plugin-scanner 2.0.61__tar.gz → 2.0.63__tar.gz

{plugin_scanner-2.0.61 → plugin_scanner-2.0.63}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.61
+Version: 2.0.63
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.61 → plugin_scanner-2.0.63}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.61"
+version = "2.0.63"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.61 → plugin_scanner-2.0.63}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.61"
+version = "2.0.63"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.61 → plugin_scanner-2.0.63}/src/codex_plugin_scanner/guard/adapters/claude_code.py

@@ -19,6 +19,7 @@ from ..shims import install_guard_shim, remove_guard_shim
 from .base import HarnessAdapter, HarnessContext, _ensure_path_within_root, _json_payload, _run_command_probe
 
 CLAUDE_GUARD_TOOL_MATCHER = "Bash|Read|Write|Edit|MultiEdit|WebFetch|WebSearch|mcp__.*"
+CLAUDE_GUARD_POST_TOOL_MATCHER = f"{CLAUDE_GUARD_TOOL_MATCHER}|AskUserQuestion"
 CLAUDE_GUARD_NOTIFICATION_MATCHER = "permission_prompt"
 CLAUDE_GUARD_SESSION_START_MATCHERS = ("startup", "resume", "clear", "compact")
 CLAUDE_GUARD_TOOL_TIMEOUT_SECONDS = 30
@@ -44,7 +45,8 @@ def _shell_command(command: tuple[str, ...], *, windows: bool | None = None) ->
 def _sync_runtime_hook_groups(hooks: dict[str, object], hook_command: str) -> None:
     for key, matcher, timeout in (
         ("PreToolUse", CLAUDE_GUARD_TOOL_MATCHER, CLAUDE_GUARD_TOOL_TIMEOUT_SECONDS),
-        ("PostToolUse", CLAUDE_GUARD_TOOL_MATCHER, CLAUDE_GUARD_TOOL_TIMEOUT_SECONDS),
+        ("PermissionRequest", CLAUDE_GUARD_TOOL_MATCHER, CLAUDE_GUARD_NOTIFICATION_TIMEOUT_SECONDS),
+        ("PostToolUse", CLAUDE_GUARD_POST_TOOL_MATCHER, CLAUDE_GUARD_TOOL_TIMEOUT_SECONDS),
         ("UserPromptSubmit", None, CLAUDE_GUARD_PROMPT_TIMEOUT_SECONDS),
         ("Notification", CLAUDE_GUARD_NOTIFICATION_MATCHER, CLAUDE_GUARD_NOTIFICATION_TIMEOUT_SECONDS),
         ("Stop", None, CLAUDE_GUARD_STOP_TIMEOUT_SECONDS),
@@ -486,6 +488,7 @@ class ClaudeCodeHarnessAdapter(HarnessAdapter):
     def _daemon_hook_command_parts(context: HarnessContext) -> tuple[str, ...]:
         fallback_daemon_url = load_guard_daemon_url(context.guard_home) or guard_daemon_url_for_home(context.guard_home)
         state_path = context.guard_home / "daemon-state.json"
+        fallback_command = ClaudeCodeHarnessAdapter._hook_command_parts(context)
         query: dict[str, str] = {"guard-home": str(context.guard_home)}
         if context.home_dir.resolve() != Path.home().resolve():
             query["home"] = str(context.home_dir)
@@ -496,9 +499,11 @@ class ClaudeCodeHarnessAdapter(HarnessAdapter):
             "void MARKER;"
             "const fs=require('fs');"
             "const http=require('http');"
+            "const cp=require('child_process');"
             "const {URL}=require('url');"
             f"const statePath={str(state_path)!r};"
             f"const fallbackUrl={fallback_daemon_url!r};"
+            f"const fallbackCommand={list(fallback_command)!r};"
             f"const query={urlencode(query)!r};"
             "function daemonUrl(){"
             "try{"
@@ -507,9 +512,42 @@ class ClaudeCodeHarnessAdapter(HarnessAdapter):
             "}catch(_error){}"
             "return fallbackUrl;"
             "}"
+            "function eventName(data){"
+            "try{const payload=JSON.parse(data||'{}');"
+            "return String(payload.hook_event_name||payload.event||'PreToolUse');}"
+            "catch(_error){return 'PreToolUse';}"
+            "}"
+            "function degraded(reason,data){"
+            "const event=eventName(data);"
+            "const message=`HOL Guard could not reach the local daemon (${reason}), so it is using Claude's native "
+            "approval prompt as a temporary safety fallback.`;"
+            "if(event==='UserPromptSubmit'){return '';}"
+            "if(event==='PreToolUse'){return JSON.stringify({systemMessage:'HOL Guard could not reach the local "
+            "daemon, so it cannot render the full HOL Guard approval flow.',hookSpecificOutput:{"
+            "hookEventName:'PreToolUse',permissionDecision:'ask',permissionDecisionReason:`${message} Keep this "
+            "action blocked unless you intentionally trust it. Restart Guard to restore the branded Allow once / "
+            "Allow during this session / Keep blocked flow.`}});}"
+            "return '{}';"
+            "}"
+            "function shouldSuppressOutput(data,responseBody){"
+            "if(eventName(data)!=='UserPromptSubmit')return false;"
+            "const trimmed=(responseBody||'').trim();"
+            "return trimmed===''||trimmed==='{}';"
+            "}"
+            "function runLocalFallback(reason,data){"
+            "try{"
+            "const result=cp.spawnSync(fallbackCommand[0],fallbackCommand.slice(1),{input:data,encoding:'utf8',"
+            "timeout:30000,env:process.env});"
+            "if(result.error)return degraded(`${reason}; fallback failed: ${result.error.message}`,data);"
+            "if(result.status===0){"
+            "if(shouldSuppressOutput(data,result.stdout)){process.exit(0);}"
+            "process.stdout.write(result.stdout&&result.stdout.trim()?result.stdout:'{}');"
+            "process.exit(0);}"
+            "return degraded(`${reason}; fallback exited ${result.status}`,data);"
+            "}catch(error){return degraded(`${reason}; fallback crashed: ${error.message}`,data);}"
+            "}"
             "function fail(reason){"
-            "const message=`HOL Guard could not evaluate this action: ${reason}`;"
-            "process.stdout.write(JSON.stringify({decision:'block',reason:message}));"
+            "process.stdout.write(runLocalFallback(reason,body.trim()?body:'{}'));"
             "process.exit(0);"
             "}"
             "let body='';"
@@ -526,7 +564,9 @@ class ClaudeCodeHarnessAdapter(HarnessAdapter):
             "response.setEncoding('utf8');"
             "response.on('data',chunk=>{responseBody+=chunk;});"
             "response.on('end',()=>{"
-            "if(response.statusCode>=200&&response.statusCode<300){process.stdout.write(responseBody);process.exit(0);}"
+            "if(response.statusCode>=200&&response.statusCode<300){"
+            "if(shouldSuppressOutput(data,responseBody)){process.exit(0);}"
+            "process.stdout.write(responseBody);process.exit(0);}"
             "fail(`daemon returned HTTP ${response.statusCode||0}`);"
             "});"
             "});"
@@ -672,6 +712,7 @@ class ClaudeCodeHarnessAdapter(HarnessAdapter):
             for key in (
                 "SessionStart",
                 "PreToolUse",
+                "PermissionRequest",
                 "PostToolUse",
                 "UserPromptSubmit",
                 "Notification",

{plugin_scanner-2.0.61 → plugin_scanner-2.0.63}/src/codex_plugin_scanner/guard/cli/commands.py

@@ -1187,8 +1187,25 @@ def run_guard_command(
             guard_home=context.guard_home,
             workspace=runtime_workspace,
         )
+        if _is_claude_permission_request(args, payload):
+            notice = _peek_claude_permission_notice(store, payload)
+            if notice is None:
+                _emit_claude_permission_request_passthrough(output_stream=output_stream)
+                return 0
+            _mark_claude_pending_permission_prompt_seen(store=store, payload=payload, notice=notice)
+            _emit_native_hook_response(
+                harness=args.harness,
+                policy_action="block",
+                event_name="PermissionRequest",
+                reason="HOL Guard is routing this approval through AskUserQuestion.",
+                system_message=_claude_permission_prompt_system_message(payload=payload, notice=notice),
+                additional_context=_claude_guard_approval_question_message(notice),
+                output_stream=output_stream,
+            )
+            return 0
         if _is_claude_permission_prompt_notification(args, payload):
             notice = _load_claude_permission_notice(store, payload)
+            _mark_claude_pending_permission_prompt_seen(store=store, payload=payload, notice=notice)
             store.add_event(
                 "claude/permission_prompt",
                 {
@@ -1205,12 +1222,11 @@ def run_guard_command(
                 _emit_native_hook_notification_stderr(
                     _claude_permission_prompt_terminal_notice(payload=payload, notice=notice)
                 )
-                return 2
             _emit_native_hook_response(
                 harness=args.harness,
                 policy_action="allow",
                 event_name="Notification",
-                reason="HOL Guard intercepted the tool request and opened this Claude approval prompt.",
+                reason="HOL Guard intercepted the tool request and is routing it through a HOL Guard approval prompt.",
                 system_message=system_message,
                 additional_context=additional_context,
                 output_stream=output_stream,
@@ -1224,6 +1240,10 @@ def run_guard_command(
                 _now(),
             )
             return 0
+        if _canonical_harness_name(args.harness) == "claude-code" and _persist_claude_guard_question_decision(
+            store, payload
+        ):
+            return 0
         if runtime_artifact is not None:
             event_name = _hook_event_name(payload) or "PreToolUse"
             runtime_artifact_hash = artifact_hash(runtime_artifact)
@@ -1704,6 +1724,11 @@ def _should_emit_prequeue_native_hook_response(
     return output_stream is not None
 
 
+def _emit_claude_permission_request_passthrough(*, output_stream: TextIO | None = None) -> None:
+    if output_stream is not None:
+        output_stream.write("")
+
+
 def _claude_permission_notice_state_key(session_id: str, tool_name: str | None = None) -> str:
     if tool_name is not None:
         return f"claude_permission_notice:{session_id}:{tool_name}"
@@ -1812,6 +1837,82 @@ def _load_claude_permission_notice(store: GuardStore, payload: dict[str, object]
     return None
 
 
+def _peek_claude_permission_notice(store: GuardStore, payload: dict[str, object]) -> dict[str, object] | None:
+    session_id = _optional_string(payload.get("session_id"))
+    if session_id is None:
+        return None
+    tool_name = _claude_notification_tool_name(payload)
+    try:
+        persisted = store.get_sync_payload(_claude_permission_notice_state_key(session_id, tool_name))
+        if persisted is None and tool_name is not None:
+            persisted = store.get_sync_payload(_claude_permission_notice_state_key(session_id))
+    except (OSError, sqlite3.Error):
+        return None
+    return persisted if isinstance(persisted, dict) else None
+
+
+def _mark_claude_pending_permission_prompt_seen(
+    *,
+    store: GuardStore,
+    payload: dict[str, object],
+    notice: dict[str, object] | None,
+) -> None:
+    session_id = _optional_string(payload.get("session_id"))
+    artifact_id = _optional_string((notice or {}).get("artifact_id"))
+    if session_id is None or artifact_id is None:
+        return
+    pending_key = _claude_pending_permission_state_key(session_id, artifact_id)
+    try:
+        pending = store.get_sync_payload(pending_key)
+    except (OSError, sqlite3.Error):
+        return
+    if not isinstance(pending, dict):
+        return
+    updated = dict(pending)
+    updated["permission_prompt_seen"] = True
+    updated["permission_prompt_seen_at"] = _now()
+    try:
+        store.set_sync_payload(pending_key, updated, _now())
+    except (OSError, sqlite3.Error):
+        return
+
+
+def _load_single_claude_pending_permission(
+    store: GuardStore,
+    payload: dict[str, object],
+) -> tuple[str, dict[str, object]] | None:
+    session_id = _optional_string(payload.get("session_id"))
+    if session_id is None:
+        return None
+    try:
+        index_payload = store.get_sync_payload(_claude_pending_permission_index_key(session_id))
+    except (OSError, sqlite3.Error):
+        return None
+    if not isinstance(index_payload, list):
+        return None
+    pending_keys = [str(item) for item in index_payload]
+    pending_items: list[tuple[str, dict[str, object]]] = []
+    for pending_key in pending_keys:
+        try:
+            pending = store.get_sync_payload(pending_key)
+        except (OSError, sqlite3.Error):
+            continue
+        if isinstance(pending, dict):
+            pending_items.append((pending_key, pending))
+    prompt_seen_items = [item for item in pending_items if item[1].get("permission_prompt_seen") is True]
+    if len(prompt_seen_items) == 1:
+        return prompt_seen_items[0]
+    if len(pending_items) != 1:
+        return None
+    try:
+        pending = store.get_sync_payload(pending_items[0][0])
+    except (OSError, sqlite3.Error):
+        return None
+    if not isinstance(pending, dict):
+        return None
+    return pending_items[0][0], pending
+
+
 def _load_claude_pending_permission(
     store: GuardStore,
     payload: dict[str, object],
@@ -1869,6 +1970,7 @@ def _persist_claude_native_permission_policy(
     action: str,
     reason: str,
     now: str,
+    source: str = "claude-native-approval",
 ) -> bool:
     try:
         store.upsert_policy(
@@ -1879,7 +1981,7 @@ def _persist_claude_native_permission_policy(
                 artifact_id=artifact_id,
                 artifact_hash=artifact_hash,
                 reason=reason,
-                source="claude-native-approval",
+                source=source,
             ),
             now,
         )
@@ -1963,6 +2065,8 @@ def _persist_claude_pending_permission_denials(store: GuardStore, payload: dict[
             continue
         if not isinstance(pending, dict):
             continue
+        if pending.get("permission_prompt_seen") is not True:
+            continue
         artifact_id = _optional_string(pending.get("artifact_id"))
         artifact_hash_value = _optional_string(pending.get("artifact_hash"))
         if artifact_id is None or artifact_hash_value is None:
@@ -2011,6 +2115,106 @@ def _persist_claude_pending_permission_denials(store: GuardStore, payload: dict[
     return denied
 
 
+def _claude_guard_approval_question_message(notice: dict[str, object] | None) -> str:
+    tool_name = _optional_string((notice or {}).get("tool_name")) or "this tool"
+    reason = _optional_string((notice or {}).get("reason"))
+    reason_text = f" HOL Guard reason: {_ensure_terminal_punctuation(reason)}" if reason is not None else ""
+    return (
+        f"HOL Guard needs the user's explicit decision before {tool_name} can run.{reason_text} "
+        "The native Claude permission prompt is not the final decision surface for this request. Call "
+        "AskUserQuestion now with one HOL Guard approval question before retrying the tool. Use header "
+        "'HOL Guard', question 'HOL Guard intercepted this sensitive action. What should Claude do?', and exactly "
+        "these options: 'Allow once', 'Allow during this session', and 'Keep blocked'. If the user chooses an "
+        "allow option, retry the same tool once. If the user chooses Keep blocked, do not retry the sensitive "
+        "action."
+    )
+
+
+def _is_claude_guard_approval_question(payload: dict[str, object]) -> bool:
+    if _hook_event_name(payload) != "PostToolUse":
+        return False
+    tool_name = _optional_string(payload.get("tool_name"))
+    if tool_name is None or tool_name.lower() != "askuserquestion":
+        return False
+    combined = json.dumps(
+        {
+            "tool_input": payload.get("tool_input"),
+            "tool_response": payload.get("tool_response"),
+        },
+        sort_keys=True,
+        default=str,
+    ).lower()
+    return "hol guard" in combined and (
+        "allow once" in combined or "allow during this session" in combined or "keep blocked" in combined
+    )
+
+
+def _claude_guard_approval_answer(payload: dict[str, object]) -> str | None:
+    response = payload.get("tool_response")
+    answer_text: str | None = None
+    if isinstance(response, dict):
+        answers = response.get("answers")
+        if isinstance(answers, dict):
+            joined_answers = " ".join(str(answer) for answer in answers.values() if str(answer).strip())
+            if joined_answers:
+                answer_text = joined_answers
+        if answer_text is None:
+            for key in ("answer", "selected_answer", "selected", "choice", "value", "label"):
+                value = response.get(key)
+                if isinstance(value, str) and value.strip():
+                    answer_text = value
+                    break
+        if answer_text is None and "questions" not in response and "options" not in response:
+            content = response.get("content")
+            if isinstance(content, str) and content.strip():
+                answer_text = content
+    elif isinstance(response, str) and response.strip():
+        answer_text = response
+    if answer_text is None:
+        return None
+    normalized_answer = answer_text.lower()
+    if "keep blocked" in normalized_answer:
+        return "block"
+    if "allow during this session" in normalized_answer or "allow once" in normalized_answer:
+        return "allow"
+    return None
+
+
+def _persist_claude_guard_question_decision(store: GuardStore, payload: dict[str, object]) -> bool:
+    if not _is_claude_guard_approval_question(payload):
+        return False
+    action = _claude_guard_approval_answer(payload)
+    if action is None:
+        return False
+    pending_pair = _load_single_claude_pending_permission(store, payload)
+    if pending_pair is None:
+        return False
+    pending_key, pending = pending_pair
+    artifact_id = _optional_string(pending.get("artifact_id"))
+    artifact_hash_value = _optional_string(pending.get("artifact_hash"))
+    if artifact_id is None or artifact_hash_value is None:
+        return False
+    saved = _persist_claude_native_permission_policy(
+        store=store,
+        artifact_id=artifact_id,
+        artifact_hash=artifact_hash_value,
+        action=action,
+        reason=(
+            "Allowed through HOL Guard AskUserQuestion approval."
+            if action == "allow"
+            else "Blocked through HOL Guard AskUserQuestion approval."
+        ),
+        now=_now(),
+        source="claude-ask-user-question",
+    )
+    if not saved:
+        return False
+    session_id = _optional_string(payload.get("session_id"))
+    if session_id is not None:
+        _remove_claude_pending_permission(store, session_id=session_id, pending_key=pending_key)
+    return True
+
+
 def _is_claude_permission_prompt_notification(args: argparse.Namespace, payload: dict[str, object]) -> bool:
     return (
         _canonical_harness_name(args.harness) == "claude-code"
@@ -2019,6 +2223,10 @@ def _is_claude_permission_prompt_notification(args: argparse.Namespace, payload:
     )
 
 
+def _is_claude_permission_request(args: argparse.Namespace, payload: dict[str, object]) -> bool:
+    return _canonical_harness_name(args.harness) == "claude-code" and _hook_event_name(payload) == "PermissionRequest"
+
+
 def _claude_permission_prompt_system_message(
     *,
     payload: dict[str, object],
@@ -2028,20 +2236,23 @@ def _claude_permission_prompt_system_message(
     if tool_name is None and notice is not None:
         tool_name = _optional_string(notice.get("tool_name"))
     reason = _optional_string(notice.get("reason")) if notice is not None else None
-    intro = "HOL Guard intercepted a sensitive request and opened this Claude approval prompt."
+    intro = "HOL Guard intercepted a sensitive request and is routing it to a HOL Guard approval question."
     if tool_name is not None:
-        intro = f"HOL Guard intercepted Claude's attempt to use {tool_name} and opened this approval prompt."
+        intro = (
+            f"HOL Guard intercepted Claude's attempt to use {tool_name} and is routing it to a HOL Guard approval "
+            "question."
+        )
     if reason is not None:
         return (
-            f"{intro} This approval dialog came from HOL Guard, not from Claude alone. "
+            f"{intro} This approval flow came from HOL Guard, not from Claude alone. "
             f"{_ensure_terminal_punctuation(reason)} "
-            "Use the Claude choices below: Yes to allow it once, Yes during this session to trust the same action "
-            "for the rest of this session, or No to keep the sensitive action blocked."
+            "HOL Guard will ask the user to choose Allow once, Allow during this session, or Keep blocked before "
+            "Claude retries the action."
         )
     return (
-        f"{intro} This approval dialog came from HOL Guard, not from Claude alone. "
-        "Use the Claude choices below: Yes to allow it once, Yes during this session to trust the same action for "
-        "the rest of this session, or No to keep the sensitive action blocked."
+        f"{intro} This approval flow came from HOL Guard, not from Claude alone. "
+        "HOL Guard will ask the user to choose Allow once, Allow during this session, or Keep blocked before Claude "
+        "retries the action."
     )
 
 
@@ -2049,17 +2260,17 @@ def _claude_permission_prompt_additional_context(notice: dict[str, object] | Non
     reason = _optional_string(notice.get("reason")) if notice is not None else None
     if reason is not None:
         return (
-            "HOL Guard intercepted the sensitive request and opened the Claude approval dialog that is currently "
-            "open. "
-            "This approval dialog came from HOL Guard, not from Claude alone. "
-            f"{_ensure_terminal_punctuation(reason)} The user can choose Yes, Yes during this session, or No in the "
-            "prompt that is already visible. If the user denies it, do not retry the same sensitive access."
+            "HOL Guard intercepted the sensitive request and is routing it into a HOL Guard approval question. "
+            "This approval flow came from HOL Guard, not from Claude alone. "
+            f"{_ensure_terminal_punctuation(reason)} Ask the user with AskUserQuestion and the options Allow once, "
+            "Allow during this session, and Keep blocked. If the user chooses Keep blocked, do not retry the same "
+            "sensitive access."
         )
     return (
-        "HOL Guard intercepted the sensitive request and opened the Claude approval dialog that is currently open. "
-        "This approval dialog came from HOL Guard, not from Claude alone. "
-        "The user can choose Yes, Yes during this session, or No in the prompt that is already visible. "
-        "If the user denies it, do not retry the same action."
+        "HOL Guard intercepted the sensitive request and is routing it into a HOL Guard approval question. "
+        "This approval flow came from HOL Guard, not from Claude alone. Ask the user with AskUserQuestion and the "
+        "options Allow once, Allow during this session, and Keep blocked. If the user chooses Keep blocked, do not "
+        "retry the same action."
     )
 
 
@@ -2072,28 +2283,32 @@ def _claude_permission_prompt_terminal_notice(
     reason = _optional_string(notice.get("reason")) if notice is not None else None
     if tool_name is not None and reason is not None:
         return (
-            f"HOL Guard opened this Claude approval prompt for {tool_name}. "
+            f"HOL Guard is routing this Claude approval request for {tool_name} into a HOL Guard decision prompt. "
             f"{_ensure_terminal_punctuation(reason)} "
-            "Review the request below, then choose Yes, Yes during this session, or No."
+            "Choose Allow once, Allow during this session, or Keep blocked in the HOL Guard prompt."
         )
     if tool_name is not None:
         return (
-            f"HOL Guard opened this Claude approval prompt for {tool_name}. "
-            "Review the request below, then choose Yes, Yes during this session, or No."
+            f"HOL Guard is routing this Claude approval request for {tool_name} into a HOL Guard decision prompt. "
+            "Choose Allow once, Allow during this session, or Keep blocked in the HOL Guard prompt."
         )
     return (
-        "HOL Guard opened this Claude approval prompt to protect a sensitive action. "
-        "Review the request below, then choose Yes, Yes during this session, or No."
+        "HOL Guard is routing this Claude approval request into a HOL Guard decision prompt to protect a sensitive "
+        "action. Choose Allow once, Allow during this session, or Keep blocked in the HOL Guard prompt."
     )
 
 
 def _claude_native_pretooluse_terminal_notice(*, payload: dict[str, object], reason: str) -> str:
     tool_name = _claude_notification_tool_name(payload)
     if tool_name is not None:
-        return f"HOL Guard opened this Claude approval prompt for {tool_name}. {_ensure_terminal_punctuation(reason)}"
+        return (
+            f"HOL Guard intercepted Claude's attempt to use {tool_name}. {_ensure_terminal_punctuation(reason)} "
+            "Guard will route the next approval through a HOL Guard prompt if Claude asks to continue."
+        )
     return (
-        "HOL Guard opened this Claude approval prompt to protect a sensitive action. "
-        f"{_ensure_terminal_punctuation(reason)}"
+        "HOL Guard intercepted a sensitive Claude action. "
+        f"{_ensure_terminal_punctuation(reason)} Guard will route the next approval through a HOL Guard prompt if "
+        "Claude asks to continue."
     )
 
 
@@ -2191,9 +2406,8 @@ def _runtime_artifact_native_reason(artifact: GuardArtifact, response_payload: d
         if harness == "claude-code" and policy_action == "require-reapproval":
             return (
                 f"HOL Guard intercepted Claude's attempt to use {tool_name} for {path_class} to protect your local "
-                "secrets. This approval prompt came from HOL Guard, not from Claude alone. "
-                "Choose Yes to allow it once, Yes during this session to trust the same action for the rest of this "
-                "session, or No to keep the secret private."
+                "secrets. The approval flow came from HOL Guard, not from Claude alone. HOL Guard will ask you to "
+                "choose Allow once, Allow during this session, or Keep blocked before Claude retries this action."
             )
         return (
             f"HOL Guard blocked Claude's attempt to use {tool_name} for {path_class} to protect your local secrets. "
@@ -2236,7 +2450,10 @@ def _claude_prompt_additional_context(
         )
     return (
         f"{_ensure_terminal_punctuation(native_reason)} "
-        "Before you use the first sensitive tool for this request, tell the user exactly: "
+        "Before you use the first sensitive tool for this request, call AskUserQuestion with header 'HOL Guard', "
+        "question 'HOL Guard intercepted this sensitive action. What should Claude do?', and exactly these options: "
+        "'Allow once', 'Allow during this session', and 'Keep blocked'. If the user chooses Keep blocked, do not "
+        "retry the sensitive action. Then tell the user exactly: "
         f"'{briefing_sentence}' "
         "Attempt that sensitive tool at most once. If HOL Guard or Claude denies it, do not retry the same sensitive "
         "action automatically. Instead, tell the user approval is required in Claude to continue."
@@ -2255,12 +2472,11 @@ def _claude_prompt_system_message(
             if "secret_read" in _prompt_request_classes(artifact):
                 return (
                     "HOL Guard intercepted this prompt because it asks Claude to access local secrets. "
-                    "If Claude opens a permission dialog on the next tool call, that approval prompt came from HOL "
-                    "Guard."
+                    "If Claude asks to continue, HOL Guard will route the decision through a branded approval prompt."
                 )
             return (
                 "HOL Guard intercepted this prompt because it leads to a sensitive action. "
-                "If Claude opens a permission dialog on the next tool call, that approval prompt came from HOL Guard."
+                "If Claude asks to continue, HOL Guard will route the decision through a branded approval prompt."
             )
         if policy_action in {"block", "sandbox-required"}:
             return _ensure_terminal_punctuation(native_reason)
@@ -2377,7 +2593,18 @@ def _emit_native_hook_response(
         if payload:
             _write_json_line(payload, output_stream=output_stream)
         return
-    if event_name == "Notification":
+    if event_name in {"Notification", "PermissionRequest"}:
+        if event_name == "PermissionRequest" and policy_action in {"block", "sandbox-required"}:
+            payload["hookSpecificOutput"] = {
+                "hookEventName": event_name,
+                "decision": {
+                    "behavior": "deny",
+                    "message": additional_context or reason,
+                    "interrupt": False,
+                },
+            }
+            _write_json_line(payload, output_stream=output_stream)
+            return
         if additional_context:
             payload["hookSpecificOutput"] = {
                 "hookEventName": event_name,

{plugin_scanner-2.0.61 → plugin_scanner-2.0.63}/src/codex_plugin_scanner/version.py

@@ -1,3 +1,3 @@
 """Single source of truth for tool version."""
 
-__version__ = "2.0.61"
+__version__ = "2.0.63"