
feat: complete v1.2 operational hardening PRD #2

Merged
kantorcodes merged 4 commits into main from feat/prd-v1-2-operational-hardening
Mar 30, 2026


kantorcodes commented Mar 29, 2026

Purpose

Complete the v1.2 operational-hardening PRD end to end for codex-plugin-scanner.

This PR turns the scanner into a stronger publishability and operational-security gate by adding:

  • Codex interface metadata and asset validation
  • MCP remote transport hardening
  • Operational-security checks for GitHub Actions and dependency hygiene
  • A scoped PRD documenting the release
  • Real Cisco smoke coverage without mocks when the Cisco package is installed

Affected paths

  • src/codex_plugin_scanner/checks/manifest.py
  • src/codex_plugin_scanner/checks/security.py
  • src/codex_plugin_scanner/checks/operational_security.py
  • src/codex_plugin_scanner/scanner.py
  • src/codex_plugin_scanner/cli.py
  • src/codex_plugin_scanner/__init__.py
  • README.md
  • pyproject.toml
  • tests/fixtures/good-plugin/.codex-plugin/plugin.json
  • tests/fixtures/good-plugin/assets/*
  • tests/test_manifest.py
  • tests/test_security.py
  • tests/test_operational_security.py
  • tests/test_integration.py
  • tests/test_scanner.py
  • tests/test_cli.py
  • tests/test_live_cisco_smoke.py

Setup / env notes

  • The scanner still works without the Cisco extra.
  • Live Cisco smoke coverage auto-skips when cisco-ai-skill-scanner is not installed.
  • Local verification in this branch used the repo venv with the Cisco package installed.

Verification

Automated:

  • ./.venv/bin/python -m pytest
  • ./.venv/bin/ruff check src tests
  • ./.venv/bin/python -m build

Live, without mocks:

  • ./.venv/bin/codex-plugin-scanner tests/fixtures/good-plugin --format json
  • ./.venv/bin/codex-plugin-scanner tests/fixtures/good-plugin --format json --cisco-skill-scan on --cisco-policy balanced
  • ./.venv/bin/python -m pytest tests/test_live_cisco_smoke.py -q

Notes


gemini-code-assist bot left a comment


Code Review

This pull request updates the Codex Plugin Scanner to version 1.2.0, introducing significant enhancements for publishability and operational security. Key changes include new manifest validation for interface metadata and assets, MCP transport hardening to enforce HTTPS for remote endpoints, and a new 'Operational Security' category that checks for GitHub Actions pinning, workflow permissions, and dependency lockfile hygiene. The PR also includes a comprehensive PRD, updated test fixtures, and new integration tests. One issue was identified regarding broken or future-dated documentation links for the Model Context Protocol specification.


kilo-code-bot bot commented Mar 29, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Resolved from Previous Review (7 issues)

All issues from prior reviews remain fixed:

| # | Previous Issue | Resolution |
|---|----------------|------------|
| 1 | _is_loopback_host only checked 127.0.0.1 | Now uses ipaddress.ip_address().is_loopback for full 127.0.0.0/8 range |
| 2 | Malformed .mcp.json silently passed | Now returns passed=False with MCP_CONFIG_INVALID_JSON finding |
| 3 | _collect_mcp_urls false-positive on metadata URLs | Added IGNORED_MCP_URL_CONTEXT skip set and targeted _extract_mcp_urls |
| 4 | Dependabot ecosystem detection used brittle string matching | Now uses DEPENDABOT_ECOSYSTEM_RE regex with optional quotes |
| 5 | _has_lockfiles required lockfile even with pinned requirements.txt | requirements_pinned now satisfies Python lockfile requirement |
| 6 | Docstring said "25 points" but actual total was 31 | Corrected to "31 points" |
| 7 | MCP_TRANSPORT_CONTAINER_KEYS was dead code | Removed entirely |

Incremental Changes (new commit 5441d5e)

Single commit: fix: restore python 3.10 enum compatibility

  • src/codex_plugin_scanner/models.py: Severity(StrEnum) → Severity(str, Enum)
  • src/codex_plugin_scanner/integrations/cisco_skill_scanner.py: CiscoIntegrationStatus(StrEnum) → CiscoIntegrationStatus(str, Enum)

Correct fix: StrEnum was added in Python 3.11, but pyproject.toml declares requires-python = ">=3.10". The str, Enum mixin is the idiomatic backward-compatible pattern.

Files Reviewed (22 files)
  • README.md - Updated docs for v1.2.0 features
  • pyproject.toml - Version bump to 1.2.0
  • src/codex_plugin_scanner/__init__.py - Version bump
  • src/codex_plugin_scanner/checks/manifest.py - New check_interface_metadata and check_interface_assets checks
  • src/codex_plugin_scanner/checks/operational_security.py - New module: SHA pinning, write-all, privileged checkout, Dependabot, lockfile checks
  • src/codex_plugin_scanner/checks/security.py - Added MCP transport hardening with loopback validation
  • src/codex_plugin_scanner/checks/skill_security.py - Formatting cleanup
  • src/codex_plugin_scanner/cli.py - Removed duplicate format_text, added new CLI options
  • src/codex_plugin_scanner/integrations/cisco_skill_scanner.py - Python 3.10 enum compat
  • src/codex_plugin_scanner/models.py - Python 3.10 enum compat
  • src/codex_plugin_scanner/reporting.py - Added SARIF output, formatting cleanup
  • src/codex_plugin_scanner/scanner.py - Added Operational Security category
  • tests/fixtures/good-plugin/.codex-plugin/plugin.json - Updated test fixture
  • tests/fixtures/good-plugin/assets/ - New test asset fixtures
  • tests/test_cli.py - Updated tests
  • tests/test_integration.py - Updated tests (deterministic max-points test)
  • tests/test_live_cisco_smoke.py - Updated tests
  • tests/test_manifest.py - New tests for interface checks
  • tests/test_operational_security.py - New tests for opsec checks
  • tests/test_scanner.py - Updated tests
  • tests/test_security.py - Updated tests for MCP transport

Reviewed by mimo-v2-pro-20260318 · Incremental review of commit 5441d5e


Reviewed by mimo-v2-pro-20260318 · 165,741 tokens
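
The loopback and fail-closed behaviour listed as resolved issues 1 and 2 in the review above, shown as an added example that is not part of the PR or the scanner's own code. The function names, the "url" key, the sample config and the EXAMPLE_INSECURE_TRANSPORT finding id are assumptions made for illustration; only MCP_CONFIG_INVALID_JSON and the use of ipaddress.ip_address().is_loopback come from the page.

```python
import ipaddress
import json
from urllib.parse import urlsplit


def is_loopback_host(host: str) -> bool:
    """True for localhost and any loopback IP literal (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name or junk: never assumed to be local


def find_urls(node):
    """Yield string values stored under a "url" key (key name is an assumption)."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "url" and isinstance(value, str):
                yield value
            else:
                yield from find_urls(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_urls(item)


def check_mcp_config(text: str):
    """Return (passed, findings); a config that does not parse fails closed."""
    try:
        config = json.loads(text)
    except json.JSONDecodeError:
        return False, ["MCP_CONFIG_INVALID_JSON"]
    findings = []
    for url in find_urls(config):
        parts = urlsplit(url)
        if parts.scheme != "https" and not is_loopback_host(parts.hostname or ""):
            # Placeholder finding id for this example, not the scanner's own.
            findings.append(f"EXAMPLE_INSECURE_TRANSPORT:{url}")
    return not findings, findings


# Constructed sample config (server names and URLs are made up).
SAMPLE = json.dumps({"mcpServers": {
    "local": {"url": "http://127.0.0.53:8080/mcp"},
    "v6": {"url": "http://[::1]:9000/mcp"},
    "remote": {"url": "http://mcp.example.com/sse"},
    "ok": {"url": "https://mcp.example.com/mcp"},
}})
```

A string comparison against 127.0.0.1 would have flagged the 127.0.0.53 and ::1 entries in the sample, while a prefix match on "127." would have accepted a hostname such as 127.0.0.1.example.com.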

kantorcodes force-pushed the feat/prd-v1-2-operational-hardening branch from 3d122db to 90b6f7d, March 29, 2026 18:28
Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>
kantorcodes force-pushed the feat/prd-v1-2-operational-hardening branch from 1be038f to eee5baa, March 29, 2026 21:46
Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>
Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>
Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>
kantorcodes merged commit 0962861 into main Mar 30, 2026
8 checks passed
kantorcodes added a commit that referenced this pull request Mar 30, 2026
…-hardening

feat: complete v1.2 operational hardening PRD