@bookedsolid/rea 0.13.3 → 0.15.0

package/hooks/dependency-audit-gate.sh

@@ -43,30 +43,60 @@ fi
 extract_packages() {
   local cmd="$1"
 
-  # npm install/add with packages (skip flags and local paths)
-  if printf '%s' "$cmd" | grep -qiE '(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install)|yarn[[:space:]]+add)[[:space:]]'; then
-    # Extract the part after the install command
-    local after_cmd
-    after_cmd=$(printf '%s' "$cmd" | sed -E 's/.*(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install)|yarn[[:space:]]+add)[[:space:]]+//')
-
-    # Split on spaces and filter
-    for token in $after_cmd; do
-      # Skip flags
-      if [[ "$token" == -* ]]; then continue; fi
-      # Skip local paths
-      if [[ "$token" == ./* || "$token" == /* || "$token" == ../* ]]; then continue; fi
-      # Skip empty
-      if [[ -z "$token" ]]; then continue; fi
-      # Strip version specifier for lookup
-      local pkg_name
-      pkg_name=$(printf '%s' "$token" | sed -E 's/@[^@/]+$//')
-      # Handle scoped packages (@scope/name)
-      if [[ -z "$pkg_name" ]]; then
-        pkg_name="$token"
-      fi
-      printf '%s\n' "$pkg_name"
-    done
-  fi
+  # 0.15.0 fix: the previous parser ran `grep` against the entire bash
+  # command string with no segment boundary anchor. A heredoc body or
+  # commit-message containing `pnpm install` (e.g. inside
+  # `git commit -m "$(cat <<EOF ... pnpm install ... EOF)"`) matched the
+  # grep, the `.*` in the sed stripped up to that occurrence, and the rest
+  # of the command (`chore:`, `&&`, `||`, etc.) was passed to
+  # `npm view <token> name` and reported as missing packages. The hook
+  # then refused to commit perfectly innocent code.
+  #
+  # Fix: split the command on shell command separators (`;`, `&&`, `||`,
+  # `|`, newlines) and only run the install-detection on segments whose
+  # FIRST non-whitespace token is one of the install commands. Heredoc
+  # bodies inside `$()` substitutions are NOT split into separate segments
+  # — the entire `$(cat <<EOF ... EOF)` is one token attached to the
+  # outer command — but they're never the FIRST token on a segment, so
+  # the anchor rejects them.
+
+  # Tokenize on shell separators. Each `IFS=` entry becomes a separate
+  # segment we can anchor against. We use bash's `mapfile` with a sed
+  # to inject newlines at separators; awk-based splitting handles the
+  # quoting heuristic well enough for the realistic cases (agent-issued
+  # commands rarely have separators inside single-quoted strings that
+  # would confuse this).
+  local segments
+  segments=$(printf '%s\n' "$cmd" | sed -E 's/(\|\||\&\&|;|\|)/\n/g')
+
+  while IFS= read -r segment; do
+    # Trim leading whitespace.
+    segment="${segment#"${segment%%[![:space:]]*}"}"
+    # Anchor to start: only match when the install command is the FIRST
+    # thing on the segment, optionally preceded by `sudo` / `exec` /
+    # `time` / etc.
+    if printf '%s' "$segment" | grep -qiE '^(sudo[[:space:]]+|exec[[:space:]]+|time[[:space:]]+)*(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]+'; then
+      # Strip the leading prefix wrappers + install command, leaving args.
+      local after_cmd
+      after_cmd=$(printf '%s' "$segment" | sed -E 's/^(sudo[[:space:]]+|exec[[:space:]]+|time[[:space:]]+)*(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]+//')
+
+      for token in $after_cmd; do
+        if [[ "$token" == -* ]]; then continue; fi
+        if [[ "$token" == ./* || "$token" == /* || "$token" == ../* ]]; then continue; fi
+        if [[ -z "$token" ]]; then continue; fi
+        # `npm view` can't validate `@workspace:*` / `link:` / `file:`
+        # prefixes (workspace protocols). Skip them — they're never npm
+        # registry packages.
+        if [[ "$token" == workspace:* || "$token" == link:* || "$token" == file:* || "$token" == git+* ]]; then continue; fi
+        local pkg_name
+        pkg_name=$(printf '%s' "$token" | sed -E 's/@[^@/]+$//')
+        if [[ -z "$pkg_name" ]]; then
+          pkg_name="$token"
+        fi
+        printf '%s\n' "$pkg_name"
+      done
+    fi
+  done <<< "$segments"
 }
 
 PACKAGES=$(extract_packages "$CMD")

package/hooks/env-file-protection.sh

@@ -17,6 +17,12 @@
 
 set -uo pipefail
 
+# Source shared shell-segment splitter (0.15.0). Replaces full-command
+# grep that false-positives on commit messages mentioning `.env` (e.g.
+# `git commit -m "stop reading .env via cat"`).
+# shellcheck source=_lib/cmd-segments.sh
+source "$(dirname "$0")/_lib/cmd-segments.sh"
+
 INPUT=$(cat)
 
 # ── Dependency check ──────────────────────────────────────────────────────────
@@ -70,17 +76,21 @@ PATTERN_ENV_FILE='(\.env[a-zA-Z0-9._-]*|\.envrc)([[:space:]]|"|'"'"'|$)'
 MATCHES_UTILITY=0
 MATCHES_ENV_FILE=0
 
-if printf '%s' "$CMD" | grep -qE "$PATTERN_UTILITY"; then
+# 0.15.0: per-segment match. Pre-fix this greped the FULL command which
+# false-positived on commit messages: `git commit -m "stop reading .env
+# files via cat"` matched both PATTERN_UTILITY (cat) and PATTERN_ENV_FILE
+# (.env) and the hook blocked a perfectly safe commit.
+if any_segment_matches "$CMD" "$PATTERN_UTILITY"; then
   MATCHES_UTILITY=1
 fi
 
-if printf '%s' "$CMD" | grep -qE "$PATTERN_ENV_FILE"; then
+if any_segment_matches "$CMD" "$PATTERN_ENV_FILE"; then
   MATCHES_ENV_FILE=1
 fi
 
 # Direct source/cp of .env files — always block
-if printf '%s' "$CMD" | grep -qE "$PATTERN_SOURCE" || \
-   printf '%s' "$CMD" | grep -qE "$PATTERN_CP_ENV"; then
+if any_segment_matches "$CMD" "$PATTERN_SOURCE" || \
+   any_segment_matches "$CMD" "$PATTERN_CP_ENV"; then
   TRUNCATED_CMD=$(truncate_cmd "$CMD")
   {
     printf 'ENV FILE PROTECTION: Direct sourcing or copying of .env files is blocked.\n'

package/hooks/protected-paths-bash-gate.sh

@@ -0,0 +1,213 @@
+#!/bin/bash
+# PreToolUse hook: protected-paths-bash-gate.sh
+# Fires BEFORE every Bash tool call.
+# Refuses Bash commands that write to PROTECTED_PATTERNS via shell
+# redirection or write-flag utilities — the kill-switch and policy
+# files MUST be unreachable via any tool surface, including Bash.
+#
+# Pre-0.15.0, settings-protection.sh §6 protected `.rea/HALT`,
+# `.rea/policy.yaml`, `.claude/settings.json`, `.husky/*` against
+# Write/Edit/MultiEdit tool calls. But shell redirects bypassed it
+# entirely:
+#
+#   printf '...' > .rea/HALT          # bypass — Bash matcher only
+#   tee .rea/policy.yaml < new.yaml   # bypass
+#   cp new-settings.json .claude/settings.json
+#   sed -i '' '/foo/d' .husky/pre-push
+#   dd of=.rea/HALT
+#
+# This hook closes that gap by detecting redirect/write patterns
+# whose target matches the same `_lib/protected-paths.sh` allowlist.
+#
+# Exit codes:
+#   0 = no protected-path write detected — allow
+#   2 = protected-path write via Bash detected — block
+
+set -uo pipefail
+
+# shellcheck source=_lib/protected-paths.sh
+source "$(dirname "$0")/_lib/protected-paths.sh"
+# shellcheck source=_lib/cmd-segments.sh
+source "$(dirname "$0")/_lib/cmd-segments.sh"
+
+INPUT=$(cat)
+
+if ! command -v jq >/dev/null 2>&1; then
+  printf 'REA ERROR: jq is required but not installed.\n' >&2
+  exit 2
+fi
+
+REA_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+
+# HALT check — uniform with other hooks.
+HALT_FILE="${REA_ROOT}/.rea/HALT"
+if [ -f "$HALT_FILE" ]; then
+  printf 'REA HALT: %s\nAll agent operations suspended. Run: rea unfreeze\n' \
+    "$(head -c 1024 "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
+  exit 2
+fi
+
+CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+if [[ -z "$CMD" ]]; then
+  exit 0
+fi
+
+# Normalize a path token: strip enclosing quotes, strip leading
+# `$REA_ROOT/`, strip leading `./`. The result is project-relative
+# for matching against REA_PROTECTED_PATTERNS.
+_normalize_target() {
+  local t="$1"
+  # Strip matching surrounding quotes.
+  if [[ "$t" =~ ^\"(.*)\"$ ]]; then t="${BASH_REMATCH[1]}"; fi
+  if [[ "$t" =~ ^\'(.*)\'$ ]]; then t="${BASH_REMATCH[1]}"; fi
+  # Strip $REA_ROOT prefix (with or without trailing slash).
+  if [[ "$t" == "$REA_ROOT"/* ]]; then t="${t#"$REA_ROOT"/}"; fi
+  # Strip leading ./
+  while [[ "$t" == ./* ]]; do t="${t#./}"; done
+  printf '%s' "$t"
+}
+
+# Refuse and exit 2 with a uniform error message.
+_refuse() {
+  local pattern="$1" target="$2" segment="$3"
+  {
+    printf 'PROTECTED PATH (bash): write to a package-managed file blocked\n'
+    printf '\n'
+    printf '  Pattern matched: %s\n' "$pattern"
+    printf '  Resolved target: %s\n' "$target"
+    printf '  Segment:         %s\n' "$segment"
+    printf '\n'
+    printf '  Rule: protected paths (kill-switch, policy.yaml, settings.json,\n'
+    printf '        .husky/*) are unreachable via Bash redirects too — not just\n'
+    printf '        Write/Edit/MultiEdit. To modify, a human must edit directly.\n'
+  } >&2
+  exit 2
+}
+
+# Inspect one segment for redirect / write patterns and refuse if the
+# target matches any protected pattern.
+_check_segment() {
+  local _raw="$1" segment="$2"
+  [[ -z "$segment" ]] && return 0
+
+  local target_token=""
+  local detected_form=""
+
+  # bash `[[ =~ ]]` regex literals with `|` and `(...)` parsed inline
+  # confuse some bash versions on macOS. Use named variables for each
+  # pattern so the literal stays in a string context only.
+  local re_redirect='(^|[[:space:]])(&>|2>>|2>|>>|>)[[:space:]]*([^[:space:]&|;<>]+)'
+  local re_cpmv='(^|[[:space:]])(cp|mv)[[:space:]]+[^&|;<>]+[[:space:]]([^[:space:]&|;<>]+)[[:space:]]*$'
+  local re_sed='(^|[[:space:]])sed[[:space:]]+(-[a-zA-Z]*i[a-zA-Z]*[^[:space:]]*)[[:space:]]+[^&|;<>]+[[:space:]]([^[:space:]&|;<>]+)[[:space:]]*$'
+  local re_dd='(^|[[:space:]])dd[[:space:]]+[^&|;<>]*of=([^[:space:]&|;<>]+)'
+  # 0.15.0 codex P1 fix: replaced the bash-3.2-broken `(...)*` pattern
+  # for tee/truncate flag-skipping with a token-walk approach that
+  # works across BSD bash 3.2 and GNU bash 4+. Walks every token after
+  # the command, skips flags (single-dash short, double-dash long with
+  # optional =value), returns the first non-flag token as the target.
+
+  if [[ "$segment" =~ $re_redirect ]]; then
+    target_token="${BASH_REMATCH[3]}"
+    detected_form="redirect ${BASH_REMATCH[2]}"
+  elif [[ "$segment" =~ $re_cpmv ]]; then
+    target_token="${BASH_REMATCH[3]}"
+    detected_form="${BASH_REMATCH[2]}"
+  elif [[ "$segment" =~ $re_sed ]]; then
+    target_token="${BASH_REMATCH[3]}"
+    detected_form="sed -i"
+  elif [[ "$segment" =~ $re_dd ]]; then
+    target_token="${BASH_REMATCH[2]}"
+    detected_form="dd of="
+  else
+    # tee / truncate / install / ln — token-walk for cross-bash safety.
+    # Read tokens, find the command, then return the first non-flag arg.
+    local prev_word="" found_cmd=""
+    local _seg_for_walk="$segment"
+    # Strip leading whitespace.
+    _seg_for_walk="${_seg_for_walk#"${_seg_for_walk%%[![:space:]]*}"}"
+    # shellcheck disable=SC2086
+    set -- $_seg_for_walk
+    while [ "$#" -gt 0 ]; do
+      local tok="$1"
+      shift
+      if [[ -z "$found_cmd" ]]; then
+        case "$tok" in
+          tee|truncate|install|ln)
+            found_cmd="$tok"
+            ;;
+        esac
+        prev_word="$tok"
+        continue
+      fi
+      # We're inside the command's argv. Skip flags.
+      case "$tok" in
+        --) continue ;;
+        --*=*) continue ;;
+        --*)
+          # Long flag — may take a value as the NEXT token (we don't
+          # know which long options take values). For safety, skip
+          # only known no-value long flags; otherwise consume the
+          # next token too if it looks like a value.
+          case "$tok" in
+            --append|--ignore-interrupts|--no-clobber|--force|--no-target-directory|--symbolic|--no-dereference|--reference=*) continue ;;
+            *) shift 2>/dev/null || true; continue ;;
+          esac
+          ;;
+        -*)
+          # Short flag cluster. Skip. truncate -s SIZE — `-s` is a flag,
+          # SIZE is its arg. We're conservative: skip the next token if
+          # the flag cluster's last char is one of the size-bearing
+          # flags (truncate -s, install -m, ln -t).
+          case "$tok" in
+            -s*|-m*|-o*|-g*|-t*) shift 2>/dev/null || true ;;
+          esac
+          continue
+          ;;
+        *)
+          # First non-flag token — this is the target (or, for cp/mv-
+          # like commands, the first source; the cpmv detector above
+          # handles those separately). We treat ALL non-flag args as
+          # potential targets and check each — that catches
+          # `tee a b c` where any of a/b/c could be a protected file.
+          target_token="$tok"
+          detected_form="$found_cmd"
+          # Check this token immediately; if not protected, keep
+          # walking — there may be more positional args.
+          local _t
+          _t=$(_normalize_target "$target_token")
+          if rea_path_is_protected "$_t"; then
+            local matched=""
+            for pattern in "${REA_PROTECTED_PATTERNS[@]}"; do
+              if [[ "$_t" == "$pattern" ]]; then matched="$pattern"; break; fi
+              if [[ "$pattern" == */ && "$_t" == "$pattern"* ]]; then matched="$pattern"; break; fi
+            done
+            _refuse "$matched" "$_t" "$segment"
+          fi
+          # Reset target_token so the post-loop check doesn't double-check.
+          target_token=""
+          ;;
+      esac
+    done
+  fi
+
+  if [[ -z "$target_token" ]]; then
+    return 0
+  fi
+
+  local target
+  target=$(_normalize_target "$target_token")
+  if rea_path_is_protected "$target"; then
+    # Find the matching pattern for the error message.
+    local matched=""
+    for pattern in "${REA_PROTECTED_PATTERNS[@]}"; do
+      if [[ "$target" == "$pattern" ]]; then matched="$pattern"; break; fi
+      if [[ "$pattern" == */ && "$target" == "$pattern"* ]]; then matched="$pattern"; break; fi
+    done
+    _refuse "$matched" "$target" "$segment"
+  fi
+  return 0
+}
+
+for_each_segment "$CMD" _check_segment
+
+exit 0

package/hooks/secret-scanner.sh

@@ -40,11 +40,41 @@ fi
 FILE_PATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
 CONTENT_WRITE=$(printf '%s' "$INPUT" | jq -r '.tool_input.content // empty' 2>/dev/null)
 CONTENT_EDIT=$(printf '%s' "$INPUT"  | jq -r '.tool_input.new_string // empty' 2>/dev/null)
+# MultiEdit (0.14.0 fix): the payload is at tool_input.edits[].new_string —
+# an array, not a scalar — and the prior versions of this hook never read
+# it. Result: any agent could route credential writes through MultiEdit and
+# bypass the secret scanner entirely. We extract every `new_string` value
+# from the edits array and concatenate them with newlines so the awk-based
+# pattern scan below treats them like any other write content.
+#
+# Defensive coercion (codex round-1 P1): a malformed payload where
+# `new_string` is a number, object, or array would make jq error out, the
+# `2>/dev/null` would swallow stderr, `CONTENT_MULTIEDIT` would be empty,
+# and the precedence chain below would fall through to `exit 0` —
+# silently allowing the write. Same fail-open mode for a non-array
+# `edits` value. We:
+#
+#   1. Coerce `.tool_input.edits` to `[]` if it's anything other than an
+#      array (`if type=="array" then . else [] end`)
+#   2. Coerce every `new_string` to a string via `tostring` so jq cannot
+#      fail on heterogeneous types
+#
+# Both layers fail closed: a malformed payload either yields the empty
+# string (no scan needed, exit 0 from the precedence chain) or yields a
+# pattern-scannable string. There is no path where jq errors silently and
+# the hook falls through to allow.
+CONTENT_MULTIEDIT=$(printf '%s' "$INPUT" | jq -r '
+  (.tool_input.edits // [] | if type=="array" then . else [] end)
+  | map((.new_string // "") | tostring)
+  | join("\n")
+' 2>/dev/null)
 
 if [[ -n "$CONTENT_WRITE" ]]; then
   CONTENT="$CONTENT_WRITE"
 elif [[ -n "$CONTENT_EDIT" ]]; then
   CONTENT="$CONTENT_EDIT"
+elif [[ -n "$CONTENT_MULTIEDIT" ]]; then
+  CONTENT="$CONTENT_MULTIEDIT"
 else
   exit 0
 fi

package/hooks/settings-protection.sh

@@ -157,14 +157,27 @@ LOWER_NORM=$(printf '%s' "$NORMALIZED" | tr '[:upper:]' '[:lower:]')
 # package-managed body — §5a kills it before this matcher runs.
 #
 # SECURITY (defense-in-depth): symlinks INSIDE the .d/ surface are
-# refused. A fragment is a short shell script authored in place;
-# consumers do not need symlinks here. Without this check, a sequence
-# like `ln -s ../pre-push .husky/pre-push.d/00-evil; write 00-evil`
-# would be allowed by §5b's path-string match and the downstream
-# Write/Edit tool would follow the symlink, overwriting the
-# package-managed `.husky/pre-push` body that §6 is meant to protect.
-# Costs near-zero (no legitimate use case for symlinked fragments);
-# closes the path-string→symlink bypass completely.
+# refused — both final-component AND intermediate-directory symlinks.
+# A fragment is a short shell script authored in place; consumers do
+# not need symlinks here. Without these checks the gate has two
+# bypass shapes:
+#
+#   (a) Final-component symlink:
+#       ln -s ../pre-push .husky/pre-push.d/00-evil; write 00-evil
+#       — caught by `[ -L "$FILE_PATH" ]`.
+#
+#   (b) Intermediate-directory symlink (helix Finding 2 / 0.15.0):
+#       mkdir .husky/pre-push.d; ln -s ../ .husky/pre-push.d/linkdir
+#       write .husky/pre-push.d/linkdir/pre-push
+#       — `[ -L $FILE_PATH ]` only inspects the FINAL component, so a
+#       not-yet-existing target whose parent contains a symlink resolves
+#       to outside the surface (here: `.husky/pre-push`), letting the
+#       attacker write through to the package-managed body.
+#
+# Resolve the realpath of the parent directory and require it to live
+# under the literal extension surface. Use a portable `cd ... && pwd -P`
+# subshell pattern (no Python or readlink -f dependency required).
+# Closes the path-string→symlink bypass completely.
 case "$LOWER_NORM" in
   .husky/commit-msg.d/*|.husky/pre-push.d/*)
     if [ -L "$FILE_PATH" ]; then
@@ -178,6 +191,34 @@ case "$LOWER_NORM" in
       } >&2
       exit 2
     fi
+    # Resolve the parent directory's realpath. If any intermediate
+    # component is a symlink whose target leaves the surface, the
+    # resolved path no longer contains `/.husky/<surface>.d/` and we
+    # refuse. The parent dir must already exist for this check; if it
+    # doesn't, the write is creating the parent, in which case there
+    # is no intermediate symlink to follow yet.
+    parent_dir=$(dirname -- "$FILE_PATH")
+    if [ -d "$parent_dir" ]; then
+      resolved_parent=$(cd -P -- "$parent_dir" 2>/dev/null && pwd -P 2>/dev/null) || resolved_parent=""
+      if [ -n "$resolved_parent" ]; then
+        case "$resolved_parent" in
+          *"/.husky/commit-msg.d"*|*"/.husky/pre-push.d"*) : ;;
+          *)
+            {
+              printf 'SETTINGS PROTECTION: extension path resolves outside surface\n'
+              printf '\n'
+              printf '  Logical:  %s\n' "$SAFE_FILE_PATH"
+              printf '  Resolved: %s\n' "$resolved_parent"
+              printf '  Rule: an intermediate directory of the extension path is a\n'
+              printf '        symlink whose target leaves .husky/{commit-msg,pre-push}.d/.\n'
+              printf '        Refused to prevent symlinked-parent bypass of the\n'
+              printf '        package-managed body protection.\n'
+            } >&2
+            exit 2
+          ;;
+        esac
+      fi
+    fi
     # Documented extension surface — agents can write here freely.
     exit 0
     ;;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.13.3",
+  "version": "0.15.0",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",
@@ -96,9 +96,11 @@
     "lint:regex": "node scripts/lint-safe-regex.mjs",
     "format": "prettier --write .",
     "format:check": "prettier --check .",
-    "test": "vitest run",
+    "test": "pnpm run test:dogfood && pnpm run test:bash-syntax && vitest run",
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
+    "test:dogfood": "node tools/check-dogfood-drift.mjs",
+    "test:bash-syntax": "bash -c 'for f in hooks/*.sh hooks/_lib/*.sh; do bash -n \"$f\" || exit 1; done && echo \"[bash-syntax] OK — all hooks parse cleanly\"'",
     "type-check": "tsc --noEmit",
     "changeset": "changeset",
     "changeset:version": "changeset version",