From e8e678b9b0628194e6e1c6c97916956ab7417feb Mon Sep 17 00:00:00 2001
From: Mickael Farina <farina.mickael@gmail.com>
Date: Mon, 18 May 2026 01:07:25 +0200
Subject: [PATCH 1/2] fix(security): AppleScript injection fixes + plugin trust
 hardening (D-13, D-18, D-21)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes three audit findings that share a "untrusted input crosses a trust
boundary" pattern, even though the surfaces differ:

- D-13 (MEDIUM): AppleScript injection in imessage_send recipient field
- D-21 (LOW): AppleScript injection in do_screenshot_question OCR ctx
- D-18 (MEDIUM): plugin hooks have full Python privileges with no isolation

## D-13 — imessage_send recipient validation

_validate_recipient enforces strict phone/email regex before any
AppleScript interpolation. Phone: ^\+?[1-9]\d{9,14}$ (E.164-ish).
Email: ^[\w.+\-]+@[\w\-]+(?:\.[\w\-]+)+$. Both anchored, length cap
254 (RFC 5321). Quotes, newlines, tabs, carriage returns, backslashes
all rejected — the audit's documented breakout
(`xx@x.com" of targetService\nactivate application "Calculator"...`)
fails the regex. Audit emit `imessage_send_blocked` on refusal.
Text body escape extended to cover `\\`, `\"`, `\r`, `\n`, `\t`.

## D-21 — do_screenshot_question argv binding

The OCR summary is no longer interpolated into the AppleScript source.
The new pattern uses `on run argv` + `item 1 of argv`: Python passes
the body as `osascript -e <script> <body>`, AppleScript reads it from
argv[1] inside the script handler. Adversarial OCR text like
`"\n display dialog "PWNED"` arrives as a literal AppleScript string,
not as additional script source — cannot escape the variable context.

## D-18 — Plugin SHA-256 allowlist + thread-timeout

Three layers:

1. SHA-256 allowlist gate. ~/.codec/plugins.allowlist (0600, atomic
   write) keys plugins by basename. PluginRegistry.get_fn computes
   the file's current SHA-256 and refuses to call exec_module if
   the hash isn't in the allowlist OR has changed. Refusal emits
   `plugin_load_blocked` with reason and optional AST `detail`.

2. Daemon-thread timeout. Every hook fire runs inside
   threading.Thread(daemon=True) with hard timeout (default 500ms,
   configurable via plugin_hook_timeout_ms). On timeout: emit
   `plugin_hook_timeout`, return None, calling thread continues.

3. Grandfather migration. First scan() after PR-2F with no allowlist
   file present seeds it with current hashes of all existing plugins
   (approved_by: "initial_migration"). Idempotent.

Allowlist IS the trust decision; AST is only consulted to enrich the
refusal audit emit. Same pattern as PR-1A's skills/.manifest.json.
self_improve.py imports os/subprocess (would fail AST) but its hash
is in the allowlist so it loads.

New operator-only skill: `plugin_approve <filename.py>` writes the
allowlist entry. SKILL_MCP_EXPOSE=False — claude.ai cannot extend
the plugin trust boundary.

## Refactor: per-registry allowlist path

PluginRegistry now owns its allowlist_path attribute (derived from
plugins_dir's parent by default). Tests pointing at tmp plugins dirs
get tmp allowlists — no pollution of the operator's real allowlist.

## Tests

53 new tests across three files:
- tests/test_imessage_send.py (32): regex accepts/rejects, escape,
  audit emit on refusal, no-subprocess-call on invalid recipient
- tests/test_screenshot_question.py (4): source invariant, runtime
  argv binding, adversarial OCR safety
- tests/test_plugin_registry.py (17): allowlist gate, hash mismatch,
  AST detail in refusal audit, grandfather migration idempotent,
  approve_plugin path traversal rejection, hook timeout + emit,
  source-level invariants

146 PR-2-related tests pass; 24 pre-existing failures unchanged.

AGENTS.md §3 + §10 + docs/audits/PHASE-1-SECURITY.md + docs/audits/
PHASE-1-CONSOLIDATED-TRIAGE.md updated with closure documentation.

Reference: docs/audits/PHASE-1-SECURITY.md findings D-13, D-18, D-21.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 AGENTS.md                                  |  12 +-
 codec.py                                   |  32 +-
 codec_hooks.py                             | 493 +++++++++++++++++++--
 docs/audits/PHASE-1-CONSOLIDATED-TRIAGE.md |   2 +-
 docs/audits/PHASE-1-SECURITY.md            |  16 +
 skills/.manifest.json                      |   3 +-
 skills/imessage_send.py                    |  77 +++-
 skills/plugin_approve.py                   |  68 +++
 tests/test_imessage_send.py                | 230 ++++++++++
 tests/test_plugin_registry.py              | 440 ++++++++++++++++++
 tests/test_screenshot_question.py          | 140 ++++++
 11 files changed, 1472 insertions(+), 41 deletions(-)
 create mode 100644 skills/plugin_approve.py
 create mode 100644 tests/test_imessage_send.py
 create mode 100644 tests/test_plugin_registry.py
 create mode 100644 tests/test_screenshot_question.py

diff --git a/AGENTS.md b/AGENTS.md
index 2dab16f..0cc61c2 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -93,9 +93,15 @@ CODEC supports user-authored Python plugins at `~/.codec/plugins/*.py` that regi
 
 **Audit:** every successful hook fire emits `hook_fired`; plugin-internal exceptions emit `hook_error` with `level="warning"` (operation still succeeded). `correlation_id` inherits from the wrapping operation per Step 1 §1.4 — never regenerated.
 
-**Trust model:** local Python files curated by the user. No marketplace, no auto-install, no inter-plugin sandbox. Same trust model as skills.
+**Trust model (PR-2F, closes D-18):** local Python files curated by the user, plus a SHA-256 allowlist gate + daemon-thread timeout. Same chokepoint pattern as PR-1A's `skills/.manifest.json` for skills:
 
-Implementation: `codec_hooks.py` (run_with_hooks + PluginRegistry), wired into `codec_dispatch.py:run_skill` (covers wake-word + chat pre-LLM + chat post-LLM tag), `codec_agents.py:Agent.run` (crew), `codec_voice.py:dispatch_skill` (voice WebSocket), `codec_mcp.py:tool_fn` (MCP stdio + HTTP). Voice WebSocket also fires `emit_operation_start` / `emit_operation_end` from `VoicePipeline.run` start/finally.
+- **`~/.codec/plugins.allowlist`** (JSON, 0600, atomic-write) keys plugins by basename → `{sha256, approved_at, approved_by}`. `PluginRegistry.get_fn` computes the file's current SHA-256 and refuses to call `exec_module` if the hash isn't in the allowlist OR has changed. Refusal → `plugin_load_blocked` audit (`reason ∈ {not_in_allowlist, hash_mismatch, file_unreadable}`, optional `detail` field with the AST result from `is_dangerous_skill_code` for forensic clarity).
+- **Allowlist IS the trust decision, AST IS NOT.** The same pattern as PR-1A: a plugin that imports `subprocess` (e.g. `self_improve.py`) would fail the AST check, but its hash is in the allowlist so it loads. AST is only consulted to enrich the audit emit for refused plugins.
+- **Grandfather migration.** First `scan()` after PR-2F lands with no allowlist file present + plugins in `~/.codec/plugins/*.py` writes their current hashes to the allowlist with `approved_by: "initial_migration"` + emits `plugin_allowlist_migrated`. Idempotent — subsequent scans no-op.
+- **Daemon-thread timeout.** Every hook fire runs inside `threading.Thread(daemon=True)` with a hard timeout (default 500ms, configurable via `~/.codec/config.json:plugin_hook_timeout_ms`). On timeout: `plugin_hook_timeout` audit, return `None`, calling thread continues. Daemon=True so process shutdown isn't blocked.
+- **Operator approval flow.** New skill `plugin_approve` (`SKILL_MCP_EXPOSE=False`) — invoked via chat "approve plugin newhook.py" — computes the file's SHA-256, writes the allowlist entry with `approved_by: "operator"`, clears any prior refusal cache, emits `plugin_approved`. The skill is NEVER MCP-exposed (claude.ai can't extend the plugin trust boundary).
+
+Implementation: `codec_hooks.py` (run_with_hooks + PluginRegistry — now owns its `allowlist_path` for per-test isolation), wired into `codec_dispatch.py:run_skill` (covers wake-word + chat pre-LLM + chat post-LLM tag), `codec_agents.py:Agent.run` (crew), `codec_voice.py:dispatch_skill` (voice WebSocket), `codec_mcp.py:tool_fn` (MCP stdio + HTTP). Voice WebSocket also fires `emit_operation_start` / `emit_operation_end` from `VoicePipeline.run` start/finally.
 
 ### AskUserQuestion + stuck detection + step budget (Phase 1 Step 3)
 
@@ -818,6 +824,8 @@ These zones break running infrastructure if changed without coordination. NEVER
 - `~/.codec/oauth_state.json` — clearing this invalidates ALL claude.ai connections; touch only after explicit user OK + `pm2 restart codec-mcp-http`
 - Keychain entry `ai.avadigital.codec.internal_token` (Phase 1 Wave 2, PR-2D) — deleting forces a full token regen across every CODEC daemon. Heartbeat / scheduler / skills miss for ≤30s while their cache misses; `internal_token_autogenerated` audits emit. Use only for rotation. The legacy `X-Internal: codec` literal header is no longer recognized anywhere in `AuthMiddleware` — restoring it would re-open D-11.
 - Keychain entry `ai.avadigital.codec.audit_hmac_secret` (Phase 1 Wave 2, PR-2E) — backs HMAC-SHA256 signing of `~/.codec/audit.log`. Deleting it forces a fresh bootstrap on next write; subsequent `verify_audit_log()` will count lines signed by the OLD secret as `broken` (stdlib WARNING at bootstrap time tells the operator). Rotate only as part of a planned forensic cycle (export the old log first via the verify utility). NEVER call `codec_audit.log_event` from inside `codec_keychain.get_audit_hmac_secret()` — circular write path → deadlock on the non-reentrant `_LOCK`. The silent bootstrap path in PR-2E exists exactly to avoid this.
+- `~/.codec/plugins.allowlist` (Phase 1 Wave 2, PR-2F) — SHA-256 allowlist that gates plugin loading. Deleting it forces every plugin in `~/.codec/plugins/` to fall through grandfather migration on next scan, which re-adds them all with `approved_by: "initial_migration"` — effectively a "trust everything currently in the dir again" reset. Use cautiously: if a malicious file is in the plugins dir at the time of deletion, the migration grandfathers it too. Atomic-write contract — never hand-edit; use the `plugin_approve` skill (operator-only, `SKILL_MCP_EXPOSE=False`) or `codec_hooks.approve_plugin(filename)`. File perms enforced at 0600.
+- `~/.codec/config.json:plugin_hook_timeout_ms` (Phase 1 Wave 2, PR-2F) — default 500ms. Lower than ~50ms and legitimate hooks (notably the synchronous body of `self_improve.py`'s `on_operation_end`, which does a snapshot + daemon-thread spawn) start tripping the timeout. Higher than ~2000ms reintroduces DoS risk via a malicious hook blocking the calling thread. Keep in the [100, 1000] band unless surfaced.
 - `~/.codec/audit.log` (Phase 1 Wave 2, PR-2E) — tampering with existing lines or appending forged lines is detected by HMAC verification (`verify_audit_log()` / `audit_verify` skill). Whole-line deletion is **NOT** detected by per-line HMAC (documented limitation of Q5=a — hash-chain considered too fragile on rotation). File perms enforced at 0600. Direct edits via shell are technically possible but observable post-hoc; do not edit by hand.
 - `~/.codec/pending_questions.json` (Phase 1 Step 3) — direct edits race in-flight `threading.Event` waiters; agents will hang or skip answers. Use `POST /api/agents/answer/{qid}` or `codec_ask_user.submit_answer()` instead.
 - `~/.codec/voice_session.json` (Phase 1 Step 3) — voice-session active-marker; `VoicePipeline.run` owns its lifecycle.
diff --git a/codec.py b/codec.py
index 37164b1..060475f 100644
--- a/codec.py
+++ b/codec.py
@@ -797,16 +797,30 @@ def do_screenshot_question():
         push(lambda: show_overlay('Screenshot failed', '#ff3333', 2000))
         return
     print(f"[CODEC] Screenshot captured ({len(ctx)} chars)")
-    # Show brief summary of what was captured, then open question dialog
-    summary = ctx[:120].replace('"', '\\"').replace('\n', ' ')
+    # PR-2F (closes D-21): pass the OCR summary as an osascript ARGV argument
+    # rather than interpolating it into the script source. AppleScript reads
+    # `summary` from `item 1 of argv` — NO string interpolation means an
+    # adversarial OCR result (`"\n display dialog "PWNED"`) is treated as
+    # literal text by AppleScript and cannot break out of the string context.
+    summary = ctx[:120]
+    body = f"I captured your screen:\n\n{summary}…\n\nWhat would you like to know about it?"
+    script = (
+        'on run argv\n'
+        '  set bodyText to item 1 of argv\n'
+        '  tell application "System Events"\n'
+        '    set frontmost of first process whose frontmost is true to true\n'
+        '  end tell\n'
+        '  set t to text returned of (display dialog bodyText '
+        'default answer "" with title "CODEC Screenshot" '
+        'buttons {"Cancel","Ask"} default button "Ask")\n'
+        '  return t\n'
+        'end run'
+    )
     try:
-        r = subprocess.run(["osascript", "-e",
-            f'tell application "System Events"\nset frontmost of first process whose frontmost is true to true\nend tell\n'
-            f'set t to text returned of (display dialog '
-            f'"I captured your screen:\\n\\n{summary}…\\n\\nWhat would you like to know about it?" '
-            f'default answer "" with title "CODEC Screenshot" '
-            f'buttons {{"Cancel","Ask"}} default button "Ask")'],
-            capture_output=True, text=True, timeout=120)
+        r = subprocess.run(
+            ["osascript", "-e", script, body],
+            capture_output=True, text=True, timeout=120,
+        )
         question = r.stdout.strip()
         if question:
             task = question + " [SCREEN CONTEXT: " + ctx[:800] + "]"
diff --git a/codec_hooks.py b/codec_hooks.py
index e0ca8cd..8212712 100644
--- a/codec_hooks.py
+++ b/codec_hooks.py
@@ -22,13 +22,18 @@
 from __future__ import annotations
 
 import ast
+import hashlib
 import importlib.util
+import json
 import logging
 import os
+import queue
+import stat
 import threading
 import time
 from dataclasses import dataclass, field, replace
 from datetime import datetime, timezone
+from pathlib import Path
 from typing import Any, Callable, Dict, List, Optional, Union
 
 from codec_audit import log_event as _log_event, _PREVIEW_MAX, _truncate
@@ -37,6 +42,27 @@
 
 # ── Storage ────────────────────────────────────────────────────────────────────
 _PLUGINS_DIR_DEFAULT = os.path.expanduser("~/.codec/plugins")
+_PLUGINS_ALLOWLIST_DEFAULT = os.path.expanduser("~/.codec/plugins.allowlist")
+
+# PR-2F (D-18): hook timeout default. Set high enough not to false-positive on
+# legitimate hooks (self_improve.py's on_operation_end does a buffer snapshot +
+# spawns a daemon thread for the slow Qwen call — synchronous body is <10ms).
+# Operator can override via ~/.codec/config.json:plugin_hook_timeout_ms.
+_HOOK_TIMEOUT_DEFAULT_S = 0.5
+
+
+def _hook_timeout_seconds() -> float:
+    """Read the hook timeout from config. Falls through to default on any
+    error. Read lazily so config changes take effect on next hook fire
+    (no restart needed for tuning)."""
+    try:
+        from codec_config import cfg
+        ms = cfg.get("plugin_hook_timeout_ms", _HOOK_TIMEOUT_DEFAULT_S * 1000)
+        if isinstance(ms, (int, float)) and ms > 0:
+            return float(ms) / 1000.0
+    except Exception:
+        pass
+    return _HOOK_TIMEOUT_DEFAULT_S
 
 # Lifecycle hook names. AST discovery looks for top-level def's matching
 # any of these. Plugins implement any subset.
@@ -69,6 +95,285 @@
 _PLUGIN_FILE_SUFFIX = ".py"
 
 
+# ── PR-2F (D-18): SHA-256 allowlist + AST gate ────────────────────────────────
+#
+# Plugins are local Python with full process privileges. Before PR-2F, any
+# file dropped into ~/.codec/plugins/*.py would auto-load on next restart.
+# Now a plugin's SHA-256 must be in `~/.codec/plugins.allowlist` (operator-
+# managed) before `spec.loader.exec_module` runs. Mirrors PR-1A's hash-pinned
+# `skills/.manifest.json` chokepoint: hash-pinned trust IS the security
+# decision, not the AST check.
+#
+# AST check (via `codec_config.is_dangerous_skill_code`) is still run when
+# the file is NOT in the allowlist — but only to enrich the `plugin_load_blocked`
+# audit event with a specific reason ("ast_dangerous: subprocess.run" vs
+# "not_in_allowlist"). Either reason → refuse. Both checks must pass for a
+# plugin to load — hash match OR (well, the hash match alone is sufficient;
+# AST is only run when hash misses, for forensic clarity).
+#
+# Migration: existing plugins at `~/.codec/plugins/*.py` on first run after
+# PR-2F are grandfathered — their current hashes are written to the
+# allowlist with `approved_by: "initial_migration"` and an `info`-level
+# audit event. This avoids surprising the operator on upgrade.
+
+_ALLOWLIST_LOCK = threading.Lock()
+
+
+def _default_allowlist_path_for(plugins_dir: str) -> str:
+    """Derive the allowlist path from the plugins dir. Production:
+    `~/.codec/plugins/` → `~/.codec/plugins.allowlist`. Tests pointing
+    at a tmp plugins dir get a sibling allowlist in the same tmp tree,
+    so they don't touch the operator's real allowlist file."""
+    parent = os.path.dirname(os.path.abspath(plugins_dir.rstrip(os.sep)))
+    return os.path.join(parent, "plugins.allowlist")
+
+
+def _allowlist_path_for(plugins_dir: str) -> Path:
+    """Resolved allowlist path for a given plugins dir."""
+    return Path(_default_allowlist_path_for(plugins_dir))
+
+
+def _read_allowlist(path: Optional[Path] = None) -> Dict[str, Dict[str, Any]]:
+    """Load the allowlist as a dict keyed by plugin filename. Returns {} on
+    any error (missing file, parse error, wrong shape) — fail-closed: no
+    file = no allowed plugins."""
+    p = path if path is not None else Path(_PLUGINS_ALLOWLIST_DEFAULT)
+    if not p.exists():
+        return {}
+    try:
+        raw = p.read_text(encoding="utf-8")
+        obj = json.loads(raw)
+        if not isinstance(obj, dict):
+            log.warning("[plugins] allowlist root is not a dict; treating as empty")
+            return {}
+        # Validate shape — each entry must have a sha256 hex string.
+        clean: Dict[str, Dict[str, Any]] = {}
+        for fname, entry in obj.items():
+            if not isinstance(entry, dict):
+                continue
+            h = entry.get("sha256")
+            if isinstance(h, str) and len(h) == 64 and all(c in "0123456789abcdef" for c in h.lower()):
+                clean[fname] = entry
+        return clean
+    except (OSError, json.JSONDecodeError) as e:
+        log.warning("[plugins] allowlist read failed: %s", e)
+        return {}
+
+
+def _write_allowlist(allowlist: Dict[str, Dict[str, Any]],
+                     path: Optional[Path] = None) -> bool:
+    """Atomic-write the allowlist with 0600 perms. Returns True on success."""
+    p = path if path is not None else Path(_PLUGINS_ALLOWLIST_DEFAULT)
+    try:
+        p.parent.mkdir(parents=True, exist_ok=True)
+        tmp = p.with_suffix(p.suffix + ".tmp")
+        tmp.write_text(json.dumps(allowlist, indent=2, sort_keys=True),
+                       encoding="utf-8")
+        os.chmod(tmp, stat.S_IRUSR | stat.S_IWUSR)
+        os.replace(tmp, p)
+        try:
+            os.chmod(p, stat.S_IRUSR | stat.S_IWUSR)
+        except OSError:
+            pass
+        return True
+    except OSError as e:
+        log.warning("[plugins] allowlist write failed: %s", e)
+        return False
+
+
+def _file_sha256(path: str) -> Optional[str]:
+    """SHA-256 hex digest of file contents. None on read error."""
+    try:
+        with open(path, "rb") as f:
+            return hashlib.sha256(f.read()).hexdigest()
+    except OSError:
+        return None
+
+
+def _maybe_grandfather_existing_plugins(plugins_dir: str,
+                                          allowlist_path: Optional[Path] = None) -> None:
+    """One-shot migration: if no allowlist file exists yet AND the plugins
+    dir has .py files, write their current hashes to the allowlist with
+    `approved_by: "initial_migration"`. Idempotent — runs once at the
+    upgrade boundary, then becomes a no-op.
+
+    `allowlist_path` defaults to the sibling of `plugins_dir` (i.e.
+    `<dirname(plugins_dir)>/plugins.allowlist`) so tests pointing at a
+    tmp plugins dir get a tmp allowlist, not the real one."""
+    if allowlist_path is None:
+        allowlist_path = _allowlist_path_for(plugins_dir)
+    if allowlist_path.exists():
+        return
+    if not os.path.isdir(plugins_dir):
+        return
+    pys = [f for f in os.listdir(plugins_dir)
+           if f.endswith(_PLUGIN_FILE_SUFFIX) and not f.startswith("_")]
+    if not pys:
+        # No plugins to grandfather — still create an empty allowlist so
+        # subsequent loads don't re-attempt migration on every restart.
+        _write_allowlist({}, allowlist_path)
+        return
+    seed: Dict[str, Dict[str, Any]] = {}
+    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
+    for fname in pys:
+        fpath = os.path.join(plugins_dir, fname)
+        h = _file_sha256(fpath)
+        if h is None:
+            continue
+        seed[fname] = {
+            "sha256": h,
+            "approved_at": now,
+            "approved_by": "initial_migration",
+        }
+    if _write_allowlist(seed, allowlist_path):
+        log.info("[plugins] grandfathered %d existing plugin(s) into allowlist", len(seed))
+        try:
+            _log_event(
+                "plugin_allowlist_migrated", "codec-hooks",
+                f"grandfathered {len(seed)} plugin(s)",
+                extra={"plugin_count": len(seed), "filenames": sorted(seed.keys())},
+                level="info", outcome="ok",
+            )
+        except Exception:
+            pass
+
+
+def _is_plugin_allowed(filepath: str,
+                       allowlist_path: Optional[Path] = None) -> tuple[bool, str]:
+    """Return (allowed, reason). `allowed` True only if the file's current
+    SHA-256 matches an entry in the allowlist keyed by basename. Tamper
+    detection: a previously-approved plugin whose content changed will
+    have a hash mismatch and be refused until re-approved."""
+    if allowlist_path is None:
+        allowlist_path = _allowlist_path_for(os.path.dirname(filepath))
+    fname = os.path.basename(filepath)
+    h = _file_sha256(filepath)
+    if h is None:
+        return False, "file_unreadable"
+    allowlist = _read_allowlist(allowlist_path)
+    entry = allowlist.get(fname)
+    if entry is None:
+        return False, "not_in_allowlist"
+    if entry.get("sha256") != h:
+        return False, "hash_mismatch"
+    return True, ""
+
+
+def _emit_plugin_load_blocked(plugin_name: str, filepath: str,
+                              reason: str, extra_detail: str = "") -> None:
+    """Audit emit for plugin load refusal. Fire-and-forget."""
+    extra: Dict[str, Any] = {
+        "plugin_name": plugin_name,
+        "plugin_path": filepath,
+        "reason": reason,
+    }
+    if extra_detail:
+        extra["detail"] = extra_detail[:200]
+    try:
+        _log_event(
+            "plugin_load_blocked", "codec-hooks",
+            f"Plugin {plugin_name!r} refused: {reason}",
+            extra=extra,
+            level="warning", outcome="error",
+        )
+    except Exception:
+        pass
+
+
+# ── PR-2F (D-18): thread-with-timeout for hook execution ───────────────────────
+#
+# Before PR-2F, hook functions ran in the calling thread. A slow / malicious
+# `pre_tool` could block the entire chat / voice / crew turn. Now every hook
+# fires inside a daemon thread with a hard timeout (default 500ms, configurable
+# via `~/.codec/config.json:plugin_hook_timeout_ms`). On timeout, the calling
+# thread receives a sentinel and the audit log records `plugin_hook_timeout`.
+# The daemon thread keeps running in the background; daemon=True means it
+# doesn't block process shutdown.
+
+
+class _HookTimedOut:
+    """Sentinel returned by `_run_hook_with_timeout` when the timeout
+    elapsed. Distinct from None (which means "no return"); callers check
+    `isinstance(result, _HookTimedOut)` to decide whether to log timeout."""
+    __slots__ = ("hook_name", "plugin_name", "timeout_s")
+
+    def __init__(self, *, hook_name: str, plugin_name: str, timeout_s: float):
+        self.hook_name = hook_name
+        self.plugin_name = plugin_name
+        self.timeout_s = timeout_s
+
+
+def _run_hook_with_timeout(
+    fn: Callable,
+    args: tuple,
+    *,
+    hook_name: str,
+    plugin_name: str,
+    timeout_s: Optional[float] = None,
+) -> tuple[Any, Optional[BaseException]]:
+    """Run `fn(*args)` in a daemon thread with a hard timeout. Returns
+    `(result, exception)`:
+      - on success → `(retval, None)`
+      - on hook exception → `(None, exception)` (caller emits hook_error)
+      - on timeout → `(_HookTimedOut(...), None)` (caller emits plugin_hook_timeout)
+    Never raises. The daemon thread keeps running on timeout; daemon=True
+    so process shutdown isn't blocked.
+    """
+    if timeout_s is None:
+        timeout_s = _hook_timeout_seconds()
+    result_q: "queue.Queue" = queue.Queue(maxsize=1)
+    exc_q: "queue.Queue" = queue.Queue(maxsize=1)
+
+    def _runner():
+        try:
+            result_q.put(fn(*args))
+        except BaseException as e:
+            try:
+                exc_q.put(e)
+            except Exception:
+                pass
+
+    t = threading.Thread(target=_runner, daemon=True,
+                          name=f"codec-hook:{plugin_name}.{hook_name}")
+    t.start()
+    t.join(timeout=timeout_s)
+
+    if t.is_alive():
+        # Abandon — thread keeps running but caller doesn't wait.
+        return _HookTimedOut(
+            hook_name=hook_name, plugin_name=plugin_name,
+            timeout_s=timeout_s,
+        ), None
+    if not exc_q.empty():
+        return None, exc_q.get_nowait()
+    if not result_q.empty():
+        return result_q.get_nowait(), None
+    return None, None
+
+
+def _emit_plugin_hook_timeout(plugin_name: str, hook_name: str,
+                              tool_name: Optional[str], transport: str,
+                              correlation_id: str, timeout_s: float) -> None:
+    """Audit emit for hook timeout. level=warning per Step 2 §7.5 contract
+    (operational signal, not operation failure)."""
+    try:
+        _log_event(
+            "plugin_hook_timeout", "codec-hooks",
+            f"plugin {plugin_name}.{hook_name} exceeded {timeout_s * 1000:.0f}ms",
+            extra={
+                "plugin_name": plugin_name,
+                "hook_name": hook_name,
+                "tool_name": tool_name,
+                "timeout_ms": int(timeout_s * 1000),
+            },
+            level="warning", outcome="error",
+            transport=transport, tool=tool_name or "",
+            correlation_id=correlation_id,
+        )
+    except Exception as e:
+        log.debug("plugin_hook_timeout emit failed: %s", e)
+
+
 # ── HookCtx + HookVeto ─────────────────────────────────────────────────────────
 @dataclass(frozen=True)
 class HookCtx:
@@ -212,8 +517,14 @@ class PluginRegistry:
     Exposed for tests; production uses the module-level _registry instance.
     """
 
-    def __init__(self, plugins_dir: str):
+    def __init__(self, plugins_dir: str,
+                 allowlist_path: Optional[str] = None):
         self.plugins_dir = plugins_dir
+        # PR-2F: each registry owns its allowlist path. Default derives from
+        # plugins_dir's parent, so tests with tmp plugins dirs get a tmp
+        # allowlist (no pollution of the operator's real ~/.codec/plugins.allowlist).
+        self.allowlist_path = Path(allowlist_path or
+                                     _default_allowlist_path_for(plugins_dir))
         # Sort key: (priority asc, filename asc) per §5.1
         self._plugins: List[_PluginMeta] = []
         # name → loaded module (populated on first fire)
@@ -223,7 +534,13 @@ def __init__(self, plugins_dir: str):
         self._lock = threading.Lock()
 
     def scan(self) -> int:
-        """AST-parse every plugin file; cache metadata. Cheap — no imports."""
+        """AST-parse every plugin file; cache metadata. Cheap — no imports.
+
+        PR-2F (D-18): runs the one-shot grandfather migration on first
+        encounter (no allowlist file + plugins dir has .py files →
+        seed allowlist with current hashes). Idempotent — once the
+        allowlist file exists, migration is a no-op."""
+        _maybe_grandfather_existing_plugins(self.plugins_dir, self.allowlist_path)
         plugins: List[_PluginMeta] = []
         if os.path.isdir(self.plugins_dir):
             for fname in sorted(os.listdir(self.plugins_dir)):
@@ -257,13 +574,46 @@ def for_hook(self, hook_name: str, tool_name: Optional[str] = None) -> List[_Plu
     def get_fn(self, plugin: _PluginMeta, hook_name: str) -> Optional[Callable]:
         """Lazy-load the plugin module and return the named hook function.
 
-        Returns None on import failure (plugin marked broken) or if the
-        function turns out to not be defined at runtime.
+        PR-2F (D-18): a two-stage gate runs BEFORE `exec_module`:
+          1. SHA-256 hash of the file must match an entry in
+             `~/.codec/plugins.allowlist` keyed by basename.
+          2. If the hash doesn't match (not in allowlist OR content changed),
+             also run `is_dangerous_skill_code` for forensic clarity in the
+             refusal audit event. Either way, refuse the load.
+
+        On refusal the plugin is marked broken and `plugin_load_blocked`
+        is emitted with the specific reason. Returns None.
+
+        On success the module is cached for the process lifetime.
         """
         if plugin.name in self._broken:
             return None
         mod = self._modules.get(plugin.name)
         if mod is None:
+            # ── Two-stage trust gate ──
+            allowed, reason = _is_plugin_allowed(
+                plugin.file_path, self.allowlist_path)
+            if not allowed:
+                # Run AST check too, so the audit event captures the SPECIFIC
+                # dangerous pattern if there is one — helps the operator
+                # decide whether to approve the file.
+                detail = ""
+                try:
+                    with open(plugin.file_path, "r", encoding="utf-8",
+                              errors="ignore") as f:
+                        src = f.read()
+                    from codec_config import is_dangerous_skill_code
+                    dangerous, ast_reason = is_dangerous_skill_code(src)
+                    if dangerous:
+                        detail = f"ast_dangerous: {ast_reason}"
+                except Exception:
+                    pass
+                _emit_plugin_load_blocked(
+                    plugin.name, plugin.file_path, reason, detail,
+                )
+                self._broken.add(plugin.name)
+                return None
+
             try:
                 import sys
                 module_name = f"codec_plugin_{plugin.name}"
@@ -282,7 +632,8 @@ def get_fn(self, plugin: _PluginMeta, hook_name: str) -> Optional[Callable]:
                     sys.modules.pop(module_name, None)  # roll back on failure
                     raise
                 self._modules[plugin.name] = mod
-                log.info("Lazy-loaded plugin: %s", plugin.name)
+                log.info("Lazy-loaded plugin: %s (sha256 allowlist-approved)",
+                         plugin.name)
             except Exception as e:
                 log.warning("Plugin import error (%s): %s", plugin.name, e)
                 self._broken.add(plugin.name)
@@ -387,25 +738,34 @@ def _emit_tool_vetoed(*, tool_name: str, transport: str, correlation_id: str,
 def _fire_one_pre_tool(plugin: _PluginMeta, ctx: HookCtx) -> Any:
     """Run one plugin's pre_tool. Returns None / dict / HookVeto / sentinel-skip.
 
-    Internal contract: on plugin exception, logs + emits hook_error and
-    returns None (skip — operation continues with unmutated state).
+    PR-2F (D-18): wrapped in daemon-thread timeout. On timeout, emits
+    `plugin_hook_timeout` audit and returns None (operation continues
+    with unmutated state — never block the calling thread on a slow plugin).
     """
     fn = _registry.get_fn(plugin, "pre_tool")
     if fn is None:
         return None
     plugin_ctx = replace(ctx, plugin_name=plugin.name)
     t0 = time.monotonic()
-    try:
-        ret = fn(plugin_ctx)
-    except BaseException as e:
-        elapsed = (time.monotonic() - t0) * 1000.0
+    ret, exc = _run_hook_with_timeout(
+        fn, (plugin_ctx,),
+        hook_name="pre_tool", plugin_name=plugin.name,
+    )
+    elapsed = (time.monotonic() - t0) * 1000.0
+    if isinstance(ret, _HookTimedOut):
+        _emit_plugin_hook_timeout(
+            plugin_name=plugin.name, hook_name="pre_tool",
+            tool_name=ctx.tool_name, transport=ctx.transport,
+            correlation_id=ctx.correlation_id, timeout_s=ret.timeout_s,
+        )
+        return None
+    if exc is not None:
         _emit_hook_error(
             plugin_name=plugin.name, hook_name="pre_tool",
             tool_name=ctx.tool_name, transport=ctx.transport,
-            correlation_id=ctx.correlation_id, duration_ms=elapsed, exc=e,
+            correlation_id=ctx.correlation_id, duration_ms=elapsed, exc=exc,
         )
         return None
-    elapsed = (time.monotonic() - t0) * 1000.0
     mutated = isinstance(ret, dict) and bool(ret)
     vetoed = isinstance(ret, HookVeto)
     if vetoed and ret.plugin_name is None:
@@ -421,22 +781,31 @@ def _fire_one_pre_tool(plugin: _PluginMeta, ctx: HookCtx) -> Any:
 
 
 def _fire_one_post_tool(plugin: _PluginMeta, ctx: HookCtx, result: str) -> Any:
+    """Run one plugin's post_tool. Wrapped in daemon-thread timeout (PR-2F)."""
     fn = _registry.get_fn(plugin, "post_tool")
     if fn is None:
         return None
     plugin_ctx = replace(ctx, plugin_name=plugin.name)
     t0 = time.monotonic()
-    try:
-        ret = fn(plugin_ctx, result)
-    except BaseException as e:
-        elapsed = (time.monotonic() - t0) * 1000.0
+    ret, exc = _run_hook_with_timeout(
+        fn, (plugin_ctx, result),
+        hook_name="post_tool", plugin_name=plugin.name,
+    )
+    elapsed = (time.monotonic() - t0) * 1000.0
+    if isinstance(ret, _HookTimedOut):
+        _emit_plugin_hook_timeout(
+            plugin_name=plugin.name, hook_name="post_tool",
+            tool_name=ctx.tool_name, transport=ctx.transport,
+            correlation_id=ctx.correlation_id, timeout_s=ret.timeout_s,
+        )
+        return None
+    if exc is not None:
         _emit_hook_error(
             plugin_name=plugin.name, hook_name="post_tool",
             tool_name=ctx.tool_name, transport=ctx.transport,
-            correlation_id=ctx.correlation_id, duration_ms=elapsed, exc=e,
+            correlation_id=ctx.correlation_id, duration_ms=elapsed, exc=exc,
         )
         return None
-    elapsed = (time.monotonic() - t0) * 1000.0
     mutated = isinstance(ret, str)
     _emit_hook_fired(
         plugin_name=plugin.name, hook_name="post_tool",
@@ -449,23 +818,32 @@ def _fire_one_post_tool(plugin: _PluginMeta, ctx: HookCtx, result: str) -> Any:
 
 def _fire_one_observe(plugin: _PluginMeta, hook_name: str, ctx: HookCtx,
                       *extra_args: Any) -> None:
-    """Run one observe-only hook (on_error / on_operation_*). Return ignored."""
+    """Run one observe-only hook (on_error / on_operation_*). Return ignored.
+    Wrapped in daemon-thread timeout (PR-2F)."""
     fn = _registry.get_fn(plugin, hook_name)
     if fn is None:
         return
     plugin_ctx = replace(ctx, plugin_name=plugin.name)
     t0 = time.monotonic()
-    try:
-        fn(plugin_ctx, *extra_args)
-    except BaseException as e:
-        elapsed = (time.monotonic() - t0) * 1000.0
+    ret, exc = _run_hook_with_timeout(
+        fn, (plugin_ctx, *extra_args),
+        hook_name=hook_name, plugin_name=plugin.name,
+    )
+    elapsed = (time.monotonic() - t0) * 1000.0
+    if isinstance(ret, _HookTimedOut):
+        _emit_plugin_hook_timeout(
+            plugin_name=plugin.name, hook_name=hook_name,
+            tool_name=ctx.tool_name, transport=ctx.transport,
+            correlation_id=ctx.correlation_id, timeout_s=ret.timeout_s,
+        )
+        return
+    if exc is not None:
         _emit_hook_error(
             plugin_name=plugin.name, hook_name=hook_name,
             tool_name=ctx.tool_name, transport=ctx.transport,
-            correlation_id=ctx.correlation_id, duration_ms=elapsed, exc=e,
+            correlation_id=ctx.correlation_id, duration_ms=elapsed, exc=exc,
         )
         return
-    elapsed = (time.monotonic() - t0) * 1000.0
     _emit_hook_fired(
         plugin_name=plugin.name, hook_name=hook_name,
         tool_name=ctx.tool_name, transport=ctx.transport,
@@ -646,6 +1024,68 @@ def emit_operation_end(
         _fire_one_observe(p, "on_operation_end", ctx)
 
 
+def approve_plugin(filename: str, *, approved_by: str = "operator") -> dict:
+    """Public API for the `plugin_approve` skill (PR-2F, D-18).
+
+    Resolves `filename` to `<plugins_dir>/<filename>`, computes its SHA-256,
+    writes/updates the entry in `~/.codec/plugins.allowlist`, and returns
+    a summary dict: `{ok, sha256, last8, filename, reason}`.
+
+    Caller MUST be the operator (the skill is `SKILL_MCP_EXPOSE=False`).
+    """
+    # Reject path traversal — only accept a basename
+    if "/" in filename or ".." in filename or filename.startswith("."):
+        return {"ok": False, "reason": "invalid_filename: must be a basename"}
+    if not filename.endswith(_PLUGIN_FILE_SUFFIX):
+        return {"ok": False, "reason": f"must end with {_PLUGIN_FILE_SUFFIX}"}
+
+    # Use the singleton registry's plugins_dir + allowlist_path so the
+    # operator can wire in a custom registry (tests do).
+    plugins_dir = _registry.plugins_dir
+    allowlist_path = _registry.allowlist_path
+
+    fpath = os.path.join(plugins_dir, filename)
+    if not os.path.exists(fpath):
+        return {"ok": False, "reason": f"plugin file not found: {filename}"}
+
+    h = _file_sha256(fpath)
+    if h is None:
+        return {"ok": False, "reason": "could not read plugin file"}
+
+    with _ALLOWLIST_LOCK:
+        allowlist = _read_allowlist(allowlist_path)
+        allowlist[filename] = {
+            "sha256": h,
+            "approved_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
+            "approved_by": approved_by,
+        }
+        if not _write_allowlist(allowlist, allowlist_path):
+            return {"ok": False, "reason": "allowlist write failed"}
+
+    # Invalidate the broken-plugin cache so the plugin is re-attempted on
+    # next fire (the operator just approved it; clear the prior refusal).
+    plugin_name = filename[:-len(_PLUGIN_FILE_SUFFIX)]
+    with _registry._lock:
+        _registry._broken.discard(plugin_name)
+        _registry._modules.pop(plugin_name, None)
+
+    try:
+        _log_event(
+            "plugin_approved", "codec-hooks",
+            f"Plugin {filename} approved",
+            extra={"filename": filename, "sha256_last8": h[-8:],
+                   "approved_by": approved_by},
+            level="info", outcome="ok",
+        )
+    except Exception:
+        pass
+
+    return {
+        "ok": True, "sha256": h, "last8": h[-8:],
+        "filename": filename, "approved_by": approved_by,
+    }
+
+
 __all__ = [
     "HookCtx",
     "HookVeto",
@@ -653,4 +1093,5 @@ def emit_operation_end(
     "run_with_hooks",
     "emit_operation_start",
     "emit_operation_end",
+    "approve_plugin",
 ]
diff --git a/docs/audits/PHASE-1-CONSOLIDATED-TRIAGE.md b/docs/audits/PHASE-1-CONSOLIDATED-TRIAGE.md
index 40c1143..faf9fb0 100644
--- a/docs/audits/PHASE-1-CONSOLIDATED-TRIAGE.md
+++ b/docs/audits/PHASE-1-CONSOLIDATED-TRIAGE.md
@@ -226,7 +226,7 @@ Mirror the Intake Phase 3 wave pattern. 7 waves planned; sizes are PR-counts, NO
 - PR-2C: D-9 + D-10 — `python_exec` sandbox + `/api/execute` removal-or-strict-consent
 - PR-2D: D-11 — replace `x-internal: codec` header trust with per-process HMAC token in macOS Keychain ✅ (branch `fix/pr2d-internal-token-replacement`; token never lands on disk in plaintext — `codec_keychain.get_internal_token()` bootstraps to Keychain or 0600 envelope-encrypted fallback)
 - PR-2E: D-12 + D-19 + D-22 — audit log HMAC-SHA256-per-line + secret redaction + chmod 0600 ✅ (branch `fix/pr2e-audit-log-hmac-redaction`; secret in macOS Keychain `ai.avadigital.codec.audit_hmac_secret`; 15-pattern redaction sweep applied before truncation; `verify_audit_log()` utility + operator-only `audit_verify` skill)
-- PR-2F: D-13 — AppleScript injection fix in `imessage_send`; D-21 — same for `do_screenshot_question`; D-18 — plugin AST validation + thread-timeout
+- PR-2F: D-13 — AppleScript injection fix in `imessage_send`; D-21 — same for `do_screenshot_question`; D-18 — plugin AST validation + thread-timeout ✅ (branch `fix/pr2f-applescript-and-plugin-hardening`; strict phone/email regex gate for recipient; argv-binding for screenshot dialog so adversarial OCR text can't escape the string context; SHA-256 allowlist at `~/.codec/plugins.allowlist` + 500ms daemon-thread hook timeout + new operator-only `plugin_approve` skill; existing plugins grandfathered via one-time migration)
 - PR-2G: D-14 + D-16 + D-20 — path-blocklist hardening across `codec_agent_plan`, `extract_user_paths`, `file_ops`
 
 **Rationale:** these 17 don't share a single chokepoint, so they break into 4-6 themed PRs. Wave 2 closes the rest of the security debt.
diff --git a/docs/audits/PHASE-1-SECURITY.md b/docs/audits/PHASE-1-SECURITY.md
index d8b6094..7af431f 100644
--- a/docs/audits/PHASE-1-SECURITY.md
+++ b/docs/audits/PHASE-1-SECURITY.md
@@ -277,6 +277,9 @@ In addition, **no secret redaction patterns** are applied before writing. `task_
 ### D-13 — AppleScript injection in `imessage_send` recipient field [MEDIUM]
 **Location:** `skills/imessage_send.py:53-73` (`_send`)
 **CWE / OWASP:** CWE-78 OS Command Injection (via AppleScript) / OWASP A03 Injection
+
+> **Closed by PR-2F** (branch `fix/pr2f-applescript-and-plugin-hardening`). `imessage_send._validate_recipient` enforces strict phone/email format before any AppleScript interpolation. Phone regex: `^\+?[1-9]\d{9,14}$` (E.164-ish, 10-15 digits with optional `+`). Email regex: `^[\w.+\-]+@[\w\-]+(?:\.[\w\-]+)+$`. Both anchored — no prefix matches. Length cap 254 (RFC 5321 SMTP). All AppleScript metachars (quotes, newlines, carriage returns, tabs, backslashes, control chars) and the audit's documented breakout (`xx@x.com" of targetService\nactivate application "Calculator"\n...`) are rejected before `osascript` runs; audit emit `imessage_send_blocked` fires on every refusal with reason=`invalid_recipient_format` and `recipient_preview` truncated to 32 chars. Text body escape extended to cover `\\`, `\"`, `\r`, `\n`, `\t` (backslash first so subsequent escapes don't re-escape its own backslash). 32 tests in `tests/test_imessage_send.py`.
+
 **Description:** `recipient` is interpolated into AppleScript WITHOUT escaping (only `text` is escaped at line 54). An attacker who controls the recipient string (e.g., LLM-controlled, or user-typed with adversarial intent) can craft:
 `recipient = 'xx@x.com" of targetService\nactivate application "Calculator"\nset targetBuddy to buddy "yy@y.com'`
 The AppleScript breaks out of the string literal and executes arbitrary AppleScript. The blocker for `osascript -e 'tell application "System Events"` in DANGEROUS_PATTERNS doesn't cover this because the embedded AppleScript can use any app name.
@@ -356,6 +359,16 @@ Plus: `socket` is in DANGEROUS_MODULES, but `urllib.request` is not. `from urlli
 ### D-18 — Plugin lifecycle hooks have no privilege isolation and can suppress audit [MEDIUM]
 **Location:** `codec_hooks.py:265-300` (PluginRegistry.get_fn → exec_module), `codec_hooks.py:302-358` (audit emit helpers)
 **CWE / OWASP:** CWE-269 Improper Privilege Management / OWASP A04 Insecure Design / Agentic A09 Overreliance
+
+> **Closed by PR-2F** (branch `fix/pr2f-applescript-and-plugin-hardening`). Three layers:
+> 1. **SHA-256 allowlist gate.** `~/.codec/plugins.allowlist` (0600, atomic-write) keys plugins by basename → `{sha256, approved_at, approved_by}`. `PluginRegistry.get_fn` computes the file's current SHA-256 and refuses to load (`exec_module` never runs) if the hash isn't in the allowlist OR doesn't match. Refusal emits `plugin_load_blocked` with reason=`not_in_allowlist`, `hash_mismatch`, or `file_unreadable`. Defense-in-depth — `is_dangerous_skill_code` runs additionally for not-allowlisted plugins and its result rides under `extra.detail` so the operator sees both signals when reviewing refusals.
+> 2. **Daemon-thread timeout.** Every hook fire (`pre_tool`, `post_tool`, `on_error`, `on_operation_start`, `on_operation_end`) runs inside a `threading.Thread(daemon=True)` with a hard timeout (default 500ms, configurable via `~/.codec/config.json:plugin_hook_timeout_ms`). On timeout: emit `plugin_hook_timeout` audit, return `None`, calling thread continues (never blocks). Daemon=True so process shutdown isn't held up by a runaway hook.
+> 3. **Grandfather migration.** First scan after PR-2F lands seeds the allowlist with the current hashes of every plugin in `~/.codec/plugins/*.py` (`approved_by: "initial_migration"`, emit `plugin_allowlist_migrated`). Idempotent — once the allowlist file exists, migration is a no-op. Avoids surprising the operator at upgrade time.
+>
+> New skill `plugin_approve` (`SKILL_MCP_EXPOSE=False` — never reachable from claude.ai) is the operator's tool for approving subsequently-added plugins: it computes the file's SHA-256, writes the allowlist entry with `approved_by: "operator"`, clears any prior refusal cache, and emits `plugin_approved`. 17 tests in `tests/test_plugin_registry.py` (gate, mismatch, migration, approve helper, timeout, source-level invariants).
+>
+> **Allowlist is the trust decision, not the AST check.** PR-1A's manifest-pinned skills can use dangerous imports because the operator hash-pinned them; same here — `self_improve.py` plugin imports `os`, `threading` etc., which would fail the AST check, but its hash is in the allowlist so it loads. AST is only consulted to enrich the audit emit for refused plugins.
+
 **Description:** Per CLAUDE.md §3, plugins in `~/.codec/plugins/*.py` are "local Python files curated by the user. No marketplace, no auto-install, no inter-plugin sandbox. Same trust model as skills." They wrap EVERY tool call (`pre_tool`, `post_tool`, `on_error`, `on_operation_start`, `on_operation_end`).
 A malicious plugin can:
 - Mutate `task` / `context` arbitrarily in `pre_tool`. The runner accepts the mutation (codec_hooks.py:478-509) — only "identity fields" (tool_name, correlation_id, etc.) are immutable. So a plugin could rewrite "schedule a meeting" → "rm -rf /" before it reaches `terminal` skill — `is_dangerous` runs on the original task at the dashboard level, but if the plugin mutates between that check and skill execution, the check is bypassed.
@@ -401,6 +414,9 @@ The audit emit path `_emit_hook_fired` / `_emit_hook_error` is robust against ho
 ### D-21 — `do_screenshot_question` interpolates OCR text into AppleScript with minimal escaping [LOW]
 **Location:** `codec.py:799-809`
 **CWE / OWASP:** CWE-78 / Agentic A01 Memory Poisoning
+
+> **Closed by PR-2F** (branch `fix/pr2f-applescript-and-plugin-hardening`). `do_screenshot_question` no longer interpolates the OCR summary into the AppleScript source. The new pattern uses `on run argv` + `item 1 of argv`: Python passes the body as `osascript -e <script> <body>`, AppleScript reads it from `argv[1]` inside the script handler, and the string literally cannot escape its variable context — `"\n display dialog "PWNED"` arrives as a literal AppleScript string, not as additional script source. Tkinter was considered (audit's suggested alternative) but the argv-binding approach kept the existing focus-stealing-friendly dialog behavior intact (matters for the PM2 daemon context). 4 tests in `tests/test_screenshot_question.py` — including a runtime test with an adversarial OCR payload that asserts the script body contains no interpolation of the adversarial text.
+
 **Description:** `summary = ctx[:120].replace('"', '\\"').replace('\n', ' ')` then interpolated into `display dialog "..."` AppleScript. If the screen contains adversarial text (a malicious webpage shows text designed to break out), `\\` and other escape sequences are not handled. AppleScript supports `\r`, `\t`, `\"`, `\\`, and hex escapes — only `"` and `\n` are filtered.
 **Impact:** AppleScript dialog tampering. Low severity because it requires attacker-controlled screen content AND user pressing the screenshot hotkey.
 **Recommended fix:** Use the heredoc / variable-binding AppleScript pattern instead of string interpolation: `set summaryVar to "..." \n display dialog summaryVar`. Or use Python's `tkinter.simpledialog.askstring` instead.
diff --git a/skills/.manifest.json b/skills/.manifest.json
index 99e404b..bf0d0b4 100644
--- a/skills/.manifest.json
+++ b/skills/.manifest.json
@@ -40,7 +40,7 @@
     "google_slides.py": "30193598c0214305c03412911781dd32794e6c9d6349ed6a242753c38eb49101",
     "google_tasks.py": "505dbe4dcb4e9d86ecbe2e74b2258d6544c623923f7c31b1b4e42214555e484a",
     "health_check.py": "ee295d393b1e1424dc07002d72a06a070e324737e4ed6b6deb5a0e60863471aa",
-    "imessage_send.py": "9bac1d5fff21fe0ee2a4905c97bf4fa2aff27d65661f83f2f8f686df499a0e85",
+    "imessage_send.py": "ba8a2577d78b5dc93f4c2c3882e5447661bb192d596182b001de4b35068ab18c",
     "json_formatter.py": "995ad15bff5405cfde9ff9dd312998e7bac4337b4ad48e60c27342c7d27e54b2",
     "lucy.py": "696d21c81ea37e156d254b0a7bba2ea769e37cd906452e48b9dc2891edc9c40f",
     "memory_entities.py": "5865b8a0bf7c29e2c2e9ee4b3bc1d1c20c90ef19df833bd3d4fce3e30b4da36d",
@@ -55,6 +55,7 @@
     "password_generator.py": "17f8e23d876d74cb100a652507d4dbb88a92d81c954e7728df24375f143ea21d",
     "philips_hue.py": "bcc2ef1b7e6c0e5e5f0165aae397fd6a3fd27367a3f100b949cd0efddac43496",
     "pilot.py": "33fe0a8cb1f3f577f3ddf801ad6d4e1cb3c9ceae8e6b748edd29ef33149ec1c7",
+    "plugin_approve.py": "5f35db44de13bf1a9b72120806e3f414fc92efb30c2a344838c0ae42e93e54b9",
     "pm2_control.py": "1f67e3158920987c1f0d2452fcadd7405624b28a799297483a2d11f5d5c90d17",
     "pomodoro.py": "ab6816d25c16e7132f899b4584d7fa6d5082d0c50811ffbd79d087e34c8861a5",
     "process_manager.py": "742126eb470b89f91231b58d6e30da6a6683fdb435a2b05f6b070954853a19f9",
diff --git a/skills/imessage_send.py b/skills/imessage_send.py
index b1d371b..18d9cdf 100644
--- a/skills/imessage_send.py
+++ b/skills/imessage_send.py
@@ -1,4 +1,15 @@
-"""CODEC Skill: Send iMessage via AppleScript"""
+"""CODEC Skill: Send iMessage via AppleScript.
+
+PR-2F (closes D-13): recipient is validated against a strict phone/email
+regex BEFORE AppleScript interpolation. Any input that fails the regex —
+including the audit's documented breakout (`xx@x.com" of targetService\n
+activate application "Calculator"\nset targetBuddy to buddy "yy@y.com`) —
+is refused with `imessage_send_blocked` audit emit. Text body escape is
+extended to cover `\\`, `\r`, `\t`, `\"`, `\n`. The recipient sits inside
+an AppleScript identifier context (`buddy "..."`), not a string literal,
+so injection there is higher-impact than the text body — validation
+gates that surface entirely.
+"""
 SKILL_NAME = "imessage_send"
 SKILL_DESCRIPTION = "Send an iMessage to a contact (phone number or Apple ID email)"
 SKILL_TRIGGERS = [
@@ -15,6 +26,55 @@
     "message", "text", "sms",
 )
 
+# PR-2F (D-13): strict format gate. Anchored — no partial matches. No
+# AppleScript metachars (quotes, newlines, backslashes, tabs, control chars)
+# can survive these patterns. Length cap 254 = RFC 5321 SMTP email limit.
+_PHONE_RE = re.compile(r"^\+?[1-9]\d{9,14}$")  # E.164-ish: 10-15 digits, optional +
+_EMAIL_RE = re.compile(r"^[\w.+\-]+@[\w\-]+(?:\.[\w\-]+)+$")
+_RECIPIENT_MAX_LEN = 254
+
+
+def _validate_recipient(recipient: str) -> bool:
+    """True if `recipient` is a syntactically valid phone or email AND
+    contains no AppleScript metachars. Rejects everything else."""
+    if not recipient or not isinstance(recipient, str):
+        return False
+    if len(recipient) > _RECIPIENT_MAX_LEN:
+        return False
+    return bool(_PHONE_RE.match(recipient) or _EMAIL_RE.match(recipient))
+
+
+def _escape_text(text: str) -> str:
+    """Escape every AppleScript metachar in the message body. Recipient
+    is gated by validation (above); text body still goes through string
+    interpolation, so escape all metachars here. Order matters: backslash
+    first so subsequent escapes don't re-escape its own backslash."""
+    if not isinstance(text, str):
+        text = str(text)
+    return (text
+            .replace("\\", "\\\\")
+            .replace('"', '\\"')
+            .replace("\r", "\\r")
+            .replace("\n", "\\n")
+            .replace("\t", "\\t"))
+
+
+def _emit_blocked(reason: str, recipient_preview: str) -> None:
+    """Audit emit for D-13 refusals. Recipient preview truncated to 32
+    chars so adversarial multi-line breakouts don't bloat the log line."""
+    try:
+        from codec_audit import log_event
+        log_event(
+            "imessage_send_blocked",
+            source="codec-skill-imessage-send",
+            message=f"imessage_send refused: {reason}",
+            level="warning",
+            outcome="error",
+            extra={"reason": reason, "recipient_preview": recipient_preview[:32]},
+        )
+    except Exception:
+        pass
+
 
 def _parse(task: str):
     """Return (recipient, body) or (None, None).
@@ -51,7 +111,13 @@ def _parse(task: str):
 
 
 def _send(recipient: str, text: str) -> bool:
-    escaped = text.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
+    # PR-2F: validation gate — refuse anything that isn't a syntactically
+    # valid phone or email. This blocks the D-13 AppleScript breakout
+    # before any string interpolation happens.
+    if not _validate_recipient(recipient):
+        _emit_blocked("invalid_recipient_format", recipient or "")
+        return False
+    escaped = _escape_text(text)
     scripts = [
         f'''tell application "Messages"
             set targetService to 1st account whose service type = iMessage
@@ -79,6 +145,13 @@ def run(task, app="", ctx=""):
         return ("Format: 'text <recipient> <message>' — e.g. "
                 "'text +34612345678 running late' or "
                 "'imessage mom@icloud.com hi'")
+    if not _validate_recipient(recipient):
+        # Surface the refusal to the user with a clear message; the audit
+        # emit happens inside _send via _emit_blocked.
+        _emit_blocked("invalid_recipient_format", recipient)
+        return (f"❌ Refused to send: '{recipient[:32]}' isn't a valid phone "
+                f"number or email. Use E.164 phone (+34612345678) or "
+                f"user@example.com.")
     ok = _send(recipient, body)
     if ok:
         return f"✅ Sent to {recipient}: {body[:80]}"
diff --git a/skills/plugin_approve.py b/skills/plugin_approve.py
new file mode 100644
index 0000000..b4016f8
--- /dev/null
+++ b/skills/plugin_approve.py
@@ -0,0 +1,68 @@
+"""CODEC Skill: Approve a plugin file by adding its SHA-256 to the allowlist (PR-2F, D-18).
+
+Operator-only (SKILL_MCP_EXPOSE=False). claude.ai over MCP cannot approve
+plugins — only the local operator can extend the plugin trust boundary.
+
+Usage:
+    "approve plugin <filename>"
+    "approve plugin self_improve.py"
+    "trust plugin newhook.py"
+
+The skill computes the SHA-256 of the file currently at
+`~/.codec/plugins/<filename>`, writes/updates the entry in
+`~/.codec/plugins.allowlist`, and reports the hash's last 8 chars
+for operator verification. On the next plugin fire after approval,
+the plugin loads normally.
+"""
+SKILL_NAME = "plugin_approve"
+SKILL_DESCRIPTION = (
+    "Approve a plugin file by adding its SHA-256 to the allowlist. "
+    "Operator-only — required after dropping a new plugin into ~/.codec/plugins/."
+)
+SKILL_TRIGGERS = [
+    "approve plugin", "plugin approve", "trust plugin",
+]
+SKILL_MCP_EXPOSE = False  # Operator-only; never expose plugin trust over MCP
+
+
+def _extract_filename(task: str) -> str:
+    """Pull a plugin filename out of the task text. Accepts:
+        "approve plugin self_improve.py"
+        "trust plugin newhook.py"
+        "plugin approve foo.py"
+    """
+    import re
+    t = task.strip()
+    # Strip trigger phrases
+    for trigger in ("approve plugin", "trust plugin", "plugin approve"):
+        if t.lower().startswith(trigger):
+            t = t[len(trigger):].strip()
+            break
+    # First .py token
+    m = re.search(r"([\w.-]+\.py)\b", t)
+    if m:
+        return m.group(1)
+    return t
+
+
+def run(task: str = "", app: str = "", ctx: str = "") -> str:
+    """Approve a plugin filename. Returns operator-readable confirmation."""
+    filename = _extract_filename(task)
+    if not filename or not filename.endswith(".py"):
+        return (
+            "Usage: 'approve plugin <filename>.py' — e.g. "
+            "'approve plugin self_improve.py'."
+        )
+
+    try:
+        from codec_hooks import approve_plugin
+    except Exception as e:
+        return f"Plugin approve unavailable: codec_hooks import failed: {e}"
+
+    result = approve_plugin(filename, approved_by="operator")
+    if not result.get("ok"):
+        return f"❌ Refused to approve {filename}: {result.get('reason', 'unknown')}"
+    return (
+        f"✅ Plugin {filename} approved. SHA-256 …{result['last8']}. "
+        f"Plugin will load on next hook fire."
+    )
diff --git a/tests/test_imessage_send.py b/tests/test_imessage_send.py
new file mode 100644
index 0000000..92c130d
--- /dev/null
+++ b/tests/test_imessage_send.py
@@ -0,0 +1,230 @@
+"""Tests for skills/imessage_send.py recipient validation (D-13 closure).
+
+Closes audit finding D-13 (MEDIUM) — AppleScript injection via the
+`recipient` field. The skill is `SKILL_MCP_EXPOSE=True` and reachable
+from claude.ai over MCP HTTP, so an attacker controlling MCP calls
+could craft a recipient that breaks out of the AppleScript string
+literal context and executes arbitrary AppleScript.
+
+PR-2F gates the AppleScript surface entirely: `_validate_recipient`
+rejects any string that isn't a valid phone (E.164) or email.
+Audit emit `imessage_send_blocked` fires on every refusal.
+
+Reference: docs/audits/PHASE-1-SECURITY.md finding D-13.
+"""
+from __future__ import annotations
+
+import sys
+from pathlib import Path
+
+import pytest
+
+REPO = Path(__file__).resolve().parent.parent
+sys.path.insert(0, str(REPO))
+sys.path.insert(0, str(REPO / "skills"))
+
+import imessage_send  # noqa: E402
+
+
+# ── _validate_recipient tests ───────────────────────────────────────────────
+
+
+@pytest.mark.parametrize("good", [
+    "+15551234567",
+    "+34612345678",
+    "+447911123456",
+    "+819012345678",
+    "5551234567",        # without leading +
+    "user@example.com",
+    "first.last+tag@example.co.uk",
+    "mickael@avadigital.ai",
+])
+def test_validate_recipient_accepts_legitimate(good):
+    """Phone numbers (E.164-ish) and emails must pass."""
+    assert imessage_send._validate_recipient(good), f"Should accept: {good!r}"
+
+
+@pytest.mark.parametrize("bad", [
+    # D-13 audit's documented breakout
+    'xx@x.com" of targetService\nactivate application "Calculator"\nset targetBuddy to buddy "yy@y.com',
+    # Quotes
+    '"; activate application "Finder";"',
+    # Newlines + AppleScript keyword
+    "a@b.com\ntell application",
+    # Carriage return
+    "a@b.com\rtell",
+    # Tab
+    "a@b.com\ttell",
+    # Backslash escape
+    "a@b.com\\u0022 of targetService",
+    # AppleScript identifier breakout
+    '" of (1st account)\ntell',
+    # Empty / whitespace
+    "",
+    "   ",
+    # Just metachars
+    '""',
+    "tell application Calculator",
+    # Spaces
+    "+1 555 123 4567",
+    # Pure text
+    "mom",
+    # Phone too short
+    "+1234",
+    # Phone with non-digits
+    "+1-555-CALL-NOW",
+])
+def test_validate_recipient_rejects_metachar_and_invalid(bad):
+    """All AppleScript-injection-capable inputs must be refused."""
+    assert not imessage_send._validate_recipient(bad), (
+        f"Should reject: {bad!r}"
+    )
+
+
+def test_validate_recipient_rejects_overlength():
+    """Strings over 254 chars are refused even if they'd otherwise look
+    email-ish. RFC 5321 SMTP path limit."""
+    long_email = "a" * 250 + "@b.com"  # 256 chars
+    assert not imessage_send._validate_recipient(long_email)
+
+
+def test_validate_recipient_rejects_non_string():
+    """None / int / bytes must not crash the validator."""
+    assert not imessage_send._validate_recipient(None)
+    # `int` isn't a string at all → reject without raising
+    assert not imessage_send._validate_recipient(12345)
+    assert not imessage_send._validate_recipient(b"+15551234567")
+
+
+# ── _escape_text tests ──────────────────────────────────────────────────────
+
+
+def test_escape_text_handles_all_metachars():
+    """The text body still goes through string interpolation in the
+    AppleScript; the escape MUST cover \\, \", \r, \n, \t. Order matters
+    — backslash first."""
+    raw = 'line1\\backslash\n"quote"\r\ttab'
+    escaped = imessage_send._escape_text(raw)
+    # Backslash escaped first
+    assert "\\\\" in escaped
+    # Quote escaped
+    assert '\\"' in escaped
+    # Newline + carriage return + tab escaped
+    assert "\\n" in escaped
+    assert "\\r" in escaped
+    assert "\\t" in escaped
+    # Raw control chars must NOT appear in escaped string
+    assert "\n" not in escaped
+    assert "\r" not in escaped
+    assert "\t" not in escaped
+
+
+def test_escape_text_idempotent_safe():
+    """Re-escaping an already-escaped string doubles slashes but doesn't
+    crash. Pin behavior."""
+    escaped_once = imessage_send._escape_text("hello\nworld")
+    escaped_twice = imessage_send._escape_text(escaped_once)
+    assert "\\\\n" in escaped_twice  # the \n escape itself was escaped
+
+
+# ── _send refusal + audit emit ──────────────────────────────────────────────
+
+
+def test_send_refuses_invalid_recipient_no_subprocess_call(monkeypatch):
+    """When recipient is invalid, `_send` must NOT call osascript at all.
+    Defense-in-depth: even if validation falsely accepts, subprocess
+    shouldn't run for a non-validating input. (Audit's Keychain shellout
+    to /usr/bin/security is fine — only osascript must be blocked.)"""
+    osascript_calls = {"count": 0}
+    real_run = imessage_send.subprocess.run
+
+    class _Result:
+        returncode = 1
+        stdout = ""
+        stderr = ""
+
+    def fake_run(args, **kwargs):
+        if args and isinstance(args, (list, tuple)) and "osascript" in str(args[0]):
+            osascript_calls["count"] += 1
+            raise AssertionError(
+                f"osascript called with invalid recipient: {args!r}"
+            )
+        return _Result()
+
+    monkeypatch.setattr(imessage_send.subprocess, "run", fake_run)
+    try:
+        result = imessage_send._send(
+            '"; activate application "Calculator";"', "hi",
+        )
+    finally:
+        monkeypatch.setattr(imessage_send.subprocess, "run", real_run)
+    assert result is False
+    assert osascript_calls["count"] == 0, (
+        "osascript must not be called for invalid recipient"
+    )
+
+
+def test_send_emits_blocked_audit_on_invalid(monkeypatch):
+    """Refusal must emit `imessage_send_blocked` audit event."""
+    captured = []
+
+    def fake_log_event(event_type, *args, **kwargs):
+        captured.append({"event_type": event_type, "args": args, "kwargs": kwargs})
+
+    monkeypatch.setattr("codec_audit.log_event", fake_log_event)
+    imessage_send._send(
+        'xx@x.com" of targetService\nactivate application "Calculator', "x",
+    )
+    matches = [c for c in captured if c["event_type"] == "imessage_send_blocked"]
+    assert len(matches) == 1, f"Expected one blocked event; got {captured!r}"
+    extra = matches[0]["kwargs"].get("extra", {})
+    assert extra.get("reason") == "invalid_recipient_format"
+    assert "recipient_preview" in extra
+    # Preview must be capped at 32 chars so adversarial multi-line input
+    # can't bloat the audit log
+    assert len(extra["recipient_preview"]) <= 32
+
+
+def test_send_accepts_legitimate_recipient_calls_subprocess(monkeypatch):
+    """Validated recipient → osascript IS called. Sanity test that the
+    validation gate doesn't block legitimate sends."""
+    called = {"count": 0, "last_args": None}
+
+    class _Result:
+        returncode = 0
+        stdout = ""
+        stderr = ""
+
+    def fake_run(args, **kwargs):
+        called["count"] += 1
+        called["last_args"] = args
+        return _Result()
+
+    monkeypatch.setattr(imessage_send.subprocess, "run", fake_run)
+    result = imessage_send._send("+15551234567", "hello")
+    assert result is True
+    assert called["count"] >= 1
+    # The osascript invocation must contain the validated recipient AND
+    # the escaped message body
+    assert "osascript" in called["last_args"][0]
+
+
+# ── run() integration ───────────────────────────────────────────────────────
+
+
+def test_run_refuses_invalid_recipient_with_user_message(monkeypatch):
+    """`run()` returns an operator-readable refusal for invalid recipient.
+    Skill is MCP-exposed so the message goes back to claude.ai if used
+    remotely."""
+    monkeypatch.setattr("codec_audit.log_event", lambda *a, **kw: None)
+    result = imessage_send.run(
+        'recipient: "; tell app "Finder" to delete; " | body: hi'
+    )
+    assert "Refused" in result or "valid" in result.lower()
+
+
+def test_validate_recipient_anchor_prevents_prefix_match():
+    """The regex is anchored — `+15551234567 extra junk` must fail because
+    of the trailing junk, not be a prefix match."""
+    assert not imessage_send._validate_recipient("+15551234567 extra")
+    assert not imessage_send._validate_recipient("user@example.com tell application")
diff --git a/tests/test_plugin_registry.py b/tests/test_plugin_registry.py
new file mode 100644
index 0000000..dcb9146
--- /dev/null
+++ b/tests/test_plugin_registry.py
@@ -0,0 +1,440 @@
+"""Tests for codec_hooks plugin trust model (D-18 closure).
+
+Closes audit finding D-18 (MEDIUM) — plugins have no privilege isolation.
+PR-2F gates plugin loading on:
+  1. SHA-256 in `~/.codec/plugins.allowlist` (operator-managed).
+  2. AST check via `codec_config.is_dangerous_skill_code` for files not
+     in the allowlist (refused; AST result included in audit emit for
+     forensic clarity).
+And wraps every hook fire in a daemon thread with a hard timeout
+(default 500ms, configurable via `plugin_hook_timeout_ms`).
+
+Reference: docs/audits/PHASE-1-SECURITY.md finding D-18.
+"""
+from __future__ import annotations
+
+import json
+import os
+import sys
+import time
+from pathlib import Path
+
+import pytest
+
+REPO = Path(__file__).resolve().parent.parent
+sys.path.insert(0, str(REPO))
+
+
+# ── Per-test isolation: tmp plugins dir + tmp allowlist ────────────────────
+
+
+@pytest.fixture
+def plugin_env(tmp_path, monkeypatch):
+    """Isolated plugins dir + allowlist file per test. Returns
+    (plugins_dir, allowlist_path, registry) where registry is a fresh
+    PluginRegistry pointing at the tmp dir. The registry derives its
+    allowlist path from `plugins_dir`'s parent (PR-2F design), so the
+    fixture doesn't need to monkeypatch module-level constants —
+    creating the registry with the tmp plugins_dir is sufficient."""
+    import codec_hooks
+    plugins_dir = tmp_path / "plugins"
+    plugins_dir.mkdir()
+    # Allowlist derives from plugins_dir's parent → `<tmp_path>/plugins.allowlist`
+    allowlist_path = tmp_path / "plugins.allowlist"
+
+    reg = codec_hooks.PluginRegistry(str(plugins_dir), str(allowlist_path))
+    return plugins_dir, allowlist_path, reg, codec_hooks
+
+
+def _write_plugin(plugins_dir: Path, name: str, body: str):
+    """Helper: write a plugin file and return its path."""
+    p = plugins_dir / name
+    p.write_text(body, encoding="utf-8")
+    return p
+
+
+def _allowlist_entry(plugins_dir: Path, fname: str) -> dict:
+    """Compute the SHA-256 of a plugin file and build an allowlist entry."""
+    import hashlib
+    h = hashlib.sha256((plugins_dir / fname).read_bytes()).hexdigest()
+    return {
+        "sha256": h,
+        "approved_at": "2026-05-18T00:00:00",
+        "approved_by": "test",
+    }
+
+
+_BENIGN_PLUGIN = '''"""benign plugin"""
+PLUGIN_NAME = "{name}"
+def pre_tool(ctx):
+    return None
+'''
+
+_DANGEROUS_PLUGIN = '''"""dangerous plugin — uses subprocess"""
+PLUGIN_NAME = "{name}"
+import subprocess
+def pre_tool(ctx):
+    subprocess.run(["ls"])
+    return None
+'''
+
+
+# ── D-18 (a): Plugin AST + allowlist gate at load ─────────────────────────
+
+
+def test_plugin_load_blocked_not_in_allowlist(plugin_env, monkeypatch):
+    """Plugin with no allowlist entry must be refused at load + emit
+    `plugin_load_blocked` with reason=`not_in_allowlist`."""
+    plugins_dir, allowlist_path, reg, codec_hooks = plugin_env
+    _write_plugin(plugins_dir, "test_unauth.py",
+                   _BENIGN_PLUGIN.format(name="test_unauth"))
+    # Empty allowlist
+    allowlist_path.write_text("{}")
+
+    captured = []
+    monkeypatch.setattr(codec_hooks, "_log_event",
+                         lambda *args, **kw: captured.append({"args": args, "kw": kw}))
+
+    reg.scan()
+    plugins = reg.all()
+    assert len(plugins) == 1
+    fn = reg.get_fn(plugins[0], "pre_tool")
+    assert fn is None, "Plugin without allowlist entry must NOT load"
+
+    matches = [c for c in captured
+               if c["args"] and c["args"][0] == "plugin_load_blocked"]
+    assert len(matches) >= 1, f"Expected plugin_load_blocked emit; got {captured!r}"
+    assert matches[0]["kw"].get("extra", {}).get("reason") == "not_in_allowlist"
+
+
+def test_plugin_load_succeeds_with_allowlist_entry(plugin_env):
+    """Plugin with matching hash in allowlist must load (skip AST check)."""
+    plugins_dir, allowlist_path, reg, _ = plugin_env
+    _write_plugin(plugins_dir, "test_ok.py",
+                   _BENIGN_PLUGIN.format(name="test_ok"))
+    allowlist = {"test_ok.py": _allowlist_entry(plugins_dir, "test_ok.py")}
+    allowlist_path.write_text(json.dumps(allowlist))
+
+    reg.scan()
+    plugins = reg.all()
+    assert len(plugins) == 1
+    fn = reg.get_fn(plugins[0], "pre_tool")
+    assert fn is not None, "Plugin with valid allowlist entry must load"
+    assert callable(fn)
+
+
+def test_plugin_load_refused_when_hash_mismatches(plugin_env, monkeypatch):
+    """Allowlist has hash A; file content modified → hash B; must refuse
+    + emit `plugin_load_blocked` with reason=`hash_mismatch`."""
+    plugins_dir, allowlist_path, reg, codec_hooks = plugin_env
+    _write_plugin(plugins_dir, "test_mismatch.py",
+                   _BENIGN_PLUGIN.format(name="test_mismatch"))
+    # Allowlist contains a BOGUS hash (not the file's actual hash)
+    allowlist = {
+        "test_mismatch.py": {
+            "sha256": "0" * 64,
+            "approved_at": "2026-01-01T00:00:00",
+            "approved_by": "test",
+        }
+    }
+    allowlist_path.write_text(json.dumps(allowlist))
+
+    captured = []
+    monkeypatch.setattr(codec_hooks, "_log_event",
+                         lambda *args, **kw: captured.append({"args": args, "kw": kw}))
+
+    reg.scan()
+    plugins = reg.all()
+    fn = reg.get_fn(plugins[0], "pre_tool")
+    assert fn is None
+
+    matches = [c for c in captured
+               if c["args"] and c["args"][0] == "plugin_load_blocked"]
+    assert matches, "Expected plugin_load_blocked on hash mismatch"
+    assert matches[0]["kw"].get("extra", {}).get("reason") == "hash_mismatch"
+
+
+def test_plugin_load_blocked_emits_ast_detail_when_dangerous(plugin_env, monkeypatch):
+    """When a plugin is NOT in the allowlist AND its AST is dangerous,
+    the `plugin_load_blocked` audit must include the specific AST reason
+    in `detail`. Forensic clarity — operator sees both signals."""
+    plugins_dir, allowlist_path, reg, codec_hooks = plugin_env
+    _write_plugin(plugins_dir, "test_dangerous.py",
+                   _DANGEROUS_PLUGIN.format(name="test_dangerous"))
+    allowlist_path.write_text("{}")
+
+    captured = []
+    monkeypatch.setattr(codec_hooks, "_log_event",
+                         lambda *args, **kw: captured.append({"args": args, "kw": kw}))
+
+    reg.scan()
+    plugins = reg.all()
+    fn = reg.get_fn(plugins[0], "pre_tool")
+    assert fn is None
+
+    matches = [c for c in captured
+               if c["args"] and c["args"][0] == "plugin_load_blocked"]
+    assert matches
+    extra = matches[0]["kw"].get("extra", {})
+    assert extra.get("reason") == "not_in_allowlist"
+    # Detail should mention the AST reason (subprocess.run or import subprocess)
+    detail = extra.get("detail", "")
+    assert "ast_dangerous" in detail
+    assert "subprocess" in detail
+
+
+# ── D-18 (b): SHA-256 allowlist + grandfather migration ────────────────────
+
+
+def test_initial_migration_grandfathers_existing_plugins(plugin_env):
+    """First scan with no allowlist file + plugins in dir → auto-seed
+    the allowlist with current hashes. Idempotent (second scan is no-op)."""
+    plugins_dir, allowlist_path, reg, _ = plugin_env
+    assert not allowlist_path.exists()
+    _write_plugin(plugins_dir, "legacy_plugin.py",
+                   _BENIGN_PLUGIN.format(name="legacy_plugin"))
+
+    reg.scan()
+    assert allowlist_path.exists(), "scan() must create allowlist on first migration"
+
+    allowlist = json.loads(allowlist_path.read_text())
+    assert "legacy_plugin.py" in allowlist
+    assert allowlist["legacy_plugin.py"]["approved_by"] == "initial_migration"
+    # Hash matches file content
+    import hashlib
+    expected = hashlib.sha256(
+        (plugins_dir / "legacy_plugin.py").read_bytes()
+    ).hexdigest()
+    assert allowlist["legacy_plugin.py"]["sha256"] == expected
+
+
+def test_grandfather_migration_idempotent(plugin_env):
+    """If allowlist already exists, scan() must NOT overwrite it.
+    Operator's deliberate additions must survive subsequent scans."""
+    plugins_dir, allowlist_path, reg, _ = plugin_env
+    custom = {"custom.py": {"sha256": "deadbeef" * 8,
+                              "approved_at": "2025-01-01T00:00:00",
+                              "approved_by": "manual"}}
+    allowlist_path.write_text(json.dumps(custom))
+
+    _write_plugin(plugins_dir, "new_plugin.py",
+                   _BENIGN_PLUGIN.format(name="new_plugin"))
+    reg.scan()
+
+    after = json.loads(allowlist_path.read_text())
+    # Existing custom entry survived
+    assert "custom.py" in after
+    assert after["custom.py"]["sha256"] == "deadbeef" * 8
+    # New plugin was NOT auto-grandfathered (operator must approve)
+    assert "new_plugin.py" not in after
+
+
+def test_allowlist_file_has_0600_perms(plugin_env):
+    """The allowlist file contains operator trust decisions — must be
+    operator-readable only."""
+    plugins_dir, allowlist_path, reg, _ = plugin_env
+    _write_plugin(plugins_dir, "p.py", _BENIGN_PLUGIN.format(name="p"))
+    reg.scan()
+    assert allowlist_path.exists()
+    mode = os.stat(allowlist_path).st_mode & 0o777
+    assert mode == 0o600, f"plugins.allowlist must be 0600; got 0o{mode:o}"
+
+
+def test_approve_plugin_helper_adds_entry(plugin_env, monkeypatch):
+    """`codec_hooks.approve_plugin` adds a fresh allowlist entry."""
+    plugins_dir, allowlist_path, reg, codec_hooks = plugin_env
+    # Make codec_hooks's module-level _registry point at our tmp registry
+    monkeypatch.setattr(codec_hooks, "_registry", reg)
+
+    _write_plugin(plugins_dir, "newhook.py", _BENIGN_PLUGIN.format(name="newhook"))
+    # Pre-allowlist is empty
+    allowlist_path.write_text("{}")
+
+    result = codec_hooks.approve_plugin("newhook.py", approved_by="operator")
+    assert result["ok"] is True
+    assert result["filename"] == "newhook.py"
+    assert len(result["sha256"]) == 64
+    assert len(result["last8"]) == 8
+
+    # Allowlist now contains the entry
+    allowlist = json.loads(allowlist_path.read_text())
+    assert "newhook.py" in allowlist
+    assert allowlist["newhook.py"]["approved_by"] == "operator"
+
+
+def test_approve_plugin_rejects_path_traversal(plugin_env, monkeypatch):
+    """`../../../etc/passwd` and other path-traversal must be refused."""
+    _, _, reg, codec_hooks = plugin_env
+    monkeypatch.setattr(codec_hooks, "_registry", reg)
+    for bad in ("../etc/passwd", "../../foo.py", "/etc/passwd", ".hidden.py"):
+        result = codec_hooks.approve_plugin(bad)
+        assert result["ok"] is False, f"Should reject path traversal: {bad!r}"
+
+
+def test_approve_plugin_rejects_missing_file(plugin_env, monkeypatch):
+    _, _, reg, codec_hooks = plugin_env
+    monkeypatch.setattr(codec_hooks, "_registry", reg)
+    result = codec_hooks.approve_plugin("nonexistent.py")
+    assert result["ok"] is False
+    assert "not found" in result["reason"]
+
+
+def test_approve_plugin_clears_broken_cache(plugin_env, monkeypatch):
+    """If a plugin was previously refused (in _broken), approving it
+    must clear that entry so the next fire retries."""
+    plugins_dir, allowlist_path, reg, codec_hooks = plugin_env
+    monkeypatch.setattr(codec_hooks, "_registry", reg)
+
+    _write_plugin(plugins_dir, "retry.py", _BENIGN_PLUGIN.format(name="retry"))
+    allowlist_path.write_text("{}")
+
+    # Simulate a prior load failure
+    reg._broken.add("retry")
+
+    codec_hooks.approve_plugin("retry.py", approved_by="operator")
+    assert "retry" not in reg._broken, "approve_plugin must clear broken cache"
+
+
+# ── D-18 (c): hook timeout ──────────────────────────────────────────────────
+
+
+def test_run_hook_with_timeout_returns_value_for_fast_hook():
+    """Fast hooks return their value normally."""
+    import codec_hooks
+    result, exc = codec_hooks._run_hook_with_timeout(
+        lambda x: x * 2, (21,),
+        hook_name="pre_tool", plugin_name="fast",
+        timeout_s=1.0,
+    )
+    assert result == 42
+    assert exc is None
+
+
+def test_run_hook_with_timeout_aborts_slow_hook():
+    """A hook that takes longer than the timeout returns _HookTimedOut.
+    The calling thread is NOT blocked beyond the timeout."""
+    import codec_hooks
+
+    def slow(_x):
+        time.sleep(1.0)
+        return "never seen"
+
+    t0 = time.monotonic()
+    result, exc = codec_hooks._run_hook_with_timeout(
+        slow, (None,),
+        hook_name="pre_tool", plugin_name="slow",
+        timeout_s=0.05,
+    )
+    elapsed = time.monotonic() - t0
+    assert isinstance(result, codec_hooks._HookTimedOut)
+    assert result.timeout_s == 0.05
+    # Must not have blocked for the full 1s — accept up to 200ms slack
+    assert elapsed < 0.3, f"Calling thread blocked too long: {elapsed:.2f}s"
+    assert exc is None
+
+
+def test_run_hook_with_timeout_captures_exception():
+    """If the hook raises, the exception is returned (not raised)."""
+    import codec_hooks
+
+    def boom(_x):
+        raise ValueError("plugin bug")
+
+    result, exc = codec_hooks._run_hook_with_timeout(
+        boom, (None,),
+        hook_name="pre_tool", plugin_name="boomer",
+        timeout_s=1.0,
+    )
+    assert result is None
+    assert isinstance(exc, ValueError)
+    assert str(exc) == "plugin bug"
+
+
+def test_fire_one_pre_tool_emits_plugin_hook_timeout(plugin_env, monkeypatch):
+    """Wired test: a slow `pre_tool` hook triggers `plugin_hook_timeout`
+    audit via `_fire_one_pre_tool`."""
+    plugins_dir, allowlist_path, reg, codec_hooks = plugin_env
+    monkeypatch.setattr(codec_hooks, "_registry", reg)
+
+    slow_src = (
+        '"""slow plugin"""\n'
+        'PLUGIN_NAME = "slow"\n'
+        'import time\n'
+        'def pre_tool(ctx):\n'
+        '    time.sleep(1.0)\n'
+        '    return None\n'
+    )
+    _write_plugin(plugins_dir, "slow.py", slow_src)
+    allowlist = {"slow.py": _allowlist_entry(plugins_dir, "slow.py")}
+    allowlist_path.write_text(json.dumps(allowlist))
+
+    # Tight timeout for the test (override via config)
+    from codec_config import cfg
+    monkeypatch.setitem(cfg, "plugin_hook_timeout_ms", 50)
+
+    captured = []
+    monkeypatch.setattr(codec_hooks, "_log_event",
+                         lambda *args, **kw: captured.append({"args": args, "kw": kw}))
+
+    reg.scan()
+    ctx = codec_hooks.HookCtx(
+        transport="chat",
+        correlation_id="testcid000000",
+        plugin_name="",
+        timestamp_utc="2026-05-18T00:00:00.000+00:00",
+        tool_name="weather",
+    )
+    plugins = reg.for_hook("pre_tool", "weather")
+    assert plugins, "Slow plugin should be in pre_tool list"
+
+    t0 = time.monotonic()
+    codec_hooks._fire_one_pre_tool(plugins[0], ctx)
+    elapsed = time.monotonic() - t0
+    assert elapsed < 0.3, f"Slow hook blocked too long: {elapsed:.2f}s"
+
+    matches = [c for c in captured
+               if c["args"] and c["args"][0] == "plugin_hook_timeout"]
+    assert matches, f"Expected plugin_hook_timeout emit; got {captured!r}"
+    extra = matches[0]["kw"].get("extra", {})
+    assert extra["plugin_name"] == "slow"
+    assert extra["hook_name"] == "pre_tool"
+
+
+# ── Source-level invariants ─────────────────────────────────────────────────
+
+
+def test_codec_hooks_source_has_allowlist_gate():
+    """Belt-and-suspenders: `get_fn` MUST call `_is_plugin_allowed`
+    before any `exec_module` call."""
+    src = (REPO / "codec_hooks.py").read_text()
+    idx = src.find("def get_fn")
+    assert idx >= 0
+    body = src[idx:idx + 3000]
+    assert "_is_plugin_allowed" in body, (
+        "get_fn must check the allowlist before exec_module"
+    )
+    # The check must come BEFORE the spec.loader.exec_module(mod) call
+    # (search for the call form so we don't false-positive on docstring
+    # mentions of "exec_module")
+    allowed_idx = body.find("_is_plugin_allowed(\n")  # multi-line call form
+    if allowed_idx < 0:
+        allowed_idx = body.find("_is_plugin_allowed(plugin")
+    exec_idx = body.find("spec.loader.exec_module(")
+    assert allowed_idx >= 0, "_is_plugin_allowed call not found in get_fn body"
+    assert exec_idx >= 0, "spec.loader.exec_module call not found"
+    assert allowed_idx < exec_idx, (
+        "_is_plugin_allowed must run BEFORE spec.loader.exec_module"
+    )
+
+
+def test_plugin_approve_skill_is_not_mcp_exposed():
+    """Plugin trust extension must never be reachable from claude.ai/MCP."""
+    skills_dir = REPO / "skills"
+    sys.path.insert(0, str(skills_dir))
+    try:
+        import plugin_approve
+        import importlib
+        importlib.reload(plugin_approve)
+        assert getattr(plugin_approve, "SKILL_MCP_EXPOSE", True) is False
+    finally:
+        sys.path.remove(str(skills_dir))
diff --git a/tests/test_screenshot_question.py b/tests/test_screenshot_question.py
new file mode 100644
index 0000000..4bfc79f
--- /dev/null
+++ b/tests/test_screenshot_question.py
@@ -0,0 +1,140 @@
+"""Tests for codec.do_screenshot_question AppleScript safety (D-21 closure).
+
+Closes audit finding D-21 (LOW) — `do_screenshot_question` interpolates
+OCR text (potentially adversarial — a malicious webpage shows text
+designed to break out of the string literal) into AppleScript with
+only `"` and `\\n` escaped. AppleScript supports many other escapes
+(`\\r`, `\\t`, `\\"`, `\\\\`, hex escapes) — the escape was insufficient.
+
+PR-2F removes interpolation entirely. The OCR summary is passed as
+an osascript ARGV argument; AppleScript reads it from `item 1 of argv`
+inside the script body, NEVER concatenated into the script source.
+
+Reference: docs/audits/PHASE-1-SECURITY.md finding D-21.
+"""
+from __future__ import annotations
+
+import sys
+from pathlib import Path
+
+REPO = Path(__file__).resolve().parent.parent
+sys.path.insert(0, str(REPO))
+
+
+def test_codec_source_no_longer_interpolates_summary_into_script():
+    """Source-level invariant: `do_screenshot_question` MUST NOT contain
+    an f-string that interpolates `summary` into the AppleScript body.
+    Belt-and-suspenders for the runtime tests below."""
+    src = (REPO / "codec.py").read_text()
+    # Find the function body
+    idx = src.find("def do_screenshot_question")
+    assert idx >= 0
+    body = src[idx:idx + 3000]
+    # The pre-PR-2F pattern was f'... "{summary}…\\n\\n{question}" ...'.
+    # No f-string with {summary} interpolation may remain.
+    assert 'f\'tell application "System Events"' not in body, (
+        "Legacy f-string interpolation of summary into AppleScript must be removed"
+    )
+    # The new pattern uses `on run argv` + `item 1 of argv`
+    assert "on run argv" in body, (
+        "PR-2F pattern: AppleScript must read summary from argv, not interpolation"
+    )
+    assert "item 1 of argv" in body
+
+
+def test_screenshot_question_passes_body_as_argv(monkeypatch):
+    """Runtime test: when `do_screenshot_question` runs, the osascript
+    invocation MUST pass the OCR body as a CLI argument (post-script),
+    NOT interpolate it into the script source."""
+    import codec as codec_mod
+
+    captured = {"args": None, "stdout": ""}
+
+    class _Result:
+        returncode = 0
+        stdout = ""
+        stderr = ""
+
+    def fake_run(args, **kwargs):
+        captured["args"] = args
+        return _Result()
+
+    # Stub all the things do_screenshot_question touches
+    monkeypatch.setattr(codec_mod, "push", lambda fn: None)
+    monkeypatch.setattr(codec_mod, "show_overlay", lambda *a, **kw: None)
+    adversarial = '" \n display dialog "PWNED" \n display dialog "'
+    monkeypatch.setattr(codec_mod, "screenshot_ctx", lambda: adversarial)
+    monkeypatch.setattr(codec_mod, "dispatch", lambda task: None)
+    monkeypatch.setattr(codec_mod.subprocess, "run", fake_run)
+
+    codec_mod.do_screenshot_question()
+
+    assert captured["args"] is not None
+    # argv shape: ["osascript", "-e", "<script>", "<body>"]
+    assert captured["args"][0] == "osascript"
+    assert captured["args"][1] == "-e"
+    script = captured["args"][2]
+    # The script body must NOT contain the adversarial text — that means
+    # interpolation didn't happen.
+    assert "PWNED" not in script, (
+        f"Adversarial OCR text leaked into script body: {script[:200]!r}"
+    )
+    assert "display dialog" in script  # legitimate AppleScript verb
+    # The body must be passed as argv[3]
+    assert len(captured["args"]) >= 4
+    body = captured["args"][3]
+    assert "PWNED" in body, "Adversarial OCR text should appear in argv body (where AppleScript treats it as literal)"
+
+
+def test_screenshot_question_argv_unescaped_quotes_safe(monkeypatch):
+    """Adversarial OCR with bare quotes must arrive at argv as literal
+    quotes — AppleScript's `item 1 of argv` handles the string boundary,
+    not source-level escaping. Quotes in the OCR text must NOT escape
+    the script's string context."""
+    import codec as codec_mod
+
+    captured = {"args": None}
+
+    class _Result:
+        returncode = 0
+        stdout = ""
+        stderr = ""
+
+    def fake_run(args, **kwargs):
+        captured["args"] = args
+        return _Result()
+
+    monkeypatch.setattr(codec_mod, "push", lambda fn: None)
+    monkeypatch.setattr(codec_mod, "show_overlay", lambda *a, **kw: None)
+    monkeypatch.setattr(codec_mod, "screenshot_ctx",
+                         lambda: 'OCR with "double" and \'single\' quotes')
+    monkeypatch.setattr(codec_mod, "dispatch", lambda task: None)
+    monkeypatch.setattr(codec_mod.subprocess, "run", fake_run)
+
+    codec_mod.do_screenshot_question()
+
+    assert captured["args"] is not None
+    script = captured["args"][2]
+    body = captured["args"][3]
+    # Script source must not contain the OCR — proves no interpolation
+    assert '"double"' not in script
+    # But argv body MUST contain it (literal)
+    assert "double" in body or "OCR" in body
+
+
+def test_screenshot_question_no_screen_context_early_returns(monkeypatch):
+    """Sanity: when `screenshot_ctx` returns empty, no subprocess fires."""
+    import codec as codec_mod
+    fired = {"run": 0}
+
+    def fake_run(*a, **kw):
+        fired["run"] += 1
+        raise AssertionError("subprocess.run must not fire on empty ctx")
+
+    monkeypatch.setattr(codec_mod, "push", lambda fn: None)
+    monkeypatch.setattr(codec_mod, "show_overlay", lambda *a, **kw: None)
+    monkeypatch.setattr(codec_mod, "screenshot_ctx", lambda: "")
+    monkeypatch.setattr(codec_mod.subprocess, "run", fake_run)
+
+    codec_mod.do_screenshot_question()
+    assert fired["run"] == 0

From 87657ec3604c3d38280cd9831a0b18785fd29e40 Mon Sep 17 00:00:00 2001
From: Mickael Farina <farina.mickael@gmail.com>
Date: Mon, 18 May 2026 01:12:44 +0200
Subject: [PATCH 2/2] fix(security): regen skill manifest after
 plugin_approve.py ruff cleanup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Stale manifest from PR-2F — plugin_approve.py was edited (moved
`import re` inside the function for E402 compliance) after the
prior manifest write. CI's `--check` caught the drift.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 skills/.manifest.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/skills/.manifest.json b/skills/.manifest.json
index bf0d0b4..a25a029 100644
--- a/skills/.manifest.json
+++ b/skills/.manifest.json
@@ -55,7 +55,7 @@
     "password_generator.py": "17f8e23d876d74cb100a652507d4dbb88a92d81c954e7728df24375f143ea21d",
     "philips_hue.py": "bcc2ef1b7e6c0e5e5f0165aae397fd6a3fd27367a3f100b949cd0efddac43496",
     "pilot.py": "33fe0a8cb1f3f577f3ddf801ad6d4e1cb3c9ceae8e6b748edd29ef33149ec1c7",
-    "plugin_approve.py": "5f35db44de13bf1a9b72120806e3f414fc92efb30c2a344838c0ae42e93e54b9",
+    "plugin_approve.py": "c93861353be2a9ebe08df212ca167bea646962dbeafe704b1864cd78a8cf57cc",
     "pm2_control.py": "1f67e3158920987c1f0d2452fcadd7405624b28a799297483a2d11f5d5c90d17",
     "pomodoro.py": "ab6816d25c16e7132f899b4584d7fa6d5082d0c50811ffbd79d087e34c8861a5",
     "process_manager.py": "742126eb470b89f91231b58d6e30da6a6683fdb435a2b05f6b070954853a19f9",