PyPI - plugin-scanner - Versions diffs - 2.0.139__tar.gz → 2.0.140__tar.gz - Mend

plugin-scanner 2.0.139tar.gz → 2.0.140tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (434) hide show

{plugin_scanner-2.0.139 → plugin_scanner-2.0.140}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.139
+Version: 2.0.140
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.139 → plugin_scanner-2.0.140}/dashboard/src/approval-center-layout.tsx RENAMED Viewed

@@ -22,6 +22,7 @@ import {
   PaginationControls
 } from "./approval-center-primitives";
 import { DataFlowEvidenceCard } from "./data-flow-evidence-card";
+import { SkillRiskCard, SupplyChainRiskCard, DecodedLayerCard } from "./risk-signal-cards";
 import { ReceiptsWorkspace } from "./receipts-workspace";
 import { RuntimeOverview } from "./runtime-overview";
 import {
@@ -662,6 +663,9 @@ function WhatChanged(props: { item: GuardApprovalRequest; diff: GuardArtifactDif
         <p className="text-sm leading-relaxed text-brand-dark/70">{buildStoppedReason(item, receipt)}</p>
         <WhyGuardCares item={item} />
         <DataFlowEvidenceCard item={item} />
+        <SkillRiskCard item={item} />
+        <SupplyChainRiskCard item={item} />
+        <DecodedLayerCard item={item} />
         {policy.length > 0 ? (
           <p className="text-sm leading-relaxed text-brand-dark/70">
             HOL Guard checked {policy.length} saved {policy.length === 1 ? "decision" : "decisions"} before asking you.

{plugin_scanner-2.0.139 → plugin_scanner-2.0.140}/dashboard/src/approval-center-utils.ts RENAMED Viewed

@@ -32,6 +32,20 @@ export function deriveDataFlowEvidence(item: GuardApprovalRequest): DataFlowEvid
   };
 }
+export function deriveSkillRiskSignals(item: GuardApprovalRequest): RiskSignalV2[] {
+  return (item.decision_v2_json?.signals ?? []).filter((s) => s.detector === "skill.content");
+}
+export function deriveSupplyChainRiskSignals(item: GuardApprovalRequest): RiskSignalV2[] {
+  return (item.decision_v2_json?.signals ?? []).filter((s) => s.detector === "supply-chain.content");
+}
+export function deriveEncodedLayerSignals(item: GuardApprovalRequest): RiskSignalV2[] {
+  return (item.decision_v2_json?.signals ?? []).filter(
+    (s) => s.detector === "safe-decode.content" || s.signal_id.startsWith("encoded.")
+  );
+}
 function resolveDataFlowSinkLabel(signal: RiskSignalV2): string {
   if (signal.category === "network") {
     return "Network host";

plugin_scanner-2.0.140/dashboard/src/risk-signal-cards.test.ts ADDED Viewed

@@ -0,0 +1,158 @@
+import {
+  deriveSkillRiskSignals,
+  deriveSupplyChainRiskSignals,
+  deriveEncodedLayerSignals,
+} from "./approval-center-utils";
+import type { GuardApprovalRequest, GuardDecisionV2, RiskSignalV2 } from "./guard-types";
+function assert(condition: boolean, message: string): void {
+  if (!condition) {
+    throw new Error(message);
+  }
+}
+function makeSignal(overrides: Partial<RiskSignalV2>): RiskSignalV2 {
+  return {
+    signal_id: "test-signal",
+    category: "skill",
+    severity: "medium",
+    confidence: "likely",
+    detector: "skill.detector",
+    title: "Test signal",
+    plain_reason: "Test reason",
+    technical_detail: null,
+    evidence_ref: null,
+    redaction_level: "none",
+    false_positive_hint: null,
+    advisory_id: null,
+    ...overrides,
+  };
+}
+function makeDecisionV2(signals: RiskSignalV2[]): GuardDecisionV2 {
+  return {
+    action: "ask",
+    reason: "test",
+    user_title: "Test",
+    user_body: "Body",
+    harness_message: "msg",
+    dashboard_primary_detail: "detail",
+    approval_scopes: ["artifact"],
+    retry_instruction: null,
+    signals,
+    confidence: "likely",
+  };
+}
+const BASE_REQUEST: GuardApprovalRequest = {
+  request_id: "req-risk-test",
+  harness: "claude-code",
+  artifact_id: "claude-code:project:bash",
+  artifact_name: "bash",
+  artifact_type: "command",
+  artifact_hash: "sha256-risk",
+  publisher: null,
+  policy_action: "require-reapproval",
+  recommended_scope: "artifact",
+  changed_fields: [],
+  source_scope: "project",
+  config_path: "./claude.json",
+  launch_target: null,
+  transport: null,
+  review_command: "hol-guard approvals approve req-risk-test",
+  approval_url: "http://127.0.0.1:4781/approvals/req-risk-test",
+  status: "pending",
+  resolution_action: null,
+  resolution_scope: null,
+  reason: null,
+  created_at: "2026-04-11T12:00:00Z",
+  resolved_at: null,
+  action_envelope_json: null,
+};
+const skillSignal = makeSignal({ signal_id: "skill-001", category: "execution", detector: "skill.content", title: "Skill risk" });
+const scSignal = makeSignal({ signal_id: "sc-001", category: "secret", detector: "supply-chain.content", title: "SC risk" });
+const encodedSignal = makeSignal({ signal_id: "encoded.code-execution", category: "execution", detector: "safe-decode.content", title: "Encoded payload" });
+const networkSignal = makeSignal({ signal_id: "net-001", category: "network", title: "Network risk" });
+const requestWithAll: GuardApprovalRequest = {
+  ...BASE_REQUEST,
+  decision_v2_json: makeDecisionV2([skillSignal, scSignal, encodedSignal, networkSignal]),
+};
+const requestEmpty: GuardApprovalRequest = {
+  ...BASE_REQUEST,
+  decision_v2_json: makeDecisionV2([networkSignal]),
+};
+const requestNoDecision: GuardApprovalRequest = { ...BASE_REQUEST };
+assert(
+  deriveSkillRiskSignals(requestWithAll).length === 1,
+  "T282: deriveSkillRiskSignals returns exactly skill-detector signals"
+);
+assert(
+  deriveSkillRiskSignals(requestWithAll)[0].signal_id === "skill-001",
+  "T282: deriveSkillRiskSignals returns the correct signal"
+);
+assert(
+  deriveSkillRiskSignals(requestEmpty).length === 0,
+  "T282: deriveSkillRiskSignals returns empty array when no skill signals"
+);
+assert(
+  deriveSkillRiskSignals(requestNoDecision).length === 0,
+  "T282: deriveSkillRiskSignals returns empty array when decision_v2_json absent"
+);
+assert(
+  deriveSupplyChainRiskSignals(requestWithAll).length === 1,
+  "T317: deriveSupplyChainRiskSignals returns exactly supply-chain-detector signals"
+);
+assert(
+  deriveSupplyChainRiskSignals(requestWithAll)[0].signal_id === "sc-001",
+  "T317: deriveSupplyChainRiskSignals returns the correct signal"
+);
+assert(
+  deriveSupplyChainRiskSignals(requestEmpty).length === 0,
+  "T317: deriveSupplyChainRiskSignals returns empty array when no supply-chain signals"
+);
+assert(
+  deriveSupplyChainRiskSignals(requestNoDecision).length === 0,
+  "T317: deriveSupplyChainRiskSignals returns empty array when decision_v2_json absent"
+);
+assert(
+  deriveEncodedLayerSignals(requestWithAll).length === 1,
+  "T349: deriveEncodedLayerSignals returns exactly safe-decode-detector signals"
+);
+assert(
+  deriveEncodedLayerSignals(requestWithAll)[0].signal_id === "encoded.code-execution",
+  "T349: deriveEncodedLayerSignals returns the correct signal"
+);
+assert(
+  deriveEncodedLayerSignals(requestEmpty).length === 0,
+  "T349: deriveEncodedLayerSignals returns empty array when no encoded signals"
+);
+assert(
+  deriveEncodedLayerSignals(requestNoDecision).length === 0,
+  "T349: deriveEncodedLayerSignals returns empty array when decision_v2_json absent"
+);
+const multiSkillRequest: GuardApprovalRequest = {
+  ...BASE_REQUEST,
+  decision_v2_json: makeDecisionV2([
+    makeSignal({ signal_id: "skill-a", category: "execution", detector: "skill.content" }),
+    makeSignal({ signal_id: "skill-b", category: "secret", detector: "skill.content" }),
+    networkSignal,
+  ]),
+};
+assert(
+  deriveSkillRiskSignals(multiSkillRequest).length === 2,
+  "T282: deriveSkillRiskSignals returns all skill signals when multiple exist"
+);
+assert(
+  deriveSkillRiskSignals(multiSkillRequest).every((s) => s.detector === "skill.content"),
+  "T282: deriveSkillRiskSignals never returns non-skill-detector signals"
+);
+console.log("risk-signal-cards: all assertions passed");

plugin_scanner-2.0.140/dashboard/src/risk-signal-cards.tsx ADDED Viewed

@@ -0,0 +1,139 @@
+import { deriveSkillRiskSignals, deriveSupplyChainRiskSignals, deriveEncodedLayerSignals } from "./approval-center-utils";
+import { SectionLabel } from "./approval-center-primitives";
+import type { GuardApprovalRequest, RiskSignalV2 } from "./guard-types";
+type SkillRiskCardProps = {
+  item: GuardApprovalRequest;
+};
+export function SkillRiskCard(props: SkillRiskCardProps) {
+  const skillSignals = deriveSkillRiskSignals(props.item);
+  if (skillSignals.length === 0) return null;
+  return (
+    <div
+      className="rounded-xl border border-amber-200/60 bg-amber-50/60 p-4"
+      aria-label="Skill risk details"
+    >
+      <SectionLabel>Skill risk</SectionLabel>
+      <ul className="mt-3 space-y-3">
+        {skillSignals.map((signal) => (
+          <SkillSignalRow key={signal.signal_id} signal={signal} />
+        ))}
+      </ul>
+    </div>
+  );
+}
+type SkillSignalRowProps = {
+  signal: RiskSignalV2;
+};
+function SkillSignalRow(props: SkillSignalRowProps) {
+  const { signal } = props;
+  return (
+    <li className="space-y-1">
+      <p className="text-sm font-semibold text-brand-dark">{signal.title}</p>
+      <p className="text-sm leading-relaxed text-brand-dark/70">{signal.plain_reason}</p>
+      {signal.technical_detail !== null ? (
+        <p className="font-mono text-[11px] text-muted-foreground break-all">{signal.technical_detail}</p>
+      ) : null}
+      {signal.false_positive_hint !== null ? (
+        <p className="text-xs leading-5 text-amber-700/80">
+          <span className="font-semibold">Might be safe if: </span>
+          {signal.false_positive_hint}
+        </p>
+      ) : null}
+    </li>
+  );
+}
+type SupplyChainRiskCardProps = {
+  item: GuardApprovalRequest;
+};
+export function SupplyChainRiskCard(props: SupplyChainRiskCardProps) {
+  const scSignals = deriveSupplyChainRiskSignals(props.item);
+  const isSupplyChainArtifact =
+    props.item.artifact_type === "supply_chain" ||
+    props.item.artifact_type === "package_request" ||
+    (typeof props.item.artifact_type === "string" && props.item.artifact_type.endsWith("_package"));
+  if (scSignals.length === 0 && !isSupplyChainArtifact) return null;
+  return (
+    <div
+      className="rounded-xl border border-orange-200/60 bg-orange-50/60 p-4"
+      aria-label="Supply-chain risk"
+    >
+      <SectionLabel>Supply-chain risk</SectionLabel>
+      {scSignals.length > 0 ? (
+        <ul className="mt-3 space-y-3">
+          {scSignals.map((signal) => (
+            <SupplyChainSignalRow key={signal.signal_id} signal={signal} />
+          ))}
+        </ul>
+      ) : (
+        <p className="mt-2 text-sm leading-relaxed text-brand-dark/70">
+          This action originates from a supply-chain artifact. Verify the publisher and version before approving.
+        </p>
+      )}
+    </div>
+  );
+}
+type SupplyChainSignalRowProps = {
+  signal: RiskSignalV2;
+};
+function SupplyChainSignalRow(props: SupplyChainSignalRowProps) {
+  const { signal } = props;
+  return (
+    <li className="space-y-1">
+      <p className="text-sm font-semibold text-brand-dark">{signal.title}</p>
+      <p className="text-sm leading-relaxed text-brand-dark/70">{signal.plain_reason}</p>
+      {signal.advisory_id !== null ? (
+        <p className="font-mono text-[11px] text-brand-purple">{signal.advisory_id}</p>
+      ) : null}
+      {signal.false_positive_hint !== null ? (
+        <p className="text-xs leading-5 text-orange-700/80">
+          <span className="font-semibold">Might be safe if: </span>
+          {signal.false_positive_hint}
+        </p>
+      ) : null}
+    </li>
+  );
+}
+type DecodedLayerCardProps = {
+  item: GuardApprovalRequest;
+};
+export function DecodedLayerCard(props: DecodedLayerCardProps) {
+  const encodedSignals = deriveEncodedLayerSignals(props.item);
+  if (encodedSignals.length === 0) return null;
+  const primary = encodedSignals[0];
+  const extraCount = Math.max(0, (() => {
+    const m = /Decoded (\d+) encoding layer/i.exec(primary.plain_reason ?? "");
+    return m != null ? parseInt(m[1], 10) - 1 : encodedSignals.length - 1;
+  })());
+  return (
+    <div
+      className="rounded-xl border border-rose-200/60 bg-rose-50/60 p-4"
+      aria-label="Decoded-layer evidence"
+    >
+      <SectionLabel>Encoded payload detected</SectionLabel>
+      <p className="mt-2 text-sm leading-relaxed text-brand-dark/80">{primary.plain_reason}</p>
+      {primary.technical_detail !== null ? (
+        <p className="mt-1 font-mono text-[11px] text-muted-foreground break-all">
+          {primary.technical_detail}
+        </p>
+      ) : null}
+      {primary.evidence_ref !== null ? (
+        <p className="mt-2 font-mono text-[11px] text-rose-700/70 break-all">{primary.evidence_ref}</p>
+      ) : null}
+      {extraCount > 0 ? (
+        <p className="mt-1 text-xs text-muted-foreground">
+          {`and ${extraCount} more encoded ${extraCount === 1 ? "layer" : "layers"}`}
+        </p>
+      ) : null}
+    </div>
+  );
+}

{plugin_scanner-2.0.139 → plugin_scanner-2.0.140}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "plugin-scanner"
-version = "2.0.139"
+version = "2.0.140"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.139 → plugin_scanner-2.0.140}/pyproject.toml.bak RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "hol-guard"
-version = "2.0.139"
+version = "2.0.140"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

plugin-scanner 2.0.139__tar.gz → 2.0.140__tar.gz

plugin-scanner 2.0.139tar.gz → 2.0.140tar.gz