plugin-scanner 2.0.107__tar.gz → 2.0.108__tar.gz

{plugin_scanner-2.0.107 → plugin_scanner-2.0.108}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.107
+Version: 2.0.108
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.107 → plugin_scanner-2.0.108}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.107"
+version = "2.0.108"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.107 → plugin_scanner-2.0.108}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.107"
+version = "2.0.108"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.107 → plugin_scanner-2.0.108}/src/codex_plugin_scanner/guard/cli/commands.py

@@ -97,6 +97,7 @@ from ..runtime.secret_file_requests import (
     extract_sensitive_tool_action_request,
     is_explicitly_benign_tool_action_request,
 )
+from ..runtime.secret_sensitivity import SecretContentMatch, classify_secret_content
 from ..runtime.surface_server import GuardSurfaceRuntime
 from ..store import GuardStore
 from .approval_commands import add_approval_parser, run_approval_command
@@ -3962,10 +3963,6 @@ def _hook_runtime_artifact(
     )
 
 
-_CODEX_SECRET_OUTPUT_PATTERN = re.compile(
-    r"(?i)(?:fake[_-]?credential|fake[_-]?secret|"
-    r"(?:api[_-]?key|auth[_-]?token|credential|npm[_-]?token|private[_-]?key|secret|token|password)\s*[:=])"
-)
 _CODEX_PROMPT_SECRET_KEY_MARKERS = ("TOKEN", "SECRET", "PASSWORD", "PASS", "API_KEY", "API-KEY", "AUTH", "CREDENTIAL")
 _CODEX_TOOL_RESPONSE_MAX_DEPTH = 5
 _CODEX_TOOL_RESPONSE_TEXT_LIMIT = 20000
@@ -3980,13 +3977,19 @@ def _codex_post_tool_output_artifact(
     cwd: Path | None,
 ) -> GuardArtifact | None:
     response_text = _collect_codex_tool_response_text(payload.get("tool_response"))
-    if not response_text or _CODEX_SECRET_OUTPUT_PATTERN.search(response_text) is None:
+    content_matches = classify_secret_content(response_text)
+    if not content_matches:
         return None
     tool_name = _coalesce_string(payload.get("tool_name"), "Bash")
     command_text = _codex_post_tool_command_text(payload)
     if not command_text:
         command_text = tool_name
-    if _codex_command_is_read_only_source_inspection(command_text, cwd=cwd):
+    if _codex_source_inspection_can_skip_secret_output(
+        command_text=command_text,
+        response_text=response_text,
+        content_matches=content_matches,
+        cwd=cwd,
+    ):
         return None
     fingerprint = hashlib.sha256(
         json.dumps(
@@ -4109,6 +4112,10 @@ _CODEX_SOURCE_SEARCH_EXTENSIONS = frozenset(
         ".yml",
     }
 )
+_CODEX_BENIGN_SOURCE_DOTFILES = frozenset({".nvmrc"})
+_CODEX_BENIGN_SECRET_FIXTURE_ASSIGNMENT_PATTERN = re.compile(
+    r"(?i)\s*fake[_-]?(?:credential|secret|token)\s*[:=]\s*(?:\"[^\r\n\"]+\"|'[^\r\n']+'|[^\s\"',}]+)\s*"
+)
 _CODEX_SENSITIVE_SEARCH_BASENAMES = frozenset(
     {
         ".aws",
@@ -4127,6 +4134,35 @@ _CODEX_SENSITIVE_SEARCH_BASENAMES = frozenset(
 _CODEX_SED_PRINT_SCRIPT_PATTERN = re.compile(r"^\s*(?:\$|\d+)?(?:\s*,\s*(?:\$|\d+))?p\s*$")
 
 
+def _codex_source_inspection_can_skip_secret_output(
+    *,
+    command_text: str,
+    response_text: str,
+    content_matches: tuple[SecretContentMatch, ...],
+    cwd: Path | None,
+) -> bool:
+    if not _codex_command_is_read_only_source_inspection(command_text, cwd=cwd):
+        return False
+    if any(match.sensitivity != "medium" for match in content_matches):
+        return False
+    if _codex_command_references_benign_source_dotfile(command_text):
+        return _codex_output_is_only_benign_secret_fixture(response_text)
+    return True
+
+
+def _codex_output_is_only_benign_secret_fixture(response_text: str) -> bool:
+    lines = [line for line in response_text.splitlines() if line.strip()]
+    return bool(lines) and all(_CODEX_BENIGN_SECRET_FIXTURE_ASSIGNMENT_PATTERN.fullmatch(line) for line in lines)
+
+
+def _codex_command_references_benign_source_dotfile(command_text: str) -> bool:
+    try:
+        parts = shlex.split(command_text)
+    except ValueError:
+        return False
+    return any(Path(part).name.lower() in _CODEX_BENIGN_SOURCE_DOTFILES for part in parts)
+
+
 def _codex_command_is_read_only_source_inspection(command_text: str, *, cwd: Path | None) -> bool:
     command = command_text.strip()
     if not command:
@@ -4644,13 +4680,16 @@ def _codex_search_target_is_source_like(target: str, *, cwd: Path | None) -> boo
     lowered_parts = [part.lower() for part in parts]
     if any(part in _CODEX_SENSITIVE_SEARCH_BASENAMES for part in lowered_parts):
         return False
-    if any(part.startswith(".") for part in parts):
+    hidden_parts = [part for part in lowered_parts if part.startswith(".")]
+    if hidden_parts and not all(part in _CODEX_BENIGN_SOURCE_DOTFILES for part in hidden_parts):
         return False
     normalized = "/".join(parts)
     if normalized in {prefix.rstrip("/") for prefix in _CODEX_SOURCE_SEARCH_PREFIXES}:
         return True
     if any(normalized.startswith(prefix) for prefix in _CODEX_SOURCE_SEARCH_PREFIXES):
         return True
+    if Path(stripped).name.lower() in _CODEX_BENIGN_SOURCE_DOTFILES:
+        return True
     return Path(stripped).suffix.lower() in _CODEX_SOURCE_SEARCH_EXTENSIONS
 
 
@@ -4745,7 +4784,7 @@ def _codex_prompt_credential_file_artifact(
                 content = handle.read(_PROMPT_CONTENT_SCAN_MAX_BYTES).decode("utf-8", errors="ignore")
         except OSError:
             continue
-        if _CODEX_SECRET_OUTPUT_PATTERN.search(content) is None:
+        if not classify_secret_content(content):
             continue
         normalized_path = str(path)
         fingerprint = hashlib.sha256(

{plugin_scanner-2.0.107 → plugin_scanner-2.0.108}/src/codex_plugin_scanner/guard/runtime/secret_sensitivity.py

@@ -3,11 +3,13 @@
 from __future__ import annotations
 
 import os
+import re
 from dataclasses import dataclass
 from pathlib import Path
 from typing import Literal
 
 SecretSensitivity = Literal["high", "critical"]
+SecretContentSensitivity = Literal["medium", "high", "critical"]
 
 _AWS_CREDENTIALS_MARKER = "/".join((".aws", "credentials"))
 _DOCKER_CONFIG_MARKER = "/".join((".docker", "config.json"))
@@ -42,8 +44,12 @@ _SENSITIVE_BASENAME_LABELS = {
     ".netrc": "netrc credentials",
     ".git-credentials": "Git credential store",
     ".terraform.tfvars": "Terraform variable secrets",
+    "private-key.pem": "wallet/private-key file",
+    "private.key": "wallet/private-key file",
+    "wallet.key": "wallet/private-key file",
     "terraform.tfvars": "Terraform variable secrets",
 }
+_SENSITIVE_BASENAME_KEYWORDS = ("private-key", "private_key", "wallet-key", "wallet_key")
 _REDACTED_BASENAME_LABELS = {
     "id_rsa": "SSH private key",
     "id_ed25519": "SSH private key",
@@ -80,7 +86,86 @@ _SENSITIVE_PATH_REASONS = {
     "Terraform variable secrets": (
         "Guard treats Terraform variable files as sensitive because they often contain secrets."
     ),
+    "wallet/private-key file": (
+        "Guard treats wallet and private-key files as sensitive because they can authorize account control."
+    ),
 }
+_SECRET_ASSIGNMENT_VALUE_PATTERN = r"(?:\"[^\"\r\n]+\"|'[^'\r\n]+'|[^ \t\r\n\"',}]+)"
+_HEDERA_PRIVATE_KEY_VALUE_PATTERN = r"(?:\"(?:0x)?[0-9a-f]{64,96}\"|'(?:0x)?[0-9a-f]{64,96}'|(?:0x)?[0-9a-f]{64,96}\b)"
+_SECRET_CONTENT_PATTERNS: tuple[tuple[str, str, SecretContentSensitivity, re.Pattern[str], str], ...] = (
+    (
+        "npm-auth-token",
+        "npm auth token",
+        "high",
+        re.compile(
+            r"(?im)[\"']?\b[A-Za-z0-9_-]*(?:_authToken|npm[_-]?token)\b[\"']?\s*[:=]\s*"
+            + _SECRET_ASSIGNMENT_VALUE_PATTERN
+        ),
+        "Guard found an npm registry token pattern.",
+    ),
+    (
+        "github-token",
+        "GitHub token",
+        "high",
+        re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9_]{20,}|github_pat_[A-Za-z0-9_]{20,}_[A-Za-z0-9_]{20,})\b"),
+        "Guard found a GitHub token pattern.",
+    ),
+    (
+        "aws-access-key",
+        "AWS access key",
+        "high",
+        re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
+        "Guard found an AWS access key pattern.",
+    ),
+    (
+        "openai-api-key",
+        "OpenAI API key",
+        "high",
+        re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b"),
+        "Guard found an OpenAI API key pattern.",
+    ),
+    (
+        "anthropic-api-key",
+        "Anthropic API key",
+        "high",
+        re.compile(r"\bsk-ant-api03-[A-Za-z0-9_-]{20,}\b"),
+        "Guard found an Anthropic API key pattern.",
+    ),
+    (
+        "hedera-private-key",
+        "Hedera private key",
+        "critical",
+        re.compile(
+            r"(?im)[\"']?\b[A-Za-z0-9_-]*(?:hedera[_-]?)?(?:operator[_-]?)?private[_-]?key\b[\"']?\s*[:=]\s*"
+            + _HEDERA_PRIVATE_KEY_VALUE_PATTERN
+        ),
+        "Guard found a Hedera private-key-like value.",
+    ),
+    (
+        "pem-private-key",
+        "PEM private key",
+        "critical",
+        re.compile(r"-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----", re.MULTILINE),
+        "Guard found a PEM private key header.",
+    ),
+    (
+        "credential-marker",
+        "credential assignment",
+        "medium",
+        re.compile(r"(?i)(?:^|[^a-z0-9])fake[_-]?(?:credential|secret)\b"),
+        "Guard found credential-looking marker text.",
+    ),
+    (
+        "credential-assignment",
+        "credential assignment",
+        "medium",
+        re.compile(
+            r"(?im)[\"']?\b[A-Za-z0-9_-]*(?:api[_-]?key|auth[_-]?token|credential|credentials|npm[_-]?token|"
+            r"private[_-]?key|secret|token|password)\b[\"']?\s*[:=]\s*" + _SECRET_ASSIGNMENT_VALUE_PATTERN
+        ),
+        "Guard found credential-looking assignment text.",
+    ),
+)
 
 
 @dataclass(frozen=True, slots=True)
@@ -100,6 +185,14 @@ class SecretPathMatch:
         return self.family
 
 
+@dataclass(frozen=True, slots=True)
+class SecretContentMatch:
+    classifier: str
+    family: str
+    sensitivity: SecretContentSensitivity
+    reason: str
+
+
 def classify_secret_path(
     path: str | None,
     *,
@@ -125,11 +218,20 @@ def classify_secret_path(
             sensitivity="critical",
         )
     if basename in _SENSITIVE_BASENAME_LABELS:
+        family = _SENSITIVE_BASENAME_LABELS[basename]
+        sensitivity: SecretSensitivity = "critical" if family == "wallet/private-key file" else "high"
+        return _match(
+            requested_path=requested_path,
+            normalized_path=normalized_path,
+            family=family,
+            sensitivity=sensitivity,
+        )
+    if any(keyword in basename for keyword in _SENSITIVE_BASENAME_KEYWORDS):
         return _match(
             requested_path=requested_path,
             normalized_path=normalized_path,
-            family=_SENSITIVE_BASENAME_LABELS[basename],
-            sensitivity="high",
+            family="wallet/private-key file",
+            sensitivity="critical",
         )
     if "..." in lowered_segments and basename in _REDACTED_BASENAME_LABELS:
         family = _REDACTED_BASENAME_LABELS[basename]
@@ -170,6 +272,26 @@ def classify_legacy_secret_path_families(text: str) -> set[str]:
     return {family for marker, family in LEGACY_SECRET_PATH_TEXT_MARKERS if marker in lowered}
 
 
+def classify_secret_content(text: str | None) -> tuple[SecretContentMatch, ...]:
+    if not isinstance(text, str) or not text.strip():
+        return ()
+    matches: list[SecretContentMatch] = []
+    seen: set[str] = set()
+    for classifier, family, sensitivity, pattern, reason in _SECRET_CONTENT_PATTERNS:
+        if pattern.search(text) is None or classifier in seen:
+            continue
+        seen.add(classifier)
+        matches.append(
+            SecretContentMatch(
+                classifier=classifier,
+                family=family,
+                sensitivity=sensitivity,
+                reason=reason,
+            )
+        )
+    return tuple(matches)
+
+
 def redacted_secret_path_context(path: str) -> str | None:
     segments = tuple(segment for segment in path.replace("\\", "/").split("/") if segment)
     lowered_segments = tuple(segment.lower() for segment in segments)

{plugin_scanner-2.0.107 → plugin_scanner-2.0.108}/src/codex_plugin_scanner/version.py

@@ -1,3 +1,3 @@
 """Single source of truth for tool version."""
 
-__version__ = "2.0.107"
+__version__ = "2.0.108"

{plugin_scanner-2.0.107 → plugin_scanner-2.0.108}/tests/test_guard_risk.py

@@ -44,7 +44,12 @@ from codex_plugin_scanner.guard.runtime.secret_file_requests import (
     is_explicitly_benign_tool_action_request,
     is_file_read_tool_name,
 )
-from codex_plugin_scanner.guard.runtime.secret_sensitivity import SecretPathMatch, classify_secret_path
+from codex_plugin_scanner.guard.runtime.secret_sensitivity import (
+    SecretContentMatch,
+    SecretPathMatch,
+    classify_secret_content,
+    classify_secret_path,
+)
 from codex_plugin_scanner.guard.store import GuardStore
 
 
@@ -384,6 +389,56 @@ def test_secret_sensitivity_module_classifies_planned_secret_path_families(tmp_p
     assert match.reason
 
 
+@pytest.mark.parametrize(
+    ("path", "family"),
+    [
+        ("wallet.key", "wallet/private-key file"),
+        ("private-key.pem", "wallet/private-key file"),
+        ("operator-private-key.txt", "wallet/private-key file"),
+    ],
+)
+def test_secret_sensitivity_module_classifies_wallet_private_key_filenames(tmp_path, path, family):
+    match = classify_secret_path(path, home_dir=tmp_path)
+
+    assert isinstance(match, SecretPathMatch)
+    assert match.family == family
+    assert match.sensitivity == "critical"
+
+
+@pytest.mark.parametrize(
+    ("content", "family"),
+    [
+        ("//registry.npmjs.org/:_authToken=" + "n" * 36, "npm auth token"),
+        ('//registry.npmjs.org/:_authToken="' + "n" * 36 + '"', "npm auth token"),
+        ('MY_NPM_TOKEN="' + "n" * 36 + '"', "npm auth token"),
+        ("token=" + "ghp_" + "A" * 36, "GitHub token"),
+        ("token=" + "github_pat_" + "A" * 22 + "_" + "B" * 59, "GitHub token"),
+        ("aws_access_key_id=" + "AKIA" + "A" * 16, "AWS access key"),
+        ("OPENAI_API_KEY=" + "sk-" + "A" * 32, "OpenAI API key"),
+        ("ANTHROPIC_API_KEY=" + "sk-ant-api03-" + "A" * 60, "Anthropic API key"),
+        ("HEDERA_PRIVATE_KEY=" + "a" * 64, "Hedera private key"),
+        ('HEDERA_PRIVATE_KEY="' + "a" * 64 + '"', "Hedera private key"),
+        ("-----BEGIN " + "PRIVATE KEY-----\nredacted\n-----END " + "PRIVATE KEY-----", "PEM private key"),
+        ('TOKEN="' + "A" * 24 + '"', "credential assignment"),
+        ("auth_token='" + "B" * 24 + "'", "credential assignment"),
+        ('{"password": "' + "C" * 24 + '"}', "credential assignment"),
+        ("MY_TOKEN=fixture-token", "credential assignment"),
+        ('MY_NPM_TOKEN="fixture-token"', "credential assignment"),
+        ('{"OPENAI_API_KEY": "fixture-key"}', "credential assignment"),
+    ],
+)
+def test_secret_content_classifier_detects_planned_secret_content(content, family):
+    matches = classify_secret_content(content)
+
+    assert any(isinstance(match, SecretContentMatch) and match.family == family for match in matches)
+
+
+def test_secret_content_classifier_does_not_upgrade_npm_token_prose():
+    matches = classify_secret_content("Docs say npm token: use an environment variable instead.")
+
+    assert not any(match.family == "npm auth token" for match in matches)
+
+
 def test_file_read_request_classifier_is_argument_aware(tmp_path):
     env_request = extract_sensitive_file_read_request("read_file", {"path": ".env.local"})
     claude_request = extract_sensitive_file_read_request("Read", {"file_path": "~/.ssh/config"}, home_dir=tmp_path)

{plugin_scanner-2.0.107 → plugin_scanner-2.0.108}/tests/test_guard_runtime.py

@@ -879,6 +879,172 @@ clearer UX and an implementation plan with technical references.
         assert output["recorded"] is True
         assert "approval_requests" not in output
 
+    def test_codex_post_tool_use_allows_benign_nvmrc_fake_credential_fixture(
+        self,
+        monkeypatch,
+        tmp_path,
+        capsys,
+    ) -> None:
+        home_dir = tmp_path / "home"
+        workspace_dir = tmp_path / "workspace"
+        _build_guard_fixture(home_dir, workspace_dir)
+        _write_text(workspace_dir / ".nvmrc", "fake_credential=fixture-only\n")
+        event = {
+            "event": "PostToolUse",
+            "tool_name": "Bash",
+            "tool_input": {"command": "cat .nvmrc"},
+            "tool_response": {"stdout": "fake_credential=fixture-only\n"},
+            "source_scope": "project",
+        }
+        monkeypatch.setattr(sys, "stdin", io.StringIO(json.dumps(event)))
+
+        rc = main(
+            [
+                "guard",
+                "hook",
+                "--home",
+                str(home_dir),
+                "--workspace",
+                str(workspace_dir),
+                "--harness",
+                "codex",
+                "--json",
+            ]
+        )
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc == 0
+        assert output["recorded"] is True
+        assert "approval_requests" not in output
+
+    @pytest.mark.parametrize(
+        "secret_output",
+        [
+            "NPM_TOKEN=" + "n" * 36 + "\n",
+            'NPM_TOKEN="' + "n" * 36 + '"\n',
+            "DB_PASSWORD=fixture-pass\n",
+            "auth_token='fixture-token'\n",
+        ],
+    )
+    def test_codex_post_tool_use_blocks_nvmrc_high_confidence_secret(
+        self,
+        monkeypatch,
+        tmp_path,
+        capsys,
+        secret_output,
+    ) -> None:
+        home_dir = tmp_path / "home"
+        workspace_dir = tmp_path / "workspace"
+        _build_guard_fixture(home_dir, workspace_dir)
+        _write_text(workspace_dir / ".nvmrc", secret_output)
+        event = {
+            "event": "PostToolUse",
+            "tool_name": "Bash",
+            "tool_input": {"command": "cat .nvmrc"},
+            "tool_response": {"stdout": secret_output},
+            "source_scope": "project",
+        }
+        monkeypatch.setenv("CODEX_HOME", str(home_dir / ".codex"))
+        monkeypatch.setattr(guard_commands_module, "ensure_guard_daemon", lambda _guard_home: "http://127.0.0.1:4455")
+        monkeypatch.setattr(sys, "stdin", io.StringIO(json.dumps(event)))
+
+        rc = main(
+            [
+                "guard",
+                "hook",
+                "--home",
+                str(home_dir),
+                "--workspace",
+                str(workspace_dir),
+                "--harness",
+                "codex",
+            ]
+        )
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc == 0
+        assert output["continue"] is False
+        assert "credential-looking output" in output["stopReason"]
+
+    def test_codex_post_tool_use_blocks_nvmrc_mixed_fake_and_secret_assignments(
+        self,
+        monkeypatch,
+        tmp_path,
+        capsys,
+    ) -> None:
+        home_dir = tmp_path / "home"
+        workspace_dir = tmp_path / "workspace"
+        _build_guard_fixture(home_dir, workspace_dir)
+        secret_output = "fake_credential=fixture-only\nDB_PASSWORD=fixture-pass\n"
+        _write_text(workspace_dir / ".nvmrc", secret_output)
+        event = {
+            "event": "PostToolUse",
+            "tool_name": "Bash",
+            "tool_input": {"command": "cat .nvmrc"},
+            "tool_response": {"stdout": secret_output},
+            "source_scope": "project",
+        }
+        monkeypatch.setenv("CODEX_HOME", str(home_dir / ".codex"))
+        monkeypatch.setattr(guard_commands_module, "ensure_guard_daemon", lambda _guard_home: "http://127.0.0.1:4455")
+        monkeypatch.setattr(sys, "stdin", io.StringIO(json.dumps(event)))
+
+        rc = main(
+            [
+                "guard",
+                "hook",
+                "--home",
+                str(home_dir),
+                "--workspace",
+                str(workspace_dir),
+                "--harness",
+                "codex",
+            ]
+        )
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc == 0
+        assert output["continue"] is False
+        assert "credential-looking output" in output["stopReason"]
+
+    def test_codex_post_tool_use_allows_docs_fake_token_examples(
+        self,
+        monkeypatch,
+        tmp_path,
+        capsys,
+    ) -> None:
+        home_dir = tmp_path / "home"
+        workspace_dir = tmp_path / "workspace"
+        _build_guard_fixture(home_dir, workspace_dir)
+        docs_file = workspace_dir / "docs" / "secret-examples.md"
+        _write_text(docs_file, "Use fake_token=example-only in docs.\n")
+        event = {
+            "event": "PostToolUse",
+            "tool_name": "Bash",
+            "tool_input": {"command": "cat docs/secret-examples.md"},
+            "tool_response": {"stdout": "Use fake_token=example-only in docs.\n"},
+            "source_scope": "project",
+        }
+        monkeypatch.setattr(sys, "stdin", io.StringIO(json.dumps(event)))
+
+        rc = main(
+            [
+                "guard",
+                "hook",
+                "--home",
+                str(home_dir),
+                "--workspace",
+                str(workspace_dir),
+                "--harness",
+                "codex",
+                "--json",
+            ]
+        )
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc == 0
+        assert output["recorded"] is True
+        assert "approval_requests" not in output
+
     def test_codex_post_tool_use_allows_short_option_value_payloads(
         self,
         monkeypatch,
@@ -10911,7 +11077,7 @@ def test_guard_hook_codex_post_tool_use_blocks_credential_looking_output(
     event = {
         "hook_event_name": "PostToolUse",
         "tool_name": "Bash",
-        "tool_input": {"command": "cat .nvmrc"},
+        "tool_input": {"command": "cat .authrc"},
         "tool_response": {"stdout": "HOL_GUARD_FAKE_CREDENTIAL=fixture-only\n"},
         "source_scope": "project",
     }
@@ -10958,7 +11124,7 @@ def test_guard_hook_codex_post_tool_use_browser_approval_resumes_result(
     event = {
         "hook_event_name": "PostToolUse",
         "tool_name": "Bash",
-        "tool_input": {"command": "cat .nvmrc"},
+        "tool_input": {"command": "cat .authrc"},
         "tool_response": {"stdout": "HOL_GUARD_FAKE_CREDENTIAL=fixture-only\n"},
         "source_scope": "project",
     }
@@ -11440,7 +11606,7 @@ def test_guard_hook_codex_runtime_risk_ignores_broad_allow_policy(
     event = {
         "hook_event_name": "PostToolUse",
         "tool_name": "Bash",
-        "tool_input": {"command": "sed -n '1,20p' .nvmrc"},
+        "tool_input": {"command": "sed -n '1,20p' .authrc"},
         "tool_response": "fake_credential\n",
         "source_scope": "project",
     }

{plugin_scanner-2.0.107 → plugin_scanner-2.0.108}/tests/test_guard_runtime_detectors.py

@@ -248,6 +248,9 @@ def test_register_default_detectors_includes_secret_path_detector():
         "~/.docker/" + "config.json",
         "~/.kube/config",
         ".terraform.tfvars",
+        "wallet.key",
+        "private-key.pem",
+        "operator-private-key.txt",
     ],
 )
 def test_default_secret_path_detector_flags_planned_direct_file_reads(tmp_path, path):