plugin-scanner 2.0.92__tar.gz → 2.0.94__tar.gz

{plugin_scanner-2.0.92 → plugin_scanner-2.0.94}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.92
+Version: 2.0.94
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.92 → plugin_scanner-2.0.94}/dashboard/package.json

@@ -4,7 +4,8 @@
   "version": "0.0.0",
   "type": "module",
   "scripts": {
-    "build": "vite build"
+    "build": "vite build",
+    "test": "tsx src/guard-api.test.ts"
   },
   "dependencies": {
     "react": "^19.2.0",
@@ -17,6 +18,7 @@
     "@types/react-dom": "^19.2.2",
     "@vitejs/plugin-react": "^5.0.4",
     "tailwindcss": "^4.1.4",
+    "tsx": "^4.8.1",
     "typescript": "^5.9.3",
     "vite": "^7.1.10"
   }

{plugin_scanner-2.0.92 → plugin_scanner-2.0.94}/dashboard/pnpm-lock.yaml

@@ -20,7 +20,7 @@ importers:
     devDependencies:
       '@tailwindcss/vite':
         specifier: ^4.1.4
-        version: 4.2.2(vite@7.3.2(jiti@2.6.1)(lightningcss@1.32.0))
+        version: 4.2.2(vite@7.3.2(jiti@2.6.1)(lightningcss@1.32.0)(tsx@4.21.0))
       '@types/react':
         specifier: ^19.2.2
         version: 19.2.14
@@ -29,16 +29,19 @@ importers:
         version: 19.2.3(@types/react@19.2.14)
       '@vitejs/plugin-react':
         specifier: ^5.0.4
-        version: 5.2.0(vite@7.3.2(jiti@2.6.1)(lightningcss@1.32.0))
+        version: 5.2.0(vite@7.3.2(jiti@2.6.1)(lightningcss@1.32.0)(tsx@4.21.0))
       tailwindcss:
         specifier: ^4.1.4
         version: 4.2.2
+      tsx:
+        specifier: ^4.8.1
+        version: 4.21.0
       typescript:
         specifier: ^5.9.3
         version: 5.9.3
       vite:
         specifier: ^7.1.10
-        version: 7.3.2(jiti@2.6.1)(lightningcss@1.32.0)
+        version: 7.3.2(jiti@2.6.1)(lightningcss@1.32.0)(tsx@4.21.0)
 
 packages:
 
@@ -610,6 +613,9 @@ packages:
     resolution: {integrity: sha512-3hN7NaskYvMDLQY55gnW3NQ+mesEAepTqlg+VEbj7zzqEMBVNhzcGYYeqFo/TlYz6eQiFcp1HcsCZO+nGgS8zg==}
     engines: {node: '>=6.9.0'}
 
+  get-tsconfig@4.14.0:
+    resolution: {integrity: sha512-yTb+8DXzDREzgvYmh6s9vHsSVCHeC0G3PI5bEXNBHtmshPnO+S5O7qgLEOn0I5QvMy6kpZN8K1NKGyilLb93wA==}
+
   graceful-fs@4.2.11:
     resolution: {integrity: sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==}
 
@@ -746,6 +752,9 @@ packages:
     resolution: {integrity: sha512-llUJLzz1zTUBrskt2pwZgLq59AemifIftw4aB7JxOqf1HY2FDaGDxgwpAPVzHU1kdWabH7FauP4i1oEeer2WCA==}
     engines: {node: '>=0.10.0'}
 
+  resolve-pkg-maps@1.0.0:
+    resolution: {integrity: sha512-seS2Tj26TBVOC2NIc2rOe2y2ZO7efxITtLZcGSOnHHNOQ7CkiUBfw0Iw2ck6xkIhPwLhKNLS8BO+hEpngQlqzw==}
+
   rollup@4.60.1:
     resolution: {integrity: sha512-VmtB2rFU/GroZ4oL8+ZqXgSA38O6GR8KSIvWmEFv63pQ0G6KaBH9s07PO8XTXP4vI+3UJUEypOfjkGfmSBBR0w==}
     engines: {node: '>=18.0.0', npm: '>=8.0.0'}
@@ -773,6 +782,11 @@ packages:
     resolution: {integrity: sha512-pn99VhoACYR8nFHhxqix+uvsbXineAasWm5ojXoN8xEwK5Kd3/TrhNn1wByuD52UxWRLy8pu+kRMniEi6Eq9Zg==}
     engines: {node: '>=12.0.0'}
 
+  tsx@4.21.0:
+    resolution: {integrity: sha512-5C1sg4USs1lfG0GFb2RLXsdpXqBSEhAaA/0kPL01wxzpMqLILNxIxIOKiILz+cdg/pLnOUxFYOR5yhHU666wbw==}
+    engines: {node: '>=18.0.0'}
+    hasBin: true
+
   typescript@5.9.3:
     resolution: {integrity: sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==}
     engines: {node: '>=14.17'}
@@ -1176,12 +1190,12 @@ snapshots:
       '@tailwindcss/oxide-win32-arm64-msvc': 4.2.2
       '@tailwindcss/oxide-win32-x64-msvc': 4.2.2
 
-  '@tailwindcss/vite@4.2.2(vite@7.3.2(jiti@2.6.1)(lightningcss@1.32.0))':
+  '@tailwindcss/vite@4.2.2(vite@7.3.2(jiti@2.6.1)(lightningcss@1.32.0)(tsx@4.21.0))':
     dependencies:
       '@tailwindcss/node': 4.2.2
       '@tailwindcss/oxide': 4.2.2
       tailwindcss: 4.2.2
-      vite: 7.3.2(jiti@2.6.1)(lightningcss@1.32.0)
+      vite: 7.3.2(jiti@2.6.1)(lightningcss@1.32.0)(tsx@4.21.0)
 
   '@types/babel__core@7.20.5':
     dependencies:
@@ -1214,7 +1228,7 @@ snapshots:
     dependencies:
       csstype: 3.2.3
 
-  '@vitejs/plugin-react@5.2.0(vite@7.3.2(jiti@2.6.1)(lightningcss@1.32.0))':
+  '@vitejs/plugin-react@5.2.0(vite@7.3.2(jiti@2.6.1)(lightningcss@1.32.0)(tsx@4.21.0))':
     dependencies:
       '@babel/core': 7.29.0
       '@babel/plugin-transform-react-jsx-self': 7.27.1(@babel/core@7.29.0)
@@ -1222,7 +1236,7 @@ snapshots:
       '@rolldown/pluginutils': 1.0.0-rc.3
       '@types/babel__core': 7.20.5
       react-refresh: 0.18.0
-      vite: 7.3.2(jiti@2.6.1)(lightningcss@1.32.0)
+      vite: 7.3.2(jiti@2.6.1)(lightningcss@1.32.0)(tsx@4.21.0)
     transitivePeerDependencies:
       - supports-color
 
@@ -1295,6 +1309,10 @@ snapshots:
 
   gensync@1.0.0-beta.2: {}
 
+  get-tsconfig@4.14.0:
+    dependencies:
+      resolve-pkg-maps: 1.0.0
+
   graceful-fs@4.2.11: {}
 
   jiti@2.6.1: {}
@@ -1391,6 +1409,8 @@ snapshots:
 
   react@19.2.5: {}
 
+  resolve-pkg-maps@1.0.0: {}
+
   rollup@4.60.1:
     dependencies:
       '@types/estree': 1.0.8
@@ -1437,6 +1457,13 @@ snapshots:
       fdir: 6.5.0(picomatch@4.0.4)
       picomatch: 4.0.4
 
+  tsx@4.21.0:
+    dependencies:
+      esbuild: 0.27.7
+      get-tsconfig: 4.14.0
+    optionalDependencies:
+      fsevents: 2.3.3
+
   typescript@5.9.3: {}
 
   update-browserslist-db@1.2.3(browserslist@4.28.2):
@@ -1445,7 +1472,7 @@ snapshots:
       escalade: 3.2.0
       picocolors: 1.1.1
 
-  vite@7.3.2(jiti@2.6.1)(lightningcss@1.32.0):
+  vite@7.3.2(jiti@2.6.1)(lightningcss@1.32.0)(tsx@4.21.0):
     dependencies:
       esbuild: 0.27.7
       fdir: 6.5.0(picomatch@4.0.4)
@@ -1457,5 +1484,6 @@ snapshots:
       fsevents: 2.3.3
       jiti: 2.6.1
       lightningcss: 1.32.0
+      tsx: 4.21.0
 
   yallist@3.1.1: {}

plugin_scanner-2.0.94/dashboard/src/guard-api.test.ts

@@ -0,0 +1,18 @@
+import { buildDemoRuntimeSnapshot } from "./guard-api";
+
+function assert(condition: boolean, message: string): void {
+  if (!condition) {
+    throw new Error(message);
+  }
+}
+
+const snapshot = buildDemoRuntimeSnapshot();
+
+assert(snapshot.cloud_pairing_state.state === "paired_waiting", "demo snapshot exposes paired waiting state");
+assert(snapshot.cloud_pairing_state.label === snapshot.cloud_state_label, "demo pairing label matches legacy label");
+assert(snapshot.cloud_pairing_state.detail === snapshot.cloud_state_detail, "demo pairing detail matches legacy detail");
+assert(snapshot.cloud_pairing_state.sync_configured === true, "demo pairing state marks sync configured");
+assert(snapshot.cloud_pairing_state.dashboard_url === snapshot.dashboard_url, "demo dashboard URL is preserved");
+assert(snapshot.cloud_pairing_state.inbox_url === snapshot.inbox_url, "demo inbox URL is preserved");
+assert(snapshot.cloud_pairing_state.fleet_url === snapshot.fleet_url, "demo fleet URL is preserved");
+assert(snapshot.cloud_pairing_state.connect_url === snapshot.connect_url, "demo connect URL is preserved");

{plugin_scanner-2.0.92 → plugin_scanner-2.0.94}/dashboard/src/guard-api.ts

@@ -18,24 +18,31 @@ import {
 } from "./guard-demo";
 
 const GUARD_TOKEN_PARAM = "guard-token";
+const GUARD_DAEMON_PARAM = "guardDaemon";
 
 async function readJson<T>(input: RequestInfo, init?: RequestInit): Promise<T> {
-  const response = await fetch(input, init);
+  const response = await fetch(guardApiInput(input), withGuardAuth(init));
   if (!response.ok) {
     throw new Error(`Request failed with ${response.status}`);
   }
   return (await response.json()) as T;
 }
 
-function guardTokenFromHash(): string | null {
-  const fragment = window.location.hash.startsWith("#")
-    ? window.location.hash.slice(1)
-    : window.location.hash;
-  return new URLSearchParams(fragment).get(GUARD_TOKEN_PARAM);
+function guardParams(): URLSearchParams {
+  const params = new URLSearchParams(window.location.search);
+  const fragment = window.location.hash.startsWith("#") ? window.location.hash.slice(1) : window.location.hash;
+  for (const [key, value] of new URLSearchParams(fragment)) {
+    params.set(key, value);
+  }
+  return params;
+}
+
+function guardParam(name: string): string | null {
+  return guardParams().get(name);
 }
 
 function readGuardToken(): string | null {
-  const guardToken = guardTokenFromHash();
+  const guardToken = guardParam(GUARD_TOKEN_PARAM);
   if (guardToken) {
     window.sessionStorage.setItem(GUARD_TOKEN_PARAM, guardToken);
     return guardToken;
@@ -43,6 +50,55 @@ function readGuardToken(): string | null {
   return window.sessionStorage.getItem(GUARD_TOKEN_PARAM);
 }
 
+function readGuardDaemonOrigin(): string | null {
+  const rawDaemonUrl = guardParam(GUARD_DAEMON_PARAM);
+  if (rawDaemonUrl) {
+    const daemonOrigin = localGuardDaemonOrigin(rawDaemonUrl);
+    if (daemonOrigin) {
+      window.sessionStorage.setItem(GUARD_DAEMON_PARAM, daemonOrigin);
+      return daemonOrigin;
+    }
+  }
+  const storedDaemonUrl = window.sessionStorage.getItem(GUARD_DAEMON_PARAM);
+  return storedDaemonUrl ? localGuardDaemonOrigin(storedDaemonUrl) : null;
+}
+
+function localGuardDaemonOrigin(rawUrl: string): string | null {
+  try {
+    const url = new URL(rawUrl);
+    if (url.protocol !== "http:" || !["127.0.0.1", "localhost", "[::1]", "::1"].includes(url.hostname)) {
+      return null;
+    }
+    if (url.username || url.password || (url.pathname && url.pathname !== "/") || url.search || url.hash) {
+      return null;
+    }
+    return url.origin;
+  } catch {
+    return null;
+  }
+}
+
+function guardApiInput(input: RequestInfo): RequestInfo {
+  const daemonOrigin = readGuardDaemonOrigin();
+  if (!daemonOrigin || typeof input !== "string" || !input.startsWith("/")) {
+    return input;
+  }
+  return `${daemonOrigin}${input}`;
+}
+
+function withGuardAuth(init?: RequestInit): RequestInit | undefined {
+  const guardToken = readGuardToken();
+  if (!guardToken) {
+    return init;
+  }
+  const headers = new Headers(init?.headers);
+  headers.set("X-Guard-Token", guardToken);
+  return {
+    ...init,
+    headers
+  };
+}
+
 function guardAuthHeaders(): HeadersInit {
   const guardToken = readGuardToken();
   return guardToken ? { "X-Guard-Token": guardToken } : {};
@@ -59,7 +115,12 @@ export function guardAwareHref(href: string): string {
     return href;
   }
 
-  url.hash = new URLSearchParams([[GUARD_TOKEN_PARAM, guardToken]]).toString();
+  const fragmentPairs = [[GUARD_TOKEN_PARAM, guardToken]];
+  const daemonOrigin = readGuardDaemonOrigin();
+  if (daemonOrigin) {
+    fragmentPairs.push([GUARD_DAEMON_PARAM, daemonOrigin]);
+  }
+  url.hash = new URLSearchParams(fragmentPairs).toString();
   if (href.startsWith("http://") || href.startsWith("https://")) {
     return url.toString();
   }
@@ -76,43 +137,65 @@ export async function fetchRequests(): Promise<GuardApprovalRequest[]> {
 
 export async function fetchRuntimeSnapshot(): Promise<GuardRuntimeSnapshot> {
   if (isGuardDemoMode()) {
-    const demoRequests = getDemoRequests();
-    const demoReceipts = getDemoReceipts();
-    return {
-      generated_at: new Date().toISOString(),
-      approval_center_url: "http://127.0.0.1:4455",
-      runtime_state: {
-        session_id: "demo-runtime",
-        daemon_host: "127.0.0.1",
-        daemon_port: 4455,
-        started_at: new Date().toISOString(),
-        last_heartbeat_at: new Date().toISOString(),
-        approval_center_url: "http://127.0.0.1:4455"
-      },
-      pending_count: demoRequests.length,
-      receipt_count: demoReceipts.length,
-      headline_state: demoRequests.length > 0 ? "blocked" : "connected",
-      headline_label: demoRequests.length > 0 ? "Blocked" : "Connected",
-      headline_detail:
-        demoRequests.length > 0
-          ? "A blocked action is waiting for review."
-          : "This machine is connected to Guard Cloud and waiting for the first shared proof to appear.",
-      sync_configured: true,
-      cloud_state: "paired_waiting",
-      cloud_state_label: "Connected",
-      cloud_state_detail:
-        "This machine is connected to Guard Cloud, but the first shared proof has not landed yet. Open Watched Apps while the first sync settles.",
-      dashboard_url: "https://hol.org/guard",
-      inbox_url: "https://hol.org/guard/inbox",
-      fleet_url: "https://hol.org/guard/fleet",
-      connect_url: "https://hol.org/guard/connect",
-      items: demoRequests,
-      latest_receipts: demoReceipts.slice(0, 10)
-    };
+    return buildDemoRuntimeSnapshot();
   }
   return readJson<GuardRuntimeSnapshot>("/v1/runtime");
 }
 
+export function buildDemoRuntimeSnapshot(): GuardRuntimeSnapshot {
+  const demoRequests = getDemoRequests();
+  const demoReceipts = getDemoReceipts();
+  const now = new Date().toISOString();
+  const cloudState = "paired_waiting";
+  const cloudLabel = "Connected";
+  const cloudDetail =
+    "This machine is connected to Guard Cloud, but the first shared proof has not landed yet. Open Watched Apps while the first sync settles.";
+  const dashboardUrl = "https://hol.org/guard";
+  const inboxUrl = "https://hol.org/guard/inbox";
+  const fleetUrl = "https://hol.org/guard/fleet";
+  const connectUrl = "https://hol.org/guard/connect";
+  return {
+    generated_at: now,
+    approval_center_url: "http://127.0.0.1:4455",
+    runtime_state: {
+      session_id: "demo-runtime",
+      daemon_host: "127.0.0.1",
+      daemon_port: 4455,
+      started_at: now,
+      last_heartbeat_at: now,
+      approval_center_url: "http://127.0.0.1:4455"
+    },
+    pending_count: demoRequests.length,
+    receipt_count: demoReceipts.length,
+    headline_state: demoRequests.length > 0 ? "blocked" : "connected",
+    headline_label: demoRequests.length > 0 ? "Blocked" : "Connected",
+    headline_detail:
+      demoRequests.length > 0
+        ? "A blocked action is waiting for review."
+        : "This machine is connected to Guard Cloud and waiting for the first shared proof to appear.",
+    sync_configured: true,
+    cloud_state: cloudState,
+    cloud_state_label: cloudLabel,
+    cloud_state_detail: cloudDetail,
+    cloud_pairing_state: {
+      state: cloudState,
+      label: cloudLabel,
+      detail: cloudDetail,
+      sync_configured: true,
+      dashboard_url: dashboardUrl,
+      inbox_url: inboxUrl,
+      fleet_url: fleetUrl,
+      connect_url: connectUrl
+    },
+    dashboard_url: dashboardUrl,
+    inbox_url: inboxUrl,
+    fleet_url: fleetUrl,
+    connect_url: connectUrl,
+    items: demoRequests,
+    latest_receipts: demoReceipts.slice(0, 10)
+  };
+}
+
 export async function fetchInventory(): Promise<GuardInventoryItem[]> {
   if (isGuardDemoMode()) {
     return [];
@@ -193,7 +276,7 @@ export async function fetchLatestReceipt(
   if (isGuardDemoMode()) {
     return getDemoReceipts().find((entry) => entry.artifact_id === artifactId) ?? null;
   }
-  const response = await fetch(
+  const response = await fetchGuardApi(
     `/v1/receipts/latest?harness=${encodeURIComponent(harness)}&artifact_id=${encodeURIComponent(artifactId)}`
   );
   if (response.status === 404) {
@@ -252,7 +335,7 @@ export async function fetchDiff(
   if (isGuardDemoMode()) {
     return getDemoDiff(artifactId, harness);
   }
-  const response = await fetch(
+  const response = await fetchGuardApi(
     `/v1/artifacts/${encodeURIComponent(artifactId)}/diff?harness=${encodeURIComponent(harness)}`
   );
   if (response.status === 404) {
@@ -264,6 +347,10 @@ export async function fetchDiff(
   return (await response.json()) as GuardArtifactDiff;
 }
 
+function fetchGuardApi(input: RequestInfo, init?: RequestInit): Promise<Response> {
+  return fetch(guardApiInput(input), withGuardAuth(init));
+}
+
 export async function resolveRequest(input: {
   requestId: string;
   action: "allow" | "block";

{plugin_scanner-2.0.92 → plugin_scanner-2.0.94}/dashboard/src/guard-types.ts

@@ -47,6 +47,17 @@ export type GuardRuntimeState = {
   approval_center_url: string;
 };
 
+export type GuardCloudPairingState = {
+  state: "local_only" | "paired_waiting" | "paired_active";
+  label: string;
+  detail: string;
+  sync_configured: boolean;
+  dashboard_url: string;
+  inbox_url: string;
+  fleet_url: string;
+  connect_url: string;
+};
+
 export type GuardRuntimeSnapshot = {
   generated_at: string;
   approval_center_url: string | null;
@@ -60,6 +71,7 @@ export type GuardRuntimeSnapshot = {
   cloud_state: "local_only" | "paired_waiting" | "paired_active";
   cloud_state_label: string;
   cloud_state_detail: string;
+  cloud_pairing_state: GuardCloudPairingState;
   dashboard_url: string;
   inbox_url: string;
   fleet_url: string;

{plugin_scanner-2.0.92 → plugin_scanner-2.0.94}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.92"
+version = "2.0.94"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.92 → plugin_scanner-2.0.94}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.92"
+version = "2.0.94"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.92 → plugin_scanner-2.0.94}/src/codex_plugin_scanner/guard/approvals.py

@@ -362,6 +362,16 @@ def _build_runtime_cloud_context(store: GuardStore) -> dict[str, object]:
         "cloud_state": cloud_state,
         "cloud_state_label": _runtime_cloud_state_label(cloud_state),
         "cloud_state_detail": _runtime_cloud_state_detail(cloud_state),
+        "cloud_pairing_state": {
+            "state": cloud_state,
+            "label": _runtime_cloud_state_label(cloud_state),
+            "detail": _runtime_cloud_state_detail(cloud_state),
+            "sync_configured": credentials is not None,
+            "dashboard_url": dashboard_url,
+            "inbox_url": inbox_url,
+            "fleet_url": fleet_url,
+            "connect_url": connect_url,
+        },
         "dashboard_url": dashboard_url,
         "inbox_url": inbox_url,
         "fleet_url": fleet_url,

{plugin_scanner-2.0.92 → plugin_scanner-2.0.94}/src/codex_plugin_scanner/guard/cli/connect_flow.py

@@ -299,6 +299,7 @@ def build_connect_payload(
         "sync_available": sync_available if sync_available is not None else connected,
         "browser_opened": browser_opened,
         "connect_url": connect_url,
+        "cloud_pairing_url": connect_url,
         "sync_url": sync_url,
         "status": str(state.get("status") or "waiting"),
         "milestone": str(state.get("milestone") or "waiting_for_browser"),

{plugin_scanner-2.0.92 → plugin_scanner-2.0.94}/src/codex_plugin_scanner/guard/cli/render.py

@@ -698,7 +698,8 @@ def _render_connect(console: Console, payload: dict[str, object]) -> None:
         body.add_row("Connection", _connect_status_text(payload))
         if milestone:
             body.add_row("Next step", _connect_milestone_text(payload))
-        body.add_row("Connect URL", str(payload.get("connect_url") or "unknown"))
+        cloud_pairing_url = payload.get("cloud_pairing_url") or payload.get("connect_url") or "unknown"
+        body.add_row("Cloud URL", str(cloud_pairing_url))
         body.add_row("Sync endpoint", str(payload.get("sync_url") or "unknown"))
         sync_payload = payload.get("sync")
         should_render_sync_counts = False

{plugin_scanner-2.0.92 → plugin_scanner-2.0.94}/src/codex_plugin_scanner/guard/daemon/server.py

@@ -54,6 +54,7 @@ _CLAUDE_HOOK_EXECUTION_LOCK = threading.Lock()
 _DEFAULT_GUARD_DAEMON_IDLE_TIMEOUT_SECONDS = 30 * 60
 _EPHEMERAL_GUARD_DAEMON_IDLE_TIMEOUT_SECONDS = 5
 _GUARD_DAEMON_IDLE_POLL_INTERVAL_SECONDS = 0.5
+_HOSTED_GUARD_DASHBOARD_ORIGINS = frozenset({"https://hol.org", "https://www.hol.org"})
 
 
 class _GuardDaemonHandler(BaseHTTPRequestHandler):
@@ -64,21 +65,31 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
         if origin is None:
             self._write_empty(status=400)
             return
-        if not self._origin_is_allowed():
+        headers = self._cors_headers_for_request(
+            allow_methods="GET, POST, OPTIONS",
+            allow_headers="Content-Type, X-Guard-Token",
+        )
+        if headers is None:
             self._write_empty(status=403)
             return
-        self._write_empty(
-            status=200,
-            extra_headers=self._cors_headers(
-                origin, allow_methods="GET, POST, OPTIONS", allow_headers="Content-Type, X-Guard-Token"
-            ),
-        )
+        self._write_empty(status=200, extra_headers=headers)
 
     def do_GET(self) -> None:
         store = self.server.store  # type: ignore[attr-defined]
         parsed = urlparse(self.path)
         self._touch_runtime_heartbeat(parsed.path)
         path_parts = [part for part in parsed.path.split("/") if part]
+        if not self._origin_is_allowed_for_request(parsed.path, path_parts):
+            self._write_json({"error": "forbidden_origin"}, status=403)
+            return
+        if (
+            self._is_hosted_dashboard_origin()
+            and self._is_hosted_dashboard_api_path(parsed.path, path_parts)
+            and parsed.path != "/v1/connect/state"
+            and not self._header_token_is_valid()
+        ):
+            self._write_json({"error": "unauthorized"}, status=401)
+            return
         if parsed.path == "/healthz":
             self._write_json(
                 {
@@ -204,16 +215,15 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
     def do_POST(self) -> None:
         parsed = urlparse(self.path)
         self._touch_runtime_heartbeat(parsed.path)
-        if parsed.path != "/v1/connect/complete" and not self._origin_is_allowed():
+        path_parts = [part for part in parsed.path.split("/") if part]
+        if parsed.path != "/v1/connect/complete" and not self._origin_is_allowed_for_request(parsed.path, path_parts):
             self._write_json({"error": "forbidden_origin"}, status=403)
             return
-        path_parts = [part for part in parsed.path.split("/") if part]
         if self._requires_header_token(parsed.path, path_parts) and not self._header_token_is_valid():
-            origin = self._normalize_origin(self.headers.get("Origin"))
             self._write_json(
                 {"error": "unauthorized"},
                 status=401,
-                extra_headers=self._cors_headers(origin) if origin is not None else None,
+                extra_headers=self._cors_headers_for_request(),
             )
             return
         payload, body_error = self._load_request_body()
@@ -801,7 +811,7 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
         finally:
             self._decrement_active_stream_clients()
 
-    def _origin_is_allowed(self) -> bool:
+    def _origin_is_allowed_for_request(self, path: str, path_parts: list[str]) -> bool:
         origin = self.headers.get("Origin")
         if origin is None:
             return True
@@ -809,7 +819,36 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
         if normalized_origin is None:
             return False
         parsed = urlparse(normalized_origin)
-        return parsed.hostname in {"127.0.0.1", "localhost", "::1"}
+        local_origin = parsed.hostname in {"127.0.0.1", "localhost", "::1"}
+        if local_origin:
+            return True
+        return normalized_origin in _HOSTED_GUARD_DASHBOARD_ORIGINS and self._is_hosted_dashboard_api_path(
+            path, path_parts
+        )
+
+    @staticmethod
+    def _is_hosted_dashboard_api_path(path: str, path_parts: list[str]) -> bool:
+        if path in {
+            "/v1/inventory",
+            "/v1/connect/state",
+            "/v1/policy",
+            "/v1/policy/clear",
+            "/v1/receipts",
+            "/v1/receipts/latest",
+            "/v1/requests",
+            "/v1/runtime",
+            "/v1/settings",
+        }:
+            return True
+        if len(path_parts) == 3 and path_parts[:2] in (["v1", "requests"], ["v1", "receipts"]):
+            return True
+        if len(path_parts) == 4 and path_parts[:2] == ["v1", "requests"] and path_parts[3] in {"approve", "block"}:
+            return True
+        return len(path_parts) == 4 and path_parts[:2] == ["v1", "artifacts"] and path_parts[3] == "diff"
+
+    def _is_hosted_dashboard_origin(self) -> bool:
+        origin = self._normalize_origin(self.headers.get("Origin"))
+        return origin in _HOSTED_GUARD_DASHBOARD_ORIGINS
 
     @staticmethod
     def _normalize_origin(origin: str | None) -> str | None:
@@ -852,6 +891,19 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
             "Vary": "Origin",
         }
 
+    def _cors_headers_for_request(
+        self,
+        *,
+        allow_methods: str = "POST, OPTIONS",
+        allow_headers: str = "Content-Type, X-Guard-Token",
+    ) -> dict[str, str] | None:
+        parsed = urlparse(self.path)
+        path_parts = [part for part in parsed.path.split("/") if part]
+        origin = self._normalize_origin(self.headers.get("Origin"))
+        if origin is None or not self._origin_is_allowed_for_request(parsed.path, path_parts):
+            return None
+        return self._cors_headers(origin, allow_methods=allow_methods, allow_headers=allow_headers)
+
     def _handle_policy_upsert(self, payload: dict[str, object]) -> None:
         harness = payload.get("harness")
         scope = payload.get("scope")
@@ -964,10 +1016,14 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
         extra_headers: dict[str, str] | None = None,
     ) -> None:
         body = json.dumps(payload).encode("utf-8")
+        headers = dict(extra_headers or {})
+        cors_headers = self._cors_headers_for_request(allow_methods="GET, POST, OPTIONS")
+        if cors_headers is not None:
+            headers = {**cors_headers, **headers}
         self.send_response(status)
         self.send_header("Content-Type", "application/json")
         self.send_header("Content-Length", str(len(body)))
-        for key, value in self._validated_headers(extra_headers).items():
+        for key, value in self._validated_headers(headers).items():
             self.send_header(key, value)
         self.end_headers()
         self.wfile.write(body)