feat: dual-publish plugin-scanner and refresh ecosystem docs

kantorcodes · kantorcodes · commit eb9a80e2de6a · 2026-04-07T16:20:13.000-04:00
Signed-off-by: Michael Kantor &lt;6068672+kantorcodes@users.noreply.github.com&gt;
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -20,7 +20,7 @@ permissions:
   id-token: write
 
 concurrency:
-  group: codex-plugin-scanner-publish-${{ github.ref }}
+  group: plugin-scanner-publish-${{ github.ref }}
   cancel-in-progress: false
 
 jobs:
@@ -70,8 +70,12 @@ jobs:
         run: |
           sed -i "1,/^version = /{s/^version = .*/version = \"$VERSION\"/}" pyproject.toml
           sed -i "1,/^__version__ = /{s/^__version__ = .*/__version__ = \"$VERSION\"/}" src/codex_plugin_scanner/version.py
-      - name: Build package
+      - name: Build primary package (plugin-scanner)
         run: uv run --no-sync python -m build
+      - name: Build legacy compatibility package (codex-plugin-scanner)
+        run: |
+          sed -i "1,/^name = /{s/^name = .*/name = \"codex-plugin-scanner\"/}" pyproject.toml
+          uv run --no-sync python -m build
       - name: Verify distributions
         run: uv run --no-sync twine check dist/*
       - name: Upload artifacts
@@ -165,15 +169,19 @@ jobs:
           ${LOG}
 
           ### Installation
+          \`\`\`bash
+          uv tool install plugin-scanner==${VERSION}
+          \`\`\`
+
           \`\`\`bash
           uv tool install codex-plugin-scanner==${VERSION}
           \`\`\`
 
           \`\`\`bash
-          docker pull ghcr.io/hashgraph-online/codex-plugin-scanner:${VERSION}
+          docker pull ghcr.io/hashgraph-online/ai-plugin-scanner:${VERSION}
           \`\`\`
 
-          **Full Changelog**: https://github.com/hashgraph-online/codex-plugin-scanner/compare/${LAST_TAG}...v${VERSION}
+          **Full Changelog**: https://github.com/hashgraph-online/ai-plugin-scanner/compare/${LAST_TAG}...v${VERSION}
           EOF
 
           echo "notes_path=release-notes.md" >> $GITHUB_OUTPUT
@@ -212,7 +220,7 @@ jobs:
         env:
           VERSION: ${{ needs.build.outputs.version }}
         run: |
-          cp "${{ steps.provenance.outputs.bundle-path }}" "dist/codex-plugin-scanner-v${VERSION}.intoto.jsonl"
+          cp "${{ steps.provenance.outputs.bundle-path }}" "dist/plugin-scanner-v${VERSION}.intoto.jsonl"
       - name: Collect release asset files
         if: steps.release_exists.outputs.exists == 'false'
         id: release_assets
diff --git a/README.md b/README.md
@@ -1,25 +1,26 @@
 # HOL Plugin Ecosystem Scanner
 
-[![PyPI Version](https://img.shields.io/pypi/v/codex-plugin-scanner.svg?logo=pypi&logoColor=white&cacheSeconds=300)](https://pypi.org/project/codex-plugin-scanner/)
-[![Python Versions](https://img.shields.io/pypi/pyversions/codex-plugin-scanner)](https://pypi.org/project/codex-plugin-scanner/)
-[![PyPI Downloads](https://img.shields.io/pypi/dm/codex-plugin-scanner)](https://pypistats.org/packages/codex-plugin-scanner)
-[![CI](https://github.com/hashgraph-online/codex-plugin-scanner/actions/workflows/ci.yml/badge.svg)](https://github.com/hashgraph-online/codex-plugin-scanner/actions/workflows/ci.yml)
-[![Publish](https://github.com/hashgraph-online/codex-plugin-scanner/actions/workflows/publish.yml/badge.svg)](https://github.com/hashgraph-online/codex-plugin-scanner/actions/workflows/publish.yml)
-[![Container Image](https://img.shields.io/badge/ghcr-codex--plugin--scanner-2496ED?logo=docker&logoColor=white)](https://github.com/hashgraph-online/codex-plugin-scanner/pkgs/container/codex-plugin-scanner)
-[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/hashgraph-online/codex-plugin-scanner/badge)](https://scorecard.dev/viewer/?uri=github.com/hashgraph-online/codex-plugin-scanner)
+[![PyPI Version](https://img.shields.io/pypi/v/plugin-scanner.svg?logo=pypi&logoColor=white&cacheSeconds=300)](https://pypi.org/project/plugin-scanner/)
+[![Legacy Namespace](https://img.shields.io/badge/legacy-codex--plugin--scanner-6b7280?logo=pypi&logoColor=white)](https://pypi.org/project/codex-plugin-scanner/)
+[![Python Versions](https://img.shields.io/pypi/pyversions/plugin-scanner)](https://pypi.org/project/plugin-scanner/)
+[![PyPI Downloads](https://img.shields.io/pypi/dm/plugin-scanner)](https://pypistats.org/packages/plugin-scanner)
+[![CI](https://github.com/hashgraph-online/ai-plugin-scanner/actions/workflows/ci.yml/badge.svg)](https://github.com/hashgraph-online/ai-plugin-scanner/actions/workflows/ci.yml)
+[![Publish](https://github.com/hashgraph-online/ai-plugin-scanner/actions/workflows/publish.yml/badge.svg)](https://github.com/hashgraph-online/ai-plugin-scanner/actions/workflows/publish.yml)
+[![Container Image](https://img.shields.io/badge/ghcr-ai--plugin--scanner-2496ED?logo=docker&logoColor=white)](https://github.com/hashgraph-online/ai-plugin-scanner/pkgs/container/ai-plugin-scanner)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/hashgraph-online/ai-plugin-scanner/badge)](https://scorecard.dev/viewer/?uri=github.com/hashgraph-online/ai-plugin-scanner)
 [![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](./LICENSE)
-[![GitHub Stars](https://img.shields.io/github/stars/hashgraph-online/codex-plugin-scanner?style=social)](https://github.com/hashgraph-online/codex-plugin-scanner/stargazers)
+[![GitHub Stars](https://img.shields.io/github/stars/hashgraph-online/ai-plugin-scanner?style=social)](https://github.com/hashgraph-online/ai-plugin-scanner/stargazers)
 [![Lint: ruff](https://img.shields.io/badge/lint-ruff-D7FF64.svg)](https://github.com/astral-sh/ruff)
 
-| ![Hashgraph Online Logo](https://hol.org/brand/Logo_Whole_Dark.png) | **The default CI gate for Codex plugins**. Lint locally, verify in CI, and ship publish-ready bundles for manifests, skills, MCP, and marketplace metadata.<br><br>Use this after [`$plugin-creator`](https://developers.openai.com/codex/plugins) and before publishing, review, or distribution.<br><br>[PyPI Package](https://pypi.org/project/codex-plugin-scanner/)<br>[HOL Plugin Registry](https://hol.org/registry/plugins)<br>[HOL GitHub Organization](https://github.com/hashgraph-online)<br>[Report an Issue](https://github.com/hashgraph-online/codex-plugin-scanner/issues) |
+| ![Hashgraph Online Logo](https://hol.org/brand/Logo_Whole_Dark.png) | **The default CI gate for AI agent plugin ecosystems**. Lint locally, verify in CI, and ship publish-ready bundles for manifests, skills, MCP, and marketplace metadata across Codex, Claude, Gemini, and OpenCode.<br><br>Use this after scaffolding and before publishing, review, or distribution.<br><br>[PyPI Package (`plugin-scanner`)](https://pypi.org/project/plugin-scanner/)<br>[Legacy Namespace (`codex-plugin-scanner`)](https://pypi.org/project/codex-plugin-scanner/)<br>[HOL Plugin Registry](https://hol.org/registry/plugins)<br>[HOL GitHub Organization](https://github.com/hashgraph-online)<br>[Report an Issue](https://github.com/hashgraph-online/ai-plugin-scanner/issues) |
 | :--- | :--- |
 
 ## Start In 30 Seconds
 
 ```bash
-# Local preflight after scaffolding with $plugin-creator
-pipx run codex-plugin-scanner lint .
-pipx run codex-plugin-scanner verify .
+# Local preflight
+pipx run plugin-scanner lint .
+pipx run plugin-scanner verify .
 ```
 
 ```yaml
@@ -36,7 +37,7 @@ If your repository uses a Codex marketplace root like `.agents/plugins/marketpla
 
 ## Use After `$plugin-creator`
 
-`codex-plugin-scanner` is designed as the quality gate between plugin creation and distribution:
+`plugin-scanner` is designed as the quality gate between plugin creation and distribution:
 
 1. Scaffold with `$plugin-creator`.
 2. Run `lint` locally to catch structure, metadata, and security issues early.
@@ -64,8 +65,8 @@ This keeps the quality grade and the trust score separate. Signals like `SECURIT
 ## Quick Start For Contributors
 
 ```bash
-git clone https://github.com/hashgraph-online/codex-plugin-scanner.git
-cd codex-plugin-scanner
+git clone https://github.com/hashgraph-online/ai-plugin-scanner.git
+cd ai-plugin-scanner
 python -m venv .venv
 source .venv/bin/activate
 pip install -e ".[dev]"
@@ -75,32 +76,39 @@ pytest -q
 ## Install
 
 ```bash
-pip install codex-plugin-scanner
+pip install plugin-scanner
 ```
 
 Cisco-backed skill scanning is optional:
 
 ```bash
-pip install "codex-plugin-scanner[cisco]"
+pip install "plugin-scanner[cisco]"
 ```
 
 The `cisco` extra installs the published `cisco-ai-skill-scanner` package from PyPI so the scanner remains publishable on PyPI and the optional Cisco analysis path works with standard package metadata.
 
 You can also run the scanner without a local install:
 
 ```bash
-pipx run codex-plugin-scanner ./my-plugin
+pipx run plugin-scanner ./my-plugin
 ```
 
 Container-first environments can use the published image instead:
 
 ```bash
 docker run --rm \
   -v "$PWD:/workspace" \
-  ghcr.io/hashgraph-online/codex-plugin-scanner:<version> \
+  ghcr.io/hashgraph-online/ai-plugin-scanner:<version> \
   scan /workspace --format text
 ```
 
+Backward compatibility remains available for teams still pinned to the historical package namespace:
+
+```bash
+pip install codex-plugin-scanner
+pipx run codex-plugin-scanner verify .
+```
+
 ## Ecosystem Support
 
 | Ecosystem | Detection Surfaces |
@@ -114,7 +122,7 @@ Use `--ecosystem auto` (default) to scan all detected packages in a repository,
 
 ## What The Scanner Covers
 
-`codex-plugin-scanner` supports a full quality suite:
+`plugin-scanner` supports a full quality suite:
 
 - `scan` for full-surface security and publishability analysis
 - `lint` for rule-oriented authoring feedback
@@ -138,54 +146,54 @@ The scanner evaluates only the surfaces a plugin actually exposes, then normaliz
 
 ```bash
 # Scan a plugin directory
-codex-plugin-scanner ./my-plugin
+plugin-scanner ./my-plugin
 
 # Auto-detect all supported ecosystems inside a repo (default)
-codex-plugin-scanner ./plugins-repo --ecosystem auto
+plugin-scanner ./plugins-repo --ecosystem auto
 
 # Scan only Claude package surfaces
-codex-plugin-scanner ./plugins-repo --ecosystem claude
+plugin-scanner ./plugins-repo --ecosystem claude
 
 # List supported ecosystems
-codex-plugin-scanner --list-ecosystems
+plugin-scanner --list-ecosystems
 
 # Output JSON
-codex-plugin-scanner ./my-plugin --json
+plugin-scanner ./my-plugin --json
 
 # Write a SARIF report for GitHub code scanning
-codex-plugin-scanner ./my-plugin --format sarif --output codex-plugin-scanner.sarif
+plugin-scanner ./my-plugin --format sarif --output plugin-scanner.sarif
 
 # Fail CI on findings at or above high severity
-codex-plugin-scanner ./my-plugin --fail-on-severity high
+plugin-scanner ./my-plugin --fail-on-severity high
 
 # Require Cisco skill scanning with a strict policy
-codex-plugin-scanner ./my-plugin --cisco-skill-scan on --cisco-policy strict
+plugin-scanner ./my-plugin --cisco-skill-scan on --cisco-policy strict
 ```
 
 ## Quality Suite Commands
 
 ```bash
 # Summary scan (legacy form still works)
-codex-plugin-scanner scan ./my-plugin --format json --profile public-marketplace
+plugin-scanner scan ./my-plugin --format json --profile public-marketplace
 
 # Scan a multi-plugin repo from the marketplace root
-codex-plugin-scanner scan . --format json
+plugin-scanner scan . --format json
 
 # Rule-oriented lint (with optional mechanical fixes)
-codex-plugin-scanner lint ./my-plugin --list-rules
-codex-plugin-scanner lint ./my-plugin --explain README_MISSING
-codex-plugin-scanner lint ./my-plugin --fix --profile strict-security
+plugin-scanner lint ./my-plugin --list-rules
+plugin-scanner lint ./my-plugin --explain README_MISSING
+plugin-scanner lint ./my-plugin --fix --profile strict-security
 
 # Runtime readiness verification
-codex-plugin-scanner verify ./my-plugin --format json
-codex-plugin-scanner verify . --format json
-codex-plugin-scanner verify ./my-plugin --online --format text
+plugin-scanner verify ./my-plugin --format json
+plugin-scanner verify . --format json
+plugin-scanner verify ./my-plugin --online --format text
 
 # Artifact-backed submission gate
-codex-plugin-scanner submit ./my-plugin --profile public-marketplace --attest dist/plugin-quality.json
+plugin-scanner submit ./my-plugin --profile public-marketplace --attest dist/plugin-quality.json
 
 # Diagnostic bundle
-codex-plugin-scanner doctor ./my-plugin --component mcp --bundle dist/doctor.zip
+plugin-scanner doctor ./my-plugin --component mcp --bundle dist/doctor.zip
 ```
 
 ## Codex Spec Alignment
@@ -219,7 +227,7 @@ severity_overrides = { CODEXIGNORE_MISSING = "low" }
 ## Example Output
 
 ```text
-🔗 Codex Plugin Scanner v2.0.0
+🔗 Plugin Scanner v2.0.0
 Scanning: ./my-plugin
 
 ── Manifest Validation (31/31) ──
@@ -480,7 +488,7 @@ The [HOL Registry Broker Codex Plugin](https://github.com/hashgraph-online/regis
 HOL Registry scores: **Trust 80** / **Review 83** / **Enforce 74**
 
 ```text
-🔗 Codex Plugin Scanner v2.0.0
+🔗 Plugin Scanner v2.0.0
 Scanning: ./registry-broker-codex-plugin
 
 ── Manifest Validation (31/31) ──
diff --git a/pyproject.toml b/pyproject.toml
@@ -3,7 +3,7 @@ requires = ["hatchling"]
 build-backend = "hatchling.build"
 
 [project]
-name = "codex-plugin-scanner"
+name = "plugin-scanner"
 version = "2.0.0"
 description = "Security, operational-security, and publishability scanner for Codex, Claude, Gemini, and OpenCode plugin ecosystems."
 readme = "README.md"
@@ -12,7 +12,7 @@ requires-python = ">=3.10"
 authors = [
     { name = "Hashgraph Online", email = "dev@hol.org" },
 ]
-keywords = ["codex", "plugin", "scanner", "security", "mcp", "cli"]
+keywords = ["plugin", "scanner", "security", "mcp", "cli", "codex", "claude", "gemini", "opencode", "ecosystem"]
 classifiers = [
     "Development Status :: 5 - Production/Stable",
     "Environment :: Console",
@@ -49,13 +49,14 @@ publish = [
 ]
 
 [project.scripts]
+plugin-scanner = "codex_plugin_scanner.cli:main"
 codex-plugin-scanner = "codex_plugin_scanner.cli:main"
 plugin-ecosystem-scanner = "codex_plugin_scanner.cli:main"
 
 [project.urls]
-Homepage = "https://github.com/hashgraph-online/codex-plugin-scanner"
-Repository = "https://github.com/hashgraph-online/codex-plugin-scanner"
-Issues = "https://github.com/hashgraph-online/codex-plugin-scanner/issues"
+Homepage = "https://github.com/hashgraph-online/ai-plugin-scanner"
+Repository = "https://github.com/hashgraph-online/ai-plugin-scanner"
+Issues = "https://github.com/hashgraph-online/ai-plugin-scanner/issues"
 
 [tool.ruff]
 target-version = "py310"
diff --git a/tests/test_action_bundle.py b/tests/test_action_bundle.py
@@ -87,14 +87,19 @@ def test_publish_workflow_attaches_marketplace_action_bundle() -> None:
     assert """printf '%s\\n' "${VERSION}" > "${BUNDLE_ROOT}/scanner-version.txt" """[:-1] in workflow_text
     assert 'cp action/cisco-version.txt "${BUNDLE_ROOT}/cisco-version.txt"' in workflow_text
     assert 'cp action/pypi-attestations-version.txt "${BUNDLE_ROOT}/pypi-attestations-version.txt"' in workflow_text
-    assert "dist/codex-plugin-scanner-v${VERSION}.intoto.jsonl" in workflow_text
+    assert "dist/plugin-scanner-v${VERSION}.intoto.jsonl" in workflow_text
     assert "Collect release asset files" in workflow_text
     assert "find dist -maxdepth 1 -type f -print0 | sort -z" in workflow_text
     assert 'mapfile -t RELEASE_ASSETS <<\'EOF\'' in workflow_text
     assert '"${RELEASE_ASSETS[@]}"' in workflow_text
     assert "subject-path: |" in workflow_text
     assert "dist/*" in workflow_text
-    assert "docker pull ghcr.io/hashgraph-online/codex-plugin-scanner:${VERSION}" in workflow_text
+    assert "Build legacy compatibility package (codex-plugin-scanner)" in workflow_text
+    assert "codex-plugin-scanner" in workflow_text
+    assert "uv tool install plugin-scanner==${VERSION}" in workflow_text
+    assert "uv tool install codex-plugin-scanner==${VERSION}" in workflow_text
+    assert "docker pull ghcr.io/hashgraph-online/ai-plugin-scanner:${VERSION}" in workflow_text
+    assert "dist/plugin-scanner-v${VERSION}.intoto.jsonl" in workflow_text
     assert "publish-container:" in workflow_text
     assert "packages: write" in workflow_text
     assert "docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2" in workflow_text
@@ -184,7 +189,9 @@ def test_readme_uses_stable_apache_license_badge() -> None:
     assert "https://img.shields.io/github/license/hashgraph-online/codex-plugin-scanner" not in readme
     assert "publish-action-repo.yml" in readme
     assert "docs/github-action-marketplace.md" not in readme
-    assert "ghcr.io/hashgraph-online/codex-plugin-scanner:<version>" in readme
+    assert "ghcr.io/hashgraph-online/ai-plugin-scanner:<version>" in readme
+    assert "https://pypi.org/project/plugin-scanner/" in readme
+    assert "https://pypi.org/project/codex-plugin-scanner/" in readme
     assert "Container Image" in readme
 
 
