fix: mark mixed marketplace scans as repository scope

kantorcodes · kantorcodes · commit ed3b9f45e42b · 2026-04-07T16:01:46.000-04:00
Signed-off-by: Michael Kantor &lt;6068672+kantorcodes@users.noreply.github.com&gt;
diff --git a/src/codex_plugin_scanner/scanner.py b/src/codex_plugin_scanner/scanner.py
@@ -477,6 +477,15 @@ def _scan_mixed_packages(scan_root: Path, packages: list[NormalizedPackage], opt
     score = _score_categories(tuple(categories))
     trust_report = build_repository_trust_report(tuple(codex_trust_reports)) if codex_trust_reports else None
     reported_packages = tuple(processed_packages) if processed_packages else tuple(packages)
+    marketplace_candidates = tuple(
+        package
+        for package in reported_packages
+        if package.ecosystem == Ecosystem.CODEX and package.package_kind == "marketplace"
+    )
+    scope = "repository" if marketplace_candidates else "plugin"
+    marketplace_file = (
+        str(marketplace_candidates[0].manifest_path) if len(marketplace_candidates) == 1 else None
+    )
     return ScanResult(
         score=score,
         grade=get_grade(score),
@@ -486,6 +495,8 @@ def _scan_mixed_packages(scan_root: Path, packages: list[NormalizedPackage], opt
         findings=findings,
         severity_counts=build_severity_counts(findings),
         integrations=tuple(integrations),
+        scope=scope,
+        marketplace_file=marketplace_file,
         trust_report=trust_report,
         ecosystems=tuple(sorted({package.ecosystem.value for package in reported_packages})),
         packages=tuple(_summarize_package(package) for package in reported_packages),
diff --git a/tests/test_ecosystems.py b/tests/test_ecosystems.py
@@ -91,6 +91,8 @@ def test_scan_auto_repository_includes_non_codex_packages(tmp_path: Path) -> Non
 
     result = scan_plugin(repo_root, ScanOptions(ecosystem="auto", cisco_skill_scan="off"))
 
+    assert result.scope == "repository"
+    assert result.marketplace_file is not None
     assert set(result.ecosystems) >= {"codex", "gemini"}
     assert any(category.name.startswith("[gemini:") for category in result.categories)
     assert all(finding.rule_id != "PLUGIN_JSON_MISSING" for finding in result.findings)
