort_keys=True, default=str)
+    except (TypeError, ValueError):
+        return str(arguments)
+def _matches_any(value: str, patterns: tuple[str, ...]) -> bool:
+    return any(re.search(pattern, value) is not None for pattern in patterns)
+def _token_pattern(*tokens: str) -> str:
+    alternatives = "|".join(re.escape(token) for token in tokens)
+    return rf"(?<![a-z0-9])({alternatives})(?![a-z0-9])"
 def tool_call_risk_summary(artifact: GuardArtifact, arguments: object) -> str:
@@ -154,6 +220,7 @@ def allow_tool_call(
     now: str,
     signals: tuple[str, ...],
     remember: bool,
+    risk_categories: tuple[str, ...] = (),
 ) -> GuardReceipt:
     if remember:
         store.upsert_policy(
@@ -196,6 +263,7 @@ def allow_tool_call(
             "artifact_id": artifact.artifact_id,
             "artifact_hash": artifact_hash,
             "decision_source": decision_source,
+            "risk_categories": list(risk_categories),
             "signals": list(signals),
         },
         now,
@@ -211,6 +279,7 @@ def block_tool_call(
     decision_source: str,
     now: str,
     signals: tuple[str, ...],
+    risk_categories: tuple[str, ...] = (),
 ) -> GuardReceipt:
     store.record_inventory_artifact(
         artifact=artifact,
@@ -239,6 +308,7 @@ def block_tool_call(
             "artifact_id": artifact.artifact_id,
             "artifact_hash": artifact_hash,
             "decision_source": decision_source,
+            "risk_categories": list(risk_categories),
             "signals": list(signals),
         },
         now,
@@ -258,10 +328,18 @@ def _dedupe(values: list[str]) -> list[str]:
 def _tool_name_tokens(tool_name: str) -> tuple[str, ...]:
-    camel_normalized = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", tool_name)
+    camel_normalized = _camel_token_normalized(tool_name)
     return tuple(token for token in re.findall(r"[a-z0-9]+", camel_normalized.lower()) if token)
+def _risk_match_text(value: str) -> str:
+    return _camel_token_normalized(value).lower()
+def _camel_token_normalized(value: str) -> str:
+    return re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", value)
 def _coerce_guard_action(value: str) -> GuardAction | None:
     for action in GUARD_ACTION_VALUES:
         if value == action:

plugin-scanner 2.0.106__tar.gz → 2.0.108__tar.gz

plugin-scanner 2.0.106tar.gz → 2.0.108tar.gz