plugin-scanner 2.0.2__tar.gz → 2.0.4__tar.gz

plugin_scanner-2.0.4/.github/dependabot.yml

@@ -0,0 +1,59 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "05:00"
+      timezone: "America/New_York"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "python"
+    commit-message:
+      prefix: "deps(pip)"
+    groups:
+      pip-patch-minor:
+        update-types:
+          - "minor"
+          - "patch"
+      pip-major:
+        update-types:
+          - "major"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "05:15"
+      timezone: "America/New_York"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "github-actions"
+    commit-message:
+      prefix: "deps(actions)"
+    groups:
+      github-actions-all:
+        patterns:
+          - "*"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "05:30"
+      timezone: "America/New_York"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "docker"
+    commit-message:
+      prefix: "deps(docker)"
+    groups:
+      docker-all:
+        patterns:
+          - "*"

{plugin_scanner-2.0.2 → plugin_scanner-2.0.4}/.github/workflows/ci.yml

@@ -19,7 +19,7 @@ jobs:
       - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
         with:
           python-version: ${{ matrix.python-version }}
-      - uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e
+      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57
         with:
           enable-cache: true
       - run: uv sync --frozen --extra dev --python ${{ matrix.python-version }}
@@ -38,7 +38,7 @@ jobs:
       - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
         with:
           python-version: ${{ matrix.python-version }}
-      - uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e
+      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57
         with:
           enable-cache: true
       - run: uv sync --frozen --extra dev --python ${{ matrix.python-version }}

{plugin_scanner-2.0.2 → plugin_scanner-2.0.4}/.github/workflows/codeql.yml

@@ -31,11 +31,11 @@ jobs:
           LEGACY_ROOT="/home/runner/work/codex-plugin-scanner"
           mkdir -p "$LEGACY_ROOT"
           ln -sfn "$GITHUB_WORKSPACE" "$LEGACY_ROOT/codex-plugin-scanner"
-      - uses: github/codeql-action/init@51f77329afa6477de8c49fc9c7046c15b9a4e79d
+      - uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13
         with:
           languages: ${{ matrix.language }}
           build-mode: none
           source-root: .
-      - uses: github/codeql-action/analyze@51f77329afa6477de8c49fc9c7046c15b9a4e79d
+      - uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13
         with:
           category: /language:${{ matrix.language }}

plugin_scanner-2.0.4/.github/workflows/dependabot-uv-lock.yml

@@ -0,0 +1,54 @@
+name: Dependabot Lockfile Sync
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+      - reopened
+    paths:
+      - "pyproject.toml"
+      - "requirements.txt"
+      - "docker-requirements.txt"
+      - ".github/dependabot.yml"
+
+permissions:
+  contents: write
+
+jobs:
+  sync-lockfile:
+    if: github.actor == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout PR branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.ref }}
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+        with:
+          python-version: "3.12"
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e
+        with:
+          enable-cache: true
+
+      - name: Refresh lockfile
+        run: uv lock --no-build
+
+      - name: Commit lockfile updates
+        run: |
+          if git diff --quiet -- uv.lock; then
+            echo "uv.lock unchanged"
+            exit 0
+          fi
+
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add uv.lock
+          git commit -m "chore: sync uv.lock for dependabot"
+          git push

plugin_scanner-2.0.4/.github/workflows/harness-smoke.yml

@@ -0,0 +1,114 @@
+name: Guard Harness Smoke
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "17 7 * * *"
+
+permissions:
+  contents: read
+
+jobs:
+  codex-release-gate:
+    name: Codex release gate
+    runs-on:
+      - self-hosted
+      - linux
+      - guard
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+        with:
+          python-version: "3.12"
+      - uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e
+        with:
+          enable-cache: true
+      - name: Prepare Guard environment
+        run: |
+          uv sync --frozen --extra dev
+          mkdir -p .guard-ci/codex-home/.codex .guard-ci/codex-workspace/.codex
+          cat > .guard-ci/codex-home/.codex/config.toml <<'EOF'
+          [mcp_servers.global_tools]
+          command = "python3"
+          args = ["-m", "http.server", "9000"]
+          EOF
+          cat > .guard-ci/codex-workspace/.codex/config.toml <<'EOF'
+          [mcp_servers.workspace_skill]
+          command = "node"
+          args = ["workspace-skill.js"]
+          EOF
+      - name: Guard detect and install for Codex
+        run: |
+          uv run hol-guard detect codex --home .guard-ci/codex-home --workspace .guard-ci/codex-workspace --json
+          uv run hol-guard install codex --home .guard-ci/codex-home --workspace .guard-ci/codex-workspace --json
+          uv run hol-guard run codex --home .guard-ci/codex-home --workspace .guard-ci/codex-workspace --dry-run --default-action allow --json
+      - name: Verify Codex runtime is available
+        run: |
+          command -v codex
+          codex mcp list
+
+  macos-release-gate:
+    name: Claude or Cursor release gate
+    runs-on:
+      - self-hosted
+      - macOS
+      - guard
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+        with:
+          python-version: "3.12"
+      - uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e
+        with:
+          enable-cache: true
+      - name: Prepare Guard environment
+        run: uv sync --frozen --extra dev
+      - name: Guard detect for Claude Code
+        run: uv run hol-guard detect claude-code --json
+      - name: Guard detect for Cursor
+        run: uv run hol-guard detect cursor --json
+      - name: Verify Claude Code or Cursor runtime
+        run: |
+          if command -v claude >/dev/null 2>&1; then
+            claude --help >/dev/null
+            exit 0
+          fi
+          command -v cursor-agent
+          cursor-agent mcp list
+
+  windows-release-gate:
+    name: Gemini or OpenCode release gate
+    runs-on:
+      - self-hosted
+      - windows
+      - guard
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+        with:
+          python-version: "3.12"
+      - uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e
+        with:
+          enable-cache: true
+      - name: Prepare Guard environment
+        shell: pwsh
+        run: uv sync --frozen --extra dev
+      - name: Guard detect for Gemini
+        shell: pwsh
+        run: uv run hol-guard detect gemini --json
+      - name: Guard detect for OpenCode
+        shell: pwsh
+        run: uv run hol-guard detect opencode --json
+      - name: Verify Gemini or OpenCode runtime
+        shell: pwsh
+        run: |
+          $gemini = Get-Command gemini -ErrorAction SilentlyContinue
+          if ($null -ne $gemini) {
+            gemini --help | Out-Null
+            exit 0
+          }
+          $opencode = Get-Command opencode -ErrorAction SilentlyContinue
+          if ($null -eq $opencode) {
+            throw "Expected gemini or opencode on the Windows Guard runner."
+          }
+          opencode --help | Out-Null

{plugin_scanner-2.0.2 → plugin_scanner-2.0.4}/.github/workflows/publish.yml

@@ -20,7 +20,7 @@ permissions:
   id-token: write
 
 concurrency:
-  group: plugin-scanner-publish-${{ github.ref }}
+  group: hol-guard-publish-${{ github.ref }}
   cancel-in-progress: false
 
 jobs:
@@ -36,11 +36,11 @@ jobs:
       - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
         with:
           python-version: "3.12"
-      - uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e
+      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57
         with:
           enable-cache: true
       - name: Install dependencies
-        run: uv sync --frozen --extra dev --group publish
+        run: uv sync --frozen --extra dev --extra publish
       - name: Compute publish version
         id: version
         env:
@@ -70,12 +70,75 @@ jobs:
         run: |
           sed -i "1,/^version = /{s/^version = .*/version = \"$VERSION\"/}" pyproject.toml
           sed -i "1,/^__version__ = /{s/^__version__ = .*/__version__ = \"$VERSION\"/}" src/codex_plugin_scanner/version.py
-      - name: Build primary package (plugin-scanner)
-        run: uv run --no-sync python -m build
-      - name: Build legacy compatibility package (codex-plugin-scanner)
+      - name: Build Guard package (hol-guard)
         run: |
           cp pyproject.toml pyproject.toml.bak
-          sed -i "1,/^name = /{s/^name = .*/name = \"codex-plugin-scanner\"/}" pyproject.toml
+          python3 - <<'PY'
+          from pathlib import Path
+
+          path = Path("pyproject.toml")
+          text = path.read_text(encoding="utf-8")
+          text = text.replace('name = "hol-guard"', 'name = "hol-guard"', 1)
+          text = text.replace(
+              'description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."',
+              'description = "Protect local AI harnesses with HOL Guard before tools run in Codex, Claude Code, Cursor, Gemini, and OpenCode."',
+              1,
+          )
+          start = text.index("[project.scripts]")
+          end = text.index("\n\n[project.urls]")
+          scripts = "[project.scripts]\n" \
+              'hol-guard = "codex_plugin_scanner.cli:main"\n' \
+              'plugin-guard = "codex_plugin_scanner.cli:main"'
+          text = text[:start] + scripts + text[end:]
+          path.write_text(text, encoding="utf-8")
+          PY
+          uv run --no-sync python -m build
+          mv pyproject.toml.bak pyproject.toml
+      - name: Build scanner package (plugin-scanner)
+        run: |
+          cp pyproject.toml pyproject.toml.bak
+          python3 - <<'PY'
+          from pathlib import Path
+
+          path = Path("pyproject.toml")
+          text = path.read_text(encoding="utf-8")
+          text = text.replace('name = "hol-guard"', 'name = "plugin-scanner"', 1)
+          text = text.replace(
+              'description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."',
+              'description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."',
+              1,
+          )
+          start = text.index("[project.scripts]")
+          end = text.index("\n\n[project.urls]")
+          scripts = "[project.scripts]\n" \
+              'plugin-scanner = "codex_plugin_scanner.cli:main"\n' \
+              'plugin-ecosystem-scanner = "codex_plugin_scanner.cli:main"'
+          text = text[:start] + scripts + text[end:]
+          path.write_text(text, encoding="utf-8")
+          PY
+          uv run --no-sync python -m build
+          mv pyproject.toml.bak pyproject.toml
+      - name: Build codex compatibility alias (codex-plugin-scanner)
+        run: |
+          cp pyproject.toml pyproject.toml.bak
+          python3 - <<'PY'
+          from pathlib import Path
+
+          path = Path("pyproject.toml")
+          text = path.read_text(encoding="utf-8")
+          text = text.replace('name = "hol-guard"', 'name = "codex-plugin-scanner"', 1)
+          text = text.replace(
+              'description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."',
+              'description = "Compatibility alias for teams still pinned to the codex-plugin-scanner package name."',
+              1,
+          )
+          start = text.index("[project.scripts]")
+          end = text.index("\n\n[project.urls]")
+          scripts = "[project.scripts]\n" \
+              'codex-plugin-scanner = "codex_plugin_scanner.cli:main"'
+          text = text[:start] + scripts + text[end:]
+          path.write_text(text, encoding="utf-8")
+          PY
           uv run --no-sync python -m build
           mv pyproject.toml.bak pyproject.toml
       - name: Verify distributions
@@ -171,6 +234,10 @@ jobs:
           ${LOG}
 
           ### Installation
+          \`\`\`bash
+          uv tool install hol-guard==${VERSION}
+          \`\`\`
+
           \`\`\`bash
           uv tool install plugin-scanner==${VERSION}
           \`\`\`

{plugin_scanner-2.0.2 → plugin_scanner-2.0.4}/.github/workflows/scorecard.yml

@@ -21,7 +21,7 @@ jobs:
           results_file: results.sarif
           results_format: sarif
           publish_results: true
-      - uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d
+      - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13
         with:
           sarif_file: results.sarif
         if: always()

{plugin_scanner-2.0.2 → plugin_scanner-2.0.4}/.gitignore

@@ -25,6 +25,12 @@ coverage/
 
 # Tooling
 .ruff_cache/
+dashboard/node_modules/
+dashboard/.vite/
+dashboard/dist/
+.guard-*/
+.guard-ui-review/
+.package-check/
 
 # IDE
 .idea/