@aldegad/safedeps 2.2.0 → 2.4.0

package/scripts/test/smoke.sh

@@ -31,6 +31,7 @@ bash -n lib/gates/repo-profile.sh
 bash -n lib/gates/scan.sh
 bash -n lib/gates/audit.sh
 bash -n lib/gates/hooks.sh
+bash -n lib/gates/doctor.sh
 pass "bash syntax"
 
 node --check scripts/install/install-safedeps-hooks.mjs >/dev/null
@@ -58,6 +59,13 @@ provider_created=$(
 [[ "${provider_created}" == "${provider_tmp%/}/safedeps-providers."* ]] || fail "provider tmp helper uses requested TMPDIR"
 pass "provider temp dir"
 
+# Portability guard: safedeps_file_mtime must return a bare integer on both BSD
+# (macOS, `stat -f`) and GNU (Linux, `stat -c`). A wrong-order stat leaks
+# filesystem info into the value and breaks the cache-freshness arithmetic.
+mtime_val=$(bash -c 'source lib/providers/providers.sh; f=$(mktemp); safedeps_file_mtime "$f"; rm -f "$f"')
+[[ "${mtime_val}" =~ ^[0-9]+$ ]] || fail "safedeps_file_mtime returns a bare integer (got: ${mtime_val})"
+pass "file mtime is a portable integer"
+
 project_dir="${tmp_root}/project"
 mkdir -p "${project_dir}"
 printf '{"dependencies":{}}\n' > "${project_dir}/package.json"
@@ -171,6 +179,51 @@ for bypass_cmd in "${bypass_cases[@]}"; do
 done
 pass "hook denies install bypass forms"
 
+# Fail-closed gate: when the gate cannot run it must NOT silently pass, and the
+# outcome must be observable in the advisory log (AGENTS.md: no silent fallback).
+fc_safe="${tmp_root}/safe-failclosed"
+fc_home="${tmp_root}/home-failclosed"
+mkdir -p "${fc_safe}"
+# (a) lock unavailable on an install command → DENY (fail-closed), logged.
+mkdir -p "${fc_safe}/state.lock"
+fc_deny=$(
+  jq -nc --arg c "npm install evil@1.0.0" --arg cwd "${project_dir}" \
+    '{tool_name:"Bash",tool_input:{command:$c},cwd:$cwd}' |
+    HOME="${fc_home}" SAFEDEPS_HOME="${fc_safe}" SAFEDEPS_LOCK_MAX_ATTEMPTS=2 scripts/safedeps-pre-guard.sh
+)
+rmdir "${fc_safe}/state.lock" 2>/dev/null || true
+[[ "$(jq -r '.hookSpecificOutput.permissionDecision' <<< "${fc_deny}")" == "deny" ]] || fail "pre-guard fails closed (deny) when the state lock is unavailable for an install"
+grep -q 'pre-guard DENY' "${fc_safe}/advisory.log" || fail "pre-guard logs the fail-closed deny to advisory.log"
+pass "pre-guard fails closed on lock contention (observable)"
+
+# (b) jq missing → best-effort fail-closed: a likely install DENIES, a non-install
+# is allowed, both recorded in advisory.log (never a silent skip).
+fc_nojq=$(mktemp -d "${tmp_root}/nojq.XXXXXX")
+for fc_tool in bash mkdir date printf cat grep; do
+  ln -sf "$(command -v "${fc_tool}")" "${fc_nojq}/${fc_tool}" 2>/dev/null || true
+done
+fc_nojq_deny=$(
+  jq -nc --arg c "npm install x@1" --arg cwd "${project_dir}" '{tool_name:"Bash",tool_input:{command:$c},cwd:$cwd}' |
+    HOME="${fc_home}" SAFEDEPS_HOME="${fc_safe}" PATH="${fc_nojq}" scripts/safedeps-pre-guard.sh 2>/dev/null
+)
+[[ "$(jq -r '.hookSpecificOutput.permissionDecision' <<< "${fc_nojq_deny}")" == "deny" ]] || fail "pre-guard denies a likely install when jq is missing (best-effort fail-closed)"
+grep -q 'DENY: jq missing' "${fc_safe}/advisory.log" || fail "pre-guard logs the jq-missing install deny to advisory.log"
+fc_nojq_allow=$(
+  jq -nc --arg c "ls -la" --arg cwd "${project_dir}" '{tool_name:"Bash",tool_input:{command:$c},cwd:$cwd}' |
+    HOME="${fc_home}" SAFEDEPS_HOME="${fc_safe}" PATH="${fc_nojq}" scripts/safedeps-pre-guard.sh 2>/dev/null
+)
+[[ "$(jq -r '.hookSpecificOutput.permissionDecision // "allow"' <<< "${fc_nojq_allow}" 2>/dev/null || echo allow)" != "deny" ]] || fail "pre-guard allows a non-install command when jq is missing"
+pass "pre-guard fails closed on jq-missing installs, allows non-installs (observable)"
+
+# (c) ledger library missing → DENY (fail-closed), logged — not a silent fall-through allow.
+fc_noledger=$(
+  jq -nc --arg c "npm install x@1" --arg cwd "${project_dir}" '{tool_name:"Bash",tool_input:{command:$c},cwd:$cwd}' |
+    HOME="${fc_home}" SAFEDEPS_HOME="${fc_safe}" SAFEDEPS_LEDGER_LIB="${tmp_root}/does-not-exist.sh" scripts/safedeps-pre-guard.sh 2>/dev/null
+)
+[[ "$(jq -r '.hookSpecificOutput.permissionDecision' <<< "${fc_noledger}")" == "deny" ]] || fail "pre-guard denies an install when the ledger library is missing (fail-closed)"
+grep -q 'ledger library missing' "${fc_safe}/advisory.log" || fail "pre-guard logs the missing-ledger deny to advisory.log"
+pass "pre-guard fails closed when the ledger library is missing (observable)"
+
 tamper_safe="${tmp_root}/safe-tamper"
 tamper_home="${tmp_root}/home-tamper"
 SAFEDEPS_HOME="${tamper_safe}" lib/ledger/ledger.sh approve npm ledger-tamper 1.0.0 1.0.0 smoke >/dev/null
@@ -203,12 +256,36 @@ pass "re-check alert wrapper"
 # Release-time lane (absorbed from security-release-gates): commands must be
 # registered and resolve their gate scripts.
 gates_help=$(HOME="${tmp_root}/home-gates" SAFEDEPS_HOME="${tmp_root}/safe-gates" ./bin/safedeps help)
-for gate_cmd in "gates" "scan secrets" "audit" "hooks"; do
+for gate_cmd in "gates" "scan secrets" "audit" "hooks" "doctor"; do
   grep -q "${gate_cmd}" <<< "${gates_help}" || fail "release-time command listed in help: ${gate_cmd}"
 done
-for gate_script in scripts/release-gates.sh lib/gates/repo-profile.sh lib/gates/scan.sh lib/gates/audit.sh lib/gates/hooks.sh; do
+for gate_script in scripts/release-gates.sh lib/gates/repo-profile.sh lib/gates/scan.sh lib/gates/audit.sh lib/gates/hooks.sh lib/gates/doctor.sh; do
   [[ -f "${gate_script}" ]] || fail "release-time gate script present: ${gate_script}"
 done
+for tmpl in gitleaks.toml.tmpl gitleaks.private.toml.tmpl pre-commit.tmpl; do
+  [[ -f "lib/gates/templates/${tmpl}" ]] || fail "secret-lane template present: ${tmpl}"
+done
 pass "release-time gate commands registered"
 
+# Secret-leak lane: doctor diagnoses, hooks init scaffolds, hooks install
+# activates. No scanner (gitleaks/docker) needed for these structural checks.
+doctor_repo=$(mktemp -d "${tmp_root}/secret-repo.XXXXXX")
+git -C "${doctor_repo}" init -q
+# doctor exits 1 when gaps exist; capture the JSON without tripping set -e.
+doctor_json=$(HOME="${tmp_root}/home-doctor" ./bin/safedeps --json doctor --root "${doctor_repo}" || true)
+[[ "$(jq -r '.command' <<< "${doctor_json}")" == "doctor" ]] || fail "doctor --json command field"
+[[ "$(jq -r '.ok' <<< "${doctor_json}")" == "false" ]] || fail "doctor reports gaps on a bare repo"
+secret_gaps=$(jq -r '[.checks[] | select(.lane == "secret" and .status == "gap")] | length' <<< "${doctor_json}")
+[[ "${secret_gaps}" -ge 3 ]] || fail "doctor lists at least 3 secret-lane gaps (got ${secret_gaps})"
+HOME="${tmp_root}/home-doctor" ./bin/safedeps hooks init --root "${doctor_repo}" >/dev/null
+[[ -f "${doctor_repo}/.gitleaks.toml" ]] || fail "hooks init scaffolds .gitleaks.toml"
+[[ -x "${doctor_repo}/.githooks/pre-commit" ]] || fail "hooks init scaffolds an executable pre-commit"
+grep -q 'scan secrets --staged' "${doctor_repo}/.githooks/pre-commit" || fail "pre-commit delegates to safedeps scan"
+printf '\n# repo-owned edit marker\n' >> "${doctor_repo}/.gitleaks.toml"
+HOME="${tmp_root}/home-doctor" ./bin/safedeps hooks init --root "${doctor_repo}" >/dev/null
+grep -q 'repo-owned edit marker' "${doctor_repo}/.gitleaks.toml" || fail "hooks init is non-destructive (keeps repo edits)"
+HOME="${tmp_root}/home-doctor" ./bin/safedeps hooks install --root "${doctor_repo}" >/dev/null
+[[ "$(git -C "${doctor_repo}" config --get core.hooksPath)" == ".githooks" ]] || fail "hooks install activates core.hooksPath"
+pass "doctor + hooks init/install wire the secret lane (non-destructive)"
+
 printf 'smoke passed\n'