plugin-scanner 2.0.64__tar.gz → 2.0.65__tar.gz

{plugin_scanner-2.0.64 → plugin_scanner-2.0.65}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.64
+Version: 2.0.65
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.64 → plugin_scanner-2.0.65}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.64"
+version = "2.0.65"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.64 → plugin_scanner-2.0.65}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.64"
+version = "2.0.65"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.64 → plugin_scanner-2.0.65}/src/codex_plugin_scanner/guard/cli/connect_flow.py

@@ -107,36 +107,37 @@ def run_guard_connect_command(
         sync_payload = sync_receipts(store)
     except GuardSyncNotAvailableError as plan_error:
         plan_msg = str(plan_error).strip() or "Cloud sync requires a paid Guard plan."
+        pending_sync_payload = dict(runtime_sync_summary)
+        pending_sync_payload["synced_at"] = None
         pending_state = _record_connect_result(
             daemon_client=daemon_client,
             store=store,
             request_id=str(connect_request["request_id"]),
-            status="connected",
-            milestone="sync_not_available",
+            status="retry_required",
+            milestone="first_sync_failed",
             reason=plan_msg,
+            sync=pending_sync_payload,
         )
         return build_connect_payload(
             state=pending_state,
             browser_opened=browser_opened,
             connect_url=browser_url,
             sync_url=sync_url,
-            connected=True,
+            connected=False,
+            sync=pending_sync_payload,
             sync_available=False,
             sync_message=plan_msg,
         )
     except (RuntimeError, OSError, urllib.error.URLError, json.JSONDecodeError) as error:
         sync_message = str(error)
-        if runtime_sync_error and not _is_paid_plan_sync_error(sync_message):
-            sync_message = runtime_sync_error
-        sync_is_plan_limited = _is_paid_plan_sync_error(sync_message)
         pending_sync_payload = dict(runtime_sync_summary)
         pending_sync_payload["synced_at"] = None
         pending_state = _record_connect_result(
             daemon_client=daemon_client,
             store=store,
             request_id=str(connect_request["request_id"]),
-            status="connected",
-            milestone="first_sync_pending",
+            status="retry_required",
+            milestone="first_sync_failed",
             reason=sync_message,
             sync=pending_sync_payload,
         )
@@ -145,10 +146,9 @@ def run_guard_connect_command(
             browser_opened=browser_opened,
             connect_url=browser_url,
             sync_url=sync_url,
-            connected=True,
+            connected=False,
             sync=pending_sync_payload,
             sync_message=sync_message,
-            sync_available=False if sync_is_plan_limited else None,
         )
     sync_payload["runtime_session_synced_at"] = runtime_sync_summary["runtime_session_synced_at"]
     sync_payload["runtime_session_id"] = runtime_sync_summary["runtime_session_id"]

plugin_scanner-2.0.65/src/codex_plugin_scanner/guard/edge_events.py

@@ -0,0 +1,88 @@
+"""Builders for Guard Cloud v1 events emitted by the local edge runtime."""
+
+from __future__ import annotations
+
+import hashlib
+from typing import cast
+
+from .models import GuardReceipt
+from .schemas.guard_event_v1 import GuardEventType, GuardEventV1
+
+
+def build_receipt_event(
+    receipt: GuardReceipt,
+    *,
+    device_id: str | None = None,
+    workspace_id: str | None = None,
+) -> GuardEventV1:
+    payload: dict[str, object] = {
+        "receiptId": receipt.receipt_id,
+        "harness": receipt.harness,
+        "artifactId": receipt.artifact_id,
+        "artifactHash": receipt.artifact_hash,
+        "artifactName": receipt.artifact_name,
+        "sourceScope": receipt.source_scope,
+        "policyDecision": receipt.policy_decision,
+        "capabilitiesSummary": receipt.capabilities_summary,
+        "changedCapabilities": list(receipt.changed_capabilities),
+        "provenanceSummary": receipt.provenance_summary,
+        "userOverride": receipt.user_override,
+    }
+    event_id = f"guard-event-{_fingerprint('receipt.created', receipt.receipt_id)[:32]}"
+    return GuardEventV1(
+        event_id=event_id,
+        idempotency_key=f"receipt.created:{receipt.receipt_id}",
+        event_type="receipt.created",
+        source="edge",
+        occurred_at=receipt.timestamp,
+        workspace_id=workspace_id,
+        device_id=device_id,
+        payload=payload,
+    )
+
+
+def build_approval_event(
+    *,
+    request_id: str,
+    event_type: str,
+    occurred_at: str,
+    payload: dict[str, object],
+    device_id: str | None = None,
+    workspace_id: str | None = None,
+) -> GuardEventV1:
+    if event_type not in {"approval.created", "approval.resolved"}:
+        raise ValueError("Approval event type must be approval.created or approval.resolved")
+    return GuardEventV1(
+        event_id=f"guard-event-{_fingerprint(event_type, request_id, occurred_at)[:32]}",
+        idempotency_key=f"{event_type}:{request_id}:{occurred_at}",
+        event_type=cast(GuardEventType, event_type),
+        source="approval-center",
+        occurred_at=occurred_at,
+        workspace_id=workspace_id,
+        device_id=device_id,
+        payload=payload,
+    )
+
+
+def build_policy_event(
+    *,
+    policy_key: str,
+    occurred_at: str,
+    payload: dict[str, object],
+    device_id: str | None = None,
+    workspace_id: str | None = None,
+) -> GuardEventV1:
+    return GuardEventV1(
+        event_id=f"guard-event-{_fingerprint('policy.changed', policy_key, occurred_at)[:32]}",
+        idempotency_key=f"policy.changed:{policy_key}:{occurred_at}",
+        event_type="policy.changed",
+        source="policy",
+        occurred_at=occurred_at,
+        workspace_id=workspace_id,
+        device_id=device_id,
+        payload=payload,
+    )
+
+
+def _fingerprint(*parts: str) -> str:
+    return hashlib.sha256(":".join(parts).encode()).hexdigest()

{plugin_scanner-2.0.64 → plugin_scanner-2.0.65}/src/codex_plugin_scanner/guard/runtime/__init__.py

@@ -4,6 +4,7 @@ from .runner import (
     GuardSyncNotAvailableError,
     GuardSyncNotConfiguredError,
     guard_run,
+    sync_guard_events,
     sync_receipts,
     sync_runtime_session,
 )
@@ -12,6 +13,7 @@ __all__ = [
     "GuardSyncNotAvailableError",
     "GuardSyncNotConfiguredError",
     "guard_run",
+    "sync_guard_events",
     "sync_receipts",
     "sync_runtime_session",
 ]

{plugin_scanner-2.0.64 → plugin_scanner-2.0.65}/src/codex_plugin_scanner/guard/runtime/runner.py

@@ -480,10 +480,69 @@ def sync_receipts(store: GuardStore) -> dict[str, object]:
         "inventory": 0,
         "inventory_tracked": len(inventory),
     }
+    summary["guard_events_v1"] = sync_guard_events(store)
     store.set_sync_payload("sync_summary", summary, now)
     return summary
 
 
+def sync_guard_events(store: GuardStore) -> dict[str, object]:
+    """Push pending GuardEventV1 envelopes to Guard Cloud."""
+
+    credentials = store.get_sync_credentials()
+    if credentials is None:
+        raise GuardSyncNotConfiguredError("Guard is not logged in.")
+    sync_url = _guard_events_sync_url(str(credentials["sync_url"]))
+    total_events = 0
+    total_accepted = 0
+    synced_at = _now()
+    while True:
+        pending_events = store.list_guard_events_v1(uploaded=False, limit=200)
+        if not pending_events:
+            break
+        body = json.dumps({"events": [event["payload"] for event in pending_events]}).encode("utf-8")
+        request = urllib.request.Request(
+            sync_url,
+            data=body,
+            method="POST",
+            headers=_guard_sync_headers(str(credentials["token"])),
+        )
+        try:
+            payload = _urlopen_json_with_timeout_retry(
+                request=request,
+                timeout_seconds=_SYNC_HTTP_TIMEOUT_SECONDS,
+                retry_timeout_seconds=_SYNC_HTTP_RETRY_TIMEOUT_SECONDS,
+            )
+        except urllib.error.HTTPError as error:
+            if error.code == 404:
+                summary = {
+                    "synced_at": synced_at,
+                    "events": total_events,
+                    "accepted": total_accepted,
+                    "sync_skipped": True,
+                    "sync_reason": "guard_events_endpoint_unavailable",
+                }
+                store.set_sync_payload("guard_events_v1_summary", summary, synced_at)
+                return summary
+            if error.code == 403:
+                is_plan, message = _check_plan_restriction_403(error)
+                if is_plan:
+                    raise GuardSyncNotAvailableError(message) from error
+                raise RuntimeError(message) from error
+            raise RuntimeError(_sync_http_error_message(error)) from error
+        except OSError as error:
+            raise RuntimeError(_sync_url_error_message(error)) from error
+        completed_ids = _completed_guard_event_ids(payload)
+        synced_at = _sync_timestamp(payload)
+        uploaded = store.mark_guard_events_v1_uploaded(completed_ids, synced_at)
+        total_events += len(pending_events)
+        total_accepted += uploaded
+        if uploaded == 0 or len(pending_events) < 200:
+            break
+    summary = {"synced_at": synced_at, "events": total_events, "accepted": total_accepted}
+    store.set_sync_payload("guard_events_v1_summary", summary, synced_at)
+    return summary
+
+
 def sync_runtime_session(
     store: GuardStore,
     *,
@@ -951,6 +1010,45 @@ def _normalized_runtime_sessions_sync_url(sync_url: str) -> str:
     )
 
 
+def _guard_events_sync_url(sync_url: str) -> str:
+    parsed = urllib.parse.urlsplit(_normalized_receipts_sync_url(sync_url))
+    if parsed.path.rstrip("/").endswith("/api/v1/guard/events"):
+        return urllib.parse.urlunsplit((parsed.scheme, parsed.netloc, parsed.path.rstrip("/"), parsed.query, ""))
+    path = parsed.path.rstrip("/")
+    for suffix in (
+        "/api/guard/receipts/sync",
+        "/guard/receipts/sync",
+        "/registry/api/v1/guard/receipts/sync",
+    ):
+        if path.endswith(suffix):
+            path = path[: -len(suffix)]
+            break
+    return urllib.parse.urlunsplit(
+        (
+            parsed.scheme,
+            parsed.netloc,
+            path.rstrip("/") + "/api/v1/guard/events",
+            parsed.query,
+            "",
+        )
+    )
+
+
+def _completed_guard_event_ids(payload: dict[str, object]) -> list[str]:
+    statuses = payload.get("statuses")
+    if not isinstance(statuses, list):
+        return []
+    completed: list[str] = []
+    for item in statuses:
+        if not isinstance(item, dict):
+            continue
+        status = str(item.get("status") or "")
+        event_id = item.get("eventId")
+        if status in {"accepted", "duplicate", "rejected"} and isinstance(event_id, str):
+            completed.append(event_id)
+    return completed
+
+
 def _cloud_sync_receipts_payload(store: GuardStore, receipts: list[dict[str, object]]) -> list[dict[str, object]]:
     device_id, device_name = _guard_device_metadata(store)
     return [_cloud_sync_receipt_payload(receipt, device_id=device_id, device_name=device_name) for receipt in receipts]

plugin_scanner-2.0.65/src/codex_plugin_scanner/guard/schemas/guard_event_v1.py

@@ -0,0 +1,74 @@
+"""Guard Cloud event schema shared by the edge runtime and v1 ingest API."""
+
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from typing import Literal, cast
+
+GuardEventSource = Literal["edge", "approval-center", "policy", "protect-api"]
+GuardEventType = Literal["receipt.created", "approval.created", "approval.resolved", "policy.changed"]
+
+
+@dataclass(frozen=True, slots=True)
+class GuardEventV1:
+    """Versioned event envelope for replay-safe Guard Cloud sync."""
+
+    event_id: str
+    idempotency_key: str
+    event_type: GuardEventType
+    source: GuardEventSource
+    occurred_at: str
+    workspace_id: str | None = None
+    device_id: str | None = None
+    payload: dict[str, object] = field(default_factory=dict)
+    schema_version: str = "guard.event.v1"
+
+    def to_dict(self) -> dict[str, object]:
+        return {
+            "schemaVersion": self.schema_version,
+            "eventId": self.event_id,
+            "idempotencyKey": self.idempotency_key,
+            "eventType": self.event_type,
+            "source": self.source,
+            "occurredAt": self.occurred_at,
+            "workspaceId": self.workspace_id,
+            "deviceId": self.device_id,
+            "payload": self.payload,
+        }
+
+    @classmethod
+    def from_dict(cls, payload: dict[str, object]) -> GuardEventV1:
+        schema_version = str(payload.get("schemaVersion") or "")
+        if schema_version != "guard.event.v1":
+            raise ValueError("Guard event schemaVersion must be guard.event.v1")
+        event_id = _required_string(payload, "eventId")
+        idempotency_key = _required_string(payload, "idempotencyKey")
+        event_type = _required_string(payload, "eventType")
+        source = _required_string(payload, "source")
+        occurred_at = _required_string(payload, "occurredAt")
+        event_payload = payload.get("payload")
+        if not isinstance(event_payload, dict):
+            raise ValueError("Guard event payload must be an object")
+        if event_type not in {"receipt.created", "approval.created", "approval.resolved", "policy.changed"}:
+            raise ValueError(f"Unsupported Guard event type: {event_type}")
+        if source not in {"edge", "approval-center", "policy", "protect-api"}:
+            raise ValueError(f"Unsupported Guard event source: {source}")
+        workspace_id = payload.get("workspaceId")
+        device_id = payload.get("deviceId")
+        return cls(
+            event_id=event_id,
+            idempotency_key=idempotency_key,
+            event_type=cast(GuardEventType, event_type),
+            source=cast(GuardEventSource, source),
+            occurred_at=occurred_at,
+            workspace_id=workspace_id if isinstance(workspace_id, str) else None,
+            device_id=device_id if isinstance(device_id, str) else None,
+            payload={str(key): value for key, value in event_payload.items()},
+        )
+
+
+def _required_string(payload: dict[str, object], key: str) -> str:
+    value = payload.get(key)
+    if not isinstance(value, str) or not value.strip():
+        raise ValueError(f"Guard event {key} must be a non-empty string")
+    return value

{plugin_scanner-2.0.64 → plugin_scanner-2.0.65}/src/codex_plugin_scanner/guard/store.py

@@ -17,7 +17,9 @@ from uuid import uuid4
 
 from cryptography.fernet import Fernet, InvalidToken
 
+from .edge_events import build_receipt_event
 from .models import GuardApprovalRequest, GuardArtifact, GuardReceipt, GuardRuntimeState, PolicyDecision
+from .schemas.guard_event_v1 import GuardEventV1
 from .store_approvals import (
     add_approval_request as persist_approval_request,
 )
@@ -548,6 +550,20 @@ class GuardStore:
             )
             """,
             """
+            create table if not exists guard_cloud_events (
+              event_id text primary key,
+              idempotency_key text not null unique,
+              event_type text not null,
+              payload_json text not null,
+              occurred_at text not null,
+              uploaded_at text
+            )
+            """,
+            """
+            create index if not exists idx_guard_cloud_events_sync
+            on guard_cloud_events (uploaded_at, occurred_at)
+            """,
+            """
             create table if not exists guard_runtime_state (
               state_key text primary key,
               session_id text not null,
@@ -1213,6 +1229,19 @@ class GuardStore:
                     receipt.timestamp,
                 ),
             )
+            self._ensure_local_device(connection)
+            row = connection.execute(
+                "select installation_id from guard_devices where device_key = ?",
+                (_DEVICE_ROW_KEY,),
+            ).fetchone()
+            device_id = str(row["installation_id"]) if row is not None else None
+            self._add_guard_event_v1(
+                connection,
+                build_receipt_event(
+                    receipt,
+                    device_id=device_id,
+                ),
+            )
 
     def list_receipts(self, limit: int = 50) -> list[dict[str, object]]:
         with self._connect() as connection:
@@ -1698,6 +1727,72 @@ class GuardStore:
                 (state_key,),
             )
 
+    def add_guard_event_v1(self, event: GuardEventV1) -> None:
+        with self._connect() as connection:
+            self._add_guard_event_v1(connection, event)
+
+    @staticmethod
+    def _add_guard_event_v1(connection: sqlite3.Connection, event: GuardEventV1) -> None:
+        payload = event.to_dict()
+        connection.execute(
+            """
+            insert or ignore into guard_cloud_events (
+              event_id, idempotency_key, event_type, payload_json, occurred_at, uploaded_at
+            )
+            values (?, ?, ?, ?, ?, null)
+            """,
+            (
+                event.event_id,
+                event.idempotency_key,
+                event.event_type,
+                json.dumps(payload, sort_keys=True),
+                event.occurred_at,
+            ),
+        )
+
+    def list_guard_events_v1(self, *, uploaded: bool | None = None, limit: int = 200) -> list[dict[str, object]]:
+        query = """
+            select event_id, idempotency_key, event_type, payload_json, occurred_at, uploaded_at
+            from guard_cloud_events
+        """
+        params: list[object] = []
+        if uploaded is True:
+            query += " where uploaded_at is not null"
+        elif uploaded is False:
+            query += " where uploaded_at is null"
+        query += " order by occurred_at asc, event_id asc limit ?"
+        params.append(limit)
+        with self._connect() as connection:
+            rows = connection.execute(query, tuple(params)).fetchall()
+        events: list[dict[str, object]] = []
+        for row in rows:
+            payload = json.loads(str(row["payload_json"]))
+            if not isinstance(payload, dict):
+                payload = {}
+            events.append(
+                {
+                    "event_id": str(row["event_id"]),
+                    "idempotency_key": str(row["idempotency_key"]),
+                    "event_type": str(row["event_type"]),
+                    "occurred_at": str(row["occurred_at"]),
+                    "uploaded_at": row["uploaded_at"],
+                    "payload": payload,
+                }
+            )
+        return events
+
+    def mark_guard_events_v1_uploaded(self, event_ids: list[str], uploaded_at: str) -> int:
+        clean_ids = [event_id for event_id in event_ids if event_id.strip()]
+        if not clean_ids:
+            return 0
+        placeholders = ", ".join("?" for _ in clean_ids)
+        with self._connect() as connection:
+            cursor = connection.execute(
+                f"update guard_cloud_events set uploaded_at = ? where event_id in ({placeholders})",
+                (uploaded_at, *clean_ids),
+            )
+            return int(cursor.rowcount)
+
     def add_event(self, event_name: str, payload: dict[str, object], now: str) -> None:
         with self._connect() as connection:
             connection.execute(

{plugin_scanner-2.0.64 → plugin_scanner-2.0.65}/src/codex_plugin_scanner/version.py

@@ -1,3 +1,3 @@
 """Single source of truth for tool version."""
 
-__version__ = "2.0.64"
+__version__ = "2.0.65"

{plugin_scanner-2.0.64 → plugin_scanner-2.0.65}/tests/test_guard_cli.py

@@ -224,6 +224,8 @@ class _SyncRequestHandler(BaseHTTPRequestHandler):
     response_code = 200
     captured_headers: ClassVar[dict[str, str]] = {}
     captured_body: ClassVar[dict[str, object] | None] = None
+    captured_bodies: ClassVar[list[dict[str, object]]] = []
+    captured_paths: ClassVar[list[str]] = []
     raw_response_body: ClassVar[str | None] = None
     response_payload: ClassVar[dict[str, object]] = {
         "syncedAt": "2026-04-09T00:00:00Z",
@@ -235,6 +237,8 @@ class _SyncRequestHandler(BaseHTTPRequestHandler):
         body = self.rfile.read(length).decode("utf-8") if length else "{}"
         _SyncRequestHandler.captured_headers = {key.lower(): value for key, value in self.headers.items()}
         _SyncRequestHandler.captured_body = json.loads(body)
+        _SyncRequestHandler.captured_bodies.append(_SyncRequestHandler.captured_body)
+        _SyncRequestHandler.captured_paths.append(self.path)
         self.send_response(self.response_code)
         self.send_header("Content-Type", "application/json")
         self.end_headers()
@@ -5401,6 +5405,8 @@ url = http://127.0.0.1:8787/guard-canary
             "syncedAt": "2026-04-09T00:00:00Z",
             "receiptsStored": 1,
         }
+        _SyncRequestHandler.captured_bodies = []
+        _SyncRequestHandler.captured_paths = []
 
         server = HTTPServer(("127.0.0.1", 0), _SyncRequestHandler)
         thread = threading.Thread(target=server.serve_forever, daemon=True)
@@ -5464,10 +5470,16 @@ url = http://127.0.0.1:8787/guard-canary
         assert status_output["cloud_state"] == "paired_active"
         assert status_output["last_sync_at"] == "2026-04-09T00:00:00Z"
         assert _SyncRequestHandler.captured_headers["authorization"] == "Bearer demo-token"
-        assert _SyncRequestHandler.captured_body is not None
-        assert len(_SyncRequestHandler.captured_body["receipts"]) >= 1
-        assert "inventory" not in _SyncRequestHandler.captured_body
-        first_receipt = _SyncRequestHandler.captured_body["receipts"][0]
+        receipt_body = next(
+            body
+            for body in _SyncRequestHandler.captured_bodies
+            if isinstance(body.get("receipts"), list) and len(body["receipts"]) >= 1
+        )
+        event_body = next(body for body in _SyncRequestHandler.captured_bodies if "events" in body)
+        assert len(receipt_body["receipts"]) >= 1
+        assert "inventory" not in receipt_body
+        assert len(event_body["events"]) >= 1
+        first_receipt = receipt_body["receipts"][0]
         assert "artifactId" in first_receipt
         assert "artifact_id" not in first_receipt
         assert "receiptId" in first_receipt
@@ -5805,10 +5817,10 @@ url = http://127.0.0.1:8787/guard-canary
         finally:
             daemon.stop()
 
-        assert connect_rc == 0
-        assert connect_output["connected"] is True
-        assert connect_output["status"] == "connected"
-        assert connect_output["milestone"] == "first_sync_pending"
+        assert connect_rc == 1
+        assert connect_output["connected"] is False
+        assert connect_output["status"] == "retry_required"
+        assert connect_output["milestone"] == "first_sync_failed"
         assert connect_output["reason"] == "sync_unreachable"
         assert connect_output["sync_message"] == "sync_unreachable"
 
@@ -5898,10 +5910,10 @@ url = http://127.0.0.1:8787/guard-canary
                 "receiptsStored": 1,
             }
 
-        assert connect_rc == 0
-        assert connect_output["connected"] is True
-        assert connect_output["status"] == "connected"
-        assert connect_output["milestone"] == "sync_not_available"
+        assert connect_rc == 1
+        assert connect_output["connected"] is False
+        assert connect_output["status"] == "retry_required"
+        assert connect_output["milestone"] == "first_sync_failed"
         assert connect_output["reason"] == "Guard sync requires a Pro or Team plan."
         assert connect_output["sync_message"] == "Guard sync requires a Pro or Team plan."
 
@@ -6239,9 +6251,9 @@ url = http://127.0.0.1:8787/guard-canary
             wait_timeout_seconds=1,
         )
 
-        assert payload["connected"] is True
-        assert payload["status"] == "connected"
-        assert payload["milestone"] == "first_sync_pending"
+        assert payload["connected"] is False
+        assert payload["status"] == "retry_required"
+        assert payload["milestone"] == "first_sync_failed"
         assert payload["sync_message"] == "<urlopen error offline>"
 
     def test_guard_connect_persists_success_when_daemon_result_write_fails(self, tmp_path, monkeypatch):
@@ -6413,9 +6425,9 @@ url = http://127.0.0.1:8787/guard-canary
             wait_timeout_seconds=1,
         )
 
-        assert payload["connected"] is True
-        assert payload["status"] == "connected"
-        assert payload["milestone"] == "first_sync_pending"
+        assert payload["connected"] is False
+        assert payload["status"] == "retry_required"
+        assert payload["milestone"] == "first_sync_failed"
         assert payload["sync_message"] == "Guard Cloud sync requires a paid Guard plan"
 
     def test_guard_connect_reports_guard_plan_required_without_failing_pairing(self, tmp_path, monkeypatch):
@@ -6496,9 +6508,9 @@ url = http://127.0.0.1:8787/guard-canary
             wait_timeout_seconds=1,
         )
 
-        assert payload["connected"] is True
-        assert payload["status"] == "connected"
-        assert payload["milestone"] == "first_sync_pending"
+        assert payload["connected"] is False
+        assert payload["status"] == "retry_required"
+        assert payload["milestone"] == "first_sync_failed"
         assert payload["sync_message"] == "Guard plan required"
 
     def test_guard_sync_persists_advisories_from_endpoint(self, tmp_path, capsys):

{plugin_scanner-2.0.64 → plugin_scanner-2.0.65}/tests/test_guard_connect_flow.py

@@ -156,9 +156,9 @@ def test_guard_connect_preserves_pairing_when_first_sync_fails(
     finally:
         daemon.stop()
 
-    assert payload["connected"] is True
-    assert payload["status"] == "connected"
-    assert payload["milestone"] == "first_sync_pending"
+    assert payload["connected"] is False
+    assert payload["status"] == "retry_required"
+    assert payload["milestone"] == "first_sync_failed"
     assert payload["reason"] == "sync_unreachable"
     assert payload["sync_message"] == "sync_unreachable"
     assert payload["request_id"].startswith("connect-")
@@ -235,9 +235,9 @@ def test_guard_connect_prefers_paid_plan_sync_note_over_runtime_sync_timeout(
     finally:
         daemon.stop()
 
-    assert payload["connected"] is True
-    assert payload["status"] == "connected"
-    assert payload["milestone"] == "first_sync_pending"
+    assert payload["connected"] is False
+    assert payload["status"] == "retry_required"
+    assert payload["milestone"] == "first_sync_failed"
     assert payload["reason"] == "Guard Cloud sync requires a paid Guard plan"
     assert payload["sync_message"] == "Guard Cloud sync requires a paid Guard plan"
 
@@ -311,9 +311,9 @@ def test_guard_connect_preserves_http_402_payment_required_sync_note(
     finally:
         daemon.stop()
 
-    assert payload["connected"] is True
-    assert payload["status"] == "connected"
-    assert payload["milestone"] == "first_sync_pending"
+    assert payload["connected"] is False
+    assert payload["status"] == "retry_required"
+    assert payload["milestone"] == "first_sync_failed"
     assert payload["reason"] == "HTTP Error 402: Payment Required"
     assert payload["sync_message"] == "HTTP Error 402: Payment Required"