PyPI - plugin-scanner - Versions diffs - 2.0.147__tar.gz → 2.0.148__tar.gz - Mend

plugin-scanner 2.0.147tar.gz → 2.0.148tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (443) hide show

{plugin_scanner-2.0.147 → plugin_scanner-2.0.148}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.147
+Version: 2.0.148
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.147 → plugin_scanner-2.0.148}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "plugin-scanner"
-version = "2.0.147"
+version = "2.0.148"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.147 → plugin_scanner-2.0.148}/pyproject.toml.bak RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "hol-guard"
-version = "2.0.147"
+version = "2.0.148"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

plugin_scanner-2.0.148/src/codex_plugin_scanner/guard/runtime/cisco_evidence.py ADDED Viewed

@@ -0,0 +1,175 @@
+"""Cisco scanner evidence adapters for Guard runtime signals."""
+from __future__ import annotations
+import re
+from hashlib import sha256
+from codex_plugin_scanner.guard.runtime.scanner_cache import scanner_cache_key
+from codex_plugin_scanner.guard.runtime.signals import (
+    GuardRiskSignalV3,
+    RiskConfidenceLabel,
+    RiskSeverityLabel,
+    RiskSignalCategory,
+    RiskSignalSource,
+    ScannerStatusLabel,
+)
+from codex_plugin_scanner.integrations.cisco_skill_scanner import CiscoIntegrationStatus
+from codex_plugin_scanner.models import Finding, Severity
+_LONG_SECRET_LIKE_TOKEN = re.compile(r"\b[A-Za-z0-9_./+=-]{32,}\b")
+_MAX_TEXT_LENGTH = 280
+__all__ = ["cisco_finding_to_risk_signal", "scanner_cache_key"]
+def cisco_finding_to_risk_signal(
+    finding: Finding,
+    *,
+    scanner_status: CiscoIntegrationStatus,
+    scanner_name: str | None = None,
+    source_version: str = "unknown",
+) -> GuardRiskSignalV3:
+    source = _source_from_finding(finding)
+    category = _category_from_finding(finding, source)
+    display_name = scanner_name or _scanner_name_from_source(source)
+    evidence_ref = _evidence_ref(finding)
+    return GuardRiskSignalV3(
+        signal_id=_signal_id(finding),
+        source=source,
+        source_version=source_version,
+        category=category,
+        severity=_severity_label(finding.severity),
+        confidence=_confidence_label(finding.severity),
+        title=_safe_text(finding.title, fallback="Cisco scanner finding"),
+        plain_language_summary=_safe_text(
+            finding.description,
+            fallback=f"{display_name} reported a potential {category} risk.",
+        ),
+        technical_detail=f"{display_name} rule {finding.rule_id} reported {finding.category} evidence.",
+        evidence_ref=evidence_ref,
+        scanner_name=display_name,
+        scanner_status=_status_label(scanner_status),
+        scanner_rule_id=finding.rule_id,
+        redaction_level="summary",
+        source_path=finding.file_path,
+        source_line=finding.line_number,
+        data_source=None,
+        data_sink=None,
+        recommended_action=_safe_optional_text(finding.remediation),
+    )
+def _signal_id(finding: Finding) -> str:
+    source = finding.source or "cisco-scanner"
+    path = finding.file_path or "unknown"
+    if finding.line_number is not None:
+        return f"{source}:{finding.rule_id}:{path}:{finding.line_number}"
+    payload = "|".join(
+        (
+            finding.rule_id,
+            path,
+            finding.title,
+            finding.description,
+            finding.remediation or "",
+        )
+    )
+    suffix = sha256(payload.encode("utf-8")).hexdigest()[:12]
+    return f"{source}:{finding.rule_id}:{path}:{suffix}"
+def _source_from_finding(finding: Finding) -> RiskSignalSource:
+    source = (finding.source or "").lower()
+    if "mcp" in source:
+        return "cisco_mcp"
+    if "skill" in source:
+        return "cisco_skill"
+    if "mcp" in finding.category.lower():
+        return "cisco_mcp"
+    if "skill" in finding.category.lower():
+        return "cisco_skill"
+    return "native"
+def _category_from_finding(finding: Finding, source: RiskSignalSource) -> RiskSignalCategory:
+    if source == "cisco_mcp":
+        return "mcp"
+    if source == "cisco_skill":
+        return "skill"
+    category = finding.category.lower()
+    if "secret" in category:
+        return "secret"
+    if "network" in category:
+        return "network"
+    if "prompt" in category:
+        return "prompt"
+    if "supply" in category:
+        return "supply_chain"
+    return "policy"
+def _scanner_name_from_source(source: RiskSignalSource) -> str:
+    if source == "cisco_mcp":
+        return "Cisco MCP scanner"
+    if source == "cisco_skill":
+        return "Cisco skill scanner"
+    return "Cisco scanner"
+def _severity_label(severity: Severity) -> RiskSeverityLabel:
+    match severity:
+        case Severity.CRITICAL:
+            return "critical"
+        case Severity.HIGH:
+            return "high"
+        case Severity.MEDIUM:
+            return "medium"
+        case Severity.LOW:
+            return "low"
+        case Severity.INFO:
+            return "info"
+def _confidence_label(severity: Severity) -> RiskConfidenceLabel:
+    if severity in {Severity.CRITICAL, Severity.HIGH}:
+        return "strong"
+    if severity == Severity.MEDIUM:
+        return "likely"
+    return "weak"
+def _status_label(status: CiscoIntegrationStatus) -> ScannerStatusLabel:
+    match status:
+        case CiscoIntegrationStatus.ENABLED:
+            return "enabled"
+        case CiscoIntegrationStatus.SKIPPED:
+            return "skipped"
+        case CiscoIntegrationStatus.UNAVAILABLE:
+            return "unavailable"
+        case CiscoIntegrationStatus.FAILED:
+            return "failed"
+        case CiscoIntegrationStatus.TIMED_OUT:
+            return "timed_out"
+def _evidence_ref(finding: Finding) -> str | None:
+    if finding.file_path is None:
+        return None
+    if finding.line_number is None:
+        return finding.file_path
+    return f"{finding.file_path}:{finding.line_number}"
+def _safe_optional_text(value: str | None) -> str | None:
+    if value is None:
+        return None
+    return _safe_text(value, fallback="")
+def _safe_text(value: str, *, fallback: str) -> str:
+    normalized = " ".join(value.split())
+    if not normalized:
+        return fallback
+    redacted = _LONG_SECRET_LIKE_TOKEN.sub("[redacted]", normalized)
+    if len(redacted) <= _MAX_TEXT_LENGTH:
+        return redacted
+    return f"{redacted[: _MAX_TEXT_LENGTH - 1].rstrip()}…"

plugin_scanner-2.0.148/src/codex_plugin_scanner/guard/runtime/scanner_cache.py ADDED Viewed

@@ -0,0 +1,10 @@
+"""Scanner cache identity helpers."""
+from __future__ import annotations
+from hashlib import sha256
+def scanner_cache_key(*, scanner_name: str, input_content_hash: str, scanner_version: str) -> str:
+    payload = "\0".join((scanner_name.strip(), input_content_hash.strip(), scanner_version.strip()))
+    return sha256(payload.encode("utf-8")).hexdigest()

{plugin_scanner-2.0.147 → plugin_scanner-2.0.148}/src/codex_plugin_scanner/guard/runtime/signals.py RENAMED Viewed

@@ -28,6 +28,8 @@ RiskSignalCategory = Literal[
 RiskSeverityLabel = Literal["info", "low", "medium", "high", "critical"]
 RiskConfidenceLabel = Literal["weak", "likely", "strong"]
 RiskRedactionLevel = Literal["none", "summary", "redacted"]
+RiskSignalSource = Literal["native", "cisco_mcp", "cisco_skill", "threat_intel", "runtime_detector"]
+ScannerStatusLabel = Literal["enabled", "skipped", "unavailable", "failed", "timed_out"]
 _FAMILY_CATEGORY: dict[str, RiskSignalCategory] = {
     "network": "network",
@@ -109,6 +111,78 @@ class RiskSignalV2:
         )
+@dataclass(frozen=True, slots=True)
+class GuardRiskSignalV3:
+    """Scanner-aware risk signal with durable local evidence references."""
+    signal_id: str
+    source: RiskSignalSource
+    source_version: str
+    category: RiskSignalCategory
+    severity: RiskSeverityLabel
+    confidence: RiskConfidenceLabel
+    title: str
+    plain_language_summary: str
+    technical_detail: str | None
+    evidence_ref: str | None
+    scanner_name: str | None
+    scanner_status: ScannerStatusLabel
+    scanner_rule_id: str | None
+    redaction_level: RiskRedactionLevel
+    source_path: str | None
+    source_line: int | None
+    data_source: str | None
+    data_sink: str | None
+    recommended_action: str | None
+    def to_dict(self) -> dict[str, object]:
+        return {
+            "signal_id": self.signal_id,
+            "source": self.source,
+            "source_version": self.source_version,
+            "category": self.category,
+            "severity": self.severity,
+            "confidence": self.confidence,
+            "title": self.title,
+            "plain_language_summary": self.plain_language_summary,
+            "technical_detail": self.technical_detail,
+            "evidence_ref": self.evidence_ref,
+            "scanner_name": self.scanner_name,
+            "scanner_status": self.scanner_status,
+            "scanner_rule_id": self.scanner_rule_id,
+            "redaction_level": self.redaction_level,
+            "source_path": self.source_path,
+            "source_line": self.source_line,
+            "data_source": self.data_source,
+            "data_sink": self.data_sink,
+            "recommended_action": self.recommended_action,
+        }
+    @classmethod
+    def from_dict(cls, payload: Mapping[str, object]) -> GuardRiskSignalV3:
+        return cls(
+            signal_id=_required_string(payload, "signal_id"),
+            source=_parse_source(payload.get("source")),
+            source_version=_required_string(payload, "source_version"),
+            category=_parse_category(payload.get("category")),
+            severity=_parse_severity(payload.get("severity")),
+            confidence=_parse_confidence(payload.get("confidence")),
+            title=_required_string(payload, "title"),
+            plain_language_summary=_required_string(payload, "plain_language_summary"),
+            technical_detail=_optional_string(payload, "technical_detail"),
+            evidence_ref=_optional_string(payload, "evidence_ref"),
+            scanner_name=_optional_string(payload, "scanner_name"),
+            scanner_status=_parse_scanner_status(payload.get("scanner_status")),
+            scanner_rule_id=_optional_string(payload, "scanner_rule_id"),
+            redaction_level=_parse_redaction_level(payload.get("redaction_level")),
+            source_path=_optional_string(payload, "source_path"),
+            source_line=_optional_int(payload, "source_line"),
+            data_source=_optional_string(payload, "data_source"),
+            data_sink=_optional_string(payload, "data_sink"),
+            recommended_action=_optional_string(payload, "recommended_action"),
+        )
 def severity_label_from_score(score: int | float) -> RiskSeverityLabel:
     if score >= 9:
         return "critical"
@@ -167,6 +241,31 @@ def _optional_string(payload: Mapping[str, object], key: str) -> str | None:
     return value
+def _optional_int(payload: Mapping[str, object], key: str) -> int | None:
+    value = payload.get(key)
+    if value is None:
+        return None
+    if not isinstance(value, int):
+        raise ValueError(f"{key} must be an integer or null")
+    return value
+def _parse_source(value: object) -> RiskSignalSource:
+    match value:
+        case "native":
+            return "native"
+        case "cisco_mcp":
+            return "cisco_mcp"
+        case "cisco_skill":
+            return "cisco_skill"
+        case "threat_intel":
+            return "threat_intel"
+        case "runtime_detector":
+            return "runtime_detector"
+        case _:
+            raise ValueError("source must be a known risk signal source")
 def _parse_category(value: object) -> RiskSignalCategory:
     match value:
         case "secret":
@@ -241,3 +340,19 @@ def _parse_redaction_level(value: object) -> RiskRedactionLevel:
             return "redacted"
         case _:
             raise ValueError("redaction_level must be a known redaction level")
+def _parse_scanner_status(value: object) -> ScannerStatusLabel:
+    match value:
+        case "enabled":
+            return "enabled"
+        case "skipped":
+            return "skipped"
+        case "unavailable":
+            return "unavailable"
+        case "failed":
+            return "failed"
+        case "timed_out":
+            return "timed_out"
+        case _:
+            raise ValueError("scanner_status must be a known scanner status")

{plugin_scanner-2.0.147 → plugin_scanner-2.0.148}/src/codex_plugin_scanner/guard/store.py RENAMED Viewed

@@ -21,6 +21,7 @@ from cryptography.fernet import Fernet, InvalidToken
 from .edge_events import build_receipt_event
 from .models import GuardApprovalRequest, GuardArtifact, GuardReceipt, GuardRuntimeState, PolicyDecision
+from .runtime.scanner_cache import scanner_cache_key
 from .schemas.guard_event_v1 import GuardEventV1
 from .store_approvals import (
     add_approval_request as persist_approval_request,
@@ -619,6 +620,22 @@ class GuardStore:
             )
             """,
             """
+            create table if not exists scanner_cache (
+              scanner_name text not null,
+              target_id text not null,
+              cache_key text not null,
+              input_content_hash text not null,
+              scanner_version text not null,
+              payload_json text not null,
+              updated_at text not null,
+              primary key (scanner_name, target_id)
+            )
+            """,
+            """
+            create index if not exists idx_scanner_cache_key
+            on scanner_cache (cache_key)
+            """,
+            """
             create table if not exists managed_installs (
               harness text primary key,
               active integer not null,
@@ -809,6 +826,72 @@ class GuardStore:
             rows = connection.execute("select name from sqlite_master where type = 'table'").fetchall()
         return sorted(str(row["name"]) for row in rows)
+    def save_scanner_cache(
+        self,
+        *,
+        scanner_name: str,
+        target_id: str,
+        input_content_hash: str,
+        scanner_version: str,
+        payload: dict[str, object],
+        now: str,
+    ) -> None:
+        cache_key = scanner_cache_key(
+            scanner_name=scanner_name,
+            input_content_hash=input_content_hash,
+            scanner_version=scanner_version,
+        )
+        with self._connect() as connection:
+            connection.execute(
+                """
+                insert into scanner_cache (
+                  scanner_name, target_id, cache_key, input_content_hash, scanner_version, payload_json, updated_at
+                )
+                values (?, ?, ?, ?, ?, ?, ?)
+                on conflict(scanner_name, target_id) do update set
+                  cache_key = excluded.cache_key,
+                  input_content_hash = excluded.input_content_hash,
+                  scanner_version = excluded.scanner_version,
+                  payload_json = excluded.payload_json,
+                  updated_at = excluded.updated_at
+                """,
+                (
+                    scanner_name,
+                    target_id,
+                    cache_key,
+                    input_content_hash,
+                    scanner_version,
+                    json.dumps(payload, sort_keys=True),
+                    now,
+                ),
+            )
+    def get_scanner_cache(
+        self,
+        *,
+        scanner_name: str,
+        target_id: str,
+        input_content_hash: str,
+        scanner_version: str,
+    ) -> dict[str, object] | None:
+        cache_key = scanner_cache_key(
+            scanner_name=scanner_name,
+            input_content_hash=input_content_hash,
+            scanner_version=scanner_version,
+        )
+        with self._connect() as connection:
+            row = connection.execute(
+                """
+                select payload_json from scanner_cache
+                where scanner_name = ? and target_id = ? and cache_key = ?
+                """,
+                (scanner_name, target_id, cache_key),
+            ).fetchone()
+        if row is None:
+            return None
+        payload = json.loads(str(row["payload_json"]))
+        return payload if isinstance(payload, dict) else None
     def save_snapshot(
         self,
         harness: str,

{plugin_scanner-2.0.147 → plugin_scanner-2.0.148}/src/codex_plugin_scanner/integrations/cisco_mcp_scanner.py RENAMED Viewed

@@ -352,7 +352,11 @@ async def _scan_targets(
     return tuple(findings), targets_scanned
-def run_cisco_mcp_scan(plugin_dir: Path, mode: str = "auto") -> CiscoMcpScanSummary:
+def run_cisco_mcp_scan(
+    plugin_dir: Path,
+    mode: str = "auto",
+    timeout_seconds: float | None = None,
+) -> CiscoMcpScanSummary:
     """Run Cisco MCP scanner static analysis when available."""
     config_path = plugin_dir / ".mcp.json"
@@ -396,7 +400,15 @@ def run_cisco_mcp_scan(plugin_dir: Path, mode: str = "auto") -> CiscoMcpScanSumm
         analyzer_class = components["YaraAnalyzer"]
         analyzer = analyzer_class()
         targets = _collect_static_targets(plugin_dir)
-        findings, targets_scanned = _run_awaitable(_scan_targets(plugin_dir, targets, analyzer))
+        scan_awaitable: Awaitable[tuple[tuple[Finding, ...], int]] = _scan_targets(plugin_dir, targets, analyzer)
+        if timeout_seconds is not None:
+            scan_awaitable = asyncio.wait_for(scan_awaitable, timeout=timeout_seconds)
+        findings, targets_scanned = _run_awaitable(scan_awaitable)
+    except (TimeoutError, asyncio.TimeoutError):
+        return _build_summary(
+            status=CiscoIntegrationStatus.TIMED_OUT,
+            message="Cisco MCP scanner timed out before it could finish.",
+        )
     except Exception as exc:
         return _build_summary(
             status=CiscoIntegrationStatus.FAILED,

{plugin_scanner-2.0.147 → plugin_scanner-2.0.148}/src/codex_plugin_scanner/integrations/cisco_skill_scanner.py RENAMED Viewed

@@ -4,7 +4,10 @@ from __future__ import annotations
 from dataclasses import dataclass
 from enum import Enum
+from multiprocessing import get_context
+from multiprocessing.process import BaseProcess
 from pathlib import Path
+from queue import Empty
 from ..models import Finding, Severity, severity_from_value
@@ -16,6 +19,7 @@ class CiscoIntegrationStatus(str, Enum):
     SKIPPED = "skipped"
     UNAVAILABLE = "unavailable"
     FAILED = "failed"
+    TIMED_OUT = "timed_out"
 @dataclass(frozen=True, slots=True)
@@ -69,6 +73,69 @@ def _build_unavailable_summary(message: str, *, status: CiscoIntegrationStatus)
     )
+def _scan_directory_payload(skills_dir: Path, policy_name: str) -> dict[str, object]:
+    from skill_scanner import SkillScanner
+    from skill_scanner.core.scan_policy import ScanPolicy
+    scanner = SkillScanner(policy=ScanPolicy(preset_base=policy_name))
+    report = scanner.scan_directory(skills_dir)
+    payload = report.to_dict()
+    return payload if isinstance(payload, dict) else {}
+def _scan_directory_worker(skills_dir: str, policy_name: str, result_queue: object) -> None:
+    try:
+        payload = _scan_directory_payload(Path(skills_dir), policy_name)
+        result_queue.put(("ok", payload))
+    except BaseException as exc:
+        result_queue.put(("error", type(exc).__name__, str(exc)))
+def _terminate_scan_process(process: BaseProcess) -> None:
+    process.terminate()
+    process.join(1)
+    if process.is_alive():
+        process.kill()
+        process.join()
+def _scan_directory_with_timeout(
+    skills_dir: Path, policy_name: str, timeout_seconds: float | None
+) -> dict[str, object]:
+    if timeout_seconds is None:
+        return _scan_directory_payload(skills_dir, policy_name)
+    context = get_context("spawn")
+    result_queue = context.Queue(maxsize=1)
+    process = context.Process(
+        target=_scan_directory_worker,
+        args=(str(skills_dir), policy_name, result_queue),
+    )
+    process.start()
+    try:
+        status, payload, *details = result_queue.get(timeout=timeout_seconds)
+    except Empty as exc:
+        process.join(0)
+        if process.is_alive():
+            _terminate_scan_process(process)
+            raise TimeoutError("Cisco skill scanner timed out") from exc
+        try:
+            status, payload, *details = result_queue.get(timeout=1)
+        except Empty as empty_exc:
+            raise RuntimeError(f"Cisco skill scanner exited with code {process.exitcode}") from empty_exc
+    else:
+        process.join(1)
+        if process.is_alive():
+            _terminate_scan_process(process)
+    if status == "error":
+        error_type = str(payload)
+        error_message = str(details[0]) if details else "unknown error"
+        raise RuntimeError(f"{error_type}: {error_message}")
+    return payload if isinstance(payload, dict) else {}
 def _to_local_finding(plugin_dir: Path, skill_result: dict[str, object], finding: dict[str, object]) -> Finding:
     skill_path = Path(str(skill_result.get("skill_path", "")))
     relative_skill_path = skill_path
@@ -131,7 +198,12 @@ def _extract_skipped_skills(summary: object, results: object) -> tuple[str, ...]
     return tuple(dict.fromkeys(skipped))
-def run_cisco_skill_scan(skills_dir: Path, mode: str = "auto", policy_name: str = "balanced") -> CiscoSkillScanSummary:
+def run_cisco_skill_scan(
+    skills_dir: Path,
+    mode: str = "auto",
+    policy_name: str = "balanced",
+    timeout_seconds: float | None = None,
+) -> CiscoSkillScanSummary:
     """Run Cisco skill-scanner against a skills directory when available."""
     if mode == "off":
@@ -141,8 +213,8 @@ def run_cisco_skill_scan(skills_dir: Path, mode: str = "auto", policy_name: str
         )
     try:
-        from skill_scanner import SkillScanner
-        from skill_scanner.core.scan_policy import ScanPolicy
+        __import__("skill_scanner")
+        __import__("skill_scanner.core.scan_policy")
     except ImportError:
         if mode == "on":
             return _build_unavailable_summary(
@@ -155,9 +227,12 @@ def run_cisco_skill_scan(skills_dir: Path, mode: str = "auto", policy_name: str
         )
     try:
-        scanner = SkillScanner(policy=ScanPolicy(preset_base=policy_name))
-        report = scanner.scan_directory(skills_dir.resolve())
-        payload = report.to_dict()
+        payload = _scan_directory_with_timeout(skills_dir.resolve(), policy_name, timeout_seconds)
+    except TimeoutError:
+        return _build_unavailable_summary(
+            "Cisco skill scanner timed out before it could finish.",
+            status=CiscoIntegrationStatus.TIMED_OUT,
+        )
     except Exception as exc:  # pragma: no cover - defensive around third-party code
         return _build_unavailable_summary(
             f"Cisco skill scanner failed: {exc}",

{plugin_scanner-2.0.147 → plugin_scanner-2.0.148}/src/codex_plugin_scanner/version.py RENAMED Viewed

@@ -1,3 +1,3 @@
 """Single source of truth for tool version."""
-__version__ = "2.0.147"
+__version__ = "2.0.148"

plugin-scanner 2.0.147__tar.gz → 2.0.148__tar.gz

plugin-scanner 2.0.147tar.gz → 2.0.148tar.gz