PyPI - plugin-scanner - Versions diffs - 2.0.147__tar.gz → 2.0.149__tar.gz - Mend

plugin-scanner 2.0.147tar.gz → 2.0.149tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (445) hide show

{plugin_scanner-2.0.147 → plugin_scanner-2.0.149}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.147
+Version: 2.0.149
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.147 → plugin_scanner-2.0.149}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "plugin-scanner"
-version = "2.0.147"
+version = "2.0.149"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.147 → plugin_scanner-2.0.149}/pyproject.toml.bak RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "hol-guard"
-version = "2.0.147"
+version = "2.0.149"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.147 → plugin_scanner-2.0.149}/src/codex_plugin_scanner/guard/approvals.py RENAMED Viewed

@@ -98,6 +98,7 @@ def queue_blocked_approvals(
             risk_headline=incident["risk_headline"],
             action_envelope_json=_item_action_envelope_json(item),
             decision_v2_json=_item_decision_v2_json(item),
+            scanner_evidence=_item_scanner_evidence(item),
         )
         persisted_request_id = store.add_approval_request(request, timestamp)
         if persisted_request_id != request.request_id:
@@ -433,6 +434,13 @@ def _item_decision_v2_json(item: dict[str, object]) -> dict[str, object] | None:
     return {str(key): item_value for key, item_value in value.items() if isinstance(key, str)}
+def _item_scanner_evidence(item: dict[str, object]) -> tuple[dict[str, object], ...]:
+    value = item.get("scanner_evidence")
+    if not isinstance(value, list | tuple):
+        return ()
+    return tuple(dict(entry) for entry in value if isinstance(entry, Mapping))
 def _string_list(value: object) -> list[str]:
     if not isinstance(value, list):
         return []

{plugin_scanner-2.0.147 → plugin_scanner-2.0.149}/src/codex_plugin_scanner/guard/cli/commands.py RENAMED Viewed

@@ -83,6 +83,12 @@ from ..proxy import (
 from ..receipts import build_receipt
 from ..risk import artifact_risk_signals, artifact_risk_signals_v2, artifact_risk_summary
 from ..runtime.actions import GuardActionEnvelope, normalize_harness_payload
+from ..runtime.cisco_preflight import (
+    build_cisco_deep_scan_payload,
+    cisco_risk_signal_v3_to_v2,
+    policy_action_for_cisco_signals,
+    scan_action_for_cisco_evidence,
+)
 from ..runtime.data_flow_rules import detect_data_flow_exfiltration
 from ..runtime.runner import (
     GuardSyncNotConfiguredError,
@@ -359,6 +365,8 @@ def _configure_guard_parser(guard_parser: argparse.ArgumentParser) -> None:
     scan_parser.add_argument("target", nargs="?", default=".")
     scan_parser.add_argument("--consumer-mode", action="store_true")
     scan_parser.add_argument("--json", action="store_true")
+    scan_parser.add_argument("--deep", action="store_true", help="Run first-class local Cisco scanner evidence.")
+    _add_guard_common_args(scan_parser)
     _add_guard_cisco_mode_arg(scan_parser)
     diff_parser = guard_subparsers.add_parser("diff", help="Compare current harness artifacts to stored snapshots")
@@ -840,6 +848,24 @@ def run_guard_command(
     """Execute a Guard subcommand."""
     if args.guard_command == "scan":
+        if getattr(args, "deep", False):
+            scan_type = str(args.target)
+            if scan_type not in {"skills", "mcp"}:
+                print("guard scan --deep supports 'skills' or 'mcp'.", file=sys.stderr)
+                return 2
+            home_override = getattr(args, "home", None)
+            guard_home = resolve_guard_home(getattr(args, "guard_home", None) or home_override)
+            workspace = Path(args.workspace).resolve() if getattr(args, "workspace", None) else Path.cwd().resolve()
+            config = load_guard_config(guard_home, workspace=workspace)
+            payload = build_cisco_deep_scan_payload(
+                scan_type=scan_type,
+                target=workspace,
+                mode=args.cisco_mode,
+                config=config,
+            )
+            payload["generated_at"] = _now()
+            _emit("deep-scan", payload, getattr(args, "json", False))
+            return 0
         payload = _run_consumer_scan_with_mode(Path(args.target).resolve(), cisco_mode=args.cisco_mode)
         _emit("scan", payload, args.json or args.consumer_mode)
         return 0
@@ -1850,6 +1876,12 @@ def run_guard_command(
                 return 0
             changed_capabilities = [runtime_artifact.artifact_type]
             data_flow_signals = _runtime_action_data_flow_signals(action_envelope, workspace=runtime_workspace)
+            scanner_evidence = (
+                scan_action_for_cisco_evidence(action_envelope, workspace=runtime_workspace)
+                if action_envelope is not None
+                else ()
+            )
+            scanner_evidence_payload = [signal.to_dict() for signal in scanner_evidence]
             if data_flow_signals and requested_policy_action not in VALID_GUARD_ACTIONS:
                 data_flow_action = resolve_risk_action(
                     config,
@@ -1858,17 +1890,32 @@ def run_guard_command(
                 )
                 if _guard_action_severity(data_flow_action) > _guard_action_severity(policy_action):
                     policy_action = data_flow_action
-            decision_signals = data_flow_signals or artifact_risk_signals_v2(runtime_artifact)
-            risk_signals = (
-                [signal.plain_reason for signal in data_flow_signals]
-                if data_flow_signals
-                else list(artifact_risk_signals(runtime_artifact))
-            )
-            risk_summary = (
-                _runtime_data_flow_summary(data_flow_signals)
-                if data_flow_signals
-                else artifact_risk_summary(runtime_artifact)
+            _pre_scanner_policy_action = policy_action
+            if scanner_evidence and requested_policy_action not in VALID_GUARD_ACTIONS:
+                scanner_action = policy_action_for_cisco_signals(
+                    scanner_evidence,
+                    config=config,
+                    harness=policy_harness,
+                )
+                if _guard_action_severity(scanner_action) > _guard_action_severity(policy_action):
+                    policy_action = scanner_action
+            scanner_raised_to_block = (
+                policy_action == "block" and _pre_scanner_policy_action != "block" and bool(scanner_evidence)
             )
+            base_decision_signals = data_flow_signals or artifact_risk_signals_v2(runtime_artifact)
+            scanner_decision_signals = tuple(cisco_risk_signal_v3_to_v2(signal) for signal in scanner_evidence)
+            decision_signals = (*base_decision_signals, *scanner_decision_signals)
+            scanner_risk_signals = [signal.plain_language_summary for signal in scanner_evidence]
+            if data_flow_signals:
+                risk_signals = [signal.plain_reason for signal in data_flow_signals]
+                risk_summary = _runtime_data_flow_summary(data_flow_signals)
+            else:
+                risk_signals = list(artifact_risk_signals(runtime_artifact))
+                risk_summary = artifact_risk_summary(runtime_artifact)
+            if scanner_risk_signals:
+                risk_signals.extend(scanner_risk_signals)
+                if scanner_raised_to_block:
+                    risk_summary = scanner_risk_signals[0]
             decision_v2 = build_decision_v2(policy_action, reason=policy_action, signals=decision_signals)
             incident = build_incident_context(
                 harness=args.harness,
@@ -1894,6 +1941,7 @@ def run_guard_command(
                 artifact_name=artifact_name,
                 source_scope=runtime_artifact.source_scope,
                 user_override=_optional_string(payload.get("user_override")),
+                scanner_evidence=scanner_evidence_payload,
             )
             store.add_receipt(receipt)
             response_payload = {
@@ -1905,6 +1953,7 @@ def run_guard_command(
                 "policy_action": policy_action,
                 "risk_signals": risk_signals,
                 "risk_summary": risk_summary,
+                "scanner_evidence": scanner_evidence_payload,
                 "decision_v2_json": decision_v2.to_dict(),
                 "artifact_label": incident["artifact_label"],
                 "source_label": incident["source_label"],
@@ -1991,6 +2040,7 @@ def run_guard_command(
                                 "launch_target": _runtime_request_summary(runtime_artifact),
                                 "action_envelope_json": _action_envelope_json(action_envelope),
                                 "decision_v2_json": decision_v2.to_dict(),
+                                "scanner_evidence": scanner_evidence_payload,
                             }
                         ]
                     }

{plugin_scanner-2.0.147 → plugin_scanner-2.0.149}/src/codex_plugin_scanner/guard/cli/render.py RENAMED Viewed

@@ -1253,6 +1253,37 @@ def _render_scan(console: Console, payload: dict[str, object]) -> None:
     _render_cisco_evidence(console, payload)
+def _render_deep_scan(console: Console, payload: dict[str, object]) -> None:
+    scan_type = str(payload.get("scan_type") or "unknown")
+    status = str(payload.get("status") or "unknown")
+    body = Table.grid(padding=(0, 1))
+    body.add_row("Type", scan_type)
+    body.add_row("Status", _cisco_status_text(status))
+    body.add_row("Mode", str(payload.get("mode") or "auto"))
+    body.add_row("Findings", str(payload.get("finding_count") or 0))
+    body.add_row("Targets", str(payload.get("targets_scanned") or 0))
+    body.add_row("Analyzers", str(payload.get("analyzers_used") or 0))
+    if payload.get("message"):
+        body.add_row("Message", str(payload["message"]))
+    console.print(Panel(body, title=f"Deep scan — {scan_type}", border_style="cyan"))
+    findings = _coerce_dict_list(payload.get("scanner_evidence") or payload.get("findings"))
+    if findings:
+        table = Table(box=box.SIMPLE_HEAVY, show_header=True)
+        table.add_column("Severity", style="bold")
+        table.add_column("Title")
+        table.add_column("Category")
+        for finding in findings[:50]:
+            sev = str(finding.get("severity") or "info")
+            table.add_row(
+                sev,
+                str(finding.get("title") or finding.get("rule_id") or "unknown"),
+                str(finding.get("category") or ""),
+            )
+        if len(findings) > 50:
+            table.add_row("…", f"and {len(findings) - 50} more", "")
+        console.print(table)
 def _render_explain(console: Console, payload: dict[str, object]) -> None:
     advisories = _coerce_dict_list(payload.get("advisories"))
     if "artifact_snapshot" in payload:
@@ -1996,5 +2027,6 @@ _RENDERERS: dict[str, Any] = {
     "protect": _render_protect,
     "preflight": _render_preflight,
     "scan": _render_scan,
+    "deep-scan": _render_deep_scan,
     "explain": _render_explain,
 }

{plugin_scanner-2.0.147 → plugin_scanner-2.0.149}/src/codex_plugin_scanner/guard/models.py RENAMED Viewed

@@ -142,10 +142,12 @@ class GuardReceipt:
     artifact_name: str | None = None
     source_scope: str | None = None
     action_envelope_json: dict[str, object] | None = None
+    scanner_evidence: tuple[dict[str, object], ...] = ()
     def to_dict(self) -> dict[str, object]:
         payload = asdict(self)
         payload["changed_capabilities"] = list(self.changed_capabilities)
+        payload["scanner_evidence"] = [dict(item) for item in self.scanner_evidence]
         return payload
@@ -185,11 +187,13 @@ class GuardApprovalRequest:
     queue_group_id: str | None = None
     dedupe_count: int = 1
     last_seen_at: str | None = None
+    scanner_evidence: tuple[dict[str, object], ...] = ()
     def to_dict(self) -> dict[str, object]:
         payload = asdict(self)
         payload["changed_fields"] = list(self.changed_fields)
         payload["risk_signals"] = list(self.risk_signals)
+        payload["scanner_evidence"] = [dict(item) for item in self.scanner_evidence]
         return payload

{plugin_scanner-2.0.147 → plugin_scanner-2.0.149}/src/codex_plugin_scanner/guard/receipts/manager.py RENAMED Viewed

@@ -2,6 +2,7 @@
 from __future__ import annotations
+from collections.abc import Mapping, Sequence
 from datetime import datetime, timezone
 from uuid import uuid4
@@ -19,6 +20,7 @@ def build_receipt(
     artifact_name: str | None,
     source_scope: str | None,
     user_override: str | None = None,
+    scanner_evidence: Sequence[Mapping[str, object]] = (),
 ) -> GuardReceipt:
     """Create a runtime receipt."""
@@ -35,4 +37,5 @@ def build_receipt(
         user_override=user_override,
         artifact_name=artifact_name,
         source_scope=source_scope,
+        scanner_evidence=tuple(dict(item) for item in scanner_evidence),
     )

plugin_scanner-2.0.149/src/codex_plugin_scanner/guard/runtime/cisco_evidence.py ADDED Viewed

@@ -0,0 +1,175 @@
+"""Cisco scanner evidence adapters for Guard runtime signals."""
+from __future__ import annotations
+import re
+from hashlib import sha256
+from codex_plugin_scanner.guard.runtime.scanner_cache import scanner_cache_key
+from codex_plugin_scanner.guard.runtime.signals import (
+    GuardRiskSignalV3,
+    RiskConfidenceLabel,
+    RiskSeverityLabel,
+    RiskSignalCategory,
+    RiskSignalSource,
+    ScannerStatusLabel,
+)
+from codex_plugin_scanner.integrations.cisco_skill_scanner import CiscoIntegrationStatus
+from codex_plugin_scanner.models import Finding, Severity
+_LONG_SECRET_LIKE_TOKEN = re.compile(r"\b[A-Za-z0-9_./+=-]{32,}\b")
+_MAX_TEXT_LENGTH = 280
+__all__ = ["cisco_finding_to_risk_signal", "scanner_cache_key"]
+def cisco_finding_to_risk_signal(
+    finding: Finding,
+    *,
+    scanner_status: CiscoIntegrationStatus,
+    scanner_name: str | None = None,
+    source_version: str = "unknown",
+) -> GuardRiskSignalV3:
+    source = _source_from_finding(finding)
+    category = _category_from_finding(finding, source)
+    display_name = scanner_name or _scanner_name_from_source(source)
+    evidence_ref = _evidence_ref(finding)
+    return GuardRiskSignalV3(
+        signal_id=_signal_id(finding),
+        source=source,
+        source_version=source_version,
+        category=category,
+        severity=_severity_label(finding.severity),
+        confidence=_confidence_label(finding.severity),
+        title=_safe_text(finding.title, fallback="Cisco scanner finding"),
+        plain_language_summary=_safe_text(
+            finding.description,
+            fallback=f"{display_name} reported a potential {category} risk.",
+        ),
+        technical_detail=f"{display_name} rule {finding.rule_id} reported {finding.category} evidence.",
+        evidence_ref=evidence_ref,
+        scanner_name=display_name,
+        scanner_status=_status_label(scanner_status),
+        scanner_rule_id=finding.rule_id,
+        redaction_level="summary",
+        source_path=finding.file_path,
+        source_line=finding.line_number,
+        data_source=None,
+        data_sink=None,
+        recommended_action=_safe_optional_text(finding.remediation),
+    )
+def _signal_id(finding: Finding) -> str:
+    source = finding.source or "cisco-scanner"
+    path = finding.file_path or "unknown"
+    if finding.line_number is not None:
+        return f"{source}:{finding.rule_id}:{path}:{finding.line_number}"
+    payload = "|".join(
+        (
+            finding.rule_id,
+            path,
+            finding.title,
+            finding.description,
+            finding.remediation or "",
+        )
+    )
+    suffix = sha256(payload.encode("utf-8")).hexdigest()[:12]
+    return f"{source}:{finding.rule_id}:{path}:{suffix}"
+def _source_from_finding(finding: Finding) -> RiskSignalSource:
+    source = (finding.source or "").lower()
+    if "mcp" in source:
+        return "cisco_mcp"
+    if "skill" in source:
+        return "cisco_skill"
+    if "mcp" in finding.category.lower():
+        return "cisco_mcp"
+    if "skill" in finding.category.lower():
+        return "cisco_skill"
+    return "native"
+def _category_from_finding(finding: Finding, source: RiskSignalSource) -> RiskSignalCategory:
+    if source == "cisco_mcp":
+        return "mcp"
+    if source == "cisco_skill":
+        return "skill"
+    category = finding.category.lower()
+    if "secret" in category:
+        return "secret"
+    if "network" in category:
+        return "network"
+    if "prompt" in category:
+        return "prompt"
+    if "supply" in category:
+        return "supply_chain"
+    return "policy"
+def _scanner_name_from_source(source: RiskSignalSource) -> str:
+    if source == "cisco_mcp":
+        return "Cisco MCP scanner"
+    if source == "cisco_skill":
+        return "Cisco skill scanner"
+    return "Cisco scanner"
+def _severity_label(severity: Severity) -> RiskSeverityLabel:
+    match severity:
+        case Severity.CRITICAL:
+            return "critical"
+        case Severity.HIGH:
+            return "high"
+        case Severity.MEDIUM:
+            return "medium"
+        case Severity.LOW:
+            return "low"
+        case Severity.INFO:
+            return "info"
+def _confidence_label(severity: Severity) -> RiskConfidenceLabel:
+    if severity in {Severity.CRITICAL, Severity.HIGH}:
+        return "strong"
+    if severity == Severity.MEDIUM:
+        return "likely"
+    return "weak"
+def _status_label(status: CiscoIntegrationStatus) -> ScannerStatusLabel:
+    match status:
+        case CiscoIntegrationStatus.ENABLED:
+            return "enabled"
+        case CiscoIntegrationStatus.SKIPPED:
+            return "skipped"
+        case CiscoIntegrationStatus.UNAVAILABLE:
+            return "unavailable"
+        case CiscoIntegrationStatus.FAILED:
+            return "failed"
+        case CiscoIntegrationStatus.TIMED_OUT:
+            return "timed_out"
+def _evidence_ref(finding: Finding) -> str | None:
+    if finding.file_path is None:
+        return None
+    if finding.line_number is None:
+        return finding.file_path
+    return f"{finding.file_path}:{finding.line_number}"
+def _safe_optional_text(value: str | None) -> str | None:
+    if value is None:
+        return None
+    return _safe_text(value, fallback="")
+def _safe_text(value: str, *, fallback: str) -> str:
+    normalized = " ".join(value.split())
+    if not normalized:
+        return fallback
+    redacted = _LONG_SECRET_LIKE_TOKEN.sub("[redacted]", normalized)
+    if len(redacted) <= _MAX_TEXT_LENGTH:
+        return redacted
+    return f"{redacted[: _MAX_TEXT_LENGTH - 1].rstrip()}…"

plugin-scanner 2.0.147__tar.gz → 2.0.149__tar.gz

plugin-scanner 2.0.147tar.gz → 2.0.149tar.gz