npm - @bookedsolid/rea - Versions diffs - 0.16.1 → 0.16.2 - Mend

@bookedsolid/rea 0.16.1 → 0.16.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/.husky/commit-msg +8 -2
package/hooks/_lib/cmd-segments.sh +28 -0
package/hooks/attribution-advisory.sh +5 -1
package/hooks/env-file-protection.sh +11 -14
package/package.json +1 -1

package/.husky/commit-msg CHANGED Viewed

@@ -99,9 +99,15 @@ if grep -qiE '^\s*(Generated|Created|Built|Powered|Authored|Written|Produced)\s+
 fi
 # Pattern 4: Markdown-linked attribution
-if grep -qiE '\[Claude Code\]|\[GitHub Copilot\]|\[ChatGPT\]|\[Gemini\]|\[Cursor\]' "$COMMIT_MSG_FILE" 2>/dev/null; then
+# 0.16.2 helix-017 P3 #4: anchor on the markdown link shape `[Text](url)`
+# rather than bare `[Text]`. Pre-fix the regex matched ANY bracketed
+# mention — `feat: support [Claude Code] hook output format` would block
+# a perfectly legitimate commit. The markdown-link form requires the `(`
+# immediately after the closing bracket, which is the actual structural
+# attribution we want to catch.
+if grep -qiE '\[Claude Code\]\(|\[GitHub Copilot\]\(|\[ChatGPT\]\(|\[Gemini\]\(|\[Cursor\]\(' "$COMMIT_MSG_FILE" 2>/dev/null; then
   BLOCKED=1
-  MATCHES="${MATCHES}$(grep -niE '\[Claude Code\]|\[GitHub Copilot\]|\[ChatGPT\]|\[Gemini\]|\[Cursor\]' "$COMMIT_MSG_FILE" 2>/dev/null)
+  MATCHES="${MATCHES}$(grep -niE '\[Claude Code\]\(|\[GitHub Copilot\]\(|\[ChatGPT\]\(|\[Gemini\]\(|\[Cursor\]\(' "$COMMIT_MSG_FILE" 2>/dev/null)
 "
 fi

package/hooks/_lib/cmd-segments.sh CHANGED Viewed

@@ -183,6 +183,34 @@ any_segment_raw_matches() {
   return 1
 }
+# Return 0 if any single segment of $1 (after prefix-stripping) matches
+# BOTH extended regex $2 AND extended regex $3. Case-insensitive. Returns
+# 1 if no single segment matches both patterns.
+#
+# Use this when two patterns must co-occur within the SAME shell command
+# segment to constitute a detection — e.g. env-file-protection's
+# "utility + .env-filename" rule. Pre-fix env-file-protection used two
+# independent `any_segment_matches` calls and OR-combined the booleans,
+# which mis-fires across multi-segment constructions like
+# `echo "log: cat is broken" ; touch foo.env` (utility in segment 1,
+# .env name in segment 2 — both flags set, false-positive block).
+#
+# 0.16.2 helix-017 P2 #2 fix.
+any_segment_matches_both() {
+  local cmd="$1"
+  local pattern_a="$2"
+  local pattern_b="$3"
+  local segment stripped
+  while IFS= read -r segment; do
+    stripped=$(_rea_strip_prefix "$segment")
+    if printf '%s' "$stripped" | grep -qiE "$pattern_a" \
+       && printf '%s' "$stripped" | grep -qiE "$pattern_b"; then
+      return 0
+    fi
+  done < <(_rea_split_segments "$cmd")
+  return 1
+}
 # Return 0 if any segment of $1 (after prefix-stripping) STARTS WITH
 # the extended regex $2. Case-insensitive. Returns 1 if no segment
 # starts with the pattern.

package/hooks/attribution-advisory.sh CHANGED Viewed

@@ -92,7 +92,11 @@ if any_segment_matches "$CMD" '(Generated|Created|Built|Powered|Authored|Written
 fi
 # Markdown-linked attribution
-if any_segment_matches "$CMD" '\[Claude Code\]|\[GitHub Copilot\]|\[ChatGPT\]|\[Gemini\]|\[Cursor\]'; then
+# 0.16.2 helix-017 P3 #4: anchor on `[Text](` (markdown link shape) so
+# legitimate bracketed mentions like `gh pr edit --body "support [Claude
+# Code] hook output"` don't false-positive. The actual attribution we
+# care about is structural — `Generated with [Claude Code](https://...)`.
+if any_segment_matches "$CMD" '\[Claude Code\]\(|\[GitHub Copilot\]\(|\[ChatGPT\]\(|\[Gemini\]\(|\[Cursor\]\('; then
   FOUND=1
 fi

package/hooks/env-file-protection.sh CHANGED Viewed

@@ -71,19 +71,16 @@ PATTERN_CP_ENV='cp[[:space:]]+[^;|&]*\.env'
 # .env* files or .envrc (direnv)
 PATTERN_ENV_FILE='(\.env[a-zA-Z0-9._-]*|\.envrc)([[:space:]]|"|'"'"'|$)'
-MATCHES_UTILITY=0
-MATCHES_ENV_FILE=0
-# 0.15.0: per-segment match. Pre-fix this greped the FULL command which
-# false-positived on commit messages: `git commit -m "stop reading .env
-# files via cat"` matched both PATTERN_UTILITY (cat) and PATTERN_ENV_FILE
-# (.env) and the hook blocked a perfectly safe commit.
-if any_segment_matches "$CMD" "$PATTERN_UTILITY"; then
-  MATCHES_UTILITY=1
-fi
-if any_segment_matches "$CMD" "$PATTERN_ENV_FILE"; then
-  MATCHES_ENV_FILE=1
+# 0.16.2 helix-017 P2 #2: utility AND env-filename must co-occur within
+# the SAME shell segment. Pre-fix this set two independent booleans
+# (any segment with utility OR any segment with .env) and AND'd them,
+# which false-positived across multi-segment constructions like
+# `echo "log: cat is broken" ; touch foo.env` (utility in segment 1,
+# .env name in segment 2). Detection is fundamentally a same-segment
+# co-occurrence property.
+MATCHES_BOTH_SAME_SEGMENT=0
+if any_segment_matches_both "$CMD" "$PATTERN_UTILITY" "$PATTERN_ENV_FILE"; then
+  MATCHES_BOTH_SAME_SEGMENT=1
 fi
 # Direct source/cp of .env files — always block
@@ -101,7 +98,7 @@ if any_segment_matches "$CMD" "$PATTERN_SOURCE" || \
   exit 2
 fi
-if [[ $MATCHES_UTILITY -eq 1 && $MATCHES_ENV_FILE -eq 1 ]]; then
+if [[ $MATCHES_BOTH_SAME_SEGMENT -eq 1 ]]; then
   TRUNCATED_CMD=$(truncate_cmd "$CMD")
   {
     printf 'ENV FILE PROTECTION: Reading .env files via Bash is blocked.\n'

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.16.1",
+  "version": "0.16.2",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",