plugin-scanner 2.0.135__tar.gz → 2.0.137__tar.gz

{plugin_scanner-2.0.135 → plugin_scanner-2.0.137}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.135
+Version: 2.0.137
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.135 → plugin_scanner-2.0.137}/docs/guard/get-started.md

@@ -270,3 +270,36 @@ That means the user should never get a silent pass-through on a risky Codex acti
 - native Bash deny plus HOL Guard approval-center recovery for sensitive shell actions
 - same-chat approve or deny when Codex can render the inline MCP prompt
 - explicit approval-center recovery when the session cannot
+
+## Seamless approvals
+
+When Guard blocks a launch, it opens a persistent approval link in the terminal rather than pausing the session. You can resolve requests without leaving your harness:
+
+1. Guard returns the approval URL in the block output and queues the request locally.
+2. Open the approval center at the URL or in your browser.
+3. Approve or deny the request from the approval center UI or the CLI:
+
+   ```bash
+   hol-guard approvals approve <request-id>
+   hol-guard approvals deny <request-id>
+   ```
+
+4. After you resolve the request, Guard emits copy telling you to return to your AI assistant and retry. No page reload or session restart is needed.
+
+To inspect a pending request's details or get the approval URL, pass the request-id to the `approve` command with `--dry-run`, or visit the approval center URL shown in the block message directly.
+
+## Troubleshooting
+
+### Approval link says API error
+
+If the approval center URL in a block message returns an API error, the local approval center locator may be stale.
+Use the **Repair approval center** action in the Guard dashboard Settings tab, or call the repair endpoint directly when the daemon is running. The port shown in Guard's status output or the dashboard URL is your daemon port:
+
+```bash
+GUARD_PORT=$(hol-guard status --json 2>/dev/null | python3 -c "import json,sys; d=json.load(sys.stdin); print((d.get('runtime_state') or {}).get('daemon_port', d.get('daemon_port', 4781)))" 2>/dev/null || echo 4781)
+curl -s -X POST "http://127.0.0.1:${GUARD_PORT}/v1/daemon/repair" \
+  -H "X-Guard-Token: $(cat ~/.hol-guard/daemon-auth-token)"
+```
+
+After repair, restart Guard, then retry the block message URL or relaunch your harness through Guard. Pending approval requests are preserved across repairs.
+

{plugin_scanner-2.0.135 → plugin_scanner-2.0.137}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.135"
+version = "2.0.137"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"
@@ -98,3 +98,7 @@ select = ["E", "F", "W", "I", "N", "UP", "B", "A", "SIM", "RUF"]
 [tool.pytest.ini_options]
 testpaths = ["tests"]
 python_files = ["test_*.py"]
+addopts = ["-m", "not slow"]
+markers = [
+  "slow: marks tests as slow (deselected by default; run with -m slow to include)",
+]

{plugin_scanner-2.0.135 → plugin_scanner-2.0.137}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.135"
+version = "2.0.137"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"
@@ -100,3 +100,7 @@ select = ["E", "F", "W", "I", "N", "UP", "B", "A", "SIM", "RUF"]
 [tool.pytest.ini_options]
 testpaths = ["tests"]
 python_files = ["test_*.py"]
+addopts = ["-m", "not slow"]
+markers = [
+  "slow: marks tests as slow (deselected by default; run with -m slow to include)",
+]

{plugin_scanner-2.0.135 → plugin_scanner-2.0.137}/src/codex_plugin_scanner/guard/cli/approval_commands.py

@@ -10,6 +10,19 @@ from ..approvals import apply_approval_resolution, build_runtime_snapshot
 from ..daemon import load_guard_daemon_url
 from ..store import GuardStore
 
+_HARNESS_RETRY_COPY: dict[str, str] = {
+    "codex": "Return to Codex and retry",
+    "claude-code": "Return to Claude and retry",
+    "opencode": "Return to OpenCode and retry",
+    "copilot": "Return to Copilot and retry",
+}
+_DEFAULT_RETRY_COPY = "Return to your AI assistant and retry"
+
+
+def _build_retry_hint(action: str, harness: str) -> dict[str, str]:
+    title = "Approved. Retry in chat." if action == "allow" else "Blocked. Guard will remember this decision."
+    return {"title": title, "body": _HARNESS_RETRY_COPY.get(harness, _DEFAULT_RETRY_COPY)}
+
 
 def add_approval_parser(
     guard_subparsers: argparse._SubParsersAction[argparse.ArgumentParser],
@@ -57,6 +70,22 @@ def add_approval_parser(
     add_common_args(clear_history_parser)
     clear_history_parser.add_argument("--json", action="store_true")
 
+    open_parser = approvals_subparsers.add_parser(
+        "open",
+        help="Show the approval URL for a pending request",
+    )
+    open_parser.add_argument("request_id", help="The approval request ID to open")
+    add_common_args(open_parser)
+    open_parser.add_argument("--json", action="store_true")
+
+    retry_hint_parser = approvals_subparsers.add_parser(
+        "retry-hint",
+        help="Print the retry hint for a resolved approval request",
+    )
+    retry_hint_parser.add_argument("request_id", help="The approval request ID to get the retry hint for")
+    add_common_args(retry_hint_parser)
+    retry_hint_parser.add_argument("--json", action="store_true")
+
 
 def run_approval_command(
     args: argparse.Namespace,
@@ -115,5 +144,35 @@ def run_approval_command(
     return {"resolved": True, "item": item}
 
 
+def run_approval_open_command(
+    args: argparse.Namespace,
+    *,
+    store: GuardStore,
+) -> tuple[dict[str, object], int]:
+    request_id = args.request_id
+    item = store.get_approval_request(request_id)
+    if item is None:
+        return {"error": "not_found", "request_id": request_id}, 1
+    return {"request_id": request_id, "approval_url": str(item.get("approval_url", ""))}, 0
+
+
+def run_approval_retry_hint_command(
+    args: argparse.Namespace,
+    *,
+    store: GuardStore,
+) -> tuple[dict[str, object], int]:
+    request_id = args.request_id
+    item = store.get_approval_request(request_id)
+    if item is None:
+        return {"error": "not_found", "request_id": request_id}, 1
+    status = str(item.get("status", ""))
+    if status != "resolved":
+        return {"error": "not_resolved", "status": status, "request_id": request_id}, 1
+    resolution_action = str(item.get("resolution_action", ""))
+    harness = str(item.get("harness", ""))
+    hint: dict[str, object] = dict(_build_retry_hint(resolution_action, harness))
+    return hint, 0
+
+
 def _now() -> str:
     return datetime.now(timezone.utc).isoformat()

{plugin_scanner-2.0.135 → plugin_scanner-2.0.137}/src/codex_plugin_scanner/guard/cli/commands.py

@@ -109,7 +109,12 @@ from ..runtime.secret_sensitivity import (
 from ..runtime.signals import RiskSignalV2
 from ..runtime.surface_server import GuardSurfaceRuntime
 from ..store import GuardStore
-from .approval_commands import add_approval_parser, run_approval_command
+from .approval_commands import (
+    add_approval_parser,
+    run_approval_command,
+    run_approval_open_command,
+    run_approval_retry_hint_command,
+)
 from .bootstrap import DEFAULT_ALIAS_NAME, build_guard_bootstrap_payload
 from .connect_flow import (
     DEFAULT_GUARD_CONNECT_URL,
@@ -1152,6 +1157,15 @@ def run_guard_command(
         return 0
 
     if args.guard_command == "approvals":
+        approvals_command = getattr(args, "approvals_command", None)
+        if approvals_command == "open":
+            payload, exit_code = run_approval_open_command(args, store=store)
+            _emit("approvals", payload, getattr(args, "json", False))
+            return exit_code
+        if approvals_command == "retry-hint":
+            payload, exit_code = run_approval_retry_hint_command(args, store=store)
+            _emit("approvals", payload, getattr(args, "json", False))
+            return exit_code
         payload = run_approval_command(args, store=store, workspace=workspace)
         _emit("approvals", payload, getattr(args, "json", False))
         return int(payload.get("exit_code", 0))

{plugin_scanner-2.0.135 → plugin_scanner-2.0.137}/src/codex_plugin_scanner/guard/cli/render.py

@@ -566,6 +566,22 @@ def _render_events(console: Console, payload: dict[str, object]) -> None:
 
 
 def _render_approvals(console: Console, payload: dict[str, object]) -> None:
+    approval_url = payload.get("approval_url")
+    if isinstance(approval_url, str) and approval_url:
+        body = Table.grid(padding=(0, 1))
+        body.add_row("Request", str(payload.get("request_id", "")))
+        body.add_row("URL", f"[bold]{approval_url}[/bold]")
+        console.print(Panel(body, title="Open approval", border_style="cyan"))
+        return
+    if "title" in payload and "body" in payload:
+        body = Table.grid(padding=(0, 1))
+        body.add_row("Status", str(payload["title"]))
+        body.add_row("Next step", str(payload["body"]))
+        console.print(Panel(body, title="Approval resolved", border_style="green"))
+        return
+    if payload.get("error"):
+        console.print(Panel(str(payload.get("error")), title="Approval error", border_style="red"))
+        return
     if "history_cleared" in payload or "cleared_policies" in payload:
         error = payload.get("error")
         body = Table.grid(padding=(0, 1))

{plugin_scanner-2.0.135 → plugin_scanner-2.0.137}/src/codex_plugin_scanner/guard/daemon/__init__.py

@@ -2,7 +2,13 @@
 
 from __future__ import annotations
 
-from .manager import ensure_guard_daemon, guard_daemon_url_for_home, load_guard_daemon_auth_token, load_guard_daemon_url
+from .manager import (
+    ensure_guard_daemon,
+    guard_daemon_url_for_home,
+    load_guard_daemon_auth_token,
+    load_guard_daemon_url,
+    repair_approval_center_locator,
+)
 
 __all__ = [
     "GuardDaemonServer",
@@ -12,6 +18,7 @@ __all__ = [
     "load_guard_daemon_auth_token",
     "load_guard_daemon_url",
     "load_guard_surface_daemon_client",
+    "repair_approval_center_locator",
 ]
 
 

{plugin_scanner-2.0.135 → plugin_scanner-2.0.137}/src/codex_plugin_scanner/guard/daemon/manager.py

@@ -187,6 +187,36 @@ def clear_guard_daemon_state(guard_home: Path) -> None:
     _write_private_text(state_path, "{}")
 
 
+def repair_approval_center_locator(guard_home: Path) -> dict[str, object]:
+    """Remove a stale approval center locator and optionally clear dead daemon state.
+
+    Only clears daemon-state.json when the recorded PID is no longer running,
+    so a live daemon's state is not disturbed.  Raises OSError if a required
+    write fails so callers can detect incomplete repair.
+
+    Safe to call while the database is live.  Returns a dict describing what was cleared.
+    """
+    cleared: list[str] = []
+    locator = _locator_path(guard_home)
+    if locator.is_file():
+        locator.unlink()
+        cleared.append("locator")
+    state = _state_path(guard_home)
+    if state.is_file():
+        state_payload = _load_state(guard_home)
+        pid = state_payload.get("pid") if isinstance(state_payload, dict) else None
+        daemon_is_live = (
+            isinstance(pid, int)
+            and pid > 0
+            and _guard_daemon_pid_is_running(pid)
+            and _guard_daemon_pid_matches_command(pid, expected_guard_home=guard_home)
+        )
+        if not daemon_is_live:
+            _write_private_text(state, "{}")
+            cleared.append("daemon_state")
+    return {"repaired": True, "cleared": cleared}
+
+
 def _locator_path(guard_home: Path) -> Path:
     return guard_home / _APPROVAL_CENTER_LOCATOR_FILE
 

{plugin_scanner-2.0.135 → plugin_scanner-2.0.137}/src/codex_plugin_scanner/guard/daemon/server.py

@@ -38,6 +38,7 @@ from .manager import (
     GUARD_DAEMON_COMPATIBILITY_VERSION,
     clear_guard_daemon_state,
     load_guard_daemon_auth_token,
+    repair_approval_center_locator,
     write_guard_daemon_state,
 )
 
@@ -401,6 +402,10 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
         if parsed.path == "/v1/settings":
             self._handle_settings_update(payload)
             return
+        if parsed.path == "/v1/daemon/repair":
+            result = repair_approval_center_locator(self.server.store.guard_home)  # type: ignore[attr-defined]
+            self._write_json(result)
+            return
         request_id, action, matched = self._resolve_request_action(path_parts, payload)
         if not matched:
             self.send_response(404)
@@ -456,7 +461,15 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
         except ValueError as error:
             self._write_json({"resolved": False, "error": str(error)}, status=400)
             return
-        self._write_json({"resolved": True, "item": updated})
+        normalized_scope = scope.strip()
+        harness_str = str(updated.get("harness", ""))
+        self.server.store.add_event(  # type: ignore[attr-defined]
+            "approval_resolved",
+            {"request_id": request_id, "action": action, "scope": normalized_scope, "harness": harness_str},
+            _now(),
+        )
+        harness = str(updated.get("harness", ""))
+        self._write_json({"resolved": True, "item": updated, "copy": _build_resolution_copy(action, harness)})
 
     def log_message(self, fmt: str, *args: Any) -> None:
         return
@@ -988,6 +1001,7 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
         if path in {
             "/v1/inventory",
             "/v1/connect/state",
+            "/v1/daemon/repair",
             "/v1/evidence",
             "/v1/evidence/export",
             "/v1/policy",
@@ -1159,6 +1173,7 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
             "/v1/policy/decisions",
             "/v1/policy/clear",
             "/v1/settings",
+            "/v1/daemon/repair",
         }:
             return True
         if len(path_parts) == 4 and path_parts[:2] == ["v1", "operations"] and path_parts[3] in {"items", "status"}:
@@ -1388,6 +1403,20 @@ def _build_local_url(host: str, port: int, path: str) -> str:
     return f"http://{host_part}:{port}{path}"
 
 
+_HARNESS_RETRY_COPY: dict[str, str] = {
+    "codex": "Return to Codex and retry",
+    "claude-code": "Return to Claude and retry",
+    "opencode": "Return to OpenCode and retry",
+    "copilot": "Return to Copilot and retry",
+}
+_DEFAULT_RETRY_COPY = "Return to your AI assistant and retry"
+
+
+def _build_resolution_copy(action: str, harness: str) -> dict[str, str]:
+    title = "Approved. Retry in chat." if action == "allow" else "Blocked. Guard will remember this decision."
+    return {"title": title, "body": _HARNESS_RETRY_COPY.get(harness, _DEFAULT_RETRY_COPY)}
+
+
 def _now() -> str:
     from datetime import datetime, timezone
 

{plugin_scanner-2.0.135 → plugin_scanner-2.0.137}/src/codex_plugin_scanner/version.py

@@ -1,3 +1,3 @@
 """Single source of truth for tool version."""
 
-__version__ = "2.0.135"
+__version__ = "2.0.137"

plugin_scanner-2.0.137/tests/test_guard_approval_copy_commands.py

@@ -0,0 +1,203 @@
+"""Tests for T732-T737: harness copy rule and approval CLI commands."""
+
+from __future__ import annotations
+
+import json
+from pathlib import Path
+
+import pytest
+
+from codex_plugin_scanner.cli import main
+from codex_plugin_scanner.guard.adapters.base import HarnessContext
+from codex_plugin_scanner.guard.approvals import approval_center_hint
+from codex_plugin_scanner.guard.models import GuardApprovalRequest
+from codex_plugin_scanner.guard.store import GuardStore
+
+_KNOWN_HARNESSES = ["codex", "claude-code", "opencode", "copilot", "gemini"]
+
+
+def _make_queue_item(harness: str, request_id: str) -> dict:
+    return {
+        "request_id": request_id,
+        "harness": harness,
+        "artifact_id": f"{harness}:project:tool",
+        "artifact_name": "Test tool",
+        "policy_action": "block",
+        "recommended_scope": "artifact",
+    }
+
+
+def _make_request(
+    *,
+    request_id: str,
+    harness: str = "codex",
+    status: str = "pending",
+) -> GuardApprovalRequest:
+    return GuardApprovalRequest(
+        request_id=request_id,
+        harness=harness,
+        artifact_id=f"{harness}:project:tool",
+        artifact_name="Test tool",
+        artifact_hash="hash-abc",
+        policy_action="require-reapproval",
+        recommended_scope="artifact",
+        changed_fields=("tool_action_request",),
+        source_scope="project",
+        config_path="/tmp/config.toml",
+        review_command=f"hol-guard approvals approve {request_id}",
+        approval_url=f"http://127.0.0.1:5474/approvals/{request_id}",
+    )
+
+
+class TestHarnessBlockMessageCopyRule:
+    """T732: harness block messages must never tell users to run 'hol-guard dashboard' as primary path."""
+
+    @pytest.mark.parametrize("harness", _KNOWN_HARNESSES)
+    def test_approval_center_hint_does_not_require_manual_dashboard_launch(
+        self, tmp_path: Path, harness: str
+    ) -> None:
+        """T732: approval_center_hint must not instruct users to run 'hol-guard dashboard'."""
+        context = HarnessContext(
+            home_dir=tmp_path,
+            guard_home=tmp_path / ".hol-guard",
+            workspace_dir=tmp_path / "workspace",
+        )
+        queued = [_make_queue_item(harness, "req-rule-01")]
+        hint = approval_center_hint(
+            context=context,
+            harness=harness,
+            approval_center_url="http://127.0.0.1:5474",
+            queued=queued,
+        )
+        assert "hol-guard dashboard" not in hint, (
+            f"Harness hint for '{harness}' must not tell users to run 'hol-guard dashboard' as primary path. "
+            f"Got: {hint!r}"
+        )
+
+
+class TestBlockMessageNoDashboardLaunchRequired:
+    """T733: CLI block message must not require manual dashboard launch."""
+
+    def test_block_approval_center_hint_no_manual_dashboard_command(self, tmp_path: Path) -> None:
+        """T733: block flow copy does not contain 'hol-guard dashboard' for any harness."""
+        context = HarnessContext(
+            home_dir=tmp_path,
+            guard_home=tmp_path / ".hol-guard",
+            workspace_dir=tmp_path / "workspace",
+        )
+        for harness in _KNOWN_HARNESSES:
+            queued = [_make_queue_item(harness, f"req-t733-{harness}")]
+            hint = approval_center_hint(
+                context=context,
+                harness=harness,
+                approval_center_url="http://127.0.0.1:5474",
+                queued=queued,
+            )
+            assert "hol-guard dashboard" not in hint, (
+                f"CLI block message for '{harness}' must not say 'hol-guard dashboard'. Got: {hint!r}"
+            )
+
+
+class TestApprovalsOpenCommand:
+    """T734-T735: 'hol-guard approvals open <request_id>' command."""
+
+    def test_approvals_open_returns_approval_url_for_known_request(self, tmp_path: Path, capsys) -> None:
+        """T734: approvals open prints the approval URL for an existing pending request."""
+        home_dir = tmp_path / "guard-home"
+        store = GuardStore(home_dir)
+        store.add_approval_request(_make_request(request_id="req-open-01"), "2026-01-01T00:00:00Z")
+
+        rc = main(["guard", "approvals", "open", "req-open-01", "--home", str(home_dir), "--json"])
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc == 0
+        assert output["request_id"] == "req-open-01"
+        assert "approval_url" in output
+
+    def test_approvals_open_returns_error_for_missing_request(self, tmp_path: Path, capsys) -> None:
+        """T735: approvals open with daemon stopped returns a clear error, not a crash."""
+        home_dir = tmp_path / "guard-home"
+
+        rc = main(["guard", "approvals", "open", "req-missing", "--home", str(home_dir), "--json"])
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc != 0
+        assert "error" in output
+
+
+class TestApprovalsRetryHintCommand:
+    """T736-T737: 'hol-guard approvals retry-hint <request_id>' command."""
+
+    def test_retry_hint_allow_resolution(self, tmp_path: Path, capsys) -> None:
+        """T737: retry-hint returns allow copy after approval."""
+        home_dir = tmp_path / "guard-home"
+        store = GuardStore(home_dir)
+        store.add_approval_request(_make_request(request_id="req-hint-allow"), "2026-01-01T00:00:00Z")
+        main(
+            [
+                "guard",
+                "approvals",
+                "approve",
+                "req-hint-allow",
+                "--home",
+                str(home_dir),
+                "--scope",
+                "artifact",
+                "--json",
+            ]
+        )
+        capsys.readouterr()
+
+        rc = main(["guard", "approvals", "retry-hint", "req-hint-allow", "--home", str(home_dir), "--json"])
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc == 0
+        assert output["title"] == "Approved. Retry in chat."
+
+    def test_retry_hint_block_resolution(self, tmp_path: Path, capsys) -> None:
+        """T737: retry-hint returns block copy after block decision."""
+        home_dir = tmp_path / "guard-home"
+        store = GuardStore(home_dir)
+        store.add_approval_request(_make_request(request_id="req-hint-block"), "2026-01-01T00:00:00Z")
+        main(
+            [
+                "guard",
+                "approvals",
+                "deny",
+                "req-hint-block",
+                "--home",
+                str(home_dir),
+                "--scope",
+                "artifact",
+                "--json",
+            ]
+        )
+        capsys.readouterr()
+
+        rc = main(["guard", "approvals", "retry-hint", "req-hint-block", "--home", str(home_dir), "--json"])
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc == 0
+        assert output["title"] == "Blocked. Guard will remember this decision."
+
+    def test_retry_hint_missing_request(self, tmp_path: Path, capsys) -> None:
+        """T737: retry-hint with unknown request_id returns error."""
+        home_dir = tmp_path / "guard-home"
+
+        rc = main(["guard", "approvals", "retry-hint", "req-hint-missing", "--home", str(home_dir), "--json"])
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc != 0
+        assert "error" in output
+
+    def test_retry_hint_pending_request(self, tmp_path: Path, capsys) -> None:
+        """T737: retry-hint with still-pending request returns not_resolved status."""
+        home_dir = tmp_path / "guard-home"
+        store = GuardStore(home_dir)
+        store.add_approval_request(_make_request(request_id="req-hint-pending"), "2026-01-01T00:00:00Z")
+
+        rc = main(["guard", "approvals", "retry-hint", "req-hint-pending", "--home", str(home_dir), "--json"])
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc != 0
+        assert output.get("status") == "pending" or "error" in output