plugin-scanner 2.0.70__tar.gz → 2.0.72__tar.gz

{plugin_scanner-2.0.70 → plugin_scanner-2.0.72}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.70
+Version: 2.0.72
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.70 → plugin_scanner-2.0.72}/docs/guard/harness-support.md

@@ -8,11 +8,13 @@ Current Guard support in this repo:
   - parses configured MCP servers
   - installs Guard-owned Codex `PreToolUse` Bash hooks so native shell commands can be denied before execution even when Codex itself is running in YOLO mode
   - supports wrapper-mode `guard run codex`
+  - wrapper prompt screening now suppresses copied debug and incident context while still escalating risky prompt intent
   - uses same-chat MCP elicitation for live managed MCP tool approvals in the interactive CLI and Codex App
   - falls back to the local approval center only for nonresponsive or headless Codex sessions such as `codex exec`
 - `claude-code`
   - detects global and project settings, hooks, `.mcp.json`, and workspace agents
   - supports local hook install and uninstall in `.claude/settings.local.json`
+  - has native `UserPromptSubmit` and `PreToolUse` Guard hook coverage
   - is the best current harness for graceful approval deferral
 - `copilot`
   - detects read-only user config in `~/.copilot/config.json` and `~/.copilot/mcp-config.json`
@@ -20,9 +22,11 @@ Current Guard support in this repo:
   - detects repo-local Copilot CLI hooks from `.github/hooks/*.json`
   - installs and removes Guard-owned repo hooks in `.github/hooks/hol-guard-copilot.json`
   - supports wrapper-mode `guard run copilot`
+  - has native `userPromptSubmitted`, `preToolUse`, and `postToolUse` hook coverage normalized onto the shared Guard runtime
 - `cursor`
   - detects global and project `mcp.json`
   - supports wrapper-mode management state
+  - wrapper prompt screening is covered for benign debug prompts and risky secret-read prompts
   - leaves native Cursor tool approval in place and focuses Guard on artifact trust
 - `antigravity`
   - detects Antigravity user settings, installed extension profiles, and Antigravity-owned MCP and skill roots
@@ -31,6 +35,7 @@ Current Guard support in this repo:
 - `gemini`
   - detects `.gemini/settings.json`, local extension manifests, embedded MCP declarations, hooks, and Gemini skill directories
   - supports wrapper-mode management state
+  - wrapper prompt screening is covered for benign debug prompts and risky secret-read prompts
   - falls back to the local approval center when Guard blocks a launch
 - `hermes`
   - detects Hermes skills plus MCP servers from `~/.hermes/config.yaml` and `~/.hermes/mcp_servers.json`
@@ -42,6 +47,7 @@ Current Guard support in this repo:
     plugin files, and OpenCode-compatible skill directories
   - supports wrapper-mode management state plus a Guard-owned runtime overlay for native skill approval prompts
   - supports wrapper-mode `guard run opencode`
+  - wrapper prompt screening is covered for benign debug prompts and risky secret-read prompts
   - keeps managed MCP tools on OpenCode native ask so the user can allow once, allow for the session, or reject inline
   - blocks newly introduced OpenCode MCP, plugin, and skill artifacts before launch when local Guard policy requires
     approval
@@ -54,6 +60,14 @@ Approval tiers:
 
 The harness adapters are designed to prefer discovery and reversible overlay behavior over invasive config mutation.
 
+The Guard Surface Server now provides one shared runtime shape across harnesses:
+
+- session attach
+- operation start and status updates
+- approval request items
+- approval-center lease and heartbeat tracking
+- resume or completion after approval
+
 Runtime intent protections:
 
 - Guard evaluates prompt and tool intent for secret-bearing files beyond `.env`, including SSH, AWS, kubeconfig, Docker, npm, and Python credential files.

{plugin_scanner-2.0.70 → plugin_scanner-2.0.72}/docs/guard/testing-matrix.md

@@ -4,6 +4,8 @@ Automated coverage in this phase includes:
 
 - Guard CLI behavior tests for detect, scan, run, diff, receipts, install, uninstall, login, and sync
 - Guard product-flow tests for `hol-guard start`, `hol-guard status`, and launcher shim creation
+- prompt-risk regressions for Codex, Cursor, Gemini, and OpenCode wrapper launches
+- native prompt-hook regressions for Claude Code and Copilot hook events
 - SQLite persistence through real command execution in temporary homes and workspaces
 - consumer-mode JSON contract generation against scanner fixtures
 - local HTTP sync against a live in-process server instead of mocked transport
@@ -20,6 +22,8 @@ Manual verification should include:
 - `hol-guard detect opencode --json`
 - `hol-guard install opencode --json`
 - `hol-guard update --dry-run --json`
+- `hol-guard run cursor --dry-run --default-action allow --json`
+- `hol-guard run gemini --dry-run --default-action allow --json`
 - `hol-guard run opencode --dry-run --default-action allow --json`
 - `hol-guard run opencode --default-action require-reapproval --json`
 - `hol-guard approvals --json`

{plugin_scanner-2.0.70 → plugin_scanner-2.0.72}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.70"
+version = "2.0.72"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.70 → plugin_scanner-2.0.72}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.70"
+version = "2.0.72"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.70 → plugin_scanner-2.0.72}/src/codex_plugin_scanner/guard/adapters/copilot.py

@@ -25,7 +25,7 @@ from .mcp_servers import (
     skipped_stdio_server_names,
 )
 
-_MANAGED_HOOK_EVENTS = ("preToolUse", "postToolUse", "permissionRequest")
+_MANAGED_HOOK_EVENTS = ("userPromptSubmitted", "preToolUse", "postToolUse", "permissionRequest")
 _DETECTABLE_HOOK_EVENTS = (
     "sessionStart",
     "sessionEnd",

{plugin_scanner-2.0.70 → plugin_scanner-2.0.72}/src/codex_plugin_scanner/guard/adapters/cursor.py

@@ -2,6 +2,8 @@
 
 from __future__ import annotations
 
+from pathlib import Path
+
 from ..models import GuardArtifact, HarnessDetection
 from .base import HarnessAdapter, HarnessContext, _command_available, _json_payload, _run_command_probe
 
@@ -25,6 +27,11 @@ class CursorHarnessAdapter(HarnessAdapter):
             return "project"
         return "global"
 
+    def policy_path(self, context: HarnessContext) -> Path:
+        if context.workspace_dir is not None:
+            return context.workspace_dir / ".cursor" / "mcp.json"
+        return context.home_dir / ".cursor" / "mcp.json"
+
     def detect(self, context: HarnessContext) -> HarnessDetection:
         config_paths = [context.home_dir / ".cursor" / "mcp.json"]
         if context.workspace_dir is not None:

{plugin_scanner-2.0.70 → plugin_scanner-2.0.72}/src/codex_plugin_scanner/guard/adapters/gemini.py

@@ -39,6 +39,11 @@ class GeminiHarnessAdapter(HarnessAdapter):
             return ()
         return tuple(str(value) for value in raw_args if isinstance(value, str))
 
+    def policy_path(self, context: HarnessContext) -> Path:
+        if context.workspace_dir is not None:
+            return context.workspace_dir / ".gemini" / "settings.json"
+        return context.home_dir / ".gemini" / "settings.json"
+
     def detect(self, context: HarnessContext) -> HarnessDetection:
         artifacts: list[GuardArtifact] = []
         found_paths: list[str] = []

{plugin_scanner-2.0.70 → plugin_scanner-2.0.72}/src/codex_plugin_scanner/guard/adapters/opencode.py

@@ -97,6 +97,11 @@ class OpenCodeHarnessAdapter(HarnessAdapter):
             return "project"
         return "global"
 
+    def policy_path(self, context: HarnessContext) -> Path:
+        if context.workspace_dir is not None:
+            return context.workspace_dir / "opencode.json"
+        return context.home_dir / ".config" / "opencode" / "opencode.json"
+
     def detect(self, context: HarnessContext) -> HarnessDetection:
         artifacts = []
         found_paths: list[str] = []

{plugin_scanner-2.0.70 → plugin_scanner-2.0.72}/src/codex_plugin_scanner/guard/approvals.py

@@ -119,7 +119,7 @@ def apply_approval_resolution(
     if scope == "publisher" and not isinstance(request.get("publisher"), str):
         raise ValueError(f"Approval request {request_id} has no publisher scope to approve.")
     decision = PolicyDecision(
-        harness=str(request["harness"]),
+        harness="*" if scope == "global" else str(request["harness"]),
         scope=scope,
         action="allow" if action == "allow" else "block",
         artifact_id=str(request["artifact_id"]) if scope == "artifact" else None,
@@ -130,8 +130,9 @@ def apply_approval_resolution(
     )
     store.upsert_policy(decision, now or _now())
     resolved_at = now or _now()
+    resolution_harness = None if scope == "global" else str(request["harness"])
     resolved_ids = store.resolve_matching_approval_requests(
-        harness=str(request["harness"]),
+        harness=resolution_harness,
         scope=scope,
         artifact_id=str(request["artifact_id"]) if scope == "artifact" else None,
         workspace=workspace if scope == "workspace" else None,

{plugin_scanner-2.0.70 → plugin_scanner-2.0.72}/src/codex_plugin_scanner/guard/cli/commands.py

@@ -1484,14 +1484,6 @@ def run_guard_command(
                         artifact=runtime_artifact,
                         artifact_hash=runtime_artifact_hash,
                     )
-                if _should_allow_claude_user_prompt_submit_without_output(
-                    args,
-                    event_name=event_name,
-                    policy_action=policy_action,
-                    artifact=runtime_artifact,
-                    output_stream=output_stream,
-                ):
-                    return 0
                 if _should_emit_copilot_hook_response(args):
                     _emit_copilot_hook_response(
                         policy_action=policy_action,
@@ -1866,23 +1858,6 @@ def _should_emit_prequeue_native_hook_response(
     return output_stream is not None
 
 
-def _should_allow_claude_user_prompt_submit_without_output(
-    args: argparse.Namespace,
-    *,
-    event_name: str,
-    policy_action: str,
-    artifact: GuardArtifact,
-    output_stream: TextIO | None,
-) -> bool:
-    return (
-        _canonical_harness_name(args.harness) == "claude-code"
-        and event_name == "UserPromptSubmit"
-        and policy_action == "require-reapproval"
-        and not _prompt_requires_hard_block(artifact)
-        and (not getattr(args, "json", False) or output_stream is not None)
-    )
-
-
 def _emit_claude_permission_request_passthrough(*, output_stream: TextIO | None = None) -> None:
     if output_stream is not None:
         output_stream.write("")
@@ -3070,6 +3045,8 @@ def _emit_native_hook_response(
                 "hookEventName": event_name,
                 "additionalContext": additional_context,
             }
+        elif _canonical_harness_name(harness) in {"claude-code", "codex"}:
+            payload["hookSpecificOutput"] = {"hookEventName": event_name}
         if payload:
             _write_json_line(payload, output_stream=output_stream)
         return
@@ -3432,11 +3409,20 @@ def _optional_string(value: object | None) -> str | None:
     return None
 
 
+_HOOK_EVENT_NAME_MAP = {
+    "userpromptsubmitted": "UserPromptSubmit",
+    "pretooluse": "PreToolUse",
+    "posttooluse": "PostToolUse",
+    "permissionrequest": "PermissionRequest",
+}
+
+
 def _hook_event_name(payload: dict[str, object]) -> str | None:
     for key in ("event", "hook_event_name", "hookEventName", "hook_name"):
         value = payload.get(key)
         if isinstance(value, str) and value.strip():
-            return value.strip()
+            normalized = value.strip()
+            return _HOOK_EVENT_NAME_MAP.get(normalized.lower(), normalized)
     return None
 
 

{plugin_scanner-2.0.70 → plugin_scanner-2.0.72}/src/codex_plugin_scanner/guard/daemon/server.py

@@ -26,6 +26,7 @@ from ..store import GuardStore
 from .manager import (
     GUARD_DAEMON_COMPATIBILITY_VERSION,
     clear_guard_daemon_state,
+    load_guard_daemon_auth_token,
     write_guard_daemon_state,
 )
 
@@ -59,18 +60,19 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
     _MAX_BODY_BYTES = 1_000_000
 
     def do_OPTIONS(self) -> None:
-        parsed = urlparse(self.path)
-        if parsed.path in {"/v1/connect/complete", "/v1/connect/state"}:
-            origin = self._normalize_origin(self.headers.get("Origin"))
-            if origin is None:
-                self._write_empty(status=400)
-                return
-            self._write_empty(
-                status=200,
-                extra_headers=self._cors_headers(origin, allow_methods="GET, POST, OPTIONS"),
-            )
+        origin = self._normalize_origin(self.headers.get("Origin"))
+        if origin is None:
+            self._write_empty(status=400)
+            return
+        if not self._origin_is_allowed():
+            self._write_empty(status=403)
             return
-        self._write_empty(status=404)
+        self._write_empty(
+            status=200,
+            extra_headers=self._cors_headers(
+                origin, allow_methods="GET, POST, OPTIONS", allow_headers="Content-Type, X-Guard-Token"
+            ),
+        )
 
     def do_GET(self) -> None:
         store = self.server.store  # type: ignore[attr-defined]
@@ -205,11 +207,19 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
         if parsed.path != "/v1/connect/complete" and not self._origin_is_allowed():
             self._write_json({"error": "forbidden_origin"}, status=403)
             return
+        path_parts = [part for part in parsed.path.split("/") if part]
+        if self._requires_header_token(parsed.path, path_parts) and not self._header_token_is_valid():
+            origin = self._normalize_origin(self.headers.get("Origin"))
+            self._write_json(
+                {"error": "unauthorized"},
+                status=401,
+                extra_headers=self._cors_headers(origin) if origin is not None else None,
+            )
+            return
         payload, body_error = self._load_request_body()
         if body_error is not None:
             self._write_json({"error": body_error}, status=400)
             return
-        path_parts = [part for part in parsed.path.split("/") if part]
         if parsed.path == "/v1/initialize":
             self._handle_initialize(payload)
             return
@@ -217,78 +227,42 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
             self._handle_claude_hook(payload, parsed.query)
             return
         if parsed.path == "/v1/clients/attach":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_client_attach(payload)
             return
         if parsed.path == "/v1/clients/heartbeat":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_client_heartbeat(payload)
             return
         if parsed.path == "/v1/sessions/start":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_session_start(payload)
             return
         if parsed.path == "/v1/operations/start":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_operation_start(payload)
             return
         if parsed.path == "/v1/connect/requests":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_connect_request_create(payload)
             return
         if parsed.path == "/v1/connect/complete":
             self._handle_connect_complete(payload)
             return
         if parsed.path == "/v1/connect/result":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_connect_result_update(payload)
             return
         if parsed.path == "/v1/operations/block":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_operation_block(payload)
             return
         if len(path_parts) == 4 and path_parts[:2] == ["v1", "operations"] and path_parts[3] == "items":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_operation_item(path_parts[2], payload)
             return
         if len(path_parts) == 4 and path_parts[:2] == ["v1", "operations"] and path_parts[3] == "status":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_operation_status(path_parts[2], payload)
             return
         if parsed.path == "/v1/policy/decisions":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_policy_upsert(payload)
             return
         if parsed.path == "/v1/policy/clear":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_policy_clear(payload)
             return
         if parsed.path == "/v1/settings":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_settings_update(payload)
             return
         request_id, action, matched = self._resolve_request_action(path_parts, payload)
@@ -296,9 +270,6 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
             self.send_response(404)
             self.end_headers()
             return
-        if not self._header_token_is_valid():
-            self._write_json({"error": "unauthorized"}, status=401)
-            return
         if action is None:
             self._write_json({"resolved": False, "error": "missing_required_fields"}, status=400)
             return
@@ -868,11 +839,16 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
         return f"{parsed.scheme}://{host}{port_suffix}"
 
     @staticmethod
-    def _cors_headers(origin: str, *, allow_methods: str = "POST, OPTIONS") -> dict[str, str]:
+    def _cors_headers(
+        origin: str,
+        *,
+        allow_methods: str = "POST, OPTIONS",
+        allow_headers: str = "Content-Type, X-Guard-Token",
+    ) -> dict[str, str]:
         return {
             "Access-Control-Allow-Origin": origin,
             "Access-Control-Allow-Methods": allow_methods,
-            "Access-Control-Allow-Headers": "Content-Type",
+            "Access-Control-Allow-Headers": allow_headers,
             "Vary": "Origin",
         }
 
@@ -959,6 +935,27 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
             return path_parts[1], action.strip(), True
         return None, None, False
 
+    @staticmethod
+    def _requires_header_token(path: str, path_parts: list[str]) -> bool:
+        if path in {
+            "/v1/clients/attach",
+            "/v1/clients/heartbeat",
+            "/v1/sessions/start",
+            "/v1/operations/start",
+            "/v1/connect/requests",
+            "/v1/connect/result",
+            "/v1/operations/block",
+            "/v1/policy/decisions",
+            "/v1/policy/clear",
+            "/v1/settings",
+        }:
+            return True
+        if len(path_parts) == 4 and path_parts[:2] == ["v1", "operations"] and path_parts[3] in {"items", "status"}:
+            return True
+        if len(path_parts) == 4 and path_parts[:2] == ["v1", "requests"] and path_parts[3] in {"approve", "block"}:
+            return True
+        return len(path_parts) == 3 and path_parts[0] == "approvals" and path_parts[2] == "decision"
+
     def _write_json(
         self,
         payload: dict[str, Any],
@@ -1080,7 +1077,7 @@ class GuardDaemonServer:
         self._server = _GuardDaemonHttpServer((host, port), _GuardDaemonHandler)
         self._server.store = store
         self._server.runtime = GuardSurfaceRuntime(store)
-        self._server.auth_token = uuid.uuid4().hex
+        self._server.auth_token = load_guard_daemon_auth_token(store.guard_home) or uuid.uuid4().hex
         self._server.runtime_host = host
         self._server.runtime_session_id = uuid.uuid4().hex
         self._server.runtime_started_at = _now()