PyPI - plugin-scanner - Versions diffs - 2.0.131__tar.gz → 2.0.133__tar.gz - Mend

plugin-scanner 2.0.131tar.gz → 2.0.133tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (422) hide show

{plugin_scanner-2.0.131 → plugin_scanner-2.0.133}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.131
+Version: 2.0.133
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.131 → plugin_scanner-2.0.133}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "plugin-scanner"
-version = "2.0.131"
+version = "2.0.133"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.131 → plugin_scanner-2.0.133}/pyproject.toml.bak RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "hol-guard"
-version = "2.0.131"
+version = "2.0.133"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.131 → plugin_scanner-2.0.133}/src/codex_plugin_scanner/guard/approvals.py RENAMED Viewed

@@ -24,6 +24,14 @@ GUARD_FLEET_URL = f"{GUARD_DASHBOARD_URL}/fleet"
 GUARD_CONNECT_URL = f"{GUARD_DASHBOARD_URL}/connect"
+class ApprovalRequestNotFoundError(ValueError):
+    """Raised when an approval request ID does not exist."""
+class ApprovalRequestAlreadyResolvedError(ValueError):
+    """Raised when an approval request was already resolved."""
 def queue_blocked_approvals(
     *,
     detection: HarnessDetection,
@@ -114,9 +122,9 @@ def apply_approval_resolution(
 ) -> dict[str, object]:
     request = store.get_approval_request(request_id)
     if request is None:
-        raise ValueError(f"Unknown approval request: {request_id}")
+        raise ApprovalRequestNotFoundError(f"Unknown approval request: {request_id}")
     if request["status"] != "pending":
-        raise ValueError(f"Approval request already resolved: {request_id}")
+        raise ApprovalRequestAlreadyResolvedError(f"Approval request already resolved: {request_id}")
     if scope == "workspace" and not workspace:
         raise ValueError(f"Approval request {request_id} requires --workspace for workspace scope.")
     if scope == "publisher" and not isinstance(request.get("publisher"), str):

{plugin_scanner-2.0.131 → plugin_scanner-2.0.133}/src/codex_plugin_scanner/guard/cli/render.py RENAMED Viewed

@@ -1768,6 +1768,15 @@ def _build_approval_table(items: list[dict[str, object]], *, title: str | None)
         table.add_row("—", "—", "No pending approvals", "—", "—", "—", "—")
         return table
     for item in items:
+        approval_url = item.get("approval_url")
+        fallback_cli = item.get("fallback_cli_command")
+        review_cmd = str(item.get("review_command") or "hol-guard approvals")
+        if approval_url and fallback_cli:
+            resolve_text = f"{approval_url}\n  or: {fallback_cli}"
+        elif approval_url:
+            resolve_text = str(approval_url)
+        else:
+            resolve_text = review_cmd
         table.add_row(
             str(item.get("request_id") or "unknown"),
             str(item.get("harness") or "unknown"),
@@ -1775,7 +1784,7 @@ def _build_approval_table(items: list[dict[str, object]], *, title: str | None)
             ", ".join(_coerce_string_list(item.get("changed_fields"))) or "none",
             str(item.get("risk_summary") or "no obvious secret/network signal"),
             _action_text(str(item.get("policy_action") or "warn")),
-            str(item.get("review_command") or "hol-guard approvals"),
+            resolve_text,
         )
     return table

{plugin_scanner-2.0.131 → plugin_scanner-2.0.133}/src/codex_plugin_scanner/guard/daemon/manager.py RENAMED Viewed

@@ -2,6 +2,7 @@
 from __future__ import annotations
+import dataclasses
 import hashlib
 import json
 import os
@@ -33,6 +34,7 @@ _EPHEMERAL_GUARD_DAEMON_STALE_SECONDS = 30.0
 _EPHEMERAL_GUARD_DAEMON_MAX_STATES = 512
 _GUARD_DAEMON_PRIVATE_FILE_MODE = 0o600
 _GUARD_DAEMON_PRIVATE_DIR_MODE = 0o700
+_APPROVAL_CENTER_LOCATOR_FILE = "approval-center-locator.json"
 _START_LOCKS: dict[str, threading.Lock] = {}
 _START_LOCKS_GUARD = threading.Lock()
@@ -40,6 +42,18 @@ _LAST_EPHEMERAL_REAP_AT = 0.0
 _RUNTIME_FINGERPRINT_CACHE: str | None = None
+@dataclasses.dataclass(frozen=True, slots=True)
+class ApprovalCenterLocator:
+    """Structured snapshot of where the Guard approval-center daemon is running."""
+    guard_home: Path
+    daemon_url: str
+    approval_url_base: str
+    pid: int
+    started_at: str
+    state_path: Path
 def _daemon_launcher_env() -> dict[str, str]:
     env = dict(os.environ)
     pythonpath_entries: list[str] = []
@@ -173,6 +187,102 @@ def clear_guard_daemon_state(guard_home: Path) -> None:
     _write_private_text(state_path, "{}")
+def _locator_path(guard_home: Path) -> Path:
+    return guard_home / _APPROVAL_CENTER_LOCATOR_FILE
+def write_approval_center_locator(guard_home: Path, locator: ApprovalCenterLocator) -> None:
+    locator_path = _locator_path(guard_home)
+    _ensure_private_directory(locator_path.parent)
+    payload = {
+        "guard_home": str(locator.guard_home),
+        "daemon_url": locator.daemon_url,
+        "approval_url_base": locator.approval_url_base,
+        "pid": locator.pid,
+        "started_at": locator.started_at,
+        "state_path": str(locator.state_path),
+    }
+    _write_private_text(locator_path, json.dumps(payload, indent=2))
+def read_approval_center_locator(guard_home: Path) -> ApprovalCenterLocator | None:
+    locator_path = _locator_path(guard_home)
+    if not locator_path.is_file():
+        return None
+    try:
+        payload = json.loads(locator_path.read_text(encoding="utf-8"))
+    except (OSError, json.JSONDecodeError):
+        return None
+    if not isinstance(payload, dict):
+        return None
+    pid = payload.get("pid")
+    if not isinstance(pid, int) or pid <= 0:
+        return None
+    if not _guard_daemon_pid_is_running(pid):
+        return None
+    if not _guard_daemon_pid_matches_command(pid, expected_guard_home=guard_home):
+        return None
+    daemon_url = payload.get("daemon_url")
+    approval_url_base = payload.get("approval_url_base")
+    started_at = payload.get("started_at")
+    state_path_str = payload.get("state_path")
+    guard_home_str = payload.get("guard_home")
+    if not all(isinstance(v, str) for v in (daemon_url, approval_url_base, started_at, state_path_str, guard_home_str)):
+        return None
+    return ApprovalCenterLocator(
+        guard_home=Path(guard_home_str),
+        daemon_url=daemon_url,
+        approval_url_base=approval_url_base,
+        pid=pid,
+        started_at=started_at,
+        state_path=Path(state_path_str),
+    )
+def _approval_center_daemon_is_healthy(daemon_url: str) -> bool:
+    try:
+        with urllib.request.urlopen(f"{daemon_url}/healthz", timeout=1) as response:
+            if response.status != 200:
+                return False
+            return _healthz_payload_is_current(response.read().decode("utf-8"))
+    except (OSError, ValueError, urllib.error.URLError):
+        return False
+def _daemon_state_pid_matches_locator(guard_home: Path, locator_pid: int) -> bool:
+    state = _load_state(guard_home)
+    if not isinstance(state, dict):
+        return False
+    state_pid = state.get("pid")
+    return isinstance(state_pid, int) and state_pid == locator_pid
+def ensure_approval_center(guard_home: Path) -> ApprovalCenterLocator:
+    existing = read_approval_center_locator(guard_home)
+    if (
+        existing is not None
+        and _approval_center_daemon_is_healthy(existing.daemon_url)
+        and _daemon_state_pid_matches_locator(guard_home, existing.pid)
+    ):
+        return existing
+    daemon_url = ensure_guard_daemon(guard_home)
+    now = datetime.now(tz=timezone.utc).isoformat()
+    state = _load_state(guard_home)
+    pid = state.get("pid") if isinstance(state, dict) else None
+    if not isinstance(pid, int) or pid <= 0:
+        pid = os.getpid()
+    locator = ApprovalCenterLocator(
+        guard_home=guard_home,
+        daemon_url=daemon_url,
+        approval_url_base=daemon_url,
+        pid=pid,
+        started_at=now,
+        state_path=_state_path(guard_home),
+    )
+    write_approval_center_locator(guard_home, locator)
+    return locator
 def _load_state(guard_home: Path) -> dict[str, object] | None:
     state_path = _state_path(guard_home)
     if not state_path.is_file():

{plugin_scanner-2.0.131 → plugin_scanner-2.0.133}/src/codex_plugin_scanner/guard/daemon/server.py RENAMED Viewed

@@ -18,7 +18,12 @@ from typing import Any
 from urllib.parse import parse_qs, parse_qsl, unquote, urlencode, urlparse, urlunparse
 from ...version import __version__
-from ..approvals import apply_approval_resolution, build_runtime_snapshot
+from ..approvals import (
+    ApprovalRequestAlreadyResolvedError,
+    ApprovalRequestNotFoundError,
+    apply_approval_resolution,
+    build_runtime_snapshot,
+)
 from ..config import editable_guard_settings, load_guard_config, update_guard_settings
 from ..models import DECISION_SCOPE_VALUES, GUARD_ACTION_VALUES
 from ..runtime.surface_server import GuardSurfaceRuntime
@@ -183,7 +188,17 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
         if len(path_parts) == 3 and path_parts[:2] == ["v1", "requests"]:
             approval = store.get_approval_request(path_parts[2])
             if approval is None:
-                self._write_json({"error": "not_found"}, status=404)
+                self._write_json(
+                    {
+                        "error": "not_found",
+                        "recovery": {
+                            "code": "request_unknown",
+                            "title": "This request is no longer waiting.",
+                            "body": "The request was either already resolved or expired. You can close this tab.",
+                        },
+                    },
+                    status=404,
+                )
                 return
             self._write_json(approval)
             return
@@ -313,11 +328,29 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
             self._write_json({"error": "forbidden_origin"}, status=403)
             return
         if self._requires_header_token(parsed.path, path_parts) and not self._header_token_is_valid():
-            self._write_json(
-                {"error": "unauthorized"},
-                status=401,
-                extra_headers=self._cors_headers_for_request(),
-            )
+            if len(path_parts) == 4 and path_parts[:2] == ["v1", "requests"] and path_parts[3] in {"approve", "block"}:
+                host = self.server.server_address[0]  # type: ignore[attr-defined]
+                port = self.server.server_address[1]  # type: ignore[attr-defined]
+                reconnect_url = _build_local_url(host, port, "/#/reconnect")
+                self._write_json(
+                    {
+                        "error": "unauthorized",
+                        "recovery": {
+                            "code": "session_stale",
+                            "title": "Your session with the local Guard daemon has expired.",
+                            "body": "Click the link below to reconnect, then retry your approval.",
+                            "reconnect_url": reconnect_url,
+                        },
+                    },
+                    status=401,
+                    extra_headers=self._cors_headers_for_request(),
+                )
+            else:
+                self._write_json(
+                    {"error": "unauthorized"},
+                    status=401,
+                    extra_headers=self._cors_headers_for_request(),
+                )
             return
         payload, body_error = self._load_request_body()
         if body_error is not None:
@@ -389,6 +422,37 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
                 workspace=self._optional_string(payload.get("workspace")),
                 reason=self._optional_string(payload.get("reason")),
             )
+        except ApprovalRequestNotFoundError:
+            self._write_json(
+                {
+                    "resolved": False,
+                    "error": "not_found",
+                    "recovery": {
+                        "code": "request_unknown",
+                        "title": "This request is no longer waiting.",
+                        "body": "The request was either already resolved or expired. You can close this tab.",
+                    },
+                },
+                status=404,
+            )
+            return
+        except ApprovalRequestAlreadyResolvedError:
+            self._write_json(
+                {
+                    "resolved": False,
+                    "error": "already_resolved",
+                    "recovery": {
+                        "code": "request_resolved",
+                        "title": "This request has already been resolved.",
+                        "body": (
+                            "If the action is blocked and you believe it should be allowed, "
+                            "you can re-submit from your AI assistant."
+                        ),
+                    },
+                },
+                status=409,
+            )
+            return
         except ValueError as error:
             self._write_json({"resolved": False, "error": str(error)}, status=400)
             return
@@ -1319,6 +1383,11 @@ def _approval_center_browser_url(approval_center_url: str, auth_token: str) -> s
     return urlunparse(parsed._replace(fragment=urlencode(fragment_pairs)))
+def _build_local_url(host: str, port: int, path: str) -> str:
+    host_part = f"[{host}]" if ":" in host else host
+    return f"http://{host_part}:{port}{path}"
 def _now() -> str:
     from datetime import datetime, timezone

{plugin_scanner-2.0.131 → plugin_scanner-2.0.133}/src/codex_plugin_scanner/guard/models.py RENAMED Viewed

@@ -180,6 +180,7 @@ class GuardApprovalRequest:
     risk_headline: str | None = None
     action_envelope_json: dict[str, object] | None = None
     decision_v2_json: dict[str, object] | None = None
+    fallback_cli_command: str | None = None
     def to_dict(self) -> dict[str, object]:
         payload = asdict(self)

{plugin_scanner-2.0.131 → plugin_scanner-2.0.133}/src/codex_plugin_scanner/guard/store.py RENAMED Viewed

@@ -686,6 +686,7 @@ class GuardStore:
             self._ensure_approval_column(connection, "action_envelope_json", "text")
             self._ensure_approval_column(connection, "decision_v2_json", "text")
             self._ensure_approval_column(connection, "workspace", "text")
+            self._ensure_approval_column(connection, "fallback_cli_command", "text")
             self._ensure_attachment_column(connection, "lease_id", "text not null default ''")
             self._ensure_attachment_column(connection, "lease_expires_at", "text")
             self._ensure_local_device(connection)

{plugin_scanner-2.0.131 → plugin_scanner-2.0.133}/src/codex_plugin_scanner/guard/store_approvals.py RENAMED Viewed

@@ -36,6 +36,7 @@ def approval_schema_statement() -> str:
            risk_headline text,
             action_envelope_json text,
             decision_v2_json text,
+            fallback_cli_command text,
             review_command text not null,
            approval_url text not null,
           status text not null,
@@ -70,7 +71,7 @@ def add_approval_request(connection: sqlite3.Connection, request: GuardApprovalR
                 recommended_scope = ?, changed_fields_json = ?, source_scope = ?, config_path = ?, workspace = ?,
                 launch_target = ?, transport = ?, risk_summary = ?, risk_signals_json = ?,
                 artifact_label = ?, source_label = ?, trigger_summary = ?, why_now = ?, launch_summary = ?,
-                risk_headline = ?, action_envelope_json = ?, decision_v2_json = ?,
+                risk_headline = ?, action_envelope_json = ?, decision_v2_json = ?, fallback_cli_command = ?,
                 review_command = ?, approval_url = ?, created_at = ?
             where request_id = ?
             """,
@@ -97,6 +98,11 @@ def add_approval_request(connection: sqlite3.Connection, request: GuardApprovalR
                 request.risk_headline,
                 json.dumps(request.action_envelope_json) if request.action_envelope_json is not None else None,
                 json.dumps(request.decision_v2_json) if request.decision_v2_json is not None else None,
+                (
+                    _rewrite_review_command(request.fallback_cli_command, request_id)
+                    if request.fallback_cli_command
+                    else None
+                ),
                 review_command,
                 approval_url,
                 now,
@@ -111,10 +117,10 @@ def add_approval_request(connection: sqlite3.Connection, request: GuardApprovalR
           recommended_scope, changed_fields_json, source_scope, config_path, workspace,
            launch_target, transport, risk_summary,
            risk_signals_json, artifact_label, source_label, trigger_summary, why_now, launch_summary, risk_headline,
-            action_envelope_json, decision_v2_json, review_command,
+            action_envelope_json, decision_v2_json, fallback_cli_command, review_command,
             approval_url, status, resolution_action, resolution_scope, reason, created_at, resolved_at
           )
-          values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+          values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
         """,
         (
             request.request_id,
@@ -142,6 +148,7 @@ def add_approval_request(connection: sqlite3.Connection, request: GuardApprovalR
             request.risk_headline,
             json.dumps(request.action_envelope_json) if request.action_envelope_json is not None else None,
             json.dumps(request.decision_v2_json) if request.decision_v2_json is not None else None,
+            request.fallback_cli_command,
             request.review_command,
             request.approval_url,
             "pending",
@@ -211,7 +218,8 @@ def list_approval_requests(
         select request_id, harness, artifact_id, artifact_name, artifact_type, artifact_hash, publisher, policy_action,
                recommended_scope, changed_fields_json, source_scope, config_path, workspace, launch_target, transport,
                 risk_summary, risk_signals_json, artifact_label, source_label, trigger_summary, why_now,
-                launch_summary, risk_headline, action_envelope_json, decision_v2_json, review_command,
+                launch_summary, risk_headline, action_envelope_json, decision_v2_json,
+                fallback_cli_command, review_command,
                 approval_url, status, resolution_action, resolution_scope, reason, created_at, resolved_at
         from approval_requests
         {where_clause}
@@ -230,7 +238,8 @@ def get_approval_request(connection: sqlite3.Connection, request_id: str) -> dic
         select request_id, harness, artifact_id, artifact_name, artifact_type, artifact_hash, publisher, policy_action,
                recommended_scope, changed_fields_json, source_scope, config_path, workspace, launch_target, transport,
                 risk_summary, risk_signals_json, artifact_label, source_label, trigger_summary, why_now,
-                launch_summary, risk_headline, action_envelope_json, decision_v2_json, review_command,
+                launch_summary, risk_headline, action_envelope_json, decision_v2_json,
+                fallback_cli_command, review_command,
                 approval_url, status, resolution_action, resolution_scope, reason, created_at, resolved_at
         from approval_requests
         where request_id = ?
@@ -311,6 +320,7 @@ def _row_to_payload(row: sqlite3.Row) -> dict[str, object]:
         "risk_headline": row["risk_headline"],
         "action_envelope_json": _optional_json_object(row["action_envelope_json"]),
         "decision_v2_json": _optional_json_object(row["decision_v2_json"]),
+        "fallback_cli_command": row["fallback_cli_command"],
         "review_command": str(row["review_command"]),
         "approval_url": str(row["approval_url"]),
         "status": str(row["status"]),

{plugin_scanner-2.0.131 → plugin_scanner-2.0.133}/src/codex_plugin_scanner/version.py RENAMED Viewed

@@ -1,3 +1,3 @@
 """Single source of truth for tool version."""
-__version__ = "2.0.131"
+__version__ = "2.0.133"

plugin-scanner 2.0.131__tar.gz → 2.0.133__tar.gz

plugin-scanner 2.0.131tar.gz → 2.0.133tar.gz