PyPI - plugin-scanner - Versions diffs - 2.0.95__tar.gz → 2.0.97__tar.gz - Mend

plugin-scanner 2.0.95tar.gz → 2.0.97tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (341) hide show

{plugin_scanner-2.0.95 → plugin_scanner-2.0.97}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.95
+Version: 2.0.97
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.95 → plugin_scanner-2.0.97}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "plugin-scanner"
-version = "2.0.95"
+version = "2.0.97"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.95 → plugin_scanner-2.0.97}/pyproject.toml.bak RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "hol-guard"
-version = "2.0.95"
+version = "2.0.97"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.95 → plugin_scanner-2.0.97}/src/codex_plugin_scanner/guard/approvals.py RENAMED Viewed

@@ -4,6 +4,7 @@ from __future__ import annotations
 import time
 import uuid
+from collections.abc import Mapping
 from dataclasses import replace
 from datetime import datetime, timezone
 from pathlib import Path
@@ -86,6 +87,7 @@ def queue_blocked_approvals(
             why_now=incident["why_now"],
             launch_summary=incident["launch_summary"],
             risk_headline=incident["risk_headline"],
+            action_envelope_json=_item_action_envelope_json(item),
         )
         persisted_request_id = store.add_approval_request(request, timestamp)
         if persisted_request_id != request.request_id:
@@ -333,6 +335,13 @@ def _item_risk_signals(item: dict[str, object], artifact) -> tuple[str, ...]:
     return artifact_risk_signals(artifact) if artifact is not None else ()
+def _item_action_envelope_json(item: dict[str, object]) -> dict[str, object] | None:
+    value = item.get("action_envelope_json")
+    if not isinstance(value, Mapping):
+        return None
+    return {str(key): item_value for key, item_value in value.items() if isinstance(key, str)}
 def _string_list(value: object) -> list[str]:
     if not isinstance(value, list):
         return []

{plugin_scanner-2.0.95 → plugin_scanner-2.0.97}/src/codex_plugin_scanner/guard/cli/commands.py RENAMED Viewed

@@ -80,6 +80,7 @@ from ..proxy import (
 )
 from ..receipts import build_receipt
 from ..risk import artifact_risk_signals, artifact_risk_summary
+from ..runtime.actions import GuardActionEnvelope, normalize_harness_payload
 from ..runtime.runner import (
     GuardSyncNotConfiguredError,
     extract_prompt_requests,
@@ -1206,6 +1207,12 @@ def run_guard_command(
                     runtime_workspace = current_workspace
         if args.harness == "copilot":
             runtime_workspace = _resolve_copilot_workspace_root(runtime_workspace)
+        action_envelope = _hook_action_envelope(
+            harness=args.harness,
+            payload=payload,
+            home_dir=context.home_dir,
+            workspace=runtime_workspace,
+        )
         copilot_hook_stage = _copilot_hook_stage(payload) if args.harness == "copilot" else None
         copilot_runtime_tool_call = (
             _copilot_runtime_tool_call(
@@ -1309,6 +1316,7 @@ def run_guard_command(
                         "launch_target": json.dumps(runtime_arguments, sort_keys=True)
                         if runtime_arguments is not None
                         else runtime_artifact.command,
+                        "action_envelope_json": _action_envelope_json(action_envelope),
                     }
                 ]
             }
@@ -1667,6 +1675,7 @@ def run_guard_command(
                                 "source_scope": runtime_artifact.source_scope,
                                 "config_path": runtime_artifact.config_path,
                                 "launch_target": _runtime_request_summary(runtime_artifact),
+                                "action_envelope_json": _action_envelope_json(action_envelope),
                             }
                         ]
                     }
@@ -3619,6 +3628,32 @@ def _load_hook_payload(event_file: str | None, *, input_text: str | None = None)
     return _normalize_hook_payload(payload) if isinstance(payload, dict) else {}
+_ACTION_ENVELOPE_HARNESSES = frozenset({"codex", "claude-code", "opencode", "copilot", "gemini"})
+def _hook_action_envelope(
+    *,
+    harness: str,
+    payload: dict[str, object],
+    home_dir: Path,
+    workspace: Path | None,
+) -> GuardActionEnvelope | None:
+    canonical_harness = _canonical_harness_name(harness)
+    if canonical_harness not in _ACTION_ENVELOPE_HARNESSES:
+        return None
+    return normalize_harness_payload(
+        canonical_harness,
+        _hook_event_name(payload) or "PreToolUse",
+        payload,
+        workspace=workspace,
+        home_dir=home_dir,
+    )
+def _action_envelope_json(envelope: GuardActionEnvelope | None) -> dict[str, object] | None:
+    return envelope.to_dict() if envelope is not None else None
 def _normalize_hook_payload(payload: dict[str, object]) -> dict[str, object]:
     normalized = dict(payload)
     for source_key, target_key in (

{plugin_scanner-2.0.95 → plugin_scanner-2.0.97}/src/codex_plugin_scanner/guard/models.py RENAMED Viewed

@@ -141,6 +141,7 @@ class GuardReceipt:
     user_override: str | None = None
     artifact_name: str | None = None
     source_scope: str | None = None
+    action_envelope_json: dict[str, object] | None = None
     def to_dict(self) -> dict[str, object]:
         payload = asdict(self)
@@ -177,6 +178,7 @@ class GuardApprovalRequest:
     why_now: str | None = None
     launch_summary: str | None = None
     risk_headline: str | None = None
+    action_envelope_json: dict[str, object] | None = None
     def to_dict(self) -> dict[str, object]:
         payload = asdict(self)

{plugin_scanner-2.0.95 → plugin_scanner-2.0.97}/src/codex_plugin_scanner/guard/runtime/actions.py RENAMED Viewed

@@ -73,9 +73,12 @@ _SENSITIVE_RAW_KEYS = frozenset(
 )
 _SENSITIVE_RAW_KEY_ALIASES = frozenset(key.replace("_", "") for key in _SENSITIVE_RAW_KEYS)
 _HOOK_EVENT_NAME_MAP = {
+    "prompt": "UserPromptSubmit",
     "userpromptsubmit": "UserPromptSubmit",
     "userpromptsubmitted": "UserPromptSubmit",
+    "pretool": "PreToolUse",
     "pretooluse": "PreToolUse",
+    "posttool": "PostToolUse",
     "posttooluse": "PostToolUse",
     "permissionrequest": "PermissionRequest",
 }
@@ -229,11 +232,122 @@ def normalize_codex_hook_payload(
 ) -> GuardActionEnvelope:
     """Normalize a Codex hook payload into a typed action envelope."""
+    return _normalize_action_payload(
+        payload,
+        harness="codex",
+        default_event_name=None,
+        workspace=workspace,
+        home_dir=home_dir,
+    )
+def normalize_claude_hook_payload(
+    payload: Mapping[str, object],
+    *,
+    workspace: Path | str | None = None,
+    home_dir: Path | str | None = None,
+) -> GuardActionEnvelope:
+    """Normalize a Claude Code hook payload into a typed action envelope."""
+    return _normalize_action_payload(
+        payload,
+        harness="claude-code",
+        default_event_name=None,
+        workspace=workspace,
+        home_dir=home_dir,
+    )
+def normalize_opencode_payload(
+    payload: Mapping[str, object],
+    *,
+    workspace: Path | str | None = None,
+    home_dir: Path | str | None = None,
+) -> GuardActionEnvelope:
+    """Normalize an OpenCode runtime payload into a typed action envelope."""
+    return _normalize_action_payload(
+        payload,
+        harness="opencode",
+        default_event_name=None,
+        workspace=workspace,
+        home_dir=home_dir,
+    )
+def normalize_copilot_payload(
+    payload: Mapping[str, object],
+    *,
+    workspace: Path | str | None = None,
+    home_dir: Path | str | None = None,
+) -> GuardActionEnvelope:
+    """Normalize a Copilot runtime payload into a typed action envelope."""
+    return _normalize_action_payload(
+        payload,
+        harness="copilot",
+        default_event_name=None,
+        workspace=workspace,
+        home_dir=home_dir,
+    )
+def normalize_gemini_payload(
+    payload: Mapping[str, object],
+    *,
+    workspace: Path | str | None = None,
+    home_dir: Path | str | None = None,
+) -> GuardActionEnvelope:
+    """Normalize a Gemini runtime payload into a typed action envelope."""
+    return _normalize_action_payload(
+        payload,
+        harness="gemini",
+        default_event_name=None,
+        workspace=workspace,
+        home_dir=home_dir,
+    )
+def normalize_harness_payload(
+    harness: str,
+    event_name: str,
+    payload: Mapping[str, object],
+    *,
+    workspace: Path | str | None = None,
+    home_dir: Path | str | None = None,
+) -> GuardActionEnvelope:
+    """Normalize any supported Guard harness payload into a typed action envelope."""
+    normalized_harness = harness.strip().lower()
+    normalizers = {
+        "codex": normalize_codex_hook_payload,
+        "claude": normalize_claude_hook_payload,
+        "claude-code": normalize_claude_hook_payload,
+        "opencode": normalize_opencode_payload,
+        "copilot": normalize_copilot_payload,
+        "gemini": normalize_gemini_payload,
+    }
+    normalizer = normalizers.get(normalized_harness)
+    if normalizer is None:
+        raise ValueError(f"Unsupported Guard harness for action normalization: {harness}")
+    normalized_payload = _payload_with_default_event(payload, event_name)
+    return normalizer(normalized_payload, workspace=workspace, home_dir=home_dir)
+def _normalize_action_payload(
+    payload: Mapping[str, object],
+    *,
+    harness: str,
+    default_event_name: str | None,
+    workspace: Path | str | None,
+    home_dir: Path | str | None,
+) -> GuardActionEnvelope:
     normalized_payload = dict(payload)
+    if default_event_name is not None:
+        normalized_payload = _payload_with_default_event(normalized_payload, default_event_name)
     event_name = _hook_event_name(normalized_payload)
-    explicit_tool_name = _string_value(normalized_payload.get("tool_name")) or _string_value(
-        normalized_payload.get("toolName")
-    )
+    explicit_tool_name = _tool_name_from_payload(normalized_payload)
     tool_call_name, tool_call_input = _tool_call_from_payload(
         normalized_payload.get("toolCalls"),
         expected_tool_name=explicit_tool_name,
@@ -244,10 +358,10 @@ def normalize_codex_hook_payload(
         tool_input = tool_call_input
     raw_command = _command_from_payload(tool_input)
     command = _command_detail(raw_command, home_dir=home_dir)
-    prompt_text = _prompt_text(normalized_payload.get("prompt"))
+    prompt_text = _prompt_text(_prompt_value(normalized_payload))
     prompt_excerpt = _prompt_excerpt(prompt_text)
-    mcp_server, mcp_tool = _mcp_parts(tool_name)
-    action_type = _codex_action_type(
+    mcp_server, mcp_tool = _mcp_details(normalized_payload, tool_name)
+    action_type = _action_type(
         event_name=event_name,
         tool_name=tool_name,
         command=raw_command,
@@ -266,7 +380,7 @@ def normalize_codex_hook_payload(
     return GuardActionEnvelope(
         schema_version=_SCHEMA_VERSION,
         action_id="",
-        harness="codex",
+        harness=harness,
         event_name=event_name,
         action_type=action_type,
         workspace=workspace_label,
@@ -329,6 +443,26 @@ def _mapping_value(value: object) -> Mapping[str, object]:
     return {}
+def _payload_with_default_event(payload: Mapping[str, object], event_name: str) -> dict[str, object]:
+    normalized_payload = dict(payload)
+    if not event_name.strip():
+        return normalized_payload
+    for key in ("event", "eventName", "hook_event_name", "hookEventName", "hook_name", "hookName"):
+        value = normalized_payload.get(key)
+        if isinstance(value, str) and value.strip():
+            return normalized_payload
+    normalized_payload["hook_event_name"] = event_name
+    return normalized_payload
+def _tool_name_from_payload(payload: Mapping[str, object]) -> str | None:
+    for key in ("tool_name", "toolName", "name", "tool"):
+        value = _string_value(payload.get(key))
+        if value is not None:
+            return value
+    return None
 def _tool_input_from_payload(payload: Mapping[str, object]) -> Mapping[str, object]:
     for key in ("tool_input", "toolInput", "toolArgs", "arguments"):
         parsed = _mapping_from_value(payload.get(key))
@@ -375,7 +509,7 @@ def _mapping_from_value(value: object) -> Mapping[str, object] | None:
 def _hook_event_name(payload: Mapping[str, object]) -> str:
-    for key in ("event", "hook_event_name", "hookEventName", "hook_name"):
+    for key in ("event", "eventName", "hook_event_name", "hookEventName", "hook_name", "hookName"):
         value = payload.get(key)
         if isinstance(value, str) and value.strip():
             stripped = value.strip()
@@ -383,6 +517,14 @@ def _hook_event_name(payload: Mapping[str, object]) -> str:
     return "PreToolUse"
+def _prompt_value(payload: Mapping[str, object]) -> object:
+    for key in ("prompt", "userPrompt", "user_prompt", "message", "text", "input"):
+        value = payload.get(key)
+        if isinstance(value, str) and value.strip():
+            return value
+    return None
 def _command_from_payload(tool_input: Mapping[str, object]) -> str | None:
     for key in _COMMAND_KEYS:
         value = tool_input.get(key)
@@ -413,16 +555,70 @@ def _prompt_excerpt(prompt_text: str | None) -> str | None:
     return prompt_text[:_PROMPT_EXCERPT_LIMIT]
-def _mcp_parts(tool_name: str | None) -> tuple[str | None, str | None]:
-    if tool_name is None or not tool_name.startswith("mcp__"):
+def _mcp_details(payload: Mapping[str, object], tool_name: str | None) -> tuple[str | None, str | None]:
+    explicit_server = _string_from_keys(payload, ("mcp_server", "mcpServer", "server", "serverName"))
+    explicit_tool = _string_from_keys(payload, ("mcp_tool", "mcpTool"))
+    tool_name_value = _string_from_keys(payload, ("tool_name", "toolName"))
+    parts_server, parts_tool = _mcp_parts(tool_name, known_servers=_known_mcp_servers(payload))
+    server = explicit_server or parts_server
+    tool = explicit_tool or parts_tool
+    if tool is None and server is not None and tool_name_value is not None:
+        tool = tool_name_value
+    return server, tool
+def _string_from_keys(payload: Mapping[str, object], keys: tuple[str, ...]) -> str | None:
+    for key in keys:
+        value = _string_value(payload.get(key))
+        if value is not None:
+            return value
+    return None
+def _known_mcp_servers(payload: Mapping[str, object]) -> tuple[str, ...]:
+    servers: set[str] = set()
+    for key in ("mcp_servers", "mcpServers", "servers"):
+        value = payload.get(key)
+        if isinstance(value, Mapping):
+            servers.update(str(server_name).strip() for server_name in value if isinstance(server_name, str))
+        elif isinstance(value, list):
+            servers.update(item.strip() for item in value if isinstance(item, str) and item.strip())
+    return tuple(
+        sorted(
+            (server for server in servers if server), key=lambda server: len(_mcp_server_token(server)), reverse=True
+        )
+    )
+def _mcp_parts(tool_name: str | None, *, known_servers: tuple[str, ...] = ()) -> tuple[str | None, str | None]:
+    if tool_name is None:
+        return None, None
+    if "/" in tool_name:
+        server, tool = tool_name.split("/", 1)
+        return (server, tool) if server and tool else (None, None)
+    if tool_name.startswith("mcp__"):
+        parts = tool_name.split("__", 2)
+        if len(parts) == 3 and parts[1] and parts[2]:
+            return parts[1], parts[2]
         return None, None
-    parts = tool_name.split("__", 2)
-    if len(parts) != 3 or not parts[1] or not parts[2]:
+    if tool_name.startswith("mcp_"):
+        suffix = tool_name[len("mcp_") :]
+        for server in known_servers:
+            server_token = _mcp_server_token(server)
+            prefix = f"{server_token}_"
+            if suffix.startswith(prefix):
+                tool = suffix[len(prefix) :]
+                return (server, tool) if tool else (None, None)
         return None, None
-    return parts[1], parts[2]
+    return None, None
+def _mcp_server_token(value: str) -> str:
+    token = re.sub(r"[^a-z0-9]+", "_", value.strip().lower())
+    return token.strip("_")
-def _codex_action_type(
+def _action_type(
     *,
     event_name: str,
     tool_name: str | None,
@@ -573,7 +769,12 @@ def _normalized_command(command: str | None) -> str | None:
 __all__ = [
     "GuardActionEnvelope",
     "GuardActionType",
+    "normalize_claude_hook_payload",
     "normalize_codex_hook_payload",
+    "normalize_copilot_payload",
+    "normalize_gemini_payload",
+    "normalize_harness_payload",
+    "normalize_opencode_payload",
     "redacted_workspace_label",
     "stable_action_hash",
 ]

{plugin_scanner-2.0.95 → plugin_scanner-2.0.97}/src/codex_plugin_scanner/guard/runtime/runner.py RENAMED Viewed

@@ -12,6 +12,7 @@ import urllib.error
 import urllib.parse
 import urllib.request
 from collections.abc import Callable
+from contextlib import suppress
 from datetime import datetime, timezone
 from pathlib import Path
 from typing import Any
@@ -24,6 +25,7 @@ from ..consumer import detect_harness, evaluate_detection
 from ..models import GuardArtifact, HarnessDetection, PolicyDecision
 from ..store import GuardStore
 from ..types import PromptRequest, RemediationAction
+from .actions import GuardActionEnvelope, redacted_workspace_label
 _APPROVAL_METADATA_KEYS = (
     "approval_center_url",
@@ -233,12 +235,18 @@ def guard_run(
         if not evaluation["blocked"]:
             evaluation = evaluate_detection(detection, store, config, default_action=default_action, persist=True)
+    action_envelope = _guard_run_action_envelope(harness, context, passthrough_args)
+    if evaluation["blocked"]:
+        evaluation = _evaluation_with_action_envelope(evaluation, action_envelope)
     if not dry_run and interactive_resolver is not None and evaluation["blocked"]:
         evaluation = interactive_resolver(detection, evaluation)
     elif not dry_run and blocked_resolver is not None and evaluation["blocked"]:
         pending_evaluation = blocked_resolver(detection, evaluation)
         detection = _detection_with_prompt_artifacts(detect_harness(harness, context), context, passthrough_args)
         reevaluated = evaluate_detection(detection, store, config, default_action=default_action, persist=True)
+        if reevaluated["blocked"]:
+            reevaluated = _evaluation_with_action_envelope(reevaluated, action_envelope)
         for key in _APPROVAL_METADATA_KEYS:
             if key in pending_evaluation:
                 reevaluated[key] = pending_evaluation[key]
@@ -274,6 +282,61 @@ def guard_run(
     return evaluation
+def _guard_run_action_envelope(
+    harness: str,
+    context: HarnessContext,
+    passthrough_args: list[str],
+) -> GuardActionEnvelope:
+    workspace = context.workspace_dir
+    workspace_hash = None
+    if workspace is not None:
+        workspace_path = workspace.expanduser()
+        with suppress(OSError):
+            workspace_path = workspace_path.resolve()
+        workspace_hash = hashlib.sha256(str(workspace_path).encode("utf-8")).hexdigest()
+    return GuardActionEnvelope(
+        schema_version=1,
+        action_id="",
+        harness=harness,
+        event_name="HarnessStart",
+        action_type="harness_start",
+        workspace=redacted_workspace_label(workspace, home_dir=context.home_dir),
+        workspace_hash=workspace_hash,
+        tool_name=None,
+        command=None,
+        prompt_excerpt=None,
+        target_paths=(),
+        network_hosts=(),
+        mcp_server=None,
+        mcp_tool=None,
+        package_manager=None,
+        package_name=None,
+        script_name=None,
+        raw_payload_redacted={"passthrough_arg_count": len(passthrough_args)},
+    )
+def _evaluation_with_action_envelope(
+    evaluation: dict[str, Any],
+    action_envelope: GuardActionEnvelope,
+) -> dict[str, Any]:
+    artifacts = evaluation.get("artifacts")
+    if not isinstance(artifacts, list):
+        return evaluation
+    action_payload = action_envelope.to_dict()
+    normalized_artifacts: list[object] = []
+    changed = False
+    for item in artifacts:
+        if isinstance(item, dict) and "action_envelope_json" not in item:
+            normalized_artifacts.append({**item, "action_envelope_json": action_payload})
+            changed = True
+        else:
+            normalized_artifacts.append(item)
+    if not changed:
+        return evaluation
+    return {**evaluation, "artifacts": normalized_artifacts}
 def _guard_run_config_paths(
     *,
     detection: HarnessDetection,

{plugin_scanner-2.0.95 → plugin_scanner-2.0.97}/src/codex_plugin_scanner/guard/store.py RENAMED Viewed

@@ -666,6 +666,7 @@ class GuardStore:
             self._ensure_approval_column(connection, "why_now", "text")
             self._ensure_approval_column(connection, "launch_summary", "text")
             self._ensure_approval_column(connection, "risk_headline", "text")
+            self._ensure_approval_column(connection, "action_envelope_json", "text")
             self._ensure_approval_column(connection, "workspace", "text")
             self._ensure_attachment_column(connection, "lease_id", "text not null default ''")
             self._ensure_attachment_column(connection, "lease_expires_at", "text")

{plugin_scanner-2.0.95 → plugin_scanner-2.0.97}/src/codex_plugin_scanner/guard/store_approvals.py RENAMED Viewed

@@ -30,12 +30,13 @@ def approval_schema_statement() -> str:
           risk_signals_json text not null default '[]',
           artifact_label text,
           source_label text,
-          trigger_summary text,
-          why_now text,
-          launch_summary text,
-          risk_headline text,
-          review_command text not null,
-          approval_url text not null,
+           trigger_summary text,
+           why_now text,
+           launch_summary text,
+           risk_headline text,
+           action_envelope_json text,
+           review_command text not null,
+           approval_url text not null,
           status text not null,
           resolution_action text,
           resolution_scope text,
@@ -68,7 +69,7 @@ def add_approval_request(connection: sqlite3.Connection, request: GuardApprovalR
                 recommended_scope = ?, changed_fields_json = ?, source_scope = ?, config_path = ?, workspace = ?,
                 launch_target = ?, transport = ?, risk_summary = ?, risk_signals_json = ?,
                 artifact_label = ?, source_label = ?, trigger_summary = ?, why_now = ?, launch_summary = ?,
-                risk_headline = ?,
+                risk_headline = ?, action_envelope_json = ?,
                 review_command = ?, approval_url = ?, created_at = ?
             where request_id = ?
             """,
@@ -93,6 +94,7 @@ def add_approval_request(connection: sqlite3.Connection, request: GuardApprovalR
                 request.why_now,
                 request.launch_summary,
                 request.risk_headline,
+                json.dumps(request.action_envelope_json) if request.action_envelope_json is not None else None,
                 review_command,
                 approval_url,
                 now,
@@ -105,12 +107,12 @@ def add_approval_request(connection: sqlite3.Connection, request: GuardApprovalR
         insert into approval_requests (
           request_id, harness, artifact_id, artifact_name, artifact_type, artifact_hash, publisher, policy_action,
           recommended_scope, changed_fields_json, source_scope, config_path, workspace,
-          launch_target, transport, risk_summary,
-          risk_signals_json, artifact_label, source_label, trigger_summary, why_now, launch_summary, risk_headline,
-          review_command,
-          approval_url, status, resolution_action, resolution_scope, reason, created_at, resolved_at
-        )
-        values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+           launch_target, transport, risk_summary,
+           risk_signals_json, artifact_label, source_label, trigger_summary, why_now, launch_summary, risk_headline,
+           action_envelope_json, review_command,
+           approval_url, status, resolution_action, resolution_scope, reason, created_at, resolved_at
+         )
+         values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
         """,
         (
             request.request_id,
@@ -136,6 +138,7 @@ def add_approval_request(connection: sqlite3.Connection, request: GuardApprovalR
             request.why_now,
             request.launch_summary,
             request.risk_headline,
+            json.dumps(request.action_envelope_json) if request.action_envelope_json is not None else None,
             request.review_command,
             request.approval_url,
             "pending",
@@ -182,9 +185,9 @@ def list_approval_requests(
     query = f"""
         select request_id, harness, artifact_id, artifact_name, artifact_type, artifact_hash, publisher, policy_action,
                recommended_scope, changed_fields_json, source_scope, config_path, workspace, launch_target, transport,
-               risk_summary, risk_signals_json, artifact_label, source_label, trigger_summary, why_now,
-               launch_summary, risk_headline, review_command,
-               approval_url, status, resolution_action, resolution_scope, reason, created_at, resolved_at
+                risk_summary, risk_signals_json, artifact_label, source_label, trigger_summary, why_now,
+                launch_summary, risk_headline, action_envelope_json, review_command,
+                approval_url, status, resolution_action, resolution_scope, reason, created_at, resolved_at
         from approval_requests
         {where_clause}
         order by created_at desc
@@ -201,9 +204,9 @@ def get_approval_request(connection: sqlite3.Connection, request_id: str) -> dic
         """
         select request_id, harness, artifact_id, artifact_name, artifact_type, artifact_hash, publisher, policy_action,
                recommended_scope, changed_fields_json, source_scope, config_path, workspace, launch_target, transport,
-               risk_summary, risk_signals_json, artifact_label, source_label, trigger_summary, why_now,
-               launch_summary, risk_headline, review_command,
-               approval_url, status, resolution_action, resolution_scope, reason, created_at, resolved_at
+                risk_summary, risk_signals_json, artifact_label, source_label, trigger_summary, why_now,
+                launch_summary, risk_headline, action_envelope_json, review_command,
+                approval_url, status, resolution_action, resolution_scope, reason, created_at, resolved_at
         from approval_requests
         where request_id = ?
         """,
@@ -273,6 +276,7 @@ def _row_to_payload(row: sqlite3.Row) -> dict[str, object]:
         "why_now": row["why_now"],
         "launch_summary": row["launch_summary"],
         "risk_headline": row["risk_headline"],
+        "action_envelope_json": _optional_json_object(row["action_envelope_json"]),
         "review_command": str(row["review_command"]),
         "approval_url": str(row["approval_url"]),
         "status": str(row["status"]),
@@ -282,3 +286,15 @@ def _row_to_payload(row: sqlite3.Row) -> dict[str, object]:
         "created_at": str(row["created_at"]),
         "resolved_at": row["resolved_at"],
     }
+def _optional_json_object(value: object) -> dict[str, object] | None:
+    if value is None:
+        return None
+    try:
+        parsed = json.loads(str(value))
+    except (json.JSONDecodeError, TypeError, ValueError):
+        return None
+    if isinstance(parsed, dict):
+        return {str(key): item for key, item in parsed.items() if isinstance(key, str)}
+    return None

{plugin_scanner-2.0.95 → plugin_scanner-2.0.97}/src/codex_plugin_scanner/version.py RENAMED Viewed

@@ -1,3 +1,3 @@
 """Single source of truth for tool version."""
-__version__ = "2.0.95"
+__version__ = "2.0.97"

plugin-scanner 2.0.95__tar.gz → 2.0.97__tar.gz

plugin-scanner 2.0.95tar.gz → 2.0.97tar.gz