plugin-scanner 2.0.91__tar.gz → 2.0.93__tar.gz

{plugin_scanner-2.0.91 → plugin_scanner-2.0.93}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.91
+Version: 2.0.93
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.91 → plugin_scanner-2.0.93}/dashboard/src/guard-api.ts

@@ -18,24 +18,31 @@ import {
 } from "./guard-demo";
 
 const GUARD_TOKEN_PARAM = "guard-token";
+const GUARD_DAEMON_PARAM = "guardDaemon";
 
 async function readJson<T>(input: RequestInfo, init?: RequestInit): Promise<T> {
-  const response = await fetch(input, init);
+  const response = await fetch(guardApiInput(input), withGuardAuth(init));
   if (!response.ok) {
     throw new Error(`Request failed with ${response.status}`);
   }
   return (await response.json()) as T;
 }
 
-function guardTokenFromHash(): string | null {
-  const fragment = window.location.hash.startsWith("#")
-    ? window.location.hash.slice(1)
-    : window.location.hash;
-  return new URLSearchParams(fragment).get(GUARD_TOKEN_PARAM);
+function guardParams(): URLSearchParams {
+  const params = new URLSearchParams(window.location.search);
+  const fragment = window.location.hash.startsWith("#") ? window.location.hash.slice(1) : window.location.hash;
+  for (const [key, value] of new URLSearchParams(fragment)) {
+    params.set(key, value);
+  }
+  return params;
+}
+
+function guardParam(name: string): string | null {
+  return guardParams().get(name);
 }
 
 function readGuardToken(): string | null {
-  const guardToken = guardTokenFromHash();
+  const guardToken = guardParam(GUARD_TOKEN_PARAM);
   if (guardToken) {
     window.sessionStorage.setItem(GUARD_TOKEN_PARAM, guardToken);
     return guardToken;
@@ -43,6 +50,55 @@ function readGuardToken(): string | null {
   return window.sessionStorage.getItem(GUARD_TOKEN_PARAM);
 }
 
+function readGuardDaemonOrigin(): string | null {
+  const rawDaemonUrl = guardParam(GUARD_DAEMON_PARAM);
+  if (rawDaemonUrl) {
+    const daemonOrigin = localGuardDaemonOrigin(rawDaemonUrl);
+    if (daemonOrigin) {
+      window.sessionStorage.setItem(GUARD_DAEMON_PARAM, daemonOrigin);
+      return daemonOrigin;
+    }
+  }
+  const storedDaemonUrl = window.sessionStorage.getItem(GUARD_DAEMON_PARAM);
+  return storedDaemonUrl ? localGuardDaemonOrigin(storedDaemonUrl) : null;
+}
+
+function localGuardDaemonOrigin(rawUrl: string): string | null {
+  try {
+    const url = new URL(rawUrl);
+    if (url.protocol !== "http:" || !["127.0.0.1", "localhost", "[::1]", "::1"].includes(url.hostname)) {
+      return null;
+    }
+    if (url.username || url.password || (url.pathname && url.pathname !== "/") || url.search || url.hash) {
+      return null;
+    }
+    return url.origin;
+  } catch {
+    return null;
+  }
+}
+
+function guardApiInput(input: RequestInfo): RequestInfo {
+  const daemonOrigin = readGuardDaemonOrigin();
+  if (!daemonOrigin || typeof input !== "string" || !input.startsWith("/")) {
+    return input;
+  }
+  return `${daemonOrigin}${input}`;
+}
+
+function withGuardAuth(init?: RequestInit): RequestInit | undefined {
+  const guardToken = readGuardToken();
+  if (!guardToken) {
+    return init;
+  }
+  const headers = new Headers(init?.headers);
+  headers.set("X-Guard-Token", guardToken);
+  return {
+    ...init,
+    headers
+  };
+}
+
 function guardAuthHeaders(): HeadersInit {
   const guardToken = readGuardToken();
   return guardToken ? { "X-Guard-Token": guardToken } : {};
@@ -59,7 +115,12 @@ export function guardAwareHref(href: string): string {
     return href;
   }
 
-  url.hash = new URLSearchParams([[GUARD_TOKEN_PARAM, guardToken]]).toString();
+  const fragmentPairs = [[GUARD_TOKEN_PARAM, guardToken]];
+  const daemonOrigin = readGuardDaemonOrigin();
+  if (daemonOrigin) {
+    fragmentPairs.push([GUARD_DAEMON_PARAM, daemonOrigin]);
+  }
+  url.hash = new URLSearchParams(fragmentPairs).toString();
   if (href.startsWith("http://") || href.startsWith("https://")) {
     return url.toString();
   }
@@ -193,7 +254,7 @@ export async function fetchLatestReceipt(
   if (isGuardDemoMode()) {
     return getDemoReceipts().find((entry) => entry.artifact_id === artifactId) ?? null;
   }
-  const response = await fetch(
+  const response = await fetchGuardApi(
     `/v1/receipts/latest?harness=${encodeURIComponent(harness)}&artifact_id=${encodeURIComponent(artifactId)}`
   );
   if (response.status === 404) {
@@ -252,7 +313,7 @@ export async function fetchDiff(
   if (isGuardDemoMode()) {
     return getDemoDiff(artifactId, harness);
   }
-  const response = await fetch(
+  const response = await fetchGuardApi(
     `/v1/artifacts/${encodeURIComponent(artifactId)}/diff?harness=${encodeURIComponent(harness)}`
   );
   if (response.status === 404) {
@@ -264,6 +325,10 @@ export async function fetchDiff(
   return (await response.json()) as GuardArtifactDiff;
 }
 
+function fetchGuardApi(input: RequestInfo, init?: RequestInit): Promise<Response> {
+  return fetch(guardApiInput(input), withGuardAuth(init));
+}
+
 export async function resolveRequest(input: {
   requestId: string;
   action: "allow" | "block";

{plugin_scanner-2.0.91 → plugin_scanner-2.0.93}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.91"
+version = "2.0.93"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.91 → plugin_scanner-2.0.93}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.91"
+version = "2.0.93"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.91 → plugin_scanner-2.0.93}/src/codex_plugin_scanner/guard/cli/commands.py

@@ -86,6 +86,7 @@ from ..runtime.runner import (
     guard_run,
     prompt_requests_to_artifacts,
     sync_receipts,
+    sync_runtime_session,
 )
 from ..runtime.secret_file_requests import (
     build_file_read_request_artifact,
@@ -108,6 +109,9 @@ from .product import build_guard_start_payload, build_guard_status_payload
 from .update_commands import run_guard_update
 
 _GUARD_CLIENT_VERSION = "2.0.0"
+_SERVICE_RUNTIME_PROFILE_STATE_KEY = "service_runtime_profile"
+_SERVICE_RUNTIME_CHOICES = ("hermes", "openclaw", "custom")
+_SERVICE_RUNTIME_SURFACE = "agent-sdk"
 _GUARD_HELP_GROUPS = (
     "Everyday protection:\n"
     "  start        First-run setup and the Guard operating loop\n"
@@ -121,6 +125,7 @@ _GUARD_HELP_GROUPS = (
     "  connect      Pair this machine to Guard Cloud\n"
     "  login        Compatibility alias for browser pairing\n"
     "  sync         Send local decisions to Guard Cloud\n"
+    "  service      Manage hosted-runtime Guard Cloud login and sync\n"
     "  device       Inspect or rotate this machine identity\n"
     "  bridge       Forward Guard signals to external channels\n"
     "\n"
@@ -437,6 +442,41 @@ def _configure_guard_parser(guard_parser: argparse.ArgumentParser) -> None:
     sync_parser.add_argument("--guard-home")
     sync_parser.add_argument("--json", action="store_true")
 
+    service_parser = guard_subparsers.add_parser(
+        "service",
+        help="Manage headless hosted-runtime Guard Cloud login, sync, and status",
+    )
+    service_subparsers = service_parser.add_subparsers(
+        dest="service_command",
+        required=True,
+        parser_class=FriendlyArgumentParser,
+    )
+
+    service_login_parser = service_subparsers.add_parser(
+        "login",
+        help="Save a hosted-runtime Guard Cloud token and runtime profile",
+    )
+    _add_guard_common_args(service_login_parser)
+    service_login_parser.add_argument("--runtime", choices=_SERVICE_RUNTIME_CHOICES, required=True)
+    service_login_parser.add_argument("--label", required=True)
+    service_login_parser.add_argument("--sync-url", required=True, type=_guard_http_url)
+    service_login_parser.add_argument("--token", required=True)
+    service_login_parser.add_argument("--json", action="store_true")
+
+    service_sync_parser = service_subparsers.add_parser(
+        "sync",
+        help="Publish the hosted runtime session, then sync receipts",
+    )
+    _add_guard_common_args(service_sync_parser)
+    service_sync_parser.add_argument("--json", action="store_true")
+
+    service_status_parser = service_subparsers.add_parser(
+        "status",
+        help="Show hosted-runtime Guard Cloud login state and latest sync summaries",
+    )
+    _add_guard_common_args(service_status_parser)
+    service_status_parser.add_argument("--json", action="store_true")
+
     device_parser = guard_subparsers.add_parser("device", help="Manage local Guard installation identity")
     _add_guard_common_args(device_parser)
     device_parser.add_argument("--json", action="store_true")
@@ -1093,6 +1133,35 @@ def run_guard_command(
         _emit("sync", payload, getattr(args, "json", False))
         return 0
 
+    if args.guard_command == "service":
+        service_command = getattr(args, "service_command", None)
+        if service_command == "login":
+            payload, exit_code = _guard_service_login_payload(args=args, store=store)
+            _emit("service-login", payload, getattr(args, "json", False))
+            return exit_code
+        if service_command == "sync":
+            try:
+                payload = _guard_service_sync_payload(store)
+            except (GuardSyncNotConfiguredError, RuntimeError) as error:
+                message = (
+                    _guard_service_sync_prerequisite_message()
+                    if isinstance(error, GuardSyncNotConfiguredError)
+                    else str(error)
+                )
+                if getattr(args, "json", False):
+                    _emit("service-sync", {"synced": False, "error": message}, True)
+                else:
+                    print(message, file=sys.stderr)
+                return 1
+            _emit("service-sync", payload, getattr(args, "json", False))
+            return 0
+        if service_command == "status":
+            payload = _guard_service_status_payload(store)
+            _emit("service-status", payload, getattr(args, "json", False))
+            return 0
+        print("service subcommand is required", file=sys.stderr)
+        return 2
+
     if args.guard_command == "device":
         command = getattr(args, "device_command", None)
         now = _now()
@@ -5218,6 +5287,143 @@ def _manual_guard_login_payload(
     return {"logged_in": True, "sync_url": manual_sync_url}, 0
 
 
+def _guard_service_runtime_profile(
+    store: GuardStore,
+) -> dict[str, str] | None:
+    payload = store.get_sync_payload(_SERVICE_RUNTIME_PROFILE_STATE_KEY)
+    if not isinstance(payload, dict):
+        return None
+    runtime = _optional_string(payload.get("runtime"))
+    label = _optional_string(payload.get("label"))
+    surface = _optional_string(payload.get("surface"))
+    client_name = _optional_string(payload.get("client_name"))
+    client_title = _optional_string(payload.get("client_title"))
+    client_version = _optional_string(payload.get("client_version"))
+    if (
+        runtime not in _SERVICE_RUNTIME_CHOICES
+        or label is None
+        or surface is None
+        or client_name is None
+        or client_title is None
+        or client_version is None
+    ):
+        return None
+    return {
+        "runtime": runtime,
+        "label": label,
+        "workspace": _optional_string(payload.get("workspace")) or "",
+        "surface": surface,
+        "client_name": client_name,
+        "client_title": client_title,
+        "client_version": client_version,
+    }
+
+
+def _guard_service_login_payload(
+    *,
+    args: argparse.Namespace,
+    store: GuardStore,
+) -> tuple[dict[str, object], int]:
+    now = _now()
+    label = str(args.label).strip()
+    workspace = _optional_string(args.workspace) or ""
+    sync_url = str(args.sync_url).strip()
+    token = str(args.token).strip()
+    if not token:
+        return {
+            "logged_in": False,
+            "error": "Hosted Guard runtime token cannot be empty.",
+        }, 2
+    runtime = str(args.runtime)
+    service_profile = {
+        "runtime": runtime,
+        "label": label,
+        "workspace": workspace,
+        "surface": _SERVICE_RUNTIME_SURFACE,
+        "client_name": "hol-guard",
+        "client_title": label,
+        "client_version": _GUARD_CLIENT_VERSION,
+    }
+    store.set_sync_credentials(sync_url, token, now)
+    store.set_sync_payload(_SERVICE_RUNTIME_PROFILE_STATE_KEY, service_profile, now)
+    device = store.set_device_label(label, now)
+    store.add_event(
+        "service_sign_in",
+        {
+            "runtime": runtime,
+            "label": label,
+            "workspace": workspace or None,
+            "sync_url": sync_url,
+            "source": "hosted-runtime-cli",
+        },
+        now,
+    )
+    return {
+        "logged_in": True,
+        "sync_url": sync_url,
+        "service": service_profile,
+        "device": device,
+    }, 0
+
+
+def _guard_service_sync_prerequisite_message() -> str:
+    return (
+        "Hosted Guard runtime is not configured yet. Run `hol-guard service login --runtime <runtime> "
+        '--label "<label>" --sync-url "<url>" --token "<token>"` first.'
+    )
+
+
+def _guard_service_status_payload(store: GuardStore) -> dict[str, object]:
+    credentials = store.get_sync_credentials()
+    service_profile = _guard_service_runtime_profile(store)
+    return {
+        "configured": credentials is not None and service_profile is not None,
+        "connection": {
+            "configured": credentials is not None,
+            "sync_url": credentials["sync_url"] if credentials is not None else None,
+        },
+        "service": service_profile,
+        "runtime": store.get_sync_payload("runtime_session_summary") or {},
+        "receipts": store.get_sync_payload("sync_summary") or {},
+    }
+
+
+def _guard_service_sync_payload(store: GuardStore) -> dict[str, object]:
+    service_profile = _guard_service_runtime_profile(store)
+    if service_profile is None:
+        raise GuardSyncNotConfiguredError(_guard_service_sync_prerequisite_message())
+    runtime_summary = sync_runtime_session(
+        store,
+        session={
+            "harness": service_profile["runtime"],
+            "surface": service_profile["surface"],
+            "status": "active",
+            "client_name": service_profile["client_name"],
+            "client_title": service_profile["client_title"],
+            "client_version": service_profile["client_version"],
+            "workspace": service_profile["workspace"],
+            "capabilities": ["hosted-runtime", "guard-cloud-sync"],
+        },
+    )
+    receipts_summary = sync_receipts(store)
+    store.add_event(
+        "service_sync",
+        {
+            "runtime": service_profile["runtime"],
+            "workspace": service_profile["workspace"] or None,
+            "runtime_session_id": runtime_summary.get("runtime_session_id"),
+            "synced_at": receipts_summary.get("synced_at"),
+        },
+        _now(),
+    )
+    return {
+        "synced": True,
+        "service": service_profile,
+        "runtime": runtime_summary,
+        "receipts": receipts_summary,
+    }
+
+
 def _guard_sync_prerequisite_message() -> str:
     return (
         "Guard Cloud is not connected yet. Run `hol-guard connect` to sign in and pair this machine, "

{plugin_scanner-2.0.91 → plugin_scanner-2.0.93}/src/codex_plugin_scanner/guard/daemon/server.py

@@ -54,6 +54,7 @@ _CLAUDE_HOOK_EXECUTION_LOCK = threading.Lock()
 _DEFAULT_GUARD_DAEMON_IDLE_TIMEOUT_SECONDS = 30 * 60
 _EPHEMERAL_GUARD_DAEMON_IDLE_TIMEOUT_SECONDS = 5
 _GUARD_DAEMON_IDLE_POLL_INTERVAL_SECONDS = 0.5
+_HOSTED_GUARD_DASHBOARD_ORIGINS = frozenset({"https://hol.org", "https://www.hol.org"})
 
 
 class _GuardDaemonHandler(BaseHTTPRequestHandler):
@@ -64,21 +65,31 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
         if origin is None:
             self._write_empty(status=400)
             return
-        if not self._origin_is_allowed():
+        headers = self._cors_headers_for_request(
+            allow_methods="GET, POST, OPTIONS",
+            allow_headers="Content-Type, X-Guard-Token",
+        )
+        if headers is None:
             self._write_empty(status=403)
             return
-        self._write_empty(
-            status=200,
-            extra_headers=self._cors_headers(
-                origin, allow_methods="GET, POST, OPTIONS", allow_headers="Content-Type, X-Guard-Token"
-            ),
-        )
+        self._write_empty(status=200, extra_headers=headers)
 
     def do_GET(self) -> None:
         store = self.server.store  # type: ignore[attr-defined]
         parsed = urlparse(self.path)
         self._touch_runtime_heartbeat(parsed.path)
         path_parts = [part for part in parsed.path.split("/") if part]
+        if not self._origin_is_allowed_for_request(parsed.path, path_parts):
+            self._write_json({"error": "forbidden_origin"}, status=403)
+            return
+        if (
+            self._is_hosted_dashboard_origin()
+            and self._is_hosted_dashboard_api_path(parsed.path, path_parts)
+            and parsed.path != "/v1/connect/state"
+            and not self._header_token_is_valid()
+        ):
+            self._write_json({"error": "unauthorized"}, status=401)
+            return
         if parsed.path == "/healthz":
             self._write_json(
                 {
@@ -204,16 +215,15 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
     def do_POST(self) -> None:
         parsed = urlparse(self.path)
         self._touch_runtime_heartbeat(parsed.path)
-        if parsed.path != "/v1/connect/complete" and not self._origin_is_allowed():
+        path_parts = [part for part in parsed.path.split("/") if part]
+        if parsed.path != "/v1/connect/complete" and not self._origin_is_allowed_for_request(parsed.path, path_parts):
             self._write_json({"error": "forbidden_origin"}, status=403)
             return
-        path_parts = [part for part in parsed.path.split("/") if part]
         if self._requires_header_token(parsed.path, path_parts) and not self._header_token_is_valid():
-            origin = self._normalize_origin(self.headers.get("Origin"))
             self._write_json(
                 {"error": "unauthorized"},
                 status=401,
-                extra_headers=self._cors_headers(origin) if origin is not None else None,
+                extra_headers=self._cors_headers_for_request(),
             )
             return
         payload, body_error = self._load_request_body()
@@ -801,7 +811,7 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
         finally:
             self._decrement_active_stream_clients()
 
-    def _origin_is_allowed(self) -> bool:
+    def _origin_is_allowed_for_request(self, path: str, path_parts: list[str]) -> bool:
         origin = self.headers.get("Origin")
         if origin is None:
             return True
@@ -809,7 +819,36 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
         if normalized_origin is None:
             return False
         parsed = urlparse(normalized_origin)
-        return parsed.hostname in {"127.0.0.1", "localhost", "::1"}
+        local_origin = parsed.hostname in {"127.0.0.1", "localhost", "::1"}
+        if local_origin:
+            return True
+        return normalized_origin in _HOSTED_GUARD_DASHBOARD_ORIGINS and self._is_hosted_dashboard_api_path(
+            path, path_parts
+        )
+
+    @staticmethod
+    def _is_hosted_dashboard_api_path(path: str, path_parts: list[str]) -> bool:
+        if path in {
+            "/v1/inventory",
+            "/v1/connect/state",
+            "/v1/policy",
+            "/v1/policy/clear",
+            "/v1/receipts",
+            "/v1/receipts/latest",
+            "/v1/requests",
+            "/v1/runtime",
+            "/v1/settings",
+        }:
+            return True
+        if len(path_parts) == 3 and path_parts[:2] in (["v1", "requests"], ["v1", "receipts"]):
+            return True
+        if len(path_parts) == 4 and path_parts[:2] == ["v1", "requests"] and path_parts[3] in {"approve", "block"}:
+            return True
+        return len(path_parts) == 4 and path_parts[:2] == ["v1", "artifacts"] and path_parts[3] == "diff"
+
+    def _is_hosted_dashboard_origin(self) -> bool:
+        origin = self._normalize_origin(self.headers.get("Origin"))
+        return origin in _HOSTED_GUARD_DASHBOARD_ORIGINS
 
     @staticmethod
     def _normalize_origin(origin: str | None) -> str | None:
@@ -852,6 +891,19 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
             "Vary": "Origin",
         }
 
+    def _cors_headers_for_request(
+        self,
+        *,
+        allow_methods: str = "POST, OPTIONS",
+        allow_headers: str = "Content-Type, X-Guard-Token",
+    ) -> dict[str, str] | None:
+        parsed = urlparse(self.path)
+        path_parts = [part for part in parsed.path.split("/") if part]
+        origin = self._normalize_origin(self.headers.get("Origin"))
+        if origin is None or not self._origin_is_allowed_for_request(parsed.path, path_parts):
+            return None
+        return self._cors_headers(origin, allow_methods=allow_methods, allow_headers=allow_headers)
+
     def _handle_policy_upsert(self, payload: dict[str, object]) -> None:
         harness = payload.get("harness")
         scope = payload.get("scope")
@@ -964,10 +1016,14 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
         extra_headers: dict[str, str] | None = None,
     ) -> None:
         body = json.dumps(payload).encode("utf-8")
+        headers = dict(extra_headers or {})
+        cors_headers = self._cors_headers_for_request(allow_methods="GET, POST, OPTIONS")
+        if cors_headers is not None:
+            headers = {**cors_headers, **headers}
         self.send_response(status)
         self.send_header("Content-Type", "application/json")
         self.send_header("Content-Length", str(len(body)))
-        for key, value in self._validated_headers(extra_headers).items():
+        for key, value in self._validated_headers(headers).items():
             self.send_header(key, value)
         self.end_headers()
         self.wfile.write(body)