@bookedsolid/rea 0.11.0 → 0.13.0

package/dist/policy/loader.d.ts

@@ -34,14 +34,29 @@ declare const PolicySchema: z.ZodObject<{
         codex_required: z.ZodOptional<z.ZodBoolean>;
         concerns_blocks: z.ZodOptional<z.ZodBoolean>;
         timeout_ms: z.ZodOptional<z.ZodNumber>;
+        last_n_commits: z.ZodOptional<z.ZodNumber>;
+        /**
+         * Auto-narrow threshold (J / 0.13.0). When the resolved diff base is more
+         * than N commits away from HEAD, the gate auto-scopes to
+         * `last_n_commits` (or the 0.13 fallback default of 10) and emits a
+         * stderr warning. Default 30 when unset; explicit 0 disables auto-narrow
+         * entirely. Suppressed when the operator pinned `--last-n-commits`,
+         * `--base`, or `policy.review.last_n_commits` (those are explicit
+         * intent and auto-narrow stays out of the way).
+         */
+        auto_narrow_threshold: z.ZodOptional<z.ZodNumber>;
     }, "strict", z.ZodTypeAny, {
         codex_required?: boolean | undefined;
         concerns_blocks?: boolean | undefined;
         timeout_ms?: number | undefined;
+        last_n_commits?: number | undefined;
+        auto_narrow_threshold?: number | undefined;
     }, {
         codex_required?: boolean | undefined;
         concerns_blocks?: boolean | undefined;
         timeout_ms?: number | undefined;
+        last_n_commits?: number | undefined;
+        auto_narrow_threshold?: number | undefined;
     }>>;
     redact: z.ZodOptional<z.ZodObject<{
         match_timeout_ms: z.ZodOptional<z.ZodNumber>;
@@ -135,6 +150,8 @@ declare const PolicySchema: z.ZodObject<{
         codex_required?: boolean | undefined;
         concerns_blocks?: boolean | undefined;
         timeout_ms?: number | undefined;
+        last_n_commits?: number | undefined;
+        auto_narrow_threshold?: number | undefined;
     } | undefined;
     redact?: {
         match_timeout_ms?: number | undefined;
@@ -178,6 +195,8 @@ declare const PolicySchema: z.ZodObject<{
         codex_required?: boolean | undefined;
         concerns_blocks?: boolean | undefined;
         timeout_ms?: number | undefined;
+        last_n_commits?: number | undefined;
+        auto_narrow_threshold?: number | undefined;
     } | undefined;
     redact?: {
         match_timeout_ms?: number | undefined;

package/dist/policy/loader.js

@@ -27,6 +27,17 @@ const ReviewPolicySchema = z
     codex_required: z.boolean().optional(),
     concerns_blocks: z.boolean().optional(),
     timeout_ms: z.number().int().positive().optional(),
+    last_n_commits: z.number().int().positive().optional(),
+    /**
+     * Auto-narrow threshold (J / 0.13.0). When the resolved diff base is more
+     * than N commits away from HEAD, the gate auto-scopes to
+     * `last_n_commits` (or the 0.13 fallback default of 10) and emits a
+     * stderr warning. Default 30 when unset; explicit 0 disables auto-narrow
+     * entirely. Suppressed when the operator pinned `--last-n-commits`,
+     * `--base`, or `policy.review.last_n_commits` (those are explicit
+     * intent and auto-narrow stays out of the way).
+     */
+    auto_narrow_threshold: z.number().int().nonnegative().optional(),
 })
     .strict();
 /**

package/dist/policy/types.d.ts

@@ -54,12 +54,82 @@ export interface ReviewPolicy {
     /**
      * Hard cap on the `codex exec review` subprocess in milliseconds. Exceeding
      * this kills the subprocess and the gate returns exit 2 with a timeout
-     * error (audited). Default when unset is 600_000 (10 minutes) — matches
-     * the upper bound we observe for a 500-line diff review on a slow link.
+     * error (audited). Default when unset is 1_800_000 (30 minutes) as of
+     * 0.12.0 — raised from 10 minutes after the helixir migration session
+     * 2026-04-26 showed realistic feature-branch diffs routinely exceeded
+     * the previous default. Operators with explicit `timeout_ms:` in
+     * `.rea/policy.yaml` are unaffected.
      *
      * Positive integer only. The loader rejects zero/negative values.
      */
     timeout_ms?: number;
+    /**
+     * When set, `rea hook push-gate` resolves the diff base to `HEAD~N`
+     * instead of the upstream → origin/HEAD ladder. Useful when a feature
+     * branch accumulates many commits and the full origin/main diff
+     * overwhelms the reviewer (the helixir 2026-04-26 case: 50+ commits
+     * relative to origin/main produced non-deterministic Codex verdicts and
+     * 10-minute timeouts).
+     *
+     * Precedence: explicit `--base <ref>` flag wins; then `--last-n-commits N`
+     * flag; then this policy key; then refspec-aware base resolution; then
+     * the upstream-ladder fallback. When `--base` AND
+     * `--last-n-commits`/`policy.last_n_commits` are both set, `--base`
+     * wins and a stderr warning is emitted.
+     *
+     * Resolution: `git rev-parse HEAD~N`. When `HEAD~N` is unreachable
+     * the resolver consults `git rev-parse --is-shallow-repository` to
+     * pick the right clamp:
+     *
+     *   - FULL clone, branch shorter than N: clamps to the empty-tree
+     *     sentinel so the root commit's changes are included
+     *     (`git diff base..HEAD` excludes `base`, so diffing against
+     *     `HEAD~K` would silently drop the root commit). Reports
+     *     `last_n_commits: K+1` — every commit on the branch reviewed.
+     *
+     *   - SHALLOW clone: clamps to `HEAD~K` (the deepest LOCALLY
+     *     resolvable ancestor) since older history exists on the remote
+     *     but isn't fetched. Using empty-tree here would balloon the
+     *     review to every tracked file in the checkout. Reports
+     *     `last_n_commits: K`. The K-th commit's content is excluded —
+     *     accepted as the cost of the shallow clone.
+     *
+     * A stderr warning surfaces the requested-vs-clamped numbers in
+     * both cases. Audit metadata records `base_source: 'last-n-commits'`,
+     * `last_n_commits: <count actually reviewed>`, and
+     * `last_n_commits_requested: N` (only present when clamped).
+     *
+     * Positive integer. The loader rejects zero/negative values.
+     */
+    last_n_commits?: number;
+    /**
+     * Auto-narrow threshold (J / 0.13.0). When the resolved diff base is more
+     * than N commits behind HEAD, the gate automatically scopes the review to
+     * the last 10 commits (or `last_n_commits` if pinned) and emits a stderr
+     * warning explaining the auto-narrow + how to override.
+     *
+     * Default `30` when unset. Explicit `0` disables auto-narrow entirely.
+     *
+     * Auto-narrow is SUPPRESSED when the operator already expressed explicit
+     * intent — any of these prevents auto-narrow from firing:
+     *
+     *   - `--last-n-commits N` flag (the operator picked an exact window)
+     *   - `--base <ref>` flag (the operator picked an exact base)
+     *   - `policy.review.last_n_commits` (persistent narrow-window config)
+     *
+     * Audit metadata records `auto_narrowed: true|false` and
+     * `original_commit_count: N` on every reviewed event so operators can
+     * grep their audit log for narrowed reviews.
+     *
+     * Background: large feature branches (50+ commits relative to origin/main)
+     * routinely produced non-deterministic Codex verdicts, 10-minute timeouts,
+     * and the "thrashing" reported in helixir migration 2026-04-26. The 0.12.0
+     * `last_n_commits` knob fixed it for operators who knew to set it; J makes
+     * the protective default automatic.
+     *
+     * Non-negative integer. The loader rejects negative values.
+     */
+    auto_narrow_threshold?: number;
 }
 /**
  * User-supplied redaction pattern entry. Each pattern has a stable `name` used

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.11.0",
+  "version": "0.13.0",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",

package/scripts/tarball-smoke.sh

@@ -74,8 +74,13 @@ echo "[smoke]   → $VERSION_OUT"
 echo "[smoke] rea --help"
 ./node_modules/.bin/rea --help >/dev/null
 
-echo "[smoke] rea init --yes --profile open-source"
-./node_modules/.bin/rea init --yes --profile open-source
+echo "[smoke] rea init --yes --profile open-source-no-codex"
+# 0.12.0+: doctor hard-fails when policy.review.codex_required: true and codex
+# is not on PATH (fix C of the helixir migration unblocker — see PR #85). CI
+# does not provision the codex CLI, so the smoke uses the -no-codex profile
+# variant which defaults codex_required: false. The new doctor probe is
+# covered by unit tests in src/cli/doctor.test.ts.
+./node_modules/.bin/rea init --yes --profile open-source-no-codex
 
 # Verify the installed layout matches what init claims it wrote.
 for expected in .rea/policy.yaml .rea/registry.yaml .claude/settings.json CLAUDE.md .rea/install-manifest.json; do