@bookedsolid/rea 0.14.0 → 0.16.0

package/agents/codex-adversarial.md

@@ -36,7 +36,7 @@ You may read additional files in the repo if needed for context, but do so read-
 5. **Parse the Codex output** — extract structured findings.
 6. **Classify findings** by category: security, correctness, edge cases, test gaps, API design, performance.
 7. **Assign verdict**: `pass` (no material findings), `concerns` (findings worth addressing but not blocking), `blocking` (findings that must be fixed before merge).
-8. **Emit an audit entry** (optional in 0.11.0+) — the pre-push gate does not consult audit records to decide pass/fail, so you are no longer REQUIRED to emit a `codex.review` record on every interactive review. However, append one anyway via the public `@bookedsolid/rea/audit` helper when it helps forensic traceability (investigation of an intermittent verdict, review-history audit, etc.):
+8. **Emit an audit entry — REQUIRED** for every `/codex-review` invocation. The pre-push gate does not consult audit records to decide pass/fail (post-0.11.0 the gate is stateless), but the `/codex-review` slash command's Step 3 verifies an audit entry was appended for this run and surfaces "review never happened" to the user when one is missing. The two specs are a contract pair — audit emission is what tells the operator their interactive review actually completed. Append via the public `@bookedsolid/rea/audit` helper:
 
    ```ts
    import { appendAuditRecord, CODEX_REVIEW_TOOL_NAME, CODEX_REVIEW_SERVER_NAME, Tier, InvocationStatus } from '@bookedsolid/rea/audit';

package/commands/codex-review.md

@@ -7,6 +7,7 @@ allowed-tools:
   - Bash(git branch:*)
   - Bash(git rev-parse:*)
   - Read
+  - Agent
 ---
 
 # /codex-review — Adversarial Review via Codex
@@ -54,23 +55,17 @@ Invoke the `codex-adversarial` agent with:
 
 The agent wraps `/codex:adversarial-review` and returns structured findings.
 
-## Step 3 — Record to audit log
+## Step 3 — (Optional) verify audit entry
 
-Every Codex invocation produces an audit entry. The `codex-adversarial` agent writes it via the middleware chain automatically, but verify the entry was recorded:
+Audit emission is **optional** in 0.11.0+. The pre-push gate is stateless and does not consult audit records to decide pass/fail; the agent's structured findings ARE the review. The agent will append an audit entry when it helps forensic traceability (intermittent verdicts, review-history audits) but its absence is not a failure.
+
+If you want to confirm an entry was written for this run:
 
 ```bash
 tail -n 1 .rea/audit.jsonl
 ```
 
-The entry must include:
-
-- `tool: "codex-adversarial-review"`
-- `head_sha: <SHA>`
-- `target: <ref>`
-- `finding_count: <N>`
-- `verdict: pass | concerns | blocking`
-
-If the audit entry is missing, report it clearly — do not proceed as if the review happened.
+A `codex-adversarial-review` entry with `head_sha`, `target`, `finding_count`, and `verdict` fields is informative — but DO NOT treat its absence as a failure. The review happened if the agent returned text. (Pre-0.15.0 this step was a hard verification gate that contradicted the agent's "audit optional" contract — see Helix Finding 3, 2026-05-03.)
 
 ## Step 4 — Report
 

package/commands/freeze.md

@@ -3,6 +3,7 @@ description: Activate the REA kill switch — writes .rea/HALT with a reason, bl
 argument-hint: "<reason>"
 allowed-tools:
   - Bash(npx rea freeze:*)
+  - Read
 ---
 
 # /freeze — Activate the Kill Switch

package/commands/review.md

@@ -7,6 +7,7 @@ allowed-tools:
   - Bash(git branch:*)
   - Bash(git status:*)
   - Read
+  - Agent
 ---
 
 # /review — Code Review on Current Changes

package/dist/cli/doctor.js

@@ -203,7 +203,7 @@ function checkSettingsJson(baseDir) {
     const settingsPath = path.join(baseDir, '.claude', 'settings.json');
     if (!fs.existsSync(settingsPath)) {
         return {
-            label: 'settings.json matchers cover Bash + Write|Edit',
+            label: 'settings.json matchers cover Bash + Write|Edit|MultiEdit|NotebookEdit',
             status: 'fail',
             detail: `missing: ${settingsPath}`,
         };
@@ -216,23 +216,30 @@ function checkSettingsJson(baseDir) {
         const needs = [];
         if (!matchers.has('Bash'))
             needs.push('Bash');
-        if (!matchers.has('Write|Edit'))
-            needs.push('Write|Edit');
+        // 0.16.0: matcher widened to `Write|Edit|MultiEdit|NotebookEdit`. Doctor
+        // accepts any of the three historical shapes so pre-0.14.0 / pre-0.16.0
+        // installs that haven't run `rea upgrade` still report accurately. The
+        // canonical from `defaultDesiredHooks()` is the widest matcher.
+        if (!matchers.has('Write|Edit|MultiEdit|NotebookEdit') &&
+            !matchers.has('Write|Edit|MultiEdit') &&
+            !matchers.has('Write|Edit')) {
+            needs.push('Write|Edit|MultiEdit|NotebookEdit');
+        }
         if (needs.length === 0) {
             return {
-                label: 'settings.json matchers cover Bash + Write|Edit',
+                label: 'settings.json matchers cover Bash + Write|Edit|MultiEdit|NotebookEdit',
                 status: 'pass',
             };
         }
         return {
-            label: 'settings.json matchers cover Bash + Write|Edit',
+            label: 'settings.json matchers cover Bash + Write|Edit|MultiEdit|NotebookEdit',
             status: 'fail',
             detail: `missing PreToolUse matchers: ${needs.join(', ')}`,
         };
     }
     catch (e) {
         return {
-            label: 'settings.json matchers cover Bash + Write|Edit',
+            label: 'settings.json matchers cover Bash + Write|Edit|MultiEdit|NotebookEdit',
             status: 'fail',
             detail: e instanceof Error ? e.message : String(e),
         };

package/dist/cli/install/settings-merge.js

@@ -259,6 +259,7 @@ export function defaultDesiredHooks() {
             hooks: [
                 { type: 'command', command: `${base}/dangerous-bash-interceptor.sh`, timeout: 10000, statusMessage: 'Checking command safety...' },
                 { type: 'command', command: `${base}/env-file-protection.sh`, timeout: 5000, statusMessage: 'Checking for .env file reads...' },
+                { type: 'command', command: `${base}/protected-paths-bash-gate.sh`, timeout: 5000, statusMessage: 'Checking for shell-redirect to protected paths...' },
                 { type: 'command', command: `${base}/dependency-audit-gate.sh`, timeout: 15000, statusMessage: 'Verifying package exists...' },
                 { type: 'command', command: `${base}/security-disclosure-gate.sh`, timeout: 5000, statusMessage: 'Checking disclosure policy...' },
                 { type: 'command', command: `${base}/pr-issue-link-gate.sh`, timeout: 5000, statusMessage: 'Checking PR for issue reference...' },
@@ -267,7 +268,7 @@ export function defaultDesiredHooks() {
         },
         {
             event: 'PreToolUse',
-            matcher: 'Write|Edit',
+            matcher: 'Write|Edit|MultiEdit|NotebookEdit',
             hooks: [
                 { type: 'command', command: `${base}/secret-scanner.sh`, timeout: 15000, statusMessage: 'Scanning for credentials...' },
                 { type: 'command', command: `${base}/settings-protection.sh`, timeout: 5000, statusMessage: 'Checking settings protection...' },
@@ -277,7 +278,7 @@ export function defaultDesiredHooks() {
         },
         {
             event: 'PostToolUse',
-            matcher: 'Write|Edit',
+            matcher: 'Write|Edit|MultiEdit|NotebookEdit',
             hooks: [
                 { type: 'command', command: `${base}/architecture-review-gate.sh`, timeout: 10000, statusMessage: 'Checking architecture impact...' },
             ],

package/hooks/_lib/cmd-segments.sh

@@ -0,0 +1,176 @@
+# shellcheck shell=bash
+# hooks/_lib/cmd-segments.sh — shell-segment splitting for Bash-tier hooks.
+#
+# Background: hooks that gate `Bash` tool calls grep `.tool_input.command`
+# for danger words (`rm -rf`, `git restore`, `pnpm install`, etc.). Pre-
+# 0.15.0 every hook ran a single `grep -qE PATTERN "$cmd"` against the
+# whole command string. That false-positives on heredoc bodies and
+# commit messages where the trigger word appears inside content rather
+# than as a command:
+#
+#   git commit -m "$(cat <<'EOF'
+#   docs: explain why we don't run rm -rf node_modules in CI
+#   EOF
+#   )"
+#
+# The unanchored regex matches `rm -rf` inside the heredoc body and the
+# hook blocks a perfectly safe commit. Hit during the 2026-05-03 session
+# repeatedly — the pattern that motivated dependency-audit-gate's 0.15.0
+# segment-split fix.
+#
+# This helper exposes two primitives every Bash-tier hook should use:
+#
+#   for_each_segment "$CMD" CALLBACK
+#     Splits $CMD on shell command separators (`;`, `&&`, `||`, `|`,
+#     newlines) and invokes CALLBACK with each segment as $1, plus the
+#     leading-prefix-stripped form as $2 (with `sudo`/`exec`/`time`/
+#     `then`/`do`/env-var-assignment prefixes removed). Returns 0 if
+#     CALLBACK returned 0 for every segment, or the first non-zero
+#     CALLBACK exit otherwise.
+#
+#   any_segment_matches "$CMD" PATTERN
+#     Iterates segments and returns 0 if any segment's prefix-stripped
+#     form matches PATTERN (a `grep -qiE` extended regex). Returns 1
+#     if no segment matches.
+#
+# Quoting awareness: the splitter is NOT quote-aware. A separator inside
+# a quoted string would be split. This is INTENTIONAL and SAFE: the
+# segments-vs-callback contract is "find segments that anchor on a
+# trigger word." Over-splitting produces extra segments that don't
+# anchor; they're ignored. Under-splitting (treating a quoted separator
+# as part of one segment) is what the original bug was. The trade-off
+# explicitly accepts over-splitting.
+#
+# Quoting note for future maintainers: do not "fix" the over-splitting
+# without breaking the security property. Quote-aware splitting in pure
+# bash is a real lift; if needed it should move to a Node helper.
+
+# Split $1 on shell command separators. Emits one segment per line on
+# stdout (empty segments preserved). Used by both higher-level helpers
+# below; not generally called by hooks directly.
+_rea_split_segments() {
+  local cmd="$1"
+  # GNU sed and BSD sed both honor `s/PATTERN/\n/g` with `-E` for ERE.
+  # We use printf+sed instead of bash IFS=$'...' read so the splitter
+  # behaves identically across BSD and GNU sed.
+  #
+  # 0.16.0 codex P1 fix (helix-015 #3): the prior sed split on bare `|`
+  # which broke bash's `>|` (noclobber-override redirect) into two
+  # segments — `printf x >` then ` .rea/HALT`. The redirect detector
+  # then never saw a complete `>|` operator and the bash-gate let the
+  # write through.
+  #
+  # 0.16.0 codex P2-1 fix: the placeholder must NOT collide with any
+  # legal byte the agent could supply. The earlier `\x01` (SOH) is a
+  # legal UTF-8 byte and rare-but-possible in commands; if a payload
+  # contained `\x01` literally, the third sed pass would manufacture
+  # a `>|` operator that wasn't in the original — corrupting downstream
+  # parsing in either fail-open or fail-closed directions depending on
+  # what came after. The new sentinel `__REA_GTPIPE_a8f2c1__` is
+  # multi-byte alphanumeric, impossible to collide with shell input
+  # under any encoding we care about (any agent that intentionally
+  # included this string would already be obviously trying to confuse
+  # the splitter — and even then, the worst case is fail-closed).
+  printf '%s\n' "$cmd" \
+    | sed -E 's/>\|/__REA_GTPIPE_a8f2c1__/g' \
+    | sed -E 's/(\|\||&&|;|\|)/\n/g' \
+    | sed -E 's/__REA_GTPIPE_a8f2c1__/>|/g'
+}
+
+# Strip leading whitespace and well-known command prefixes from a single
+# segment. Returns the prefix-stripped form on stdout. Examples:
+#   "  sudo pnpm install foo"        → "pnpm install foo"
+#   "NODE_ENV=production pnpm add x" → "pnpm add x"
+#   "then pnpm add lodash"           → "pnpm add lodash"
+_rea_strip_prefix() {
+  local seg="$1"
+  # Trim leading whitespace.
+  seg="${seg#"${seg%%[![:space:]]*}"}"
+  # Strip ONE prefix at a time, looping. This handles compounds like
+  # `sudo NODE_ENV=production pnpm add foo`.
+  while :; do
+    case "$seg" in
+      sudo[[:space:]]*|exec[[:space:]]*|time[[:space:]]*|then[[:space:]]*|do[[:space:]]*|else[[:space:]]*)
+        # Drop the prefix word and any subsequent whitespace.
+        seg="${seg#* }"
+        seg="${seg#"${seg%%[![:space:]]*}"}"
+        ;;
+      *)
+        # Env-var assignment prefix (`KEY=value `) — only strip if the
+        # token before the first space looks like NAME=value.
+        if [[ "$seg" =~ ^[A-Za-z_][A-Za-z0-9_]*=[^[:space:]]+[[:space:]]+ ]]; then
+          seg="${seg#* }"
+          seg="${seg#"${seg%%[![:space:]]*}"}"
+        else
+          break
+        fi
+        ;;
+    esac
+  done
+  printf '%s' "$seg"
+}
+
+# Iterate every segment of $1 and invoke $2 (a function name) with the
+# raw segment as $1 and the prefix-stripped form as $2. The callback's
+# return value is honored: a non-zero return aborts the iteration and
+# becomes the helper's return value.
+for_each_segment() {
+  local cmd="$1"
+  local callback="$2"
+  local segment stripped rc
+  while IFS= read -r segment; do
+    stripped=$(_rea_strip_prefix "$segment")
+    "$callback" "$segment" "$stripped"
+    rc=$?
+    if [ "$rc" -ne 0 ]; then
+      return "$rc"
+    fi
+  done < <(_rea_split_segments "$cmd")
+  return 0
+}
+
+# Return 0 if any segment of $1 (after prefix-stripping) matches the
+# extended regex $2 ANYWHERE (not anchored). Case-insensitive. Returns 1
+# if no segment matches.
+#
+# Use this for patterns that may legitimately appear mid-segment, e.g.
+# `Co-Authored-By:` in a commit message body. For "is the segment a
+# call to <command>" use `any_segment_starts_with` instead — that
+# anchors on the start so `echo "rm -rf foo"` doesn't trip an
+# `rm -rf` detector.
+any_segment_matches() {
+  local cmd="$1"
+  local pattern="$2"
+  local segment stripped
+  while IFS= read -r segment; do
+    stripped=$(_rea_strip_prefix "$segment")
+    if printf '%s' "$stripped" | grep -qiE "$pattern"; then
+      return 0
+    fi
+  done < <(_rea_split_segments "$cmd")
+  return 1
+}
+
+# Return 0 if any segment of $1 (after prefix-stripping) STARTS WITH
+# the extended regex $2. Case-insensitive. Returns 1 if no segment
+# starts with the pattern.
+#
+# This is the right shape for "is this segment a call to <command>"
+# checks. `echo "rm -rf foo"` does NOT trigger an `rm -rf` detector
+# because the segment starts with `echo`, not `rm`. Compare to
+# `any_segment_matches`, which matches anywhere in the segment and
+# would fire on the echo'd argument.
+any_segment_starts_with() {
+  local cmd="$1"
+  local pattern="$2"
+  local segment stripped
+  while IFS= read -r segment; do
+    stripped=$(_rea_strip_prefix "$segment")
+    # `^` anchor + caller pattern. `(?:)` non-capturing group not
+    # supported in BSD ERE; we use a simple literal `^` prepend.
+    if printf '%s' "$stripped" | grep -qiE "^${pattern}"; then
+      return 0
+    fi
+  done < <(_rea_split_segments "$cmd")
+  return 1
+}

package/hooks/_lib/halt-check.sh

@@ -7,7 +7,13 @@
 # call with a clear error that surfaces the file's contents so the operator
 # knows why the system was frozen.
 
-set -euo pipefail
+# NOTE: do NOT set `-e` here. This file is sourced by hooks that
+# intentionally tolerate non-zero exits (e.g. secret-scanner.sh runs
+# multiple grep passes that may legitimately produce non-zero from
+# patterns that don't match). Setting -e in the sourced lib would
+# propagate to the caller and cause spurious exit-1s on any benign
+# non-zero return. Only set the safer subset.
+set -uo pipefail
 
 # Find the .rea/ directory by walking up from CLAUDE_PROJECT_DIR or cwd.
 # Falls back to CLAUDE_PROJECT_DIR or the current working directory when no

package/hooks/_lib/path-normalize.sh

@@ -0,0 +1,72 @@
+# shellcheck shell=bash
+# hooks/_lib/path-normalize.sh — canonical path normalization shared
+# across every hook that compares `tool_input.file_path` against a
+# literal/glob policy entry.
+#
+# Pre-0.16.0 each hook reimplemented its own normalize_path. Drift
+# was the result: settings-protection.sh translated `\` → `/` and
+# decoded `%5C` since 0.10.x; blocked-paths-enforcer caught up only
+# in 0.15.0; architecture-review-gate has never normalized at all.
+# This single helper is now the source of truth for both forms.
+#
+# normalize_path PATH
+#   Strip $REA_ROOT prefix → URL-decode `%2F`/`%2E`/`%20`/`%5C`
+#   → translate `\` → `/` → strip leading `./` segments. Echoes
+#   the project-relative form.
+#
+# resolve_parent_realpath PATH
+#   Resolve the realpath of the parent dir of PATH via `cd -P && pwd -P`.
+#   Returns the empty string if the parent doesn't exist (legitimate
+#   "we are creating the parent" case — caller should NOT treat
+#   empty as a fail). Used to detect intermediate-symlink bypass:
+#   if the realpath of the parent doesn't contain the protected
+#   surface anymore, the path resolved out of the surface.
+#
+# All normalization happens in pure bash + sed/tr — no python/perl/
+# readlink -f dependency, so it works on macOS, Alpine, and minimal
+# CI containers.
+
+# REA_ROOT is required to be set by the caller (every rea hook sets
+# it from CLAUDE_PROJECT_DIR or pwd). Default to current dir if missing
+# so this lib is sourceable from a test harness that hasn't set it.
+: "${REA_ROOT:=${CLAUDE_PROJECT_DIR:-$(pwd)}}"
+
+normalize_path() {
+  local p="$1"
+  # Strip $REA_ROOT/ prefix (with or without trailing slash).
+  if [[ "$p" == "$REA_ROOT"/* ]]; then
+    p="${p#"$REA_ROOT"/}"
+  fi
+  # URL-decode common sequences. Include %5C for backslash so
+  # Windows / Git Bash percent-encoded paths normalize the same as
+  # forward-slash forms.
+  p=$(printf '%s' "$p" | sed 's/%2[Ff]/\//g; s/%2[Ee]/./g; s/%20/ /g; s/%5[Cc]/\\/g')
+  # Translate any backslash separators to forward slashes.
+  p=$(printf '%s' "$p" | tr '\\\\' '/')
+  # Strip leading `./` segments. We deliberately do NOT strip
+  # interior `./` — that transformation corrupts `..` traversals
+  # (e.g. `.../` collapsed to `../`) and hides traversal from any
+  # downstream check.
+  while [[ "$p" == ./* ]]; do
+    p="${p#./}"
+  done
+  printf '%s' "$p"
+}
+
+resolve_parent_realpath() {
+  local target_path="$1"
+  local parent_dir
+  parent_dir=$(dirname -- "$target_path")
+  if [[ ! -d "$parent_dir" ]]; then
+    # Parent doesn't exist yet — caller should treat as "no realpath
+    # available" and fall back to logical-path checks. Return empty.
+    printf ''
+    return 0
+  fi
+  # `cd -P` follows symlinks; `pwd -P` prints the resolved physical
+  # path. Subshell scopes the cd so we don't pollute the caller's
+  # working directory.
+  local resolved
+  resolved=$(cd -P -- "$parent_dir" 2>/dev/null && pwd -P 2>/dev/null) || resolved=""
+  printf '%s' "$resolved"
+}

package/hooks/_lib/payload-read.sh

@@ -0,0 +1,66 @@
+# shellcheck shell=bash
+# hooks/_lib/payload-read.sh — shared payload extraction across the
+# write-tier tools (Write, Edit, MultiEdit, NotebookEdit).
+#
+# Pre-0.16.0 every content-scanning hook (secret-scanner.sh,
+# changeset-security-gate.sh) carried its own jq expression that
+# walked tool_input.{content, new_string, edits[].new_string}. When
+# Anthropic added MultiEdit (0.14.0 fix) every hook needed a
+# parallel patch and one was missed. NotebookEdit is the next tool
+# in the same family — `tool_input.notebook_path` (path) +
+# `tool_input.new_source` (cell content). This single helper handles
+# all four tools so adding the next one is a one-line edit here, not
+# a sweep across N hooks.
+#
+# extract_write_content INPUT_JSON
+#   Echo the content of the about-to-be-written payload, regardless
+#   of which write tool produced it. Tries in order:
+#     1. .tool_input.content                      (Write)
+#     2. .tool_input.new_string                   (Edit)
+#     3. .tool_input.edits[].new_string           (MultiEdit, joined \n)
+#     4. .tool_input.new_source                   (NotebookEdit cell)
+#   Returns empty string when none of these are present (caller
+#   should treat empty as "nothing to scan, exit 0"). Defensive
+#   coercion via `tostring` + array-type-guard so a malformed
+#   payload (non-string new_string, non-array edits) fails closed
+#   to the empty string rather than fail-open via jq error.
+#
+# extract_file_path INPUT_JSON
+#   Echo the file_path / notebook_path of the payload. NotebookEdit
+#   uses notebook_path; Write/Edit/MultiEdit use file_path. Returns
+#   empty string when neither is present.
+#
+# Both helpers require jq.
+
+extract_write_content() {
+  local input="$1"
+  printf '%s' "$input" | jq -r '
+    # Try Write content first.
+    if (.tool_input.content // "") != "" then
+      .tool_input.content
+    # Then Edit new_string.
+    elif (.tool_input.new_string // "") != "" then
+      .tool_input.new_string
+    # Then MultiEdit edits[].new_string (defensive: type-guard +
+    # tostring so heterogeneous types do not error jq).
+    elif ((.tool_input.edits // [] | if type=="array" then . else [] end | length) > 0) then
+      (.tool_input.edits // [] | if type=="array" then . else [] end)
+      | map((.new_string // "") | tostring)
+      | join("\n")
+    # Then NotebookEdit new_source (notebook cell content).
+    elif (.tool_input.new_source // "") != "" then
+      .tool_input.new_source
+    else
+      ""
+    end
+  ' 2>/dev/null
+}
+
+extract_file_path() {
+  local input="$1"
+  printf '%s' "$input" | jq -r '
+    .tool_input.file_path
+    // .tool_input.notebook_path
+    // empty
+  ' 2>/dev/null
+}

package/hooks/_lib/policy-read.sh

@@ -7,7 +7,10 @@
 # project root via rea_root() from halt-check.sh, but will re-derive it if
 # REA_ROOT is unset.
 
-set -euo pipefail
+# NOTE: do NOT set `-e` here — see hooks/_lib/halt-check.sh for the
+# rationale. This is a sourced library; -e would propagate to callers
+# and cause spurious exit-1s on benign non-zero returns from grep/sed.
+set -uo pipefail
 
 # Resolve the path to .rea/policy.yaml for the current project.
 # Prints an empty string if no policy file is found — callers should treat

package/hooks/_lib/protected-paths.sh

@@ -0,0 +1,50 @@
+# shellcheck shell=bash
+# hooks/_lib/protected-paths.sh — single source of truth for the
+# hard-protected path list shared between the Write/Edit tier
+# (`settings-protection.sh`) and the Bash tier (`protected-paths-bash-gate.sh`).
+#
+# Pre-0.15.0 this list was duplicated inline in settings-protection.sh;
+# the bash-redirect bypass (`> .rea/HALT`, `tee .rea/policy.yaml`,
+# `cp X .claude/settings.json`, `sed -i .husky/pre-push`) was caught
+# by the principal-engineer audit. The fix: factor the list out so
+# both hooks read the same data, and protect against shell redirects
+# in addition to Write/Edit/MultiEdit tools.
+
+# The path list is bash glob patterns matched against project-root-
+# relative paths. Suffix `/` indicates a prefix match; no suffix means
+# (case-insensitive) exact match — see `rea_path_is_protected` for the
+# helix-015 #2 lowercase-comparison rationale. Mirrors the array in
+# settings-protection.sh §6.
+REA_PROTECTED_PATTERNS=(
+  '.claude/settings.json'
+  '.claude/settings.local.json'
+  '.husky/'
+  '.rea/policy.yaml'
+  '.rea/HALT'
+)
+
+# Test whether a project-relative path matches any protected pattern.
+# Usage: if rea_path_is_protected ".rea/HALT"; then echo "blocked"; fi
+# Returns 0 on match, 1 on no match.
+#
+# 0.16.0 codex P1 fix (helix-015 #2): match case-insensitively.
+# macOS APFS (default case-insensitive) lets `.ClAuDe/settings.json`
+# land on the same file as `.claude/settings.json`. settings-protection.sh
+# §6 has had a CI matcher since 0.10.x; this helper was missing it.
+# We lowercase BOTH sides so the comparison is symmetric — callers can
+# pass either case.
+rea_path_is_protected() {
+  local p_lc
+  p_lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
+  local pattern pattern_lc
+  for pattern in "${REA_PROTECTED_PATTERNS[@]}"; do
+    pattern_lc=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
+    if [[ "$p_lc" == "$pattern_lc" ]]; then
+      return 0
+    fi
+    if [[ "$pattern_lc" == */ ]] && [[ "$p_lc" == "$pattern_lc"* ]]; then
+      return 0
+    fi
+  done
+  return 1
+}

package/hooks/architecture-review-gate.sh

@@ -18,13 +18,11 @@ if ! command -v jq >/dev/null 2>&1; then
 fi
 
 # ── 3. HALT check ────────────────────────────────────────────────────────────
-REA_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
-HALT_FILE="${REA_ROOT}/.rea/HALT"
-if [ -f "$HALT_FILE" ]; then
-  printf 'REA HALT: %s\nAll agent operations suspended. Run: rea unfreeze\n' \
-    "$(head -c 1024 "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
-  exit 2
-fi
+# 0.16.0: HALT check sourced from shared _lib/halt-check.sh.
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
+check_halt
+REA_ROOT=$(rea_root)
 
 # ── 4. Check if enabled ──────────────────────────────────────────────────────
 POLICY_FILE="${REA_ROOT}/.rea/policy.yaml"
@@ -41,10 +39,15 @@ if [[ -z "$FILE_PATH" ]]; then
   exit 0
 fi
 
-# Normalize to relative path
-if [[ "$FILE_PATH" == "$REA_ROOT"/* ]]; then
-  FILE_PATH="${FILE_PATH#$REA_ROOT/}"
-fi
+# 0.16.0 fix D.1: normalize via shared `_lib/path-normalize.sh` so
+# Windows / Git Bash backslash paths and URL-encoded forms are handled
+# uniformly with the rest of the hook layer. Pre-fix, this hook only
+# stripped $REA_ROOT prefix — `src\gateway\foo.ts` (Windows) or
+# `src%2Fgateway%2Ffoo.ts` (URL-encoded) silently bypassed the
+# architectural review.
+# shellcheck source=_lib/path-normalize.sh
+source "$(dirname "$0")/_lib/path-normalize.sh"
+FILE_PATH=$(normalize_path "$FILE_PATH")
 
 # ── 6. Check architecture-sensitive paths ─────────────────────────────────────
 ARCH_PATTERNS=(

package/hooks/attribution-advisory.sh

@@ -26,13 +26,11 @@ if ! command -v jq >/dev/null 2>&1; then
 fi
 
 # ── 3. HALT check ─────────────────────────────────────────────────────────────
-REA_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
-HALT_FILE="${REA_ROOT}/.rea/HALT"
-if [ -f "$HALT_FILE" ]; then
-  printf 'REA HALT: %s\nAll agent operations suspended. Run: rea unfreeze\n' \
-    "$(head -c 1024 "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
-  exit 2
-fi
+# 0.16.0: HALT check sourced from shared _lib/halt-check.sh.
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
+check_halt
+REA_ROOT=$(rea_root)
 
 # ── 4. Check if attribution blocking is enabled ──────────────────────────────
 POLICY_FILE="${REA_ROOT}/.rea/policy.yaml"
@@ -50,14 +48,23 @@ if [[ -z "$CMD" ]]; then
   exit 0
 fi
 
+# 0.15.0: source the shared shell-segment splitter. Pre-fix, the
+# attribution patterns greped the FULL command — `git commit -m "Note:
+# Co-Authored-By with AI was removed in 0.14"` matched and the commit
+# was blocked even though the message was COMMENTING on attribution
+# rather than including it. Per-segment anchoring scopes detection to
+# segments whose first token is `git commit` / `gh pr create|edit`.
+# shellcheck source=_lib/cmd-segments.sh
+source "$(dirname "$0")/_lib/cmd-segments.sh"
+
 # ── 6. Check if this is a relevant command ────────────────────────────────────
 IS_RELEVANT=0
 
-if printf '%s' "$CMD" | grep -qiE 'gh[[:space:]]+pr[[:space:]]+(create|edit)'; then
+if any_segment_matches "$CMD" 'gh[[:space:]]+pr[[:space:]]+(create|edit)'; then
   IS_RELEVANT=1
 fi
 
-if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+commit'; then
+if any_segment_matches "$CMD" 'git[[:space:]]+commit'; then
   IS_RELEVANT=1
 fi
 
@@ -70,27 +77,27 @@ fi
 FOUND=0
 
 # Co-Authored-By with noreply@ email
-if printf '%s' "$CMD" | grep -qiE 'Co-Authored-By:.*noreply@'; then
+if any_segment_matches "$CMD" 'Co-Authored-By:.*noreply@'; then
   FOUND=1
 fi
 
 # Co-Authored-By with known AI names
-if printf '%s' "$CMD" | grep -qiE 'Co-Authored-By:.*\b(Claude|Sonnet|Opus|Haiku|Copilot|GPT|ChatGPT|Gemini|Cursor|Codeium|Tabnine|Amazon Q|CodeWhisperer|Devin|Windsurf|Cline|Aider|Anthropic|OpenAI|GitHub Copilot)\b'; then
+if any_segment_matches "$CMD" 'Co-Authored-By:.*\b(Claude|Sonnet|Opus|Haiku|Copilot|GPT|ChatGPT|Gemini|Cursor|Codeium|Tabnine|Amazon Q|CodeWhisperer|Devin|Windsurf|Cline|Aider|Anthropic|OpenAI|GitHub Copilot)\b'; then
   FOUND=1
 fi
 
 # "Generated/Built/Powered with/by [AI Tool]" lines
-if printf '%s' "$CMD" | grep -qiE '(Generated|Created|Built|Powered|Authored|Written|Produced)[[:space:]]+(with|by)[[:space:]]+(Claude|Copilot|GPT|ChatGPT|Gemini|Cursor|Codeium|Tabnine|CodeWhisperer|Devin|Windsurf|Cline|Aider|AI|an? AI)\b'; then
+if any_segment_matches "$CMD" '(Generated|Created|Built|Powered|Authored|Written|Produced)[[:space:]]+(with|by)[[:space:]]+(Claude|Copilot|GPT|ChatGPT|Gemini|Cursor|Codeium|Tabnine|CodeWhisperer|Devin|Windsurf|Cline|Aider|AI|an? AI)\b'; then
   FOUND=1
 fi
 
 # Markdown-linked attribution
-if printf '%s' "$CMD" | grep -qiE '\[Claude Code\]|\[GitHub Copilot\]|\[ChatGPT\]|\[Gemini\]|\[Cursor\]'; then
+if any_segment_matches "$CMD" '\[Claude Code\]|\[GitHub Copilot\]|\[ChatGPT\]|\[Gemini\]|\[Cursor\]'; then
   FOUND=1
 fi
 
 # Emoji attribution
-if printf '%s' "$CMD" | grep -qE '🤖.*[Gg]enerated'; then
+if any_segment_matches "$CMD" '🤖.*[Gg]enerated'; then
   FOUND=1
 fi