plugin-scanner 2.0.170__tar.gz → 2.0.171__tar.gz

{plugin_scanner-2.0.170 → plugin_scanner-2.0.171}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.170
+Version: 2.0.171
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.170 → plugin_scanner-2.0.171}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.170"
+version = "2.0.171"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.170 → plugin_scanner-2.0.171}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.170"
+version = "2.0.171"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.170 → plugin_scanner-2.0.171}/src/codex_plugin_scanner/guard/inventory_contract.py

@@ -65,6 +65,35 @@ _SENSITIVE_KEY_RE = re.compile(
     re.IGNORECASE,
 )
 _WHITESPACE_RE = re.compile(r"\s+")
+_MCP_READ_RE = re.compile(
+    r"(?<![a-z0-9])(read|reads|reading|search|searches|list|lists)(?![a-z0-9])",
+    re.IGNORECASE,
+)
+_MCP_DELETE_RE = re.compile(
+    r"(?<![a-z0-9])(delete|deletes|remove|removes|destroy|destroys)(?![a-z0-9])",
+    re.IGNORECASE,
+)
+_MCP_WRITE_RE = re.compile(
+    r"(?<![a-z0-9])(write|writes|update|updates|create|creates|modify|modifies)(?![a-z0-9])",
+    re.IGNORECASE,
+)
+_MCP_SHELL_RE = re.compile(
+    r"(?<![a-z0-9])(shell|command|commands|execute|exec|subprocess)(?![a-z0-9])",
+    re.IGNORECASE,
+)
+_MCP_SECRET_RE = re.compile(
+    r"(?<![a-z0-9])(secret|secrets|token|tokens|password|passwords|credential|credentials|api[_\-\s]?key|apiKey)(?![a-z0-9])",
+    re.IGNORECASE,
+)
+_MCP_NETWORK_RE = re.compile(
+    r"(?<![a-z0-9])(http|url|urls|network|fetch|webhook|webhooks)(?![a-z0-9])",
+    re.IGNORECASE,
+)
+_MCP_MODEL_RE = re.compile(r"(?<![a-z0-9])(sampling|model|models|llm)(?![a-z0-9])", re.IGNORECASE)
+_MCP_PERMISSION_RE = re.compile(
+    r"(?<![a-z0-9])(permission|permissions|chmod)(?![a-z0-9])",
+    re.IGNORECASE,
+)
 _IGNORED_TREE_DIR_NAMES = {".git", ".hg", ".svn", "__pycache__", ".mypy_cache", ".ruff_cache", ".venv", "node_modules"}
 _MAX_FINGERPRINT_FILE_BYTES = 1024 * 1024
 
@@ -191,15 +220,16 @@ def inventory_snapshot_from_detection(
 ) -> GuardAgentInventorySnapshot:
     harness = str(getattr(detection, "harness", "unknown"))
     artifacts = tuple(getattr(detection, "artifacts", ()))
-    items = tuple(
-        _item_from_artifact(
+    items: list[GuardAgentInventoryItem] = []
+    for artifact in artifacts:
+        item = _item_from_artifact(
             harness,
             artifact,
             home_dir=home_dir,
             workspace_dir=workspace_dir,
         )
-        for artifact in artifacts
-    )
+        items.append(item)
+        items.extend(_mcp_tool_items_from_artifact(harness, artifact, item))
     config_paths = tuple(dict.fromkeys(str(path) for path in getattr(detection, "config_paths", ())))
     sources = tuple(
         GuardInventorySource(
@@ -224,7 +254,7 @@ def inventory_snapshot_from_detection(
         agent_type=_agent_type(harness),
         generated_at=generated_at,
         runtime_version=runtime_version,
-        items=items,
+        items=tuple(items),
         sources=sources,
         redaction_report={
             "rawSecretsIncluded": False,
@@ -362,6 +392,156 @@ def _item_from_artifact(
     )
 
 
+def _mcp_tool_items_from_artifact(
+    harness: str,
+    artifact: object,
+    server_item: GuardAgentInventoryItem,
+) -> tuple[GuardAgentInventoryItem, ...]:
+    artifact_type = str(getattr(artifact, "artifact_type", "unknown"))
+    if artifact_type != "mcp_server":
+        return ()
+    raw_metadata = getattr(artifact, "metadata", {})
+    if not isinstance(raw_metadata, dict):
+        return ()
+    raw_tools = _mcp_tool_definitions(raw_metadata)
+    if not raw_tools:
+        return ()
+
+    items: list[GuardAgentInventoryItem] = []
+    for raw_tool in raw_tools:
+        if not isinstance(raw_tool, dict):
+            continue
+        name = raw_tool.get("name")
+        if not isinstance(name, str) or not name.strip():
+            continue
+        display_name = _string_value(raw_tool.get("title")) or name
+        description = _string_value(raw_tool.get("description")) or ""
+        input_schema = _first_present_value(raw_tool, "inputSchema", "input_schema")
+        output_schema = _first_present_value(raw_tool, "outputSchema", "output_schema")
+        annotations = raw_tool.get("annotations")
+        safe_annotations = annotations if isinstance(annotations, dict) else {}
+        metadata = {
+            "serverItemId": server_item.item_id,
+            "toolName": name,
+            "title": display_name,
+            "descriptionHash": fingerprint_text(description),
+            "inputSchemaHash": fingerprint_mapping(input_schema) if input_schema is not None else None,
+            "outputSchemaHash": fingerprint_mapping(output_schema) if output_schema is not None else None,
+            "annotations": safe_annotations,
+            "schemaPresent": input_schema is not None or output_schema is not None,
+        }
+        capabilities = _capabilities_for_mcp_tool(name, description, input_schema, safe_annotations)
+        semantic_hash = fingerprint_mapping(
+            {
+                "server": server_item.item_id,
+                "name": name,
+                "description": description,
+                "inputSchema": input_schema,
+                "outputSchema": output_schema,
+                "annotations": safe_annotations,
+            }
+        )
+        items.append(
+            GuardAgentInventoryItem(
+                item_id=f"{server_item.item_id}:tool:{name}",
+                item_kind="mcp_tool",
+                display_name=display_name,
+                source_fingerprint=fingerprint_mapping(
+                    {"harness": harness, "server": server_item.item_id, "tool": name}
+                ),
+                content_hash=semantic_hash,
+                capability_categories=capabilities,
+                risk_level=_risk_level_for_capabilities(capabilities),
+                scanner_sources=("hol-detector",),
+                metadata=metadata,
+            )
+        )
+    return tuple(items)
+
+
+def _string_value(value: object) -> str | None:
+    return value if isinstance(value, str) else None
+
+
+def _first_present_value(mapping: dict[str, object], *keys: str) -> object | None:
+    for key in keys:
+        if key in mapping:
+            return mapping[key]
+    return None
+
+
+def _mcp_tool_definitions(metadata: dict[str, object]) -> tuple[dict[str, object], ...]:
+    tools: list[dict[str, object]] = []
+    seen_names: set[str] = set()
+    for key in ("tools", "tool_schemas", "toolSchemas"):
+        raw_tools = metadata.get(key)
+        if not isinstance(raw_tools, list):
+            continue
+        for raw_tool in raw_tools:
+            if not isinstance(raw_tool, dict):
+                continue
+            name = raw_tool.get("name")
+            if not isinstance(name, str) or not name.strip() or name in seen_names:
+                continue
+            tools.append(raw_tool)
+            seen_names.add(name)
+    return tuple(tools)
+
+
+def _mcp_schema_signal_text(value: object) -> str:
+    if isinstance(value, dict):
+        parts: list[str] = []
+        for key, item in value.items():
+            if key in {"$schema", "$id"}:
+                continue
+            parts.append(key)
+            parts.append(_mcp_schema_signal_text(item))
+        return " ".join(part for part in parts if part)
+    if isinstance(value, list):
+        return " ".join(_mcp_schema_signal_text(item) for item in value)
+    if isinstance(value, str):
+        return value
+    return ""
+
+
+def _capabilities_for_mcp_tool(
+    name: str,
+    description: str,
+    input_schema: object,
+    annotations: dict[str, object],
+) -> tuple[InventoryCapability, ...]:
+    text = f"{name} {description} {_mcp_schema_signal_text(input_schema)}".lower()
+    capabilities: set[InventoryCapability] = set()
+    if annotations.get("readOnlyHint") is True or _MCP_READ_RE.search(text):
+        capabilities.add("reads_files")
+    if annotations.get("destructiveHint") is True or _MCP_DELETE_RE.search(text):
+        capabilities.update({"writes_files", "deletes_files"})
+    if annotations.get("writeHint") is True or _MCP_WRITE_RE.search(text):
+        capabilities.add("writes_files")
+    if _MCP_SHELL_RE.search(text):
+        capabilities.add("runs_shell")
+    if _MCP_SECRET_RE.search(text):
+        capabilities.add("reads_secrets")
+    if _MCP_NETWORK_RE.search(text):
+        capabilities.add("network_egress")
+    if _MCP_MODEL_RE.search(text):
+        capabilities.add("uses_model_sampling")
+    if _MCP_PERMISSION_RE.search(text):
+        capabilities.add("changes_permissions")
+    return tuple(sorted(capabilities)) if capabilities else ("unknown",)
+
+
+def _risk_level_for_capabilities(capabilities: tuple[InventoryCapability, ...]) -> InventorySeverity:
+    if any(capability in capabilities for capability in ("deletes_files", "reads_secrets", "runs_shell")):
+        return "high"
+    if any(
+        capability in capabilities
+        for capability in ("writes_files", "network_egress", "uses_model_sampling", "changes_permissions")
+    ):
+        return "medium"
+    return "info"
+
+
 def _agent_type(value: str) -> AgentInventoryType:
     for agent_type in _AGENT_INVENTORY_TYPES:
         if value == agent_type:

{plugin_scanner-2.0.170 → plugin_scanner-2.0.171}/src/codex_plugin_scanner/version.py

@@ -1,3 +1,3 @@
 """Single source of truth for tool version."""
 
-__version__ = "2.0.170"
+__version__ = "2.0.171"

plugin_scanner-2.0.171/tests/test_guard_inventory_contract.py

@@ -0,0 +1,408 @@
+from __future__ import annotations
+
+import json
+from pathlib import Path
+
+from codex_plugin_scanner.guard.inventory_contract import (
+    GuardAgentInventoryFinding,
+    GuardAgentInventoryItem,
+    GuardAgentInventorySnapshot,
+    classify_endpoint_host,
+    fingerprint_mapping,
+    fingerprint_path_tree,
+    fingerprint_text,
+    inventory_item_id,
+    inventory_snapshot_from_detection,
+    redact_headers,
+    redact_local_path,
+    redact_url,
+    serialize_inventory_snapshot,
+)
+from codex_plugin_scanner.guard.models import GuardArtifact, HarnessDetection
+
+
+class _Detection:
+    harness = "hermes"
+    artifacts = ()
+
+    def __init__(self, config_paths: tuple[str, ...]) -> None:
+        self.config_paths = config_paths
+
+
+def test_inventory_snapshot_serialization_redacts_raw_secrets(tmp_path: Path) -> None:
+    skill_dir = tmp_path / "home" / "skills" / "danger"
+    skill_dir.mkdir(parents=True)
+    (skill_dir / "SKILL.md").write_text("use token sk-testsecretvalue and Authorization: Bearer secret\n")
+
+    snapshot = GuardAgentInventorySnapshot(
+        snapshot_id="snap-hermes-1",
+        agent_id="agent-hermes",
+        agent_type="hermes",
+        generated_at="2026-05-10T00:00:00Z",
+        runtime_version="hermes-test",
+        items=(
+            GuardAgentInventoryItem(
+                item_id="skill-danger",
+                item_kind="skill",
+                display_name="Danger skill",
+                source_fingerprint=fingerprint_path_tree(skill_dir, home_dir=tmp_path / "home"),
+                content_hash=fingerprint_text((skill_dir / "SKILL.md").read_text()),
+                capability_categories=("reads_secrets", "network_egress"),
+                metadata={
+                    "headers": redact_headers({"Authorization": "Bearer secret", "X-Trace": "safe"}),
+                    "url": redact_url("https://user:pass@example.com/mcp?token=secret&mode=safe"),
+                    "path": redact_local_path(skill_dir / "SKILL.md", home_dir=tmp_path / "home"),
+                },
+            ),
+        ),
+        findings=(
+            GuardAgentInventoryFinding(
+                finding_id="finding-1",
+                source="hol-detector",
+                severity="high",
+                confidence="high",
+                title="Secret access",
+                artifact_id="skill-danger",
+                check_id="secret-access",
+            ),
+        ),
+        redaction_report={"raw_secret_values": False, "redacted_fields": ("headers.authorization", "url.token")},
+    )
+
+    payload = serialize_inventory_snapshot(snapshot)
+    encoded = json.dumps(payload, sort_keys=True)
+
+    assert "sk-testsecretvalue" not in encoded
+    assert "Bearer secret" not in encoded
+    assert "user:pass" not in encoded
+    assert str(tmp_path / "home") not in encoded
+    assert payload["items"][0]["metadata"]["headers"]["authorization"] == "present_redacted"
+    assert payload["items"][0]["metadata"]["headers"]["x-trace"] == "present"
+
+
+def test_inventory_helpers_emit_safe_endpoint_and_stable_hashes(tmp_path: Path) -> None:
+    config_a = {"b": [2, 1], "a": {"nested": True}}
+    config_b = {"a": {"nested": True}, "b": [2, 1]}
+    path_a = tmp_path / "skill-a" / "SKILL.md"
+    path_b = tmp_path / "renamed" / "SKILL.md"
+    path_a.parent.mkdir()
+    path_b.parent.mkdir()
+    path_a.write_text("name: demo\n\nRun search query\n")
+    path_b.write_text("name: demo\n\nRun search   query\n")
+
+    assert fingerprint_mapping(config_a) == fingerprint_mapping(config_b)
+    assert inventory_item_id("hermes", "skill", "demo", path_a.read_text()) == inventory_item_id(
+        "hermes",
+        "skill",
+        "demo",
+        path_b.read_text(),
+    )
+    assert classify_endpoint_host("https://user:pass@example.com/mcp?token=value") == "remote_public"
+    assert classify_endpoint_host("http://172.20.4.5:8080/mcp") == "local_private"
+    assert classify_endpoint_host("http://[not-an-ip]/mcp") == "remote_public"
+    assert redact_url("https://user:pass@example.com/mcp?token=value&mode=safe") == "https://example.com/mcp?token=redacted&mode=safe"
+    assert redact_url("https://example.com/mcp?auth=value&mode=safe") == "https://example.com/mcp?auth=redacted&mode=safe"
+    assert redact_url("https://example.com/mcp?mode=safe;token=value") == "https://example.com/mcp?mode=safe&token=redacted"
+    assert redact_url("http://localhost:${PORT}/mcp?auth=value") == "http://localhost/mcp?auth=redacted"
+    assert redact_url("http://[2001:db8::1]:8080/mcp?token=value") == "http://[2001:db8::1]:8080/mcp?token=redacted"
+    assert redact_url("http://[not-an-ip]/mcp?token=value") == "malformed_url_redacted"
+    assert redact_local_path(path_a, home_dir=tmp_path) == "{home}/skill-a/SKILL.md"
+
+
+def test_fingerprint_path_tree_skips_large_ignored_and_path_objects(tmp_path: Path) -> None:
+    root = tmp_path / "workspace"
+    (root / "node_modules" / "pkg").mkdir(parents=True)
+    (root / ".git" / "objects").mkdir(parents=True)
+    (root / "safe").mkdir(parents=True)
+    (root / "safe" / "config.json").write_text('{"ok": true}\n')
+    (root / "node_modules" / "pkg" / "ignored.json").write_text('{"ignored": true}\n')
+    (root / ".git" / "objects" / "ignored").write_text("ignored\n")
+
+    fingerprint = fingerprint_path_tree(root, home_dir=tmp_path)
+    (root / "node_modules" / "pkg" / "ignored.json").write_text('{"ignored": "changed"}\n')
+    (root / ".git" / "objects" / "ignored").write_text("changed\n")
+    fingerprint_after_ignored_changes = fingerprint_path_tree(root, home_dir=tmp_path)
+    snapshot = GuardAgentInventorySnapshot(
+        snapshot_id="snap-path-object",
+        agent_id="agent",
+        agent_type="openclaw",
+        generated_at="2026-05-10T00:00:00Z",
+        items=(
+            GuardAgentInventoryItem(
+                item_id="item",
+                item_kind="repository",
+                display_name="Repo",
+                source_fingerprint=fingerprint,
+                content_hash=fingerprint_text("repo"),
+                capability_categories=("reads_files",),
+                metadata={"pathObject": root / "safe" / "config.json"},
+            ),
+        ),
+    )
+
+    encoded = json.dumps(serialize_inventory_snapshot(snapshot), sort_keys=True)
+
+    assert fingerprint_after_ignored_changes == fingerprint
+    assert str(tmp_path) not in encoded
+
+
+def test_inventory_snapshot_deduplicates_config_sources(tmp_path: Path) -> None:
+    config_path = tmp_path / ".hermes" / "config.yaml"
+    config_path.parent.mkdir(parents=True)
+    config_path.write_text("mcp_servers: {}\n")
+
+    snapshot = inventory_snapshot_from_detection(
+        _Detection((str(config_path), str(config_path))),
+        generated_at="2026-05-10T00:00:00Z",
+        home_dir=tmp_path,
+    )
+
+    assert len(snapshot.sources) == 1
+
+
+def test_inventory_snapshot_extracts_mcp_tool_items(tmp_path: Path) -> None:
+    detection = HarnessDetection(
+        harness="hermes",
+        installed=True,
+        command_available=False,
+        config_paths=(),
+        artifacts=(
+            GuardArtifact(
+                artifact_id="hermes:mcp:json:tools",
+                name="tools",
+                harness="hermes",
+                artifact_type="mcp_server",
+                source_scope="global",
+                config_path=str(tmp_path / ".hermes" / "mcp_servers.json"),
+                metadata={
+                    "tools": [
+                        {
+                            "name": "search_docs",
+                            "title": "Search docs",
+                            "description": "Read-only search over project documentation.",
+                            "inputSchema": {"type": "object", "properties": {"query": {"type": "string"}}},
+                            "outputSchema": {"type": "object"},
+                            "annotations": {"readOnlyHint": True, "destructiveHint": False},
+                        },
+                        {
+                            "name": "delete_file",
+                            "description": "Delete a file from disk.",
+                            "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}},
+                            "annotations": {"destructiveHint": True},
+                        },
+                    ]
+                },
+            ),
+        ),
+    )
+
+    snapshot = inventory_snapshot_from_detection(
+        detection,
+        generated_at="2026-05-10T00:00:00Z",
+        home_dir=tmp_path,
+    )
+    items = {item.item_id: item for item in snapshot.items}
+
+    assert "hermes:mcp:json:tools:tool:search_docs" in items
+    assert "hermes:mcp:json:tools:tool:delete_file" in items
+    assert items["hermes:mcp:json:tools:tool:search_docs"].capability_categories == ("reads_files",)
+    assert "writes_files" in items["hermes:mcp:json:tools:tool:delete_file"].capability_categories
+    assert items["hermes:mcp:json:tools:tool:delete_file"].risk_level == "high"
+
+
+def test_inventory_snapshot_handles_missing_mcp_tool_schema_and_scale(tmp_path: Path) -> None:
+    tools = [{"name": f"tool_{index}", "description": "No schema available."} for index in range(500)]
+    detection = HarnessDetection(
+        harness="openclaw",
+        installed=True,
+        command_available=False,
+        config_paths=(),
+        artifacts=(
+            GuardArtifact(
+                artifact_id="openclaw:mcp:bulk",
+                name="bulk",
+                harness="openclaw",
+                artifact_type="mcp_server",
+                source_scope="global",
+                config_path=str(tmp_path / ".openclaw" / "openclaw.json"),
+                metadata={"tools": tools},
+            ),
+        ),
+    )
+
+    snapshot = inventory_snapshot_from_detection(
+        detection,
+        generated_at="2026-05-10T00:00:00Z",
+        home_dir=tmp_path,
+    )
+    tool_items = [item for item in snapshot.items if item.item_kind == "mcp_tool"]
+
+    assert len(tool_items) == 500
+    assert all(item.capability_categories == ("unknown",) for item in tool_items)
+
+
+def test_inventory_snapshot_preserves_empty_mcp_tool_schemas(tmp_path: Path) -> None:
+    detection = HarnessDetection(
+        harness="hermes",
+        installed=True,
+        command_available=False,
+        config_paths=(),
+        artifacts=(
+            GuardArtifact(
+                artifact_id="hermes:mcp:empty-schema",
+                name="empty-schema",
+                harness="hermes",
+                artifact_type="mcp_server",
+                source_scope="global",
+                config_path=str(tmp_path / ".hermes" / "mcp_servers.json"),
+                metadata={"tools": [{"name": "ping", "inputSchema": {}, "output_schema": {}}]},
+            ),
+        ),
+    )
+
+    snapshot = inventory_snapshot_from_detection(
+        detection,
+        generated_at="2026-05-10T00:00:00Z",
+        home_dir=tmp_path,
+    )
+    tool = next(item for item in snapshot.items if item.item_kind == "mcp_tool")
+
+    assert tool.metadata["schemaPresent"] is True
+    assert tool.metadata["inputSchemaHash"] == fingerprint_mapping({})
+    assert tool.metadata["outputSchemaHash"] == fingerprint_mapping({})
+
+
+def test_inventory_snapshot_mcp_capabilities_avoid_substring_false_positives(tmp_path: Path) -> None:
+    detection = HarnessDetection(
+        harness="hermes",
+        installed=True,
+        command_available=False,
+        config_paths=(),
+        artifacts=(
+            GuardArtifact(
+                artifact_id="hermes:mcp:false-positive",
+                name="false-positive",
+                harness="hermes",
+                artifact_type="mcp_server",
+                source_scope="global",
+                config_path=str(tmp_path / ".hermes" / "mcp_servers.json"),
+                metadata={
+                    "tools": [
+                        {
+                            "name": "thread_listener",
+                            "description": "Returns execution_id for listened events.",
+                            "inputSchema": {"type": "object", "properties": {"execution_id": {"type": "string"}}},
+                        },
+                        {
+                            "name": "credential_probe",
+                            "inputSchema": {
+                                "type": "object",
+                                "properties": {
+                                    "api_key": {"type": "string"},
+                                    "apiKey": {"type": "string"},
+                                },
+                            },
+                        },
+                    ]
+                },
+            ),
+        ),
+    )
+
+    snapshot = inventory_snapshot_from_detection(
+        detection,
+        generated_at="2026-05-10T00:00:00Z",
+        home_dir=tmp_path,
+    )
+    tool_items = {item.display_name: item for item in snapshot.items if item.item_kind == "mcp_tool"}
+
+    assert tool_items["thread_listener"].capability_categories == ("unknown",)
+    assert tool_items["credential_probe"].capability_categories == ("reads_secrets",)
+
+
+def test_inventory_snapshot_mcp_capabilities_ignore_schema_boilerplate(tmp_path: Path) -> None:
+    detection = HarnessDetection(
+        harness="hermes",
+        installed=True,
+        command_available=False,
+        config_paths=(),
+        artifacts=(
+            GuardArtifact(
+                artifact_id="hermes:mcp:schema-boilerplate",
+                name="schema-boilerplate",
+                harness="hermes",
+                artifact_type="mcp_server",
+                source_scope="global",
+                config_path=str(tmp_path / ".hermes" / "mcp_servers.json"),
+                metadata={
+                    "tools": [
+                        {
+                            "name": "local_formatter",
+                            "inputSchema": {
+                                "$schema": "https://json-schema.org/draft/2020-12/schema",
+                                "type": "object",
+                                "properties": {"format": {"type": "string"}},
+                            },
+                        },
+                        {
+                            "name": "remote_probe",
+                            "inputSchema": {
+                                "$schema": "https://json-schema.org/draft/2020-12/schema",
+                                "type": "object",
+                                "properties": {"url": {"type": "string"}},
+                            },
+                        },
+                    ]
+                },
+            ),
+        ),
+    )
+
+    snapshot = inventory_snapshot_from_detection(
+        detection,
+        generated_at="2026-05-10T00:00:00Z",
+        home_dir=tmp_path,
+    )
+    tool_items = {item.display_name: item for item in snapshot.items if item.item_kind == "mcp_tool"}
+
+    assert tool_items["local_formatter"].capability_categories == ("unknown",)
+    assert tool_items["remote_probe"].capability_categories == ("network_egress",)
+
+
+def test_inventory_snapshot_mcp_tool_fallback_skips_non_schema_tool_allowlist(tmp_path: Path) -> None:
+    detection = HarnessDetection(
+        harness="hermes",
+        installed=True,
+        command_available=False,
+        config_paths=(),
+        artifacts=(
+            GuardArtifact(
+                artifact_id="hermes:mcp:tool-schema-fallback",
+                name="tool-schema-fallback",
+                harness="hermes",
+                artifact_type="mcp_server",
+                source_scope="global",
+                config_path=str(tmp_path / ".hermes" / "mcp_servers.json"),
+                metadata={
+                    "tools": ["*"],
+                    "tool_schemas": [
+                        {
+                            "name": "search_repo",
+                            "description": "Search local project files.",
+                        }
+                    ],
+                },
+            ),
+        ),
+    )
+
+    snapshot = inventory_snapshot_from_detection(
+        detection,
+        generated_at="2026-05-10T00:00:00Z",
+        home_dir=tmp_path,
+    )
+    tool_items = [item for item in snapshot.items if item.item_kind == "mcp_tool"]
+
+    assert len(tool_items) == 1
+    assert tool_items[0].display_name == "search_repo"
+    assert tool_items[0].capability_categories == ("reads_files",)