@aldegad/safedeps 2.1.0 → 2.2.0

package/scripts/release-gates.sh

@@ -0,0 +1,252 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT=""
+STRICT=0
+NO_RUN=0
+
+usage() {
+  cat <<'EOF'
+Usage: run-release-gates.sh [--root <repo>] [--strict] [--no-run]
+
+Runs release-time security gates for the current repository tree.
+EOF
+}
+
+while [ $# -gt 0 ]; do
+  case "$1" in
+    --root)
+      ROOT="${2:-}"
+      shift 2
+      ;;
+    --strict)
+      STRICT=1
+      shift
+      ;;
+    --no-run)
+      NO_RUN=1
+      shift
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      usage >&2
+      exit 64
+      ;;
+  esac
+done
+
+if [ -z "$ROOT" ]; then
+  ROOT="$(pwd)"
+fi
+
+if command -v realpath >/dev/null 2>&1; then
+  ROOT="$(realpath "$ROOT")"
+else
+  ROOT="$(cd "$ROOT" && pwd)"
+fi
+
+if [ ! -d "$ROOT" ]; then
+  printf 'ERROR: repo root does not exist: %s\n' "$ROOT" >&2
+  exit 1
+fi
+
+cd "$ROOT"
+
+FAILURES=0
+WARNINGS=0
+RAN=0
+
+section() {
+  printf '\n== %s ==\n' "$1"
+}
+
+pass() {
+  printf 'PASS [%s] %s\n' "$1" "$2"
+}
+
+warn() {
+  WARNINGS=$((WARNINGS + 1))
+  printf 'WARN [%s] %s\n' "$1" "$2" >&2
+}
+
+fail() {
+  FAILURES=$((FAILURES + 1))
+  printf 'FAIL [%s] %s\n' "$1" "$2" >&2
+}
+
+strict_or_warn() {
+  if [ "$STRICT" -eq 1 ]; then
+    fail "$1" "$2"
+  else
+    warn "$1" "$2"
+  fi
+}
+
+run_cmd() {
+  local gate="$1"
+  local desc="$2"
+  shift 2
+
+  RAN=$((RAN + 1))
+  printf 'RUN  [%s] %s\n' "$gate" "$desc"
+  printf 'CMD  [%s] %s\n' "$gate" "$*"
+
+  if [ "$NO_RUN" -eq 1 ]; then
+    pass "$gate" "planned only (--no-run)"
+    return 0
+  fi
+
+  if "$@"; then
+    pass "$gate" "$desc"
+  else
+    fail "$gate" "$desc"
+  fi
+}
+
+has_file() {
+  [ -f "$1" ]
+}
+
+has_npm_script() {
+  local script_name="$1"
+  has_file package.json || return 1
+  command -v node >/dev/null 2>&1 || return 1
+  node -e '
+const fs = require("node:fs");
+const pkg = JSON.parse(fs.readFileSync("package.json", "utf8"));
+process.exit(pkg.scripts && Object.prototype.hasOwnProperty.call(pkg.scripts, process.argv[1]) ? 0 : 1);
+' "$script_name"
+}
+
+run_npm_script_if_present() {
+  local script_name="$1"
+  local gate="$2"
+  if has_npm_script "$script_name"; then
+    run_cmd "$gate" "npm run $script_name" npm run "$script_name"
+    return 0
+  fi
+  return 1
+}
+
+detect_python_surface() {
+  find . -maxdepth 3 \
+    \( -name 'requirements*.txt' -o -name 'pyproject.toml' -o -name 'poetry.lock' -o -name 'uv.lock' -o -name 'Pipfile.lock' \) \
+    -not -path './node_modules/*' \
+    -not -path './.git/*' \
+    -print
+}
+
+detect_requirements_files() {
+  find . -maxdepth 3 \
+    -name 'requirements*.txt' \
+    -not -path './node_modules/*' \
+    -not -path './.git/*' \
+    -print | sort
+}
+
+hook_file_mentions_reorg_guard() {
+  local file="$1"
+  [ -f "$file" ] || return 1
+  grep -q 'safedeps' "$file"
+}
+
+safedeps_install_guard_present() {
+  [ -d "$HOME/.claude/skills/safedeps" ] && return 0
+  [ -d "$HOME/.codex/skills/safedeps" ] && return 0
+  hook_file_mentions_reorg_guard "$HOME/.claude/settings.json" && return 0
+  hook_file_mentions_reorg_guard "$HOME/.codex/hooks.json" && return 0
+  return 1
+}
+
+section "repo"
+printf 'root: %s\n' "$ROOT"
+if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+  pass repo "inside git worktree"
+else
+  strict_or_warn repo "not inside a git worktree"
+fi
+
+if [ -f docs/security-release-gates.md ] || [ -f SECURITY.md ]; then
+  pass repo "release/security documentation present"
+else
+  warn repo "no docs/security-release-gates.md or SECURITY.md"
+fi
+
+section "secrets"
+if run_npm_script_if_present "security:hooks:check" "secrets"; then
+  :
+fi
+if run_npm_script_if_present "security:scan:worktree" "secrets"; then
+  :
+elif [ -x scripts/security/run-gitleaks.sh ]; then
+  run_cmd secrets "repo gitleaks wrapper" bash scripts/security/run-gitleaks.sh --worktree
+elif command -v gitleaks >/dev/null 2>&1 && { [ -f .gitleaks.toml ] || [ -f gitleaks.toml ]; }; then
+  config=".gitleaks.toml"
+  [ -f "$config" ] || config="gitleaks.toml"
+  run_cmd secrets "gitleaks dir scan" gitleaks dir --no-banner --redact --verbose --config "$config" .
+else
+  strict_or_warn secrets "no gitleaks gate detected"
+fi
+
+section "node"
+if has_file package.json; then
+  pass node "package.json detected"
+  if run_npm_script_if_present "security:audit" "node"; then
+    :
+  elif has_file package-lock.json || has_file npm-shrinkwrap.json; then
+    run_cmd node "npm audit --audit-level=moderate" npm audit --audit-level=moderate
+  else
+    strict_or_warn node "package.json exists but no npm lockfile/audit script was detected"
+  fi
+
+  if safedeps_install_guard_present; then
+    pass install-guard "safedeps appears installed/configured"
+  elif [ "$STRICT" -eq 1 ] || [ "${SECURITY_RELEASE_GATES_REQUIRE_INSTALL_GUARD:-0}" = "1" ]; then
+    fail install-guard "npm project has no detectable safedeps install-time guard"
+  else
+    warn install-guard "safedeps not detected; release gate can continue, install-time guard is separate"
+  fi
+else
+  pass node "no package.json detected"
+fi
+
+section "python"
+PYTHON_SURFACE="$(detect_python_surface || true)"
+if [ -z "$PYTHON_SURFACE" ]; then
+  pass python "no Python dependency surface detected"
+elif [ -n "${SECURITY_RELEASE_GATES_PYTHON_AUDIT_COMMAND:-}" ]; then
+  run_cmd python "custom Python audit command" bash -lc "$SECURITY_RELEASE_GATES_PYTHON_AUDIT_COMMAND"
+elif command -v pip-audit >/dev/null 2>&1; then
+  REQUIREMENTS="$(detect_requirements_files || true)"
+  if [ -n "$REQUIREMENTS" ]; then
+    while IFS= read -r requirements_file; do
+      [ -n "$requirements_file" ] || continue
+      run_cmd python "pip-audit $requirements_file" pip-audit -r "$requirements_file"
+    done <<EOF_REQ
+$REQUIREMENTS
+EOF_REQ
+  else
+    strict_or_warn python "Python lock/project files detected, but no requirements*.txt or repo-provided Python audit command exists"
+  fi
+else
+  strict_or_warn python "Python dependency files detected, but pip-audit is not installed and no custom audit command was provided"
+fi
+
+section "ci"
+if find .github/workflows -maxdepth 1 -type f 2>/dev/null | xargs grep -E 'security:|gitleaks|pip-audit|npm audit' >/dev/null 2>&1; then
+  pass ci "workflow appears to run security gates"
+else
+  warn ci "no obvious GitHub security gate workflow detected"
+fi
+
+section "summary"
+printf 'gates_run=%s warnings=%s failures=%s strict=%s no_run=%s\n' "$RAN" "$WARNINGS" "$FAILURES" "$STRICT" "$NO_RUN"
+
+if [ "$FAILURES" -gt 0 ]; then
+  exit 1
+fi
+
+exit 0

package/scripts/safedeps-post-verify.sh

@@ -40,6 +40,14 @@ if ! command -v jq >/dev/null 2>&1; then
   exit 0
 fi
 
+SAFEDEPS_REPO_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)
+# shellcheck source=../lib/ledger/ledger.sh
+source "${SAFEDEPS_REPO_DIR}/lib/ledger/ledger.sh"
+# shellcheck source=../lib/providers/providers.sh
+source "${SAFEDEPS_REPO_DIR}/lib/providers/providers.sh"
+# shellcheck source=../lib/npm/closure.sh
+source "${SAFEDEPS_REPO_DIR}/lib/npm/closure.sh"
+
 acquire_state_lock() {
   local attempts=0
 
@@ -75,10 +83,16 @@ release_state_lock() {
 write_state_file() {
   local target_path="$1"
   local value="$2"
-  local temp_path="${target_path}.$$"
-
+  local target_dir
+  local target_base
+  local temp_path
+
+  target_dir=$(dirname "${target_path}")
+  target_base=$(basename "${target_path}")
+  mkdir -p "${target_dir}" || return 1
+  temp_path=$(mktemp "${target_dir}/.${target_base}.XXXXXX") || return 1
   printf '%s\n' "${value}" > "${temp_path}"
-  mv "${temp_path}" "${target_path}"
+  mv -f "${temp_path}" "${target_path}"
 }
 
 compute_dir_hash() {
@@ -214,7 +228,7 @@ collect_protected_snapshot_ids() {
     local already_seen="false"
     local seen_id
 
-    for seen_id in "${seen[@]}"; do
+    for seen_id in "${seen[@]+${seen[@]}}"; do
       if [[ "${seen_id}" == "${snapshot_id}" ]]; then
         already_seen="true"
         break
@@ -305,6 +319,41 @@ restore_node_modules() {
   ROLLBACK_WARNINGS+=("node_modules reinstall failed; review the project manually")
 }
 
+run_verified_npm_rebuild_if_injected() {
+  local injected
+
+  injected=$(jq -r '.ignore_scripts_injected == true' "${META_FILE}" 2>/dev/null || printf 'false')
+  [[ "${injected}" == "true" ]] || return 0
+
+  if ! command -v npm >/dev/null 2>&1; then
+    ROLLBACK_WARNINGS+=("npm is not installed; npm rebuild was not run after verified inert install")
+    return 0
+  fi
+
+  if (cd "${PROJECT_DIR}" && npm rebuild >/dev/null 2>&1); then
+    return 0
+  fi
+
+  ROLLBACK_WARNINGS+=("npm rebuild failed after verified inert install; lifecycle scripts may need manual review")
+}
+
+emit_confirm_warnings_if_any() {
+  local warning_str
+
+  [[ ${#ROLLBACK_WARNINGS[@]} -gt 0 ]] || return 0
+
+  warning_str=$(printf '%s; ' "${ROLLBACK_WARNINGS[@]}")
+  cat >> "${GUARD_DIR}/reorg.log" << LOG_EOF
+[$(date -u +"%Y-%m-%dT%H:%M:%SZ")] CONFIRM warnings
+  Snapshot: ${SNAPSHOT_ID}
+  Project: ${PROJECT_DIR}
+  Warnings: ${warning_str%%; }
+LOG_EOF
+
+  jq -nc --arg warnings "${warning_str%%; }" \
+    '{systemMessage: ("safedeps: verified install completed, but npm rebuild warning(s) were recorded:\n" + $warnings)}'
+}
+
 # Read tool input from stdin
 INPUT=$(cat)
 
@@ -358,6 +407,32 @@ SUSPICIOUS=false
 REASONS=()
 ROLLBACK_WARNINGS=()
 
+redact_install_script_content() {
+  local script_content="$1"
+  local flattened
+  local byte_count
+  local digest
+  local suffix=""
+
+  flattened=$(printf '%s' "${script_content}" | tr '\r\n\t' '   ' | cut -c 1-160)
+  byte_count=$(printf '%s' "${script_content}" | wc -c | tr -d ' ')
+  if command -v shasum >/dev/null 2>&1; then
+    digest=$(printf '%s' "${script_content}" | shasum -a 256 | cut -d' ' -f1)
+  elif command -v sha256sum >/dev/null 2>&1; then
+    digest=$(printf '%s' "${script_content}" | sha256sum | cut -d' ' -f1)
+  else
+    digest="unavailable"
+  fi
+  if [[ "${byte_count}" -gt 160 ]]; then
+    suffix="..."
+  fi
+  printf '[redacted install script sha256=%s bytes=%s preview=%s%s]' \
+    "${digest}" \
+    "${byte_count}" \
+    "${flattened}" \
+    "${suffix}"
+}
+
 # Function: check for suspicious postinstall scripts in new/changed dependencies
 check_postinstall_scripts() {
   local pkg_json="${PROJECT_DIR}/package.json"
@@ -411,17 +486,17 @@ check_postinstall_scripts() {
         # Check for network calls in install scripts
         if echo "${script_content}" | grep -qEi '(curl|wget|fetch|http|https|net\.|socket|dns)'; then
           SUSPICIOUS=true
-          REASONS+=("Package '${pkg_name}' has install script with network access: ${script_content}")
+          REASONS+=("Package '${pkg_name}' has install script with network access: $(redact_install_script_content "${script_content}")")
         fi
 
         # Check for eval/exec in install scripts
         if echo "${script_content}" | grep -qEi '(eval|exec|spawn|child_process|Function\()'; then
           SUSPICIOUS=true
-          REASONS+=("Package '${pkg_name}' has install script with code execution: ${script_content}")
+          REASONS+=("Package '${pkg_name}' has install script with code execution: $(redact_install_script_content "${script_content}")")
         fi
 
         # Check for filesystem access outside project
-        if echo "${script_content}" | grep -qEi '(\/etc\/|\/home\/|~\/|\$HOME|\.ssh|\.env|\.aws|credentials)'; then
+        if echo "${script_content}" | grep -qEi '(\/etc\/|\/home\/|~\/|\$HOME|\.ssh|\.env|\.aws|credentials|~\/\.safedeps|\$HOME\/\.safedeps|\.safedeps\/|SAFEDEPS_HOME)'; then
           SUSPICIOUS=true
           REASONS+=("Package '${pkg_name}' has install script accessing sensitive paths")
         fi
@@ -507,7 +582,74 @@ check_binaries() {
   fi
 }
 
+check_npm_effect_closure() {
+  local lockfile="${PROJECT_DIR}/package-lock.json"
+  local closure_file
+  local provider_file
+  local miss_file
+  local package_name
+  local version
+  local miss_count
+  local vulnerable_summary
+  local kev_summary
+
+  [[ -f "${lockfile}" ]] || return 0
+
+  closure_file=$(mktemp "${TMPDIR:-/tmp}/safedeps-post-closure.XXXXXX") || return
+  provider_file=$(mktemp "${TMPDIR:-/tmp}/safedeps-post-provider.XXXXXX") || {
+    rm -f "${closure_file}"
+    return
+  }
+  miss_file=$(mktemp "${TMPDIR:-/tmp}/safedeps-post-miss.XXXXXX") || {
+    rm -f "${closure_file}" "${provider_file}"
+    return
+  }
+  : > "${miss_file}"
+
+  if ! safedeps_npm_lock_closure "${lockfile}" > "${closure_file}"; then
+    SUSPICIOUS=true
+    REASONS+=("npm package-lock closure could not be parsed")
+    rm -f "${closure_file}" "${provider_file}" "${miss_file}"
+    return
+  fi
+
+  while IFS=$'\t' read -r package_name version; do
+    [[ -n "${package_name}" && -n "${version}" ]] || continue
+    if ! safedeps_ledger_effect_check "npm" "${package_name}" "${version}" >/dev/null 2>&1; then
+      printf '%s@%s\n' "${package_name}" "${version}" >> "${miss_file}"
+    fi
+  done < <(jq -r '.[] | [.package, (.version | tostring)] | @tsv' "${closure_file}")
+
+  miss_count=$(wc -l < "${miss_file}" | tr -d ' ')
+  if [[ "${miss_count}" -gt 0 ]]; then
+    SUSPICIOUS=true
+    REASONS+=("npm closure contains ${miss_count} unapproved package(s): $(head -20 "${miss_file}" | paste -sd ', ' -)")
+  fi
+
+  if ! safedeps_providers_query_batch "npm" "${closure_file}" > "${provider_file}"; then
+    SUSPICIOUS=true
+    REASONS+=("npm closure OSV batch verification failed; fail-closed")
+    rm -f "${closure_file}" "${provider_file}" "${miss_file}"
+    return
+  fi
+
+  kev_summary=$(jq -r '[.[] | select(.status == "hard_block") | "\(.package)@\(.version)"] | join(", ")' "${provider_file}")
+  if [[ -n "${kev_summary}" ]]; then
+    SUSPICIOUS=true
+    REASONS+=("npm closure contains KEV-blocked package(s): ${kev_summary}")
+  fi
+
+  vulnerable_summary=$(jq -r '[.[] | select(.status == "vulnerable") | "\(.package)@\(.version)"] | join(", ")' "${provider_file}")
+  if [[ -n "${vulnerable_summary}" ]]; then
+    SUSPICIOUS=true
+    REASONS+=("npm closure contains vulnerable package(s): ${vulnerable_summary}")
+  fi
+
+  rm -f "${closure_file}" "${provider_file}" "${miss_file}"
+}
+
 # Run all checks
+check_npm_effect_closure
 check_postinstall_scripts
 check_lockfile_diff
 check_binaries
@@ -572,13 +714,28 @@ if [[ "${SUSPICIOUS}" == "true" ]]; then
   Rollback warnings: ${WARNING_STR%%; }
 LOG_EOF
 
-  cat << EOF
-{"systemMessage": "safedeps: 의심스러운 패키지 변경 감지, 마지막으로 confirmed 된 안전 스냅샷으로 롤백했습니다.\n\n감지된 문제:\n${REASON_STR%%; }\n\n롤백 기준 스냅샷: ${ROLLBACK_SNAPSHOT_ID}\n롤백된 파일: ${ROLLED_BACK_STR%, }\n${WARNING_STR:+\n추가 경고:\n${WARNING_STR%%; }}\n\n상세 로그: ${GUARD_DIR}/reorg.log"}
-EOF
+  jq -nc \
+    --arg reasons "${REASON_STR%%; }" \
+    --arg rollback_snapshot "${ROLLBACK_SNAPSHOT_ID}" \
+    --arg rolled_back "${ROLLED_BACK_STR%, }" \
+    --arg warnings "${WARNING_STR%%; }" \
+    --arg log_path "${GUARD_DIR}/reorg.log" \
+    '{
+      systemMessage: (
+        "safedeps: 의심스러운 패키지 변경 감지, 마지막으로 confirmed 된 안전 스냅샷으로 롤백했습니다.\n\n" +
+        "감지된 문제:\n" + $reasons + "\n\n" +
+        "롤백 기준 스냅샷: " + $rollback_snapshot + "\n" +
+        "롤백된 파일: " + $rolled_back +
+        (if $warnings == "" then "" else "\n\n추가 경고:\n" + $warnings end) +
+        "\n\n상세 로그: " + $log_path
+      )
+    }'
   exit 0
 fi
 
+run_verified_npm_rebuild_if_injected
 confirm_snapshot "${SNAPSHOT_ID}" "${DIR_HASH}"
 cleanup_old_snapshots
+emit_confirm_warnings_if_any
 
 exit 0