PyPI - plugin-scanner - Versions diffs - 2.0.122__tar.gz → 2.0.124__tar.gz - Mend

plugin-scanner 2.0.122tar.gz → 2.0.124tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (379) hide show

{plugin_scanner-2.0.122 → plugin_scanner-2.0.124}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.122
+Version: 2.0.124
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.122 → plugin_scanner-2.0.124}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "plugin-scanner"
-version = "2.0.122"
+version = "2.0.124"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.122 → plugin_scanner-2.0.124}/pyproject.toml.bak RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "hol-guard"
-version = "2.0.122"
+version = "2.0.124"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.122 → plugin_scanner-2.0.124}/src/codex_plugin_scanner/guard/cli/commands.py RENAMED Viewed

@@ -41,6 +41,7 @@ from ..bridge import (
     WebhookBackend,
 )
 from ..config import (
+    DEFAULT_SECURITY_LEVEL,
     VALID_RISK_ACTION_KEYS,
     VALID_SECURITY_LEVELS,
     GuardConfig,
@@ -414,6 +415,54 @@ def _configure_guard_parser(guard_parser: argparse.ArgumentParser) -> None:
     settings_risk_parser.add_argument("--harness")
     _add_guard_common_args(settings_risk_parser)
     settings_risk_parser.add_argument("--json", action="store_true")
+    settings_preset_parser = settings_set_subparsers.add_parser("preset", help="Apply a named security preset")
+    settings_preset_parser.add_argument("preset", choices=tuple(sorted(VALID_SECURITY_LEVELS)))
+    _add_guard_common_args(settings_preset_parser)
+    settings_preset_parser.add_argument("--json", action="store_true")
+    settings_secret_files_parser = settings_set_subparsers.add_parser(
+        "secret-files", help="Set action for local secret file reads"
+    )
+    settings_secret_files_parser.add_argument("action", choices=("ask", "warn", "allow"))
+    _add_guard_common_args(settings_secret_files_parser)
+    settings_secret_files_parser.add_argument("--json", action="store_true")
+    settings_network_parser = settings_set_subparsers.add_parser(
+        "network", help="Set action for outbound network calls"
+    )
+    settings_network_parser.add_argument("action", choices=("warn", "ask", "block"))
+    _add_guard_common_args(settings_network_parser)
+    settings_network_parser.add_argument("--json", action="store_true")
+    settings_mcp_parser = settings_set_subparsers.add_parser("mcp", help="Set MCP tool call approval policy")
+    settings_mcp_parser.add_argument("policy", choices=("allow-known", "ask-new", "ask-dangerous", "ask-all"))
+    _add_guard_common_args(settings_mcp_parser)
+    settings_mcp_parser.add_argument("--json", action="store_true")
+    settings_skills_parser = settings_set_subparsers.add_parser("skills", help="Set skill install approval policy")
+    settings_skills_parser.add_argument("policy", choices=("allow-known", "ask-new", "ask-dangerous", "ask-all"))
+    _add_guard_common_args(settings_skills_parser)
+    settings_skills_parser.add_argument("--json", action="store_true")
+    settings_packages_parser = settings_set_subparsers.add_parser(
+        "packages", help="Set package install approval policy"
+    )
+    settings_packages_parser.add_argument("policy", choices=("warn", "ask-lifecycle", "ask-all"))
+    _add_guard_common_args(settings_packages_parser)
+    settings_packages_parser.add_argument("--json", action="store_true")
+    settings_encoded_parser = settings_set_subparsers.add_parser(
+        "encoded-payloads", help="Set encoded payload detection action"
+    )
+    settings_encoded_parser.add_argument("action", choices=("warn", "ask", "block"))
+    _add_guard_common_args(settings_encoded_parser)
+    settings_encoded_parser.add_argument("--json", action="store_true")
+    settings_output_parser = settings_set_subparsers.add_parser("output-scanning", help="Set output scanning policy")
+    settings_output_parser.add_argument("policy", choices=("off", "warn", "ask"))
+    _add_guard_common_args(settings_output_parser)
+    settings_output_parser.add_argument("--json", action="store_true")
+    settings_explain_parser = settings_subparsers.add_parser(
+        "explain", help="Explain current Guard settings in plain language"
+    )
+    _add_guard_common_args(settings_explain_parser)
+    settings_explain_parser.add_argument("--json", action="store_true")
+    settings_doctor_parser = settings_subparsers.add_parser("doctor", help="Diagnose Guard settings for common issues")
+    _add_guard_common_args(settings_doctor_parser)
+    settings_doctor_parser.add_argument("--json", action="store_true")
     exceptions_parser = guard_subparsers.add_parser("exceptions", help="List active Guard exceptions with expiry")
     exceptions_parser.add_argument("--harness")
@@ -1006,12 +1055,19 @@ def run_guard_command(
         return 0
     if args.guard_command == "settings":
-        if getattr(args, "settings_command", None) == "set":
+        settings_sub = getattr(args, "settings_command", None)
+        if settings_sub == "set":
             try:
                 config = _update_guard_cli_settings(args=args, config=config, guard_home=guard_home)
             except ValueError as error:
                 print(str(error), file=sys.stderr)
                 return 2
+        elif settings_sub == "explain":
+            _emit("settings.explain", _guard_settings_explain_payload(config), getattr(args, "json", False))
+            return 0
+        elif settings_sub == "doctor":
+            _emit("settings.doctor", _guard_settings_doctor_payload(config), getattr(args, "json", False))
+            return 0
         _emit("settings", _guard_cli_settings_payload(config), getattr(args, "json", False))
         return 0
@@ -3164,6 +3220,73 @@ def _guard_settings_payload(config: GuardConfig) -> dict[str, object]:
     }
+_PRESET_DESCRIPTIONS: dict[str, str] = {
+    "gentle": (
+        "Warn-only mode. All risky actions surface as warnings so you stay informed "
+        "without blocking any agent workflows."
+    ),
+    "balanced": (
+        "Default preset. High-severity actions (secret reads, exfiltration) require "
+        "re-approval; network egress is warned."
+    ),
+    "strict": (
+        "Elevated protection. Data-flow exfiltration is blocked; all other high-risk "
+        "actions require explicit re-approval."
+    ),
+    "paranoid": (
+        "Maximum protection. Every risk class is blocked outright. "
+        "Recommended for high-security or air-gapped environments."
+    ),
+    "custom": "Fully custom action map. Each risk class uses the action you configured explicitly.",
+}
+def _guard_settings_explain_payload(config: GuardConfig) -> dict[str, object]:
+    preset = config.security_level
+    description = _PRESET_DESCRIPTIONS.get(preset, f"Unknown preset '{preset}'.")
+    effective = editable_guard_settings(config).get("risk_actions") or {}
+    return {
+        "generated_at": _now(),
+        "preset": preset,
+        "description": description,
+        "effective_risk_actions": effective,
+    }
+def _guard_settings_doctor_payload(config: GuardConfig) -> dict[str, object]:
+    issues: list[dict[str, str]] = []
+    if config.mode == "observe":
+        issues.append(
+            {
+                "severity": "warning",
+                "message": "Guard is in observe mode. No actions will be blocked or reviewed.",
+            }
+        )
+    if config.security_level not in VALID_SECURITY_LEVELS:
+        fallback = DEFAULT_SECURITY_LEVEL
+        issues.append(
+            {
+                "severity": "error",
+                "message": f"Unknown security level '{config.security_level}'. Falling back to '{fallback}'.",
+            }
+        )
+    if config.approval_wait_timeout_seconds < 10:
+        issues.append(
+            {
+                "severity": "warning",
+                "message": (
+                    f"approval_wait_timeout_seconds={config.approval_wait_timeout_seconds} is very low. "
+                    "Approvals may time out before you can respond."
+                ),
+            }
+        )
+    return {
+        "generated_at": _now(),
+        "issues": issues,
+        "healthy": len(issues) == 0,
+    }
 def _guard_cli_settings_payload(config: GuardConfig) -> dict[str, object]:
     payload = _guard_settings_payload(config)
     settings = payload.get("settings")
@@ -3190,12 +3313,42 @@ def _update_guard_cli_settings(*, args: argparse.Namespace, config: GuardConfig,
     settings_command = getattr(args, "settings_set_command", None)
     if settings_command == "security-level":
         payload: dict[str, object] = {"security_level": args.security_level}
-        if args.security_level in {"balanced", "strict"}:
+        if args.security_level in {"balanced", "strict", "gentle", "paranoid"}:
             payload["risk_actions"] = {}
             payload["harness_risk_actions"] = {}
         elif args.security_level == "custom":
             payload["risk_actions"] = _current_effective_risk_actions(config)
         return update_guard_settings(guard_home, payload)
+    if settings_command == "preset":
+        preset = str(args.preset)
+        payload_preset: dict[str, object] = {"security_level": preset}
+        if preset in {"balanced", "strict", "gentle", "paranoid"}:
+            payload_preset["risk_actions"] = {}
+            payload_preset["harness_risk_actions"] = {}
+        elif preset == "custom":
+            payload_preset["risk_actions"] = _current_effective_risk_actions(config)
+        return update_guard_settings(guard_home, payload_preset)
+    if settings_command == "secret-files":
+        action_map = {"ask": "require-reapproval", "warn": "warn", "allow": "allow"}
+        mapped = action_map.get(str(args.action), "warn")
+        risk_actions = dict(config.risk_actions or {})
+        risk_actions["local_secret_read"] = mapped
+        return update_guard_settings(guard_home, {"risk_actions": risk_actions})
+    if settings_command == "network":
+        action_map_net = {"warn": "warn", "ask": "require-reapproval", "block": "block"}
+        mapped_net = action_map_net.get(str(args.action), "warn")
+        risk_actions_net = dict(config.risk_actions or {})
+        risk_actions_net["network_egress"] = mapped_net
+        return update_guard_settings(guard_home, {"risk_actions": risk_actions_net})
+    if settings_command == "encoded-payloads":
+        action_map_enc = {"warn": "warn", "ask": "require-reapproval", "block": "block"}
+        mapped_enc = action_map_enc.get(str(args.action), "warn")
+        risk_actions_enc = dict(config.risk_actions or {})
+        risk_actions_enc["encoded_execution"] = mapped_enc
+        risk_actions_enc["encoded_exfiltration"] = mapped_enc
+        return update_guard_settings(guard_home, {"risk_actions": risk_actions_enc})
+    if settings_command in {"mcp", "skills", "packages", "output-scanning"}:
+        return config
     if settings_command == "risk":
         risk_class = _guard_risk_action_key(str(args.risk_class))
         action = str(args.action)

{plugin_scanner-2.0.122 → plugin_scanner-2.0.124}/src/codex_plugin_scanner/guard/cli/render.py RENAMED Viewed

@@ -576,13 +576,14 @@ def _render_managed_install(console: Console, payload: dict[str, object]) -> Non
     skill_scan = _coerce_dict_list(payload.get("skill_scan"))
     supply_chain_risks = _coerce_dict_list(payload.get("supply_chain_risks"))
     safe_decode_risks = _coerce_dict_list(payload.get("safe_decode_risks"))
+    sandbox_analysis = _coerce_dict_list(payload.get("sandbox_analysis"))
     managed_install = payload.get("managed_install")
     if isinstance(managed_install, dict):
         _render_single_managed_install(console, managed_install)
     else:
         managed_installs = _coerce_dict_list(payload.get("managed_installs"))
         if not managed_installs:
-            if not skill_scan and not supply_chain_risks and not safe_decode_risks:
+            if not skill_scan and not supply_chain_risks and not safe_decode_risks and not sandbox_analysis:
                 _render_fallback(console, payload)
                 return
         else:
@@ -603,6 +604,8 @@ def _render_managed_install(console: Console, payload: dict[str, object]) -> Non
         _render_supply_chain_risk_results(console, supply_chain_risks)
     if safe_decode_risks:
         _render_safe_decode_results(console, safe_decode_risks)
+    if sandbox_analysis:
+        _render_sandbox_results(console, sandbox_analysis)
 def _render_supply_chain_risk_results(console: Console, supply_chain_risks: list[dict[str, object]]) -> None:
@@ -654,6 +657,39 @@ def _render_safe_decode_results(console: Console, safe_decode_risks: list[dict[s
     )
+def _render_sandbox_results(console: Console, sandbox_analysis: list[dict[str, object]]) -> None:
+    table = Table(box=box.SIMPLE_HEAVY, show_header=True, expand=True)
+    table.add_column("Signal", overflow="fold")
+    table.add_column("Writes", justify="right", no_wrap=True)
+    table.add_column("Network", justify="right", no_wrap=True)
+    table.add_column("Processes", justify="right", no_wrap=True)
+    table.add_column("Timed out", no_wrap=True)
+    table.add_column("Exit code", no_wrap=True)
+    for entry in sandbox_analysis:
+        signals = _coerce_string_list(entry.get("signals_detected"))
+        signal_text = ", ".join(signals) if signals else "—"
+        writes = _coerce_string_list(entry.get("writes"))
+        network = _coerce_string_list(entry.get("network_attempts"))
+        processes = _coerce_string_list(entry.get("process_attempts"))
+        timed_out = bool(entry.get("timed_out"))
+        exit_code = entry.get("exit_code")
+        table.add_row(
+            signal_text,
+            str(len(writes)),
+            str(len(network)),
+            str(len(processes)),
+            "[red]yes[/red]" if timed_out else "no",
+            str(exit_code) if exit_code is not None else "—",
+        )
+    console.print(
+        Panel(
+            table,
+            title=f"[bold magenta]Sandbox analysis — {len(sandbox_analysis)} result(s)[/bold magenta]",
+            border_style="magenta",
+        )
+    )
 def _render_skill_scan_results(console: Console, skill_scan: list[dict[str, object]]) -> None:
     table = Table(box=box.SIMPLE_HEAVY, show_header=True, expand=True)
     table.add_column("Skill file", overflow="fold")

{plugin_scanner-2.0.122 → plugin_scanner-2.0.124}/src/codex_plugin_scanner/guard/config.py RENAMED Viewed

@@ -33,7 +33,7 @@ GUARD_DB_BACKUP_SLEEP_SECONDS = 0.05
 WORKSPACE_CONFIG_FILENAMES = (".ai-plugin-scanner-guard.toml", ".hol-guard.toml")
 VALID_GUARD_ACTIONS = {"allow", "warn", "review", "block", "sandbox-required", "require-reapproval"}
 VALID_GUARD_MODES = {"observe", "prompt", "enforce"}
-VALID_SECURITY_LEVELS = {"balanced", "strict", "custom"}
+VALID_SECURITY_LEVELS = {"gentle", "balanced", "strict", "paranoid", "custom"}
 VALID_RISK_ACTION_KEYS = {
     "local_secret_read",
     "credential_exfiltration",
@@ -41,9 +41,33 @@ VALID_RISK_ACTION_KEYS = {
     "destructive_shell",
     "encoded_execution",
     "network_egress",
+    "prompt_injection",
+    "mcp_dangerous_tool",
+    "malicious_skill",
+    "package_script",
+    "persistence",
+    "guard_bypass",
+    "cloud_advisory",
+    "encoded_exfiltration",
 }
 DEFAULT_SECURITY_LEVEL = "balanced"
 SECURITY_LEVEL_RISK_ACTIONS: dict[str, dict[str, GuardAction]] = {
+    "gentle": {
+        "local_secret_read": "warn",
+        "credential_exfiltration": "warn",
+        "data_flow_exfiltration": "warn",
+        "destructive_shell": "warn",
+        "encoded_execution": "warn",
+        "network_egress": "allow",
+        "prompt_injection": "warn",
+        "mcp_dangerous_tool": "warn",
+        "malicious_skill": "warn",
+        "package_script": "warn",
+        "persistence": "warn",
+        "guard_bypass": "warn",
+        "cloud_advisory": "allow",
+        "encoded_exfiltration": "warn",
+    },
     "balanced": {
         "local_secret_read": "require-reapproval",
         "credential_exfiltration": "require-reapproval",
@@ -51,6 +75,14 @@ SECURITY_LEVEL_RISK_ACTIONS: dict[str, dict[str, GuardAction]] = {
         "destructive_shell": "require-reapproval",
         "encoded_execution": "require-reapproval",
         "network_egress": "warn",
+        "prompt_injection": "require-reapproval",
+        "mcp_dangerous_tool": "require-reapproval",
+        "malicious_skill": "require-reapproval",
+        "package_script": "warn",
+        "persistence": "require-reapproval",
+        "guard_bypass": "block",
+        "cloud_advisory": "warn",
+        "encoded_exfiltration": "require-reapproval",
     },
     "strict": {
         "local_secret_read": "require-reapproval",
@@ -59,6 +91,30 @@ SECURITY_LEVEL_RISK_ACTIONS: dict[str, dict[str, GuardAction]] = {
         "destructive_shell": "require-reapproval",
         "encoded_execution": "require-reapproval",
         "network_egress": "require-reapproval",
+        "prompt_injection": "block",
+        "mcp_dangerous_tool": "block",
+        "malicious_skill": "block",
+        "package_script": "require-reapproval",
+        "persistence": "block",
+        "guard_bypass": "block",
+        "cloud_advisory": "require-reapproval",
+        "encoded_exfiltration": "block",
+    },
+    "paranoid": {
+        "local_secret_read": "block",
+        "credential_exfiltration": "block",
+        "data_flow_exfiltration": "block",
+        "destructive_shell": "block",
+        "encoded_execution": "block",
+        "network_egress": "block",
+        "prompt_injection": "block",
+        "mcp_dangerous_tool": "block",
+        "malicious_skill": "block",
+        "package_script": "block",
+        "persistence": "block",
+        "guard_bypass": "block",
+        "cloud_advisory": "block",
+        "encoded_exfiltration": "block",
     },
     "custom": {
         "local_secret_read": "require-reapproval",
@@ -67,6 +123,14 @@ SECURITY_LEVEL_RISK_ACTIONS: dict[str, dict[str, GuardAction]] = {
         "destructive_shell": "require-reapproval",
         "encoded_execution": "require-reapproval",
         "network_egress": "warn",
+        "prompt_injection": "require-reapproval",
+        "mcp_dangerous_tool": "require-reapproval",
+        "malicious_skill": "require-reapproval",
+        "package_script": "warn",
+        "persistence": "require-reapproval",
+        "guard_bypass": "block",
+        "cloud_advisory": "warn",
+        "encoded_exfiltration": "require-reapproval",
     },
 }
 EDITABLE_GUARD_SETTING_KEYS = frozenset(
@@ -184,6 +248,7 @@ class GuardConfig:
     runtime_detector_timeout_ms: int = 50
     runtime_detector_debug_trace: bool = False
     runtime_detector_disabled_ids: tuple[str, ...] = ()
+    sandbox_analysis: str = "off"
     risk_actions: dict[str, GuardAction] | None = None
     harness_risk_actions: dict[str, dict[str, GuardAction]] | None = None
     harness_actions: dict[str, GuardAction] | None = None
@@ -264,6 +329,7 @@ def load_guard_config(guard_home: Path, workspace: Path | None = None) -> GuardC
         runtime_detector_timeout_ms=_coerce_loaded_positive_int(merged.get("runtime_detector_timeout_ms", 50), 50),
         runtime_detector_debug_trace=_coerce_loaded_bool(merged.get("runtime_detector_debug_trace", False)),
         runtime_detector_disabled_ids=_coerce_loaded_string_tuple(merged.get("runtime_detector_disabled_ids")),
+        sandbox_analysis=_coerce_sandbox_analysis(merged.get("sandbox_analysis", "off")),
         harness_actions=_coerce_action_map(merged.get("harnesses")),
         publisher_actions=_coerce_action_map(merged.get("publishers")),
         artifact_actions=_coerce_action_map(merged.get("artifacts")),
@@ -374,6 +440,15 @@ def _coerce_loaded_string_tuple(value: object) -> tuple[str, ...]:
     return tuple(item for item in value if isinstance(item, str) and item.strip())
+_VALID_SANDBOX_MODES = {"off", "suspicious", "strict"}
+def _coerce_sandbox_analysis(value: object) -> str:
+    if isinstance(value, str) and value in _VALID_SANDBOX_MODES:
+        return value
+    return "off"
 def _coerce_risk_action_payload(value: object) -> dict[str, GuardAction]:
     if not isinstance(value, dict):
         raise ValueError("Risk actions must be a table.")

plugin-scanner 2.0.122__tar.gz → 2.0.124__tar.gz

plugin-scanner 2.0.122tar.gz → 2.0.124tar.gz