PyPI - plugin-scanner - Versions diffs - 2.0.140__tar.gz → 2.0.142__tar.gz - Mend

plugin-scanner 2.0.140tar.gz → 2.0.142tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (433) hide show

{plugin_scanner-2.0.140 → plugin_scanner-2.0.142}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.140
+Version: 2.0.142
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.140 → plugin_scanner-2.0.142}/dashboard/src/guard-types.ts RENAMED Viewed

@@ -171,6 +171,7 @@ export type GuardRuntimeSnapshot = {
   headline_state: GuardHeadlineState;
   headline_label: string;
   headline_detail: string;
+  thread_count?: number;
   sync_configured: boolean;
   cloud_state: "local_only" | "paired_waiting" | "paired_active";
   cloud_state_label: string;

{plugin_scanner-2.0.140 → plugin_scanner-2.0.142}/dashboard/src/settings-workspace.tsx RENAMED Viewed

@@ -13,9 +13,9 @@ import {
   SectionLabel,
   Tag
 } from "./approval-center-primitives";
-import { clearEvidence, exportDiagnostics, fetchSettings, updateSettings, clearPolicy, repairApprovalCenter } from "./guard-api";
+import { clearEvidence, exportDiagnostics, fetchRuntimeSnapshot, fetchSettings, updateSettings, clearPolicy, repairApprovalCenter } from "./guard-api";
 import { resolveProtectionLevelCopy } from "./runtime-overview";
-import type { GuardSettings, GuardSettingsPayload } from "./guard-types";
+import type { GuardRuntimeSnapshot, GuardSettings, GuardSettingsPayload } from "./guard-types";
 type SettingsState =
   | { kind: "loading" }
@@ -165,6 +165,7 @@ export function SettingsWorkspace() {
   const [exporting, setExporting] = useState(false);
   const [repairing, setRepairing] = useState(false);
   const [actionMessage, setActionMessage] = useState<string | null>(null);
+  const [perfSnapshot, setPerfSnapshot] = useState<GuardRuntimeSnapshot | null>(null);
   const saveSuccessTimerRef = useRef<ReturnType<typeof setTimeout> | null>(null);
   useEffect(() => {
@@ -190,6 +191,20 @@ export function SettingsWorkspace() {
     };
   }, []);
+  useEffect(() => {
+    let cancelled = false;
+    fetchRuntimeSnapshot()
+      .then((snapshot) => {
+        if (!cancelled) setPerfSnapshot(snapshot);
+      })
+      .catch((error: unknown) => {
+        console.error("Failed to fetch runtime snapshot:", error);
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, []);
   useEffect(() => {
     return () => {
       if (saveSuccessTimerRef.current !== null) {
@@ -610,6 +625,14 @@ export function SettingsWorkspace() {
               <SettingToggle label="Billing features" checked={draft.billing} onChange={handleBooleanChange("billing")} />
             </div>
           </div>
+          {perfSnapshot !== null ? (
+            <div className="rounded-[1.75rem] border border-slate-200/70 bg-white/80 p-5 shadow-sm">
+              <SectionLabel>Runtime diagnostics</SectionLabel>
+              <div className="mt-4">
+                <DiagnosticsPerfCard snapshot={perfSnapshot} />
+              </div>
+            </div>
+          ) : null}
           <div className="rounded-[1.75rem] border border-red-100 bg-red-50/50 p-5 shadow-sm">
             <SectionLabel>Data management</SectionLabel>
             <div className="mt-4 space-y-3">
@@ -682,6 +705,41 @@ export function SettingsWorkspace() {
   );
 }
+function DiagnosticsPerfCard(props: { snapshot: GuardRuntimeSnapshot }) {
+  const { snapshot } = props;
+  const threadCount = snapshot.thread_count;
+  const daemonPort = snapshot.runtime_state?.daemon_port ?? null;
+  const startedAt = snapshot.runtime_state?.started_at ?? null;
+  return (
+    <div>
+      <h3 className="text-sm font-semibold text-brand-dark">Runtime performance</h3>
+      <p className="mt-1 text-xs leading-relaxed text-muted-foreground">
+        Live process metrics for this Guard daemon session.
+      </p>
+      <dl className="mt-3 grid grid-cols-2 gap-2">
+        {threadCount !== undefined ? (
+          <PerfMetric label="Total interpreter threads" value={String(threadCount)} />
+        ) : null}
+        {daemonPort !== null ? (
+          <PerfMetric label="Daemon port" value={String(daemonPort)} />
+        ) : null}
+        {startedAt !== null ? (
+          <PerfMetric label="Started" value={new Date(startedAt).toLocaleTimeString()} />
+        ) : null}
+      </dl>
+    </div>
+  );
+}
+function PerfMetric(props: { label: string; value: string }) {
+  return (
+    <div className="rounded-xl bg-surface-1 px-3 py-2">
+      <dt className="text-[10px] font-semibold uppercase tracking-[0.14em] text-muted-foreground">{props.label}</dt>
+      <dd className="mt-0.5 font-mono text-sm font-semibold text-brand-dark">{props.value}</dd>
+    </div>
+  );
+}
 function SettingSelect(props: {
   label: string;
   value: string;

plugin_scanner-2.0.142/docs/guard/release-notes.md ADDED Viewed

@@ -0,0 +1,37 @@
+# HOL Guard Release Notes
+Release notes document user-visible changes, false-positive improvements, and paid-feature additions.
+Update this file for every release that touches a Guard integration path.
+---
+## Unreleased
+### False-positive improvements (T647)
+- **Supply-chain artifact fallback** — `SupplyChainRiskCard` now matches `package_request`
+  and any `*_package` artifact type in addition to the original `supply_chain` value,
+  eliminating spurious "no risk signals" cards for npm/PyPI requests.
+- **Encoded-layer count** — `DecodedLayerCard` now reads the true layer count from the
+  detector `plain_reason` field (e.g., "Decoded 3 encoding layer(s)") instead of counting
+  signal list length, so multi-layer exfil is accurately reported rather than shown as
+  "0 additional layers".
+- **Detector registry cached across hook calls** — The default detector registry is now
+  lazily initialised once per process and reused, reducing per-hook construction overhead.
+### Cloud advisory paid sync (T648)
+Advisory bundles are signed by the HOL advisory service and verified locally before use.
+The free plan receives a graceful 403 fallback with a local-only warning; no advisory data
+is sent to the server during sync. Run `hol-guard advisories sync` to pull the latest bundle.
+### Settings presets (T649)
+Four one-click security presets — **Gentle**, **Balanced**, **Strict**, and **Paranoid** —
+are available from the Settings page. Choosing a preset applies a curated `risk_actions`
+profile. Custom overrides survive a preset switch unless explicitly cleared.
+### Dashboard scale (T650)
+The approval center and evidence log now paginate at 50 items per page. Large workspaces
+with thousands of receipts will no longer cause the dashboard to stall on load.

{plugin_scanner-2.0.140 → plugin_scanner-2.0.142}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "plugin-scanner"
-version = "2.0.140"
+version = "2.0.142"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.140 → plugin_scanner-2.0.142}/pyproject.toml.bak RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "hol-guard"
-version = "2.0.140"
+version = "2.0.142"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.140 → plugin_scanner-2.0.142}/src/codex_plugin_scanner/guard/approvals.py RENAMED Viewed

@@ -2,6 +2,7 @@
 from __future__ import annotations
+import threading
 import time
 import uuid
 from collections.abc import Mapping
@@ -215,6 +216,7 @@ def build_runtime_snapshot(
         "headline_state": headline_state,
         "headline_label": _runtime_headline_label(headline_state),
         "headline_detail": _runtime_headline_detail(headline_state),
+        "thread_count": threading.active_count(),
         "items": pending_requests,
         "latest_receipts": latest_receipts,
         "managed_installs": store.list_managed_installs(),

{plugin_scanner-2.0.140 → plugin_scanner-2.0.142}/src/codex_plugin_scanner/guard/daemon/static/assets/guard-dashboard.js RENAMED Viewed

@@ -15562,6 +15562,7 @@ function SettingsWorkspace() {
   const [exporting, setExporting] = reactExports.useState(false);
   const [repairing, setRepairing] = reactExports.useState(false);
   const [actionMessage, setActionMessage] = reactExports.useState(null);
+  const [perfSnapshot, setPerfSnapshot] = reactExports.useState(null);
   const saveSuccessTimerRef = reactExports.useRef(null);
   reactExports.useEffect(() => {
     let cancelled = false;
@@ -15583,6 +15584,17 @@ function SettingsWorkspace() {
       cancelled = true;
     };
   }, []);
+  reactExports.useEffect(() => {
+    let cancelled = false;
+    fetchRuntimeSnapshot().then((snapshot) => {
+      if (!cancelled) setPerfSnapshot(snapshot);
+    }).catch((error) => {
+      console.error("Failed to fetch runtime snapshot:", error);
+    });
+    return () => {
+      cancelled = true;
+    };
+  }, []);
   reactExports.useEffect(() => {
     return () => {
       if (saveSuccessTimerRef.current !== null) {
@@ -15942,6 +15954,10 @@ function SettingsWorkspace() {
             /* @__PURE__ */ jsxRuntimeExports.jsx(SettingToggle, { label: "Billing features", checked: draft.billing, onChange: handleBooleanChange("billing") })
           ] })
         ] }),
+        perfSnapshot !== null ? /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { className: "rounded-[1.75rem] border border-slate-200/70 bg-white/80 p-5 shadow-sm", children: [
+          /* @__PURE__ */ jsxRuntimeExports.jsx(SectionLabel, { children: "Runtime diagnostics" }),
+          /* @__PURE__ */ jsxRuntimeExports.jsx("div", { className: "mt-4", children: /* @__PURE__ */ jsxRuntimeExports.jsx(DiagnosticsPerfCard, { snapshot: perfSnapshot }) })
+        ] }) : null,
         /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { className: "rounded-[1.75rem] border border-red-100 bg-red-50/50 p-5 shadow-sm", children: [
           /* @__PURE__ */ jsxRuntimeExports.jsx(SectionLabel, { children: "Data management" }),
           /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { className: "mt-4 space-y-3", children: [
@@ -15976,6 +15992,27 @@ function SettingsWorkspace() {
     ] })
   ] });
 }
+function DiagnosticsPerfCard(props) {
+  const { snapshot } = props;
+  const threadCount = snapshot.thread_count;
+  const daemonPort = snapshot.runtime_state?.daemon_port ?? null;
+  const startedAt = snapshot.runtime_state?.started_at ?? null;
+  return /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { children: [
+    /* @__PURE__ */ jsxRuntimeExports.jsx("h3", { className: "text-sm font-semibold text-brand-dark", children: "Runtime performance" }),
+    /* @__PURE__ */ jsxRuntimeExports.jsx("p", { className: "mt-1 text-xs leading-relaxed text-muted-foreground", children: "Live process metrics for this Guard daemon session." }),
+    /* @__PURE__ */ jsxRuntimeExports.jsxs("dl", { className: "mt-3 grid grid-cols-2 gap-2", children: [
+      threadCount !== void 0 ? /* @__PURE__ */ jsxRuntimeExports.jsx(PerfMetric, { label: "Total interpreter threads", value: String(threadCount) }) : null,
+      daemonPort !== null ? /* @__PURE__ */ jsxRuntimeExports.jsx(PerfMetric, { label: "Daemon port", value: String(daemonPort) }) : null,
+      startedAt !== null ? /* @__PURE__ */ jsxRuntimeExports.jsx(PerfMetric, { label: "Started", value: new Date(startedAt).toLocaleTimeString() }) : null
+    ] })
+  ] });
+}
+function PerfMetric(props) {
+  return /* @__PURE__ */ jsxRuntimeExports.jsxs("div", { className: "rounded-xl bg-surface-1 px-3 py-2", children: [
+    /* @__PURE__ */ jsxRuntimeExports.jsx("dt", { className: "text-[10px] font-semibold uppercase tracking-[0.14em] text-muted-foreground", children: props.label }),
+    /* @__PURE__ */ jsxRuntimeExports.jsx("dd", { className: "mt-0.5 font-mono text-sm font-semibold text-brand-dark", children: props.value })
+  ] });
+}
 function SettingSelect(props) {
   return /* @__PURE__ */ jsxRuntimeExports.jsxs("label", { className: "block", children: [
     /* @__PURE__ */ jsxRuntimeExports.jsx("span", { className: "font-mono text-[11px] font-semibold uppercase tracking-[0.18em] text-muted-foreground", children: props.label }),

{plugin_scanner-2.0.140 → plugin_scanner-2.0.142}/src/codex_plugin_scanner/guard/daemon/static/assets/index.css RENAMED Viewed

@@ -2164,6 +2164,11 @@
     letter-spacing: .2em;
   }
+  .tracking-\[0\.14em\] {
+    --tw-tracking: .14em;
+    letter-spacing: .14em;
+  }
   .tracking-\[0\.18em\] {
     --tw-tracking: .18em;
     letter-spacing: .18em;

{plugin_scanner-2.0.140 → plugin_scanner-2.0.142}/src/codex_plugin_scanner/guard/runtime/runner.py RENAMED Viewed

@@ -8,6 +8,7 @@ import os
 import re
 import socket
 import subprocess
+import threading
 import urllib.error
 import urllib.parse
 import urllib.request
@@ -40,8 +41,22 @@ _APPROVAL_METADATA_KEYS = (
 )
+_DEFAULT_DETECTOR_REGISTRY: tuple[Callable[[], tuple[Any, ...]], DetectorRegistry] | None = None
+_DEFAULT_DETECTOR_REGISTRY_LOCK = threading.Lock()
 def _get_default_detector_registry() -> DetectorRegistry:
-    return DetectorRegistry(register_default_detectors())
+    global _DEFAULT_DETECTOR_REGISTRY
+    factory = register_default_detectors
+    cached = _DEFAULT_DETECTOR_REGISTRY
+    if cached is not None and cached[0] is factory:
+        return cached[1]
+    with _DEFAULT_DETECTOR_REGISTRY_LOCK:
+        cached = _DEFAULT_DETECTOR_REGISTRY
+        if cached is None or cached[0] is not factory:
+            cached = (factory, DetectorRegistry(factory()))
+            _DEFAULT_DETECTOR_REGISTRY = cached
+    return cached[1]
 _PAIN_SIGNAL_EVENTS = frozenset(

{plugin_scanner-2.0.140 → plugin_scanner-2.0.142}/src/codex_plugin_scanner/guard/store.py RENAMED Viewed

@@ -4,9 +4,11 @@ from __future__ import annotations
 import base64
 import json
+import logging
 import os
 import sqlite3
 import subprocess
+import time
 from collections.abc import Iterator
 from contextlib import contextmanager
 from datetime import datetime, timedelta, timezone
@@ -353,6 +355,10 @@ def _build_secret_store(guard_home: Path) -> SecretStore:
     return fallback_store
+_SLOW_QUERY_THRESHOLD_MS: int = 200
+_store_logger = logging.getLogger(__name__)
 class GuardStore:
     """Local SQLite store for Guard state."""
@@ -403,11 +409,18 @@ class GuardStore:
     def _connect(self) -> Iterator[sqlite3.Connection]:
         connection = sqlite3.connect(self.path)
         connection.row_factory = sqlite3.Row
+        start = time.monotonic()
         try:
             yield connection
             connection.commit()
         finally:
             connection.close()
+            elapsed_ms = (time.monotonic() - start) * 1000
+            if elapsed_ms >= _SLOW_QUERY_THRESHOLD_MS:
+                _store_logger.warning(
+                    "Guard store slow transaction (%.0fms); consider indexing hot query paths.",
+                    elapsed_ms,
+                )
     def _initialize(self) -> None:
         statements = (

{plugin_scanner-2.0.140 → plugin_scanner-2.0.142}/src/codex_plugin_scanner/version.py RENAMED Viewed

@@ -1,3 +1,3 @@
 """Single source of truth for tool version."""
-__version__ = "2.0.140"
+__version__ = "2.0.142"

{plugin_scanner-2.0.140 → plugin_scanner-2.0.142}/tests/test_guard_daemon_manager.py RENAMED Viewed

@@ -585,3 +585,77 @@ def test_guard_daemon_pid_matches_command_validates_guard_home_on_windows(tmp_pa
         12345,
         expected_guard_home=tmp_path / "other-home",
     )
+def test_guard_daemon_start_lock_prevents_concurrent_starts(tmp_path):
+    guard_home = tmp_path / "guard-home"
+    guard_home.mkdir(parents=True)
+    events: list[str] = []
+    errors: list[Exception] = []
+    t1_entered = threading.Event()
+    release_holder = threading.Event()
+    def holder() -> None:
+        try:
+            with daemon_manager_module._guard_daemon_start_lock(guard_home):
+                events.append("t1-entered")
+                t1_entered.set()
+                release_holder.wait(timeout=5)
+                events.append("t1-exited")
+        except Exception as exc:
+            errors.append(exc)
+    def waiter() -> None:
+        try:
+            with daemon_manager_module._guard_daemon_start_lock(guard_home):
+                events.append("t2-entered")
+        except Exception as exc:
+            errors.append(exc)
+    t1 = threading.Thread(target=holder)
+    t1.start()
+    t1_entered.wait(timeout=5)
+    t2 = threading.Thread(target=waiter)
+    t2.start()
+    release_holder.set()
+    t1.join(timeout=10)
+    t2.join(timeout=10)
+    assert not errors, f"Lock worker raised: {errors}"
+    assert events.index("t1-exited") < events.index("t2-entered"), (
+        "Second thread entered before first released the lock"
+    )
+def test_guard_daemon_start_lock_file_created_and_released(tmp_path):
+    guard_home = tmp_path / "guard-home"
+    guard_home.mkdir(parents=True)
+    lock_path = guard_home / "daemon-start.lock"
+    assert not lock_path.exists()
+    with daemon_manager_module._guard_daemon_start_lock(guard_home):
+        assert lock_path.exists()
+    assert lock_path.exists()
+def test_guard_daemon_start_lock_recovers_after_exception(tmp_path):
+    guard_home = tmp_path / "guard-home"
+    guard_home.mkdir(parents=True)
+    raised = False
+    try:
+        with daemon_manager_module._guard_daemon_start_lock(guard_home):
+            raised = True
+            raise RuntimeError("simulated crash")
+    except RuntimeError:
+        pass
+    assert raised
+    acquired = False
+    with daemon_manager_module._guard_daemon_start_lock(guard_home):
+        acquired = True
+    assert acquired, "Lock was not released after exception; stale lock not recoverable"

{plugin_scanner-2.0.140 → plugin_scanner-2.0.142}/tests/test_guard_daemon_perf.py RENAMED Viewed

@@ -2,6 +2,8 @@
 from __future__ import annotations
+import threading
+import time
 from pathlib import Path
 import pytest
@@ -176,3 +178,117 @@ class TestDoctorPerfPayload:
         for item in perf:
             expected_slow = int(item["elapsed_ms"]) >= _SLOW_DETECTOR_THRESHOLD_MS
             assert item["slow"] == expected_slow
+class TestProcessCountBound:
+    """T620 — 100 safe hook evaluations must not spawn persistent threads."""
+    @pytest.mark.slow
+    def test_100_harness_start_evaluations_do_not_spawn_threads(self, tmp_path: Path) -> None:
+        action = _make_harness_start_action()
+        context = _make_detector_context(tmp_path)
+        registry = _get_default_detector_registry()
+        baseline_threads = threading.active_count()
+        for _ in range(100):
+            registry.run(action, context, timeout_ms=500)
+        after_threads = threading.active_count()
+        assert after_threads - baseline_threads <= 5, (
+            f"Thread count grew by {after_threads - baseline_threads} after 100 evaluations; "
+            "detectors must not leak persistent threads."
+        )
+    def test_100_harness_start_evaluations_complete_without_error(self, tmp_path: Path) -> None:
+        action = _make_harness_start_action()
+        context = _make_detector_context(tmp_path)
+        registry = _get_default_detector_registry()
+        results = [registry.run(action, context, timeout_ms=500) for _ in range(100)]
+        assert all(isinstance(r, DetectorRunResult) for r in results)
+@pytest.mark.slow
+class TestCPUBenchmark:
+    """T622 — 100 safe hook evaluations must complete in under 10 seconds."""
+    def test_100_safe_hook_calls_complete_within_budget(self, tmp_path: Path) -> None:
+        action = _make_harness_start_action()
+        context = _make_detector_context(tmp_path)
+        registry = _get_default_detector_registry()
+        start = time.monotonic()
+        for _ in range(100):
+            registry.run(action, context, timeout_ms=500)
+        elapsed_s = time.monotonic() - start
+        assert elapsed_s < 10.0, f"100 safe hook evaluations took {elapsed_s:.2f}s; budget is 10s."
+class TestMemoryBenchmark:
+    """T621 — Guard module import stays under 50 MB RSS budget."""
+    def test_guard_config_import_does_not_import_heavy_deps(self) -> None:
+        import subprocess
+        import sys
+        result = subprocess.run(
+            [
+                sys.executable,
+                "-c",
+                (
+                    "import codex_plugin_scanner.guard.config as _c;"
+                    " import sys;"
+                    " heavy = {'matplotlib', 'numpy', 'pandas', 'scipy', 'torch', 'tensorflow'};"
+                    " leaked = heavy & set(sys.modules);"
+                    " print(repr(leaked))"
+                ),
+            ],
+            capture_output=True,
+            text=True,
+            timeout=30,
+        )
+        assert result.returncode == 0, f"Subprocess failed: {result.stderr}"
+        import ast
+        leaked = ast.literal_eval(result.stdout.strip())
+        assert not leaked, f"Guard import leaked heavy dependencies: {leaked}"
+class TestSlowSQLiteTelemetry:
+    """T624 — Slow store transactions emit a warning via the logging module."""
+    def test_slow_query_threshold_is_200ms(self) -> None:
+        from codex_plugin_scanner.guard.store import _SLOW_QUERY_THRESHOLD_MS
+        assert _SLOW_QUERY_THRESHOLD_MS == 200
+    def test_fast_transaction_does_not_warn(
+        self, tmp_path: Path, caplog: pytest.LogCaptureFixture, monkeypatch: pytest.MonkeyPatch
+    ) -> None:
+        import logging
+        import codex_plugin_scanner.guard.store as store_module
+        from codex_plugin_scanner.guard.store import GuardStore
+        monkeypatch.setattr(store_module, "_SLOW_QUERY_THRESHOLD_MS", 10_000)
+        store = GuardStore(guard_home=tmp_path / "guard-home")
+        with caplog.at_level(logging.WARNING, logger="codex_plugin_scanner.guard.store"):
+            _ = store.list_approval_requests()
+        slow_warnings = [r for r in caplog.records if "slow transaction" in r.getMessage().lower()]
+        assert len(slow_warnings) == 0, "Fast transaction must not emit slow transaction warning"
+    def test_slow_transaction_emits_warning(
+        self, tmp_path: Path, caplog: pytest.LogCaptureFixture, monkeypatch: pytest.MonkeyPatch
+    ) -> None:
+        import logging
+        import codex_plugin_scanner.guard.store as store_module
+        from codex_plugin_scanner.guard.store import GuardStore
+        monkeypatch.setattr(store_module, "_SLOW_QUERY_THRESHOLD_MS", 0)
+        store = GuardStore(guard_home=tmp_path / "guard-home")
+        with caplog.at_level(logging.WARNING, logger="codex_plugin_scanner.guard.store"):
+            _ = store.list_approval_requests()
+        slow_warnings = [r for r in caplog.records if "slow transaction" in r.getMessage().lower()]
+        assert len(slow_warnings) > 0, "Slow transaction (threshold=0ms) must emit a slow transaction warning"
+    def test_store_has_slow_query_threshold_constant(self) -> None:
+        from codex_plugin_scanner.guard.store import _SLOW_QUERY_THRESHOLD_MS
+        assert isinstance(_SLOW_QUERY_THRESHOLD_MS, int)
+        assert _SLOW_QUERY_THRESHOLD_MS > 0