fix: skip test-only plugin install scan findings

2026-05-06 13:10:43 +00:00 · 2026-04-27 15:00:50 +01:00
parent 82b4049744
commit d69eeeb2a8
6 changed files with 133 additions and 3 deletions
--- a/docs/tools/plugin.md
+++ b/docs/tools/plugin.md
@@ -412,6 +412,10 @@ marketplace installs persist marketplace source metadata instead of an npm spec.
 positives from the built-in dangerous-code scanner. It allows plugin installs
 and plugin updates to continue past built-in `critical` findings, but it still
 does not bypass plugin `before_install` policy blocks or scan-failure blocking.
+Install scans ignore common test files and directories such as `tests/`,
+`__tests__/`, `*.test.*`, and `*.spec.*` to avoid blocking packaged test mocks;
+declared plugin runtime entrypoints are still scanned even if they use one of
+those names.

 This CLI flag applies to plugin install/update flows only. Gateway-backed skill
 dependency installs use the matching `dangerouslyForceUnsafeInstall` request