@aldegad/safedeps 2.1.1 → 2.2.0

package/lib/providers/providers.sh

@@ -10,6 +10,7 @@ SAFEDEPS_ADVISORY_LOG="${SAFEDEPS_ADVISORY_LOG:-${SAFEDEPS_HOME}/advisory.log}"
 SAFEDEPS_PROVIDER_CACHE_TTL_SECONDS="${SAFEDEPS_PROVIDER_CACHE_TTL_SECONDS:-86400}"
 
 SAFEDEPS_OSV_API_URL="${SAFEDEPS_OSV_API_URL:-https://api.osv.dev/v1/query}"
+SAFEDEPS_OSV_BATCH_API_URL="${SAFEDEPS_OSV_BATCH_API_URL:-https://api.osv.dev/v1/querybatch}"
 SAFEDEPS_KEV_CATALOG_URL="${SAFEDEPS_KEV_CATALOG_URL:-https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json}"
 SAFEDEPS_GHSA_API_URL="${SAFEDEPS_GHSA_API_URL:-https://api.github.com/advisories}"
 
@@ -51,6 +52,27 @@ safedeps_provider_mktemp_dir() {
   mktemp -d "${tmp_root%/}/safedeps-providers.XXXXXX"
 }
 
+safedeps_cache_response_temp() {
+  local target_path="$1"
+  local target_dir
+  local target_base
+
+  target_dir=$(dirname "${target_path}")
+  target_base=$(basename "${target_path}")
+  mkdir -p "${target_dir}" || return 1
+  mktemp "${target_dir}/.${target_base}.XXXXXX"
+}
+
+safedeps_url_host() {
+  local url="$1"
+  local host
+
+  host="${url#*://}"
+  host="${host%%/*}"
+  host="${host%%:*}"
+  printf '%s' "${host}"
+}
+
 safedeps_now_iso() {
   date -u +"%Y-%m-%dT%H:%M:%SZ"
 }
@@ -167,7 +189,7 @@ safedeps_osv_query() {
     --arg version "${version}" \
     '{version: $version, package: {name: $package, ecosystem: $ecosystem}}')
 
-  response_file="${cache_path}.$$"
+  response_file=$(safedeps_cache_response_temp "${cache_path}") || return 1
   http_status=$(curl -fsS \
     --max-time 15 \
     -H 'Content-Type: application/json' \
@@ -177,7 +199,7 @@ safedeps_osv_query() {
     "${SAFEDEPS_OSV_API_URL}" 2>/dev/null || true)
 
   if [[ "${http_status}" == "200" ]] && jq -e 'type == "object"' "${response_file}" >/dev/null 2>&1; then
-    mv "${response_file}" "${cache_path}"
+    mv -f "${response_file}" "${cache_path}"
     safedeps_provider_log "INFO" "OSV live query ok ecosystem=${osv_ecosystem} package=${package_name} version=${version}"
     cat "${cache_path}"
     return 0
@@ -192,6 +214,134 @@ safedeps_osv_query() {
   return 1
 }
 
+safedeps_osv_query_batch() {
+  local ecosystem="$1"
+  local closure_file="$2"
+  local osv_ecosystem
+  local temp_dir
+  local all_items_file
+  local miss_items_file
+  local payload_file
+  local response_file
+  local results_file
+  local http_status
+  local index=0
+  local package_name
+  local version
+  local direct
+
+  safedeps_require_json_tools || return 1
+  safedeps_providers_init
+  [[ -f "${closure_file}" ]] || return 1
+
+  osv_ecosystem=$(safedeps_osv_ecosystem "${ecosystem}")
+  temp_dir=$(safedeps_provider_mktemp_dir) || return 1
+  all_items_file="${temp_dir}/items.jsonl"
+  miss_items_file="${temp_dir}/misses.jsonl"
+  payload_file="${temp_dir}/payload.json"
+  response_file="${temp_dir}/response.json"
+  results_file="${temp_dir}/results.json"
+  : > "${all_items_file}"
+  : > "${miss_items_file}"
+
+  while IFS=$'\t' read -r package_name version direct; do
+    [[ -n "${package_name}" && -n "${version}" ]] || continue
+    local cache_key
+    local cache_path
+    cache_key=$(safedeps_cache_key "osv" "${osv_ecosystem}" "${package_name}" "${version}")
+    cache_path="${SAFEDEPS_CACHE_DIR}/osv/${cache_key}.json"
+
+    if safedeps_cache_is_fresh "${cache_path}"; then
+      safedeps_provider_log "INFO" "OSV batch cache hit ecosystem=${osv_ecosystem} package=${package_name} version=${version}"
+      jq -cn \
+        --argjson index "${index}" \
+        --arg ecosystem "${ecosystem}" \
+        --arg package "${package_name}" \
+        --arg version "${version}" \
+        --argjson direct "${direct}" \
+        --slurpfile osv "${cache_path}" \
+        '{index:$index, ecosystem:$ecosystem, package:$package, version:$version, direct:$direct, osv:($osv[0] // {vulns:[]})}' >> "${all_items_file}"
+    else
+      jq -cn \
+        --argjson index "${index}" \
+        --arg ecosystem "${ecosystem}" \
+        --arg package "${package_name}" \
+        --arg version "${version}" \
+        --argjson direct "${direct}" \
+        --arg cache_path "${cache_path}" \
+        '{index:$index, ecosystem:$ecosystem, package:$package, version:$version, direct:$direct, cache_path:$cache_path}' >> "${miss_items_file}"
+    fi
+    index=$((index + 1))
+  done < <(jq -r '.[] | [.package, (.version | tostring), ((.direct // false) | tostring)] | @tsv' "${closure_file}")
+
+  if [[ -s "${miss_items_file}" ]]; then
+    safedeps_require_http_client || {
+      safedeps_provider_log "ERROR" "OSV batch unavailable; cache miss ecosystem=${osv_ecosystem}"
+      rm -rf "${temp_dir}"
+      return 1
+    }
+
+    jq -cn --arg ecosystem "${osv_ecosystem}" --slurpfile misses "${miss_items_file}" '
+      {
+        queries: [
+          $misses[]
+          | {version: .version, package: {name: .package, ecosystem: $ecosystem}}
+        ]
+      }
+    ' > "${payload_file}"
+
+    http_status=$(curl -fsS \
+      --max-time 20 \
+      -H 'Content-Type: application/json' \
+      -o "${response_file}" \
+      -w '%{http_code}' \
+      -d @"${payload_file}" \
+      "${SAFEDEPS_OSV_BATCH_API_URL}" 2>/dev/null || true)
+
+    if [[ "${http_status}" != "200" ]] || ! jq -e '.results | type == "array"' "${response_file}" >/dev/null 2>&1; then
+      safedeps_provider_log "ERROR" "OSV batch query failed status=${http_status:-none}"
+      rm -rf "${temp_dir}"
+      return 1
+    fi
+
+    local miss_count
+    local result_count
+    miss_count=$(jq -s 'length' "${miss_items_file}")
+    result_count=$(jq '.results | length' "${response_file}")
+    if [[ "${miss_count}" != "${result_count}" ]]; then
+      safedeps_provider_log "ERROR" "OSV batch result count mismatch misses=${miss_count} results=${result_count}"
+      rm -rf "${temp_dir}"
+      return 1
+    fi
+
+    local miss_i=0
+    while IFS= read -r miss_item; do
+      local cache_path
+      local response_item_file
+      cache_path=$(jq -r '.cache_path' <<< "${miss_item}")
+      response_item_file=$(safedeps_cache_response_temp "${cache_path}") || {
+        rm -rf "${temp_dir}"
+        return 1
+      }
+      jq -c --argjson i "${miss_i}" '.results[$i] // {vulns: []}' "${response_file}" > "${response_item_file}"
+      if ! jq -e 'type == "object"' "${response_item_file}" >/dev/null 2>&1; then
+        rm -f "${response_item_file}"
+        rm -rf "${temp_dir}"
+        return 1
+      fi
+      mv -f "${response_item_file}" "${cache_path}"
+      safedeps_provider_log "INFO" "OSV batch live query ok ecosystem=${osv_ecosystem} package=$(jq -r '.package' <<< "${miss_item}") version=$(jq -r '.version' <<< "${miss_item}")"
+      jq -cn --argjson miss "${miss_item}" --slurpfile osv "${cache_path}" \
+        '$miss | del(.cache_path) | . + {osv: ($osv[0] // {vulns: []})}' >> "${all_items_file}"
+      miss_i=$((miss_i + 1))
+    done < "${miss_items_file}"
+  fi
+
+  jq -s 'sort_by(.index)' "${all_items_file}" > "${results_file}"
+  cat "${results_file}"
+  rm -rf "${temp_dir}"
+}
+
 safedeps_extract_cves_from_osv() {
   local osv_json="$1"
 
@@ -230,11 +380,11 @@ safedeps_kev_refresh_catalog() {
     return 1
   fi
 
-  response_path="${cache_path}.$$"
+  response_path=$(safedeps_cache_response_temp "${cache_path}") || return 1
   http_status=$(curl -fsS --max-time 15 -o "${response_path}" -w '%{http_code}' "${SAFEDEPS_KEV_CATALOG_URL}" 2>/dev/null || true)
 
   if [[ "${http_status}" == "200" ]] && jq -e '.vulnerabilities | type == "array"' "${response_path}" >/dev/null 2>&1; then
-    mv "${response_path}" "${cache_path}"
+    mv -f "${response_path}" "${cache_path}"
     safedeps_provider_log "INFO" "CISA KEV catalog refresh ok"
     printf '%s' "${cache_path}"
     return 0
@@ -301,6 +451,8 @@ safedeps_ghsa_query() {
   local cache_path
   local response_file
   local http_status
+  local ghsa_host
+  local curl_args
 
   safedeps_require_json_tools || return 1
   safedeps_providers_init
@@ -324,29 +476,29 @@ safedeps_ghsa_query() {
 
   encoded_ecosystem=$(safedeps_json_uri_escape "${ghsa_ecosystem}")
   encoded_package=$(safedeps_json_uri_escape "${package_name}")
-  response_file="${cache_path}.$$"
-
-  if [[ -n "${GITHUB_TOKEN:-}" ]]; then
-    http_status=$(curl -fsS \
-      --max-time 15 \
-      -H 'Accept: application/vnd.github+json' \
-      -H 'X-GitHub-Api-Version: 2022-11-28' \
-      -H "Authorization: Bearer ${GITHUB_TOKEN}" \
-      -o "${response_file}" \
-      -w '%{http_code}' \
-      "${SAFEDEPS_GHSA_API_URL}?ecosystem=${encoded_ecosystem}&affects=${encoded_package}&per_page=100" 2>/dev/null || true)
-  else
-    http_status=$(curl -fsS \
-      --max-time 15 \
-      -H 'Accept: application/vnd.github+json' \
-      -H 'X-GitHub-Api-Version: 2022-11-28' \
-      -o "${response_file}" \
-      -w '%{http_code}' \
-      "${SAFEDEPS_GHSA_API_URL}?ecosystem=${encoded_ecosystem}&affects=${encoded_package}&per_page=100" 2>/dev/null || true)
+  response_file=$(safedeps_cache_response_temp "${cache_path}") || return 1
+  ghsa_host=$(safedeps_url_host "${SAFEDEPS_GHSA_API_URL}")
+
+  curl_args=(
+    -fsS
+    --max-time 15
+    -H 'Accept: application/vnd.github+json'
+    -H 'X-GitHub-Api-Version: 2022-11-28'
+    -o "${response_file}"
+    -w '%{http_code}'
+  )
+
+  if [[ -n "${GITHUB_TOKEN:-}" && "${ghsa_host}" == "api.github.com" ]]; then
+    curl_args+=(-H "Authorization: Bearer ${GITHUB_TOKEN}")
+  elif [[ -n "${GITHUB_TOKEN:-}" ]]; then
+    safedeps_provider_log "WARN" "GHSA token withheld for non-GitHub host host=${ghsa_host}"
   fi
 
+  http_status=$(curl "${curl_args[@]}" \
+    "${SAFEDEPS_GHSA_API_URL}?ecosystem=${encoded_ecosystem}&affects=${encoded_package}&per_page=100" 2>/dev/null || true)
+
   if [[ "${http_status}" == "200" ]] && jq -e 'type == "array"' "${response_file}" >/dev/null 2>&1; then
-    mv "${response_file}" "${cache_path}"
+    mv -f "${response_file}" "${cache_path}"
     safedeps_provider_log "INFO" "GHSA live query ok ecosystem=${ghsa_ecosystem} package=${package_name}"
     jq -cn --arg queried_at "${queried_at}" --slurpfile advisories "${cache_path}" \
       '{queried_at: $queried_at, status: "live", advisories: $advisories[0]}'
@@ -459,6 +611,66 @@ safedeps_providers_query() {
   rm -rf "${temp_dir}"
 }
 
+safedeps_providers_query_batch() {
+  local ecosystem="$1"
+  local closure_file="$2"
+  local queried_at
+  local temp_dir
+  local osv_batch_file
+  local results_file
+
+  safedeps_require_json_tools || return 1
+  queried_at=$(safedeps_now_iso)
+  temp_dir=$(safedeps_provider_mktemp_dir) || return 1
+  osv_batch_file="${temp_dir}/osv-batch.json"
+  results_file="${temp_dir}/results.jsonl"
+  : > "${results_file}"
+
+  if ! safedeps_osv_query_batch "${ecosystem}" "${closure_file}" > "${osv_batch_file}"; then
+    rm -rf "${temp_dir}"
+    return 1
+  fi
+
+  while IFS= read -r item; do
+    local osv_file
+    local kev_json
+    local status
+    osv_file="${temp_dir}/osv-item.json"
+    jq -c '.osv' <<< "${item}" > "${osv_file}"
+    kev_json=$(safedeps_kev_overlay "${osv_file}" "${queried_at}")
+    status=$(jq -r --argjson kev "${kev_json}" '
+      if $kev.exploited then "hard_block"
+      elif ((.osv.vulns // []) | length) > 0 then "vulnerable"
+      else "clean"
+      end
+    ' <<< "${item}")
+    jq -cn \
+      --argjson item "${item}" \
+      --arg queried_at "${queried_at}" \
+      --arg status "${status}" \
+      --argjson kev "${kev_json}" \
+      '{
+        index: $item.index,
+        ecosystem: $item.ecosystem,
+        package: $item.package,
+        version: $item.version,
+        direct: ($item.direct // false),
+        queried_at: $queried_at,
+        status: $status,
+        vulnerabilities: ($item.osv.vulns // []),
+        kev: $kev,
+        provider_status: {
+          osv: {status: "ok", canonical: true, batch: true},
+          kev: {status: ($kev.status // "ok"), overlay: true},
+          ghsa: {status: "skipped", enrichment: true, reason: "closure batch omits GHSA enrichment"}
+        }
+      }' >> "${results_file}"
+  done < <(jq -c '.[]' "${osv_batch_file}")
+
+  jq -s 'sort_by(.index)' "${results_file}"
+  rm -rf "${temp_dir}"
+}
+
 if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
   command_name="${1:-}"
   shift || true
@@ -471,8 +683,15 @@ if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
       fi
       safedeps_providers_query "$@"
       ;;
+    query-batch)
+      if [[ "$#" -ne 2 ]]; then
+        printf 'usage: %s query-batch <ecosystem> <closure-json-file>\n' "$0" >&2
+        exit 2
+      fi
+      safedeps_providers_query_batch "$@"
+      ;;
     *)
-      printf 'usage: %s query <ecosystem> <package> <version>\n' "$0" >&2
+      printf 'usage: %s {query|query-batch} ...\n' "$0" >&2
       exit 2
       ;;
   esac

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aldegad/safedeps",
-  "version": "2.1.1",
+  "version": "2.2.0",
   "description": "Dependency install safety gate with OSV-backed advisory checks, approved-spec ledger enforcement, and reorg rollback hooks",
   "main": "bin/safedeps",
   "bin": {

package/scripts/install/install-safedeps-hooks.mjs

@@ -11,18 +11,20 @@
 //   node scripts/install/install-safedeps-hooks.mjs --uninstall
 //   node scripts/install/install-safedeps-hooks.mjs --link-bin   (optional ~/.local/bin/safedeps)
 
-import { existsSync, lstatSync, readFileSync, writeFileSync, copyFileSync, mkdirSync, symlinkSync, unlinkSync, readlinkSync } from "node:fs";
+import { existsSync, lstatSync, readFileSync, writeFileSync, copyFileSync, mkdirSync, symlinkSync, unlinkSync, readlinkSync, renameSync } from "node:fs";
 import { homedir } from "node:os";
-import { dirname, join, resolve } from "node:path";
+import { basename, dirname, join, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 
 const HERE = dirname(fileURLToPath(import.meta.url));
 const REPO_ROOT = resolve(HERE, "..", "..");
-const HOME = homedir();
+const HOME = process.env.HOME || homedir();
 
 const SKILL_ID = "safedeps";
-const PRE_HOOK = join(REPO_ROOT, "scripts", "safedeps-pre-guard.sh");
-const POST_HOOK = join(REPO_ROOT, "scripts", "safedeps-post-verify.sh");
+const PRE_HOOK_NAME = "safedeps-pre-guard.sh";
+const POST_HOOK_NAME = "safedeps-post-verify.sh";
+const REPO_PRE_HOOK = join(REPO_ROOT, "scripts", PRE_HOOK_NAME);
+const REPO_POST_HOOK = join(REPO_ROOT, "scripts", POST_HOOK_NAME);
 const CLI_BIN = join(REPO_ROOT, "bin", "safedeps");
 
 const args = new Set(process.argv.slice(2));
@@ -71,7 +73,14 @@ function writeJsonWithBackup(path, value) {
   } else {
     mkdirSync(dirname(path), { recursive: true });
   }
-  writeFileSync(path, JSON.stringify(value, null, 2) + "\n");
+  const tmpPath = `${path}.tmp.${process.pid}.${Date.now()}`;
+  writeFileSync(tmpPath, JSON.stringify(value, null, 2) + "\n");
+  renameSync(tmpPath, path);
+}
+
+function engineHookCommand(engineRoot, hookName) {
+  const engineName = basename(engineRoot).replace(/^\./u, "");
+  return `~/.${engineName}/skills/${SKILL_ID}/scripts/${hookName}`;
 }
 
 function ensureHook(config, eventName, command) {
@@ -79,6 +88,13 @@ function ensureHook(config, eventName, command) {
   config.hooks[eventName] = config.hooks[eventName] ?? [];
   const buckets = config.hooks[eventName];
 
+  const already = buckets.some((bucket) =>
+    bucket?.matcher === "Bash" &&
+    Array.isArray(bucket?.hooks) &&
+    bucket.hooks.some((h) => h && h.type === "command" && h.command === command),
+  );
+  if (already) return false;
+
   let bashBucket = buckets.find((b) => b && b.matcher === "Bash");
   if (!bashBucket) {
     bashBucket = { matcher: "Bash", hooks: [] };
@@ -86,9 +102,6 @@ function ensureHook(config, eventName, command) {
   }
   bashBucket.hooks = bashBucket.hooks ?? [];
 
-  const already = bashBucket.hooks.some((h) => h && h.type === "command" && h.command === command);
-  if (already) return false;
-
   bashBucket.hooks.push({ type: "command", command });
   return true;
 }
@@ -106,25 +119,49 @@ function removeHook(config, eventName, command) {
   return changed;
 }
 
-function pruneLegacySafedepsHooks(config, eventName) {
+function isSafedepsHookCommand(command, hookName) {
+  if (typeof command !== "string") return false;
+  const normalized = command.replace(/\\/gu, "/");
+  if (normalized.includes("npm-reorg-guard")) return true;
+  return normalized.includes("/safedeps/") && normalized.endsWith(`/scripts/${hookName}`);
+}
+
+function pruneNonCanonicalSafedepsHooks(config, eventName, canonicalCommand, hookName) {
   const buckets = config?.hooks?.[eventName];
   if (!Array.isArray(buckets)) return false;
   let changed = false;
+  let seenCanonical = false;
   for (const bucket of buckets) {
-    if (!bucket || bucket.matcher !== "Bash" || !Array.isArray(bucket.hooks)) continue;
+    if (!bucket || !Array.isArray(bucket.hooks)) continue;
     const before = bucket.hooks.length;
     bucket.hooks = bucket.hooks.filter((h) => {
       const command = h?.command;
-      if (typeof command !== "string") return true;
-      const legacySafedeps = command.includes("npm-reorg-guard") || command.includes("/safedeps/");
-      const legacyHookName = command.endsWith("/scripts/guard.sh") || command.endsWith("/scripts/verify.sh");
-      return !(legacySafedeps && legacyHookName);
+      if (command === canonicalCommand) {
+        if (bucket.matcher !== "Bash") return false;
+        if (seenCanonical) return false;
+        seenCanonical = true;
+        return true;
+      }
+      return command === canonicalCommand || !isSafedepsHookCommand(command, hookName);
     });
     if (bucket.hooks.length !== before) changed = true;
   }
   return changed;
 }
 
+function pruneAllSafedepsHooks(config, eventName, hookName) {
+  const buckets = config?.hooks?.[eventName];
+  if (!Array.isArray(buckets)) return false;
+  let changed = false;
+  for (const bucket of buckets) {
+    if (!bucket || !Array.isArray(bucket.hooks)) continue;
+    const before = bucket.hooks.length;
+    bucket.hooks = bucket.hooks.filter((h) => !isSafedepsHookCommand(h?.command, hookName));
+    if (bucket.hooks.length !== before) changed = true;
+  }
+  return changed;
+}
+
 function installInEngine({ engineRoot, configPath, label }) {
   if (!existsSync(engineRoot)) {
     warn(`skip ${label} (${engineRoot} not present)`);
@@ -132,13 +169,15 @@ function installInEngine({ engineRoot, configPath, label }) {
   }
   const skillsRoot = join(engineRoot, "skills");
   const skillLink = join(skillsRoot, SKILL_ID);
+  const preCommand = engineHookCommand(engineRoot, PRE_HOOK_NAME);
+  const postCommand = engineHookCommand(engineRoot, POST_HOOK_NAME);
 
   if (UNINSTALL) {
     removeSymlink(skillLink);
     if (existsSync(configPath)) {
       const cfg = readJson(configPath);
-      const pre = removeHook(cfg, "PreToolUse", PRE_HOOK);
-      const post = removeHook(cfg, "PostToolUse", POST_HOOK);
+      const pre = removeHook(cfg, "PreToolUse", preCommand) || pruneAllSafedepsHooks(cfg, "PreToolUse", PRE_HOOK_NAME);
+      const post = removeHook(cfg, "PostToolUse", postCommand) || pruneAllSafedepsHooks(cfg, "PostToolUse", POST_HOOK_NAME);
       if (pre || post) {
         writeJsonWithBackup(configPath, cfg);
         log(`patched ${configPath} (removed safedeps hooks)`);
@@ -152,10 +191,10 @@ function installInEngine({ engineRoot, configPath, label }) {
   ensureSymlink(REPO_ROOT, skillLink);
 
   const cfg = readJson(configPath);
-  const legacyPreRemoved = pruneLegacySafedepsHooks(cfg, "PreToolUse");
-  const legacyPostRemoved = pruneLegacySafedepsHooks(cfg, "PostToolUse");
-  const preAdded = ensureHook(cfg, "PreToolUse", PRE_HOOK);
-  const postAdded = ensureHook(cfg, "PostToolUse", POST_HOOK);
+  const legacyPreRemoved = pruneNonCanonicalSafedepsHooks(cfg, "PreToolUse", preCommand, PRE_HOOK_NAME);
+  const legacyPostRemoved = pruneNonCanonicalSafedepsHooks(cfg, "PostToolUse", postCommand, POST_HOOK_NAME);
+  const preAdded = ensureHook(cfg, "PreToolUse", preCommand);
+  const postAdded = ensureHook(cfg, "PostToolUse", postCommand);
   if (legacyPreRemoved || legacyPostRemoved || preAdded || postAdded) {
     writeJsonWithBackup(configPath, cfg);
     log(`patched ${configPath} (pre=${preAdded ? "added" : "ok"}, post=${postAdded ? "added" : "ok"}, legacy=${legacyPreRemoved || legacyPostRemoved ? "removed" : "ok"})`);
@@ -181,8 +220,8 @@ function unlinkBin() {
 }
 
 function main() {
-  if (!existsSync(PRE_HOOK) || !existsSync(POST_HOOK)) {
-    throw new Error(`hook scripts not found at ${PRE_HOOK} / ${POST_HOOK}`);
+  if (!existsSync(REPO_PRE_HOOK) || !existsSync(REPO_POST_HOOK)) {
+    throw new Error(`hook scripts not found at ${REPO_PRE_HOOK} / ${REPO_POST_HOOK}`);
   }
 
   installInEngine({