plugin-scanner 2.0.82__tar.gz → 2.0.84__tar.gz

{plugin_scanner-2.0.82 → plugin_scanner-2.0.84}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.82
+Version: 2.0.84
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.82 → plugin_scanner-2.0.84}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.82"
+version = "2.0.84"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.82 → plugin_scanner-2.0.84}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.82"
+version = "2.0.84"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.82 → plugin_scanner-2.0.84}/src/codex_plugin_scanner/guard/cli/commands.py

@@ -3816,7 +3816,13 @@ _CODEX_SEARCH_OPTION_VALUE_FLAGS = frozenset(
 _CODEX_SEARCH_OPTION_VALUE_FLAGS_BY_EXECUTABLE = {
     "rg": frozenset({"-T"}),
 }
-_CODEX_SEARCH_UNSAFE_FLAGS = frozenset({"--pre"})
+_CODEX_SEARCH_UNSAFE_FLAGS = frozenset({"--dereference-recursive", "--follow", "--pre"})
+_CODEX_SEARCH_UNSAFE_SHORT_FLAGS_BY_EXECUTABLE = {
+    "egrep": frozenset({"R"}),
+    "fgrep": frozenset({"R"}),
+    "grep": frozenset({"R"}),
+    "rg": frozenset({"L"}),
+}
 _CODEX_GIT_GLOBAL_VALUE_FLAGS = frozenset(
     {"-c", "--config-env", "--exec-path", "--git-dir", "--work-tree", "--namespace"}
 )
@@ -3988,6 +3994,7 @@ def _codex_search_targets_are_source_like(args: list[str], *, cwd: Path | None,
     positional: list[str] = []
     skip_next = False
     pattern_from_option = False
+    after_option_terminator = False
     option_value_flags = _CODEX_SEARCH_OPTION_VALUE_FLAGS | _CODEX_SEARCH_OPTION_VALUE_FLAGS_BY_EXECUTABLE.get(
         executable, frozenset()
     )
@@ -3995,7 +4002,13 @@ def _codex_search_targets_are_source_like(args: list[str], *, cwd: Path | None,
         if skip_next:
             skip_next = False
             continue
-        if arg in _CODEX_SEARCH_UNSAFE_FLAGS or any(arg.startswith(f"{flag}=") for flag in _CODEX_SEARCH_UNSAFE_FLAGS):
+        if after_option_terminator:
+            positional.append(arg)
+            continue
+        if arg == "--":
+            after_option_terminator = True
+            continue
+        if _codex_search_arg_is_unsafe(arg, executable=executable, option_value_flags=option_value_flags):
             return False
         if arg in _CODEX_SEARCH_PATTERN_VALUE_FLAGS:
             pattern_from_option = True
@@ -4012,8 +4025,6 @@ def _codex_search_targets_are_source_like(args: list[str], *, cwd: Path | None,
             continue
         if any(arg.startswith(f"{flag}=") for flag in option_value_flags):
             continue
-        if arg == "--":
-            continue
         if arg.startswith("-"):
             continue
         positional.append(arg)
@@ -4026,6 +4037,22 @@ def _codex_search_targets_are_source_like(args: list[str], *, cwd: Path | None,
     return bool(targets) and all(_codex_search_target_is_source_like(target, cwd=cwd) for target in targets)
 
 
+def _codex_search_arg_is_unsafe(arg: str, *, executable: str, option_value_flags: frozenset[str]) -> bool:
+    if arg in _CODEX_SEARCH_UNSAFE_FLAGS:
+        return True
+    if any(arg.startswith(f"{flag}=") for flag in _CODEX_SEARCH_UNSAFE_FLAGS):
+        return True
+    if not arg.startswith("-") or arg.startswith("--"):
+        return False
+    unsafe_short_flags = _CODEX_SEARCH_UNSAFE_SHORT_FLAGS_BY_EXECUTABLE.get(executable, frozenset())
+    for flag in arg[1:]:
+        if flag in unsafe_short_flags:
+            return True
+        if f"-{flag}" in option_value_flags:
+            return False
+    return False
+
+
 def _codex_search_target_is_source_like(target: str, *, cwd: Path | None) -> bool:
     stripped = target.strip().strip("'\"")
     if not stripped:
@@ -4118,6 +4145,17 @@ _PROMPT_CONTENT_SCAN_SKIP_BASENAMES = frozenset(
         ".git-credentials",
     }
 )
+_PROMPT_CONTENT_SCAN_SECRET_BASENAME_MARKERS = frozenset(
+    {
+        "auth",
+        "credential",
+        "env",
+        "key",
+        "pass",
+        "secret",
+        "token",
+    }
+)
 
 
 def _codex_prompt_credential_file_artifact(
@@ -4135,6 +4173,8 @@ def _codex_prompt_credential_file_artifact(
             continue
         if not path.name.startswith("."):
             continue
+        if not _prompt_path_looks_secret_bearing(path):
+            continue
         if not path.is_file():
             continue
         try:
@@ -4181,6 +4221,11 @@ def _codex_prompt_credential_file_artifact(
     return None
 
 
+def _prompt_path_looks_secret_bearing(path: Path) -> bool:
+    lowered_name = path.name.lower()
+    return any(marker in lowered_name for marker in _PROMPT_CONTENT_SCAN_SECRET_BASENAME_MARKERS)
+
+
 def _with_codex_prompt_display_metadata(artifact: GuardArtifact, *, prompt_text: str) -> GuardArtifact:
     matched_text = artifact.metadata.get("prompt_matched_text")
     display = _codex_prompt_display_text(

{plugin_scanner-2.0.82 → plugin_scanner-2.0.84}/src/codex_plugin_scanner/integrations/cisco_mcp_scanner.py

@@ -47,6 +47,13 @@ class CiscoMcpScanSummary:
     scan_mode: str = "static"
 
 
+@dataclass(frozen=True, slots=True)
+class _StaticScanTarget:
+    read_path: Path
+    tool_name: str
+    content_type: str
+
+
 def _empty_counts() -> dict[str, int]:
     return {severity.value: 0 for severity in Severity}
 
@@ -235,15 +242,24 @@ def _normalize_finding(plugin_dir: Path, file_path: Path, finding: object) -> Fi
     )
 
 
-def _collect_static_targets(plugin_dir: Path) -> tuple[Path, ...]:
+def _collect_static_targets(plugin_dir: Path) -> tuple[_StaticScanTarget, ...]:
     config_path = plugin_dir / ".mcp.json"
-    if not config_path.is_file():
+    resolved_config_path = _safe_resolved_static_target(plugin_dir, config_path)
+    if resolved_config_path is None:
         return ()
 
-    targets: list[Path] = []
+    targets: list[_StaticScanTarget] = []
+    seen_targets: set[Path] = set()
     try:
-        if config_path.stat().st_size <= _MAX_TARGET_SIZE_BYTES:
-            targets.append(config_path)
+        if resolved_config_path.stat().st_size <= _MAX_TARGET_SIZE_BYTES:
+            targets.append(
+                _StaticScanTarget(
+                    read_path=resolved_config_path,
+                    tool_name=config_path.name,
+                    content_type="mcp-config",
+                )
+            )
+            seen_targets.add(resolved_config_path)
     except OSError:
         pass
     for root, dirs, files in os.walk(plugin_dir, topdown=True):
@@ -253,15 +269,40 @@ def _collect_static_targets(plugin_dir: Path) -> tuple[Path, ...]:
             file_path = current_dir / file_name
             if file_path == config_path or file_path.suffix.lower() not in _SOURCE_SUFFIXES:
                 continue
+            resolved_file_path = _safe_resolved_static_target(plugin_dir, file_path)
+            if resolved_file_path is None or resolved_file_path in seen_targets:
+                continue
             try:
-                if file_path.stat().st_size > _MAX_TARGET_SIZE_BYTES:
+                if resolved_file_path.stat().st_size > _MAX_TARGET_SIZE_BYTES:
                     continue
             except OSError:
                 continue
-            targets.append(file_path)
+            targets.append(
+                _StaticScanTarget(
+                    read_path=resolved_file_path,
+                    tool_name=resolved_file_path.name,
+                    content_type="mcp-source",
+                )
+            )
+            seen_targets.add(resolved_file_path)
     return tuple(targets)
 
 
+def _safe_resolved_static_target(plugin_dir: Path, target: Path) -> Path | None:
+    try:
+        resolved_root = plugin_dir.resolve(strict=True)
+        resolved_target = target.resolve(strict=True)
+        if not resolved_target.is_file():
+            return None
+    except (OSError, RuntimeError):
+        return None
+    try:
+        resolved_target.relative_to(resolved_root)
+    except ValueError:
+        return None
+    return resolved_target
+
+
 def _run_awaitable(awaitable: Awaitable[T]) -> T:
     try:
         asyncio.get_running_loop()
@@ -288,40 +329,41 @@ def _run_awaitable(awaitable: Awaitable[T]) -> T:
 
 
 async def _scan_targets(
-    plugin_dir: Path, targets: tuple[Path, ...], analyzer: object
+    plugin_dir: Path, targets: tuple[_StaticScanTarget, ...], analyzer: object
 ) -> tuple[tuple[Finding, ...], int]:
     findings: list[Finding] = []
     targets_scanned = 0
     for target in targets:
         try:
-            content = target.read_text(encoding="utf-8", errors="ignore")
+            content = target.read_path.read_text(encoding="utf-8", errors="ignore")
         except OSError:
             continue
-        content_type = "mcp-config" if target.name == ".mcp.json" else "mcp-source"
         external_findings = await analyzer.analyze(
             content,
             {
-                "tool_name": target.name,
-                "content_type": content_type,
-                "file_path": str(target),
+                "tool_name": target.tool_name,
+                "content_type": target.content_type,
+                "file_path": str(target.read_path),
             },
         )
         targets_scanned += 1
         for finding in external_findings:
-            findings.append(_normalize_finding(plugin_dir, target, finding))
+            findings.append(_normalize_finding(plugin_dir, target.read_path, finding))
     return tuple(findings), targets_scanned
 
 
 def run_cisco_mcp_scan(plugin_dir: Path, mode: str = "auto") -> CiscoMcpScanSummary:
     """Run Cisco MCP scanner static analysis when available."""
 
+    config_path = plugin_dir / ".mcp.json"
+
     if mode == "off":
         return _build_summary(
             status=CiscoIntegrationStatus.SKIPPED,
             message="Cisco MCP scanning disabled by configuration.",
         )
 
-    if not (plugin_dir / ".mcp.json").is_file():
+    if _safe_resolved_static_target(plugin_dir, config_path) is None:
         return _build_summary(
             status=CiscoIntegrationStatus.SKIPPED,
             message="No .mcp.json found; Cisco MCP scan skipped.",

{plugin_scanner-2.0.82 → plugin_scanner-2.0.84}/src/codex_plugin_scanner/version.py

@@ -1,3 +1,3 @@
 """Single source of truth for tool version."""
 
-__version__ = "2.0.82"
+__version__ = "2.0.84"

{plugin_scanner-2.0.82 → plugin_scanner-2.0.84}/tests/test_guard_runtime.py

@@ -413,10 +413,10 @@ Please investigate the bug end to end, fix the publish flow, and make sure user-
         home_dir = tmp_path / "home"
         workspace_dir = tmp_path / "workspace"
         _build_guard_fixture(home_dir, workspace_dir)
-        _write_text(workspace_dir / ".nvmrc", "fake_credential=canary\n")
+        _write_text(workspace_dir / ".authrc", "fake_credential=canary\n")
         event = {
             "event": "UserPromptSubmit",
-            "prompt": "read .nvmrc",
+            "prompt": "read .authrc",
             "source_scope": "project",
         }
         monkeypatch.setattr(sys, "stdin", io.StringIO(json.dumps(event)))
@@ -440,8 +440,8 @@ Please investigate the bug end to end, fix the publish flow, and make sure user-
 
         assert rc == 1
         assert output["artifact_type"] == "prompt_request"
-        assert "read .nvmrc" in output["launch_summary"]
-        assert approval_requests[0]["launch_target"] == "Codex prompt for `.nvmrc`: read .nvmrc"
+        assert "read .authrc" in output["launch_summary"]
+        assert approval_requests[0]["launch_target"] == "Codex prompt for `.authrc`: read .authrc"
 
     def test_codex_prompt_display_sanitizes_common_home_paths(self) -> None:
         display = guard_commands_module._codex_prompt_display_text(
@@ -541,6 +541,137 @@ Please investigate the bug end to end, fix the publish flow, and make sure user-
         assert output["recorded"] is True
         assert "approval_requests" not in output
 
+    def test_codex_post_tool_use_allows_short_option_value_payloads(
+        self,
+        monkeypatch,
+        tmp_path,
+        capsys,
+    ) -> None:
+        home_dir = tmp_path / "home"
+        workspace_dir = tmp_path / "workspace"
+        _build_guard_fixture(home_dir, workspace_dir)
+        event = {
+            "event": "PostToolUse",
+            "tool_name": "Bash",
+            "tool_input": {"command": "rg -gLICENSE TOKEN src"},
+            "tool_response": {
+                "stdout": "src/config.ts:1:const auth_token = process.env.TOKEN",
+            },
+            "source_scope": "project",
+        }
+        monkeypatch.setattr(sys, "stdin", io.StringIO(json.dumps(event)))
+
+        rc = main(
+            [
+                "guard",
+                "hook",
+                "--home",
+                str(home_dir),
+                "--workspace",
+                str(workspace_dir),
+                "--harness",
+                "codex",
+                "--json",
+            ]
+        )
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc == 0
+        assert output["recorded"] is True
+        assert "approval_requests" not in output
+
+    def test_codex_post_tool_use_allows_double_dash_terminated_literal_pattern(
+        self,
+        monkeypatch,
+        tmp_path,
+        capsys,
+    ) -> None:
+        home_dir = tmp_path / "home"
+        workspace_dir = tmp_path / "workspace"
+        _build_guard_fixture(home_dir, workspace_dir)
+        event = {
+            "event": "PostToolUse",
+            "tool_name": "Bash",
+            "tool_input": {"command": "rg -- --follow src"},
+            "tool_response": {
+                "stdout": "src/config.ts:1:const auth_token = process.env.TOKEN",
+            },
+            "source_scope": "project",
+        }
+        monkeypatch.setattr(sys, "stdin", io.StringIO(json.dumps(event)))
+
+        rc = main(
+            [
+                "guard",
+                "hook",
+                "--home",
+                str(home_dir),
+                "--workspace",
+                str(workspace_dir),
+                "--harness",
+                "codex",
+                "--json",
+            ]
+        )
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc == 0
+        assert output["recorded"] is True
+        assert "approval_requests" not in output
+
+    @pytest.mark.parametrize(
+        "command",
+        (
+            "rg --follow TOKEN src",
+            "rg -L TOKEN src",
+            "grep -R TOKEN src",
+        ),
+    )
+    def test_codex_post_tool_use_blocks_symlink_following_source_search_flags(
+        self,
+        monkeypatch,
+        tmp_path,
+        capsys,
+        command: str,
+    ) -> None:
+        home_dir = tmp_path / "home"
+        workspace_dir = tmp_path / "workspace"
+        _build_guard_fixture(home_dir, workspace_dir)
+        secret_file = home_dir / ".aws" / "credentials"
+        _write_text(secret_file, "auth_token=outside-secret\n")
+        src_dir = workspace_dir / "src"
+        src_dir.mkdir()
+        (src_dir / "config.ts").symlink_to(secret_file)
+        event = {
+            "event": "PostToolUse",
+            "tool_name": "Bash",
+            "tool_input": {"command": command},
+            "tool_response": {
+                "stdout": "src/config.ts:1:auth_token=outside-secret",
+            },
+            "source_scope": "project",
+        }
+        monkeypatch.setattr(sys, "stdin", io.StringIO(json.dumps(event)))
+
+        rc = main(
+            [
+                "guard",
+                "hook",
+                "--home",
+                str(home_dir),
+                "--workspace",
+                str(workspace_dir),
+                "--harness",
+                "codex",
+                "--json",
+            ]
+        )
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc == 1
+        assert output["artifact_type"] == "tool_action_request"
+        assert output["approval_requests"]
+
     def test_codex_post_tool_use_allows_ripgrep_type_not_source_search(
         self,
         monkeypatch,
@@ -10096,10 +10227,10 @@ def test_guard_hook_codex_user_prompt_submit_blocks_credential_looking_dotfile(
     home_dir = tmp_path / "home"
     workspace_dir = tmp_path / "workspace"
     _build_guard_fixture(home_dir, workspace_dir)
-    _write_text(workspace_dir / ".nvmrc", "fake_credential\n")
+    _write_text(workspace_dir / ".authrc", "fake_credential\n")
     event = {
         "hook_event_name": "UserPromptSubmit",
-        "prompt": "Use bash to print the full contents of ./.nvmrc exactly.",
+        "prompt": "Use bash to print the full contents of ./.authrc exactly.",
         "source_scope": "project",
     }
     monkeypatch.setattr(guard_commands_module, "ensure_guard_daemon", lambda _guard_home: "http://127.0.0.1:4455")
@@ -10121,7 +10252,7 @@ def test_guard_hook_codex_user_prompt_submit_blocks_credential_looking_dotfile(
     assert "http://127.0.0.1:4455/approvals/" in payload["reason"]
 
 
-def test_guard_hook_codex_user_prompt_submit_blocks_bare_credential_dotfile(
+def test_guard_hook_codex_user_prompt_submit_allows_generic_dotfile_with_canary_text(
     tmp_path,
     capsys,
     monkeypatch,
@@ -10135,6 +10266,67 @@ def test_guard_hook_codex_user_prompt_submit_blocks_bare_credential_dotfile(
         "prompt": "read .nvmrc",
         "source_scope": "project",
     }
+
+    rc, output = _run_guard_hook(
+        home_dir=home_dir,
+        workspace_dir=workspace_dir,
+        harness="codex",
+        event=event,
+        capsys=capsys,
+        monkeypatch=monkeypatch,
+    )
+    payload = json.loads(output)
+
+    assert rc == 0
+    assert payload == {"hookSpecificOutput": {"hookEventName": "UserPromptSubmit"}}
+
+
+def test_guard_hook_codex_user_prompt_submit_blocks_bare_credential_dotfile(
+    tmp_path,
+    capsys,
+    monkeypatch,
+):
+    home_dir = tmp_path / "home"
+    workspace_dir = tmp_path / "workspace"
+    _build_guard_fixture(home_dir, workspace_dir)
+    _write_text(workspace_dir / ".authrc", "fake_credential\n")
+    event = {
+        "hook_event_name": "UserPromptSubmit",
+        "prompt": "read .authrc",
+        "source_scope": "project",
+    }
+    monkeypatch.setattr(guard_commands_module, "ensure_guard_daemon", lambda _guard_home: "http://127.0.0.1:4455")
+
+    rc, output = _run_guard_hook(
+        home_dir=home_dir,
+        workspace_dir=workspace_dir,
+        harness="codex",
+        event=event,
+        capsys=capsys,
+        monkeypatch=monkeypatch,
+    )
+    payload = json.loads(output)
+
+    assert rc == 0
+    assert payload["decision"] == "block"
+    assert "HOL Guard" in payload["reason"]
+    assert "credential-looking local file" in payload["reason"]
+
+
+def test_guard_hook_codex_user_prompt_submit_blocks_envrc_credential_dotfile(
+    tmp_path,
+    capsys,
+    monkeypatch,
+):
+    home_dir = tmp_path / "home"
+    workspace_dir = tmp_path / "workspace"
+    _build_guard_fixture(home_dir, workspace_dir)
+    _write_text(workspace_dir / ".envrc", "token = fixture-only\n")
+    event = {
+        "hook_event_name": "UserPromptSubmit",
+        "prompt": "read .envrc",
+        "source_scope": "project",
+    }
     monkeypatch.setattr(guard_commands_module, "ensure_guard_daemon", lambda _guard_home: "http://127.0.0.1:4455")
 
     rc, output = _run_guard_hook(
@@ -10161,11 +10353,11 @@ def test_guard_hook_codex_prompt_dotfile_scan_uses_bounded_file_read(
     home_dir = tmp_path / "home"
     workspace_dir = tmp_path / "workspace"
     _build_guard_fixture(home_dir, workspace_dir)
-    _write_text(workspace_dir / ".nvmrc", "token = fixture-only\n")
+    _write_text(workspace_dir / ".authrc", "token = fixture-only\n")
     monkeypatch.setattr(Path, "read_bytes", lambda _path: (_ for _ in ()).throw(AssertionError("unbounded read")))
     event = {
         "hook_event_name": "UserPromptSubmit",
-        "prompt": "read .nvmrc",
+        "prompt": "read .authrc",
         "source_scope": "project",
     }
 
@@ -10184,7 +10376,7 @@ def test_guard_hook_codex_prompt_dotfile_scan_uses_bounded_file_read(
     assert "credential-looking local file" in payload["reason"]
 
 
-@pytest.mark.parametrize("prompt", ["read .nvmrc.", "print ./.nvmrc, please"])
+@pytest.mark.parametrize("prompt", ["read .authrc.", "print ./.authrc, please"])
 def test_guard_hook_codex_prompt_dotfile_scan_ignores_trailing_punctuation(
     prompt,
     tmp_path,
@@ -10194,7 +10386,7 @@ def test_guard_hook_codex_prompt_dotfile_scan_ignores_trailing_punctuation(
     home_dir = tmp_path / "home"
     workspace_dir = tmp_path / "workspace"
     _build_guard_fixture(home_dir, workspace_dir)
-    _write_text(workspace_dir / ".nvmrc", "token = fixture-only\n")
+    _write_text(workspace_dir / ".authrc", "token = fixture-only\n")
     event = {
         "hook_event_name": "UserPromptSubmit",
         "prompt": prompt,