feat: update guard flow (#62)

* feat: migrate action identity to ai plugin scanner

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

* fix: move action output defaults into runner

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

* fix: shorten canonical action slug

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

* fix: gate action tag publication on bundle changes

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

* fix: derive action tags from both published repos

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

* fix: avoid action release tag collisions

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

* fix: ignore peeled action tag refs

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

* fix: preserve action outputs on failure paths

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

* fix: keep action release tags aligned across repos

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

* feat: improve guard cli diagnostics

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

* fix: align guard files with ci formatting

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

* fix: use active interpreter for claude hooks

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

* fix: preserve empty hook override state

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

* fix: tighten guard cli behavior

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

* fix: validate scoped guard policies

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

* fix: tighten guard artifact tracking

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

* fix: harden guard policy state

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

* fix: scope guard adapter artifact ids

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

* fix: preserve blocked guard baselines

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

* fix: harden guard runtime fallbacks

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

* fix: harden guard command validation

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

* fix: harden guard cli fallbacks

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

---------

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

Author: kantorcodes

.github/workflows/publish-action-repo.yml

@@ -10,7 +10,7 @@ permissions:
   contents: read
 
 concurrency:
-  group: codex-plugin-scanner-action-repo-${{ github.ref }}
+  group: ai-plugin-scanner-action-repo-${{ github.ref }}
   cancel-in-progress: false
 
 jobs:
@@ -20,7 +20,8 @@ jobs:
     permissions:
       contents: read
     env:
-      ACTION_REPOSITORY: ${{ vars.ACTION_REPOSITORY != '' && vars.ACTION_REPOSITORY || 'hashgraph-online/hol-codex-plugin-scanner-action' }}
+      ACTION_CANONICAL_REPOSITORY: ${{ vars.ACTION_CANONICAL_REPOSITORY != '' && vars.ACTION_CANONICAL_REPOSITORY || 'hashgraph-online/ai-plugin-scanner-action' }}
+      ACTION_COMPAT_REPOSITORY: ${{ vars.ACTION_COMPAT_REPOSITORY != '' && vars.ACTION_COMPAT_REPOSITORY || 'hashgraph-online/hol-codex-plugin-scanner-action' }}
       SOURCE_REF: ${{ github.sha }}
       SOURCE_REPOSITORY: ${{ github.repository }}
       SOURCE_SERVER_URL: ${{ github.server_url }}
@@ -44,7 +45,38 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
         run: |
-          LAST_TAG=$(gh release list --repo "$ACTION_REPOSITORY" --limit 1 --json tagName --jq '.[0].tagName // ""')
+          latest_release_tag() {
+            target_repo="$1"
+            if ! gh repo view "$target_repo" >/dev/null 2>&1; then
+              return
+            fi
+            gh release list --repo "$target_repo" --limit 1 --json tagName --jq '.[0].tagName // ""'
+          }
+
+          latest_remote_tag() {
+            target_repo="$1"
+            if ! gh repo view "$target_repo" >/dev/null 2>&1; then
+              return
+            fi
+            git ls-remote --tags --refs "https://x-access-token:${GH_TOKEN}@github.com/${target_repo}.git" "refs/tags/v*" \
+              | awk -F'/' '{print $3}' \
+              | sort -V \
+              | tail -n1
+          }
+
+          LAST_TAG=""
+          for candidate in \
+            "$(latest_release_tag "$ACTION_CANONICAL_REPOSITORY")" \
+            "$(latest_release_tag "$ACTION_COMPAT_REPOSITORY")" \
+            "$(latest_remote_tag "$ACTION_CANONICAL_REPOSITORY")" \
+            "$(latest_remote_tag "$ACTION_COMPAT_REPOSITORY")"; do
+            if [ -z "$candidate" ]; then
+              continue
+            fi
+            if [ -z "$LAST_TAG" ] || [ "$(printf '%s\n%s\n' "$LAST_TAG" "$candidate" | sort -V | tail -n1)" = "$candidate" ]; then
+              LAST_TAG="$candidate"
+            fi
+          done
 
           if [ -z "$LAST_TAG" ]; then
             TAG="v1.0.0"
@@ -82,88 +114,93 @@ jobs:
           fi
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
 
-      - name: Clone action repository
-        env:
-          GH_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
-        run: gh repo clone "$ACTION_REPOSITORY" action-repo -- --depth 1
-
-      - name: Configure authenticated action repository remote
-        working-directory: action-repo
+      - name: Sync canonical and compatibility action repositories
         env:
           ACTION_REPO_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
+          GH_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
+          TAG: ${{ steps.version.outputs.tag }}
+          SCANNER_VERSION: ${{ steps.scanner_version.outputs.version }}
         run: |
-          git remote set-url origin "https://x-access-token:${ACTION_REPO_TOKEN}@github.com/$ACTION_REPOSITORY.git"
+          any_repo_changed="false"
 
-      - name: Sync root-ready action bundle
-        working-directory: action-repo
-        run: |
-          cp "${GITHUB_WORKSPACE}/action/action.yml" action.yml
-          cp "${GITHUB_WORKSPACE}/action/README.md" README.md
-          printf '%s\n' "${{ steps.scanner_version.outputs.version }}" > scanner-version.txt
-          cp "${GITHUB_WORKSPACE}/action/cisco-version.txt" cisco-version.txt
-          cp "${GITHUB_WORKSPACE}/action/pypi-attestations-version.txt" pypi-attestations-version.txt
-          cp "${GITHUB_WORKSPACE}/LICENSE" LICENSE
-          cp "${GITHUB_WORKSPACE}/SECURITY.md" SECURITY.md
-          cp "${GITHUB_WORKSPACE}/CONTRIBUTING.md" CONTRIBUTING.md
-
-      - name: Detect sync changes
-        id: diff
-        working-directory: action-repo
-        run: |
-          if [ -n "$(git status --short -- action.yml README.md scanner-version.txt cisco-version.txt pypi-attestations-version.txt LICENSE SECURITY.md CONTRIBUTING.md)" ]; then
-            echo "changed=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "changed=false" >> "$GITHUB_OUTPUT"
-          fi
+          publish_action_release() {
+            target_repo="$1"
+            repo_dir="$2"
 
-      - name: Commit synced bundle
-        if: steps.diff.outputs.changed == 'true'
-        working-directory: action-repo
-        run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git add action.yml README.md scanner-version.txt cisco-version.txt pypi-attestations-version.txt LICENSE SECURITY.md CONTRIBUTING.md
-          git commit -m "chore: publish action bundle ${{ steps.version.outputs.tag }}"
-
-      - name: Push action repository branch and tags
-        if: steps.diff.outputs.changed == 'true'
-        working-directory: action-repo
-        run: |
-          TAG="${{ steps.version.outputs.tag }}"
-          git push origin HEAD:main
-          git tag "$TAG"
-          git push origin "refs/tags/${TAG}"
-          git tag -fa v1 -m "Update floating major tag to ${TAG}"
-          git push origin refs/tags/v1 --force
-
-      - name: Check action release state
-        id: release_state
-        working-directory: action-repo
-        env:
-          GH_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
-        run: |
-          TAG="${{ steps.version.outputs.tag }}"
+            git -C "$repo_dir" tag -fa v1 -m "Update floating major tag to ${TAG}"
+            if git -C "$repo_dir" ls-remote --tags origin "refs/tags/${TAG}" | grep -q .; then
+              echo "Refusing to publish action bundle with colliding existing tag ${TAG} in ${target_repo}." >&2
+              exit 1
+            fi
+            git -C "$repo_dir" tag "${TAG}"
+            git -C "$repo_dir" push origin "refs/tags/${TAG}"
+            git -C "$repo_dir" push origin refs/tags/v1 --force
+
+            if ! gh release view "${TAG}" --repo "$target_repo" >/dev/null 2>&1; then
+              gh release create "${TAG}" \
+                --repo "$target_repo" \
+                --title "${TAG}" \
+                --generate-notes \
+                --notes "Published automatically from ${SOURCE_SERVER_URL}/${SOURCE_REPOSITORY}/tree/${SOURCE_REF}"
+            fi
+          }
+
+          sync_action_repo() {
+            target_repo="$1"
+            readme_source="$2"
+            repo_description="$3"
+            repo_dir="$GITHUB_WORKSPACE/action-repos/${target_repo##*/}"
+            repo_changed="false"
+
+            if gh repo view "$target_repo" >/dev/null 2>&1; then
+              gh repo edit "$target_repo" --description "$repo_description"
+              gh repo clone "$target_repo" "$repo_dir" -- --depth 1
+            else
+              gh repo create "$target_repo" --public --description "$repo_description" --clone
+              mv "${target_repo##*/}" "$repo_dir"
+            fi
 
-          if gh release view "${TAG}" --repo "$ACTION_REPOSITORY" >/dev/null 2>&1; then
-            echo "release_exists=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "release_exists=false" >> "$GITHUB_OUTPUT"
-          fi
+            git -C "$repo_dir" remote set-url origin "https://x-access-token:${ACTION_REPO_TOKEN}@github.com/${target_repo}.git"
+
+            cp "${GITHUB_WORKSPACE}/action/action.yml" "${repo_dir}/action.yml"
+            cp "$readme_source" "${repo_dir}/README.md"
+            printf '%s\n' "$SCANNER_VERSION" > "${repo_dir}/scanner-version.txt"
+            cp "${GITHUB_WORKSPACE}/action/cisco-version.txt" "${repo_dir}/cisco-version.txt"
+            cp "${GITHUB_WORKSPACE}/action/pypi-attestations-version.txt" "${repo_dir}/pypi-attestations-version.txt"
+            cp "${GITHUB_WORKSPACE}/LICENSE" "${repo_dir}/LICENSE"
+            cp "${GITHUB_WORKSPACE}/SECURITY.md" "${repo_dir}/SECURITY.md"
+            cp "${GITHUB_WORKSPACE}/CONTRIBUTING.md" "${repo_dir}/CONTRIBUTING.md"
+
+            if [ -n "$(git -C "$repo_dir" status --short -- action.yml README.md scanner-version.txt cisco-version.txt pypi-attestations-version.txt LICENSE SECURITY.md CONTRIBUTING.md)" ]; then
+              repo_changed="true"
+              git -C "$repo_dir" config user.name "github-actions[bot]"
+              git -C "$repo_dir" config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+              git -C "$repo_dir" add action.yml README.md scanner-version.txt cisco-version.txt pypi-attestations-version.txt LICENSE SECURITY.md CONTRIBUTING.md
+              git -C "$repo_dir" commit -m "chore: publish action bundle ${TAG}"
+              git -C "$repo_dir" push origin HEAD:main
+              any_repo_changed="true"
+            fi
 
-          if git ls-remote --tags origin "refs/tags/${TAG}" | grep -q .; then
-            echo "tag_exists=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "tag_exists=false" >> "$GITHUB_OUTPUT"
+            printf '%s\t%s\n' "$target_repo" "$repo_dir" >> "$GITHUB_WORKSPACE/action-repos/publish-targets.tsv"
+          }
+
+          mkdir -p "$GITHUB_WORKSPACE/action-repos"
+          : > "$GITHUB_WORKSPACE/action-repos/publish-targets.tsv"
+
+          sync_action_repo \
+            "$ACTION_CANONICAL_REPOSITORY" \
+            "${GITHUB_WORKSPACE}/action/README.md" \
+            "HOL AI Plugin Scanner GitHub Action"
+
+          sync_action_repo \
+            "$ACTION_COMPAT_REPOSITORY" \
+            "${GITHUB_WORKSPACE}/action/README.legacy.md" \
+            "Compatibility alias for HOL AI Plugin Scanner GitHub Action"
+
+          if [ "$any_repo_changed" != "true" ]; then
+            exit 0
           fi
 
-      - name: Create action repository release
-        if: steps.release_state.outputs.release_exists == 'false' && (steps.diff.outputs.changed == 'true' || steps.release_state.outputs.tag_exists == 'true')
-        env:
-          GH_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
-        run: |
-          TAG="${{ steps.version.outputs.tag }}"
-          gh release create "${TAG}" \
-            --repo "$ACTION_REPOSITORY" \
-            --title "$TAG" \
-            --generate-notes \
-            --notes "Published automatically from ${SOURCE_SERVER_URL}/${SOURCE_REPOSITORY}/tree/${SOURCE_REF}"
+          while IFS=$'\t' read -r target_repo repo_dir; do
+            publish_action_release "$target_repo" "$repo_dir"
+          done < "$GITHUB_WORKSPACE/action-repos/publish-targets.tsv"

.github/workflows/publish.yml

@@ -193,7 +193,7 @@ jobs:
         run: |
           VERSION="${{ needs.build.outputs.version }}"
           BUNDLE_ROOT="dist/github-action-bundle"
-          BUNDLE_PATH="dist/hol-codex-plugin-scanner-action-v${VERSION}.zip"
+          BUNDLE_PATH="dist/ai-plugin-scanner-action-v${VERSION}.zip"
 
           mkdir -p "${BUNDLE_ROOT}"
           cp action/action.yml "${BUNDLE_ROOT}/action.yml"

README.md

@@ -25,8 +25,8 @@ pipx run plugin-scanner verify .
 
 ```yaml
 # GitHub Actions PR gate
-- name: Codex plugin quality gate
-  uses: hashgraph-online/hol-codex-plugin-scanner-action@v1
+- name: AI plugin quality gate
+  uses: hashgraph-online/ai-plugin-scanner-action@v1
   with:
     plugin_dir: "."
     fail_on_severity: high
@@ -213,7 +213,7 @@ For repo-scoped marketplaces, `scan`, `lint`, `verify`, and `doctor` can target
 ## Config + Baseline Example
 
 ```toml
-# .codex-plugin-scanner.toml
+# .plugin-scanner.toml
 [scanner]
 profile = "public-marketplace"
 baseline_file = "baseline.txt"
@@ -303,7 +303,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
-      - uses: hashgraph-online/hol-codex-plugin-scanner-action@v1
+      - uses: hashgraph-online/ai-plugin-scanner-action@v1
         with:
           plugin_dir: "."
           mode: scan
@@ -322,9 +322,9 @@ Local pre-commit style hook:
 repos:
   - repo: local
     hooks:
-      - id: codex-plugin-scanner
-        name: Codex Plugin Scanner
-        entry: codex-plugin-scanner
+      - id: plugin-scanner
+        name: Plugin Scanner
+        entry: plugin-scanner
         language: system
         types: [directory]
         pass_filenames: false
@@ -351,25 +351,27 @@ The source repository can publish the GitHub Action automatically into a dedicat
 Configure:
 
 - repository secret `ACTION_REPO_TOKEN`
-  It should be a token that can create or update repositories and releases in the target repository.
-- optional repository variable `ACTION_REPOSITORY`
+  It should be a token that can create or update repositories and releases in the canonical and compatibility action repositories.
+- optional repository variable `ACTION_CANONICAL_REPOSITORY`
+  Defaults to `hashgraph-online/ai-plugin-scanner-action`.
+- optional repository variable `ACTION_COMPAT_REPOSITORY`
   Defaults to `hashgraph-online/hol-codex-plugin-scanner-action`.
 
-When a tagged release is published, [publish-action-repo.yml](./.github/workflows/publish-action-repo.yml) will:
+When changes land on `main`, [publish-action-repo.yml](./.github/workflows/publish-action-repo.yml) will:
 
-- create the dedicated action repository if it does not already exist
-- sync the root-ready `action.yml`, `README.md`, `LICENSE`, and `SECURITY.md`
+- create the canonical Marketplace repository if it does not already exist
+- sync the root-ready `action.yml`, repo-specific `README.md`, `LICENSE`, and `SECURITY.md` into both the canonical repo and the legacy compatibility repo
 - push the immutable release tag such as `v2.0.0`
 - move the floating `v1` tag
-- create or update the corresponding release in the action repository
+- create or update the corresponding release in each action repository
 
 GitHub Marketplace still requires the one-time listing publication step in the dedicated action repository UI, but after that this repository can keep the action repository current automatically.
 
 ### Plugin Author Submission Flow
 
 The action can also handle submission intake. A plugin repository can wire the scanner into CI so a passing scan opens or reuses a submission issue in [awesome-codex-plugins](https://github.com/hashgraph-online/awesome-codex-plugins).
 
-It also emits Codex-friendly machine outputs:
+It also emits automation-friendly machine outputs:
 
 - `score`, `grade`, `grade_label`, `max_severity`, and `findings_total` as GitHub Action outputs
 - a concise markdown summary in the job summary by default
@@ -397,7 +399,7 @@ jobs:
 
       - name: Scan and submit if eligible
         id: scan
-        uses: hashgraph-online/hol-codex-plugin-scanner-action@v1
+        uses: hashgraph-online/ai-plugin-scanner-action@v1
         with:
           plugin_dir: "."
           min_score: 80
@@ -413,9 +415,9 @@ jobs:
 
 `submission_token` is required when `submission_enabled: true`. This flow is idempotent. If the plugin repository was already submitted, the action reuses the existing open issue instead of opening duplicates by matching an exact hidden plugin URL marker in the existing issue body.
 
-### Registry Payload For Codex Ecosystem Automation
+### Registry Payload For Plugin Ecosystem Automation
 
-If you want to feed the same scan into a registry, badge pipeline, or another Codex automation step, request a registry payload file directly from the action:
+If you want to feed the same scan into a registry, badge pipeline, or another plugin ecosystem automation step, request a registry payload file directly from the action:
 
 ```yaml
 permissions:
@@ -429,12 +431,12 @@ jobs:
 
       - name: Scan plugin
         id: scan
-        uses: hashgraph-online/hol-codex-plugin-scanner-action@v1
+        uses: hashgraph-online/ai-plugin-scanner-action@v1
         with:
           plugin_dir: "."
           format: sarif
-          output: codex-plugin-scanner.sarif
-          registry_payload_output: codex-plugin-registry-payload.json
+          output: ai-plugin-scanner.sarif
+          registry_payload_output: ai-plugin-registry-payload.json
 
       - name: Show trust signals
         run: |
@@ -445,7 +447,7 @@ jobs:
       - name: Upload registry payload
         uses: actions/upload-artifact@v6
         with:
-          name: codex-plugin-registry-payload
+          name: ai-plugin-registry-payload
           path: ${{ steps.scan.outputs.registry_payload_path }}
 ```
 

action/README.legacy.md

@@ -0,0 +1,25 @@
+# HOL AI Plugin Scanner GitHub Action
+
+[![Latest Release](https://img.shields.io/github/v/release/hashgraph-online/hol-codex-plugin-scanner-action?display_name=tag)](https://github.com/hashgraph-online/hol-codex-plugin-scanner-action/releases/latest)
+[![Compatibility Alias](https://img.shields.io/badge/legacy-slug-supported-6b7280)](https://github.com/hashgraph-online/hol-codex-plugin-scanner-action)
+[![Canonical Repository](https://img.shields.io/badge/canonical-ai--plugin--scanner--action-0A84FF)](https://github.com/hashgraph-online/ai-plugin-scanner-action)
+[![Source of Truth](https://img.shields.io/badge/source-ai--plugin--scanner-111827)](https://github.com/hashgraph-online/ai-plugin-scanner/tree/main/action)
+
+This repository remains supported as a compatibility alias for existing workflows that use:
+
+```yaml
+uses: hashgraph-online/hol-codex-plugin-scanner-action@v1
+```
+
+New integrations should move to the canonical action slug:
+
+```yaml
+uses: hashgraph-online/ai-plugin-scanner-action@v1
+```
+
+The action behavior, release train, and source of truth are shared with the canonical repository:
+
+- Canonical action repo: [hashgraph-online/ai-plugin-scanner-action](https://github.com/hashgraph-online/ai-plugin-scanner-action)
+- Source repo: [hashgraph-online/ai-plugin-scanner](https://github.com/hashgraph-online/ai-plugin-scanner)
+
+The compatibility alias continues to receive the same reviewed root bundle, release tags, and floating `v1` major tag so existing consumers do not break during the identity migration.