plugin-scanner 2.0.136__tar.gz → 2.0.138__tar.gz

{plugin_scanner-2.0.136 → plugin_scanner-2.0.138}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.136
+Version: 2.0.138
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.136 → plugin_scanner-2.0.138}/dashboard/src/guard-api.ts

@@ -631,3 +631,15 @@ export async function exportDiagnostics(): Promise<Blob> {
   }
   return response.blob();
 }
+
+export async function repairApprovalCenter(): Promise<{ repaired: boolean; cleared: string[] }> {
+  if (isGuardDemoMode()) {
+    return { repaired: true, cleared: ["locator", "daemon_state"] };
+  }
+  const response = await fetch(guardApiInput("/v1/daemon/repair"), withGuardAuth({ method: "POST" }));
+  if (!response.ok) {
+    throw new Error(`Repair failed with ${response.status}`);
+  }
+  return response.json() as Promise<{ repaired: boolean; cleared: string[] }>;
+}
+

plugin_scanner-2.0.138/dashboard/src/runtime-overview.test.ts

@@ -0,0 +1,107 @@
+import { resolveCloudIntelCopy, resolveCloudSyncHealthCopy, resolveProtectionLevelCopy, resolveApprovalCenterHealth } from "./runtime-overview";
+import type { GuardCloudSyncHealth, GuardRuntimeSnapshot } from "./guard-types";
+
+function assert(condition: boolean, message: string): void {
+  if (!condition) {
+    throw new Error(message);
+  }
+}
+
+const healthDisabled: GuardCloudSyncHealth = {
+  state: "disabled",
+  label: "Sync disabled",
+  detail: "Cloud sync is turned off on this machine.",
+  pending_events: 0,
+  last_synced_at: null,
+  next_retry_after: null
+};
+
+const healthHealthy: GuardCloudSyncHealth = {
+  state: "healthy",
+  label: "Sync healthy",
+  detail: "Cloud sync is running normally.",
+  pending_events: 0,
+  last_synced_at: new Date().toISOString(),
+  next_retry_after: null
+};
+
+const localOnlyCopy = resolveCloudIntelCopy("local_only");
+assert(localOnlyCopy.label === "Offline, free", "T507: local_only label should be 'Offline, free'");
+assert(localOnlyCopy.detail.length > 0, "T507: local_only detail should not be empty");
+assert(localOnlyCopy.detail.includes("locally"), "T507: local_only detail should mention 'locally'");
+
+const localOnlySyncCopy = resolveCloudSyncHealthCopy(healthDisabled);
+assert(localOnlySyncCopy.label === healthDisabled.label, "T507: cloud sync health label should match");
+assert(localOnlySyncCopy.detail === healthDisabled.detail, "T507: cloud sync health detail should match");
+
+const protectionBalanced = resolveProtectionLevelCopy("balanced");
+assert(protectionBalanced.includes("secrets"), "T507: balanced description should mention secrets");
+
+const pairedActiveCopy = resolveCloudIntelCopy("paired_active");
+assert(pairedActiveCopy.label === "Synced, pro", "T508: paired_active label should be 'Synced, pro'");
+assert(pairedActiveCopy.detail.length > 0, "T508: paired_active detail should not be empty");
+assert(pairedActiveCopy.detail.includes("Guard Cloud"), "T508: paired_active detail should mention Guard Cloud");
+
+const pairedWaitingCopy = resolveCloudIntelCopy("paired_waiting");
+assert(pairedWaitingCopy.label === "Pairing…", "T508: paired_waiting label should be 'Pairing…'");
+
+const pairedActiveSyncCopy = resolveCloudSyncHealthCopy(healthHealthy);
+assert(pairedActiveSyncCopy.label === healthHealthy.label, "T508: healthy sync label should match");
+
+const protectionStrict = resolveProtectionLevelCopy("strict");
+assert(protectionStrict.includes("network"), "T508: strict description should mention network");
+
+const protectionCustom = resolveProtectionLevelCopy("custom");
+assert(protectionCustom.includes("Custom"), "T508: custom description should mention Custom");
+
+const baseSnapshot: GuardRuntimeSnapshot = {
+  generated_at: new Date().toISOString(),
+  approval_center_url: "http://localhost:7392/approval",
+  runtime_state: {
+    session_id: "sess-1",
+    daemon_host: "localhost",
+    daemon_port: 7391,
+    started_at: new Date().toISOString(),
+    last_heartbeat_at: new Date().toISOString(),
+    approval_center_url: "http://localhost:7392/approval",
+  },
+  pending_count: 0,
+  receipt_count: 0,
+  headline_state: "protected",
+  headline_label: "Protected",
+  headline_detail: "Guard is active.",
+  sync_configured: false,
+  cloud_state: "local_only",
+  cloud_state_label: "Offline",
+  cloud_state_detail: "Running locally.",
+  cloud_pairing_state: { state: "local_only", label: "Offline", detail: "No cloud." },
+  cloud_sync_health: healthDisabled,
+  dashboard_url: "http://localhost:7392",
+  inbox_url: "http://localhost:7392/inbox",
+  fleet_url: "http://localhost:7392/fleet",
+  connect_url: "http://localhost:7392/connect",
+  items: [],
+  latest_receipts: [],
+};
+
+const healthyApproval = resolveApprovalCenterHealth(baseSnapshot);
+assert(healthyApproval.state === "ready", "T738: protected snapshot with URL should be ready");
+assert(healthyApproval.label.toLowerCase().includes("ready"), "T738: ready label should say ready");
+assert(healthyApproval.detail.includes("http://localhost:7392/approval"), "T738: ready detail should include the URL");
+
+const nullRuntimeSnapshot: GuardRuntimeSnapshot = { ...baseSnapshot, runtime_state: null };
+const offlineApproval = resolveApprovalCenterHealth(nullRuntimeSnapshot);
+assert(offlineApproval.state === "stale", "T738: null runtime_state (non-setup) should be stale");
+assert(offlineApproval.label.toLowerCase().includes("offline"), "T738: stale label should mention offline");
+
+const setupSnapshot: GuardRuntimeSnapshot = { ...baseSnapshot, runtime_state: null, headline_state: "setup" };
+const startingApproval = resolveApprovalCenterHealth(setupSnapshot);
+assert(startingApproval.state === "starting", "T738: null runtime_state + setup headline should be starting");
+assert(startingApproval.label.toLowerCase().includes("starting"), "T738: starting label should say starting");
+
+const noUrlSnapshot: GuardRuntimeSnapshot = { ...baseSnapshot, approval_center_url: null };
+const repairApproval = resolveApprovalCenterHealth(noUrlSnapshot);
+assert(repairApproval.state === "repair_needed", "T738: null approval_center_url should need repair");
+assert(repairApproval.label.toLowerCase().includes("unreachable"), "T738: repair label should mention unreachable");
+assert(repairApproval.detail.toLowerCase().includes("repair"), "T738: repair detail should suggest repair action");
+

{plugin_scanner-2.0.136 → plugin_scanner-2.0.138}/dashboard/src/runtime-overview.tsx

@@ -40,6 +40,44 @@ function remediationLine(snapshot: GuardRuntimeSnapshot): string {
   return "Open Guard Cloud for shared proof, Watched Apps for local coverage, or the review queue when something needs your choice.";
 }
 
+export type ApprovalCenterHealthState = "ready" | "starting" | "stale" | "repair_needed";
+
+export type ApprovalCenterHealthCopy = {
+  state: ApprovalCenterHealthState;
+  label: string;
+  detail: string;
+};
+
+export function resolveApprovalCenterHealth(snapshot: GuardRuntimeSnapshot): ApprovalCenterHealthCopy {
+  if (snapshot.runtime_state === null) {
+    if (snapshot.headline_state === "setup") {
+      return {
+        state: "starting",
+        label: "Approval center starting",
+        detail: "Guard is setting up the local approval center. This takes a few seconds.",
+      };
+    }
+    return {
+      state: "stale",
+      label: "Approval center offline",
+      detail: "The local approval center is not running. Start Guard to restore the approval link.",
+    };
+  }
+  if (snapshot.approval_center_url === null) {
+    return {
+      state: "repair_needed",
+      label: "Approval center unreachable",
+      detail: "The approval center URL is missing. Use the repair action in Settings to restore it.",
+    };
+  }
+  return {
+    state: "ready",
+    label: "Approval center ready",
+    detail: `The approval center is running and accepting requests at ${snapshot.approval_center_url}.`,
+  };
+}
+
+
 export function resolveCloudSyncHealthCopy(health: GuardCloudSyncHealth): { label: string; detail: string } {
   return {
     label: health.label,
@@ -95,6 +133,28 @@ function CloudSyncHealthCard(props: { health: GuardCloudSyncHealth }) {
   );
 }
 
+function approvalHealthTone(state: ApprovalCenterHealthState): "green" | "blue" | "slate" | "red" {
+  if (state === "ready") return "green";
+  if (state === "starting") return "blue";
+  if (state === "repair_needed") return "red";
+  return "slate";
+}
+
+function ApprovalCenterHealthCard(props: { snapshot: GuardRuntimeSnapshot }) {
+  const copy = resolveApprovalCenterHealth(props.snapshot);
+  return (
+    <div className="rounded-xl border border-border bg-white px-5 py-4">
+      <div className="flex flex-wrap items-center justify-between gap-2">
+        <p className="text-xs font-semibold uppercase tracking-[0.18em] text-brand-blue">
+          Approval center health
+        </p>
+        <Tag tone={approvalHealthTone(copy.state)}>{copy.label}</Tag>
+      </div>
+      <p className="mt-2 text-sm leading-relaxed text-brand-dark/80">{copy.detail}</p>
+    </div>
+  );
+}
+
 function WatchedAppsCard(props: { inventory: GuardInventoryItem[] | undefined }) {
   const inventory = props.inventory ?? [];
   return (
@@ -247,6 +307,7 @@ export function RuntimeOverview(props: RuntimeOverviewProps) {
         </div>
 
         <CloudSyncHealthCard health={snapshot.cloud_sync_health} />
+        <ApprovalCenterHealthCard snapshot={snapshot} />
 
         <div className="rounded-xl border border-border bg-white px-5 py-4">
           <p className="text-xs font-semibold uppercase tracking-[0.18em] text-brand-blue">

{plugin_scanner-2.0.136 → plugin_scanner-2.0.138}/dashboard/src/settings-workspace.test.ts

@@ -1,4 +1,5 @@
 import { resolveSecurityLevelDescription, buildClearPolicyPayload } from "./settings-workspace";
+import { repairApprovalCenter } from "./guard-api";
 
 function assert(condition: boolean, message: string): void {
   if (!condition) {
@@ -25,3 +26,6 @@ assert(!("harness" in clearAllPayload) || clearAllPayload.harness === undefined,
 
 const clearNonePayload = buildClearPolicyPayload(false);
 assert(clearNonePayload.all === false, "T530: clearPolicy payload with all=false should have all=false");
+
+assert(typeof repairApprovalCenter === "function", "T739: repairApprovalCenter should be exported as a function");
+

{plugin_scanner-2.0.136 → plugin_scanner-2.0.138}/dashboard/src/settings-workspace.tsx

@@ -13,7 +13,7 @@ import {
   SectionLabel,
   Tag
 } from "./approval-center-primitives";
-import { clearEvidence, exportDiagnostics, fetchSettings, updateSettings, clearPolicy } from "./guard-api";
+import { clearEvidence, exportDiagnostics, fetchSettings, updateSettings, clearPolicy, repairApprovalCenter } from "./guard-api";
 import { resolveProtectionLevelCopy } from "./runtime-overview";
 import type { GuardSettings, GuardSettingsPayload } from "./guard-types";
 
@@ -163,6 +163,7 @@ export function SettingsWorkspace() {
   const [clearingApprovals, setClearingApprovals] = useState(false);
   const [clearingEvidence, setClearingEvidence] = useState(false);
   const [exporting, setExporting] = useState(false);
+  const [repairing, setRepairing] = useState(false);
   const [actionMessage, setActionMessage] = useState<string | null>(null);
   const saveSuccessTimerRef = useRef<ReturnType<typeof setTimeout> | null>(null);
 
@@ -359,6 +360,22 @@ export function SettingsWorkspace() {
     }
   }, []);
 
+  const handleRepairApprovalCenter = useCallback(async () => {
+    if (!window.confirm("Reset the approval center locator? The daemon will be reachable again after Guard restarts. Pending approvals are preserved.")) {
+      return;
+    }
+    setRepairing(true);
+    setActionMessage(null);
+    try {
+      await repairApprovalCenter();
+      setActionMessage("Approval center repaired. Restart Guard to reconnect.");
+    } catch (error) {
+      setActionMessage(error instanceof Error ? error.message : "Unable to repair approval center.");
+    } finally {
+      setRepairing(false);
+    }
+  }, []);
+
   if (state.kind === "loading") {
     return (
       <div className="space-y-4">
@@ -629,6 +646,17 @@ export function SettingsWorkspace() {
                   </ActionButton>
                 </div>
               </div>
+              <div>
+                <p className="text-sm font-semibold text-brand-dark">Repair local approval center</p>
+                <p className="mt-1 text-xs leading-relaxed text-muted-foreground">
+                  Resets the approval center locator when the approval link returns an API error. Pending approvals are preserved.
+                </p>
+                <div className="mt-2">
+                  <ActionButton onClick={handleRepairApprovalCenter} disabled={repairing} variant="secondary">
+                    {repairing ? "Repairing…" : "Repair approval center"}
+                  </ActionButton>
+                </div>
+              </div>
               {actionMessage ? (
                 <p className="guard-fade-in text-sm leading-6 text-brand-dark/70">{actionMessage}</p>
               ) : null}

{plugin_scanner-2.0.136 → plugin_scanner-2.0.138}/docs/guard/get-started.md

@@ -270,3 +270,36 @@ That means the user should never get a silent pass-through on a risky Codex acti
 - native Bash deny plus HOL Guard approval-center recovery for sensitive shell actions
 - same-chat approve or deny when Codex can render the inline MCP prompt
 - explicit approval-center recovery when the session cannot
+
+## Seamless approvals
+
+When Guard blocks a launch, it opens a persistent approval link in the terminal rather than pausing the session. You can resolve requests without leaving your harness:
+
+1. Guard returns the approval URL in the block output and queues the request locally.
+2. Open the approval center at the URL or in your browser.
+3. Approve or deny the request from the approval center UI or the CLI:
+
+   ```bash
+   hol-guard approvals approve <request-id>
+   hol-guard approvals deny <request-id>
+   ```
+
+4. After you resolve the request, Guard emits copy telling you to return to your AI assistant and retry. No page reload or session restart is needed.
+
+To inspect a pending request's details or get the approval URL, pass the request-id to the `approve` command with `--dry-run`, or visit the approval center URL shown in the block message directly.
+
+## Troubleshooting
+
+### Approval link says API error
+
+If the approval center URL in a block message returns an API error, the local approval center locator may be stale.
+Use the **Repair approval center** action in the Guard dashboard Settings tab, or call the repair endpoint directly when the daemon is running. The port shown in Guard's status output or the dashboard URL is your daemon port:
+
+```bash
+GUARD_PORT=$(hol-guard status --json 2>/dev/null | python3 -c "import json,sys; d=json.load(sys.stdin); print((d.get('runtime_state') or {}).get('daemon_port', d.get('daemon_port', 4781)))" 2>/dev/null || echo 4781)
+curl -s -X POST "http://127.0.0.1:${GUARD_PORT}/v1/daemon/repair" \
+  -H "X-Guard-Token: $(cat ~/.hol-guard/daemon-auth-token)"
+```
+
+After repair, restart Guard, then retry the block message URL or relaunch your harness through Guard. Pending approval requests are preserved across repairs.
+

{plugin_scanner-2.0.136 → plugin_scanner-2.0.138}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.136"
+version = "2.0.138"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"
@@ -98,3 +98,7 @@ select = ["E", "F", "W", "I", "N", "UP", "B", "A", "SIM", "RUF"]
 [tool.pytest.ini_options]
 testpaths = ["tests"]
 python_files = ["test_*.py"]
+addopts = ["-m", "not slow"]
+markers = [
+  "slow: marks tests as slow (deselected by default; run with -m slow to include)",
+]

{plugin_scanner-2.0.136 → plugin_scanner-2.0.138}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.136"
+version = "2.0.138"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"
@@ -100,3 +100,7 @@ select = ["E", "F", "W", "I", "N", "UP", "B", "A", "SIM", "RUF"]
 [tool.pytest.ini_options]
 testpaths = ["tests"]
 python_files = ["test_*.py"]
+addopts = ["-m", "not slow"]
+markers = [
+  "slow: marks tests as slow (deselected by default; run with -m slow to include)",
+]

{plugin_scanner-2.0.136 → plugin_scanner-2.0.138}/src/codex_plugin_scanner/guard/daemon/__init__.py

@@ -2,7 +2,13 @@
 
 from __future__ import annotations
 
-from .manager import ensure_guard_daemon, guard_daemon_url_for_home, load_guard_daemon_auth_token, load_guard_daemon_url
+from .manager import (
+    ensure_guard_daemon,
+    guard_daemon_url_for_home,
+    load_guard_daemon_auth_token,
+    load_guard_daemon_url,
+    repair_approval_center_locator,
+)
 
 __all__ = [
     "GuardDaemonServer",
@@ -12,6 +18,7 @@ __all__ = [
     "load_guard_daemon_auth_token",
     "load_guard_daemon_url",
     "load_guard_surface_daemon_client",
+    "repair_approval_center_locator",
 ]
 
 

{plugin_scanner-2.0.136 → plugin_scanner-2.0.138}/src/codex_plugin_scanner/guard/daemon/manager.py

@@ -187,6 +187,36 @@ def clear_guard_daemon_state(guard_home: Path) -> None:
     _write_private_text(state_path, "{}")
 
 
+def repair_approval_center_locator(guard_home: Path) -> dict[str, object]:
+    """Remove a stale approval center locator and optionally clear dead daemon state.
+
+    Only clears daemon-state.json when the recorded PID is no longer running,
+    so a live daemon's state is not disturbed.  Raises OSError if a required
+    write fails so callers can detect incomplete repair.
+
+    Safe to call while the database is live.  Returns a dict describing what was cleared.
+    """
+    cleared: list[str] = []
+    locator = _locator_path(guard_home)
+    if locator.is_file():
+        locator.unlink()
+        cleared.append("locator")
+    state = _state_path(guard_home)
+    if state.is_file():
+        state_payload = _load_state(guard_home)
+        pid = state_payload.get("pid") if isinstance(state_payload, dict) else None
+        daemon_is_live = (
+            isinstance(pid, int)
+            and pid > 0
+            and _guard_daemon_pid_is_running(pid)
+            and _guard_daemon_pid_matches_command(pid, expected_guard_home=guard_home)
+        )
+        if not daemon_is_live:
+            _write_private_text(state, "{}")
+            cleared.append("daemon_state")
+    return {"repaired": True, "cleared": cleared}
+
+
 def _locator_path(guard_home: Path) -> Path:
     return guard_home / _APPROVAL_CENTER_LOCATOR_FILE
 

{plugin_scanner-2.0.136 → plugin_scanner-2.0.138}/src/codex_plugin_scanner/guard/daemon/server.py

@@ -38,6 +38,7 @@ from .manager import (
     GUARD_DAEMON_COMPATIBILITY_VERSION,
     clear_guard_daemon_state,
     load_guard_daemon_auth_token,
+    repair_approval_center_locator,
     write_guard_daemon_state,
 )
 
@@ -401,6 +402,10 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
         if parsed.path == "/v1/settings":
             self._handle_settings_update(payload)
             return
+        if parsed.path == "/v1/daemon/repair":
+            result = repair_approval_center_locator(self.server.store.guard_home)  # type: ignore[attr-defined]
+            self._write_json(result)
+            return
         request_id, action, matched = self._resolve_request_action(path_parts, payload)
         if not matched:
             self.send_response(404)
@@ -996,6 +1001,7 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
         if path in {
             "/v1/inventory",
             "/v1/connect/state",
+            "/v1/daemon/repair",
             "/v1/evidence",
             "/v1/evidence/export",
             "/v1/policy",
@@ -1167,6 +1173,7 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
             "/v1/policy/decisions",
             "/v1/policy/clear",
             "/v1/settings",
+            "/v1/daemon/repair",
         }:
             return True
         if len(path_parts) == 4 and path_parts[:2] == ["v1", "operations"] and path_parts[3] in {"items", "status"}: