plugin-scanner 2.0.116__tar.gz → 2.0.118__tar.gz

{plugin_scanner-2.0.116 → plugin_scanner-2.0.118}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.116
+Version: 2.0.118
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.116 → plugin_scanner-2.0.118}/dashboard/src/guard-api.test.ts

@@ -4,6 +4,7 @@ import {
   parseActionEnvelope,
   parseDecisionV2
 } from "./guard-api";
+import { resolveCloudSyncHealthCopy } from "./runtime-overview";
 import {
   resolveDecisionV2Detail,
   resolveDecisionV2Title,
@@ -29,6 +30,29 @@ assert(snapshot.cloud_pairing_state.dashboard_url === snapshot.dashboard_url, "d
 assert(snapshot.cloud_pairing_state.inbox_url === snapshot.inbox_url, "demo inbox URL is preserved");
 assert(snapshot.cloud_pairing_state.fleet_url === snapshot.fleet_url, "demo fleet URL is preserved");
 assert(snapshot.cloud_pairing_state.connect_url === snapshot.connect_url, "demo connect URL is preserved");
+assert(snapshot.cloud_sync_health.state === "pending", "demo snapshot exposes pending Cloud sync health");
+
+const expectedSyncHealthLabels = {
+  healthy: "Cloud sync healthy",
+  pending: "Cloud sync pending",
+  failed: "Cloud sync needs attention",
+  degraded: "Cloud sync degraded",
+  disabled: "Cloud sync disabled",
+  stale: "Cloud sync stale"
+};
+
+for (const [state, label] of Object.entries(expectedSyncHealthLabels)) {
+  const copy = resolveCloudSyncHealthCopy({
+    state: state as keyof typeof expectedSyncHealthLabels,
+    label,
+    detail: `${label} detail`,
+    pending_events: state === "pending" ? 2 : 0,
+    last_synced_at: state === "disabled" ? null : "2026-04-24T00:00:00+00:00",
+    next_retry_after: state === "failed" ? "2026-04-24T00:02:00+00:00" : null
+  });
+  assert(copy.label === label, `T370: ${state} sync health label is preserved`);
+  assert(copy.detail.includes("detail"), `T370: ${state} sync health detail is preserved`);
+}
 
 const BASE_ENVELOPE: GuardActionEnvelope = {
   schema_version: 1,

{plugin_scanner-2.0.116 → plugin_scanner-2.0.118}/dashboard/src/guard-api.ts

@@ -411,6 +411,14 @@ export function buildDemoRuntimeSnapshot(): GuardRuntimeSnapshot {
       fleet_url: fleetUrl,
       connect_url: connectUrl
     },
+    cloud_sync_health: {
+      state: "pending",
+      label: "Cloud sync pending",
+      detail: "Waiting for the first shared Cloud proof from this machine.",
+      pending_events: 1,
+      last_synced_at: null,
+      next_retry_after: null
+    },
     dashboard_url: dashboardUrl,
     inbox_url: inboxUrl,
     fleet_url: fleetUrl,

{plugin_scanner-2.0.116 → plugin_scanner-2.0.118}/dashboard/src/guard-types.ts

@@ -153,6 +153,15 @@ export type GuardCloudPairingState = {
   connect_url: string;
 };
 
+export type GuardCloudSyncHealth = {
+  state: "healthy" | "pending" | "failed" | "degraded" | "disabled" | "stale";
+  label: string;
+  detail: string;
+  pending_events: number;
+  last_synced_at: string | null;
+  next_retry_after: string | null;
+};
+
 export type GuardRuntimeSnapshot = {
   generated_at: string;
   approval_center_url: string | null;
@@ -167,6 +176,7 @@ export type GuardRuntimeSnapshot = {
   cloud_state_label: string;
   cloud_state_detail: string;
   cloud_pairing_state: GuardCloudPairingState;
+  cloud_sync_health: GuardCloudSyncHealth;
   dashboard_url: string;
   inbox_url: string;
   fleet_url: string;

{plugin_scanner-2.0.116 → plugin_scanner-2.0.118}/dashboard/src/runtime-overview.tsx

@@ -1,5 +1,5 @@
 import { ActionButton, Badge, KeyValueGrid, SectionLabel, Surface, Tag } from "./approval-center-primitives";
-import type { GuardRuntimeSnapshot } from "./guard-types";
+import type { GuardCloudSyncHealth, GuardRuntimeSnapshot } from "./guard-types";
 
 type RuntimeOverviewProps = {
   snapshot: GuardRuntimeSnapshot;
@@ -34,6 +34,35 @@ function remediationLine(snapshot: GuardRuntimeSnapshot): string {
   return "Open Guard Cloud for shared proof, Watched Apps for local coverage, or the review queue when something needs your choice.";
 }
 
+export function resolveCloudSyncHealthCopy(health: GuardCloudSyncHealth): { label: string; detail: string } {
+  return {
+    label: health.label,
+    detail: health.detail
+  };
+}
+
+function cloudSyncHealthTone(state: GuardCloudSyncHealth["state"]): "blue" | "slate" {
+  if (state === "disabled" || state === "failed" || state === "stale") {
+    return "slate";
+  }
+  return "blue";
+}
+
+function CloudSyncHealthCard(props: { health: GuardCloudSyncHealth }) {
+  const copy = resolveCloudSyncHealthCopy(props.health);
+  return (
+    <div className="rounded-xl border border-border bg-white px-5 py-4">
+      <div className="flex flex-wrap items-center justify-between gap-2">
+        <p className="text-xs font-semibold uppercase tracking-[0.18em] text-brand-blue">
+          Cloud sync health
+        </p>
+        <Tag tone={cloudSyncHealthTone(props.health.state)}>{copy.label}</Tag>
+      </div>
+      <p className="mt-2 text-sm leading-relaxed text-brand-dark/80">{copy.detail}</p>
+    </div>
+  );
+}
+
 export function RuntimeOverview(props: RuntimeOverviewProps) {
   const { snapshot } = props;
 
@@ -72,6 +101,8 @@ export function RuntimeOverview(props: RuntimeOverviewProps) {
           />
         </div>
 
+        <CloudSyncHealthCard health={snapshot.cloud_sync_health} />
+
         <div className="rounded-xl border border-border bg-white px-5 py-4">
           <p className="text-xs font-semibold uppercase tracking-[0.18em] text-brand-blue">
             Recommended next step

{plugin_scanner-2.0.116 → plugin_scanner-2.0.118}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.116"
+version = "2.0.118"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.116 → plugin_scanner-2.0.118}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.116"
+version = "2.0.118"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

plugin_scanner-2.0.118/src/codex_plugin_scanner/guard/access_graph_events.py

@@ -0,0 +1,223 @@
+"""Local access graph snapshot event queueing for Guard Cloud."""
+
+from __future__ import annotations
+
+import hashlib
+import json
+
+from .edge_events import build_access_graph_snapshot_event
+from .models import HarnessDetection
+from .redaction import redact_sensitive_text
+from .store import GuardStore
+
+
+def queue_access_graph_snapshot(
+    *,
+    store: GuardStore,
+    detection: HarnessDetection,
+    artifacts: list[dict[str, object]],
+    now: str,
+) -> None:
+    workspace_id = store.get_cloud_workspace_id()
+    device_id = store.get_or_create_installation_id()
+    device_fingerprint = f"device:{device_id}"
+    harness_fingerprint = f"harness:{detection.harness}"
+    agent_id = f"{detection.harness}:local-agent"
+    agent_fingerprint = f"agent:{agent_id}"
+    entities: list[dict[str, object]] = []
+    edges: list[dict[str, object]] = []
+    seen_fingerprints: set[str] = set()
+
+    def add_entity(entity: dict[str, object]) -> None:
+        fingerprint = entity.get("fingerprint")
+        if not isinstance(fingerprint, str) or fingerprint in seen_fingerprints:
+            return
+        seen_fingerprints.add(fingerprint)
+        entities.append(entity)
+
+    _add_device_harness_and_agent(
+        add_entity=add_entity,
+        edges=edges,
+        device_id=device_id,
+        device_fingerprint=device_fingerprint,
+        detection=detection,
+        harness_fingerprint=harness_fingerprint,
+        agent_id=agent_id,
+        agent_fingerprint=agent_fingerprint,
+        now=now,
+    )
+    _add_artifact_entities(
+        add_entity=add_entity,
+        edges=edges,
+        artifacts=artifacts,
+        agent_fingerprint=agent_fingerprint,
+        now=now,
+    )
+    snapshot_seed = {
+        "workspace": workspace_id,
+        "device": device_id,
+        "harness": detection.harness,
+        "generatedAt": now,
+    }
+    snapshot_hash = hashlib.sha256(json.dumps(snapshot_seed, sort_keys=True).encode("utf-8")).hexdigest()[:24]
+    snapshot_id = f"access-graph-{snapshot_hash}"
+    payload = {
+        "snapshotId": snapshot_id,
+        "generatedAt": now,
+        "entities": entities,
+        "edges": edges,
+    }
+    try:
+        store.add_guard_event_v1(
+            build_access_graph_snapshot_event(
+                snapshot_id=snapshot_id,
+                occurred_at=now,
+                payload=payload,
+                workspace_id=workspace_id,
+                device_id=device_id,
+            )
+        )
+    except Exception as error:
+        store.add_event(
+            "access_graph_snapshot_queue_failed",
+            {
+                "error_type": type(error).__name__,
+                "message": redact_sensitive_text(str(error)),
+            },
+            now,
+        )
+
+
+def _add_device_harness_and_agent(
+    *,
+    add_entity,
+    edges: list[dict[str, object]],
+    device_id: str,
+    device_fingerprint: str,
+    detection: HarnessDetection,
+    harness_fingerprint: str,
+    agent_id: str,
+    agent_fingerprint: str,
+    now: str,
+) -> None:
+    add_entity(
+        {
+            "entityType": "device",
+            "entityId": device_id,
+            "displayName": "Local machine",
+            "fingerprint": device_fingerprint,
+            "metadata": {},
+            "firstSeenAt": now,
+            "lastSeenAt": now,
+        }
+    )
+    add_entity(
+        {
+            "entityType": "harness",
+            "entityId": detection.harness,
+            "displayName": detection.harness,
+            "fingerprint": harness_fingerprint,
+            "metadata": {"installed": detection.installed, "commandAvailable": detection.command_available},
+            "firstSeenAt": now,
+            "lastSeenAt": now,
+        }
+    )
+    edges.append(
+        {
+            "sourceFingerprint": device_fingerprint,
+            "targetFingerprint": harness_fingerprint,
+            "edgeType": "device_runs_harness",
+            "confidence": 100,
+            "metadata": {},
+            "firstSeenAt": now,
+            "lastSeenAt": now,
+        }
+    )
+    add_entity(
+        {
+            "entityType": "agent",
+            "entityId": agent_id,
+            "displayName": f"{detection.harness} local agent",
+            "fingerprint": agent_fingerprint,
+            "metadata": {"harness": detection.harness},
+            "firstSeenAt": now,
+            "lastSeenAt": now,
+        }
+    )
+    edges.append(
+        {
+            "sourceFingerprint": harness_fingerprint,
+            "targetFingerprint": agent_fingerprint,
+            "edgeType": "harness_runs_agent",
+            "confidence": 90,
+            "metadata": {},
+            "firstSeenAt": now,
+            "lastSeenAt": now,
+        }
+    )
+
+
+def _add_artifact_entities(
+    *,
+    add_entity,
+    edges: list[dict[str, object]],
+    artifacts: list[dict[str, object]],
+    agent_fingerprint: str,
+    now: str,
+) -> None:
+    for artifact in artifacts:
+        artifact_id = _non_empty_string(artifact.get("artifact_id"))
+        if artifact_id is None:
+            continue
+        artifact_type = _non_empty_string(artifact.get("artifact_type")) or "tool"
+        entity_type = _access_graph_entity_type(artifact_type)
+        fingerprint = f"{entity_type}:{artifact_id}"
+        add_entity(
+            {
+                "entityType": entity_type,
+                "entityId": artifact_id,
+                "displayName": _non_empty_string(artifact.get("artifact_name")) or artifact_id,
+                "fingerprint": fingerprint,
+                "metadata": {
+                    "artifactType": artifact_type,
+                    "sourceScope": _non_empty_string(artifact.get("source_scope")),
+                    "policyAction": _non_empty_string(artifact.get("policy_action")),
+                    "present": artifact.get("removed") is not True,
+                },
+                "firstSeenAt": now,
+                "lastSeenAt": now,
+            }
+        )
+        edge_type = _access_graph_artifact_edge_type(entity_type)
+        if edge_type is not None:
+            edges.append(
+                {
+                    "sourceFingerprint": agent_fingerprint,
+                    "targetFingerprint": fingerprint,
+                    "edgeType": edge_type,
+                    "confidence": 80,
+                    "metadata": {},
+                    "firstSeenAt": now,
+                    "lastSeenAt": now,
+                }
+            )
+
+
+def _access_graph_entity_type(artifact_type: str) -> str:
+    if artifact_type in {"skill", "mcp_server", "tool", "repository", "agent", "policy", "integration"}:
+        return artifact_type
+    return "tool"
+
+
+def _access_graph_artifact_edge_type(entity_type: str) -> str | None:
+    if entity_type == "skill":
+        return "agent_uses_skill"
+    if entity_type == "mcp_server":
+        return "agent_uses_mcp_server"
+    return None
+
+
+def _non_empty_string(value: object) -> str | None:
+    if isinstance(value, str) and value.strip():
+        return value
+    return None

{plugin_scanner-2.0.116 → plugin_scanner-2.0.118}/src/codex_plugin_scanner/guard/approvals.py

@@ -6,7 +6,7 @@ import time
 import uuid
 from collections.abc import Mapping
 from dataclasses import replace
-from datetime import datetime, timezone
+from datetime import datetime, timedelta, timezone
 from pathlib import Path
 from urllib.parse import urlparse
 
@@ -374,11 +374,13 @@ def _build_runtime_cloud_context(store: GuardStore) -> dict[str, object]:
         remote_payload_active=remote_payload_active,
     )
     dashboard_url, inbox_url, fleet_url, connect_url = _resolve_guard_urls(sync_url)
+    sync_health = _build_cloud_sync_health(store, credentials is not None, cloud_state)
     return {
         "sync_configured": credentials is not None,
         "cloud_state": cloud_state,
         "cloud_state_label": _runtime_cloud_state_label(cloud_state),
         "cloud_state_detail": _runtime_cloud_state_detail(cloud_state),
+        "cloud_sync_health": sync_health,
         "cloud_pairing_state": {
             "state": cloud_state,
             "label": _runtime_cloud_state_label(cloud_state),
@@ -396,6 +398,102 @@ def _build_runtime_cloud_context(store: GuardStore) -> dict[str, object]:
     }
 
 
+def _build_cloud_sync_health(store: GuardStore, sync_configured: bool, cloud_state: str) -> dict[str, object]:
+    pending_events = store.count_guard_events_v1(uploaded=False)
+    event_summary = store.get_sync_payload("guard_events_v1_summary") or {}
+    sync_summary = store.get_sync_payload("sync_summary") or {}
+    runtime_summary = store.get_sync_payload("runtime_session_summary") or {}
+    last_synced_at = _latest_sync_timestamp(
+        event_summary.get("synced_at"),
+        sync_summary.get("synced_at"),
+        runtime_summary.get("synced_at"),
+    )
+    if not sync_configured:
+        state = "disabled"
+    elif isinstance(event_summary, dict) and event_summary.get("status") == "failed":
+        state = "failed"
+    elif (
+        isinstance(event_summary, dict)
+        and event_summary.get("sync_skipped") is True
+        and event_summary.get("sync_reason") == "guard_events_endpoint_unavailable"
+    ):
+        state = "degraded"
+    elif last_synced_at is not None and _timestamp_is_stale(last_synced_at):
+        state = "stale"
+    elif pending_events > 0 or cloud_state == "paired_waiting":
+        state = "pending"
+    else:
+        state = "healthy"
+    return {
+        "state": state,
+        "label": _cloud_sync_health_label(state),
+        "detail": _cloud_sync_health_detail(state, pending_events=pending_events),
+        "pending_events": pending_events,
+        "last_synced_at": last_synced_at,
+        "next_retry_after": event_summary.get("next_retry_after") if isinstance(event_summary, dict) else None,
+    }
+
+
+def _latest_sync_timestamp(*values: object) -> str | None:
+    parsed_values: list[tuple[datetime, str]] = []
+    for value in values:
+        if not isinstance(value, str) or not value.strip():
+            continue
+        parsed = _parse_timestamp(value)
+        if parsed is not None:
+            parsed_values.append((parsed, value))
+    if not parsed_values:
+        return None
+    return max(parsed_values, key=lambda item: item[0])[1]
+
+
+def _parse_timestamp(value: str) -> datetime | None:
+    try:
+        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
+    except ValueError:
+        return None
+    if parsed.tzinfo is None:
+        return parsed.replace(tzinfo=timezone.utc)
+    return parsed
+
+
+def _timestamp_is_stale(value: str) -> bool:
+    parsed = _parse_timestamp(value)
+    if parsed is None:
+        return False
+    return datetime.now(timezone.utc) - parsed > timedelta(hours=24)
+
+
+def _cloud_sync_health_label(state: str) -> str:
+    labels = {
+        "healthy": "Cloud sync healthy",
+        "pending": "Cloud sync pending",
+        "failed": "Cloud sync needs attention",
+        "degraded": "Cloud sync degraded",
+        "disabled": "Cloud sync disabled",
+        "stale": "Cloud sync stale",
+    }
+    return labels.get(state, "Cloud sync pending")
+
+
+def _cloud_sync_health_detail(state: str, *, pending_events: int) -> str:
+    if state == "healthy":
+        return "Guard Cloud has the latest local proof from this machine."
+    if state == "failed":
+        return "The latest Cloud upload failed. HOL Guard kept local protection active and will retry."
+    if state == "degraded":
+        return "Cloud accepted legacy sync, but v1 Guard event ingest is unavailable. Local protection stayed active."
+    if state == "disabled":
+        return "Local protection is active. Connect Cloud when you want shared team proof."
+    if state == "stale":
+        return "Cloud has not seen fresh local proof recently. Keep this runtime open or run sync again."
+    if pending_events == 1:
+        return "One local proof event is queued for the next Cloud sync."
+    if pending_events > 1:
+        return f"{pending_events} local proof events are queued for the next Cloud sync."
+    return "Waiting for the first shared Cloud proof from this machine."
+
+
 def _resolve_runtime_cloud_state(*, sync_configured: bool, sync_completed: bool, remote_payload_active: bool) -> str:
     if not sync_configured:
         return "local_only"

{plugin_scanner-2.0.116 → plugin_scanner-2.0.118}/src/codex_plugin_scanner/guard/cli/commands.py

@@ -95,6 +95,7 @@ from ..runtime.secret_file_requests import (
     build_file_read_request_artifact,
     build_tool_action_request_artifact,
     extract_sensitive_file_read_request,
+    extract_sensitive_file_read_request_from_action,
     extract_sensitive_tool_action_request,
     is_explicitly_benign_tool_action_request,
 )
@@ -1455,6 +1456,7 @@ def run_guard_command(
         runtime_artifact = _hook_runtime_artifact(
             harness=args.harness,
             payload=payload,
+            action_envelope=action_envelope,
             home_dir=context.home_dir,
             guard_home=context.guard_home,
             workspace=runtime_workspace,
@@ -4019,6 +4021,7 @@ def _hook_runtime_artifact(
     *,
     harness: str,
     payload: dict[str, object],
+    action_envelope: GuardActionEnvelope | None,
     home_dir: Path,
     guard_home: Path,
     workspace: Path | None,
@@ -4079,6 +4082,12 @@ def _hook_runtime_artifact(
         cwd=workspace,
         home_dir=home_dir,
     )
+    if request is None:
+        request = (
+            extract_sensitive_file_read_request_from_action(action_envelope, cwd=workspace, home_dir=home_dir)
+            if action_envelope is not None
+            else None
+        )
     source_scope = _coalesce_string(payload.get("source_scope"), "project")
     config_path = str(_runtime_policy_path(harness, home_dir, workspace))
     if request is not None:
@@ -5916,7 +5925,7 @@ def _guard_service_login_payload(
         "client_title": label,
         "client_version": _GUARD_CLIENT_VERSION,
     }
-    store.set_sync_credentials(sync_url, token, now)
+    store.set_sync_credentials(sync_url, token, now, workspace_id=workspace or None)
     store.set_sync_payload(_SERVICE_RUNTIME_PROFILE_STATE_KEY, service_profile, now)
     device = store.set_device_label(label, now)
     store.add_event(

{plugin_scanner-2.0.116 → plugin_scanner-2.0.118}/src/codex_plugin_scanner/guard/consumer/service.py

@@ -9,6 +9,7 @@ from pathlib import Path
 from typing import Any
 
 from ...models import ScanOptions
+from ..access_graph_events import queue_access_graph_snapshot
 from ..adapters import get_adapter, list_adapters
 from ..adapters.base import HarnessContext
 from ..capabilities import compute_capability_delta, normalize_artifact_capabilities, severity_from_deltas
@@ -658,6 +659,13 @@ def evaluate_detection(
             },
             now,
         )
+    if persist:
+        queue_access_graph_snapshot(
+            store=store,
+            detection=detection,
+            artifacts=results,
+            now=now,
+        )
     return {
         "harness": detection.harness,
         "artifacts": results,