@bookedsolid/rea 0.15.0 → 0.16.1

package/agents/codex-adversarial.md

@@ -33,6 +33,8 @@ You may read additional files in the repo if needed for context, but do so read-
 2. **Validate Codex availability** — if `/codex` is not installed, report and stop. Do not silently fall back to another reviewer.
 3. **Prepare the Codex invocation** — construct the adversarial-review prompt with the diff, commit log, and any relevant context files.
 4. **Invoke `/codex:adversarial-review`** — this call flows through the REA middleware chain (audit → kill-switch → tier → policy → redact → injection → execute → result-size-cap).
+
+   **Model pinning (0.16.1+):** when the codex plugin's adversarial-review supports model overrides, request `gpt-5.4` with `model_reasoning_effort: high` to match the push-gate's iron-gate defaults. Pre-0.16.1, in-session adversarial reviews ran on whatever the plugin defaulted to (likely `codex-auto-review` at medium reasoning) — meaningfully WEAKER than the push-gate's `gpt-5.4` + `high`. This caused a "in-session review passes, push-gate review fails" pattern reported by helix across 014 / 015 / 016. If the plugin call accepts model parameters, pass them. If it does not, fall back to invoking `codex exec review --base <ref> --json --ephemeral -c model="gpt-5.4" -c model_reasoning_effort="high"` directly via `Bash` — same shape the push-gate uses (see `src/hooks/push-gate/codex-runner.ts::runCodexReview`). The cost of the stronger model is small relative to the cost of shipping a release with a P1 bypass that gets caught at consumer push time.
 5. **Parse the Codex output** — extract structured findings.
 6. **Classify findings** by category: security, correctness, edge cases, test gaps, API design, performance.
 7. **Assign verdict**: `pass` (no material findings), `concerns` (findings worth addressing but not blocking), `blocking` (findings that must be fixed before merge).

package/dist/cli/doctor.js

@@ -203,7 +203,7 @@ function checkSettingsJson(baseDir) {
     const settingsPath = path.join(baseDir, '.claude', 'settings.json');
     if (!fs.existsSync(settingsPath)) {
         return {
-            label: 'settings.json matchers cover Bash + Write|Edit|MultiEdit',
+            label: 'settings.json matchers cover Bash + Write|Edit|MultiEdit|NotebookEdit',
             status: 'fail',
             detail: `missing: ${settingsPath}`,
         };
@@ -216,29 +216,30 @@ function checkSettingsJson(baseDir) {
         const needs = [];
         if (!matchers.has('Bash'))
             needs.push('Bash');
-        // 0.15.0: matcher was widened from `Write|Edit` to `Write|Edit|MultiEdit`
-        // in 0.14.0; doctor's check missed the rename. Accept either form so
-        // pre-0.14.0 installs that haven't run `rea upgrade` still report
-        // accurately, but the canonical produced by `defaultDesiredHooks()` is
-        // the wider matcher.
-        if (!matchers.has('Write|Edit|MultiEdit') && !matchers.has('Write|Edit')) {
-            needs.push('Write|Edit|MultiEdit');
+        // 0.16.0: matcher widened to `Write|Edit|MultiEdit|NotebookEdit`. Doctor
+        // accepts any of the three historical shapes so pre-0.14.0 / pre-0.16.0
+        // installs that haven't run `rea upgrade` still report accurately. The
+        // canonical from `defaultDesiredHooks()` is the widest matcher.
+        if (!matchers.has('Write|Edit|MultiEdit|NotebookEdit') &&
+            !matchers.has('Write|Edit|MultiEdit') &&
+            !matchers.has('Write|Edit')) {
+            needs.push('Write|Edit|MultiEdit|NotebookEdit');
         }
         if (needs.length === 0) {
             return {
-                label: 'settings.json matchers cover Bash + Write|Edit|MultiEdit',
+                label: 'settings.json matchers cover Bash + Write|Edit|MultiEdit|NotebookEdit',
                 status: 'pass',
             };
         }
         return {
-            label: 'settings.json matchers cover Bash + Write|Edit|MultiEdit',
+            label: 'settings.json matchers cover Bash + Write|Edit|MultiEdit|NotebookEdit',
             status: 'fail',
             detail: `missing PreToolUse matchers: ${needs.join(', ')}`,
         };
     }
     catch (e) {
         return {
-            label: 'settings.json matchers cover Bash + Write|Edit|MultiEdit',
+            label: 'settings.json matchers cover Bash + Write|Edit|MultiEdit|NotebookEdit',
             status: 'fail',
             detail: e instanceof Error ? e.message : String(e),
         };

package/dist/cli/install/settings-merge.js

@@ -268,7 +268,7 @@ export function defaultDesiredHooks() {
         },
         {
             event: 'PreToolUse',
-            matcher: 'Write|Edit|MultiEdit',
+            matcher: 'Write|Edit|MultiEdit|NotebookEdit',
             hooks: [
                 { type: 'command', command: `${base}/secret-scanner.sh`, timeout: 15000, statusMessage: 'Scanning for credentials...' },
                 { type: 'command', command: `${base}/settings-protection.sh`, timeout: 5000, statusMessage: 'Checking settings protection...' },
@@ -278,7 +278,7 @@ export function defaultDesiredHooks() {
         },
         {
             event: 'PostToolUse',
-            matcher: 'Write|Edit|MultiEdit',
+            matcher: 'Write|Edit|MultiEdit|NotebookEdit',
             hooks: [
                 { type: 'command', command: `${base}/architecture-review-gate.sh`, timeout: 10000, statusMessage: 'Checking architecture impact...' },
             ],

package/hooks/_lib/cmd-segments.sh

@@ -53,7 +53,36 @@ _rea_split_segments() {
   # GNU sed and BSD sed both honor `s/PATTERN/\n/g` with `-E` for ERE.
   # We use printf+sed instead of bash IFS=$'...' read so the splitter
   # behaves identically across BSD and GNU sed.
-  printf '%s\n' "$cmd" | sed -E 's/(\|\||&&|;|\|)/\n/g'
+  #
+  # 0.16.0 codex P1 fix (helix-015 #3): the prior sed split on bare `|`
+  # which broke bash's `>|` (noclobber-override redirect) into two
+  # segments — `printf x >` then ` .rea/HALT`. The redirect detector
+  # then never saw a complete `>|` operator and the bash-gate let the
+  # write through.
+  #
+  # 0.16.0 codex P2-1 fix: the placeholder must NOT collide with any
+  # legal byte the agent could supply. The earlier `\x01` (SOH) is a
+  # legal UTF-8 byte and rare-but-possible in commands; if a payload
+  # contained `\x01` literally, the third sed pass would manufacture
+  # a `>|` operator that wasn't in the original — corrupting downstream
+  # parsing in either fail-open or fail-closed directions depending on
+  # what came after. The new sentinel `__REA_GTPIPE_a8f2c1__` is
+  # multi-byte alphanumeric, impossible to collide with shell input
+  # under any encoding we care about (any agent that intentionally
+  # included this string would already be obviously trying to confuse
+  # the splitter — and even then, the worst case is fail-closed).
+  # 0.16.1 helix-016 P1 fix: also split on single `&` (background-process
+  # operator). Pre-fix the splitter only broke on `&&|||;|`; a command like
+  # `sleep 1 & git push --force` was treated as ONE segment whose first
+  # token is `sleep`, and `any_segment_starts_with($CMD, 'git push')`
+  # missed the force-push entirely. Add `&` to the separator set, but
+  # AFTER `&&` is already swapped out so we don't break it apart.
+  printf '%s\n' "$cmd" \
+    | sed -E 's/>\|/__REA_GTPIPE_a8f2c1__/g' \
+    | sed -E 's/&&/__REA_LOGAND_a8f2c1__/g' \
+    | sed -E 's/(\|\||;|\||&)/\n/g' \
+    | sed -E 's/__REA_LOGAND_a8f2c1__/\n/g' \
+    | sed -E 's/__REA_GTPIPE_a8f2c1__/>|/g'
 }
 
 # Strip leading whitespace and well-known command prefixes from a single
@@ -130,6 +159,30 @@ any_segment_matches() {
   return 1
 }
 
+# Return 0 if any segment of $1 (RAW — no prefix-stripping) matches the
+# extended regex $2. Use this for checks where the prefix itself IS the
+# signal — e.g. H10's `HUSKY=0 git commit` detection (the prefix-stripper
+# would strip the `HUSKY=0` before any_segment_matches sees it). Also
+# right for H15 (`REA_BYPASS=...`) and H16 (alias/function defs).
+#
+# 0.16.1 helix-016 sibling fix: H10 baseline corpus regressed from
+# 0.15.0 because it migrated to `any_segment_matches` which strips
+# env-var prefixes. The check needs the raw segment to fire.
+any_segment_raw_matches() {
+  local cmd="$1"
+  local pattern="$2"
+  local segment
+  while IFS= read -r segment; do
+    # Trim leading whitespace for clean anchor matching, but otherwise
+    # leave the segment intact (env-var assignments preserved).
+    segment="${segment#"${segment%%[![:space:]]*}"}"
+    if printf '%s' "$segment" | grep -qiE "$pattern"; then
+      return 0
+    fi
+  done < <(_rea_split_segments "$cmd")
+  return 1
+}
+
 # Return 0 if any segment of $1 (after prefix-stripping) STARTS WITH
 # the extended regex $2. Case-insensitive. Returns 1 if no segment
 # starts with the pattern.

package/hooks/_lib/halt-check.sh

@@ -7,7 +7,13 @@
 # call with a clear error that surfaces the file's contents so the operator
 # knows why the system was frozen.
 
-set -euo pipefail
+# NOTE: do NOT set `-e` here. This file is sourced by hooks that
+# intentionally tolerate non-zero exits (e.g. secret-scanner.sh runs
+# multiple grep passes that may legitimately produce non-zero from
+# patterns that don't match). Setting -e in the sourced lib would
+# propagate to the caller and cause spurious exit-1s on any benign
+# non-zero return. Only set the safer subset.
+set -uo pipefail
 
 # Find the .rea/ directory by walking up from CLAUDE_PROJECT_DIR or cwd.
 # Falls back to CLAUDE_PROJECT_DIR or the current working directory when no

package/hooks/_lib/path-normalize.sh

@@ -0,0 +1,72 @@
+# shellcheck shell=bash
+# hooks/_lib/path-normalize.sh — canonical path normalization shared
+# across every hook that compares `tool_input.file_path` against a
+# literal/glob policy entry.
+#
+# Pre-0.16.0 each hook reimplemented its own normalize_path. Drift
+# was the result: settings-protection.sh translated `\` → `/` and
+# decoded `%5C` since 0.10.x; blocked-paths-enforcer caught up only
+# in 0.15.0; architecture-review-gate has never normalized at all.
+# This single helper is now the source of truth for both forms.
+#
+# normalize_path PATH
+#   Strip $REA_ROOT prefix → URL-decode `%2F`/`%2E`/`%20`/`%5C`
+#   → translate `\` → `/` → strip leading `./` segments. Echoes
+#   the project-relative form.
+#
+# resolve_parent_realpath PATH
+#   Resolve the realpath of the parent dir of PATH via `cd -P && pwd -P`.
+#   Returns the empty string if the parent doesn't exist (legitimate
+#   "we are creating the parent" case — caller should NOT treat
+#   empty as a fail). Used to detect intermediate-symlink bypass:
+#   if the realpath of the parent doesn't contain the protected
+#   surface anymore, the path resolved out of the surface.
+#
+# All normalization happens in pure bash + sed/tr — no python/perl/
+# readlink -f dependency, so it works on macOS, Alpine, and minimal
+# CI containers.
+
+# REA_ROOT is required to be set by the caller (every rea hook sets
+# it from CLAUDE_PROJECT_DIR or pwd). Default to current dir if missing
+# so this lib is sourceable from a test harness that hasn't set it.
+: "${REA_ROOT:=${CLAUDE_PROJECT_DIR:-$(pwd)}}"
+
+normalize_path() {
+  local p="$1"
+  # Strip $REA_ROOT/ prefix (with or without trailing slash).
+  if [[ "$p" == "$REA_ROOT"/* ]]; then
+    p="${p#"$REA_ROOT"/}"
+  fi
+  # URL-decode common sequences. Include %5C for backslash so
+  # Windows / Git Bash percent-encoded paths normalize the same as
+  # forward-slash forms.
+  p=$(printf '%s' "$p" | sed 's/%2[Ff]/\//g; s/%2[Ee]/./g; s/%20/ /g; s/%5[Cc]/\\/g')
+  # Translate any backslash separators to forward slashes.
+  p=$(printf '%s' "$p" | tr '\\\\' '/')
+  # Strip leading `./` segments. We deliberately do NOT strip
+  # interior `./` — that transformation corrupts `..` traversals
+  # (e.g. `.../` collapsed to `../`) and hides traversal from any
+  # downstream check.
+  while [[ "$p" == ./* ]]; do
+    p="${p#./}"
+  done
+  printf '%s' "$p"
+}
+
+resolve_parent_realpath() {
+  local target_path="$1"
+  local parent_dir
+  parent_dir=$(dirname -- "$target_path")
+  if [[ ! -d "$parent_dir" ]]; then
+    # Parent doesn't exist yet — caller should treat as "no realpath
+    # available" and fall back to logical-path checks. Return empty.
+    printf ''
+    return 0
+  fi
+  # `cd -P` follows symlinks; `pwd -P` prints the resolved physical
+  # path. Subshell scopes the cd so we don't pollute the caller's
+  # working directory.
+  local resolved
+  resolved=$(cd -P -- "$parent_dir" 2>/dev/null && pwd -P 2>/dev/null) || resolved=""
+  printf '%s' "$resolved"
+}

package/hooks/_lib/payload-read.sh

@@ -0,0 +1,66 @@
+# shellcheck shell=bash
+# hooks/_lib/payload-read.sh — shared payload extraction across the
+# write-tier tools (Write, Edit, MultiEdit, NotebookEdit).
+#
+# Pre-0.16.0 every content-scanning hook (secret-scanner.sh,
+# changeset-security-gate.sh) carried its own jq expression that
+# walked tool_input.{content, new_string, edits[].new_string}. When
+# Anthropic added MultiEdit (0.14.0 fix) every hook needed a
+# parallel patch and one was missed. NotebookEdit is the next tool
+# in the same family — `tool_input.notebook_path` (path) +
+# `tool_input.new_source` (cell content). This single helper handles
+# all four tools so adding the next one is a one-line edit here, not
+# a sweep across N hooks.
+#
+# extract_write_content INPUT_JSON
+#   Echo the content of the about-to-be-written payload, regardless
+#   of which write tool produced it. Tries in order:
+#     1. .tool_input.content                      (Write)
+#     2. .tool_input.new_string                   (Edit)
+#     3. .tool_input.edits[].new_string           (MultiEdit, joined \n)
+#     4. .tool_input.new_source                   (NotebookEdit cell)
+#   Returns empty string when none of these are present (caller
+#   should treat empty as "nothing to scan, exit 0"). Defensive
+#   coercion via `tostring` + array-type-guard so a malformed
+#   payload (non-string new_string, non-array edits) fails closed
+#   to the empty string rather than fail-open via jq error.
+#
+# extract_file_path INPUT_JSON
+#   Echo the file_path / notebook_path of the payload. NotebookEdit
+#   uses notebook_path; Write/Edit/MultiEdit use file_path. Returns
+#   empty string when neither is present.
+#
+# Both helpers require jq.
+
+extract_write_content() {
+  local input="$1"
+  printf '%s' "$input" | jq -r '
+    # Try Write content first.
+    if (.tool_input.content // "") != "" then
+      .tool_input.content
+    # Then Edit new_string.
+    elif (.tool_input.new_string // "") != "" then
+      .tool_input.new_string
+    # Then MultiEdit edits[].new_string (defensive: type-guard +
+    # tostring so heterogeneous types do not error jq).
+    elif ((.tool_input.edits // [] | if type=="array" then . else [] end | length) > 0) then
+      (.tool_input.edits // [] | if type=="array" then . else [] end)
+      | map((.new_string // "") | tostring)
+      | join("\n")
+    # Then NotebookEdit new_source (notebook cell content).
+    elif (.tool_input.new_source // "") != "" then
+      .tool_input.new_source
+    else
+      ""
+    end
+  ' 2>/dev/null
+}
+
+extract_file_path() {
+  local input="$1"
+  printf '%s' "$input" | jq -r '
+    .tool_input.file_path
+    // .tool_input.notebook_path
+    // empty
+  ' 2>/dev/null
+}

package/hooks/_lib/policy-read.sh

@@ -7,7 +7,10 @@
 # project root via rea_root() from halt-check.sh, but will re-derive it if
 # REA_ROOT is unset.
 
-set -euo pipefail
+# NOTE: do NOT set `-e` here — see hooks/_lib/halt-check.sh for the
+# rationale. This is a sourced library; -e would propagate to callers
+# and cause spurious exit-1s on benign non-zero returns from grep/sed.
+set -uo pipefail
 
 # Resolve the path to .rea/policy.yaml for the current project.
 # Prints an empty string if no policy file is found — callers should treat

package/hooks/_lib/protected-paths.sh

@@ -12,7 +12,9 @@
 
 # The path list is bash glob patterns matched against project-root-
 # relative paths. Suffix `/` indicates a prefix match; no suffix means
-# exact match. Mirrors the array in settings-protection.sh §6.
+# (case-insensitive) exact match — see `rea_path_is_protected` for the
+# helix-015 #2 lowercase-comparison rationale. Mirrors the array in
+# settings-protection.sh §6.
 REA_PROTECTED_PATTERNS=(
   '.claude/settings.json'
   '.claude/settings.local.json'
@@ -24,14 +26,23 @@ REA_PROTECTED_PATTERNS=(
 # Test whether a project-relative path matches any protected pattern.
 # Usage: if rea_path_is_protected ".rea/HALT"; then echo "blocked"; fi
 # Returns 0 on match, 1 on no match.
+#
+# 0.16.0 codex P1 fix (helix-015 #2): match case-insensitively.
+# macOS APFS (default case-insensitive) lets `.ClAuDe/settings.json`
+# land on the same file as `.claude/settings.json`. settings-protection.sh
+# §6 has had a CI matcher since 0.10.x; this helper was missing it.
+# We lowercase BOTH sides so the comparison is symmetric — callers can
+# pass either case.
 rea_path_is_protected() {
-  local p="$1"
-  local pattern
+  local p_lc
+  p_lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
+  local pattern pattern_lc
   for pattern in "${REA_PROTECTED_PATTERNS[@]}"; do
-    if [[ "$p" == "$pattern" ]]; then
+    pattern_lc=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
+    if [[ "$p_lc" == "$pattern_lc" ]]; then
       return 0
     fi
-    if [[ "$pattern" == */ ]] && [[ "$p" == "$pattern"* ]]; then
+    if [[ "$pattern_lc" == */ ]] && [[ "$p_lc" == "$pattern_lc"* ]]; then
       return 0
     fi
   done

package/hooks/architecture-review-gate.sh

@@ -18,13 +18,11 @@ if ! command -v jq >/dev/null 2>&1; then
 fi
 
 # ── 3. HALT check ────────────────────────────────────────────────────────────
-REA_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
-HALT_FILE="${REA_ROOT}/.rea/HALT"
-if [ -f "$HALT_FILE" ]; then
-  printf 'REA HALT: %s\nAll agent operations suspended. Run: rea unfreeze\n' \
-    "$(head -c 1024 "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
-  exit 2
-fi
+# 0.16.0: HALT check sourced from shared _lib/halt-check.sh.
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
+check_halt
+REA_ROOT=$(rea_root)
 
 # ── 4. Check if enabled ──────────────────────────────────────────────────────
 POLICY_FILE="${REA_ROOT}/.rea/policy.yaml"
@@ -41,10 +39,15 @@ if [[ -z "$FILE_PATH" ]]; then
   exit 0
 fi
 
-# Normalize to relative path
-if [[ "$FILE_PATH" == "$REA_ROOT"/* ]]; then
-  FILE_PATH="${FILE_PATH#$REA_ROOT/}"
-fi
+# 0.16.0 fix D.1: normalize via shared `_lib/path-normalize.sh` so
+# Windows / Git Bash backslash paths and URL-encoded forms are handled
+# uniformly with the rest of the hook layer. Pre-fix, this hook only
+# stripped $REA_ROOT prefix — `src\gateway\foo.ts` (Windows) or
+# `src%2Fgateway%2Ffoo.ts` (URL-encoded) silently bypassed the
+# architectural review.
+# shellcheck source=_lib/path-normalize.sh
+source "$(dirname "$0")/_lib/path-normalize.sh"
+FILE_PATH=$(normalize_path "$FILE_PATH")
 
 # ── 6. Check architecture-sensitive paths ─────────────────────────────────────
 ARCH_PATTERNS=(

package/hooks/attribution-advisory.sh

@@ -26,13 +26,11 @@ if ! command -v jq >/dev/null 2>&1; then
 fi
 
 # ── 3. HALT check ─────────────────────────────────────────────────────────────
-REA_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
-HALT_FILE="${REA_ROOT}/.rea/HALT"
-if [ -f "$HALT_FILE" ]; then
-  printf 'REA HALT: %s\nAll agent operations suspended. Run: rea unfreeze\n' \
-    "$(head -c 1024 "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
-  exit 2
-fi
+# 0.16.0: HALT check sourced from shared _lib/halt-check.sh.
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
+check_halt
+REA_ROOT=$(rea_root)
 
 # ── 4. Check if attribution blocking is enabled ──────────────────────────────
 POLICY_FILE="${REA_ROOT}/.rea/policy.yaml"

package/hooks/blocked-paths-enforcer.sh

@@ -23,13 +23,11 @@ if ! command -v jq >/dev/null 2>&1; then
 fi
 
 # ── 3. HALT check ────────────────────────────────────────────────────────────
-REA_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
-HALT_FILE="${REA_ROOT}/.rea/HALT"
-if [ -f "$HALT_FILE" ]; then
-  printf 'REA HALT: %s\nAll agent operations suspended. Run: rea unfreeze\n' \
-    "$(head -c 1024 "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
-  exit 2
-fi
+# 0.16.0: HALT check sourced from shared _lib/halt-check.sh.
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
+check_halt
+REA_ROOT=$(rea_root)
 
 # ── 4. Extract file path from payload ─────────────────────────────────────────
 FILE_PATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
@@ -100,24 +98,12 @@ AGENT_WRITABLE=(
   '.rea/audit/'
 )
 
-normalize_path() {
-  local p="$1"
-  local root="$REA_ROOT"
-  if [[ "$p" == "$root"/* ]]; then
-    p="${p#$root/}"
-  fi
-  # 0.15.0 fix: include `\` (and `%5C` percent-encoded form) in the
-  # normalization. Without this, a path like
-  # `.github\workflows\release.yml` under Windows / Git Bash reaches
-  # that file but compares as a different string than
-  # `.github/workflows/release.yml`, missing the literal blocked-paths
-  # match. Mirrors settings-protection.sh §4 which has had backslash
-  # normalization since 0.10.x.
-  p=$(printf '%s' "$p" | sed 's/%2[Ff]/\//g; s/%2[Ee]/./g; s/%20/ /g; s/%5[Cc]/\\/g')
-  p=$(printf '%s' "$p" | tr '\\\\' '/')
-  p="${p#./}"
-  printf '%s' "$p"
-}
+# 0.16.0: normalize_path migrated to shared `_lib/path-normalize.sh`.
+# Both this hook AND settings-protection.sh consume the same helper
+# so URL-decoding / backslash-translation / `./`-stripping cannot
+# drift between them again.
+# shellcheck source=_lib/path-normalize.sh
+source "$(dirname "$0")/_lib/path-normalize.sh"
 
 NORMALIZED=$(normalize_path "$FILE_PATH")
 
@@ -219,4 +205,41 @@ for blocked in "${BLOCKED_PATHS[@]}"; do
   fi
 done
 
+# ── 0.16.0 fix H.2: intermediate-symlink resolution ──────────────────────────
+# Same shape as Helix Finding 2 against blocked_paths policy entries.
+# If `secrets/` is in blocked_paths and an attacker creates
+# `pretty/ -> ../secrets/`, then writes `pretty/foo`, the literal-match
+# loop above sees `pretty/foo` (no match) and exits 0 — the downstream
+# Write tool follows the symlink and lands the body in `secrets/foo`.
+# Mirrors settings-protection.sh §6c.
+if [[ -e "$FILE_PATH" || -d "$(dirname -- "$FILE_PATH")" ]]; then
+  parent_dir=$(dirname -- "$FILE_PATH")
+  if [[ -d "$parent_dir" ]]; then
+    resolved_parent=$(cd -P -- "$parent_dir" 2>/dev/null && pwd -P 2>/dev/null) || resolved_parent=""
+    if [[ -n "$resolved_parent" && "$resolved_parent" == "$REA_ROOT"/* ]]; then
+      relative_resolved="${resolved_parent#"$REA_ROOT"/}"
+      resolved_target="${relative_resolved}/$(basename -- "$FILE_PATH")"
+      resolved_target_lc=$(printf '%s' "$resolved_target" | tr '[:upper:]' '[:lower:]')
+      for blocked in "${BLOCKED_PATHS[@]}"; do
+        blocked_lc=$(printf '%s' "$blocked" | tr '[:upper:]' '[:lower:]')
+        if [[ "$resolved_target_lc" == "$blocked_lc" ]] || \
+           { [[ "$blocked_lc" == */ ]] && [[ "$resolved_target_lc" == "$blocked_lc"* ]]; }; then
+          {
+            printf 'BLOCKED PATH: intermediate-symlink resolution blocked\n'
+            printf '\n'
+            printf '  Logical:  %s\n' "$FILE_PATH"
+            printf '  Resolved: %s\n' "$resolved_target"
+            printf '  Blocked by: %s\n' "$blocked"
+            printf '  Source: .rea/policy.yaml → blocked_paths\n'
+            printf '\n'
+            printf '  Rule: an intermediate directory of the path is a symlink\n'
+            printf '        whose target falls inside a blocked policy entry.\n'
+          } >&2
+          exit 2
+        fi
+      done
+    fi
+  fi
+fi
+
 exit 0

package/hooks/changeset-security-gate.sh

@@ -26,38 +26,29 @@ TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name // ""')
 # 0.15.0 fix: MultiEdit was not in the allowed tool_name set, so the gate
 # silently exited 0 on every MultiEdit call against `.changeset/*.md` —
 # letting GHSA / CVE pre-disclosure through and skipping frontmatter
-# validation. Same bypass shape as the secret-scanner MultiEdit issue
-# fixed in 0.14.0; this is the second hook in the same family.
-if [[ "$TOOL_NAME" != "Write" && "$TOOL_NAME" != "Edit" && "$TOOL_NAME" != "MultiEdit" ]]; then
+# validation. 0.16.0: NotebookEdit added too (changesets are .md files
+# but a malicious agent could in principle route a .md write through
+# NotebookEdit's new_source path; cheap to allow, free to test).
+if [[ "$TOOL_NAME" != "Write" && "$TOOL_NAME" != "Edit" && "$TOOL_NAME" != "MultiEdit" && "$TOOL_NAME" != "NotebookEdit" ]]; then
   exit 0
 fi
 
-FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // ""')
+require_jq
+
+# 0.16.0: payload extraction migrated to `_lib/payload-read.sh`. Shared
+# helpers handle every write-tier tool with the same defensive
+# coercion. Adding the next write-tier tool is a one-line edit there.
+# shellcheck source=_lib/payload-read.sh
+source "$(dirname "$0")/_lib/payload-read.sh"
+
+FILE_PATH=$(extract_file_path "$INPUT")
 
 # Only care about .changeset/*.md files — exclude README.md (changeset tool metadata)
 if ! echo "$FILE_PATH" | grep -qE '\.changeset/[^/]+\.md$' || echo "$FILE_PATH" | grep -qE '\.changeset/README\.md$'; then
   exit 0
 fi
 
-require_jq
-
-# Extract the content being written. MultiEdit content lives at
-# `tool_input.edits[].new_string` (an array, not a scalar) — see the
-# corresponding extraction in hooks/secret-scanner.sh. We use the same
-# defensive coercion (`tostring` + `if type=="array" then . else [] end`)
-# so a malformed payload fails closed: either yields the empty string
-# (no scan needed, exit 0) or yields a pattern-scannable string.
-if [[ "$TOOL_NAME" == "Write" ]]; then
-  CONTENT=$(echo "$INPUT" | jq -r '.tool_input.content // ""')
-elif [[ "$TOOL_NAME" == "Edit" ]]; then
-  CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // ""')
-else
-  CONTENT=$(echo "$INPUT" | jq -r '
-    (.tool_input.edits // [] | if type=="array" then . else [] end)
-    | map((.new_string // "") | tostring)
-    | join("\n")
-  ')
-fi
+CONTENT=$(extract_write_content "$INPUT")
 
 # ─── 1. SECURITY DISCLOSURE CHECK ───────────────────────────────────────────
 #

package/hooks/dangerous-bash-interceptor.sh

@@ -35,13 +35,11 @@ if ! command -v jq >/dev/null 2>&1; then
 fi
 
 # ── 3. HALT check ─────────────────────────────────────────────────────────────
-REA_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
-HALT_FILE="${REA_ROOT}/.rea/HALT"
-if [ -f "$HALT_FILE" ]; then
-  printf 'REA HALT: %s\nAll agent operations suspended. Run: rea unfreeze\n' \
-    "$(head -c 1024 "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
-  exit 2
-fi
+# 0.16.0: HALT check sourced from shared _lib/halt-check.sh.
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
+check_halt
+REA_ROOT=$(rea_root)
 
 # ── 4. Parse tool_input.command from the hook payload ─────────────────────────
 CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
@@ -218,7 +216,7 @@ if any_segment_starts_with "$CMD" 'git[[:space:]]+commit.*--no-verify'; then
 fi
 
 # H10: HUSKY=0 bypass — suppresses all git hooks without --no-verify
-if any_segment_matches "$CMD" '(^|[[:space:];]|&&|\|\|)HUSKY=0[[:space:]]+git[[:space:]]+(commit|push|tag)'; then
+if any_segment_raw_matches "$CMD" '^HUSKY=0[[:space:]]+git[[:space:]]+(commit|push|tag)'; then
   add_high \
     "HUSKY=0 — bypasses all husky git hooks" \
     "Setting HUSKY=0 disables pre-commit, commit-msg, and pre-push safety gates without --no-verify." \
@@ -245,8 +243,15 @@ if any_segment_starts_with "$CMD" "rm[[:space:]]+-[a-zA-Z]*r[a-zA-Z]*f[[:space:]
     "Alt: Move to a temp location first, or use 'rm -ri' for interactive deletion."
 fi
 
-# H12: curl/wget piped directly to shell (supply chain attack vector)
-if any_segment_matches "$CMD" '(curl|wget)[^|]*\|[[:space:]]*(bash|sh|zsh|fish)'; then
+# H12: curl/wget piped directly to shell (supply chain attack vector).
+# 0.16.1 helix-016 P1 fix: this check requires BOTH the curl/wget call
+# AND the `| sh` to appear in the same shell pipeline. The 0.16.0
+# refactor moved this into `any_segment_matches`, but the segmenter
+# splits on `|` first — so `curl https://x | sh` decomposed into two
+# segments (`curl https://x`, `sh`) and the regex (which requires both
+# in one segment) never matched. Pipe-RCE is fundamentally a
+# multi-segment property and must be checked against the raw command.
+if printf '%s' "$CMD" | grep -qiE '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(bash|sh|zsh|fish)'; then
   add_high \
     "curl/wget piped to shell — remote code execution" \
     "Executing remote scripts without inspection is a major supply chain risk." \
@@ -270,7 +275,7 @@ if any_segment_starts_with "$CMD" 'git[[:space:]]+-c[[:space:]]+core\.hookspath'
 fi
 
 # H15: REA_BYPASS env var — attempted escape hatch
-if any_segment_matches "$CMD" '(^|[[:space:];]|&&|\|\|)REA_BYPASS[[:space:]]*='; then
+if any_segment_raw_matches "$CMD" '^REA_BYPASS[[:space:]]*='; then
   add_high \
     "REA_BYPASS env var — unauthorized bypass attempt" \
     "Setting REA_BYPASS is not a supported escape mechanism and indicates a bypass attempt." \
@@ -278,55 +283,41 @@ if any_segment_matches "$CMD" '(^|[[:space:];]|&&|\|\|)REA_BYPASS[[:space:]]*=';
 fi
 
 # H16: alias/function definitions containing bypass strings
-if any_segment_matches "$CMD" '(alias|function)[[:space:]]+[a-zA-Z_]+.*(--(no-verify|force)|HUSKY=0|core\.hookspath)'; then
+if any_segment_raw_matches "$CMD" '^(alias|function)[[:space:]]+[a-zA-Z_]+.*(--(no-verify|force)|HUSKY=0|core\.hookspath)'; then
   add_high \
     "Alias/function definition with bypass — circumventing safety gates" \
     "Defining aliases or functions that embed bypass flags defeats safety hooks." \
     "Alt: Do not wrap bypass patterns in aliases or functions."
 fi
 
-# H17: context_protection — block commands that should be delegated to subagents
+# H17: context_protection — block commands that should be delegated to subagents.
 # Reads context_protection.delegate_to_subagent from .rea/policy.yaml.
 # These commands produce excessive output that exhausts coordinator context windows.
-POLICY_FILE="${REA_ROOT}/.rea/policy.yaml"
-if [[ -f "$POLICY_FILE" ]]; then
-  DELEGATE_PATTERNS=()
-  IN_DELEGATE_BLOCK=0
-  while IFS= read -r line; do
-    if printf '%s' "$line" | grep -qE '^[[:space:]]*delegate_to_subagent:'; then
-      # Check for inline empty array
-      if printf '%s' "$line" | grep -qE 'delegate_to_subagent:[[:space:]]*\[\]'; then
-        break
-      fi
-      IN_DELEGATE_BLOCK=1
-      continue
-    fi
-    if [[ $IN_DELEGATE_BLOCK -eq 1 ]]; then
-      # Block sequence items start with "  - "
-      if printf '%s' "$line" | grep -qE '^[[:space:]]*-[[:space:]]'; then
-        pattern=$(printf '%s' "$line" | sed "s/^[[:space:]]*-[[:space:]]*//; s/^[\"']//; s/[\"']$//")
-        if [[ -n "$pattern" ]]; then
-          DELEGATE_PATTERNS+=("$pattern")
-        fi
-      else
-        # Non-continuation line = end of block
-        break
-      fi
-    fi
-  done < "$POLICY_FILE"
-
-  for pattern in "${DELEGATE_PATTERNS[@]+"${DELEGATE_PATTERNS[@]}"}"; do
-    # Use fixed-string match — these are command prefixes, not regex
-    if printf '%s' "$CMD" | grep -qF "$pattern"; then
-      add_high \
-        "Context protection — command must run in a subagent" \
-        "This command produces excessive output that will exhaust the coordinator context window. Delegate it to a subagent instead of running it directly." \
-        "Alt: Use the Agent tool to delegate: Agent(subagent_type: 'qa-engineer-automation', prompt: 'Run $pattern and report pass/fail summary only.')" \
-        "Alt: The context_protection policy in .rea/policy.yaml lists commands that must be delegated."
-      break
-    fi
-  done
-fi
+#
+# 0.16.0 fix J.2: replaced the inline YAML parser (40+ lines reimplementing
+# block-sequence walking) with `policy_list` from `_lib/policy-read.sh`.
+# Same parser shape as every other rea hook now reads policy via the shared
+# helper; drift between hooks is structurally impossible.
+# shellcheck source=_lib/policy-read.sh
+source "$(dirname "$0")/_lib/policy-read.sh"
+
+DELEGATE_PATTERNS=()
+while IFS= read -r pattern; do
+  [[ -z "$pattern" ]] && continue
+  DELEGATE_PATTERNS+=("$pattern")
+done < <(policy_list "delegate_to_subagent")
+
+for pattern in "${DELEGATE_PATTERNS[@]+"${DELEGATE_PATTERNS[@]}"}"; do
+  # Use fixed-string match — these are command prefixes, not regex.
+  if printf '%s' "$CMD" | grep -qF "$pattern"; then
+    add_high \
+      "Context protection — command must run in a subagent" \
+      "This command produces excessive output that will exhaust the coordinator context window. Delegate it to a subagent instead of running it directly." \
+      "Alt: Use the Agent tool to delegate: Agent(subagent_type: 'qa-engineer-automation', prompt: 'Run $pattern and report pass/fail summary only.')" \
+      "Alt: The context_protection policy in .rea/policy.yaml lists commands that must be delegated."
+    break
+  fi
+done
 
 # ── 10. MEDIUM severity checks ────────────────────────────────────────────────
 

package/hooks/dependency-audit-gate.sh

@@ -21,13 +21,11 @@ if ! command -v jq >/dev/null 2>&1; then
 fi
 
 # ── 3. HALT check ────────────────────────────────────────────────────────────
-REA_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
-HALT_FILE="${REA_ROOT}/.rea/HALT"
-if [ -f "$HALT_FILE" ]; then
-  printf 'REA HALT: %s\nAll agent operations suspended. Run: rea unfreeze\n' \
-    "$(head -c 1024 "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
-  exit 2
-fi
+# 0.16.0: HALT check sourced from shared _lib/halt-check.sh.
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
+check_halt
+REA_ROOT=$(rea_root)
 
 # ── 4. Parse command ──────────────────────────────────────────────────────────
 CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
@@ -75,15 +73,35 @@ extract_packages() {
     # Anchor to start: only match when the install command is the FIRST
     # thing on the segment, optionally preceded by `sudo` / `exec` /
     # `time` / etc.
-    if printf '%s' "$segment" | grep -qiE '^(sudo[[:space:]]+|exec[[:space:]]+|time[[:space:]]+)*(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]+'; then
+    #
+    # 0.16.1 helix-016 P2 fix: also strip leading KEY=VALUE env-var
+    # assignments. Pre-fix the prefix allow-list only permitted
+    # sudo/exec/time, so `CI=1 pnpm add foo` and
+    # `NODE_ENV=development npm install bar` bypassed the audit
+    # entirely. POSIX shell allows any number of leading KEY=VALUE
+    # assignments before the command word; we strip them the same
+    # way the shell does.
+    local stripped_segment
+    stripped_segment=$(printf '%s' "$segment" | sed -E 's/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*=[^[:space:]]+[[:space:]]+)+//')
+
+    if printf '%s' "$stripped_segment" | grep -qiE '^(sudo[[:space:]]+|exec[[:space:]]+|time[[:space:]]+)*(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]+'; then
       # Strip the leading prefix wrappers + install command, leaving args.
       local after_cmd
-      after_cmd=$(printf '%s' "$segment" | sed -E 's/^(sudo[[:space:]]+|exec[[:space:]]+|time[[:space:]]+)*(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]+//')
+      after_cmd=$(printf '%s' "$stripped_segment" | sed -E 's/^(sudo[[:space:]]+|exec[[:space:]]+|time[[:space:]]+)*(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]+//')
 
       for token in $after_cmd; do
         if [[ "$token" == -* ]]; then continue; fi
         if [[ "$token" == ./* || "$token" == /* || "$token" == ../* ]]; then continue; fi
         if [[ -z "$token" ]]; then continue; fi
+        # 0.16.1: tighten token classification (helix-016 sibling concern).
+        # A "package name" is something that doesn't contain shell
+        # metacharacters — `2>&1`, `$VAR`, etc. are never valid npm
+        # package names. Skip any token containing `=`, `>`, `<`, `&`,
+        # `|`, `;`, `$`, backtick, or quotes.
+        if [[ "$token" == *=* || "$token" == *">"* || "$token" == *"<"* ||
+              "$token" == *"&"* || "$token" == *"|"* || "$token" == *";"* ||
+              "$token" == *'$'* || "$token" == *'`'* ||
+              "$token" == *'"'* || "$token" == *"'"* ]]; then continue; fi
         # `npm view` can't validate `@workspace:*` / `link:` / `file:`
         # prefixes (workspace protocols). Skip them — they're never npm
         # registry packages.

package/hooks/env-file-protection.sh

@@ -33,13 +33,11 @@ if ! command -v jq >/dev/null 2>&1; then
 fi
 
 # ── HALT check ────────────────────────────────────────────────────────────────
-REA_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
-HALT_FILE="${REA_ROOT}/.rea/HALT"
-if [ -f "$HALT_FILE" ]; then
-  printf 'REA HALT: %s\nAll agent operations suspended. Run: rea unfreeze\n' \
-    "$(head -c 1024 "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
-  exit 2
-fi
+# 0.16.0: HALT check sourced from shared _lib/halt-check.sh.
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
+check_halt
+REA_ROOT=$(rea_root)
 
 CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
 

package/hooks/protected-paths-bash-gate.sh

@@ -52,19 +52,71 @@ if [[ -z "$CMD" ]]; then
   exit 0
 fi
 
-# Normalize a path token: strip enclosing quotes, strip leading
-# `$REA_ROOT/`, strip leading `./`. The result is project-relative
-# for matching against REA_PROTECTED_PATTERNS.
+# Normalize a path token. 0.16.0 codex P1 fixes (helix Findings 015):
+#   - resolve `..` segments via realpath when the path exists, OR reject
+#     them outright when it doesn't (`.claude/hooks/../settings.json`
+#     writes to `.claude/settings.json` but the literal-string match
+#     missed it pre-fix)
+#   - lowercase the result so case-insensitive matchers (macOS APFS,
+#     `.ClAuDe/settings.json`) still match the canonical lowercase
+#     pattern (`.claude/settings.json`)
+#   - apply shared `_lib/path-normalize.sh::normalize_path` for backslash
+#     translation + URL decode + leading-`./` strip
+# shellcheck source=_lib/path-normalize.sh
+source "$(dirname "$0")/_lib/path-normalize.sh"
+
 _normalize_target() {
   local t="$1"
   # Strip matching surrounding quotes.
   if [[ "$t" =~ ^\"(.*)\"$ ]]; then t="${BASH_REMATCH[1]}"; fi
   if [[ "$t" =~ ^\'(.*)\'$ ]]; then t="${BASH_REMATCH[1]}"; fi
-  # Strip $REA_ROOT prefix (with or without trailing slash).
-  if [[ "$t" == "$REA_ROOT"/* ]]; then t="${t#"$REA_ROOT"/}"; fi
-  # Strip leading ./
-  while [[ "$t" == ./* ]]; do t="${t#./}"; done
-  printf '%s' "$t"
+  # If the path contains `..` segments, resolve them aggressively. We
+  # cannot rely on `realpath` being installed; do a manual resolution
+  # by walking segments. This is the helix-015 P1 fix: pre-fix, the
+  # literal `.claude/hooks/../settings.json` did not match the
+  # `.claude/settings.json` pattern even though the OS would resolve
+  # the write to that target.
+  case "/$t/" in
+    */../*)
+      # Build absolute then walk and normalize segments.
+      # 0.16.0 codex P1-1 fix: use `read -ra` with IFS=/ instead of an
+      # unquoted `for part in $abs` loop. The unquoted `for` was subject
+      # to pathname expansion — `.claude/*/../settings.json` would glob
+      # `*` against the agent's CWD, mangling the resolved path and
+      # bypassing the protected-paths matcher. `read -ra` with an
+      # explicit delimiter disables both word-splitting (via IFS) AND
+      # pathname expansion (read does not glob).
+      local abs="$t"
+      [[ "$abs" != /* ]] && abs="$REA_ROOT/$abs"
+      local -a raw_parts parts=()
+      IFS='/' read -ra raw_parts <<<"$abs"
+      for part in "${raw_parts[@]}"; do
+        case "$part" in
+          ''|.) continue ;;
+          ..) [[ "${#parts[@]}" -gt 0 ]] && unset 'parts[${#parts[@]}-1]' ;;
+          *) parts+=("$part") ;;
+        esac
+      done
+      t="/$(IFS=/; printf '%s' "${parts[*]}")"
+      # 0.16.0 codex P2-3 fix: if the resolved absolute path escapes
+      # REA_ROOT, emit a sentinel so the caller refuses outright.
+      # `exit 2` here would only exit the `$()` subshell, not the parent
+      # hook process — sentinel + caller-side handling is the only
+      # cross-shell-portable way.
+      if [[ "$t" != "$REA_ROOT" && "$t" != "$REA_ROOT"/* ]]; then
+        printf '__rea_outside_root__:%s' "$t"
+        return 0
+      fi
+      ;;
+  esac
+  # Hand off to shared normalize_path (strips $REA_ROOT, URL-decodes,
+  # translates `\` → `/`, strips leading `./`).
+  t=$(normalize_path "$t")
+  # Lowercase for case-insensitive matching (helix-015 P1 fix #2 —
+  # macOS APFS allows `.ClAuDe/settings.json` to land on the same
+  # file as `.claude/settings.json`, so the matcher must compare
+  # lowercased forms).
+  printf '%s' "$t" | tr '[:upper:]' '[:lower:]'
 }
 
 # Refuse and exit 2 with a uniform error message.
@@ -96,7 +148,15 @@ _check_segment() {
   # bash `[[ =~ ]]` regex literals with `|` and `(...)` parsed inline
   # confuse some bash versions on macOS. Use named variables for each
   # pattern so the literal stays in a string context only.
-  local re_redirect='(^|[[:space:]])(&>|2>>|2>|>>|>)[[:space:]]*([^[:space:]&|;<>]+)'
+  # 0.16.0 codex P1 fix (helix-015 #3): widened redirect regex. Pre-fix
+  # only matched `>`, `>>`, `2>`, `2>>`, `&>`. Missed:
+  #   - `1>` / `1>>` (explicit stdout fd)
+  #   - `>|` (noclobber-override redirect)
+  #   - `[0-9]+>` / `[0-9]+>>` (any fd prefix — `9>file`, `42>>file`)
+  # All of these write to the target and bypassed the gate. The new
+  # pattern accepts: optional fd-prefix, then `>` or `>>` or `>|`, with
+  # optional `&` for stderr-merge variants.
+  local re_redirect='(^|[[:space:]])(&>>|&>|[0-9]+>>|[0-9]+>\||[0-9]+>|>>|>\||>)[[:space:]]*([^[:space:]&|;<>]+)'
   local re_cpmv='(^|[[:space:]])(cp|mv)[[:space:]]+[^&|;<>]+[[:space:]]([^[:space:]&|;<>]+)[[:space:]]*$'
   local re_sed='(^|[[:space:]])sed[[:space:]]+(-[a-zA-Z]*i[a-zA-Z]*[^[:space:]]*)[[:space:]]+[^&|;<>]+[[:space:]]([^[:space:]&|;<>]+)[[:space:]]*$'
   local re_dd='(^|[[:space:]])dd[[:space:]]+[^&|;<>]*of=([^[:space:]&|;<>]+)'
@@ -175,11 +235,22 @@ _check_segment() {
           # walking — there may be more positional args.
           local _t
           _t=$(_normalize_target "$target_token")
+          # 0.16.0 codex P2-3: outside-REA_ROOT sentinel handling.
+          if [[ "$_t" == __rea_outside_root__:* ]]; then
+            local resolved="${_t#__rea_outside_root__:}"
+            {
+              printf 'PROTECTED PATH (bash): path traversal escapes project root\n'
+              printf '  Logical: %s\n  Resolved: %s\n' "$target_token" "$resolved"
+            } >&2
+            exit 2
+          fi
           if rea_path_is_protected "$_t"; then
             local matched=""
+            local pattern_lc
             for pattern in "${REA_PROTECTED_PATTERNS[@]}"; do
-              if [[ "$_t" == "$pattern" ]]; then matched="$pattern"; break; fi
-              if [[ "$pattern" == */ && "$_t" == "$pattern"* ]]; then matched="$pattern"; break; fi
+              pattern_lc=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
+              if [[ "$_t" == "$pattern_lc" ]]; then matched="$pattern"; break; fi
+              if [[ "$pattern_lc" == */ && "$_t" == "$pattern_lc"* ]]; then matched="$pattern"; break; fi
             done
             _refuse "$matched" "$_t" "$segment"
           fi
@@ -196,12 +267,31 @@ _check_segment() {
 
   local target
   target=$(_normalize_target "$target_token")
+  # 0.16.0 codex P2-3 fix: outside-REA_ROOT sentinel from _normalize_target.
+  if [[ "$target" == __rea_outside_root__:* ]]; then
+    local resolved="${target#__rea_outside_root__:}"
+    {
+      printf 'PROTECTED PATH (bash): path traversal escapes project root\n'
+      printf '\n'
+      printf '  Logical:  %s\n' "$target_token"
+      printf '  Resolved: %s\n' "$resolved"
+      printf '  Segment:  %s\n' "$segment"
+      printf '\n'
+      printf '  Rule: bash redirects whose target resolves outside REA_ROOT\n'
+      printf '        are refused. Use a project-relative path without `..`\n'
+      printf '        segments.\n'
+    } >&2
+    exit 2
+  fi
   if rea_path_is_protected "$target"; then
-    # Find the matching pattern for the error message.
-    local matched=""
+    # Find the matching pattern for the error message. Both `target`
+    # and `pattern` lowercased to match `_normalize_target`'s case-
+    # insensitive output (helix-015 P1 fix).
+    local matched="" pattern_lc
     for pattern in "${REA_PROTECTED_PATTERNS[@]}"; do
-      if [[ "$target" == "$pattern" ]]; then matched="$pattern"; break; fi
-      if [[ "$pattern" == */ && "$target" == "$pattern"* ]]; then matched="$pattern"; break; fi
+      pattern_lc=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
+      if [[ "$target" == "$pattern_lc" ]]; then matched="$pattern"; break; fi
+      if [[ "$pattern_lc" == */ && "$target" == "$pattern_lc"* ]]; then matched="$pattern"; break; fi
     done
     _refuse "$matched" "$target" "$segment"
   fi

package/hooks/secret-scanner.sh

@@ -29,53 +29,24 @@ if ! command -v jq >/dev/null 2>&1; then
 fi
 
 # ── HALT check ────────────────────────────────────────────────────────────────
-REA_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
-HALT_FILE="${REA_ROOT}/.rea/HALT"
-if [ -f "$HALT_FILE" ]; then
-  printf 'REA HALT: %s\nAll agent operations suspended. Run: rea unfreeze\n' \
-    "$(head -c 1024 "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
-  exit 2
-fi
-
-FILE_PATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
-CONTENT_WRITE=$(printf '%s' "$INPUT" | jq -r '.tool_input.content // empty' 2>/dev/null)
-CONTENT_EDIT=$(printf '%s' "$INPUT"  | jq -r '.tool_input.new_string // empty' 2>/dev/null)
-# MultiEdit (0.14.0 fix): the payload is at tool_input.edits[].new_string —
-# an array, not a scalar — and the prior versions of this hook never read
-# it. Result: any agent could route credential writes through MultiEdit and
-# bypass the secret scanner entirely. We extract every `new_string` value
-# from the edits array and concatenate them with newlines so the awk-based
-# pattern scan below treats them like any other write content.
-#
-# Defensive coercion (codex round-1 P1): a malformed payload where
-# `new_string` is a number, object, or array would make jq error out, the
-# `2>/dev/null` would swallow stderr, `CONTENT_MULTIEDIT` would be empty,
-# and the precedence chain below would fall through to `exit 0` —
-# silently allowing the write. Same fail-open mode for a non-array
-# `edits` value. We:
-#
-#   1. Coerce `.tool_input.edits` to `[]` if it's anything other than an
-#      array (`if type=="array" then . else [] end`)
-#   2. Coerce every `new_string` to a string via `tostring` so jq cannot
-#      fail on heterogeneous types
-#
-# Both layers fail closed: a malformed payload either yields the empty
-# string (no scan needed, exit 0 from the precedence chain) or yields a
-# pattern-scannable string. There is no path where jq errors silently and
-# the hook falls through to allow.
-CONTENT_MULTIEDIT=$(printf '%s' "$INPUT" | jq -r '
-  (.tool_input.edits // [] | if type=="array" then . else [] end)
-  | map((.new_string // "") | tostring)
-  | join("\n")
-' 2>/dev/null)
-
-if [[ -n "$CONTENT_WRITE" ]]; then
-  CONTENT="$CONTENT_WRITE"
-elif [[ -n "$CONTENT_EDIT" ]]; then
-  CONTENT="$CONTENT_EDIT"
-elif [[ -n "$CONTENT_MULTIEDIT" ]]; then
-  CONTENT="$CONTENT_MULTIEDIT"
-else
+# 0.16.0: HALT check sourced from shared _lib/halt-check.sh.
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
+check_halt
+REA_ROOT=$(rea_root)
+
+# 0.16.0: payload extraction moved to `_lib/payload-read.sh`. The shared
+# helpers handle Write content / Edit new_string / MultiEdit edits[] /
+# NotebookEdit new_source with the same defensive type-guards. Adding
+# the next write-tier tool is a one-line edit there, not a sweep
+# across N hooks.
+# shellcheck source=_lib/payload-read.sh
+source "$(dirname "$0")/_lib/payload-read.sh"
+
+FILE_PATH=$(extract_file_path "$INPUT")
+CONTENT=$(extract_write_content "$INPUT")
+
+if [[ -z "$CONTENT" ]]; then
   exit 0
 fi
 

package/hooks/settings-protection.sh

@@ -33,13 +33,11 @@ if ! command -v jq >/dev/null 2>&1; then
 fi
 
 # ── 3. HALT check ────────────────────────────────────────────────────────────
-REA_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
-HALT_FILE="${REA_ROOT}/.rea/HALT"
-if [ -f "$HALT_FILE" ]; then
-  printf 'REA HALT: %s\nAll agent operations suspended. Run: rea unfreeze\n' \
-    "$(head -c 1024 "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
-  exit 2
-fi
+# 0.16.0: HALT check sourced from shared _lib/halt-check.sh.
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
+check_halt
+REA_ROOT=$(rea_root)
 
 # ── 4. Extract file path from payload ─────────────────────────────────────────
 FILE_PATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
@@ -335,6 +333,63 @@ if match_protected_ci; then
   exit 2
 fi
 
+# ── 6c. Intermediate-symlink resolution (0.16.0 fix H.1) ──────────────────────
+# Helix Finding 2 reborn against the hard-protected list. The §5b
+# extension-surface fix (0.13.2) resolved parent realpath for the
+# `.husky/{commit-msg,pre-push}.d/*` allowlist; §6 was never given the
+# same protection. Attack:
+#
+#   mkdir innocuous_path
+#   ln -s ../.husky innocuous_path/maybe   # symlink resolves to .husky/
+#   write innocuous_path/maybe/pre-push    # writes through to .husky/pre-push
+#
+# §5a (`..` traversal) doesn't catch — the path string has no `..`.
+# §6 PROTECTED_PATTERNS sees `innocuous_path/maybe/pre-push` — doesn't
+# match `.husky/` prefix. The write succeeds and the package-managed
+# pre-push body is overwritten.
+#
+# Fix: when the parent directory of the target exists, resolve its
+# realpath via cd -P && pwd -P (same shape as §5b) and check whether
+# the resolved path falls inside any protected directory. Only resolve
+# when the parent already exists — a write that creates the parent has
+# nothing to follow.
+if [[ -e "$FILE_PATH" || -d "$(dirname -- "$FILE_PATH")" ]]; then
+  parent_dir=$(dirname -- "$FILE_PATH")
+  if [[ -d "$parent_dir" ]]; then
+    resolved_parent=$(cd -P -- "$parent_dir" 2>/dev/null && pwd -P 2>/dev/null) || resolved_parent=""
+    if [[ -n "$resolved_parent" ]]; then
+      # If the resolved parent is inside REA_ROOT, compute the project-
+      # relative path and test it against the protected patterns.
+      if [[ "$resolved_parent" == "$REA_ROOT"/* ]]; then
+        relative_resolved="${resolved_parent#"$REA_ROOT"/}"
+        # Walk every PROTECTED_PATTERN that's a directory prefix and
+        # check whether the resolved parent falls inside it. Direct
+        # filename matches against PROTECTED_PATTERNS for the resolved
+        # final path (parent + basename).
+        resolved_target="${relative_resolved}/$(basename -- "$FILE_PATH")"
+        resolved_target_lc=$(printf '%s' "$resolved_target" | tr '[:upper:]' '[:lower:]')
+        for pattern in "${PROTECTED_PATTERNS[@]}"; do
+          pattern_lc=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
+          if [[ "$resolved_target_lc" == "$pattern_lc" ]] || \
+             { [[ "$pattern_lc" == */ ]] && [[ "$resolved_target_lc" == "$pattern_lc"* ]]; }; then
+            {
+              printf 'SETTINGS PROTECTION: intermediate-symlink resolution blocked\n'
+              printf '\n'
+              printf '  Logical:  %s\n' "$SAFE_FILE_PATH"
+              printf '  Resolved: %s\n' "$resolved_target"
+              printf '  Matched:  %s\n' "$pattern"
+              printf '  Rule: an intermediate directory of the target path is a\n'
+              printf '        symlink whose target falls inside a hard-protected\n'
+              printf '        path. Refused to prevent symlinked-parent bypass.\n'
+            } >&2
+            exit 2
+          fi
+        done
+      fi
+    fi
+  fi
+fi
+
 # ── 6b. Hook-patch session (Defect I / rea#76) ───────────────────────────────
 # When REA_HOOK_PATCH_SESSION is set to a non-empty reason, allow edits under
 # .claude/hooks/ and hooks/ for this session. The session boundary IS the

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.15.0",
+  "version": "0.16.1",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",