@aldegad/safedeps 2.1.1 → 2.4.0

package/scripts/test/e2e.sh

@@ -38,19 +38,68 @@ port=$(cat "${port_file}")
 
 export SAFEDEPS_HOME="${tmp_root}/safe"
 export SAFEDEPS_OSV_API_URL="http://127.0.0.1:${port}/osv/v1/query"
+export SAFEDEPS_OSV_BATCH_API_URL="http://127.0.0.1:${port}/osv/v1/querybatch"
 export SAFEDEPS_KEV_CATALOG_URL="http://127.0.0.1:${port}/kev.json"
 export SAFEDEPS_GHSA_API_URL="http://127.0.0.1:${port}/advisories"
 export SAFEDEPS_PROVIDER_CACHE_TTL_SECONDS=0
 
+closure_fixture="${tmp_root}/closure-fixture.json"
+cat > "${closure_fixture}" <<'EOF'
+{
+  "fixture-clean@1.0.0": [
+    {"package":"fixture-clean","version":"1.0.0","direct":true}
+  ],
+  "fixture-vuln@1.0.0": [
+    {"package":"fixture-vuln","version":"1.0.0","direct":true}
+  ],
+  "fixture-vuln@1.0.1": [
+    {"package":"fixture-vuln","version":"1.0.1","direct":true}
+  ],
+  "fixture-multi-vuln@1.0.0": [
+    {"package":"fixture-multi-vuln","version":"1.0.0","direct":true}
+  ],
+  "fixture-multi-vuln@1.0.1": [
+    {"package":"fixture-multi-vuln","version":"1.0.1","direct":true}
+  ],
+  "fixture-multi-vuln@1.0.5": [
+    {"package":"fixture-multi-vuln","version":"1.0.5","direct":true}
+  ],
+  "fixture-unpatched@1.0.0": [
+    {"package":"fixture-unpatched","version":"1.0.0","direct":true}
+  ],
+  "fixture-kev@1.0.0": [
+    {"package":"fixture-kev","version":"1.0.0","direct":true}
+  ],
+  "fixture-parent@1.0.0": [
+    {"package":"fixture-parent","version":"1.0.0","direct":true},
+    {"package":"fixture-child","version":"1.0.0","direct":false}
+  ]
+}
+EOF
+export SAFEDEPS_NPM_CLOSURE_FIXTURE_JSON="${closure_fixture}"
+
 clean_json=$(./bin/safedeps --json check npm fixture-clean@1.0.0)
 [[ "$(jq -r '.result' <<< "${clean_json}")" == "clean" ]] || fail "clean fixture approved"
 pass "clean advisory approval"
 
+closure_json=$(./bin/safedeps --json check npm fixture-parent@1.0.0)
+[[ "$(jq -r '.result' <<< "${closure_json}")" == "clean" ]] || fail "closure fixture approved"
+[[ "$(jq -r '.transitive_count' <<< "${closure_json}")" == "1" ]] || fail "closure fixture records transitive count"
+parent_hash=$(jq -r '.spec_hash' <<< "${closure_json}")
+parent_file="${SAFEDEPS_HOME}/approved-specs/${parent_hash/:/-}.json"
+[[ "$(jq -r '.transitive_specs[0].package' "${parent_file}")" == "fixture-child" ]] || fail "ledger transitive_specs records fixture child"
+pass "closure approval records transitive_specs"
+
 patched_json=$(./bin/safedeps --json check npm fixture-vuln@1.0.0)
 [[ "$(jq -r '.result' <<< "${patched_json}")" == "patched_available" ]] || fail "patched fixture narrows"
 [[ "$(jq -r '.suggested_spec' <<< "${patched_json}")" == "1.0.1" ]] || fail "patched fixture suggests fixed version"
 pass "patched advisory narrowing"
 
+multi_patched_json=$(./bin/safedeps --json check npm fixture-multi-vuln@1.0.0)
+[[ "$(jq -r '.result' <<< "${multi_patched_json}")" == "patched_available" ]] || fail "multi patched fixture narrows"
+[[ "$(jq -r '.suggested_spec' <<< "${multi_patched_json}")" == "1.0.5" ]] || fail "multi patched fixture tries later clean fixed version"
+pass "patched advisory tries all fixed candidates"
+
 set +e
 unpatched_json=$(./bin/safedeps --json check npm fixture-unpatched@1.0.0)
 unpatched_status=$?
@@ -68,18 +117,136 @@ mkdir -p "${project_dir}"
 printf '{"dependencies":{}}\n' > "${project_dir}/package.json"
 hook_allow=$(
   scripts/safedeps-pre-guard.sh <<EOF
-{"tool_name":"Bash","tool_input":{"command":"npm install fixture-vuln@1.0.1"},"cwd":"${project_dir}"}
+{"tool_name":"Bash","tool_input":{"command":"npm install fixture-vuln@1.0.1"},"cwd":"${project_dir}","turn_id":"turn-e2e","model":"codex-test"}
 EOF
 )
 [[ -z "${hook_allow}" ]] || fail "hook allows narrowed approved spec"
 pass "hook allows approved narrowed spec"
 
+effect_project="${tmp_root}/effect-project"
+mkdir -p "${effect_project}"
+printf '{"dependencies":{}}\n' > "${effect_project}/package.json"
+
+effect_clean_pre=$(
+  scripts/safedeps-pre-guard.sh <<EOF
+{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0"},"cwd":"${effect_project}","turn_id":"turn-e2e","model":"codex-test"}
+EOF
+)
+[[ -z "${effect_clean_pre}" ]] || fail "effect clean pre hook allows closure-approved direct spec"
+cat > "${effect_project}/package-lock.json" <<'EOF'
+{
+  "name": "effect-project",
+  "lockfileVersion": 3,
+  "packages": {
+    "": {"dependencies": {"fixture-parent": "1.0.0"}},
+    "node_modules/fixture-parent": {"version": "1.0.0", "dependencies": {"fixture-child": "1.0.0"}},
+    "node_modules/fixture-child": {"version": "1.0.0"}
+  }
+}
+EOF
+effect_clean_post=$(
+  scripts/safedeps-post-verify.sh <<EOF
+{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0"}}
+EOF
+)
+[[ -z "${effect_clean_post}" ]] || fail "post hook passes approved full closure"
+pass "post hook passes approved full closure"
+
+inert_project="${tmp_root}/inert-project"
+mkdir -p "${inert_project}"
+printf '{"dependencies":{}}\n' > "${inert_project}/package.json"
+inert_pre=$(
+  scripts/safedeps-pre-guard.sh <<EOF
+{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0"},"cwd":"${inert_project}"}
+EOF
+)
+[[ "$(jq -r '.hookSpecificOutput.permissionDecision' <<< "${inert_pre}")" == "allow" ]] || fail "inert pre hook emits Claude allow"
+[[ "$(jq -r '.hookSpecificOutput.updatedInput.command' <<< "${inert_pre}")" == "npm install fixture-parent@1.0.0 --ignore-scripts" ]] || fail "inert pre hook injects ignore-scripts"
+cat > "${inert_project}/package-lock.json" <<'EOF'
+{
+  "name": "inert-project",
+  "lockfileVersion": 3,
+  "packages": {
+    "": {"dependencies": {"fixture-parent": "1.0.0"}},
+    "node_modules/fixture-parent": {"version": "1.0.0", "dependencies": {"fixture-child": "1.0.0"}},
+    "node_modules/fixture-child": {"version": "1.0.0"}
+  }
+}
+EOF
+stub_bin="${tmp_root}/stub-bin"
+mkdir -p "${stub_bin}"
+cat > "${stub_bin}/npm" <<EOF
+#!/usr/bin/env bash
+printf '%s\n' "\$*" >> "${tmp_root}/npm-calls.log"
+exit 0
+EOF
+chmod +x "${stub_bin}/npm"
+inert_post=$(
+  PATH="${stub_bin}:${PATH}" scripts/safedeps-post-verify.sh <<EOF
+{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0 --ignore-scripts"}}
+EOF
+)
+[[ -z "${inert_post}" ]] || fail "post hook keeps verified inert rebuild success quiet"
+grep -qx 'rebuild' "${tmp_root}/npm-calls.log" || fail "post hook runs npm rebuild after verified injected install"
+pass "post hook rebuilds after verified inert install"
+
+export SAFEDEPS_HOME="${tmp_root}/safe-missing-transitive"
+export SAFEDEPS_OSV_API_URL="http://127.0.0.1:${port}/osv/v1/query"
+export SAFEDEPS_OSV_BATCH_API_URL="http://127.0.0.1:${port}/osv/v1/querybatch"
+export SAFEDEPS_KEV_CATALOG_URL="http://127.0.0.1:${port}/kev.json"
+export SAFEDEPS_GHSA_API_URL="http://127.0.0.1:${port}/advisories"
+export SAFEDEPS_PROVIDER_CACHE_TTL_SECONDS=0
+export SAFEDEPS_NPM_CLOSURE_FIXTURE_JSON="${closure_fixture}"
+missing_project="${tmp_root}/missing-project"
+mkdir -p "${missing_project}"
+printf '{"dependencies":{}}\n' > "${missing_project}/package.json"
+SAFEDEPS_HOME="${SAFEDEPS_HOME}" lib/ledger/ledger.sh approve npm fixture-parent 1.0.0 1.0.0 direct-only >/dev/null
+missing_pre=$(
+  scripts/safedeps-pre-guard.sh <<EOF
+{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0"},"cwd":"${missing_project}","turn_id":"turn-e2e","model":"codex-test"}
+EOF
+)
+[[ -z "${missing_pre}" ]] || fail "missing-transitive pre hook allows direct-only approved spec"
+cat > "${missing_project}/package-lock.json" <<'EOF'
+{
+  "name": "missing-project",
+  "lockfileVersion": 3,
+  "packages": {
+    "": {"dependencies": {"fixture-parent": "1.0.0"}},
+    "node_modules/fixture-parent": {"version": "1.0.0", "dependencies": {"fixture-child": "1.0.0"}},
+    "node_modules/fixture-child": {"version": "1.0.0"}
+  }
+}
+EOF
+missing_post=$(
+  scripts/safedeps-post-verify.sh <<EOF
+{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0"}}
+EOF
+)
+grep -q '의심스러운 패키지 변경 감지' <<< "${missing_post}" || fail "post hook reorgs unapproved transitive package"
+grep -q 'fixture-child@1.0.0' <<< "${missing_post}" || fail "post hook names unapproved transitive package"
+pass "post hook reorgs unapproved transitive package"
+
+export SAFEDEPS_HOME="${tmp_root}/safe"
+export SAFEDEPS_OSV_API_URL="http://127.0.0.1:${port}/osv/v1/query"
+export SAFEDEPS_OSV_BATCH_API_URL="http://127.0.0.1:${port}/osv/v1/querybatch"
+export SAFEDEPS_KEV_CATALOG_URL="http://127.0.0.1:${port}/kev.json"
+export SAFEDEPS_GHSA_API_URL="http://127.0.0.1:${port}/advisories"
+export SAFEDEPS_PROVIDER_CACHE_TTL_SECONDS=0
+export SAFEDEPS_NPM_CLOSURE_FIXTURE_JSON="${closure_fixture}"
+
 printf '%s\n' '{"vulnerable":["fixture-clean@1.0.0"]}' > "${state_file}"
 recheck_json=$(./bin/safedeps --json re-check)
 [[ "$(jq -r '.revoked | length' <<< "${recheck_json}")" == "1" ]] || fail "re-check revokes newly vulnerable spec"
 [[ "$(jq -r '.revoked[0].package' <<< "${recheck_json}")" == "fixture-clean" ]] || fail "re-check revoked expected package"
 pass "re-check revocation"
 
+SAFEDEPS_HOME="${SAFEDEPS_HOME}" lib/ledger/ledger.sh approve npm fixture-forged 1.0.0 1.0.0 forged-test >/dev/null
+forgery_json=$(./bin/safedeps --json re-check)
+[[ "$(jq -r '.suspected_forgery | length' <<< "${forgery_json}")" == "1" ]] || fail "re-check flags direct ledger write without approval provenance"
+[[ "$(jq -r '.suspected_forgery[0].package' <<< "${forgery_json}")" == "fixture-forged" ]] || fail "re-check flags expected forged package"
+pass "re-check flags ledger approval provenance mismatch"
+
 legacy_home="${tmp_root}/legacy"
 target_home="${tmp_root}/migrated"
 mkdir -p "${legacy_home}/approved-specs"
@@ -93,15 +260,72 @@ pass "legacy state migration"
 installer_home="${tmp_root}/installer-home"
 mkdir -p "${installer_home}/.claude" "${installer_home}/.codex"
 cat > "${installer_home}/.claude/settings.json" <<EOF
-{"hooks":{"PreToolUse":[{"matcher":"Bash","hooks":[{"type":"command","command":"${installer_home}/.claude/skills/npm-reorg-guard/scripts/guard.sh"}]}],"PostToolUse":[{"matcher":"Bash","hooks":[{"type":"command","command":"${installer_home}/.claude/skills/npm-reorg-guard/scripts/verify.sh"}]}]}}
+{"hooks":{"PreToolUse":[{"matcher":"Other","hooks":[{"type":"command","command":"~/.claude/skills/safedeps/scripts/safedeps-pre-guard.sh"}]},{"matcher":"Bash","hooks":[{"type":"command","command":"${installer_home}/.claude/skills/npm-reorg-guard/scripts/guard.sh"}]}],"PostToolUse":[{"matcher":"Bash","hooks":[{"type":"command","command":"${installer_home}/.claude/skills/npm-reorg-guard/scripts/verify.sh"}]}]}}
 EOF
 HOME="${installer_home}" node scripts/install/install-safedeps-hooks.mjs >/dev/null
-jq -e --arg pre "${ROOT_DIR}/scripts/safedeps-pre-guard.sh" '
-  [.hooks.PreToolUse[]?.hooks[]?.command] | index($pre)
+jq -e --arg pre "~/.claude/skills/safedeps/scripts/safedeps-pre-guard.sh" '
+  [.hooks.PreToolUse[]? | select(.matcher == "Bash") | .hooks[]?.command] | index($pre)
 ' "${installer_home}/.claude/settings.json" >/dev/null || fail "installer writes new pre hook"
+jq -e --arg post "~/.claude/skills/safedeps/scripts/safedeps-post-verify.sh" '
+  [.hooks.PostToolUse[]?.hooks[]?.command] | index($post)
+' "${installer_home}/.claude/settings.json" >/dev/null || fail "installer writes new post hook"
+jq -e --arg pre "~/.codex/skills/safedeps/scripts/safedeps-pre-guard.sh" '
+  [.hooks.PreToolUse[]?.hooks[]?.command] | index($pre)
+' "${installer_home}/.codex/hooks.json" >/dev/null || fail "installer writes codex pre hook"
+jq -e --arg post "~/.codex/skills/safedeps/scripts/safedeps-post-verify.sh" '
+  [.hooks.PostToolUse[]?.hooks[]?.command] | index($post)
+' "${installer_home}/.codex/hooks.json" >/dev/null || fail "installer writes codex post hook"
 if jq -e '[.. | strings] | any(contains("npm-reorg-guard"))' "${installer_home}/.claude/settings.json" >/dev/null; then
   fail "installer removes legacy hook"
 fi
 pass "installer legacy hook cleanup"
 
+# --- Secret-leak lane: pre-commit gate must DENY a secret, PASS clean/example -
+# The real bypass harness for the secret lane. Needs a scanner (gitleaks or
+# docker) and openssl for a synthetic high-entropy secret; skip explicitly
+# (not silently) when either is missing.
+secret_repo="${tmp_root}/secret-repo"
+mkdir -p "${secret_repo}"
+git -C "${secret_repo}" init -q
+git -C "${secret_repo}" config user.email t@safedeps.test
+git -C "${secret_repo}" config user.name safedeps-e2e
+
+# doctor flags gaps on the bare repo, then --fix scaffolds + activates the lane.
+if HOME="${tmp_root}/doc-home" "${ROOT_DIR}/bin/safedeps" doctor --root "${secret_repo}" >/dev/null 2>&1; then
+  fail "doctor flags gaps on an unconfigured repo"
+fi
+HOME="${tmp_root}/doc-home" "${ROOT_DIR}/bin/safedeps" doctor --fix --root "${secret_repo}" >/dev/null
+[[ -f "${secret_repo}/.gitleaks.toml" ]] || fail "doctor --fix scaffolds .gitleaks.toml"
+[[ -x "${secret_repo}/.githooks/pre-commit" ]] || fail "doctor --fix scaffolds executable pre-commit"
+[[ "$(git -C "${secret_repo}" config --get core.hooksPath)" == ".githooks" ]] || fail "doctor --fix activates core.hooksPath"
+pass "doctor --fix scaffolds + activates the secret lane"
+
+# The scaffolded pre-commit resolves `safedeps` via PATH, then SAFEDEPS_BIN, then
+# the skill install paths. In CI none of those exist, so point it at this repo's
+# binary; the git commit subprocess inherits the env and the hook resolves it.
+export SAFEDEPS_BIN="${ROOT_DIR}/bin/safedeps"
+
+if command -v gitleaks >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
+  # Regression: a clean file commits cleanly.
+  echo "hello" > "${secret_repo}/readme.txt"
+  git -C "${secret_repo}" add readme.txt
+  git -C "${secret_repo}" commit -q -m "clean" || fail "pre-commit allows a clean commit"
+
+  # Threat: a literal .env with an assigned (synthetic) secret must be blocked.
+  printf 'API_KEY=%s\n' "$(openssl rand -hex 20)" > "${secret_repo}/.env"
+  git -C "${secret_repo}" add .env
+  if git -C "${secret_repo}" commit -q -m "leak" 2>/dev/null; then
+    fail "pre-commit blocks a committed .env secret"
+  fi
+  git -C "${secret_repo}" reset -q HEAD .env >/dev/null 2>&1 || true
+
+  # Regression: the .env.example placeholder is allowlisted and commits.
+  printf 'API_KEY=your_api_key_here\n' > "${secret_repo}/.env.example"
+  git -C "${secret_repo}" add .env.example
+  git -C "${secret_repo}" commit -q -m "example" || fail "pre-commit allows the .env.example placeholder"
+  pass "pre-commit gate denies a secret, passes clean and example commits"
+else
+  printf 'ok - pre-commit gate behavior SKIPPED (needs gitleaks + openssl)\n'
+fi
+
 printf 'e2e passed\n'

package/scripts/test/fixture-provider.mjs

@@ -55,6 +55,17 @@ function osvResponse(packageName, version) {
   if (packageName === 'fixture-vuln' && version === '1.0.0') {
     return { vulns: [osvVuln('CVE-2026-1001', '1.0.1')] };
   }
+  if (packageName === 'fixture-multi-vuln' && version === '1.0.0') {
+    return {
+      vulns: [
+        osvVuln('CVE-2026-1003', '1.0.1'),
+        osvVuln('CVE-2026-1004', '1.0.5')
+      ]
+    };
+  }
+  if (packageName === 'fixture-multi-vuln' && version === '1.0.1') {
+    return { vulns: [osvVuln('CVE-2026-1004', '1.0.5')] };
+  }
   if (packageName === 'fixture-unpatched') {
     return { vulns: [osvVuln('CVE-2026-1002', null)] };
   }
@@ -74,6 +85,16 @@ const server = http.createServer(async (req, res) => {
     return;
   }
 
+  if (req.method === 'POST' && req.url === '/osv/v1/querybatch') {
+    const body = await readJson(req);
+    const queries = Array.isArray(body.queries) ? body.queries : [];
+    res.setHeader('content-type', 'application/json');
+    res.end(JSON.stringify({
+      results: queries.map((query) => osvResponse(query.package?.name || '', query.version || ''))
+    }));
+    return;
+  }
+
   if (req.method === 'GET' && req.url === '/kev.json') {
     res.setHeader('content-type', 'application/json');
     res.end(JSON.stringify({

package/scripts/test/smoke.sh

@@ -22,9 +22,16 @@ trap cleanup EXIT
 bash -n bin/safedeps
 bash -n lib/providers/providers.sh
 bash -n lib/ledger/ledger.sh
+bash -n lib/npm/closure.sh
 bash -n scripts/safedeps-pre-guard.sh
 bash -n scripts/safedeps-post-verify.sh
 bash -n scripts/safedeps-recheck-alert.sh
+bash -n scripts/release-gates.sh
+bash -n lib/gates/repo-profile.sh
+bash -n lib/gates/scan.sh
+bash -n lib/gates/audit.sh
+bash -n lib/gates/hooks.sh
+bash -n lib/gates/doctor.sh
 pass "bash syntax"
 
 node --check scripts/install/install-safedeps-hooks.mjs >/dev/null
@@ -35,7 +42,8 @@ node scripts/install/install-safedeps-recheck-agent.mjs --help >/dev/null
 pass "node syntax"
 
 version_json=$(HOME="${tmp_root}/home-version" SAFEDEPS_HOME="${tmp_root}/safe-version" ./bin/safedeps --json version)
-[[ "$(jq -r '.version' <<< "${version_json}")" == "2.1.0" ]] || fail "version json is 2.1.0"
+pkg_version=$(jq -r '.version' package.json)
+[[ "$(jq -r '.version' <<< "${version_json}")" == "${pkg_version}" ]] || fail "cli version matches package.json (${pkg_version})"
 pass "cli version"
 
 ledger_json=$(HOME="${tmp_root}/home-ledger" SAFEDEPS_HOME="${tmp_root}/safe-ledger" ./bin/safedeps --json ledger)
@@ -51,15 +59,39 @@ provider_created=$(
 [[ "${provider_created}" == "${provider_tmp%/}/safedeps-providers."* ]] || fail "provider tmp helper uses requested TMPDIR"
 pass "provider temp dir"
 
+# Portability guard: safedeps_file_mtime must return a bare integer on both BSD
+# (macOS, `stat -f`) and GNU (Linux, `stat -c`). A wrong-order stat leaks
+# filesystem info into the value and breaks the cache-freshness arithmetic.
+mtime_val=$(bash -c 'source lib/providers/providers.sh; f=$(mktemp); safedeps_file_mtime "$f"; rm -f "$f"')
+[[ "${mtime_val}" =~ ^[0-9]+$ ]] || fail "safedeps_file_mtime returns a bare integer (got: ${mtime_val})"
+pass "file mtime is a portable integer"
+
 project_dir="${tmp_root}/project"
 mkdir -p "${project_dir}"
 printf '{"dependencies":{}}\n' > "${project_dir}/package.json"
 
+run_hook_command() {
+  local home_dir="$1"
+  local safe_dir="$2"
+  local command="$3"
+
+  jq -nc --arg command "${command}" --arg cwd "${project_dir}" \
+    '{tool_name:"Bash",tool_input:{command:$command},cwd:$cwd}' |
+    HOME="${home_dir}" SAFEDEPS_HOME="${safe_dir}" scripts/safedeps-pre-guard.sh
+}
+
+run_codex_hook_command() {
+  local home_dir="$1"
+  local safe_dir="$2"
+  local command="$3"
+
+  jq -nc --arg command "${command}" --arg cwd "${project_dir}" \
+    '{tool_name:"Bash",tool_input:{command:$command},cwd:$cwd,turn_id:"turn-smoke",model:"codex-test"}' |
+    HOME="${home_dir}" SAFEDEPS_HOME="${safe_dir}" scripts/safedeps-pre-guard.sh
+}
+
 deny_json=$(
-  HOME="${tmp_root}/home-hook" SAFEDEPS_HOME="${tmp_root}/safe-hook" \
-  scripts/safedeps-pre-guard.sh <<EOF
-{"tool_name":"Bash","tool_input":{"command":"npm install left-pad@1.3.0"},"cwd":"${project_dir}"}
-EOF
+  run_hook_command "${tmp_root}/home-hook" "${tmp_root}/safe-hook" "npm install left-pad@1.3.0"
 )
 [[ "$(jq -r '.hookSpecificOutput.permissionDecision' <<< "${deny_json}")" == "deny" ]] || fail "hook denies unapproved install"
 pass "hook denies unapproved install"
@@ -67,13 +99,148 @@ pass "hook denies unapproved install"
 mkdir -p "${tmp_root}/safe-hook-allow"
 SAFEDEPS_HOME="${tmp_root}/safe-hook-allow" lib/ledger/ledger.sh approve npm left-pad 1.3.0 1.3.0 smoke >/dev/null
 allow_output=$(
-  HOME="${tmp_root}/home-hook-allow" SAFEDEPS_HOME="${tmp_root}/safe-hook-allow" \
-  scripts/safedeps-pre-guard.sh <<EOF
-{"tool_name":"Bash","tool_input":{"command":"npm install left-pad@1.3.0"},"cwd":"${project_dir}"}
+  run_hook_command "${tmp_root}/home-hook-allow" "${tmp_root}/safe-hook-allow" "npm install left-pad@1.3.0"
+)
+[[ "$(jq -r '.hookSpecificOutput.permissionDecision' <<< "${allow_output}")" == "allow" ]] || fail "hook emits Claude allow decision for approved install"
+[[ "$(jq -r '.hookSpecificOutput.updatedInput.command' <<< "${allow_output}")" == "npm install left-pad@1.3.0 --ignore-scripts" ]] || fail "hook injects --ignore-scripts for Claude npm install"
+allow_sid=$(jq -r '.snapshot_id' "${tmp_root}/safe-hook-allow/current_state")
+jq -e '.ignore_scripts_injected == true' "${tmp_root}/safe-hook-allow/snapshots/${allow_sid}_meta.json" >/dev/null || fail "hook records injected meta flag"
+pass "hook injects --ignore-scripts for Claude approved install"
+
+mkdir -p "${tmp_root}/safe-hook-codex"
+SAFEDEPS_HOME="${tmp_root}/safe-hook-codex" lib/ledger/ledger.sh approve npm left-pad 1.3.0 1.3.0 smoke >/dev/null
+codex_allow_output=$(
+  run_codex_hook_command "${tmp_root}/home-hook-codex" "${tmp_root}/safe-hook-codex" "npm install left-pad@1.3.0"
+)
+[[ -z "${codex_allow_output}" ]] || fail "hook keeps Codex approved install as plain allow"
+codex_sid=$(jq -r '.snapshot_id' "${tmp_root}/safe-hook-codex/current_state")
+jq -e '.ignore_scripts_injected == false' "${tmp_root}/safe-hook-codex/snapshots/${codex_sid}_meta.json" >/dev/null || fail "hook does not record injected meta flag for Codex"
+pass "hook keeps Codex approved install as plain allow"
+
+for inert_skip_cmd in "npm view left-pad" "npm run build" "npm --version"; do
+  inert_skip_output=$(run_hook_command "${tmp_root}/home-inert-skip" "${tmp_root}/safe-inert-skip" "${inert_skip_cmd}")
+  [[ -z "${inert_skip_output}" ]] || fail "hook does not inject non-install command: ${inert_skip_cmd}"
+done
+pass "hook does not inject npm non-install commands"
+
+mkdir -p "${tmp_root}/safe-hook-ignore-scripts"
+SAFEDEPS_HOME="${tmp_root}/safe-hook-ignore-scripts" lib/ledger/ledger.sh approve npm left-pad 1.3.0 1.3.0 smoke >/dev/null
+ignore_scripts_output=$(
+  run_hook_command "${tmp_root}/home-hook-ignore-scripts" "${tmp_root}/safe-hook-ignore-scripts" "npm install left-pad@1.3.0 --ignore-scripts"
+)
+[[ -z "${ignore_scripts_output}" ]] || fail "hook does not duplicate --ignore-scripts"
+ignore_sid=$(jq -r '.snapshot_id' "${tmp_root}/safe-hook-ignore-scripts/current_state")
+jq -e '.ignore_scripts_injected == false' "${tmp_root}/safe-hook-ignore-scripts/snapshots/${ignore_sid}_meta.json" >/dev/null || fail "hook does not record injected meta flag when flag already exists"
+pass "hook does not duplicate --ignore-scripts"
+
+# Regression: `npx <tool> <args>` runs an already-installed binary. Arguments to
+# the tool (e.g. an email) must NOT be misread as a pkg@spec install and denied.
+npx_runner_output=$(
+  run_hook_command "${tmp_root}/home-npx-run" "${tmp_root}/safe-npx-run" "npx wrangler secret put ORIGIN_SHARED_SECRET --name pqc-auth-gateway dev1@block-s.io"
+)
+[[ -z "${npx_runner_output}" ]] || fail "hook allows npx tool run with @-bearing args"
+pass "hook allows npx tool run with @-bearing args"
+
+# Regression: a genuine install chained with an npx tool run must STILL be gated
+# on the real package — and must not be polluted by the npx arg email.
+mixed_output=$(
+  run_hook_command "${tmp_root}/home-mixed" "${tmp_root}/safe-mixed" "npm install evil-pkg@9.9.9 && npx wrangler secret put X dev1@block-s.io"
+)
+[[ "$(jq -r '.hookSpecificOutput.permissionDecision' <<< "${mixed_output}")" == "deny" ]] || fail "hook gates real install chained with npx run"
+reason=$(jq -r '.hookSpecificOutput.permissionDecisionReason' <<< "${mixed_output}")
+grep -q 'evil-pkg@9.9.9' <<< "${reason}" || fail "deny reason names the real package"
+[[ "${reason}" != *"dev1@block-s.io"* ]] || fail "deny reason must not name the email arg"
+pass "hook gates real install chained with npx run (email not polluted)"
+
+echo_output=$(
+  run_hook_command "${tmp_root}/home-echo" "${tmp_root}/safe-echo" "echo \"npm install evil-pkg@9.9.9\""
+)
+[[ -z "${echo_output}" ]] || fail "hook ignores quoted echo text"
+heredoc_output=$(
+  run_hook_command "${tmp_root}/home-heredoc" "${tmp_root}/safe-heredoc" $'cat <<'\''EOF'\''\nnpm install evil-pkg@9.9.9\nEOF'
+)
+[[ -z "${heredoc_output}" ]] || fail "hook ignores heredoc body text"
+pass "hook ignores echo/heredoc text"
+
+bypass_cases=(
+  "/usr/bin/npm install evil@1.2.3"
+  "bash -lc \"npm install evil@1.2.3\""
+  "env npm install evil@1.2.3"
+  "command npm install evil@1.2.3"
+  "npm --prefix sub install evil@1.2.3"
+  "pip install requests==2.31.0"
+  "gem install rails -v 7.1.0"
+  "cargo add serde --vers 1.0.0"
+  "dotnet add package X --version 1.0.0"
+)
+for bypass_cmd in "${bypass_cases[@]}"; do
+  bypass_output=$(run_hook_command "${tmp_root}/home-bypass" "${tmp_root}/safe-bypass" "${bypass_cmd}")
+  [[ "$(jq -r '.hookSpecificOutput.permissionDecision' <<< "${bypass_output}")" == "deny" ]] || fail "hook denies bypass: ${bypass_cmd}"
+done
+pass "hook denies install bypass forms"
+
+# Fail-closed gate: when the gate cannot run it must NOT silently pass, and the
+# outcome must be observable in the advisory log (AGENTS.md: no silent fallback).
+fc_safe="${tmp_root}/safe-failclosed"
+fc_home="${tmp_root}/home-failclosed"
+mkdir -p "${fc_safe}"
+# (a) lock unavailable on an install command → DENY (fail-closed), logged.
+mkdir -p "${fc_safe}/state.lock"
+fc_deny=$(
+  jq -nc --arg c "npm install evil@1.0.0" --arg cwd "${project_dir}" \
+    '{tool_name:"Bash",tool_input:{command:$c},cwd:$cwd}' |
+    HOME="${fc_home}" SAFEDEPS_HOME="${fc_safe}" SAFEDEPS_LOCK_MAX_ATTEMPTS=2 scripts/safedeps-pre-guard.sh
+)
+rmdir "${fc_safe}/state.lock" 2>/dev/null || true
+[[ "$(jq -r '.hookSpecificOutput.permissionDecision' <<< "${fc_deny}")" == "deny" ]] || fail "pre-guard fails closed (deny) when the state lock is unavailable for an install"
+grep -q 'pre-guard DENY' "${fc_safe}/advisory.log" || fail "pre-guard logs the fail-closed deny to advisory.log"
+pass "pre-guard fails closed on lock contention (observable)"
+
+# (b) jq missing → best-effort fail-closed: a likely install DENIES, a non-install
+# is allowed, both recorded in advisory.log (never a silent skip).
+fc_nojq=$(mktemp -d "${tmp_root}/nojq.XXXXXX")
+for fc_tool in bash mkdir date printf cat grep; do
+  ln -sf "$(command -v "${fc_tool}")" "${fc_nojq}/${fc_tool}" 2>/dev/null || true
+done
+fc_nojq_deny=$(
+  jq -nc --arg c "npm install x@1" --arg cwd "${project_dir}" '{tool_name:"Bash",tool_input:{command:$c},cwd:$cwd}' |
+    HOME="${fc_home}" SAFEDEPS_HOME="${fc_safe}" PATH="${fc_nojq}" scripts/safedeps-pre-guard.sh 2>/dev/null
+)
+[[ "$(jq -r '.hookSpecificOutput.permissionDecision' <<< "${fc_nojq_deny}")" == "deny" ]] || fail "pre-guard denies a likely install when jq is missing (best-effort fail-closed)"
+grep -q 'DENY: jq missing' "${fc_safe}/advisory.log" || fail "pre-guard logs the jq-missing install deny to advisory.log"
+fc_nojq_allow=$(
+  jq -nc --arg c "ls -la" --arg cwd "${project_dir}" '{tool_name:"Bash",tool_input:{command:$c},cwd:$cwd}' |
+    HOME="${fc_home}" SAFEDEPS_HOME="${fc_safe}" PATH="${fc_nojq}" scripts/safedeps-pre-guard.sh 2>/dev/null
+)
+[[ "$(jq -r '.hookSpecificOutput.permissionDecision // "allow"' <<< "${fc_nojq_allow}" 2>/dev/null || echo allow)" != "deny" ]] || fail "pre-guard allows a non-install command when jq is missing"
+pass "pre-guard fails closed on jq-missing installs, allows non-installs (observable)"
+
+# (c) ledger library missing → DENY (fail-closed), logged — not a silent fall-through allow.
+fc_noledger=$(
+  jq -nc --arg c "npm install x@1" --arg cwd "${project_dir}" '{tool_name:"Bash",tool_input:{command:$c},cwd:$cwd}' |
+    HOME="${fc_home}" SAFEDEPS_HOME="${fc_safe}" SAFEDEPS_LEDGER_LIB="${tmp_root}/does-not-exist.sh" scripts/safedeps-pre-guard.sh 2>/dev/null
+)
+[[ "$(jq -r '.hookSpecificOutput.permissionDecision' <<< "${fc_noledger}")" == "deny" ]] || fail "pre-guard denies an install when the ledger library is missing (fail-closed)"
+grep -q 'ledger library missing' "${fc_safe}/advisory.log" || fail "pre-guard logs the missing-ledger deny to advisory.log"
+pass "pre-guard fails closed when the ledger library is missing (observable)"
+
+tamper_safe="${tmp_root}/safe-tamper"
+tamper_home="${tmp_root}/home-tamper"
+SAFEDEPS_HOME="${tamper_safe}" lib/ledger/ledger.sh approve npm ledger-tamper 1.0.0 1.0.0 smoke >/dev/null
+tamper_pre=$(run_hook_command "${tamper_home}" "${tamper_safe}" "npm install ledger-tamper@1.0.0")
+[[ "$(jq -r '.hookSpecificOutput.permissionDecision' <<< "${tamper_pre}")" == "allow" ]] || fail "tamper fixture pre hook allows approved install"
+mkdir -p "${project_dir}/node_modules/ledger-tamper"
+jq '.dependencies["ledger-tamper"]="1.0.0"' "${project_dir}/package.json" > "${project_dir}/package.json.tmp"
+mv "${project_dir}/package.json.tmp" "${project_dir}/package.json"
+cat > "${project_dir}/node_modules/ledger-tamper/package.json" <<'EOF'
+{"name":"ledger-tamper","version":"1.0.0","scripts":{"postinstall":"node -e \"require('fs').writeFileSync(process.env.HOME + '/.safedeps/approved-specs/evil.json', '{}')\""}}
 EOF
+tamper_post=$(
+  jq -nc '{tool_name:"Bash",tool_input:{command:"npm install ledger-tamper@1.0.0"}}' |
+    HOME="${tamper_home}" SAFEDEPS_HOME="${tamper_safe}" scripts/safedeps-post-verify.sh
 )
-[[ -z "${allow_output}" ]] || fail "hook allows approved install"
-pass "hook allows approved install"
+grep -q '의심스러운 패키지 변경 감지' <<< "${tamper_post}" || fail "post hook reorgs safedeps ledger tamper script"
+pass "post hook reorgs safedeps ledger tamper script"
 
 fixture_json="${tmp_root}/recheck-fixture.json"
 printf '%s\n' '{"command":"re-check","checked":2,"still_clean":1,"newly_vulnerable":[],"kev_hit":[],"revoked":[]}' > "${fixture_json}"
@@ -86,4 +253,39 @@ grep -q '"checked":2' "${tmp_root}/safe-recheck/recheck.log" || fail "re-check w
 grep -q '"provider_skipped":1' "${tmp_root}/safe-recheck/recheck-alerts.jsonl" || fail "re-check wrapper alerts on skipped provider checks"
 pass "re-check alert wrapper"
 
+# Release-time lane (absorbed from security-release-gates): commands must be
+# registered and resolve their gate scripts.
+gates_help=$(HOME="${tmp_root}/home-gates" SAFEDEPS_HOME="${tmp_root}/safe-gates" ./bin/safedeps help)
+for gate_cmd in "gates" "scan secrets" "audit" "hooks" "doctor"; do
+  grep -q "${gate_cmd}" <<< "${gates_help}" || fail "release-time command listed in help: ${gate_cmd}"
+done
+for gate_script in scripts/release-gates.sh lib/gates/repo-profile.sh lib/gates/scan.sh lib/gates/audit.sh lib/gates/hooks.sh lib/gates/doctor.sh; do
+  [[ -f "${gate_script}" ]] || fail "release-time gate script present: ${gate_script}"
+done
+for tmpl in gitleaks.toml.tmpl gitleaks.private.toml.tmpl pre-commit.tmpl; do
+  [[ -f "lib/gates/templates/${tmpl}" ]] || fail "secret-lane template present: ${tmpl}"
+done
+pass "release-time gate commands registered"
+
+# Secret-leak lane: doctor diagnoses, hooks init scaffolds, hooks install
+# activates. No scanner (gitleaks/docker) needed for these structural checks.
+doctor_repo=$(mktemp -d "${tmp_root}/secret-repo.XXXXXX")
+git -C "${doctor_repo}" init -q
+# doctor exits 1 when gaps exist; capture the JSON without tripping set -e.
+doctor_json=$(HOME="${tmp_root}/home-doctor" ./bin/safedeps --json doctor --root "${doctor_repo}" || true)
+[[ "$(jq -r '.command' <<< "${doctor_json}")" == "doctor" ]] || fail "doctor --json command field"
+[[ "$(jq -r '.ok' <<< "${doctor_json}")" == "false" ]] || fail "doctor reports gaps on a bare repo"
+secret_gaps=$(jq -r '[.checks[] | select(.lane == "secret" and .status == "gap")] | length' <<< "${doctor_json}")
+[[ "${secret_gaps}" -ge 3 ]] || fail "doctor lists at least 3 secret-lane gaps (got ${secret_gaps})"
+HOME="${tmp_root}/home-doctor" ./bin/safedeps hooks init --root "${doctor_repo}" >/dev/null
+[[ -f "${doctor_repo}/.gitleaks.toml" ]] || fail "hooks init scaffolds .gitleaks.toml"
+[[ -x "${doctor_repo}/.githooks/pre-commit" ]] || fail "hooks init scaffolds an executable pre-commit"
+grep -q 'scan secrets --staged' "${doctor_repo}/.githooks/pre-commit" || fail "pre-commit delegates to safedeps scan"
+printf '\n# repo-owned edit marker\n' >> "${doctor_repo}/.gitleaks.toml"
+HOME="${tmp_root}/home-doctor" ./bin/safedeps hooks init --root "${doctor_repo}" >/dev/null
+grep -q 'repo-owned edit marker' "${doctor_repo}/.gitleaks.toml" || fail "hooks init is non-destructive (keeps repo edits)"
+HOME="${tmp_root}/home-doctor" ./bin/safedeps hooks install --root "${doctor_repo}" >/dev/null
+[[ "$(git -C "${doctor_repo}" config --get core.hooksPath)" == ".githooks" ]] || fail "hooks install activates core.hooksPath"
+pass "doctor + hooks init/install wire the secret lane (non-destructive)"
+
 printf 'smoke passed\n'