@bookedsolid/rea 0.14.0 → 0.15.0

package/agents/codex-adversarial.md

@@ -36,7 +36,7 @@ You may read additional files in the repo if needed for context, but do so read-
 5. **Parse the Codex output** — extract structured findings.
 6. **Classify findings** by category: security, correctness, edge cases, test gaps, API design, performance.
 7. **Assign verdict**: `pass` (no material findings), `concerns` (findings worth addressing but not blocking), `blocking` (findings that must be fixed before merge).
-8. **Emit an audit entry** (optional in 0.11.0+) — the pre-push gate does not consult audit records to decide pass/fail, so you are no longer REQUIRED to emit a `codex.review` record on every interactive review. However, append one anyway via the public `@bookedsolid/rea/audit` helper when it helps forensic traceability (investigation of an intermittent verdict, review-history audit, etc.):
+8. **Emit an audit entry — REQUIRED** for every `/codex-review` invocation. The pre-push gate does not consult audit records to decide pass/fail (post-0.11.0 the gate is stateless), but the `/codex-review` slash command's Step 3 verifies an audit entry was appended for this run and surfaces "review never happened" to the user when one is missing. The two specs are a contract pair — audit emission is what tells the operator their interactive review actually completed. Append via the public `@bookedsolid/rea/audit` helper:
 
    ```ts
    import { appendAuditRecord, CODEX_REVIEW_TOOL_NAME, CODEX_REVIEW_SERVER_NAME, Tier, InvocationStatus } from '@bookedsolid/rea/audit';

package/commands/codex-review.md

@@ -7,6 +7,7 @@ allowed-tools:
   - Bash(git branch:*)
   - Bash(git rev-parse:*)
   - Read
+  - Agent
 ---
 
 # /codex-review — Adversarial Review via Codex
@@ -54,23 +55,17 @@ Invoke the `codex-adversarial` agent with:
 
 The agent wraps `/codex:adversarial-review` and returns structured findings.
 
-## Step 3 — Record to audit log
+## Step 3 — (Optional) verify audit entry
 
-Every Codex invocation produces an audit entry. The `codex-adversarial` agent writes it via the middleware chain automatically, but verify the entry was recorded:
+Audit emission is **optional** in 0.11.0+. The pre-push gate is stateless and does not consult audit records to decide pass/fail; the agent's structured findings ARE the review. The agent will append an audit entry when it helps forensic traceability (intermittent verdicts, review-history audits) but its absence is not a failure.
+
+If you want to confirm an entry was written for this run:
 
 ```bash
 tail -n 1 .rea/audit.jsonl
 ```
 
-The entry must include:
-
-- `tool: "codex-adversarial-review"`
-- `head_sha: <SHA>`
-- `target: <ref>`
-- `finding_count: <N>`
-- `verdict: pass | concerns | blocking`
-
-If the audit entry is missing, report it clearly — do not proceed as if the review happened.
+A `codex-adversarial-review` entry with `head_sha`, `target`, `finding_count`, and `verdict` fields is informative — but DO NOT treat its absence as a failure. The review happened if the agent returned text. (Pre-0.15.0 this step was a hard verification gate that contradicted the agent's "audit optional" contract — see Helix Finding 3, 2026-05-03.)
 
 ## Step 4 — Report
 

package/commands/freeze.md

@@ -3,6 +3,7 @@ description: Activate the REA kill switch — writes .rea/HALT with a reason, bl
 argument-hint: "<reason>"
 allowed-tools:
   - Bash(npx rea freeze:*)
+  - Read
 ---
 
 # /freeze — Activate the Kill Switch

package/commands/review.md

@@ -7,6 +7,7 @@ allowed-tools:
   - Bash(git branch:*)
   - Bash(git status:*)
   - Read
+  - Agent
 ---
 
 # /review — Code Review on Current Changes

package/dist/cli/doctor.js

@@ -203,7 +203,7 @@ function checkSettingsJson(baseDir) {
     const settingsPath = path.join(baseDir, '.claude', 'settings.json');
     if (!fs.existsSync(settingsPath)) {
         return {
-            label: 'settings.json matchers cover Bash + Write|Edit',
+            label: 'settings.json matchers cover Bash + Write|Edit|MultiEdit',
             status: 'fail',
             detail: `missing: ${settingsPath}`,
         };
@@ -216,23 +216,29 @@ function checkSettingsJson(baseDir) {
         const needs = [];
         if (!matchers.has('Bash'))
             needs.push('Bash');
-        if (!matchers.has('Write|Edit'))
-            needs.push('Write|Edit');
+        // 0.15.0: matcher was widened from `Write|Edit` to `Write|Edit|MultiEdit`
+        // in 0.14.0; doctor's check missed the rename. Accept either form so
+        // pre-0.14.0 installs that haven't run `rea upgrade` still report
+        // accurately, but the canonical produced by `defaultDesiredHooks()` is
+        // the wider matcher.
+        if (!matchers.has('Write|Edit|MultiEdit') && !matchers.has('Write|Edit')) {
+            needs.push('Write|Edit|MultiEdit');
+        }
         if (needs.length === 0) {
             return {
-                label: 'settings.json matchers cover Bash + Write|Edit',
+                label: 'settings.json matchers cover Bash + Write|Edit|MultiEdit',
                 status: 'pass',
             };
         }
         return {
-            label: 'settings.json matchers cover Bash + Write|Edit',
+            label: 'settings.json matchers cover Bash + Write|Edit|MultiEdit',
             status: 'fail',
             detail: `missing PreToolUse matchers: ${needs.join(', ')}`,
         };
     }
     catch (e) {
         return {
-            label: 'settings.json matchers cover Bash + Write|Edit',
+            label: 'settings.json matchers cover Bash + Write|Edit|MultiEdit',
             status: 'fail',
             detail: e instanceof Error ? e.message : String(e),
         };

package/dist/cli/install/settings-merge.js

@@ -259,6 +259,7 @@ export function defaultDesiredHooks() {
             hooks: [
                 { type: 'command', command: `${base}/dangerous-bash-interceptor.sh`, timeout: 10000, statusMessage: 'Checking command safety...' },
                 { type: 'command', command: `${base}/env-file-protection.sh`, timeout: 5000, statusMessage: 'Checking for .env file reads...' },
+                { type: 'command', command: `${base}/protected-paths-bash-gate.sh`, timeout: 5000, statusMessage: 'Checking for shell-redirect to protected paths...' },
                 { type: 'command', command: `${base}/dependency-audit-gate.sh`, timeout: 15000, statusMessage: 'Verifying package exists...' },
                 { type: 'command', command: `${base}/security-disclosure-gate.sh`, timeout: 5000, statusMessage: 'Checking disclosure policy...' },
                 { type: 'command', command: `${base}/pr-issue-link-gate.sh`, timeout: 5000, statusMessage: 'Checking PR for issue reference...' },
@@ -267,7 +268,7 @@ export function defaultDesiredHooks() {
         },
         {
             event: 'PreToolUse',
-            matcher: 'Write|Edit',
+            matcher: 'Write|Edit|MultiEdit',
             hooks: [
                 { type: 'command', command: `${base}/secret-scanner.sh`, timeout: 15000, statusMessage: 'Scanning for credentials...' },
                 { type: 'command', command: `${base}/settings-protection.sh`, timeout: 5000, statusMessage: 'Checking settings protection...' },
@@ -277,7 +278,7 @@ export function defaultDesiredHooks() {
         },
         {
             event: 'PostToolUse',
-            matcher: 'Write|Edit',
+            matcher: 'Write|Edit|MultiEdit',
             hooks: [
                 { type: 'command', command: `${base}/architecture-review-gate.sh`, timeout: 10000, statusMessage: 'Checking architecture impact...' },
             ],

package/hooks/_lib/cmd-segments.sh

@@ -0,0 +1,155 @@
+# shellcheck shell=bash
+# hooks/_lib/cmd-segments.sh — shell-segment splitting for Bash-tier hooks.
+#
+# Background: hooks that gate `Bash` tool calls grep `.tool_input.command`
+# for danger words (`rm -rf`, `git restore`, `pnpm install`, etc.). Pre-
+# 0.15.0 every hook ran a single `grep -qE PATTERN "$cmd"` against the
+# whole command string. That false-positives on heredoc bodies and
+# commit messages where the trigger word appears inside content rather
+# than as a command:
+#
+#   git commit -m "$(cat <<'EOF'
+#   docs: explain why we don't run rm -rf node_modules in CI
+#   EOF
+#   )"
+#
+# The unanchored regex matches `rm -rf` inside the heredoc body and the
+# hook blocks a perfectly safe commit. Hit during the 2026-05-03 session
+# repeatedly — the pattern that motivated dependency-audit-gate's 0.15.0
+# segment-split fix.
+#
+# This helper exposes two primitives every Bash-tier hook should use:
+#
+#   for_each_segment "$CMD" CALLBACK
+#     Splits $CMD on shell command separators (`;`, `&&`, `||`, `|`,
+#     newlines) and invokes CALLBACK with each segment as $1, plus the
+#     leading-prefix-stripped form as $2 (with `sudo`/`exec`/`time`/
+#     `then`/`do`/env-var-assignment prefixes removed). Returns 0 if
+#     CALLBACK returned 0 for every segment, or the first non-zero
+#     CALLBACK exit otherwise.
+#
+#   any_segment_matches "$CMD" PATTERN
+#     Iterates segments and returns 0 if any segment's prefix-stripped
+#     form matches PATTERN (a `grep -qiE` extended regex). Returns 1
+#     if no segment matches.
+#
+# Quoting awareness: the splitter is NOT quote-aware. A separator inside
+# a quoted string would be split. This is INTENTIONAL and SAFE: the
+# segments-vs-callback contract is "find segments that anchor on a
+# trigger word." Over-splitting produces extra segments that don't
+# anchor; they're ignored. Under-splitting (treating a quoted separator
+# as part of one segment) is what the original bug was. The trade-off
+# explicitly accepts over-splitting.
+#
+# Quoting note for future maintainers: do not "fix" the over-splitting
+# without breaking the security property. Quote-aware splitting in pure
+# bash is a real lift; if needed it should move to a Node helper.
+
+# Split $1 on shell command separators. Emits one segment per line on
+# stdout (empty segments preserved). Used by both higher-level helpers
+# below; not generally called by hooks directly.
+_rea_split_segments() {
+  local cmd="$1"
+  # GNU sed and BSD sed both honor `s/PATTERN/\n/g` with `-E` for ERE.
+  # We use printf+sed instead of bash IFS=$'...' read so the splitter
+  # behaves identically across BSD and GNU sed.
+  printf '%s\n' "$cmd" | sed -E 's/(\|\||&&|;|\|)/\n/g'
+}
+
+# Strip leading whitespace and well-known command prefixes from a single
+# segment. Returns the prefix-stripped form on stdout. Examples:
+#   "  sudo pnpm install foo"        → "pnpm install foo"
+#   "NODE_ENV=production pnpm add x" → "pnpm add x"
+#   "then pnpm add lodash"           → "pnpm add lodash"
+_rea_strip_prefix() {
+  local seg="$1"
+  # Trim leading whitespace.
+  seg="${seg#"${seg%%[![:space:]]*}"}"
+  # Strip ONE prefix at a time, looping. This handles compounds like
+  # `sudo NODE_ENV=production pnpm add foo`.
+  while :; do
+    case "$seg" in
+      sudo[[:space:]]*|exec[[:space:]]*|time[[:space:]]*|then[[:space:]]*|do[[:space:]]*|else[[:space:]]*)
+        # Drop the prefix word and any subsequent whitespace.
+        seg="${seg#* }"
+        seg="${seg#"${seg%%[![:space:]]*}"}"
+        ;;
+      *)
+        # Env-var assignment prefix (`KEY=value `) — only strip if the
+        # token before the first space looks like NAME=value.
+        if [[ "$seg" =~ ^[A-Za-z_][A-Za-z0-9_]*=[^[:space:]]+[[:space:]]+ ]]; then
+          seg="${seg#* }"
+          seg="${seg#"${seg%%[![:space:]]*}"}"
+        else
+          break
+        fi
+        ;;
+    esac
+  done
+  printf '%s' "$seg"
+}
+
+# Iterate every segment of $1 and invoke $2 (a function name) with the
+# raw segment as $1 and the prefix-stripped form as $2. The callback's
+# return value is honored: a non-zero return aborts the iteration and
+# becomes the helper's return value.
+for_each_segment() {
+  local cmd="$1"
+  local callback="$2"
+  local segment stripped rc
+  while IFS= read -r segment; do
+    stripped=$(_rea_strip_prefix "$segment")
+    "$callback" "$segment" "$stripped"
+    rc=$?
+    if [ "$rc" -ne 0 ]; then
+      return "$rc"
+    fi
+  done < <(_rea_split_segments "$cmd")
+  return 0
+}
+
+# Return 0 if any segment of $1 (after prefix-stripping) matches the
+# extended regex $2 ANYWHERE (not anchored). Case-insensitive. Returns 1
+# if no segment matches.
+#
+# Use this for patterns that may legitimately appear mid-segment, e.g.
+# `Co-Authored-By:` in a commit message body. For "is the segment a
+# call to <command>" use `any_segment_starts_with` instead — that
+# anchors on the start so `echo "rm -rf foo"` doesn't trip an
+# `rm -rf` detector.
+any_segment_matches() {
+  local cmd="$1"
+  local pattern="$2"
+  local segment stripped
+  while IFS= read -r segment; do
+    stripped=$(_rea_strip_prefix "$segment")
+    if printf '%s' "$stripped" | grep -qiE "$pattern"; then
+      return 0
+    fi
+  done < <(_rea_split_segments "$cmd")
+  return 1
+}
+
+# Return 0 if any segment of $1 (after prefix-stripping) STARTS WITH
+# the extended regex $2. Case-insensitive. Returns 1 if no segment
+# starts with the pattern.
+#
+# This is the right shape for "is this segment a call to <command>"
+# checks. `echo "rm -rf foo"` does NOT trigger an `rm -rf` detector
+# because the segment starts with `echo`, not `rm`. Compare to
+# `any_segment_matches`, which matches anywhere in the segment and
+# would fire on the echo'd argument.
+any_segment_starts_with() {
+  local cmd="$1"
+  local pattern="$2"
+  local segment stripped
+  while IFS= read -r segment; do
+    stripped=$(_rea_strip_prefix "$segment")
+    # `^` anchor + caller pattern. `(?:)` non-capturing group not
+    # supported in BSD ERE; we use a simple literal `^` prepend.
+    if printf '%s' "$stripped" | grep -qiE "^${pattern}"; then
+      return 0
+    fi
+  done < <(_rea_split_segments "$cmd")
+  return 1
+}

package/hooks/_lib/protected-paths.sh

@@ -0,0 +1,39 @@
+# shellcheck shell=bash
+# hooks/_lib/protected-paths.sh — single source of truth for the
+# hard-protected path list shared between the Write/Edit tier
+# (`settings-protection.sh`) and the Bash tier (`protected-paths-bash-gate.sh`).
+#
+# Pre-0.15.0 this list was duplicated inline in settings-protection.sh;
+# the bash-redirect bypass (`> .rea/HALT`, `tee .rea/policy.yaml`,
+# `cp X .claude/settings.json`, `sed -i .husky/pre-push`) was caught
+# by the principal-engineer audit. The fix: factor the list out so
+# both hooks read the same data, and protect against shell redirects
+# in addition to Write/Edit/MultiEdit tools.
+
+# The path list is bash glob patterns matched against project-root-
+# relative paths. Suffix `/` indicates a prefix match; no suffix means
+# exact match. Mirrors the array in settings-protection.sh §6.
+REA_PROTECTED_PATTERNS=(
+  '.claude/settings.json'
+  '.claude/settings.local.json'
+  '.husky/'
+  '.rea/policy.yaml'
+  '.rea/HALT'
+)
+
+# Test whether a project-relative path matches any protected pattern.
+# Usage: if rea_path_is_protected ".rea/HALT"; then echo "blocked"; fi
+# Returns 0 on match, 1 on no match.
+rea_path_is_protected() {
+  local p="$1"
+  local pattern
+  for pattern in "${REA_PROTECTED_PATTERNS[@]}"; do
+    if [[ "$p" == "$pattern" ]]; then
+      return 0
+    fi
+    if [[ "$pattern" == */ ]] && [[ "$p" == "$pattern"* ]]; then
+      return 0
+    fi
+  done
+  return 1
+}

package/hooks/attribution-advisory.sh

@@ -50,14 +50,23 @@ if [[ -z "$CMD" ]]; then
   exit 0
 fi
 
+# 0.15.0: source the shared shell-segment splitter. Pre-fix, the
+# attribution patterns greped the FULL command — `git commit -m "Note:
+# Co-Authored-By with AI was removed in 0.14"` matched and the commit
+# was blocked even though the message was COMMENTING on attribution
+# rather than including it. Per-segment anchoring scopes detection to
+# segments whose first token is `git commit` / `gh pr create|edit`.
+# shellcheck source=_lib/cmd-segments.sh
+source "$(dirname "$0")/_lib/cmd-segments.sh"
+
 # ── 6. Check if this is a relevant command ────────────────────────────────────
 IS_RELEVANT=0
 
-if printf '%s' "$CMD" | grep -qiE 'gh[[:space:]]+pr[[:space:]]+(create|edit)'; then
+if any_segment_matches "$CMD" 'gh[[:space:]]+pr[[:space:]]+(create|edit)'; then
   IS_RELEVANT=1
 fi
 
-if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+commit'; then
+if any_segment_matches "$CMD" 'git[[:space:]]+commit'; then
   IS_RELEVANT=1
 fi
 
@@ -70,27 +79,27 @@ fi
 FOUND=0
 
 # Co-Authored-By with noreply@ email
-if printf '%s' "$CMD" | grep -qiE 'Co-Authored-By:.*noreply@'; then
+if any_segment_matches "$CMD" 'Co-Authored-By:.*noreply@'; then
   FOUND=1
 fi
 
 # Co-Authored-By with known AI names
-if printf '%s' "$CMD" | grep -qiE 'Co-Authored-By:.*\b(Claude|Sonnet|Opus|Haiku|Copilot|GPT|ChatGPT|Gemini|Cursor|Codeium|Tabnine|Amazon Q|CodeWhisperer|Devin|Windsurf|Cline|Aider|Anthropic|OpenAI|GitHub Copilot)\b'; then
+if any_segment_matches "$CMD" 'Co-Authored-By:.*\b(Claude|Sonnet|Opus|Haiku|Copilot|GPT|ChatGPT|Gemini|Cursor|Codeium|Tabnine|Amazon Q|CodeWhisperer|Devin|Windsurf|Cline|Aider|Anthropic|OpenAI|GitHub Copilot)\b'; then
   FOUND=1
 fi
 
 # "Generated/Built/Powered with/by [AI Tool]" lines
-if printf '%s' "$CMD" | grep -qiE '(Generated|Created|Built|Powered|Authored|Written|Produced)[[:space:]]+(with|by)[[:space:]]+(Claude|Copilot|GPT|ChatGPT|Gemini|Cursor|Codeium|Tabnine|CodeWhisperer|Devin|Windsurf|Cline|Aider|AI|an? AI)\b'; then
+if any_segment_matches "$CMD" '(Generated|Created|Built|Powered|Authored|Written|Produced)[[:space:]]+(with|by)[[:space:]]+(Claude|Copilot|GPT|ChatGPT|Gemini|Cursor|Codeium|Tabnine|CodeWhisperer|Devin|Windsurf|Cline|Aider|AI|an? AI)\b'; then
   FOUND=1
 fi
 
 # Markdown-linked attribution
-if printf '%s' "$CMD" | grep -qiE '\[Claude Code\]|\[GitHub Copilot\]|\[ChatGPT\]|\[Gemini\]|\[Cursor\]'; then
+if any_segment_matches "$CMD" '\[Claude Code\]|\[GitHub Copilot\]|\[ChatGPT\]|\[Gemini\]|\[Cursor\]'; then
   FOUND=1
 fi
 
 # Emoji attribution
-if printf '%s' "$CMD" | grep -qE '🤖.*[Gg]enerated'; then
+if any_segment_matches "$CMD" '🤖.*[Gg]enerated'; then
   FOUND=1
 fi
 

package/hooks/blocked-paths-enforcer.sh

@@ -106,7 +106,15 @@ normalize_path() {
   if [[ "$p" == "$root"/* ]]; then
     p="${p#$root/}"
   fi
-  p=$(printf '%s' "$p" | sed 's/%2[Ff]/\//g; s/%2[Ee]/./g; s/%20/ /g')
+  # 0.15.0 fix: include `\` (and `%5C` percent-encoded form) in the
+  # normalization. Without this, a path like
+  # `.github\workflows\release.yml` under Windows / Git Bash reaches
+  # that file but compares as a different string than
+  # `.github/workflows/release.yml`, missing the literal blocked-paths
+  # match. Mirrors settings-protection.sh §4 which has had backslash
+  # normalization since 0.10.x.
+  p=$(printf '%s' "$p" | sed 's/%2[Ff]/\//g; s/%2[Ee]/./g; s/%20/ /g; s/%5[Cc]/\\/g')
+  p=$(printf '%s' "$p" | tr '\\\\' '/')
   p="${p#./}"
   printf '%s' "$p"
 }

package/hooks/changeset-security-gate.sh

@@ -23,8 +23,12 @@ check_halt
 INPUT="$(cat)"
 TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name // ""')
 
-# Only handle Write and Edit
-if [[ "$TOOL_NAME" != "Write" && "$TOOL_NAME" != "Edit" ]]; then
+# 0.15.0 fix: MultiEdit was not in the allowed tool_name set, so the gate
+# silently exited 0 on every MultiEdit call against `.changeset/*.md` —
+# letting GHSA / CVE pre-disclosure through and skipping frontmatter
+# validation. Same bypass shape as the secret-scanner MultiEdit issue
+# fixed in 0.14.0; this is the second hook in the same family.
+if [[ "$TOOL_NAME" != "Write" && "$TOOL_NAME" != "Edit" && "$TOOL_NAME" != "MultiEdit" ]]; then
   exit 0
 fi
 
@@ -37,12 +41,22 @@ fi
 
 require_jq
 
-# Extract the content being written
+# Extract the content being written. MultiEdit content lives at
+# `tool_input.edits[].new_string` (an array, not a scalar) — see the
+# corresponding extraction in hooks/secret-scanner.sh. We use the same
+# defensive coercion (`tostring` + `if type=="array" then . else [] end`)
+# so a malformed payload fails closed: either yields the empty string
+# (no scan needed, exit 0) or yields a pattern-scannable string.
 if [[ "$TOOL_NAME" == "Write" ]]; then
   CONTENT=$(echo "$INPUT" | jq -r '.tool_input.content // ""')
-else
-  # For Edit: check the new_string being inserted
+elif [[ "$TOOL_NAME" == "Edit" ]]; then
   CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // ""')
+else
+  CONTENT=$(echo "$INPUT" | jq -r '
+    (.tool_input.edits // [] | if type=="array" then . else [] end)
+    | map((.new_string // "") | tostring)
+    | join("\n")
+  ')
 fi
 
 # ─── 1. SECURITY DISCLOSURE CHECK ───────────────────────────────────────────
@@ -90,6 +104,19 @@ fi
 #
 # A changeset without valid frontmatter is silently ignored by the changesets
 # tool — the package bump and CHANGELOG entry never appear in the release.
+#
+# 0.15.0 fix: skip frontmatter validation for MultiEdit. MultiEdit's
+# `tool_input.edits[].new_string` payload is a list of partial string
+# replacements, not the full file body — running the frontmatter
+# validator against the concatenation of new_strings would reject every
+# legitimate MultiEdit on an existing changeset (none of the edit
+# fragments individually contains a frontmatter block, even though the
+# resulting file does). The disclosure scan above still runs on
+# MultiEdit content because GHSA/CVE patterns match per-fragment without
+# any structural assumption.
+if [[ "$TOOL_NAME" == "MultiEdit" ]]; then
+  exit 0
+fi
 
 # Must start with ---
 if ! echo "$CONTENT" | head -1 | grep -qE '^---'; then
@@ -107,9 +134,20 @@ Brief description of what changed and why (close #N if applicable).
 Bump types: patch (bug fix/security), minor (new feature), major (breaking change)"
 fi
 
-# Must have at least one package bump entry and a closing ---
+# Must have at least one package bump entry and a closing ---.
+# 0.15.0 fix: accept single-quoted, double-quoted, AND unquoted package
+# names (all three are valid YAML for the same string). Pre-fix the
+# regex required single quotes, so a tool or human authoring the
+# changeset with `"@scope/name": patch` was rejected as malformed even
+# though the Changesets tool itself accepts every form.
+#
+# Codex round-1 P2-1 fix: explicit-alternation form (no backref) so
+# the unquoted variant matches on BSD grep too. The earlier
+# `^([\"']?)[^\"']+\1: ...` shape relied on backref-with-empty-capture
+# semantics that BSD's grep rejects when the capture group's `?` made
+# it absent — quoted forms matched on macOS but unquoted did not.
 FRONTMATTER=$(echo "$CONTENT" | awk '/^---/{count++; if(count==2){exit} next} count==1{print}')
-if ! echo "$FRONTMATTER" | grep -qE "^'.+': (patch|minor|major)"; then
+if ! echo "$FRONTMATTER" | grep -qE "^(\"[^\"]+\"|'[^']+'|[^\"'[:space:]]+): (patch|minor|major)"; then
   json_output "block" \
     "CHANGESET FORMAT GATE: Frontmatter does not contain a valid package bump entry.
 

package/hooks/dangerous-bash-interceptor.sh

@@ -15,6 +15,15 @@
 
 set -uo pipefail
 
+# Source shared shell-segment splitter (0.15.0). Provides
+# `any_segment_matches "$CMD" PATTERN` which iterates segments split on
+# &&/||/;/| and runs the pattern with `grep -qiE` against each
+# prefix-stripped segment. Replaces full-command grep that
+# false-positives on heredoc bodies and commit messages mentioning
+# trigger words.
+# shellcheck source=_lib/cmd-segments.sh
+source "$(dirname "$0")/_lib/cmd-segments.sh"
+
 # ── 1. Read ALL stdin immediately before doing anything else ──────────────────
 INPUT=$(cat)
 
@@ -84,26 +93,21 @@ add_medium() {
 }
 
 # ── 7. Per-segment evaluation helper ──────────────────────────────────────────
-# Split on &&, ||, ;, and newlines and test a pattern against each segment.
-# Returns 0 if ANY segment matches the pattern.
-any_segment_matches() {
-  local PATTERN="$1"
-  while IFS= read -r SEG; do
-    if printf '%s' "$SEG" | grep -qiE "$PATTERN"; then
-      return 0
-    fi
-  done < <(printf '%s' "$CMD" | sed 's/&&/\n/g; s/||/\n/g; s/;/\n/g')
-  return 1
-}
+# (Migrated to `_lib/cmd-segments.sh::any_segment_matches` as of 0.15.0.
+# The previous inline helper was defined here but never called — H3-H17
+# all greped the WHOLE command, which false-positived on heredoc bodies
+# and commit messages mentioning trigger words. Migration: every check
+# now uses `any_segment_matches "$CMD" PATTERN` with the helper sourced
+# at the top of this file.)
 
 # ── 8. Smart exclusion flags ──────────────────────────────────────────────────
 CMD_IS_REBASE_SAFE=0
-if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+(rebase)[[:space:]].*(--abort|--continue)'; then
+if any_segment_starts_with "$CMD" 'git[[:space:]]+(rebase)[[:space:]].*(--abort|--continue)'; then
   CMD_IS_REBASE_SAFE=1
 fi
 
 CMD_IS_CLEAN_DRY=0
-if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+clean.*([ \t]-n|--dry-run)'; then
+if any_segment_starts_with "$CMD" 'git[[:space:]]+clean.*([ \t]-n|--dry-run)'; then
   CMD_IS_CLEAN_DRY=1
 fi
 
@@ -111,26 +115,41 @@ fi
 
 # H1: git push --force or -f (per-segment — prevents --force-with-lease poisoning)
 # A segment containing --force-with-lease is excluded; other segments are not.
-while IFS= read -r SEGMENT; do
-  SEGMENT=$(printf '%s' "$SEGMENT" | sed 's/^[[:space:]]*//')
-  [[ -z "$SEGMENT" ]] && continue
-  # Skip segments that use the safe --force-with-lease
-  if printf '%s' "$SEGMENT" | grep -qiE 'git[[:space:]]+push.*--force-with-lease'; then
-    continue
+# 0.15.0: also catches `git push origin +<branch>` (refspec-prefix force-push
+# shorthand) which the previous version missed.
+_h1_check() {
+  local _raw="$1" SEGMENT="$2"
+  [[ -z "$SEGMENT" ]] && return 0
+  # 0.15.0 codex P1 fix: anchor on `^git push`. Pre-fix the unanchored
+  # match meant `echo "git push --force is bad"` triggered H1 even
+  # though no actual push was happening (the segment after prefix-strip
+  # was `echo "..."`, not `git push`). Anchoring scopes detection to
+  # segments whose first token IS git push.
+  printf '%s' "$SEGMENT" | grep -qiE '^git[[:space:]]+push([[:space:]]|$)' || return 0
+  # Skip segments that use the safe --force-with-lease.
+  if printf '%s' "$SEGMENT" | grep -qiE -- '--force-with-lease'; then
+    return 0
   fi
-  if printf '%s' "$SEGMENT" | grep -qiE 'git[[:space:]]+push.*(--force|-f[[:space:]])' || \
-     printf '%s' "$SEGMENT" | grep -qiE 'git[[:space:]]+push.*(--force|-f)$'; then
+  # 0.15.0 codex P1 fix: combined-flag forms (`-fu`, `-uf`, `-Fu`) and
+  # long-form `--force=value` were not caught by the previous
+  # `-f[[:space:]]` shape. The flag-cluster pattern `-[a-zA-Z]*f[a-zA-Z]*`
+  # (followed by space or EOS) mirrors how H11 handles rm flag clusters.
+  # The refspec-prefix `+` on a branch name is git's force-push shorthand.
+  if printf '%s' "$SEGMENT" | grep -qiE -- '--force([[:space:]]|=|$)' || \
+     printf '%s' "$SEGMENT" | grep -qiE -- '(^|[[:space:]])-[a-zA-Z]*f[a-zA-Z]*([[:space:]]|$)' || \
+     printf '%s' "$SEGMENT" | grep -qE -- '[[:space:]]\+[A-Za-z0-9_./-]'; then
     add_high \
       "git push --force — force push detected" \
       "Force-pushing rewrites public history and breaks collaborators' local copies." \
       "Alt: Use 'git push --force-with-lease' — blocks if upstream has new commits you haven't pulled."
-    break
   fi
-done < <(printf '%s' "$CMD" | sed 's/&&/\n/g; s/||/\n/g; s/;/\n/g')
+  return 0
+}
+for_each_segment "$CMD" _h1_check
 
 # H2: git rebase — advisory (MEDIUM)
 if [[ $CMD_IS_REBASE_SAFE -eq 0 ]]; then
-  if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+rebase([[:space:]]|$)'; then
+  if any_segment_starts_with "$CMD" 'git[[:space:]]+rebase([[:space:]]|$)'; then
     add_medium \
       "git rebase — rewrites commit history (advisory)" \
       "Rebase changes commit SHAs. Safe on local feature branches; dangerous on shared/published branches." \
@@ -140,7 +159,7 @@ if [[ $CMD_IS_REBASE_SAFE -eq 0 ]]; then
 fi
 
 # H3: git checkout -- .
-if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+checkout[[:space:]]+--[[:space:]]+\.'; then
+if any_segment_starts_with "$CMD" 'git[[:space:]]+checkout[[:space:]]+--[[:space:]]+\.'; then
   add_high \
     "git checkout -- . — discards all uncommitted changes" \
     "Overwrites working tree changes with HEAD. Uncommitted work is lost permanently." \
@@ -148,8 +167,8 @@ if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+checkout[[:space:]]+--[[:space
 fi
 
 # H4: git restore . (any form — with or without --staged flag)
-if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+restore[[:space:]].*[[:space:]]\.([[:space:]]|$)' || \
-   printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+restore[[:space:]]+\.[[:space:]]*$'; then
+if any_segment_starts_with "$CMD" 'git[[:space:]]+restore[[:space:]].*[[:space:]]\.([[:space:]]|$)' || \
+   any_segment_starts_with "$CMD" 'git[[:space:]]+restore[[:space:]]+\.[[:space:]]*$'; then
   add_high \
     "git restore . — discards all uncommitted changes" \
     "Restores every tracked file to HEAD, permanently discarding all working tree modifications." \
@@ -158,7 +177,7 @@ fi
 
 # H5: git clean -f
 if [[ $CMD_IS_CLEAN_DRY -eq 0 ]]; then
-  if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+clean[[:space:]]+-[a-zA-Z]*f'; then
+  if any_segment_starts_with "$CMD" 'git[[:space:]]+clean[[:space:]]+-[a-zA-Z]*f'; then
     add_high \
       "git clean -f — removes untracked files" \
       "Permanently deletes untracked files from the working tree. Cannot be undone via git." \
@@ -167,7 +186,7 @@ if [[ $CMD_IS_CLEAN_DRY -eq 0 ]]; then
 fi
 
 # H6: DROP TABLE or DROP DATABASE in psql
-if printf '%s' "$CMD" | grep -qiE '(psql|pgcli)[^|&;]*DROP[[:space:]]+(TABLE|DATABASE|SCHEMA)'; then
+if any_segment_matches "$CMD" '(psql|pgcli)[^|&;]*DROP[[:space:]]+(TABLE|DATABASE|SCHEMA)'; then
   add_high \
     "DROP TABLE/DATABASE via psql — destructive DDL" \
     "Running destructive DDL directly in psql bypasses migration pipeline safety checks." \
@@ -175,7 +194,7 @@ if printf '%s' "$CMD" | grep -qiE '(psql|pgcli)[^|&;]*DROP[[:space:]]+(TABLE|DAT
 fi
 
 # H7: kill -9 with pgrep subshell
-if printf '%s' "$CMD" | grep -qiE 'kill[[:space:]]+-9[[:space:]]+(\$\(|`)'; then
+if any_segment_starts_with "$CMD" 'kill[[:space:]]+-9[[:space:]]+(\$\(|`)'; then
   add_high \
     "kill -9 with pgrep subshell — aggressive process termination" \
     "Sends SIGKILL to processes matched by name, which may kill unintended processes." \
@@ -183,7 +202,7 @@ if printf '%s' "$CMD" | grep -qiE 'kill[[:space:]]+-9[[:space:]]+(\$\(|`)'; then
 fi
 
 # H8: killall -9
-if printf '%s' "$CMD" | grep -qiE 'killall[[:space:]]+-9[[:space:]]+\S'; then
+if any_segment_starts_with "$CMD" 'killall[[:space:]]+-9[[:space:]]+\S'; then
   add_high \
     "killall -9 — SIGKILL all matching processes" \
     "Immediately terminates all processes with the given name without cleanup." \
@@ -191,7 +210,7 @@ if printf '%s' "$CMD" | grep -qiE 'killall[[:space:]]+-9[[:space:]]+\S'; then
 fi
 
 # H9: git commit --no-verify
-if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+commit.*--no-verify'; then
+if any_segment_starts_with "$CMD" 'git[[:space:]]+commit.*--no-verify'; then
   add_high \
     "git commit --no-verify — skipping pre-commit hooks" \
     "Bypasses all pre-commit safety gates including secret scanning and linting." \
@@ -199,7 +218,7 @@ if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+commit.*--no-verify'; then
 fi
 
 # H10: HUSKY=0 bypass — suppresses all git hooks without --no-verify
-if printf '%s' "$CMD" | grep -qiE '(^|[[:space:];]|&&|\|\|)HUSKY=0[[:space:]]+git[[:space:]]+(commit|push|tag)'; then
+if any_segment_matches "$CMD" '(^|[[:space:];]|&&|\|\|)HUSKY=0[[:space:]]+git[[:space:]]+(commit|push|tag)'; then
   add_high \
     "HUSKY=0 — bypasses all husky git hooks" \
     "Setting HUSKY=0 disables pre-commit, commit-msg, and pre-push safety gates without --no-verify." \
@@ -208,13 +227,18 @@ fi
 
 # H11: rm -rf with broad targets
 # Covers combined flags (rm -rf, rm -fr), split flags (rm -r -f), and long flags (rm --recursive --force)
-BROAD_TARGETS='(\/|~\/|\.\/\*|\*|\.|src|dist|build|node_modules)'
-if printf '%s' "$CMD" | grep -qiE "rm[[:space:]]+-[a-zA-Z]*r[a-zA-Z]*f[[:space:]]+${BROAD_TARGETS}" || \
-   printf '%s' "$CMD" | grep -qiE "rm[[:space:]]+-[a-zA-Z]*f[a-zA-Z]*r[[:space:]]+${BROAD_TARGETS}" || \
-   printf '%s' "$CMD" | grep -qiE "rm[[:space:]]+-[a-zA-Z]*r[[:space:]]+-[a-zA-Z]*f[[:space:]]+${BROAD_TARGETS}" || \
-   printf '%s' "$CMD" | grep -qiE "rm[[:space:]]+-[a-zA-Z]*f[[:space:]]+-[a-zA-Z]*r[[:space:]]+${BROAD_TARGETS}" || \
-   printf '%s' "$CMD" | grep -qiE "rm[[:space:]]+--recursive[[:space:]]+--force[[:space:]]+${BROAD_TARGETS}" || \
-   printf '%s' "$CMD" | grep -qiE "rm[[:space:]]+--force[[:space:]]+--recursive[[:space:]]+${BROAD_TARGETS}"; then
+# 0.15.0 fix: anchored each target on word boundary (whitespace-or-EOS).
+# The previous form had a bare `\.` which matched `rm -rf .git/foo`
+# (legitimate `.git/`-tree cleanup). Each token now requires either
+# end-of-string or whitespace after — so `.` alone matches `rm -rf .`
+# (the cwd, dangerous) but NOT `rm -rf .git/foo`.
+BROAD_TARGETS='(\/|~\/|\.\/\*|\*|\.|src|dist|build|node_modules)([[:space:]]|$)'
+if any_segment_starts_with "$CMD" "rm[[:space:]]+-[a-zA-Z]*r[a-zA-Z]*f[[:space:]]+${BROAD_TARGETS}" || \
+   any_segment_starts_with "$CMD" "rm[[:space:]]+-[a-zA-Z]*f[a-zA-Z]*r[[:space:]]+${BROAD_TARGETS}" || \
+   any_segment_starts_with "$CMD" "rm[[:space:]]+-[a-zA-Z]*r[[:space:]]+-[a-zA-Z]*f[[:space:]]+${BROAD_TARGETS}" || \
+   any_segment_starts_with "$CMD" "rm[[:space:]]+-[a-zA-Z]*f[[:space:]]+-[a-zA-Z]*r[[:space:]]+${BROAD_TARGETS}" || \
+   any_segment_starts_with "$CMD" "rm[[:space:]]+--recursive[[:space:]]+--force[[:space:]]+${BROAD_TARGETS}" || \
+   any_segment_starts_with "$CMD" "rm[[:space:]]+--force[[:space:]]+--recursive[[:space:]]+${BROAD_TARGETS}"; then
   add_high \
     "rm -rf with broad target — mass file deletion" \
     "Permanently deletes files and directories. Cannot be undone." \
@@ -222,7 +246,7 @@ if printf '%s' "$CMD" | grep -qiE "rm[[:space:]]+-[a-zA-Z]*r[a-zA-Z]*f[[:space:]
 fi
 
 # H12: curl/wget piped directly to shell (supply chain attack vector)
-if printf '%s' "$CMD" | grep -qiE '(curl|wget)[^|]*\|[[:space:]]*(bash|sh|zsh|fish)'; then
+if any_segment_matches "$CMD" '(curl|wget)[^|]*\|[[:space:]]*(bash|sh|zsh|fish)'; then
   add_high \
     "curl/wget piped to shell — remote code execution" \
     "Executing remote scripts without inspection is a major supply chain risk." \
@@ -230,7 +254,7 @@ if printf '%s' "$CMD" | grep -qiE '(curl|wget)[^|]*\|[[:space:]]*(bash|sh|zsh|fi
 fi
 
 # H13: git push --no-verify — bypasses pre-push hooks
-if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+push.*--no-verify'; then
+if any_segment_starts_with "$CMD" 'git[[:space:]]+push.*--no-verify'; then
   add_high \
     "git push --no-verify — skipping pre-push hooks" \
     "Bypasses all pre-push safety gates including CI checks." \
@@ -238,7 +262,7 @@ if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+push.*--no-verify'; then
 fi
 
 # H14: git -c core.hooksPath= — redirects or disables hook execution
-if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+-c[[:space:]]+core\.hookspath'; then
+if any_segment_starts_with "$CMD" 'git[[:space:]]+-c[[:space:]]+core\.hookspath'; then
   add_high \
     "git -c core.hooksPath — overriding hooks directory" \
     "Redirecting the hooks path can disable all safety hooks." \
@@ -246,7 +270,7 @@ if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+-c[[:space:]]+core\.hookspath'
 fi
 
 # H15: REA_BYPASS env var — attempted escape hatch
-if printf '%s' "$CMD" | grep -qiE '(^|[[:space:];]|&&|\|\|)REA_BYPASS[[:space:]]*='; then
+if any_segment_matches "$CMD" '(^|[[:space:];]|&&|\|\|)REA_BYPASS[[:space:]]*='; then
   add_high \
     "REA_BYPASS env var — unauthorized bypass attempt" \
     "Setting REA_BYPASS is not a supported escape mechanism and indicates a bypass attempt." \
@@ -254,7 +278,7 @@ if printf '%s' "$CMD" | grep -qiE '(^|[[:space:];]|&&|\|\|)REA_BYPASS[[:space:]]
 fi
 
 # H16: alias/function definitions containing bypass strings
-if printf '%s' "$CMD" | grep -qiE '(alias|function)[[:space:]]+[a-zA-Z_]+.*(--(no-verify|force)|HUSKY=0|core\.hookspath)'; then
+if any_segment_matches "$CMD" '(alias|function)[[:space:]]+[a-zA-Z_]+.*(--(no-verify|force)|HUSKY=0|core\.hookspath)'; then
   add_high \
     "Alias/function definition with bypass — circumventing safety gates" \
     "Defining aliases or functions that embed bypass flags defeats safety hooks." \
@@ -307,7 +331,7 @@ fi
 # ── 10. MEDIUM severity checks ────────────────────────────────────────────────
 
 # M1: npm install --force
-if printf '%s' "$CMD" | grep -qiE 'npm[[:space:]]+(install|i)[[:space:]].*--force'; then
+if any_segment_matches "$CMD" 'npm[[:space:]]+(install|i)[[:space:]].*--force'; then
   add_medium \
     "npm install --force — bypasses dependency resolution" \
     "--force skips conflict checks and can install incompatible package versions." \

package/hooks/dependency-audit-gate.sh

@@ -43,30 +43,60 @@ fi
 extract_packages() {
   local cmd="$1"
 
-  # npm install/add with packages (skip flags and local paths)
-  if printf '%s' "$cmd" | grep -qiE '(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install)|yarn[[:space:]]+add)[[:space:]]'; then
-    # Extract the part after the install command
-    local after_cmd
-    after_cmd=$(printf '%s' "$cmd" | sed -E 's/.*(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install)|yarn[[:space:]]+add)[[:space:]]+//')
-
-    # Split on spaces and filter
-    for token in $after_cmd; do
-      # Skip flags
-      if [[ "$token" == -* ]]; then continue; fi
-      # Skip local paths
-      if [[ "$token" == ./* || "$token" == /* || "$token" == ../* ]]; then continue; fi
-      # Skip empty
-      if [[ -z "$token" ]]; then continue; fi
-      # Strip version specifier for lookup
-      local pkg_name
-      pkg_name=$(printf '%s' "$token" | sed -E 's/@[^@/]+$//')
-      # Handle scoped packages (@scope/name)
-      if [[ -z "$pkg_name" ]]; then
-        pkg_name="$token"
-      fi
-      printf '%s\n' "$pkg_name"
-    done
-  fi
+  # 0.15.0 fix: the previous parser ran `grep` against the entire bash
+  # command string with no segment boundary anchor. A heredoc body or
+  # commit-message containing `pnpm install` (e.g. inside
+  # `git commit -m "$(cat <<EOF ... pnpm install ... EOF)"`) matched the
+  # grep, the `.*` in the sed stripped up to that occurrence, and the rest
+  # of the command (`chore:`, `&&`, `||`, etc.) was passed to
+  # `npm view <token> name` and reported as missing packages. The hook
+  # then refused to commit perfectly innocent code.
+  #
+  # Fix: split the command on shell command separators (`;`, `&&`, `||`,
+  # `|`, newlines) and only run the install-detection on segments whose
+  # FIRST non-whitespace token is one of the install commands. Heredoc
+  # bodies inside `$()` substitutions are NOT split into separate segments
+  # — the entire `$(cat <<EOF ... EOF)` is one token attached to the
+  # outer command — but they're never the FIRST token on a segment, so
+  # the anchor rejects them.
+
+  # Tokenize on shell separators. Each `IFS=` entry becomes a separate
+  # segment we can anchor against. We use bash's `mapfile` with a sed
+  # to inject newlines at separators; awk-based splitting handles the
+  # quoting heuristic well enough for the realistic cases (agent-issued
+  # commands rarely have separators inside single-quoted strings that
+  # would confuse this).
+  local segments
+  segments=$(printf '%s\n' "$cmd" | sed -E 's/(\|\||\&\&|;|\|)/\n/g')
+
+  while IFS= read -r segment; do
+    # Trim leading whitespace.
+    segment="${segment#"${segment%%[![:space:]]*}"}"
+    # Anchor to start: only match when the install command is the FIRST
+    # thing on the segment, optionally preceded by `sudo` / `exec` /
+    # `time` / etc.
+    if printf '%s' "$segment" | grep -qiE '^(sudo[[:space:]]+|exec[[:space:]]+|time[[:space:]]+)*(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]+'; then
+      # Strip the leading prefix wrappers + install command, leaving args.
+      local after_cmd
+      after_cmd=$(printf '%s' "$segment" | sed -E 's/^(sudo[[:space:]]+|exec[[:space:]]+|time[[:space:]]+)*(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]+//')
+
+      for token in $after_cmd; do
+        if [[ "$token" == -* ]]; then continue; fi
+        if [[ "$token" == ./* || "$token" == /* || "$token" == ../* ]]; then continue; fi
+        if [[ -z "$token" ]]; then continue; fi
+        # `npm view` can't validate `@workspace:*` / `link:` / `file:`
+        # prefixes (workspace protocols). Skip them — they're never npm
+        # registry packages.
+        if [[ "$token" == workspace:* || "$token" == link:* || "$token" == file:* || "$token" == git+* ]]; then continue; fi
+        local pkg_name
+        pkg_name=$(printf '%s' "$token" | sed -E 's/@[^@/]+$//')
+        if [[ -z "$pkg_name" ]]; then
+          pkg_name="$token"
+        fi
+        printf '%s\n' "$pkg_name"
+      done
+    fi
+  done <<< "$segments"
 }
 
 PACKAGES=$(extract_packages "$CMD")

package/hooks/env-file-protection.sh

@@ -17,6 +17,12 @@
 
 set -uo pipefail
 
+# Source shared shell-segment splitter (0.15.0). Replaces full-command
+# grep that false-positives on commit messages mentioning `.env` (e.g.
+# `git commit -m "stop reading .env via cat"`).
+# shellcheck source=_lib/cmd-segments.sh
+source "$(dirname "$0")/_lib/cmd-segments.sh"
+
 INPUT=$(cat)
 
 # ── Dependency check ──────────────────────────────────────────────────────────
@@ -70,17 +76,21 @@ PATTERN_ENV_FILE='(\.env[a-zA-Z0-9._-]*|\.envrc)([[:space:]]|"|'"'"'|$)'
 MATCHES_UTILITY=0
 MATCHES_ENV_FILE=0
 
-if printf '%s' "$CMD" | grep -qE "$PATTERN_UTILITY"; then
+# 0.15.0: per-segment match. Pre-fix this greped the FULL command which
+# false-positived on commit messages: `git commit -m "stop reading .env
+# files via cat"` matched both PATTERN_UTILITY (cat) and PATTERN_ENV_FILE
+# (.env) and the hook blocked a perfectly safe commit.
+if any_segment_matches "$CMD" "$PATTERN_UTILITY"; then
   MATCHES_UTILITY=1
 fi
 
-if printf '%s' "$CMD" | grep -qE "$PATTERN_ENV_FILE"; then
+if any_segment_matches "$CMD" "$PATTERN_ENV_FILE"; then
   MATCHES_ENV_FILE=1
 fi
 
 # Direct source/cp of .env files — always block
-if printf '%s' "$CMD" | grep -qE "$PATTERN_SOURCE" || \
-   printf '%s' "$CMD" | grep -qE "$PATTERN_CP_ENV"; then
+if any_segment_matches "$CMD" "$PATTERN_SOURCE" || \
+   any_segment_matches "$CMD" "$PATTERN_CP_ENV"; then
   TRUNCATED_CMD=$(truncate_cmd "$CMD")
   {
     printf 'ENV FILE PROTECTION: Direct sourcing or copying of .env files is blocked.\n'

package/hooks/protected-paths-bash-gate.sh

@@ -0,0 +1,213 @@
+#!/bin/bash
+# PreToolUse hook: protected-paths-bash-gate.sh
+# Fires BEFORE every Bash tool call.
+# Refuses Bash commands that write to PROTECTED_PATTERNS via shell
+# redirection or write-flag utilities — the kill-switch and policy
+# files MUST be unreachable via any tool surface, including Bash.
+#
+# Pre-0.15.0, settings-protection.sh §6 protected `.rea/HALT`,
+# `.rea/policy.yaml`, `.claude/settings.json`, `.husky/*` against
+# Write/Edit/MultiEdit tool calls. But shell redirects bypassed it
+# entirely:
+#
+#   printf '...' > .rea/HALT          # bypass — Bash matcher only
+#   tee .rea/policy.yaml < new.yaml   # bypass
+#   cp new-settings.json .claude/settings.json
+#   sed -i '' '/foo/d' .husky/pre-push
+#   dd of=.rea/HALT
+#
+# This hook closes that gap by detecting redirect/write patterns
+# whose target matches the same `_lib/protected-paths.sh` allowlist.
+#
+# Exit codes:
+#   0 = no protected-path write detected — allow
+#   2 = protected-path write via Bash detected — block
+
+set -uo pipefail
+
+# shellcheck source=_lib/protected-paths.sh
+source "$(dirname "$0")/_lib/protected-paths.sh"
+# shellcheck source=_lib/cmd-segments.sh
+source "$(dirname "$0")/_lib/cmd-segments.sh"
+
+INPUT=$(cat)
+
+if ! command -v jq >/dev/null 2>&1; then
+  printf 'REA ERROR: jq is required but not installed.\n' >&2
+  exit 2
+fi
+
+REA_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+
+# HALT check — uniform with other hooks.
+HALT_FILE="${REA_ROOT}/.rea/HALT"
+if [ -f "$HALT_FILE" ]; then
+  printf 'REA HALT: %s\nAll agent operations suspended. Run: rea unfreeze\n' \
+    "$(head -c 1024 "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
+  exit 2
+fi
+
+CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+if [[ -z "$CMD" ]]; then
+  exit 0
+fi
+
+# Normalize a path token: strip enclosing quotes, strip leading
+# `$REA_ROOT/`, strip leading `./`. The result is project-relative
+# for matching against REA_PROTECTED_PATTERNS.
+_normalize_target() {
+  local t="$1"
+  # Strip matching surrounding quotes.
+  if [[ "$t" =~ ^\"(.*)\"$ ]]; then t="${BASH_REMATCH[1]}"; fi
+  if [[ "$t" =~ ^\'(.*)\'$ ]]; then t="${BASH_REMATCH[1]}"; fi
+  # Strip $REA_ROOT prefix (with or without trailing slash).
+  if [[ "$t" == "$REA_ROOT"/* ]]; then t="${t#"$REA_ROOT"/}"; fi
+  # Strip leading ./
+  while [[ "$t" == ./* ]]; do t="${t#./}"; done
+  printf '%s' "$t"
+}
+
+# Refuse and exit 2 with a uniform error message.
+_refuse() {
+  local pattern="$1" target="$2" segment="$3"
+  {
+    printf 'PROTECTED PATH (bash): write to a package-managed file blocked\n'
+    printf '\n'
+    printf '  Pattern matched: %s\n' "$pattern"
+    printf '  Resolved target: %s\n' "$target"
+    printf '  Segment:         %s\n' "$segment"
+    printf '\n'
+    printf '  Rule: protected paths (kill-switch, policy.yaml, settings.json,\n'
+    printf '        .husky/*) are unreachable via Bash redirects too — not just\n'
+    printf '        Write/Edit/MultiEdit. To modify, a human must edit directly.\n'
+  } >&2
+  exit 2
+}
+
+# Inspect one segment for redirect / write patterns and refuse if the
+# target matches any protected pattern.
+_check_segment() {
+  local _raw="$1" segment="$2"
+  [[ -z "$segment" ]] && return 0
+
+  local target_token=""
+  local detected_form=""
+
+  # bash `[[ =~ ]]` regex literals with `|` and `(...)` parsed inline
+  # confuse some bash versions on macOS. Use named variables for each
+  # pattern so the literal stays in a string context only.
+  local re_redirect='(^|[[:space:]])(&>|2>>|2>|>>|>)[[:space:]]*([^[:space:]&|;<>]+)'
+  local re_cpmv='(^|[[:space:]])(cp|mv)[[:space:]]+[^&|;<>]+[[:space:]]([^[:space:]&|;<>]+)[[:space:]]*$'
+  local re_sed='(^|[[:space:]])sed[[:space:]]+(-[a-zA-Z]*i[a-zA-Z]*[^[:space:]]*)[[:space:]]+[^&|;<>]+[[:space:]]([^[:space:]&|;<>]+)[[:space:]]*$'
+  local re_dd='(^|[[:space:]])dd[[:space:]]+[^&|;<>]*of=([^[:space:]&|;<>]+)'
+  # 0.15.0 codex P1 fix: replaced the bash-3.2-broken `(...)*` pattern
+  # for tee/truncate flag-skipping with a token-walk approach that
+  # works across BSD bash 3.2 and GNU bash 4+. Walks every token after
+  # the command, skips flags (single-dash short, double-dash long with
+  # optional =value), returns the first non-flag token as the target.
+
+  if [[ "$segment" =~ $re_redirect ]]; then
+    target_token="${BASH_REMATCH[3]}"
+    detected_form="redirect ${BASH_REMATCH[2]}"
+  elif [[ "$segment" =~ $re_cpmv ]]; then
+    target_token="${BASH_REMATCH[3]}"
+    detected_form="${BASH_REMATCH[2]}"
+  elif [[ "$segment" =~ $re_sed ]]; then
+    target_token="${BASH_REMATCH[3]}"
+    detected_form="sed -i"
+  elif [[ "$segment" =~ $re_dd ]]; then
+    target_token="${BASH_REMATCH[2]}"
+    detected_form="dd of="
+  else
+    # tee / truncate / install / ln — token-walk for cross-bash safety.
+    # Read tokens, find the command, then return the first non-flag arg.
+    local prev_word="" found_cmd=""
+    local _seg_for_walk="$segment"
+    # Strip leading whitespace.
+    _seg_for_walk="${_seg_for_walk#"${_seg_for_walk%%[![:space:]]*}"}"
+    # shellcheck disable=SC2086
+    set -- $_seg_for_walk
+    while [ "$#" -gt 0 ]; do
+      local tok="$1"
+      shift
+      if [[ -z "$found_cmd" ]]; then
+        case "$tok" in
+          tee|truncate|install|ln)
+            found_cmd="$tok"
+            ;;
+        esac
+        prev_word="$tok"
+        continue
+      fi
+      # We're inside the command's argv. Skip flags.
+      case "$tok" in
+        --) continue ;;
+        --*=*) continue ;;
+        --*)
+          # Long flag — may take a value as the NEXT token (we don't
+          # know which long options take values). For safety, skip
+          # only known no-value long flags; otherwise consume the
+          # next token too if it looks like a value.
+          case "$tok" in
+            --append|--ignore-interrupts|--no-clobber|--force|--no-target-directory|--symbolic|--no-dereference|--reference=*) continue ;;
+            *) shift 2>/dev/null || true; continue ;;
+          esac
+          ;;
+        -*)
+          # Short flag cluster. Skip. truncate -s SIZE — `-s` is a flag,
+          # SIZE is its arg. We're conservative: skip the next token if
+          # the flag cluster's last char is one of the size-bearing
+          # flags (truncate -s, install -m, ln -t).
+          case "$tok" in
+            -s*|-m*|-o*|-g*|-t*) shift 2>/dev/null || true ;;
+          esac
+          continue
+          ;;
+        *)
+          # First non-flag token — this is the target (or, for cp/mv-
+          # like commands, the first source; the cpmv detector above
+          # handles those separately). We treat ALL non-flag args as
+          # potential targets and check each — that catches
+          # `tee a b c` where any of a/b/c could be a protected file.
+          target_token="$tok"
+          detected_form="$found_cmd"
+          # Check this token immediately; if not protected, keep
+          # walking — there may be more positional args.
+          local _t
+          _t=$(_normalize_target "$target_token")
+          if rea_path_is_protected "$_t"; then
+            local matched=""
+            for pattern in "${REA_PROTECTED_PATTERNS[@]}"; do
+              if [[ "$_t" == "$pattern" ]]; then matched="$pattern"; break; fi
+              if [[ "$pattern" == */ && "$_t" == "$pattern"* ]]; then matched="$pattern"; break; fi
+            done
+            _refuse "$matched" "$_t" "$segment"
+          fi
+          # Reset target_token so the post-loop check doesn't double-check.
+          target_token=""
+          ;;
+      esac
+    done
+  fi
+
+  if [[ -z "$target_token" ]]; then
+    return 0
+  fi
+
+  local target
+  target=$(_normalize_target "$target_token")
+  if rea_path_is_protected "$target"; then
+    # Find the matching pattern for the error message.
+    local matched=""
+    for pattern in "${REA_PROTECTED_PATTERNS[@]}"; do
+      if [[ "$target" == "$pattern" ]]; then matched="$pattern"; break; fi
+      if [[ "$pattern" == */ && "$target" == "$pattern"* ]]; then matched="$pattern"; break; fi
+    done
+    _refuse "$matched" "$target" "$segment"
+  fi
+  return 0
+}
+
+for_each_segment "$CMD" _check_segment
+
+exit 0

package/hooks/settings-protection.sh

@@ -157,14 +157,27 @@ LOWER_NORM=$(printf '%s' "$NORMALIZED" | tr '[:upper:]' '[:lower:]')
 # package-managed body — §5a kills it before this matcher runs.
 #
 # SECURITY (defense-in-depth): symlinks INSIDE the .d/ surface are
-# refused. A fragment is a short shell script authored in place;
-# consumers do not need symlinks here. Without this check, a sequence
-# like `ln -s ../pre-push .husky/pre-push.d/00-evil; write 00-evil`
-# would be allowed by §5b's path-string match and the downstream
-# Write/Edit tool would follow the symlink, overwriting the
-# package-managed `.husky/pre-push` body that §6 is meant to protect.
-# Costs near-zero (no legitimate use case for symlinked fragments);
-# closes the path-string→symlink bypass completely.
+# refused — both final-component AND intermediate-directory symlinks.
+# A fragment is a short shell script authored in place; consumers do
+# not need symlinks here. Without these checks the gate has two
+# bypass shapes:
+#
+#   (a) Final-component symlink:
+#       ln -s ../pre-push .husky/pre-push.d/00-evil; write 00-evil
+#       — caught by `[ -L "$FILE_PATH" ]`.
+#
+#   (b) Intermediate-directory symlink (helix Finding 2 / 0.15.0):
+#       mkdir .husky/pre-push.d; ln -s ../ .husky/pre-push.d/linkdir
+#       write .husky/pre-push.d/linkdir/pre-push
+#       — `[ -L $FILE_PATH ]` only inspects the FINAL component, so a
+#       not-yet-existing target whose parent contains a symlink resolves
+#       to outside the surface (here: `.husky/pre-push`), letting the
+#       attacker write through to the package-managed body.
+#
+# Resolve the realpath of the parent directory and require it to live
+# under the literal extension surface. Use a portable `cd ... && pwd -P`
+# subshell pattern (no Python or readlink -f dependency required).
+# Closes the path-string→symlink bypass completely.
 case "$LOWER_NORM" in
   .husky/commit-msg.d/*|.husky/pre-push.d/*)
     if [ -L "$FILE_PATH" ]; then
@@ -178,6 +191,34 @@ case "$LOWER_NORM" in
       } >&2
       exit 2
     fi
+    # Resolve the parent directory's realpath. If any intermediate
+    # component is a symlink whose target leaves the surface, the
+    # resolved path no longer contains `/.husky/<surface>.d/` and we
+    # refuse. The parent dir must already exist for this check; if it
+    # doesn't, the write is creating the parent, in which case there
+    # is no intermediate symlink to follow yet.
+    parent_dir=$(dirname -- "$FILE_PATH")
+    if [ -d "$parent_dir" ]; then
+      resolved_parent=$(cd -P -- "$parent_dir" 2>/dev/null && pwd -P 2>/dev/null) || resolved_parent=""
+      if [ -n "$resolved_parent" ]; then
+        case "$resolved_parent" in
+          *"/.husky/commit-msg.d"*|*"/.husky/pre-push.d"*) : ;;
+          *)
+            {
+              printf 'SETTINGS PROTECTION: extension path resolves outside surface\n'
+              printf '\n'
+              printf '  Logical:  %s\n' "$SAFE_FILE_PATH"
+              printf '  Resolved: %s\n' "$resolved_parent"
+              printf '  Rule: an intermediate directory of the extension path is a\n'
+              printf '        symlink whose target leaves .husky/{commit-msg,pre-push}.d/.\n'
+              printf '        Refused to prevent symlinked-parent bypass of the\n'
+              printf '        package-managed body protection.\n'
+            } >&2
+            exit 2
+          ;;
+        esac
+      fi
+    fi
     # Documented extension surface — agents can write here freely.
     exit 0
     ;;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.14.0",
+  "version": "0.15.0",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",
@@ -96,9 +96,11 @@
     "lint:regex": "node scripts/lint-safe-regex.mjs",
     "format": "prettier --write .",
     "format:check": "prettier --check .",
-    "test": "vitest run",
+    "test": "pnpm run test:dogfood && pnpm run test:bash-syntax && vitest run",
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
+    "test:dogfood": "node tools/check-dogfood-drift.mjs",
+    "test:bash-syntax": "bash -c 'for f in hooks/*.sh hooks/_lib/*.sh; do bash -n \"$f\" || exit 1; done && echo \"[bash-syntax] OK — all hooks parse cleanly\"'",
     "type-check": "tsc --noEmit",
     "changeset": "changeset",
     "changeset:version": "changeset version",