plugin-scanner 2.0.77__tar.gz → 2.0.79__tar.gz

{plugin_scanner-2.0.77 → plugin_scanner-2.0.79}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.77
+Version: 2.0.79
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.77 → plugin_scanner-2.0.79}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.77"
+version = "2.0.79"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.77 → plugin_scanner-2.0.79}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.77"
+version = "2.0.79"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.77 → plugin_scanner-2.0.79}/src/codex_plugin_scanner/guard/adapters/codex.py

@@ -5,6 +5,7 @@ from __future__ import annotations
 import hashlib
 import json
 import os
+import re
 import shlex
 import sys
 from copy import deepcopy
@@ -43,11 +44,13 @@ def _read_toml(path: Path) -> dict[str, object]:
 _MANAGED_HOOK_STATUS_MESSAGE = "HOL Guard checking tool action"
 _MANAGED_PROMPT_HOOK_STATUS_MESSAGE = "HOL Guard checking prompt"
 _MANAGED_PERMISSION_HOOK_STATUS_MESSAGE = "HOL Guard checking Codex approval request"
+_MANAGED_POST_TOOL_HOOK_STATUS_MESSAGE = "HOL Guard checking tool result"
 _LEGACY_MANAGED_HOOK_STATUS_MESSAGES = {
     "HOL Guard checking Bash command",
     _MANAGED_HOOK_STATUS_MESSAGE,
     _MANAGED_PROMPT_HOOK_STATUS_MESSAGE,
     _MANAGED_PERMISSION_HOOK_STATUS_MESSAGE,
+    _MANAGED_POST_TOOL_HOOK_STATUS_MESSAGE,
 }
 
 
@@ -113,7 +116,7 @@ def _pre_tool_hook_group(context: HarnessContext) -> dict[str, object]:
             {
                 "type": "command",
                 "command": _hook_command(context),
-                "timeoutSec": 30,
+                "timeout": 30,
                 "statusMessage": _MANAGED_HOOK_STATUS_MESSAGE,
             }
         ],
@@ -126,7 +129,7 @@ def _prompt_hook_group(context: HarnessContext) -> dict[str, object]:
             {
                 "type": "command",
                 "command": _hook_command(context),
-                "timeoutSec": 30,
+                "timeout": 30,
                 "statusMessage": _MANAGED_PROMPT_HOOK_STATUS_MESSAGE,
             }
         ],
@@ -140,18 +143,33 @@ def _permission_request_hook_group(context: HarnessContext) -> dict[str, object]
             {
                 "type": "command",
                 "command": _hook_command(context),
-                "timeoutSec": 30,
+                "timeout": 30,
                 "statusMessage": _MANAGED_PERMISSION_HOOK_STATUS_MESSAGE,
             }
         ],
     }
 
 
+def _post_tool_hook_group(context: HarnessContext) -> dict[str, object]:
+    return {
+        "matcher": "Bash",
+        "hooks": [
+            {
+                "type": "command",
+                "command": _hook_command(context),
+                "timeout": 30,
+                "statusMessage": _MANAGED_POST_TOOL_HOOK_STATUS_MESSAGE,
+            }
+        ],
+    }
+
+
 def _managed_hook_groups(context: HarnessContext) -> dict[str, dict[str, object]]:
     return {
         "PreToolUse": _pre_tool_hook_group(context),
         "PermissionRequest": _permission_request_hook_group(context),
         "UserPromptSubmit": _prompt_hook_group(context),
+        "PostToolUse": _post_tool_hook_group(context),
     }
 
 
@@ -179,14 +197,13 @@ def _is_managed_hook_command(command: object) -> bool:
     if tokens[1] != "-c":
         return False
     code = tokens[2]
-    return (
-        "codex_plugin_scanner.cli" in code
-        and "main([" in code
-        and "'guard'" in code
-        and "'hook'" in code
-        and "'--harness'" in code
-        and "'codex'" in code
+    has_guard_call = (
+        re.search(r"['\"]guard['\"]", code) is not None
+        and re.search(r"['\"]hook['\"]", code) is not None
+        and re.search(r"['\"]--harness['\"]", code) is not None
+        and re.search(r"['\"]codex['\"]", code) is not None
     )
+    return "codex_plugin_scanner.cli" in code and "main([" in code and has_guard_call
 
 
 def _argv_targets_codex(argv: list[str]) -> bool:
@@ -249,7 +266,7 @@ def _remove_hook_groups(groups: object) -> list[object]:
 def _remove_managed_hook_events(hooks: dict[str, object]) -> tuple[dict[str, object], bool]:
     updated_hooks = dict(hooks)
     changed = False
-    for event_name in ("PreToolUse", "PermissionRequest", "UserPromptSubmit"):
+    for event_name in ("PreToolUse", "PermissionRequest", "UserPromptSubmit", "PostToolUse"):
         original_groups = deepcopy(updated_hooks.get(event_name))
         remaining = _remove_hook_groups(original_groups)
         managed_removed = isinstance(original_groups, list) and remaining != original_groups
@@ -273,6 +290,7 @@ def codex_native_hook_state(context: HarnessContext) -> dict[str, object]:
     pre_tool_groups = hooks.get("PreToolUse") if isinstance(hooks, dict) else None
     permission_groups = hooks.get("PermissionRequest") if isinstance(hooks, dict) else None
     prompt_groups = hooks.get("UserPromptSubmit") if isinstance(hooks, dict) else None
+    post_tool_groups = hooks.get("PostToolUse") if isinstance(hooks, dict) else None
     pre_tool_hook_installed = isinstance(pre_tool_groups, list) and any(
         _is_managed_hook_group(group) for group in pre_tool_groups
     )
@@ -282,7 +300,12 @@ def codex_native_hook_state(context: HarnessContext) -> dict[str, object]:
     prompt_hook_installed = isinstance(prompt_groups, list) and any(
         _is_managed_hook_group(group) for group in prompt_groups
     )
-    managed_hook_installed = pre_tool_hook_installed and permission_hook_installed and prompt_hook_installed
+    post_tool_hook_installed = isinstance(post_tool_groups, list) and any(
+        _is_managed_hook_group(group) for group in post_tool_groups
+    )
+    managed_hook_installed = (
+        pre_tool_hook_installed and permission_hook_installed and prompt_hook_installed and post_tool_hook_installed
+    )
     return {
         "config_path": str(config_path),
         "config_present": config_path.is_file(),
@@ -292,6 +315,7 @@ def codex_native_hook_state(context: HarnessContext) -> dict[str, object]:
         "managed_pre_tool_hook_installed": pre_tool_hook_installed,
         "managed_permission_request_hook_installed": permission_hook_installed,
         "managed_prompt_hook_installed": prompt_hook_installed,
+        "managed_post_tool_hook_installed": post_tool_hook_installed,
         "managed_hook_installed": managed_hook_installed,
         "protection_active": isinstance(features, dict)
         and features.get("codex_hooks") is True

plugin_scanner-2.0.79/src/codex_plugin_scanner/guard/advisory_model.py

@@ -0,0 +1,150 @@
+"""Guard advisory identity helpers."""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from urllib.parse import urlsplit
+
+_PACKAGE_URL_ECOSYSTEMS = {
+    "npm": "npm",
+    "pnpm": "npm",
+    "yarn": "npm",
+    "pip": "pypi",
+    "uv": "pypi",
+    "go": "golang",
+}
+
+
+@dataclass(frozen=True, slots=True)
+class ProtectTargetIdentity:
+    """Subset of install target data advisory matching needs."""
+
+    artifact_id: str
+    artifact_name: str
+    ecosystem: str
+    package_name: str | None
+    package_url: str | None
+    source_url: str | None
+
+
+def build_package_url(ecosystem: str, package_name: str | None, version: str | None) -> str | None:
+    """Build a simple purl-style identifier for registry package installs."""
+
+    if package_name is None:
+        return None
+    purl_type = _PACKAGE_URL_ECOSYSTEMS.get(ecosystem)
+    if purl_type is None:
+        return None
+    base = f"pkg:{purl_type}/{normalize_identity_value(package_name)}"
+    if version is None or not version.strip():
+        return base
+    return f"{base}@{version.strip()}"
+
+
+def advisory_matches_target(advisory: dict[str, object], target: ProtectTargetIdentity) -> bool:
+    """Match advisories against install targets using stable identities first."""
+
+    advisory_id = advisory.get("artifact_id")
+    if isinstance(advisory_id, str) and advisory_id == target.artifact_id:
+        return True
+
+    advisory_ecosystem = advisory.get("ecosystem")
+    if isinstance(advisory_ecosystem, str) and advisory_ecosystem not in {target.ecosystem, "*"}:
+        return False
+
+    package_url = advisory.get("package_url")
+    if isinstance(package_url, str) and _package_url_matches(package_url, target.package_url):
+        return True
+
+    if _normalized_membership(advisory.get("aliases"), target.package_name, target.artifact_name):
+        return True
+
+    advisory_package = advisory.get("package") or advisory.get("name")
+    normalized_advisory_package = (
+        normalize_identity_value(advisory_package) if isinstance(advisory_package, str) else ""
+    )
+    if normalized_advisory_package != "" and normalized_advisory_package in {
+        normalize_identity_value(target.package_name),
+        normalize_identity_value(target.artifact_name),
+    }:
+        return True
+
+    publisher = advisory.get("publisher")
+    normalized_publisher = normalize_identity_value(publisher) if isinstance(publisher, str) else ""
+    if normalized_publisher != "" and normalized_publisher == normalize_identity_value(target.package_name):
+        return True
+
+    if _normalized_membership(advisory.get("publisher_identities"), target.package_name):
+        return True
+
+    if _endpoint_indicator_matches(advisory.get("endpoint_indicators"), target.source_url):
+        return True
+
+    advisory_source_url = advisory.get("source_url")
+    if not isinstance(advisory_source_url, str):
+        return False
+
+    normalized_advisory_source = _normalized_url_indicator(advisory_source_url)
+    normalized_target_source = _normalized_url_indicator(target.source_url)
+    return (
+        normalized_advisory_source != ""
+        and normalized_target_source != ""
+        and normalized_advisory_source == normalized_target_source
+    )
+
+
+def normalize_identity_value(value: str | None) -> str:
+    return value.strip().lower() if isinstance(value, str) and value.strip() else ""
+
+
+def _normalized_membership(values: object, *candidates: str | None) -> bool:
+    if not isinstance(values, list):
+        return False
+    normalized_values = {normalize_identity_value(item) for item in values if isinstance(item, str)}
+    normalized_candidates = {normalize_identity_value(candidate) for candidate in candidates if candidate is not None}
+    normalized_candidates.discard("")
+    return bool(normalized_values & normalized_candidates)
+
+
+def _package_url_matches(advisory_url: str, target_url: str | None) -> bool:
+    if target_url is None:
+        return False
+    normalized_advisory = _package_url_base(advisory_url)
+    normalized_target = _package_url_base(target_url)
+    return normalized_advisory != "" and normalized_advisory == normalized_target
+
+
+def _package_url_base(package_url: str) -> str:
+    normalized = normalize_identity_value(package_url)
+    for separator in ("?", "#"):
+        normalized = normalized.split(separator, 1)[0]
+    last_at = normalized.rfind("@")
+    if last_at == -1 or last_at < normalized.rfind("/"):
+        return normalized
+    return normalized[:last_at]
+
+
+def _endpoint_indicator_matches(values: object, source_url: str | None) -> bool:
+    if source_url is None or not isinstance(values, list):
+        return False
+    normalized_source = _normalized_url_indicator(source_url)
+    return any(
+        isinstance(item, str) and _url_indicator_matches(normalized_source, _normalized_url_indicator(item))
+        for item in values
+    )
+
+
+def _normalized_url_indicator(value: str | None) -> str:
+    if value is None:
+        return ""
+    parsed = urlsplit(value)
+    if not parsed.scheme or not parsed.netloc:
+        return normalize_identity_value(value)
+    path = parsed.path.rstrip("/")
+    return normalize_identity_value(f"{parsed.netloc}{path}")
+
+
+def _url_indicator_matches(normalized_source: str, normalized_indicator: str) -> bool:
+    if normalized_source == "" or normalized_indicator == "":
+        return False
+    return normalized_source == normalized_indicator or normalized_source.startswith(f"{normalized_indicator}/")

{plugin_scanner-2.0.77 → plugin_scanner-2.0.79}/src/codex_plugin_scanner/guard/cli/commands.py

@@ -285,6 +285,7 @@ def _configure_guard_parser(guard_parser: argparse.ArgumentParser) -> None:
     )
     _add_guard_common_args(protect_parser)
     protect_parser.add_argument("--dry-run", action="store_true")
+    protect_parser.add_argument("--unsafe-raw-output", action="store_true")
     protect_parser.add_argument("--json", action="store_true")
     protect_parser.add_argument("protect_command", nargs=argparse.REMAINDER)
 
@@ -659,6 +660,7 @@ def run_guard_command(
             workspace_dir=workspace or Path.cwd(),
             dry_run=bool(getattr(args, "dry_run", False)),
             now=_now(),
+            unsafe_raw_output=bool(getattr(args, "unsafe_raw_output", False)),
         )
         _emit("protect", payload, getattr(args, "json", False))
         return exit_code
@@ -1417,11 +1419,13 @@ def run_guard_command(
             artifact_id = runtime_artifact.artifact_id
             artifact_name = runtime_artifact.name
             policy_harness = _canonical_harness_name(args.harness)
-            stored_policy_action = store.resolve_policy(
-                policy_harness,
-                artifact_id,
-                runtime_artifact_hash,
-                str(runtime_workspace) if runtime_workspace else None,
+            stored_policy_action = _runtime_stored_policy_action(
+                store=store,
+                harness=policy_harness,
+                artifact=runtime_artifact,
+                artifact_id=artifact_id,
+                artifact_hash=runtime_artifact_hash,
+                workspace=str(runtime_workspace) if runtime_workspace else None,
             )
             if stored_policy_action is None:
                 legacy_artifact = _legacy_claude_alias_runtime_artifact(
@@ -1431,11 +1435,13 @@ def run_guard_command(
                     workspace=runtime_workspace,
                 )
                 if legacy_artifact is not None:
-                    stored_policy_action = store.resolve_policy(
-                        args.harness,
-                        legacy_artifact.artifact_id,
-                        artifact_hash(legacy_artifact),
-                        str(runtime_workspace) if runtime_workspace else None,
+                    stored_policy_action = _runtime_stored_policy_action(
+                        store=store,
+                        harness=args.harness,
+                        artifact=legacy_artifact,
+                        artifact_id=legacy_artifact.artifact_id,
+                        artifact_hash=artifact_hash(legacy_artifact),
+                        workspace=str(runtime_workspace) if runtime_workspace else None,
                     )
             policy_action = _coalesce_string(
                 getattr(args, "policy_action", None),
@@ -2769,6 +2775,37 @@ def _native_approval_center_context(response_payload: dict[str, object], *, harn
     )
 
 
+def _runtime_stored_policy_action(
+    *,
+    store: GuardStore,
+    harness: str,
+    artifact: GuardArtifact,
+    artifact_id: str,
+    artifact_hash: str,
+    workspace: str | None,
+) -> str | None:
+    decision = store.resolve_policy_decision(
+        harness,
+        artifact_id,
+        artifact_hash,
+        workspace,
+        artifact.publisher,
+    )
+    if decision is None:
+        return None
+    action = _optional_string(decision.get("action"))
+    if action is None:
+        return None
+    scope = _optional_string(decision.get("scope"))
+    if (
+        action in {"allow", "warn", "review"}
+        and scope in {"workspace", "publisher", "harness", "global"}
+        and _runtime_artifact_risk_classes(artifact)
+    ):
+        return None
+    return action
+
+
 def _runtime_artifact_policy_action(config: GuardConfig, artifact: GuardArtifact, harness: str) -> str:
     if _prompt_requires_hard_block(artifact):
         return "block"
@@ -2931,6 +2968,13 @@ def _runtime_artifact_native_reason(artifact: GuardArtifact, response_payload: d
         harness = response_payload.get("harness")
         prompt_classes = _prompt_request_classes(artifact)
         if harness == "codex" and "secret_read" in prompt_classes:
+            prompt_summary = artifact.metadata.get("prompt_summary")
+            if isinstance(prompt_summary, str) and "credential-looking local file" in prompt_summary:
+                return (
+                    "HOL Guard stopped this Codex prompt before Codex could open a credential-looking local file. "
+                    "Codex does not expose native approval prompts for Read-tool file reads, so Guard blocks this "
+                    "request at prompt time."
+                )
             return (
                 "HOL Guard stopped this Codex prompt before Codex could open a sensitive local file. Codex does not "
                 "expose native approval prompts for Read-tool file reads, so Guard blocks this request at prompt time."
@@ -3162,6 +3206,13 @@ def _emit_native_hook_response(
         if payload:
             _write_json_line(payload, output_stream=output_stream)
         return
+    if event_name == "PostToolUse" and policy_action in {"block", "sandbox-required", "require-reapproval"}:
+        payload["decision"] = "block"
+        payload["reason"] = reason
+        payload["continue"] = False
+        payload["stopReason"] = reason
+        _write_json_line(payload, output_stream=output_stream)
+        return
     permission_decision = _native_hook_permission_decision(policy_action, harness=harness)
     if harness == "codex" and event_name == "PreToolUse" and permission_decision is None:
         return
@@ -3592,6 +3643,14 @@ def _hook_runtime_artifact(
 ) -> GuardArtifact | None:
     harness = _canonical_harness_name(harness)
     event_name = _hook_event_name(payload)
+    if harness == "codex" and event_name == "PostToolUse":
+        output_artifact = _codex_post_tool_output_artifact(
+            payload=payload,
+            config_path=str(_runtime_policy_path(harness, home_dir, workspace)),
+            source_scope=_coalesce_string(payload.get("source_scope"), "project"),
+        )
+        if output_artifact is not None:
+            return output_artifact
     if event_name == "UserPromptSubmit":
         prompt_text = payload.get("prompt")
         if isinstance(prompt_text, str) and prompt_text.strip():
@@ -3617,6 +3676,13 @@ def _hook_runtime_artifact(
                 )
                 if prompt_artifacts:
                     return _merged_prompt_runtime_artifact(harness, prompt_artifacts)
+            prompt_file_artifact = _codex_prompt_credential_file_artifact(
+                prompt_text=prompt_text,
+                cwd=workspace,
+                config_path=config_path,
+            )
+            if prompt_file_artifact is not None:
+                return prompt_file_artifact
     request = extract_sensitive_file_read_request(
         payload.get("tool_name"),
         payload.get("tool_input", payload.get("arguments")),
@@ -3648,6 +3714,180 @@ def _hook_runtime_artifact(
     )
 
 
+_CODEX_SECRET_OUTPUT_PATTERN = re.compile(
+    r"(?i)(?:fake[_-]?credential|fake[_-]?secret|"
+    r"(?:api[_-]?key|auth[_-]?token|credential|npm[_-]?token|private[_-]?key|secret|token|password)\s*[:=])"
+)
+_CODEX_TOOL_RESPONSE_MAX_DEPTH = 5
+_CODEX_TOOL_RESPONSE_TEXT_LIMIT = 20000
+_CODEX_PROMPT_FILE_FINGERPRINT_LENGTH = 24
+
+
+def _codex_post_tool_output_artifact(
+    *,
+    payload: dict[str, object],
+    config_path: str,
+    source_scope: str,
+) -> GuardArtifact | None:
+    response_text = _collect_codex_tool_response_text(payload.get("tool_response"))
+    if not response_text or _CODEX_SECRET_OUTPUT_PATTERN.search(response_text) is None:
+        return None
+    tool_name = _coalesce_string(payload.get("tool_name"), "Bash")
+    tool_input = payload.get("tool_input")
+    command_text = ""
+    if isinstance(tool_input, dict):
+        command = tool_input.get("command")
+        if isinstance(command, str):
+            command_text = command.strip()
+    if not command_text:
+        command_text = tool_name
+    fingerprint = hashlib.sha256(
+        json.dumps(
+            {
+                "tool_name": tool_name,
+                "command_text": command_text,
+                "output_class": "credential-looking output",
+            },
+            sort_keys=True,
+        ).encode("utf-8")
+    ).hexdigest()
+    return GuardArtifact(
+        artifact_id=f"codex:{source_scope}:tool-output:{fingerprint}",
+        name=f"{tool_name} credential-looking output",
+        harness="codex",
+        artifact_type="tool_action_request",
+        source_scope=source_scope,
+        config_path=config_path,
+        metadata={
+            "tool_name": tool_name,
+            "command_text": command_text,
+            "action_class": "credential exfiltration shell command",
+            "request_summary": (
+                f"Codex tool `{tool_name}` produced credential-looking output while running `{command_text}`."
+            ),
+            "runtime_request_signals": ["tool output contains credential-looking material"],
+            "runtime_request_summary": (
+                "Requests a sensitive native tool action: credential-looking output reached Codex."
+            ),
+            "runtime_request_reason": (
+                "Guard inspects supported Codex tool output before Codex uses it, so accidental secret reads can be "
+                "stopped even when the filename was not obviously sensitive."
+            ),
+        },
+    )
+
+
+def _collect_codex_tool_response_text(value: object, *, depth: int = 0) -> str:
+    if depth > _CODEX_TOOL_RESPONSE_MAX_DEPTH:
+        return ""
+    if isinstance(value, str):
+        return value[:_CODEX_TOOL_RESPONSE_TEXT_LIMIT]
+    if isinstance(value, dict):
+        parts: list[str] = []
+        for key, child in value.items():
+            key_text = str(key).lower()
+            if key_text in {"stdout", "stderr", "output", "text", "content", "result", "message"} or depth > 0:
+                text = _collect_codex_tool_response_text(child, depth=depth + 1)
+                if text:
+                    parts.append(text)
+        return "\n".join(parts)[:_CODEX_TOOL_RESPONSE_TEXT_LIMIT]
+    if isinstance(value, list):
+        return "\n".join(_collect_codex_tool_response_text(item, depth=depth + 1) for item in value)[
+            :_CODEX_TOOL_RESPONSE_TEXT_LIMIT
+        ]
+    return ""
+
+
+_PROMPT_PATH_TOKEN_PATTERN = re.compile(
+    r"(?<![\w/.-])\.[A-Za-z0-9][A-Za-z0-9_.-]{0,255}|"
+    r"(?:~|\.{1,2}|/)[^\s'\"`<>|;(){}\[\]]{0,255}"
+)
+_PROMPT_FILE_READ_VERB_PATTERN = re.compile(r"\b(?:read|open|print|show|dump|cat|head|tail|less|view|display)\b", re.I)
+_PROMPT_CONTENT_SCAN_MAX_BYTES = 64 * 1024
+_PROMPT_CONTENT_SCAN_SKIP_BASENAMES = frozenset(
+    {
+        ".env",
+        ".npmrc",
+        ".pypirc",
+        ".netrc",
+        ".git-credentials",
+    }
+)
+
+
+def _codex_prompt_credential_file_artifact(
+    *,
+    prompt_text: str,
+    cwd: Path | None,
+    config_path: str,
+) -> GuardArtifact | None:
+    if _PROMPT_FILE_READ_VERB_PATTERN.search(prompt_text) is None:
+        return None
+    for match in _PROMPT_PATH_TOKEN_PATTERN.finditer(prompt_text):
+        requested_path = match.group(0)
+        path = _resolve_prompt_scan_path(requested_path, cwd=cwd)
+        if path is None or path.name in _PROMPT_CONTENT_SCAN_SKIP_BASENAMES:
+            continue
+        if not path.name.startswith("."):
+            continue
+        if not path.is_file():
+            continue
+        try:
+            with path.open("rb") as handle:
+                content = handle.read(_PROMPT_CONTENT_SCAN_MAX_BYTES).decode("utf-8", errors="ignore")
+        except OSError:
+            continue
+        if _CODEX_SECRET_OUTPUT_PATTERN.search(content) is None:
+            continue
+        normalized_path = str(path)
+        fingerprint = hashlib.sha256(
+            json.dumps(
+                {
+                    "harness": "codex",
+                    "prompt_path": normalized_path,
+                    "content_class": "credential-looking local file",
+                },
+                sort_keys=True,
+            ).encode("utf-8")
+        ).hexdigest()[:_CODEX_PROMPT_FILE_FINGERPRINT_LENGTH]
+        return GuardArtifact(
+            artifact_id=f"codex:project:prompt-file:{fingerprint}",
+            name=f"credential-looking local file {path.name}",
+            harness="codex",
+            artifact_type="prompt_request",
+            source_scope="project",
+            config_path=config_path,
+            metadata={
+                "prompt_signals": ["requested file content contains credential-looking material"],
+                "prompt_summary": "Prompt asks Codex to read a credential-looking local file.",
+                "prompt_matched_text": requested_path,
+                "prompt_request_class": "secret_read",
+                "prompt_request_classes": ["secret_read"],
+                "runtime_request_summary": "Prompt requests direct access to a credential-looking local file.",
+                "runtime_request_reason": (
+                    "Guard scanned a small local dotfile before Codex read it and found credential-looking text."
+                ),
+                "normalized_path": normalized_path,
+            },
+        )
+    return None
+
+
+def _resolve_prompt_scan_path(requested_path: str, *, cwd: Path | None) -> Path | None:
+    stripped = requested_path.strip().strip("'\"").rstrip(".,;:!?)]}")
+    if not stripped:
+        return None
+    try:
+        expanded = Path(stripped).expanduser()
+    except RuntimeError:
+        return None
+    if not expanded.is_absolute():
+        expanded = (cwd or Path.cwd()) / expanded
+    with suppress(OSError):
+        return expanded.resolve(strict=False)
+    return expanded
+
+
 def _legacy_claude_alias_runtime_artifact(
     *,
     artifact: GuardArtifact,