feat(cli): route hol-guard binary to combined mode for scanner+guard commands

[kantorcodes]

Summary

• Re-classify hol-guard binary as "combined" CLI mode instead of guard-only
• Scanner commands (scan, lint, verify, submit, doctor) now work via hol-guard scan --format json
• Guard subcommands (detect, install, run, status, etc.) auto-route via guard detect in combined mode
• Guard's own scan subcommand is distinguished from scanner scan by the presence of --format flag
• Adds hol-guard skill for Droid CLI integration and hol-guard-runner custom droid for headless delegation
• Includes end-to-end test script (tests/test_droid_exec_e2e.py) that runs scanner+guard+droid exec headlessly against common test fixtures

Testing

cd hol-guard
GUARD_PREFLIGHT_DISABLE=1 GUARD_PRE_SCAN_DISABLE=1 python3 tests/test_droid_exec_e2e.py

All 11 test cases pass (scanner: 6/6, guard: 3/3, droid exec: 2/2).

Notes

• The e2e test script detects guard preflight interference and falls back to python3 -m codex_plugin_scanner.cli scan for the scanner surface, ensuring the tests validate both paths

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

[gemini-code-assist]

Code Review

This pull request introduces documentation for the HOL Guard headless runner and skills, refines CLI routing for guard subcommands, and adds an end-to-end test suite. However, several issues were identified in the review: a critical bug in CLI argument resolution where argv=None bypasses routing logic, an ignored cwd parameter in the test runner's run helper, and potential masking of test failures during JSON decoding errors.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[greptile-apps]

Greptile Summary

This PR re-classifies the hol-guard binary from guard-only to combined mode, enabling scanner commands (scan, lint, verify, submit, doctor) and guard subcommands to both route correctly through a single entry point. The change also adds a hol-guard Droid skill, an hol-guard-runner custom droid, and an end-to-end test script.

• cli.py: hol-guard removed from _is_guard_program, routing it to combined mode; a new _guard_subcommands set auto-prefixes unrecognized guard commands with guard; _run_scan now defaults plugin_dir to \".\" via getattr; and argv or sys.argv[1:] ensures legacy-arg resolution is applied to real CLI invocations.
• tests/e2e_droid_exec.py: New headless e2e test script covering scanner, guard, and droid exec flows, now with proper sys.exit(1) on failure.
• .factory/: New hol-guard skill and hol-guard-runner droid definitions for Droid CLI integration.

Confidence Score: 5/5

The routing changes are well-scoped and the production CLI path is safe to merge.

The core cli.py changes correctly implement combined-mode routing and fix a pre-existing bug where legacy-arg resolution was never applied on normal CLI invocations. The issues found are limited to the e2e test helper and do not affect production behaviour.

tests/e2e_droid_exec.py warrants a second look for the FileNotFoundError crash path and the filename mismatch with the PR description.

Important Files Changed

Filename	Overview
src/codex_plugin_scanner/cli.py	Core routing changes: hol-guard re-classified as combined mode, _guard_subcommands set added for auto-routing, _run_scan defaulted to '.' for missing plugin_dir; hook appears in both the line-199 early return and _guard_subcommands making the latter entry unreachable.
tests/e2e_droid_exec.py	New e2e test script with sys.exit(1) on failure; test_droid_exec() calls subprocess.run without catching FileNotFoundError, causing an unhandled exception crash when droid is absent from PATH; PR description also references a different filename than what was committed.
.factory/droids/hol-guard-runner.md	New droid definition for headless HOL Guard execution; documents correct fixture paths matching the codebase.
.factory/skills/hol-guard/SKILL.md	New Droid CLI skill definition documenting scanner and guard operations; contents align with the combined-mode CLI changes.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[hol-guard invoked] --> B{program name?}
    B -->|plugin-guard| C[mode = guard]
    B -->|plugin-scanner| E[mode = scanner]
    B -->|hol-guard or other| F[mode = combined NEW]
    C --> G[_resolve_legacy_args]
    E --> G
    F --> G
    G --> H{argv 0 value}
    H -->|hook| I[early return to guard hook]
    H -->|hermes| J[early return to guard hermes legacy]
    H -->|scan lint verify submit doctor| K[argv unchanged scanner wins]
    H -->|guard subcommand no format flag| L[prepend guard to argv]
    H -->|other| M{default to scan target?}
    M -->|yes| N[prepend scan to argv]
    M -->|no| O[argv unchanged]
    I --> P[parser.parse_args]
    J --> P
    K --> P
    L --> P
    N --> P
    O --> P
    P --> Q{args.command}
    Q -->|None or scan| R[_run_scan defaults plugin dir to dot]
    Q -->|lint verify submit doctor| S[respective handler]
    Q -->|guard| T[run_guard_command]

Loading

_{Reviews (4): Last reviewed commit: "feat(cli): route hol-guard binary to com..." | Re-trigger Greptile}