plugin-scanner 2.0.73__tar.gz → 2.0.75__tar.gz

{plugin_scanner-2.0.73 → plugin_scanner-2.0.75}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.73
+Version: 2.0.75
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner
@@ -22,7 +22,7 @@ Classifier: Topic :: Security
 Classifier: Topic :: Software Development :: Quality Assurance
 Requires-Python: >=3.10
 Requires-Dist: cisco-ai-skill-scanner~=2.0.9
-Requires-Dist: cryptography>=46.0.0
+Requires-Dist: cryptography>=47.0.0
 Requires-Dist: rich>=13.0
 Requires-Dist: tomli>=2.0; python_version < '3.11'
 Provides-Extra: cisco

{plugin_scanner-2.0.73 → plugin_scanner-2.0.75}/docker-requirements.txt

@@ -366,56 +366,56 @@ confusable-homoglyphs==3.3.1 \
     --hash=sha256:84c92cb79dc7f55aa290d0762b2349abd8dee4c16fbe6f99eac978d394e2e6a1 \
     --hash=sha256:b995001c9b2e1b4cea0cf5f3840a7c79188a8cbbad053d693572bd8c1c1ec460
     # via cisco-ai-skill-scanner
-cryptography==46.0.6 \
-    --hash=sha256:02fad249cb0e090b574e30b276a3da6a149e04ee2f049725b1f69e7b8351ec70 \
-    --hash=sha256:063b67749f338ca9c5a0b7fe438a52c25f9526b851e24e6c9310e7195aad3b4d \
-    --hash=sha256:12cae594e9473bca1a7aceb90536060643128bb274fcea0fc459ab90f7d1ae7a \
-    --hash=sha256:12f0fa16cc247b13c43d56d7b35287ff1569b5b1f4c5e87e92cc4fcc00cd10c0 \
-    --hash=sha256:22259338084d6ae497a19bae5d4c66b7ca1387d3264d1c2c0e72d9e9b6a77b97 \
-    --hash=sha256:26031f1e5ca62fcb9d1fcb34b2b60b390d1aacaa15dc8b895a9ed00968b97b30 \
-    --hash=sha256:27550628a518c5c6c903d84f637fbecf287f6cb9ced3804838a1295dc1fd0759 \
-    --hash=sha256:2b417edbe8877cda9022dde3a008e2deb50be9c407eef034aeeb3a8b11d9db3c \
-    --hash=sha256:2ea0f37e9a9cf0df2952893ad145fd9627d326a59daec9b0802480fa3bcd2ead \
-    --hash=sha256:2ef9e69886cbb137c2aef9772c2e7138dc581fad4fcbcf13cc181eb5a3ab6275 \
-    --hash=sha256:341359d6c9e68834e204ceaf25936dffeafea3829ab80e9503860dcc4f4dac58 \
-    --hash=sha256:380343e0653b1c9d7e1f55b52aaa2dbb2fdf2730088d48c43ca1c7c0abb7cc2f \
-    --hash=sha256:3c21d92ed15e9cfc6eb64c1f5a0326db22ca9c2566ca46d845119b45b4400361 \
-    --hash=sha256:3dfa6567f2e9e4c5dceb8ccb5a708158a2a871052fa75c8b78cb0977063f1507 \
-    --hash=sha256:456b3215172aeefb9284550b162801d62f5f264a081049a3e94307fe20792cfa \
-    --hash=sha256:4668298aef7cddeaf5c6ecc244c2302a2b8e40f384255505c22875eebb47888b \
-    --hash=sha256:50575a76e2951fe7dbd1f56d181f8c5ceeeb075e9ff88e7ad997d2f42af06e7b \
-    --hash=sha256:639301950939d844a9e1c4464d7e07f902fe9a7f6b215bb0d4f28584729935d8 \
-    --hash=sha256:64235194bad039a10bb6d2d930ab3323baaec67e2ce36215fd0952fad0930ca8 \
-    --hash=sha256:6617f67b1606dfd9fe4dbfa354a9508d4a6d37afe30306fe6c101b7ce3274b72 \
-    --hash=sha256:67177e8a9f421aa2d3a170c3e56eca4e0128883cf52a071a7cbf53297f18b175 \
-    --hash=sha256:6728c49e3b2c180ef26f8e9f0a883a2c585638db64cf265b49c9ba10652d430e \
-    --hash=sha256:6739d56300662c468fddb0e5e291f9b4d084bead381667b9e654c7dd81705124 \
-    --hash=sha256:69cf0056d6947edc6e6760e5f17afe4bea06b56a9ac8a06de9d2bd6b532d4f3a \
-    --hash=sha256:760997a4b950ff00d418398ad73fbc91aa2894b5c1db7ccb45b4f68b42a63b3c \
-    --hash=sha256:79e865c642cfc5c0b3eb12af83c35c5aeff4fa5c672dc28c43721c2c9fdd2f0f \
-    --hash=sha256:7e6142674f2a9291463e5e150090b95a8519b2fb6e6aaec8917dd8d094ce750d \
-    --hash=sha256:7f417f034f91dcec1cb6c5c35b07cdbb2ef262557f701b4ecd803ee8cefed4f4 \
-    --hash=sha256:7f6690b6c55e9c5332c0b59b9c8a3fb232ebf059094c17f9019a51e9827df91c \
-    --hash=sha256:8927ccfbe967c7df312ade694f987e7e9e22b2425976ddbf28271d7e58845290 \
-    --hash=sha256:8ce35b77aaf02f3b59c90b2c8a05c73bac12cea5b4e8f3fbece1f5fddea5f0ca \
-    --hash=sha256:8e7304c4f4e9490e11efe56af6713983460ee0780f16c63f219984dab3af9d2d \
-    --hash=sha256:90e5f0a7b3be5f40c3a0a0eafb32c681d8d2c181fc2a1bdabe9b3f611d9f6b1a \
-    --hash=sha256:97c8115b27e19e592a05c45d0dd89c57f81f841cc9880e353e0d3bf25b2139ed \
-    --hash=sha256:9a693028b9cbe51b5a1136232ee8f2bc242e4e19d456ded3fa7c86e43c713b4a \
-    --hash=sha256:9a9c42a2723999a710445bc0d974e345c32adfd8d2fac6d8a251fa829ad31cfb \
-    --hash=sha256:a3e84d5ec9ba01f8fd03802b2147ba77f0c8f2617b2aff254cedd551844209c8 \
-    --hash=sha256:aad75154a7ac9039936d50cf431719a2f8d4ed3d3c277ac03f3339ded1a5e707 \
-    --hash=sha256:b12c6b1e1651e42ab5de8b1e00dc3b6354fdfd778e7fa60541ddacc27cd21410 \
-    --hash=sha256:b928a3ca837c77a10e81a814a693f2295200adb3352395fad024559b7be7a736 \
-    --hash=sha256:bcb87663e1f7b075e48c3be3ecb5f0b46c8fc50b50a97cf264e7f60242dca3f2 \
-    --hash=sha256:c797e2517cb7880f8297e2c0f43bb910e91381339336f75d2c1c2cbf811b70b4 \
-    --hash=sha256:c89eb37fae9216985d8734c1afd172ba4927f5a05cfd9bf0e4863c6d5465b013 \
-    --hash=sha256:cdcd3edcbc5d55757e5f5f3d330dd00007ae463a7e7aa5bf132d1f22a4b62b19 \
-    --hash=sha256:d24c13369e856b94892a89ddf70b332e0b70ad4a5c43cf3e9cb71d6d7ffa1f7b \
-    --hash=sha256:d4e4aadb7fc1f88687f47ca20bb7227981b03afaae69287029da08096853b738 \
-    --hash=sha256:d9528b535a6c4f8ff37847144b8986a9a143585f0540fbcb1a98115b543aa463 \
-    --hash=sha256:ed3775295fb91f70b4027aeba878d79b3e55c0b3e97eaa4de71f8f23a9f2eb77 \
-    --hash=sha256:ed418c37d095aeddf5336898a132fba01091f0ac5844e3e8018506f014b6d2c4
+cryptography==47.0.0 \
+    --hash=sha256:0024b87d47ae2399165a6bfb20d24888881eeab83ae2566d62467c5ff0030ce7 \
+    --hash=sha256:07efe86201817e7d3c18781ca9770bc0db04e1e48c994be384e4602bc38f8f27 \
+    --hash=sha256:09f6d7bf6724f8db8b32f11eccf23efc8e759924bc5603800335cf8859a3ddbd \
+    --hash=sha256:11438c7518132d95f354fa01a4aa2f806d172a061a7bed18cf18cbdacdb204d7 \
+    --hash=sha256:11dbb9f50a0f1bb9757b3d8c27c1101780efb8f0bdecfb12439c22a74d64c001 \
+    --hash=sha256:14432c8a9bcb37009784f9594a62fae211a2ae9543e96c92b2a8e4c3cd5cd0c4 \
+    --hash=sha256:1581aef4219f7ca2849d0250edaa3866212fb74bf5667284f46aa92f9e65c1ca \
+    --hash=sha256:160ad728f128972d362e714054f6ba0067cab7fb350c5202a9ae8ae4ce3ef1a0 \
+    --hash=sha256:1a405c08857258c11016777e11c02bacbe7ef596faf259305d282272a3a05cbe \
+    --hash=sha256:1e47422b5557bb82d3fff997e8d92cff4e28b9789576984f08c248d2b3535d93 \
+    --hash=sha256:20fdbe3e38fb67c385d233c89371fa27f9909f6ebca1cecc20c13518dae65475 \
+    --hash=sha256:2207a498b03275d0051589e326b79d4cf59985c99031b05bb292ac52631c37fe \
+    --hash=sha256:256d07c78a04d6b276f5df935a9923275f53bd1522f214447fdf365494e2d515 \
+    --hash=sha256:2b45761c6ec22b7c726d6a829558777e32d0f1c8be7c3f3480f9c912d5ee8a10 \
+    --hash=sha256:2ebd84adf0728c039a3be2700289378e1c164afc6748df1a5ed456767bef9ba7 \
+    --hash=sha256:34b4358b925a5ea3e14384ca781a2c0ef7ac219b57bb9eacc4457078e2b19f92 \
+    --hash=sha256:3fb8fa48075fad7193f2e5496135c6a76ac4b2aa5a38433df0a539296b377829 \
+    --hash=sha256:4e1de79e047e25d6e9f8cea71c86b4a53aced64134f0f003bbcbf3655fd172c8 \
+    --hash=sha256:4f7722c97826770bab8ae92959a2e7b20a5e9e9bf4deae68fd86c3ca457bab52 \
+    --hash=sha256:51c9313e90bd1690ec5a75ed047c27c0b8e6c570029712943d6116ef9a90620b \
+    --hash=sha256:5d0e362ff51041b0c0d219cc7d6924d7b8996f57ce5712bdcef71eb3c65a59cc \
+    --hash=sha256:6651d32eff255423503aa276739da98c30f26c40cbeffcc6048e0d54ef704c0c \
+    --hash=sha256:6eebcaf0df1d21ce1f90605c9b432dd2c4f4ab665ac29a40d5e3fc68f51b5e63 \
+    --hash=sha256:6f29f36582e6151d9686235e586dd35bb67491f024767d10b842e520dc6a07ac \
+    --hash=sha256:7a02675e2fabd0c0fc04c868b8781863cbf1967691543c22f5470500ff840b31 \
+    --hash=sha256:7f1207974a904e005f762869996cf620e9bf79ecb4622f148550bb48e0eb35a7 \
+    --hash=sha256:7f68d6fbc7fbbcfb0939fea72c3b96a9f9a6edfc0e1b1d29778a2066030418b1 \
+    --hash=sha256:7fda2f02c9015db3f42bb8a22324a454516ed10a8c29ca6ece6cdbb5efe2a203 \
+    --hash=sha256:80887c5cbd1774683cb126f0ab4184567f080071d5acf62205acb354b4b753b7 \
+    --hash=sha256:835d2d7f47cdc53b3224e90810fb1d36ca94ea29cc1801fb4c1bc43876735769 \
+    --hash=sha256:8c1a736bbb3288005796c3f7ccb9453360d7fed483b13b9f468aea5171432923 \
+    --hash=sha256:9af828c0d5a65c70ec729cd7495a4bf1a67ecb66417b8f02ff125ab8a6326a74 \
+    --hash=sha256:9c59ab0e0fa3a180a5a9c59f3a5abe3ef90d474bc56d7fadfbe80359491b615b \
+    --hash=sha256:9f8e55fe4e63613a5e1cc5819030f27b97742d720203a087802ce4ce9ceb52bb \
+    --hash=sha256:9fe6b7c64926c765f9dff301f9c1b867febcda5768868ca084e18589113732ab \
+    --hash=sha256:a49a3eb5341b9503fa3000a9a0db033161db90d47285291f53c2a9d2cd1b7f76 \
+    --hash=sha256:a9b761f012a943b7de0e828843c5688d0de94a0578d44d6c85a1bae32f87791f \
+    --hash=sha256:b1c76fca783aa7698eb21eb14f9c4aa09452248ee54a627d125025a43f83e7a7 \
+    --hash=sha256:b9a8943e359b7615db1a3ba587994618e094ff3d6fa5a390c73d079ce18b3973 \
+    --hash=sha256:be12cb6a204f77ed968bcefe68086eb061695b540a3dd05edac507a3111b25f0 \
+    --hash=sha256:cffbba3392df0fa8629bb7f43454ee2925059ee158e23c54620b9063912b86c8 \
+    --hash=sha256:ed67ea4e0cfb5faa5bc7ecb6e2b8838f3807a03758eec239d6c21c8769355310 \
+    --hash=sha256:edd4da498015da5b9f26d38d3bfc2e90257bfa9cbed1f6767c282a0025ae649b \
+    --hash=sha256:ef6b3634087f18d2155b1e8ce264e5345a753da2c5fa9815e7d41315c90f8318 \
+    --hash=sha256:f1557695e5c2b86e204f6ce9470497848634100787935ab7adc5397c54abd7ab \
+    --hash=sha256:f5c15764f261394b22aef6b00252f5195f46f2ca300bec57149474e2538b31f8 \
+    --hash=sha256:f5c3296dab66202f1b18a91fa266be93d6aa0c2806ea3d67762c69f60adc71aa \
+    --hash=sha256:f7db373287273d8af1414cf95dc4118b13ffdc62be521997b0f2b270771fef50 \
+    --hash=sha256:f9a034b642b960767fb343766ae5ba6ad653f2e890ddd82955aef288ffea8736
     # via
     #   hol-guard
     #   msoffcrypto-tool

{plugin_scanner-2.0.73 → plugin_scanner-2.0.75}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.73"
+version = "2.0.75"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"
@@ -28,7 +28,7 @@ classifiers = [
 ]
 dependencies = [
     "rich>=13.0",
-    "cryptography>=46.0.0",
+    "cryptography>=47.0.0",
     "tomli>=2.0; python_version < '3.11'",
     "cisco-ai-skill-scanner~=2.0.9",
 ]

{plugin_scanner-2.0.73 → plugin_scanner-2.0.75}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.73"
+version = "2.0.75"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"
@@ -28,7 +28,7 @@ classifiers = [
 ]
 dependencies = [
     "rich>=13.0",
-    "cryptography>=46.0.0",
+    "cryptography>=47.0.0",
     "tomli>=2.0; python_version < '3.11'",
     "cisco-ai-skill-scanner~=2.0.9",
 ]

{plugin_scanner-2.0.73 → plugin_scanner-2.0.75}/src/codex_plugin_scanner/guard/cli/commands.py

@@ -112,6 +112,7 @@ _GUARD_HELP_GROUPS = (
     "Everyday protection:\n"
     "  start        First-run setup and the Guard operating loop\n"
     "  status       Current local protection state and next actions\n"
+    "  dashboard    Open the local Guard dashboard in your browser\n"
     "  run          Enforce Guard before a harness launch\n"
     "  approvals    Resolve the current request queue\n"
     "  receipts     Review recent local decisions\n"
@@ -204,7 +205,7 @@ def _configure_guard_parser(guard_parser: argparse.ArgumentParser) -> None:
         required=True,
         parser_class=FriendlyArgumentParser,
         metavar=(
-            "{start,status,bootstrap,detect,install,update,uninstall,run,protect,preflight,scan,diff,receipts,inventory,abom,"
+            "{start,status,dashboard,bootstrap,detect,install,update,uninstall,run,protect,preflight,scan,diff,receipts,inventory,abom,"
             "approvals,explain,allow,deny,policies,exceptions,advisories,events,doctor,connect,login,sync,device,bridge}"
         ),
     )
@@ -217,6 +218,17 @@ def _configure_guard_parser(guard_parser: argparse.ArgumentParser) -> None:
     _add_guard_common_args(status_parser)
     status_parser.add_argument("--json", action="store_true")
 
+    dashboard_parser = guard_subparsers.add_parser(
+        "dashboard",
+        help="Open the local Guard dashboard in your browser",
+    )
+    _add_guard_common_args(dashboard_parser)
+    dashboard_parser.add_argument("--json", action="store_true")
+
+    admin_parser = guard_subparsers.add_parser("admin", help=argparse.SUPPRESS)
+    _add_guard_common_args(admin_parser)
+    admin_parser.add_argument("--json", action="store_true")
+
     bootstrap_parser = guard_subparsers.add_parser(
         "bootstrap",
         help="Detect a harness, start the approval center, and install Guard for the best local target",
@@ -513,6 +525,7 @@ def _configure_guard_parser(guard_parser: argparse.ArgumentParser) -> None:
     hermes_mcp_proxy_parser.add_argument("--server", required=True)
     hermes_mcp_proxy_parser.add_argument("--stdio", action="store_true")
     hidden_commands = {
+        "admin",
         "hook",
         "daemon",
         "codex-mcp-proxy",
@@ -660,6 +673,43 @@ def run_guard_command(
         _emit("status", payload, getattr(args, "json", False))
         return 0
 
+    if args.guard_command in {"dashboard", "admin"}:
+        try:
+            approval_center_url = ensure_guard_daemon(guard_home)
+        except RuntimeError as error:
+            if getattr(args, "json", False):
+                _emit(
+                    "dashboard",
+                    {
+                        "generated_at": _now(),
+                        "opened": False,
+                        "error": str(error),
+                    },
+                    True,
+                )
+            else:
+                print(str(error), file=sys.stderr)
+            return 1
+        open_result = _open_approval_center(
+            approval_center_url,
+            store=store,
+            config=config,
+            open_key="dashboard",
+            force_open=True,
+        )
+        _emit(
+            "dashboard",
+            {
+                "generated_at": _now(),
+                "approval_center_url": approval_center_url,
+                "browser_url": open_result.get("browser_url"),
+                "opened": bool(open_result.get("opened")),
+                "reason": str(open_result.get("reason") or "unknown"),
+            },
+            getattr(args, "json", False),
+        )
+        return 0
+
     if args.guard_command == "bootstrap":
         try:
             payload = build_guard_bootstrap_payload(
@@ -3278,17 +3328,28 @@ def _headless_approval_resolver(
     return resolve
 
 
-def _open_approval_center(approval_center_url: str, *, store: GuardStore, config, open_key: str | None = None) -> None:
+def _open_approval_center(
+    approval_center_url: str,
+    *,
+    store: GuardStore,
+    config: GuardConfig,
+    open_key: str | None = None,
+    force_open: bool = False,
+) -> dict[str, object]:
     surface_runtime = GuardSurfaceRuntime(store)
     auth_token = load_guard_daemon_auth_token(store.guard_home)
-    surface_runtime.ensure_surface(
+    browser_url = _approval_center_browser_url(approval_center_url, auth_token)
+    open_result = surface_runtime.ensure_surface(
         surface="approval-center",
         approval_center_url=approval_center_url,
-        browser_url=_approval_center_browser_url(approval_center_url, auth_token),
+        browser_url=browser_url,
         approval_surface_policy=config.approval_surface_policy,
         open_key=open_key or approval_center_url,
+        force_open=force_open,
         opener=webbrowser.open,
     )
+    open_result["browser_url"] = _public_approval_center_url(browser_url) or approval_center_url
+    return open_result
 
 
 def _approval_center_browser_url(approval_center_url: str, auth_token: str | None) -> str | None:
@@ -3304,6 +3365,18 @@ def _approval_center_browser_url(approval_center_url: str, auth_token: str | Non
     return urllib.parse.urlunparse(parsed._replace(fragment=urllib.parse.urlencode(fragment_pairs)))
 
 
+def _public_approval_center_url(browser_url: str | None) -> str | None:
+    if browser_url is None:
+        return None
+    parsed = urllib.parse.urlparse(browser_url)
+    fragment_pairs = [
+        (key, value)
+        for key, value in urllib.parse.parse_qsl(parsed.fragment, keep_blank_values=True)
+        if key != "guard-token"
+    ]
+    return urllib.parse.urlunparse(parsed._replace(fragment=urllib.parse.urlencode(fragment_pairs)))
+
+
 def _approval_surface_policy_for_flow(config_policy: str, approval_flow: dict[str, object]) -> str:
     if approval_flow.get("tier") != "approval-center":
         return "notify-only"

{plugin_scanner-2.0.73 → plugin_scanner-2.0.75}/src/codex_plugin_scanner/guard/cli/render.py

@@ -654,6 +654,14 @@ def _render_connect(console: Console, payload: dict[str, object]) -> None:
     console.print(_build_steps_panel(_coerce_dict_list(payload.get("next_steps"))))
 
 
+def _render_dashboard(console: Console, payload: dict[str, object]) -> None:
+    body = Table.grid(padding=(0, 1))
+    body.add_row("Dashboard", str(payload.get("approval_center_url") or "unknown"))
+    if payload.get("opened") is not None:
+        body.add_row("Browser opened", _bool_label(bool(payload.get("opened"))))
+    console.print(Panel(body, title="HOL Guard dashboard", border_style="cyan"))
+
+
 def _render_sync(console: Console, payload: dict[str, object]) -> None:
     body = Table.grid(padding=(0, 1))
     body.add_row("Synced at", str(payload.get("synced_at") or "unknown"))
@@ -1615,6 +1623,7 @@ _RENDERERS: dict[str, Any] = {
     "approvals": _render_approvals,
     "start": _render_start,
     "status": _render_status,
+    "dashboard": _render_dashboard,
     "connect": _render_connect,
     "bootstrap": _render_bootstrap,
     "detect": _render_detect,

{plugin_scanner-2.0.73 → plugin_scanner-2.0.75}/src/codex_plugin_scanner/guard/runtime/surface_server.py

@@ -332,10 +332,15 @@ class GuardSurfaceRuntime:
         approval_surface_policy: str,
         open_key: str,
         opener: Callable[[str], object],
+        force_open: bool = False,
     ) -> dict[str, object]:
-        if approval_surface_policy in {"notify-only", "never-auto-open"}:
+        if approval_surface_policy in {"notify-only", "never-auto-open"} and not force_open:
             return {"surface": surface, "opened": False, "reason": "policy-disabled", "open_key": open_key}
-        if approval_surface_policy == "auto-open-once" and self.has_surface_opened(surface, open_key):
+        if (
+            approval_surface_policy == "auto-open-once"
+            and not force_open
+            and self.has_surface_opened(surface, open_key)
+        ):
             return {"surface": surface, "opened": False, "reason": "already-opened", "open_key": open_key}
         if self.has_live_surface(surface):
             return {"surface": surface, "opened": False, "reason": "live-client", "open_key": open_key}

{plugin_scanner-2.0.73 → plugin_scanner-2.0.75}/src/codex_plugin_scanner/version.py

@@ -1,3 +1,3 @@
 """Single source of truth for tool version."""
 
-__version__ = "2.0.73"
+__version__ = "2.0.75"

{plugin_scanner-2.0.73 → plugin_scanner-2.0.75}/tests/test_guard_cli.py

@@ -6048,6 +6048,100 @@ url = http://127.0.0.1:8787/guard-canary
         assert connect_output["reason"] == "Guard sync requires a Pro or Team plan."
         assert connect_output["sync_message"] == "Guard sync requires a Pro or Team plan."
 
+    def test_guard_dashboard_opens_local_approval_center(self, tmp_path, capsys, monkeypatch):
+        home_dir = tmp_path / "home"
+        opened_urls: list[str] = []
+        open_keys: list[str | None] = []
+        force_open_flags: list[bool] = []
+
+        monkeypatch.setattr(
+            guard_commands_module,
+            "ensure_guard_daemon",
+            lambda guard_home: "http://127.0.0.1:5474",
+        )
+        monkeypatch.setattr(
+            guard_commands_module,
+            "_open_approval_center",
+            lambda approval_center_url, *, store, config, open_key=None, force_open=False: (
+                opened_urls.append(approval_center_url),
+                open_keys.append(open_key),
+                force_open_flags.append(force_open),
+                {"opened": True, "reason": "opened", "browser_url": approval_center_url},
+            )[-1],
+        )
+
+        rc = main(["guard", "dashboard", "--home", str(home_dir), "--json"])
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc == 0
+        assert opened_urls == ["http://127.0.0.1:5474"]
+        assert open_keys == ["dashboard"]
+        assert force_open_flags == [True]
+        assert output["approval_center_url"] == "http://127.0.0.1:5474"
+        assert output["browser_url"] == "http://127.0.0.1:5474"
+        assert output["opened"] is True
+        assert output["reason"] == "opened"
+
+    def test_guard_admin_alias_opens_local_approval_center(self, tmp_path, capsys, monkeypatch):
+        home_dir = tmp_path / "home"
+        opened_urls: list[str] = []
+        open_keys: list[str | None] = []
+        force_open_flags: list[bool] = []
+
+        monkeypatch.setattr(
+            guard_commands_module,
+            "ensure_guard_daemon",
+            lambda guard_home: "http://127.0.0.1:5474",
+        )
+        monkeypatch.setattr(
+            guard_commands_module,
+            "_open_approval_center",
+            lambda approval_center_url, *, store, config, open_key=None, force_open=False: (
+                opened_urls.append(approval_center_url),
+                open_keys.append(open_key),
+                force_open_flags.append(force_open),
+                {"opened": False, "reason": "policy-disabled", "browser_url": approval_center_url},
+            )[-1],
+        )
+
+        rc = main(["guard", "admin", "--home", str(home_dir), "--json"])
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc == 0
+        assert opened_urls == ["http://127.0.0.1:5474"]
+        assert open_keys == ["dashboard"]
+        assert force_open_flags == [True]
+        assert output["approval_center_url"] == "http://127.0.0.1:5474"
+        assert output["browser_url"] == "http://127.0.0.1:5474"
+        assert output["opened"] is False
+        assert output["reason"] == "policy-disabled"
+
+    def test_guard_dashboard_returns_error_when_daemon_start_fails(self, tmp_path, capsys, monkeypatch):
+        home_dir = tmp_path / "home"
+
+        monkeypatch.setattr(
+            guard_commands_module,
+            "ensure_guard_daemon",
+            lambda guard_home: (_ for _ in ()).throw(RuntimeError("dashboard_unavailable")),
+        )
+
+        rc = main(["guard", "dashboard", "--home", str(home_dir), "--json"])
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc == 1
+        assert output["opened"] is False
+        assert output["error"] == "dashboard_unavailable"
+
+    def test_public_approval_center_url_strips_guard_token(self):
+        browser_url = guard_commands_module._approval_center_browser_url(
+            "http://127.0.0.1:5474#section=inbox",
+            "secret-token",
+        )
+
+        assert browser_url is not None
+        assert "guard-token=secret-token" in browser_url
+        assert "guard-token=" not in guard_commands_module._public_approval_center_url(browser_url)
+
     def test_guard_connect_pending_output_uses_product_copy_for_sign_in_gap(self, capsys):
         emit_guard_payload(
             "connect",

{plugin_scanner-2.0.73 → plugin_scanner-2.0.75}/tests/test_guard_surface_server.py

@@ -1620,3 +1620,46 @@ class TestGuardSurfaceServer:
         assert operation["operation_type"] == "run"
         assert approval["request_ids"] == ["req-1", "req-2"]
         assert resumed["status"] == "completed"
+
+    def test_guard_surface_runtime_force_open_bypasses_auto_open_once(self, tmp_path) -> None:
+        store = GuardStore(tmp_path / "guard-home")
+        runtime = GuardSurfaceRuntime(store)
+        opened_urls: list[str] = []
+
+        first_result = runtime.ensure_surface(
+            surface="approval-center",
+            approval_center_url="http://127.0.0.1:5474",
+            approval_surface_policy="auto-open-once",
+            open_key="dashboard",
+            opener=lambda url: opened_urls.append(url) or True,
+        )
+        second_result = runtime.ensure_surface(
+            surface="approval-center",
+            approval_center_url="http://127.0.0.1:5474",
+            approval_surface_policy="auto-open-once",
+            open_key="dashboard",
+            force_open=True,
+            opener=lambda url: opened_urls.append(url) or True,
+        )
+
+        assert first_result["opened"] is True
+        assert second_result["opened"] is True
+        assert opened_urls == ["http://127.0.0.1:5474", "http://127.0.0.1:5474"]
+
+    def test_guard_surface_runtime_force_open_overrides_disabled_policy(self, tmp_path) -> None:
+        store = GuardStore(tmp_path / "guard-home")
+        runtime = GuardSurfaceRuntime(store)
+        opened_urls: list[str] = []
+
+        result = runtime.ensure_surface(
+            surface="approval-center",
+            approval_center_url="http://127.0.0.1:5474",
+            approval_surface_policy="never-auto-open",
+            open_key="dashboard",
+            force_open=True,
+            opener=lambda url: opened_urls.append(url) or True,
+        )
+
+        assert result["opened"] is True
+        assert result["reason"] == "opened"
+        assert opened_urls == ["http://127.0.0.1:5474"]