plugin-scanner 2.0.70__tar.gz → 2.0.71__tar.gz

{plugin_scanner-2.0.70 → plugin_scanner-2.0.71}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.70
+Version: 2.0.71
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.70 → plugin_scanner-2.0.71}/docs/guard/harness-support.md

@@ -8,11 +8,13 @@ Current Guard support in this repo:
   - parses configured MCP servers
   - installs Guard-owned Codex `PreToolUse` Bash hooks so native shell commands can be denied before execution even when Codex itself is running in YOLO mode
   - supports wrapper-mode `guard run codex`
+  - wrapper prompt screening now suppresses copied debug and incident context while still escalating risky prompt intent
   - uses same-chat MCP elicitation for live managed MCP tool approvals in the interactive CLI and Codex App
   - falls back to the local approval center only for nonresponsive or headless Codex sessions such as `codex exec`
 - `claude-code`
   - detects global and project settings, hooks, `.mcp.json`, and workspace agents
   - supports local hook install and uninstall in `.claude/settings.local.json`
+  - has native `UserPromptSubmit` and `PreToolUse` Guard hook coverage
   - is the best current harness for graceful approval deferral
 - `copilot`
   - detects read-only user config in `~/.copilot/config.json` and `~/.copilot/mcp-config.json`
@@ -20,9 +22,11 @@ Current Guard support in this repo:
   - detects repo-local Copilot CLI hooks from `.github/hooks/*.json`
   - installs and removes Guard-owned repo hooks in `.github/hooks/hol-guard-copilot.json`
   - supports wrapper-mode `guard run copilot`
+  - has native `userPromptSubmitted`, `preToolUse`, and `postToolUse` hook coverage normalized onto the shared Guard runtime
 - `cursor`
   - detects global and project `mcp.json`
   - supports wrapper-mode management state
+  - wrapper prompt screening is covered for benign debug prompts and risky secret-read prompts
   - leaves native Cursor tool approval in place and focuses Guard on artifact trust
 - `antigravity`
   - detects Antigravity user settings, installed extension profiles, and Antigravity-owned MCP and skill roots
@@ -31,6 +35,7 @@ Current Guard support in this repo:
 - `gemini`
   - detects `.gemini/settings.json`, local extension manifests, embedded MCP declarations, hooks, and Gemini skill directories
   - supports wrapper-mode management state
+  - wrapper prompt screening is covered for benign debug prompts and risky secret-read prompts
   - falls back to the local approval center when Guard blocks a launch
 - `hermes`
   - detects Hermes skills plus MCP servers from `~/.hermes/config.yaml` and `~/.hermes/mcp_servers.json`
@@ -42,6 +47,7 @@ Current Guard support in this repo:
     plugin files, and OpenCode-compatible skill directories
   - supports wrapper-mode management state plus a Guard-owned runtime overlay for native skill approval prompts
   - supports wrapper-mode `guard run opencode`
+  - wrapper prompt screening is covered for benign debug prompts and risky secret-read prompts
   - keeps managed MCP tools on OpenCode native ask so the user can allow once, allow for the session, or reject inline
   - blocks newly introduced OpenCode MCP, plugin, and skill artifacts before launch when local Guard policy requires
     approval
@@ -54,6 +60,14 @@ Approval tiers:
 
 The harness adapters are designed to prefer discovery and reversible overlay behavior over invasive config mutation.
 
+The Guard Surface Server now provides one shared runtime shape across harnesses:
+
+- session attach
+- operation start and status updates
+- approval request items
+- approval-center lease and heartbeat tracking
+- resume or completion after approval
+
 Runtime intent protections:
 
 - Guard evaluates prompt and tool intent for secret-bearing files beyond `.env`, including SSH, AWS, kubeconfig, Docker, npm, and Python credential files.

{plugin_scanner-2.0.70 → plugin_scanner-2.0.71}/docs/guard/testing-matrix.md

@@ -4,6 +4,8 @@ Automated coverage in this phase includes:
 
 - Guard CLI behavior tests for detect, scan, run, diff, receipts, install, uninstall, login, and sync
 - Guard product-flow tests for `hol-guard start`, `hol-guard status`, and launcher shim creation
+- prompt-risk regressions for Codex, Cursor, Gemini, and OpenCode wrapper launches
+- native prompt-hook regressions for Claude Code and Copilot hook events
 - SQLite persistence through real command execution in temporary homes and workspaces
 - consumer-mode JSON contract generation against scanner fixtures
 - local HTTP sync against a live in-process server instead of mocked transport
@@ -20,6 +22,8 @@ Manual verification should include:
 - `hol-guard detect opencode --json`
 - `hol-guard install opencode --json`
 - `hol-guard update --dry-run --json`
+- `hol-guard run cursor --dry-run --default-action allow --json`
+- `hol-guard run gemini --dry-run --default-action allow --json`
 - `hol-guard run opencode --dry-run --default-action allow --json`
 - `hol-guard run opencode --default-action require-reapproval --json`
 - `hol-guard approvals --json`

{plugin_scanner-2.0.70 → plugin_scanner-2.0.71}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.70"
+version = "2.0.71"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.70 → plugin_scanner-2.0.71}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.70"
+version = "2.0.71"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.70 → plugin_scanner-2.0.71}/src/codex_plugin_scanner/guard/adapters/copilot.py

@@ -25,7 +25,7 @@ from .mcp_servers import (
     skipped_stdio_server_names,
 )
 
-_MANAGED_HOOK_EVENTS = ("preToolUse", "postToolUse", "permissionRequest")
+_MANAGED_HOOK_EVENTS = ("userPromptSubmitted", "preToolUse", "postToolUse", "permissionRequest")
 _DETECTABLE_HOOK_EVENTS = (
     "sessionStart",
     "sessionEnd",

{plugin_scanner-2.0.70 → plugin_scanner-2.0.71}/src/codex_plugin_scanner/guard/adapters/cursor.py

@@ -2,6 +2,8 @@
 
 from __future__ import annotations
 
+from pathlib import Path
+
 from ..models import GuardArtifact, HarnessDetection
 from .base import HarnessAdapter, HarnessContext, _command_available, _json_payload, _run_command_probe
 
@@ -25,6 +27,11 @@ class CursorHarnessAdapter(HarnessAdapter):
             return "project"
         return "global"
 
+    def policy_path(self, context: HarnessContext) -> Path:
+        if context.workspace_dir is not None:
+            return context.workspace_dir / ".cursor" / "mcp.json"
+        return context.home_dir / ".cursor" / "mcp.json"
+
     def detect(self, context: HarnessContext) -> HarnessDetection:
         config_paths = [context.home_dir / ".cursor" / "mcp.json"]
         if context.workspace_dir is not None:

{plugin_scanner-2.0.70 → plugin_scanner-2.0.71}/src/codex_plugin_scanner/guard/adapters/gemini.py

@@ -39,6 +39,11 @@ class GeminiHarnessAdapter(HarnessAdapter):
             return ()
         return tuple(str(value) for value in raw_args if isinstance(value, str))
 
+    def policy_path(self, context: HarnessContext) -> Path:
+        if context.workspace_dir is not None:
+            return context.workspace_dir / ".gemini" / "settings.json"
+        return context.home_dir / ".gemini" / "settings.json"
+
     def detect(self, context: HarnessContext) -> HarnessDetection:
         artifacts: list[GuardArtifact] = []
         found_paths: list[str] = []

{plugin_scanner-2.0.70 → plugin_scanner-2.0.71}/src/codex_plugin_scanner/guard/adapters/opencode.py

@@ -97,6 +97,11 @@ class OpenCodeHarnessAdapter(HarnessAdapter):
             return "project"
         return "global"
 
+    def policy_path(self, context: HarnessContext) -> Path:
+        if context.workspace_dir is not None:
+            return context.workspace_dir / "opencode.json"
+        return context.home_dir / ".config" / "opencode" / "opencode.json"
+
     def detect(self, context: HarnessContext) -> HarnessDetection:
         artifacts = []
         found_paths: list[str] = []

{plugin_scanner-2.0.70 → plugin_scanner-2.0.71}/src/codex_plugin_scanner/guard/cli/commands.py

@@ -1484,14 +1484,6 @@ def run_guard_command(
                         artifact=runtime_artifact,
                         artifact_hash=runtime_artifact_hash,
                     )
-                if _should_allow_claude_user_prompt_submit_without_output(
-                    args,
-                    event_name=event_name,
-                    policy_action=policy_action,
-                    artifact=runtime_artifact,
-                    output_stream=output_stream,
-                ):
-                    return 0
                 if _should_emit_copilot_hook_response(args):
                     _emit_copilot_hook_response(
                         policy_action=policy_action,
@@ -1866,23 +1858,6 @@ def _should_emit_prequeue_native_hook_response(
     return output_stream is not None
 
 
-def _should_allow_claude_user_prompt_submit_without_output(
-    args: argparse.Namespace,
-    *,
-    event_name: str,
-    policy_action: str,
-    artifact: GuardArtifact,
-    output_stream: TextIO | None,
-) -> bool:
-    return (
-        _canonical_harness_name(args.harness) == "claude-code"
-        and event_name == "UserPromptSubmit"
-        and policy_action == "require-reapproval"
-        and not _prompt_requires_hard_block(artifact)
-        and (not getattr(args, "json", False) or output_stream is not None)
-    )
-
-
 def _emit_claude_permission_request_passthrough(*, output_stream: TextIO | None = None) -> None:
     if output_stream is not None:
         output_stream.write("")
@@ -3070,6 +3045,8 @@ def _emit_native_hook_response(
                 "hookEventName": event_name,
                 "additionalContext": additional_context,
             }
+        elif _canonical_harness_name(harness) in {"claude-code", "codex"}:
+            payload["hookSpecificOutput"] = {"hookEventName": event_name}
         if payload:
             _write_json_line(payload, output_stream=output_stream)
         return
@@ -3432,11 +3409,20 @@ def _optional_string(value: object | None) -> str | None:
     return None
 
 
+_HOOK_EVENT_NAME_MAP = {
+    "userpromptsubmitted": "UserPromptSubmit",
+    "pretooluse": "PreToolUse",
+    "posttooluse": "PostToolUse",
+    "permissionrequest": "PermissionRequest",
+}
+
+
 def _hook_event_name(payload: dict[str, object]) -> str | None:
     for key in ("event", "hook_event_name", "hookEventName", "hook_name"):
         value = payload.get(key)
         if isinstance(value, str) and value.strip():
-            return value.strip()
+            normalized = value.strip()
+            return _HOOK_EVENT_NAME_MAP.get(normalized.lower(), normalized)
     return None
 
 

{plugin_scanner-2.0.70 → plugin_scanner-2.0.71}/src/codex_plugin_scanner/guard/runtime/runner.py

@@ -58,22 +58,87 @@ _SECRET_ABSOLUTE_HINTS: tuple[tuple[str, str], ...] = (
     ("/.kube/config", "kubeconfig"),
     ("/.docker/config.json", "Docker credentials"),
 )
-_EXFIL_PROMPT_PATTERN = re.compile(
-    r"\b(upload|exfiltrate|send|post|sync|webhook|paste|gist|transfer)\b",
+_SECRET_READ_INTENT_PATTERN = re.compile(
+    r"\b("
+    r"read|open|print|show|dump|cat|head|tail|less|copy|cp|scp|reveal|display|summari[sz]e|inspect|extract|"
+    r"contain(?:s)?|contents?\s+of|what(?:'s| is)\s+in"
+    r")\b",
     re.IGNORECASE,
 )
-_DESTRUCTIVE_PROMPT_PATTERN = re.compile(
-    r"\b(rm\s+-rf|rm\s+|del\s+|truncate\s+|chmod\s+|chown\s+|mv\s+|overwrite)\b",
-    re.IGNORECASE,
+_EXFIL_PROMPT_PATTERNS: tuple[re.Pattern[str], ...] = (
+    re.compile(
+        r"\b(?:upload|exfiltrate|transfer|paste|gist|webhook)\b.{0,80}\b"
+        r"(?:file|contents?|data|payload|secret|token|key|credential|credentials|config|output)\b",
+        re.IGNORECASE,
+    ),
+    re.compile(
+        r"\b(?:send|post|upload|transfer|paste|sync)\b.{0,80}\b"
+        r"(?:contents?|data|payload|file|secret|token|key|credential|credentials|config|output)\b"
+        r"(?:.{0,40}\b(?:to|into|onto|via|through)\b)?",
+        re.IGNORECASE,
+    ),
+    re.compile(
+        r"\b(?:send|post|upload|transfer|paste|sync)\b.{0,80}\b"
+        r"(?:to|into|onto|via|through)\b.{0,40}\b"
+        r"(?:webhook|gist|pastebin|slack|discord|telegram|server|endpoint|url)\b",
+        re.IGNORECASE,
+    ),
+    re.compile(
+        r"\b(?:send|post|upload|transfer|paste|sync)\b.{0,120}"
+        r"(?:"
+        r"(?<![\w-])\.env(?:\.[\w.-]+)?\b|"
+        r"(?:^|[\s'\"`])~?/.ssh(?:/|\b)|"
+        r"(?:^|[\s'\"`])~?/.aws/(?:credentials|config)\b|"
+        r"(?:^|[\s'\"`])~?/.kube/config\b|"
+        r"(?:^|[\s'\"`])~?/.docker/config\.json\b|"
+        r"(?<![\w-])\.npmrc\b|"
+        r"(?<![\w-])\.pypirc\b|"
+        r"(?<![\w-])\.git-credentials\b|"
+        r"/.ssh/|"
+        r"/.aws/credentials|"
+        r"/.aws/config|"
+        r"/.kube/config|"
+        r"/.docker/config\.json"
+        r")"
+        r".{0,80}\b(?:to|into|onto|via|through)\b.{0,80}"
+        r"(?:[a-z][a-z0-9+.-]*://|webhook|gist|pastebin|slack|discord|telegram|server|endpoint|url)\b",
+        re.IGNORECASE,
+    ),
 )
-_SUBPROCESS_PROMPT_PATTERN = re.compile(
-    r"\b(?:bash\s+-c|sh\s+-c|zsh\s+-c|powershell|cmd\s+/c|subprocess)\b|(?:exec|spawn)\s*\(",
-    re.IGNORECASE,
+_DESTRUCTIVE_PROMPT_PATTERNS: tuple[re.Pattern[str], ...] = (
+    re.compile(
+        r"\b(?:run|execute|use|call|invoke)\b.{0,40}\b(?:rm\s+-rf|rm\s+|del\s+|truncate\s+|chmod\s+|chown\s+|mv\s+)",
+        re.IGNORECASE,
+    ),
+    re.compile(
+        r"(?:^|[\s'\"`(])(?:rm\s+-rf|rm\s+\S|del\s+\S|truncate\s+\S|chmod\s+\S|chown\s+\S|mv\s+\S)",
+        re.IGNORECASE,
+    ),
+    re.compile(
+        r"\b(?:delete|remove|overwrite|truncate)\b.{0,60}\b(?:file|directory|repo|workspace|contents?)\b",
+        re.IGNORECASE,
+    ),
+)
+_SUBPROCESS_PROMPT_PATTERNS: tuple[re.Pattern[str], ...] = (
+    re.compile(
+        r"\b(?:run|execute|use|call|invoke|launch|spawn)\b.{0,60}\b"
+        r"(?:bash\s+-c|sh\s+-c|zsh\s+-c|powershell|cmd\s+/c|subprocess|exec\(|spawn\()",
+        re.IGNORECASE,
+    ),
+    re.compile(
+        r"(?:^|[\s'\"`(])(?:bash\s+-c\b|sh\s+-c\b|zsh\s+-c\b|powershell(?:\.exe)?(?:\s|$)|cmd\s+/c(?:\s|$)|subprocess\.(?:run|Popen|call|check_call|check_output)\b|exec\(|spawn\()",
+        re.IGNORECASE,
+    ),
+    re.compile(
+        r"\b(?:use|call|invoke)\b.{0,40}\bsubprocess\b",
+        re.IGNORECASE,
+    ),
 )
 _GUARD_BYPASS_PROMPT_PATTERN = re.compile(
     r"\b(hol-guard\s+(?:disable|off|uninstall)|disable\s+hol-guard|approval_policy\s*=\s*\"never\"|guard[_-]?bypass)\b",
     re.IGNORECASE,
 )
+_PROMPT_SENTENCE_BOUNDARY_PATTERN = re.compile(r"[!?;]|[.](?=\s|$)")
 _GUARD_SYNC_USER_AGENT = f"hol-guard/{__version__}"
 _SYNC_HTTP_TIMEOUT_SECONDS = 20
 _SYNC_HTTP_RETRY_TIMEOUT_SECONDS = 120
@@ -91,6 +156,55 @@ class GuardSyncNotAvailableError(RuntimeError):
     """Raised when the sync endpoint returns 403 (free-plan restriction)."""
 
 
+def _prompt_sentence_start(text: str, index: int) -> int:
+    matches = list(_PROMPT_SENTENCE_BOUNDARY_PATTERN.finditer(text, 0, index))
+    return matches[-1].end() if matches else 0
+
+
+def _prompt_sentence_end(text: str, index: int) -> int:
+    match = _PROMPT_SENTENCE_BOUNDARY_PATTERN.search(text, index)
+    return match.end() if match is not None else len(text)
+
+
+def _prompt_secret_intent_region(text: str, *, start: int, end: int) -> str:
+    current_sentence_start = _prompt_sentence_start(text, start)
+    region_start = _prompt_sentence_start(text, max(0, current_sentence_start - 1))
+    first_sentence_end = _prompt_sentence_end(text, end)
+    second_sentence_end = (
+        _prompt_sentence_end(text, first_sentence_end) if first_sentence_end < len(text) else first_sentence_end
+    )
+    return text[region_start:second_sentence_end]
+
+
+def _prompt_has_secret_read_intent(prompt_text: str, *, start: int, end: int) -> bool:
+    return (
+        _SECRET_READ_INTENT_PATTERN.search(
+            _prompt_secret_intent_region(prompt_text, start=start, end=end),
+        )
+        is not None
+    )
+
+
+def _first_match(patterns: tuple[re.Pattern[str], ...], text: str) -> re.Match[str] | None:
+    for pattern in patterns:
+        match = pattern.search(text)
+        if match is not None:
+            return match
+    return None
+
+
+def _iter_hint_occurrences(text: str, hint: str) -> list[tuple[int, int]]:
+    occurrences: list[tuple[int, int]] = []
+    current_pos = 0
+    while True:
+        start = text.find(hint, current_pos)
+        if start == -1:
+            return occurrences
+        end = start + len(hint)
+        occurrences.append((start, end))
+        current_pos = start + 1
+
+
 def guard_run(
     harness: str,
     context: HarnessContext,
@@ -122,6 +236,12 @@ def guard_run(
             if key in pending_evaluation:
                 reevaluated[key] = pending_evaluation[key]
         evaluation = reevaluated
+    if "config_paths" not in evaluation:
+        evaluation["config_paths"] = list(detection.config_paths) or _guard_run_config_paths(
+            detection=detection,
+            context=context,
+            passthrough_args=passthrough_args,
+        )
     if evaluation["blocked"] or dry_run:
         evaluation["launched"] = False
         evaluation["launch_command"] = []
@@ -147,6 +267,20 @@ def guard_run(
     return evaluation
 
 
+def _guard_run_config_paths(
+    *,
+    detection: HarnessDetection,
+    context: HarnessContext,
+    passthrough_args: list[str],
+) -> list[str]:
+    if detection.config_paths:
+        return list(detection.config_paths)
+    prompt_text = " ".join(value.strip() for value in passthrough_args if value.strip())
+    if prompt_text:
+        return [str(_prompt_policy_path(detection, context))]
+    return []
+
+
 def _detection_with_prompt_artifacts(
     detection: HarnessDetection,
     context: HarnessContext,
@@ -210,20 +344,25 @@ def extract_prompt_requests(prompt_text: str) -> list[PromptRequest]:
         )
 
     for pattern, label in _SECRET_REQUEST_PATTERNS:
-        match = pattern.search(normalized_prompt)
-        if match is None:
-            continue
-        add_secret_request(label=label, matched=match.group(0).strip())
+        for match in pattern.finditer(normalized_prompt):
+            if not _prompt_has_secret_read_intent(normalized_prompt, start=match.start(), end=match.end()):
+                continue
+            add_secret_request(label=label, matched=match.group(0).strip())
+            break
     for hint, label in _SECRET_ABSOLUTE_HINTS:
-        if hint in lowered:
-            add_secret_request(label=label, matched=hint)
-    if _EXFIL_PROMPT_PATTERN.search(normalized_prompt):
+        for start, end in _iter_hint_occurrences(lowered, hint):
+            if _prompt_has_secret_read_intent(normalized_prompt, start=start, end=end):
+                add_secret_request(label=label, matched=hint)
+                break
+    exfil_match = _first_match(_EXFIL_PROMPT_PATTERNS, normalized_prompt)
+    if exfil_match is not None:
+        matched_text = exfil_match.group(0).strip()
         requests.append(
             PromptRequest(
-                request_id=_prompt_request_id("exfil_intent", "exfil", lowered),
+                request_id=_prompt_request_id("exfil_intent", matched_text, lowered),
                 request_class="exfil_intent",
                 summary="Prompt includes exfiltration-oriented transfer intent.",
-                matched_text="exfil-transfer",
+                matched_text=matched_text,
                 severity=8,
                 confidence=0.84,
                 remediation=(
@@ -236,13 +375,19 @@ def extract_prompt_requests(prompt_text: str) -> list[PromptRequest]:
                 ),
             )
         )
-    if _DESTRUCTIVE_PROMPT_PATTERN.search(normalized_prompt):
+    destructive_match = _first_match(_DESTRUCTIVE_PROMPT_PATTERNS, normalized_prompt)
+    if destructive_match is not None:
+        matched_text = destructive_match.group(0).strip()
         requests.append(
             PromptRequest(
-                request_id=_prompt_request_id("destructive_intent", "destructive", lowered),
+                request_id=_prompt_request_id(
+                    "destructive_intent",
+                    matched_text,
+                    lowered,
+                ),
                 request_class="destructive_intent",
                 summary="Prompt includes destructive filesystem mutation intent.",
-                matched_text="destructive-operation",
+                matched_text=matched_text,
                 severity=8,
                 confidence=0.87,
                 remediation=(
@@ -259,13 +404,19 @@ def extract_prompt_requests(prompt_text: str) -> list[PromptRequest]:
                 ),
             )
         )
-    if _SUBPROCESS_PROMPT_PATTERN.search(normalized_prompt):
+    subprocess_match = _first_match(_SUBPROCESS_PROMPT_PATTERNS, normalized_prompt)
+    if subprocess_match is not None:
+        matched_text = subprocess_match.group(0).strip()
         requests.append(
             PromptRequest(
-                request_id=_prompt_request_id("subprocess_intent", "subprocess", lowered),
+                request_id=_prompt_request_id(
+                    "subprocess_intent",
+                    matched_text,
+                    lowered,
+                ),
                 request_class="subprocess_intent",
                 summary="Prompt asks for subprocess or shell-wrapper execution.",
-                matched_text="subprocess-shell",
+                matched_text=matched_text,
                 severity=7,
                 confidence=0.8,
                 remediation=(
@@ -377,13 +528,7 @@ def _prompt_policy_path(detection: HarnessDetection, context: HarnessContext) ->
                 return candidate
     if config_candidates:
         return Path(config_candidates[0])
-    if detection.harness == "opencode":
-        if context.workspace_dir is not None:
-            return context.workspace_dir / "opencode.json"
-        return context.home_dir / ".config" / "opencode" / "opencode.json"
-    if context.workspace_dir is not None:
-        return context.workspace_dir / ".codex" / "config.toml"
-    return context.home_dir / ".codex" / "config.toml"
+    return get_adapter(detection.harness).policy_path(context)
 
 
 def _prompt_config_candidates(detection: HarnessDetection, context: HarnessContext) -> tuple[str, ...]:

{plugin_scanner-2.0.70 → plugin_scanner-2.0.71}/src/codex_plugin_scanner/version.py

@@ -1,3 +1,3 @@
 """Single source of truth for tool version."""
 
-__version__ = "2.0.70"
+__version__ = "2.0.71"

{plugin_scanner-2.0.70 → plugin_scanner-2.0.71}/tests/test_guard_claude_adapter.py

@@ -371,7 +371,7 @@ def test_claude_daemon_hook_command_survives_shell_execution(tmp_path):
 
     assert result.returncode == 0
     assert result.stderr == ""
-    assert result.stdout == ""
+    assert json.loads(result.stdout) == {"hookSpecificOutput": {"hookEventName": "UserPromptSubmit"}}
 
 
 def test_claude_daemon_hook_command_falls_back_without_blocking_prompt_on_daemon_miss(tmp_path):
@@ -394,7 +394,13 @@ def test_claude_daemon_hook_command_falls_back_without_blocking_prompt_on_daemon
     )
     assert result.returncode == 0
     assert result.stderr == ""
-    assert result.stdout == ""
+    payload = json.loads(result.stdout)
+    assert payload["systemMessage"].startswith("HOL Guard intercepted this prompt")
+    assert payload["hookSpecificOutput"]["hookEventName"] == "UserPromptSubmit"
+    assert (
+        "HOL Guard will intercept Claude's next attempt to access local secrets"
+        in (payload["hookSpecificOutput"]["additionalContext"])
+    )
 
 
 def test_claude_daemon_hook_command_falls_back_to_native_ask_on_daemon_miss(tmp_path):

{plugin_scanner-2.0.70 → plugin_scanner-2.0.71}/tests/test_guard_copilot_adapter.py

@@ -219,6 +219,7 @@ def test_copilot_install_and_uninstall_manage_inline_config_hooks_idempotently(t
         assert first_install["active"] is True
         assert second_install["active"] is True
         assert first_install["config_path"] == str(config_path)
+        assert len(managed_hooks["userPromptSubmitted"]) == 1
         assert len(managed_hooks["preToolUse"]) == 1
         assert len(managed_hooks["postToolUse"]) == 1
         assert len(managed_hooks["permissionRequest"]) == 1
@@ -230,8 +231,10 @@ def test_copilot_install_and_uninstall_manage_inline_config_hooks_idempotently(t
         assert "copilot" in managed_hooks["preToolUse"][0]["bash"]
         assert "--workspace" not in managed_hooks["preToolUse"][0]["bash"]
         assert "from codex_plugin_scanner.cli import main" in managed_hooks["preToolUse"][0]["powershell"]
+        assert "from codex_plugin_scanner.cli import main" in managed_hooks["userPromptSubmitted"][0]["bash"]
         assert managed_hooks["postToolUse"][0]["type"] == "command"
         assert "from codex_plugin_scanner.cli import main" in managed_hooks["postToolUse"][0]["bash"]
+        assert len(managed_workspace_hooks["userPromptSubmitted"]) == 1
         assert len(managed_workspace_hooks["preToolUse"]) == 1
         assert len(managed_workspace_hooks["postToolUse"]) == 1
         assert len(managed_workspace_hooks["permissionRequest"]) == 1