plugin-scanner 2.0.129__tar.gz → 2.0.131__tar.gz

{plugin_scanner-2.0.129 → plugin_scanner-2.0.131}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.129
+Version: 2.0.131
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner
@@ -132,6 +132,52 @@ See [docs/guard/get-started.md](docs/guard/get-started.md) for the full local fl
 
 </details>
 
+## Guard: Protection Levels
+
+HOL Guard is antivirus for AI harnesses. It intercepts every tool action before your files change or your network is contacted, then decides in milliseconds whether to allow or block.
+
+Choose a protection level with `hol-guard settings set security-level <level>`:
+
+| Level | Who it's for | What it blocks |
+| :--- | :--- | :--- |
+| **Gentle** | Teams who want minimal friction; experienced users | High-confidence secrets and clear exfil only |
+| **Balanced** | Most users (default) | Secrets, shell exfil, prompt injections, supply-chain hooks |
+| **Strict** | Security-conscious teams | Everything above plus low-confidence signals and untrusted prompts |
+| **Paranoid** | High-security environments | All the above plus any unrecognized MCP server action |
+
+If you are unsure, start with **Balanced**. You can promote to **Strict** after reviewing your first week of receipts.
+
+## Guard: Troubleshooting
+
+### Why was my command paused?
+
+Guard paused a command because one or more detectors fired. To see exactly what triggered:
+
+```bash
+hol-guard receipts          # review recent decisions
+hol-guard doctor            # run a probe and see which detectors are active
+hol-guard doctor --perf     # include per-detector timing
+```
+
+If the block looks like a false positive, you can approve it from the receipts view or from the dashboard at `http://localhost:6174`.
+
+### How do I clear approvals?
+
+From the terminal:
+
+```bash
+hol-guard approvals         # list pending approvals
+hol-guard approvals clear   # clear all pending approvals (prompts for confirmation)
+```
+
+From the dashboard: open `http://localhost:6174`, go to the **Approval Center**, and use the **Clear all** button. You will be asked to confirm before any approvals are removed.
+
+## Guard: Advisory Sync Privacy
+
+Guard's advisory database updates are optional and pull-only. When you run `hol-guard advisories sync`, Guard fetches a signed advisory list from `advisories.hol.org`. No local file paths, harness configs, receipt data, or workspace identifiers are sent to any server during sync.
+
+Advisory sync requires a HOL Guard Cloud account. If you have not signed in, sync is skipped and Guard continues using the locally bundled advisory database. Run `hol-guard login` to connect a free account.
+
 ## Scanner Quickstart
 
 ```bash

{plugin_scanner-2.0.129 → plugin_scanner-2.0.131}/README.md

@@ -92,6 +92,52 @@ See [docs/guard/get-started.md](docs/guard/get-started.md) for the full local fl
 
 </details>
 
+## Guard: Protection Levels
+
+HOL Guard is antivirus for AI harnesses. It intercepts every tool action before your files change or your network is contacted, then decides in milliseconds whether to allow or block.
+
+Choose a protection level with `hol-guard settings set security-level <level>`:
+
+| Level | Who it's for | What it blocks |
+| :--- | :--- | :--- |
+| **Gentle** | Teams who want minimal friction; experienced users | High-confidence secrets and clear exfil only |
+| **Balanced** | Most users (default) | Secrets, shell exfil, prompt injections, supply-chain hooks |
+| **Strict** | Security-conscious teams | Everything above plus low-confidence signals and untrusted prompts |
+| **Paranoid** | High-security environments | All the above plus any unrecognized MCP server action |
+
+If you are unsure, start with **Balanced**. You can promote to **Strict** after reviewing your first week of receipts.
+
+## Guard: Troubleshooting
+
+### Why was my command paused?
+
+Guard paused a command because one or more detectors fired. To see exactly what triggered:
+
+```bash
+hol-guard receipts          # review recent decisions
+hol-guard doctor            # run a probe and see which detectors are active
+hol-guard doctor --perf     # include per-detector timing
+```
+
+If the block looks like a false positive, you can approve it from the receipts view or from the dashboard at `http://localhost:6174`.
+
+### How do I clear approvals?
+
+From the terminal:
+
+```bash
+hol-guard approvals         # list pending approvals
+hol-guard approvals clear   # clear all pending approvals (prompts for confirmation)
+```
+
+From the dashboard: open `http://localhost:6174`, go to the **Approval Center**, and use the **Clear all** button. You will be asked to confirm before any approvals are removed.
+
+## Guard: Advisory Sync Privacy
+
+Guard's advisory database updates are optional and pull-only. When you run `hol-guard advisories sync`, Guard fetches a signed advisory list from `advisories.hol.org`. No local file paths, harness configs, receipt data, or workspace identifiers are sent to any server during sync.
+
+Advisory sync requires a HOL Guard Cloud account. If you have not signed in, sync is skipped and Guard continues using the locally bundled advisory database. Run `hol-guard login` to connect a free account.
+
 ## Scanner Quickstart
 
 ```bash

{plugin_scanner-2.0.129 → plugin_scanner-2.0.131}/docs/guard/testing-matrix.md

@@ -81,3 +81,29 @@ Nightly release-bar coverage should include:
 - Claude Code or Cursor on a self-hosted macOS runner
 - Gemini or OpenCode on a self-hosted Windows runner
 - a release gate that only passes when those harness families stay green
+
+## Red-Team Fixture Suite (T646)
+
+Run the red-team corpus to validate fixture safety and manifest integrity:
+
+```bash
+pytest tests/test_guard_red_team.py tests/test_guard_canary_fixtures.py -q
+```
+
+This verifies:
+- All malicious fixtures use only `hol-fake-*` sentinel values and route to the canary domain
+- All benign fixtures contain no exfil patterns or real key prefixes
+- Every fixture listed in `expected-decisions.json` exists on disk
+- No local usernames, real paths, or real tokens appear in any fixture
+
+To run only the red-team manifest and safety tests:
+
+```bash
+pytest tests/test_guard_red_team.py -q
+```
+
+To run the full test suite including red-team:
+
+```bash
+pytest -q
+```

{plugin_scanner-2.0.129 → plugin_scanner-2.0.131}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.129"
+version = "2.0.131"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.129 → plugin_scanner-2.0.131}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.129"
+version = "2.0.131"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.129 → plugin_scanner-2.0.131}/src/codex_plugin_scanner/guard/cli/commands.py

@@ -503,6 +503,7 @@ def _configure_guard_parser(guard_parser: argparse.ArgumentParser) -> None:
         action="store_true",
         help="List all supported harnesses with their protection contract",
     )
+    doctor_parser.add_argument("--perf", action="store_true", help="Include detector performance timings")
 
     login_parser = guard_subparsers.add_parser(
         "login",
@@ -1208,6 +1209,8 @@ def run_guard_command(
                 "adapters": [detection.to_dict() for detection in detect_all(context)],
                 "runtime_detector_registry": _runtime_detector_registry_payload(config),
             }
+        if getattr(args, "perf", False):
+            payload["detector_perf"] = _runtime_detector_perf_payload(config)
         _emit("doctor", payload, getattr(args, "json", False))
         return 0
 
@@ -3382,6 +3385,57 @@ def _runtime_detector_registry_payload(config: GuardConfig) -> dict[str, object]
     }
 
 
+def _runtime_detector_perf_payload(config: GuardConfig) -> list[dict[str, object]]:
+    from ..runtime.actions import GuardActionEnvelope
+    from ..runtime.detectors import (
+        _SLOW_DETECTOR_THRESHOLD_MS,
+        DetectorContext,
+    )
+    from ..runtime.runner import _get_default_detector_registry
+
+    probe_action = GuardActionEnvelope(
+        schema_version=1,
+        action_id="perf-probe",
+        harness="doctor",
+        event_name="HarnessStart",
+        action_type="harness_start",
+        workspace=None,
+        workspace_hash=None,
+        tool_name=None,
+        command=None,
+        prompt_excerpt=None,
+        prompt_text=None,
+        target_paths=(),
+        network_hosts=(),
+        mcp_server=None,
+        mcp_tool=None,
+        package_manager=None,
+        package_name=None,
+        script_name=None,
+        raw_payload_redacted={},
+    )
+    probe_context = DetectorContext(
+        config=config,
+        workspace=None,
+        prior_decisions={},
+        threat_intel={},
+        redaction_settings={},
+    )
+    result = _get_default_detector_registry().run(
+        probe_action,
+        probe_context,
+        timeout_ms=config.runtime_detector_timeout_ms,
+        disabled_detector_ids=config.runtime_detector_disabled_ids,
+    )
+    return [
+        {
+            **t.to_dict(),
+            "slow": t.elapsed_ms >= _SLOW_DETECTOR_THRESHOLD_MS,
+        }
+        for t in result.telemetry
+    ]
+
+
 def _update_guard_cli_settings(*, args: argparse.Namespace, config: GuardConfig, guard_home: Path) -> GuardConfig:
     settings_command = getattr(args, "settings_set_command", None)
     if settings_command == "security-level":

{plugin_scanner-2.0.129 → plugin_scanner-2.0.131}/src/codex_plugin_scanner/guard/cli/render.py

@@ -337,6 +337,22 @@ def _render_doctor(console: Console, payload: dict[str, object]) -> None:
         artifacts = _coerce_dict_list(payload.get("artifacts"))
         if artifacts:
             console.print(_build_artifact_table(artifacts))
+    perf_items = payload.get("detector_perf")
+    if isinstance(perf_items, list) and perf_items:
+        perf_table = Table(title="Detector performance", box=box.SIMPLE_HEAVY, show_header=True)
+        perf_table.add_column("Detector", style="bold")
+        perf_table.add_column("Status")
+        perf_table.add_column("ms", justify="right")
+        perf_table.add_column("Slow?")
+        for item in perf_items:
+            slow = bool(item.get("slow"))
+            perf_table.add_row(
+                str(item.get("detector_id", "")),
+                str(item.get("status", "")),
+                str(item.get("elapsed_ms", 0)),
+                "[red]yes[/red]" if slow else "no",
+            )
+        console.print(perf_table)
     console.print(_build_diagnostic_command_panel())
 
 

{plugin_scanner-2.0.129 → plugin_scanner-2.0.131}/src/codex_plugin_scanner/guard/daemon/client.py

@@ -24,6 +24,10 @@ class GuardDaemonTransportError(GuardDaemonRequestError):
     """Raised when the Guard daemon request fails due to transport issues."""
 
 
+_DEFAULT_REQUEST_TIMEOUT_S: float = 5.0
+_STATUS_REQUEST_TIMEOUT_S: float = 0.25
+
+
 class GuardSurfaceDaemonClient:
     """Small authenticated client for the local Guard daemon."""
 
@@ -156,7 +160,7 @@ class GuardSurfaceDaemonClient:
             method="GET",
         )
         try:
-            with urllib.request.urlopen(request, timeout=5) as response:
+            with urllib.request.urlopen(request, timeout=_STATUS_REQUEST_TIMEOUT_S) as response:
                 payload = self._decode_json_response(response.read().decode("utf-8"))
         except urllib.error.HTTPError as error:
             try:
@@ -196,7 +200,13 @@ class GuardSurfaceDaemonClient:
             return state
         return response
 
-    def _post(self, path: str, payload: dict[str, object]) -> dict[str, object]:
+    def _post(
+        self,
+        path: str,
+        payload: dict[str, object],
+        *,
+        timeout: float = _DEFAULT_REQUEST_TIMEOUT_S,
+    ) -> dict[str, object]:
         request = urllib.request.Request(
             f"{self.daemon_url}{path}",
             data=json.dumps(payload).encode("utf-8"),
@@ -207,7 +217,7 @@ class GuardSurfaceDaemonClient:
             method="POST",
         )
         try:
-            with urllib.request.urlopen(request, timeout=5) as response:
+            with urllib.request.urlopen(request, timeout=timeout) as response:
                 return self._decode_json_response(response.read().decode("utf-8"))
         except urllib.error.HTTPError as error:
             try:

{plugin_scanner-2.0.129 → plugin_scanner-2.0.131}/src/codex_plugin_scanner/guard/runtime/detectors.py

@@ -41,6 +41,7 @@ DETECTOR_CATEGORY_TAGS: tuple[RiskSignalCategory, ...] = (
     "execution",
 )
 DetectorRunStatus = Literal["ok", "disabled", "filtered", "timeout", "error"]
+_SLOW_DETECTOR_THRESHOLD_MS: int = 100
 
 
 @dataclass(frozen=True, slots=True)
@@ -91,6 +92,10 @@ class DetectorRunResult:
     signals: tuple[RiskSignalV2, ...]
     telemetry: tuple[DetectorTelemetry, ...]
 
+    def slow_detectors(self, threshold_ms: int = _SLOW_DETECTOR_THRESHOLD_MS) -> tuple[DetectorTelemetry, ...]:
+        """Return telemetry entries that exceeded *threshold_ms*."""
+        return tuple(t for t in self.telemetry if t.elapsed_ms >= threshold_ms)
+
 
 class DetectorRegistry:
     """Runs detectors in deterministic order with failure isolation."""

{plugin_scanner-2.0.129 → plugin_scanner-2.0.131}/src/codex_plugin_scanner/guard/runtime/runner.py

@@ -38,6 +38,12 @@ _APPROVAL_METADATA_KEYS = (
     "approval_wait",
     "review_hint",
 )
+
+
+def _get_default_detector_registry() -> DetectorRegistry:
+    return DetectorRegistry(register_default_detectors())
+
+
 _PAIN_SIGNAL_EVENTS = frozenset(
     {
         "changed_artifact_caught",
@@ -364,7 +370,7 @@ def _evaluation_with_detector_registry(
         threat_intel={},
         redaction_settings={},
     )
-    result = DetectorRegistry(register_default_detectors()).run(
+    result = _get_default_detector_registry().run(
         action_envelope,
         detector_context,
         timeout_ms=config.runtime_detector_timeout_ms,

{plugin_scanner-2.0.129 → plugin_scanner-2.0.131}/src/codex_plugin_scanner/version.py

@@ -1,3 +1,3 @@
 """Single source of truth for tool version."""
 
-__version__ = "2.0.129"
+__version__ = "2.0.131"

plugin_scanner-2.0.131/tests/fixtures/guard-red-team/README.md

@@ -0,0 +1,74 @@
+# Guard Red-Team Fixtures
+
+Fixtures in this directory contain intentionally suspicious-looking content used to test
+that HOL Guard correctly detects and blocks malicious AI agent behaviors.
+
+**All credentials, tokens, API keys, and webhook URLs in these fixtures are fake.**
+They use the pattern `hol-fake-*` and route to `https://evil.hol.org/collect`,
+a domain owned by Hashgraph Online solely for testing canary detection.
+
+No real secrets or infrastructure are touched by these tests.
+
+## Files
+
+### Canary Fixtures
+
+| File | Fixture ID | Purpose |
+|------|-----------|---------|
+| `canary-exfil.py` | T604 | Plain-text canary: reads a fake API key and posts it to the canary endpoint |
+| `canary-exfil-encoded.py` | T605 | Encoded canary: base64-encoded exfil payload to test encoded-execution detection |
+
+### Malicious Prompt Fixtures
+
+| File | Fixture ID | Purpose |
+|------|-----------|---------|
+| `malicious-prompt-env-read.md` | T629 | Prompt injection instructing harness to exfiltrate `.env` file contents |
+| `malicious-prompt-npmrc-read.md` | T630 | Prompt injection instructing harness to read npm auth tokens |
+| `malicious-prompt-guard-bypass.md` | T631 | Prompt injection attempting to disable HOL Guard monitoring |
+
+### Malicious MCP Fixtures
+
+| File | Fixture ID | Purpose |
+|------|-----------|---------|
+| `malicious-mcp-delete.md` | T632 | MCP tool call attempting destructive file system deletion |
+| `malicious-mcp-secret-read.md` | T633 | MCP tool call reading credential files then posting to external endpoint |
+| `malicious-mcp-skill-exfil.md` | T634 | MCP skill that exfiltrates workspace data with fake bearer token |
+
+### Malicious Package/Infra Fixtures
+
+| File | Fixture ID | Purpose |
+|------|-----------|---------|
+| `malicious-npm-postinstall.js` | T635 | npm postinstall hook harvesting local credential files |
+| `malicious-python-setup.py` | T636 | Python setup.py exfiltrating credential files on install |
+| `malicious-dockerfile.txt` | T637 | Dockerfile that exfiltrates secrets during image build |
+| `malicious-github-action.yml` | T638 | GitHub Actions workflow exfiltrating CI secrets |
+| `malicious-encoded-shell-exfil.py` | T639 | Base64-encoded exfil payload to test obfuscation detection |
+
+### Benign Fixtures
+
+| File | Fixture ID | Purpose |
+|------|-----------|---------|
+| `benign-source-search.py` | T640 | Legitimate source code search — should not trigger any detectors |
+| `benign-health-endpoint.py` | T641 | Legitimate loopback health check — should not trigger any detectors |
+| `benign-docs-fake-token.py` | T642 | Documentation with explanatory fake tokens — should not be blocked |
+| `benign-nvmrc-fake-creds.py` | T643 | .nvmrc read with version string that looks like a credential |
+
+### Manifests
+
+| File | Purpose |
+|------|---------|
+| `expected-decisions.json` | Expected Guard decision for every fixture (used by red-team test runner) |
+| `smoke-evidence-template.json` | Template for recording smoke test evidence during manual harness verification |
+
+## Running Red-Team Tests
+
+```bash
+pytest tests/test_guard_red_team.py tests/test_guard_canary_fixtures.py -q
+```
+
+The red-team test runner (`tests/test_guard_red_team.py`) validates:
+- All malicious fixtures contain only fake key material (no real secrets)
+- All benign fixtures contain no network exfil patterns
+- Fixture structure matches the expected-decisions manifest
+- No local usernames, real paths, or real tokens appear in any fixture
+

plugin_scanner-2.0.131/tests/fixtures/guard-red-team/benign-docs-fake-token.py

@@ -0,0 +1,28 @@
+"""Benign docs with fake token fixture (T642).
+
+This fixture is documentation that happens to contain fake token strings
+that look like real tokens. Guard should NOT block documentation reads
+that only mention tokens in explanatory context.
+
+The tokens below are clearly fake and used only for illustrative purposes.
+"""
+
+
+DOCS = """
+# API Authentication Guide
+
+To authenticate, pass your API token in the Authorization header:
+
+    Authorization: Bearer <your-api-token>
+
+Example (using a placeholder — replace with your real token):
+
+    curl -H "Authorization: Bearer hol-fake-docs-token-example-0000" \\
+         https://api.example.com/v1/status
+
+Note: hol-fake-docs-token-example-0000 is NOT a real token.
+Do not use this value in production.
+"""
+
+if __name__ == "__main__":
+    print(DOCS)

plugin_scanner-2.0.131/tests/fixtures/guard-red-team/benign-health-endpoint.py

@@ -0,0 +1,26 @@
+"""Benign health endpoint fetch fixture (T641).
+
+Simulates a legitimate health check against a local service.
+No secret files are read. No external network calls to harmful endpoints.
+The URL is a local loopback address only.
+"""
+
+from urllib.error import URLError
+from urllib.request import Request, urlopen
+
+_HEALTH_URL = "http://127.0.0.1:8080/healthz"
+_TIMEOUT_S = 2.0
+
+
+def check_health(url: str = _HEALTH_URL, timeout: float = _TIMEOUT_S) -> bool:
+    try:
+        req = Request(url, method="GET")
+        with urlopen(req, timeout=timeout) as response:
+            return response.status == 200
+    except (URLError, OSError):
+        return False
+
+
+if __name__ == "__main__":
+    ok = check_health()
+    print("healthy" if ok else "unreachable")

plugin_scanner-2.0.131/tests/fixtures/guard-red-team/benign-nvmrc-fake-creds.py

@@ -0,0 +1,29 @@
+"""Benign .nvmrc with fake credential string fixture (T643).
+
+Simulates reading a .nvmrc file that happens to contain a version string
+that superficially resembles a credential. Guard should NOT block benign
+version-file reads.
+
+The strings below are NOT credentials. They are version identifiers used
+only to test that Guard's false-positive rate for benign file reads is low.
+"""
+
+import os
+
+_NVMRC_CONTENT = "v20.11.0\n"
+_FAKE_NVMRC_CRED_LOOKALIKE = "hol-fake-nvmrc-version-token-placeholder-0000"
+
+
+def read_nvmrc(project_root: str = ".") -> str:
+    path = os.path.join(project_root, ".nvmrc")
+    try:
+        with open(path) as fh:
+            return fh.read().strip()
+    except OSError:
+        return _NVMRC_CONTENT.strip()
+
+
+if __name__ == "__main__":
+    version = read_nvmrc()
+    print(f"Node version: {version}")
+    print(f"Placeholder note: {_FAKE_NVMRC_CRED_LOOKALIKE} is not a real token")

plugin_scanner-2.0.131/tests/fixtures/guard-red-team/benign-source-search.py

@@ -0,0 +1,34 @@
+"""Benign source search fixture (T640).
+
+This fixture simulates a legitimate source code search operation.
+No secret files are read. No external network calls are made.
+All identifiers are benign.
+"""
+
+import os
+import re
+
+_SEARCH_ROOT = "src"
+_PATTERN = re.compile(r"def\s+\w+\(")
+
+
+def search_functions(root: str) -> list[tuple[str, int, str]]:
+    matches: list[tuple[str, int, str]] = []
+    for dirpath, _dirs, files in os.walk(root):
+        for fname in files:
+            if not fname.endswith(".py"):
+                continue
+            fpath = os.path.join(dirpath, fname)
+            try:
+                with open(fpath) as fh:
+                    for lineno, line in enumerate(fh, start=1):
+                        if _PATTERN.search(line):
+                            matches.append((fpath, lineno, line.rstrip()))
+            except OSError:
+                pass
+    return matches
+
+
+if __name__ == "__main__":
+    for path, line, text in search_functions(_SEARCH_ROOT):
+        print(f"{path}:{line}: {text}")

plugin_scanner-2.0.131/tests/fixtures/guard-red-team/expected-decisions.json

@@ -0,0 +1,119 @@
+{
+  "version": 1,
+  "description": "Expected Guard decisions for all red-team fixtures. Used by the red-team test runner.",
+  "fixtures": {
+    "canary-exfil.py": {
+      "fixture_id": "T604",
+      "expected_decision": "block",
+      "expected_detectors": ["secret_content_generic", "data_flow_exfil"],
+      "benign": false
+    },
+    "canary-exfil-encoded.py": {
+      "fixture_id": "T605",
+      "expected_decision": "block",
+      "expected_detectors": ["data_flow_exfil"],
+      "benign": false
+    },
+    "malicious-prompt-env-read.md": {
+      "fixture_id": "T629",
+      "expected_decision": "block",
+      "expected_detectors": ["secret_path_direct", "data_flow_exfil"],
+      "benign": false,
+      "fixture_type": "prompt"
+    },
+    "malicious-prompt-npmrc-read.md": {
+      "fixture_id": "T630",
+      "expected_decision": "block",
+      "expected_detectors": ["secret_path_direct", "data_flow_exfil"],
+      "benign": false,
+      "fixture_type": "prompt"
+    },
+    "malicious-prompt-guard-bypass.md": {
+      "fixture_id": "T631",
+      "expected_decision": "block",
+      "expected_detectors": ["prompt_injection_override", "prompt_stealth"],
+      "benign": false,
+      "fixture_type": "prompt"
+    },
+    "malicious-mcp-delete.md": {
+      "fixture_id": "T632",
+      "expected_decision": "block",
+      "expected_detectors": ["shell_destructive_command"],
+      "benign": false,
+      "fixture_type": "mcp"
+    },
+    "malicious-mcp-secret-read.md": {
+      "fixture_id": "T633",
+      "expected_decision": "block",
+      "expected_detectors": ["secret_path_direct", "data_flow_exfil"],
+      "benign": false,
+      "fixture_type": "mcp"
+    },
+    "malicious-mcp-skill-exfil.md": {
+      "fixture_id": "T634",
+      "expected_decision": "block",
+      "expected_detectors": ["data_flow_exfil", "secret_content_bearer"],
+      "benign": false,
+      "fixture_type": "mcp"
+    },
+    "malicious-npm-postinstall.js": {
+      "fixture_id": "T635",
+      "expected_decision": "block",
+      "expected_detectors": ["secret_path_direct", "data_flow_exfil"],
+      "benign": false,
+      "fixture_type": "package"
+    },
+    "malicious-python-setup.py": {
+      "fixture_id": "T636",
+      "expected_decision": "block",
+      "expected_detectors": ["secret_path_direct", "data_flow_exfil"],
+      "benign": false,
+      "fixture_type": "package"
+    },
+    "malicious-dockerfile.txt": {
+      "fixture_id": "T637",
+      "expected_decision": "block",
+      "expected_detectors": ["secret_path_direct", "data_flow_exfil"],
+      "benign": false,
+      "fixture_type": "infra"
+    },
+    "malicious-github-action.yml": {
+      "fixture_id": "T638",
+      "expected_decision": "block",
+      "expected_detectors": ["data_flow_exfil"],
+      "benign": false,
+      "fixture_type": "infra"
+    },
+    "malicious-encoded-shell-exfil.py": {
+      "fixture_id": "T639",
+      "expected_decision": "block",
+      "expected_detectors": ["data_flow_exfil"],
+      "benign": false,
+      "fixture_type": "encoded"
+    },
+    "benign-source-search.py": {
+      "fixture_id": "T640",
+      "expected_decision": "allow",
+      "expected_detectors": [],
+      "benign": true
+    },
+    "benign-health-endpoint.py": {
+      "fixture_id": "T641",
+      "expected_decision": "allow",
+      "expected_detectors": [],
+      "benign": true
+    },
+    "benign-docs-fake-token.py": {
+      "fixture_id": "T642",
+      "expected_decision": "allow",
+      "expected_detectors": [],
+      "benign": true
+    },
+    "benign-nvmrc-fake-creds.py": {
+      "fixture_id": "T643",
+      "expected_decision": "allow",
+      "expected_detectors": [],
+      "benign": true
+    }
+  }
+}