plugin-scanner 2.0.109__tar.gz → 2.0.110__tar.gz

{plugin_scanner-2.0.109 → plugin_scanner-2.0.110}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.109
+Version: 2.0.110
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.109 → plugin_scanner-2.0.110}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.109"
+version = "2.0.110"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.109 → plugin_scanner-2.0.110}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.109"
+version = "2.0.110"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.109 → plugin_scanner-2.0.110}/src/codex_plugin_scanner/guard/cli/commands.py

@@ -97,7 +97,7 @@ from ..runtime.secret_file_requests import (
     extract_sensitive_tool_action_request,
     is_explicitly_benign_tool_action_request,
 )
-from ..runtime.secret_sensitivity import SecretContentMatch, classify_secret_content
+from ..runtime.secret_sensitivity import SecretContentMatch, classify_secret_content, classify_secret_path
 from ..runtime.surface_server import GuardSurfaceRuntime
 from ..store import GuardStore
 from .approval_commands import add_approval_parser, run_approval_command
@@ -2999,16 +2999,47 @@ def _runtime_stored_policy_action(
 def _runtime_artifact_policy_action(config: GuardConfig, artifact: GuardArtifact, harness: str) -> str:
     if _prompt_requires_hard_block(artifact):
         return "block"
-    risk_actions = [
-        resolve_risk_action(config, risk_class, harness=_canonical_harness_name(harness))
-        for risk_class in _runtime_artifact_risk_classes(artifact)
-    ]
+    canonical_harness = _canonical_harness_name(harness)
+    risk_classes = _runtime_artifact_risk_classes(artifact)
+    has_configured_risk_action = any(
+        _resolve_configured_risk_action(config, risk_class, harness=canonical_harness) for risk_class in risk_classes
+    )
+    if has_configured_risk_action:
+        risk_actions = [
+            _resolve_configured_risk_action(config, risk_class, harness=canonical_harness)
+            or resolve_risk_action(config, risk_class, harness=canonical_harness)
+            for risk_class in risk_classes
+        ]
+        resolved_actions = [action for action in risk_actions if action in VALID_GUARD_ACTIONS]
+        if resolved_actions:
+            return max(resolved_actions, key=_guard_action_severity)
+    guard_default_action = _runtime_artifact_guard_default_action(artifact)
+    if guard_default_action is not None:
+        return guard_default_action
+    risk_actions = [resolve_risk_action(config, risk_class, harness=canonical_harness) for risk_class in risk_classes]
     resolved_actions = [action for action in risk_actions if action in VALID_GUARD_ACTIONS]
     if resolved_actions:
         return max(resolved_actions, key=_guard_action_severity)
     return SAFE_CHANGED_HASH_ACTION
 
 
+def _resolve_configured_risk_action(config: GuardConfig, risk_class: str, *, harness: str) -> str | None:
+    if config.harness_risk_actions is not None:
+        harness_actions = config.harness_risk_actions.get(harness)
+        if harness_actions is not None and risk_class in harness_actions:
+            return harness_actions[risk_class]
+    if config.risk_actions is not None and risk_class in config.risk_actions:
+        return config.risk_actions[risk_class]
+    return None
+
+
+def _runtime_artifact_guard_default_action(artifact: GuardArtifact) -> str | None:
+    value = artifact.metadata.get("guard_default_action")
+    if value in VALID_GUARD_ACTIONS:
+        return str(value)
+    return None
+
+
 def _guard_action_severity(action: str) -> int:
     return {
         "allow": 0,
@@ -3985,13 +4016,16 @@ def _codex_post_tool_output_artifact(
     cwd: Path | None,
 ) -> GuardArtifact | None:
     response_text = _collect_codex_tool_response_text(payload.get("tool_response"))
-    content_matches = classify_secret_content(response_text)
-    if not content_matches:
-        return None
     tool_name = _coalesce_string(payload.get("tool_name"), "Bash")
     command_text = _codex_post_tool_command_text(payload)
     if not command_text:
         command_text = tool_name
+    references_local_content = _codex_command_may_read_local_content(command_text, cwd=cwd)
+    content_matches = classify_secret_content(response_text)
+    if not content_matches and references_local_content:
+        content_matches = classify_secret_content(response_text, suppress_samples=False)
+    if not content_matches:
+        return None
     if _codex_source_inspection_can_skip_secret_output(
         command_text=command_text,
         response_text=response_text,
@@ -4009,6 +4043,10 @@ def _codex_post_tool_output_artifact(
             sort_keys=True,
         ).encode("utf-8")
     ).hexdigest()
+    runtime_default_action = "require-reapproval" if references_local_content else "warn"
+    runtime_request_signals = ["tool output contains credential-looking material"]
+    if references_local_content:
+        runtime_request_signals.append("command references a sensitive local source")
     return GuardArtifact(
         artifact_id=f"codex:{source_scope}:tool-output:{fingerprint}",
         name=f"{tool_name} credential-looking output",
@@ -4020,10 +4058,11 @@ def _codex_post_tool_output_artifact(
             "tool_name": tool_name,
             "command_text": command_text,
             "action_class": "credential exfiltration shell command",
+            "guard_default_action": runtime_default_action,
             "request_summary": (
                 f"Codex tool `{tool_name}` produced credential-looking output while running `{command_text}`."
             ),
-            "runtime_request_signals": ["tool output contains credential-looking material"],
+            "runtime_request_signals": runtime_request_signals,
             "runtime_request_summary": (
                 "Requests a sensitive native tool action: credential-looking output reached Codex."
             ),
@@ -4035,6 +4074,209 @@ def _codex_post_tool_output_artifact(
     )
 
 
+def _codex_command_references_sensitive_local_source(command_text: str, *, cwd: Path | None) -> bool:
+    if _codex_text_contains_sensitive_path_token(command_text, cwd=cwd):
+        return True
+    try:
+        parts = shlex.split(command_text)
+    except ValueError:
+        return False
+    for part in parts:
+        stripped = part.strip()
+        if not stripped or stripped.startswith("-"):
+            continue
+        if _codex_token_is_url(stripped):
+            continue
+        if classify_secret_path(stripped, cwd=cwd) is not None:
+            return True
+    return False
+
+
+def _codex_token_is_url(token: str) -> bool:
+    parsed = urllib.parse.urlparse(token)
+    return bool(parsed.scheme and parsed.netloc)
+
+
+def _codex_text_contains_sensitive_path_token(text: str, *, cwd: Path | None) -> bool:
+    for match in _PROMPT_PATH_TOKEN_PATTERN.finditer(text):
+        if _codex_path_token_is_url_path(text, match.start()):
+            continue
+        if classify_secret_path(match.group(0), cwd=cwd) is not None:
+            return True
+    return False
+
+
+def _codex_path_token_is_url_path(text: str, start: int) -> bool:
+    prefix = text[:start].lower()
+    last_separator = max(prefix.rfind(separator) for separator in " \t\r\n'\"`<>|;(){}[]")
+    token_prefix = prefix[last_separator + 1 :]
+    if "://" in token_prefix:
+        return True
+    scheme = ""
+    if token_prefix.endswith(":/"):
+        scheme = token_prefix[:-2]
+    elif token_prefix.endswith(":"):
+        scheme = token_prefix[:-1]
+    return _codex_token_prefix_is_url_scheme(scheme)
+
+
+def _codex_token_prefix_is_url_scheme(scheme: str) -> bool:
+    return bool(scheme) and scheme[0].isalpha() and all(char.isalnum() or char in "+.-" for char in scheme)
+
+
+def _codex_command_may_read_local_content(command_text: str, *, cwd: Path | None) -> bool:
+    if _codex_command_references_sensitive_local_source(command_text, cwd=cwd):
+        return True
+    if any(marker in command_text for marker in ("$(", "${", "`")):
+        return True
+    pipeline_segments = _split_codex_safe_read_only_pipeline(command_text)
+    if pipeline_segments is not None:
+        return any(
+            _codex_pipeline_segment_may_read_local_content(segment, index=index, cwd=cwd)
+            for index, segment in enumerate(pipeline_segments)
+        )
+    try:
+        parts = _codex_shell_split(command_text)
+    except ValueError:
+        return True
+    return _codex_command_parts_may_read_local_content(parts, cwd=cwd)
+
+
+def _codex_pipeline_segment_may_read_local_content(segment: str, *, index: int, cwd: Path | None) -> bool:
+    try:
+        parts = _codex_shell_split(segment)
+    except ValueError:
+        return True
+    if not parts:
+        return False
+    if index == 0:
+        return _codex_command_parts_may_read_local_content(parts, cwd=cwd)
+    return _codex_command_is_read_only_source_search(segment, cwd=cwd) or _codex_command_is_read_only_source_view(
+        segment, cwd=cwd
+    )
+
+
+def _codex_command_parts_may_read_local_content(parts: list[str], *, cwd: Path | None) -> bool:
+    for start in _codex_command_start_indexes(parts):
+        previous_token = parts[start - 1] if start > 0 else None
+        segment_parts = _codex_command_segment_parts(parts, start)
+        if previous_token == "|":
+            if _codex_command_sequence_is_read_only_source_inspection(segment_parts, cwd=cwd):
+                return True
+            continue
+        if _codex_command_sequence_starts_with_local_reader(segment_parts, cwd=cwd):
+            return True
+    return False
+
+
+def _codex_command_start_indexes(parts: list[str]) -> list[int]:
+    starts = [0] if parts else []
+    for index, part in enumerate(parts[:-1]):
+        if part in {"&&", "||", ";", "&", "|", "|&"}:
+            starts.append(index + 1)
+    return starts
+
+
+def _codex_command_segment_parts(parts: list[str], start: int) -> list[str]:
+    end = start
+    while end < len(parts) and parts[end] not in {"&&", "||", ";", "&", "|", "|&"}:
+        end += 1
+    return parts[start:end]
+
+
+def _codex_command_sequence_is_read_only_source_inspection(parts: list[str], *, cwd: Path | None) -> bool:
+    command_parts = _codex_unwrapped_command_parts(parts)
+    if not command_parts:
+        return False
+    segment = shlex.join(command_parts)
+    return _codex_command_is_read_only_source_search(segment, cwd=cwd) or _codex_command_is_read_only_source_view(
+        segment, cwd=cwd
+    )
+
+
+def _codex_command_sequence_starts_with_local_reader(parts: list[str], *, cwd: Path | None) -> bool:
+    command_parts = _codex_unwrapped_command_parts(parts)
+    if not command_parts:
+        return False
+    if _codex_command_parts_are_git_grep(command_parts):
+        return True
+    return _codex_command_part_is_local_reader(command_parts, 0, cwd=cwd)
+
+
+def _codex_command_parts_are_git_grep(parts: list[str]) -> bool:
+    return bool(parts) and Path(parts[0]).name.lower() == "git" and _git_grep_search_args(parts[1:]) is not None
+
+
+def _codex_unwrapped_command_parts(parts: list[str]) -> list[str]:
+    remaining = parts
+    while remaining:
+        executable = Path(remaining[0]).name.lower()
+        if executable == "command":
+            remaining = _codex_strip_command_wrapper(remaining[1:])
+            continue
+        if executable == "env":
+            remaining = _codex_strip_env_wrapper(remaining[1:])
+            continue
+        return remaining
+    return []
+
+
+def _codex_strip_command_wrapper(parts: list[str]) -> list[str]:
+    index = 0
+    while index < len(parts) and parts[index] in {"-p", "-v", "-V"}:
+        index += 1
+    if index < len(parts) and parts[index] == "--":
+        index += 1
+    return parts[index:]
+
+
+def _codex_strip_env_wrapper(parts: list[str]) -> list[str]:
+    index = 0
+    while index < len(parts):
+        part = parts[index]
+        if part == "--":
+            return parts[index + 1 :]
+        if part in {"-i", "-0", "--ignore-environment", "--null"}:
+            index += 1
+            continue
+        if part in {"-u", "--unset", "-C", "--chdir", "-S", "--split-string"}:
+            index += 2
+            continue
+        if part.startswith(("--unset=", "--chdir=", "--split-string=")):
+            index += 1
+            continue
+        if part.startswith("-"):
+            index += 1
+            continue
+        if "=" in part and not part.startswith("="):
+            index += 1
+            continue
+        return parts[index:]
+    return []
+
+
+def _codex_shell_split(command_text: str) -> list[str]:
+    lexer = shlex.shlex(command_text, posix=True, punctuation_chars=True)
+    lexer.whitespace_split = True
+    lexer.commenters = ""
+    return list(lexer)
+
+
+def _codex_command_part_is_local_reader(parts: list[str], index: int, *, cwd: Path | None) -> bool:
+    local_read_commands = {"cat", "grep", "head", "rg", "sed", "tail"}
+    executable = Path(parts[index]).name.lower()
+    if executable not in local_read_commands:
+        return False
+    if index == 0:
+        return True
+    if parts[index - 1] == "|":
+        segment = shlex.join(parts[index:])
+        return _codex_command_is_read_only_source_search(segment, cwd=cwd) or _codex_command_is_read_only_source_view(
+            segment, cwd=cwd
+        )
+    return parts[index - 1] in {"&&", "||", ";", "&", "|&"}
+
+
 def _codex_post_tool_command_is_read_only_source_inspection(
     *,
     payload: dict[str, object],

{plugin_scanner-2.0.109 → plugin_scanner-2.0.110}/src/codex_plugin_scanner/guard/consumer/service.py

@@ -16,6 +16,7 @@ from ..config import GuardConfig
 from ..incident import build_incident_context
 from ..models import GuardArtifact, HarnessDetection, PolicyDecision
 from ..policy import build_decision_v2, decide_action
+from ..policy.engine import VALID_GUARD_ACTIONS
 from ..receipts import build_receipt
 from ..risk import artifact_risk_signals_typed, artifact_risk_summary, summarize_signals
 from ..runtime.signals import RiskSignalV2
@@ -102,6 +103,13 @@ def _is_blocking_action(policy_action: str) -> bool:
     return policy_action in {"block", "sandbox-required", "require-reapproval"}
 
 
+def _guard_default_action(artifact: GuardArtifact) -> str | None:
+    value = artifact.metadata.get("guard_default_action")
+    if value in VALID_GUARD_ACTIONS:
+        return str(value)
+    return None
+
+
 def _build_removed_provenance(previous: dict[str, object]) -> str:
     scope = previous.get("source_scope")
     config_path = previous.get("config_path")
@@ -395,7 +403,7 @@ def evaluate_detection(
             "file_read_request",
             "tool_action_request",
         }:
-            policy_action = "require-reapproval"
+            policy_action = _guard_default_action(artifact) or "require-reapproval"
         elif is_first_seen and configured_action is None and effective_default_action is not None:
             policy_action = effective_default_action
         else:

{plugin_scanner-2.0.109 → plugin_scanner-2.0.110}/src/codex_plugin_scanner/guard/runtime/secret_sensitivity.py

@@ -92,6 +92,8 @@ _SENSITIVE_PATH_REASONS = {
 }
 _SECRET_ASSIGNMENT_VALUE_PATTERN = r"(?:\"[^\"\r\n]+\"|'[^'\r\n]+'|[^ \t\r\n\"',}]+)"
 _HEDERA_PRIVATE_KEY_VALUE_PATTERN = r"(?:\"(?:0x)?[0-9a-f]{64,96}\"|'(?:0x)?[0-9a-f]{64,96}'|(?:0x)?[0-9a-f]{64,96}\b)"
+_SAMPLE_SECRET_VALUE_PATTERN = re.compile(r"(?i)\b(?:example|fake|dummy|invalid|test|canary)\b")
+_SAMPLE_SUPPRESSIBLE_CONTENT_CLASSIFIERS = frozenset({"credential-assignment", "generic-bearer-token"})
 _SECRET_CONTENT_PATTERNS: tuple[tuple[str, str, SecretContentSensitivity, re.Pattern[str], str], ...] = (
     (
         "npm-auth-token",
@@ -148,6 +150,13 @@ _SECRET_CONTENT_PATTERNS: tuple[tuple[str, str, SecretContentSensitivity, re.Pat
         re.compile(r"-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----", re.MULTILINE),
         "Guard found a PEM private key header.",
     ),
+    (
+        "generic-bearer-token",
+        "generic bearer token",
+        "medium",
+        re.compile(r"(?im)\bbearer\s+[A-Za-z0-9._~+/=-]{16,}\b"),
+        "Guard found a bearer token pattern.",
+    ),
     (
         "credential-marker",
         "credential assignment",
@@ -272,13 +281,18 @@ def classify_legacy_secret_path_families(text: str) -> set[str]:
     return {family for marker, family in LEGACY_SECRET_PATH_TEXT_MARKERS if marker in lowered}
 
 
-def classify_secret_content(text: str | None) -> tuple[SecretContentMatch, ...]:
+def classify_secret_content(text: str | None, *, suppress_samples: bool = True) -> tuple[SecretContentMatch, ...]:
     if not isinstance(text, str) or not text.strip():
         return ()
     matches: list[SecretContentMatch] = []
     seen: set[str] = set()
     for classifier, family, sensitivity, pattern, reason in _SECRET_CONTENT_PATTERNS:
-        if pattern.search(text) is None or classifier in seen:
+        if classifier in seen:
+            continue
+        if not any(
+            not _secret_content_match_is_sample(classifier=classifier, text=match.group(0), enabled=suppress_samples)
+            for match in pattern.finditer(text)
+        ):
             continue
         seen.add(classifier)
         matches.append(
@@ -292,6 +306,15 @@ def classify_secret_content(text: str | None) -> tuple[SecretContentMatch, ...]:
     return tuple(matches)
 
 
+def _secret_content_match_is_sample(*, classifier: str, text: str, enabled: bool) -> bool:
+    if not enabled or classifier not in _SAMPLE_SUPPRESSIBLE_CONTENT_CLASSIFIERS:
+        return False
+    if classifier == "generic-bearer-token":
+        token = text.rsplit(None, 1)[-1]
+        return _SAMPLE_SECRET_VALUE_PATTERN.search(token) is not None and re.search(r"[A-Za-z0-9]{20,}", token) is None
+    return _SAMPLE_SECRET_VALUE_PATTERN.search(text) is not None
+
+
 def redacted_secret_path_context(path: str) -> str | None:
     segments = tuple(segment for segment in path.replace("\\", "/").split("/") if segment)
     lowered_segments = tuple(segment.lower() for segment in segments)

{plugin_scanner-2.0.109 → plugin_scanner-2.0.110}/src/codex_plugin_scanner/version.py

@@ -1,3 +1,3 @@
 """Single source of truth for tool version."""
 
-__version__ = "2.0.109"
+__version__ = "2.0.110"

{plugin_scanner-2.0.109 → plugin_scanner-2.0.110}/tests/test_guard_risk.py

@@ -415,10 +415,13 @@ def test_secret_sensitivity_module_classifies_wallet_private_key_filenames(tmp_p
         ("token=" + "github_pat_" + "A" * 22 + "_" + "B" * 59, "GitHub token"),
         ("aws_access_key_id=" + "AKIA" + "A" * 16, "AWS access key"),
         ("OPENAI_API_KEY=" + "sk-" + "A" * 32, "OpenAI API key"),
+        ("OPENAI_API_KEY=sk-proj-" + "A" * 24 + "-test-" + "B" * 24, "OpenAI API key"),
         ("ANTHROPIC_API_KEY=" + "sk-ant-api03-" + "A" * 60, "Anthropic API key"),
         ("HEDERA_PRIVATE_KEY=" + "a" * 64, "Hedera private key"),
         ('HEDERA_PRIVATE_KEY="' + "a" * 64 + '"', "Hedera private key"),
         ("-----BEGIN " + "PRIVATE KEY-----\nredacted\n-----END " + "PRIVATE KEY-----", "PEM private key"),
+        ("Authorization: Bearer " + "A" * 32, "generic bearer token"),
+        ("Authorization: Bearer " + "A" * 24 + "-test-" + "B" * 24, "generic bearer token"),
         ('TOKEN="' + "A" * 24 + '"', "credential assignment"),
         ("auth_token='" + "B" * 24 + "'", "credential assignment"),
         ('{"password": "' + "C" * 24 + '"}', "credential assignment"),
@@ -439,6 +442,23 @@ def test_secret_content_classifier_does_not_upgrade_npm_token_prose():
     assert not any(match.family == "npm auth token" for match in matches)
 
 
+@pytest.mark.parametrize(
+    "content",
+    [
+        "API_TOKEN=example-token",
+        "password=dummy-value",
+        "token=definitely-invalid",
+        "secret=fake-value",
+        "auth_token=canary-token",
+        "OPENAI_API_KEY=sk-test",
+        "https://api.example.test/health?token=definitely-invalid",
+        "Authorization: Bearer definitely-invalid",
+    ],
+)
+def test_secret_content_classifier_suppresses_sample_token_values(content):
+    assert classify_secret_content(content) == ()
+
+
 def test_file_read_request_classifier_is_argument_aware(tmp_path):
     env_request = extract_sensitive_file_read_request("read_file", {"path": ".env.local"})
     claude_request = extract_sensitive_file_read_request("Read", {"file_path": "~/.ssh/config"}, home_dir=tmp_path)