@bookedsolid/rea 0.10.3 → 0.12.0

package/README.md

@@ -1,6 +1,6 @@
 # REA
 
-**Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review.**
+**Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and a stateless pre-push Codex review gate.**
 
 [![npm version](https://img.shields.io/npm/v/%40bookedsolid%2Frea?color=cb3837&label=npm)](https://www.npmjs.com/package/@bookedsolid/rea)
 [![CI](https://github.com/bookedsolidtech/rea/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/bookedsolidtech/rea/actions/workflows/ci.yml)
@@ -9,68 +9,169 @@
 [![DCO](https://img.shields.io/badge/DCO-required-green)](https://developercertificate.org/)
 [![Node](https://img.shields.io/badge/node-%3E%3D22-brightgreen)](https://nodejs.org/)
 
-> Status: `0.9.x` — published to npm with provenance. See
+> Status: `0.11.0` — published to npm with SLSA v1 provenance. See
 > [CHANGELOG.md](./CHANGELOG.md) for the per-release history.
 
+REA is a single npm package that gates and audits agentic tool calls made by
+Claude Code — shell commands, filesystem writes, and MCP tool invocations —
+against an operator-defined policy file. It ships an MCP middleware gateway,
+a set of hook scripts, a pre-push Codex review gate, a hash-chained audit
+log, and a hard kill-switch. Every layer fails closed.
+
+**What changed in 0.11.0.** Through 0.10.x the push-review gate asked "has a
+qualifying Codex receipt been recorded for this HEAD SHA?" and consulted a
+`.rea/review-cache.jsonl` + audit-record lookup to decide. Agents spent a
+meaningful fraction of every push cycle fabricating attestations with `rea
+cache set` and `rea audit record codex-review --also-set-cache`, and the
+bash core around the gate grew to ~1,250 lines. 0.11.0 deletes that stack
+and replaces it with a single subcommand — `rea hook push-gate` — that
+**runs Codex on every push**, parses the verdict from the streamed review
+output, writes the findings to `.rea/last-review.json`, and blocks exit
+code `2` on `[P1]` or (by default) `[P2]` findings. Readers landing on
+0.9/0.10-era docs should treat the "record-and-cache" flow as gone — see
+the [migration section](#migration-from-010x) below.
+
+---
+
+## Table of contents
+
+- [Quickstart](#quickstart)
+- [What REA is](#what-rea-is)
+- [What REA is NOT](#what-rea-is-not)
+- [The pre-push Codex gate](#the-pre-push-codex-gate)
+- [MCP gateway](#mcp-gateway)
+- [Policy file](#policy-file)
+- [Hooks shipped](#hooks-shipped)
+- [Slash commands](#slash-commands)
+- [Curated agents](#curated-agents)
+- [CLI reference](#cli-reference)
+- [Migration from 0.10.x](#migration-from-010x)
+- [Contributor quality gates](#contributor-quality-gates)
+- [Threat model and security](#threat-model-and-security)
+- [Non-goals](#non-goals)
+- [License and contributing](#license-and-contributing)
+
 ---
 
-## Installation
+## Quickstart
 
 ```bash
 npx @bookedsolid/rea init
 ```
 
-The `init` command is an interactive wizard. It detects your project, writes
-`.rea/policy.yaml`, copies hooks and slash commands into `.claude/`, wires
-`.mcp.json` to run `rea serve` as a governance gateway, installs a
-`.husky/commit-msg` hook, and appends a managed fragment to `CLAUDE.md`.
+The `init` wizard detects your project, writes `.rea/policy.yaml`, copies
+curated hooks and slash commands into `.claude/`, wires `.mcp.json` to run
+`rea serve` as a governance gateway, installs `.husky/commit-msg` and
+`.husky/pre-push` hooks, and appends a managed fragment to `CLAUDE.md`. Run
+it non-interactively with `-y`:
+
+```bash
+npx @bookedsolid/rea init -y --profile bst-internal
+```
+
+Node 22+ and pnpm 9.12+ are required. The package is published with npm
+provenance (SLSA v1) from the `main` branch via GitHub Actions OIDC.
+
+**Your first push.** After a feature commit, `git push` will:
+
+1. `.husky/pre-push` checks `.rea/HALT` and delegates to `rea hook push-gate`.
+2. `rea hook push-gate` loads `.rea/policy.yaml`, resolves a base ref, and
+   shells out to `codex exec review --base <ref> --json --ephemeral`.
+3. Codex streams JSONL events back; the gate parses `[P1]`/`[P2]`/`[P3]`
+   findings out of the `agent_message` text.
+4. A severity-sorted summary is printed to stderr; full findings with file
+   and line detail are written atomically to `.rea/last-review.json`.
+5. An audit record (`rea.push_gate.reviewed`) is appended to
+   `.rea/audit.jsonl`.
+6. Exit code is `0` (pass), `1` (HALT), or `2` (blocked by verdict or
+   Codex error).
+
+On a blocking verdict the push fails; the in-session Claude agent reads the
+stderr summary and the `.rea/last-review.json` payload, fixes the issues,
+commits, and pushes again. No cache, no receipt to fabricate.
 
-Node 22+ and pnpm 9+ required.
+Verify the install:
+
+```bash
+rea doctor
+```
+
+Freeze everything if something unexpected happens:
+
+```bash
+rea freeze --reason "incident triage; investigate unexpected .env write"
+# later
+rea unfreeze
+```
+
+---
 
 ## What REA is
 
-REA is a governance layer for Claude Code. It is a single npm package that
-ships four things:
-
-1. A **hook layer** — 14 shell scripts total. 12 are registered in the
-   shipped `.claude/settings.json` and fire on Claude Code's `PreToolUse`
-   / `PostToolUse` events (secret scanning, dangerous-command
-   interception, blocked-path protection, settings protection,
-   attribution rejection, env-file protection, disclosure-policy
-   routing, dependency audit, changeset security, architecture advisory,
-   PR-issue-link advisory, and the Claude-Code push-review adapter).
-   One more shipped hook, `commit-review-gate.sh`, is a Claude
-   `PreToolUse: Bash` hook that matches `git commit` — it is shipped
-   ready-to-wire but intentionally NOT registered in the default
-   `.claude/settings.json`, so operators who want commit-time review can
-   opt in by adding a rule. The final script,
-   `push-review-gate-git.sh`, is a thin native-git adapter that sources
-   `hooks/_lib/push-review-core.sh` (the same shared core used by the
-   Claude-Code push-review adapter), so a fix to the push-review logic
-   lands in one place. It ships for consumers who manually configure
-   a wrapper-based `.husky/pre-push` (and as scaffolding for a future
-   installer revision). The default `rea init` installer emits a
-   standalone inline `.husky/pre-push` body instead of wiring the
-   adapter — see the Hooks section for details.
-2. A **gateway layer** — an MCP server (`rea serve`) that proxies downstream
-   MCP servers through a middleware chain. Every tool call — native or
-   proxied — is classified, policy-checked, redacted, audited, and
-   size-capped before it executes. The gateway also supervises downstream
-   child processes: unexpected deaths are detected eagerly, the circuit
-   breaker never reuses a zombie client, and a `SESSION_BLOCKER` audit
-   event fires when a downstream crosses the per-session failure threshold.
-3. A **policy runtime** — `.rea/policy.yaml` with a strict zod-validated
-   schema. Defines autonomy level, a hard ceiling (`max_autonomy_level`),
-   blocked paths, attribution rules, context protection, redaction and
-   injection tuning, review/cache knobs, and an optional Discord
-   notification webhook.
-4. A **kill switch** — `.rea/HALT` is a single file. If it exists, every
-   tool call is denied at the middleware and hook layers. Use
-   `rea freeze --reason "..."` to create it and `rea unfreeze --reason "..."`
-   to remove it.
-
-REA is one tool that does one thing: gate and audit agentic tool calls
-against operator-defined policy. That is the whole product.
+REA is a governance layer for Claude Code. It ships four things.
+
+### 1. A policy runtime
+
+`.rea/policy.yaml`, validated by a strict zod schema — unknown fields are
+**rejected**, not ignored. The policy defines:
+
+- `autonomy_level` (L0–L3) and a hard `max_autonomy_level` ceiling
+- `blocked_paths` (globs; `.rea/` is always blocked regardless)
+- `block_ai_attribution` — enforced by the commit-msg hook
+- `review.codex_required` — whether the pre-push gate runs Codex at all
+- `review.concerns_blocks` — whether `[P2]` verdicts halt the push
+- `review.timeout_ms` — hard cap on the Codex subprocess
+- Redaction patterns, injection tuning, audit rotation, and MCP gateway knobs
+
+Policy is re-read on every middleware invocation and every hook run. Editing
+`.rea/policy.yaml` takes effect on the next tool call — no restart, no
+cache invalidation.
+
+### 2. A kill switch
+
+`.rea/HALT` is a single file. If it exists, every governed tool call is
+denied — the MCP gateway middleware returns an error, the bash hooks `exit
+1`, and the pre-push gate returns exit `1` with the reason printed to
+stderr. Use `rea freeze --reason "..."` to create it and `rea unfreeze` to
+remove it. Both operations write audit records. The middleware never
+clears HALT on its own.
+
+HALT is checked before policy in every flow. A corrupted `.rea/policy.yaml`
+does not prevent the kill-switch from firing.
+
+### 3. A hook layer
+
+Eleven shell scripts ship in `hooks/` and are copied into `.claude/hooks/`
+by `rea init`. All eleven are wired into the default `.claude/settings.json`
+and fire on Claude Code's `PreToolUse` / `PostToolUse` events (secret
+scanning, dangerous-command interception, blocked-path enforcement,
+settings protection, attribution rejection, env-file protection,
+disclosure-policy routing, dependency audit, changeset security,
+PR-issue-link advisory, architecture advisory). Each hook uses
+`set -euo pipefail` (or `set -uo pipefail` for stdin-JSON consumers) and
+runs a HALT check near the top. See [Hooks shipped](#hooks-shipped) for
+the full inventory.
+
+The hook layer runs independently of the MCP gateway — bypassing one does
+not disable the other. That redundancy is intentional.
+
+### 4. An MCP gateway
+
+`rea serve` is an MCP stdio server that proxies downstream MCP servers
+declared in `.rea/registry.yaml` through a middleware chain. Every tool
+call — native rea tools or proxied downstream tools — is classified,
+policy-checked, redacted, audited, and size-capped before it executes. See
+[MCP gateway](#mcp-gateway) for the chain ordering and supervisor
+behavior.
+
+**Plus** a stateless pre-push Codex review gate (new in 0.11.0) that fires
+via `.husky/pre-push` on every `git push` and is covered in the next
+section.
+
+REA does one thing: gate and audit agentic tool calls against
+operator-defined policy. That is the whole product.
+
+---
 
 ## What REA is NOT
 
@@ -78,187 +179,258 @@ These are non-goals. PRs adding any of these will be closed with a pointer
 to build a separate package that composes with REA.
 
 - **Not a project manager.** No task CRUD, no GitHub issue sync, no board
-  scaffolding. No `task_create`, `task_update`, `repo_scaffold`.
+  scaffolding.
 - **Not an Obsidian integration.** No vault journaling, no note creation,
-  no precompact summaries, no pre/post-compact Obsidian hooks.
-- **Not an account manager.** No `rea account add/list/env/rotate/remove`.
-  No Keychain, no OAuth, no multi-tenant token vault. Env vars only.
-- **Not a Discord bot.** No Discord MCP tools. A Discord webhook URL in
-  `policy.yaml` is the maximum surface area — one outbound POST, opt-in.
+  no pre/post-compact hooks.
+- **Not an account manager.** No `rea account` tree, no Keychain, no OAuth,
+  no multi-tenant token vault. Env vars only.
+- **Not a Discord bot.** A Discord webhook URL in `policy.yaml` is the
+  entire surface area — one outbound POST, opt-in, no MCP tools.
 - **Not a daemon supervisor.** `rea serve` is started by Claude Code via
   `.mcp.json`. Claude Code owns the lifecycle. There is no `rea start`,
-  no `rea stop`, no systemd unit. A short-lived `.rea/serve.pid`
-  breadcrumb is written at startup so `rea status` can detect a live
-  gateway — it is removed on graceful shutdown and never used for
-  locking or lifecycle management. A per-session `.rea/serve.state.json`
-  snapshot accompanies it for live per-downstream introspection.
-- **Not a hosted service.** There is no REA Cloud, no SaaS tier, no
-  multi-token workstreams, no workload isolation platform.
-- **Not a 70-agent roster.** 10 curated agents ship in the package. Four
-  profiles layer additional specialists on top. No kitchen sink.
+  no `rea stop`, no systemd unit.
+- **Not a hosted service.** No REA Cloud, no SaaS tier, no multi-tenant
+  workload isolation.
+- **Not a 70-agent roster.** Ten curated agents ship in the package.
+  Profiles layer additional specialists.
+- **Not a full policy engine.** No OPA/Rego, no CEL, no attribute-based
+  access control. A YAML file with a small, fixed schema is the entire
+  policy language.
+- **Not a CI replacement.** REA gates agent behavior at author time. CI
+  still runs lint, typecheck, tests, and build on every PR.
+- **Not a secret manager.** REA detects secrets in writes and redacts them
+  in audit records; it does not store, rotate, or provision them.
+
+The non-goals are the product.
 
-The non-goals are the product. Every "but what if we just added X" belongs
-in a separate package.
+---
 
-## Quick start
+## The pre-push Codex gate
 
-### 1. Write a policy
+The 0.11.0 gate is stateless. Every `git push` runs Codex on the diff, and
+the gate's decision is a function of the review output — not of a cached
+receipt or an audit record from a prior run.
 
-`.rea/policy.yaml`:
+### Flow
 
-```yaml
-version: "1"
-profile: "bst-internal"
-autonomy_level: L1
-max_autonomy_level: L2
-promotion_requires_human_approval: true
-blocked_paths:
-  - ".env"
-  - ".env.*"
-  - "secrets/**"
-block_ai_attribution: true
-context_protection:
-  delegate_to_subagent:
-    - "pnpm run preflight"
-    - "pnpm run test"
-    - "pnpm run build"
-  max_bash_output_lines: 100
-notification_channel: "" # optional Discord webhook
+```
+$ git push
+    │
+    ▼
+┌─────────────────────────────────────────────────────────┐
+│ .husky/pre-push                                         │
+│   1. Check .rea/HALT — exit 1 if present                │
+│   2. Locate rea binary (node_modules, dist, PATH, npx)  │
+│   3. exec rea hook push-gate "$@"                       │
+└─────────────────────────────────────────────────────────┘
+    │
+    ▼
+┌─────────────────────────────────────────────────────────┐
+│ rea hook push-gate                                      │
+│   1. HALT check (again, defense-in-depth)               │
+│   2. Load .rea/policy.yaml (zod-validated)              │
+│   3. codex_required=false → status:disabled, exit 0     │
+│   4. REA_SKIP_PUSH_GATE / REA_SKIP_CODEX_REVIEW=<reason>│
+│      → skipped, exit 0 (audit records skip_var)         │
+│   5. Parse pre-push stdin refspecs                      │
+│   6. Resolve base ref (--base → --last-n-commits N      │
+│      → policy.review.last_n_commits → refspec →         │
+│      upstream → origin/HEAD → main/master → empty-tree) │
+│   7. Empty-diff check → status:empty-diff, exit 0       │
+│   8. codex exec review --base <ref> --json --ephemeral  │
+│   9. Parse [P1]/[P2]/[P3] findings                      │
+│  10. Infer verdict: P1 → blocking; else P2 → concerns;  │
+│      else pass                                          │
+│  11. Atomic write .rea/last-review.json (redacted)      │
+│  12. Render stderr banner                               │
+│  13. Append audit record rea.push_gate.reviewed         │
+│  14. Exit 0 (pass/disabled/skipped/empty-diff) |        │
+│       1 (HALT) | 2 (blocked, timeout, or error)         │
+└─────────────────────────────────────────────────────────┘
 ```
 
-`autonomy_level` can be raised up to `max_autonomy_level` and no further.
-The loader rejects the file at parse time if `autonomy_level` exceeds the
-ceiling. The ceiling is set by the human operator and never by an agent.
-
-### 2. Freeze when you need to stop everything
+### Verdicts and exit codes
 
-```bash
-rea freeze --reason "incident triage; investigate unexpected .env write"
+| Verdict | Default behavior | Exit code | Notes |
+| --- | --- | --- | --- |
+| `pass` | Push proceeds | `0` | No `[P1]` or `[P2]` findings in the review |
+| `concerns` | Push blocks (default) | `2` | `[P2]` findings present; override with `REA_ALLOW_CONCERNS=1` or `review.concerns_blocks: false` |
+| `blocking` | Push blocks always | `2` | `[P1]` findings present; no override |
+| HALT | Push blocks | `1` | `.rea/HALT` is active; run `rea unfreeze` |
+| `disabled` | Push proceeds | `0` | `review.codex_required: false` in policy |
+| `skipped` | Push proceeds | `0` | `REA_SKIP_PUSH_GATE=<reason>` or `REA_SKIP_CODEX_REVIEW=<reason>` set; audited |
+| `empty-diff` | Push proceeds | `0` | No file changes between base and head |
+| `error` | Push blocks | `2` | Codex not installed, timeout, subprocess error, malformed policy, head-sha resolution failure |
+
+### The auto-fix loop
+
+Previous gate: pre-run Codex manually, record an attestation with `rea
+audit record codex-review --also-set-cache`, push, and hope the
+attestation's SHA matches the tip. Agents working at speed ended up
+fabricating attestations or running Codex out-of-band and recording the
+verdict without anyone actually reading the output. Friction was paid on
+every push.
+
+New gate: the gate **is** the review. Codex runs on the same diff the push
+is about to send, so the verdict is causally tied to the push. When the
+gate blocks:
+
+1. The stderr banner prints the verdict, base ref, head SHA, finding
+   count, duration, and up to 20 severity-sorted findings with file:line
+   pointers. Because the pre-push hook's stderr reaches Claude as the
+   tool output of `Bash(git push)`, the banner is the primary fast-path
+   signal for the in-session agent.
+2. `.rea/last-review.json` is written atomically with the full findings,
+   each carrying `severity`, `title`, `body`, and optional `file`/`line`.
+   This file is the source of truth for the auto-fix loop — the stderr
+   banner is capped at 20 findings; the JSON is not.
+3. Claude reads both, applies fixes, commits (with `-s` and no AI
+   attribution), and pushes again. The gate runs Codex fresh on the new
+   diff. Repeat until `pass`.
+
+See [CHANGELOG 0.11.0](./CHANGELOG.md) for the longer rationale on why
+the cache-attestation design was removed.
+
+### `.rea/last-review.json` schema
+
+```jsonc
+{
+  "schema_version": 1,
+  "generated_at": "2026-04-22T18:04:01.123Z",
+  "verdict": "blocking",                 // "pass" | "concerns" | "blocking"
+  "base_ref": "origin/main",
+  "head_sha": "c5ec101…",
+  "finding_count": 3,
+  "findings": [
+    {
+      "severity": "P1",                  // "P1" | "P2" | "P3"
+      "title": "missing input validation on /auth/callback",
+      "file": "src/routes/auth.ts",      // optional
+      "line": 42,                        // optional
+      "body": "The callback accepts raw state without…"
+    }
+    // …
+  ],
+  "review_text": "[P1] missing input validation…\n[P2] …",
+  "event_count": 37,
+  "duration_seconds": 12.4
+}
 ```
 
-`rea freeze` writes `.rea/HALT`. Every subsequent tool call is denied
-until an operator runs:
+The file is:
 
-```bash
-rea unfreeze --reason "false alarm — resolved"
-```
+- **Atomic.** Written to `.rea/last-review.json.tmp.<pid>-<rand>`, fsynced,
+  then `rename(2)`d. Partial writes never surface to readers.
+- **Redacted.** Both `findings[].title`/`body` and `review_text` are run
+  through the same `SECRET_PATTERNS` list the redact middleware uses. If
+  Codex quotes a credential out of the diff it never hits disk in cleartext.
+- **Overwritten every push.** There is no rolling history on disk; the
+  audit log is the rolling history.
+- **Gitignored.** The default `rea init` install adds `/.rea/last-review.json`
+  to `.gitignore`.
 
-Both calls produce audit entries. The middleware never clears HALT on
-its own.
+### Environment variables
 
-### 3. Verify the install
+| Variable | Purpose |
+| --- | --- |
+| `REA_SKIP_PUSH_GATE=<reason>` | Value-carrying waiver. When set to a non-empty string, the gate short-circuits to `status:skipped` (exit 0) and appends `rea.push_gate.skipped` with the reason and `skip_var: REA_SKIP_PUSH_GATE` as metadata. HALT **always** wins over this — a frozen install still blocks. Use sparingly; every use is audited. |
+| `REA_SKIP_CODEX_REVIEW=<reason>` | Equivalent alias for `REA_SKIP_PUSH_GATE`, added in 0.12.0. Same exit behavior; audit metadata records `skip_var: REA_SKIP_CODEX_REVIEW` so operators can grep their audit log to see which variant agents used. When both env vars are set, `REA_SKIP_PUSH_GATE` wins. |
+| `REA_ALLOW_CONCERNS=1` | One-push override for `concerns` verdict. Accepts `1`, `true`, or `yes` (case-insensitive). Does **not** override `blocking`. The audit record is stamped `concerns_override: true` so reviewers can see the override was used. |
 
-```bash
-rea doctor
+### Policy knobs
+
+```yaml
+# .rea/policy.yaml
+review:
+  codex_required: true        # default true — run Codex on every push
+  concerns_blocks: true       # default true — [P2] halts the push
+  timeout_ms: 1800000         # default 1800000 (30 minutes; raised from
+                              #   600000 in 0.12.0 — see CHANGELOG)
+  last_n_commits: 10          # OPTIONAL — narrow review to the last N commits
+                              #   (diff vs HEAD~N). Defaults unset.
 ```
 
-`rea doctor` checks `.rea/` directory presence, policy parse, registry
-parse, curated-agent presence, hook coverage, `.claude/settings.json`
-wiring, commit-msg / pre-push git hooks, Codex CLI + agent availability
-(when `codex_required: true`), and the TOFU fingerprint store. It
-returns a pass/fail summary with specific remediation hints. In non-git
-directories (knowledge repos, docs-only projects) the commit-msg and
-pre-push checks are skipped cleanly — REA governs policy and injection
-detection there, not pushes. Audit hash-chain integrity is verified by
-a separate command — `rea check` (on-disk tail) or the full replay
-verifier — not by `rea doctor`.
+| Key | Type | Default | Purpose |
+| --- | --- | --- | --- |
+| `review.codex_required` | boolean | `true` | Master on/off. `false` short-circuits the gate to `status:disabled`, still audited. `-no-codex` profiles set this to `false`. |
+| `review.concerns_blocks` | boolean | `true` | When `true`, `[P2]` verdicts return exit 2. Flip to `false` for a looser posture where only `[P1]` halts the push. |
+| `review.timeout_ms` | number | `1800000` | Hard cap on the `codex exec review` subprocess in milliseconds. Exceeding it kills the subprocess and returns exit 2 with a `timeout` kind. Positive integer; zero/negative is rejected at load. **Raised from 600000 (10 min) to 1800000 (30 min) in 0.12.0** after operator data showed realistic feature-branch reviews routinely exceeded 10 minutes; pin `timeout_ms: 600000` explicitly to retain the old default. |
+| `review.last_n_commits` | number | unset | When set, the gate diffs against `HEAD~N` instead of running the upstream → origin/HEAD → main/master ladder. Useful when a feature branch has accumulated many commits and the full base diff overwhelms the reviewer. Positive integer. CLI `--last-n-commits N` overrides this; `--base <ref>` overrides both. When `HEAD~N` is unreachable the resolver clamps based on whether the repo is a shallow clone: **(full clone, branch shorter than N)** clamps to the empty-tree sentinel so the root commit's changes are included (reviewing all `K+1` commits on the branch); **(shallow clone)** clamps to `HEAD~K` SHA — the deepest locally resolvable ancestor — so the review does not balloon to every tracked file (older history exists on the remote but isn't fetched). A stderr warning surfaces the requested-vs-clamped numbers in both cases. Audit metadata records `base_source: 'last-n-commits'`, `last_n_commits: <count actually reviewed>`, and `last_n_commits_requested: N` (only present when clamped). |
 
-### 4. Watch the running gateway
+### Codex CLI dependency
 
-```bash
-rea status              # human-readable summary
-rea status --json       # JSON — pipe to jq
+The gate shells out to `codex`. **`codex` is a hard prerequisite** when
+`policy.review.codex_required: true` (the default for every profile other
+than the `-no-codex` variants). As of 0.12.0 `rea doctor` runs a
+`codex CLI on PATH` check that **fails** when codex is required by policy
+but the binary is not on `PATH` — surfacing the prereq during install
+rather than at first push:
+
+```
+[fail] codex CLI on PATH
+       codex not found on PATH. policy.review.codex_required: true requires
+       the codex binary. Install: https://github.com/openai/codex
+       (e.g. `npm i -g @openai/codex`). To disable the push-gate instead,
+       set policy.review.codex_required: false in .rea/policy.yaml.
 ```
 
-`rea status` is the live-process view. It reads the pidfile written by
-`rea serve`, verifies the pid is alive, and surfaces the session id,
-policy summary (profile, autonomy, HALT state), audit stats (lines,
-last timestamp, whether the tail record's hash looks well-formed), and
-— as of 0.9.0 — a **per-downstream live block** sourced from
-`.rea/serve.state.json`. Each downstream entry includes:
-
-| Field                       | Type                                 | Meaning                                                         |
-| --------------------------- | ------------------------------------ | --------------------------------------------------------------- |
-| `name`                      | string                               | Registry server name                                            |
-| `connected`                 | boolean                              | MCP client currently holds an open stdio transport              |
-| `healthy`                   | boolean                              | Gateway considers the server safe to route calls to             |
-| `circuit_state`             | `closed` \| `open` \| `half-open`    | Current breaker position                                        |
-| `retry_at`                  | ISO timestamp \| `null`              | Next allowed half-open probe, when `open`                       |
-| `last_error`                | string \| `null`                     | Bounded, redacted diagnostic from the most recent failure       |
-| `tools_count`               | integer \| `null`                    | Tool count from the last successful `tools/list`                |
-| `open_transitions`          | integer                              | Cumulative circuit-open events in this session                  |
-| `session_blocker_emitted`   | boolean                              | Whether `SESSION_BLOCKER` has fired for this server yet         |
-
-`.rea/serve.state.json` is the authoritative live source — it is written
-atomically (temp+rename) on every circuit transition and supervisor
-event, debounced through a 250 ms trailing timer so a flap storm can't
-spam disk. State files written by a pre-0.9.0 gateway degrade gracefully:
-`downstreams` surfaces as `null` with a hint to upgrade.
-
-Use `rea check` when you want the pure on-disk view (policy + HALT +
-tail audit) without probing for a live process.
-
-### 5. Optional Prometheus `/metrics` endpoint
-
-`rea serve` can expose a loopback-only Prometheus endpoint when the
-`REA_METRICS_PORT` environment variable is set:
+If a push is attempted without codex on PATH, the gate also returns exit 2
+with the same install hint:
 
-```bash
-REA_METRICS_PORT=9464 rea serve
-# in another shell
-curl http://127.0.0.1:9464/metrics
+```
+codex CLI not found on PATH. Install with `npm i -g @openai/codex`,
+or set `review.codex_required: false` in .rea/policy.yaml to disable
+the push-gate.
 ```
 
-Metrics exposed: per-downstream call and error counters, in-flight
-gauge, audit-lines-appended counter, circuit-breaker state gauge, and a
-seconds-since-last-HALT-check gauge. The listener binds to `127.0.0.1`
-only, serves only `GET /metrics` (everything else is a fixed-body 404),
-and never binds by default — "no silent listeners" is a design rule.
-There is no TLS; scrape through SSH/a reverse proxy if you need
-cross-host access.
+Operators who do not have Codex available can either:
 
-Set `REA_LOG_LEVEL=debug` for verbose gateway logs; the default is
-`info`. Records are JSON lines on a non-TTY stderr and pretty-printed
-on an interactive terminal.
+- Run `rea init --profile bst-internal-no-codex` (or `open-source-no-codex`),
+  which sets `review.codex_required: false` on install.
+- Flip `review.codex_required: false` in an existing policy file.
 
-### 6. Ask the gateway how it's doing — `__rea__health`
+### Standalone usage
 
-The gateway advertises a single built-in tool, `__rea__health`, in
-every `listTools` response regardless of downstream state. Calling it
-returns a snapshot of gateway version, uptime, HALT state, policy
-summary, and per-downstream health. The handler **short-circuits the
-middleware chain** — it is callable under HALT and at any autonomy
-level — because it is the tool an operator reaches for when everything
-else is frozen. Every invocation still writes an audit record.
+`rea hook push-gate` is invoked by `.husky/pre-push`, but it is also a
+first-class CLI. Run it manually to test a review without pushing:
 
-The wire response is **sanitized by default**: `halt_reason` and
-`downstreams[].last_error` surface as `null`. Full diagnostic detail
-lives in the audit record's metadata (`halt_reason`,
-`downstream_errors[]`) — local disk, hash-chained, not
-LLM-reachable — which is the right sink for trusted-operator text.
+```bash
+# Review the working tree against the resolved base (@{upstream}, else
+# origin/HEAD, else main/master, else empty-tree).
+rea hook push-gate
 
-Operators who genuinely need error strings on the MCP wire can opt in:
+# Review against an explicit base.
+rea hook push-gate --base origin/main
+rea hook push-gate --base refs/remotes/upstream/main
 
-```yaml
-# .rea/policy.yaml
-gateway:
-  health:
-    expose_diagnostics: true
+# Narrow the review to the last N commits (diff vs HEAD~N). Loses to
+# --base when both are set; mirrors policy.review.last_n_commits.
+rea hook push-gate --last-n-commits 10
 ```
 
-Opt-in mode still runs the full sanitizer pass: `redactSecrets` replaces
-known secret patterns with `[REDACTED:*]`, `classifyInjection` replaces
-any non-`clean` diagnostic string (verdicts `suspicious` or
-`likely_injection`) with the exported `INJECTION_REDACTED_PLACEHOLDER`
-token — the literal string `<redacted: suspected injection>` — and
-oversize values are bounded before scanning so an adversarial downstream
-can't DoS the tool with a multi-megabyte error.
+Exit codes match the pre-push contract. The JSON payload is written to
+`.rea/last-review.json` regardless of invocation context.
 
-## Architecture
+### What happens to a protected ref?
+
+The gate has no concept of protected vs. unprotected branches; it reviews
+whatever diff git is about to push. Protect-main is enforced by GitHub
+branch protection (required status checks, required reviews, no direct
+pushes to `main`), not by the gate. The gate's job is to surface blocking
+issues before the push reaches the remote.
+
+---
+
+## MCP gateway
+
+`rea serve` is an MCP stdio server. Claude Code starts it via `.mcp.json`
+at the start of a session; it runs for the life of that session. The
+server proxies downstream MCP servers declared in `.rea/registry.yaml`
+through a fixed middleware chain.
 
 ### Middleware chain
 
-Every native MCP tool call AND every proxied downstream call flows through
+Every native rea tool call AND every proxied downstream call flows through
 one chain. The order matters — each layer fails closed.
 
 ```
@@ -273,13 +445,14 @@ tool call
 │ blocked-paths      — .rea/ + operator paths       │
 │ rate-limit         — token bucket per server      │
 │ circuit-breaker    — trip on downstream failure   │
+│ injection (args)   — prompt-injection in args     │
 │ redact (args)      — secrets in arguments         │
 │                                                   │
 │ ==== EXECUTE ====                                 │
 │                                                   │
 │ result-size-cap    — bounded response             │
 │ redact (result)    — secrets in result            │
-│ injection          — prompt-injection in result   │
+│ injection (result) — prompt-injection in result   │
 │ audit.exit         — hash-chained record close    │
 └───────────────────────────────────────────────────┘
     │
@@ -287,415 +460,524 @@ tool call
 result
 ```
 
-`.rea/` is hardcoded as an always-blocked path. It cannot be unblocked
-from policy. Policy is re-read on every invocation — any edit to
-`policy.yaml` takes effect on the next tool call.
-
-The `__rea__health` meta-tool is the one documented exception: it
-short-circuits the chain (see §6 above) and writes an audit record from
-the short-circuit handler itself.
-
-### Gateway supervisor
-
-Downstream MCP servers run as child processes over stdio. The
-`DownstreamConnection` wrapper wires the SDK `StdioClientTransport`'s
-`onclose` + `onerror` callbacks, so an unexpected child death — OS
-OOM-kill, unhandled exception in the child, stdio pipe error outside a
-caller-initiated close — is detected **eagerly**: the client and
-transport are nulled before the next `callTool` tries to use them. The
-following call forces a genuine reconnect rather than invoking through a
-stale handle.
-
-"Not connected" errors from the SDK (the in-flight fallback) are
-promoted to the same respawn path with the same eager invalidation.
-A 30-second flapping guard refuses a second reconnect that lands too
-quickly after the previous one — the child is clearly unhealthy and the
-circuit breaker is a better place to handle it.
-
-`SessionBlockerTracker` subscribes to circuit-breaker
-`onStateChange` events and counts circuit-open transitions per
-`(session_id, server_name)`. Once the threshold (default: 3) is
-crossed, exactly one `SESSION_BLOCKER` audit record is appended and a
-LOUD structured log line is emitted — subsequent opens do not re-fire
-until recovery (a transition to `closed`) re-arms the emit. A new
-session (new `rea serve` process) drops every counter and starts fresh.
-
-### Live state
-
-`.rea/serve.state.json` is the on-disk live snapshot. It is written
-once at boot and again on every circuit transition or supervisor event,
-debounced through a 250 ms trailing timer and flushed atomically via
-temp-file + rename. The snapshot carries a `session_id` (boot-time
-ownership key) and `owner_pid`; a newly-started `rea serve` whose
-predecessor crashed without cleanup can detect the abandoned file and
-take over ownership rather than stalling forever. `rea status` is a
-read-only consumer of this file.
+`.rea/` is hardcoded as an always-blocked path. It cannot be unblocked from
+policy. Policy is re-read on every invocation — any edit to `policy.yaml`
+takes effect on the next tool call.
+
+### `__rea__health` meta-tool
+
+The gateway advertises a single built-in tool, `__rea__health`, in every
+`listTools` response. Calling it returns gateway version, uptime, HALT
+state, policy summary, and per-downstream health. The handler
+**short-circuits the middleware chain** — it is callable under HALT and at
+any autonomy level — because it is the tool an operator reaches for when
+everything else is frozen. Every invocation still writes an audit record.
+
+The wire response is sanitized by default: `halt_reason` and
+`downstreams[].last_error` surface as `null`. Full detail lives in the
+audit record. Operators who genuinely need error strings on the MCP wire
+can opt in via `policy.gateway.health.expose_diagnostics: true`; the
+short-circuit still runs the full redact + injection-classify sanitizer
+pass before emitting.
+
+### Audit log
+
+`.rea/audit.jsonl` is a hash-chained, append-only JSONL file. Each record
+is a single line with:
+
+- `seq` — monotonic integer
+- `ts` — ISO-8601 UTC
+- `session_id` — generated at `rea serve` boot
+- `server_name`, `tool_name`, `tier` (`read` | `write` | `destructive`)
+- `status` (`allowed` | `denied` | `error`)
+- `metadata` — tool-specific structured fields (argument digest, target,
+  deny reason, verdict)
+- `prev_hash` — SHA-256 of the previous record; tampering is detectable by
+  `rea audit verify`
+
+Records are redacted on write (secrets swapped for `[REDACTED:*]`,
+injection payloads swapped for `INJECTION_REDACTED_PLACEHOLDER`), never
+LLM-reachable. Rotation is policy-driven (`policy.audit.rotation.max_bytes`
+and/or `max_age_days`); rotation preserves the hash chain by seeding the
+new file with a rotation marker record.
+
+### TOFU drift detection
+
+Downstream MCP servers are fingerprinted on first sight and stored in
+`.rea/fingerprints.json`. On every `rea serve` boot, each server's canonical
+shape (command path, env-key set, vault list) is hashed and compared
+against the stored fingerprint:
+
+- `first-seen` — new server; fingerprint recorded.
+- `unchanged` — match; proceed.
+- `drifted` — mismatch; fail-close. The operator uses `rea tofu list` to
+  inspect and `rea tofu accept <name> --reason "..."` to rebase.
+
+The drift-accept operation appends a `tofu.drift_accepted_by_cli` audit
+record with the reason. The next boot classifies the server as
+`unchanged`.
 
 ### Downstream environment safety
 
-`rea serve` does **not** forward `process.env` wholesale to downstream
-children. Each child gets:
+`rea serve` does **not** forward `process.env` wholesale. Each downstream
+child gets:
 
 1. A fixed allowlist of neutral OS vars (`PATH`, `HOME`, `TZ`,
    `NODE_OPTIONS`, …).
-2. Any names opted into via `registry.yaml#servers[].env_passthrough` —
-   the schema refuses secret-looking names (`*_TOKEN`, `*_KEY`,
-   `*_SECRET`, …), so secrets must be named explicitly.
-3. Values from the registry's `env:` mapping, which may contain
-   `${VAR}` placeholders resolved against the host environment
-   (0.3.0). Secret-looking values are redacted in logs by default.
-   A `${VAR}` whose host variable is unset is treated as fatal — the
-   downstream is marked unhealthy rather than handed an unresolved
-   placeholder.
-
-### Hook layer
-
-Hooks are shell scripts. 14 ship in the package; 12 are wired into
-the default `.claude/settings.json` and run at Claude Code
-tool-invocation time, independently of the gateway. The remaining
-two (`commit-review-gate.sh` and `push-review-gate-git.sh`) ship
-ready-to-wire but are not registered by default — see "What REA is"
-above and the inventory table at the end of this section for the full
-picture. Both layers (hooks and the gateway middleware) fail closed.
-Bypassing one does not disable the other.
-
-Every hook uses `set -euo pipefail` (or `set -uo pipefail` for the
-ones that process stdin JSON) and performs a HALT check near the top.
-The review-gate hooks (`push-review-gate.sh`, `push-review-gate-git.sh`,
-`commit-review-gate.sh`) additionally anchor `REA_ROOT` to their own
-on-disk location (BUG-012 fix, 0.6.2) — for those hooks,
-`CLAUDE_PROJECT_DIR` is accepted only as an advisory signal because it
-is caller-controlled. The remaining hooks (e.g. `secret-scanner.sh`,
-`settings-protection.sh`, `blocked-paths-enforcer.sh`,
-`dangerous-bash-interceptor.sh`) still derive `REA_ROOT` from
-`${CLAUDE_PROJECT_DIR:-$(pwd)}`; extending the script-anchor idiom to
-those hooks is tracked as an open hardening item. Cross-repo
-invocations (running a review-gate hook from a consumer project that
-is not the rea install) short-circuit cleanly using
-`git --git-common-dir` comparison (0.6.1).
-
-The two push-review adapters that ship in `hooks/` share a single
-implementation core at `hooks/_lib/push-review-core.sh` (0.7.0 BUG-008
-cleanup) so a fix lands in one place: `push-review-gate.sh` consumes
-Claude-Code PreToolUse JSON and is what `rea init` copies to
-`.claude/hooks/`; `push-review-gate-git.sh` consumes git's native
-`.husky/pre-push` refspec lines and is shipped for consumers who wire
-a wrapper-based `.husky/pre-push` that execs it directly. The default
-`rea init` installer does NOT currently emit that wrapper — it writes
-a standalone inline gate body as `.husky/pre-push` (source of truth:
-`src/cli/install/pre-push.ts`). The native-git adapter and the
-inline installer currently implement the same protected-path logic
-separately; unifying the husky installer on the adapter is tracked as
-follow-up hardening. `commit-review-gate.sh` is a standalone Claude
-`PreToolUse: Bash` hook that matches `git commit`; it does not source
-the push-review core.
-
-### Slash commands
-
-Five commands ship in the package and are copied into `.claude/commands/`
-during `rea init`.
-
-### Agent roster
-
-Ten curated agents ship in the package: `rea-orchestrator`, `code-reviewer`,
-`codex-adversarial`, `security-engineer`, `accessibility-engineer`,
-`typescript-specialist`, `frontend-specialist`, `backend-engineer`,
-`qa-engineer`, `technical-writer`. Profiles
-(`client-engagement`, `bst-internal`, `bst-internal-no-codex`,
-`lit-wc`, `open-source`, `open-source-no-codex`, `minimal`) layer
-additional specialists on top. The `-no-codex` variants match their
-parents but default `review.codex_required: false` so teams without a
-Codex CLI on the bench get a first-class opt-out rather than relying on
-`REA_SKIP_CODEX_REVIEW`.
-
-The orchestrator is the single entry point for non-trivial tasks. The
-CLAUDE.md template installed by `rea init` instructs the host agent:
-_"For any non-trivial task, delegate to the `rea-orchestrator` agent
-FIRST."_
-
-## The Plan / Build / Review loop
-
-Codex is a first-class part of REA. It is not a bolt-on. The BST
-engineering process bakes adversarial review into the default flow, and
-REA ships it out of the box.
-
-| Phase | Primary model | Codex role | Governance |
-| --- | --- | --- | --- |
-| Plan | Claude Opus | — | Full middleware chain |
-| Pre-implementation review | — | `/codex:review` — review the PLAN before code | Audited |
-| Build | Claude Opus | — | Full middleware chain |
-| Adversarial review | — | `/codex:adversarial-review` on the diff (independent perspective) | Audited, redacted, kill-switched |
-| Pre-merge gate | — | `/codex:adversarial-review` re-run; recorded in audit.jsonl | Required status check (recommended) |
-
-Three things make this work:
-
-1. The **`codex-adversarial` agent** in the curated roster wraps
-   `/codex:adversarial-review`. The orchestrator delegates to it after
-   any non-trivial change.
-2. The **`/codex-review` slash command** is one of the five shipped
-   commands. It produces an audit entry including the request summary,
-   response summary, and pass/fail signal.
-3. The **`push-review-gate.sh` hook** blocks (exit 2) every protected-path
-   push that does not carry a matching `codex.review` audit entry for the
-   pushed `head_sha` with a `verdict` of `pass` or `concerns`. The only
-   other way through the protected-path branch is an active Codex-only
-   waiver (`REA_SKIP_CODEX_REVIEW=<reason>`, 0.8.0 narrowing). For
-   **non-protected-path** pushes the gate runs a separate review-cache
-   lookup — this is where the cache predicate and pushed-ref key
-   hardening live. The cache-hit predicate requires
-   `.hit == true and .result == "pass"` (0.8.0 hardening — a cached
-   `fail` verdict no longer satisfies the gate), and the cache key is
-   derived from the **pushed source ref** (from pre-push stdin) rather
-   than the checkout branch, so `git push origin hotfix:main` from a
-   `feature` checkout correctly looks up the `hotfix` cache entry.
-
-### Codex-only waiver semantics (0.8.0)
-
-Through 0.7.0, `REA_SKIP_CODEX_REVIEW=<reason>` short-circuited the
-**entire** push-review gate — operators reached for it to silence a
-transient Codex outage and accidentally bypassed HALT, the cross-repo
-guard, and the general push-review gate. 0.8.0 narrows it to what the
-name implies: the waiver satisfies **only** the protected-path Codex
-audit requirement. HALT, cross-repo guard, ref-resolution failures, and
-push-review-cache misses still block. The skip audit record is still
-named `codex.review.skipped` and still fails the `codex.review` jq
-predicate — skipping a review is not a review.
-
-For the previous whole-gate bypass, use `REA_SKIP_PUSH_REVIEW=<reason>`
-(unchanged, 0.5.0). It writes `push.review.skipped` with an
-`os_identity` sub-object (uid, whoami, hostname, pid, ppid, tty, ci)
-so auditors can distinguish a real operator from a forged git-config
-actor, and refuses on CI runners unless the policy opts in via
-`review.allow_skip_in_ci: true`.
-
-Codex responses are treated as untrusted input. They flow through the
-`redact` and `injection` middleware on return — same treatment as any
-other downstream tool result. Codex never receives `.rea/policy.yaml`
-content in its prompts; Codex reviews diffs, not policy.
-
-If Codex is not installed, `rea doctor` warns with a one-line install
-hint. REA does not require Codex to function — the `bst-internal-no-codex`
-and `open-source-no-codex` profiles disable the requirement entirely,
-and `ClaudeSelfReviewer` is the in-process fallback (tagged
-`degraded: true` in the audit record so self-review is visible and
-countable).
-
-## Agent push workflow — satisfying the push-review gate
-
-When `git push` is blocked by `push-review-gate.sh` the gate prints
-remediation steps. This section is the canonical one-command flow the
-steps reduce to. Agents should copy-paste this verbatim; humans should
-expect agents to.
-
-### 1. Run the adversarial review
+2. Names opted into via `registry.yaml#servers[].env_passthrough` — the
+   schema refuses secret-looking names (`*_TOKEN`, `*_KEY`, `*_SECRET`, …),
+   so secrets must be named explicitly.
+3. Values from the registry's `env:` mapping, which may contain `${VAR}`
+   placeholders resolved against the host environment. A `${VAR}` whose
+   host variable is unset is treated as fatal — the downstream is marked
+   unhealthy rather than handed an unresolved placeholder.
 
-```bash
-# From an interactive Claude Code session:
-/codex-review
-```
+### Live state
 
-This invokes the `codex-adversarial` agent, which records a
-`codex.review` audit entry with `verdict: pass | concerns | blocking |
-error` and a `finding_count`. The push gate looks up that entry by
-`head_sha + verdict ∈ {pass, concerns}`.
+`.rea/serve.state.json` is the on-disk live snapshot. It is written once
+at boot and again on every circuit transition or supervisor event,
+debounced through a 250 ms trailing timer and flushed atomically via
+temp-file + rename. `rea status` reads this file to render a
+per-downstream table; a new `rea serve` whose predecessor crashed can
+detect the abandoned file and take over ownership rather than stalling.
 
-### 2. Record-and-cache in one CLI call
+### Optional Prometheus metrics
 
-If you already have a review verdict (from `/codex-review`, or from a
-manual Codex run, or from an offline review) emit the audit record AND
-update the push-review cache with a single command:
+`rea serve` can expose a loopback-only Prometheus endpoint when
+`REA_METRICS_PORT` is set:
 
 ```bash
-rea audit record codex-review \
-  --head-sha "$(git rev-parse HEAD)" \
-  --branch   "$(git rev-parse --abbrev-ref HEAD)" \
-  --target   main \
-  --verdict  pass \
-  --finding-count 0 \
-  --summary  "no findings" \
-  --also-set-cache
+REA_METRICS_PORT=9464 rea serve
+curl http://127.0.0.1:9464/metrics
 ```
 
-`--also-set-cache` writes both `.rea/audit.jsonl` and
-`.rea/review-cache.jsonl` in the same invocation (two sequential
-appends, not a two-phase commit — but close enough in practice that the
-push-gate lookup cannot see the audit record without the cache entry
-unless a crash lands between them). Without it, the audit record lands
-but the cache stays cold — and the next `git push` pays for a re-review
-even though the audit trail already shows the review happened.
-`--also-set-cache` is what the gate's remediation text should be reduced
-to.
+Metrics: per-downstream call and error counters, in-flight gauge,
+audit-lines-appended counter, circuit-breaker state gauge, and a
+seconds-since-last-HALT-check gauge. The listener binds to `127.0.0.1`
+only, serves only `GET /metrics`, and never binds by default. No TLS;
+scrape through SSH or a reverse proxy for cross-host access.
+
+---
+
+## Policy file
 
-Verdict mapping for the cache leg:
+`.rea/policy.yaml` fields. The schema is zod-strict — unknown fields are
+rejected at parse time, not ignored.
 
-| `--verdict`  | Cache `result` | Cache `reason` |
-| ------------ | -------------- | -------------- |
-| `pass`       | `pass`         | — (omitted) |
-| `concerns`   | `pass`         | `codex:concerns` |
-| `blocking`   | `fail`         | `codex:blocking` |
-| `error`      | `fail`         | `codex:error` |
+### Required fields
 
-### 3. Push
+| Field | Type | Purpose |
+| --- | --- | --- |
+| `version` | `"1"` | Schema version; only `"1"` accepted in the current major |
+| `profile` | string | Profile name (see below) |
+| `installed_by` | string | Stamped by `rea init` — identifies the installing version |
+| `installed_at` | ISO-8601 | Stamped by `rea init` — install timestamp |
+| `autonomy_level` | `L0` \| `L1` \| `L2` \| `L3` | Current autonomy. `L0` = read-only; `L3` = full tool access |
+| `max_autonomy_level` | `L0` \| `L1` \| `L2` \| `L3` | Hard ceiling. `autonomy_level` cannot exceed this |
+| `promotion_requires_human_approval` | boolean | Require operator confirmation to raise autonomy |
+| `block_ai_attribution` | boolean | Enforce no-AI-attribution in commits and PR bodies |
+| `blocked_paths` | string[] | Glob patterns. `.rea/` is always blocked regardless |
+| `notification_channel` | string | Optional Discord webhook URL; empty string = disabled |
 
-```bash
-git push
-```
+### Optional blocks
 
-The gate hits the cache, sees `{"hit":true,"result":"pass"}`, and exits
-0 on the first attempt. No `!`-bash escapes, no manual audit writing,
-no separate `rea cache set` invocation.
-
-### SDK alternative
-
-When embedding the flow in a TypeScript tool instead of shelling out,
-import the public audit helper:
-
-```ts
-import {
-  appendAuditRecord,
-  CODEX_REVIEW_SERVER_NAME,
-  CODEX_REVIEW_TOOL_NAME,
-  InvocationStatus,
-  Tier,
-} from '@bookedsolid/rea/audit';
-
-await appendAuditRecord(process.cwd(), {
-  tool_name: CODEX_REVIEW_TOOL_NAME,
-  server_name: CODEX_REVIEW_SERVER_NAME,
-  tier: Tier.Read,
-  status: InvocationStatus.Allowed,
-  metadata: {
-    head_sha: headSha,
-    target: 'main',
-    finding_count: 0,
-    verdict: 'pass',
-  },
-});
+```yaml
+injection_detection: block        # "block" | "warn" — legacy 0.2.x knob
+injection:
+  suspicious_blocks_writes: true  # suspicious verdict on write/destructive tier denies
+context_protection:
+  delegate_to_subagent:
+    - pnpm run build
+    - pnpm run test
+  max_bash_output_lines: 100
+review:
+  codex_required: true
+  concerns_blocks: true
+  timeout_ms: 1800000
+  # last_n_commits: 10            # optional — narrow review to HEAD~N
+redact:
+  match_timeout_ms: 100
+  patterns:
+    - name: custom-api-key
+      regex: 'acme_[A-Za-z0-9]{32}'
+      flags: 'g'
+audit:
+  rotation:
+    max_bytes: 52428800           # 50 MiB
+    max_age_days: 30
+gateway:
+  health:
+    expose_diagnostics: false
 ```
 
-The CLI wraps exactly this — use the CLI unless the host is already a
-TypeScript process that wants to avoid the subprocess roundtrip.
+User-supplied `redact.patterns[]` are validated via `safe-regex` at load —
+any pattern flagged unsafe fails the load with a specific error naming
+the offender.
 
-### Agent autonomy self-consistency
+### Autonomy levels
 
-At autonomy `L1`, `rea cache check`, `rea audit record codex-review`,
-`rea doctor`, and `rea status` are classified **Read tier** — they
-cannot be denied by REA's own middleware. `rea cache set` is Write
-tier and is still allowed at L1. `rea freeze` is Destructive tier and
-is denied at L1 (deny-reason includes the subcommand, e.g.
-`Bash (rea freeze)`, not just `Bash`).
+| Level | Effect |
+| --- | --- |
+| `L0` | Read-only — every write/destructive tier call denies |
+| `L1` | Default. Reads allowed; writes allowed; destructive tier denied |
+| `L2` | Writes and destructive tier allowed |
+| `L3` | No autonomy gate — only hook-layer and policy-layer checks remain |
+
+`autonomy_level > max_autonomy_level` is rejected at parse time.
+`promotion_requires_human_approval: false` requires the CLI flag
+`--i-understand-the-risks` on any operation that raises autonomy.
 
-## Hooks
+### Profiles
 
-Fourteen hooks. Each does one thing.
+Seven profiles ship in `profiles/`. The profile name is recorded in
+`policy.yaml#profile` and governs which agents `rea init` copies and what
+defaults apply.
 
-| Hook | Event | One-line purpose |
+| Profile | Intended use | Codex default |
 | --- | --- | --- |
-| `dangerous-bash-interceptor` | PreToolUse: Bash | Block categories of destructive shell commands |
-| `env-file-protection` | PreToolUse: Bash | Block reads of `.env*` files |
-| `dependency-audit-gate` | PreToolUse: Bash | Verify packages exist on the registry before install |
-| `commit-review-gate` | PreToolUse: Bash | Intercept `git commit`; require review on non-trivial diffs |
-| `push-review-gate` | PreToolUse: Bash | Intercept `git push` (Claude-Code-JSON adapter); protected-path + Codex audit |
-| `push-review-gate-git` | `.husky/pre-push` | Native git adapter around the same core |
-| `attribution-advisory` | PreToolUse: Bash | Block commits / PRs containing AI attribution markers |
-| `pr-issue-link-gate` | PreToolUse: Bash | Advisory warn when `gh pr create` has no linked issue |
-| `security-disclosure-gate` | PreToolUse: Bash | Route security-keyword `gh issue create` to private disclosure |
-| `secret-scanner` | PreToolUse: Write\|Edit | Scan file writes for credential patterns |
-| `settings-protection` | PreToolUse: Write\|Edit | Block agent writes to `.claude/settings.json`, hook dirs, policy |
-| `blocked-paths-enforcer` | PreToolUse: Write\|Edit | Enforce `blocked_paths` from policy |
-| `changeset-security-gate` | PreToolUse: Write\|Edit | Guard changesets against GHSA leaks and malformed frontmatter |
-| `architecture-review-gate` | PostToolUse: Write\|Edit | Flag edits crossing architectural boundaries (advisory) |
+| `minimal` | Smallest possible install — curated 10 + opinionated minimal hooks | `true` |
+| `client-engagement` | Consulting engagement where the repo is client-owned | `true` |
+| `bst-internal` | Booked Solid internal projects; conservative posture | `true` |
+| `bst-internal-no-codex` | Same as above; no Codex CLI available | `false` |
+| `lit-wc` | Lit web-component library projects | `true` |
+| `open-source` | OSS library / CLI projects; liberal but audited | `true` |
+| `open-source-no-codex` | Same; no Codex CLI available | `false` |
+
+The `-no-codex` variants default `review.codex_required: false` on
+install so teams without a Codex bench get a first-class opt-out. Flip
+`--codex` / `--no-codex` on the `rea init` command line to override.
+
+---
+
+## Hooks shipped
+
+Eleven hooks ship in `hooks/` and are copied into `.claude/hooks/` by
+`rea init`. All eleven are wired by default in the shipped
+`.claude/settings.json`.
+
+| Hook | Event | Purpose | Default |
+| --- | --- | --- | --- |
+| `dangerous-bash-interceptor.sh` | `PreToolUse: Bash` | Block categories of destructive shell commands (`rm -rf`, `git reset --hard`, `--no-verify`, …) | Registered |
+| `env-file-protection.sh` | `PreToolUse: Bash` | Block reads of `.env*` files | Registered |
+| `dependency-audit-gate.sh` | `PreToolUse: Bash` | Verify packages exist on the registry before install | Registered |
+| `security-disclosure-gate.sh` | `PreToolUse: Bash` | Route security-keyword `gh issue create` to private disclosure | Registered |
+| `pr-issue-link-gate.sh` | `PreToolUse: Bash` | Advisory warn when `gh pr create` has no linked issue | Registered |
+| `attribution-advisory.sh` | `PreToolUse: Bash` | Block commits/PRs containing AI attribution markers | Registered |
+| `secret-scanner.sh` | `PreToolUse: Write\|Edit` | Scan file writes for credential patterns | Registered |
+| `settings-protection.sh` | `PreToolUse: Write\|Edit` | Block agent writes to `.claude/settings.json`, hook dirs, policy | Registered |
+| `blocked-paths-enforcer.sh` | `PreToolUse: Write\|Edit` | Enforce `blocked_paths` from policy | Registered |
+| `changeset-security-gate.sh` | `PreToolUse: Write\|Edit` | Guard changesets against GHSA leaks and malformed frontmatter | Registered |
+| `architecture-review-gate.sh` | `PostToolUse: Write\|Edit` | Flag edits crossing architectural boundaries (advisory) | Registered |
+
+The 0.10.x review-gate scripts (`push-review-gate.sh`,
+`push-review-gate-git.sh`, `commit-review-gate.sh`) and the 1,250-line
+shared bash core (`hooks/_lib/push-review-core.sh`) were removed in
+0.11.0. The `hooks/_lib/` directory now contains only the three shared
+helpers — `common.sh`, `halt-check.sh`, `policy-read.sh` — used by the
+remaining hooks.
+
+Every hook uses `set -euo pipefail` (or `set -uo pipefail` for stdin-JSON
+consumers) and performs a HALT check near the top. Both the hook layer
+and the MCP gateway middleware fail closed; bypassing one does not
+disable the other.
+
+---
 
 ## Slash commands
 
+Five commands ship in `commands/` and are copied into `.claude/commands/`
+by `rea init`.
+
 | Command | Purpose |
 | --- | --- |
-| `/rea` | Session status — autonomy level, HALT state, last audit entries, next action |
+| `/rea` | Session status — autonomy level, HALT state, recent audit entries, next action |
 | `/review` | Invoke the `code-reviewer` agent on current changes |
-| `/codex-review` | Invoke the `codex-adversarial` agent → `/codex:adversarial-review` |
+| `/codex-review` | Invoke the `codex-adversarial` agent via the Codex plugin |
 | `/freeze` | Prompt for a reason and write `.rea/HALT` |
-| `/halt-check` | Verify every middleware and hook respects HALT |
+| `/halt-check` | Smoke test — verify every hook and middleware respects HALT |
 
-## Policy file reference
+---
 
-`.rea/policy.yaml` fields. The schema is zod-strict — unknown fields are
-rejected, not ignored.
+## Curated agents
 
-| Field | Type | Purpose |
-| --- | --- | --- |
-| `version` | string, `"1"` | Schema version; only `"1"` accepted in the current major |
-| `profile` | string | Profile name from `profiles/` (e.g. `bst-internal`) |
-| `autonomy_level` | `L0`\|`L1`\|`L2`\|`L3` | Current autonomy. `L0` = read-only; `L3` = full tool access |
-| `max_autonomy_level` | `L0`\|`L1`\|`L2`\|`L3` | Hard ceiling. `autonomy_level` cannot exceed this |
-| `promotion_requires_human_approval` | boolean | Require operator confirmation to raise autonomy. Default `true` |
-| `blocked_paths` | string[] | Glob patterns. `.rea/` is always blocked regardless of this list |
-| `block_ai_attribution` | boolean | Enforce no-AI-attribution in commits and PR bodies |
-| `context_protection.delegate_to_subagent` | string[] | Commands that must run in a subagent context to preserve the parent's context window |
-| `context_protection.max_bash_output_lines` | number | Truncate long bash output at this line count |
-| `notification_channel` | string | Optional Discord webhook URL. Empty string = no notifications |
-| `review.codex_required` | boolean | When `false`, protected-path pushes don't require a Codex audit (first-class no-Codex mode). Default `true` |
-| `review.cache_max_age_seconds` | number | TTL for entries in `.rea/review-cache.jsonl`. Default 3600 |
-| `review.allow_skip_in_ci` | boolean | When `true`, `REA_SKIP_PUSH_REVIEW` is accepted on CI runners. Default `false` |
-| `injection.suspicious_blocks_writes` | boolean | `bst-internal` posture — `suspicious` verdict on a write/destructive tool denies instead of warning. Default `false` |
-| `redact.patterns[]` | string[] | User-supplied secret patterns; vetted via `safe-regex` at load |
-| `redact.match_timeout_ms` | number | Per-call regex budget. Default 100 |
-| `gateway.health.expose_diagnostics` | boolean | When `true`, `__rea__health` emits redacted+classified diagnostic strings on the wire. Default `false` (null) |
-
-`autonomy_level > max_autonomy_level` is rejected at parse time. Setting
-`promotion_requires_human_approval: false` requires the CLI flag
-`--i-understand-the-risks`.
+Ten specialist agents ship in `agents/` and are copied into `.claude/agents/`
+by `rea init`. Profiles layer additional specialists on top for specific
+project shapes.
+
+| Agent | When to use |
+| --- | --- |
+| `rea-orchestrator` | **First stop for any non-trivial task.** Reads policy, checks HALT, routes to the right specialist(s), coordinates multi-step work, enforces the plan/build/review loop. |
+| `code-reviewer` | Structured review of a working-tree diff; surfaces correctness, clarity, and consistency issues without adversarial framing. |
+| `codex-adversarial` | Adversarial review via the Codex plugin (`/codex:adversarial-review`). Independent model perspective; produces an audit entry with verdict. |
+| `security-engineer` | Security-sensitive implementation and review — auth flows, secret handling, injection surfaces. |
+| `accessibility-engineer` | WCAG review, ARIA semantics, keyboard navigation, screen-reader fact-checking. |
+| `typescript-specialist` | Strict-mode TypeScript correctness, generics, narrowing, inference edge cases. |
+| `frontend-specialist` | UI component work, framework idioms (React, Lit, Astro), CSS architecture. |
+| `backend-engineer` | API design, database schema, background jobs, MCP server implementation. |
+| `qa-engineer` | Test strategy, fixture design, regression reproducers, flake triage. |
+| `technical-writer` | User-facing documentation, API references, migration guides, changelog narratives. |
+
+The `rea-orchestrator` is the single entry point for non-trivial tasks.
+The CLAUDE.md fragment installed by `rea init` instructs the host agent
+to route there first; delegation contracts are defined in each agent's
+markdown file.
+
+---
+
+## CLI reference
+
+```
+rea <command> [options]
+```
+
+Run `rea <command> --help` for full per-command options.
+
+### `rea init`
+
+Interactive wizard — write `.rea/policy.yaml`, install `.claude/`, the
+commit-msg hook, and a CLAUDE.md fragment.
+
+```bash
+rea init
+rea init -y --profile bst-internal       # non-interactive
+rea init --from-reagent                  # migrate from .reagent/
+rea init --profile open-source-no-codex  # disable Codex by default
+rea init --force                         # overwrite existing artifacts
+```
+
+### `rea upgrade`
+
+Sync `.claude/`, `.husky/`, and managed fragments with this rea version.
+Prompts on drift; silently refreshes unmodified files.
+
+```bash
+rea upgrade --dry-run   # show what would change; write nothing
+rea upgrade             # interactive
+rea upgrade -y          # non-interactive, keep drifted files
+rea upgrade --force     # non-interactive, overwrite drift
+```
+
+### `rea serve`
+
+Start the MCP gateway. Invoked by Claude Code via `.mcp.json`; not a
+daemon. Stdio transport only.
+
+```bash
+rea serve
+REA_METRICS_PORT=9464 rea serve
+REA_LOG_LEVEL=debug rea serve
+```
+
+### `rea freeze` / `rea unfreeze`
+
+Write or remove `.rea/HALT`. Every call writes an audit record.
+
+```bash
+rea freeze --reason "incident triage"
+rea unfreeze
+rea unfreeze -y   # skip confirmation
+```
+
+### `rea check`
+
+On-disk status — autonomy, HALT, profile, recent audit entries. No live
+process probe.
+
+### `rea status`
+
+Running-process view — reads `.rea/serve.pid` + `.rea/serve.state.json`
+to render per-downstream health.
+
+```bash
+rea status
+rea status --json   # pipe to jq
+```
+
+### `rea doctor`
+
+Validate the install — policy parses, `.rea/` layout, hooks, Codex plugin
+presence, TOFU fingerprint store.
+
+```bash
+rea doctor
+rea doctor --metrics   # also print 7-day Codex telemetry summary
+rea doctor --drift     # report drift vs. install manifest (read-only)
+```
+
+In non-git directories the commit-msg and pre-push checks are skipped
+cleanly. Audit hash-chain integrity is verified by `rea audit verify`,
+not by `rea doctor`.
 
-## Migration from `@bookedsolid/reagent`
+### `rea audit rotate` / `rea audit verify`
 
 ```bash
-npx @bookedsolid/rea init --from-reagent
+rea audit rotate                      # force rotation now
+rea audit verify                      # re-hash the chain; exit 1 on first tamper
+rea audit verify --since <file>       # walk forward from a rotated file
 ```
 
-`--from-reagent`:
+### `rea tofu list` / `rea tofu accept`
+
+```bash
+rea tofu list
+rea tofu list --json
+rea tofu accept my-mcp-server --reason "added vault path /Volumes/Work"
+```
+
+### `rea hook push-gate`
+
+Pre-push Codex review gate. Normally invoked by `.husky/pre-push`; run
+manually to test.
+
+```bash
+rea hook push-gate
+rea hook push-gate --base origin/main
+```
+
+---
+
+## Migration from 0.10.x
+
+`rea upgrade` handles the policy and on-disk pieces. You run it once:
+
+```bash
+rea upgrade
+```
+
+It performs:
+
+1. **Backup** — writes `.rea/policy.yaml.bak-<timestamp>` before any edit.
+2. **Strip removed fields** — removes `review.cache_max_age_seconds` and
+   `review.allow_skip_in_ci` from the policy file. Both were cache-gate
+   concepts with no meaning under the stateless gate.
+3. **Add defaults** — inserts `review.concerns_blocks: true` if absent.
+4. **Prune settings.json** — removes hook registrations for the removed
+   scripts (`push-review-gate`, `commit-review-gate`) from
+   `.claude/settings.json`, leaving the other registrations intact.
+5. **Refresh `.claude/hooks/`** — deletes the removed scripts with a
+   change-log entry.
+6. **Rewrite `.husky/pre-push`** iff it carries a rea marker. A
+   foreign `.husky/pre-push` (no marker) is left untouched and a loud
+   warning is printed.
+7. **Refresh `.git/hooks/pre-push`** fallback with the new 15-line stub
+   (when `core.hooksPath` is unset and git is using the default hooks
+   directory).
+
+### What the new `.husky/pre-push` looks like
 
-- Reads `.reagent/policy.yaml` and translates field-for-field into
-  `.rea/policy.yaml`. Field names are identical, so the translation is a
-  rename.
-- Moves `.reagent/audit.jsonl` to `.rea/audit.jsonl` and verifies the
-  hash chain.
-- Un-wires dropped hooks (Obsidian, PM-layer, account) from
-  `.claude/settings.json`.
-- Replaces `reagent` slash commands and agents with the REA equivalents.
-- Leaves `.reagent/` in place; you delete it manually after verifying
-  `rea doctor` passes and a dogfood run completes.
+Fifteen lines of POSIX `sh`. HALT check, locate the rea binary, `exec rea
+hook push-gate "$@"`. That is the entire body — all real work lives in
+the TypeScript gate composer at `src/hooks/push-gate/index.ts`.
 
-See [MIGRATION-0.5.0.md](./MIGRATION-0.5.0.md) for the BUG-008 / BUG-009
-/ BUG-010 coordinated fix window. Between 0.5.0 and 0.9.0, the breaking
-semantic change worth calling out is 0.8.0's narrowing of
-`REA_SKIP_CODEX_REVIEW` to a Codex-only waiver — see the CHANGELOG
-entry for the migration steps.
+### Rollback
 
-## Security
+If the stateless gate's behavior is blocking a specific workflow you
+cannot yet address:
+
+```bash
+npm install -g @bookedsolid/rea@0.10.3
+# restore policy from the backup rea upgrade wrote
+cp .rea/policy.yaml.bak-<ts> .rea/policy.yaml
+# re-run the 0.10.3 install to put the old hooks back
+rea init --force
+```
+
+The 0.10.3 cache-attestation gate remains on npm and continues to work.
+Rollback is a supported path — the `rea upgrade` backup is specifically
+there to make it a one-liner.
+
+### What you will not need to do anymore
+
+- `rea cache check` / `rea cache set` / `rea cache list` / `rea cache clear`
+  — all removed. The stateless gate consults no cache.
+- `rea audit record codex-review --also-set-cache` — removed. The gate
+  writes its own audit records from the actual Codex run.
+- Setting `REA_SKIP_PUSH_REVIEW` — removed. Use either
+  `REA_SKIP_PUSH_GATE=<reason>` or `REA_SKIP_CODEX_REVIEW=<reason>`
+  (both value-carrying and always audited; identical effect, distinct
+  `skip_var` in audit metadata) or flip `review.codex_required: false`
+  in policy. `REA_SKIP_CODEX_REVIEW` was reinstated in 0.12.0 as an
+  audited alias for `REA_SKIP_PUSH_GATE` — it had been documented in the
+  gateway-tier reviewers but not in the push-gate, leaving agents
+  setting the documented variant blocked.
+
+---
+
+## Contributor quality gates
+
+Before push, run the four checks locally. CI runs them as required status
+checks on every PR to `main`:
+
+```bash
+pnpm lint        # ESLint 10 — zero warnings
+pnpm type-check  # tsc --noEmit (strict)
+pnpm test        # vitest run
+pnpm build       # tsc -p tsconfig.build.json
+```
+
+Additionally, every PR needs:
+
+- **DCO sign-off** on all commits (`git commit -s`). The DCO bot rejects
+  unsigned commits.
+- **Changeset** entry (`pnpm changeset`) unless the change is purely
+  non-publishable (CI, docs, meta). CI flags missing changesets.
+- **Secret scan** clean. Gitleaks runs in CI and via the
+  `secret-scanner.sh` hook.
+- **No AI attribution** anywhere — commit messages, PR bodies, code
+  comments, changeset content. The commit-msg hook and
+  `attribution-advisory.sh` reject structural attribution.
+
+Security-sensitive paths (`src/gateway/middleware/**`, `src/policy/**`,
+`src/hooks/**`, `hooks/**`, `.github/workflows/**`) require explicit
+maintainer review and a threat-model update in the same PR.
+
+Releases flow through Changesets: a "Version Packages" PR is auto-opened
+when a changeset lands on `main`. Merging it triggers `npm publish
+--provenance` via OIDC from `.github/workflows/release.yml`. Do not
+manually `npm publish`.
+
+---
+
+## Threat model and security
 
 - [SECURITY.md](./SECURITY.md) — disclosure policy, supported versions,
-  and scope. Do not report vulnerabilities via public GitHub issues.
+  GHSA coordination. 72-hour acknowledgment target, 90-day window. Do
+  not report vulnerabilities via public GitHub issues.
 - [THREAT_MODEL.md](./THREAT_MODEL.md) — attack surface, mitigations,
-  residual risks. This is the contract REA holds itself to.
+  residual risks. The contract rea holds itself to.
 
-Short version: gateway and hook layers operate independently. Both fail
-closed. `.rea/` is always blocked. Audit is hash-chained. Policy is
-re-read on every invocation. npm publish uses OIDC provenance, not
-long-lived tokens.
+Short version: the MCP gateway and the hook layer run independently.
+Both fail closed. `.rea/` is always blocked. The audit log is
+hash-chained. Policy is re-read on every invocation. npm publish uses
+OIDC provenance, not long-lived tokens. The pre-push gate runs Codex
+on every push and treats Codex responses as untrusted input — findings
+flow through the same redact pattern set used by the middleware before
+anything hits disk.
 
-## Contributing
+---
 
-See [CONTRIBUTING.md](./CONTRIBUTING.md). Short version:
+## Non-goals
 
-- DCO sign-off required on every commit (`git commit -s`). CI rejects
-  unsigned commits.
-- No AI attribution in commit messages, PR bodies, or code. The
-  commit-msg hook enforces this.
-- Conventional commits, TypeScript strict, ESLint zero-warnings,
-  Prettier, vitest.
-- Security-sensitive paths (`src/gateway/middleware/**`, `src/policy/**`,
-  `hooks/**`, `.github/workflows/**`) require explicit maintainer
-  review and a threat-model update in the same PR.
+See [What REA is NOT](#what-rea-is-not) above. Every "but what if we
+just added X" belongs in a separate package that composes with REA. The
+non-goals are the product.
+
+---
 
-## License
+## License and contributing
 
-[MIT](./LICENSE)
+[MIT](./LICENSE). See [CONTRIBUTING.md](./CONTRIBUTING.md) for the full
+contributor guide and [CODE_OF_CONDUCT.md](./CODE_OF_CONDUCT.md) for
+the Contributor Covenant.
+
+- DCO sign-off required (`git commit -s`) — no CLA.
+- Conventional commits, TypeScript strict, ESLint zero-warnings,
+  Prettier, vitest.
+- Changeset on every publishable change; merge the auto-generated
+  Version Packages PR to release.
+- Security-sensitive paths gated by CODEOWNERS; human review required.
+
+This repo dogfoods itself. rea's governance layer enforces rea's own
+commit, hook, and attribution rules. The install under `.rea/`,
+`.claude/`, and `.husky/` is the reference example of the
+`bst-internal` profile.