PyPI - plugin-scanner - Versions diffs - 2.0.113__tar.gz → 2.0.114__tar.gz - Mend

plugin-scanner 2.0.113tar.gz → 2.0.114tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (359) hide show

{plugin_scanner-2.0.113 → plugin_scanner-2.0.114}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.113
+Version: 2.0.114
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.113 → plugin_scanner-2.0.114}/dashboard/src/approval-center-layout.tsx RENAMED Viewed

@@ -21,6 +21,7 @@ import {
   ListControls,
   PaginationControls
 } from "./approval-center-primitives";
+import { DataFlowEvidenceCard } from "./data-flow-evidence-card";
 import { ReceiptsWorkspace } from "./receipts-workspace";
 import { RuntimeOverview } from "./runtime-overview";
 import {
@@ -555,6 +556,7 @@ function WhatChanged(props: { item: GuardApprovalRequest; diff: GuardArtifactDif
       <div className="mt-4 space-y-3 border-l-2 border-brand-blue/10 pl-4">
         <p className="text-sm leading-relaxed text-brand-dark/70">{buildStoppedReason(item, receipt)}</p>
         <WhyGuardCares item={item} />
+        <DataFlowEvidenceCard item={item} />
         {policy.length > 0 ? (
           <p className="text-sm leading-relaxed text-brand-dark/70">
             HOL Guard checked {policy.length} saved {policy.length === 1 ? "decision" : "decisions"} before asking you.

{plugin_scanner-2.0.113 → plugin_scanner-2.0.114}/dashboard/src/approval-center-utils.ts RENAMED Viewed

@@ -5,6 +5,48 @@ import type {
   GuardReceipt
 } from "./guard-types";
+export type DataFlowEvidenceSummary = {
+  signalTitle: string;
+  sourceLabel: string;
+  sinkLabel: string;
+  signalId: string;
+  count: number;
+};
+export function deriveDataFlowEvidence(item: GuardApprovalRequest): DataFlowEvidenceSummary | null {
+  const signals = item.decision_v2_json?.signals ?? [];
+  const dataFlowSignals = signals.filter(
+    (s) => s.detector === "data_flow.exfiltration" || s.signal_id.startsWith("data-flow:")
+  );
+  if (dataFlowSignals.length === 0) {
+    return null;
+  }
+  const primary = dataFlowSignals[0];
+  return {
+    signalTitle: primary.title,
+    sourceLabel: "Local secret",
+    sinkLabel: resolveDataFlowSinkLabel(primary),
+    signalId: primary.signal_id,
+    count: dataFlowSignals.length,
+  };
+}
+function resolveDataFlowSinkLabel(signal: RiskSignalV2): string {
+  if (signal.category === "network") {
+    return "Network host";
+  }
+  if (signal.signal_id === "data-flow:clipboard-secret") {
+    return "Clipboard";
+  }
+  if (signal.signal_id === "data-flow:world-readable-temp-secret") {
+    return "World-readable temp file";
+  }
+  if (signal.signal_id === "data-flow:git-remote-token") {
+    return "Git remote config";
+  }
+  return "External sink";
+}
 export function resolveEnvelopeDisplayText(envelope: GuardActionEnvelope): string | null {
   if (envelope.action_type === "shell_command" && envelope.command !== null) {
     return envelope.command;

plugin_scanner-2.0.114/dashboard/src/data-flow-evidence-card.tsx ADDED Viewed

@@ -0,0 +1,37 @@
+import { SectionLabel } from "./approval-center-primitives";
+import { deriveDataFlowEvidence } from "./approval-center-utils";
+import type { GuardApprovalRequest } from "./guard-types";
+export function DataFlowEvidenceCard(props: { item: GuardApprovalRequest }) {
+  const evidence = deriveDataFlowEvidence(props.item);
+  if (evidence === null) return null;
+  const extraCount = evidence.count - 1;
+  return (
+    <div
+      className="rounded-xl border border-brand-blue/20 bg-brand-blue/[0.04] p-4"
+      aria-label="Data flow evidence"
+    >
+      <SectionLabel>Data flow detected</SectionLabel>
+      <div
+        className="mt-3 flex flex-wrap items-center gap-2"
+        role="group"
+        aria-label="Source to sink route"
+      >
+        <span className="rounded-full bg-brand-purple/10 px-2.5 py-1 text-xs font-medium text-brand-purple">
+          {evidence.sourceLabel}
+        </span>
+        <span className="select-none text-muted-foreground" aria-hidden="true">-&gt;</span>
+        <span className="rounded-full bg-brand-blue/10 px-2.5 py-1 text-xs font-medium text-brand-blue">
+          {evidence.sinkLabel}
+        </span>
+      </div>
+      <p className="mt-2 text-sm leading-relaxed text-brand-dark/80">{evidence.signalTitle}</p>
+      <p className="mt-1 font-mono text-[11px] text-muted-foreground">{evidence.signalId}</p>
+      {extraCount > 0 ? (
+        <p className="mt-1 text-xs text-muted-foreground">
+          {`and ${extraCount} more data-flow ${extraCount === 1 ? "signal" : "signals"}`}
+        </p>
+      ) : null}
+    </div>
+  );
+}

{plugin_scanner-2.0.113 → plugin_scanner-2.0.114}/dashboard/src/guard-api.test.ts RENAMED Viewed

@@ -8,9 +8,10 @@ import {
   resolveDecisionV2Detail,
   resolveDecisionV2Title,
   resolveEnvelopeDisplayText,
-  resolveStoppedCommandText
+  resolveStoppedCommandText,
+  deriveDataFlowEvidence
 } from "./approval-center-utils";
-import type { GuardActionEnvelope, GuardApprovalRequest, GuardDecisionV2 } from "./guard-types";
+import type { GuardActionEnvelope, GuardApprovalRequest, GuardDecisionV2, RiskSignalV2 } from "./guard-types";
 function assert(condition: boolean, message: string): void {
   if (!condition) {
@@ -284,3 +285,97 @@ assert(
   resolveDecisionV2Detail(requestWithEmptyV2Detail) === null,
   "T082: resolveDecisionV2Detail returns null for empty dashboard_primary_detail"
 );
+const DATA_FLOW_SIGNAL: RiskSignalV2 = {
+  signal_id: "data-flow:exfil-env",
+  category: "network",
+  severity: "high",
+  confidence: "strong",
+  detector: "data_flow.exfiltration",
+  title: "Secret value sent to remote host",
+  plain_reason: "A value from a local credential file was passed to a network request.",
+  technical_detail: "source: /home/user/project/.env, sink: https://example.com/collect",
+  evidence_ref: "metadata.data_flow_path",
+  redaction_level: "redacted",
+  false_positive_hint: null,
+  advisory_id: null
+};
+assert(
+  deriveDataFlowEvidence(BASE_REQUEST) === null,
+  "T090: no data-flow evidence when request has no decision_v2_json"
+);
+const requestNoDataFlowSignals: GuardApprovalRequest = {
+  ...BASE_REQUEST,
+  decision_v2_json: { ...BASE_DECISION_V2, signals: [BASE_DECISION_V2.signals[0]] }
+};
+assert(
+  deriveDataFlowEvidence(requestNoDataFlowSignals) === null,
+  "T090: no data-flow evidence when signals contain no data-flow detector or id prefix"
+);
+const requestWithDetectorSignal: GuardApprovalRequest = {
+  ...BASE_REQUEST,
+  decision_v2_json: { ...BASE_DECISION_V2, signals: [DATA_FLOW_SIGNAL] }
+};
+const detectorEvidence = deriveDataFlowEvidence(requestWithDetectorSignal);
+assert(detectorEvidence !== null, "T091: evidence returned when signal detector is data_flow.exfiltration");
+assert(detectorEvidence?.sourceLabel === "Local secret", "T091: sourceLabel is 'Local secret' for exfiltration signal");
+assert(detectorEvidence?.sinkLabel === "Network host", "T091: sinkLabel is 'Network host' for network category signal");
+const DATA_FLOW_ID_SIGNAL: RiskSignalV2 = {
+  ...DATA_FLOW_SIGNAL,
+  detector: "guard-risk-v2",
+  signal_id: "data-flow:env-to-curl",
+  category: "secret",
+  title: "Env variable forwarded via shell"
+};
+const requestWithIdPrefixSignal: GuardApprovalRequest = {
+  ...BASE_REQUEST,
+  decision_v2_json: { ...BASE_DECISION_V2, signals: [DATA_FLOW_ID_SIGNAL] }
+};
+const idPrefixEvidence = deriveDataFlowEvidence(requestWithIdPrefixSignal);
+assert(idPrefixEvidence !== null, "T092: evidence returned when signal_id starts with data-flow:");
+assert(idPrefixEvidence?.signalId === "data-flow:env-to-curl", "T092: signalId preserved from signal");
+assert(idPrefixEvidence?.sinkLabel === "External sink", "T092: sinkLabel is 'External sink' for non-network category");
+const DATA_FLOW_CLIPBOARD_SIGNAL: RiskSignalV2 = {
+  ...DATA_FLOW_SIGNAL,
+  signal_id: "data-flow:clipboard-secret",
+  category: "secret",
+  title: "Clipboard receives a local secret"
+};
+const requestWithClipboardSignal: GuardApprovalRequest = {
+  ...BASE_REQUEST,
+  decision_v2_json: { ...BASE_DECISION_V2, signals: [DATA_FLOW_CLIPBOARD_SIGNAL] }
+};
+const clipboardEvidence = deriveDataFlowEvidence(requestWithClipboardSignal);
+assert(clipboardEvidence?.sinkLabel === "Clipboard", "T092: sinkLabel names clipboard for clipboard data-flow signal");
+const detectorEvidenceSummary = deriveDataFlowEvidence(requestWithDetectorSignal);
+assert(
+  detectorEvidenceSummary !== null && !detectorEvidenceSummary.sourceLabel.includes(".env"),
+  "T093: sourceLabel does not expose raw secret path even if technical_detail mentions .env"
+);
+assert(
+  detectorEvidenceSummary !== null && !detectorEvidenceSummary.sinkLabel.includes(".env"),
+  "T093: sinkLabel does not expose raw secret path"
+);
+assert(
+  detectorEvidenceSummary !== null && !detectorEvidenceSummary.signalTitle.includes("/home/"),
+  "T093: signalTitle does not echo raw filesystem paths from technical_detail"
+);
+assert(
+  detectorEvidenceSummary !== null && detectorEvidenceSummary.count === 1,
+  "T093: count matches number of data-flow signals"
+);
+const mixedSignals: RiskSignalV2[] = [BASE_DECISION_V2.signals[0], DATA_FLOW_SIGNAL, DATA_FLOW_ID_SIGNAL];
+const requestWithMixedSignals: GuardApprovalRequest = {
+  ...BASE_REQUEST,
+  decision_v2_json: { ...BASE_DECISION_V2, signals: mixedSignals }
+};
+const mixedEvidence = deriveDataFlowEvidence(requestWithMixedSignals);
+assert(mixedEvidence !== null && mixedEvidence.count === 2, "T094: count reflects only data-flow signals, not unrelated ones");

{plugin_scanner-2.0.113 → plugin_scanner-2.0.114}/dashboard/src/guard-api.ts RENAMED Viewed

@@ -444,6 +444,7 @@ export async function fetchSettings(): Promise<GuardSettingsPayload> {
         risk_actions: {
           local_secret_read: "require-reapproval",
           credential_exfiltration: "require-reapproval",
+          data_flow_exfiltration: "require-reapproval",
           destructive_shell: "require-reapproval",
           encoded_execution: "require-reapproval",
           network_egress: "warn"

{plugin_scanner-2.0.113 → plugin_scanner-2.0.114}/dashboard/src/settings-workspace.tsx RENAMED Viewed

@@ -74,6 +74,11 @@ const riskControls = [
     label: "Credential sharing",
     description: "Commands or scripts that appear to send keys, tokens, or credentials away."
   },
+  {
+    key: "data_flow_exfiltration",
+    label: "Secret data flow",
+    description: "Detected source-to-sink route where a local secret is read and its value reaches a network or external sink."
+  },
   {
     key: "destructive_shell",
     label: "Destructive commands",
@@ -97,6 +102,7 @@ const riskProfileActions: Record<"balanced" | "strict" | "custom", Record<RiskKe
   balanced: {
     local_secret_read: "require-reapproval",
     credential_exfiltration: "require-reapproval",
+    data_flow_exfiltration: "require-reapproval",
     destructive_shell: "require-reapproval",
     encoded_execution: "require-reapproval",
     network_egress: "warn"
@@ -104,6 +110,7 @@ const riskProfileActions: Record<"balanced" | "strict" | "custom", Record<RiskKe
   strict: {
     local_secret_read: "require-reapproval",
     credential_exfiltration: "require-reapproval",
+    data_flow_exfiltration: "block",
     destructive_shell: "require-reapproval",
     encoded_execution: "require-reapproval",
     network_egress: "require-reapproval"
@@ -111,6 +118,7 @@ const riskProfileActions: Record<"balanced" | "strict" | "custom", Record<RiskKe
   custom: {
     local_secret_read: "require-reapproval",
     credential_exfiltration: "require-reapproval",
+    data_flow_exfiltration: "require-reapproval",
     destructive_shell: "require-reapproval",
     encoded_execution: "require-reapproval",
     network_egress: "warn"

{plugin_scanner-2.0.113 → plugin_scanner-2.0.114}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "plugin-scanner"
-version = "2.0.113"
+version = "2.0.114"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.113 → plugin_scanner-2.0.114}/pyproject.toml.bak RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "hol-guard"
-version = "2.0.113"
+version = "2.0.114"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.113 → plugin_scanner-2.0.114}/src/codex_plugin_scanner/guard/cli/commands.py RENAMED Viewed

@@ -70,7 +70,7 @@ from ..mcp_tool_calls import (
     evaluate_tool_call,
 )
 from ..models import GuardArtifact, HarnessDetection, PolicyDecision
-from ..policy.engine import SAFE_CHANGED_HASH_ACTION, VALID_GUARD_ACTIONS
+from ..policy.engine import SAFE_CHANGED_HASH_ACTION, VALID_GUARD_ACTIONS, build_decision_v2
 from ..protect import build_protect_payload
 from ..proxy import (
     CodexMcpGuardProxy,
@@ -80,8 +80,9 @@ from ..proxy import (
     StdioGuardProxy,
 )
 from ..receipts import build_receipt
-from ..risk import artifact_risk_signals, artifact_risk_summary
+from ..risk import artifact_risk_signals, artifact_risk_signals_v2, artifact_risk_summary
 from ..runtime.actions import GuardActionEnvelope, normalize_harness_payload
+from ..runtime.data_flow_rules import detect_data_flow_exfiltration
 from ..runtime.runner import (
     GuardSyncNotConfiguredError,
     extract_prompt_requests,
@@ -103,6 +104,7 @@ from ..runtime.secret_sensitivity import (
     classify_secret_content,
     classify_secret_path,
 )
+from ..runtime.signals import RiskSignalV2
 from ..runtime.surface_server import GuardSurfaceRuntime
 from ..store import GuardStore
 from .approval_commands import add_approval_parser, run_approval_command
@@ -1547,11 +1549,12 @@ def run_guard_command(
                         artifact_hash=artifact_hash(legacy_artifact),
                         workspace=str(runtime_workspace) if runtime_workspace else None,
                     )
-            policy_action = _coalesce_string(
+            requested_policy_action = _coalesce_string(
                 getattr(args, "policy_action", None),
                 stored_policy_action,
                 payload.get("policy_action"),
             )
+            policy_action = requested_policy_action
             if policy_action not in VALID_GUARD_ACTIONS:
                 policy_action = _runtime_artifact_policy_action(config, runtime_artifact, args.harness)
             if _canonical_harness_name(args.harness) == "claude-code" and event_name in {
@@ -1582,8 +1585,27 @@ def run_guard_command(
                     store.add_receipt(receipt)
                 return 0
             changed_capabilities = [runtime_artifact.artifact_type]
-            risk_signals = list(artifact_risk_signals(runtime_artifact))
-            risk_summary = artifact_risk_summary(runtime_artifact)
+            data_flow_signals = _runtime_action_data_flow_signals(action_envelope, workspace=runtime_workspace)
+            if data_flow_signals and requested_policy_action not in VALID_GUARD_ACTIONS:
+                data_flow_action = resolve_risk_action(
+                    config,
+                    "data_flow_exfiltration",
+                    harness=policy_harness,
+                )
+                if _guard_action_severity(data_flow_action) > _guard_action_severity(policy_action):
+                    policy_action = data_flow_action
+            decision_signals = data_flow_signals or artifact_risk_signals_v2(runtime_artifact)
+            risk_signals = (
+                [signal.plain_reason for signal in data_flow_signals]
+                if data_flow_signals
+                else list(artifact_risk_signals(runtime_artifact))
+            )
+            risk_summary = (
+                _runtime_data_flow_summary(data_flow_signals)
+                if data_flow_signals
+                else artifact_risk_summary(runtime_artifact)
+            )
+            decision_v2 = build_decision_v2(policy_action, reason=policy_action, signals=decision_signals)
             incident = build_incident_context(
                 harness=args.harness,
                 artifact=runtime_artifact,
@@ -1619,6 +1641,7 @@ def run_guard_command(
                 "policy_action": policy_action,
                 "risk_signals": risk_signals,
                 "risk_summary": risk_summary,
+                "decision_v2_json": decision_v2.to_dict(),
                 "artifact_label": incident["artifact_label"],
                 "source_label": incident["source_label"],
                 "trigger_summary": incident["trigger_summary"],
@@ -1703,6 +1726,7 @@ def run_guard_command(
                                 "config_path": runtime_artifact.config_path,
                                 "launch_target": _runtime_request_summary(runtime_artifact),
                                 "action_envelope_json": _action_envelope_json(action_envelope),
+                                "decision_v2_json": decision_v2.to_dict(),
                             }
                         ]
                     }
@@ -3045,6 +3069,36 @@ def _runtime_artifact_guard_default_action(artifact: GuardArtifact) -> str | Non
     return None
+def _runtime_action_data_flow_signals(
+    action_envelope: GuardActionEnvelope | None,
+    *,
+    workspace: Path | None,
+) -> tuple[RiskSignalV2, ...]:
+    if action_envelope is None:
+        return ()
+    return detect_data_flow_exfiltration(action_envelope, workspace=workspace)
+def _runtime_data_flow_summary(signals: tuple[RiskSignalV2, ...]) -> str:
+    sink_type = _runtime_data_flow_sink_type(signals)
+    if signals:
+        return f"This command sends local secret to {sink_type}. Guard kept raw secret contents out of the evidence."
+    return f"This command sends local secret to {sink_type}."
+def _runtime_data_flow_sink_type(signals: tuple[RiskSignalV2, ...]) -> str:
+    signal_ids = {signal.signal_id for signal in signals}
+    if any(signal.category == "network" for signal in signals):
+        return "network host"
+    if "data-flow:clipboard-secret" in signal_ids:
+        return "clipboard"
+    if "data-flow:world-readable-temp-secret" in signal_ids:
+        return "world-readable temp file"
+    if "data-flow:git-remote-token" in signal_ids:
+        return "git remote configuration"
+    return "external sink"
 def _guard_action_severity(action: str) -> int:
     return {
         "allow": 0,
@@ -3077,7 +3131,11 @@ def _runtime_artifact_risk_classes(artifact: GuardArtifact) -> list[str]:
     if not isinstance(action_class, str):
         return []
     action_risk_classes = {
-        "credential exfiltration shell command": ["credential_exfiltration", "network_egress"],
+        "credential exfiltration shell command": [
+            "data_flow_exfiltration",
+            "credential_exfiltration",
+            "network_egress",
+        ],
         "docker-sensitive command": ["network_egress", "destructive_shell"],
         "docker client config access": ["local_secret_read"],
         "encoded or encrypted shell command": ["encoded_execution"],
@@ -3200,7 +3258,7 @@ def _native_prompt_context(artifact: GuardArtifact) -> str:
 def _runtime_artifact_native_reason(artifact: GuardArtifact, response_payload: dict[str, object]) -> str:
     decision_message = _decision_v2_harness_message(response_payload)
-    if decision_message is not None:
+    if decision_message is not None and _should_use_decision_v2_harness_message(response_payload, decision_message):
         return decision_message
     if artifact.artifact_type == "prompt_request":
         harness = response_payload.get("harness")
@@ -3261,6 +3319,37 @@ def _decision_v2_harness_message(response_payload: dict[str, object]) -> str | N
     return None
+def _decision_v2_has_data_flow_signal(response_payload: dict[str, object]) -> bool:
+    decision_v2 = response_payload.get("decision_v2_json")
+    if not isinstance(decision_v2, Mapping):
+        return False
+    signals = decision_v2.get("signals")
+    if not isinstance(signals, list):
+        return False
+    for item in signals:
+        if not isinstance(item, Mapping):
+            continue
+        detector = item.get("detector")
+        signal_id = item.get("signal_id")
+        if detector == "data_flow.exfiltration":
+            return True
+        if isinstance(signal_id, str) and signal_id.startswith("data-flow:"):
+            return True
+    return False
+def _should_use_decision_v2_harness_message(response_payload: dict[str, object], message: str) -> bool:
+    if _decision_v2_has_data_flow_signal(response_payload):
+        return True
+    generic_messages = {
+        "HOL Guard blocked this action.",
+        "HOL Guard wants this action reviewed and run in a sandboxed path.",
+    }
+    if message in generic_messages:
+        return False
+    return not message.startswith("HOL Guard needs a fresh approval because this action changed.")
 def _claude_prompt_additional_context(
     *,
     harness: str,

{plugin_scanner-2.0.113 → plugin_scanner-2.0.114}/src/codex_plugin_scanner/guard/config.py RENAMED Viewed

@@ -37,6 +37,7 @@ VALID_SECURITY_LEVELS = {"balanced", "strict", "custom"}
 VALID_RISK_ACTION_KEYS = {
     "local_secret_read",
     "credential_exfiltration",
+    "data_flow_exfiltration",
     "destructive_shell",
     "encoded_execution",
     "network_egress",
@@ -46,6 +47,7 @@ SECURITY_LEVEL_RISK_ACTIONS: dict[str, dict[str, GuardAction]] = {
     "balanced": {
         "local_secret_read": "require-reapproval",
         "credential_exfiltration": "require-reapproval",
+        "data_flow_exfiltration": "require-reapproval",
         "destructive_shell": "require-reapproval",
         "encoded_execution": "require-reapproval",
         "network_egress": "warn",
@@ -53,6 +55,7 @@ SECURITY_LEVEL_RISK_ACTIONS: dict[str, dict[str, GuardAction]] = {
     "strict": {
         "local_secret_read": "require-reapproval",
         "credential_exfiltration": "require-reapproval",
+        "data_flow_exfiltration": "block",
         "destructive_shell": "require-reapproval",
         "encoded_execution": "require-reapproval",
         "network_egress": "require-reapproval",
@@ -60,6 +63,7 @@ SECURITY_LEVEL_RISK_ACTIONS: dict[str, dict[str, GuardAction]] = {
     "custom": {
         "local_secret_read": "require-reapproval",
         "credential_exfiltration": "require-reapproval",
+        "data_flow_exfiltration": "require-reapproval",
         "destructive_shell": "require-reapproval",
         "encoded_execution": "require-reapproval",
         "network_egress": "warn",

plugin-scanner 2.0.113__tar.gz → 2.0.114__tar.gz

plugin-scanner 2.0.113tar.gz → 2.0.114tar.gz