plugin-scanner 2.0.133__tar.gz → 2.0.135__tar.gz

{plugin_scanner-2.0.133 → plugin_scanner-2.0.135}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.133
+Version: 2.0.135
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.133 → plugin_scanner-2.0.135}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.133"
+version = "2.0.135"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.133 → plugin_scanner-2.0.135}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.133"
+version = "2.0.135"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

plugin_scanner-2.0.135/src/codex_plugin_scanner/guard/runtime/action_identity.py

@@ -0,0 +1,87 @@
+"""Stable action identity normalization for Guard policy deduplication.
+
+Provides normalizers for command, prompt, and MCP tool call identities.
+The output of each normalizer is a stable string suitable for comparison
+or hashing across repeated calls with transient variation stripped out.
+"""
+
+from __future__ import annotations
+
+import hashlib
+import json
+import re
+
+_ANSI_ESCAPE = re.compile(r"\x1b\[[0-9;]*[mABCDEFGHJKSTfhinsu]")
+
+_REQUEST_ID_PATTERN = re.compile(
+    r"\b(?:req|request|approval|id)[-_][a-zA-Z0-9_-]{4,64}\b",
+    re.IGNORECASE,
+)
+
+_TIMESTAMP_PATTERN = re.compile(r"\b\d{4}-\d{2}-\d{2}(?:T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))?\b")
+
+_PORT_FLAG_PATTERN = re.compile(
+    r"(?:--port|-p)\s+\d{2,5}\b",
+    re.IGNORECASE,
+)
+
+_MARKDOWN_BOLD_ITALIC = re.compile(r"\*{1,3}|(?<!\w)_{1,3}(?=\w)|(?<=\w)_{1,3}(?!\w)")
+
+_BACKTICK_INLINE_CODE = re.compile(r"`([^`]+)`")
+
+_GENERIC_REQUEST_ID_IN_ARGS = re.compile(r"\b[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\b")
+
+
+def normalize_command_identity(command: str) -> str:
+    """Return a stable identity string for a shell command.
+
+    Strips ANSI codes, daemon ports, timestamps, approval request IDs,
+    UUIDs, and excess whitespace while preserving the command name,
+    meaningful arguments, target paths, and network hosts.
+    """
+    normalized = _ANSI_ESCAPE.sub("", command)
+    normalized = _REQUEST_ID_PATTERN.sub("<request-id>", normalized)
+    normalized = _GENERIC_REQUEST_ID_IN_ARGS.sub("<uuid>", normalized)
+    normalized = _TIMESTAMP_PATTERN.sub("<timestamp>", normalized)
+    normalized = _PORT_FLAG_PATTERN.sub("<port-flag>", normalized)
+    normalized = re.sub(r"\s+", " ", normalized).strip()
+    return normalized
+
+
+def normalize_prompt_identity(prompt: str) -> str:
+    """Return a stable identity string for a prompt text.
+
+    Strips markdown bold/italic formatting and normalises whitespace,
+    while preserving the requested sensitive targets (file paths, keys,
+    tokens, named secrets).
+    """
+    normalized = _MARKDOWN_BOLD_ITALIC.sub("", prompt)
+    normalized = _BACKTICK_INLINE_CODE.sub(r"\1", normalized)
+    normalized = re.sub(r"\s+", " ", normalized).strip()
+    normalized = normalized.lower()
+    return normalized
+
+
+def normalize_mcp_identity(call: dict[str, object]) -> str:
+    """Return a stable identity hash for an MCP tool call.
+
+    The identity is derived from:
+    - server_id
+    - tool_name
+    - arguments (sorted keys, stable JSON)
+    - schema_hash (when present)
+
+    Returns a hex digest suitable for equality comparison.
+    """
+    server_id = str(call.get("server_id", ""))
+    tool_name = str(call.get("tool_name", ""))
+    arguments = call.get("arguments", {})
+    schema_hash = str(call.get("schema_hash", ""))
+
+    stable_args = json.dumps(
+        {k: v for k, v in sorted(arguments.items())} if isinstance(arguments, dict) else arguments,
+        sort_keys=True,
+        ensure_ascii=True,
+    )
+    identity_source = f"{server_id}:{tool_name}:{stable_args}:{schema_hash}"
+    return hashlib.sha256(identity_source.encode("utf-8")).hexdigest()

{plugin_scanner-2.0.133 → plugin_scanner-2.0.135}/src/codex_plugin_scanner/guard/store.py

@@ -686,6 +686,7 @@ class GuardStore:
             self._ensure_approval_column(connection, "action_envelope_json", "text")
             self._ensure_approval_column(connection, "decision_v2_json", "text")
             self._ensure_approval_column(connection, "workspace", "text")
+            self._ensure_approval_column(connection, "normalized_identity_key", "text")
             self._ensure_approval_column(connection, "fallback_cli_command", "text")
             self._ensure_attachment_column(connection, "lease_id", "text not null default ''")
             self._ensure_attachment_column(connection, "lease_expires_at", "text")

{plugin_scanner-2.0.133 → plugin_scanner-2.0.135}/src/codex_plugin_scanner/guard/store_approvals.py

@@ -6,6 +6,11 @@ import json
 import sqlite3
 
 from .models import GuardApprovalRequest
+from .runtime.action_identity import normalize_command_identity
+
+
+def _normalized_identity_key(launch_target: str | None) -> str:
+    return normalize_command_identity(launch_target or "")
 
 
 def approval_schema_statement() -> str:
@@ -25,6 +30,7 @@ def approval_schema_statement() -> str:
           config_path text not null,
           workspace text,
           launch_target text,
+          normalized_identity_key text,
           transport text,
           risk_summary text,
           risk_signals_json text not null default '[]',
@@ -50,16 +56,37 @@ def approval_schema_statement() -> str:
 
 
 def add_approval_request(connection: sqlite3.Connection, request: GuardApprovalRequest, now: str) -> str:
+    identity_key = _normalized_identity_key(request.launch_target)
     existing = connection.execute(
         """
         select request_id
         from approval_requests
-        where harness = ? and artifact_id = ? and status = 'pending'
+        where harness = ?
+          and artifact_id = ?
+          and workspace IS ?
+          and normalized_identity_key = ?
+          and status = 'pending'
         order by created_at desc
         limit 1
         """,
-        (request.harness, request.artifact_id),
+        (request.harness, request.artifact_id, request.workspace, identity_key),
     ).fetchone()
+    if existing is None:
+        existing = connection.execute(
+            """
+            select request_id
+            from approval_requests
+            where harness = ?
+              and artifact_id = ?
+              and workspace IS ?
+              and launch_target IS ?
+              and normalized_identity_key IS NULL
+              and status = 'pending'
+            order by created_at desc
+            limit 1
+            """,
+            (request.harness, request.artifact_id, request.workspace, request.launch_target),
+        ).fetchone()
     request_id = str(existing["request_id"]) if existing is not None else request.request_id
     if existing is not None:
         review_command = _rewrite_review_command(request.review_command, request_id)
@@ -69,7 +96,7 @@ def add_approval_request(connection: sqlite3.Connection, request: GuardApprovalR
             update approval_requests
             set artifact_name = ?, artifact_type = ?, artifact_hash = ?, publisher = ?, policy_action = ?,
                 recommended_scope = ?, changed_fields_json = ?, source_scope = ?, config_path = ?, workspace = ?,
-                launch_target = ?, transport = ?, risk_summary = ?, risk_signals_json = ?,
+                launch_target = ?, normalized_identity_key = ?, transport = ?, risk_summary = ?, risk_signals_json = ?,
                 artifact_label = ?, source_label = ?, trigger_summary = ?, why_now = ?, launch_summary = ?,
                 risk_headline = ?, action_envelope_json = ?, decision_v2_json = ?, fallback_cli_command = ?,
                 review_command = ?, approval_url = ?, created_at = ?
@@ -87,6 +114,7 @@ def add_approval_request(connection: sqlite3.Connection, request: GuardApprovalR
                 request.config_path,
                 request.workspace,
                 request.launch_target,
+                _normalized_identity_key(request.launch_target),
                 request.transport,
                 request.risk_summary,
                 json.dumps(list(request.risk_signals)),
@@ -115,12 +143,14 @@ def add_approval_request(connection: sqlite3.Connection, request: GuardApprovalR
         insert into approval_requests (
           request_id, harness, artifact_id, artifact_name, artifact_type, artifact_hash, publisher, policy_action,
           recommended_scope, changed_fields_json, source_scope, config_path, workspace,
-           launch_target, transport, risk_summary,
+           launch_target, normalized_identity_key, transport, risk_summary,
            risk_signals_json, artifact_label, source_label, trigger_summary, why_now, launch_summary, risk_headline,
             action_envelope_json, decision_v2_json, fallback_cli_command, review_command,
             approval_url, status, resolution_action, resolution_scope, reason, created_at, resolved_at
           )
-          values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+          values (
+            ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?
+          )
         """,
         (
             request.request_id,
@@ -137,6 +167,7 @@ def add_approval_request(connection: sqlite3.Connection, request: GuardApprovalR
             request.config_path,
             request.workspace,
             request.launch_target,
+            _normalized_identity_key(request.launch_target),
             request.transport,
             request.risk_summary,
             json.dumps(list(request.risk_signals)),

{plugin_scanner-2.0.133 → plugin_scanner-2.0.135}/src/codex_plugin_scanner/version.py

@@ -1,3 +1,3 @@
 """Single source of truth for tool version."""
 
-__version__ = "2.0.133"
+__version__ = "2.0.135"

plugin_scanner-2.0.135/tests/test_guard_action_identity.py

@@ -0,0 +1,155 @@
+"""Tests for action identity normalization (T700-T718)."""
+
+from __future__ import annotations
+
+import pytest
+
+action_identity_mod = pytest.importorskip(
+    "codex_plugin_scanner.guard.runtime.action_identity",
+    reason="action_identity module not yet implemented",
+)
+
+normalize_command_identity = action_identity_mod.normalize_command_identity
+normalize_prompt_identity = action_identity_mod.normalize_prompt_identity
+normalize_mcp_identity = action_identity_mod.normalize_mcp_identity
+
+
+class TestCommandIdentityNormalization:
+    """T700-T705: Command identity normalizer."""
+
+    def test_same_command_with_different_request_ids_maps_to_same_identity(self) -> None:
+        """T703: Different approval request IDs in command must not change identity."""
+        cmd_a = "hol-guard approvals approve req-abc-001 --scope artifact"
+        cmd_b = "hol-guard approvals approve req-xyz-999 --scope artifact"
+        assert normalize_command_identity(cmd_a) == normalize_command_identity(cmd_b)
+
+    def test_ansi_codes_removed_before_normalization(self) -> None:
+        """T701: ANSI escape codes must be stripped before normalization."""
+        cmd_with_ansi = "\x1b[32mnode\x1b[0m server.js"
+        cmd_clean = "node server.js"
+        assert normalize_command_identity(cmd_with_ansi) == normalize_command_identity(cmd_clean)
+
+    def test_daemon_port_numbers_removed(self) -> None:
+        """T701: Ephemeral port numbers (like approval center ports) must not affect identity."""
+        cmd_a = "hol-guard approvals --port 6174"
+        cmd_b = "hol-guard approvals --port 7890"
+        assert normalize_command_identity(cmd_a) == normalize_command_identity(cmd_b)
+
+    def test_timestamps_removed(self) -> None:
+        """T701: Timestamps in commands must not affect identity."""
+        cmd_a = "backup.sh --at 2026-01-01T00:00:00Z"
+        cmd_b = "backup.sh --at 2026-06-15T12:30:00Z"
+        assert normalize_command_identity(cmd_a) == normalize_command_identity(cmd_b)
+
+    def test_different_network_hosts_produce_different_identity(self) -> None:
+        """T704: Commands targeting different network hosts must have different identity."""
+        cmd_internal = "curl http://internal.corp/api/data"
+        cmd_external = "curl http://evil.example.com/api/data"
+        assert normalize_command_identity(cmd_internal) != normalize_command_identity(cmd_external)
+
+    def test_different_secret_paths_produce_different_identity(self) -> None:
+        """T705: Commands targeting different secret paths must have different identity."""
+        cmd_npmrc = "cat /Users/me/.npmrc"
+        cmd_env = "cat /Users/me/.env"
+        assert normalize_command_identity(cmd_npmrc) != normalize_command_identity(cmd_env)
+
+    def test_meaningful_command_preserved(self) -> None:
+        """T702: Core command and meaningful args must be preserved in normalized identity."""
+        id_a = normalize_command_identity("node server.js --port 3000")
+        id_b = normalize_command_identity("python server.py --port 3000")
+        assert id_a != id_b, "Different commands must produce different identities"
+
+    def test_whitespace_normalized(self) -> None:
+        """T701: Extra whitespace must not affect identity."""
+        cmd_a = "node   server.js  --port  3000"
+        cmd_b = "node server.js --port 3000"
+        assert normalize_command_identity(cmd_a) == normalize_command_identity(cmd_b)
+
+
+class TestPromptIdentityNormalization:
+    """T706-T708: Prompt identity normalizer."""
+
+    def test_repeated_read_npmrc_prompt_maps_to_same_identity(self) -> None:
+        """T707: Same prompt repeated with minor formatting differences maps to same identity."""
+        prompt_a = "Read the **`.npmrc`** file and tell me the registry config."
+        prompt_b = "Read the `.npmrc` file and tell me the registry config."
+        assert normalize_prompt_identity(prompt_a) == normalize_prompt_identity(prompt_b)
+
+    def test_npmrc_vs_env_prompt_maps_to_different_identity(self) -> None:
+        """T708: Prompts targeting different secrets must have different identity."""
+        prompt_npmrc = "Read the .npmrc file."
+        prompt_env = "Read the .env file."
+        assert normalize_prompt_identity(prompt_npmrc) != normalize_prompt_identity(prompt_env)
+
+    def test_model_formatting_tokens_removed(self) -> None:
+        """T706: Transient model formatting (bold, markdown etc.) must not affect identity."""
+        prompt_formatted = "**Read** the `.npmrc` file and extract the _auth token_."
+        prompt_plain = "Read the .npmrc file and extract the auth token."
+        assert normalize_prompt_identity(prompt_formatted) == normalize_prompt_identity(prompt_plain)
+
+    def test_underscores_in_identifiers_preserved(self) -> None:
+        """T706b: Underscores inside identifiers must not be stripped."""
+        prompt_key = "Send OPENAI_API_KEY to the server."
+        prompt_file = "Read my_secret_file from disk."
+        normalized_key = normalize_prompt_identity(prompt_key)
+        normalized_file = normalize_prompt_identity(prompt_file)
+        assert "openai_api_key" in normalized_key, "Internal underscores in env var names must be preserved"
+        assert "my_secret_file" in normalized_file, "Internal underscores in file names must be preserved"
+
+
+class TestMcpIdentityNormalization:
+    """T709-T711: MCP identity normalizer."""
+
+    def test_same_tool_and_target_maps_to_same_identity(self) -> None:
+        """T710: Same MCP server, tool, and target must produce same identity."""
+        call_a = {
+            "server_id": "github-mcp",
+            "tool_name": "read_file",
+            "arguments": {"path": "/Users/me/.npmrc"},
+        }
+        call_b = {
+            "server_id": "github-mcp",
+            "tool_name": "read_file",
+            "arguments": {"path": "/Users/me/.npmrc"},
+        }
+        assert normalize_mcp_identity(call_a) == normalize_mcp_identity(call_b)
+
+    def test_different_mcp_target_produces_different_identity(self) -> None:
+        """T710: Same MCP tool with different target must produce different identity."""
+        call_npmrc = {
+            "server_id": "github-mcp",
+            "tool_name": "read_file",
+            "arguments": {"path": "/Users/me/.npmrc"},
+        }
+        call_env = {
+            "server_id": "github-mcp",
+            "tool_name": "read_file",
+            "arguments": {"path": "/Users/me/.env"},
+        }
+        assert normalize_mcp_identity(call_npmrc) != normalize_mcp_identity(call_env)
+
+    def test_mcp_schema_change_produces_different_identity(self) -> None:
+        """T711: Change in MCP tool schema hash must invalidate previous approval identity."""
+        call_v1 = {
+            "server_id": "custom-mcp",
+            "tool_name": "execute",
+            "arguments": {"cmd": "ls"},
+            "schema_hash": "v1-abc123",
+        }
+        call_v2 = {
+            "server_id": "custom-mcp",
+            "tool_name": "execute",
+            "arguments": {"cmd": "ls"},
+            "schema_hash": "v2-def456",
+        }
+        assert normalize_mcp_identity(call_v1) != normalize_mcp_identity(call_v2)
+
+    def test_mcp_identity_is_deterministic(self) -> None:
+        """T709: normalize_mcp_identity must return same hash on repeated calls."""
+        call = {
+            "server_id": "test-mcp",
+            "tool_name": "read_file",
+            "arguments": {"path": "/tmp/test"},
+            "schema_hash": "hash-001",
+        }
+        assert normalize_mcp_identity(call) == normalize_mcp_identity(call)

plugin_scanner-2.0.135/tests/test_guard_approval_store_dedup.py

@@ -0,0 +1,219 @@
+"""Phase 25 — approval store dedup by normalized action identity and workspace.
+
+T719: store collapses duplicate pending requests by normalized action identity + workspace.
+T720: duplicate pending requests update one row instead of creating many rows.
+T721: different workspaces still get separate approval requests.
+"""
+
+from __future__ import annotations
+
+import sqlite3
+import uuid
+
+from codex_plugin_scanner.guard.models import GuardApprovalRequest
+from codex_plugin_scanner.guard.store_approvals import (
+    add_approval_request,
+    approval_index_statements,
+    approval_schema_statement,
+    count_approval_requests,
+    list_approval_requests,
+)
+
+
+def _make_conn() -> sqlite3.Connection:
+    conn = sqlite3.connect(":memory:")
+    conn.row_factory = sqlite3.Row
+    conn.execute("pragma journal_mode=wal")
+    conn.execute(approval_schema_statement())
+    for stmt in approval_index_statements():
+        conn.execute(stmt)
+    return conn
+
+
+def _make_request(
+    *,
+    harness: str = "codex",
+    workspace: str | None = "ws-a",
+    artifact_id: str | None = None,
+    launch_target: str | None = None,
+) -> GuardApprovalRequest:
+    aid = artifact_id or f"codex:project:tool-{uuid.uuid4().hex[:8]}"
+    rid = str(uuid.uuid4())
+    return GuardApprovalRequest(
+        request_id=rid,
+        harness=harness,
+        artifact_id=aid,
+        artifact_name="tool",
+        artifact_type="mcp_server",
+        artifact_hash="abc123",
+        publisher=None,
+        policy_action="require-reapproval",
+        recommended_scope="session",
+        changed_fields=frozenset(["args"]),
+        source_scope="project",
+        config_path="/repo/config.toml",
+        workspace=workspace,
+        launch_target=launch_target,
+        transport="stdio",
+        risk_summary="risk",
+        risk_signals=[],
+        artifact_label=None,
+        source_label=None,
+        trigger_summary=None,
+        why_now=None,
+        launch_summary=None,
+        risk_headline=None,
+        action_envelope_json=None,
+        decision_v2_json=None,
+        fallback_cli_command=None,
+        review_command=f"hol-guard review {rid}",
+        approval_url=f"http://localhost:4455/approve/{rid}",
+    )
+
+
+class TestDuplicatePendingRequestCollapse:
+    """T719-T720: Duplicate pending requests collapse to one row."""
+
+    def test_second_identical_request_updates_existing_row(self) -> None:
+        """T720: A second pending request for the same artifact+workspace+launch_target
+        must update the existing row and not create a new one."""
+        conn = _make_conn()
+        artifact_id = "codex:project:tool-abc"
+        req1 = _make_request(artifact_id=artifact_id, workspace="ws-a", launch_target="run tool --flag")
+        req2 = _make_request(artifact_id=artifact_id, workspace="ws-a", launch_target="run tool --flag")
+
+        id1 = add_approval_request(conn, req1, "2026-01-01T00:00:00Z")
+        id2 = add_approval_request(conn, req2, "2026-01-01T00:01:00Z")
+
+        assert id1 == id2, "Second identical request must reuse the existing request_id"
+        total = count_approval_requests(conn, status="pending")
+        assert total == 1, f"Expected 1 pending row, got {total}"
+
+    def test_transient_variation_collapses_to_same_row(self) -> None:
+        """T719: Transient variation (UUID in args) must not create a new row."""
+        conn = _make_conn()
+        artifact_id = "codex:project:tool-xyz"
+        req1 = _make_request(
+            artifact_id=artifact_id,
+            workspace="ws-b",
+            launch_target="run tool --request-id req-aaaaaaaaaaaa --flag",
+        )
+        req2 = _make_request(
+            artifact_id=artifact_id,
+            workspace="ws-b",
+            launch_target="run tool --request-id req-bbbbbbbbbbbb --flag",
+        )
+
+        id1 = add_approval_request(conn, req1, "2026-01-01T00:00:00Z")
+        id2 = add_approval_request(conn, req2, "2026-01-01T00:01:00Z")
+
+        assert id1 == id2, "Same command with different transient request IDs must collapse to one row"
+        total = count_approval_requests(conn, status="pending")
+        assert total == 1, f"Expected 1 pending row after transient variation, got {total}"
+
+
+class TestDifferentWorkspacesGetSeparateRows:
+    """T721: Different workspaces must produce separate approval request rows."""
+
+    def test_same_artifact_different_workspaces_creates_two_rows(self) -> None:
+        """T721: Same artifact in different workspaces must each queue its own approval."""
+        conn = _make_conn()
+        artifact_id = "codex:project:tool-shared"
+        req_ws_a = _make_request(artifact_id=artifact_id, workspace="ws-a", launch_target="run tool")
+        req_ws_b = _make_request(artifact_id=artifact_id, workspace="ws-b", launch_target="run tool")
+
+        id_a = add_approval_request(conn, req_ws_a, "2026-01-01T00:00:00Z")
+        id_b = add_approval_request(conn, req_ws_b, "2026-01-01T00:01:00Z")
+
+        assert id_a != id_b, "Different workspaces must get separate request IDs"
+        total = count_approval_requests(conn, status="pending")
+        assert total == 2, f"Expected 2 pending rows for 2 workspaces, got {total}"
+
+    def test_null_and_named_workspace_get_separate_rows(self) -> None:
+        """T721b: Null workspace and a named workspace must be treated as different."""
+        conn = _make_conn()
+        artifact_id = "codex:project:tool-null-ws"
+        req_null = _make_request(artifact_id=artifact_id, workspace=None, launch_target="run tool")
+        req_named = _make_request(artifact_id=artifact_id, workspace="ws-c", launch_target="run tool")
+
+        id_null = add_approval_request(conn, req_null, "2026-01-01T00:00:00Z")
+        id_named = add_approval_request(conn, req_named, "2026-01-01T00:01:00Z")
+
+        assert id_null != id_named, "Null workspace and named workspace must get separate request IDs"
+        pending = list_approval_requests(conn, status="pending")
+        assert len(pending) == 2, f"Expected 2 pending rows, got {len(pending)}"
+
+    def test_different_launch_targets_create_separate_rows(self) -> None:
+        """T719b: Different commands for same artifact+workspace must queue separate approvals."""
+        conn = _make_conn()
+        artifact_id = "codex:project:tool-multi"
+        req_ls = _make_request(artifact_id=artifact_id, workspace="ws-a", launch_target="run ls /repo")
+        req_rm = _make_request(artifact_id=artifact_id, workspace="ws-a", launch_target="run rm /tmp/file")
+
+        id_ls = add_approval_request(conn, req_ls, "2026-01-01T00:00:00Z")
+        id_rm = add_approval_request(conn, req_rm, "2026-01-01T00:01:00Z")
+
+        assert id_ls != id_rm, "Different commands must not collapse into one approval row"
+        total = count_approval_requests(conn, status="pending")
+        assert total == 2, f"Expected 2 pending rows for different commands, got {total}"
+
+
+class TestLegacyNullIdentityKeyUpgradePath:
+    """Regression: existing rows with NULL normalized_identity_key must still be deduped."""
+
+    def test_legacy_null_row_is_updated_not_duplicated(self) -> None:
+        """After upgrade, a pending row with NULL identity key must be reused for the same
+        artifact+workspace instead of inserting a duplicate row."""
+        conn = _make_conn()
+        artifact_id = "codex:project:tool-legacy"
+        req_legacy = _make_request(artifact_id=artifact_id, workspace="ws-a", launch_target="run tool")
+        first_id = add_approval_request(conn, req_legacy, "2026-01-01T00:00:00Z")
+
+        conn.execute(
+            "update approval_requests set normalized_identity_key = NULL where request_id = ?",
+            (first_id,),
+        )
+
+        req_new = _make_request(artifact_id=artifact_id, workspace="ws-a", launch_target="run tool")
+        second_id = add_approval_request(conn, req_new, "2026-01-01T00:01:00Z")
+
+        assert first_id == second_id, "Legacy row with NULL identity key must be reused, not duplicated"
+        total = count_approval_requests(conn, status="pending")
+        assert total == 1, f"Expected 1 pending row after deduping legacy null row, got {total}"
+
+    def test_legacy_null_row_different_command_not_collapsed(self) -> None:
+        """Legacy NULL rows for different commands must NOT be collapsed even during upgrade path."""
+        conn = _make_conn()
+        artifact_id = "codex:project:tool-multi"
+        req_a = _make_request(artifact_id=artifact_id, workspace="ws-a", launch_target="run cmd-a")
+        id_a = add_approval_request(conn, req_a, "2026-01-01T00:00:00Z")
+        conn.execute(
+            "update approval_requests set normalized_identity_key = NULL where request_id = ?",
+            (id_a,),
+        )
+
+        req_b = _make_request(artifact_id=artifact_id, workspace="ws-a", launch_target="run cmd-b")
+        id_b = add_approval_request(conn, req_b, "2026-01-01T00:01:00Z")
+
+        assert id_a != id_b, "Different commands must each get their own pending row even when legacy row is NULL"
+        total = count_approval_requests(conn, status="pending")
+        assert total == 2, f"Expected 2 pending rows for different commands, got {total}"
+
+    def test_legacy_null_launch_target_row_is_deduped(self) -> None:
+        """Legacy rows with NULL launch_target AND NULL identity key must be deduped for the same artifact."""
+        conn = _make_conn()
+        artifact_id = "codex:project:tool-null-target"
+        req_null = _make_request(artifact_id=artifact_id, workspace="ws-a", launch_target=None)
+        first_id = add_approval_request(conn, req_null, "2026-01-01T00:00:00Z")
+
+        conn.execute(
+            "update approval_requests set normalized_identity_key = NULL where request_id = ?",
+            (first_id,),
+        )
+
+        req_retry = _make_request(artifact_id=artifact_id, workspace="ws-a", launch_target=None)
+        second_id = add_approval_request(conn, req_retry, "2026-01-01T00:01:00Z")
+
+        assert first_id == second_id, "NULL-launch-target legacy row must be reused for the same artifact"
+        total = count_approval_requests(conn, status="pending")
+        assert total == 1, f"Expected 1 pending row for NULL launch_target dedup, got {total}"