plugin-scanner 2.0.134__tar.gz → 2.0.136__tar.gz

{plugin_scanner-2.0.134 → plugin_scanner-2.0.136}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.134
+Version: 2.0.136
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.134 → plugin_scanner-2.0.136}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.134"
+version = "2.0.136"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.134 → plugin_scanner-2.0.136}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.134"
+version = "2.0.136"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.134 → plugin_scanner-2.0.136}/src/codex_plugin_scanner/guard/cli/approval_commands.py

@@ -10,6 +10,19 @@ from ..approvals import apply_approval_resolution, build_runtime_snapshot
 from ..daemon import load_guard_daemon_url
 from ..store import GuardStore
 
+_HARNESS_RETRY_COPY: dict[str, str] = {
+    "codex": "Return to Codex and retry",
+    "claude-code": "Return to Claude and retry",
+    "opencode": "Return to OpenCode and retry",
+    "copilot": "Return to Copilot and retry",
+}
+_DEFAULT_RETRY_COPY = "Return to your AI assistant and retry"
+
+
+def _build_retry_hint(action: str, harness: str) -> dict[str, str]:
+    title = "Approved. Retry in chat." if action == "allow" else "Blocked. Guard will remember this decision."
+    return {"title": title, "body": _HARNESS_RETRY_COPY.get(harness, _DEFAULT_RETRY_COPY)}
+
 
 def add_approval_parser(
     guard_subparsers: argparse._SubParsersAction[argparse.ArgumentParser],
@@ -57,6 +70,22 @@ def add_approval_parser(
     add_common_args(clear_history_parser)
     clear_history_parser.add_argument("--json", action="store_true")
 
+    open_parser = approvals_subparsers.add_parser(
+        "open",
+        help="Show the approval URL for a pending request",
+    )
+    open_parser.add_argument("request_id", help="The approval request ID to open")
+    add_common_args(open_parser)
+    open_parser.add_argument("--json", action="store_true")
+
+    retry_hint_parser = approvals_subparsers.add_parser(
+        "retry-hint",
+        help="Print the retry hint for a resolved approval request",
+    )
+    retry_hint_parser.add_argument("request_id", help="The approval request ID to get the retry hint for")
+    add_common_args(retry_hint_parser)
+    retry_hint_parser.add_argument("--json", action="store_true")
+
 
 def run_approval_command(
     args: argparse.Namespace,
@@ -115,5 +144,35 @@ def run_approval_command(
     return {"resolved": True, "item": item}
 
 
+def run_approval_open_command(
+    args: argparse.Namespace,
+    *,
+    store: GuardStore,
+) -> tuple[dict[str, object], int]:
+    request_id = args.request_id
+    item = store.get_approval_request(request_id)
+    if item is None:
+        return {"error": "not_found", "request_id": request_id}, 1
+    return {"request_id": request_id, "approval_url": str(item.get("approval_url", ""))}, 0
+
+
+def run_approval_retry_hint_command(
+    args: argparse.Namespace,
+    *,
+    store: GuardStore,
+) -> tuple[dict[str, object], int]:
+    request_id = args.request_id
+    item = store.get_approval_request(request_id)
+    if item is None:
+        return {"error": "not_found", "request_id": request_id}, 1
+    status = str(item.get("status", ""))
+    if status != "resolved":
+        return {"error": "not_resolved", "status": status, "request_id": request_id}, 1
+    resolution_action = str(item.get("resolution_action", ""))
+    harness = str(item.get("harness", ""))
+    hint: dict[str, object] = dict(_build_retry_hint(resolution_action, harness))
+    return hint, 0
+
+
 def _now() -> str:
     return datetime.now(timezone.utc).isoformat()

{plugin_scanner-2.0.134 → plugin_scanner-2.0.136}/src/codex_plugin_scanner/guard/cli/commands.py

@@ -109,7 +109,12 @@ from ..runtime.secret_sensitivity import (
 from ..runtime.signals import RiskSignalV2
 from ..runtime.surface_server import GuardSurfaceRuntime
 from ..store import GuardStore
-from .approval_commands import add_approval_parser, run_approval_command
+from .approval_commands import (
+    add_approval_parser,
+    run_approval_command,
+    run_approval_open_command,
+    run_approval_retry_hint_command,
+)
 from .bootstrap import DEFAULT_ALIAS_NAME, build_guard_bootstrap_payload
 from .connect_flow import (
     DEFAULT_GUARD_CONNECT_URL,
@@ -1152,6 +1157,15 @@ def run_guard_command(
         return 0
 
     if args.guard_command == "approvals":
+        approvals_command = getattr(args, "approvals_command", None)
+        if approvals_command == "open":
+            payload, exit_code = run_approval_open_command(args, store=store)
+            _emit("approvals", payload, getattr(args, "json", False))
+            return exit_code
+        if approvals_command == "retry-hint":
+            payload, exit_code = run_approval_retry_hint_command(args, store=store)
+            _emit("approvals", payload, getattr(args, "json", False))
+            return exit_code
         payload = run_approval_command(args, store=store, workspace=workspace)
         _emit("approvals", payload, getattr(args, "json", False))
         return int(payload.get("exit_code", 0))

{plugin_scanner-2.0.134 → plugin_scanner-2.0.136}/src/codex_plugin_scanner/guard/cli/render.py

@@ -566,6 +566,22 @@ def _render_events(console: Console, payload: dict[str, object]) -> None:
 
 
 def _render_approvals(console: Console, payload: dict[str, object]) -> None:
+    approval_url = payload.get("approval_url")
+    if isinstance(approval_url, str) and approval_url:
+        body = Table.grid(padding=(0, 1))
+        body.add_row("Request", str(payload.get("request_id", "")))
+        body.add_row("URL", f"[bold]{approval_url}[/bold]")
+        console.print(Panel(body, title="Open approval", border_style="cyan"))
+        return
+    if "title" in payload and "body" in payload:
+        body = Table.grid(padding=(0, 1))
+        body.add_row("Status", str(payload["title"]))
+        body.add_row("Next step", str(payload["body"]))
+        console.print(Panel(body, title="Approval resolved", border_style="green"))
+        return
+    if payload.get("error"):
+        console.print(Panel(str(payload.get("error")), title="Approval error", border_style="red"))
+        return
     if "history_cleared" in payload or "cleared_policies" in payload:
         error = payload.get("error")
         body = Table.grid(padding=(0, 1))

{plugin_scanner-2.0.134 → plugin_scanner-2.0.136}/src/codex_plugin_scanner/guard/daemon/server.py

@@ -456,7 +456,15 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
         except ValueError as error:
             self._write_json({"resolved": False, "error": str(error)}, status=400)
             return
-        self._write_json({"resolved": True, "item": updated})
+        normalized_scope = scope.strip()
+        harness_str = str(updated.get("harness", ""))
+        self.server.store.add_event(  # type: ignore[attr-defined]
+            "approval_resolved",
+            {"request_id": request_id, "action": action, "scope": normalized_scope, "harness": harness_str},
+            _now(),
+        )
+        harness = str(updated.get("harness", ""))
+        self._write_json({"resolved": True, "item": updated, "copy": _build_resolution_copy(action, harness)})
 
     def log_message(self, fmt: str, *args: Any) -> None:
         return
@@ -1388,6 +1396,20 @@ def _build_local_url(host: str, port: int, path: str) -> str:
     return f"http://{host_part}:{port}{path}"
 
 
+_HARNESS_RETRY_COPY: dict[str, str] = {
+    "codex": "Return to Codex and retry",
+    "claude-code": "Return to Claude and retry",
+    "opencode": "Return to OpenCode and retry",
+    "copilot": "Return to Copilot and retry",
+}
+_DEFAULT_RETRY_COPY = "Return to your AI assistant and retry"
+
+
+def _build_resolution_copy(action: str, harness: str) -> dict[str, str]:
+    title = "Approved. Retry in chat." if action == "allow" else "Blocked. Guard will remember this decision."
+    return {"title": title, "body": _HARNESS_RETRY_COPY.get(harness, _DEFAULT_RETRY_COPY)}
+
+
 def _now() -> str:
     from datetime import datetime, timezone
 

{plugin_scanner-2.0.134 → plugin_scanner-2.0.136}/src/codex_plugin_scanner/guard/store.py

@@ -686,6 +686,7 @@ class GuardStore:
             self._ensure_approval_column(connection, "action_envelope_json", "text")
             self._ensure_approval_column(connection, "decision_v2_json", "text")
             self._ensure_approval_column(connection, "workspace", "text")
+            self._ensure_approval_column(connection, "normalized_identity_key", "text")
             self._ensure_approval_column(connection, "fallback_cli_command", "text")
             self._ensure_attachment_column(connection, "lease_id", "text not null default ''")
             self._ensure_attachment_column(connection, "lease_expires_at", "text")

{plugin_scanner-2.0.134 → plugin_scanner-2.0.136}/src/codex_plugin_scanner/guard/store_approvals.py

@@ -6,6 +6,11 @@ import json
 import sqlite3
 
 from .models import GuardApprovalRequest
+from .runtime.action_identity import normalize_command_identity
+
+
+def _normalized_identity_key(launch_target: str | None) -> str:
+    return normalize_command_identity(launch_target or "")
 
 
 def approval_schema_statement() -> str:
@@ -25,6 +30,7 @@ def approval_schema_statement() -> str:
           config_path text not null,
           workspace text,
           launch_target text,
+          normalized_identity_key text,
           transport text,
           risk_summary text,
           risk_signals_json text not null default '[]',
@@ -50,16 +56,37 @@ def approval_schema_statement() -> str:
 
 
 def add_approval_request(connection: sqlite3.Connection, request: GuardApprovalRequest, now: str) -> str:
+    identity_key = _normalized_identity_key(request.launch_target)
     existing = connection.execute(
         """
         select request_id
         from approval_requests
-        where harness = ? and artifact_id = ? and status = 'pending'
+        where harness = ?
+          and artifact_id = ?
+          and workspace IS ?
+          and normalized_identity_key = ?
+          and status = 'pending'
         order by created_at desc
         limit 1
         """,
-        (request.harness, request.artifact_id),
+        (request.harness, request.artifact_id, request.workspace, identity_key),
     ).fetchone()
+    if existing is None:
+        existing = connection.execute(
+            """
+            select request_id
+            from approval_requests
+            where harness = ?
+              and artifact_id = ?
+              and workspace IS ?
+              and launch_target IS ?
+              and normalized_identity_key IS NULL
+              and status = 'pending'
+            order by created_at desc
+            limit 1
+            """,
+            (request.harness, request.artifact_id, request.workspace, request.launch_target),
+        ).fetchone()
     request_id = str(existing["request_id"]) if existing is not None else request.request_id
     if existing is not None:
         review_command = _rewrite_review_command(request.review_command, request_id)
@@ -69,7 +96,7 @@ def add_approval_request(connection: sqlite3.Connection, request: GuardApprovalR
             update approval_requests
             set artifact_name = ?, artifact_type = ?, artifact_hash = ?, publisher = ?, policy_action = ?,
                 recommended_scope = ?, changed_fields_json = ?, source_scope = ?, config_path = ?, workspace = ?,
-                launch_target = ?, transport = ?, risk_summary = ?, risk_signals_json = ?,
+                launch_target = ?, normalized_identity_key = ?, transport = ?, risk_summary = ?, risk_signals_json = ?,
                 artifact_label = ?, source_label = ?, trigger_summary = ?, why_now = ?, launch_summary = ?,
                 risk_headline = ?, action_envelope_json = ?, decision_v2_json = ?, fallback_cli_command = ?,
                 review_command = ?, approval_url = ?, created_at = ?
@@ -87,6 +114,7 @@ def add_approval_request(connection: sqlite3.Connection, request: GuardApprovalR
                 request.config_path,
                 request.workspace,
                 request.launch_target,
+                _normalized_identity_key(request.launch_target),
                 request.transport,
                 request.risk_summary,
                 json.dumps(list(request.risk_signals)),
@@ -115,12 +143,14 @@ def add_approval_request(connection: sqlite3.Connection, request: GuardApprovalR
         insert into approval_requests (
           request_id, harness, artifact_id, artifact_name, artifact_type, artifact_hash, publisher, policy_action,
           recommended_scope, changed_fields_json, source_scope, config_path, workspace,
-           launch_target, transport, risk_summary,
+           launch_target, normalized_identity_key, transport, risk_summary,
            risk_signals_json, artifact_label, source_label, trigger_summary, why_now, launch_summary, risk_headline,
             action_envelope_json, decision_v2_json, fallback_cli_command, review_command,
             approval_url, status, resolution_action, resolution_scope, reason, created_at, resolved_at
           )
-          values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+          values (
+            ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?
+          )
         """,
         (
             request.request_id,
@@ -137,6 +167,7 @@ def add_approval_request(connection: sqlite3.Connection, request: GuardApprovalR
             request.config_path,
             request.workspace,
             request.launch_target,
+            _normalized_identity_key(request.launch_target),
             request.transport,
             request.risk_summary,
             json.dumps(list(request.risk_signals)),

{plugin_scanner-2.0.134 → plugin_scanner-2.0.136}/src/codex_plugin_scanner/version.py

@@ -1,3 +1,3 @@
 """Single source of truth for tool version."""
 
-__version__ = "2.0.134"
+__version__ = "2.0.136"

plugin_scanner-2.0.136/tests/test_guard_approval_copy_commands.py

@@ -0,0 +1,203 @@
+"""Tests for T732-T737: harness copy rule and approval CLI commands."""
+
+from __future__ import annotations
+
+import json
+from pathlib import Path
+
+import pytest
+
+from codex_plugin_scanner.cli import main
+from codex_plugin_scanner.guard.adapters.base import HarnessContext
+from codex_plugin_scanner.guard.approvals import approval_center_hint
+from codex_plugin_scanner.guard.models import GuardApprovalRequest
+from codex_plugin_scanner.guard.store import GuardStore
+
+_KNOWN_HARNESSES = ["codex", "claude-code", "opencode", "copilot", "gemini"]
+
+
+def _make_queue_item(harness: str, request_id: str) -> dict:
+    return {
+        "request_id": request_id,
+        "harness": harness,
+        "artifact_id": f"{harness}:project:tool",
+        "artifact_name": "Test tool",
+        "policy_action": "block",
+        "recommended_scope": "artifact",
+    }
+
+
+def _make_request(
+    *,
+    request_id: str,
+    harness: str = "codex",
+    status: str = "pending",
+) -> GuardApprovalRequest:
+    return GuardApprovalRequest(
+        request_id=request_id,
+        harness=harness,
+        artifact_id=f"{harness}:project:tool",
+        artifact_name="Test tool",
+        artifact_hash="hash-abc",
+        policy_action="require-reapproval",
+        recommended_scope="artifact",
+        changed_fields=("tool_action_request",),
+        source_scope="project",
+        config_path="/tmp/config.toml",
+        review_command=f"hol-guard approvals approve {request_id}",
+        approval_url=f"http://127.0.0.1:5474/approvals/{request_id}",
+    )
+
+
+class TestHarnessBlockMessageCopyRule:
+    """T732: harness block messages must never tell users to run 'hol-guard dashboard' as primary path."""
+
+    @pytest.mark.parametrize("harness", _KNOWN_HARNESSES)
+    def test_approval_center_hint_does_not_require_manual_dashboard_launch(
+        self, tmp_path: Path, harness: str
+    ) -> None:
+        """T732: approval_center_hint must not instruct users to run 'hol-guard dashboard'."""
+        context = HarnessContext(
+            home_dir=tmp_path,
+            guard_home=tmp_path / ".hol-guard",
+            workspace_dir=tmp_path / "workspace",
+        )
+        queued = [_make_queue_item(harness, "req-rule-01")]
+        hint = approval_center_hint(
+            context=context,
+            harness=harness,
+            approval_center_url="http://127.0.0.1:5474",
+            queued=queued,
+        )
+        assert "hol-guard dashboard" not in hint, (
+            f"Harness hint for '{harness}' must not tell users to run 'hol-guard dashboard' as primary path. "
+            f"Got: {hint!r}"
+        )
+
+
+class TestBlockMessageNoDashboardLaunchRequired:
+    """T733: CLI block message must not require manual dashboard launch."""
+
+    def test_block_approval_center_hint_no_manual_dashboard_command(self, tmp_path: Path) -> None:
+        """T733: block flow copy does not contain 'hol-guard dashboard' for any harness."""
+        context = HarnessContext(
+            home_dir=tmp_path,
+            guard_home=tmp_path / ".hol-guard",
+            workspace_dir=tmp_path / "workspace",
+        )
+        for harness in _KNOWN_HARNESSES:
+            queued = [_make_queue_item(harness, f"req-t733-{harness}")]
+            hint = approval_center_hint(
+                context=context,
+                harness=harness,
+                approval_center_url="http://127.0.0.1:5474",
+                queued=queued,
+            )
+            assert "hol-guard dashboard" not in hint, (
+                f"CLI block message for '{harness}' must not say 'hol-guard dashboard'. Got: {hint!r}"
+            )
+
+
+class TestApprovalsOpenCommand:
+    """T734-T735: 'hol-guard approvals open <request_id>' command."""
+
+    def test_approvals_open_returns_approval_url_for_known_request(self, tmp_path: Path, capsys) -> None:
+        """T734: approvals open prints the approval URL for an existing pending request."""
+        home_dir = tmp_path / "guard-home"
+        store = GuardStore(home_dir)
+        store.add_approval_request(_make_request(request_id="req-open-01"), "2026-01-01T00:00:00Z")
+
+        rc = main(["guard", "approvals", "open", "req-open-01", "--home", str(home_dir), "--json"])
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc == 0
+        assert output["request_id"] == "req-open-01"
+        assert "approval_url" in output
+
+    def test_approvals_open_returns_error_for_missing_request(self, tmp_path: Path, capsys) -> None:
+        """T735: approvals open with daemon stopped returns a clear error, not a crash."""
+        home_dir = tmp_path / "guard-home"
+
+        rc = main(["guard", "approvals", "open", "req-missing", "--home", str(home_dir), "--json"])
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc != 0
+        assert "error" in output
+
+
+class TestApprovalsRetryHintCommand:
+    """T736-T737: 'hol-guard approvals retry-hint <request_id>' command."""
+
+    def test_retry_hint_allow_resolution(self, tmp_path: Path, capsys) -> None:
+        """T737: retry-hint returns allow copy after approval."""
+        home_dir = tmp_path / "guard-home"
+        store = GuardStore(home_dir)
+        store.add_approval_request(_make_request(request_id="req-hint-allow"), "2026-01-01T00:00:00Z")
+        main(
+            [
+                "guard",
+                "approvals",
+                "approve",
+                "req-hint-allow",
+                "--home",
+                str(home_dir),
+                "--scope",
+                "artifact",
+                "--json",
+            ]
+        )
+        capsys.readouterr()
+
+        rc = main(["guard", "approvals", "retry-hint", "req-hint-allow", "--home", str(home_dir), "--json"])
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc == 0
+        assert output["title"] == "Approved. Retry in chat."
+
+    def test_retry_hint_block_resolution(self, tmp_path: Path, capsys) -> None:
+        """T737: retry-hint returns block copy after block decision."""
+        home_dir = tmp_path / "guard-home"
+        store = GuardStore(home_dir)
+        store.add_approval_request(_make_request(request_id="req-hint-block"), "2026-01-01T00:00:00Z")
+        main(
+            [
+                "guard",
+                "approvals",
+                "deny",
+                "req-hint-block",
+                "--home",
+                str(home_dir),
+                "--scope",
+                "artifact",
+                "--json",
+            ]
+        )
+        capsys.readouterr()
+
+        rc = main(["guard", "approvals", "retry-hint", "req-hint-block", "--home", str(home_dir), "--json"])
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc == 0
+        assert output["title"] == "Blocked. Guard will remember this decision."
+
+    def test_retry_hint_missing_request(self, tmp_path: Path, capsys) -> None:
+        """T737: retry-hint with unknown request_id returns error."""
+        home_dir = tmp_path / "guard-home"
+
+        rc = main(["guard", "approvals", "retry-hint", "req-hint-missing", "--home", str(home_dir), "--json"])
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc != 0
+        assert "error" in output
+
+    def test_retry_hint_pending_request(self, tmp_path: Path, capsys) -> None:
+        """T737: retry-hint with still-pending request returns not_resolved status."""
+        home_dir = tmp_path / "guard-home"
+        store = GuardStore(home_dir)
+        store.add_approval_request(_make_request(request_id="req-hint-pending"), "2026-01-01T00:00:00Z")
+
+        rc = main(["guard", "approvals", "retry-hint", "req-hint-pending", "--home", str(home_dir), "--json"])
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc != 0
+        assert output.get("status") == "pending" or "error" in output