@bookedsolid/rea 0.16.0 → 0.16.2

package/.husky/commit-msg

@@ -99,9 +99,15 @@ if grep -qiE '^\s*(Generated|Created|Built|Powered|Authored|Written|Produced)\s+
 fi
 
 # Pattern 4: Markdown-linked attribution
-if grep -qiE '\[Claude Code\]|\[GitHub Copilot\]|\[ChatGPT\]|\[Gemini\]|\[Cursor\]' "$COMMIT_MSG_FILE" 2>/dev/null; then
+# 0.16.2 helix-017 P3 #4: anchor on the markdown link shape `[Text](url)`
+# rather than bare `[Text]`. Pre-fix the regex matched ANY bracketed
+# mention — `feat: support [Claude Code] hook output format` would block
+# a perfectly legitimate commit. The markdown-link form requires the `(`
+# immediately after the closing bracket, which is the actual structural
+# attribution we want to catch.
+if grep -qiE '\[Claude Code\]\(|\[GitHub Copilot\]\(|\[ChatGPT\]\(|\[Gemini\]\(|\[Cursor\]\(' "$COMMIT_MSG_FILE" 2>/dev/null; then
   BLOCKED=1
-  MATCHES="${MATCHES}$(grep -niE '\[Claude Code\]|\[GitHub Copilot\]|\[ChatGPT\]|\[Gemini\]|\[Cursor\]' "$COMMIT_MSG_FILE" 2>/dev/null)
+  MATCHES="${MATCHES}$(grep -niE '\[Claude Code\]\(|\[GitHub Copilot\]\(|\[ChatGPT\]\(|\[Gemini\]\(|\[Cursor\]\(' "$COMMIT_MSG_FILE" 2>/dev/null)
 "
 fi
 

package/agents/codex-adversarial.md

@@ -33,6 +33,8 @@ You may read additional files in the repo if needed for context, but do so read-
 2. **Validate Codex availability** — if `/codex` is not installed, report and stop. Do not silently fall back to another reviewer.
 3. **Prepare the Codex invocation** — construct the adversarial-review prompt with the diff, commit log, and any relevant context files.
 4. **Invoke `/codex:adversarial-review`** — this call flows through the REA middleware chain (audit → kill-switch → tier → policy → redact → injection → execute → result-size-cap).
+
+   **Model pinning (0.16.1+):** when the codex plugin's adversarial-review supports model overrides, request `gpt-5.4` with `model_reasoning_effort: high` to match the push-gate's iron-gate defaults. Pre-0.16.1, in-session adversarial reviews ran on whatever the plugin defaulted to (likely `codex-auto-review` at medium reasoning) — meaningfully WEAKER than the push-gate's `gpt-5.4` + `high`. This caused a "in-session review passes, push-gate review fails" pattern reported by helix across 014 / 015 / 016. If the plugin call accepts model parameters, pass them. If it does not, fall back to invoking `codex exec review --base <ref> --json --ephemeral -c model="gpt-5.4" -c model_reasoning_effort="high"` directly via `Bash` — same shape the push-gate uses (see `src/hooks/push-gate/codex-runner.ts::runCodexReview`). The cost of the stronger model is small relative to the cost of shipping a release with a P1 bypass that gets caught at consumer push time.
 5. **Parse the Codex output** — extract structured findings.
 6. **Classify findings** by category: security, correctness, edge cases, test gaps, API design, performance.
 7. **Assign verdict**: `pass` (no material findings), `concerns` (findings worth addressing but not blocking), `blocking` (findings that must be fixed before merge).

package/hooks/_lib/cmd-segments.sh

@@ -71,9 +71,17 @@ _rea_split_segments() {
   # under any encoding we care about (any agent that intentionally
   # included this string would already be obviously trying to confuse
   # the splitter — and even then, the worst case is fail-closed).
+  # 0.16.1 helix-016 P1 fix: also split on single `&` (background-process
+  # operator). Pre-fix the splitter only broke on `&&|||;|`; a command like
+  # `sleep 1 & git push --force` was treated as ONE segment whose first
+  # token is `sleep`, and `any_segment_starts_with($CMD, 'git push')`
+  # missed the force-push entirely. Add `&` to the separator set, but
+  # AFTER `&&` is already swapped out so we don't break it apart.
   printf '%s\n' "$cmd" \
     | sed -E 's/>\|/__REA_GTPIPE_a8f2c1__/g' \
-    | sed -E 's/(\|\||&&|;|\|)/\n/g' \
+    | sed -E 's/&&/__REA_LOGAND_a8f2c1__/g' \
+    | sed -E 's/(\|\||;|\||&)/\n/g' \
+    | sed -E 's/__REA_LOGAND_a8f2c1__/\n/g' \
     | sed -E 's/__REA_GTPIPE_a8f2c1__/>|/g'
 }
 
@@ -151,6 +159,58 @@ any_segment_matches() {
   return 1
 }
 
+# Return 0 if any segment of $1 (RAW — no prefix-stripping) matches the
+# extended regex $2. Use this for checks where the prefix itself IS the
+# signal — e.g. H10's `HUSKY=0 git commit` detection (the prefix-stripper
+# would strip the `HUSKY=0` before any_segment_matches sees it). Also
+# right for H15 (`REA_BYPASS=...`) and H16 (alias/function defs).
+#
+# 0.16.1 helix-016 sibling fix: H10 baseline corpus regressed from
+# 0.15.0 because it migrated to `any_segment_matches` which strips
+# env-var prefixes. The check needs the raw segment to fire.
+any_segment_raw_matches() {
+  local cmd="$1"
+  local pattern="$2"
+  local segment
+  while IFS= read -r segment; do
+    # Trim leading whitespace for clean anchor matching, but otherwise
+    # leave the segment intact (env-var assignments preserved).
+    segment="${segment#"${segment%%[![:space:]]*}"}"
+    if printf '%s' "$segment" | grep -qiE "$pattern"; then
+      return 0
+    fi
+  done < <(_rea_split_segments "$cmd")
+  return 1
+}
+
+# Return 0 if any single segment of $1 (after prefix-stripping) matches
+# BOTH extended regex $2 AND extended regex $3. Case-insensitive. Returns
+# 1 if no single segment matches both patterns.
+#
+# Use this when two patterns must co-occur within the SAME shell command
+# segment to constitute a detection — e.g. env-file-protection's
+# "utility + .env-filename" rule. Pre-fix env-file-protection used two
+# independent `any_segment_matches` calls and OR-combined the booleans,
+# which mis-fires across multi-segment constructions like
+# `echo "log: cat is broken" ; touch foo.env` (utility in segment 1,
+# .env name in segment 2 — both flags set, false-positive block).
+#
+# 0.16.2 helix-017 P2 #2 fix.
+any_segment_matches_both() {
+  local cmd="$1"
+  local pattern_a="$2"
+  local pattern_b="$3"
+  local segment stripped
+  while IFS= read -r segment; do
+    stripped=$(_rea_strip_prefix "$segment")
+    if printf '%s' "$stripped" | grep -qiE "$pattern_a" \
+       && printf '%s' "$stripped" | grep -qiE "$pattern_b"; then
+      return 0
+    fi
+  done < <(_rea_split_segments "$cmd")
+  return 1
+}
+
 # Return 0 if any segment of $1 (after prefix-stripping) STARTS WITH
 # the extended regex $2. Case-insensitive. Returns 1 if no segment
 # starts with the pattern.

package/hooks/attribution-advisory.sh

@@ -92,7 +92,11 @@ if any_segment_matches "$CMD" '(Generated|Created|Built|Powered|Authored|Written
 fi
 
 # Markdown-linked attribution
-if any_segment_matches "$CMD" '\[Claude Code\]|\[GitHub Copilot\]|\[ChatGPT\]|\[Gemini\]|\[Cursor\]'; then
+# 0.16.2 helix-017 P3 #4: anchor on `[Text](` (markdown link shape) so
+# legitimate bracketed mentions like `gh pr edit --body "support [Claude
+# Code] hook output"` don't false-positive. The actual attribution we
+# care about is structural — `Generated with [Claude Code](https://...)`.
+if any_segment_matches "$CMD" '\[Claude Code\]\(|\[GitHub Copilot\]\(|\[ChatGPT\]\(|\[Gemini\]\(|\[Cursor\]\('; then
   FOUND=1
 fi
 

package/hooks/dangerous-bash-interceptor.sh

@@ -216,7 +216,7 @@ if any_segment_starts_with "$CMD" 'git[[:space:]]+commit.*--no-verify'; then
 fi
 
 # H10: HUSKY=0 bypass — suppresses all git hooks without --no-verify
-if any_segment_matches "$CMD" '(^|[[:space:];]|&&|\|\|)HUSKY=0[[:space:]]+git[[:space:]]+(commit|push|tag)'; then
+if any_segment_raw_matches "$CMD" '^HUSKY=0[[:space:]]+git[[:space:]]+(commit|push|tag)'; then
   add_high \
     "HUSKY=0 — bypasses all husky git hooks" \
     "Setting HUSKY=0 disables pre-commit, commit-msg, and pre-push safety gates without --no-verify." \
@@ -243,8 +243,15 @@ if any_segment_starts_with "$CMD" "rm[[:space:]]+-[a-zA-Z]*r[a-zA-Z]*f[[:space:]
     "Alt: Move to a temp location first, or use 'rm -ri' for interactive deletion."
 fi
 
-# H12: curl/wget piped directly to shell (supply chain attack vector)
-if any_segment_matches "$CMD" '(curl|wget)[^|]*\|[[:space:]]*(bash|sh|zsh|fish)'; then
+# H12: curl/wget piped directly to shell (supply chain attack vector).
+# 0.16.1 helix-016 P1 fix: this check requires BOTH the curl/wget call
+# AND the `| sh` to appear in the same shell pipeline. The 0.16.0
+# refactor moved this into `any_segment_matches`, but the segmenter
+# splits on `|` first — so `curl https://x | sh` decomposed into two
+# segments (`curl https://x`, `sh`) and the regex (which requires both
+# in one segment) never matched. Pipe-RCE is fundamentally a
+# multi-segment property and must be checked against the raw command.
+if printf '%s' "$CMD" | grep -qiE '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(bash|sh|zsh|fish)'; then
   add_high \
     "curl/wget piped to shell — remote code execution" \
     "Executing remote scripts without inspection is a major supply chain risk." \
@@ -268,7 +275,7 @@ if any_segment_starts_with "$CMD" 'git[[:space:]]+-c[[:space:]]+core\.hookspath'
 fi
 
 # H15: REA_BYPASS env var — attempted escape hatch
-if any_segment_matches "$CMD" '(^|[[:space:];]|&&|\|\|)REA_BYPASS[[:space:]]*='; then
+if any_segment_raw_matches "$CMD" '^REA_BYPASS[[:space:]]*='; then
   add_high \
     "REA_BYPASS env var — unauthorized bypass attempt" \
     "Setting REA_BYPASS is not a supported escape mechanism and indicates a bypass attempt." \
@@ -276,7 +283,7 @@ if any_segment_matches "$CMD" '(^|[[:space:];]|&&|\|\|)REA_BYPASS[[:space:]]*=';
 fi
 
 # H16: alias/function definitions containing bypass strings
-if any_segment_matches "$CMD" '(alias|function)[[:space:]]+[a-zA-Z_]+.*(--(no-verify|force)|HUSKY=0|core\.hookspath)'; then
+if any_segment_raw_matches "$CMD" '^(alias|function)[[:space:]]+[a-zA-Z_]+.*(--(no-verify|force)|HUSKY=0|core\.hookspath)'; then
   add_high \
     "Alias/function definition with bypass — circumventing safety gates" \
     "Defining aliases or functions that embed bypass flags defeats safety hooks." \

package/hooks/dependency-audit-gate.sh

@@ -73,15 +73,35 @@ extract_packages() {
     # Anchor to start: only match when the install command is the FIRST
     # thing on the segment, optionally preceded by `sudo` / `exec` /
     # `time` / etc.
-    if printf '%s' "$segment" | grep -qiE '^(sudo[[:space:]]+|exec[[:space:]]+|time[[:space:]]+)*(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]+'; then
+    #
+    # 0.16.1 helix-016 P2 fix: also strip leading KEY=VALUE env-var
+    # assignments. Pre-fix the prefix allow-list only permitted
+    # sudo/exec/time, so `CI=1 pnpm add foo` and
+    # `NODE_ENV=development npm install bar` bypassed the audit
+    # entirely. POSIX shell allows any number of leading KEY=VALUE
+    # assignments before the command word; we strip them the same
+    # way the shell does.
+    local stripped_segment
+    stripped_segment=$(printf '%s' "$segment" | sed -E 's/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*=[^[:space:]]+[[:space:]]+)+//')
+
+    if printf '%s' "$stripped_segment" | grep -qiE '^(sudo[[:space:]]+|exec[[:space:]]+|time[[:space:]]+)*(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]+'; then
       # Strip the leading prefix wrappers + install command, leaving args.
       local after_cmd
-      after_cmd=$(printf '%s' "$segment" | sed -E 's/^(sudo[[:space:]]+|exec[[:space:]]+|time[[:space:]]+)*(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]+//')
+      after_cmd=$(printf '%s' "$stripped_segment" | sed -E 's/^(sudo[[:space:]]+|exec[[:space:]]+|time[[:space:]]+)*(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]+//')
 
       for token in $after_cmd; do
         if [[ "$token" == -* ]]; then continue; fi
         if [[ "$token" == ./* || "$token" == /* || "$token" == ../* ]]; then continue; fi
         if [[ -z "$token" ]]; then continue; fi
+        # 0.16.1: tighten token classification (helix-016 sibling concern).
+        # A "package name" is something that doesn't contain shell
+        # metacharacters — `2>&1`, `$VAR`, etc. are never valid npm
+        # package names. Skip any token containing `=`, `>`, `<`, `&`,
+        # `|`, `;`, `$`, backtick, or quotes.
+        if [[ "$token" == *=* || "$token" == *">"* || "$token" == *"<"* ||
+              "$token" == *"&"* || "$token" == *"|"* || "$token" == *";"* ||
+              "$token" == *'$'* || "$token" == *'`'* ||
+              "$token" == *'"'* || "$token" == *"'"* ]]; then continue; fi
         # `npm view` can't validate `@workspace:*` / `link:` / `file:`
         # prefixes (workspace protocols). Skip them — they're never npm
         # registry packages.

package/hooks/env-file-protection.sh

@@ -71,19 +71,16 @@ PATTERN_CP_ENV='cp[[:space:]]+[^;|&]*\.env'
 # .env* files or .envrc (direnv)
 PATTERN_ENV_FILE='(\.env[a-zA-Z0-9._-]*|\.envrc)([[:space:]]|"|'"'"'|$)'
 
-MATCHES_UTILITY=0
-MATCHES_ENV_FILE=0
-
-# 0.15.0: per-segment match. Pre-fix this greped the FULL command which
-# false-positived on commit messages: `git commit -m "stop reading .env
-# files via cat"` matched both PATTERN_UTILITY (cat) and PATTERN_ENV_FILE
-# (.env) and the hook blocked a perfectly safe commit.
-if any_segment_matches "$CMD" "$PATTERN_UTILITY"; then
-  MATCHES_UTILITY=1
-fi
-
-if any_segment_matches "$CMD" "$PATTERN_ENV_FILE"; then
-  MATCHES_ENV_FILE=1
+# 0.16.2 helix-017 P2 #2: utility AND env-filename must co-occur within
+# the SAME shell segment. Pre-fix this set two independent booleans
+# (any segment with utility OR any segment with .env) and AND'd them,
+# which false-positived across multi-segment constructions like
+# `echo "log: cat is broken" ; touch foo.env` (utility in segment 1,
+# .env name in segment 2). Detection is fundamentally a same-segment
+# co-occurrence property.
+MATCHES_BOTH_SAME_SEGMENT=0
+if any_segment_matches_both "$CMD" "$PATTERN_UTILITY" "$PATTERN_ENV_FILE"; then
+  MATCHES_BOTH_SAME_SEGMENT=1
 fi
 
 # Direct source/cp of .env files — always block
@@ -101,7 +98,7 @@ if any_segment_matches "$CMD" "$PATTERN_SOURCE" || \
   exit 2
 fi
 
-if [[ $MATCHES_UTILITY -eq 1 && $MATCHES_ENV_FILE -eq 1 ]]; then
+if [[ $MATCHES_BOTH_SAME_SEGMENT -eq 1 ]]; then
   TRUNCATED_CMD=$(truncate_cmd "$CMD")
   {
     printf 'ENV FILE PROTECTION: Reading .env files via Bash is blocked.\n'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.16.0",
+  "version": "0.16.2",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",