plugin-scanner 2.0.150__tar.gz → 2.0.151__tar.gz

{plugin_scanner-2.0.150 → plugin_scanner-2.0.151}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.150
+Version: 2.0.151
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.150 → plugin_scanner-2.0.151}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.150"
+version = "2.0.151"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.150 → plugin_scanner-2.0.151}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.150"
+version = "2.0.151"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.150 → plugin_scanner-2.0.151}/src/codex_plugin_scanner/guard/runtime/detectors.py

@@ -12,6 +12,14 @@ from codex_plugin_scanner.guard.config import GuardConfig
 from codex_plugin_scanner.guard.runtime.actions import GuardActionEnvelope
 from codex_plugin_scanner.guard.runtime.cisco_preflight import CiscoMcpPreflightDetector, CiscoSkillPreflightDetector
 from codex_plugin_scanner.guard.runtime.data_flow_rules import detect_data_flow_exfiltration
+from codex_plugin_scanner.guard.runtime.false_positive_rules import (
+    classify_docs_example_source,
+    classify_health_endpoint_fetch,
+    classify_package_metadata_access,
+    classify_source_search_command,
+    classify_version_file_access,
+)
+from codex_plugin_scanner.guard.runtime.persistence_rules import detect_persistence_mechanisms
 from codex_plugin_scanner.guard.runtime.prompt_injection import detect_prompt_injection_requests
 from codex_plugin_scanner.guard.runtime.safe_decode import decode_layers
 from codex_plugin_scanner.guard.runtime.secret_sensitivity import SecretPathMatch, classify_secret_path
@@ -286,6 +294,163 @@ class SafeDecodeDetector:
         return tuple(signals)
 
 
+class FalsePositiveSuppressorDetector:
+    """Detects patterns that are commonly benign, emitting advisory false_positive signals.
+
+    These signals do not directly change policy action but provide hints that
+    policy composition rules and operators can use to reduce unnecessary blocks.
+    """
+
+    detector_id = "false_positive.suppressor"
+    categories: tuple[RiskSignalCategory, ...] = ("false_positive",)
+
+    def detect(self, action: GuardActionEnvelope, context: DetectorContext) -> tuple[RiskSignalV2, ...]:
+        del context
+        signals: list[RiskSignalV2] = []
+
+        if action.action_type == "shell_command" and action.command is not None:
+            classification = classify_source_search_command(action.command)
+            if classification.is_source_search:
+                signals.append(
+                    RiskSignalV2(
+                        signal_id=f"fp:source-search:{classification.tool}",
+                        category="false_positive",
+                        severity="info",
+                        confidence="strong",
+                        detector=self.detector_id,
+                        title="Read-only code or filesystem search",
+                        plain_reason=(
+                            f"This command uses '{classification.tool}' to search code or the filesystem "
+                            "and does not access secret files or pipe output to the network."
+                        ),
+                        technical_detail=classification.reason,
+                        evidence_ref="command",
+                        redaction_level="none",
+                        false_positive_hint=None,
+                        advisory_id=None,
+                    )
+                )
+
+            if classify_health_endpoint_fetch(action.command):
+                signals.append(
+                    RiskSignalV2(
+                        signal_id="fp:health-endpoint-fetch",
+                        category="false_positive",
+                        severity="info",
+                        confidence="strong",
+                        detector=self.detector_id,
+                        title="Localhost health or readiness check",
+                        plain_reason=(
+                            "This command fetches a localhost health or readiness endpoint,"
+                            " which is a normal development pattern."
+                        ),
+                        technical_detail="matched localhost health endpoint pattern",
+                        evidence_ref="command",
+                        redaction_level="none",
+                        false_positive_hint=None,
+                        advisory_id=None,
+                    )
+                )
+
+        if action.action_type == "file_read" and action.target_paths:
+            if classify_version_file_access(list(action.target_paths)):
+                signals.append(
+                    RiskSignalV2(
+                        signal_id="fp:version-file-access",
+                        category="false_positive",
+                        severity="info",
+                        confidence="strong",
+                        detector=self.detector_id,
+                        title="Version pin file access",
+                        plain_reason=(
+                            "Reading a version pin file (.nvmrc, .python-version, etc.) is a normal"
+                            " toolchain operation with no sensitive data."
+                        ),
+                        technical_detail="matched version pin file pattern",
+                        evidence_ref="target_paths",
+                        redaction_level="none",
+                        false_positive_hint=None,
+                        advisory_id=None,
+                    )
+                )
+
+            if classify_package_metadata_access(list(action.target_paths)):
+                signals.append(
+                    RiskSignalV2(
+                        signal_id="fp:package-metadata-access",
+                        category="false_positive",
+                        severity="info",
+                        confidence="strong",
+                        detector=self.detector_id,
+                        title="Package manifest or lock file access",
+                        plain_reason=(
+                            "Reading package.json, requirements.txt, or similar manifests is a normal"
+                            " dependency management operation."
+                        ),
+                        technical_detail="matched package metadata file pattern",
+                        evidence_ref="target_paths",
+                        redaction_level="none",
+                        false_positive_hint=None,
+                        advisory_id=None,
+                    )
+                )
+
+            for path in action.target_paths:
+                if classify_docs_example_source(path):
+                    signals.append(
+                        RiskSignalV2(
+                            signal_id=f"fp:docs-example-source:{path[:40]}",
+                            category="false_positive",
+                            severity="info",
+                            confidence="strong",
+                            detector=self.detector_id,
+                            title="Access to docs or example file",
+                            plain_reason=(
+                                "The file path points to documentation, examples, or fixture data,"
+                                " which rarely contains real credentials or sensitive content."
+                            ),
+                            technical_detail=f"matched docs/example path: {path}",
+                            evidence_ref="target_paths",
+                            redaction_level="none",
+                            false_positive_hint=None,
+                            advisory_id=None,
+                        )
+                    )
+                    break
+
+        return tuple(signals)
+
+
+class PersistenceDetector:
+    """Detects commands that install persistence mechanisms on the host system."""
+
+    detector_id = "persistence.mechanism"
+    categories: tuple[RiskSignalCategory, ...] = ("persistence",)
+
+    def detect(self, action: GuardActionEnvelope, context: DetectorContext) -> tuple[RiskSignalV2, ...]:
+        del context
+        if action.action_type != "shell_command" or action.command is None:
+            return ()
+        matches = detect_persistence_mechanisms(action.command)
+        return tuple(
+            RiskSignalV2(
+                signal_id=f"persistence:{match.mechanism}",
+                category="persistence",
+                severity="high",
+                confidence="moderate",
+                detector=self.detector_id,
+                title=f"Persistence via {match.mechanism.replace('_', ' ')}",
+                plain_reason=match.plain_reason,
+                technical_detail=f"mechanism: {match.mechanism}",
+                evidence_ref="command",
+                redaction_level="summary",
+                false_positive_hint=match.false_positive_hint,
+                advisory_id=None,
+            )
+            for match in matches
+        )
+
+
 def register_default_detectors() -> tuple[GuardDetector, ...]:
     """Return the default ordered detector list.
 
@@ -293,11 +458,17 @@ def register_default_detectors() -> tuple[GuardDetector, ...]:
     before native data-flow and prompt detectors evaluate the same action.
     This ordering is intentional: scanner evidence can influence policy before
     runtime detectors produce additional signals.
+
+    FalsePositiveSuppressorDetector runs early to annotate benign patterns
+    before risk detectors evaluate the same action, so policy resolution can
+    factor in FP signals when composing the final action.
     """
     return (
         CiscoMcpPreflightDetector(),
         CiscoSkillPreflightDetector(),
+        FalsePositiveSuppressorDetector(),
         DataFlowExfiltrationDetector(),
+        PersistenceDetector(),
         PromptInjectionDetector(),
         SafeDecodeDetector(),
         SecretPathDetector(),

plugin_scanner-2.0.151/src/codex_plugin_scanner/guard/runtime/false_positive_rules.py

@@ -0,0 +1,226 @@
+"""False-positive classification rules for Guard runtime detectors."""
+
+from __future__ import annotations
+
+import re
+from collections.abc import Sequence
+from dataclasses import dataclass
+
+_SOURCE_SEARCH_TOOLS = frozenset(
+    {
+        "rg",
+        "ripgrep",
+        "grep",
+        "egrep",
+        "fgrep",
+        "fd",
+        "find",
+    }
+)
+
+_READ_ONLY_INLINE_TOOLS = frozenset({"jq", "yq", "awk", "sed"})
+
+_SECRET_FILE_NAMES = re.compile(
+    r"(?<![A-Za-z0-9_.-])"
+    r"(?:\.env(?:\.[A-Za-z0-9_-]+)?|\.npmrc|\.pypirc|\.netrc|\.git-credentials"
+    r"|id_rsa|id_ed25519|id_ecdsa|credentials|wallet\.key|private[_-]?key\.pem|terraform\.tfvars)"
+    r"(?![A-Za-z0-9_.-])",
+    re.IGNORECASE,
+)
+
+_PIPE_TO_EXFIL = re.compile(
+    r"[|;]\s*(?:curl|wget|nc|ncat|netcat|scp|rsync|aws\s+s3|gsutil|gcloud)\b",
+    re.IGNORECASE,
+)
+
+_FIND_MUTATING_FLAGS = re.compile(
+    r"(?:^|[\s])-(?:delete|exec\s+rm|exec\s+unlink|exec\s+shred|execdir\s+rm)\b"
+    r"|(?:^|[\s])-exec\s+\S+[^\r\n;&|]{0,100}\{.*\}\s*(?:\\;|;|\+)",
+    re.IGNORECASE,
+)
+
+_OUTPUT_REDIRECT_TO_EXFIL = re.compile(
+    r">\s*(?:/proc/\S+|/dev/tcp/|/dev/udp/)",
+    re.IGNORECASE,
+)
+
+_CLIPBOARD_PIPE = re.compile(
+    r"[|;]\s*(?:pbcopy|xclip|xsel|wl-copy|clip)\b",
+    re.IGNORECASE,
+)
+
+_LOCALHOST_HEALTH_PATTERN = re.compile(
+    r"(?:^|[\s;&|])"
+    r"(?:curl|wget|fetch|http\.get|requests\.get)"
+    r"\b[^\r\n;&|]{0,80}"
+    r"(?:localhost|127\.0\.0\.1|::1|\[::1\]|0\.0\.0\.0)"
+    r"(?::\d{1,5})?"
+    r"(?:/(?:healthz?|readiness|ready|liveness|live|ping|status|metrics|info|version))?"
+    r"(?:\s|$|[;&|'\"])",
+    re.IGNORECASE,
+)
+
+_FAKE_CREDENTIAL_PATTERNS: tuple[re.Pattern[str], ...] = (
+    re.compile(
+        r"(?i)(?:your[_-]?api[_-]?key|example[_-]?token|fake[_-]?(?:secret|token|key|credential)|"
+        r"placeholder|<[A-Z_]{2,}(?:[_-][A-Z]+)*>|x{4,}|\b1234(?:5678)?\b|test[_-]?token|dummy[_-]?(?:key|secret|token)|"
+        r"replace[_-]?me|insert[_-]?(?:your|token)|changeme|secret123|password123|"
+        r"\babc123\b|my[_-]?(?:secret|key|token|api[_-]?key)|sample[_-]?(?:key|token|credential))"
+    ),
+    re.compile(r"(?i)\b(?:todo|fixme|hack|stub|mock|fake|demo|sample|example)\b.*?(?:key|token|secret|credential)"),
+)
+
+_DOCS_EXAMPLE_CONTEXT = re.compile(
+    r"(?:README|CHANGELOG|CONTRIBUTING|SECURITY|LICENSE|NOTICE|\.md|\.rst|\.txt|\.adoc)"
+    r"|(?:example|demo|tutorial|sample|docs?/|documentation/|spec/|test/fixtures?/)",
+    re.IGNORECASE,
+)
+
+_VERSION_FILE_NAMES = re.compile(
+    r"(?<![A-Za-z0-9_.-])"
+    r"(?:\.nvmrc|\.node-version|\.python-version|\.ruby-version|\.tool-versions|\.java-version)"
+    r"(?![A-Za-z0-9_.-])",
+    re.IGNORECASE,
+)
+
+_PACKAGE_METADATA_FILES = re.compile(
+    r"(?<![A-Za-z0-9_.-])"
+    r"(?:package\.json|package-lock\.json|yarn\.lock|pnpm-lock\.yaml|"
+    r"requirements\.txt|setup\.py|setup\.cfg|pyproject\.toml|Pipfile(?:\.lock)?|"
+    r"go\.(?:mod|sum)|Cargo\.(?:toml|lock)|composer\.json|Gemfile(?:\.lock)?)"
+    r"(?![A-Za-z0-9_.-])",
+    re.IGNORECASE,
+)
+
+
+@dataclass(frozen=True, slots=True)
+class SourceSearchClassification:
+    """Result of classifying a shell command as a read-only source search."""
+
+    is_source_search: bool
+    reason: str | None
+    tool: str | None
+
+
+def classify_source_search_command(command: str) -> SourceSearchClassification:
+    """Return whether *command* is a benign read-only code/filesystem search.
+
+    A source search is a command that:
+    - Uses known search tools (rg, grep, fd, find)
+    - Does not target actual secret files
+    - Does not pipe output to network, clipboard, or other exfiltration sinks
+    - Does not use read-inline tools (jq, awk, sed) to extract and relay data
+    """
+    stripped = command.strip()
+    if not stripped:
+        return SourceSearchClassification(is_source_search=False, reason=None, tool=None)
+
+    parts = stripped.split()
+    if not parts:
+        return SourceSearchClassification(is_source_search=False, reason=None, tool=None)
+
+    tool = _leading_tool(parts)
+    if tool is None:
+        return SourceSearchClassification(is_source_search=False, reason=None, tool=None)
+
+    if _PIPE_TO_EXFIL.search(command):
+        return SourceSearchClassification(
+            is_source_search=False,
+            reason="piped to network tool",
+            tool=tool,
+        )
+
+    if _OUTPUT_REDIRECT_TO_EXFIL.search(command):
+        return SourceSearchClassification(
+            is_source_search=False,
+            reason="output redirected to device/proc",
+            tool=tool,
+        )
+
+    if _CLIPBOARD_PIPE.search(command):
+        return SourceSearchClassification(
+            is_source_search=False,
+            reason="piped to clipboard",
+            tool=tool,
+        )
+
+    if _SECRET_FILE_NAMES.search(command):
+        return SourceSearchClassification(
+            is_source_search=False,
+            reason="targets secret file",
+            tool=tool,
+        )
+
+    if tool == "find" and _FIND_MUTATING_FLAGS.search(command):
+        return SourceSearchClassification(
+            is_source_search=False,
+            reason="find with mutating action flag",
+            tool=tool,
+        )
+
+    return SourceSearchClassification(
+        is_source_search=True,
+        reason="read-only code/filesystem search",
+        tool=tool,
+    )
+
+
+def classify_fake_credential_pattern(text: str) -> bool:
+    """Return True if *text* matches known fake/example/placeholder credential patterns."""
+    return any(pattern.search(text) for pattern in _FAKE_CREDENTIAL_PATTERNS)
+
+
+def classify_health_endpoint_fetch(command: str) -> bool:
+    """Return True if *command* is a benign localhost health/readiness check."""
+    return bool(_LOCALHOST_HEALTH_PATTERN.search(command))
+
+
+def classify_docs_example_source(source_hint: str) -> bool:
+    """Return True if *source_hint* (path or context label) is a docs/example location."""
+    return bool(_DOCS_EXAMPLE_CONTEXT.search(source_hint))
+
+
+def classify_version_file_access(paths: Sequence[str]) -> bool:
+    """Return True if all *paths* are benign version-pin files with no sensitive data."""
+    if not paths:
+        return False
+    return all(_VERSION_FILE_NAMES.search(p) for p in paths)
+
+
+def classify_package_metadata_access(paths: Sequence[str]) -> bool:
+    """Return True if all *paths* are package manifest/lock files (no secrets in them)."""
+    if not paths:
+        return False
+    return all(_PACKAGE_METADATA_FILES.search(p) for p in paths)
+
+
+def _leading_tool(parts: list[str]) -> str | None:
+    """Return the base command name if it is a known source-search tool, else None."""
+    if not parts:
+        return None
+    base = _strip_path_prefix(parts[0]).lower()
+    if base in _SOURCE_SEARCH_TOOLS:
+        return base
+    if base in _READ_ONLY_INLINE_TOOLS and _has_no_write_flags(parts):
+        return base
+    return None
+
+
+def _strip_path_prefix(token: str) -> str:
+    return token.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
+
+
+def _has_no_write_flags(parts: list[str]) -> bool:
+    """Return True if awk/sed/jq are used read-only (no in-place or write flags).
+
+    Handles suffixed in-place forms (``-i.bak``, ``-i ''``) and clustered
+    short options that include ``i`` (e.g. ``-ni``).
+    """
+    write_flags = {"--in-place", "-w", "--write"}
+    for p in parts[1:]:
+        tok = p.split("=")[0]
+        if tok in write_flags:
+            return False
+        if len(tok) >= 2 and tok[0] == "-" and tok[1] != "-" and "i" in tok[1:]:
+            return False
+    return True

plugin_scanner-2.0.151/src/codex_plugin_scanner/guard/runtime/persistence_rules.py

@@ -0,0 +1,188 @@
+"""Persistence mechanism detection rules for Guard runtime shell actions."""
+
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass
+
+_GIT_HOOK_PATHS = re.compile(
+    r"(?<![A-Za-z0-9_.-])"
+    r"\.git/hooks/(?:pre-commit|post-commit|pre-push|post-merge|post-checkout|"
+    r"pre-receive|post-receive|update|commit-msg|prepare-commit-msg)"
+    r"(?![A-Za-z0-9_.-])",
+    re.IGNORECASE,
+)
+
+_CRON_WRITE_PATTERN = re.compile(
+    r"(?:^|[\s;&|])"
+    r"(?:"
+    r"crontab\s+(?:-u\s+\S+\s+)?(?:-e\b|-\s*$|[^-\r\n\s][^\r\n;&|]{0,100})|"
+    r"crontab\s*<\s*\S+|"
+    r"(?:echo|printf|cat|tee)\b[^\r\n;&|]{0,200}(?:>|\|\s*tee)\s*/(?:var/spool/cron|etc/cron[^'\"]*?)"
+    r")",
+    re.IGNORECASE,
+)
+
+_LAUNCH_AGENT_PATHS = re.compile(
+    r"(?<![A-Za-z0-9_.-])"
+    r"(?:~/Library/LaunchAgents/|/Library/LaunchAgents/|/Library/LaunchDaemons/|"
+    r"/System/Library/LaunchAgents/|/System/Library/LaunchDaemons/)"
+    r"[^'\"\s\\]{3,}\.plist"
+    r"(?![A-Za-z0-9_.-])",
+    re.IGNORECASE,
+)
+
+_SYSTEMD_WRITE_PATTERN = re.compile(
+    r"(?<![A-Za-z0-9_.-])"
+    r"(?:/etc/systemd/system/|/usr/lib/systemd/system/|/run/systemd/system/|"
+    r"~?/\.config/systemd/user/|"
+    r"(?:/home/[^/\s]+|\$HOME)/\.config/systemd/user/)"
+    r"[^'\"\s\\]{3,}\.(?:service|timer|socket|path|mount|target)"
+    r"(?![A-Za-z0-9_.-])",
+    re.IGNORECASE,
+)
+
+_VSCODE_TASKS_PATTERN = re.compile(
+    r"(?<![A-Za-z0-9_.-])"
+    r"\.vscode/(?:tasks|launch|settings)\.json"
+    r"(?![A-Za-z0-9_.-])",
+    re.IGNORECASE,
+)
+
+_REGISTRY_WRITE_PATTERN = re.compile(
+    r"(?:^|[\s;&|])(?:reg\s+(?:add|import|copy)|regini)\b",
+    re.IGNORECASE,
+)
+
+_AT_JOB_WRITE_PATTERN = re.compile(
+    r"(?:^|[\s;&|])"
+    r"(?:"
+    r"at\s+(?:-f\s+\S+\s+)?(?:now|midnight|noon|tomorrow|\d+(?::\d+)?(?:am|pm)?)\b|"
+    r"(?:echo|printf)\b[^\r\n;&|]{0,200}\|\s*at\b"
+    r")",
+    re.IGNORECASE,
+)
+
+
+@dataclass(frozen=True, slots=True)
+class PersistenceMatch:
+    """Describes a detected persistence mechanism."""
+
+    mechanism: str
+    plain_reason: str
+    false_positive_hint: str
+
+
+def detect_persistence_mechanisms(command: str) -> tuple[PersistenceMatch, ...]:
+    """Return persistence mechanism matches found in *command*."""
+    matches: list[PersistenceMatch] = []
+
+    if _SHELL_PROFILE_WRITE.search(command):
+        matches.append(
+            PersistenceMatch(
+                mechanism="shell_profile_write",
+                plain_reason=(
+                    "Command writes to a shell profile or startup file, which runs on every new terminal session."
+                ),
+                false_positive_hint="Allow if this is setting up a legitimate development environment or PATH entry.",
+            )
+        )
+
+    if _GIT_HOOK_PATHS.search(command) and _is_write_operation(command):
+        matches.append(
+            PersistenceMatch(
+                mechanism="git_hook_write",
+                plain_reason="Command installs or modifies a git hook, which runs automatically on git events.",
+                false_positive_hint="Allow if this is installing a project-standard code quality or signing hook.",
+            )
+        )
+
+    if _CRON_WRITE_PATTERN.search(command):
+        matches.append(
+            PersistenceMatch(
+                mechanism="cron_write",
+                plain_reason=(
+                    "Command modifies scheduled tasks (cron), allowing code to run automatically at set times."
+                ),
+                false_positive_hint="Allow if this is setting up a legitimate periodic maintenance task.",
+            )
+        )
+
+    if _LAUNCH_AGENT_PATHS.search(command) and _is_write_operation(command):
+        matches.append(
+            PersistenceMatch(
+                mechanism="launch_agent_write",
+                plain_reason=(
+                    "Command installs a macOS Launch Agent or Daemon, which runs automatically on login or boot."
+                ),
+                false_positive_hint="Allow if this is installing a known legitimate background service.",
+            )
+        )
+
+    if _SYSTEMD_WRITE_PATTERN.search(command) and _is_write_operation(command):
+        matches.append(
+            PersistenceMatch(
+                mechanism="systemd_unit_write",
+                plain_reason="Command installs a systemd service unit, which can run automatically at boot or login.",
+                false_positive_hint="Allow if this is installing a known legitimate system service.",
+            )
+        )
+
+    if _VSCODE_TASKS_PATTERN.search(command) and _is_write_operation(command):
+        matches.append(
+            PersistenceMatch(
+                mechanism="vscode_tasks_write",
+                plain_reason=(
+                    "Command modifies VS Code tasks or launch configuration, which run automatically in the IDE."
+                ),
+                false_positive_hint="Allow if this is setting up legitimate project build or debug tasks.",
+            )
+        )
+
+    if _REGISTRY_WRITE_PATTERN.search(command):
+        matches.append(
+            PersistenceMatch(
+                mechanism="registry_write",
+                plain_reason=(
+                    "Command writes to the Windows Registry, which can configure autostart or persistent settings."
+                ),
+                false_positive_hint="Allow if this is a known legitimate software installer or configuration step.",
+            )
+        )
+
+    if _AT_JOB_WRITE_PATTERN.search(command):
+        matches.append(
+            PersistenceMatch(
+                mechanism="at_job_schedule",
+                plain_reason=(
+                    "Command schedules a one-time deferred job via `at`,"
+                    " which runs automatically at the specified time."
+                ),
+                false_positive_hint="Allow if this is scheduling a legitimate maintenance or notification task.",
+            )
+        )
+
+    return tuple(matches)
+
+
+_SHELL_PROFILE_WRITE = re.compile(
+    r"(?:^|[\s;&|])"
+    r"(?:echo|printf|cat|tee|append|heredoc)\b[^\r\n;&|]{0,300}"
+    r"(?:>>|>\s*>?|\|\s*(?:tee\s+(?:-a\s+)?)?)\s*"
+    r"~?/?(?:"
+    r"\.bashrc|\.bash_profile|\.bash_login|\.profile|\.zshrc|\.zprofile|\.zlogin|"
+    r"\.zshenv|\.kshrc|\.config/fish/config\.fish"
+    r")",
+    re.IGNORECASE,
+)
+
+
+def _is_write_operation(command: str) -> bool:
+    """Return True if the command contains a write indicator (output redirect, tee, cp, mv, install)."""
+    return bool(
+        re.search(
+            r"(?:>>?|tee\b|\bcp\b|\bmv\b|\binstall\b|\bwrite\b|\bcat\s*>)",
+            command,
+            re.IGNORECASE,
+        )
+    )

{plugin_scanner-2.0.150 → plugin_scanner-2.0.151}/src/codex_plugin_scanner/version.py

@@ -1,3 +1,3 @@
 """Single source of truth for tool version."""
 
-__version__ = "2.0.150"
+__version__ = "2.0.151"