plugin-scanner 2.0.65__tar.gz → 2.0.67__tar.gz

{plugin_scanner-2.0.65 → plugin_scanner-2.0.67}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.65
+Version: 2.0.67
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.65 → plugin_scanner-2.0.67}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.65"
+version = "2.0.67"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.65 → plugin_scanner-2.0.67}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.65"
+version = "2.0.67"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.65 → plugin_scanner-2.0.67}/src/codex_plugin_scanner/guard/adapters/claude_code.py

@@ -23,7 +23,6 @@ CLAUDE_GUARD_POST_TOOL_MATCHER = f"{CLAUDE_GUARD_TOOL_MATCHER}|AskUserQuestion"
 CLAUDE_GUARD_NOTIFICATION_MATCHER = "permission_prompt"
 CLAUDE_GUARD_SESSION_START_MATCHERS = ("startup", "resume", "clear", "compact")
 CLAUDE_GUARD_TOOL_TIMEOUT_SECONDS = 30
-CLAUDE_GUARD_PROMPT_TIMEOUT_SECONDS = 20
 CLAUDE_GUARD_NOTIFICATION_TIMEOUT_SECONDS = 10
 CLAUDE_GUARD_SESSION_START_TIMEOUT_SECONDS = 10
 CLAUDE_GUARD_STOP_TIMEOUT_SECONDS = 10
@@ -47,7 +46,6 @@ def _sync_runtime_hook_groups(hooks: dict[str, object], hook_command: str) -> No
         ("PreToolUse", CLAUDE_GUARD_TOOL_MATCHER, CLAUDE_GUARD_TOOL_TIMEOUT_SECONDS),
         ("PermissionRequest", CLAUDE_GUARD_TOOL_MATCHER, CLAUDE_GUARD_NOTIFICATION_TIMEOUT_SECONDS),
         ("PostToolUse", CLAUDE_GUARD_POST_TOOL_MATCHER, CLAUDE_GUARD_TOOL_TIMEOUT_SECONDS),
-        ("UserPromptSubmit", None, CLAUDE_GUARD_PROMPT_TIMEOUT_SECONDS),
         ("Notification", CLAUDE_GUARD_NOTIFICATION_MATCHER, CLAUDE_GUARD_NOTIFICATION_TIMEOUT_SECONDS),
         ("Stop", None, CLAUDE_GUARD_STOP_TIMEOUT_SECONDS),
     ):
@@ -60,7 +58,7 @@ def _sync_runtime_hook_groups(hooks: dict[str, object], hook_command: str) -> No
 
 
 def _remove_unsupported_guard_hook_groups(hooks: dict[str, object]) -> None:
-    for key in ("PermissionDenied",):
+    for key in ("PermissionDenied", "UserPromptSubmit"):
         entries = hooks.get(key)
         if not isinstance(entries, list):
             continue

plugin_scanner-2.0.67/src/codex_plugin_scanner/guard/cli/approval_commands.py

@@ -0,0 +1,119 @@
+"""CLI helpers for Guard approval queue workflows."""
+
+from __future__ import annotations
+
+import argparse
+from datetime import datetime, timezone
+from pathlib import Path
+
+from ..approvals import apply_approval_resolution, build_runtime_snapshot
+from ..daemon import load_guard_daemon_url
+from ..store import GuardStore
+
+
+def add_approval_parser(
+    guard_subparsers: argparse._SubParsersAction[argparse.ArgumentParser],
+    add_common_args,
+) -> None:
+    approvals_parser = guard_subparsers.add_parser(
+        "approvals",
+        help="List, resolve, or clear Guard approval history",
+    )
+    approvals_subparsers = approvals_parser.add_subparsers(dest="approvals_command")
+
+    add_common_args(approvals_parser)
+    approvals_parser.add_argument("--json", action="store_true")
+
+    for name, action in (("approve", "allow"), ("deny", "block")):
+        decision_parser = approvals_subparsers.add_parser(name, help=f"{name.title()} a pending approval request")
+        decision_parser.add_argument("request_id")
+        decision_parser.add_argument(
+            "--scope",
+            choices=("artifact", "publisher", "workspace", "harness", "global"),
+            default="artifact",
+        )
+        decision_parser.add_argument("--reason")
+        add_common_args(decision_parser)
+        decision_parser.add_argument("--json", action="store_true")
+        decision_parser.set_defaults(approval_action=action)
+
+    clear_history_parser = approvals_subparsers.add_parser(
+        "clear-history",
+        help="Clear saved allow/deny history so flows can be re-tested",
+    )
+    clear_history_parser.add_argument(
+        "--harness",
+        help="The harness to clear history for (for example: codex, claude-code, opencode, copilot)",
+    )
+    clear_history_parser.add_argument(
+        "--all",
+        action="store_true",
+        help="Clear approval history across every harness; cannot be combined with --harness",
+    )
+    clear_history_parser.add_argument(
+        "--source",
+        help="Optional source filter for policy decisions (for example: manual, claude-ask-user-question)",
+    )
+    add_common_args(clear_history_parser)
+    clear_history_parser.add_argument("--json", action="store_true")
+
+
+def run_approval_command(
+    args: argparse.Namespace,
+    *,
+    store: GuardStore,
+    workspace: Path | None,
+) -> dict[str, object]:
+    command = getattr(args, "approvals_command", None)
+    if command is None:
+        return build_runtime_snapshot(
+            store=store,
+            approval_center_url=load_guard_daemon_url(store.guard_home),
+            now=_now(),
+        )
+    if command == "clear-history":
+        harness = getattr(args, "harness", None)
+        clear_all = bool(getattr(args, "all", False))
+        if clear_all and harness is not None:
+            return {
+                "history_cleared": False,
+                "error": "Choose either --all or --harness <name> when clearing approval history.",
+                "cleared_policies": 0,
+                "cleared_resolved_requests": 0,
+                "exit_code": 2,
+            }
+        if not clear_all and harness is None:
+            return {
+                "history_cleared": False,
+                "error": "Choose --harness <name> or --all when clearing approval history.",
+                "cleared_policies": 0,
+                "cleared_resolved_requests": 0,
+                "exit_code": 2,
+            }
+        target_harness = None if clear_all else harness
+        source = getattr(args, "source", None)
+        cleared_resolved_requests = 0
+        if source is None:
+            cleared_resolved_requests = store.clear_approval_requests(harness=target_harness, status="resolved")
+        return {
+            "history_cleared": True,
+            "harness": target_harness,
+            "source": source,
+            "cleared_policies": store.clear_policy_decisions(target_harness, source),
+            "cleared_resolved_requests": cleared_resolved_requests,
+            "exit_code": 0,
+        }
+    item = apply_approval_resolution(
+        store=store,
+        request_id=args.request_id,
+        action=args.approval_action,
+        scope=args.scope,
+        workspace=str(workspace) if workspace is not None else None,
+        reason=args.reason,
+        now=_now(),
+    )
+    return {"resolved": True, "item": item}
+
+
+def _now() -> str:
+    return datetime.now(timezone.utc).isoformat()

{plugin_scanner-2.0.65 → plugin_scanner-2.0.67}/src/codex_plugin_scanner/guard/cli/commands.py

@@ -311,8 +311,15 @@ def _configure_guard_parser(guard_parser: argparse.ArgumentParser) -> None:
         policy_parser.add_argument("--json", action="store_true")
         policy_parser.set_defaults(policy_action=action)
 
-    policies_parser = guard_subparsers.add_parser("policies", help="List stored Guard policy decisions")
+    policies_parser = guard_subparsers.add_parser("policies", help="List or clear stored Guard policy decisions")
+    policies_parser.add_argument("policies_command", nargs="?", choices=("clear",))
     policies_parser.add_argument("--harness")
+    policies_parser.add_argument("--source")
+    policies_parser.add_argument(
+        "--all",
+        action="store_true",
+        help="Clear decisions across every harness; cannot be combined with --harness",
+    )
     _add_guard_common_args(policies_parser)
     policies_parser.add_argument("--json", action="store_true")
 
@@ -775,6 +782,46 @@ def run_guard_command(
         return 0
 
     if args.guard_command == "policies":
+        if getattr(args, "policies_command", None) == "clear":
+            harness = getattr(args, "harness", None)
+            clear_all = bool(getattr(args, "all", False))
+            if clear_all and harness is not None:
+                _emit(
+                    "policies",
+                    {
+                        "error": "Choose either --all or --harness <name> when clearing Guard policy decisions.",
+                        "cleared": 0,
+                        "harness": harness,
+                        "source": getattr(args, "source", None),
+                    },
+                    getattr(args, "json", False),
+                )
+                return 2
+            if not clear_all and harness is None:
+                _emit(
+                    "policies",
+                    {
+                        "error": "Choose --harness <name> or --all when clearing Guard policy decisions.",
+                        "cleared": 0,
+                    },
+                    getattr(args, "json", False),
+                )
+                return 2
+            cleared = store.clear_policy_decisions(
+                None if clear_all else harness,
+                getattr(args, "source", None),
+            )
+            _emit(
+                "policies",
+                {
+                    "generated_at": _now(),
+                    "cleared": cleared,
+                    "harness": None if clear_all else harness,
+                    "source": getattr(args, "source", None),
+                },
+                getattr(args, "json", False),
+            )
+            return 0
         policy_items = store.list_policy_decisions(getattr(args, "harness", None))
         items = _filter_policy_items(policy_items, active_only=True)
         _emit("policies", {"generated_at": _now(), "items": items}, getattr(args, "json", False))
@@ -808,7 +855,7 @@ def run_guard_command(
     if args.guard_command == "approvals":
         payload = run_approval_command(args, store=store, workspace=workspace)
         _emit("approvals", payload, getattr(args, "json", False))
-        return 0
+        return int(payload.get("exit_code", 0))
 
     if args.guard_command == "explain":
         payload = _build_explain_payload_with_mode(store, args.target, cisco_mode=args.cisco_mode)
@@ -1233,10 +1280,13 @@ def run_guard_command(
             )
             return 0
         if _canonical_harness_name(args.harness) == "claude-code" and _hook_event_name(payload) == "Stop":
-            denied = _persist_claude_pending_permission_denials(store, payload)
+            discarded = _discard_claude_pending_permissions(store, payload)
             store.add_event(
                 "claude/turn_stop",
-                {"session_id": payload.get("session_id"), "saved_denials": denied},
+                {
+                    "session_id": payload.get("session_id"),
+                    "discarded_pending_permissions": discarded,
+                },
                 _now(),
             )
             return 0
@@ -1371,6 +1421,14 @@ def run_guard_command(
                         artifact=runtime_artifact,
                         artifact_hash=runtime_artifact_hash,
                     )
+                if _should_allow_claude_user_prompt_submit_without_output(
+                    args,
+                    event_name=event_name,
+                    policy_action=policy_action,
+                    artifact=runtime_artifact,
+                    output_stream=output_stream,
+                ):
+                    return 0
                 if _should_emit_copilot_hook_response(args):
                     _emit_copilot_hook_response(
                         policy_action=policy_action,
@@ -1724,6 +1782,23 @@ def _should_emit_prequeue_native_hook_response(
     return output_stream is not None
 
 
+def _should_allow_claude_user_prompt_submit_without_output(
+    args: argparse.Namespace,
+    *,
+    event_name: str,
+    policy_action: str,
+    artifact: GuardArtifact,
+    output_stream: TextIO | None,
+) -> bool:
+    return (
+        _canonical_harness_name(args.harness) == "claude-code"
+        and event_name == "UserPromptSubmit"
+        and policy_action == "require-reapproval"
+        and not _prompt_requires_hard_block(artifact)
+        and (not getattr(args, "json", False) or output_stream is not None)
+    )
+
+
 def _emit_claude_permission_request_passthrough(*, output_stream: TextIO | None = None) -> None:
     if output_stream is not None:
         output_stream.write("")
@@ -2044,6 +2119,27 @@ def _persist_claude_native_permission_for_runtime_artifact(
     return True
 
 
+def _discard_claude_pending_permissions(store: GuardStore, payload: dict[str, object]) -> int:
+    session_id = _optional_string(payload.get("session_id"))
+    if session_id is None:
+        return 0
+    index_key = _claude_pending_permission_index_key(session_id)
+    try:
+        index_payload = store.get_sync_payload(index_key)
+    except (OSError, sqlite3.Error):
+        return 0
+    if not isinstance(index_payload, list):
+        return 0
+    pending_keys = [str(item) for item in index_payload]
+    if not pending_keys:
+        return 0
+    try:
+        store.delete_sync_payloads([*pending_keys, index_key])
+    except (OSError, sqlite3.Error):
+        return 0
+    return len(pending_keys)
+
+
 def _persist_claude_pending_permission_denials(store: GuardStore, payload: dict[str, object]) -> int:
     session_id = _optional_string(payload.get("session_id"))
     if session_id is None:

{plugin_scanner-2.0.65 → plugin_scanner-2.0.67}/src/codex_plugin_scanner/guard/cli/render.py

@@ -295,6 +295,24 @@ def _render_inventory(console: Console, payload: dict[str, object]) -> None:
 
 
 def _render_policies(console: Console, payload: dict[str, object]) -> None:
+    if "cleared" in payload or "error" in payload:
+        error = payload.get("error")
+        cleared = int(payload.get("cleared", 0) or 0)
+        scope = str(payload.get("harness") or "all harnesses")
+        source = payload.get("source")
+        body = Table.grid(padding=(0, 1))
+        body.add_row("Outcome", str(error) if error else f"cleared {cleared} decision{'s' if cleared != 1 else ''}")
+        body.add_row("Harness", scope)
+        if source:
+            body.add_row("Source", str(source))
+        console.print(
+            Panel(
+                body,
+                title="Guard policy clear",
+                border_style="red" if error else "green",
+            )
+        )
+        return
     items = _coerce_dict_list(payload.get("items"))
     console.print(
         Panel.fit(
@@ -374,6 +392,27 @@ def _render_events(console: Console, payload: dict[str, object]) -> None:
 
 
 def _render_approvals(console: Console, payload: dict[str, object]) -> None:
+    if "history_cleared" in payload or "cleared_policies" in payload:
+        error = payload.get("error")
+        body = Table.grid(padding=(0, 1))
+        body.add_row(
+            "Outcome",
+            str(error) if error else "approval history reset",
+        )
+        body.add_row("Harness", str(payload.get("harness") or "all harnesses"))
+        source = payload.get("source")
+        if source:
+            body.add_row("Source", str(source))
+        body.add_row("Policy decisions", str(int(payload.get("cleared_policies", 0) or 0)))
+        body.add_row("Resolved requests", str(int(payload.get("cleared_resolved_requests", 0) or 0)))
+        console.print(
+            Panel(
+                body,
+                title="Approval history",
+                border_style="red" if error else "green",
+            )
+        )
+        return
     if payload.get("resolved"):
         item = payload.get("item")
         if isinstance(item, dict):

{plugin_scanner-2.0.65 → plugin_scanner-2.0.67}/src/codex_plugin_scanner/guard/store.py

@@ -1526,6 +1526,22 @@ class GuardStore:
         with self._connect() as connection:
             return count_pending_approval_requests(connection, status=status)
 
+    def clear_approval_requests(self, *, harness: str | None = None, status: str | None = None) -> int:
+        conditions: list[str] = []
+        params: list[object] = []
+        if harness is not None:
+            conditions.append("harness = ?")
+            params.append(harness)
+        if status is not None:
+            conditions.append("status = ?")
+            params.append(status)
+        query = "delete from approval_requests"
+        if conditions:
+            query += " where " + " and ".join(conditions)
+        with self._connect() as connection:
+            cursor = connection.execute(query, tuple(params))
+            return int(cursor.rowcount if cursor.rowcount is not None else 0)
+
     def list_policy_decisions(self, harness: str | None = None) -> list[dict[str, object]]:
         query = """
             select harness, scope, artifact_id, artifact_hash, workspace, publisher, action, reason, owner, source,
@@ -1557,6 +1573,22 @@ class GuardStore:
             for row in rows
         ]
 
+    def clear_policy_decisions(self, harness: str | None = None, source: str | None = None) -> int:
+        conditions: list[str] = []
+        params: list[object] = []
+        if harness is not None:
+            conditions.append("harness = ?")
+            params.append(harness)
+        if source is not None:
+            conditions.append("source = ?")
+            params.append(source)
+        query = "delete from policy_decisions"
+        if conditions:
+            query += " where " + " and ".join(conditions)
+        with self._connect() as connection:
+            cursor = connection.execute(query, tuple(params))
+            return int(cursor.rowcount if cursor.rowcount is not None else 0)
+
     def get_latest_diff(self, harness: str, artifact_id: str) -> dict[str, object] | None:
         with self._connect() as connection:
             row = connection.execute(
@@ -1727,6 +1759,17 @@ class GuardStore:
                 (state_key,),
             )
 
+    def delete_sync_payloads(self, state_keys: list[str]) -> int:
+        if not state_keys:
+            return 0
+        placeholders = ",".join("?" for _ in state_keys)
+        with self._connect() as connection:
+            cursor = connection.execute(
+                f"delete from sync_state where state_key in ({placeholders})",
+                tuple(state_keys),
+            )
+            return int(cursor.rowcount if cursor.rowcount is not None else 0)
+
     def add_guard_event_v1(self, event: GuardEventV1) -> None:
         with self._connect() as connection:
             self._add_guard_event_v1(connection, event)

{plugin_scanner-2.0.65 → plugin_scanner-2.0.67}/src/codex_plugin_scanner/version.py

@@ -1,3 +1,3 @@
 """Single source of truth for tool version."""
 
-__version__ = "2.0.65"
+__version__ = "2.0.67"