@aldegad/safedeps 2.1.0

package/scripts/safedeps-pre-guard.sh

@@ -0,0 +1,427 @@
+#!/usr/bin/env bash
+# safedeps: PreToolUse hook
+# Dependency install safety gate with reorg rollback support
+# Detects package install commands and snapshots lock files before execution
+
+set -euo pipefail
+
+GUARD_DIR="${SAFEDEPS_HOME:-${HOME}/.safedeps}"
+SNAPSHOT_DIR="${GUARD_DIR}/snapshots"
+STATE_LOCK_DIR="${GUARD_DIR}/state.lock"
+
+SAFEDEPS_LOCK_FILES=(
+  "package-lock.json"
+  "pnpm-lock.yaml"
+  "yarn.lock"
+  "poetry.lock"
+  "uv.lock"
+  "Pipfile.lock"
+  "requirements.txt"
+  "Cargo.lock"
+  "go.sum"
+  "Gemfile.lock"
+  "packages.lock.json"
+)
+
+SAFEDEPS_MANIFEST_FILES=(
+  "package.json"
+  "pyproject.toml"
+  "Pipfile"
+  "Cargo.toml"
+  "go.mod"
+  "Gemfile"
+  "pom.xml"
+)
+
+umask 077
+mkdir -p "${GUARD_DIR}" "${SNAPSHOT_DIR}"
+
+if ! command -v jq >/dev/null 2>&1; then
+  echo "safedeps: jq is not installed; skipping guard hook." >&2
+  exit 0
+fi
+
+acquire_state_lock() {
+  local attempts=0
+
+  while ! mkdir "${STATE_LOCK_DIR}" 2>/dev/null; do
+    # Detect stale locks left by SIGKILL/OOM (V-005)
+    if [[ -d "${STATE_LOCK_DIR}" ]]; then
+      local lock_mtime=""
+      if lock_mtime=$(stat -f %m "${STATE_LOCK_DIR}" 2>/dev/null) || \
+         lock_mtime=$(stat -c %Y "${STATE_LOCK_DIR}" 2>/dev/null); then
+        local now
+        now=$(date +%s)
+        if [[ $(( now - lock_mtime )) -gt 60 ]]; then
+          echo "safedeps: removing stale lock ($(( now - lock_mtime ))s old)." >&2
+          rmdir "${STATE_LOCK_DIR}" 2>/dev/null || true
+          continue
+        fi
+      fi
+    fi
+
+    attempts=$((attempts + 1))
+    if [[ ${attempts} -ge 100 ]]; then
+      echo "safedeps: could not acquire state lock; skipping guard hook." >&2
+      exit 0
+    fi
+    sleep 0.1
+  done
+}
+
+release_state_lock() {
+  rmdir "${STATE_LOCK_DIR}" 2>/dev/null || true
+}
+
+write_state_file() {
+  local target_path="$1"
+  local value="$2"
+  local temp_path="${target_path}.$$"
+
+  printf '%s\n' "${value}" > "${temp_path}"
+  mv "${temp_path}" "${target_path}"
+}
+
+compute_dir_hash() {
+  local input_dir="$1"
+
+  if command -v md5sum >/dev/null 2>&1; then
+    printf '%s' "${input_dir}" | md5sum | cut -d' ' -f1
+  elif command -v md5 >/dev/null 2>&1; then
+    md5 -q -s "${input_dir}"
+  else
+    printf '%s' "${input_dir}" | cksum | cut -d' ' -f1
+  fi
+}
+
+command_is_dependency_install() {
+  local command="$1"
+  local scan_command
+  local install_pattern
+
+  scan_command=$(command_scan_text "${command}")
+  install_pattern='(^|[;&|]+[[:space:]]*)((npm[[:space:]]+(install|i|add|update|up|upgrade))|npx[[:space:]]|pnpm[[:space:]]+(add|install|update|up|dlx)|yarn[[:space:]]+(add|install|upgrade|dlx)|((python3?|py)[[:space:]]+-m[[:space:]]+pip|pip3?)[[:space:]]+install|poetry[[:space:]]+add|uv[[:space:]]+(add|pip[[:space:]]+install)|pipenv[[:space:]]+install|cargo[[:space:]]+(add|install)|go[[:space:]]+(get|install)|gem[[:space:]]+install|bundle[[:space:]]+add|mvn[[:space:]]+dependency:get|dotnet[[:space:]]+add[[:space:]]+package)([[:space:]]|$)'
+
+  echo "${scan_command}" | grep -qEi "${install_pattern}"
+}
+
+command_hides_dependency_install() {
+  local command="$1"
+  local manager_pattern
+  local verb_pattern
+
+  manager_pattern='(npm|npx|pnpm|yarn|pip3?|python3?[[:space:]]+-m[[:space:]]+pip|poetry|uv|pipenv|cargo|go|gem|bundle|mvn|dotnet)'
+  verb_pattern='(install|i|add|update|up|upgrade|dlx|get|dependency:get|package)'
+
+  echo "${command}" | grep -qEi '(eval[[:space:]]|\$\(|`)' && \
+    echo "${command}" | grep -qEi "${manager_pattern}.*${verb_pattern}"
+}
+
+command_scan_text() {
+  local input="$1"
+  local output=""
+  local quote=""
+  local char
+  local prev=""
+  local i
+
+  for ((i = 0; i < ${#input}; i++)); do
+    char="${input:i:1}"
+
+    if [[ -z "${quote}" ]]; then
+      if [[ "${char}" == "'" ]]; then
+        quote="single"
+        output="${output} "
+      elif [[ "${char}" == '"' ]]; then
+        quote="double"
+        output="${output} "
+      else
+        output="${output}${char}"
+      fi
+    elif [[ "${quote}" == "single" && "${char}" == "'" ]]; then
+      quote=""
+      output="${output} "
+    elif [[ "${quote}" == "double" && "${char}" == '"' && "${prev}" != "\\" ]]; then
+      quote=""
+      output="${output} "
+    else
+      output="${output} "
+    fi
+
+    prev="${char}"
+  done
+
+  printf '%s' "${output}"
+}
+
+snapshot_project_file() {
+  local relative_file="$1"
+  local category="${2:-manifest}"
+  local source_path="${PROJECT_DIR}/${relative_file}"
+  local snapshot_path="${SNAPSHOT_DIR}/${SNAPSHOT_ID}_${relative_file}"
+
+  printf '%s\n' "${relative_file}" >> "${SNAPSHOT_DIR}/${SNAPSHOT_ID}_monitored_files.list"
+
+  if [[ -f "${source_path}" ]]; then
+    cp "${source_path}" "${snapshot_path}"
+    if command -v shasum &>/dev/null; then
+      shasum -a 256 "${source_path}" > "${snapshot_path}.sha256"
+    elif command -v sha256sum &>/dev/null; then
+      sha256sum "${source_path}" > "${snapshot_path}.sha256"
+    fi
+    if [[ "${category}" == "lock" ]]; then
+      SNAPSHOTTED=true
+    fi
+  else
+    touch "${snapshot_path}.missing"
+  fi
+}
+
+# Read tool input from stdin
+INPUT=$(cat)
+
+# Extract tool name and command
+TOOL_NAME=$(echo "${INPUT}" | jq -r '.tool_name // empty' 2>/dev/null)
+COMMAND=$(echo "${INPUT}" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+# Only intercept Bash tool calls
+if [[ "${TOOL_NAME}" != "Bash" ]] || [[ -z "${COMMAND}" ]]; then
+  exit 0
+fi
+
+if ! command_is_dependency_install "${COMMAND}"; then
+  # Catch indirection patterns that hide install commands (V-002)
+  if command_hides_dependency_install "${COMMAND}"; then
+    : # Fall through — treat as install candidate
+  else
+    exit 0
+  fi
+fi
+
+# --- Reorg Guard Activated ---
+
+# Find lock files in common locations
+# Per Claude Code / Codex CLI hook spec, `cwd` is top-level. Fall back to `pwd`
+# only when the hook is invoked outside the engine (manual test, no stdin payload).
+PROJECT_DIR=$(echo "${INPUT}" | jq -r '.cwd // empty' 2>/dev/null)
+if [[ -z "${PROJECT_DIR}" ]]; then
+  PROJECT_DIR=$(pwd)
+fi
+
+# Canonicalize to prevent path traversal (V-003)
+if command -v realpath >/dev/null 2>&1; then
+  PROJECT_DIR=$(realpath "${PROJECT_DIR}" 2>/dev/null || echo "${PROJECT_DIR}")
+elif command -v readlink >/dev/null 2>&1; then
+  PROJECT_DIR=$(readlink -f "${PROJECT_DIR}" 2>/dev/null || echo "${PROJECT_DIR}")
+fi
+
+TIMESTAMP=$(date +%s)
+DIR_HASH=$(compute_dir_hash "${PROJECT_DIR}")
+SNAPSHOT_ID="${TIMESTAMP}_${DIR_HASH}"
+
+acquire_state_lock
+trap 'release_state_lock' EXIT
+
+PARENT_SNAPSHOT_ID=""
+CONFIRMED_FILE="${GUARD_DIR}/confirmed_${DIR_HASH}"
+if [[ -f "${CONFIRMED_FILE}" ]]; then
+  PARENT_SNAPSHOT_ID=$(cat "${CONFIRMED_FILE}" 2>/dev/null || true)
+fi
+
+if [[ -n "${PARENT_SNAPSHOT_ID}" ]] && [[ ! -f "${SNAPSHOT_DIR}/${PARENT_SNAPSHOT_ID}_meta.json" ]]; then
+  # Fallback: check legacy global confirmed file for migration
+  if [[ -f "${GUARD_DIR}/confirmed" ]]; then
+    PARENT_SNAPSHOT_ID=$(cat "${GUARD_DIR}/confirmed" 2>/dev/null || true)
+    if [[ -n "${PARENT_SNAPSHOT_ID}" ]] && [[ ! -f "${SNAPSHOT_DIR}/${PARENT_SNAPSHOT_ID}_meta.json" ]]; then
+      PARENT_SNAPSHOT_ID=""
+    fi
+  else
+    PARENT_SNAPSHOT_ID=""
+  fi
+fi
+
+PARENT_SNAPSHOT_JSON=$(printf '%s' "${PARENT_SNAPSHOT_ID}" | jq -Rs 'if length == 0 then null else . end')
+
+# Snapshot lock and manifest files that define dependency truth.
+SNAPSHOTTED=false
+: > "${SNAPSHOT_DIR}/${SNAPSHOT_ID}_monitored_files.list"
+
+for lock_file in "${SAFEDEPS_LOCK_FILES[@]}"; do
+  snapshot_project_file "${lock_file}" "lock"
+done
+
+for manifest_file in "${SAFEDEPS_MANIFEST_FILES[@]}"; do
+  snapshot_project_file "${manifest_file}" "manifest"
+done
+
+while IFS= read -r csproj_file; do
+  snapshot_project_file "$(basename "${csproj_file}")" "manifest"
+done < <(find "${PROJECT_DIR}" -maxdepth 1 -type f -name "*.csproj" 2>/dev/null | sort)
+
+# Save pre-install listings for diff-based detection (avoids mtime-based find -newer)
+if [[ -d "${PROJECT_DIR}/node_modules" ]]; then
+  find "${PROJECT_DIR}/node_modules" -maxdepth 3 -name "package.json" 2>/dev/null | sort > "${SNAPSHOT_DIR}/${SNAPSHOT_ID}_packages.list"
+  { ls "${PROJECT_DIR}/node_modules/.bin/" 2>/dev/null || true; } | sort > "${SNAPSHOT_DIR}/${SNAPSHOT_ID}_bins.list"
+else
+  touch "${SNAPSHOT_DIR}/${SNAPSHOT_ID}_packages.list"
+  touch "${SNAPSHOT_DIR}/${SNAPSHOT_ID}_bins.list"
+fi
+
+# Store metadata for PostToolUse verification
+cat > "${SNAPSHOT_DIR}/${SNAPSHOT_ID}_meta.json" << META_EOF
+{
+  "snapshot_id": "${SNAPSHOT_ID}",
+  "parent_snapshot_id": ${PARENT_SNAPSHOT_JSON},
+  "timestamp": ${TIMESTAMP},
+  "project_dir": $(printf '%s' "${PROJECT_DIR}" | jq -Rs .),
+  "command": $(printf '%s' "${COMMAND}" | jq -Rs .),
+  "lock_files_found": ${SNAPSHOTTED}
+}
+META_EOF
+
+# --- Pre-flight security checks on the command itself ---
+
+SUSPICIOUS=false
+REASONS=()
+
+# Check for piped install from suspicious sources
+if echo "${COMMAND}" | grep -qEi 'curl.*\|[[:space:]]*(bash|sh|node)'; then
+  SUSPICIOUS=true
+  REASONS+=("Command pipes remote content to shell execution")
+fi
+
+# Check for install with --ignore-scripts being removed (attacker might want scripts to run)
+if echo "${COMMAND}" | grep -qEi 'npm[[:space:]]+config[[:space:]]+set[[:space:]]+ignore-scripts[[:space:]]+false'; then
+  SUSPICIOUS=true
+  REASONS+=("Command explicitly enables install scripts")
+fi
+
+# Check for registry override to unknown registry
+if echo "${COMMAND}" | grep -qEi -- '--registry([=[:space:]]+)'; then
+  if ! echo "${COMMAND}" | grep -qEi -- '--registry([=[:space:]]+)https?://(registry\.npmjs\.org|registry\.yarnpkg\.com)(/|[[:space:]]|$)'; then
+    SUSPICIOUS=true
+    REASONS+=("Command uses non-standard npm registry")
+  fi
+fi
+
+# Check for packages with suspicious naming patterns (typosquatting indicators)
+TYPOSQUAT_PATTERNS='(lod[bcdfghjklmnpqrstvwxyz]sh|lodahs|loadsh|lodashh|reacct|exprss|axois|babeel|webpackk|esliint|l0dash|m0ment|4xios|reqeusts|requets|djagno|numppy|panddas|pilliow|tensorfow|scikit-learnn|serde_jsonn|tokioo|reqwestt|clapp|github\.con/|githb\.com/|railss|sinatraa|nokogirri|log4jj|springframewrok|commons-collectionss|newtonsoft\.josn|serilogg|nunittt)'
+if echo "${COMMAND}" | grep -qEi "${TYPOSQUAT_PATTERNS}"; then
+  SUSPICIOUS=true
+  REASONS+=("Package name matches known typosquatting patterns")
+fi
+
+if [[ "${SUSPICIOUS}" == "true" ]]; then
+  REASON_STR=$(printf '%s; ' "${REASONS[@]}")
+  jq -nc --arg reason "safedeps: ${REASON_STR%%; }" \
+    '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:"deny",permissionDecisionReason:$reason}}'
+  exit 0
+fi
+
+# --- Phase 2 advisory gate — ledger enforcement -------------------------------
+# For commands that name specific packages, require an entry in the approved-
+# spec ledger. Miss/expired → block with a structured message that names the
+# exact `safedeps check` command the caller (agent or human) should run next.
+#
+# Conservative: only block when at least one pkg@spec token is parseable. Bare
+# `npm install` (lockfile install) falls through to the v1 reorg checks.
+
+SAFEDEPS_LEDGER_LIB="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)/lib/ledger/ledger.sh"
+SAFEDEPS_REPO_BIN="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)/bin/safedeps"
+
+guard_detect_ecosystem() {
+  local cmd="$1"
+  local scan_cmd
+
+  scan_cmd=$(command_scan_text "${cmd}")
+  if echo "${scan_cmd}" | grep -qEi '(^|[;&|]+[[:space:]]*)(npm|pnpm|yarn|npx)([[:space:]]|$)'; then
+    printf 'npm'
+  elif echo "${scan_cmd}" | grep -qEi '(^|[;&|]+[[:space:]]*)(pip3?|poetry|uv|pipenv|((python3?|py)[[:space:]]+-m[[:space:]]+pip))([[:space:]]|$)'; then
+    printf 'pypi'
+  elif echo "${scan_cmd}" | grep -qEi '(^|[;&|]+[[:space:]]*)cargo([[:space:]]|$)'; then
+    printf 'crates.io'
+  elif echo "${scan_cmd}" | grep -qEi '(^|[;&|]+[[:space:]]*)go([[:space:]]|$)'; then
+    printf 'go'
+  elif echo "${scan_cmd}" | grep -qEi '(^|[;&|]+[[:space:]]*)(gem|bundle)([[:space:]]|$)'; then
+    printf 'rubygems'
+  elif echo "${scan_cmd}" | grep -qEi '(^|[;&|]+[[:space:]]*)mvn([[:space:]]|$)'; then
+    printf 'maven'
+  elif echo "${scan_cmd}" | grep -qEi '(^|[;&|]+[[:space:]]*)dotnet([[:space:]]|$)'; then
+    printf 'nuget'
+  else
+    printf ''
+  fi
+}
+
+guard_extract_specs() {
+  # Echo one "pkg<TAB>spec" line per pkg@spec token found in the command.
+  # Captures @scope/name@spec and bare-name@spec forms.
+  local cmd="$1"
+  echo "${cmd}" \
+    | grep -oE '(@[a-zA-Z0-9._/-]+/)?[a-zA-Z][a-zA-Z0-9._-]*@[a-zA-Z0-9._^~|<>=*+-]+' \
+    | while IFS= read -r token; do
+        local pkg spec
+        if [[ "${token}" =~ ^(@[^@]+)@(.+)$ ]]; then
+          pkg="${BASH_REMATCH[1]}"
+          spec="${BASH_REMATCH[2]}"
+        else
+          pkg="${token%@*}"
+          spec="${token##*@}"
+        fi
+        printf '%s\t%s\n' "${pkg}" "${spec}"
+      done
+}
+
+LEDGER_ECOSYSTEM=$(guard_detect_ecosystem "${COMMAND}")
+LEDGER_SPECS=()
+while IFS= read -r ledger_spec_line; do
+  [[ -z "${ledger_spec_line}" ]] && continue
+  LEDGER_SPECS+=("${ledger_spec_line}")
+done < <(guard_extract_specs "${COMMAND}")
+
+if [[ -n "${LEDGER_ECOSYSTEM}" && ${#LEDGER_SPECS[@]} -gt 0 && -f "${SAFEDEPS_LEDGER_LIB}" ]]; then
+  # shellcheck source=../lib/ledger/ledger.sh
+  source "${SAFEDEPS_LEDGER_LIB}"
+
+  GUARD_BLOCKED_CMDS=()
+  for entry in "${LEDGER_SPECS[@]}"; do
+    pkg="${entry%%$'\t'*}"
+    spec="${entry##*$'\t'}"
+    [[ -z "${pkg}" || -z "${spec}" ]] && continue
+    if ! safedeps_ledger_check "${LEDGER_ECOSYSTEM}" "${pkg}" "${spec}" 2>/dev/null \
+        | jq -e '.approved == true' >/dev/null 2>&1; then
+      GUARD_BLOCKED_CMDS+=("safedeps check ${LEDGER_ECOSYSTEM} ${pkg}@${spec}")
+    fi
+  done
+
+  if [[ ${#GUARD_BLOCKED_CMDS[@]} -gt 0 ]]; then
+    NEXT_CMD=""
+    for ((i = 0; i < ${#GUARD_BLOCKED_CMDS[@]}; i++)); do
+      if [[ -z "${NEXT_CMD}" ]]; then
+        NEXT_CMD="${GUARD_BLOCKED_CMDS[$i]}"
+      else
+        NEXT_CMD="${NEXT_CMD} && ${GUARD_BLOCKED_CMDS[$i]}"
+      fi
+    done
+    REASON_JSON=$(jq -nc \
+      --arg next "${NEXT_CMD}" \
+      --arg ecosystem "${LEDGER_ECOSYSTEM}" \
+      '{
+        hookSpecificOutput: {
+          hookEventName: "PreToolUse",
+          permissionDecision: "deny",
+          permissionDecisionReason: ("safedeps: install not approved (ecosystem=" + $ecosystem + ") — run `" + $next + "` first, then retry the install using the approved version (see install_hint in the check output).")
+        }
+      }')
+    printf '%s\n' "${REASON_JSON}"
+    exit 0
+  fi
+fi
+
+# Write current state atomically for PostToolUse (V-004: single file prevents TOCTOU)
+CURRENT_STATE=$(jq -n --arg sid "${SNAPSHOT_ID}" --arg pdir "${PROJECT_DIR}" --arg dhash "${DIR_HASH}" \
+  '{snapshot_id: $sid, project_dir: $pdir, dir_hash: $dhash}')
+write_state_file "${GUARD_DIR}/current_state" "${CURRENT_STATE}"
+
+# Allow the command to proceed — PostToolUse will verify the result
+exit 0

package/scripts/safedeps-recheck-alert.sh

@@ -0,0 +1,115 @@
+#!/usr/bin/env bash
+# Run safedeps re-check and notify only when attention is needed.
+
+set -euo pipefail
+
+ROOT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)
+SAFEDEPS_BIN="${SAFEDEPS_BIN:-${ROOT_DIR}/bin/safedeps}"
+SAFEDEPS_HOME="${SAFEDEPS_HOME:-${HOME}/.safedeps}"
+SAFEDEPS_RECHECK_LOG="${SAFEDEPS_RECHECK_LOG:-${SAFEDEPS_HOME}/recheck.log}"
+SAFEDEPS_RECHECK_ERR_LOG="${SAFEDEPS_RECHECK_ERR_LOG:-${SAFEDEPS_HOME}/recheck.err.log}"
+SAFEDEPS_RECHECK_ALERTS="${SAFEDEPS_RECHECK_ALERTS:-${SAFEDEPS_HOME}/recheck-alerts.jsonl}"
+SAFEDEPS_NOTIFY="${SAFEDEPS_NOTIFY:-1}"
+
+mkdir -p "${SAFEDEPS_HOME}" "$(dirname "${SAFEDEPS_RECHECK_LOG}")" "$(dirname "${SAFEDEPS_RECHECK_ALERTS}")"
+
+now_utc() {
+  date -u +"%Y-%m-%dT%H:%M:%SZ"
+}
+
+notify() {
+  local title="$1"
+  local message="$2"
+
+  [[ "${SAFEDEPS_NOTIFY}" == "1" ]] || return 0
+  command -v osascript >/dev/null 2>&1 || return 0
+
+  osascript - "${title}" "${message}" <<'OSA' >/dev/null 2>&1 || true
+on run argv
+  display notification (item 2 of argv) with title (item 1 of argv)
+end run
+OSA
+}
+
+append_alert() {
+  local alert_json="$1"
+  printf '%s\n' "${alert_json}" >> "${SAFEDEPS_RECHECK_ALERTS}"
+}
+
+tmp_root="${TMPDIR:-/tmp}"
+mkdir -p "${tmp_root}"
+tmp_json=$(mktemp "${tmp_root%/}/safedeps-recheck.XXXXXX")
+tmp_err=$(mktemp "${tmp_root%/}/safedeps-recheck-err.XXXXXX")
+cleanup() {
+  rm -f "${tmp_json}" "${tmp_err}"
+}
+trap cleanup EXIT
+
+run_at=$(now_utc)
+status=0
+
+if [[ -n "${SAFEDEPS_RECHECK_FIXTURE_JSON:-}" ]]; then
+  cat "${SAFEDEPS_RECHECK_FIXTURE_JSON}" > "${tmp_json}"
+else
+  "${SAFEDEPS_BIN}" re-check --json > "${tmp_json}" 2> "${tmp_err}" || status=$?
+fi
+
+{
+  printf '[%s] safedeps re-check status=%s\n' "${run_at}" "${status}"
+  cat "${tmp_json}" 2>/dev/null || true
+  printf '\n'
+} >> "${SAFEDEPS_RECHECK_LOG}"
+
+if [[ -s "${tmp_err}" ]]; then
+  {
+    printf '[%s] safedeps re-check stderr\n' "${run_at}"
+    cat "${tmp_err}"
+    printf '\n'
+  } >> "${SAFEDEPS_RECHECK_ERR_LOG}"
+fi
+
+if [[ "${status}" -ne 0 ]]; then
+  alert=$(jq -cn \
+    --arg at "${run_at}" \
+    --argjson status "${status}" \
+    --rawfile stderr "${tmp_err}" \
+    '{kind:"recheck_failed", at:$at, exit_status:$status, stderr:$stderr}')
+  append_alert "${alert}"
+  notify "safedeps re-check failed" "Daily dependency approval re-check exited ${status}. See ~/.safedeps/recheck.err.log"
+  exit "${status}"
+fi
+
+if ! jq -e '.command == "re-check"' "${tmp_json}" >/dev/null 2>&1; then
+  alert=$(jq -cn \
+    --arg at "${run_at}" \
+    --rawfile output "${tmp_json}" \
+    '{kind:"recheck_invalid_output", at:$at, output:$output}')
+  append_alert "${alert}"
+  notify "safedeps re-check failed" "Daily re-check returned invalid JSON. See ~/.safedeps/recheck.log"
+  exit 1
+fi
+
+checked=$(jq -r '.checked // 0' "${tmp_json}")
+still_clean=$(jq -r '.still_clean // 0' "${tmp_json}")
+newly_vulnerable=$(jq -r '(.newly_vulnerable // []) | length' "${tmp_json}")
+kev_hit=$(jq -r '(.kev_hit // []) | length' "${tmp_json}")
+revoked=$(jq -r '(.revoked // []) | length' "${tmp_json}")
+skipped=$(( checked - still_clean - revoked ))
+if [[ "${skipped}" -lt 0 ]]; then
+  skipped=0
+fi
+
+if [[ "${newly_vulnerable}" -gt 0 || "${kev_hit}" -gt 0 || "${revoked}" -gt 0 || "${skipped}" -gt 0 ]]; then
+  alert=$(jq -c \
+    --arg at "${run_at}" \
+    --argjson skipped "${skipped}" \
+    '. + {kind:"recheck_attention", at:$at, provider_skipped:$skipped}' \
+    "${tmp_json}")
+  append_alert "${alert}"
+
+  message="${revoked} revoked, ${newly_vulnerable} new CVE, ${kev_hit} KEV"
+  if [[ "${skipped}" -gt 0 ]]; then
+    message="${message}, ${skipped} provider skipped"
+  fi
+  notify "safedeps attention needed" "${message}. See ~/.safedeps/recheck-alerts.jsonl"
+fi

package/scripts/test/e2e.sh

@@ -0,0 +1,107 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)
+cd "${ROOT_DIR}"
+
+pass() {
+  printf 'ok - %s\n' "$1"
+}
+
+fail() {
+  printf 'not ok - %s\n' "$1" >&2
+  exit 1
+}
+
+tmp_root=$(mktemp -d "${TMPDIR:-/tmp}/safedeps-e2e.XXXXXX")
+cleanup() {
+  if [[ -n "${server_pid:-}" ]]; then
+    kill "${server_pid}" 2>/dev/null || true
+    wait "${server_pid}" 2>/dev/null || true
+  fi
+  rm -rf "${tmp_root}"
+}
+trap cleanup EXIT
+
+port_file="${tmp_root}/port"
+state_file="${tmp_root}/state.json"
+printf '%s\n' '{"vulnerable":[]}' > "${state_file}"
+node scripts/test/fixture-provider.mjs "${port_file}" "${state_file}" &
+server_pid=$!
+
+for _ in {1..50}; do
+  [[ -s "${port_file}" ]] && break
+  sleep 0.1
+done
+[[ -s "${port_file}" ]] || fail "fixture provider starts"
+port=$(cat "${port_file}")
+
+export SAFEDEPS_HOME="${tmp_root}/safe"
+export SAFEDEPS_OSV_API_URL="http://127.0.0.1:${port}/osv/v1/query"
+export SAFEDEPS_KEV_CATALOG_URL="http://127.0.0.1:${port}/kev.json"
+export SAFEDEPS_GHSA_API_URL="http://127.0.0.1:${port}/advisories"
+export SAFEDEPS_PROVIDER_CACHE_TTL_SECONDS=0
+
+clean_json=$(./bin/safedeps --json check npm fixture-clean@1.0.0)
+[[ "$(jq -r '.result' <<< "${clean_json}")" == "clean" ]] || fail "clean fixture approved"
+pass "clean advisory approval"
+
+patched_json=$(./bin/safedeps --json check npm fixture-vuln@1.0.0)
+[[ "$(jq -r '.result' <<< "${patched_json}")" == "patched_available" ]] || fail "patched fixture narrows"
+[[ "$(jq -r '.suggested_spec' <<< "${patched_json}")" == "1.0.1" ]] || fail "patched fixture suggests fixed version"
+pass "patched advisory narrowing"
+
+set +e
+unpatched_json=$(./bin/safedeps --json check npm fixture-unpatched@1.0.0)
+unpatched_status=$?
+kev_json=$(./bin/safedeps --json check npm fixture-kev@1.0.0)
+kev_status=$?
+set -e
+[[ "${unpatched_status}" -eq 2 ]] || fail "unpatched fixture exits 2"
+[[ "$(jq -r '.result' <<< "${unpatched_json}")" == "cve_unpatched" ]] || fail "unpatched fixture reports cve_unpatched"
+[[ "${kev_status}" -eq 3 ]] || fail "kev fixture exits 3"
+[[ "$(jq -r '.result' <<< "${kev_json}")" == "kev_hard_block" ]] || fail "kev fixture reports kev_hard_block"
+pass "block classifications"
+
+project_dir="${tmp_root}/project"
+mkdir -p "${project_dir}"
+printf '{"dependencies":{}}\n' > "${project_dir}/package.json"
+hook_allow=$(
+  scripts/safedeps-pre-guard.sh <<EOF
+{"tool_name":"Bash","tool_input":{"command":"npm install fixture-vuln@1.0.1"},"cwd":"${project_dir}"}
+EOF
+)
+[[ -z "${hook_allow}" ]] || fail "hook allows narrowed approved spec"
+pass "hook allows approved narrowed spec"
+
+printf '%s\n' '{"vulnerable":["fixture-clean@1.0.0"]}' > "${state_file}"
+recheck_json=$(./bin/safedeps --json re-check)
+[[ "$(jq -r '.revoked | length' <<< "${recheck_json}")" == "1" ]] || fail "re-check revokes newly vulnerable spec"
+[[ "$(jq -r '.revoked[0].package' <<< "${recheck_json}")" == "fixture-clean" ]] || fail "re-check revoked expected package"
+pass "re-check revocation"
+
+legacy_home="${tmp_root}/legacy"
+target_home="${tmp_root}/migrated"
+mkdir -p "${legacy_home}/approved-specs"
+printf 'legacy\n' > "${legacy_home}/approved-specs/example.json"
+migrate_json=$(SAFEDEPS_LEGACY_HOME="${legacy_home}" SAFEDEPS_HOME="${target_home}" ./bin/safedeps --json migrate)
+[[ "$(jq -r '.migrated' <<< "${migrate_json}")" == "true" ]] || fail "legacy state migrated"
+[[ -f "${target_home}/approved-specs/example.json" ]] || fail "legacy state copied"
+[[ ! -e "${legacy_home}" ]] || fail "legacy root archived"
+pass "legacy state migration"
+
+installer_home="${tmp_root}/installer-home"
+mkdir -p "${installer_home}/.claude" "${installer_home}/.codex"
+cat > "${installer_home}/.claude/settings.json" <<EOF
+{"hooks":{"PreToolUse":[{"matcher":"Bash","hooks":[{"type":"command","command":"${installer_home}/.claude/skills/npm-reorg-guard/scripts/guard.sh"}]}],"PostToolUse":[{"matcher":"Bash","hooks":[{"type":"command","command":"${installer_home}/.claude/skills/npm-reorg-guard/scripts/verify.sh"}]}]}}
+EOF
+HOME="${installer_home}" node scripts/install/install-safedeps-hooks.mjs >/dev/null
+jq -e --arg pre "${ROOT_DIR}/scripts/safedeps-pre-guard.sh" '
+  [.hooks.PreToolUse[]?.hooks[]?.command] | index($pre)
+' "${installer_home}/.claude/settings.json" >/dev/null || fail "installer writes new pre hook"
+if jq -e '[.. | strings] | any(contains("npm-reorg-guard"))' "${installer_home}/.claude/settings.json" >/dev/null; then
+  fail "installer removes legacy hook"
+fi
+pass "installer legacy hook cleanup"
+
+printf 'e2e passed\n'