@bookedsolid/rea 0.1.0 → 0.2.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.1.0",
+  "version": "0.2.1",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",
@@ -28,6 +28,10 @@
     "./middleware": {
       "types": "./dist/gateway/middleware/chain.d.ts",
       "import": "./dist/gateway/middleware/chain.js"
+    },
+    "./audit": {
+      "types": "./dist/audit/append.d.ts",
+      "import": "./dist/audit/append.js"
     }
   },
   "sideEffects": false,
@@ -41,6 +45,8 @@
     "agents/",
     "profiles/",
     "templates/",
+    "scripts/",
+    ".husky/",
     "LICENSE",
     "README.md",
     "SECURITY.md",
@@ -60,15 +66,18 @@
     "adversarial-review"
   ],
   "dependencies": {
+    "@anthropic-ai/sdk": "^0.90.0",
     "@clack/prompts": "^1.2.0",
     "@modelcontextprotocol/sdk": "^1.29.0",
     "commander": "^14.0.3",
+    "safe-regex": "^2.1.1",
     "yaml": "^2.7.0",
     "zod": "^3.23.0"
   },
   "devDependencies": {
     "@changesets/cli": "^2.30.0",
     "@types/node": "^25.5.2",
+    "@types/safe-regex": "^1.1.6",
     "@typescript-eslint/eslint-plugin": "^8.0.0",
     "@typescript-eslint/parser": "^8.0.0",
     "@vitest/coverage-v8": "^3.2.4",
@@ -79,7 +88,9 @@
   },
   "scripts": {
     "build": "tsc -p tsconfig.build.json",
-    "lint": "eslint .",
+    "postinstall": "node scripts/postinstall.mjs",
+    "lint": "pnpm run lint:regex && eslint .",
+    "lint:regex": "node scripts/lint-safe-regex.mjs",
     "format": "prettier --write .",
     "format:check": "prettier --check .",
     "test": "vitest run",

package/profiles/bst-internal-no-codex.yaml

@@ -0,0 +1,40 @@
+# profiles/bst-internal-no-codex.yaml
+#
+# bst-internal variant with Codex adversarial review disabled.
+#
+# Same governance settings as `bst-internal.yaml` — L1 autonomy with an L2
+# ceiling, the same blocked-paths list, the same context-protection rules.
+# The only difference: the installed `.rea/policy.yaml` will carry
+# `review.codex_required: false`, and `rea init` surfaces that choice as
+# the wizard default.
+#
+# Pick this variant when:
+#   - The team does not have an OpenAI account / Codex CLI on the bench.
+#   - A BST internal project is scoped such that Claude self-review is
+#     considered sufficient.
+#   - Codex is temporarily unavailable (rate limits, outage) and you want
+#     a durable opt-out rather than relying on REA_SKIP_CODEX_REVIEW.
+#
+# To re-enable Codex later, edit `.rea/policy.yaml` and set
+# `review.codex_required: true` (or remove the field entirely — true is
+# the documented default).
+autonomy_level: L1
+max_autonomy_level: L2
+promotion_requires_human_approval: true
+block_ai_attribution: true
+blocked_paths:
+  - .env
+  - .env.*
+  - .rea/policy.yaml
+  - .rea/HALT
+  - CODEOWNERS
+  - .github/workflows/release.yml
+  - SECURITY.md
+  - THREAT_MODEL.md
+notification_channel: ""
+context_protection:
+  delegate_to_subagent:
+    - pnpm run build
+    - pnpm run test
+    - pnpm run lint
+  max_bash_output_lines: 100

package/profiles/bst-internal.yaml

@@ -0,0 +1,23 @@
+# profiles/bst-internal.yaml
+# Booked Solid internal projects. Mirrors the current .rea/policy.yaml in the
+# rea repository itself — this is the canonical dogfood profile.
+autonomy_level: L1
+max_autonomy_level: L2
+promotion_requires_human_approval: true
+block_ai_attribution: true
+blocked_paths:
+  - .env
+  - .env.*
+  - .rea/policy.yaml
+  - .rea/HALT
+  - CODEOWNERS
+  - .github/workflows/release.yml
+  - SECURITY.md
+  - THREAT_MODEL.md
+notification_channel: ""
+context_protection:
+  delegate_to_subagent:
+    - pnpm run build
+    - pnpm run test
+    - pnpm run lint
+  max_bash_output_lines: 100

package/profiles/client-engagement.yaml

@@ -0,0 +1,23 @@
+# profiles/client-engagement.yaml
+# Zero-trust client projects. Starts at the lowest meaningful autonomy level,
+# max ceiling held at L1 — promotion requires explicit maintainer approval.
+autonomy_level: L0
+max_autonomy_level: L1
+promotion_requires_human_approval: true
+block_ai_attribution: true
+blocked_paths:
+  - .env
+  - .env.*
+  - .rea/policy.yaml
+  - .rea/HALT
+  - CODEOWNERS
+  - SECURITY.md
+  - THREAT_MODEL.md
+  - secrets/
+  - credentials/
+notification_channel: ""
+context_protection:
+  delegate_to_subagent:
+    - pnpm run build
+    - pnpm run test
+  max_bash_output_lines: 100

package/profiles/lit-wc.yaml

@@ -0,0 +1,17 @@
+# profiles/lit-wc.yaml
+# Lit / web component libraries. Typical dev ergonomics; protects publish paths
+# and the design-system contract files.
+autonomy_level: L1
+max_autonomy_level: L2
+promotion_requires_human_approval: true
+block_ai_attribution: true
+blocked_paths:
+  - .env
+  - .env.*
+  - .rea/policy.yaml
+  - .rea/HALT
+  - CODEOWNERS
+  - .github/workflows/release.yml
+  - .github/workflows/publish.yml
+  - tokens/
+notification_channel: ""

package/profiles/minimal.yaml

@@ -0,0 +1,11 @@
+# profiles/minimal.yaml
+# Bare policy defaults — nothing profile-specific. Suitable as a starting point
+# for a project that wants rea's governance but will tune the rest by hand.
+autonomy_level: L1
+max_autonomy_level: L2
+promotion_requires_human_approval: true
+block_ai_attribution: true
+blocked_paths:
+  - .env
+  - .env.*
+notification_channel: ""

package/profiles/open-source-no-codex.yaml

@@ -0,0 +1,33 @@
+# profiles/open-source-no-codex.yaml
+#
+# open-source variant with Codex adversarial review disabled.
+#
+# Same governance settings as `open-source.yaml` — L1 autonomy with an L2
+# ceiling, the same blocked-paths list (sensitive release and disclosure
+# files flagged for human-only edits). The only difference: the installed
+# `.rea/policy.yaml` will carry `review.codex_required: false`.
+#
+# Pick this variant when:
+#   - Your public OSS project does not have a Codex account or does not
+#     want to require one from every contributor.
+#   - Contributors are expected to run a locally-hosted adversarial review
+#     instead (Claude self-review is the shipped fallback).
+#
+# To re-enable Codex later, edit `.rea/policy.yaml` and set
+# `review.codex_required: true` (or remove the field entirely — true is
+# the documented default).
+autonomy_level: L1
+max_autonomy_level: L2
+promotion_requires_human_approval: true
+block_ai_attribution: true
+blocked_paths:
+  - .env
+  - .env.*
+  - .rea/policy.yaml
+  - .rea/HALT
+  - CODEOWNERS
+  - LICENSE
+  - SECURITY.md
+  - .github/workflows/release.yml
+  - .github/workflows/publish.yml
+notification_channel: ""

package/profiles/open-source.yaml

@@ -0,0 +1,18 @@
+# profiles/open-source.yaml
+# Public OSS repositories. Slightly looser autonomy, strict attribution rules,
+# and sensitive files flagged for human-only edits.
+autonomy_level: L1
+max_autonomy_level: L2
+promotion_requires_human_approval: true
+block_ai_attribution: true
+blocked_paths:
+  - .env
+  - .env.*
+  - .rea/policy.yaml
+  - .rea/HALT
+  - CODEOWNERS
+  - LICENSE
+  - SECURITY.md
+  - .github/workflows/release.yml
+  - .github/workflows/publish.yml
+notification_channel: ""

package/scripts/lint-safe-regex.mjs

@@ -0,0 +1,78 @@
+#!/usr/bin/env node
+// G3 — Static ReDoS lint.
+//
+// Every default pattern built into rea's middleware is passed through
+// `safe-regex`. Any pattern flagged as unsafe fails the build.
+//
+// Run as part of `pnpm lint` (wired in package.json#scripts), BEFORE eslint —
+// a bad regex is a security defect and must short-circuit the pipeline.
+//
+// This script reads the compiled `dist/**` output rather than importing the TS
+// source directly: `lint` runs in CI after `build`, so `dist/` is authoritative.
+// If `dist/` does not exist, we exit non-zero with a build hint.
+
+import { existsSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import path from 'node:path';
+import safeRegex from 'safe-regex';
+
+const here = path.dirname(fileURLToPath(import.meta.url));
+const repoRoot = path.resolve(here, '..');
+const distRoot = path.join(repoRoot, 'dist');
+
+if (!existsSync(distRoot)) {
+  console.error('[lint:regex] dist/ not found — run `pnpm build` first.');
+  process.exit(2);
+}
+
+const redactModulePath = path.join(distRoot, 'gateway', 'middleware', 'redact.js');
+const injectionModulePath = path.join(distRoot, 'gateway', 'middleware', 'injection.js');
+
+if (!existsSync(redactModulePath) || !existsSync(injectionModulePath)) {
+  console.error(
+    '[lint:regex] Expected dist outputs not found:\n' +
+      `  - ${redactModulePath}\n` +
+      `  - ${injectionModulePath}\n` +
+      'Run `pnpm build` first.',
+  );
+  process.exit(2);
+}
+
+const redact = await import(redactModulePath);
+const injection = await import(injectionModulePath);
+
+const offenders = [];
+
+// Check every SECRET_PATTERN.
+for (const { name, pattern } of redact.SECRET_PATTERNS) {
+  if (!safeRegex(pattern)) {
+    offenders.push({ layer: 'redact.SECRET_PATTERNS', name, pattern: pattern.toString() });
+  }
+}
+
+// Check injection regex constants.
+const injectionPatterns = [
+  { name: 'INJECTION_BASE64_PATTERN', pattern: injection.INJECTION_BASE64_PATTERN },
+  { name: 'INJECTION_BASE64_SHAPE', pattern: injection.INJECTION_BASE64_SHAPE },
+];
+for (const { name, pattern } of injectionPatterns) {
+  if (!safeRegex(pattern)) {
+    offenders.push({ layer: 'injection', name, pattern: pattern.toString() });
+  }
+}
+
+if (offenders.length > 0) {
+  console.error('[lint:regex] UNSAFE REGEX DETECTED:');
+  for (const o of offenders) {
+    console.error(`  - ${o.layer} / ${o.name}: ${o.pattern}`);
+  }
+  console.error(
+    '\nSafe-regex flagged these patterns as potentially ReDoS-vulnerable. Rewrite them with' +
+      ' bounded quantifiers / no nested repetition / no disjoint alternation, then re-run.',
+  );
+  process.exit(1);
+}
+
+console.log(
+  `[lint:regex] OK — ${redact.SECRET_PATTERNS.length} redact patterns, ${injectionPatterns.length} injection patterns cleared.`,
+);

package/scripts/postinstall.mjs

@@ -0,0 +1,131 @@
+#!/usr/bin/env node
+/**
+ * G12 — postinstall version-drift nudge.
+ *
+ * Printed exactly once when a consumer's `@bookedsolid/rea` installed version
+ * disagrees with the version recorded in their `.rea/install-manifest.json`.
+ * The message points at `rea upgrade`. NEVER fails the install — this script
+ * returns 0 under every code path.
+ *
+ * Silence rules:
+ *   - Only runs when invoked from a consumer project (i.e. when this script
+ *     lives inside `node_modules/@bookedsolid/rea/scripts/`). When running
+ *     from the rea repo itself, the INIT_CWD/workspace check skips.
+ *   - No output when CI (any common CI var set) — we don't want to spam build
+ *     logs with governance reminders.
+ *   - No output when a manifest does not exist (pre-G12 install) — `rea init`
+ *     will write the first manifest; nothing to reconcile.
+ *   - No output when versions match.
+ *
+ * Everything else is best-effort. Any error is swallowed.
+ */
+
+import fs from 'node:fs';
+import path from 'node:path';
+import process from 'node:process';
+import { fileURLToPath } from 'node:url';
+
+const NOTE = (lines) => {
+  process.stderr.write('\n');
+  for (const line of lines) process.stderr.write(`rea: ${line}\n`);
+  process.stderr.write('\n');
+};
+
+/** CI detection: check the union of vars that package managers and runners set.
+ * `CI=true` covers GitHub Actions / CircleCI / Travis / GitLab / BuildKite /
+ * Netlify / Vercel; the rest cover Jenkins, Buildkite agent, and npm's own
+ * `npm_config_ci`. A conservative default: silent if any is set. */
+function isCI() {
+  const env = process.env;
+  if (env.CI === 'true' || env.CI === '1') return true;
+  if (env.CONTINUOUS_INTEGRATION === 'true' || env.CONTINUOUS_INTEGRATION === '1') return true;
+  if (env.BUILD_NUMBER !== undefined && env.BUILD_NUMBER !== '') return true; // Jenkins
+  if (env.RUN_ID !== undefined && env.RUN_ID !== '') return true;
+  if (env.GITHUB_ACTIONS === 'true') return true;
+  if (env.npm_config_ci === 'true') return true;
+  return false;
+}
+
+/** Resolve this script's directory without relying on `new URL().pathname`,
+ * which is broken on Windows (leading `/` + backslash decoding). */
+function selfDir() {
+  return path.dirname(fileURLToPath(import.meta.url));
+}
+
+/** Rea-repo self-detection. Any of these means we're running inside the rea
+ * source tree (not a consumer install) and should be silent. */
+function isOwnRepo(consumerRoot, selfPkgPath) {
+  try {
+    const consumerPkgPath = path.join(consumerRoot, 'package.json');
+    if (fs.existsSync(consumerPkgPath)) {
+      const consumerPkg = JSON.parse(fs.readFileSync(consumerPkgPath, 'utf8'));
+      if (consumerPkg?.name === '@bookedsolid/rea') return true;
+    }
+  } catch {
+    /* consumer package.json unreadable — fall through */
+  }
+  // If our own package.json lives directly under consumerRoot, the consumer
+  // IS the rea repo (no node_modules nesting). This covers `pnpm install` at
+  // the top of the rea repo where INIT_CWD and selfDir's parent match.
+  try {
+    const selfPkgDir = path.dirname(selfPkgPath);
+    if (path.resolve(selfPkgDir) === path.resolve(consumerRoot)) return true;
+  } catch {
+    /* fall through */
+  }
+  return false;
+}
+
+try {
+  if (isCI()) process.exit(0);
+
+  // INIT_CWD is the directory where `npm/pnpm/yarn install` was invoked — i.e.
+  // the consumer project root. If it's unset, npm is either very old or we're
+  // running outside a package manager; either way, nothing to do.
+  const consumerRoot = process.env.INIT_CWD;
+  if (typeof consumerRoot !== 'string' || consumerRoot.length === 0) process.exit(0);
+
+  // `fileURLToPath` handles Windows (`file:///C:/...`) correctly, unlike the
+  // old `new URL(import.meta.url).pathname` which left a leading `/` on Win32.
+  const selfPkgPath = path.join(selfDir(), '..', 'package.json');
+
+  if (isOwnRepo(consumerRoot, selfPkgPath)) process.exit(0);
+
+  const manifestPath = path.join(consumerRoot, '.rea', 'install-manifest.json');
+  if (!fs.existsSync(manifestPath)) process.exit(0);
+
+  let installedVersion = null;
+  if (fs.existsSync(selfPkgPath)) {
+    try {
+      const selfPkg = JSON.parse(fs.readFileSync(selfPkgPath, 'utf8'));
+      if (typeof selfPkg?.version === 'string') installedVersion = selfPkg.version;
+    } catch {
+      process.exit(0);
+    }
+  }
+  if (installedVersion === null) process.exit(0);
+
+  let manifestVersion = null;
+  try {
+    const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
+    if (typeof manifest?.version === 'string') manifestVersion = manifest.version;
+  } catch {
+    process.exit(0);
+  }
+  if (manifestVersion === null) process.exit(0);
+
+  if (manifestVersion === installedVersion) process.exit(0);
+
+  // Package-manager-agnostic message. Any of `npx rea upgrade`,
+  // `pnpm exec rea upgrade`, or `yarn rea upgrade` works; recommending `npx`
+  // covers the widest audience without privileging pnpm in error output.
+  NOTE([
+    `@bookedsolid/rea v${installedVersion} installed; manifest at v${manifestVersion}.`,
+    `Run  \`npx rea upgrade\`  to sync .claude/, .husky/, and managed fragments.`,
+    `(Or  \`npx rea doctor --drift\`  to preview without changes.)`,
+  ]);
+} catch {
+  // Any uncaught failure → silent success. Never break the consumer's install.
+}
+
+process.exit(0);