@bookedsolid/rea 0.1.0

package/dist/gateway/rate-limiter.js

@@ -0,0 +1,75 @@
+const WINDOW_MS = 60_000;
+/**
+ * In-memory per-server rate limiter and concurrency cap.
+ *
+ * Concurrency: tracks active in-flight calls. If at the limit, new calls
+ * are rejected immediately with a structured error.
+ *
+ * Rate: sliding window — calls in the last 60 seconds must not exceed the
+ * configured calls_per_minute. 0 means unlimited for either dimension.
+ */
+export class RateLimiter {
+    state = new Map();
+    constructor(gatewayConfig) {
+        if (!gatewayConfig)
+            return;
+        for (const [name, serverCfg] of Object.entries(gatewayConfig.servers)) {
+            this.state.set(name, {
+                activeCalls: 0,
+                callTimestamps: [],
+                maxConcurrent: serverCfg.max_concurrent_calls ?? 0,
+                callsPerMinute: serverCfg.calls_per_minute ?? 0,
+            });
+        }
+    }
+    /**
+     * Try to acquire a slot for a call to `serverName`.
+     * Returns null on success, or a LimitExceededError if rejected.
+     */
+    tryAcquire(serverName) {
+        let s = this.state.get(serverName);
+        if (!s) {
+            s = {
+                activeCalls: 0,
+                callTimestamps: [],
+                maxConcurrent: 0,
+                callsPerMinute: 0,
+            };
+            this.state.set(serverName, s);
+        }
+        const now = Date.now();
+        s.callTimestamps = s.callTimestamps.filter((t) => now - t < WINDOW_MS);
+        if (s.callsPerMinute > 0 && s.callTimestamps.length >= s.callsPerMinute) {
+            return {
+                type: 'rate',
+                serverName,
+                current: s.callTimestamps.length,
+                limit: s.callsPerMinute,
+                message: `Rate limit exceeded for server "${serverName}": ${s.callTimestamps.length}/${s.callsPerMinute} calls in the last 60s`,
+            };
+        }
+        if (s.maxConcurrent > 0 && s.activeCalls >= s.maxConcurrent) {
+            return {
+                type: 'concurrency',
+                serverName,
+                current: s.activeCalls,
+                limit: s.maxConcurrent,
+                message: `Concurrency limit exceeded for server "${serverName}": ${s.activeCalls}/${s.maxConcurrent} active calls`,
+            };
+        }
+        s.activeCalls++;
+        s.callTimestamps.push(now);
+        return null;
+    }
+    /** Release a previously acquired concurrency slot. No-op for unknown servers. */
+    release(serverName) {
+        const s = this.state.get(serverName);
+        if (!s)
+            return;
+        if (s.activeCalls > 0)
+            s.activeCalls--;
+    }
+    getState(serverName) {
+        return this.state.get(serverName);
+    }
+}

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+export { loadPolicy } from './policy/loader.js';
+export type { Policy, AutonomyLevel } from './policy/types.js';
+export { createMiddlewareChain } from './gateway/middleware/chain.js';

package/dist/index.js

@@ -0,0 +1,2 @@
+export { loadPolicy } from './policy/loader.js';
+export { createMiddlewareChain } from './gateway/middleware/chain.js';

package/dist/policy/loader.d.ts

@@ -0,0 +1,80 @@
+import { z } from 'zod';
+import { AutonomyLevel } from './types.js';
+import type { Policy } from './types.js';
+declare const PolicySchema: z.ZodObject<{
+    version: z.ZodString;
+    profile: z.ZodString;
+    installed_by: z.ZodString;
+    installed_at: z.ZodString;
+    autonomy_level: z.ZodNativeEnum<typeof AutonomyLevel>;
+    max_autonomy_level: z.ZodNativeEnum<typeof AutonomyLevel>;
+    promotion_requires_human_approval: z.ZodBoolean;
+    block_ai_attribution: z.ZodDefault<z.ZodBoolean>;
+    blocked_paths: z.ZodArray<z.ZodString, "many">;
+    notification_channel: z.ZodDefault<z.ZodString>;
+    injection_detection: z.ZodOptional<z.ZodEnum<["block", "warn"]>>;
+    context_protection: z.ZodOptional<z.ZodObject<{
+        delegate_to_subagent: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        max_bash_output_lines: z.ZodOptional<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        delegate_to_subagent: string[];
+        max_bash_output_lines?: number | undefined;
+    }, {
+        delegate_to_subagent?: string[] | undefined;
+        max_bash_output_lines?: number | undefined;
+    }>>;
+}, "strict", z.ZodTypeAny, {
+    version: string;
+    profile: string;
+    installed_by: string;
+    installed_at: string;
+    autonomy_level: AutonomyLevel;
+    max_autonomy_level: AutonomyLevel;
+    promotion_requires_human_approval: boolean;
+    block_ai_attribution: boolean;
+    blocked_paths: string[];
+    notification_channel: string;
+    injection_detection?: "block" | "warn" | undefined;
+    context_protection?: {
+        delegate_to_subagent: string[];
+        max_bash_output_lines?: number | undefined;
+    } | undefined;
+}, {
+    version: string;
+    profile: string;
+    installed_by: string;
+    installed_at: string;
+    autonomy_level: AutonomyLevel;
+    max_autonomy_level: AutonomyLevel;
+    promotion_requires_human_approval: boolean;
+    blocked_paths: string[];
+    block_ai_attribution?: boolean | undefined;
+    notification_channel?: string | undefined;
+    injection_detection?: "block" | "warn" | undefined;
+    context_protection?: {
+        delegate_to_subagent?: string[] | undefined;
+        max_bash_output_lines?: number | undefined;
+    } | undefined;
+}>;
+/**
+ * Async policy loader with TTL cache and mtime-based invalidation.
+ *
+ * TTL is configurable via REA_POLICY_CACHE_TTL_MS.
+ *
+ * SECURITY: mtime invalidation ensures a tightened policy takes effect on the next call.
+ * CONCURRENCY: inflightReads map guarantees at most one disk read per baseDir at a time.
+ */
+export declare function loadPolicyAsync(baseDir: string): Promise<Policy>;
+/**
+ * Synchronous policy loader — for CLI startup paths that must be sync.
+ * Does NOT use the cache — always reads from disk.
+ *
+ * Prefer loadPolicyAsync for middleware and any async context.
+ */
+export declare function loadPolicy(baseDir: string): Policy;
+/**
+ * Invalidate the cache for a given baseDir.
+ * Exposed for testing — production code relies on TTL and mtime invalidation.
+ */
+export declare function invalidatePolicyCache(baseDir?: string): void;
+export { PolicySchema };

package/dist/policy/loader.js

@@ -0,0 +1,146 @@
+import fs from 'node:fs';
+import fsPromises from 'node:fs/promises';
+import path from 'node:path';
+import { parse as parseYaml } from 'yaml';
+import { z } from 'zod';
+import { AutonomyLevel } from './types.js';
+const LEVEL_ORDER = {
+    [AutonomyLevel.L0]: 0,
+    [AutonomyLevel.L1]: 1,
+    [AutonomyLevel.L2]: 2,
+    [AutonomyLevel.L3]: 3,
+};
+const ContextProtectionSchema = z.object({
+    delegate_to_subagent: z.array(z.string()).default([]),
+    max_bash_output_lines: z.number().int().positive().optional(),
+});
+const PolicySchema = z
+    .object({
+    version: z.string(),
+    profile: z.string(),
+    installed_by: z.string(),
+    installed_at: z.string(),
+    autonomy_level: z.nativeEnum(AutonomyLevel),
+    max_autonomy_level: z.nativeEnum(AutonomyLevel),
+    promotion_requires_human_approval: z.boolean(),
+    block_ai_attribution: z.boolean().default(false),
+    blocked_paths: z.array(z.string()),
+    notification_channel: z.string().default(''),
+    injection_detection: z.enum(['block', 'warn']).optional(),
+    context_protection: ContextProtectionSchema.optional(),
+})
+    .strict();
+const DEFAULT_CACHE_TTL_MS = 30_000;
+const POLICY_DIR = '.rea';
+const POLICY_FILE = 'policy.yaml';
+/**
+ * SECURITY: Cache never serves a more permissive policy than disk.
+ * mtime invalidation ensures policy tightening takes effect before TTL expires.
+ */
+const policyCache = new Map();
+const inflightReads = new Map();
+/**
+ * Convert `{ key: undefined }` to omitted keys so Policy satisfies
+ * exactOptionalPropertyTypes. Zod defaults produce explicit undefined.
+ */
+function stripUndefined(input) {
+    const result = {};
+    for (const [k, v] of Object.entries(input)) {
+        if (v !== undefined)
+            result[k] = v;
+    }
+    return result;
+}
+function applyMaxCeiling(policy) {
+    if (LEVEL_ORDER[policy.autonomy_level] > LEVEL_ORDER[policy.max_autonomy_level]) {
+        console.error(`[rea] WARNING: autonomy_level ${policy.autonomy_level} exceeds max_autonomy_level ${policy.max_autonomy_level} — clamping to ${policy.max_autonomy_level}`);
+        return { ...policy, autonomy_level: policy.max_autonomy_level };
+    }
+    return policy;
+}
+function parseRawPolicy(raw, policyPath) {
+    let parsed;
+    try {
+        parsed = parseYaml(raw);
+    }
+    catch (yamlErr) {
+        throw new Error(`Failed to parse policy YAML at ${policyPath}: ${yamlErr instanceof Error ? yamlErr.message : yamlErr}`);
+    }
+    let parsedPolicy;
+    try {
+        parsedPolicy = PolicySchema.parse(parsed);
+    }
+    catch (zodErr) {
+        throw new Error(`Invalid policy schema at ${policyPath}: ${zodErr instanceof Error ? zodErr.message : zodErr}`);
+    }
+    return applyMaxCeiling(stripUndefined(parsedPolicy));
+}
+function policyPathFor(baseDir) {
+    return path.join(baseDir, POLICY_DIR, POLICY_FILE);
+}
+async function readPolicyFromDisk(baseDir, policyPath, currentMtime) {
+    const raw = await fsPromises.readFile(policyPath, 'utf8');
+    const policy = parseRawPolicy(raw, policyPath);
+    policyCache.set(baseDir, { policy, cachedAt: Date.now(), mtimeMs: currentMtime });
+    return policy;
+}
+/**
+ * Async policy loader with TTL cache and mtime-based invalidation.
+ *
+ * TTL is configurable via REA_POLICY_CACHE_TTL_MS.
+ *
+ * SECURITY: mtime invalidation ensures a tightened policy takes effect on the next call.
+ * CONCURRENCY: inflightReads map guarantees at most one disk read per baseDir at a time.
+ */
+export async function loadPolicyAsync(baseDir) {
+    const policyPath = policyPathFor(baseDir);
+    const ttlMs = Number(process.env.REA_POLICY_CACHE_TTL_MS ?? DEFAULT_CACHE_TTL_MS);
+    const now = Date.now();
+    let currentMtime;
+    try {
+        const stat = await fsPromises.stat(policyPath);
+        currentMtime = stat.mtimeMs;
+    }
+    catch {
+        throw new Error(`Policy file not found: ${policyPath}`);
+    }
+    const cached = policyCache.get(baseDir);
+    if (cached !== undefined && cached.mtimeMs === currentMtime && now - cached.cachedAt < ttlMs) {
+        return cached.policy;
+    }
+    const inflight = inflightReads.get(baseDir);
+    if (inflight)
+        return inflight;
+    const read = readPolicyFromDisk(baseDir, policyPath, currentMtime).finally(() => {
+        inflightReads.delete(baseDir);
+    });
+    inflightReads.set(baseDir, read);
+    return read;
+}
+/**
+ * Synchronous policy loader — for CLI startup paths that must be sync.
+ * Does NOT use the cache — always reads from disk.
+ *
+ * Prefer loadPolicyAsync for middleware and any async context.
+ */
+export function loadPolicy(baseDir) {
+    const policyPath = policyPathFor(baseDir);
+    if (!fs.existsSync(policyPath)) {
+        throw new Error(`Policy file not found: ${policyPath}`);
+    }
+    const raw = fs.readFileSync(policyPath, 'utf8');
+    return parseRawPolicy(raw, policyPath);
+}
+/**
+ * Invalidate the cache for a given baseDir.
+ * Exposed for testing — production code relies on TTL and mtime invalidation.
+ */
+export function invalidatePolicyCache(baseDir) {
+    if (baseDir === undefined) {
+        policyCache.clear();
+    }
+    else {
+        policyCache.delete(baseDir);
+    }
+}
+export { PolicySchema };

package/dist/policy/types.d.ts

@@ -0,0 +1,34 @@
+export declare enum Tier {
+    Read = "read",
+    Write = "write",
+    Destructive = "destructive"
+}
+export declare enum AutonomyLevel {
+    L0 = "L0",
+    L1 = "L1",
+    L2 = "L2",
+    L3 = "L3"
+}
+export declare enum InvocationStatus {
+    Allowed = "allowed",
+    Denied = "denied",
+    Error = "error"
+}
+export interface ContextProtection {
+    delegate_to_subagent: string[];
+    max_bash_output_lines?: number;
+}
+export interface Policy {
+    version: string;
+    profile: string;
+    installed_by: string;
+    installed_at: string;
+    autonomy_level: AutonomyLevel;
+    max_autonomy_level: AutonomyLevel;
+    promotion_requires_human_approval: boolean;
+    block_ai_attribution: boolean;
+    blocked_paths: string[];
+    notification_channel: string;
+    injection_detection?: 'block' | 'warn';
+    context_protection?: ContextProtection;
+}

package/dist/policy/types.js

@@ -0,0 +1,19 @@
+export var Tier;
+(function (Tier) {
+    Tier["Read"] = "read";
+    Tier["Write"] = "write";
+    Tier["Destructive"] = "destructive";
+})(Tier || (Tier = {}));
+export var AutonomyLevel;
+(function (AutonomyLevel) {
+    AutonomyLevel["L0"] = "L0";
+    AutonomyLevel["L1"] = "L1";
+    AutonomyLevel["L2"] = "L2";
+    AutonomyLevel["L3"] = "L3";
+})(AutonomyLevel || (AutonomyLevel = {}));
+export var InvocationStatus;
+(function (InvocationStatus) {
+    InvocationStatus["Allowed"] = "allowed";
+    InvocationStatus["Denied"] = "denied";
+    InvocationStatus["Error"] = "error";
+})(InvocationStatus || (InvocationStatus = {}));

package/hooks/_lib/common.sh

@@ -0,0 +1,105 @@
+#!/bin/bash
+# hooks/_lib/common.sh — shared utilities for rea hooks
+# Source via: source "$(dirname "$0")/_lib/common.sh"
+
+# Find the .rea/ directory by walking up from CLAUDE_PROJECT_DIR or cwd
+rea_root() {
+  local dir="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+  while [[ "$dir" != "/" ]]; do
+    if [[ -d "$dir/.rea" ]]; then
+      printf '%s' "$dir"
+      return 0
+    fi
+    dir=$(dirname "$dir")
+  done
+  # Fallback to CLAUDE_PROJECT_DIR or cwd
+  printf '%s' "${CLAUDE_PROJECT_DIR:-$(pwd)}"
+}
+
+# Exit with code 2 if .rea/HALT exists
+check_halt() {
+  local root
+  root=$(rea_root)
+  local halt_file="${root}/.rea/HALT"
+  if [ -f "$halt_file" ]; then
+    printf 'REA HALT: %s\nAll agent operations suspended. Run: rea unfreeze\n' \
+      "$(head -c 1024 "$halt_file" 2>/dev/null || echo 'Reason unknown')" >&2
+    exit 2
+  fi
+}
+
+# Verify jq is available, exit 2 if not
+require_jq() {
+  if ! command -v jq >/dev/null 2>&1; then
+    printf 'REA ERROR: jq is required but not installed.\n' >&2
+    printf 'Install: brew install jq  OR  apt-get install -y jq\n' >&2
+    exit 2
+  fi
+}
+
+# Build a structured JSON response for hook output
+# Usage: json_output "status" "message" ["decision"]
+#   status: "block" | "allow" | "advisory"
+#   message: human-readable description
+#   decision: optional additionalContext for the agent
+json_output() {
+  local status="$1"
+  local message="$2"
+  local decision="${3:-}"
+
+  if [[ "$status" == "block" ]]; then
+    printf '%s\n' "$message" >&2
+    if [[ -n "$decision" ]]; then
+      printf '%s\n' "$decision" >&2
+    fi
+    exit 2
+  elif [[ "$status" == "advisory" ]]; then
+    printf '%s\n' "$message" >&2
+    exit 0
+  else
+    exit 0
+  fi
+}
+
+# Exit 0 (skip) if the project's tech_profile does not match the expected type.
+# Usage: check_project_type "lit-wc"
+# Reads tech_profile from .rea/policy.yaml; if absent or mismatched, exits 0.
+check_project_type() {
+  local expected_type="$1"
+  local root
+  root=$(rea_root)
+  local policy="${root}/.rea/policy.yaml"
+  if [[ ! -f "$policy" ]]; then
+    exit 0
+  fi
+  local actual_type
+  actual_type=$(grep -E '^tech_profile:' "$policy" 2>/dev/null | sed 's/^tech_profile:[[:space:]]*//' | tr -d '"' || echo "")
+  if [[ -z "$actual_type" || "$actual_type" != "$expected_type" ]]; then
+    exit 0
+  fi
+}
+
+# Score a diff for triage purposes
+# Reads from stdin (expects unified diff output)
+# Returns: "trivial" (<20 lines), "standard" (20-200), "significant" (>200)
+# Also checks for sensitive paths — upgrades to "significant" if found
+triage_score() {
+  local diff_input
+  diff_input=$(cat)
+  local line_count
+  line_count=$(printf '%s' "$diff_input" | grep -cE '^\+[^+]|^-[^-]' 2>/dev/null || echo "0")
+
+  # Check for sensitive paths
+  local sensitive=0
+  if printf '%s' "$diff_input" | grep -qE '^\+\+\+ .*(\.rea/|\.claude/|\.env|auth|security|\.github/workflows)'; then
+    sensitive=1
+  fi
+
+  if [[ $sensitive -eq 1 ]] || [[ $line_count -gt 200 ]]; then
+    printf 'significant'
+  elif [[ $line_count -ge 20 ]]; then
+    printf 'standard'
+  else
+    printf 'trivial'
+  fi
+}

package/hooks/_lib/halt-check.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+# hooks/_lib/halt-check.sh — HALT gate helper for rea hooks
+# Source via: source "$(dirname "$0")/_lib/halt-check.sh"
+#
+# Every hook that can block a tool call must gate on .rea/HALT. When the file
+# exists, all agent operations are suspended — the hook must deny the tool
+# call with a clear error that surfaces the file's contents so the operator
+# knows why the system was frozen.
+
+set -euo pipefail
+
+# Find the .rea/ directory by walking up from CLAUDE_PROJECT_DIR or cwd.
+# Falls back to CLAUDE_PROJECT_DIR or the current working directory when no
+# .rea/ ancestor is found (which is fine — check_halt will simply no-op).
+rea_root() {
+  local dir="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+  while [[ "$dir" != "/" ]]; do
+    if [[ -d "$dir/.rea" ]]; then
+      printf '%s' "$dir"
+      return 0
+    fi
+    dir=$(dirname "$dir")
+  done
+  printf '%s' "${CLAUDE_PROJECT_DIR:-$(pwd)}"
+}
+
+# Exit with code 2 (deny) if .rea/HALT exists.
+# Prints the first 1024 bytes of HALT to stderr so the operator sees the
+# reason the system was frozen. Safe to call from any hook.
+check_halt() {
+  local root
+  root=$(rea_root)
+  local halt_file="${root}/.rea/HALT"
+  if [ -f "$halt_file" ]; then
+    printf 'REA HALT: %s\nAll agent operations suspended. Run: rea unfreeze\n' \
+      "$(head -c 1024 "$halt_file" 2>/dev/null || echo 'Reason unknown')" >&2
+    exit 2
+  fi
+}

package/hooks/_lib/policy-read.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+# hooks/_lib/policy-read.sh — policy.yaml read helpers for rea hooks
+# Source via: source "$(dirname "$0")/_lib/policy-read.sh"
+#
+# Minimal shell-only parsers for .rea/policy.yaml. Keeps hooks dependency-free
+# (no yq required). Functions assume the caller has already resolved the
+# project root via rea_root() from halt-check.sh, but will re-derive it if
+# REA_ROOT is unset.
+
+set -euo pipefail
+
+# Resolve the path to .rea/policy.yaml for the current project.
+# Prints an empty string if no policy file is found — callers should treat
+# a missing policy as "default / advisory" rather than an error.
+policy_path() {
+  local root="${REA_ROOT:-}"
+  if [[ -z "$root" ]]; then
+    if command -v rea_root >/dev/null 2>&1; then
+      root=$(rea_root)
+    else
+      root="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+    fi
+  fi
+  local policy="${root}/.rea/policy.yaml"
+  if [[ -f "$policy" ]]; then
+    printf '%s' "$policy"
+  fi
+}
+
+# Read a top-level scalar field from policy.yaml.
+# Usage: policy_scalar "autonomy_level"
+# Strips surrounding quotes. Prints empty string when unset or no policy.
+policy_scalar() {
+  local key="$1"
+  local policy
+  policy=$(policy_path)
+  [[ -z "$policy" ]] && return 0
+  grep -E "^${key}:" "$policy" 2>/dev/null \
+    | head -n1 \
+    | sed -E "s/^${key}:[[:space:]]*//; s/^[\"']//; s/[\"']$//"
+}
+
+# Test whether a boolean-valued top-level field is true.
+# Usage: policy_bool_true "block_ai_attribution" && ...
+# Returns 0 when the value is literal "true", 1 otherwise (including missing).
+policy_bool_true() {
+  local key="$1"
+  local value
+  value=$(policy_scalar "$key")
+  [[ "$value" == "true" ]]
+}
+
+# Read a list of scalars from a top-level sequence block.
+# Usage: mapfile -t patterns < <(policy_list "delegate_to_subagent")
+# Handles inline "[]" as empty. Stops at the first non-"-" continuation line.
+policy_list() {
+  local key="$1"
+  local policy
+  policy=$(policy_path)
+  [[ -z "$policy" ]] && return 0
+  local in_block=0
+  while IFS= read -r line; do
+    if printf '%s' "$line" | grep -qE "^[[:space:]]*${key}:"; then
+      if printf '%s' "$line" | grep -qE "${key}:[[:space:]]*\[\]"; then
+        return 0
+      fi
+      in_block=1
+      continue
+    fi
+    if [[ $in_block -eq 1 ]]; then
+      if printf '%s' "$line" | grep -qE '^[[:space:]]*-[[:space:]]'; then
+        printf '%s' "$line" | sed -E "s/^[[:space:]]*-[[:space:]]*//; s/^[\"']//; s/[\"']$//"
+        printf '\n'
+      else
+        return 0
+      fi
+    fi
+  done < "$policy"
+}

package/hooks/architecture-review-gate.sh

@@ -0,0 +1,84 @@
+#!/bin/bash
+# PostToolUse hook: architecture-review-gate.sh
+# Fires AFTER every Write or Edit tool call.
+# Lightweight advisory: flags when writing to architecture-sensitive paths.
+# Does NOT block — only returns advisory context.
+#
+# Exit codes:
+#   0 = always (advisory only, never blocks)
+
+set -uo pipefail
+
+# ── 1. Read ALL stdin immediately ─────────────────────────────────────────────
+INPUT=$(cat)
+
+# ── 2. Dependency check ──────────────────────────────────────────────────────
+if ! command -v jq >/dev/null 2>&1; then
+  exit 0
+fi
+
+# ── 3. HALT check ────────────────────────────────────────────────────────────
+REA_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+HALT_FILE="${REA_ROOT}/.rea/HALT"
+if [ -f "$HALT_FILE" ]; then
+  printf 'REA HALT: %s\nAll agent operations suspended. Run: rea unfreeze\n' \
+    "$(head -c 1024 "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
+  exit 2
+fi
+
+# ── 4. Check if enabled ──────────────────────────────────────────────────────
+POLICY_FILE="${REA_ROOT}/.rea/policy.yaml"
+if [[ -f "$POLICY_FILE" ]]; then
+  if grep -qE 'architecture_advisory:[[:space:]]*false' "$POLICY_FILE" 2>/dev/null; then
+    exit 0
+  fi
+fi
+
+# ── 5. Extract file path ─────────────────────────────────────────────────────
+FILE_PATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+
+if [[ -z "$FILE_PATH" ]]; then
+  exit 0
+fi
+
+# Normalize to relative path
+if [[ "$FILE_PATH" == "$REA_ROOT"/* ]]; then
+  FILE_PATH="${FILE_PATH#$REA_ROOT/}"
+fi
+
+# ── 6. Check architecture-sensitive paths ─────────────────────────────────────
+ARCH_PATTERNS=(
+  'src/types/'
+  'src/gateway/'
+  'src/config/'
+  'src/cli/commands/init/'
+  'hooks/_lib/'
+  'templates/'
+  'profiles/'
+)
+
+MATCHED=""
+for pattern in "${ARCH_PATTERNS[@]}"; do
+  if [[ "$FILE_PATH" == "$pattern"* ]]; then
+    MATCHED="$pattern"
+    break
+  fi
+done
+
+if [[ -z "$MATCHED" ]]; then
+  exit 0
+fi
+
+# ── 7. Advisory output ───────────────────────────────────────────────────────
+{
+  printf 'ARCHITECTURE ADVISORY: Sensitive path modified\n'
+  printf '\n'
+  printf '  File: %s\n' "$FILE_PATH"
+  printf '  Category: %s\n' "$MATCHED"
+  printf '\n'
+  printf '  This file is in an architecture-sensitive directory.\n'
+  printf '  Consider: Does this change maintain backward compatibility?\n'
+  printf '  Consider: Should this be reviewed by the principal-engineer agent?\n'
+} >&2
+
+exit 0