PyPI - plugin-scanner - Versions diffs - 2.0.117__tar.gz → 2.0.119__tar.gz - Mend

plugin-scanner 2.0.117tar.gz → 2.0.119tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (364) hide show

{plugin_scanner-2.0.117 → plugin_scanner-2.0.119}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.117
+Version: 2.0.119
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.117 → plugin_scanner-2.0.119}/dashboard/src/guard-api.test.ts RENAMED Viewed

@@ -4,6 +4,7 @@ import {
   parseActionEnvelope,
   parseDecisionV2
 } from "./guard-api";
+import { resolveCloudSyncHealthCopy } from "./runtime-overview";
 import {
   resolveDecisionV2Detail,
   resolveDecisionV2Title,
@@ -29,6 +30,29 @@ assert(snapshot.cloud_pairing_state.dashboard_url === snapshot.dashboard_url, "d
 assert(snapshot.cloud_pairing_state.inbox_url === snapshot.inbox_url, "demo inbox URL is preserved");
 assert(snapshot.cloud_pairing_state.fleet_url === snapshot.fleet_url, "demo fleet URL is preserved");
 assert(snapshot.cloud_pairing_state.connect_url === snapshot.connect_url, "demo connect URL is preserved");
+assert(snapshot.cloud_sync_health.state === "pending", "demo snapshot exposes pending Cloud sync health");
+const expectedSyncHealthLabels = {
+  healthy: "Cloud sync healthy",
+  pending: "Cloud sync pending",
+  failed: "Cloud sync needs attention",
+  degraded: "Cloud sync degraded",
+  disabled: "Cloud sync disabled",
+  stale: "Cloud sync stale"
+};
+for (const [state, label] of Object.entries(expectedSyncHealthLabels)) {
+  const copy = resolveCloudSyncHealthCopy({
+    state: state as keyof typeof expectedSyncHealthLabels,
+    label,
+    detail: `${label} detail`,
+    pending_events: state === "pending" ? 2 : 0,
+    last_synced_at: state === "disabled" ? null : "2026-04-24T00:00:00+00:00",
+    next_retry_after: state === "failed" ? "2026-04-24T00:02:00+00:00" : null
+  });
+  assert(copy.label === label, `T370: ${state} sync health label is preserved`);
+  assert(copy.detail.includes("detail"), `T370: ${state} sync health detail is preserved`);
+}
 const BASE_ENVELOPE: GuardActionEnvelope = {
   schema_version: 1,

{plugin_scanner-2.0.117 → plugin_scanner-2.0.119}/dashboard/src/guard-api.ts RENAMED Viewed

@@ -411,6 +411,14 @@ export function buildDemoRuntimeSnapshot(): GuardRuntimeSnapshot {
       fleet_url: fleetUrl,
       connect_url: connectUrl
     },
+    cloud_sync_health: {
+      state: "pending",
+      label: "Cloud sync pending",
+      detail: "Waiting for the first shared Cloud proof from this machine.",
+      pending_events: 1,
+      last_synced_at: null,
+      next_retry_after: null
+    },
     dashboard_url: dashboardUrl,
     inbox_url: inboxUrl,
     fleet_url: fleetUrl,

{plugin_scanner-2.0.117 → plugin_scanner-2.0.119}/dashboard/src/guard-types.ts RENAMED Viewed

@@ -153,6 +153,15 @@ export type GuardCloudPairingState = {
   connect_url: string;
 };
+export type GuardCloudSyncHealth = {
+  state: "healthy" | "pending" | "failed" | "degraded" | "disabled" | "stale";
+  label: string;
+  detail: string;
+  pending_events: number;
+  last_synced_at: string | null;
+  next_retry_after: string | null;
+};
 export type GuardRuntimeSnapshot = {
   generated_at: string;
   approval_center_url: string | null;
@@ -167,6 +176,7 @@ export type GuardRuntimeSnapshot = {
   cloud_state_label: string;
   cloud_state_detail: string;
   cloud_pairing_state: GuardCloudPairingState;
+  cloud_sync_health: GuardCloudSyncHealth;
   dashboard_url: string;
   inbox_url: string;
   fleet_url: string;

{plugin_scanner-2.0.117 → plugin_scanner-2.0.119}/dashboard/src/runtime-overview.tsx RENAMED Viewed

@@ -1,5 +1,5 @@
 import { ActionButton, Badge, KeyValueGrid, SectionLabel, Surface, Tag } from "./approval-center-primitives";
-import type { GuardRuntimeSnapshot } from "./guard-types";
+import type { GuardCloudSyncHealth, GuardRuntimeSnapshot } from "./guard-types";
 type RuntimeOverviewProps = {
   snapshot: GuardRuntimeSnapshot;
@@ -34,6 +34,35 @@ function remediationLine(snapshot: GuardRuntimeSnapshot): string {
   return "Open Guard Cloud for shared proof, Watched Apps for local coverage, or the review queue when something needs your choice.";
 }
+export function resolveCloudSyncHealthCopy(health: GuardCloudSyncHealth): { label: string; detail: string } {
+  return {
+    label: health.label,
+    detail: health.detail
+  };
+}
+function cloudSyncHealthTone(state: GuardCloudSyncHealth["state"]): "blue" | "slate" {
+  if (state === "disabled" || state === "failed" || state === "stale") {
+    return "slate";
+  }
+  return "blue";
+}
+function CloudSyncHealthCard(props: { health: GuardCloudSyncHealth }) {
+  const copy = resolveCloudSyncHealthCopy(props.health);
+  return (
+    <div className="rounded-xl border border-border bg-white px-5 py-4">
+      <div className="flex flex-wrap items-center justify-between gap-2">
+        <p className="text-xs font-semibold uppercase tracking-[0.18em] text-brand-blue">
+          Cloud sync health
+        </p>
+        <Tag tone={cloudSyncHealthTone(props.health.state)}>{copy.label}</Tag>
+      </div>
+      <p className="mt-2 text-sm leading-relaxed text-brand-dark/80">{copy.detail}</p>
+    </div>
+  );
+}
 export function RuntimeOverview(props: RuntimeOverviewProps) {
   const { snapshot } = props;
@@ -72,6 +101,8 @@ export function RuntimeOverview(props: RuntimeOverviewProps) {
           />
         </div>
+        <CloudSyncHealthCard health={snapshot.cloud_sync_health} />
         <div className="rounded-xl border border-border bg-white px-5 py-4">
           <p className="text-xs font-semibold uppercase tracking-[0.18em] text-brand-blue">
             Recommended next step

{plugin_scanner-2.0.117 → plugin_scanner-2.0.119}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "plugin-scanner"
-version = "2.0.117"
+version = "2.0.119"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.117 → plugin_scanner-2.0.119}/pyproject.toml.bak RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "hol-guard"
-version = "2.0.117"
+version = "2.0.119"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

plugin_scanner-2.0.119/src/codex_plugin_scanner/guard/access_graph_events.py ADDED Viewed

@@ -0,0 +1,223 @@
+"""Local access graph snapshot event queueing for Guard Cloud."""
+from __future__ import annotations
+import hashlib
+import json
+from .edge_events import build_access_graph_snapshot_event
+from .models import HarnessDetection
+from .redaction import redact_sensitive_text
+from .store import GuardStore
+def queue_access_graph_snapshot(
+    *,
+    store: GuardStore,
+    detection: HarnessDetection,
+    artifacts: list[dict[str, object]],
+    now: str,
+) -> None:
+    workspace_id = store.get_cloud_workspace_id()
+    device_id = store.get_or_create_installation_id()
+    device_fingerprint = f"device:{device_id}"
+    harness_fingerprint = f"harness:{detection.harness}"
+    agent_id = f"{detection.harness}:local-agent"
+    agent_fingerprint = f"agent:{agent_id}"
+    entities: list[dict[str, object]] = []
+    edges: list[dict[str, object]] = []
+    seen_fingerprints: set[str] = set()
+    def add_entity(entity: dict[str, object]) -> None:
+        fingerprint = entity.get("fingerprint")
+        if not isinstance(fingerprint, str) or fingerprint in seen_fingerprints:
+            return
+        seen_fingerprints.add(fingerprint)
+        entities.append(entity)
+    _add_device_harness_and_agent(
+        add_entity=add_entity,
+        edges=edges,
+        device_id=device_id,
+        device_fingerprint=device_fingerprint,
+        detection=detection,
+        harness_fingerprint=harness_fingerprint,
+        agent_id=agent_id,
+        agent_fingerprint=agent_fingerprint,
+        now=now,
+    )
+    _add_artifact_entities(
+        add_entity=add_entity,
+        edges=edges,
+        artifacts=artifacts,
+        agent_fingerprint=agent_fingerprint,
+        now=now,
+    )
+    snapshot_seed = {
+        "workspace": workspace_id,
+        "device": device_id,
+        "harness": detection.harness,
+        "generatedAt": now,
+    }
+    snapshot_hash = hashlib.sha256(json.dumps(snapshot_seed, sort_keys=True).encode("utf-8")).hexdigest()[:24]
+    snapshot_id = f"access-graph-{snapshot_hash}"
+    payload = {
+        "snapshotId": snapshot_id,
+        "generatedAt": now,
+        "entities": entities,
+        "edges": edges,
+    }
+    try:
+        store.add_guard_event_v1(
+            build_access_graph_snapshot_event(
+                snapshot_id=snapshot_id,
+                occurred_at=now,
+                payload=payload,
+                workspace_id=workspace_id,
+                device_id=device_id,
+            )
+        )
+    except Exception as error:
+        store.add_event(
+            "access_graph_snapshot_queue_failed",
+            {
+                "error_type": type(error).__name__,
+                "message": redact_sensitive_text(str(error)),
+            },
+            now,
+        )
+def _add_device_harness_and_agent(
+    *,
+    add_entity,
+    edges: list[dict[str, object]],
+    device_id: str,
+    device_fingerprint: str,
+    detection: HarnessDetection,
+    harness_fingerprint: str,
+    agent_id: str,
+    agent_fingerprint: str,
+    now: str,
+) -> None:
+    add_entity(
+        {
+            "entityType": "device",
+            "entityId": device_id,
+            "displayName": "Local machine",
+            "fingerprint": device_fingerprint,
+            "metadata": {},
+            "firstSeenAt": now,
+            "lastSeenAt": now,
+        }
+    )
+    add_entity(
+        {
+            "entityType": "harness",
+            "entityId": detection.harness,
+            "displayName": detection.harness,
+            "fingerprint": harness_fingerprint,
+            "metadata": {"installed": detection.installed, "commandAvailable": detection.command_available},
+            "firstSeenAt": now,
+            "lastSeenAt": now,
+        }
+    )
+    edges.append(
+        {
+            "sourceFingerprint": device_fingerprint,
+            "targetFingerprint": harness_fingerprint,
+            "edgeType": "device_runs_harness",
+            "confidence": 100,
+            "metadata": {},
+            "firstSeenAt": now,
+            "lastSeenAt": now,
+        }
+    )
+    add_entity(
+        {
+            "entityType": "agent",
+            "entityId": agent_id,
+            "displayName": f"{detection.harness} local agent",
+            "fingerprint": agent_fingerprint,
+            "metadata": {"harness": detection.harness},
+            "firstSeenAt": now,
+            "lastSeenAt": now,
+        }
+    )
+    edges.append(
+        {
+            "sourceFingerprint": harness_fingerprint,
+            "targetFingerprint": agent_fingerprint,
+            "edgeType": "harness_runs_agent",
+            "confidence": 90,
+            "metadata": {},
+            "firstSeenAt": now,
+            "lastSeenAt": now,
+        }
+    )
+def _add_artifact_entities(
+    *,
+    add_entity,
+    edges: list[dict[str, object]],
+    artifacts: list[dict[str, object]],
+    agent_fingerprint: str,
+    now: str,
+) -> None:
+    for artifact in artifacts:
+        artifact_id = _non_empty_string(artifact.get("artifact_id"))
+        if artifact_id is None:
+            continue
+        artifact_type = _non_empty_string(artifact.get("artifact_type")) or "tool"
+        entity_type = _access_graph_entity_type(artifact_type)
+        fingerprint = f"{entity_type}:{artifact_id}"
+        add_entity(
+            {
+                "entityType": entity_type,
+                "entityId": artifact_id,
+                "displayName": _non_empty_string(artifact.get("artifact_name")) or artifact_id,
+                "fingerprint": fingerprint,
+                "metadata": {
+                    "artifactType": artifact_type,
+                    "sourceScope": _non_empty_string(artifact.get("source_scope")),
+                    "policyAction": _non_empty_string(artifact.get("policy_action")),
+                    "present": artifact.get("removed") is not True,
+                },
+                "firstSeenAt": now,
+                "lastSeenAt": now,
+            }
+        )
+        edge_type = _access_graph_artifact_edge_type(entity_type)
+        if edge_type is not None:
+            edges.append(
+                {
+                    "sourceFingerprint": agent_fingerprint,
+                    "targetFingerprint": fingerprint,
+                    "edgeType": edge_type,
+                    "confidence": 80,
+                    "metadata": {},
+                    "firstSeenAt": now,
+                    "lastSeenAt": now,
+                }
+            )
+def _access_graph_entity_type(artifact_type: str) -> str:
+    if artifact_type in {"skill", "mcp_server", "tool", "repository", "agent", "policy", "integration"}:
+        return artifact_type
+    return "tool"
+def _access_graph_artifact_edge_type(entity_type: str) -> str | None:
+    if entity_type == "skill":
+        return "agent_uses_skill"
+    if entity_type == "mcp_server":
+        return "agent_uses_mcp_server"
+    return None
+def _non_empty_string(value: object) -> str | None:
+    if isinstance(value, str) and value.strip():
+        return value
+    return None

{plugin_scanner-2.0.117 → plugin_scanner-2.0.119}/src/codex_plugin_scanner/guard/adapters/mcp_servers.py RENAMED Viewed

@@ -8,6 +8,7 @@ from hashlib import sha256
 from pathlib import PurePath
 from ..models import GuardArtifact, HarnessDetection
+from ..runtime.mcp_protection import McpServerIdentity, build_mcp_server_identity
 @dataclass(frozen=True, slots=True)
@@ -23,6 +24,7 @@ class ManagedMcpServer:
     transport: str
     env: dict[str, str]
     enabled: bool
+    identity: McpServerIdentity | None = None
 _GUARD_PROXY_COMMANDS = frozenset(
@@ -113,6 +115,9 @@ def proxy_cli_args(
         args.extend(["--workspace", workspace])
     for value in server.args:
         args.append(f"--arg={value}")
+    for key in sorted(server.env):
+        if key.strip():
+            args.append(f"--server-env-key={key.strip()}")
     return args
@@ -156,6 +161,13 @@ def _managed_stdio_server(artifact: GuardArtifact) -> ManagedMcpServer | None:
         transport=transport,
         env=env,
         enabled=enabled,
+        identity=build_mcp_server_identity(
+            config_path=artifact.config_path,
+            command=artifact.command,
+            args=artifact.args,
+            transport=transport,
+            env=env,
+        ),
     )

{plugin_scanner-2.0.117 → plugin_scanner-2.0.119}/src/codex_plugin_scanner/guard/approvals.py RENAMED Viewed

@@ -6,7 +6,7 @@ import time
 import uuid
 from collections.abc import Mapping
 from dataclasses import replace
-from datetime import datetime, timezone
+from datetime import datetime, timedelta, timezone
 from pathlib import Path
 from urllib.parse import urlparse
@@ -374,11 +374,13 @@ def _build_runtime_cloud_context(store: GuardStore) -> dict[str, object]:
         remote_payload_active=remote_payload_active,
     )
     dashboard_url, inbox_url, fleet_url, connect_url = _resolve_guard_urls(sync_url)
+    sync_health = _build_cloud_sync_health(store, credentials is not None, cloud_state)
     return {
         "sync_configured": credentials is not None,
         "cloud_state": cloud_state,
         "cloud_state_label": _runtime_cloud_state_label(cloud_state),
         "cloud_state_detail": _runtime_cloud_state_detail(cloud_state),
+        "cloud_sync_health": sync_health,
         "cloud_pairing_state": {
             "state": cloud_state,
             "label": _runtime_cloud_state_label(cloud_state),
@@ -396,6 +398,102 @@ def _build_runtime_cloud_context(store: GuardStore) -> dict[str, object]:
     }
+def _build_cloud_sync_health(store: GuardStore, sync_configured: bool, cloud_state: str) -> dict[str, object]:
+    pending_events = store.count_guard_events_v1(uploaded=False)
+    event_summary = store.get_sync_payload("guard_events_v1_summary") or {}
+    sync_summary = store.get_sync_payload("sync_summary") or {}
+    runtime_summary = store.get_sync_payload("runtime_session_summary") or {}
+    last_synced_at = _latest_sync_timestamp(
+        event_summary.get("synced_at"),
+        sync_summary.get("synced_at"),
+        runtime_summary.get("synced_at"),
+    )
+    if not sync_configured:
+        state = "disabled"
+    elif isinstance(event_summary, dict) and event_summary.get("status") == "failed":
+        state = "failed"
+    elif (
+        isinstance(event_summary, dict)
+        and event_summary.get("sync_skipped") is True
+        and event_summary.get("sync_reason") == "guard_events_endpoint_unavailable"
+    ):
+        state = "degraded"
+    elif last_synced_at is not None and _timestamp_is_stale(last_synced_at):
+        state = "stale"
+    elif pending_events > 0 or cloud_state == "paired_waiting":
+        state = "pending"
+    else:
+        state = "healthy"
+    return {
+        "state": state,
+        "label": _cloud_sync_health_label(state),
+        "detail": _cloud_sync_health_detail(state, pending_events=pending_events),
+        "pending_events": pending_events,
+        "last_synced_at": last_synced_at,
+        "next_retry_after": event_summary.get("next_retry_after") if isinstance(event_summary, dict) else None,
+    }
+def _latest_sync_timestamp(*values: object) -> str | None:
+    parsed_values: list[tuple[datetime, str]] = []
+    for value in values:
+        if not isinstance(value, str) or not value.strip():
+            continue
+        parsed = _parse_timestamp(value)
+        if parsed is not None:
+            parsed_values.append((parsed, value))
+    if not parsed_values:
+        return None
+    return max(parsed_values, key=lambda item: item[0])[1]
+def _parse_timestamp(value: str) -> datetime | None:
+    try:
+        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
+    except ValueError:
+        return None
+    if parsed.tzinfo is None:
+        return parsed.replace(tzinfo=timezone.utc)
+    return parsed
+def _timestamp_is_stale(value: str) -> bool:
+    parsed = _parse_timestamp(value)
+    if parsed is None:
+        return False
+    return datetime.now(timezone.utc) - parsed > timedelta(hours=24)
+def _cloud_sync_health_label(state: str) -> str:
+    labels = {
+        "healthy": "Cloud sync healthy",
+        "pending": "Cloud sync pending",
+        "failed": "Cloud sync needs attention",
+        "degraded": "Cloud sync degraded",
+        "disabled": "Cloud sync disabled",
+        "stale": "Cloud sync stale",
+    }
+    return labels.get(state, "Cloud sync pending")
+def _cloud_sync_health_detail(state: str, *, pending_events: int) -> str:
+    if state == "healthy":
+        return "Guard Cloud has the latest local proof from this machine."
+    if state == "failed":
+        return "The latest Cloud upload failed. HOL Guard kept local protection active and will retry."
+    if state == "degraded":
+        return "Cloud accepted legacy sync, but v1 Guard event ingest is unavailable. Local protection stayed active."
+    if state == "disabled":
+        return "Local protection is active. Connect Cloud when you want shared team proof."
+    if state == "stale":
+        return "Cloud has not seen fresh local proof recently. Keep this runtime open or run sync again."
+    if pending_events == 1:
+        return "One local proof event is queued for the next Cloud sync."
+    if pending_events > 1:
+        return f"{pending_events} local proof events are queued for the next Cloud sync."
+    return "Waiting for the first shared Cloud proof from this machine."
 def _resolve_runtime_cloud_state(*, sync_configured: bool, sync_completed: bool, remote_payload_active: bool) -> str:
     if not sync_configured:
         return "local_only"

{plugin_scanner-2.0.117 → plugin_scanner-2.0.119}/src/codex_plugin_scanner/guard/cli/commands.py RENAMED Viewed

@@ -95,6 +95,7 @@ from ..runtime.secret_file_requests import (
     build_file_read_request_artifact,
     build_tool_action_request_artifact,
     extract_sensitive_file_read_request,
+    extract_sensitive_file_read_request_from_action,
     extract_sensitive_tool_action_request,
     is_explicitly_benign_tool_action_request,
 )
@@ -561,6 +562,7 @@ def _configure_guard_parser(guard_parser: argparse.ArgumentParser) -> None:
     codex_proxy_parser.add_argument("--transport", default="stdio")
     codex_proxy_parser.add_argument("--command", dest="server_command", required=True)
     codex_proxy_parser.add_argument("--arg", dest="server_args", action="append", default=[])
+    codex_proxy_parser.add_argument("--server-env-key", dest="server_env_keys", action="append", default=[])
     opencode_proxy_parser = guard_subparsers.add_parser("opencode-mcp-proxy", help=argparse.SUPPRESS)
     _add_guard_common_args(opencode_proxy_parser)
@@ -571,6 +573,7 @@ def _configure_guard_parser(guard_parser: argparse.ArgumentParser) -> None:
     opencode_proxy_parser.add_argument("--transport", default="local")
     opencode_proxy_parser.add_argument("--command", dest="server_command", required=True)
     opencode_proxy_parser.add_argument("--arg", dest="server_args", action="append", default=[])
+    opencode_proxy_parser.add_argument("--server-env-key", dest="server_env_keys", action="append", default=[])
     copilot_proxy_parser = guard_subparsers.add_parser("copilot-mcp-proxy", help=argparse.SUPPRESS)
     _add_guard_common_args(copilot_proxy_parser)
@@ -581,6 +584,7 @@ def _configure_guard_parser(guard_parser: argparse.ArgumentParser) -> None:
     copilot_proxy_parser.add_argument("--transport", default="stdio")
     copilot_proxy_parser.add_argument("--command", dest="server_command", required=True)
     copilot_proxy_parser.add_argument("--arg", dest="server_args", action="append", default=[])
+    copilot_proxy_parser.add_argument("--server-env-key", dest="server_env_keys", action="append", default=[])
     hermes_mcp_proxy_parser = guard_subparsers.add_parser("hermes-mcp-proxy", help=argparse.SUPPRESS)
     _add_guard_common_args(hermes_mcp_proxy_parser)
@@ -827,6 +831,7 @@ def run_guard_command(
             config_path=args.config_path,
             transport=args.transport,
             server_id=args.server_id,
+            server_env_keys=tuple(args.server_env_keys),
         )
         return proxy.serve()
@@ -841,6 +846,7 @@ def run_guard_command(
             config_path=args.config_path,
             transport=args.transport,
             server_id=args.server_id,
+            server_env_keys=tuple(args.server_env_keys),
         )
         return proxy.serve()
@@ -855,6 +861,7 @@ def run_guard_command(
             config_path=args.config_path,
             transport=args.transport,
             server_id=args.server_id,
+            server_env_keys=tuple(args.server_env_keys),
         )
         return proxy.serve()
@@ -1455,6 +1462,7 @@ def run_guard_command(
         runtime_artifact = _hook_runtime_artifact(
             harness=args.harness,
             payload=payload,
+            action_envelope=action_envelope,
             home_dir=context.home_dir,
             guard_home=context.guard_home,
             workspace=runtime_workspace,
@@ -4019,6 +4027,7 @@ def _hook_runtime_artifact(
     *,
     harness: str,
     payload: dict[str, object],
+    action_envelope: GuardActionEnvelope | None,
     home_dir: Path,
     guard_home: Path,
     workspace: Path | None,
@@ -4079,6 +4088,12 @@ def _hook_runtime_artifact(
         cwd=workspace,
         home_dir=home_dir,
     )
+    if request is None:
+        request = (
+            extract_sensitive_file_read_request_from_action(action_envelope, cwd=workspace, home_dir=home_dir)
+            if action_envelope is not None
+            else None
+        )
     source_scope = _coalesce_string(payload.get("source_scope"), "project")
     config_path = str(_runtime_policy_path(harness, home_dir, workspace))
     if request is not None:
@@ -5916,7 +5931,7 @@ def _guard_service_login_payload(
         "client_title": label,
         "client_version": _GUARD_CLIENT_VERSION,
     }
-    store.set_sync_credentials(sync_url, token, now)
+    store.set_sync_credentials(sync_url, token, now, workspace_id=workspace or None)
     store.set_sync_payload(_SERVICE_RUNTIME_PROFILE_STATE_KEY, service_profile, now)
     device = store.set_device_label(label, now)
     store.add_event(

{plugin_scanner-2.0.117 → plugin_scanner-2.0.119}/src/codex_plugin_scanner/guard/consumer/service.py RENAMED Viewed

@@ -9,6 +9,7 @@ from pathlib import Path
 from typing import Any
 from ...models import ScanOptions
+from ..access_graph_events import queue_access_graph_snapshot
 from ..adapters import get_adapter, list_adapters
 from ..adapters.base import HarnessContext
 from ..capabilities import compute_capability_delta, normalize_artifact_capabilities, severity_from_deltas
@@ -658,6 +659,13 @@ def evaluate_detection(
             },
             now,
         )
+    if persist:
+        queue_access_graph_snapshot(
+            store=store,
+            detection=detection,
+            artifacts=results,
+            now=now,
+        )
     return {
         "harness": detection.harness,
         "artifacts": results,

plugin-scanner 2.0.117__tar.gz → 2.0.119__tar.gz

plugin-scanner 2.0.117tar.gz → 2.0.119tar.gz