GitGuardian
diff --git a/‎changelog.d/20260521_120000_ctourriere_plugin_machine_scan_loading.md‎
Lines changed: 3 additions & 0 deletions b/‎changelog.d/20260521_120000_ctourriere_plugin_machine_scan_loading.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎changelog.d/20260521_121500_ctourriere_plugin_extract_cache_cleanup.md‎
Lines changed: 3 additions & 0 deletions b/‎changelog.d/20260521_121500_ctourriere_plugin_extract_cache_cleanup.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎ggshield/cmd/plugin/install.py‎
Lines changed: 17 additions & 12 deletions b/‎ggshield/cmd/plugin/install.py‎
Lines changed: 17 additions & 12 deletions
diff --git a/‎ggshield/cmd/plugin/update.py‎
Lines changed: 12 additions & 9 deletions b/‎ggshield/cmd/plugin/update.py‎
Lines changed: 12 additions & 9 deletions
diff --git a/‎ggshield/core/plugin/downloader.py‎
Lines changed: 14 additions & 1 deletion b/‎ggshield/core/plugin/downloader.py‎
Lines changed: 14 additions & 1 deletion
diff --git a/‎ggshield/core/plugin/loader.py‎
Lines changed: 126 additions & 7 deletions b/‎ggshield/core/plugin/loader.py‎
Lines changed: 126 additions & 7 deletions
@@ -0,0 +1,3 @@
+### Fixed
+
+- Plugin installs and updates now enable the canonical `ggshield.plugins` entry point instead of the wheel package name, migrating any pre-existing alias row (and preserving its `auto_update` setting), and local plugin wheels extract into the active runtime cache so mixed root/admin and user executions do not silently lose registered commands.
@@ -0,0 +1,3 @@
+### Fixed
+
+- ggshield now prunes stale extracted plugin wheel caches during plugin load and removes a plugin's extracted cache on uninstall, preventing old wheel versions from accumulating in the cache directory.
@@ -26,7 +26,7 @@
     InsecureSourceError,
     PluginDownloader,
 )
-from ggshield.core.plugin.loader import resolve_config_key
+from ggshield.core.plugin.loader import enable_installed_plugin
 from ggshield.core.plugin.platform import get_platform_info
 from ggshield.core.plugin.signature import (
     SignatureVerificationError,
@@ -229,10 +229,11 @@ def _install_from_gitguardian(
                 bundle_bytes=bundle_bytes,
             )
 
-        config_key = resolve_config_key(wheel_path, fallback=plugin_name)
-        enterprise_config.enable_plugin(config_key, version=info.version)
+        installed_name = enable_installed_plugin(
+            enterprise_config, plugin_name, info.version, wheel_path
+        )
         enterprise_config.save()
-        ui.display_info(f"Installed {plugin_name} v{info.version}")
+        ui.display_info(f"Installed {installed_name} v{info.version}")
 
     except SignatureVerificationError as e:
         ui.display_error(f"Signature verification failed for {plugin_name}: {e}")
@@ -273,8 +274,9 @@ def _install_from_local_wheel(
             wheel_path, signature_mode=signature_mode
         )
 
-        config_key = resolve_config_key(installed_wheel, fallback=plugin_name)
-        enterprise_config.enable_plugin(config_key, version=version)
+        plugin_name = enable_installed_plugin(
+            enterprise_config, plugin_name, version, installed_wheel
+        )
         enterprise_config.save()
 
         ui.display_info(f"Installed {plugin_name} v{version}")
@@ -309,8 +311,9 @@ def _install_from_url(
             url, sha256, signature_mode=signature_mode
         )
 
-        config_key = resolve_config_key(installed_wheel, fallback=plugin_name)
-        enterprise_config.enable_plugin(config_key, version=version)
+        plugin_name = enable_installed_plugin(
+            enterprise_config, plugin_name, version, installed_wheel
+        )
         enterprise_config.save()
 
         ui.display_info(f"Installed {plugin_name} v{version}")
@@ -351,8 +354,9 @@ def _install_from_github_release(
             url, sha256, signature_mode=signature_mode
         )
 
-        config_key = resolve_config_key(installed_wheel, fallback=plugin_name)
-        enterprise_config.enable_plugin(config_key, version=version)
+        plugin_name = enable_installed_plugin(
+            enterprise_config, plugin_name, version, installed_wheel
+        )
         enterprise_config.save()
 
         ui.display_info(f"Installed {plugin_name} v{version}")
@@ -394,8 +398,9 @@ def _install_from_github_artifact(
             downloader.download_from_github_artifact(url, signature_mode=signature_mode)
         )
 
-        config_key = resolve_config_key(installed_wheel, fallback=plugin_name)
-        enterprise_config.enable_plugin(config_key, version=version)
+        plugin_name = enable_installed_plugin(
+            enterprise_config, plugin_name, version, installed_wheel
+        )
         enterprise_config.save()
 
         ui.display_info(f"Installed {plugin_name} v{version}")
 
@@ -24,7 +24,7 @@
     PluginSourceType,
 )
 from ggshield.core.plugin.downloader import DownloadError, PluginDownloader
-from ggshield.core.plugin.loader import PluginLoader, resolve_config_key
+from ggshield.core.plugin.loader import PluginLoader, enable_installed_plugin
 from ggshield.core.plugin.platform import get_platform_info
 from ggshield.core.plugin.signature import SignatureVerificationMode
 from ggshield.core.text_utils import pluralize
@@ -386,12 +386,6 @@ def update_cmd(
                         signature_mode=signature_mode,
                         bundle_bytes=bundle_bytes,
                     )
-                # Mirror install.py: the loader keys enablement by the
-                # wheel's entry-point name (when present), so update
-                # must use the same key — otherwise the row written
-                # below falls out of sync with discover_plugins and
-                # the plugin is silently disabled after the upgrade.
-                config_key = resolve_config_key(wheel_path, fallback=name)
                 installation_reports.append(
                     _InstallationReport(
                         name=name,
@@ -412,12 +406,21 @@ def update_cmd(
                 _, _, wheel_path = downloader.download_from_github_release(
                     download_url, signature_mode=signature_mode
                 )
-                config_key = resolve_config_key(wheel_path, fallback=name)
 
             else:
                 raise DownloadError(f"Unsupported plugin source type: {source_type}")
 
-            enterprise_config.enable_plugin(config_key, version=latest_version)
+            # Mirror install.py: the loader keys enablement by the
+            # wheel's entry-point name (when present), so update must
+            # use the same key — otherwise the row written below falls
+            # out of sync with discover_plugins and the plugin is
+            # silently disabled after the upgrade. ``name`` here is
+            # already the loader's canonical key, but a stale alias
+            # under the wheel's distribution name from a pre-fix
+            # install may still be on disk; ``enable_installed_plugin``
+            # cleans that up and carries any ``auto_update: false``
+            # forward to the canonical row.
+            enable_installed_plugin(enterprise_config, name, latest_version, wheel_path)
 
             ui.display_info(f"  Updated {name} to v{latest_version}")
             success_count += 1
 
@@ -15,7 +15,7 @@
 
 import requests
 
-from ggshield.core.dirs import get_plugins_dir
+from ggshield.core.dirs import get_cache_dir, get_plugins_dir
 from ggshield.core.plugin.client import (
     PluginDownloadInfo,
     PluginSource,
@@ -713,10 +713,23 @@ def uninstall(self, plugin_name: str) -> bool:
 
         self.trust_store.revoke_plugin(plugin_dir.name)
         shutil.rmtree(plugin_dir)
+        self._remove_extract_cache(plugin_dir.name)
 
         logger.info("Uninstalled plugin: %s", plugin_name)
         return True
 
+    def _remove_extract_cache(self, plugin_dir_name: str) -> None:
+        """Best-effort removal of extracted wheel cache for an uninstalled plugin."""
+        cache_dir = get_cache_dir() / "plugins" / plugin_dir_name
+        try:
+            shutil.rmtree(cache_dir)
+        except FileNotFoundError:
+            pass
+        except OSError as exc:
+            logger.debug(
+                "Failed to remove plugin extraction cache %s: %s", cache_dir, exc
+            )
+
     def get_installed_version(self, plugin_name: str) -> Optional[str]:
         """Get the installed version of a plugin (by package name or entry point name)."""
         manifest = self.get_manifest(plugin_name)
 
@@ -5,6 +5,8 @@
 import importlib
 import importlib.metadata
 import logging
+import os
+import shutil
 import sys
 from dataclasses import dataclass
 from pathlib import Path
@@ -15,7 +17,7 @@
 
 from ggshield import __version__ as ggshield_version
 from ggshield.core.config.enterprise_config import EnterpriseConfig
-from ggshield.core.dirs import get_plugins_dir
+from ggshield.core.dirs import get_cache_dir, get_plugins_dir
 from ggshield.core.plugin.base import GGShieldPlugin, PluginMetadata
 from ggshield.core.plugin.registry import PluginRegistry
 from ggshield.core.plugin.signature import (
@@ -106,6 +108,57 @@ def resolve_config_key(wheel_path: Path, fallback: str) -> str:
     return entry_point[0]
 
 
+def enable_installed_plugin(
+    enterprise_config: EnterpriseConfig,
+    plugin_name: str,
+    version: str,
+    wheel_path: Path,
+) -> str:
+    """Enable the canonical plugin key and migrate any stale aliases.
+
+    Older ggshield versions wrote the enable row under the wheel's
+    distribution name; the loader now keys discovery on the
+    ``ggshield.plugins`` entry-point name. After a fresh install or
+    update we therefore need to:
+
+    1. Write the canonical row under the entry-point name (so
+       ``discover_plugins`` finds it enabled).
+    2. Remove any pre-existing row under a known alias (the caller's
+       ``plugin_name`` — catalog reference or distribution name — and
+       the wheel's distribution name as encoded in
+       ``wheel_path.parent.name``).
+    3. Carry over the user's ``auto_update`` choice from any removed
+       alias so an explicit ``auto_update: false`` survives the
+       migration. When more than one alias exists, the strictest
+       (``False``) wins so user intent is never silently relaxed.
+
+    Update.py passes the loader's discovered canonical name as
+    ``plugin_name`` (already the entry-point name), so the legacy
+    alias only becomes visible via ``wheel_path.parent.name``. Install
+    paths pass either the catalog reference or the distribution name,
+    both of which become aliases here.
+    """
+    config_key = resolve_config_key(wheel_path, fallback=plugin_name)
+
+    legacy_keys = {plugin_name, wheel_path.parent.name}
+    legacy_keys.discard(config_key)
+
+    carried_auto_update: Optional[bool] = None
+    for legacy_key in legacy_keys:
+        legacy = enterprise_config.plugins.get(legacy_key)
+        if legacy is None:
+            continue
+        # Honor the strictest setting found across aliases.
+        if carried_auto_update is None or not legacy.auto_update:
+            carried_auto_update = legacy.auto_update
+        enterprise_config.remove_plugin(legacy_key)
+
+    enterprise_config.enable_plugin(config_key, version=version)
+    if carried_auto_update is not None:
+        enterprise_config.plugins[config_key].auto_update = carried_auto_update
+    return config_key
+
+
 @dataclass
 class DiscoveredPlugin:
     """Information about a discovered plugin."""
@@ -147,17 +200,25 @@ def discover_plugins(self) -> List[DiscoveredPlugin]:
             wheel_version: str = wheel_info["version"]
             entry_point_name: Optional[str] = wheel_info["entry_point_name"]
 
-            # Use entry point name as key if available, otherwise package name
+            # Use entry point name as key if available, otherwise package name.
+            # Older installs may have enabled the wheel distribution/package name
+            # before ggshield learned the entry-point key. Treat that package name
+            # as an alias so an installed+enabled plugin does not silently miss its
+            # top-level commands.
             key = entry_point_name if entry_point_name else plugin_name
             if entry_point_name:
                 local_entry_point_names.add(entry_point_name)
 
+            is_enabled = self._is_enabled(key)
+            if key not in self.enterprise_config.plugins and plugin_name != key:
+                is_enabled = self._is_enabled(plugin_name)
+
             discovered[key] = DiscoveredPlugin(
                 name=key,
                 entry_point=None,
                 wheel_path=wheel_path,
                 is_installed=True,
-                is_enabled=self._is_enabled(key),
+                is_enabled=is_enabled,
                 version=wheel_version,
             )
 
@@ -272,8 +333,11 @@ def _load_from_wheel(self, wheel_path: Path) -> Optional[GGShieldPlugin]:
                 )
                 return None
 
-        # Extract wheel to a directory alongside the wheel file
-        extract_dir = wheel_path.parent / f".{wheel_path.stem}_extracted"
+        # Extract wheel to a per-user cache directory instead of next to the
+        # installed wheel. This keeps loading working when a wheel is installed
+        # in a shared/root-owned data directory but the current user can still
+        # read it.
+        extract_dir = self._get_extract_dir(wheel_path)
 
         try:
             # In STRICT mode, always re-extract after verification so imports
@@ -282,15 +346,16 @@ def _load_from_wheel(self, wheel_path: Path) -> Optional[GGShieldPlugin]:
                 not extract_dir.exists()
                 or wheel_path.stat().st_mtime > extract_dir.stat().st_mtime
             ):
-                import shutil
-
                 if extract_dir.exists():
                     shutil.rmtree(extract_dir)
+                extract_dir.parent.mkdir(parents=True, exist_ok=True)
 
                 from ggshield.utils.archive import safe_unpack
 
                 safe_unpack(wheel_path, extract_dir)
 
+            self._prune_stale_extract_dirs(extract_dir)
+
             # Add extracted directory to sys.path
             extract_str = str(extract_dir)
             if extract_str not in sys.path:
@@ -309,6 +374,60 @@ def _load_from_wheel(self, wheel_path: Path) -> Optional[GGShieldPlugin]:
             logger.warning("Failed to load wheel %s: %s", wheel_path, e)
             return None
 
+    def _prune_stale_extract_dirs(self, keep_dir: Path) -> None:
+        """Remove stale extraction dirs for the same plugin cache bucket."""
+        parent = keep_dir.parent
+        if not parent.exists():
+            return
+
+        for path in parent.iterdir():
+            if path == keep_dir or not path.is_dir():
+                continue
+            if not path.name.endswith("_extracted"):
+                continue
+            try:
+                shutil.rmtree(path)
+            except OSError as exc:
+                logger.debug(
+                    "Failed to remove stale plugin extraction dir %s: %s", path, exc
+                )
+
+    def _get_extract_cache_dir(self) -> Path:
+        """Return the cache dir used for extracted plugin wheels.
+
+        `sudo -E` on Unix can preserve a non-root HOME, which makes platformdirs
+        point root at the invoking user's cache dir. Do not create root-owned
+        extraction trees there: use root's own cache unless GG_CACHE_DIR was set
+        explicitly.
+        """
+        if os.environ.get("GG_CACHE_DIR"):
+            return get_cache_dir()
+
+        if sys.platform != "win32" and hasattr(os, "geteuid") and os.geteuid() == 0:
+            home = os.environ.get("HOME")
+            try:
+                if home and Path(home).exists() and Path(home).stat().st_uid != 0:
+                    import pwd
+
+                    root_home = Path(pwd.getpwuid(0).pw_dir)
+                    if sys.platform == "darwin":
+                        return root_home / "Library" / "Caches" / "ggshield"
+                    return root_home / ".cache" / "ggshield"
+            except (KeyError, OSError):
+                pass
+
+        return get_cache_dir()
+
+    def _get_extract_dir(self, wheel_path: Path) -> Path:
+        """Return the per-user extraction directory for an installed wheel."""
+        wheel_hash = compute_file_sha256(wheel_path)[:16]
+        return (
+            self._get_extract_cache_dir()
+            / "plugins"
+            / wheel_path.parent.name
+            / f"{wheel_path.stem}-{wheel_hash}_extracted"
+        )
+
     def _is_trusted_unsigned_plugin(self, wheel_path: Path) -> bool:
         """Return True when the current wheel hash matches a persisted trust record."""
         plugin_name = wheel_path.parent.name
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+### Fixed`
	`2`	`+`
	`3`	+- Plugin installs and updates now enable the canonical `ggshield.plugins` entry point instead of the wheel package name, migrating any pre-existing alias row (and preserving its `auto_update` setting), and local plugin wheels extract into the active runtime cache so mixed root/admin and user executions do not silently lose registered commands.
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+### Fixed`
	`2`	`+`
	`3`	`+- ggshield now prunes stale extracted plugin wheel caches during plugin load and removes a plugin's extracted cache on uninstall, preventing old wheel versions from accumulating in the cache directory.`