plugin-scanner 2.0.61__tar.gz → 2.0.62__tar.gz

{plugin_scanner-2.0.61 → plugin_scanner-2.0.62}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.61
+Version: 2.0.62
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.61 → plugin_scanner-2.0.62}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.61"
+version = "2.0.62"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.61 → plugin_scanner-2.0.62}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.61"
+version = "2.0.62"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.61 → plugin_scanner-2.0.62}/src/codex_plugin_scanner/guard/adapters/claude_code.py

@@ -44,6 +44,7 @@ def _shell_command(command: tuple[str, ...], *, windows: bool | None = None) ->
 def _sync_runtime_hook_groups(hooks: dict[str, object], hook_command: str) -> None:
     for key, matcher, timeout in (
         ("PreToolUse", CLAUDE_GUARD_TOOL_MATCHER, CLAUDE_GUARD_TOOL_TIMEOUT_SECONDS),
+        ("PermissionRequest", CLAUDE_GUARD_TOOL_MATCHER, CLAUDE_GUARD_NOTIFICATION_TIMEOUT_SECONDS),
         ("PostToolUse", CLAUDE_GUARD_TOOL_MATCHER, CLAUDE_GUARD_TOOL_TIMEOUT_SECONDS),
         ("UserPromptSubmit", None, CLAUDE_GUARD_PROMPT_TIMEOUT_SECONDS),
         ("Notification", CLAUDE_GUARD_NOTIFICATION_MATCHER, CLAUDE_GUARD_NOTIFICATION_TIMEOUT_SECONDS),
@@ -486,6 +487,7 @@ class ClaudeCodeHarnessAdapter(HarnessAdapter):
     def _daemon_hook_command_parts(context: HarnessContext) -> tuple[str, ...]:
         fallback_daemon_url = load_guard_daemon_url(context.guard_home) or guard_daemon_url_for_home(context.guard_home)
         state_path = context.guard_home / "daemon-state.json"
+        fallback_command = ClaudeCodeHarnessAdapter._hook_command_parts(context)
         query: dict[str, str] = {"guard-home": str(context.guard_home)}
         if context.home_dir.resolve() != Path.home().resolve():
             query["home"] = str(context.home_dir)
@@ -496,9 +498,11 @@ class ClaudeCodeHarnessAdapter(HarnessAdapter):
             "void MARKER;"
             "const fs=require('fs');"
             "const http=require('http');"
+            "const cp=require('child_process');"
             "const {URL}=require('url');"
             f"const statePath={str(state_path)!r};"
             f"const fallbackUrl={fallback_daemon_url!r};"
+            f"const fallbackCommand={list(fallback_command)!r};"
             f"const query={urlencode(query)!r};"
             "function daemonUrl(){"
             "try{"
@@ -507,9 +511,41 @@ class ClaudeCodeHarnessAdapter(HarnessAdapter):
             "}catch(_error){}"
             "return fallbackUrl;"
             "}"
+            "function eventName(data){"
+            "try{const payload=JSON.parse(data||'{}');"
+            "return String(payload.hook_event_name||payload.event||'PreToolUse');}"
+            "catch(_error){return 'PreToolUse';}"
+            "}"
+            "function degraded(reason,data){"
+            "const event=eventName(data);"
+            "const message=`HOL Guard could not reach the local daemon (${reason}), so it is using Claude's native "
+            "approval prompt as a safety fallback.`;"
+            "if(event==='UserPromptSubmit'){return '';}"
+            "if(event==='PreToolUse'){return JSON.stringify({systemMessage:'HOL Guard opened this Claude approval "
+            "prompt because local daemon evaluation was unavailable.',hookSpecificOutput:{hookEventName:'PreToolUse',"
+            "permissionDecision:'ask',permissionDecisionReason:`${message} Choose Yes to allow it once, Yes during "
+            "this session to trust the same action for this session, or No to keep it blocked.`}});}"
+            "return '{}';"
+            "}"
+            "function shouldSuppressOutput(data,responseBody){"
+            "if(eventName(data)!=='UserPromptSubmit')return false;"
+            "const trimmed=(responseBody||'').trim();"
+            "return trimmed===''||trimmed==='{}';"
+            "}"
+            "function runLocalFallback(reason,data){"
+            "try{"
+            "const result=cp.spawnSync(fallbackCommand[0],fallbackCommand.slice(1),{input:data,encoding:'utf8',"
+            "timeout:30000,env:process.env});"
+            "if(result.error)return degraded(`${reason}; fallback failed: ${result.error.message}`,data);"
+            "if(result.status===0){"
+            "if(shouldSuppressOutput(data,result.stdout)){process.exit(0);}"
+            "process.stdout.write(result.stdout&&result.stdout.trim()?result.stdout:'{}');"
+            "process.exit(0);}"
+            "return degraded(`${reason}; fallback exited ${result.status}`,data);"
+            "}catch(error){return degraded(`${reason}; fallback crashed: ${error.message}`,data);}"
+            "}"
             "function fail(reason){"
-            "const message=`HOL Guard could not evaluate this action: ${reason}`;"
-            "process.stdout.write(JSON.stringify({decision:'block',reason:message}));"
+            "process.stdout.write(runLocalFallback(reason,body.trim()?body:'{}'));"
             "process.exit(0);"
             "}"
             "let body='';"
@@ -526,7 +562,9 @@ class ClaudeCodeHarnessAdapter(HarnessAdapter):
             "response.setEncoding('utf8');"
             "response.on('data',chunk=>{responseBody+=chunk;});"
             "response.on('end',()=>{"
-            "if(response.statusCode>=200&&response.statusCode<300){process.stdout.write(responseBody);process.exit(0);}"
+            "if(response.statusCode>=200&&response.statusCode<300){"
+            "if(shouldSuppressOutput(data,responseBody)){process.exit(0);}"
+            "process.stdout.write(responseBody);process.exit(0);}"
             "fail(`daemon returned HTTP ${response.statusCode||0}`);"
             "});"
             "});"
@@ -672,6 +710,7 @@ class ClaudeCodeHarnessAdapter(HarnessAdapter):
             for key in (
                 "SessionStart",
                 "PreToolUse",
+                "PermissionRequest",
                 "PostToolUse",
                 "UserPromptSubmit",
                 "Notification",

{plugin_scanner-2.0.61 → plugin_scanner-2.0.62}/src/codex_plugin_scanner/guard/cli/commands.py

@@ -1187,8 +1187,25 @@ def run_guard_command(
             guard_home=context.guard_home,
             workspace=runtime_workspace,
         )
+        if _is_claude_permission_request(args, payload):
+            notice = _peek_claude_permission_notice(store, payload)
+            if notice is None:
+                _emit_claude_permission_request_passthrough(output_stream=output_stream)
+                return 0
+            _mark_claude_pending_permission_prompt_seen(store=store, payload=payload, notice=notice)
+            _emit_native_hook_response(
+                harness=args.harness,
+                policy_action="require-reapproval",
+                event_name="PermissionRequest",
+                reason="HOL Guard is keeping Claude's native permission prompt open for user review.",
+                system_message=_claude_permission_prompt_system_message(payload=payload, notice=notice),
+                additional_context=_claude_permission_prompt_additional_context(notice),
+                output_stream=output_stream,
+            )
+            return 0
         if _is_claude_permission_prompt_notification(args, payload):
             notice = _load_claude_permission_notice(store, payload)
+            _mark_claude_pending_permission_prompt_seen(store=store, payload=payload, notice=notice)
             store.add_event(
                 "claude/permission_prompt",
                 {
@@ -1205,7 +1222,6 @@ def run_guard_command(
                 _emit_native_hook_notification_stderr(
                     _claude_permission_prompt_terminal_notice(payload=payload, notice=notice)
                 )
-                return 2
             _emit_native_hook_response(
                 harness=args.harness,
                 policy_action="allow",
@@ -1330,6 +1346,14 @@ def run_guard_command(
                 "risk_headline": incident["risk_headline"],
                 "path_summary": _runtime_requested_path(runtime_artifact),
             }
+            if (
+                _canonical_harness_name(args.harness) == "claude-code"
+                and event_name == "UserPromptSubmit"
+                and policy_action == "require-reapproval"
+                and not _prompt_requires_hard_block(runtime_artifact)
+                and (not getattr(args, "json", False) or output_stream is not None)
+            ):
+                return 0
             if policy_action in {"block", "sandbox-required", "require-reapproval"}:
                 native_reason = _runtime_artifact_native_reason(runtime_artifact, response_payload)
                 additional_context = _claude_prompt_additional_context(
@@ -1704,6 +1728,11 @@ def _should_emit_prequeue_native_hook_response(
     return output_stream is not None
 
 
+def _emit_claude_permission_request_passthrough(*, output_stream: TextIO | None = None) -> None:
+    if output_stream is not None:
+        output_stream.write("")
+
+
 def _claude_permission_notice_state_key(session_id: str, tool_name: str | None = None) -> str:
     if tool_name is not None:
         return f"claude_permission_notice:{session_id}:{tool_name}"
@@ -1812,6 +1841,46 @@ def _load_claude_permission_notice(store: GuardStore, payload: dict[str, object]
     return None
 
 
+def _peek_claude_permission_notice(store: GuardStore, payload: dict[str, object]) -> dict[str, object] | None:
+    session_id = _optional_string(payload.get("session_id"))
+    if session_id is None:
+        return None
+    tool_name = _claude_notification_tool_name(payload)
+    try:
+        persisted = store.get_sync_payload(_claude_permission_notice_state_key(session_id, tool_name))
+        if persisted is None and tool_name is not None:
+            persisted = store.get_sync_payload(_claude_permission_notice_state_key(session_id))
+    except (OSError, sqlite3.Error):
+        return None
+    return persisted if isinstance(persisted, dict) else None
+
+
+def _mark_claude_pending_permission_prompt_seen(
+    *,
+    store: GuardStore,
+    payload: dict[str, object],
+    notice: dict[str, object] | None,
+) -> None:
+    session_id = _optional_string(payload.get("session_id"))
+    artifact_id = _optional_string((notice or {}).get("artifact_id"))
+    if session_id is None or artifact_id is None:
+        return
+    pending_key = _claude_pending_permission_state_key(session_id, artifact_id)
+    try:
+        pending = store.get_sync_payload(pending_key)
+    except (OSError, sqlite3.Error):
+        return
+    if not isinstance(pending, dict):
+        return
+    updated = dict(pending)
+    updated["permission_prompt_seen"] = True
+    updated["permission_prompt_seen_at"] = _now()
+    try:
+        store.set_sync_payload(pending_key, updated, _now())
+    except (OSError, sqlite3.Error):
+        return
+
+
 def _load_claude_pending_permission(
     store: GuardStore,
     payload: dict[str, object],
@@ -1963,6 +2032,8 @@ def _persist_claude_pending_permission_denials(store: GuardStore, payload: dict[
             continue
         if not isinstance(pending, dict):
             continue
+        if pending.get("permission_prompt_seen") is not True:
+            continue
         artifact_id = _optional_string(pending.get("artifact_id"))
         artifact_hash_value = _optional_string(pending.get("artifact_hash"))
         if artifact_id is None or artifact_hash_value is None:
@@ -2019,6 +2090,10 @@ def _is_claude_permission_prompt_notification(args: argparse.Namespace, payload:
     )
 
 
+def _is_claude_permission_request(args: argparse.Namespace, payload: dict[str, object]) -> bool:
+    return _canonical_harness_name(args.harness) == "claude-code" and _hook_event_name(payload) == "PermissionRequest"
+
+
 def _claude_permission_prompt_system_message(
     *,
     payload: dict[str, object],
@@ -2377,7 +2452,7 @@ def _emit_native_hook_response(
         if payload:
             _write_json_line(payload, output_stream=output_stream)
         return
-    if event_name == "Notification":
+    if event_name in {"Notification", "PermissionRequest"}:
         if additional_context:
             payload["hookSpecificOutput"] = {
                 "hookEventName": event_name,

{plugin_scanner-2.0.61 → plugin_scanner-2.0.62}/src/codex_plugin_scanner/version.py

@@ -1,3 +1,3 @@
 """Single source of truth for tool version."""
 
-__version__ = "2.0.61"
+__version__ = "2.0.62"

{plugin_scanner-2.0.61 → plugin_scanner-2.0.62}/tests/test_guard_claude_adapter.py

@@ -47,7 +47,7 @@ def _runtime_hook_handlers(payload: dict[str, object]) -> list[dict[str, object]
     hooks = payload["hooks"]
     assert isinstance(hooks, dict)
     handlers: list[dict[str, object]] = []
-    for key in ("PreToolUse", "PostToolUse", "UserPromptSubmit", "Notification", "Stop"):
+    for key in ("PreToolUse", "PermissionRequest", "PostToolUse", "UserPromptSubmit", "Notification", "Stop"):
         entries = hooks[key]
         assert isinstance(entries, list)
         for entry in entries:
@@ -144,6 +144,7 @@ def test_claude_install_writes_session_start_and_command_hook_schema_and_is_idem
     payload = json.loads(settings_path.read_text(encoding="utf-8"))
     session_start = payload["hooks"]["SessionStart"]
     pre_tool_use = payload["hooks"]["PreToolUse"]
+    permission_request = payload["hooks"]["PermissionRequest"]
     post_tool_use = payload["hooks"]["PostToolUse"]
     prompt_submit = payload["hooks"]["UserPromptSubmit"]
     notification = payload["hooks"]["Notification"]
@@ -157,6 +158,10 @@ def test_claude_install_writes_session_start_and_command_hook_schema_and_is_idem
     assert CLAUDE_GUARD_DAEMON_HOOK_MARKER in pre_tool_use[0]["hooks"][0]["command"]
     assert "url" not in pre_tool_use[0]["hooks"][0]
     assert pre_tool_use[0]["hooks"][0]["timeout"] == 30
+    assert len(permission_request) == 1
+    assert permission_request[0]["matcher"] == "Bash|Read|Write|Edit|MultiEdit|WebFetch|WebSearch|mcp__.*"
+    assert permission_request[0]["hooks"][0]["type"] == "command"
+    assert permission_request[0]["hooks"][0]["timeout"] == 10
     assert len(post_tool_use) == 1
     assert post_tool_use[0]["hooks"][0]["type"] == "command"
     assert len(prompt_submit) == 1
@@ -249,6 +254,7 @@ def test_claude_install_replaces_legacy_http_guard_hooks(tmp_path):
         "command",
         "command",
         "command",
+        "command",
     ]
     assert all(CLAUDE_GUARD_DAEMON_HOOK_MARKER in str(handler.get("command", "")) for handler in installed_handlers)
     assert all("url" not in handler for handler in installed_handlers)
@@ -365,12 +371,60 @@ def test_claude_daemon_hook_command_survives_shell_execution(tmp_path):
         check=False,
     )
 
+    assert result.returncode == 0
+    assert result.stderr == ""
+    assert result.stdout == ""
+
+
+def test_claude_daemon_hook_command_falls_back_without_blocking_prompt_on_daemon_miss(tmp_path):
+    context = _build_context(tmp_path)
+    adapter = ClaudeCodeHarnessAdapter()
+    command = adapter._daemon_hook_command(context)
+
+    result = subprocess.run(
+        ["/bin/sh", "-c", command],
+        input=json.dumps(
+            {
+                "hook_event_name": "UserPromptSubmit",
+                "prompt": "Use the Read tool to open ./.env and print the full file contents exactly.",
+            }
+        ),
+        text=True,
+        capture_output=True,
+        timeout=5,
+        check=False,
+    )
+    assert result.returncode == 0
+    assert result.stderr == ""
+    assert result.stdout == ""
+
+
+def test_claude_daemon_hook_command_falls_back_to_native_ask_on_daemon_miss(tmp_path):
+    context = _build_context(tmp_path)
+    adapter = ClaudeCodeHarnessAdapter()
+    command = adapter._daemon_hook_command(context)
+
+    result = subprocess.run(
+        ["/bin/sh", "-c", command],
+        input=json.dumps(
+            {
+                "hook_event_name": "PreToolUse",
+                "tool_name": "Read",
+                "tool_input": {"file_path": str(context.workspace_dir / ".env")},
+            }
+        ),
+        text=True,
+        capture_output=True,
+        timeout=5,
+        check=False,
+    )
     payload = json.loads(result.stdout)
 
     assert result.returncode == 0
     assert result.stderr == ""
-    assert payload["decision"] == "block"
-    assert "HOL Guard could not evaluate this action" in payload["reason"]
+    assert payload["hookSpecificOutput"]["hookEventName"] == "PreToolUse"
+    assert payload["hookSpecificOutput"]["permissionDecision"] == "ask"
+    assert "HOL Guard" in payload["hookSpecificOutput"]["permissionDecisionReason"]
 
 
 def test_claude_install_replaces_prior_session_start_guard_handlers_when_context_changes(tmp_path):

{plugin_scanner-2.0.61 → plugin_scanner-2.0.62}/tests/test_guard_runtime.py

@@ -4317,6 +4317,21 @@ def test_guard_hook_claude_stop_persists_unapproved_native_prompt_as_denied(tmp_
         capsys=capsys,
         monkeypatch=monkeypatch,
     )
+    notification_rc, notification_output = _run_guard_hook(
+        home_dir=home_dir,
+        workspace_dir=workspace_dir,
+        harness="claude-code",
+        event={
+            "session_id": "session-claude-deny",
+            "hook_event_name": "Notification",
+            "notification_type": "permission_prompt",
+            "title": "Permission needed",
+            "message": "Claude needs your permission to use Read",
+            "tool_name": "Read",
+        },
+        capsys=capsys,
+        monkeypatch=monkeypatch,
+    )
     stop_rc, stop_output = _run_guard_hook(
         home_dir=home_dir,
         workspace_dir=workspace_dir,
@@ -4338,6 +4353,8 @@ def test_guard_hook_claude_stop_persists_unapproved_native_prompt_as_denied(tmp_
 
     assert first_rc == 0
     assert first_payload["hookSpecificOutput"]["permissionDecision"] == "ask"
+    assert notification_rc == 0
+    assert "HOL Guard intercepted Claude's attempt to use Read" in json.loads(notification_output)["systemMessage"]
     assert stop_rc == 0
     assert stop_output == ""
     assert second_rc == 0
@@ -4345,6 +4362,59 @@ def test_guard_hook_claude_stop_persists_unapproved_native_prompt_as_denied(tmp_
     assert "HOL Guard blocked Claude's attempt to use Read" in second_payload["systemMessage"]
 
 
+def test_guard_hook_claude_stop_does_not_persist_denial_without_visible_prompt(
+    tmp_path,
+    capsys,
+    monkeypatch,
+):
+    home_dir = tmp_path / "home"
+    workspace_dir = tmp_path / "workspace"
+    _build_guard_fixture(home_dir, workspace_dir)
+    first_event = {
+        "session_id": "session-claude-headless",
+        "hook_event_name": "PreToolUse",
+        "tool_name": "Read",
+        "tool_input": {"file_path": str(workspace_dir / ".env")},
+        "source_scope": "project",
+    }
+    monkeypatch.setattr(guard_commands_module, "ensure_guard_daemon", lambda _guard_home: "http://127.0.0.1:4455")
+
+    first_rc, first_output = _run_guard_hook(
+        home_dir=home_dir,
+        workspace_dir=workspace_dir,
+        harness="claude-code",
+        event=first_event,
+        capsys=capsys,
+        monkeypatch=monkeypatch,
+    )
+    stop_rc, stop_output = _run_guard_hook(
+        home_dir=home_dir,
+        workspace_dir=workspace_dir,
+        harness="claude-code",
+        event={"session_id": "session-claude-headless", "hook_event_name": "Stop", "stop_hook_active": False},
+        capsys=capsys,
+        monkeypatch=monkeypatch,
+    )
+    second_rc, second_output = _run_guard_hook(
+        home_dir=home_dir,
+        workspace_dir=workspace_dir,
+        harness="claude-code",
+        event={**first_event, "session_id": "session-claude-headless-next"},
+        capsys=capsys,
+        monkeypatch=monkeypatch,
+    )
+    first_payload = json.loads(first_output)
+    second_payload = json.loads(second_output)
+
+    assert first_rc == 0
+    assert first_payload["hookSpecificOutput"]["permissionDecision"] == "ask"
+    assert stop_rc == 0
+    assert stop_output == ""
+    assert second_rc == 0
+    assert second_payload["hookSpecificOutput"]["permissionDecision"] == "ask"
+    assert "HOL Guard intercepted Claude's attempt to use Read" in second_payload["systemMessage"]
+
+
 def test_guard_hook_emits_claude_native_ask_response_for_claude_alias(tmp_path, capsys, monkeypatch):
     home_dir = tmp_path / "home"
     workspace_dir = tmp_path / "workspace"
@@ -4521,15 +4591,9 @@ def test_guard_hook_brands_claude_user_prompt_submit_before_native_approval(
         monkeypatch=monkeypatch,
     )
     receipts = GuardStore(home_dir).list_receipts()
-    payload = json.loads(output)
-    hook_output = payload["hookSpecificOutput"]
 
     assert rc == 0
-    assert "decision" not in payload
-    assert "HOL Guard intercepted this prompt" in payload["systemMessage"]
-    assert hook_output["hookEventName"] == "UserPromptSubmit"
-    assert "HOL Guard intercepted Claude's next attempt to access local secrets" in hook_output["additionalContext"]
-    assert "approval dialog" in hook_output["additionalContext"]
+    assert output == ""
     assert any(receipt["artifact_id"].startswith("claude-code:session:prompt") for receipt in receipts)
 
 
@@ -4554,15 +4618,9 @@ def test_guard_hook_brands_generic_claude_user_prompt_submit_before_native_appro
         capsys=capsys,
         monkeypatch=monkeypatch,
     )
-    payload = json.loads(output)
-    hook_output = payload["hookSpecificOutput"]
 
     assert rc == 0
-    assert "decision" not in payload
-    assert "HOL Guard intercepted this prompt" in payload["systemMessage"]
-    assert hook_output["hookEventName"] == "UserPromptSubmit"
-    assert "HOL Guard intercepted Claude's next sensitive action" in hook_output["additionalContext"]
-    assert "approval dialog" in hook_output["additionalContext"]
+    assert output == ""
 
 
 def test_guard_hook_emits_json_for_claude_user_prompt_submit_overridable_prompts(
@@ -4634,7 +4692,11 @@ def test_guard_hook_emits_claude_user_prompt_submit_block_reason_without_continu
     assert "blocked this prompt" in output["reason"].lower()
 
 
-def test_guard_hook_emits_claude_user_prompt_submit_block_response(tmp_path, capsys, monkeypatch):
+def test_guard_hook_hard_blocks_claude_user_prompt_submit_bypass(
+    tmp_path,
+    capsys,
+    monkeypatch,
+):
     home_dir = tmp_path / "home"
     workspace_dir = tmp_path / "workspace"
     _build_guard_fixture(home_dir, workspace_dir)
@@ -4783,11 +4845,87 @@ def test_guard_hook_emits_claude_notification_notice_for_permission_prompt(tmp_p
 
     assert pre_tool_rc == 0
     assert pre_tool_output["hookSpecificOutput"]["permissionDecision"] == "ask"
-    assert notification_rc == 2
-    assert notification_capture.out == ""
+    notification_payload = json.loads(notification_capture.out)
+
+    assert notification_rc == 0
     assert "HOL Guard opened this Claude approval prompt for Read." in notification_capture.err
     assert "protect your local secrets" in notification_capture.err
-    assert "choose Yes, Yes during this session, or No" in notification_capture.err
+    assert "HOL Guard intercepted Claude's attempt to use Read" in notification_payload["systemMessage"]
+    assert "came from HOL Guard, not from Claude alone" in notification_payload["systemMessage"]
+    assert "Yes during this session" in notification_payload["systemMessage"]
+    assert "No to keep the sensitive action blocked" in notification_payload["systemMessage"]
+
+
+def test_guard_hook_emits_claude_permission_request_attribution_without_decision(
+    tmp_path,
+    capsys,
+    monkeypatch,
+):
+    home_dir = tmp_path / "home"
+    workspace_dir = tmp_path / "workspace"
+    _build_guard_fixture(home_dir, workspace_dir)
+    pre_tool_event = {
+        "session_id": "session-claude-permission-request",
+        "hook_event_name": "PreToolUse",
+        "tool_name": "Read",
+        "tool_input": {"file_path": str(workspace_dir / ".env")},
+        "source_scope": "project",
+    }
+    monkeypatch.setattr(guard_commands_module, "ensure_guard_daemon", lambda _guard_home: "http://127.0.0.1:4455")
+    pre_tool_rc, pre_tool_output = _run_guard_hook(
+        home_dir=home_dir,
+        workspace_dir=workspace_dir,
+        harness="claude-code",
+        event=pre_tool_event,
+        capsys=capsys,
+        monkeypatch=monkeypatch,
+    )
+
+    permission_rc, permission_output = _run_guard_hook(
+        home_dir=home_dir,
+        workspace_dir=workspace_dir,
+        harness="claude-code",
+        event={**pre_tool_event, "hook_event_name": "PermissionRequest"},
+        capsys=capsys,
+        monkeypatch=monkeypatch,
+    )
+    permission_payload = json.loads(permission_output)
+
+    assert pre_tool_rc == 0
+    assert json.loads(pre_tool_output)["hookSpecificOutput"]["permissionDecision"] == "ask"
+    assert permission_rc == 0
+    assert "HOL Guard intercepted Claude's attempt to use Read" in permission_payload["systemMessage"]
+    assert "came from HOL Guard, not from Claude alone" in permission_payload["systemMessage"]
+    assert permission_payload["hookSpecificOutput"]["hookEventName"] == "PermissionRequest"
+    assert "decision" not in permission_payload["hookSpecificOutput"]
+
+
+def test_guard_hook_ignores_unattributed_claude_permission_request(
+    tmp_path,
+    capsys,
+    monkeypatch,
+):
+    home_dir = tmp_path / "home"
+    workspace_dir = tmp_path / "workspace"
+    _build_guard_fixture(home_dir, workspace_dir)
+
+    rc, output = _run_guard_hook(
+        home_dir=home_dir,
+        workspace_dir=workspace_dir,
+        harness="claude-code",
+        event={
+            "session_id": "session-claude-unattributed-permission-request",
+            "hook_event_name": "PermissionRequest",
+            "tool_name": "Read",
+            "tool_input": {"file_path": str(workspace_dir / "README.md")},
+            "source_scope": "project",
+        },
+        capsys=capsys,
+        monkeypatch=monkeypatch,
+    )
+
+    assert rc == 0
+    assert output == ""
 
 
 def test_guard_hook_emits_claude_native_ask_for_sensitive_file_reads(

{plugin_scanner-2.0.61 → plugin_scanner-2.0.62}/tests/test_guard_surface_server.py

@@ -251,18 +251,9 @@ class TestGuardSurfaceServer:
         finally:
             daemon.stop()
 
-        assert "decision" not in hook_payload
-        assert "HOL Guard intercepted this prompt" in hook_payload["systemMessage"]
-        assert hook_payload["hookSpecificOutput"]["hookEventName"] == "UserPromptSubmit"
-        assert (
-            "HOL Guard intercepted Claude's next attempt to access local secrets"
-            in hook_payload["hookSpecificOutput"]["additionalContext"]
-        )
-        assert "approval dialog" in hook_payload["hookSpecificOutput"]["additionalContext"]
+        assert hook_payload == {}
 
-    def test_guard_daemon_claude_hook_endpoint_returns_native_user_prompt_submit_block(
-        self, tmp_path
-    ) -> None:
+    def test_guard_daemon_claude_hook_endpoint_blocks_guard_bypass_user_prompt_submit(self, tmp_path) -> None:
         home_dir = tmp_path / "home"
         workspace_dir = tmp_path / "workspace"
         workspace_dir.mkdir(parents=True, exist_ok=True)
@@ -291,10 +282,7 @@ class TestGuardSurfaceServer:
             daemon.stop()
 
         assert hook_payload["decision"] == "block"
-        assert (
-            hook_payload["reason"]
-            == "HOL Guard blocked this prompt because it asks to bypass or disable Guard."
-        )
+        assert "bypass" in hook_payload["reason"].lower() or "disable" in hook_payload["reason"].lower()
 
     def test_guard_daemon_background_start_auto_stops_after_idle_timeout(self, tmp_path) -> None:
         guard_home = tmp_path / "pytest-of-user" / "guard-home"