@aldegad/safedeps 2.4.0 → 2.4.1

package/ROADMAP.md

@@ -56,7 +56,7 @@ The internal engine keeps the v1 `reorg-guard` assets.
 
 ### Release notes
 
-- The npm package version in `package.json` is the single source of truth. `bin/safedeps` `SAFEDEPS_VERSION` tracks it and the smoke test reads `package.json` to compare (current: v2.4.0).
+- The npm package version in `package.json` is the single source of truth. `bin/safedeps` `SAFEDEPS_VERSION` tracks it and the smoke test reads `package.json` to compare (current: v2.4.1).
 - `npm test` runs the release smoke suite; the full fixture E2E lives under `v2.1-tests`.
 - The daily re-check uses no LLM tokens. It is opt-in: a macOS `launchd` user agent runs `safedeps re-check --json` daily, installed atomically by `install-safedeps-recheck-agent.mjs`. It writes `~/.safedeps/recheck.log` and `~/.safedeps/recheck-alerts.jsonl` and raises a macOS notification on a new CVE/KEV/revoke/provider-skip. Network is used only for OSV / CISA / GHSA queries.
 
@@ -129,10 +129,15 @@ Status: shipped as v2.4.0.
 ### Verification
 
 - lock-unavailable install denies fail-closed and logs to `advisory.log`
-- jq-missing is logged as an observable allow-with-warning, never a silent skip
+- jq-missing denies a likely install (best-effort fail-closed) and logs it; only non-install commands fall through
+- a missing ledger library denies fail-closed instead of falling through to allow
 - ShellCheck (`--severity=error`) is clean across all shell sources
 - existing smoke + e2e regression suite remains green on both Linux and macOS
 
+### v2.4.1 — concurrent-install race fix (#5)
+
+The pending state PreToolUse hands to PostToolUse was a single global `current_state` file, so two installs overlapping in one project could clobber each other and the effect gate could verify the wrong install (or skip one). Pending state is now keyed **per install** — `dir_hash` + a hash of the command with the inert-install rewrite normalized out — so PreToolUse and PostToolUse of the same install agree on a key while concurrent installs stay isolated. A concurrency harness (two installs → two pending files; a post consumes only its own) guards it.
+
 ---
 
 ## v3 (future)

package/bin/safedeps

@@ -7,7 +7,7 @@
 
 set -euo pipefail
 
-SAFEDEPS_VERSION="2.4.0"
+SAFEDEPS_VERSION="2.4.1"
 
 # ---- repo / lib bootstrap ----------------------------------------------------
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aldegad/safedeps",
-  "version": "2.4.0",
+  "version": "2.4.1",
   "description": "Dependency install safety gate with OSV-backed advisory checks, approved-spec ledger enforcement, and reorg rollback hooks",
   "main": "bin/safedeps",
   "bin": {

package/scripts/safedeps-post-verify.sh

@@ -120,6 +120,21 @@ compute_dir_hash() {
   fi
 }
 
+# Per-install pending-state key (issue #5) — must match the PreToolUse derivation:
+# dir hash + a hash of the command with the inert-install rewrite normalized out.
+compute_pending_key() {
+  local dir_hash="$1" command="$2" norm cmd_hash
+  norm=$(printf '%s' "${command}" | sed -E 's/[[:space:]]+--ignore-scripts([[:space:]]|$)/ /g; s/[[:space:]]+/ /g; s/^ //; s/ $//')
+  if command -v md5sum >/dev/null 2>&1; then
+    cmd_hash=$(printf '%s' "${norm}" | md5sum | cut -d' ' -f1)
+  elif command -v md5 >/dev/null 2>&1; then
+    cmd_hash=$(md5 -q -s "${norm}")
+  else
+    cmd_hash=$(printf '%s' "${norm}" | cksum | cut -d' ' -f1)
+  fi
+  printf '%s_%s' "${dir_hash}" "${cmd_hash}"
+}
+
 hash_file() {
   local file_path="$1"
 
@@ -376,25 +391,56 @@ if [[ "${TOOL_NAME}" != "Bash" ]]; then
   exit 0
 fi
 
+# The command + cwd identify which pending install this PostToolUse belongs to
+# (issue #5), so concurrent installs do not consume each other's state.
+COMMAND=$(echo "${INPUT}" | jq -r '.tool_input.command // empty' 2>/dev/null)
+POST_CWD=$(echo "${INPUT}" | jq -r '.cwd // empty' 2>/dev/null)
+[[ -z "${POST_CWD}" ]] && POST_CWD=$(pwd)
+if command -v realpath >/dev/null 2>&1; then
+  POST_CWD=$(realpath "${POST_CWD}" 2>/dev/null || echo "${POST_CWD}")
+elif command -v readlink >/dev/null 2>&1; then
+  POST_CWD=$(readlink -f "${POST_CWD}" 2>/dev/null || echo "${POST_CWD}")
+fi
+POST_DIR_HASH=$(compute_dir_hash "${POST_CWD}")
+
 STATE_LOCK_HELD=true
 acquire_state_lock
 trap '[ "${STATE_LOCK_HELD:-}" = "true" ] && release_state_lock; STATE_LOCK_HELD=false' EXIT
 
-# Check if we have a pending snapshot to verify (V-004: atomic state file)
-if [[ ! -f "${GUARD_DIR}/current_state" ]]; then
-  # Legacy fallback for in-flight upgrades
-  if [[ ! -f "${GUARD_DIR}/current_snapshot_id" ]]; then
-    exit 0
-  fi
-  SNAPSHOT_ID=$(cat "${GUARD_DIR}/current_snapshot_id")
-  PROJECT_DIR=$(cat "${GUARD_DIR}/current_project_dir" 2>/dev/null || pwd)
-  rm -f "${GUARD_DIR}/current_snapshot_id" "${GUARD_DIR}/current_project_dir"
-else
+# Resolve THIS install's pending state by its per-install key (issue #5). The
+# filename also carries a snapshot id, so identical concurrent commands produce
+# several files; consume exactly one (they verify the same closure), leaving the
+# rest for their own post hooks. Fall back to the legacy global files for in-flight
+# upgrades from a pre-#5 PreToolUse.
+PENDING_PREFIX="${GUARD_DIR}/pending/$(compute_pending_key "${POST_DIR_HASH}" "${COMMAND}")__"
+PENDING_FILE=""
+for pending_candidate in "${PENDING_PREFIX}"*.json; do
+  [[ -f "${pending_candidate}" ]] && { PENDING_FILE="${pending_candidate}"; break; }
+done
+if [[ -n "${PENDING_FILE}" ]]; then
+  CURRENT_STATE=$(cat "${PENDING_FILE}")
+  SNAPSHOT_ID=$(echo "${CURRENT_STATE}" | jq -r '.snapshot_id // empty')
+  PROJECT_DIR=$(echo "${CURRENT_STATE}" | jq -r '.project_dir // empty')
+  DIR_HASH=$(echo "${CURRENT_STATE}" | jq -r '.dir_hash // empty')
+  rm -f "${PENDING_FILE}"
+elif [[ -f "${GUARD_DIR}/current_state" ]]; then
   CURRENT_STATE=$(cat "${GUARD_DIR}/current_state")
   SNAPSHOT_ID=$(echo "${CURRENT_STATE}" | jq -r '.snapshot_id // empty')
   PROJECT_DIR=$(echo "${CURRENT_STATE}" | jq -r '.project_dir // empty')
   DIR_HASH=$(echo "${CURRENT_STATE}" | jq -r '.dir_hash // empty')
   rm -f "${GUARD_DIR}/current_state"
+elif [[ -f "${GUARD_DIR}/current_snapshot_id" ]]; then
+  SNAPSHOT_ID=$(cat "${GUARD_DIR}/current_snapshot_id")
+  PROJECT_DIR=$(cat "${GUARD_DIR}/current_project_dir" 2>/dev/null || pwd)
+  rm -f "${GUARD_DIR}/current_snapshot_id" "${GUARD_DIR}/current_project_dir"
+else
+  # No pending state for this command. If it nonetheless looks like a dependency
+  # install, the effect gate could not verify it — record UNVERIFIED (observable)
+  # rather than disappearing silently (e.g. a payload with no `cwd`).
+  if printf '%s' "${COMMAND}" | grep -qiE '(npm|pnpm|yarn|bun)([^"]*)(install|add|dlx)|[^a-z]npx[[:space:]]|pip[0-9]*[[:space:]]+install|cargo[[:space:]]+(add|install)|go[[:space:]]+(get|install)|gem[[:space:]]+install|bundle[[:space:]]+add|poetry[[:space:]]+add|uv[[:space:]]+(add|pip)|pipenv[[:space:]]+install|mvn([^"]*)dependency:get|dotnet[[:space:]]+add[[:space:]]+package'; then
+    log_advisory "post-verify UNVERIFIED: no pending state for an install-looking command (missing cwd or pre hook never ran)."
+  fi
+  exit 0
 fi
 
 if [[ -z "${SNAPSHOT_ID}" ]]; then

package/scripts/safedeps-pre-guard.sh

@@ -123,6 +123,24 @@ compute_dir_hash() {
   fi
 }
 
+# Per-install pending-state key (issue #5): dir hash + a hash of the command with
+# the inert-install rewrite normalized out, so PreToolUse (original command) and
+# PostToolUse (possibly `--ignore-scripts`-appended) of the SAME install resolve to
+# the same key. This keeps concurrent installs in one project on separate pending
+# files instead of clobbering a single global one.
+compute_pending_key() {
+  local dir_hash="$1" command="$2" norm cmd_hash
+  norm=$(printf '%s' "${command}" | sed -E 's/[[:space:]]+--ignore-scripts([[:space:]]|$)/ /g; s/[[:space:]]+/ /g; s/^ //; s/ $//')
+  if command -v md5sum >/dev/null 2>&1; then
+    cmd_hash=$(printf '%s' "${norm}" | md5sum | cut -d' ' -f1)
+  elif command -v md5 >/dev/null 2>&1; then
+    cmd_hash=$(md5 -q -s "${norm}")
+  else
+    cmd_hash=$(printf '%s' "${norm}" | cksum | cut -d' ' -f1)
+  fi
+  printf '%s_%s' "${dir_hash}" "${cmd_hash}"
+}
+
 command_is_dependency_install() {
   local command="$1"
   local scan_command
@@ -678,10 +696,24 @@ if [[ -n "${LEDGER_ECOSYSTEM}" && ${#LEDGER_SPECS[@]} -gt 0 ]]; then
   fi
 fi
 
-# Write current state atomically for PostToolUse (V-004: single file prevents TOCTOU)
+# Write per-install pending state for PostToolUse, keyed by (dir_hash, normalized
+# command) so concurrent installs in the same project keep separate state instead
+# of clobbering one global file (issue #5). The single-file write is still atomic
+# (write_state_file) to prevent TOCTOU within one install.
+PENDING_DIR="${GUARD_DIR}/pending"
+mkdir -p "${PENDING_DIR}"
+# GC pending entries whose PostToolUse never fired (crash/no-op). 24h is well past
+# any real install, so this never deletes an in-flight one (a 60-min window could
+# have reaped a slow native build that was still running).
+find "${PENDING_DIR}" -name '*.json' -type f -mmin +1440 -delete 2>/dev/null || true
+# Key = (dir, normalized command); the snapshot id suffix makes the filename unique
+# per install, so even two identical concurrent commands keep separate state.
+PENDING_KEY=$(compute_pending_key "${DIR_HASH}" "${COMMAND}")
 CURRENT_STATE=$(jq -n --arg sid "${SNAPSHOT_ID}" --arg pdir "${PROJECT_DIR}" --arg dhash "${DIR_HASH}" \
   '{snapshot_id: $sid, project_dir: $pdir, dir_hash: $dhash}')
-write_state_file "${GUARD_DIR}/current_state" "${CURRENT_STATE}"
+# $$ (this pre hook's PID) guarantees a unique filename even for two installs in
+# the same second (SNAPSHOT_ID has only 1s resolution).
+write_state_file "${PENDING_DIR}/${PENDING_KEY}__${SNAPSHOT_ID}_$$.json" "${CURRENT_STATE}"
 
 if ! jq -e 'has("turn_id")' <<< "${INPUT}" >/dev/null 2>&1 && \
    command_is_injectable_npm_install "${COMMAND}" && \

package/scripts/test/e2e.sh

@@ -146,7 +146,7 @@ cat > "${effect_project}/package-lock.json" <<'EOF'
 EOF
 effect_clean_post=$(
   scripts/safedeps-post-verify.sh <<EOF
-{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0"}}
+{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0"},"cwd":"${effect_project}"}
 EOF
 )
 [[ -z "${effect_clean_post}" ]] || fail "post hook passes approved full closure"
@@ -183,7 +183,7 @@ EOF
 chmod +x "${stub_bin}/npm"
 inert_post=$(
   PATH="${stub_bin}:${PATH}" scripts/safedeps-post-verify.sh <<EOF
-{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0 --ignore-scripts"}}
+{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0 --ignore-scripts"},"cwd":"${inert_project}"}
 EOF
 )
 [[ -z "${inert_post}" ]] || fail "post hook keeps verified inert rebuild success quiet"
@@ -220,7 +220,7 @@ cat > "${missing_project}/package-lock.json" <<'EOF'
 EOF
 missing_post=$(
   scripts/safedeps-post-verify.sh <<EOF
-{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0"}}
+{"tool_name":"Bash","tool_input":{"command":"npm install fixture-parent@1.0.0"},"cwd":"${missing_project}"}
 EOF
 )
 grep -q '의심스러운 패키지 변경 감지' <<< "${missing_post}" || fail "post hook reorgs unapproved transitive package"

package/scripts/test/smoke.sh

@@ -103,7 +103,7 @@ allow_output=$(
 )
 [[ "$(jq -r '.hookSpecificOutput.permissionDecision' <<< "${allow_output}")" == "allow" ]] || fail "hook emits Claude allow decision for approved install"
 [[ "$(jq -r '.hookSpecificOutput.updatedInput.command' <<< "${allow_output}")" == "npm install left-pad@1.3.0 --ignore-scripts" ]] || fail "hook injects --ignore-scripts for Claude npm install"
-allow_sid=$(jq -r '.snapshot_id' "${tmp_root}/safe-hook-allow/current_state")
+allow_sid=$(jq -r '.snapshot_id' "${tmp_root}/safe-hook-allow/pending/"*.json)
 jq -e '.ignore_scripts_injected == true' "${tmp_root}/safe-hook-allow/snapshots/${allow_sid}_meta.json" >/dev/null || fail "hook records injected meta flag"
 pass "hook injects --ignore-scripts for Claude approved install"
 
@@ -113,7 +113,7 @@ codex_allow_output=$(
   run_codex_hook_command "${tmp_root}/home-hook-codex" "${tmp_root}/safe-hook-codex" "npm install left-pad@1.3.0"
 )
 [[ -z "${codex_allow_output}" ]] || fail "hook keeps Codex approved install as plain allow"
-codex_sid=$(jq -r '.snapshot_id' "${tmp_root}/safe-hook-codex/current_state")
+codex_sid=$(jq -r '.snapshot_id' "${tmp_root}/safe-hook-codex/pending/"*.json)
 jq -e '.ignore_scripts_injected == false' "${tmp_root}/safe-hook-codex/snapshots/${codex_sid}_meta.json" >/dev/null || fail "hook does not record injected meta flag for Codex"
 pass "hook keeps Codex approved install as plain allow"
 
@@ -129,7 +129,7 @@ ignore_scripts_output=$(
   run_hook_command "${tmp_root}/home-hook-ignore-scripts" "${tmp_root}/safe-hook-ignore-scripts" "npm install left-pad@1.3.0 --ignore-scripts"
 )
 [[ -z "${ignore_scripts_output}" ]] || fail "hook does not duplicate --ignore-scripts"
-ignore_sid=$(jq -r '.snapshot_id' "${tmp_root}/safe-hook-ignore-scripts/current_state")
+ignore_sid=$(jq -r '.snapshot_id' "${tmp_root}/safe-hook-ignore-scripts/pending/"*.json)
 jq -e '.ignore_scripts_injected == false' "${tmp_root}/safe-hook-ignore-scripts/snapshots/${ignore_sid}_meta.json" >/dev/null || fail "hook does not record injected meta flag when flag already exists"
 pass "hook does not duplicate --ignore-scripts"
 
@@ -224,6 +224,29 @@ fc_noledger=$(
 grep -q 'ledger library missing' "${fc_safe}/advisory.log" || fail "pre-guard logs the missing-ledger deny to advisory.log"
 pass "pre-guard fails closed when the ledger library is missing (observable)"
 
+# Concurrency (issue #5): two installs of the SAME command in one project must
+# keep separate pending state — the per-install snapshot+PID suffix isolates them,
+# not just the command hash — and a post hook must consume exactly one.
+conc_safe="${tmp_root}/safe-concurrency"
+mkdir -p "${conc_safe}"
+SAFEDEPS_HOME="${conc_safe}" lib/ledger/ledger.sh approve npm conc-a 1.0.0 1.0.0 smoke >/dev/null
+run_hook_command "${tmp_root}/home-conc" "${conc_safe}" "npm install conc-a@1.0.0" >/dev/null
+run_hook_command "${tmp_root}/home-conc" "${conc_safe}" "npm install conc-a@1.0.0" >/dev/null
+conc_pending=$(find "${conc_safe}/pending" -name '*.json' -type f | wc -l | tr -d ' ')
+[[ "${conc_pending}" == "2" ]] || fail "two identical concurrent installs keep two separate pending files (got ${conc_pending}, want 2)"
+jq -nc --arg c "npm install conc-a@1.0.0" --arg cwd "${project_dir}" '{tool_name:"Bash",tool_input:{command:$c},cwd:$cwd}' |
+  HOME="${tmp_root}/home-conc" SAFEDEPS_HOME="${conc_safe}" scripts/safedeps-post-verify.sh >/dev/null 2>&1 || true
+conc_left=$(find "${conc_safe}/pending" -name '*.json' -type f | wc -l | tr -d ' ')
+[[ "${conc_left}" == "1" ]] || fail "post hook consumes exactly one identical-command install's pending state (left ${conc_left}, want 1)"
+pass "concurrent installs (even identical commands) keep isolated pending state (issue #5)"
+
+# A dependency-install PostToolUse with no pending state (e.g. a payload missing
+# cwd) is recorded UNVERIFIED, not dropped silently (issue #5 review finding 3).
+jq -nc '{tool_name:"Bash",tool_input:{command:"npm install orphan@1.0.0"}}' |
+  HOME="${tmp_root}/home-conc" SAFEDEPS_HOME="${conc_safe}" scripts/safedeps-post-verify.sh >/dev/null 2>&1 || true
+grep -q 'UNVERIFIED: no pending state for an install-looking command' "${conc_safe}/advisory.log" || fail "post hook records an install with no pending state as UNVERIFIED"
+pass "post hook records an install-looking command with no pending state as UNVERIFIED"
+
 tamper_safe="${tmp_root}/safe-tamper"
 tamper_home="${tmp_root}/home-tamper"
 SAFEDEPS_HOME="${tamper_safe}" lib/ledger/ledger.sh approve npm ledger-tamper 1.0.0 1.0.0 smoke >/dev/null
@@ -236,7 +259,7 @@ cat > "${project_dir}/node_modules/ledger-tamper/package.json" <<'EOF'
 {"name":"ledger-tamper","version":"1.0.0","scripts":{"postinstall":"node -e \"require('fs').writeFileSync(process.env.HOME + '/.safedeps/approved-specs/evil.json', '{}')\""}}
 EOF
 tamper_post=$(
-  jq -nc '{tool_name:"Bash",tool_input:{command:"npm install ledger-tamper@1.0.0"}}' |
+  jq -nc --arg cwd "${project_dir}" '{tool_name:"Bash",tool_input:{command:"npm install ledger-tamper@1.0.0"},cwd:$cwd}' |
     HOME="${tamper_home}" SAFEDEPS_HOME="${tamper_safe}" scripts/safedeps-post-verify.sh
 )
 grep -q '의심스러운 패키지 변경 감지' <<< "${tamper_post}" || fail "post hook reorgs safedeps ledger tamper script"