@aldegad/safedeps 2.1.1 → 2.2.0

package/scripts/safedeps-pre-guard.sh

@@ -76,10 +76,16 @@ release_state_lock() {
 write_state_file() {
   local target_path="$1"
   local value="$2"
-  local temp_path="${target_path}.$$"
-
+  local target_dir
+  local target_base
+  local temp_path
+
+  target_dir=$(dirname "${target_path}")
+  target_base=$(basename "${target_path}")
+  mkdir -p "${target_dir}" || return 1
+  temp_path=$(mktemp "${target_dir}/.${target_base}.XXXXXX") || return 1
   printf '%s\n' "${value}" > "${temp_path}"
-  mv "${temp_path}" "${target_path}"
+  mv -f "${temp_path}" "${target_path}"
 }
 
 compute_dir_hash() {
@@ -99,10 +105,13 @@ command_is_dependency_install() {
   local scan_command
   local install_pattern
 
-  scan_command=$(command_scan_text "${command}")
-  install_pattern='(^|[;&|]+[[:space:]]*)((npm[[:space:]]+(install|i|add|update|up|upgrade))|npx[[:space:]]|pnpm[[:space:]]+(add|install|update|up|dlx)|yarn[[:space:]]+(add|install|upgrade|dlx)|((python3?|py)[[:space:]]+-m[[:space:]]+pip|pip3?)[[:space:]]+install|poetry[[:space:]]+add|uv[[:space:]]+(add|pip[[:space:]]+install)|pipenv[[:space:]]+install|cargo[[:space:]]+(add|install)|go[[:space:]]+(get|install)|gem[[:space:]]+install|bundle[[:space:]]+add|mvn[[:space:]]+dependency:get|dotnet[[:space:]]+add[[:space:]]+package)([[:space:]]|$)'
+  install_pattern='(^|[;&|]+[[:space:]]*)((npm([[:space:]]+--?[a-zA-Z0-9_-]+([=[:space:]][^[:space:]]+)?)?[[:space:]]+(install|i|add|ci|update|up|upgrade))|npx[[:space:]]|pnpm([[:space:]]+--?[a-zA-Z0-9_-]+([=[:space:]][^[:space:]]+)?)?[[:space:]]+(add|install|update|up|dlx)|yarn([[:space:]]+--?[a-zA-Z0-9_-]+([=[:space:]][^[:space:]]+)?)?[[:space:]]+(add|install|upgrade|dlx)|((python3?|py)[[:space:]]+-m[[:space:]]+pip|pip3?)[[:space:]]+install|poetry[[:space:]]+add|uv[[:space:]]+(add|pip[[:space:]]+install)|pipenv[[:space:]]+install|cargo[[:space:]]+(add|install)|go[[:space:]]+(get|install)|gem[[:space:]]+install|bundle[[:space:]]+add|mvn[[:space:]]+dependency:get|dotnet[[:space:]]+add[[:space:]]+package)([[:space:]]|$)'
 
-  echo "${scan_command}" | grep -qEi "${install_pattern}"
+  while IFS= read -r scan_command; do
+    scan_command=$(command_scan_text "${scan_command}")
+    echo "${scan_command}" | grep -qEi "${install_pattern}" && return 0
+  done < <(command_candidate_texts "${command}")
+  return 1
 }
 
 command_hides_dependency_install() {
@@ -113,7 +122,7 @@ command_hides_dependency_install() {
   manager_pattern='(npm|npx|pnpm|yarn|pip3?|python3?[[:space:]]+-m[[:space:]]+pip|poetry|uv|pipenv|cargo|go|gem|bundle|mvn|dotnet)'
   verb_pattern='(install|i|add|update|up|upgrade|dlx|get|dependency:get|package)'
 
-  echo "${command}" | grep -qEi '(eval[[:space:]]|\$\(|`)' && \
+  echo "${command}" | grep -qEi '(eval[[:space:]]|\$\(|`|(^|[[:space:];|&])(bash|sh|zsh)[[:space:]]+-[A-Za-z]*c[[:space:]])' && \
     echo "${command}" | grep -qEi "${manager_pattern}.*${verb_pattern}"
 }
 
@@ -154,6 +163,93 @@ command_scan_text() {
   printf '%s' "${output}"
 }
 
+normalize_install_text() {
+  local text="$1"
+
+  for _ in 1 2 3; do
+    text=$(printf '%s' "${text}" | sed -E \
+      -e 's#(^|[[:space:];|&])(/[^[:space:];|&]+/)(npm|npx|pnpm|yarn|pip3?|python3?|py|poetry|uv|pipenv|cargo|go|gem|bundle|mvn|dotnet)([[:space:];|&]|$)#\1\3\4#g' \
+      -e 's#(^|[;&|][[:space:]]*)(env[[:space:]]+([A-Za-z_][A-Za-z0-9_]*=[^[:space:]]+[[:space:]]+)*|command[[:space:]]+)#\1#g')
+  done
+  printf '%s' "${text}"
+}
+
+strip_heredoc_bodies() {
+  local input="$1"
+  local line
+  local delimiter=""
+  local heredoc_re="<<-?[[:space:]]*[\"']?([A-Za-z0-9_][A-Za-z0-9_.-]*)[\"']?"
+
+  while IFS= read -r line || [[ -n "${line}" ]]; do
+    if [[ -n "${delimiter}" ]]; then
+      if [[ "${line}" == "${delimiter}" ]]; then
+        delimiter=""
+      fi
+      continue
+    fi
+
+    if [[ "${line}" =~ ${heredoc_re} ]]; then
+      delimiter="${BASH_REMATCH[1]}"
+    fi
+    printf '%s\n' "${line}"
+  done <<< "${input}"
+}
+
+extract_shell_c_payloads() {
+  local rest="$1"
+
+  while [[ "${rest}" =~ (bash|sh|zsh)[[:space:]]+-[A-Za-z]*c[[:space:]]+\"([^\"]*)\" ]]; do
+    printf '%s\n' "${BASH_REMATCH[2]}"
+    rest="${rest#*"${BASH_REMATCH[0]}"}"
+  done
+
+  rest="$1"
+  while [[ "${rest}" =~ (bash|sh|zsh)[[:space:]]+-[A-Za-z]*c[[:space:]]+\'([^\']*)\' ]]; do
+    printf '%s\n' "${BASH_REMATCH[2]}"
+    rest="${rest#*"${BASH_REMATCH[0]}"}"
+  done
+}
+
+command_candidate_texts() {
+  local command="$1"
+  local payload
+
+  command=$(strip_heredoc_bodies "${command}")
+
+  normalize_install_text "${command}"
+  printf '\n'
+  while IFS= read -r payload; do
+    [[ -z "${payload}" ]] && continue
+    normalize_install_text "${payload}"
+    printf '\n'
+  done < <(extract_shell_c_payloads "${command}")
+}
+
+command_is_injectable_npm_install() {
+  local command="$1"
+  local scan_command
+  local npm_install_pattern
+
+  npm_install_pattern='(^|[;&|]+[[:space:]]*)npm([[:space:]]+--?[a-zA-Z0-9_-]+([=[:space:]][^[:space:]]+)?)?[[:space:]]+(install|i|add|ci|update|up|upgrade)([[:space:]]|$)'
+
+  while IFS= read -r scan_command; do
+    scan_command=$(command_scan_text "${scan_command}")
+    echo "${scan_command}" | grep -qEi "${npm_install_pattern}" && return 0
+  done < <(command_candidate_texts "${command}")
+  return 1
+}
+
+command_has_ignore_scripts_flag() {
+  local command="$1"
+  local scan_command
+
+  while IFS= read -r scan_command; do
+    scan_command=$(command_scan_text "${scan_command}")
+    echo "${scan_command}" | grep -qEi -- '(^|[[:space:]])--ignore-scripts([=[:space:]]|$)' && return 0
+  done < <(command_candidate_texts "${command}")
+  return 1
+}
+
 snapshot_project_file() {
   local relative_file="$1"
   local category="${2:-manifest}"
@@ -275,10 +371,24 @@ cat > "${SNAPSHOT_DIR}/${SNAPSHOT_ID}_meta.json" << META_EOF
   "timestamp": ${TIMESTAMP},
   "project_dir": $(printf '%s' "${PROJECT_DIR}" | jq -Rs .),
   "command": $(printf '%s' "${COMMAND}" | jq -Rs .),
+  "ignore_scripts_injected": false,
   "lock_files_found": ${SNAPSHOTTED}
 }
 META_EOF
 
+mark_ignore_scripts_injected() {
+  local meta_file="${SNAPSHOT_DIR}/${SNAPSHOT_ID}_meta.json"
+  local temp_file
+
+  [[ -f "${meta_file}" ]] || return 0
+  temp_file=$(mktemp "${SNAPSHOT_DIR}/.${SNAPSHOT_ID}_meta.XXXXXX") || return 0
+  if jq '.ignore_scripts_injected = true' "${meta_file}" > "${temp_file}"; then
+    mv -f "${temp_file}" "${meta_file}"
+  else
+    rm -f "${temp_file}"
+  fi
+}
+
 # --- Pre-flight security checks on the command itself ---
 
 SUSPICIOUS=false
@@ -320,8 +430,10 @@ fi
 
 # --- Phase 2 advisory gate — ledger enforcement -------------------------------
 # For commands that name specific packages, require an entry in the approved-
-# spec ledger. Miss/expired → block with a structured message that names the
-# exact `safedeps check` command the caller (agent or human) should run next.
+# spec ledger. Miss/expired → block with a structured message that names a
+# runnable `safedeps check` command the caller (agent or human) should run
+# next — PATH command when present, else an absolute path, so the self-heal
+# loop never dead-ends on a missing PATH symlink.
 #
 # Conservative: only block when at least one pkg@spec token is parseable. Bare
 # `npm install` (lockfile install) falls through to the v1 reorg checks.
@@ -333,33 +445,132 @@ guard_detect_ecosystem() {
   local cmd="$1"
   local scan_cmd
 
-  scan_cmd=$(command_scan_text "${cmd}")
-  if echo "${scan_cmd}" | grep -qEi '(^|[;&|]+[[:space:]]*)(npm|pnpm|yarn|npx)([[:space:]]|$)'; then
-    printf 'npm'
-  elif echo "${scan_cmd}" | grep -qEi '(^|[;&|]+[[:space:]]*)(pip3?|poetry|uv|pipenv|((python3?|py)[[:space:]]+-m[[:space:]]+pip))([[:space:]]|$)'; then
-    printf 'pypi'
-  elif echo "${scan_cmd}" | grep -qEi '(^|[;&|]+[[:space:]]*)cargo([[:space:]]|$)'; then
-    printf 'crates.io'
-  elif echo "${scan_cmd}" | grep -qEi '(^|[;&|]+[[:space:]]*)go([[:space:]]|$)'; then
-    printf 'go'
-  elif echo "${scan_cmd}" | grep -qEi '(^|[;&|]+[[:space:]]*)(gem|bundle)([[:space:]]|$)'; then
-    printf 'rubygems'
-  elif echo "${scan_cmd}" | grep -qEi '(^|[;&|]+[[:space:]]*)mvn([[:space:]]|$)'; then
-    printf 'maven'
-  elif echo "${scan_cmd}" | grep -qEi '(^|[;&|]+[[:space:]]*)dotnet([[:space:]]|$)'; then
-    printf 'nuget'
-  else
-    printf ''
-  fi
+  while IFS= read -r scan_cmd; do
+    scan_cmd=$(command_scan_text "${scan_cmd}")
+    if echo "${scan_cmd}" | grep -qEi '(^|[;&|]+[[:space:]]*)(npm|pnpm|yarn|npx)([[:space:]]|$)'; then
+      printf 'npm'
+      return 0
+    elif echo "${scan_cmd}" | grep -qEi '(^|[;&|]+[[:space:]]*)(pip3?|poetry|uv|pipenv|((python3?|py)[[:space:]]+-m[[:space:]]+pip))([[:space:]]|$)'; then
+      printf 'pypi'
+      return 0
+    elif echo "${scan_cmd}" | grep -qEi '(^|[;&|]+[[:space:]]*)cargo([[:space:]]|$)'; then
+      printf 'crates.io'
+      return 0
+    elif echo "${scan_cmd}" | grep -qEi '(^|[;&|]+[[:space:]]*)go([[:space:]]|$)'; then
+      printf 'go'
+      return 0
+    elif echo "${scan_cmd}" | grep -qEi '(^|[;&|]+[[:space:]]*)(gem|bundle)([[:space:]]|$)'; then
+      printf 'rubygems'
+      return 0
+    elif echo "${scan_cmd}" | grep -qEi '(^|[;&|]+[[:space:]]*)mvn([[:space:]]|$)'; then
+      printf 'maven'
+      return 0
+    elif echo "${scan_cmd}" | grep -qEi '(^|[;&|]+[[:space:]]*)dotnet([[:space:]]|$)'; then
+      printf 'nuget'
+      return 0
+    fi
+  done < <(command_candidate_texts "${cmd}")
+  printf ''
+}
+
+guard_runner_operands() {
+  # Runner forms (`npx`, `pnpm dlx`, `yarn dlx`) EXECUTE a package; tokens after
+  # the executed package are arguments to that program, NOT package specs. Emit
+  # only the spec-bearing operands: any `-p/--package <pkg>` value plus the first
+  # bare token (the executed package). This stops an argument such as an email
+  # (`dev1@block-s.io`) or a secret value passed to `npx wrangler ...` from being
+  # misread as a `pkg@spec` install.
+  local scan="$1"
+  local after want_value tok
+  after=$(printf '%s' "${scan}" | grep -oiE '(npx|dlx)[[:space:]].*' | head -n1 || true)
+  after="${after#* }"  # drop the runner keyword, keep its operands
+  [[ -z "${after}" ]] && return 0
+
+  want_value=false
+  for tok in ${after}; do
+    if [[ "${want_value}" == true ]]; then
+      printf '%s\n' "${tok}"
+      want_value=false
+      continue
+    fi
+    case "${tok}" in
+      -p|--package) want_value=true ;;
+      --package=*)  printf '%s\n' "${tok#--package=}" ;;
+      -*)           : ;;  # other flag (e.g. -y/--yes), skip
+      *)
+        printf '%s\n' "${tok}"  # executed package; rest are program args
+        break
+        ;;
+    esac
+  done
+}
+
+guard_extract_flagged_specs() {
+  awk '
+    {
+      for (i = 1; i <= NF; i++) {
+        if ($i ~ /^[A-Za-z][A-Za-z0-9._-]*==[A-Za-z0-9][A-Za-z0-9._+!~-]*$/) {
+          split($i, parts, "==")
+          print parts[1] "\t" parts[2]
+        }
+
+        if ($i == "gem" && $(i + 1) == "install") {
+          pkg = $(i + 2)
+          for (j = i + 3; j <= NF; j++) {
+            if (($j == "-v" || $j == "--version") && $(j + 1) != "") print pkg "\t" $(j + 1)
+            if ($j ~ /^--version=/) { sub(/^--version=/, "", $j); print pkg "\t" $j }
+          }
+        }
+
+        if ($i == "cargo" && $(i + 1) == "add") {
+          pkg = $(i + 2)
+          for (j = i + 3; j <= NF; j++) {
+            if (($j == "--vers" || $j == "--version") && $(j + 1) != "") print pkg "\t" $(j + 1)
+            if ($j ~ /^--(vers|version)=/) { sub(/^--(vers|version)=/, "", $j); print pkg "\t" $j }
+          }
+        }
+
+        if ($i == "dotnet" && $(i + 1) == "add" && $(i + 2) == "package") {
+          pkg = $(i + 3)
+          for (j = i + 4; j <= NF; j++) {
+            if ($j == "--version" && $(j + 1) != "") print pkg "\t" $(j + 1)
+            if ($j ~ /^--version=/) { sub(/^--version=/, "", $j); print pkg "\t" $j }
+          }
+        }
+      }
+    }
+  '
 }
 
 guard_extract_specs() {
-  # Echo one "pkg<TAB>spec" line per pkg@spec token found in the command.
-  # Captures @scope/name@spec and bare-name@spec forms.
+  # Echo one "pkg<TAB>spec" line per pkg@spec OPERAND genuinely being installed.
+  # Handles @scope/name@spec and bare-name@spec. Two precision rules keep
+  # non-package "@" tokens from being misread as an install:
+  #   1. Runner segments (npx / pnpm dlx / yarn dlx) contribute ONLY their
+  #      executed package — trailing tokens are program arguments, not specs
+  #      (so `npx wrangler ... dev1@block-s.io` is never read as a spec).
+  #   2. Email / host operands (user@domain.tld) are never package specs.
+  # Each shell segment is judged independently so a genuine install in one
+  # segment is still gated even when another segment just runs a tool via npx.
   local cmd="$1"
-  echo "${cmd}" \
-    | grep -oE '(@[a-zA-Z0-9._/-]+/)?[a-zA-Z][a-zA-Z0-9._-]*@[a-zA-Z0-9._^~|<>=*+-]+' \
+  local seg source=""
+
+  while IFS= read -r seg; do
+    [[ -z "${seg//[[:space:]]/}" ]] && continue
+    if printf '%s' "${seg}" | grep -qEi '(^|[[:space:]])(npx|dlx)([[:space:]]|$)'; then
+      source+="$(guard_runner_operands "${seg}")"$'\n'
+    else
+      source+="${seg}"$'\n'
+    fi
+  done < <(command_candidate_texts "${cmd}" | tr ';|&' '\n')
+
+  { printf '%s' "${source}" \
+    | grep -oE '(@[a-zA-Z0-9._/-]+/)?[a-zA-Z][a-zA-Z0-9._-]*@[a-zA-Z0-9._^~|<>=*+-]+' || true; } \
     | while IFS= read -r token; do
+        # An email / host operand (user@domain.tld) is never a package spec.
+        if [[ "${token}" =~ ^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$ ]]; then
+          continue
+        fi
         local pkg spec
         if [[ "${token}" =~ ^(@[^@]+)@(.+)$ ]]; then
           pkg="${BASH_REMATCH[1]}"
@@ -370,12 +581,18 @@ guard_extract_specs() {
         fi
         printf '%s\t%s\n' "${pkg}" "${spec}"
       done
+  printf '%s\n' "${source}" | guard_extract_flagged_specs
 }
 
 LEDGER_ECOSYSTEM=$(guard_detect_ecosystem "${COMMAND}")
 LEDGER_SPECS=()
 while IFS= read -r ledger_spec_line; do
   [[ -z "${ledger_spec_line}" ]] && continue
+  if [[ ${#LEDGER_SPECS[@]} -gt 0 ]]; then
+    for existing_spec_line in "${LEDGER_SPECS[@]}"; do
+      [[ "${existing_spec_line}" == "${ledger_spec_line}" ]] && continue 2
+    done
+  fi
   LEDGER_SPECS+=("${ledger_spec_line}")
 done < <(guard_extract_specs "${COMMAND}")
 
@@ -383,6 +600,17 @@ if [[ -n "${LEDGER_ECOSYSTEM}" && ${#LEDGER_SPECS[@]} -gt 0 && -f "${SAFEDEPS_LE
   # shellcheck source=../lib/ledger/ledger.sh
   source "${SAFEDEPS_LEDGER_LIB}"
 
+  # Resolve a runnable `safedeps` invocation for the block message so the
+  # self-heal loop works whether or not the CLI is on PATH. Prefer the PATH
+  # command (clean UX); otherwise name the absolute repo bin (quoted via %q so
+  # it survives spaces in $HOME). Keeps the gate self-contained — the install
+  # of a `~/.local/bin/safedeps` symlink is a convenience, never a requirement.
+  if command -v safedeps >/dev/null 2>&1; then
+    SAFEDEPS_INVOKE="safedeps"
+  else
+    printf -v SAFEDEPS_INVOKE '%q' "${SAFEDEPS_REPO_BIN}"
+  fi
+
   GUARD_BLOCKED_CMDS=()
   for entry in "${LEDGER_SPECS[@]}"; do
     pkg="${entry%%$'\t'*}"
@@ -390,7 +618,7 @@ if [[ -n "${LEDGER_ECOSYSTEM}" && ${#LEDGER_SPECS[@]} -gt 0 && -f "${SAFEDEPS_LE
     [[ -z "${pkg}" || -z "${spec}" ]] && continue
     if ! safedeps_ledger_check "${LEDGER_ECOSYSTEM}" "${pkg}" "${spec}" 2>/dev/null \
         | jq -e '.approved == true' >/dev/null 2>&1; then
-      GUARD_BLOCKED_CMDS+=("safedeps check ${LEDGER_ECOSYSTEM} ${pkg}@${spec}")
+      GUARD_BLOCKED_CMDS+=("${SAFEDEPS_INVOKE} check ${LEDGER_ECOSYSTEM} ${pkg}@${spec}")
     fi
   done
 
@@ -423,5 +651,15 @@ CURRENT_STATE=$(jq -n --arg sid "${SNAPSHOT_ID}" --arg pdir "${PROJECT_DIR}" --a
   '{snapshot_id: $sid, project_dir: $pdir, dir_hash: $dhash}')
 write_state_file "${GUARD_DIR}/current_state" "${CURRENT_STATE}"
 
+if ! jq -e 'has("turn_id")' <<< "${INPUT}" >/dev/null 2>&1 && \
+   command_is_injectable_npm_install "${COMMAND}" && \
+   ! command_has_ignore_scripts_flag "${COMMAND}"; then
+  UPDATED_COMMAND="${COMMAND} --ignore-scripts"
+  mark_ignore_scripts_injected
+  jq -nc --arg command "${UPDATED_COMMAND}" \
+    '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:"allow",updatedInput:{command:$command}}}'
+  exit 0
+fi
+
 # Allow the command to proceed — PostToolUse will verify the result
 exit 0

package/scripts/test/e2e.sh

@@ -38,19 +38,68 @@ port=$(cat "${port_file}")
 
 export SAFEDEPS_HOME="${tmp_root}/safe"
 export SAFEDEPS_OSV_API_URL="http://127.0.0.1:${port}/osv/v1/query"
+export SAFEDEPS_OSV_BATCH_API_URL="http://127.0.0.1:${port}/osv/v1/querybatch"
 export SAFEDEPS_KEV_CATALOG_URL="http://127.0.0.1:${port}/kev.json"
 export SAFEDEPS_GHSA_API_URL="http://127.0.0.1:${port}/advisories"
 export SAFEDEPS_PROVIDER_CACHE_TTL_SECONDS=0
 
+closure_fixture="${tmp_root}/closure-fixture.json"
+cat > "${closure_fixture}" <<'EOF'
+{
+  "fixture-clean@1.0.0": [
+    {"package":"fixture-clean","version":"1.0.0","direct":true}
+  ],
+  "fixture-vuln@1.0.0": [
+    {"package":"fixture-vuln","version":"1.0.0","direct":true}
+  ],
+  "fixture-vuln@1.0.1": [
+    {"package":"fixture-vuln","version":"1.0.1","direct":true}
+  ],
+  "fixture-multi-vuln@1.0.0": [
+    {"package":"fixture-multi-vuln","version":"1.0.0","direct":true}
+  ],
+  "fixture-multi-vuln@1.0.1": [
+    {"package":"fixture-multi-vuln","version":"1.0.1","direct":true}
+  ],
+  "fixture-multi-vuln@1.0.5": [
+    {"package":"fixture-multi-vuln","version":"1.0.5","direct":true}
+  ],
+  "fixture-unpatched@1.0.0": [
+    {"package":"fixture-unpatched","version":"1.0.0","direct":true}
+  ],
+  "fixture-kev@1.0.0": [
+    {"package":"fixture-kev","version":"1.0.0","direct":true}
+  ],
+  "fixture-parent@1.0.0": [
+    {"package":"fixture-parent","version":"1.0.0","direct":true},
+    {"package":"fixture-child","version":"1.0.0","direct":false}
+  ]
+}
+EOF
+export SAFEDEPS_NPM_CLOSURE_FIXTURE_JSON="${closure_fixture}"
+
 clean_json=$(./bin/safedeps --json check npm fixture-clean@1.0.0)
 [[ "$(jq -r '.result' <<< "${clean_json}")" == "clean" ]] || fail "clean fixture approved"
 pass "clean advisory approval"
 
+closure_json=$(./bin/safedeps --json check npm fixture-parent@1.0.0)
+[[ "$(jq -r '.result' <<< "${closure_json}")" == "clean" ]] || fail "closure fixture approved"
+[[ "$(jq -r '.transitive_count' <<< "${closure_json}")" == "1" ]] || fail "closure fixture records transitive count"
+parent_hash=$(jq -r '.spec_hash' <<< "${closure_json}")
+parent_file="${SAFEDEPS_HOME}/approved-specs/${parent_hash/:/-}.json"
+[[ "$(jq -r '.transitive_specs[0].package' "${parent_file}")" == "fixture-child" ]] || fail "ledger transitive_specs records fixture child"
+pass "closure approval records transitive_specs"
+
 patched_json=$(./bin/safedeps --json check npm fixture-vuln@1.0.0)
 [[ "$(jq -r '.result' <<< "${patched_json}")" == "patched_available" ]] || fail "patched fixture narrows"
 [[ "$(jq -r '.suggested_spec' <<< "${patched_json}")" == "1.0.1" ]] || fail "patched fixture suggests fixed version"
 pass "patched advisory narrowing"
 
+multi_patched_json=$(./bin/safedeps --json check npm fixture-multi-vuln@1.0.0)
+[[ "$(jq -r '.result' <<< "${multi_patched_json}")" == "patched_available" ]] || fail "multi patched fixture narrows"
+[[ "$(jq -r '.suggested_spec' <<< "${multi_patched_json}")" == "1.0.5" ]] || fail "multi patched fixture tries later clean fixed version"
+pass "patched advisory tries all fixed candidates"
+
 set +e
 unpatched_json=$(./bin/safedeps --json check npm fixture-unpatched@1.0.0)
 unpatched_status=$?
@@ -68,18 +117,136 @@ mkdir -p "${project_dir}"
 printf '{"dependencies":{}}\n' > "${project_dir}/package.json"
 hook_allow=$(
   scripts/safedeps-pre-guard.sh <<EOF
-{"tool_name":"Bash","tool_input":{"command":"npm install fixture-vuln@1.0.1"},"cwd":"${project_dir}"}
+{"tool_name":"Bash","tool_input":{"command":"npm install fixture-vuln@1.0.1"},"cwd":"${project_dir}","turn_id":"turn-e2e","model":"codex-test"}
 EOF
 )
 [[ -z "${hook_allow}" ]] || fail "hook allows narrowed approved spec"
 pass "hook allows approved narrowed spec"
 
+effect_project="${tmp_root}/effect-project"
+mkdir -p "${effect_project}"
+printf '{"dependencies":{}}\n' > "${effect_project}/package.json"
+
+effect_clean_pre=$(
+  scripts/safedeps-pre-guard.sh <<EOF
+{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0"},"cwd":"${effect_project}","turn_id":"turn-e2e","model":"codex-test"}
+EOF
+)
+[[ -z "${effect_clean_pre}" ]] || fail "effect clean pre hook allows closure-approved direct spec"
+cat > "${effect_project}/package-lock.json" <<'EOF'
+{
+  "name": "effect-project",
+  "lockfileVersion": 3,
+  "packages": {
+    "": {"dependencies": {"fixture-parent": "1.0.0"}},
+    "node_modules/fixture-parent": {"version": "1.0.0", "dependencies": {"fixture-child": "1.0.0"}},
+    "node_modules/fixture-child": {"version": "1.0.0"}
+  }
+}
+EOF
+effect_clean_post=$(
+  scripts/safedeps-post-verify.sh <<EOF
+{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0"}}
+EOF
+)
+[[ -z "${effect_clean_post}" ]] || fail "post hook passes approved full closure"
+pass "post hook passes approved full closure"
+
+inert_project="${tmp_root}/inert-project"
+mkdir -p "${inert_project}"
+printf '{"dependencies":{}}\n' > "${inert_project}/package.json"
+inert_pre=$(
+  scripts/safedeps-pre-guard.sh <<EOF
+{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0"},"cwd":"${inert_project}"}
+EOF
+)
+[[ "$(jq -r '.hookSpecificOutput.permissionDecision' <<< "${inert_pre}")" == "allow" ]] || fail "inert pre hook emits Claude allow"
+[[ "$(jq -r '.hookSpecificOutput.updatedInput.command' <<< "${inert_pre}")" == "npm install fixture-parent@1.0.0 --ignore-scripts" ]] || fail "inert pre hook injects ignore-scripts"
+cat > "${inert_project}/package-lock.json" <<'EOF'
+{
+  "name": "inert-project",
+  "lockfileVersion": 3,
+  "packages": {
+    "": {"dependencies": {"fixture-parent": "1.0.0"}},
+    "node_modules/fixture-parent": {"version": "1.0.0", "dependencies": {"fixture-child": "1.0.0"}},
+    "node_modules/fixture-child": {"version": "1.0.0"}
+  }
+}
+EOF
+stub_bin="${tmp_root}/stub-bin"
+mkdir -p "${stub_bin}"
+cat > "${stub_bin}/npm" <<EOF
+#!/usr/bin/env bash
+printf '%s\n' "\$*" >> "${tmp_root}/npm-calls.log"
+exit 0
+EOF
+chmod +x "${stub_bin}/npm"
+inert_post=$(
+  PATH="${stub_bin}:${PATH}" scripts/safedeps-post-verify.sh <<EOF
+{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0 --ignore-scripts"}}
+EOF
+)
+[[ -z "${inert_post}" ]] || fail "post hook keeps verified inert rebuild success quiet"
+grep -qx 'rebuild' "${tmp_root}/npm-calls.log" || fail "post hook runs npm rebuild after verified injected install"
+pass "post hook rebuilds after verified inert install"
+
+export SAFEDEPS_HOME="${tmp_root}/safe-missing-transitive"
+export SAFEDEPS_OSV_API_URL="http://127.0.0.1:${port}/osv/v1/query"
+export SAFEDEPS_OSV_BATCH_API_URL="http://127.0.0.1:${port}/osv/v1/querybatch"
+export SAFEDEPS_KEV_CATALOG_URL="http://127.0.0.1:${port}/kev.json"
+export SAFEDEPS_GHSA_API_URL="http://127.0.0.1:${port}/advisories"
+export SAFEDEPS_PROVIDER_CACHE_TTL_SECONDS=0
+export SAFEDEPS_NPM_CLOSURE_FIXTURE_JSON="${closure_fixture}"
+missing_project="${tmp_root}/missing-project"
+mkdir -p "${missing_project}"
+printf '{"dependencies":{}}\n' > "${missing_project}/package.json"
+SAFEDEPS_HOME="${SAFEDEPS_HOME}" lib/ledger/ledger.sh approve npm fixture-parent 1.0.0 1.0.0 direct-only >/dev/null
+missing_pre=$(
+  scripts/safedeps-pre-guard.sh <<EOF
+{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0"},"cwd":"${missing_project}","turn_id":"turn-e2e","model":"codex-test"}
+EOF
+)
+[[ -z "${missing_pre}" ]] || fail "missing-transitive pre hook allows direct-only approved spec"
+cat > "${missing_project}/package-lock.json" <<'EOF'
+{
+  "name": "missing-project",
+  "lockfileVersion": 3,
+  "packages": {
+    "": {"dependencies": {"fixture-parent": "1.0.0"}},
+    "node_modules/fixture-parent": {"version": "1.0.0", "dependencies": {"fixture-child": "1.0.0"}},
+    "node_modules/fixture-child": {"version": "1.0.0"}
+  }
+}
+EOF
+missing_post=$(
+  scripts/safedeps-post-verify.sh <<EOF
+{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0"}}
+EOF
+)
+grep -q '의심스러운 패키지 변경 감지' <<< "${missing_post}" || fail "post hook reorgs unapproved transitive package"
+grep -q 'fixture-child@1.0.0' <<< "${missing_post}" || fail "post hook names unapproved transitive package"
+pass "post hook reorgs unapproved transitive package"
+
+export SAFEDEPS_HOME="${tmp_root}/safe"
+export SAFEDEPS_OSV_API_URL="http://127.0.0.1:${port}/osv/v1/query"
+export SAFEDEPS_OSV_BATCH_API_URL="http://127.0.0.1:${port}/osv/v1/querybatch"
+export SAFEDEPS_KEV_CATALOG_URL="http://127.0.0.1:${port}/kev.json"
+export SAFEDEPS_GHSA_API_URL="http://127.0.0.1:${port}/advisories"
+export SAFEDEPS_PROVIDER_CACHE_TTL_SECONDS=0
+export SAFEDEPS_NPM_CLOSURE_FIXTURE_JSON="${closure_fixture}"
+
 printf '%s\n' '{"vulnerable":["fixture-clean@1.0.0"]}' > "${state_file}"
 recheck_json=$(./bin/safedeps --json re-check)
 [[ "$(jq -r '.revoked | length' <<< "${recheck_json}")" == "1" ]] || fail "re-check revokes newly vulnerable spec"
 [[ "$(jq -r '.revoked[0].package' <<< "${recheck_json}")" == "fixture-clean" ]] || fail "re-check revoked expected package"
 pass "re-check revocation"
 
+SAFEDEPS_HOME="${SAFEDEPS_HOME}" lib/ledger/ledger.sh approve npm fixture-forged 1.0.0 1.0.0 forged-test >/dev/null
+forgery_json=$(./bin/safedeps --json re-check)
+[[ "$(jq -r '.suspected_forgery | length' <<< "${forgery_json}")" == "1" ]] || fail "re-check flags direct ledger write without approval provenance"
+[[ "$(jq -r '.suspected_forgery[0].package' <<< "${forgery_json}")" == "fixture-forged" ]] || fail "re-check flags expected forged package"
+pass "re-check flags ledger approval provenance mismatch"
+
 legacy_home="${tmp_root}/legacy"
 target_home="${tmp_root}/migrated"
 mkdir -p "${legacy_home}/approved-specs"
@@ -93,12 +260,21 @@ pass "legacy state migration"
 installer_home="${tmp_root}/installer-home"
 mkdir -p "${installer_home}/.claude" "${installer_home}/.codex"
 cat > "${installer_home}/.claude/settings.json" <<EOF
-{"hooks":{"PreToolUse":[{"matcher":"Bash","hooks":[{"type":"command","command":"${installer_home}/.claude/skills/npm-reorg-guard/scripts/guard.sh"}]}],"PostToolUse":[{"matcher":"Bash","hooks":[{"type":"command","command":"${installer_home}/.claude/skills/npm-reorg-guard/scripts/verify.sh"}]}]}}
+{"hooks":{"PreToolUse":[{"matcher":"Other","hooks":[{"type":"command","command":"~/.claude/skills/safedeps/scripts/safedeps-pre-guard.sh"}]},{"matcher":"Bash","hooks":[{"type":"command","command":"${installer_home}/.claude/skills/npm-reorg-guard/scripts/guard.sh"}]}],"PostToolUse":[{"matcher":"Bash","hooks":[{"type":"command","command":"${installer_home}/.claude/skills/npm-reorg-guard/scripts/verify.sh"}]}]}}
 EOF
 HOME="${installer_home}" node scripts/install/install-safedeps-hooks.mjs >/dev/null
-jq -e --arg pre "${ROOT_DIR}/scripts/safedeps-pre-guard.sh" '
-  [.hooks.PreToolUse[]?.hooks[]?.command] | index($pre)
+jq -e --arg pre "~/.claude/skills/safedeps/scripts/safedeps-pre-guard.sh" '
+  [.hooks.PreToolUse[]? | select(.matcher == "Bash") | .hooks[]?.command] | index($pre)
 ' "${installer_home}/.claude/settings.json" >/dev/null || fail "installer writes new pre hook"
+jq -e --arg post "~/.claude/skills/safedeps/scripts/safedeps-post-verify.sh" '
+  [.hooks.PostToolUse[]?.hooks[]?.command] | index($post)
+' "${installer_home}/.claude/settings.json" >/dev/null || fail "installer writes new post hook"
+jq -e --arg pre "~/.codex/skills/safedeps/scripts/safedeps-pre-guard.sh" '
+  [.hooks.PreToolUse[]?.hooks[]?.command] | index($pre)
+' "${installer_home}/.codex/hooks.json" >/dev/null || fail "installer writes codex pre hook"
+jq -e --arg post "~/.codex/skills/safedeps/scripts/safedeps-post-verify.sh" '
+  [.hooks.PostToolUse[]?.hooks[]?.command] | index($post)
+' "${installer_home}/.codex/hooks.json" >/dev/null || fail "installer writes codex post hook"
 if jq -e '[.. | strings] | any(contains("npm-reorg-guard"))' "${installer_home}/.claude/settings.json" >/dev/null; then
   fail "installer removes legacy hook"
 fi

package/scripts/test/fixture-provider.mjs

@@ -55,6 +55,17 @@ function osvResponse(packageName, version) {
   if (packageName === 'fixture-vuln' && version === '1.0.0') {
     return { vulns: [osvVuln('CVE-2026-1001', '1.0.1')] };
   }
+  if (packageName === 'fixture-multi-vuln' && version === '1.0.0') {
+    return {
+      vulns: [
+        osvVuln('CVE-2026-1003', '1.0.1'),
+        osvVuln('CVE-2026-1004', '1.0.5')
+      ]
+    };
+  }
+  if (packageName === 'fixture-multi-vuln' && version === '1.0.1') {
+    return { vulns: [osvVuln('CVE-2026-1004', '1.0.5')] };
+  }
   if (packageName === 'fixture-unpatched') {
     return { vulns: [osvVuln('CVE-2026-1002', null)] };
   }
@@ -74,6 +85,16 @@ const server = http.createServer(async (req, res) => {
     return;
   }
 
+  if (req.method === 'POST' && req.url === '/osv/v1/querybatch') {
+    const body = await readJson(req);
+    const queries = Array.isArray(body.queries) ? body.queries : [];
+    res.setHeader('content-type', 'application/json');
+    res.end(JSON.stringify({
+      results: queries.map((query) => osvResponse(query.package?.name || '', query.version || ''))
+    }));
+    return;
+  }
+
   if (req.method === 'GET' && req.url === '/kev.json') {
     res.setHeader('content-type', 'application/json');
     res.end(JSON.stringify({