Fix: install -t<dir> attached short bypass (sec 114, FN, Codex sweep 5 Q4)

The install walker has its own in-line flag-skip loop that
discards every `-*` token (except for the explicit
`--target-directory=val` long form). Attached `install -t/tmp
src dst` therefore landed in the generic skip branch and
never reached the boundary check — install proceeded to copy
into `/tmp` with no validation.

Verified locally before fix:

  install -t/tmp src.txt dst.txt   # ALLOW (bypass)
  install -t /tmp src.txt          # BLOCK (positional walk catches /tmp)
  install --target-directory=/tmp  # BLOCK (explicit long form)

Patch: in the install walker's `-*` arm, recognise `-t?*`
attached form before the generic continue-skip and validate
the value via `validate_command_path strict "install -t"`.
The split form keeps working because the next-token positional
walk already validates `/tmp` as a target — no change needed
there.

Tests: sec 114 in test_bypass_reproducers_pentest_d.sh — two
outside-project attached shapes block; in-project attached
allowed.

Regression: tests/test_guard.sh — 1579/1579.

Pre-existing gap; surfaced by Codex sweep 5 Q4. Not introduced
by 939c9f4 (extract_option_values is not called from the
install walker — install has its own flag-handling code).

Author: justi

hooks/lib/detectors/write_targets.sh

@@ -84,6 +84,17 @@ run_write_target_detectors() {
             validate_command_path strict "install --target-directory" "${install_tok#*=}"
             continue
           fi
+          # Attached short `-t<dir>` (Codex sweep 5 Q4): the
+          # generic `-*` skip below treated this as a plain flag,
+          # so `install -t/tmp src.txt dst.txt` slipped past the
+          # boundary entirely. Split form `install -t /tmp src`
+          # already blocks because the next-token positional walk
+          # validates `/tmp` as a target; only the attached form
+          # needs explicit handling here.
+          if [[ "$install_tok" == -t?* ]]; then
+            validate_command_path strict "install -t" "${install_tok#-t}"
+            continue
+          fi
           case "$install_tok" in
             -m|--mode|-o|--owner|-g|--group)
               install_skip_next=1 ;;

tests/test_bypass_reproducers_pentest_d.sh

@@ -1234,3 +1234,29 @@ expect_blocked "cpio -i -D /etc (real)" \
   "cpio -i -D /etc"
 
 echo ""
+
+# ============================================================
+# 114. install -t<dir> attached short bypass (FN, Codex sweep 5 Q4)
+# ------------------------------------------------------------
+# The install walker has its own in-line flag-skip loop that
+# discards every `-*` token (except for the explicit
+# --target-directory= long form). Attached `install -t/tmp src`
+# fell into the generic skip branch and never reached the
+# boundary check, so the install destination was an
+# unvalidated outside-project path.
+#
+# Split form `install -t /tmp src` already blocked because the
+# next-token positional walk validated `/tmp` as a target.
+# ============================================================
+echo "--- 114. install -t<dir> attached short ---"
+
+expect_blocked "install -t/tmp src dst (attached short)" \
+  "install -t/tmp src.txt dst.txt"
+expect_blocked "install -t/etc src (system attached)" \
+  "install -t/etc src.txt"
+
+# In-project attached must still allow.
+expect_allowed "install -t<project> src (attached, in-project)" \
+  "install -t$PROJECT src.txt"
+
+echo ""