PyPI - plugin-scanner - Versions diffs - 2.0.90__tar.gz → 2.0.91__tar.gz - Mend

plugin-scanner 2.0.90tar.gz → 2.0.91tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

{plugin_scanner-2.0.90 → plugin_scanner-2.0.91}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.90
+Version: 2.0.91
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.90 → plugin_scanner-2.0.91}/docs/guard/get-started.md RENAMED Viewed

@@ -163,6 +163,15 @@ Hermes gets the normal Guard shim plus a Guard-owned bundle at `<guard-home>/her
 Guard injects the managed overlay paths through `HERMES_GUARD_MCP_OVERLAY_PATH` and `HERMES_GUARD_PRETOOL_PATH` when
 you launch Hermes through Guard.
+OpenClaw gets the normal Guard shim plus a Guard-owned bundle at `<guard-home>/openclaw/` with:
+- `overlay.json`
+- `pretool-hook.json`
+- `manifest.json`
+Guard injects the managed overlay paths through `OPENCLAW_GUARD_OVERLAY_PATH` and `OPENCLAW_GUARD_PRETOOL_PATH` when
+you launch OpenClaw through Guard. It does not mutate `~/.openclaw/openclaw.json`.
 ## Harness approval model
 Guard uses three approval tiers:
@@ -189,6 +198,9 @@ Current strategy:
 - `hermes`
   prefers the managed Hermes same-channel path when Guard owns the overlay bundle, falls back to the approval center,
   and keeps browser auto-open off for blocked requests
+- `openclaw`
+  scans OpenClaw gateway config, channel posture, MCP servers, workspace skills, user skills, and OpenClaw-owned skills,
+  then prefers native-or-center delivery once the managed overlay bundle exists
 - `gemini`
   scans `.gemini/settings.json`, extension manifests, hooks, MCP registrations, and Gemini skill directories before
   launch, then routes blocked changes to the approval center

{plugin_scanner-2.0.90 → plugin_scanner-2.0.91}/docs/guard/harness-support.md RENAMED Viewed

@@ -42,6 +42,11 @@ Current Guard support in this repo:
   - supports `hol-guard hermes bootstrap` and a Guard-managed Hermes overlay bundle under Guard home
   - rewrites managed Hermes MCP entries through Guard’s existing proxy path and uses native-or-center delivery when the managed bundle is present
   - blocks sensitive file reads and Docker-sensitive native pre-tool actions through the existing Guard hook path
+- `openclaw`
+  - detects `~/.openclaw/openclaw.json`, gateway posture, channels, MCP servers, workspace skills, user skills, and OpenClaw-owned skills
+  - supports a Guard-managed OpenClaw overlay bundle under Guard home without mutating user OpenClaw config
+  - flags open DM channel posture and remote MCP endpoints before launch so chat-originated agent work can be reviewed
+  - uses native-or-center delivery when the managed bundle is present and keeps browser auto-open off for blocked requests
 - `opencode`
   - detects global and project config, MCP servers, config-defined commands, markdown commands, npm plugins, local
     plugin files, and OpenCode-compatible skill directories

{plugin_scanner-2.0.90 → plugin_scanner-2.0.91}/docs/guard/testing-matrix.md RENAMED Viewed

@@ -20,7 +20,9 @@ Manual verification should include:
 - `hol-guard detect antigravity --json`
 - `hol-guard detect gemini --json`
 - `hol-guard detect opencode --json`
+- `hol-guard detect openclaw --json`
 - `hol-guard install opencode --json`
+- `hol-guard install openclaw --json`
 - `hol-guard update --dry-run --json`
 - `hol-guard run cursor --dry-run --default-action allow --json`
 - `hol-guard run gemini --dry-run --default-action allow --json`
@@ -36,6 +38,7 @@ Manual verification should include:
 - `gemini --help`
 - `opencode --help`
 - `opencode run --help`
+- `openclaw --help`
 First-party canaries for local manual validation:
@@ -53,6 +56,15 @@ real `opencode` binary:
 - a blocked prompt request queues an approval
 - approving that request lets Guard hand off to `opencode run --dir <workspace> ...`
+OpenClaw manual validation should include one isolated local gateway config where you prove all of the following against
+the real `openclaw` binary:
+- an open DM policy with wildcard senders is surfaced as a channel risk
+- a remote MCP endpoint is surfaced as a network risk
+- a newly added workspace skill blocks before launch when policy requires reapproval
+- `hol-guard install openclaw` creates the managed overlay and pre-tool bundle under Guard home
+- approving a blocked OpenClaw request resolves through native-or-center delivery without mutating user config
 Nightly release-bar coverage should include:
 - Codex on a self-hosted Linux runner

{plugin_scanner-2.0.90 → plugin_scanner-2.0.91}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "plugin-scanner"
-version = "2.0.90"
+version = "2.0.91"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.90 → plugin_scanner-2.0.91}/pyproject.toml.bak RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "hol-guard"
-version = "2.0.90"
+version = "2.0.91"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.90 → plugin_scanner-2.0.91}/src/codex_plugin_scanner/guard/adapters/__init__.py RENAMED Viewed

@@ -10,6 +10,7 @@ from .copilot import CopilotHarnessAdapter
 from .cursor import CursorHarnessAdapter
 from .gemini import GeminiHarnessAdapter
 from .hermes import HermesHarnessAdapter
+from .openclaw import OpenClawHarnessAdapter
 from .opencode import OpenCodeHarnessAdapter
 ADAPTERS: tuple[HarnessAdapter, ...] = (
@@ -20,6 +21,7 @@ ADAPTERS: tuple[HarnessAdapter, ...] = (
     AntigravityHarnessAdapter(),
     GeminiHarnessAdapter(),
     HermesHarnessAdapter(),
+    OpenClawHarnessAdapter(),
     OpenCodeHarnessAdapter(),
 )

plugin_scanner-2.0.91/src/codex_plugin_scanner/guard/adapters/openclaw.py ADDED Viewed

@@ -0,0 +1,183 @@
+"""OpenClaw harness adapter."""
+from __future__ import annotations
+import json
+from pathlib import Path
+from ..models import GuardArtifact, HarnessDetection
+from ..shims import install_guard_shim, remove_guard_shim
+from .base import (
+    HarnessAdapter,
+    HarnessContext,
+    _command_available,
+    _ensure_path_within_root,
+    _json_payload,
+    _run_command_probe,
+)
+from .openclaw_config import load_config
+from .openclaw_support import (
+    config_artifacts,
+    config_path,
+    install_state,
+    managed_root,
+    overlay_payload,
+    pretool_payload,
+    skill_artifacts,
+)
+_OPENCLAW_MANAGED_APPROVAL_TIER = "native-or-center"
+_OPENCLAW_MANAGED_PROMPT_CHANNEL = "native"
+class OpenClawHarnessAdapter(HarnessAdapter):
+    """Discover OpenClaw gateway config, channels, MCP servers, and skills."""
+    harness = "openclaw"
+    executable = "openclaw"
+    approval_tier = "approval-center"
+    approval_summary = (
+        "Guard can scan OpenClaw gateway config, channels, skills, and MCP servers before agent sessions run."
+    )
+    fallback_hint = "Connect OpenClaw through the Guard-managed overlay or resolve requests in the approval center."
+    approval_prompt_channel = "native-fallback"
+    approval_auto_open_browser = False
+    def policy_path(self, context: HarnessContext) -> Path:
+        return config_path(context)
+    def detect(self, context: HarnessContext) -> HarnessDetection:
+        path = config_path(context)
+        payload = load_config(path)
+        found_paths: list[str] = []
+        artifacts: list[GuardArtifact] = []
+        if payload:
+            found_paths.append(str(path))
+            artifacts.extend(config_artifacts(context, path, payload))
+        artifacts.extend(skill_artifacts(context, payload, found_paths))
+        return HarnessDetection(
+            harness=self.harness,
+            installed=bool(found_paths) or _command_available(self.executable),
+            command_available=_command_available(self.executable),
+            config_paths=tuple(found_paths),
+            artifacts=tuple(artifacts),
+        )
+    def install(self, context: HarnessContext) -> dict[str, object]:
+        shim_manifest = install_guard_shim(self.harness, context)
+        root = managed_root(context)
+        manifest_path = root / "manifest.json"
+        overlay_path = root / "overlay.json"
+        pretool_path = root / "pretool-hook.json"
+        root.mkdir(parents=True, exist_ok=True)
+        existing_manifest = _json_payload(manifest_path)
+        state = install_state(
+            existing_manifest=existing_manifest,
+            overlay_path=overlay_path,
+            pretool_path=pretool_path,
+        )
+        detection = self.detect(context)
+        overlay_path.write_text(json.dumps(overlay_payload(detection), indent=2) + "\n", encoding="utf-8")
+        pretool_path.write_text(json.dumps(pretool_payload(context=context), indent=2) + "\n", encoding="utf-8")
+        manifest = {
+            "harness": self.harness,
+            "active": True,
+            "config_path": str(overlay_path),
+            **shim_manifest,
+            "install_state": state,
+            "managed_root": str(root),
+            "managed_manifest_path": str(manifest_path),
+            "managed_overlay_path": str(overlay_path),
+            "pretool_hook_path": str(pretool_path),
+            "capabilities": {
+                "same_channel": True,
+                "pretool": True,
+                "channel_posture": True,
+                "mcp_proxy": True,
+            },
+            "config_paths": list(detection.config_paths),
+            "artifact_count": len(detection.artifacts),
+            "notes": [
+                "Guard generated an OpenClaw overlay bundle for gateway posture and pre-tool protection.",
+                *[str(note) for note in shim_manifest.get("notes", [])],
+            ],
+        }
+        manifest_path.write_text(json.dumps(manifest, indent=2) + "\n", encoding="utf-8")
+        return manifest
+    def uninstall(self, context: HarnessContext) -> dict[str, object]:
+        shim_manifest = remove_guard_shim(self.harness, context)
+        root = managed_root(context)
+        manifest = _json_payload(root / "manifest.json")
+        removed_paths: list[str] = []
+        for key in ("managed_manifest_path", "managed_overlay_path", "pretool_hook_path"):
+            value = manifest.get(key)
+            if not isinstance(value, str) or not value:
+                continue
+            path = Path(value)
+            _ensure_path_within_root(root, path, label=key)
+            if path.exists():
+                path.unlink()
+                removed_paths.append(str(path))
+        return {
+            "harness": self.harness,
+            "active": False,
+            "config_path": str(root / "overlay.json"),
+            **shim_manifest,
+            "removed_paths": removed_paths,
+            "notes": [
+                "Guard removed the managed OpenClaw overlay bundle and kept user OpenClaw config untouched.",
+                *[str(note) for note in shim_manifest.get("notes", [])],
+            ],
+        }
+    def launch_environment(self, context: HarnessContext) -> dict[str, str]:
+        manifest = _json_payload(managed_root(context) / "manifest.json")
+        overlay_path = manifest.get("managed_overlay_path")
+        pretool_path = manifest.get("pretool_hook_path")
+        if not isinstance(overlay_path, str) or not isinstance(pretool_path, str):
+            return {}
+        return {
+            "OPENCLAW_GUARD_OVERLAY_PATH": overlay_path,
+            "OPENCLAW_GUARD_PRETOOL_PATH": pretool_path,
+            "OPENCLAW_GUARD_CHANNEL_POSTURE": "enabled",
+        }
+    def runtime_probe(self, context: HarnessContext) -> dict[str, object] | None:
+        manifest = _json_payload(managed_root(context) / "manifest.json")
+        overlay_path = manifest.get("managed_overlay_path")
+        pretool_path = manifest.get("pretool_hook_path")
+        return {
+            "command": _run_command_probe([self.executable, "--help"]) if _command_available(self.executable) else None,
+            "managed_install_present": bool(manifest),
+            "managed_install_ready": (
+                isinstance(overlay_path, str)
+                and Path(overlay_path).exists()
+                and isinstance(pretool_path, str)
+                and Path(pretool_path).exists()
+            ),
+        }
+    def approval_flow(self, *, managed_install: dict[str, object] | None = None) -> dict[str, object]:
+        manifest = managed_install.get("manifest") if isinstance(managed_install, dict) else None
+        capabilities = manifest.get("capabilities") if isinstance(manifest, dict) else None
+        same_channel = isinstance(capabilities, dict) and bool(capabilities.get("same_channel"))
+        if same_channel:
+            return {
+                "tier": _OPENCLAW_MANAGED_APPROVAL_TIER,
+                "summary": (
+                    "Guard uses OpenClaw native agent/channel delivery first and falls back to the approval center."
+                ),
+                "fallback_hint": "Use the Guard approval center if OpenClaw cannot surface the pending request inline.",
+                "prompt_channel": _OPENCLAW_MANAGED_PROMPT_CHANNEL,
+                "auto_open_browser": False,
+            }
+        return {
+            "tier": "approval-center",
+            "summary": "Guard keeps OpenClaw approvals in the local approval center without forcing a browser open.",
+            "fallback_hint": (
+                "Resolve pending OpenClaw requests from the Guard approval center or `hol-guard approvals`."
+            ),
+            "prompt_channel": "native-fallback",
+            "auto_open_browser": False,
+        }

plugin_scanner-2.0.91/src/codex_plugin_scanner/guard/adapters/openclaw_config.py ADDED Viewed

@@ -0,0 +1,286 @@
+"""OpenClaw configuration loading helpers."""
+from __future__ import annotations
+import json
+import re
+from pathlib import Path
+_MAX_INCLUDE_DEPTH = 8
+_CONFIG_SUFFIXES = {".json", ".json5", ".yaml", ".yml"}
+def load_config(path: Path) -> dict[str, object]:
+    return _load_config(path, seen=set(), depth=0)
+def _load_config(path: Path, *, seen: set[Path], depth: int) -> dict[str, object]:
+    if depth > _MAX_INCLUDE_DEPTH:
+        return {}
+    try:
+        resolved_path = path.resolve()
+    except (OSError, RuntimeError):
+        return {}
+    if resolved_path in seen:
+        return {}
+    try:
+        raw = resolved_path.read_text(encoding="utf-8")
+    except (OSError, UnicodeDecodeError):
+        return {}
+    payload = _parse_config_payload(raw)
+    if not isinstance(payload, dict):
+        return {}
+    return _resolve_includes(resolved_path, payload, seen={*seen, resolved_path}, depth=depth)
+def _resolve_includes(path: Path, payload: dict[str, object], *, seen: set[Path], depth: int) -> dict[str, object]:
+    include_value = payload.get("$include")
+    include_paths = _include_paths(path.parent, include_value)
+    merged: dict[str, object] = {}
+    for include_path in include_paths:
+        included_payload = _load_config(include_path, seen=seen, depth=depth + 1)
+        merged = _deep_merge(merged, included_payload)
+    local_payload = {key: value for key, value in payload.items() if key != "$include"}
+    return _deep_merge(merged, local_payload)
+def _include_paths(base_dir: Path, value: object) -> tuple[Path, ...]:
+    values = value if isinstance(value, list) else [value]
+    paths: list[Path] = []
+    for item in values:
+        if not isinstance(item, str) or not item.strip():
+            continue
+        candidate = Path(item.strip()).expanduser()
+        path = candidate if candidate.is_absolute() else base_dir / candidate
+        if path.suffix.lower() in _CONFIG_SUFFIXES:
+            paths.append(path)
+    return tuple(paths)
+def _deep_merge(base: dict[str, object], overlay: dict[str, object]) -> dict[str, object]:
+    result = dict(base)
+    for key, value in overlay.items():
+        existing = result.get(key)
+        if isinstance(existing, dict) and isinstance(value, dict):
+            result[key] = _deep_merge(existing, value)
+        else:
+            result[key] = value
+    return result
+def _parse_config_payload(raw: str) -> object:
+    try:
+        return json.loads(raw)
+    except json.JSONDecodeError:
+        pass
+    stripped = _strip_json_comments(raw)
+    normalized = _strip_trailing_json_commas(stripped)
+    try:
+        return json.loads(normalized)
+    except json.JSONDecodeError:
+        pass
+    json5_normalized = _strip_trailing_json_commas(
+        _convert_single_quoted_strings(_quote_unquoted_object_keys(stripped))
+    )
+    try:
+        return json.loads(json5_normalized)
+    except json.JSONDecodeError:
+        return {}
+def _strip_json_comments(text: str) -> str:
+    output: list[str] = []
+    quote: str | None = None
+    escape = False
+    in_line_comment = False
+    in_block_comment = False
+    index = 0
+    while index < len(text):
+        char = text[index]
+        next_char = text[index + 1] if index + 1 < len(text) else ""
+        if in_line_comment:
+            if char == "\n":
+                in_line_comment = False
+                output.append(char)
+            index += 1
+            continue
+        if in_block_comment:
+            if char == "*" and next_char == "/":
+                in_block_comment = False
+                index += 2
+                continue
+            if char == "\n":
+                output.append(char)
+            index += 1
+            continue
+        if quote is not None:
+            output.append(char)
+            if escape:
+                escape = False
+            elif char == "\\":
+                escape = True
+            elif char == quote:
+                quote = None
+            index += 1
+            continue
+        if char in {"'", '"'}:
+            quote = char
+            output.append(char)
+            index += 1
+            continue
+        if char == "/" and next_char == "/":
+            in_line_comment = True
+            index += 2
+            continue
+        if char == "/" and next_char == "*":
+            in_block_comment = True
+            index += 2
+            continue
+        output.append(char)
+        index += 1
+    return "".join(output)
+def _strip_trailing_json_commas(text: str) -> str:
+    output: list[str] = []
+    quote: str | None = None
+    escape = False
+    index = 0
+    while index < len(text):
+        char = text[index]
+        if quote is not None:
+            output.append(char)
+            if escape:
+                escape = False
+            elif char == "\\":
+                escape = True
+            elif char == quote:
+                quote = None
+            index += 1
+            continue
+        if char in {"'", '"'}:
+            quote = char
+            output.append(char)
+            index += 1
+            continue
+        if char == ",":
+            lookahead = index + 1
+            while lookahead < len(text) and text[lookahead] in " \t\r\n":
+                lookahead += 1
+            if lookahead < len(text) and text[lookahead] in "}]":
+                index += 1
+                continue
+        output.append(char)
+        index += 1
+    return "".join(output)
+def _quote_unquoted_object_keys(text: str) -> str:
+    output: list[str] = []
+    quote: str | None = None
+    escape = False
+    expecting_key = False
+    index = 0
+    while index < len(text):
+        char = text[index]
+        if quote is not None:
+            output.append(char)
+            if escape:
+                escape = False
+            elif char == "\\":
+                escape = True
+            elif char == quote:
+                quote = None
+            index += 1
+            continue
+        if char in {"'", '"'}:
+            quote = char
+            output.append(char)
+            index += 1
+            continue
+        if char in "{,":
+            expecting_key = True
+            output.append(char)
+            index += 1
+            continue
+        if expecting_key and char.isspace():
+            output.append(char)
+            index += 1
+            continue
+        if expecting_key and _starts_identifier(char):
+            match = re.match(r"[A-Za-z_$][A-Za-z0-9_$-]*", text[index:])
+            if match is not None:
+                key = match.group(0)
+                lookahead = index + len(key)
+                while lookahead < len(text) and text[lookahead].isspace():
+                    lookahead += 1
+                if lookahead < len(text) and text[lookahead] == ":":
+                    output.append(json.dumps(key))
+                    index += len(key)
+                    expecting_key = False
+                    continue
+        expecting_key = False
+        output.append(char)
+        index += 1
+    return "".join(output)
+def _convert_single_quoted_strings(text: str) -> str:
+    output: list[str] = []
+    quote: str | None = None
+    escape = False
+    index = 0
+    while index < len(text):
+        char = text[index]
+        if quote == "'":
+            if escape:
+                _append_single_quote_escape(output, char)
+                escape = False
+            elif char == "\\":
+                escape = True
+            elif char == "'":
+                quote = None
+                output.append('"')
+            elif char == '"':
+                output.append('\\"')
+            else:
+                output.append(char)
+            index += 1
+            continue
+        if quote == '"':
+            output.append(char)
+            if escape:
+                escape = False
+            elif char == "\\":
+                escape = True
+            elif char == '"':
+                quote = None
+            index += 1
+            continue
+        if char == "'":
+            quote = "'"
+            output.append('"')
+            index += 1
+            continue
+        if char == '"':
+            quote = '"'
+        output.append(char)
+        index += 1
+    return "".join(output)
+def _append_single_quote_escape(output: list[str], char: str) -> None:
+    if char == "'":
+        output.append("'")
+    elif char == '"':
+        output.append('\\"')
+    elif char == "\\":
+        output.append("\\\\")
+    elif char in {"b", "f", "n", "r", "t", "/"}:
+        output.append(f"\\{char}")
+    else:
+        output.append(char)
+def _starts_identifier(char: str) -> bool:
+    return char.isalpha() or char in {"_", "$"}

plugin-scanner 2.0.90__tar.gz → 2.0.91__tar.gz

plugin-scanner 2.0.90tar.gz → 2.0.91tar.gz