PyPI - plugin-scanner - Versions diffs - 2.0.71__tar.gz → 2.0.72__tar.gz - Mend

plugin-scanner 2.0.71tar.gz → 2.0.72tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (331) hide show

{plugin_scanner-2.0.71 → plugin_scanner-2.0.72}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.71
+Version: 2.0.72
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.71 → plugin_scanner-2.0.72}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "plugin-scanner"
-version = "2.0.71"
+version = "2.0.72"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.71 → plugin_scanner-2.0.72}/pyproject.toml.bak RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "hol-guard"
-version = "2.0.71"
+version = "2.0.72"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.71 → plugin_scanner-2.0.72}/src/codex_plugin_scanner/guard/approvals.py RENAMED Viewed

@@ -119,7 +119,7 @@ def apply_approval_resolution(
     if scope == "publisher" and not isinstance(request.get("publisher"), str):
         raise ValueError(f"Approval request {request_id} has no publisher scope to approve.")
     decision = PolicyDecision(
-        harness=str(request["harness"]),
+        harness="*" if scope == "global" else str(request["harness"]),
         scope=scope,
         action="allow" if action == "allow" else "block",
         artifact_id=str(request["artifact_id"]) if scope == "artifact" else None,
@@ -130,8 +130,9 @@ def apply_approval_resolution(
     )
     store.upsert_policy(decision, now or _now())
     resolved_at = now or _now()
+    resolution_harness = None if scope == "global" else str(request["harness"])
     resolved_ids = store.resolve_matching_approval_requests(
-        harness=str(request["harness"]),
+        harness=resolution_harness,
         scope=scope,
         artifact_id=str(request["artifact_id"]) if scope == "artifact" else None,
         workspace=workspace if scope == "workspace" else None,

{plugin_scanner-2.0.71 → plugin_scanner-2.0.72}/src/codex_plugin_scanner/guard/daemon/server.py RENAMED Viewed

@@ -26,6 +26,7 @@ from ..store import GuardStore
 from .manager import (
     GUARD_DAEMON_COMPATIBILITY_VERSION,
     clear_guard_daemon_state,
+    load_guard_daemon_auth_token,
     write_guard_daemon_state,
 )
@@ -59,18 +60,19 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
     _MAX_BODY_BYTES = 1_000_000
     def do_OPTIONS(self) -> None:
-        parsed = urlparse(self.path)
-        if parsed.path in {"/v1/connect/complete", "/v1/connect/state"}:
-            origin = self._normalize_origin(self.headers.get("Origin"))
-            if origin is None:
-                self._write_empty(status=400)
-                return
-            self._write_empty(
-                status=200,
-                extra_headers=self._cors_headers(origin, allow_methods="GET, POST, OPTIONS"),
-            )
+        origin = self._normalize_origin(self.headers.get("Origin"))
+        if origin is None:
+            self._write_empty(status=400)
+            return
+        if not self._origin_is_allowed():
+            self._write_empty(status=403)
             return
-        self._write_empty(status=404)
+        self._write_empty(
+            status=200,
+            extra_headers=self._cors_headers(
+                origin, allow_methods="GET, POST, OPTIONS", allow_headers="Content-Type, X-Guard-Token"
+            ),
+        )
     def do_GET(self) -> None:
         store = self.server.store  # type: ignore[attr-defined]
@@ -205,11 +207,19 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
         if parsed.path != "/v1/connect/complete" and not self._origin_is_allowed():
             self._write_json({"error": "forbidden_origin"}, status=403)
             return
+        path_parts = [part for part in parsed.path.split("/") if part]
+        if self._requires_header_token(parsed.path, path_parts) and not self._header_token_is_valid():
+            origin = self._normalize_origin(self.headers.get("Origin"))
+            self._write_json(
+                {"error": "unauthorized"},
+                status=401,
+                extra_headers=self._cors_headers(origin) if origin is not None else None,
+            )
+            return
         payload, body_error = self._load_request_body()
         if body_error is not None:
             self._write_json({"error": body_error}, status=400)
             return
-        path_parts = [part for part in parsed.path.split("/") if part]
         if parsed.path == "/v1/initialize":
             self._handle_initialize(payload)
             return
@@ -217,78 +227,42 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
             self._handle_claude_hook(payload, parsed.query)
             return
         if parsed.path == "/v1/clients/attach":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_client_attach(payload)
             return
         if parsed.path == "/v1/clients/heartbeat":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_client_heartbeat(payload)
             return
         if parsed.path == "/v1/sessions/start":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_session_start(payload)
             return
         if parsed.path == "/v1/operations/start":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_operation_start(payload)
             return
         if parsed.path == "/v1/connect/requests":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_connect_request_create(payload)
             return
         if parsed.path == "/v1/connect/complete":
             self._handle_connect_complete(payload)
             return
         if parsed.path == "/v1/connect/result":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_connect_result_update(payload)
             return
         if parsed.path == "/v1/operations/block":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_operation_block(payload)
             return
         if len(path_parts) == 4 and path_parts[:2] == ["v1", "operations"] and path_parts[3] == "items":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_operation_item(path_parts[2], payload)
             return
         if len(path_parts) == 4 and path_parts[:2] == ["v1", "operations"] and path_parts[3] == "status":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_operation_status(path_parts[2], payload)
             return
         if parsed.path == "/v1/policy/decisions":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_policy_upsert(payload)
             return
         if parsed.path == "/v1/policy/clear":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_policy_clear(payload)
             return
         if parsed.path == "/v1/settings":
-            if not self._header_token_is_valid():
-                self._write_json({"error": "unauthorized"}, status=401)
-                return
             self._handle_settings_update(payload)
             return
         request_id, action, matched = self._resolve_request_action(path_parts, payload)
@@ -296,9 +270,6 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
             self.send_response(404)
             self.end_headers()
             return
-        if not self._header_token_is_valid():
-            self._write_json({"error": "unauthorized"}, status=401)
-            return
         if action is None:
             self._write_json({"resolved": False, "error": "missing_required_fields"}, status=400)
             return
@@ -868,11 +839,16 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
         return f"{parsed.scheme}://{host}{port_suffix}"
     @staticmethod
-    def _cors_headers(origin: str, *, allow_methods: str = "POST, OPTIONS") -> dict[str, str]:
+    def _cors_headers(
+        origin: str,
+        *,
+        allow_methods: str = "POST, OPTIONS",
+        allow_headers: str = "Content-Type, X-Guard-Token",
+    ) -> dict[str, str]:
         return {
             "Access-Control-Allow-Origin": origin,
             "Access-Control-Allow-Methods": allow_methods,
-            "Access-Control-Allow-Headers": "Content-Type",
+            "Access-Control-Allow-Headers": allow_headers,
             "Vary": "Origin",
         }
@@ -959,6 +935,27 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
             return path_parts[1], action.strip(), True
         return None, None, False
+    @staticmethod
+    def _requires_header_token(path: str, path_parts: list[str]) -> bool:
+        if path in {
+            "/v1/clients/attach",
+            "/v1/clients/heartbeat",
+            "/v1/sessions/start",
+            "/v1/operations/start",
+            "/v1/connect/requests",
+            "/v1/connect/result",
+            "/v1/operations/block",
+            "/v1/policy/decisions",
+            "/v1/policy/clear",
+            "/v1/settings",
+        }:
+            return True
+        if len(path_parts) == 4 and path_parts[:2] == ["v1", "operations"] and path_parts[3] in {"items", "status"}:
+            return True
+        if len(path_parts) == 4 and path_parts[:2] == ["v1", "requests"] and path_parts[3] in {"approve", "block"}:
+            return True
+        return len(path_parts) == 3 and path_parts[0] == "approvals" and path_parts[2] == "decision"
     def _write_json(
         self,
         payload: dict[str, Any],
@@ -1080,7 +1077,7 @@ class GuardDaemonServer:
         self._server = _GuardDaemonHttpServer((host, port), _GuardDaemonHandler)
         self._server.store = store
         self._server.runtime = GuardSurfaceRuntime(store)
-        self._server.auth_token = uuid.uuid4().hex
+        self._server.auth_token = load_guard_daemon_auth_token(store.guard_home) or uuid.uuid4().hex
         self._server.runtime_host = host
         self._server.runtime_session_id = uuid.uuid4().hex
         self._server.runtime_started_at = _now()

{plugin_scanner-2.0.71 → plugin_scanner-2.0.72}/src/codex_plugin_scanner/version.py RENAMED Viewed

@@ -1,3 +1,3 @@
 """Single source of truth for tool version."""
-__version__ = "2.0.71"
+__version__ = "2.0.72"

{plugin_scanner-2.0.71 → plugin_scanner-2.0.72}/tests/test_guard_approvals.py RENAMED Viewed

@@ -418,6 +418,44 @@ class TestGuardApprovals:
         assert resolved["status"] == "resolved"
         assert store.get_approval_request("req-b")["status"] == "resolved"
+    def test_guard_global_scope_resolution_clears_pending_requests_across_harnesses(self, tmp_path):
+        store = GuardStore(tmp_path / "guard-home")
+        for request_id, harness in (("req-codex", "codex"), ("req-copilot", "copilot")):
+            store.add_approval_request(
+                GuardApprovalRequest(
+                    request_id=request_id,
+                    harness=harness,
+                    artifact_id=f"{harness}:project:item",
+                    artifact_name=f"{harness}-item",
+                    artifact_hash=f"hash-{request_id}",
+                    policy_action="require-reapproval",
+                    recommended_scope="global",
+                    changed_fields=("args",),
+                    source_scope="project",
+                    config_path=str(tmp_path / harness / ".config" / "guard.toml"),
+                    review_command=f"hol-guard approvals approve {request_id}",
+                    approval_url=f"http://127.0.0.1:4455/approvals/{request_id}",
+                ),
+                "2026-04-11T00:00:00+00:00",
+            )
+        resolved = apply_approval_resolution(
+            store=store,
+            request_id="req-codex",
+            action="allow",
+            scope="global",
+            workspace=None,
+            reason="trusted globally",
+            now="2026-04-11T00:02:00+00:00",
+        )
+        pending = store.list_approval_requests(status="pending", limit=None)
+        decisions = store.list_policy_decisions()
+        assert resolved["status"] == "resolved"
+        assert pending == []
+        assert decisions[0]["harness"] == "*"
     def test_guard_broad_scope_resolution_clears_more_than_default_pending_page(self, tmp_path):
         store = GuardStore(tmp_path / "guard-home")
         for index in range(520):
@@ -692,6 +730,20 @@ class TestGuardApprovals:
         assert daemon_manager_module.load_guard_daemon_url(guard_home) is None
+    def test_guard_daemon_server_reuses_existing_auth_token(self, tmp_path):
+        store = GuardStore(tmp_path / "guard-home")
+        token_path = store.guard_home / "daemon-auth-token"
+        token_path.parent.mkdir(parents=True, exist_ok=True)
+        token_path.write_text("persisted-token", encoding="utf-8")
+        daemon = GuardDaemonServer(store, host="127.0.0.1", port=0)
+        try:
+            daemon.start()
+            assert daemon._server.auth_token == "persisted-token"
+            assert token_path.read_text(encoding="utf-8").strip() == "persisted-token"
+        finally:
+            daemon.stop()
     def test_guard_daemon_serves_approval_queue_and_resolves_requests(self, tmp_path):
         store = GuardStore(tmp_path / "guard-home")
         store.add_approval_request(
@@ -1290,7 +1342,7 @@ class TestGuardApprovals:
             request = urllib.request.Request(
                 f"http://127.0.0.1:{daemon.port}/approvals/missing/decision",
                 data=b"{not-json",
-                headers={"Content-Type": "application/json"},
+                headers=_guard_json_headers(daemon._server.auth_token),
                 method="POST",
             )
             try:
@@ -1374,6 +1426,78 @@ class TestGuardApprovals:
         assert status == 403
         assert payload["error"] == "forbidden_origin"
+    def test_guard_daemon_rejects_cross_origin_options_requests(self, tmp_path):
+        store = GuardStore(tmp_path / "guard-home")
+        daemon = GuardDaemonServer(store, host="127.0.0.1", port=0)
+        daemon.start()
+        try:
+            request = urllib.request.Request(
+                f"http://127.0.0.1:{daemon.port}/v1/requests/missing/approve",
+                headers={"Origin": "https://evil.example"},
+                method="OPTIONS",
+            )
+            try:
+                urllib.request.urlopen(request, timeout=5)
+            except urllib.error.HTTPError as error:
+                status = error.code
+            else:
+                raise AssertionError("expected HTTPError for disallowed preflight origin")
+        finally:
+            daemon.stop()
+        assert status == 403
+    def test_guard_daemon_allows_local_options_requests_with_guard_headers(self, tmp_path):
+        store = GuardStore(tmp_path / "guard-home")
+        daemon = GuardDaemonServer(store, host="127.0.0.1", port=0)
+        daemon.start()
+        try:
+            request = urllib.request.Request(
+                f"http://127.0.0.1:{daemon.port}/v1/requests/missing/approve",
+                headers={"Origin": f"http://127.0.0.1:{daemon.port}"},
+                method="OPTIONS",
+            )
+            with urllib.request.urlopen(request, timeout=5) as response:
+                allow_headers = response.headers.get("Access-Control-Allow-Headers")
+                status = response.status
+        finally:
+            daemon.stop()
+        assert status == 200
+        assert allow_headers == "Content-Type, X-Guard-Token"
+    def test_guard_daemon_includes_cors_headers_on_unauthorized_local_post(self, tmp_path):
+        store = GuardStore(tmp_path / "guard-home")
+        daemon = GuardDaemonServer(store, host="127.0.0.1", port=0)
+        daemon.start()
+        try:
+            request = urllib.request.Request(
+                f"http://127.0.0.1:{daemon.port}/v1/requests/missing/approve",
+                data=json.dumps({"scope": "artifact"}).encode("utf-8"),
+                headers={
+                    "Content-Type": "application/json",
+                    "Origin": f"http://127.0.0.1:{daemon.port}",
+                },
+                method="POST",
+            )
+            try:
+                urllib.request.urlopen(request, timeout=5)
+            except urllib.error.HTTPError as error:
+                status = error.code
+                payload = json.loads(error.read().decode("utf-8"))
+                allow_origin = error.headers.get("Access-Control-Allow-Origin")
+            else:
+                raise AssertionError("expected HTTPError for missing auth token")
+        finally:
+            daemon.stop()
+        assert status == 401
+        assert payload["error"] == "unauthorized"
+        assert allow_origin == f"http://127.0.0.1:{daemon.port}"
     def test_guard_daemon_rejects_spoofed_localhost_origin_post_requests(self, tmp_path):
         store = GuardStore(tmp_path / "guard-home")
         daemon = GuardDaemonServer(store, host="127.0.0.1", port=0)