@bookedsolid/rea 0.1.0

package/dist/cli/doctor.js

@@ -0,0 +1,93 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { loadPolicy } from '../policy/loader.js';
+import { POLICY_FILE, REA_DIR, REGISTRY_FILE, log, reaPath } from './utils.js';
+function checkFileExists(label, filePath, fatal) {
+    const exists = fs.existsSync(filePath);
+    if (exists)
+        return { label, status: 'pass' };
+    return { label, status: fatal ? 'fail' : 'warn', detail: `missing: ${filePath}` };
+}
+function checkPolicyParses(baseDir, policyPath) {
+    if (!fs.existsSync(policyPath)) {
+        return {
+            label: 'policy.yaml parses',
+            status: 'fail',
+            detail: `missing: ${policyPath} — run \`npx rea init\``,
+        };
+    }
+    try {
+        const policy = loadPolicy(baseDir);
+        return {
+            label: 'policy.yaml parses',
+            status: 'pass',
+            detail: `profile=${policy.profile}, autonomy=${policy.autonomy_level}`,
+        };
+    }
+    catch (e) {
+        return {
+            label: 'policy.yaml parses',
+            status: 'fail',
+            detail: e instanceof Error ? e.message : String(e),
+        };
+    }
+}
+function checkCodexPlugin(baseDir) {
+    const commandsDir = path.join(baseDir, '.claude', 'commands');
+    if (!fs.existsSync(commandsDir)) {
+        return {
+            label: 'Codex plugin command(s)',
+            status: 'warn',
+            detail: 'no .claude/commands/ directory — Codex adversarial review not wired',
+        };
+    }
+    const entries = fs.readdirSync(commandsDir);
+    const codexEntry = entries.find((name) => name.toLowerCase().startsWith('codex'));
+    if (codexEntry !== undefined) {
+        return { label: 'Codex plugin command(s)', status: 'pass', detail: codexEntry };
+    }
+    return {
+        label: 'Codex plugin command(s)',
+        status: 'warn',
+        detail: 'no .claude/commands/codex* found — /codex-review will not be available',
+    };
+}
+function formatSymbol(status) {
+    if (status === 'pass')
+        return '[ok]  ';
+    if (status === 'warn')
+        return '[warn]';
+    return '[fail]';
+}
+export function runDoctor() {
+    const baseDir = process.cwd();
+    const policyPath = reaPath(baseDir, POLICY_FILE);
+    const registryPath = reaPath(baseDir, REGISTRY_FILE);
+    const reaDir = path.join(baseDir, REA_DIR);
+    const commitMsgHook = path.join(baseDir, '.git', 'hooks', 'commit-msg');
+    const checks = [
+        checkFileExists('.rea/ directory exists', reaDir, true),
+        checkPolicyParses(baseDir, policyPath),
+        checkFileExists('.rea/registry.yaml exists', registryPath, false),
+        checkFileExists('.git/hooks/commit-msg installed', commitMsgHook, false),
+        checkCodexPlugin(baseDir),
+    ];
+    console.log('');
+    log(`Doctor — ${baseDir}`);
+    console.log('');
+    let hardFail = false;
+    for (const c of checks) {
+        const detail = c.detail !== undefined ? `  (${c.detail})` : '';
+        console.log(`  ${formatSymbol(c.status)} ${c.label}${detail}`);
+        if (c.status === 'fail')
+            hardFail = true;
+    }
+    console.log('');
+    if (hardFail) {
+        log('Doctor: one or more hard checks failed.');
+        console.log('');
+        process.exit(1);
+    }
+    log('Doctor: OK (warnings do not fail the check).');
+    console.log('');
+}

package/dist/cli/freeze.d.ts

@@ -0,0 +1,8 @@
+export interface FreezeOptions {
+    reason?: string | undefined;
+}
+export interface UnfreezeOptions {
+    yes?: boolean | undefined;
+}
+export declare function runFreeze(options: FreezeOptions): void;
+export declare function runUnfreeze(options: UnfreezeOptions): Promise<void>;

package/dist/cli/freeze.js

@@ -0,0 +1,61 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import * as p from '@clack/prompts';
+import { HALT_FILE, REA_DIR, err, log, reaPath } from './utils.js';
+/**
+ * Strip control characters (terminal escape injection defense).
+ */
+function sanitize(input) {
+    return input.replace(/[\x00-\x1f\x7f]/g, '').trim();
+}
+export function runFreeze(options) {
+    const reason = options.reason !== undefined ? sanitize(options.reason) : '';
+    if (!reason) {
+        err('`rea freeze` requires `--reason "..."`');
+        console.error('');
+        console.error('  Example: rea freeze --reason "security incident — pausing agent work"');
+        console.error('');
+        process.exit(1);
+    }
+    const targetDir = process.cwd();
+    const reaDir = path.join(targetDir, REA_DIR);
+    const haltFile = reaPath(targetDir, HALT_FILE);
+    if (!fs.existsSync(reaDir)) {
+        fs.mkdirSync(reaDir, { recursive: true });
+    }
+    const timestamp = new Date().toISOString();
+    const content = `${reason} (frozen at ${timestamp})\n`;
+    fs.writeFileSync(haltFile, content, 'utf8');
+    console.log('');
+    log('REA FROZEN');
+    console.log(`       Reason: ${reason}`);
+    console.log(`       File:   .rea/HALT`);
+    console.log(`       Effect: all middleware + PreToolUse hooks will block agent operations.`);
+    console.log('');
+    console.log('       To resume: rea unfreeze');
+    console.log('');
+}
+export async function runUnfreeze(options) {
+    const targetDir = process.cwd();
+    const haltFile = reaPath(targetDir, HALT_FILE);
+    if (!fs.existsSync(haltFile)) {
+        log('Not frozen — no .rea/HALT file found.');
+        return;
+    }
+    const existingReason = fs.readFileSync(haltFile, 'utf8').trim();
+    if (options.yes !== true) {
+        const confirmed = await p.confirm({
+            message: `Remove .rea/HALT and resume agent operations?\n    Current freeze: ${existingReason}`,
+            initialValue: false,
+        });
+        if (p.isCancel(confirmed) || confirmed !== true) {
+            log('Unfreeze cancelled — HALT remains in place.');
+            return;
+        }
+    }
+    fs.unlinkSync(haltFile);
+    console.log('');
+    log('REA UNFROZEN');
+    console.log('       .rea/HALT removed — agent operations resumed.');
+    console.log('');
+}

package/dist/cli/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/cli/index.js

@@ -0,0 +1,65 @@
+#!/usr/bin/env node
+import { Command } from 'commander';
+import { runCheck } from './check.js';
+import { runDoctor } from './doctor.js';
+import { runFreeze, runUnfreeze } from './freeze.js';
+import { runInit } from './init.js';
+import { runServe } from './serve.js';
+import { err, getPkgVersion } from './utils.js';
+async function main() {
+    const program = new Command();
+    program
+        .name('rea')
+        .description('Agentic governance layer for Claude Code — policy, hooks, middleware, audit.')
+        .version(getPkgVersion(), '-v, --version', 'print rea version');
+    program
+        .command('init')
+        .description('Interactive wizard — write .rea/policy.yaml and .rea/registry.yaml')
+        .option('-y, --yes', 'non-interactive mode — accept defaults for all prompts')
+        .option('--from-reagent', 'migrate from a .reagent/ directory if present')
+        .option('--profile <name>', 'profile: minimal | client-engagement | bst-internal | lit-wc | open-source')
+        .action(async (opts) => {
+        await runInit({
+            yes: opts.yes,
+            fromReagent: opts.fromReagent,
+            profile: opts.profile,
+        });
+    });
+    program
+        .command('serve')
+        .description('Start the MCP gateway (stub — prints status, verifies policy loads).')
+        .action(async () => {
+        await runServe();
+    });
+    program
+        .command('freeze')
+        .description('Write .rea/HALT to block agent operations. Requires --reason.')
+        .requiredOption('--reason <text>', 'why you are freezing (stored in .rea/HALT)')
+        .action((opts) => {
+        runFreeze({ reason: opts.reason });
+    });
+    program
+        .command('unfreeze')
+        .description('Remove .rea/HALT. Confirms interactively unless --yes is set.')
+        .option('-y, --yes', 'skip confirmation prompt')
+        .action(async (opts) => {
+        await runUnfreeze({ yes: opts.yes });
+    });
+    program
+        .command('check')
+        .description('Read-only status — autonomy, HALT, profile, recent audit entries.')
+        .action(() => {
+        runCheck();
+    });
+    program
+        .command('doctor')
+        .description('Validate the install: policy parses, .rea/ layout, hooks, Codex plugin.')
+        .action(() => {
+        runDoctor();
+    });
+    await program.parseAsync(process.argv);
+}
+main().catch((e) => {
+    err(e instanceof Error ? e.message : String(e));
+    process.exit(1);
+});

package/dist/cli/init.d.ts

@@ -0,0 +1,6 @@
+export interface InitOptions {
+    yes?: boolean | undefined;
+    fromReagent?: boolean | undefined;
+    profile?: string | undefined;
+}
+export declare function runInit(options: InitOptions): Promise<void>;

package/dist/cli/init.js

@@ -0,0 +1,237 @@
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import * as p from '@clack/prompts';
+import { AutonomyLevel } from '../policy/types.js';
+import { POLICY_FILE, REA_DIR, REGISTRY_FILE, err, getPkgVersion, log, } from './utils.js';
+const PROFILES = [
+    'minimal',
+    'client-engagement',
+    'bst-internal',
+    'lit-wc',
+    'open-source',
+];
+const AUTONOMY_LEVELS = [
+    AutonomyLevel.L0,
+    AutonomyLevel.L1,
+    AutonomyLevel.L2,
+    AutonomyLevel.L3,
+];
+function detectReagentPolicy(targetDir) {
+    const reagentPolicy = path.join(targetDir, '.reagent', 'policy.yaml');
+    return fs.existsSync(reagentPolicy) ? reagentPolicy : null;
+}
+function detectProjectName(targetDir) {
+    const pkgPath = path.join(targetDir, 'package.json');
+    if (fs.existsSync(pkgPath)) {
+        try {
+            const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+            if (typeof pkg.name === 'string' && pkg.name.length > 0)
+                return pkg.name;
+        }
+        catch {
+            // fall through
+        }
+    }
+    return path.basename(targetDir);
+}
+function levelRank(level) {
+    return { L0: 0, L1: 1, L2: 2, L3: 3 }[level];
+}
+function isValidProfile(value) {
+    return PROFILES.includes(value);
+}
+function cancel(message) {
+    p.cancel(message);
+    process.exit(0);
+}
+async function runWizard(options, targetDir, reagentPolicyPath) {
+    const projectName = detectProjectName(targetDir);
+    p.intro(`rea init — ${projectName}`);
+    let fromReagent = options.fromReagent === true;
+    if (!fromReagent && reagentPolicyPath !== null) {
+        const migrate = await p.confirm({
+            message: `Found ${path.relative(targetDir, reagentPolicyPath)} — migrate from reagent?`,
+            initialValue: true,
+        });
+        if (p.isCancel(migrate))
+            cancel('Init cancelled.');
+        fromReagent = migrate === true;
+    }
+    // Profile selection
+    let profile;
+    if (options.profile !== undefined) {
+        if (!isValidProfile(options.profile)) {
+            p.cancel(`Unknown profile: "${options.profile}". Valid: ${PROFILES.join(', ')}`);
+            process.exit(1);
+        }
+        profile = options.profile;
+        p.log.info(`Profile: ${profile} (from --profile)`);
+    }
+    else {
+        const picked = await p.select({
+            message: 'Pick a profile',
+            initialValue: 'minimal',
+            options: [
+                { value: 'minimal', label: 'minimal', hint: 'bare policy, no extras (default)' },
+                {
+                    value: 'client-engagement',
+                    label: 'client-engagement',
+                    hint: 'zero-trust client project',
+                },
+                { value: 'bst-internal', label: 'bst-internal', hint: 'internal BST projects' },
+                { value: 'lit-wc', label: 'lit-wc', hint: 'Lit / web component libraries' },
+                { value: 'open-source', label: 'open-source', hint: 'public OSS repos' },
+            ],
+        });
+        if (p.isCancel(picked))
+            cancel('Init cancelled.');
+        profile = picked;
+    }
+    // Autonomy level
+    const autonomyPick = await p.select({
+        message: 'Starting autonomy_level',
+        initialValue: AutonomyLevel.L1,
+        options: [
+            { value: AutonomyLevel.L0, label: 'L0', hint: 'read-only; every write needs approval' },
+            { value: AutonomyLevel.L1, label: 'L1', hint: 'default — writes allowed, destructive gated' },
+            { value: AutonomyLevel.L2, label: 'L2', hint: 'wider latitude; destructive ops allowed' },
+            { value: AutonomyLevel.L3, label: 'L3', hint: 'full autonomy (rare — supervised only)' },
+        ],
+    });
+    if (p.isCancel(autonomyPick))
+        cancel('Init cancelled.');
+    const autonomyLevel = autonomyPick;
+    // Max autonomy ceiling — constrain to levels >= autonomy
+    const maxCandidates = AUTONOMY_LEVELS.filter((lvl) => levelRank(lvl) >= levelRank(autonomyLevel));
+    const defaultMax = maxCandidates.find((l) => l === AutonomyLevel.L2) ?? autonomyLevel;
+    const maxOptions = maxCandidates.map((lvl) => {
+        if (lvl === autonomyLevel) {
+            return { value: lvl, label: lvl, hint: 'same as starting level' };
+        }
+        return { value: lvl, label: lvl };
+    });
+    const maxPick = await p.select({
+        message: 'max_autonomy_level (ceiling — cannot be exceeded at runtime)',
+        initialValue: defaultMax,
+        // Cast: clack's Option type is a discriminated union over the literal values,
+        // but here we build it dynamically from the AutonomyLevel enum.
+        options: maxOptions,
+    });
+    if (p.isCancel(maxPick))
+        cancel('Init cancelled.');
+    const maxAutonomyLevel = maxPick;
+    // block_ai_attribution
+    const attribPick = await p.confirm({
+        message: 'Enforce block_ai_attribution (reject AI-authored commit trailers)?',
+        initialValue: true,
+    });
+    if (p.isCancel(attribPick))
+        cancel('Init cancelled.');
+    const blockAiAttribution = attribPick === true;
+    p.outro('Config collected — writing files.');
+    return {
+        profile,
+        autonomyLevel,
+        maxAutonomyLevel,
+        blockAiAttribution,
+        fromReagent,
+        reagentPolicyPath,
+    };
+}
+function writePolicyYaml(targetDir, config) {
+    const policyPath = path.join(targetDir, REA_DIR, POLICY_FILE);
+    const installedBy = process.env.USER ?? os.userInfo().username ?? 'unknown';
+    const installedAt = new Date().toISOString();
+    const lines = [
+        `# .rea/policy.yaml — managed by rea v${getPkgVersion()}`,
+        `# Edit carefully: tightening takes effect on next load; loosening requires human approval.`,
+        `version: "1"`,
+        `profile: ${JSON.stringify(config.profile)}`,
+        `installed_by: ${JSON.stringify(installedBy)}`,
+        `installed_at: ${JSON.stringify(installedAt)}`,
+        `autonomy_level: ${config.autonomyLevel}`,
+        `max_autonomy_level: ${config.maxAutonomyLevel}`,
+        `promotion_requires_human_approval: true`,
+        `block_ai_attribution: ${config.blockAiAttribution ? 'true' : 'false'}`,
+        `blocked_paths:`,
+        `  - ".env"`,
+        `  - ".env.*"`,
+        `notification_channel: ""`,
+        ``,
+    ];
+    fs.writeFileSync(policyPath, lines.join('\n'), 'utf8');
+    return policyPath;
+}
+function writeRegistryYaml(targetDir) {
+    const registryPath = path.join(targetDir, REA_DIR, REGISTRY_FILE);
+    const content = [
+        `# .rea/registry.yaml — downstream MCP servers proxied through rea serve.`,
+        `# Every entry below is subject to the same middleware chain as native tool calls.`,
+        `version: "1"`,
+        `servers: []`,
+        ``,
+    ].join('\n');
+    fs.writeFileSync(registryPath, content, 'utf8');
+    return registryPath;
+}
+export async function runInit(options) {
+    const targetDir = process.cwd();
+    const reagentPolicyPath = detectReagentPolicy(targetDir);
+    const reaDir = path.join(targetDir, REA_DIR);
+    const policyPath = path.join(reaDir, POLICY_FILE);
+    if (fs.existsSync(policyPath) && options.yes !== true) {
+        err(`.rea/policy.yaml already exists at ${policyPath}`);
+        console.error('');
+        console.error('  Refusing to overwrite. Pass --yes to force, or remove the file first.');
+        console.error('');
+        process.exit(1);
+    }
+    let config;
+    if (options.yes === true) {
+        const profile = options.profile !== undefined && isValidProfile(options.profile)
+            ? options.profile
+            : 'minimal';
+        config = {
+            profile,
+            autonomyLevel: AutonomyLevel.L1,
+            maxAutonomyLevel: AutonomyLevel.L2,
+            blockAiAttribution: true,
+            fromReagent: options.fromReagent === true,
+            reagentPolicyPath,
+        };
+        log(`Non-interactive init: profile=${profile}, autonomy=L1, max=L2, attribution-block=true`);
+    }
+    else {
+        config = await runWizard(options, targetDir, reagentPolicyPath);
+    }
+    if (!fs.existsSync(reaDir)) {
+        fs.mkdirSync(reaDir, { recursive: true });
+    }
+    const written = [];
+    written.push(writePolicyYaml(targetDir, config));
+    written.push(writeRegistryYaml(targetDir));
+    // TODO: copy hooks/commands/agents once templates directory ships
+    // TODO: merge .claude/settings.json once hook registration is defined
+    // TODO: install .husky/commit-msg + .git/hooks/commit-msg for block_ai_attribution
+    console.log('');
+    log('init complete');
+    for (const file of written) {
+        console.log(`  + ${path.relative(targetDir, file)}`);
+    }
+    console.log('');
+    console.log('Next steps:');
+    console.log('  1. Review .rea/policy.yaml and commit it.');
+    console.log('  2. Run `rea doctor` to validate the install.');
+    console.log('  3. Run `rea check` to see current status.');
+    if (config.fromReagent) {
+        console.log('');
+        console.log('Reagent migration:');
+        console.log(`  Source: ${config.reagentPolicyPath ?? '(none)'}`);
+        console.log('  Field-for-field translation is not yet automated — review both files manually.');
+        console.log('  Once satisfied, you can remove the .reagent/ directory.');
+    }
+    console.log('');
+    console.log('  Hooks, slash commands, and agents are not installed yet — coming in a follow-up.');
+    console.log('');
+}

package/dist/cli/serve.d.ts

@@ -0,0 +1 @@
+export declare function runServe(): Promise<void>;

package/dist/cli/serve.js

@@ -0,0 +1,19 @@
+import { loadPolicy } from '../policy/loader.js';
+import { POLICY_FILE, err, exitWithMissingPolicy, log, reaPath } from './utils.js';
+export async function runServe() {
+    const baseDir = process.cwd();
+    const policyPath = reaPath(baseDir, POLICY_FILE);
+    try {
+        const policy = loadPolicy(baseDir);
+        log(`MCP gateway not yet implemented — install complete, policy loaded (profile=${policy.profile}, autonomy=${policy.autonomy_level}).`);
+        process.exit(0);
+    }
+    catch (e) {
+        const message = e instanceof Error ? e.message : String(e);
+        if (message.includes('not found')) {
+            exitWithMissingPolicy(policyPath);
+        }
+        err(`Failed to load policy: ${message}`);
+        process.exit(1);
+    }
+}

package/dist/cli/utils.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Package root, resolved from the compiled CLI module location.
+ * Compiled path: dist/cli/utils.js → package root is two levels up.
+ */
+export declare const PKG_ROOT: string;
+export declare function getPkgVersion(): string;
+export declare const REA_DIR = ".rea";
+export declare const POLICY_FILE = "policy.yaml";
+export declare const REGISTRY_FILE = "registry.yaml";
+export declare const HALT_FILE = "HALT";
+export declare const AUDIT_FILE = "audit.jsonl";
+export declare function reaPath(baseDir: string, ...segments: string[]): string;
+/**
+ * Standard log prefix so users notice the transition from reagent → rea.
+ */
+export declare function log(message: string): void;
+export declare function warn(message: string): void;
+export declare function err(message: string): void;
+/**
+ * Print a "policy missing — run init" message and exit 1.
+ * Used by commands that require a policy file to operate.
+ */
+export declare function exitWithMissingPolicy(policyPath: string): never;

package/dist/cli/utils.js

@@ -0,0 +1,51 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+/**
+ * Package root, resolved from the compiled CLI module location.
+ * Compiled path: dist/cli/utils.js → package root is two levels up.
+ */
+export const PKG_ROOT = path.resolve(__dirname, '..', '..');
+export function getPkgVersion() {
+    try {
+        const pkgPath = path.join(PKG_ROOT, 'package.json');
+        const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+        return pkg.version ?? '0.0.0';
+    }
+    catch {
+        return '0.0.0';
+    }
+}
+export const REA_DIR = '.rea';
+export const POLICY_FILE = 'policy.yaml';
+export const REGISTRY_FILE = 'registry.yaml';
+export const HALT_FILE = 'HALT';
+export const AUDIT_FILE = 'audit.jsonl';
+export function reaPath(baseDir, ...segments) {
+    return path.join(baseDir, REA_DIR, ...segments);
+}
+/**
+ * Standard log prefix so users notice the transition from reagent → rea.
+ */
+export function log(message) {
+    console.log(`[rea] ${message}`);
+}
+export function warn(message) {
+    console.warn(`[rea] WARN: ${message}`);
+}
+export function err(message) {
+    console.error(`[rea] ERROR: ${message}`);
+}
+/**
+ * Print a "policy missing — run init" message and exit 1.
+ * Used by commands that require a policy file to operate.
+ */
+export function exitWithMissingPolicy(policyPath) {
+    err(`Policy file not found: ${policyPath}`);
+    console.error('');
+    console.error('  Run `npx rea init` to initialize REA in this directory.');
+    console.error('');
+    process.exit(1);
+}

package/dist/config/tier-map.d.ts

@@ -0,0 +1,11 @@
+import { Tier } from '../policy/types.js';
+import type { GatewayConfig } from './types.js';
+/**
+ * Classify a tool by its tier. Checks gateway config overrides first,
+ * then static map, then naming conventions, then defaults to Write.
+ */
+export declare function classifyTool(toolName: string, serverName: string, gatewayConfig?: GatewayConfig): Tier;
+/**
+ * Check if a tool is explicitly blocked in gateway config.
+ */
+export declare function isToolBlocked(toolName: string, serverName: string, gatewayConfig?: GatewayConfig): boolean;