@bookedsolid/rea 0.13.3 → 0.15.0

package/hooks/_lib/cmd-segments.sh

@@ -0,0 +1,155 @@
+# shellcheck shell=bash
+# hooks/_lib/cmd-segments.sh — shell-segment splitting for Bash-tier hooks.
+#
+# Background: hooks that gate `Bash` tool calls grep `.tool_input.command`
+# for danger words (`rm -rf`, `git restore`, `pnpm install`, etc.). Pre-
+# 0.15.0 every hook ran a single `grep -qE PATTERN "$cmd"` against the
+# whole command string. That false-positives on heredoc bodies and
+# commit messages where the trigger word appears inside content rather
+# than as a command:
+#
+#   git commit -m "$(cat <<'EOF'
+#   docs: explain why we don't run rm -rf node_modules in CI
+#   EOF
+#   )"
+#
+# The unanchored regex matches `rm -rf` inside the heredoc body and the
+# hook blocks a perfectly safe commit. Hit during the 2026-05-03 session
+# repeatedly — the pattern that motivated dependency-audit-gate's 0.15.0
+# segment-split fix.
+#
+# This helper exposes two primitives every Bash-tier hook should use:
+#
+#   for_each_segment "$CMD" CALLBACK
+#     Splits $CMD on shell command separators (`;`, `&&`, `||`, `|`,
+#     newlines) and invokes CALLBACK with each segment as $1, plus the
+#     leading-prefix-stripped form as $2 (with `sudo`/`exec`/`time`/
+#     `then`/`do`/env-var-assignment prefixes removed). Returns 0 if
+#     CALLBACK returned 0 for every segment, or the first non-zero
+#     CALLBACK exit otherwise.
+#
+#   any_segment_matches "$CMD" PATTERN
+#     Iterates segments and returns 0 if any segment's prefix-stripped
+#     form matches PATTERN (a `grep -qiE` extended regex). Returns 1
+#     if no segment matches.
+#
+# Quoting awareness: the splitter is NOT quote-aware. A separator inside
+# a quoted string would be split. This is INTENTIONAL and SAFE: the
+# segments-vs-callback contract is "find segments that anchor on a
+# trigger word." Over-splitting produces extra segments that don't
+# anchor; they're ignored. Under-splitting (treating a quoted separator
+# as part of one segment) is what the original bug was. The trade-off
+# explicitly accepts over-splitting.
+#
+# Quoting note for future maintainers: do not "fix" the over-splitting
+# without breaking the security property. Quote-aware splitting in pure
+# bash is a real lift; if needed it should move to a Node helper.
+
+# Split $1 on shell command separators. Emits one segment per line on
+# stdout (empty segments preserved). Used by both higher-level helpers
+# below; not generally called by hooks directly.
+_rea_split_segments() {
+  local cmd="$1"
+  # GNU sed and BSD sed both honor `s/PATTERN/\n/g` with `-E` for ERE.
+  # We use printf+sed instead of bash IFS=$'...' read so the splitter
+  # behaves identically across BSD and GNU sed.
+  printf '%s\n' "$cmd" | sed -E 's/(\|\||&&|;|\|)/\n/g'
+}
+
+# Strip leading whitespace and well-known command prefixes from a single
+# segment. Returns the prefix-stripped form on stdout. Examples:
+#   "  sudo pnpm install foo"        → "pnpm install foo"
+#   "NODE_ENV=production pnpm add x" → "pnpm add x"
+#   "then pnpm add lodash"           → "pnpm add lodash"
+_rea_strip_prefix() {
+  local seg="$1"
+  # Trim leading whitespace.
+  seg="${seg#"${seg%%[![:space:]]*}"}"
+  # Strip ONE prefix at a time, looping. This handles compounds like
+  # `sudo NODE_ENV=production pnpm add foo`.
+  while :; do
+    case "$seg" in
+      sudo[[:space:]]*|exec[[:space:]]*|time[[:space:]]*|then[[:space:]]*|do[[:space:]]*|else[[:space:]]*)
+        # Drop the prefix word and any subsequent whitespace.
+        seg="${seg#* }"
+        seg="${seg#"${seg%%[![:space:]]*}"}"
+        ;;
+      *)
+        # Env-var assignment prefix (`KEY=value `) — only strip if the
+        # token before the first space looks like NAME=value.
+        if [[ "$seg" =~ ^[A-Za-z_][A-Za-z0-9_]*=[^[:space:]]+[[:space:]]+ ]]; then
+          seg="${seg#* }"
+          seg="${seg#"${seg%%[![:space:]]*}"}"
+        else
+          break
+        fi
+        ;;
+    esac
+  done
+  printf '%s' "$seg"
+}
+
+# Iterate every segment of $1 and invoke $2 (a function name) with the
+# raw segment as $1 and the prefix-stripped form as $2. The callback's
+# return value is honored: a non-zero return aborts the iteration and
+# becomes the helper's return value.
+for_each_segment() {
+  local cmd="$1"
+  local callback="$2"
+  local segment stripped rc
+  while IFS= read -r segment; do
+    stripped=$(_rea_strip_prefix "$segment")
+    "$callback" "$segment" "$stripped"
+    rc=$?
+    if [ "$rc" -ne 0 ]; then
+      return "$rc"
+    fi
+  done < <(_rea_split_segments "$cmd")
+  return 0
+}
+
+# Return 0 if any segment of $1 (after prefix-stripping) matches the
+# extended regex $2 ANYWHERE (not anchored). Case-insensitive. Returns 1
+# if no segment matches.
+#
+# Use this for patterns that may legitimately appear mid-segment, e.g.
+# `Co-Authored-By:` in a commit message body. For "is the segment a
+# call to <command>" use `any_segment_starts_with` instead — that
+# anchors on the start so `echo "rm -rf foo"` doesn't trip an
+# `rm -rf` detector.
+any_segment_matches() {
+  local cmd="$1"
+  local pattern="$2"
+  local segment stripped
+  while IFS= read -r segment; do
+    stripped=$(_rea_strip_prefix "$segment")
+    if printf '%s' "$stripped" | grep -qiE "$pattern"; then
+      return 0
+    fi
+  done < <(_rea_split_segments "$cmd")
+  return 1
+}
+
+# Return 0 if any segment of $1 (after prefix-stripping) STARTS WITH
+# the extended regex $2. Case-insensitive. Returns 1 if no segment
+# starts with the pattern.
+#
+# This is the right shape for "is this segment a call to <command>"
+# checks. `echo "rm -rf foo"` does NOT trigger an `rm -rf` detector
+# because the segment starts with `echo`, not `rm`. Compare to
+# `any_segment_matches`, which matches anywhere in the segment and
+# would fire on the echo'd argument.
+any_segment_starts_with() {
+  local cmd="$1"
+  local pattern="$2"
+  local segment stripped
+  while IFS= read -r segment; do
+    stripped=$(_rea_strip_prefix "$segment")
+    # `^` anchor + caller pattern. `(?:)` non-capturing group not
+    # supported in BSD ERE; we use a simple literal `^` prepend.
+    if printf '%s' "$stripped" | grep -qiE "^${pattern}"; then
+      return 0
+    fi
+  done < <(_rea_split_segments "$cmd")
+  return 1
+}

package/hooks/_lib/protected-paths.sh

@@ -0,0 +1,39 @@
+# shellcheck shell=bash
+# hooks/_lib/protected-paths.sh — single source of truth for the
+# hard-protected path list shared between the Write/Edit tier
+# (`settings-protection.sh`) and the Bash tier (`protected-paths-bash-gate.sh`).
+#
+# Pre-0.15.0 this list was duplicated inline in settings-protection.sh;
+# the bash-redirect bypass (`> .rea/HALT`, `tee .rea/policy.yaml`,
+# `cp X .claude/settings.json`, `sed -i .husky/pre-push`) was caught
+# by the principal-engineer audit. The fix: factor the list out so
+# both hooks read the same data, and protect against shell redirects
+# in addition to Write/Edit/MultiEdit tools.
+
+# The path list is bash glob patterns matched against project-root-
+# relative paths. Suffix `/` indicates a prefix match; no suffix means
+# exact match. Mirrors the array in settings-protection.sh §6.
+REA_PROTECTED_PATTERNS=(
+  '.claude/settings.json'
+  '.claude/settings.local.json'
+  '.husky/'
+  '.rea/policy.yaml'
+  '.rea/HALT'
+)
+
+# Test whether a project-relative path matches any protected pattern.
+# Usage: if rea_path_is_protected ".rea/HALT"; then echo "blocked"; fi
+# Returns 0 on match, 1 on no match.
+rea_path_is_protected() {
+  local p="$1"
+  local pattern
+  for pattern in "${REA_PROTECTED_PATTERNS[@]}"; do
+    if [[ "$p" == "$pattern" ]]; then
+      return 0
+    fi
+    if [[ "$pattern" == */ ]] && [[ "$p" == "$pattern"* ]]; then
+      return 0
+    fi
+  done
+  return 1
+}

package/hooks/attribution-advisory.sh

@@ -50,14 +50,23 @@ if [[ -z "$CMD" ]]; then
   exit 0
 fi
 
+# 0.15.0: source the shared shell-segment splitter. Pre-fix, the
+# attribution patterns greped the FULL command — `git commit -m "Note:
+# Co-Authored-By with AI was removed in 0.14"` matched and the commit
+# was blocked even though the message was COMMENTING on attribution
+# rather than including it. Per-segment anchoring scopes detection to
+# segments whose first token is `git commit` / `gh pr create|edit`.
+# shellcheck source=_lib/cmd-segments.sh
+source "$(dirname "$0")/_lib/cmd-segments.sh"
+
 # ── 6. Check if this is a relevant command ────────────────────────────────────
 IS_RELEVANT=0
 
-if printf '%s' "$CMD" | grep -qiE 'gh[[:space:]]+pr[[:space:]]+(create|edit)'; then
+if any_segment_matches "$CMD" 'gh[[:space:]]+pr[[:space:]]+(create|edit)'; then
   IS_RELEVANT=1
 fi
 
-if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+commit'; then
+if any_segment_matches "$CMD" 'git[[:space:]]+commit'; then
   IS_RELEVANT=1
 fi
 
@@ -70,27 +79,27 @@ fi
 FOUND=0
 
 # Co-Authored-By with noreply@ email
-if printf '%s' "$CMD" | grep -qiE 'Co-Authored-By:.*noreply@'; then
+if any_segment_matches "$CMD" 'Co-Authored-By:.*noreply@'; then
   FOUND=1
 fi
 
 # Co-Authored-By with known AI names
-if printf '%s' "$CMD" | grep -qiE 'Co-Authored-By:.*\b(Claude|Sonnet|Opus|Haiku|Copilot|GPT|ChatGPT|Gemini|Cursor|Codeium|Tabnine|Amazon Q|CodeWhisperer|Devin|Windsurf|Cline|Aider|Anthropic|OpenAI|GitHub Copilot)\b'; then
+if any_segment_matches "$CMD" 'Co-Authored-By:.*\b(Claude|Sonnet|Opus|Haiku|Copilot|GPT|ChatGPT|Gemini|Cursor|Codeium|Tabnine|Amazon Q|CodeWhisperer|Devin|Windsurf|Cline|Aider|Anthropic|OpenAI|GitHub Copilot)\b'; then
   FOUND=1
 fi
 
 # "Generated/Built/Powered with/by [AI Tool]" lines
-if printf '%s' "$CMD" | grep -qiE '(Generated|Created|Built|Powered|Authored|Written|Produced)[[:space:]]+(with|by)[[:space:]]+(Claude|Copilot|GPT|ChatGPT|Gemini|Cursor|Codeium|Tabnine|CodeWhisperer|Devin|Windsurf|Cline|Aider|AI|an? AI)\b'; then
+if any_segment_matches "$CMD" '(Generated|Created|Built|Powered|Authored|Written|Produced)[[:space:]]+(with|by)[[:space:]]+(Claude|Copilot|GPT|ChatGPT|Gemini|Cursor|Codeium|Tabnine|CodeWhisperer|Devin|Windsurf|Cline|Aider|AI|an? AI)\b'; then
   FOUND=1
 fi
 
 # Markdown-linked attribution
-if printf '%s' "$CMD" | grep -qiE '\[Claude Code\]|\[GitHub Copilot\]|\[ChatGPT\]|\[Gemini\]|\[Cursor\]'; then
+if any_segment_matches "$CMD" '\[Claude Code\]|\[GitHub Copilot\]|\[ChatGPT\]|\[Gemini\]|\[Cursor\]'; then
   FOUND=1
 fi
 
 # Emoji attribution
-if printf '%s' "$CMD" | grep -qE '🤖.*[Gg]enerated'; then
+if any_segment_matches "$CMD" '🤖.*[Gg]enerated'; then
   FOUND=1
 fi
 

package/hooks/blocked-paths-enforcer.sh

@@ -106,13 +106,59 @@ normalize_path() {
   if [[ "$p" == "$root"/* ]]; then
     p="${p#$root/}"
   fi
-  p=$(printf '%s' "$p" | sed 's/%2[Ff]/\//g; s/%2[Ee]/./g; s/%20/ /g')
+  # 0.15.0 fix: include `\` (and `%5C` percent-encoded form) in the
+  # normalization. Without this, a path like
+  # `.github\workflows\release.yml` under Windows / Git Bash reaches
+  # that file but compares as a different string than
+  # `.github/workflows/release.yml`, missing the literal blocked-paths
+  # match. Mirrors settings-protection.sh §4 which has had backslash
+  # normalization since 0.10.x.
+  p=$(printf '%s' "$p" | sed 's/%2[Ff]/\//g; s/%2[Ee]/./g; s/%20/ /g; s/%5[Cc]/\\/g')
+  p=$(printf '%s' "$p" | tr '\\\\' '/')
   p="${p#./}"
   printf '%s' "$p"
 }
 
 NORMALIZED=$(normalize_path "$FILE_PATH")
 
+# ── 5a. Path-traversal rejection (0.14.0 iron-gate fix) ───────────────────────
+# Reject any path containing a `..` segment BEFORE the literal-match below.
+# Without this, `foo/../CODEOWNERS` would get past `normalize_path()` (which
+# only strips leading project root + URL-decodes) and the literal-match
+# loop would compare `foo/../CODEOWNERS` against the literal `CODEOWNERS`
+# entry — which doesn't match, so the policy lets the write through. The
+# downstream Write/Edit tool then resolves the traversal and writes to
+# `CODEOWNERS` anyway, defeating the gate.
+#
+# Mirrors settings-protection.sh §5a (which has had this guard since
+# 0.10.x). Both pre- and post-decode forms are checked because
+# normalize_path() URL-decodes earlier and an attacker could split the
+# traversal across encodings (`%2E%2E/`, `..%2F`, etc.).
+raw_has_traversal=0
+norm_has_traversal=0
+case "/$FILE_PATH/" in
+  */../*) raw_has_traversal=1 ;;
+esac
+case "/$NORMALIZED/" in
+  */../*) norm_has_traversal=1 ;;
+esac
+# Also catch URL-encoded traversal in case some tool routes raw-encoded
+# paths through here (e.g. file:// inputs). normalize_path()'s decoder
+# only handles a fixed set; an unrecognized encoding would slip past.
+case "$FILE_PATH" in
+  *%2[Ee]%2[Ee]*|*%2[Ee].*|*.%2[Ee]*) raw_has_traversal=1 ;;
+esac
+if [[ "$raw_has_traversal" -eq 1 ]] || [[ "$norm_has_traversal" -eq 1 ]]; then
+  {
+    printf 'BLOCKED PATH: path traversal rejected\n'
+    printf '\n'
+    printf '  File: %s\n' "$FILE_PATH"
+    printf "  Rule: path contains a '..' segment; rewrite to a canonical\n"
+    printf '        project-relative path without traversal.\n'
+  } >&2
+  exit 2
+fi
+
 for writable in "${AGENT_WRITABLE[@]}"; do
   if [[ "$NORMALIZED" == "$writable" ]] || [[ "$NORMALIZED" == "$writable"* && "$writable" == */ ]]; then
     exit 0

package/hooks/changeset-security-gate.sh

@@ -23,8 +23,12 @@ check_halt
 INPUT="$(cat)"
 TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name // ""')
 
-# Only handle Write and Edit
-if [[ "$TOOL_NAME" != "Write" && "$TOOL_NAME" != "Edit" ]]; then
+# 0.15.0 fix: MultiEdit was not in the allowed tool_name set, so the gate
+# silently exited 0 on every MultiEdit call against `.changeset/*.md` —
+# letting GHSA / CVE pre-disclosure through and skipping frontmatter
+# validation. Same bypass shape as the secret-scanner MultiEdit issue
+# fixed in 0.14.0; this is the second hook in the same family.
+if [[ "$TOOL_NAME" != "Write" && "$TOOL_NAME" != "Edit" && "$TOOL_NAME" != "MultiEdit" ]]; then
   exit 0
 fi
 
@@ -37,12 +41,22 @@ fi
 
 require_jq
 
-# Extract the content being written
+# Extract the content being written. MultiEdit content lives at
+# `tool_input.edits[].new_string` (an array, not a scalar) — see the
+# corresponding extraction in hooks/secret-scanner.sh. We use the same
+# defensive coercion (`tostring` + `if type=="array" then . else [] end`)
+# so a malformed payload fails closed: either yields the empty string
+# (no scan needed, exit 0) or yields a pattern-scannable string.
 if [[ "$TOOL_NAME" == "Write" ]]; then
   CONTENT=$(echo "$INPUT" | jq -r '.tool_input.content // ""')
-else
-  # For Edit: check the new_string being inserted
+elif [[ "$TOOL_NAME" == "Edit" ]]; then
   CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // ""')
+else
+  CONTENT=$(echo "$INPUT" | jq -r '
+    (.tool_input.edits // [] | if type=="array" then . else [] end)
+    | map((.new_string // "") | tostring)
+    | join("\n")
+  ')
 fi
 
 # ─── 1. SECURITY DISCLOSURE CHECK ───────────────────────────────────────────
@@ -90,6 +104,19 @@ fi
 #
 # A changeset without valid frontmatter is silently ignored by the changesets
 # tool — the package bump and CHANGELOG entry never appear in the release.
+#
+# 0.15.0 fix: skip frontmatter validation for MultiEdit. MultiEdit's
+# `tool_input.edits[].new_string` payload is a list of partial string
+# replacements, not the full file body — running the frontmatter
+# validator against the concatenation of new_strings would reject every
+# legitimate MultiEdit on an existing changeset (none of the edit
+# fragments individually contains a frontmatter block, even though the
+# resulting file does). The disclosure scan above still runs on
+# MultiEdit content because GHSA/CVE patterns match per-fragment without
+# any structural assumption.
+if [[ "$TOOL_NAME" == "MultiEdit" ]]; then
+  exit 0
+fi
 
 # Must start with ---
 if ! echo "$CONTENT" | head -1 | grep -qE '^---'; then
@@ -107,9 +134,20 @@ Brief description of what changed and why (close #N if applicable).
 Bump types: patch (bug fix/security), minor (new feature), major (breaking change)"
 fi
 
-# Must have at least one package bump entry and a closing ---
+# Must have at least one package bump entry and a closing ---.
+# 0.15.0 fix: accept single-quoted, double-quoted, AND unquoted package
+# names (all three are valid YAML for the same string). Pre-fix the
+# regex required single quotes, so a tool or human authoring the
+# changeset with `"@scope/name": patch` was rejected as malformed even
+# though the Changesets tool itself accepts every form.
+#
+# Codex round-1 P2-1 fix: explicit-alternation form (no backref) so
+# the unquoted variant matches on BSD grep too. The earlier
+# `^([\"']?)[^\"']+\1: ...` shape relied on backref-with-empty-capture
+# semantics that BSD's grep rejects when the capture group's `?` made
+# it absent — quoted forms matched on macOS but unquoted did not.
 FRONTMATTER=$(echo "$CONTENT" | awk '/^---/{count++; if(count==2){exit} next} count==1{print}')
-if ! echo "$FRONTMATTER" | grep -qE "^'.+': (patch|minor|major)"; then
+if ! echo "$FRONTMATTER" | grep -qE "^(\"[^\"]+\"|'[^']+'|[^\"'[:space:]]+): (patch|minor|major)"; then
   json_output "block" \
     "CHANGESET FORMAT GATE: Frontmatter does not contain a valid package bump entry.
 

package/hooks/dangerous-bash-interceptor.sh

@@ -15,6 +15,15 @@
 
 set -uo pipefail
 
+# Source shared shell-segment splitter (0.15.0). Provides
+# `any_segment_matches "$CMD" PATTERN` which iterates segments split on
+# &&/||/;/| and runs the pattern with `grep -qiE` against each
+# prefix-stripped segment. Replaces full-command grep that
+# false-positives on heredoc bodies and commit messages mentioning
+# trigger words.
+# shellcheck source=_lib/cmd-segments.sh
+source "$(dirname "$0")/_lib/cmd-segments.sh"
+
 # ── 1. Read ALL stdin immediately before doing anything else ──────────────────
 INPUT=$(cat)
 
@@ -84,26 +93,21 @@ add_medium() {
 }
 
 # ── 7. Per-segment evaluation helper ──────────────────────────────────────────
-# Split on &&, ||, ;, and newlines and test a pattern against each segment.
-# Returns 0 if ANY segment matches the pattern.
-any_segment_matches() {
-  local PATTERN="$1"
-  while IFS= read -r SEG; do
-    if printf '%s' "$SEG" | grep -qiE "$PATTERN"; then
-      return 0
-    fi
-  done < <(printf '%s' "$CMD" | sed 's/&&/\n/g; s/||/\n/g; s/;/\n/g')
-  return 1
-}
+# (Migrated to `_lib/cmd-segments.sh::any_segment_matches` as of 0.15.0.
+# The previous inline helper was defined here but never called — H3-H17
+# all greped the WHOLE command, which false-positived on heredoc bodies
+# and commit messages mentioning trigger words. Migration: every check
+# now uses `any_segment_matches "$CMD" PATTERN` with the helper sourced
+# at the top of this file.)
 
 # ── 8. Smart exclusion flags ──────────────────────────────────────────────────
 CMD_IS_REBASE_SAFE=0
-if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+(rebase)[[:space:]].*(--abort|--continue)'; then
+if any_segment_starts_with "$CMD" 'git[[:space:]]+(rebase)[[:space:]].*(--abort|--continue)'; then
   CMD_IS_REBASE_SAFE=1
 fi
 
 CMD_IS_CLEAN_DRY=0
-if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+clean.*([ \t]-n|--dry-run)'; then
+if any_segment_starts_with "$CMD" 'git[[:space:]]+clean.*([ \t]-n|--dry-run)'; then
   CMD_IS_CLEAN_DRY=1
 fi
 
@@ -111,26 +115,41 @@ fi
 
 # H1: git push --force or -f (per-segment — prevents --force-with-lease poisoning)
 # A segment containing --force-with-lease is excluded; other segments are not.
-while IFS= read -r SEGMENT; do
-  SEGMENT=$(printf '%s' "$SEGMENT" | sed 's/^[[:space:]]*//')
-  [[ -z "$SEGMENT" ]] && continue
-  # Skip segments that use the safe --force-with-lease
-  if printf '%s' "$SEGMENT" | grep -qiE 'git[[:space:]]+push.*--force-with-lease'; then
-    continue
+# 0.15.0: also catches `git push origin +<branch>` (refspec-prefix force-push
+# shorthand) which the previous version missed.
+_h1_check() {
+  local _raw="$1" SEGMENT="$2"
+  [[ -z "$SEGMENT" ]] && return 0
+  # 0.15.0 codex P1 fix: anchor on `^git push`. Pre-fix the unanchored
+  # match meant `echo "git push --force is bad"` triggered H1 even
+  # though no actual push was happening (the segment after prefix-strip
+  # was `echo "..."`, not `git push`). Anchoring scopes detection to
+  # segments whose first token IS git push.
+  printf '%s' "$SEGMENT" | grep -qiE '^git[[:space:]]+push([[:space:]]|$)' || return 0
+  # Skip segments that use the safe --force-with-lease.
+  if printf '%s' "$SEGMENT" | grep -qiE -- '--force-with-lease'; then
+    return 0
   fi
-  if printf '%s' "$SEGMENT" | grep -qiE 'git[[:space:]]+push.*(--force|-f[[:space:]])' || \
-     printf '%s' "$SEGMENT" | grep -qiE 'git[[:space:]]+push.*(--force|-f)$'; then
+  # 0.15.0 codex P1 fix: combined-flag forms (`-fu`, `-uf`, `-Fu`) and
+  # long-form `--force=value` were not caught by the previous
+  # `-f[[:space:]]` shape. The flag-cluster pattern `-[a-zA-Z]*f[a-zA-Z]*`
+  # (followed by space or EOS) mirrors how H11 handles rm flag clusters.
+  # The refspec-prefix `+` on a branch name is git's force-push shorthand.
+  if printf '%s' "$SEGMENT" | grep -qiE -- '--force([[:space:]]|=|$)' || \
+     printf '%s' "$SEGMENT" | grep -qiE -- '(^|[[:space:]])-[a-zA-Z]*f[a-zA-Z]*([[:space:]]|$)' || \
+     printf '%s' "$SEGMENT" | grep -qE -- '[[:space:]]\+[A-Za-z0-9_./-]'; then
     add_high \
       "git push --force — force push detected" \
       "Force-pushing rewrites public history and breaks collaborators' local copies." \
       "Alt: Use 'git push --force-with-lease' — blocks if upstream has new commits you haven't pulled."
-    break
   fi
-done < <(printf '%s' "$CMD" | sed 's/&&/\n/g; s/||/\n/g; s/;/\n/g')
+  return 0
+}
+for_each_segment "$CMD" _h1_check
 
 # H2: git rebase — advisory (MEDIUM)
 if [[ $CMD_IS_REBASE_SAFE -eq 0 ]]; then
-  if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+rebase([[:space:]]|$)'; then
+  if any_segment_starts_with "$CMD" 'git[[:space:]]+rebase([[:space:]]|$)'; then
     add_medium \
       "git rebase — rewrites commit history (advisory)" \
       "Rebase changes commit SHAs. Safe on local feature branches; dangerous on shared/published branches." \
@@ -140,7 +159,7 @@ if [[ $CMD_IS_REBASE_SAFE -eq 0 ]]; then
 fi
 
 # H3: git checkout -- .
-if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+checkout[[:space:]]+--[[:space:]]+\.'; then
+if any_segment_starts_with "$CMD" 'git[[:space:]]+checkout[[:space:]]+--[[:space:]]+\.'; then
   add_high \
     "git checkout -- . — discards all uncommitted changes" \
     "Overwrites working tree changes with HEAD. Uncommitted work is lost permanently." \
@@ -148,8 +167,8 @@ if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+checkout[[:space:]]+--[[:space
 fi
 
 # H4: git restore . (any form — with or without --staged flag)
-if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+restore[[:space:]].*[[:space:]]\.([[:space:]]|$)' || \
-   printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+restore[[:space:]]+\.[[:space:]]*$'; then
+if any_segment_starts_with "$CMD" 'git[[:space:]]+restore[[:space:]].*[[:space:]]\.([[:space:]]|$)' || \
+   any_segment_starts_with "$CMD" 'git[[:space:]]+restore[[:space:]]+\.[[:space:]]*$'; then
   add_high \
     "git restore . — discards all uncommitted changes" \
     "Restores every tracked file to HEAD, permanently discarding all working tree modifications." \
@@ -158,7 +177,7 @@ fi
 
 # H5: git clean -f
 if [[ $CMD_IS_CLEAN_DRY -eq 0 ]]; then
-  if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+clean[[:space:]]+-[a-zA-Z]*f'; then
+  if any_segment_starts_with "$CMD" 'git[[:space:]]+clean[[:space:]]+-[a-zA-Z]*f'; then
     add_high \
       "git clean -f — removes untracked files" \
       "Permanently deletes untracked files from the working tree. Cannot be undone via git." \
@@ -167,7 +186,7 @@ if [[ $CMD_IS_CLEAN_DRY -eq 0 ]]; then
 fi
 
 # H6: DROP TABLE or DROP DATABASE in psql
-if printf '%s' "$CMD" | grep -qiE '(psql|pgcli)[^|&;]*DROP[[:space:]]+(TABLE|DATABASE|SCHEMA)'; then
+if any_segment_matches "$CMD" '(psql|pgcli)[^|&;]*DROP[[:space:]]+(TABLE|DATABASE|SCHEMA)'; then
   add_high \
     "DROP TABLE/DATABASE via psql — destructive DDL" \
     "Running destructive DDL directly in psql bypasses migration pipeline safety checks." \
@@ -175,7 +194,7 @@ if printf '%s' "$CMD" | grep -qiE '(psql|pgcli)[^|&;]*DROP[[:space:]]+(TABLE|DAT
 fi
 
 # H7: kill -9 with pgrep subshell
-if printf '%s' "$CMD" | grep -qiE 'kill[[:space:]]+-9[[:space:]]+(\$\(|`)'; then
+if any_segment_starts_with "$CMD" 'kill[[:space:]]+-9[[:space:]]+(\$\(|`)'; then
   add_high \
     "kill -9 with pgrep subshell — aggressive process termination" \
     "Sends SIGKILL to processes matched by name, which may kill unintended processes." \
@@ -183,7 +202,7 @@ if printf '%s' "$CMD" | grep -qiE 'kill[[:space:]]+-9[[:space:]]+(\$\(|`)'; then
 fi
 
 # H8: killall -9
-if printf '%s' "$CMD" | grep -qiE 'killall[[:space:]]+-9[[:space:]]+\S'; then
+if any_segment_starts_with "$CMD" 'killall[[:space:]]+-9[[:space:]]+\S'; then
   add_high \
     "killall -9 — SIGKILL all matching processes" \
     "Immediately terminates all processes with the given name without cleanup." \
@@ -191,7 +210,7 @@ if printf '%s' "$CMD" | grep -qiE 'killall[[:space:]]+-9[[:space:]]+\S'; then
 fi
 
 # H9: git commit --no-verify
-if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+commit.*--no-verify'; then
+if any_segment_starts_with "$CMD" 'git[[:space:]]+commit.*--no-verify'; then
   add_high \
     "git commit --no-verify — skipping pre-commit hooks" \
     "Bypasses all pre-commit safety gates including secret scanning and linting." \
@@ -199,7 +218,7 @@ if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+commit.*--no-verify'; then
 fi
 
 # H10: HUSKY=0 bypass — suppresses all git hooks without --no-verify
-if printf '%s' "$CMD" | grep -qiE '(^|[[:space:];]|&&|\|\|)HUSKY=0[[:space:]]+git[[:space:]]+(commit|push|tag)'; then
+if any_segment_matches "$CMD" '(^|[[:space:];]|&&|\|\|)HUSKY=0[[:space:]]+git[[:space:]]+(commit|push|tag)'; then
   add_high \
     "HUSKY=0 — bypasses all husky git hooks" \
     "Setting HUSKY=0 disables pre-commit, commit-msg, and pre-push safety gates without --no-verify." \
@@ -208,13 +227,18 @@ fi
 
 # H11: rm -rf with broad targets
 # Covers combined flags (rm -rf, rm -fr), split flags (rm -r -f), and long flags (rm --recursive --force)
-BROAD_TARGETS='(\/|~\/|\.\/\*|\*|\.|src|dist|build|node_modules)'
-if printf '%s' "$CMD" | grep -qiE "rm[[:space:]]+-[a-zA-Z]*r[a-zA-Z]*f[[:space:]]+${BROAD_TARGETS}" || \
-   printf '%s' "$CMD" | grep -qiE "rm[[:space:]]+-[a-zA-Z]*f[a-zA-Z]*r[[:space:]]+${BROAD_TARGETS}" || \
-   printf '%s' "$CMD" | grep -qiE "rm[[:space:]]+-[a-zA-Z]*r[[:space:]]+-[a-zA-Z]*f[[:space:]]+${BROAD_TARGETS}" || \
-   printf '%s' "$CMD" | grep -qiE "rm[[:space:]]+-[a-zA-Z]*f[[:space:]]+-[a-zA-Z]*r[[:space:]]+${BROAD_TARGETS}" || \
-   printf '%s' "$CMD" | grep -qiE "rm[[:space:]]+--recursive[[:space:]]+--force[[:space:]]+${BROAD_TARGETS}" || \
-   printf '%s' "$CMD" | grep -qiE "rm[[:space:]]+--force[[:space:]]+--recursive[[:space:]]+${BROAD_TARGETS}"; then
+# 0.15.0 fix: anchored each target on word boundary (whitespace-or-EOS).
+# The previous form had a bare `\.` which matched `rm -rf .git/foo`
+# (legitimate `.git/`-tree cleanup). Each token now requires either
+# end-of-string or whitespace after — so `.` alone matches `rm -rf .`
+# (the cwd, dangerous) but NOT `rm -rf .git/foo`.
+BROAD_TARGETS='(\/|~\/|\.\/\*|\*|\.|src|dist|build|node_modules)([[:space:]]|$)'
+if any_segment_starts_with "$CMD" "rm[[:space:]]+-[a-zA-Z]*r[a-zA-Z]*f[[:space:]]+${BROAD_TARGETS}" || \
+   any_segment_starts_with "$CMD" "rm[[:space:]]+-[a-zA-Z]*f[a-zA-Z]*r[[:space:]]+${BROAD_TARGETS}" || \
+   any_segment_starts_with "$CMD" "rm[[:space:]]+-[a-zA-Z]*r[[:space:]]+-[a-zA-Z]*f[[:space:]]+${BROAD_TARGETS}" || \
+   any_segment_starts_with "$CMD" "rm[[:space:]]+-[a-zA-Z]*f[[:space:]]+-[a-zA-Z]*r[[:space:]]+${BROAD_TARGETS}" || \
+   any_segment_starts_with "$CMD" "rm[[:space:]]+--recursive[[:space:]]+--force[[:space:]]+${BROAD_TARGETS}" || \
+   any_segment_starts_with "$CMD" "rm[[:space:]]+--force[[:space:]]+--recursive[[:space:]]+${BROAD_TARGETS}"; then
   add_high \
     "rm -rf with broad target — mass file deletion" \
     "Permanently deletes files and directories. Cannot be undone." \
@@ -222,7 +246,7 @@ if printf '%s' "$CMD" | grep -qiE "rm[[:space:]]+-[a-zA-Z]*r[a-zA-Z]*f[[:space:]
 fi
 
 # H12: curl/wget piped directly to shell (supply chain attack vector)
-if printf '%s' "$CMD" | grep -qiE '(curl|wget)[^|]*\|[[:space:]]*(bash|sh|zsh|fish)'; then
+if any_segment_matches "$CMD" '(curl|wget)[^|]*\|[[:space:]]*(bash|sh|zsh|fish)'; then
   add_high \
     "curl/wget piped to shell — remote code execution" \
     "Executing remote scripts without inspection is a major supply chain risk." \
@@ -230,7 +254,7 @@ if printf '%s' "$CMD" | grep -qiE '(curl|wget)[^|]*\|[[:space:]]*(bash|sh|zsh|fi
 fi
 
 # H13: git push --no-verify — bypasses pre-push hooks
-if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+push.*--no-verify'; then
+if any_segment_starts_with "$CMD" 'git[[:space:]]+push.*--no-verify'; then
   add_high \
     "git push --no-verify — skipping pre-push hooks" \
     "Bypasses all pre-push safety gates including CI checks." \
@@ -238,7 +262,7 @@ if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+push.*--no-verify'; then
 fi
 
 # H14: git -c core.hooksPath= — redirects or disables hook execution
-if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+-c[[:space:]]+core\.hookspath'; then
+if any_segment_starts_with "$CMD" 'git[[:space:]]+-c[[:space:]]+core\.hookspath'; then
   add_high \
     "git -c core.hooksPath — overriding hooks directory" \
     "Redirecting the hooks path can disable all safety hooks." \
@@ -246,7 +270,7 @@ if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+-c[[:space:]]+core\.hookspath'
 fi
 
 # H15: REA_BYPASS env var — attempted escape hatch
-if printf '%s' "$CMD" | grep -qiE '(^|[[:space:];]|&&|\|\|)REA_BYPASS[[:space:]]*='; then
+if any_segment_matches "$CMD" '(^|[[:space:];]|&&|\|\|)REA_BYPASS[[:space:]]*='; then
   add_high \
     "REA_BYPASS env var — unauthorized bypass attempt" \
     "Setting REA_BYPASS is not a supported escape mechanism and indicates a bypass attempt." \
@@ -254,7 +278,7 @@ if printf '%s' "$CMD" | grep -qiE '(^|[[:space:];]|&&|\|\|)REA_BYPASS[[:space:]]
 fi
 
 # H16: alias/function definitions containing bypass strings
-if printf '%s' "$CMD" | grep -qiE '(alias|function)[[:space:]]+[a-zA-Z_]+.*(--(no-verify|force)|HUSKY=0|core\.hookspath)'; then
+if any_segment_matches "$CMD" '(alias|function)[[:space:]]+[a-zA-Z_]+.*(--(no-verify|force)|HUSKY=0|core\.hookspath)'; then
   add_high \
     "Alias/function definition with bypass — circumventing safety gates" \
     "Defining aliases or functions that embed bypass flags defeats safety hooks." \
@@ -307,7 +331,7 @@ fi
 # ── 10. MEDIUM severity checks ────────────────────────────────────────────────
 
 # M1: npm install --force
-if printf '%s' "$CMD" | grep -qiE 'npm[[:space:]]+(install|i)[[:space:]].*--force'; then
+if any_segment_matches "$CMD" 'npm[[:space:]]+(install|i)[[:space:]].*--force'; then
   add_medium \
     "npm install --force — bypasses dependency resolution" \
     "--force skips conflict checks and can install incompatible package versions." \