@aldegad/safedeps 2.2.0 → 2.4.1

package/scripts/safedeps-pre-guard.sh

@@ -36,8 +36,26 @@ SAFEDEPS_MANIFEST_FILES=(
 umask 077
 mkdir -p "${GUARD_DIR}" "${SNAPSHOT_DIR}"
 
+# Observable record of any gate bypass / unavailability (AGENTS.md: no silent fallback —
+# every bypass must be observable and logged).
+log_advisory() {
+  printf '%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "${GUARD_DIR}/advisory.log" 2>/dev/null || true
+}
+
 if ! command -v jq >/dev/null 2>&1; then
-  echo "safedeps: jq is not installed; skipping guard hook." >&2
+  # jq is required to parse the hook payload. Without it we cannot read the exact
+  # command, so do a best-effort fail-closed: read the raw payload and, if it
+  # looks like a dependency install, DENY (an install we cannot verify must not
+  # proceed). Non-install commands are allowed — jq absence must not block `ls`.
+  # Either branch is recorded in advisory.log; never a silent skip.
+  raw_input=$(cat)
+  log_advisory "pre-guard: jq missing — gate cannot parse the payload."
+  if printf '%s' "${raw_input}" | grep -qiE '(npm|pnpm|yarn|bun)([^"]*)(install|add|dlx)|[^a-z]npx[[:space:]]|pip[0-9]*[[:space:]]+install|poetry[[:space:]]+add|uv[[:space:]]+(add|pip[[:space:]]+install)|pipenv[[:space:]]+install|cargo[[:space:]]+(add|install)|go[[:space:]]+(get|install)|gem[[:space:]]+install|bundle[[:space:]]+add|mvn([^"]*)dependency:get|dotnet[[:space:]]+add[[:space:]]+package'; then
+    log_advisory "pre-guard DENY: jq missing on a likely dependency-install command — fail-closed."
+    printf '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny","permissionDecisionReason":"safedeps: jq is required to gate dependency installs and is not installed — install blocked fail-closed. Install jq, then retry."}}\n'
+    exit 0
+  fi
+  echo "safedeps: jq is not installed — install gate disabled (non-install commands still allowed); logged to advisory.log." >&2
   exit 0
 fi
 
@@ -48,8 +66,10 @@ acquire_state_lock() {
     # Detect stale locks left by SIGKILL/OOM (V-005)
     if [[ -d "${STATE_LOCK_DIR}" ]]; then
       local lock_mtime=""
-      if lock_mtime=$(stat -f %m "${STATE_LOCK_DIR}" 2>/dev/null) || \
-         lock_mtime=$(stat -c %Y "${STATE_LOCK_DIR}" 2>/dev/null); then
+      # GNU (`-c %Y`, Linux) first, then BSD/macOS (`-f %m`): on Linux `stat -f`
+      # means --file-system and would not yield an mtime.
+      if lock_mtime=$(stat -c %Y "${STATE_LOCK_DIR}" 2>/dev/null) || \
+         lock_mtime=$(stat -f %m "${STATE_LOCK_DIR}" 2>/dev/null); then
         local now
         now=$(date +%s)
         if [[ $(( now - lock_mtime )) -gt 60 ]]; then
@@ -61,8 +81,11 @@ acquire_state_lock() {
     fi
 
     attempts=$((attempts + 1))
-    if [[ ${attempts} -ge 100 ]]; then
-      echo "safedeps: could not acquire state lock; skipping guard hook." >&2
+    if [[ ${attempts} -ge ${SAFEDEPS_LOCK_MAX_ATTEMPTS:-100} ]]; then
+      # acquire_state_lock is only reached for install candidates, so failing to
+      # serialize/snapshot means this install cannot be gated — fail CLOSED (deny).
+      log_advisory "pre-guard DENY: state lock unavailable for an install command — fail-closed."
+      jq -nc '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:"deny",permissionDecisionReason:"safedeps: could not acquire the state lock (another safedeps run may be active). Install blocked fail-closed — retry in a moment."}}'
       exit 0
     fi
     sleep 0.1
@@ -100,6 +123,24 @@ compute_dir_hash() {
   fi
 }
 
+# Per-install pending-state key (issue #5): dir hash + a hash of the command with
+# the inert-install rewrite normalized out, so PreToolUse (original command) and
+# PostToolUse (possibly `--ignore-scripts`-appended) of the SAME install resolve to
+# the same key. This keeps concurrent installs in one project on separate pending
+# files instead of clobbering a single global one.
+compute_pending_key() {
+  local dir_hash="$1" command="$2" norm cmd_hash
+  norm=$(printf '%s' "${command}" | sed -E 's/[[:space:]]+--ignore-scripts([[:space:]]|$)/ /g; s/[[:space:]]+/ /g; s/^ //; s/ $//')
+  if command -v md5sum >/dev/null 2>&1; then
+    cmd_hash=$(printf '%s' "${norm}" | md5sum | cut -d' ' -f1)
+  elif command -v md5 >/dev/null 2>&1; then
+    cmd_hash=$(md5 -q -s "${norm}")
+  else
+    cmd_hash=$(printf '%s' "${norm}" | cksum | cut -d' ' -f1)
+  fi
+  printf '%s_%s' "${dir_hash}" "${cmd_hash}"
+}
+
 command_is_dependency_install() {
   local command="$1"
   local scan_command
@@ -438,7 +479,7 @@ fi
 # Conservative: only block when at least one pkg@spec token is parseable. Bare
 # `npm install` (lockfile install) falls through to the v1 reorg checks.
 
-SAFEDEPS_LEDGER_LIB="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)/lib/ledger/ledger.sh"
+SAFEDEPS_LEDGER_LIB="${SAFEDEPS_LEDGER_LIB:-$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)/lib/ledger/ledger.sh}"
 SAFEDEPS_REPO_BIN="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)/bin/safedeps"
 
 guard_detect_ecosystem() {
@@ -596,7 +637,16 @@ while IFS= read -r ledger_spec_line; do
   LEDGER_SPECS+=("${ledger_spec_line}")
 done < <(guard_extract_specs "${COMMAND}")
 
-if [[ -n "${LEDGER_ECOSYSTEM}" && ${#LEDGER_SPECS[@]} -gt 0 && -f "${SAFEDEPS_LEDGER_LIB}" ]]; then
+if [[ -n "${LEDGER_ECOSYSTEM}" && ${#LEDGER_SPECS[@]} -gt 0 ]]; then
+  if [[ ! -f "${SAFEDEPS_LEDGER_LIB}" ]]; then
+    # The ledger library is the gate for direct install specs. If it is missing
+    # (broken install / moved repo) the gate cannot run — fail CLOSED, observably,
+    # instead of falling through to allow.
+    log_advisory "pre-guard DENY: ledger library missing (${SAFEDEPS_LEDGER_LIB}) — cannot enforce ${LEDGER_ECOSYSTEM} install, fail-closed."
+    jq -nc --arg eco "${LEDGER_ECOSYSTEM}" \
+      '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:"deny",permissionDecisionReason:("safedeps: the ledger library is missing, so the " + $eco + " install gate cannot run — install blocked fail-closed. Reinstall safedeps: node scripts/install/install-safedeps-hooks.mjs")}}'
+    exit 0
+  fi
   # shellcheck source=../lib/ledger/ledger.sh
   source "${SAFEDEPS_LEDGER_LIB}"
 
@@ -646,10 +696,24 @@ if [[ -n "${LEDGER_ECOSYSTEM}" && ${#LEDGER_SPECS[@]} -gt 0 && -f "${SAFEDEPS_LE
   fi
 fi
 
-# Write current state atomically for PostToolUse (V-004: single file prevents TOCTOU)
+# Write per-install pending state for PostToolUse, keyed by (dir_hash, normalized
+# command) so concurrent installs in the same project keep separate state instead
+# of clobbering one global file (issue #5). The single-file write is still atomic
+# (write_state_file) to prevent TOCTOU within one install.
+PENDING_DIR="${GUARD_DIR}/pending"
+mkdir -p "${PENDING_DIR}"
+# GC pending entries whose PostToolUse never fired (crash/no-op). 24h is well past
+# any real install, so this never deletes an in-flight one (a 60-min window could
+# have reaped a slow native build that was still running).
+find "${PENDING_DIR}" -name '*.json' -type f -mmin +1440 -delete 2>/dev/null || true
+# Key = (dir, normalized command); the snapshot id suffix makes the filename unique
+# per install, so even two identical concurrent commands keep separate state.
+PENDING_KEY=$(compute_pending_key "${DIR_HASH}" "${COMMAND}")
 CURRENT_STATE=$(jq -n --arg sid "${SNAPSHOT_ID}" --arg pdir "${PROJECT_DIR}" --arg dhash "${DIR_HASH}" \
   '{snapshot_id: $sid, project_dir: $pdir, dir_hash: $dhash}')
-write_state_file "${GUARD_DIR}/current_state" "${CURRENT_STATE}"
+# $$ (this pre hook's PID) guarantees a unique filename even for two installs in
+# the same second (SNAPSHOT_ID has only 1s resolution).
+write_state_file "${PENDING_DIR}/${PENDING_KEY}__${SNAPSHOT_ID}_$$.json" "${CURRENT_STATE}"
 
 if ! jq -e 'has("turn_id")' <<< "${INPUT}" >/dev/null 2>&1 && \
    command_is_injectable_npm_install "${COMMAND}" && \

package/scripts/test/e2e.sh

@@ -146,7 +146,7 @@ cat > "${effect_project}/package-lock.json" <<'EOF'
 EOF
 effect_clean_post=$(
   scripts/safedeps-post-verify.sh <<EOF
-{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0"}}
+{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0"},"cwd":"${effect_project}"}
 EOF
 )
 [[ -z "${effect_clean_post}" ]] || fail "post hook passes approved full closure"
@@ -183,7 +183,7 @@ EOF
 chmod +x "${stub_bin}/npm"
 inert_post=$(
   PATH="${stub_bin}:${PATH}" scripts/safedeps-post-verify.sh <<EOF
-{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0 --ignore-scripts"}}
+{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0 --ignore-scripts"},"cwd":"${inert_project}"}
 EOF
 )
 [[ -z "${inert_post}" ]] || fail "post hook keeps verified inert rebuild success quiet"
@@ -220,7 +220,7 @@ cat > "${missing_project}/package-lock.json" <<'EOF'
 EOF
 missing_post=$(
   scripts/safedeps-post-verify.sh <<EOF
-{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0"}}
+{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0"},"cwd":"${missing_project}"}
 EOF
 )
 grep -q '의심스러운 패키지 변경 감지' <<< "${missing_post}" || fail "post hook reorgs unapproved transitive package"
@@ -280,4 +280,52 @@ if jq -e '[.. | strings] | any(contains("npm-reorg-guard"))' "${installer_home}/
 fi
 pass "installer legacy hook cleanup"
 
+# --- Secret-leak lane: pre-commit gate must DENY a secret, PASS clean/example -
+# The real bypass harness for the secret lane. Needs a scanner (gitleaks or
+# docker) and openssl for a synthetic high-entropy secret; skip explicitly
+# (not silently) when either is missing.
+secret_repo="${tmp_root}/secret-repo"
+mkdir -p "${secret_repo}"
+git -C "${secret_repo}" init -q
+git -C "${secret_repo}" config user.email t@safedeps.test
+git -C "${secret_repo}" config user.name safedeps-e2e
+
+# doctor flags gaps on the bare repo, then --fix scaffolds + activates the lane.
+if HOME="${tmp_root}/doc-home" "${ROOT_DIR}/bin/safedeps" doctor --root "${secret_repo}" >/dev/null 2>&1; then
+  fail "doctor flags gaps on an unconfigured repo"
+fi
+HOME="${tmp_root}/doc-home" "${ROOT_DIR}/bin/safedeps" doctor --fix --root "${secret_repo}" >/dev/null
+[[ -f "${secret_repo}/.gitleaks.toml" ]] || fail "doctor --fix scaffolds .gitleaks.toml"
+[[ -x "${secret_repo}/.githooks/pre-commit" ]] || fail "doctor --fix scaffolds executable pre-commit"
+[[ "$(git -C "${secret_repo}" config --get core.hooksPath)" == ".githooks" ]] || fail "doctor --fix activates core.hooksPath"
+pass "doctor --fix scaffolds + activates the secret lane"
+
+# The scaffolded pre-commit resolves `safedeps` via PATH, then SAFEDEPS_BIN, then
+# the skill install paths. In CI none of those exist, so point it at this repo's
+# binary; the git commit subprocess inherits the env and the hook resolves it.
+export SAFEDEPS_BIN="${ROOT_DIR}/bin/safedeps"
+
+if command -v gitleaks >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
+  # Regression: a clean file commits cleanly.
+  echo "hello" > "${secret_repo}/readme.txt"
+  git -C "${secret_repo}" add readme.txt
+  git -C "${secret_repo}" commit -q -m "clean" || fail "pre-commit allows a clean commit"
+
+  # Threat: a literal .env with an assigned (synthetic) secret must be blocked.
+  printf 'API_KEY=%s\n' "$(openssl rand -hex 20)" > "${secret_repo}/.env"
+  git -C "${secret_repo}" add .env
+  if git -C "${secret_repo}" commit -q -m "leak" 2>/dev/null; then
+    fail "pre-commit blocks a committed .env secret"
+  fi
+  git -C "${secret_repo}" reset -q HEAD .env >/dev/null 2>&1 || true
+
+  # Regression: the .env.example placeholder is allowlisted and commits.
+  printf 'API_KEY=your_api_key_here\n' > "${secret_repo}/.env.example"
+  git -C "${secret_repo}" add .env.example
+  git -C "${secret_repo}" commit -q -m "example" || fail "pre-commit allows the .env.example placeholder"
+  pass "pre-commit gate denies a secret, passes clean and example commits"
+else
+  printf 'ok - pre-commit gate behavior SKIPPED (needs gitleaks + openssl)\n'
+fi
+
 printf 'e2e passed\n'

package/scripts/test/smoke.sh

@@ -31,6 +31,7 @@ bash -n lib/gates/repo-profile.sh
 bash -n lib/gates/scan.sh
 bash -n lib/gates/audit.sh
 bash -n lib/gates/hooks.sh
+bash -n lib/gates/doctor.sh
 pass "bash syntax"
 
 node --check scripts/install/install-safedeps-hooks.mjs >/dev/null
@@ -58,6 +59,13 @@ provider_created=$(
 [[ "${provider_created}" == "${provider_tmp%/}/safedeps-providers."* ]] || fail "provider tmp helper uses requested TMPDIR"
 pass "provider temp dir"
 
+# Portability guard: safedeps_file_mtime must return a bare integer on both BSD
+# (macOS, `stat -f`) and GNU (Linux, `stat -c`). A wrong-order stat leaks
+# filesystem info into the value and breaks the cache-freshness arithmetic.
+mtime_val=$(bash -c 'source lib/providers/providers.sh; f=$(mktemp); safedeps_file_mtime "$f"; rm -f "$f"')
+[[ "${mtime_val}" =~ ^[0-9]+$ ]] || fail "safedeps_file_mtime returns a bare integer (got: ${mtime_val})"
+pass "file mtime is a portable integer"
+
 project_dir="${tmp_root}/project"
 mkdir -p "${project_dir}"
 printf '{"dependencies":{}}\n' > "${project_dir}/package.json"
@@ -95,7 +103,7 @@ allow_output=$(
 )
 [[ "$(jq -r '.hookSpecificOutput.permissionDecision' <<< "${allow_output}")" == "allow" ]] || fail "hook emits Claude allow decision for approved install"
 [[ "$(jq -r '.hookSpecificOutput.updatedInput.command' <<< "${allow_output}")" == "npm install left-pad@1.3.0 --ignore-scripts" ]] || fail "hook injects --ignore-scripts for Claude npm install"
-allow_sid=$(jq -r '.snapshot_id' "${tmp_root}/safe-hook-allow/current_state")
+allow_sid=$(jq -r '.snapshot_id' "${tmp_root}/safe-hook-allow/pending/"*.json)
 jq -e '.ignore_scripts_injected == true' "${tmp_root}/safe-hook-allow/snapshots/${allow_sid}_meta.json" >/dev/null || fail "hook records injected meta flag"
 pass "hook injects --ignore-scripts for Claude approved install"
 
@@ -105,7 +113,7 @@ codex_allow_output=$(
   run_codex_hook_command "${tmp_root}/home-hook-codex" "${tmp_root}/safe-hook-codex" "npm install left-pad@1.3.0"
 )
 [[ -z "${codex_allow_output}" ]] || fail "hook keeps Codex approved install as plain allow"
-codex_sid=$(jq -r '.snapshot_id' "${tmp_root}/safe-hook-codex/current_state")
+codex_sid=$(jq -r '.snapshot_id' "${tmp_root}/safe-hook-codex/pending/"*.json)
 jq -e '.ignore_scripts_injected == false' "${tmp_root}/safe-hook-codex/snapshots/${codex_sid}_meta.json" >/dev/null || fail "hook does not record injected meta flag for Codex"
 pass "hook keeps Codex approved install as plain allow"
 
@@ -121,7 +129,7 @@ ignore_scripts_output=$(
   run_hook_command "${tmp_root}/home-hook-ignore-scripts" "${tmp_root}/safe-hook-ignore-scripts" "npm install left-pad@1.3.0 --ignore-scripts"
 )
 [[ -z "${ignore_scripts_output}" ]] || fail "hook does not duplicate --ignore-scripts"
-ignore_sid=$(jq -r '.snapshot_id' "${tmp_root}/safe-hook-ignore-scripts/current_state")
+ignore_sid=$(jq -r '.snapshot_id' "${tmp_root}/safe-hook-ignore-scripts/pending/"*.json)
 jq -e '.ignore_scripts_injected == false' "${tmp_root}/safe-hook-ignore-scripts/snapshots/${ignore_sid}_meta.json" >/dev/null || fail "hook does not record injected meta flag when flag already exists"
 pass "hook does not duplicate --ignore-scripts"
 
@@ -171,6 +179,74 @@ for bypass_cmd in "${bypass_cases[@]}"; do
 done
 pass "hook denies install bypass forms"
 
+# Fail-closed gate: when the gate cannot run it must NOT silently pass, and the
+# outcome must be observable in the advisory log (AGENTS.md: no silent fallback).
+fc_safe="${tmp_root}/safe-failclosed"
+fc_home="${tmp_root}/home-failclosed"
+mkdir -p "${fc_safe}"
+# (a) lock unavailable on an install command → DENY (fail-closed), logged.
+mkdir -p "${fc_safe}/state.lock"
+fc_deny=$(
+  jq -nc --arg c "npm install evil@1.0.0" --arg cwd "${project_dir}" \
+    '{tool_name:"Bash",tool_input:{command:$c},cwd:$cwd}' |
+    HOME="${fc_home}" SAFEDEPS_HOME="${fc_safe}" SAFEDEPS_LOCK_MAX_ATTEMPTS=2 scripts/safedeps-pre-guard.sh
+)
+rmdir "${fc_safe}/state.lock" 2>/dev/null || true
+[[ "$(jq -r '.hookSpecificOutput.permissionDecision' <<< "${fc_deny}")" == "deny" ]] || fail "pre-guard fails closed (deny) when the state lock is unavailable for an install"
+grep -q 'pre-guard DENY' "${fc_safe}/advisory.log" || fail "pre-guard logs the fail-closed deny to advisory.log"
+pass "pre-guard fails closed on lock contention (observable)"
+
+# (b) jq missing → best-effort fail-closed: a likely install DENIES, a non-install
+# is allowed, both recorded in advisory.log (never a silent skip).
+fc_nojq=$(mktemp -d "${tmp_root}/nojq.XXXXXX")
+for fc_tool in bash mkdir date printf cat grep; do
+  ln -sf "$(command -v "${fc_tool}")" "${fc_nojq}/${fc_tool}" 2>/dev/null || true
+done
+fc_nojq_deny=$(
+  jq -nc --arg c "npm install x@1" --arg cwd "${project_dir}" '{tool_name:"Bash",tool_input:{command:$c},cwd:$cwd}' |
+    HOME="${fc_home}" SAFEDEPS_HOME="${fc_safe}" PATH="${fc_nojq}" scripts/safedeps-pre-guard.sh 2>/dev/null
+)
+[[ "$(jq -r '.hookSpecificOutput.permissionDecision' <<< "${fc_nojq_deny}")" == "deny" ]] || fail "pre-guard denies a likely install when jq is missing (best-effort fail-closed)"
+grep -q 'DENY: jq missing' "${fc_safe}/advisory.log" || fail "pre-guard logs the jq-missing install deny to advisory.log"
+fc_nojq_allow=$(
+  jq -nc --arg c "ls -la" --arg cwd "${project_dir}" '{tool_name:"Bash",tool_input:{command:$c},cwd:$cwd}' |
+    HOME="${fc_home}" SAFEDEPS_HOME="${fc_safe}" PATH="${fc_nojq}" scripts/safedeps-pre-guard.sh 2>/dev/null
+)
+[[ "$(jq -r '.hookSpecificOutput.permissionDecision // "allow"' <<< "${fc_nojq_allow}" 2>/dev/null || echo allow)" != "deny" ]] || fail "pre-guard allows a non-install command when jq is missing"
+pass "pre-guard fails closed on jq-missing installs, allows non-installs (observable)"
+
+# (c) ledger library missing → DENY (fail-closed), logged — not a silent fall-through allow.
+fc_noledger=$(
+  jq -nc --arg c "npm install x@1" --arg cwd "${project_dir}" '{tool_name:"Bash",tool_input:{command:$c},cwd:$cwd}' |
+    HOME="${fc_home}" SAFEDEPS_HOME="${fc_safe}" SAFEDEPS_LEDGER_LIB="${tmp_root}/does-not-exist.sh" scripts/safedeps-pre-guard.sh 2>/dev/null
+)
+[[ "$(jq -r '.hookSpecificOutput.permissionDecision' <<< "${fc_noledger}")" == "deny" ]] || fail "pre-guard denies an install when the ledger library is missing (fail-closed)"
+grep -q 'ledger library missing' "${fc_safe}/advisory.log" || fail "pre-guard logs the missing-ledger deny to advisory.log"
+pass "pre-guard fails closed when the ledger library is missing (observable)"
+
+# Concurrency (issue #5): two installs of the SAME command in one project must
+# keep separate pending state — the per-install snapshot+PID suffix isolates them,
+# not just the command hash — and a post hook must consume exactly one.
+conc_safe="${tmp_root}/safe-concurrency"
+mkdir -p "${conc_safe}"
+SAFEDEPS_HOME="${conc_safe}" lib/ledger/ledger.sh approve npm conc-a 1.0.0 1.0.0 smoke >/dev/null
+run_hook_command "${tmp_root}/home-conc" "${conc_safe}" "npm install conc-a@1.0.0" >/dev/null
+run_hook_command "${tmp_root}/home-conc" "${conc_safe}" "npm install conc-a@1.0.0" >/dev/null
+conc_pending=$(find "${conc_safe}/pending" -name '*.json' -type f | wc -l | tr -d ' ')
+[[ "${conc_pending}" == "2" ]] || fail "two identical concurrent installs keep two separate pending files (got ${conc_pending}, want 2)"
+jq -nc --arg c "npm install conc-a@1.0.0" --arg cwd "${project_dir}" '{tool_name:"Bash",tool_input:{command:$c},cwd:$cwd}' |
+  HOME="${tmp_root}/home-conc" SAFEDEPS_HOME="${conc_safe}" scripts/safedeps-post-verify.sh >/dev/null 2>&1 || true
+conc_left=$(find "${conc_safe}/pending" -name '*.json' -type f | wc -l | tr -d ' ')
+[[ "${conc_left}" == "1" ]] || fail "post hook consumes exactly one identical-command install's pending state (left ${conc_left}, want 1)"
+pass "concurrent installs (even identical commands) keep isolated pending state (issue #5)"
+
+# A dependency-install PostToolUse with no pending state (e.g. a payload missing
+# cwd) is recorded UNVERIFIED, not dropped silently (issue #5 review finding 3).
+jq -nc '{tool_name:"Bash",tool_input:{command:"npm install orphan@1.0.0"}}' |
+  HOME="${tmp_root}/home-conc" SAFEDEPS_HOME="${conc_safe}" scripts/safedeps-post-verify.sh >/dev/null 2>&1 || true
+grep -q 'UNVERIFIED: no pending state for an install-looking command' "${conc_safe}/advisory.log" || fail "post hook records an install with no pending state as UNVERIFIED"
+pass "post hook records an install-looking command with no pending state as UNVERIFIED"
+
 tamper_safe="${tmp_root}/safe-tamper"
 tamper_home="${tmp_root}/home-tamper"
 SAFEDEPS_HOME="${tamper_safe}" lib/ledger/ledger.sh approve npm ledger-tamper 1.0.0 1.0.0 smoke >/dev/null
@@ -183,7 +259,7 @@ cat > "${project_dir}/node_modules/ledger-tamper/package.json" <<'EOF'
 {"name":"ledger-tamper","version":"1.0.0","scripts":{"postinstall":"node -e \"require('fs').writeFileSync(process.env.HOME + '/.safedeps/approved-specs/evil.json', '{}')\""}}
 EOF
 tamper_post=$(
-  jq -nc '{tool_name:"Bash",tool_input:{command:"npm install ledger-tamper@1.0.0"}}' |
+  jq -nc --arg cwd "${project_dir}" '{tool_name:"Bash",tool_input:{command:"npm install ledger-tamper@1.0.0"},cwd:$cwd}' |
     HOME="${tamper_home}" SAFEDEPS_HOME="${tamper_safe}" scripts/safedeps-post-verify.sh
 )
 grep -q '의심스러운 패키지 변경 감지' <<< "${tamper_post}" || fail "post hook reorgs safedeps ledger tamper script"
@@ -203,12 +279,36 @@ pass "re-check alert wrapper"
 # Release-time lane (absorbed from security-release-gates): commands must be
 # registered and resolve their gate scripts.
 gates_help=$(HOME="${tmp_root}/home-gates" SAFEDEPS_HOME="${tmp_root}/safe-gates" ./bin/safedeps help)
-for gate_cmd in "gates" "scan secrets" "audit" "hooks"; do
+for gate_cmd in "gates" "scan secrets" "audit" "hooks" "doctor"; do
   grep -q "${gate_cmd}" <<< "${gates_help}" || fail "release-time command listed in help: ${gate_cmd}"
 done
-for gate_script in scripts/release-gates.sh lib/gates/repo-profile.sh lib/gates/scan.sh lib/gates/audit.sh lib/gates/hooks.sh; do
+for gate_script in scripts/release-gates.sh lib/gates/repo-profile.sh lib/gates/scan.sh lib/gates/audit.sh lib/gates/hooks.sh lib/gates/doctor.sh; do
   [[ -f "${gate_script}" ]] || fail "release-time gate script present: ${gate_script}"
 done
+for tmpl in gitleaks.toml.tmpl gitleaks.private.toml.tmpl pre-commit.tmpl; do
+  [[ -f "lib/gates/templates/${tmpl}" ]] || fail "secret-lane template present: ${tmpl}"
+done
 pass "release-time gate commands registered"
 
+# Secret-leak lane: doctor diagnoses, hooks init scaffolds, hooks install
+# activates. No scanner (gitleaks/docker) needed for these structural checks.
+doctor_repo=$(mktemp -d "${tmp_root}/secret-repo.XXXXXX")
+git -C "${doctor_repo}" init -q
+# doctor exits 1 when gaps exist; capture the JSON without tripping set -e.
+doctor_json=$(HOME="${tmp_root}/home-doctor" ./bin/safedeps --json doctor --root "${doctor_repo}" || true)
+[[ "$(jq -r '.command' <<< "${doctor_json}")" == "doctor" ]] || fail "doctor --json command field"
+[[ "$(jq -r '.ok' <<< "${doctor_json}")" == "false" ]] || fail "doctor reports gaps on a bare repo"
+secret_gaps=$(jq -r '[.checks[] | select(.lane == "secret" and .status == "gap")] | length' <<< "${doctor_json}")
+[[ "${secret_gaps}" -ge 3 ]] || fail "doctor lists at least 3 secret-lane gaps (got ${secret_gaps})"
+HOME="${tmp_root}/home-doctor" ./bin/safedeps hooks init --root "${doctor_repo}" >/dev/null
+[[ -f "${doctor_repo}/.gitleaks.toml" ]] || fail "hooks init scaffolds .gitleaks.toml"
+[[ -x "${doctor_repo}/.githooks/pre-commit" ]] || fail "hooks init scaffolds an executable pre-commit"
+grep -q 'scan secrets --staged' "${doctor_repo}/.githooks/pre-commit" || fail "pre-commit delegates to safedeps scan"
+printf '\n# repo-owned edit marker\n' >> "${doctor_repo}/.gitleaks.toml"
+HOME="${tmp_root}/home-doctor" ./bin/safedeps hooks init --root "${doctor_repo}" >/dev/null
+grep -q 'repo-owned edit marker' "${doctor_repo}/.gitleaks.toml" || fail "hooks init is non-destructive (keeps repo edits)"
+HOME="${tmp_root}/home-doctor" ./bin/safedeps hooks install --root "${doctor_repo}" >/dev/null
+[[ "$(git -C "${doctor_repo}" config --get core.hooksPath)" == ".githooks" ]] || fail "hooks install activates core.hooksPath"
+pass "doctor + hooks init/install wire the secret lane (non-destructive)"
+
 printf 'smoke passed\n'