plugin-scanner 2.0.109__tar.gz → 2.0.111__tar.gz

{plugin_scanner-2.0.109 → plugin_scanner-2.0.111}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.109
+Version: 2.0.111
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.109 → plugin_scanner-2.0.111}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.109"
+version = "2.0.111"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.109 → plugin_scanner-2.0.111}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.109"
+version = "2.0.111"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.109 → plugin_scanner-2.0.111}/src/codex_plugin_scanner/guard/cli/commands.py

@@ -97,7 +97,12 @@ from ..runtime.secret_file_requests import (
     extract_sensitive_tool_action_request,
     is_explicitly_benign_tool_action_request,
 )
-from ..runtime.secret_sensitivity import SecretContentMatch, classify_secret_content
+from ..runtime.secret_sensitivity import (
+    SecretContentMatch,
+    SecretPathMatch,
+    classify_secret_content,
+    classify_secret_path,
+)
 from ..runtime.surface_server import GuardSurfaceRuntime
 from ..store import GuardStore
 from .approval_commands import add_approval_parser, run_approval_command
@@ -2999,16 +3004,47 @@ def _runtime_stored_policy_action(
 def _runtime_artifact_policy_action(config: GuardConfig, artifact: GuardArtifact, harness: str) -> str:
     if _prompt_requires_hard_block(artifact):
         return "block"
-    risk_actions = [
-        resolve_risk_action(config, risk_class, harness=_canonical_harness_name(harness))
-        for risk_class in _runtime_artifact_risk_classes(artifact)
-    ]
+    canonical_harness = _canonical_harness_name(harness)
+    risk_classes = _runtime_artifact_risk_classes(artifact)
+    has_configured_risk_action = any(
+        _resolve_configured_risk_action(config, risk_class, harness=canonical_harness) for risk_class in risk_classes
+    )
+    if has_configured_risk_action:
+        risk_actions = [
+            _resolve_configured_risk_action(config, risk_class, harness=canonical_harness)
+            or resolve_risk_action(config, risk_class, harness=canonical_harness)
+            for risk_class in risk_classes
+        ]
+        resolved_actions = [action for action in risk_actions if action in VALID_GUARD_ACTIONS]
+        if resolved_actions:
+            return max(resolved_actions, key=_guard_action_severity)
+    guard_default_action = _runtime_artifact_guard_default_action(artifact)
+    if guard_default_action is not None:
+        return guard_default_action
+    risk_actions = [resolve_risk_action(config, risk_class, harness=canonical_harness) for risk_class in risk_classes]
     resolved_actions = [action for action in risk_actions if action in VALID_GUARD_ACTIONS]
     if resolved_actions:
         return max(resolved_actions, key=_guard_action_severity)
     return SAFE_CHANGED_HASH_ACTION
 
 
+def _resolve_configured_risk_action(config: GuardConfig, risk_class: str, *, harness: str) -> str | None:
+    if config.harness_risk_actions is not None:
+        harness_actions = config.harness_risk_actions.get(harness)
+        if harness_actions is not None and risk_class in harness_actions:
+            return harness_actions[risk_class]
+    if config.risk_actions is not None and risk_class in config.risk_actions:
+        return config.risk_actions[risk_class]
+    return None
+
+
+def _runtime_artifact_guard_default_action(artifact: GuardArtifact) -> str | None:
+    value = artifact.metadata.get("guard_default_action")
+    if value in VALID_GUARD_ACTIONS:
+        return str(value)
+    return None
+
+
 def _guard_action_severity(action: str) -> int:
     return {
         "allow": 0,
@@ -3205,6 +3241,12 @@ def _runtime_artifact_native_reason(artifact: GuardArtifact, response_payload: d
         trimmed_summary = risk_summary.strip()
         if len(trimmed_summary) > 180:
             trimmed_summary = f"{trimmed_summary[:177].rstrip()}..."
+        action_class = artifact.metadata.get("action_class")
+        if (
+            action_class == "credential exfiltration shell command"
+            and "credential-looking output" not in trimmed_summary.lower()
+        ):
+            trimmed_summary = f"{trimmed_summary} Guard also detected credential-looking output."
         return f"HOL Guard flagged this request: {trimmed_summary}"
     return "HOL Guard flagged this request for review."
 
@@ -3985,13 +4027,19 @@ def _codex_post_tool_output_artifact(
     cwd: Path | None,
 ) -> GuardArtifact | None:
     response_text = _collect_codex_tool_response_text(payload.get("tool_response"))
-    content_matches = classify_secret_content(response_text)
-    if not content_matches:
-        return None
     tool_name = _coalesce_string(payload.get("tool_name"), "Bash")
     command_text = _codex_post_tool_command_text(payload)
     if not command_text:
         command_text = tool_name
+    local_source_matches = _codex_sensitive_local_source_matches(command_text, cwd=cwd)
+    references_local_content = bool(local_source_matches) or _codex_command_may_read_local_content(
+        command_text, cwd=cwd
+    )
+    content_matches = classify_secret_content(response_text)
+    if not content_matches and references_local_content:
+        content_matches = classify_secret_content(response_text, suppress_samples=False)
+    if not content_matches:
+        return None
     if _codex_source_inspection_can_skip_secret_output(
         command_text=command_text,
         response_text=response_text,
@@ -4009,6 +4057,38 @@ def _codex_post_tool_output_artifact(
             sort_keys=True,
         ).encode("utf-8")
     ).hexdigest()
+    local_secret_source = _codex_local_secret_source_label(
+        local_source_matches,
+        command_text=command_text,
+    )
+    runtime_default_action = "require-reapproval" if references_local_content else "warn"
+    runtime_request_signals = ["tool output contains credential-looking material"]
+    if references_local_content:
+        source_signal = "command references local secrets"
+        if local_secret_source is not None:
+            source_signal = f"command references local secrets from {local_secret_source}"
+        runtime_request_signals.append(source_signal)
+    request_summary = _codex_tool_output_request_summary(
+        tool_name=tool_name,
+        command_text=command_text,
+        local_secret_source=local_secret_source,
+    )
+    runtime_request_summary = _codex_tool_output_runtime_summary(local_secret_source)
+    metadata: dict[str, object] = {
+        "tool_name": tool_name,
+        "command_text": command_text,
+        "action_class": "credential exfiltration shell command",
+        "guard_default_action": runtime_default_action,
+        "request_summary": request_summary,
+        "runtime_request_signals": runtime_request_signals,
+        "runtime_request_summary": runtime_request_summary,
+        "runtime_request_reason": (
+            "Guard inspects supported Codex tool output before Codex uses it, so accidental secret reads can be "
+            "stopped even when the filename was not obviously sensitive."
+        ),
+    }
+    if local_secret_source is not None:
+        metadata["secret_source_family"] = local_secret_source
     return GuardArtifact(
         artifact_id=f"codex:{source_scope}:tool-output:{fingerprint}",
         name=f"{tool_name} credential-looking output",
@@ -4016,25 +4096,307 @@ def _codex_post_tool_output_artifact(
         artifact_type="tool_action_request",
         source_scope=source_scope,
         config_path=config_path,
-        metadata={
-            "tool_name": tool_name,
-            "command_text": command_text,
-            "action_class": "credential exfiltration shell command",
-            "request_summary": (
-                f"Codex tool `{tool_name}` produced credential-looking output while running `{command_text}`."
-            ),
-            "runtime_request_signals": ["tool output contains credential-looking material"],
-            "runtime_request_summary": (
-                "Requests a sensitive native tool action: credential-looking output reached Codex."
-            ),
-            "runtime_request_reason": (
-                "Guard inspects supported Codex tool output before Codex uses it, so accidental secret reads can be "
-                "stopped even when the filename was not obviously sensitive."
-            ),
-        },
+        metadata=metadata,
+    )
+
+
+def _codex_command_references_sensitive_local_source(command_text: str, *, cwd: Path | None) -> bool:
+    return bool(_codex_sensitive_local_source_matches(command_text, cwd=cwd))
+
+
+def _codex_sensitive_local_source_matches(command_text: str, *, cwd: Path | None) -> list[SecretPathMatch]:
+    matches = _codex_sensitive_path_matches_in_text(command_text, cwd=cwd)
+    try:
+        parts = shlex.split(command_text)
+    except ValueError:
+        return matches
+    for part in parts:
+        stripped = part.strip()
+        if not stripped or stripped.startswith("-") or _codex_token_is_url(stripped):
+            continue
+        path_match = classify_secret_path(stripped, cwd=cwd)
+        if path_match is not None:
+            matches.append(path_match)
+    return _dedupe_codex_secret_path_matches(matches)
+
+
+def _dedupe_codex_secret_path_matches(matches: list[SecretPathMatch]) -> list[SecretPathMatch]:
+    deduped: list[SecretPathMatch] = []
+    seen: set[tuple[str, str]] = set()
+    for match in matches:
+        key = (match.family, match.requested_path or match.path)
+        if key in seen:
+            continue
+        seen.add(key)
+        deduped.append(match)
+    return deduped
+
+
+def _codex_token_is_url(token: str) -> bool:
+    parsed = urllib.parse.urlparse(token)
+    return bool(parsed.scheme and parsed.netloc)
+
+
+def _codex_text_contains_sensitive_path_token(text: str, *, cwd: Path | None) -> bool:
+    return bool(_codex_sensitive_path_matches_in_text(text, cwd=cwd))
+
+
+def _codex_sensitive_path_matches_in_text(text: str, *, cwd: Path | None) -> list[SecretPathMatch]:
+    matches: list[SecretPathMatch] = []
+    for match in _PROMPT_PATH_TOKEN_PATTERN.finditer(text):
+        if _codex_path_token_is_url_path(text, match.start()):
+            continue
+        path_match = classify_secret_path(match.group(0), cwd=cwd)
+        if path_match is not None:
+            matches.append(path_match)
+    return matches
+
+
+def _codex_path_token_is_url_path(text: str, start: int) -> bool:
+    prefix = text[:start].lower()
+    last_separator = max(prefix.rfind(separator) for separator in " \t\r\n'\"`<>|;(){}[]")
+    token_prefix = prefix[last_separator + 1 :]
+    if "://" in token_prefix:
+        return True
+    scheme = ""
+    if token_prefix.endswith(":/"):
+        scheme = token_prefix[:-2]
+    elif token_prefix.endswith(":"):
+        scheme = token_prefix[:-1]
+    return _codex_token_prefix_is_url_scheme(scheme)
+
+
+def _codex_token_prefix_is_url_scheme(scheme: str) -> bool:
+    return bool(scheme) and scheme[0].isalpha() and all(char.isalnum() or char in "+.-" for char in scheme)
+
+
+def _codex_command_may_read_local_content(command_text: str, *, cwd: Path | None) -> bool:
+    if _codex_command_references_sensitive_local_source(command_text, cwd=cwd):
+        return True
+    if any(marker in command_text for marker in ("$(", "${", "`")):
+        return True
+    pipeline_segments = _split_codex_safe_read_only_pipeline(command_text)
+    if pipeline_segments is not None:
+        return any(
+            _codex_pipeline_segment_may_read_local_content(segment, index=index, cwd=cwd)
+            for index, segment in enumerate(pipeline_segments)
+        )
+    try:
+        parts = _codex_shell_split(command_text)
+    except ValueError:
+        return True
+    return _codex_command_parts_may_read_local_content(parts, cwd=cwd)
+
+
+def _codex_pipeline_segment_may_read_local_content(segment: str, *, index: int, cwd: Path | None) -> bool:
+    try:
+        parts = _codex_shell_split(segment)
+    except ValueError:
+        return True
+    if not parts:
+        return False
+    if index == 0:
+        return _codex_command_parts_are_environment_dump(parts) or _codex_command_parts_may_read_local_content(
+            parts,
+            cwd=cwd,
+        )
+    return _codex_command_is_read_only_source_search(segment, cwd=cwd) or _codex_command_is_read_only_source_view(
+        segment, cwd=cwd
+    )
+
+
+def _codex_command_parts_may_read_local_content(parts: list[str], *, cwd: Path | None) -> bool:
+    for start in _codex_command_start_indexes(parts):
+        previous_token = parts[start - 1] if start > 0 else None
+        segment_parts = _codex_command_segment_parts(parts, start)
+        if previous_token == "|":
+            if _codex_command_sequence_is_read_only_source_inspection(segment_parts, cwd=cwd):
+                return True
+            continue
+        if _codex_command_sequence_starts_with_local_reader(segment_parts, cwd=cwd):
+            return True
+    return False
+
+
+def _codex_command_start_indexes(parts: list[str]) -> list[int]:
+    starts = [0] if parts else []
+    for index, part in enumerate(parts[:-1]):
+        if part in {"&&", "||", ";", "&", "|", "|&"}:
+            starts.append(index + 1)
+    return starts
+
+
+def _codex_command_segment_parts(parts: list[str], start: int) -> list[str]:
+    end = start
+    while end < len(parts) and parts[end] not in {"&&", "||", ";", "&", "|", "|&"}:
+        end += 1
+    return parts[start:end]
+
+
+def _codex_command_sequence_is_read_only_source_inspection(parts: list[str], *, cwd: Path | None) -> bool:
+    command_parts = _codex_unwrapped_command_parts(parts)
+    if not command_parts:
+        return False
+    segment = shlex.join(command_parts)
+    return _codex_command_is_read_only_source_search(segment, cwd=cwd) or _codex_command_is_read_only_source_view(
+        segment, cwd=cwd
     )
 
 
+def _codex_command_sequence_starts_with_local_reader(parts: list[str], *, cwd: Path | None) -> bool:
+    command_parts = _codex_unwrapped_command_parts(parts)
+    if not command_parts:
+        return False
+    if _codex_command_parts_are_git_grep(command_parts):
+        return True
+    return _codex_command_part_is_local_reader(command_parts, 0, cwd=cwd)
+
+
+def _codex_command_parts_are_git_grep(parts: list[str]) -> bool:
+    return bool(parts) and Path(parts[0]).name.lower() == "git" and _git_grep_search_args(parts[1:]) is not None
+
+
+def _codex_command_reads_environment_pipeline(command_text: str) -> bool:
+    pipeline_segments = _split_codex_safe_read_only_pipeline(command_text)
+    if pipeline_segments is None:
+        return False
+    try:
+        first_parts = _codex_shell_split(pipeline_segments[0])
+    except ValueError:
+        return False
+    return _codex_command_parts_are_environment_dump(first_parts)
+
+
+def _codex_command_parts_are_environment_dump(parts: list[str]) -> bool:
+    if not parts:
+        return False
+    executable = Path(parts[0]).name.lower()
+    if executable == "printenv":
+        return True
+    if executable != "env":
+        return False
+    if _codex_env_args_clear_environment(parts[1:]):
+        return False
+    return not _codex_strip_env_wrapper(parts[1:])
+
+
+def _codex_local_secret_source_label(
+    matches: list[SecretPathMatch],
+    *,
+    command_text: str,
+) -> str | None:
+    families: list[str] = []
+    for match in matches:
+        if match.family not in families:
+            families.append(match.family)
+    if families:
+        if len(families) == 1:
+            return families[0]
+        return f"{families[0]} and other local secret files"
+    if _codex_command_reads_environment_pipeline(command_text):
+        return "environment variables"
+    return None
+
+
+def _codex_tool_output_request_summary(
+    *,
+    tool_name: str,
+    command_text: str,
+    local_secret_source: str | None,
+) -> str:
+    if local_secret_source is not None:
+        return f"Codex tool `{tool_name}` read local secrets from {local_secret_source} while running `{command_text}`."
+    return f"Codex tool `{tool_name}` produced credential-looking output while running `{command_text}`."
+
+
+def _codex_tool_output_runtime_summary(local_secret_source: str | None) -> str:
+    if local_secret_source is not None:
+        return f"Local secrets from {local_secret_source} reached Codex tool output."
+    return "Requests a sensitive native tool action: credential-looking output reached Codex."
+
+
+def _codex_unwrapped_command_parts(parts: list[str]) -> list[str]:
+    remaining = parts
+    while remaining:
+        executable = Path(remaining[0]).name.lower()
+        if executable == "command":
+            remaining = _codex_strip_command_wrapper(remaining[1:])
+            continue
+        if executable == "env":
+            remaining = _codex_strip_env_wrapper(remaining[1:])
+            continue
+        return remaining
+    return []
+
+
+def _codex_strip_command_wrapper(parts: list[str]) -> list[str]:
+    index = 0
+    while index < len(parts) and parts[index] in {"-p", "-v", "-V"}:
+        index += 1
+    if index < len(parts) and parts[index] == "--":
+        index += 1
+    return parts[index:]
+
+
+def _codex_strip_env_wrapper(parts: list[str]) -> list[str]:
+    index = 0
+    while index < len(parts):
+        part = parts[index]
+        if part == "--":
+            return parts[index + 1 :]
+        if part in {"-i", "-0", "--ignore-environment", "--null"}:
+            index += 1
+            continue
+        if part in {"-u", "--unset", "-C", "--chdir", "-S", "--split-string"}:
+            index += 2
+            continue
+        if part.startswith(("--unset=", "--chdir=", "--split-string=")):
+            index += 1
+            continue
+        if part.startswith("-"):
+            index += 1
+            continue
+        if "=" in part and not part.startswith("="):
+            index += 1
+            continue
+        return parts[index:]
+    return []
+
+
+def _codex_env_args_clear_environment(parts: list[str]) -> bool:
+    for part in parts:
+        if part == "--":
+            return False
+        if part in {"-i", "--ignore-environment"}:
+            return True
+        if part.startswith("-") or ("=" in part and not part.startswith("=")):
+            continue
+        return False
+    return False
+
+
+def _codex_shell_split(command_text: str) -> list[str]:
+    lexer = shlex.shlex(command_text, posix=True, punctuation_chars=True)
+    lexer.whitespace_split = True
+    lexer.commenters = ""
+    return list(lexer)
+
+
+def _codex_command_part_is_local_reader(parts: list[str], index: int, *, cwd: Path | None) -> bool:
+    local_read_commands = {"cat", "grep", "head", "rg", "sed", "tail"}
+    executable = Path(parts[index]).name.lower()
+    if executable not in local_read_commands:
+        return False
+    if index == 0:
+        return True
+    if parts[index - 1] == "|":
+        segment = shlex.join(parts[index:])
+        return _codex_command_is_read_only_source_search(segment, cwd=cwd) or _codex_command_is_read_only_source_view(
+            segment, cwd=cwd
+        )
+    return parts[index - 1] in {"&&", "||", ";", "&", "|&"}
+
+
 def _codex_post_tool_command_is_read_only_source_inspection(
     *,
     payload: dict[str, object],

{plugin_scanner-2.0.109 → plugin_scanner-2.0.111}/src/codex_plugin_scanner/guard/cli/render.py

@@ -50,6 +50,7 @@ _SENSITIVE_STRING_PATTERNS: tuple[tuple[re.Pattern[str], str], ...] = (
     ),
     (re.compile(r"(?i)(authorization:\s*)(bearer\s+)?[^\s,;]+"), r"\1*****"),
     (re.compile(r"(?i)(api[-_ ]?key:\s*)[^\s,;]+"), r"\1*****"),
+    (re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b"), "*****"),
     (re.compile(r"(?i)(bearer\s+)[^\s,;]+"), r"\1*****"),
     (re.compile(r"(?im)\b(?:_authToken|npm[_ -]?token)\s*[:=]\s*[^\s]+"), "npm token redacted"),
     (re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp)://[^\s]+", re.IGNORECASE), "*****"),
@@ -963,6 +964,8 @@ def _render_hook(console: Console, payload: dict[str, object]) -> None:
     body.add_row("Recorded", _bool_label(bool(payload.get("recorded"))))
     body.add_row("Artifact", str(payload.get("artifact_name") or payload.get("artifact_id") or "unknown"))
     body.add_row("Decision", _action_text(str(payload.get("policy_action", "warn"))))
+    if payload.get("risk_summary"):
+        body.add_row("Why", str(payload.get("risk_summary")))
     if payload.get("path_summary"):
         body.add_row("Path", str(payload.get("path_summary")))
     if payload.get("approval_center_url"):

{plugin_scanner-2.0.109 → plugin_scanner-2.0.111}/src/codex_plugin_scanner/guard/consumer/service.py

@@ -16,6 +16,7 @@ from ..config import GuardConfig
 from ..incident import build_incident_context
 from ..models import GuardArtifact, HarnessDetection, PolicyDecision
 from ..policy import build_decision_v2, decide_action
+from ..policy.engine import VALID_GUARD_ACTIONS
 from ..receipts import build_receipt
 from ..risk import artifact_risk_signals_typed, artifact_risk_summary, summarize_signals
 from ..runtime.signals import RiskSignalV2
@@ -102,6 +103,13 @@ def _is_blocking_action(policy_action: str) -> bool:
     return policy_action in {"block", "sandbox-required", "require-reapproval"}
 
 
+def _guard_default_action(artifact: GuardArtifact) -> str | None:
+    value = artifact.metadata.get("guard_default_action")
+    if value in VALID_GUARD_ACTIONS:
+        return str(value)
+    return None
+
+
 def _build_removed_provenance(previous: dict[str, object]) -> str:
     scope = previous.get("source_scope")
     config_path = previous.get("config_path")
@@ -395,7 +403,7 @@ def evaluate_detection(
             "file_read_request",
             "tool_action_request",
         }:
-            policy_action = "require-reapproval"
+            policy_action = _guard_default_action(artifact) or "require-reapproval"
         elif is_first_seen and configured_action is None and effective_default_action is not None:
             policy_action = effective_default_action
         else:

{plugin_scanner-2.0.109 → plugin_scanner-2.0.111}/src/codex_plugin_scanner/guard/runtime/secret_sensitivity.py

@@ -92,6 +92,8 @@ _SENSITIVE_PATH_REASONS = {
 }
 _SECRET_ASSIGNMENT_VALUE_PATTERN = r"(?:\"[^\"\r\n]+\"|'[^'\r\n]+'|[^ \t\r\n\"',}]+)"
 _HEDERA_PRIVATE_KEY_VALUE_PATTERN = r"(?:\"(?:0x)?[0-9a-f]{64,96}\"|'(?:0x)?[0-9a-f]{64,96}'|(?:0x)?[0-9a-f]{64,96}\b)"
+_SAMPLE_SECRET_VALUE_PATTERN = re.compile(r"(?i)\b(?:example|fake|dummy|invalid|test|canary)\b")
+_SAMPLE_SUPPRESSIBLE_CONTENT_CLASSIFIERS = frozenset({"credential-assignment", "generic-bearer-token"})
 _SECRET_CONTENT_PATTERNS: tuple[tuple[str, str, SecretContentSensitivity, re.Pattern[str], str], ...] = (
     (
         "npm-auth-token",
@@ -148,6 +150,13 @@ _SECRET_CONTENT_PATTERNS: tuple[tuple[str, str, SecretContentSensitivity, re.Pat
         re.compile(r"-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----", re.MULTILINE),
         "Guard found a PEM private key header.",
     ),
+    (
+        "generic-bearer-token",
+        "generic bearer token",
+        "medium",
+        re.compile(r"(?im)\bbearer\s+[A-Za-z0-9._~+/=-]{16,}\b"),
+        "Guard found a bearer token pattern.",
+    ),
     (
         "credential-marker",
         "credential assignment",
@@ -272,13 +281,18 @@ def classify_legacy_secret_path_families(text: str) -> set[str]:
     return {family for marker, family in LEGACY_SECRET_PATH_TEXT_MARKERS if marker in lowered}
 
 
-def classify_secret_content(text: str | None) -> tuple[SecretContentMatch, ...]:
+def classify_secret_content(text: str | None, *, suppress_samples: bool = True) -> tuple[SecretContentMatch, ...]:
     if not isinstance(text, str) or not text.strip():
         return ()
     matches: list[SecretContentMatch] = []
     seen: set[str] = set()
     for classifier, family, sensitivity, pattern, reason in _SECRET_CONTENT_PATTERNS:
-        if pattern.search(text) is None or classifier in seen:
+        if classifier in seen:
+            continue
+        if not any(
+            not _secret_content_match_is_sample(classifier=classifier, text=match.group(0), enabled=suppress_samples)
+            for match in pattern.finditer(text)
+        ):
             continue
         seen.add(classifier)
         matches.append(
@@ -292,6 +306,15 @@ def classify_secret_content(text: str | None) -> tuple[SecretContentMatch, ...]:
     return tuple(matches)
 
 
+def _secret_content_match_is_sample(*, classifier: str, text: str, enabled: bool) -> bool:
+    if not enabled or classifier not in _SAMPLE_SUPPRESSIBLE_CONTENT_CLASSIFIERS:
+        return False
+    if classifier == "generic-bearer-token":
+        token = text.rsplit(None, 1)[-1]
+        return _SAMPLE_SECRET_VALUE_PATTERN.search(token) is not None and re.search(r"[A-Za-z0-9]{20,}", token) is None
+    return _SAMPLE_SECRET_VALUE_PATTERN.search(text) is not None
+
+
 def redacted_secret_path_context(path: str) -> str | None:
     segments = tuple(segment for segment in path.replace("\\", "/").split("/") if segment)
     lowered_segments = tuple(segment.lower() for segment in segments)

{plugin_scanner-2.0.109 → plugin_scanner-2.0.111}/src/codex_plugin_scanner/version.py

@@ -1,3 +1,3 @@
 """Single source of truth for tool version."""
 
-__version__ = "2.0.109"
+__version__ = "2.0.111"

{plugin_scanner-2.0.109 → plugin_scanner-2.0.111}/tests/test_guard_render.py

@@ -79,11 +79,7 @@ def test_guard_json_render_redacts_after_command_specific_payload_shape(capsys)
 
 
 def test_guard_json_render_redacts_private_key_without_breaking_json(capsys) -> None:
-    private_key = (
-        "-----BEGIN PRIVATE KEY-----\n"
-        "super-secret-material\n"
-        "-----END PRIVATE KEY-----"
-    )
+    private_key = "-----BEGIN PRIVATE KEY-----\nsuper-secret-material\n-----END PRIVATE KEY-----"
 
     emit_guard_payload("status", {"details": private_key}, True)
 
@@ -159,6 +155,28 @@ def test_guard_settings_json_omits_billing_flag(capsys) -> None:
     assert "billing" not in output["settings"]
 
 
+def test_guard_hook_render_shows_local_secrets_without_internal_jargon(capsys) -> None:
+    raw_secret = "sk-" + "A" * 32
+
+    emit_guard_payload(
+        "hook",
+        {
+            "recorded": True,
+            "artifact_name": "Bash local secret output",
+            "policy_action": "require-reapproval",
+            "risk_summary": f"Local secrets from local .env file. {raw_secret}",
+            "path_summary": ".env",
+        },
+        False,
+    )
+
+    output = _normalize_render_output(capsys.readouterr().out)
+    assert "local secrets" in output.lower()
+    assert ".env file" in output
+    assert raw_secret not in output
+    assert "credential-looking output" not in output.lower()
+
+
 def test_guard_connect_render_defaults_sync_not_available_to_upgrade_guidance(capsys) -> None:
     emit_guard_payload(
         "connect",