@bookedsolid/rea 0.14.0 → 0.16.0

package/hooks/env-file-protection.sh

@@ -17,6 +17,12 @@
 
 set -uo pipefail
 
+# Source shared shell-segment splitter (0.15.0). Replaces full-command
+# grep that false-positives on commit messages mentioning `.env` (e.g.
+# `git commit -m "stop reading .env via cat"`).
+# shellcheck source=_lib/cmd-segments.sh
+source "$(dirname "$0")/_lib/cmd-segments.sh"
+
 INPUT=$(cat)
 
 # ── Dependency check ──────────────────────────────────────────────────────────
@@ -27,13 +33,11 @@ if ! command -v jq >/dev/null 2>&1; then
 fi
 
 # ── HALT check ────────────────────────────────────────────────────────────────
-REA_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
-HALT_FILE="${REA_ROOT}/.rea/HALT"
-if [ -f "$HALT_FILE" ]; then
-  printf 'REA HALT: %s\nAll agent operations suspended. Run: rea unfreeze\n' \
-    "$(head -c 1024 "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
-  exit 2
-fi
+# 0.16.0: HALT check sourced from shared _lib/halt-check.sh.
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
+check_halt
+REA_ROOT=$(rea_root)
 
 CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
 
@@ -70,17 +74,21 @@ PATTERN_ENV_FILE='(\.env[a-zA-Z0-9._-]*|\.envrc)([[:space:]]|"|'"'"'|$)'
 MATCHES_UTILITY=0
 MATCHES_ENV_FILE=0
 
-if printf '%s' "$CMD" | grep -qE "$PATTERN_UTILITY"; then
+# 0.15.0: per-segment match. Pre-fix this greped the FULL command which
+# false-positived on commit messages: `git commit -m "stop reading .env
+# files via cat"` matched both PATTERN_UTILITY (cat) and PATTERN_ENV_FILE
+# (.env) and the hook blocked a perfectly safe commit.
+if any_segment_matches "$CMD" "$PATTERN_UTILITY"; then
   MATCHES_UTILITY=1
 fi
 
-if printf '%s' "$CMD" | grep -qE "$PATTERN_ENV_FILE"; then
+if any_segment_matches "$CMD" "$PATTERN_ENV_FILE"; then
   MATCHES_ENV_FILE=1
 fi
 
 # Direct source/cp of .env files — always block
-if printf '%s' "$CMD" | grep -qE "$PATTERN_SOURCE" || \
-   printf '%s' "$CMD" | grep -qE "$PATTERN_CP_ENV"; then
+if any_segment_matches "$CMD" "$PATTERN_SOURCE" || \
+   any_segment_matches "$CMD" "$PATTERN_CP_ENV"; then
   TRUNCATED_CMD=$(truncate_cmd "$CMD")
   {
     printf 'ENV FILE PROTECTION: Direct sourcing or copying of .env files is blocked.\n'

package/hooks/protected-paths-bash-gate.sh

@@ -0,0 +1,303 @@
+#!/bin/bash
+# PreToolUse hook: protected-paths-bash-gate.sh
+# Fires BEFORE every Bash tool call.
+# Refuses Bash commands that write to PROTECTED_PATTERNS via shell
+# redirection or write-flag utilities — the kill-switch and policy
+# files MUST be unreachable via any tool surface, including Bash.
+#
+# Pre-0.15.0, settings-protection.sh §6 protected `.rea/HALT`,
+# `.rea/policy.yaml`, `.claude/settings.json`, `.husky/*` against
+# Write/Edit/MultiEdit tool calls. But shell redirects bypassed it
+# entirely:
+#
+#   printf '...' > .rea/HALT          # bypass — Bash matcher only
+#   tee .rea/policy.yaml < new.yaml   # bypass
+#   cp new-settings.json .claude/settings.json
+#   sed -i '' '/foo/d' .husky/pre-push
+#   dd of=.rea/HALT
+#
+# This hook closes that gap by detecting redirect/write patterns
+# whose target matches the same `_lib/protected-paths.sh` allowlist.
+#
+# Exit codes:
+#   0 = no protected-path write detected — allow
+#   2 = protected-path write via Bash detected — block
+
+set -uo pipefail
+
+# shellcheck source=_lib/protected-paths.sh
+source "$(dirname "$0")/_lib/protected-paths.sh"
+# shellcheck source=_lib/cmd-segments.sh
+source "$(dirname "$0")/_lib/cmd-segments.sh"
+
+INPUT=$(cat)
+
+if ! command -v jq >/dev/null 2>&1; then
+  printf 'REA ERROR: jq is required but not installed.\n' >&2
+  exit 2
+fi
+
+REA_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+
+# HALT check — uniform with other hooks.
+HALT_FILE="${REA_ROOT}/.rea/HALT"
+if [ -f "$HALT_FILE" ]; then
+  printf 'REA HALT: %s\nAll agent operations suspended. Run: rea unfreeze\n' \
+    "$(head -c 1024 "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
+  exit 2
+fi
+
+CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+if [[ -z "$CMD" ]]; then
+  exit 0
+fi
+
+# Normalize a path token. 0.16.0 codex P1 fixes (helix Findings 015):
+#   - resolve `..` segments via realpath when the path exists, OR reject
+#     them outright when it doesn't (`.claude/hooks/../settings.json`
+#     writes to `.claude/settings.json` but the literal-string match
+#     missed it pre-fix)
+#   - lowercase the result so case-insensitive matchers (macOS APFS,
+#     `.ClAuDe/settings.json`) still match the canonical lowercase
+#     pattern (`.claude/settings.json`)
+#   - apply shared `_lib/path-normalize.sh::normalize_path` for backslash
+#     translation + URL decode + leading-`./` strip
+# shellcheck source=_lib/path-normalize.sh
+source "$(dirname "$0")/_lib/path-normalize.sh"
+
+_normalize_target() {
+  local t="$1"
+  # Strip matching surrounding quotes.
+  if [[ "$t" =~ ^\"(.*)\"$ ]]; then t="${BASH_REMATCH[1]}"; fi
+  if [[ "$t" =~ ^\'(.*)\'$ ]]; then t="${BASH_REMATCH[1]}"; fi
+  # If the path contains `..` segments, resolve them aggressively. We
+  # cannot rely on `realpath` being installed; do a manual resolution
+  # by walking segments. This is the helix-015 P1 fix: pre-fix, the
+  # literal `.claude/hooks/../settings.json` did not match the
+  # `.claude/settings.json` pattern even though the OS would resolve
+  # the write to that target.
+  case "/$t/" in
+    */../*)
+      # Build absolute then walk and normalize segments.
+      # 0.16.0 codex P1-1 fix: use `read -ra` with IFS=/ instead of an
+      # unquoted `for part in $abs` loop. The unquoted `for` was subject
+      # to pathname expansion — `.claude/*/../settings.json` would glob
+      # `*` against the agent's CWD, mangling the resolved path and
+      # bypassing the protected-paths matcher. `read -ra` with an
+      # explicit delimiter disables both word-splitting (via IFS) AND
+      # pathname expansion (read does not glob).
+      local abs="$t"
+      [[ "$abs" != /* ]] && abs="$REA_ROOT/$abs"
+      local -a raw_parts parts=()
+      IFS='/' read -ra raw_parts <<<"$abs"
+      for part in "${raw_parts[@]}"; do
+        case "$part" in
+          ''|.) continue ;;
+          ..) [[ "${#parts[@]}" -gt 0 ]] && unset 'parts[${#parts[@]}-1]' ;;
+          *) parts+=("$part") ;;
+        esac
+      done
+      t="/$(IFS=/; printf '%s' "${parts[*]}")"
+      # 0.16.0 codex P2-3 fix: if the resolved absolute path escapes
+      # REA_ROOT, emit a sentinel so the caller refuses outright.
+      # `exit 2` here would only exit the `$()` subshell, not the parent
+      # hook process — sentinel + caller-side handling is the only
+      # cross-shell-portable way.
+      if [[ "$t" != "$REA_ROOT" && "$t" != "$REA_ROOT"/* ]]; then
+        printf '__rea_outside_root__:%s' "$t"
+        return 0
+      fi
+      ;;
+  esac
+  # Hand off to shared normalize_path (strips $REA_ROOT, URL-decodes,
+  # translates `\` → `/`, strips leading `./`).
+  t=$(normalize_path "$t")
+  # Lowercase for case-insensitive matching (helix-015 P1 fix #2 —
+  # macOS APFS allows `.ClAuDe/settings.json` to land on the same
+  # file as `.claude/settings.json`, so the matcher must compare
+  # lowercased forms).
+  printf '%s' "$t" | tr '[:upper:]' '[:lower:]'
+}
+
+# Refuse and exit 2 with a uniform error message.
+_refuse() {
+  local pattern="$1" target="$2" segment="$3"
+  {
+    printf 'PROTECTED PATH (bash): write to a package-managed file blocked\n'
+    printf '\n'
+    printf '  Pattern matched: %s\n' "$pattern"
+    printf '  Resolved target: %s\n' "$target"
+    printf '  Segment:         %s\n' "$segment"
+    printf '\n'
+    printf '  Rule: protected paths (kill-switch, policy.yaml, settings.json,\n'
+    printf '        .husky/*) are unreachable via Bash redirects too — not just\n'
+    printf '        Write/Edit/MultiEdit. To modify, a human must edit directly.\n'
+  } >&2
+  exit 2
+}
+
+# Inspect one segment for redirect / write patterns and refuse if the
+# target matches any protected pattern.
+_check_segment() {
+  local _raw="$1" segment="$2"
+  [[ -z "$segment" ]] && return 0
+
+  local target_token=""
+  local detected_form=""
+
+  # bash `[[ =~ ]]` regex literals with `|` and `(...)` parsed inline
+  # confuse some bash versions on macOS. Use named variables for each
+  # pattern so the literal stays in a string context only.
+  # 0.16.0 codex P1 fix (helix-015 #3): widened redirect regex. Pre-fix
+  # only matched `>`, `>>`, `2>`, `2>>`, `&>`. Missed:
+  #   - `1>` / `1>>` (explicit stdout fd)
+  #   - `>|` (noclobber-override redirect)
+  #   - `[0-9]+>` / `[0-9]+>>` (any fd prefix — `9>file`, `42>>file`)
+  # All of these write to the target and bypassed the gate. The new
+  # pattern accepts: optional fd-prefix, then `>` or `>>` or `>|`, with
+  # optional `&` for stderr-merge variants.
+  local re_redirect='(^|[[:space:]])(&>>|&>|[0-9]+>>|[0-9]+>\||[0-9]+>|>>|>\||>)[[:space:]]*([^[:space:]&|;<>]+)'
+  local re_cpmv='(^|[[:space:]])(cp|mv)[[:space:]]+[^&|;<>]+[[:space:]]([^[:space:]&|;<>]+)[[:space:]]*$'
+  local re_sed='(^|[[:space:]])sed[[:space:]]+(-[a-zA-Z]*i[a-zA-Z]*[^[:space:]]*)[[:space:]]+[^&|;<>]+[[:space:]]([^[:space:]&|;<>]+)[[:space:]]*$'
+  local re_dd='(^|[[:space:]])dd[[:space:]]+[^&|;<>]*of=([^[:space:]&|;<>]+)'
+  # 0.15.0 codex P1 fix: replaced the bash-3.2-broken `(...)*` pattern
+  # for tee/truncate flag-skipping with a token-walk approach that
+  # works across BSD bash 3.2 and GNU bash 4+. Walks every token after
+  # the command, skips flags (single-dash short, double-dash long with
+  # optional =value), returns the first non-flag token as the target.
+
+  if [[ "$segment" =~ $re_redirect ]]; then
+    target_token="${BASH_REMATCH[3]}"
+    detected_form="redirect ${BASH_REMATCH[2]}"
+  elif [[ "$segment" =~ $re_cpmv ]]; then
+    target_token="${BASH_REMATCH[3]}"
+    detected_form="${BASH_REMATCH[2]}"
+  elif [[ "$segment" =~ $re_sed ]]; then
+    target_token="${BASH_REMATCH[3]}"
+    detected_form="sed -i"
+  elif [[ "$segment" =~ $re_dd ]]; then
+    target_token="${BASH_REMATCH[2]}"
+    detected_form="dd of="
+  else
+    # tee / truncate / install / ln — token-walk for cross-bash safety.
+    # Read tokens, find the command, then return the first non-flag arg.
+    local prev_word="" found_cmd=""
+    local _seg_for_walk="$segment"
+    # Strip leading whitespace.
+    _seg_for_walk="${_seg_for_walk#"${_seg_for_walk%%[![:space:]]*}"}"
+    # shellcheck disable=SC2086
+    set -- $_seg_for_walk
+    while [ "$#" -gt 0 ]; do
+      local tok="$1"
+      shift
+      if [[ -z "$found_cmd" ]]; then
+        case "$tok" in
+          tee|truncate|install|ln)
+            found_cmd="$tok"
+            ;;
+        esac
+        prev_word="$tok"
+        continue
+      fi
+      # We're inside the command's argv. Skip flags.
+      case "$tok" in
+        --) continue ;;
+        --*=*) continue ;;
+        --*)
+          # Long flag — may take a value as the NEXT token (we don't
+          # know which long options take values). For safety, skip
+          # only known no-value long flags; otherwise consume the
+          # next token too if it looks like a value.
+          case "$tok" in
+            --append|--ignore-interrupts|--no-clobber|--force|--no-target-directory|--symbolic|--no-dereference|--reference=*) continue ;;
+            *) shift 2>/dev/null || true; continue ;;
+          esac
+          ;;
+        -*)
+          # Short flag cluster. Skip. truncate -s SIZE — `-s` is a flag,
+          # SIZE is its arg. We're conservative: skip the next token if
+          # the flag cluster's last char is one of the size-bearing
+          # flags (truncate -s, install -m, ln -t).
+          case "$tok" in
+            -s*|-m*|-o*|-g*|-t*) shift 2>/dev/null || true ;;
+          esac
+          continue
+          ;;
+        *)
+          # First non-flag token — this is the target (or, for cp/mv-
+          # like commands, the first source; the cpmv detector above
+          # handles those separately). We treat ALL non-flag args as
+          # potential targets and check each — that catches
+          # `tee a b c` where any of a/b/c could be a protected file.
+          target_token="$tok"
+          detected_form="$found_cmd"
+          # Check this token immediately; if not protected, keep
+          # walking — there may be more positional args.
+          local _t
+          _t=$(_normalize_target "$target_token")
+          # 0.16.0 codex P2-3: outside-REA_ROOT sentinel handling.
+          if [[ "$_t" == __rea_outside_root__:* ]]; then
+            local resolved="${_t#__rea_outside_root__:}"
+            {
+              printf 'PROTECTED PATH (bash): path traversal escapes project root\n'
+              printf '  Logical: %s\n  Resolved: %s\n' "$target_token" "$resolved"
+            } >&2
+            exit 2
+          fi
+          if rea_path_is_protected "$_t"; then
+            local matched=""
+            local pattern_lc
+            for pattern in "${REA_PROTECTED_PATTERNS[@]}"; do
+              pattern_lc=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
+              if [[ "$_t" == "$pattern_lc" ]]; then matched="$pattern"; break; fi
+              if [[ "$pattern_lc" == */ && "$_t" == "$pattern_lc"* ]]; then matched="$pattern"; break; fi
+            done
+            _refuse "$matched" "$_t" "$segment"
+          fi
+          # Reset target_token so the post-loop check doesn't double-check.
+          target_token=""
+          ;;
+      esac
+    done
+  fi
+
+  if [[ -z "$target_token" ]]; then
+    return 0
+  fi
+
+  local target
+  target=$(_normalize_target "$target_token")
+  # 0.16.0 codex P2-3 fix: outside-REA_ROOT sentinel from _normalize_target.
+  if [[ "$target" == __rea_outside_root__:* ]]; then
+    local resolved="${target#__rea_outside_root__:}"
+    {
+      printf 'PROTECTED PATH (bash): path traversal escapes project root\n'
+      printf '\n'
+      printf '  Logical:  %s\n' "$target_token"
+      printf '  Resolved: %s\n' "$resolved"
+      printf '  Segment:  %s\n' "$segment"
+      printf '\n'
+      printf '  Rule: bash redirects whose target resolves outside REA_ROOT\n'
+      printf '        are refused. Use a project-relative path without `..`\n'
+      printf '        segments.\n'
+    } >&2
+    exit 2
+  fi
+  if rea_path_is_protected "$target"; then
+    # Find the matching pattern for the error message. Both `target`
+    # and `pattern` lowercased to match `_normalize_target`'s case-
+    # insensitive output (helix-015 P1 fix).
+    local matched="" pattern_lc
+    for pattern in "${REA_PROTECTED_PATTERNS[@]}"; do
+      pattern_lc=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
+      if [[ "$target" == "$pattern_lc" ]]; then matched="$pattern"; break; fi
+      if [[ "$pattern_lc" == */ && "$target" == "$pattern_lc"* ]]; then matched="$pattern"; break; fi
+    done
+    _refuse "$matched" "$target" "$segment"
+  fi
+  return 0
+}
+
+for_each_segment "$CMD" _check_segment
+
+exit 0

package/hooks/secret-scanner.sh

@@ -29,53 +29,24 @@ if ! command -v jq >/dev/null 2>&1; then
 fi
 
 # ── HALT check ────────────────────────────────────────────────────────────────
-REA_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
-HALT_FILE="${REA_ROOT}/.rea/HALT"
-if [ -f "$HALT_FILE" ]; then
-  printf 'REA HALT: %s\nAll agent operations suspended. Run: rea unfreeze\n' \
-    "$(head -c 1024 "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
-  exit 2
-fi
-
-FILE_PATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
-CONTENT_WRITE=$(printf '%s' "$INPUT" | jq -r '.tool_input.content // empty' 2>/dev/null)
-CONTENT_EDIT=$(printf '%s' "$INPUT"  | jq -r '.tool_input.new_string // empty' 2>/dev/null)
-# MultiEdit (0.14.0 fix): the payload is at tool_input.edits[].new_string —
-# an array, not a scalar — and the prior versions of this hook never read
-# it. Result: any agent could route credential writes through MultiEdit and
-# bypass the secret scanner entirely. We extract every `new_string` value
-# from the edits array and concatenate them with newlines so the awk-based
-# pattern scan below treats them like any other write content.
-#
-# Defensive coercion (codex round-1 P1): a malformed payload where
-# `new_string` is a number, object, or array would make jq error out, the
-# `2>/dev/null` would swallow stderr, `CONTENT_MULTIEDIT` would be empty,
-# and the precedence chain below would fall through to `exit 0` —
-# silently allowing the write. Same fail-open mode for a non-array
-# `edits` value. We:
-#
-#   1. Coerce `.tool_input.edits` to `[]` if it's anything other than an
-#      array (`if type=="array" then . else [] end`)
-#   2. Coerce every `new_string` to a string via `tostring` so jq cannot
-#      fail on heterogeneous types
-#
-# Both layers fail closed: a malformed payload either yields the empty
-# string (no scan needed, exit 0 from the precedence chain) or yields a
-# pattern-scannable string. There is no path where jq errors silently and
-# the hook falls through to allow.
-CONTENT_MULTIEDIT=$(printf '%s' "$INPUT" | jq -r '
-  (.tool_input.edits // [] | if type=="array" then . else [] end)
-  | map((.new_string // "") | tostring)
-  | join("\n")
-' 2>/dev/null)
-
-if [[ -n "$CONTENT_WRITE" ]]; then
-  CONTENT="$CONTENT_WRITE"
-elif [[ -n "$CONTENT_EDIT" ]]; then
-  CONTENT="$CONTENT_EDIT"
-elif [[ -n "$CONTENT_MULTIEDIT" ]]; then
-  CONTENT="$CONTENT_MULTIEDIT"
-else
+# 0.16.0: HALT check sourced from shared _lib/halt-check.sh.
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
+check_halt
+REA_ROOT=$(rea_root)
+
+# 0.16.0: payload extraction moved to `_lib/payload-read.sh`. The shared
+# helpers handle Write content / Edit new_string / MultiEdit edits[] /
+# NotebookEdit new_source with the same defensive type-guards. Adding
+# the next write-tier tool is a one-line edit there, not a sweep
+# across N hooks.
+# shellcheck source=_lib/payload-read.sh
+source "$(dirname "$0")/_lib/payload-read.sh"
+
+FILE_PATH=$(extract_file_path "$INPUT")
+CONTENT=$(extract_write_content "$INPUT")
+
+if [[ -z "$CONTENT" ]]; then
   exit 0
 fi
 

package/hooks/settings-protection.sh

@@ -33,13 +33,11 @@ if ! command -v jq >/dev/null 2>&1; then
 fi
 
 # ── 3. HALT check ────────────────────────────────────────────────────────────
-REA_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
-HALT_FILE="${REA_ROOT}/.rea/HALT"
-if [ -f "$HALT_FILE" ]; then
-  printf 'REA HALT: %s\nAll agent operations suspended. Run: rea unfreeze\n' \
-    "$(head -c 1024 "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
-  exit 2
-fi
+# 0.16.0: HALT check sourced from shared _lib/halt-check.sh.
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
+check_halt
+REA_ROOT=$(rea_root)
 
 # ── 4. Extract file path from payload ─────────────────────────────────────────
 FILE_PATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
@@ -157,14 +155,27 @@ LOWER_NORM=$(printf '%s' "$NORMALIZED" | tr '[:upper:]' '[:lower:]')
 # package-managed body — §5a kills it before this matcher runs.
 #
 # SECURITY (defense-in-depth): symlinks INSIDE the .d/ surface are
-# refused. A fragment is a short shell script authored in place;
-# consumers do not need symlinks here. Without this check, a sequence
-# like `ln -s ../pre-push .husky/pre-push.d/00-evil; write 00-evil`
-# would be allowed by §5b's path-string match and the downstream
-# Write/Edit tool would follow the symlink, overwriting the
-# package-managed `.husky/pre-push` body that §6 is meant to protect.
-# Costs near-zero (no legitimate use case for symlinked fragments);
-# closes the path-string→symlink bypass completely.
+# refused — both final-component AND intermediate-directory symlinks.
+# A fragment is a short shell script authored in place; consumers do
+# not need symlinks here. Without these checks the gate has two
+# bypass shapes:
+#
+#   (a) Final-component symlink:
+#       ln -s ../pre-push .husky/pre-push.d/00-evil; write 00-evil
+#       — caught by `[ -L "$FILE_PATH" ]`.
+#
+#   (b) Intermediate-directory symlink (helix Finding 2 / 0.15.0):
+#       mkdir .husky/pre-push.d; ln -s ../ .husky/pre-push.d/linkdir
+#       write .husky/pre-push.d/linkdir/pre-push
+#       — `[ -L $FILE_PATH ]` only inspects the FINAL component, so a
+#       not-yet-existing target whose parent contains a symlink resolves
+#       to outside the surface (here: `.husky/pre-push`), letting the
+#       attacker write through to the package-managed body.
+#
+# Resolve the realpath of the parent directory and require it to live
+# under the literal extension surface. Use a portable `cd ... && pwd -P`
+# subshell pattern (no Python or readlink -f dependency required).
+# Closes the path-string→symlink bypass completely.
 case "$LOWER_NORM" in
   .husky/commit-msg.d/*|.husky/pre-push.d/*)
     if [ -L "$FILE_PATH" ]; then
@@ -178,6 +189,34 @@ case "$LOWER_NORM" in
       } >&2
       exit 2
     fi
+    # Resolve the parent directory's realpath. If any intermediate
+    # component is a symlink whose target leaves the surface, the
+    # resolved path no longer contains `/.husky/<surface>.d/` and we
+    # refuse. The parent dir must already exist for this check; if it
+    # doesn't, the write is creating the parent, in which case there
+    # is no intermediate symlink to follow yet.
+    parent_dir=$(dirname -- "$FILE_PATH")
+    if [ -d "$parent_dir" ]; then
+      resolved_parent=$(cd -P -- "$parent_dir" 2>/dev/null && pwd -P 2>/dev/null) || resolved_parent=""
+      if [ -n "$resolved_parent" ]; then
+        case "$resolved_parent" in
+          *"/.husky/commit-msg.d"*|*"/.husky/pre-push.d"*) : ;;
+          *)
+            {
+              printf 'SETTINGS PROTECTION: extension path resolves outside surface\n'
+              printf '\n'
+              printf '  Logical:  %s\n' "$SAFE_FILE_PATH"
+              printf '  Resolved: %s\n' "$resolved_parent"
+              printf '  Rule: an intermediate directory of the extension path is a\n'
+              printf '        symlink whose target leaves .husky/{commit-msg,pre-push}.d/.\n'
+              printf '        Refused to prevent symlinked-parent bypass of the\n'
+              printf '        package-managed body protection.\n'
+            } >&2
+            exit 2
+          ;;
+        esac
+      fi
+    fi
     # Documented extension surface — agents can write here freely.
     exit 0
     ;;
@@ -294,6 +333,63 @@ if match_protected_ci; then
   exit 2
 fi
 
+# ── 6c. Intermediate-symlink resolution (0.16.0 fix H.1) ──────────────────────
+# Helix Finding 2 reborn against the hard-protected list. The §5b
+# extension-surface fix (0.13.2) resolved parent realpath for the
+# `.husky/{commit-msg,pre-push}.d/*` allowlist; §6 was never given the
+# same protection. Attack:
+#
+#   mkdir innocuous_path
+#   ln -s ../.husky innocuous_path/maybe   # symlink resolves to .husky/
+#   write innocuous_path/maybe/pre-push    # writes through to .husky/pre-push
+#
+# §5a (`..` traversal) doesn't catch — the path string has no `..`.
+# §6 PROTECTED_PATTERNS sees `innocuous_path/maybe/pre-push` — doesn't
+# match `.husky/` prefix. The write succeeds and the package-managed
+# pre-push body is overwritten.
+#
+# Fix: when the parent directory of the target exists, resolve its
+# realpath via cd -P && pwd -P (same shape as §5b) and check whether
+# the resolved path falls inside any protected directory. Only resolve
+# when the parent already exists — a write that creates the parent has
+# nothing to follow.
+if [[ -e "$FILE_PATH" || -d "$(dirname -- "$FILE_PATH")" ]]; then
+  parent_dir=$(dirname -- "$FILE_PATH")
+  if [[ -d "$parent_dir" ]]; then
+    resolved_parent=$(cd -P -- "$parent_dir" 2>/dev/null && pwd -P 2>/dev/null) || resolved_parent=""
+    if [[ -n "$resolved_parent" ]]; then
+      # If the resolved parent is inside REA_ROOT, compute the project-
+      # relative path and test it against the protected patterns.
+      if [[ "$resolved_parent" == "$REA_ROOT"/* ]]; then
+        relative_resolved="${resolved_parent#"$REA_ROOT"/}"
+        # Walk every PROTECTED_PATTERN that's a directory prefix and
+        # check whether the resolved parent falls inside it. Direct
+        # filename matches against PROTECTED_PATTERNS for the resolved
+        # final path (parent + basename).
+        resolved_target="${relative_resolved}/$(basename -- "$FILE_PATH")"
+        resolved_target_lc=$(printf '%s' "$resolved_target" | tr '[:upper:]' '[:lower:]')
+        for pattern in "${PROTECTED_PATTERNS[@]}"; do
+          pattern_lc=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
+          if [[ "$resolved_target_lc" == "$pattern_lc" ]] || \
+             { [[ "$pattern_lc" == */ ]] && [[ "$resolved_target_lc" == "$pattern_lc"* ]]; }; then
+            {
+              printf 'SETTINGS PROTECTION: intermediate-symlink resolution blocked\n'
+              printf '\n'
+              printf '  Logical:  %s\n' "$SAFE_FILE_PATH"
+              printf '  Resolved: %s\n' "$resolved_target"
+              printf '  Matched:  %s\n' "$pattern"
+              printf '  Rule: an intermediate directory of the target path is a\n'
+              printf '        symlink whose target falls inside a hard-protected\n'
+              printf '        path. Refused to prevent symlinked-parent bypass.\n'
+            } >&2
+            exit 2
+          fi
+        done
+      fi
+    fi
+  fi
+fi
+
 # ── 6b. Hook-patch session (Defect I / rea#76) ───────────────────────────────
 # When REA_HOOK_PATCH_SESSION is set to a non-empty reason, allow edits under
 # .claude/hooks/ and hooks/ for this session. The session boundary IS the

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.14.0",
+  "version": "0.16.0",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",
@@ -96,9 +96,11 @@
     "lint:regex": "node scripts/lint-safe-regex.mjs",
     "format": "prettier --write .",
     "format:check": "prettier --check .",
-    "test": "vitest run",
+    "test": "pnpm run test:dogfood && pnpm run test:bash-syntax && vitest run",
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
+    "test:dogfood": "node tools/check-dogfood-drift.mjs",
+    "test:bash-syntax": "bash -c 'for f in hooks/*.sh hooks/_lib/*.sh; do bash -n \"$f\" || exit 1; done && echo \"[bash-syntax] OK — all hooks parse cleanly\"'",
     "type-check": "tsc --noEmit",
     "changeset": "changeset",
     "changeset:version": "changeset version",