@aldegad/safedeps 2.1.1 → 2.4.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aldegad/safedeps",
-  "version": "2.1.1",
+  "version": "2.4.0",
   "description": "Dependency install safety gate with OSV-backed advisory checks, approved-spec ledger enforcement, and reorg rollback hooks",
   "main": "bin/safedeps",
   "bin": {
@@ -16,6 +16,7 @@
     "ARCHITECTURE.md",
     "ROADMAP.md",
     "SKILL.md",
+    "SECURITY.md",
     "LICENSE"
   ],
   "scripts": {

package/scripts/install/install-safedeps-hooks.mjs

@@ -11,18 +11,20 @@
 //   node scripts/install/install-safedeps-hooks.mjs --uninstall
 //   node scripts/install/install-safedeps-hooks.mjs --link-bin   (optional ~/.local/bin/safedeps)
 
-import { existsSync, lstatSync, readFileSync, writeFileSync, copyFileSync, mkdirSync, symlinkSync, unlinkSync, readlinkSync } from "node:fs";
+import { existsSync, lstatSync, readFileSync, writeFileSync, copyFileSync, mkdirSync, symlinkSync, unlinkSync, readlinkSync, renameSync } from "node:fs";
 import { homedir } from "node:os";
-import { dirname, join, resolve } from "node:path";
+import { basename, dirname, join, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 
 const HERE = dirname(fileURLToPath(import.meta.url));
 const REPO_ROOT = resolve(HERE, "..", "..");
-const HOME = homedir();
+const HOME = process.env.HOME || homedir();
 
 const SKILL_ID = "safedeps";
-const PRE_HOOK = join(REPO_ROOT, "scripts", "safedeps-pre-guard.sh");
-const POST_HOOK = join(REPO_ROOT, "scripts", "safedeps-post-verify.sh");
+const PRE_HOOK_NAME = "safedeps-pre-guard.sh";
+const POST_HOOK_NAME = "safedeps-post-verify.sh";
+const REPO_PRE_HOOK = join(REPO_ROOT, "scripts", PRE_HOOK_NAME);
+const REPO_POST_HOOK = join(REPO_ROOT, "scripts", POST_HOOK_NAME);
 const CLI_BIN = join(REPO_ROOT, "bin", "safedeps");
 
 const args = new Set(process.argv.slice(2));
@@ -71,7 +73,14 @@ function writeJsonWithBackup(path, value) {
   } else {
     mkdirSync(dirname(path), { recursive: true });
   }
-  writeFileSync(path, JSON.stringify(value, null, 2) + "\n");
+  const tmpPath = `${path}.tmp.${process.pid}.${Date.now()}`;
+  writeFileSync(tmpPath, JSON.stringify(value, null, 2) + "\n");
+  renameSync(tmpPath, path);
+}
+
+function engineHookCommand(engineRoot, hookName) {
+  const engineName = basename(engineRoot).replace(/^\./u, "");
+  return `~/.${engineName}/skills/${SKILL_ID}/scripts/${hookName}`;
 }
 
 function ensureHook(config, eventName, command) {
@@ -79,6 +88,13 @@ function ensureHook(config, eventName, command) {
   config.hooks[eventName] = config.hooks[eventName] ?? [];
   const buckets = config.hooks[eventName];
 
+  const already = buckets.some((bucket) =>
+    bucket?.matcher === "Bash" &&
+    Array.isArray(bucket?.hooks) &&
+    bucket.hooks.some((h) => h && h.type === "command" && h.command === command),
+  );
+  if (already) return false;
+
   let bashBucket = buckets.find((b) => b && b.matcher === "Bash");
   if (!bashBucket) {
     bashBucket = { matcher: "Bash", hooks: [] };
@@ -86,9 +102,6 @@ function ensureHook(config, eventName, command) {
   }
   bashBucket.hooks = bashBucket.hooks ?? [];
 
-  const already = bashBucket.hooks.some((h) => h && h.type === "command" && h.command === command);
-  if (already) return false;
-
   bashBucket.hooks.push({ type: "command", command });
   return true;
 }
@@ -106,25 +119,49 @@ function removeHook(config, eventName, command) {
   return changed;
 }
 
-function pruneLegacySafedepsHooks(config, eventName) {
+function isSafedepsHookCommand(command, hookName) {
+  if (typeof command !== "string") return false;
+  const normalized = command.replace(/\\/gu, "/");
+  if (normalized.includes("npm-reorg-guard")) return true;
+  return normalized.includes("/safedeps/") && normalized.endsWith(`/scripts/${hookName}`);
+}
+
+function pruneNonCanonicalSafedepsHooks(config, eventName, canonicalCommand, hookName) {
   const buckets = config?.hooks?.[eventName];
   if (!Array.isArray(buckets)) return false;
   let changed = false;
+  let seenCanonical = false;
   for (const bucket of buckets) {
-    if (!bucket || bucket.matcher !== "Bash" || !Array.isArray(bucket.hooks)) continue;
+    if (!bucket || !Array.isArray(bucket.hooks)) continue;
     const before = bucket.hooks.length;
     bucket.hooks = bucket.hooks.filter((h) => {
       const command = h?.command;
-      if (typeof command !== "string") return true;
-      const legacySafedeps = command.includes("npm-reorg-guard") || command.includes("/safedeps/");
-      const legacyHookName = command.endsWith("/scripts/guard.sh") || command.endsWith("/scripts/verify.sh");
-      return !(legacySafedeps && legacyHookName);
+      if (command === canonicalCommand) {
+        if (bucket.matcher !== "Bash") return false;
+        if (seenCanonical) return false;
+        seenCanonical = true;
+        return true;
+      }
+      return command === canonicalCommand || !isSafedepsHookCommand(command, hookName);
     });
     if (bucket.hooks.length !== before) changed = true;
   }
   return changed;
 }
 
+function pruneAllSafedepsHooks(config, eventName, hookName) {
+  const buckets = config?.hooks?.[eventName];
+  if (!Array.isArray(buckets)) return false;
+  let changed = false;
+  for (const bucket of buckets) {
+    if (!bucket || !Array.isArray(bucket.hooks)) continue;
+    const before = bucket.hooks.length;
+    bucket.hooks = bucket.hooks.filter((h) => !isSafedepsHookCommand(h?.command, hookName));
+    if (bucket.hooks.length !== before) changed = true;
+  }
+  return changed;
+}
+
 function installInEngine({ engineRoot, configPath, label }) {
   if (!existsSync(engineRoot)) {
     warn(`skip ${label} (${engineRoot} not present)`);
@@ -132,13 +169,15 @@ function installInEngine({ engineRoot, configPath, label }) {
   }
   const skillsRoot = join(engineRoot, "skills");
   const skillLink = join(skillsRoot, SKILL_ID);
+  const preCommand = engineHookCommand(engineRoot, PRE_HOOK_NAME);
+  const postCommand = engineHookCommand(engineRoot, POST_HOOK_NAME);
 
   if (UNINSTALL) {
     removeSymlink(skillLink);
     if (existsSync(configPath)) {
       const cfg = readJson(configPath);
-      const pre = removeHook(cfg, "PreToolUse", PRE_HOOK);
-      const post = removeHook(cfg, "PostToolUse", POST_HOOK);
+      const pre = removeHook(cfg, "PreToolUse", preCommand) || pruneAllSafedepsHooks(cfg, "PreToolUse", PRE_HOOK_NAME);
+      const post = removeHook(cfg, "PostToolUse", postCommand) || pruneAllSafedepsHooks(cfg, "PostToolUse", POST_HOOK_NAME);
       if (pre || post) {
         writeJsonWithBackup(configPath, cfg);
         log(`patched ${configPath} (removed safedeps hooks)`);
@@ -152,10 +191,10 @@ function installInEngine({ engineRoot, configPath, label }) {
   ensureSymlink(REPO_ROOT, skillLink);
 
   const cfg = readJson(configPath);
-  const legacyPreRemoved = pruneLegacySafedepsHooks(cfg, "PreToolUse");
-  const legacyPostRemoved = pruneLegacySafedepsHooks(cfg, "PostToolUse");
-  const preAdded = ensureHook(cfg, "PreToolUse", PRE_HOOK);
-  const postAdded = ensureHook(cfg, "PostToolUse", POST_HOOK);
+  const legacyPreRemoved = pruneNonCanonicalSafedepsHooks(cfg, "PreToolUse", preCommand, PRE_HOOK_NAME);
+  const legacyPostRemoved = pruneNonCanonicalSafedepsHooks(cfg, "PostToolUse", postCommand, POST_HOOK_NAME);
+  const preAdded = ensureHook(cfg, "PreToolUse", preCommand);
+  const postAdded = ensureHook(cfg, "PostToolUse", postCommand);
   if (legacyPreRemoved || legacyPostRemoved || preAdded || postAdded) {
     writeJsonWithBackup(configPath, cfg);
     log(`patched ${configPath} (pre=${preAdded ? "added" : "ok"}, post=${postAdded ? "added" : "ok"}, legacy=${legacyPreRemoved || legacyPostRemoved ? "removed" : "ok"})`);
@@ -181,8 +220,8 @@ function unlinkBin() {
 }
 
 function main() {
-  if (!existsSync(PRE_HOOK) || !existsSync(POST_HOOK)) {
-    throw new Error(`hook scripts not found at ${PRE_HOOK} / ${POST_HOOK}`);
+  if (!existsSync(REPO_PRE_HOOK) || !existsSync(REPO_POST_HOOK)) {
+    throw new Error(`hook scripts not found at ${REPO_PRE_HOOK} / ${REPO_POST_HOOK}`);
   }
 
   installInEngine({
@@ -203,6 +242,9 @@ function main() {
     log("uninstall done.");
   } else {
     log("install done. New hook events fire on the next session start.");
+    // The dependency-install gate is global. The secret-leak lane is per-repo
+    // and stays opt-in (its policy lives in each repo). Nudge, do not auto-write.
+    log("secret-leak lane is per-repo — in a repo run: safedeps doctor (then `safedeps doctor --fix` to scaffold + activate).");
   }
 }
 

package/scripts/release-gates.sh

@@ -0,0 +1,252 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT=""
+STRICT=0
+NO_RUN=0
+
+usage() {
+  cat <<'EOF'
+Usage: run-release-gates.sh [--root <repo>] [--strict] [--no-run]
+
+Runs release-time security gates for the current repository tree.
+EOF
+}
+
+while [ $# -gt 0 ]; do
+  case "$1" in
+    --root)
+      ROOT="${2:-}"
+      shift 2
+      ;;
+    --strict)
+      STRICT=1
+      shift
+      ;;
+    --no-run)
+      NO_RUN=1
+      shift
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      usage >&2
+      exit 64
+      ;;
+  esac
+done
+
+if [ -z "$ROOT" ]; then
+  ROOT="$(pwd)"
+fi
+
+if command -v realpath >/dev/null 2>&1; then
+  ROOT="$(realpath "$ROOT")"
+else
+  ROOT="$(cd "$ROOT" && pwd)"
+fi
+
+if [ ! -d "$ROOT" ]; then
+  printf 'ERROR: repo root does not exist: %s\n' "$ROOT" >&2
+  exit 1
+fi
+
+cd "$ROOT"
+
+FAILURES=0
+WARNINGS=0
+RAN=0
+
+section() {
+  printf '\n== %s ==\n' "$1"
+}
+
+pass() {
+  printf 'PASS [%s] %s\n' "$1" "$2"
+}
+
+warn() {
+  WARNINGS=$((WARNINGS + 1))
+  printf 'WARN [%s] %s\n' "$1" "$2" >&2
+}
+
+fail() {
+  FAILURES=$((FAILURES + 1))
+  printf 'FAIL [%s] %s\n' "$1" "$2" >&2
+}
+
+strict_or_warn() {
+  if [ "$STRICT" -eq 1 ]; then
+    fail "$1" "$2"
+  else
+    warn "$1" "$2"
+  fi
+}
+
+run_cmd() {
+  local gate="$1"
+  local desc="$2"
+  shift 2
+
+  RAN=$((RAN + 1))
+  printf 'RUN  [%s] %s\n' "$gate" "$desc"
+  printf 'CMD  [%s] %s\n' "$gate" "$*"
+
+  if [ "$NO_RUN" -eq 1 ]; then
+    pass "$gate" "planned only (--no-run)"
+    return 0
+  fi
+
+  if "$@"; then
+    pass "$gate" "$desc"
+  else
+    fail "$gate" "$desc"
+  fi
+}
+
+has_file() {
+  [ -f "$1" ]
+}
+
+has_npm_script() {
+  local script_name="$1"
+  has_file package.json || return 1
+  command -v node >/dev/null 2>&1 || return 1
+  node -e '
+const fs = require("node:fs");
+const pkg = JSON.parse(fs.readFileSync("package.json", "utf8"));
+process.exit(pkg.scripts && Object.prototype.hasOwnProperty.call(pkg.scripts, process.argv[1]) ? 0 : 1);
+' "$script_name"
+}
+
+run_npm_script_if_present() {
+  local script_name="$1"
+  local gate="$2"
+  if has_npm_script "$script_name"; then
+    run_cmd "$gate" "npm run $script_name" npm run "$script_name"
+    return 0
+  fi
+  return 1
+}
+
+detect_python_surface() {
+  find . -maxdepth 3 \
+    \( -name 'requirements*.txt' -o -name 'pyproject.toml' -o -name 'poetry.lock' -o -name 'uv.lock' -o -name 'Pipfile.lock' \) \
+    -not -path './node_modules/*' \
+    -not -path './.git/*' \
+    -print
+}
+
+detect_requirements_files() {
+  find . -maxdepth 3 \
+    -name 'requirements*.txt' \
+    -not -path './node_modules/*' \
+    -not -path './.git/*' \
+    -print | sort
+}
+
+hook_file_mentions_reorg_guard() {
+  local file="$1"
+  [ -f "$file" ] || return 1
+  grep -q 'safedeps' "$file"
+}
+
+safedeps_install_guard_present() {
+  [ -d "$HOME/.claude/skills/safedeps" ] && return 0
+  [ -d "$HOME/.codex/skills/safedeps" ] && return 0
+  hook_file_mentions_reorg_guard "$HOME/.claude/settings.json" && return 0
+  hook_file_mentions_reorg_guard "$HOME/.codex/hooks.json" && return 0
+  return 1
+}
+
+section "repo"
+printf 'root: %s\n' "$ROOT"
+if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+  pass repo "inside git worktree"
+else
+  strict_or_warn repo "not inside a git worktree"
+fi
+
+if [ -f docs/security-release-gates.md ] || [ -f SECURITY.md ]; then
+  pass repo "release/security documentation present"
+else
+  warn repo "no docs/security-release-gates.md or SECURITY.md"
+fi
+
+section "secrets"
+if run_npm_script_if_present "security:hooks:check" "secrets"; then
+  :
+fi
+if run_npm_script_if_present "security:scan:worktree" "secrets"; then
+  :
+elif [ -x scripts/security/run-gitleaks.sh ]; then
+  run_cmd secrets "repo gitleaks wrapper" bash scripts/security/run-gitleaks.sh --worktree
+elif command -v gitleaks >/dev/null 2>&1 && { [ -f .gitleaks.toml ] || [ -f gitleaks.toml ]; }; then
+  config=".gitleaks.toml"
+  [ -f "$config" ] || config="gitleaks.toml"
+  run_cmd secrets "gitleaks dir scan" gitleaks dir --no-banner --redact --verbose --config "$config" .
+else
+  strict_or_warn secrets "no gitleaks gate detected"
+fi
+
+section "node"
+if has_file package.json; then
+  pass node "package.json detected"
+  if run_npm_script_if_present "security:audit" "node"; then
+    :
+  elif has_file package-lock.json || has_file npm-shrinkwrap.json; then
+    run_cmd node "npm audit --audit-level=moderate" npm audit --audit-level=moderate
+  else
+    strict_or_warn node "package.json exists but no npm lockfile/audit script was detected"
+  fi
+
+  if safedeps_install_guard_present; then
+    pass install-guard "safedeps appears installed/configured"
+  elif [ "$STRICT" -eq 1 ] || [ "${SECURITY_RELEASE_GATES_REQUIRE_INSTALL_GUARD:-0}" = "1" ]; then
+    fail install-guard "npm project has no detectable safedeps install-time guard"
+  else
+    warn install-guard "safedeps not detected; release gate can continue, install-time guard is separate"
+  fi
+else
+  pass node "no package.json detected"
+fi
+
+section "python"
+PYTHON_SURFACE="$(detect_python_surface || true)"
+if [ -z "$PYTHON_SURFACE" ]; then
+  pass python "no Python dependency surface detected"
+elif [ -n "${SECURITY_RELEASE_GATES_PYTHON_AUDIT_COMMAND:-}" ]; then
+  run_cmd python "custom Python audit command" bash -lc "$SECURITY_RELEASE_GATES_PYTHON_AUDIT_COMMAND"
+elif command -v pip-audit >/dev/null 2>&1; then
+  REQUIREMENTS="$(detect_requirements_files || true)"
+  if [ -n "$REQUIREMENTS" ]; then
+    while IFS= read -r requirements_file; do
+      [ -n "$requirements_file" ] || continue
+      run_cmd python "pip-audit $requirements_file" pip-audit -r "$requirements_file"
+    done <<EOF_REQ
+$REQUIREMENTS
+EOF_REQ
+  else
+    strict_or_warn python "Python lock/project files detected, but no requirements*.txt or repo-provided Python audit command exists"
+  fi
+else
+  strict_or_warn python "Python dependency files detected, but pip-audit is not installed and no custom audit command was provided"
+fi
+
+section "ci"
+if find .github/workflows -maxdepth 1 -type f 2>/dev/null | xargs grep -E 'security:|gitleaks|pip-audit|npm audit' >/dev/null 2>&1; then
+  pass ci "workflow appears to run security gates"
+else
+  warn ci "no obvious GitHub security gate workflow detected"
+fi
+
+section "summary"
+printf 'gates_run=%s warnings=%s failures=%s strict=%s no_run=%s\n' "$RAN" "$WARNINGS" "$FAILURES" "$STRICT" "$NO_RUN"
+
+if [ "$FAILURES" -gt 0 ]; then
+  exit 1
+fi
+
+exit 0