@bookedsolid/rea 0.16.2 → 0.16.4

package/dist/cli/install/settings-merge.js

@@ -260,6 +260,7 @@ export function defaultDesiredHooks() {
                 { type: 'command', command: `${base}/dangerous-bash-interceptor.sh`, timeout: 10000, statusMessage: 'Checking command safety...' },
                 { type: 'command', command: `${base}/env-file-protection.sh`, timeout: 5000, statusMessage: 'Checking for .env file reads...' },
                 { type: 'command', command: `${base}/protected-paths-bash-gate.sh`, timeout: 5000, statusMessage: 'Checking for shell-redirect to protected paths...' },
+                { type: 'command', command: `${base}/blocked-paths-bash-gate.sh`, timeout: 5000, statusMessage: 'Checking for shell-redirect to policy-blocked paths...' },
                 { type: 'command', command: `${base}/dependency-audit-gate.sh`, timeout: 15000, statusMessage: 'Verifying package exists...' },
                 { type: 'command', command: `${base}/security-disclosure-gate.sh`, timeout: 5000, statusMessage: 'Checking disclosure policy...' },
                 { type: 'command', command: `${base}/pr-issue-link-gate.sh`, timeout: 5000, statusMessage: 'Checking PR for issue reference...' },

package/dist/hooks/push-gate/codex-runner.js

@@ -158,6 +158,51 @@ export async function runCodexReview(options) {
         '--ephemeral',
     ];
     const args = options.prompt !== undefined && options.prompt.length > 0 ? [...baseArgs, options.prompt] : baseArgs;
+    // 0.16.3 helix-016.1 #1 fix: pre-flight probe for the codex CLI before
+    // we hand control to the long-running review subprocess. The original
+    // try/catch around `spawner(...)` only caught synchronous ENOENT; on
+    // some platforms (Linux child_process under certain shell configs)
+    // the missing-binary error arrives as a `'error'` event AFTER spawn
+    // has returned a child handle, and on others codex CLI is present
+    // but a wrapper script exits non-zero before any JSONL emerges. Both
+    // shapes leak through the existing classify path as `subprocess` /
+    // `protocol` errors with stack-frame-shaped messages instead of the
+    // friendly install hint defined on `CodexNotInstalledError`.
+    //
+    // The probe runs `codex --version` synchronously with a 2-second cap
+    // (cheap; codex --version returns in <50ms when the binary exists).
+    // If the binary is absent OR the probe exits non-zero AND the error
+    // is ENOENT-class, we throw `CodexNotInstalledError` directly so
+    // `index.ts:561` formats it as the headline `PUSH BLOCKED:` line.
+    // We deliberately do NOT use the probe for binaries that exist but
+    // fail their version check — those are real subprocess errors and
+    // belong in the existing classify path.
+    //
+    // The probe is skipped when `spawnImpl` is provided so unit tests
+    // continue to control the entire spawn surface deterministically.
+    if (options.spawnImpl === undefined) {
+        const probe = spawnSync('codex', ['--version'], {
+            cwd: options.cwd,
+            env: options.env ?? process.env,
+            timeout: 2000,
+            encoding: 'utf8',
+        });
+        // `error` is set when the OS could not start the binary at all
+        // (ENOENT, EACCES, ENOTDIR). Codex returning a non-zero status
+        // because of a downstream issue is NOT the same condition — let
+        // it fall through to the main run where the existing classifier
+        // produces a meaningful subprocess error.
+        if (probe.error !== undefined) {
+            const code = probe.error.code;
+            if (code === 'ENOENT')
+                throw new CodexNotInstalledError();
+            // EACCES on the codex binary is operationally identical to "not
+            // installed" for the user — they need to install or fix perms.
+            if (code === 'EACCES')
+                throw new CodexNotInstalledError();
+            throw probe.error;
+        }
+    }
     let child;
     try {
         child = spawner('codex', args, {

package/dist/policy/loader.d.ts

@@ -11,6 +11,7 @@ declare const PolicySchema: z.ZodObject<{
     promotion_requires_human_approval: z.ZodBoolean;
     block_ai_attribution: z.ZodDefault<z.ZodBoolean>;
     blocked_paths: z.ZodArray<z.ZodString, "many">;
+    protected_paths_relax: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
     notification_channel: z.ZodDefault<z.ZodString>;
     injection_detection: z.ZodOptional<z.ZodEnum<["block", "warn"]>>;
     injection: z.ZodOptional<z.ZodObject<{
@@ -171,6 +172,7 @@ declare const PolicySchema: z.ZodObject<{
     promotion_requires_human_approval: boolean;
     block_ai_attribution: boolean;
     blocked_paths: string[];
+    protected_paths_relax: string[];
     notification_channel: string;
     injection_detection?: "block" | "warn" | undefined;
     injection?: {
@@ -218,6 +220,7 @@ declare const PolicySchema: z.ZodObject<{
     promotion_requires_human_approval: boolean;
     blocked_paths: string[];
     block_ai_attribution?: boolean | undefined;
+    protected_paths_relax?: string[] | undefined;
     notification_channel?: string | undefined;
     injection_detection?: "block" | "warn" | undefined;
     injection?: {

package/dist/policy/loader.js

@@ -160,6 +160,12 @@ const PolicySchema = z
     promotion_requires_human_approval: z.boolean(),
     block_ai_attribution: z.boolean().default(false),
     blocked_paths: z.array(z.string()),
+    // 0.16.3 F7: opt-in relax list. Consumers can list rea-managed
+    // hard-protected patterns they want unblocked (e.g. `.husky/` to
+    // author their own husky hooks). The kill-switch invariants
+    // (`.rea/HALT`, `.rea/policy.yaml`, `.claude/settings.json`) are
+    // ignored if listed — see hooks/_lib/protected-paths.sh.
+    protected_paths_relax: z.array(z.string()).default([]),
     notification_channel: z.string().default(''),
     injection_detection: z.enum(['block', 'warn']).optional(),
     injection: InjectionPolicySchema.optional(),

package/dist/policy/profiles.d.ts

@@ -26,6 +26,7 @@ export declare const ProfileSchema: z.ZodObject<{
     promotion_requires_human_approval: z.ZodOptional<z.ZodBoolean>;
     block_ai_attribution: z.ZodOptional<z.ZodBoolean>;
     blocked_paths: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    protected_paths_relax: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
     notification_channel: z.ZodOptional<z.ZodString>;
     injection_detection: z.ZodOptional<z.ZodEnum<["block", "warn"]>>;
     injection: z.ZodOptional<z.ZodObject<{
@@ -51,6 +52,7 @@ export declare const ProfileSchema: z.ZodObject<{
     promotion_requires_human_approval?: boolean | undefined;
     block_ai_attribution?: boolean | undefined;
     blocked_paths?: string[] | undefined;
+    protected_paths_relax?: string[] | undefined;
     notification_channel?: string | undefined;
     injection_detection?: "block" | "warn" | undefined;
     injection?: {
@@ -66,6 +68,7 @@ export declare const ProfileSchema: z.ZodObject<{
     promotion_requires_human_approval?: boolean | undefined;
     block_ai_attribution?: boolean | undefined;
     blocked_paths?: string[] | undefined;
+    protected_paths_relax?: string[] | undefined;
     notification_channel?: string | undefined;
     injection_detection?: "block" | "warn" | undefined;
     injection?: {

package/dist/policy/profiles.js

@@ -48,6 +48,7 @@ export const ProfileSchema = z
     promotion_requires_human_approval: z.boolean().optional(),
     block_ai_attribution: z.boolean().optional(),
     blocked_paths: z.array(z.string()).optional(),
+    protected_paths_relax: z.array(z.string()).optional(),
     notification_channel: z.string().optional(),
     injection_detection: z.enum(['block', 'warn']).optional(),
     injection: InjectionProfileSchema.optional(),

package/dist/policy/types.d.ts

@@ -268,6 +268,7 @@ export interface Policy {
     promotion_requires_human_approval: boolean;
     block_ai_attribution: boolean;
     blocked_paths: string[];
+    protected_paths_relax: string[];
     notification_channel: string;
     injection_detection?: 'block' | 'warn';
     injection?: InjectionPolicy;

package/hooks/_lib/cmd-segments.sh

@@ -33,17 +33,23 @@
 #     form matches PATTERN (a `grep -qiE` extended regex). Returns 1
 #     if no segment matches.
 #
-# Quoting awareness: the splitter is NOT quote-aware. A separator inside
-# a quoted string would be split. This is INTENTIONAL and SAFE: the
-# segments-vs-callback contract is "find segments that anchor on a
-# trigger word." Over-splitting produces extra segments that don't
-# anchor; they're ignored. Under-splitting (treating a quoted separator
-# as part of one segment) is what the original bug was. The trade-off
-# explicitly accepts over-splitting.
+# Quoting awareness (0.16.3 helix-016.1 #2 fix): the splitter masks
+# shell separators that occur INSIDE matched `"..."` and `'...'` quote
+# spans before splitting. Earlier versions split on every unescaped
+# `&`/`;`/`|`/newline regardless of quote context, which produced
+# false-positive segment boundaries inside quoted prose:
 #
-# Quoting note for future maintainers: do not "fix" the over-splitting
-# without breaking the security property. Quote-aware splitting in pure
-# bash is a real lift; if needed it should move to a Node helper.
+#   echo "release note & git push --force now"
+#
+# The pre-fix splitter broke that into two segments and the H1 force-push
+# detector anchored on `git push --force` at the head of segment 2 — a
+# real false positive helix reproduced spontaneously during diagnostic
+# work. The fix walks the input once, replaces in-quote separators with
+# multi-byte sentinels (impossible-to-collide forms), splits on the
+# remaining un-quoted separators, then restores the sentinels back to
+# their literal characters in the surviving segments. Single-quoted spans
+# do NOT honor `\` escapes; double-quoted spans treat `\"` as a literal
+# `"` and skip past it.
 
 # Split $1 on shell command separators. Emits one segment per line on
 # stdout (empty segments preserved). Used by both higher-level helpers
@@ -54,6 +60,22 @@ _rea_split_segments() {
   # We use printf+sed instead of bash IFS=$'...' read so the splitter
   # behaves identically across BSD and GNU sed.
   #
+  # Pipeline overview (post-0.16.3 quote-mask):
+  #   1. awk one-pass mask: replace `;` `&` `|` `\n` INSIDE matched
+  #      `"..."` / `'...'` spans with multi-byte sentinels so the
+  #      separator-splitting passes below ignore them. Single-quoted
+  #      spans have no escape semantics; double-quoted spans treat
+  #      `\"` as a literal quote and continue inside the span.
+  #   2. existing `>|` swap (preserves the bash noclobber-override
+  #      operator across the splitting passes).
+  #   3. existing `&&` swap (so step 4 doesn't break compound `&&`
+  #      operators apart while still splitting on bare `&`).
+  #   4. sed split on `||`, `;`, bare `|`, bare `&`.
+  #   5. unswap `&&` / `>|` placeholders.
+  #   6. restore the in-quote sentinels back to literal chars so each
+  #      surviving segment sees its quoted prose intact (downstream
+  #      hooks regex against the segments and need the literal bytes).
+  #
   # 0.16.0 codex P1 fix (helix-015 #3): the prior sed split on bare `|`
   # which broke bash's `>|` (noclobber-override redirect) into two
   # segments — `printf x >` then ` .rea/HALT`. The redirect detector
@@ -77,12 +99,130 @@ _rea_split_segments() {
   # token is `sleep`, and `any_segment_starts_with($CMD, 'git push')`
   # missed the force-push entirely. Add `&` to the separator set, but
   # AFTER `&&` is already swapped out so we don't break it apart.
-  printf '%s\n' "$cmd" \
+  # 0.16.3 helix-016.1 #2 fix: quote-mask in-quote separators before
+  # splitting so quoted prose no longer over-splits and anchors trigger
+  # words at the head of phantom segments. See header comment for the
+  # full rationale.
+  printf '%s' "$cmd" \
+    | awk '
+        BEGIN {
+          SC  = "__REA_SEP_SC_a8f2c1__"
+          AMP = "__REA_SEP_AMP_a8f2c1__"
+          PIPE = "__REA_SEP_PIPE_a8f2c1__"
+          NL  = "__REA_SEP_NL_a8f2c1__"
+        }
+        {
+          line = $0
+          out = ""
+          i = 1
+          n = length(line)
+          mode = 0  # 0=plain, 1=double, 2=single
+          while (i <= n) {
+            ch = substr(line, i, 1)
+            if (mode == 0) {
+              if (ch == "\"") { mode = 1; out = out ch; i++; continue }
+              if (ch == "'\''") { mode = 2; out = out ch; i++; continue }
+              out = out ch
+              i++
+              continue
+            }
+            if (mode == 2) {
+              # Single quotes: no escape semantics. Only `'\''` ends.
+              if (ch == "'\''") { mode = 0; out = out ch; i++; continue }
+              if (ch == ";")    { out = out SC;   i++; continue }
+              if (ch == "&")    { out = out AMP;  i++; continue }
+              if (ch == "|")    { out = out PIPE; i++; continue }
+              # awk record-mode: literal newlines inside single-quoted
+              # heredoc bodies arrive as separate records; mask is
+              # per-record so they remain separators across records by
+              # design (the original splitter behavior).
+              out = out ch
+              i++
+              continue
+            }
+            # mode == 1 (double-quoted)
+            if (ch == "\\" && i < n) {
+              # Preserve `\"` and `\\` escape sequences literally; do not
+              # exit the double-quoted span on the escaped quote.
+              nxt = substr(line, i + 1, 1)
+              out = out ch nxt
+              i += 2
+              continue
+            }
+            if (ch == "\"") { mode = 0; out = out ch; i++; continue }
+            if (ch == ";")  { out = out SC;   i++; continue }
+            if (ch == "&")  { out = out AMP;  i++; continue }
+            if (ch == "|")  { out = out PIPE; i++; continue }
+            out = out ch
+            i++
+          }
+          print out
+        }' \
     | sed -E 's/>\|/__REA_GTPIPE_a8f2c1__/g' \
     | sed -E 's/&&/__REA_LOGAND_a8f2c1__/g' \
     | sed -E 's/(\|\||;|\||&)/\n/g' \
     | sed -E 's/__REA_LOGAND_a8f2c1__/\n/g' \
-    | sed -E 's/__REA_GTPIPE_a8f2c1__/>|/g'
+    | sed -E 's/__REA_GTPIPE_a8f2c1__/>|/g' \
+    | sed -E 's/__REA_SEP_SC_a8f2c1__/;/g; s/__REA_SEP_AMP_a8f2c1__/\&/g; s/__REA_SEP_PIPE_a8f2c1__/|/g; s/__REA_SEP_NL_a8f2c1__/\n/g'
+}
+
+# Apply only the quote-mask preprocessing pass. Returns the input with
+# in-quote `;`/`&`/`|`/newline replaced by sentinels but WITHOUT splitting
+# on the un-masked operators. Useful for multi-segment-property checks
+# (H12 curl-pipe-shell) that need to scan the whole command-line as one
+# string while still ignoring in-quote prose. Restores quoted-content
+# pipe to a placeholder (`__REA_INQUOTE_PIPE__`) so a regex against the
+# masked output can match a real `|` token without false-positiving on
+# in-quote `|` characters.
+quote_masked_cmd() {
+  local cmd="$1"
+  printf '%s' "$cmd" \
+    | awk '
+        BEGIN {
+          INQ_PIPE = "__REA_INQUOTE_PIPE_a8f2c1__"
+          INQ_SC   = "__REA_INQUOTE_SC_a8f2c1__"
+          INQ_AMP  = "__REA_INQUOTE_AMP_a8f2c1__"
+        }
+        {
+          line = $0
+          out = ""
+          i = 1
+          n = length(line)
+          mode = 0
+          while (i <= n) {
+            ch = substr(line, i, 1)
+            if (mode == 0) {
+              if (ch == "\"") { mode = 1; out = out ch; i++; continue }
+              if (ch == "'\''") { mode = 2; out = out ch; i++; continue }
+              out = out ch
+              i++
+              continue
+            }
+            if (mode == 2) {
+              if (ch == "'\''") { mode = 0; out = out ch; i++; continue }
+              if (ch == "|") { out = out INQ_PIPE; i++; continue }
+              if (ch == ";") { out = out INQ_SC;   i++; continue }
+              if (ch == "&") { out = out INQ_AMP;  i++; continue }
+              out = out ch
+              i++
+              continue
+            }
+            if (ch == "\\" && i < n) {
+              out = out ch substr(line, i + 1, 1)
+              i += 2
+              continue
+            }
+            if (ch == "\"") { mode = 0; out = out ch; i++; continue }
+            if (ch == "|") { out = out INQ_PIPE; i++; continue }
+            if (ch == ";") { out = out INQ_SC;   i++; continue }
+            if (ch == "&") { out = out INQ_AMP;  i++; continue }
+            out = out ch
+            i++
+          }
+          # awk auto-appends a newline on `print`; strip it so the
+          # caller gets exactly what was passed in.
+          printf "%s", out
+        }'
 }
 
 # Strip leading whitespace and well-known command prefixes from a single

package/hooks/_lib/protected-paths.sh

@@ -9,13 +9,37 @@
 # by the principal-engineer audit. The fix: factor the list out so
 # both hooks read the same data, and protect against shell redirects
 # in addition to Write/Edit/MultiEdit tools.
+#
+# 0.16.3 F7: the list is now policy-driven via `protected_paths_relax`.
+# Consumers who legitimately need to author `.husky/<hookname>` files
+# (or other paths in the rea-managed hard list) can opt out per-pattern
+# by listing the entry in `.rea/policy.yaml`:
+#
+#   protected_paths_relax:
+#     - .husky/    # I author my own husky hooks; opt out of rea protection
+#
+# Pre-0.16.3 the only escape was editing rea-managed source itself —
+# which `protected-paths-bash-gate.sh` (also rea-managed) would refuse.
+# That left consumers stuck. The relax list closes that escape hatch
+# without weakening the integrity of the governance layer itself.
+#
+# KILL-SWITCH INVARIANTS — these patterns are ALWAYS protected, even
+# if a consumer lists them in `protected_paths_relax`. They represent
+# the integrity of the governance layer; relaxing them would let an
+# agent disable rea, defeating the entire product.
+#
+#   .rea/HALT             — the kill switch itself
+#   .rea/policy.yaml      — the policy that defines all enforcement
+#   .claude/settings.json — the hook registration that activates rea
+#
+# Listing a kill-switch invariant in `protected_paths_relax` is silently
+# ignored AND a stderr advisory is emitted on first read.
 
-# The path list is bash glob patterns matched against project-root-
-# relative paths. Suffix `/` indicates a prefix match; no suffix means
-# (case-insensitive) exact match — see `rea_path_is_protected` for the
-# helix-015 #2 lowercase-comparison rationale. Mirrors the array in
-# settings-protection.sh §6.
-REA_PROTECTED_PATTERNS=(
+# The full hard-protected list. Suffix `/` indicates a prefix match;
+# no suffix means (case-insensitive) exact match — see
+# `rea_path_is_protected` for the helix-015 #2 lowercase-comparison
+# rationale.
+REA_PROTECTED_PATTERNS_FULL=(
   '.claude/settings.json'
   '.claude/settings.local.json'
   '.husky/'
@@ -23,9 +47,127 @@ REA_PROTECTED_PATTERNS=(
   '.rea/HALT'
 )
 
-# Test whether a project-relative path matches any protected pattern.
+# Kill-switch invariants — never relaxable. Subset of FULL.
+REA_KILL_SWITCH_INVARIANTS=(
+  '.claude/settings.json'
+  '.rea/policy.yaml'
+  '.rea/HALT'
+)
+
+# Effective patterns after applying the relax list. Computed lazily on
+# first call to `rea_path_is_protected`; stays the same for the lifetime
+# of the hook process.
+REA_PROTECTED_PATTERNS=()
+_REA_PROTECTED_PATTERNS_LOADED=0
+
+# True if $1 is a kill-switch invariant (case-insensitive exact or
+# prefix match per the same rules as the protected list itself).
+_rea_is_kill_switch() {
+  local p="$1"
+  local p_lc inv inv_lc
+  p_lc=$(printf '%s' "$p" | tr '[:upper:]' '[:lower:]')
+  for inv in "${REA_KILL_SWITCH_INVARIANTS[@]}"; do
+    inv_lc=$(printf '%s' "$inv" | tr '[:upper:]' '[:lower:]')
+    if [[ "$p_lc" == "$inv_lc" ]]; then
+      return 0
+    fi
+  done
+  return 1
+}
+
+# Load the effective list, applying `protected_paths_relax` from policy.
+# Sources policy-read.sh on demand so this lib stays self-contained.
+_rea_load_protected_patterns() {
+  if [ "$_REA_PROTECTED_PATTERNS_LOADED" = "1" ]; then
+    return 0
+  fi
+  # Source policy-read if not already sourced. The caller may have
+  # already done so; checking for a known function avoids double-source.
+  if ! command -v policy_list >/dev/null 2>&1; then
+    # Resolve relative to THIS file's dir, not the caller's.
+    # shellcheck source=policy-read.sh
+    source "${BASH_SOURCE[0]%/*}/policy-read.sh" 2>/dev/null || true
+  fi
+
+  local relax_list=()
+  if command -v policy_list >/dev/null 2>&1; then
+    while IFS= read -r entry; do
+      [ -z "$entry" ] && continue
+      relax_list+=("$entry")
+    done < <(policy_list "protected_paths_relax" 2>/dev/null || true)
+  fi
+
+  # Validate relax entries: any kill-switch invariant in the list is
+  # silently dropped from "permitted to relax" but emits a stderr
+  # advisory so the operator can see why their relax didn't take
+  # effect.
+  local relaxed_set=()
+  local r
+  for r in "${relax_list[@]+"${relax_list[@]}"}"; do
+    if _rea_is_kill_switch "$r"; then
+      printf 'rea: protected_paths_relax: %s is a kill-switch invariant and cannot be relaxed; ignoring.\n' \
+        "$r" >&2
+    else
+      relaxed_set+=("$r")
+    fi
+  done
+
+  # Build the effective list: every FULL entry that is NOT in the
+  # relaxed set (case-insensitive comparison).
+  local pat pat_lc rentry rentry_lc relaxed
+  for pat in "${REA_PROTECTED_PATTERNS_FULL[@]}"; do
+    pat_lc=$(printf '%s' "$pat" | tr '[:upper:]' '[:lower:]')
+    relaxed=0
+    for rentry in "${relaxed_set[@]+"${relaxed_set[@]}"}"; do
+      rentry_lc=$(printf '%s' "$rentry" | tr '[:upper:]' '[:lower:]')
+      if [[ "$pat_lc" == "$rentry_lc" ]]; then
+        relaxed=1
+        break
+      fi
+    done
+    if [ "$relaxed" = "0" ]; then
+      REA_PROTECTED_PATTERNS+=("$pat")
+    fi
+  done
+
+  _REA_PROTECTED_PATTERNS_LOADED=1
+}
+
+# Test whether a project-relative path is in the documented husky
+# extension surface (`.husky/commit-msg.d/*`, `.husky/pre-push.d/*`).
+# Returns 0 on match, 1 on no match. Case-insensitive.
+#
+# 0.16.4 helix-018 Option B: settings-protection.sh §5b has carved
+# this surface out of write-tier protection since 0.13.2 — consumers
+# write extension fragments here freely. Pre-0.16.4 the BASH-tier
+# gates (`protected-paths-bash-gate.sh`, `blocked-paths-bash-gate.sh`)
+# had no parity carve-out, so a `cat <<EOF > .husky/pre-push.d/X`
+# redirect was refused by the bash-gate even though the equivalent
+# Write-tool call would succeed. This helper bakes the carve-out
+# into the shared lib so every caller inherits it uniformly.
+rea_path_is_extension_surface() {
+  local p_lc
+  p_lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
+  case "$p_lc" in
+    .husky/commit-msg.d/*|.husky/pre-push.d/*|.husky/pre-commit.d/*)
+      # Refuse the bare directory itself — only fragments INSIDE
+      # the surface count. `.husky/pre-push.d/` (trailing slash, no
+      # fragment) and `.husky/pre-push.d` (the dir node) both fall
+      # through to the protection check via the parent prefix.
+      case "$p_lc" in
+        .husky/commit-msg.d/|.husky/pre-push.d/|.husky/pre-commit.d/) return 1 ;;
+      esac
+      return 0
+      ;;
+  esac
+  return 1
+}
+
+# Test whether a project-relative path matches any protected pattern
+# (after applying `protected_paths_relax`). Returns 0 on match, 1 on
+# no match.
+#
 # Usage: if rea_path_is_protected ".rea/HALT"; then echo "blocked"; fi
-# Returns 0 on match, 1 on no match.
 #
 # 0.16.0 codex P1 fix (helix-015 #2): match case-insensitively.
 # macOS APFS (default case-insensitive) lets `.ClAuDe/settings.json`
@@ -33,11 +175,22 @@ REA_PROTECTED_PATTERNS=(
 # §6 has had a CI matcher since 0.10.x; this helper was missing it.
 # We lowercase BOTH sides so the comparison is symmetric — callers can
 # pass either case.
+#
+# 0.16.4 helix-018 Option B: paths inside the documented husky
+# extension surface (`.husky/{commit-msg,pre-push,pre-commit}.d/*`)
+# return 1 (not protected) BEFORE the prefix-pattern check so they
+# don't get caught by `.husky/`'s prefix block. This mirrors the
+# §5b allow-list that has been in settings-protection.sh since 0.13.2.
 rea_path_is_protected() {
+  _rea_load_protected_patterns
+  # Extension-surface allow-list — short-circuit before pattern match.
+  if rea_path_is_extension_surface "$1"; then
+    return 1
+  fi
   local p_lc
   p_lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
   local pattern pattern_lc
-  for pattern in "${REA_PROTECTED_PATTERNS[@]}"; do
+  for pattern in "${REA_PROTECTED_PATTERNS[@]+"${REA_PROTECTED_PATTERNS[@]}"}"; do
     pattern_lc=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
     if [[ "$p_lc" == "$pattern_lc" ]]; then
       return 0

package/hooks/blocked-paths-bash-gate.sh

@@ -0,0 +1,280 @@
+#!/bin/bash
+# PreToolUse hook: blocked-paths-bash-gate.sh
+# Fires BEFORE every Bash tool call.
+# Refuses Bash commands that write to entries in policy.yaml's
+# `blocked_paths` list via shell redirection or write-flag utilities.
+#
+# Background (0.16.3, discord-ops Round 9 #1): the existing
+# blocked-paths-enforcer.sh only fires on Write/Edit/MultiEdit/
+# NotebookEdit. Bash-tier writes to blocked_paths entries bypass it
+# entirely:
+#
+#   echo x > .env
+#   cp src.txt .env
+#   sed -i '' '1d' .env.production
+#   node -e "fs.writeFileSync('.env','x')"
+#
+# `protected-paths-bash-gate.sh` covers the HARD list (HALT, policy.yaml,
+# settings.json, .husky/*) — but the soft, runtime-configurable
+# `blocked_paths` list never had a Bash-tier counterpart. discord-ops
+# independently caught this gap during their cycle 9 audit.
+#
+# This hook closes the gap by reading the same `blocked_paths` list that
+# blocked-paths-enforcer.sh reads, applying the same redirect / write-
+# utility detection pipeline as protected-paths-bash-gate.sh, and
+# blocking when the resolved target matches any entry.
+#
+# Exit codes:
+#   0 = no blocked-path write detected — allow
+#   2 = blocked-path write via Bash detected — block
+#
+# Detection: `node -e "fs.writeFileSync('.env','x')"` — Node's
+# fs.writeFileSync called against a blocked path is also detected by
+# argument scan. Other interpreter constructions (perl, python, etc.)
+# remain a known coverage gap for the same reason the env-file-protection
+# hook lists hard caps in its header comment: defense-in-depth, not an
+# adversarial firewall.
+
+set -uo pipefail
+
+# shellcheck source=_lib/cmd-segments.sh
+source "$(dirname "$0")/_lib/cmd-segments.sh"
+# shellcheck source=_lib/path-normalize.sh
+source "$(dirname "$0")/_lib/path-normalize.sh"
+# shellcheck source=_lib/policy-read.sh
+source "$(dirname "$0")/_lib/policy-read.sh"
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
+
+INPUT=$(cat)
+
+if ! command -v jq >/dev/null 2>&1; then
+  printf 'REA ERROR: jq is required but not installed.\n' >&2
+  exit 2
+fi
+
+check_halt
+REA_ROOT=$(rea_root)
+
+CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+if [[ -z "$CMD" ]]; then
+  exit 0
+fi
+
+# Load blocked_paths list. If the policy is missing or the list is empty,
+# this hook is a no-op (matches blocked-paths-enforcer.sh semantics).
+BLOCKED_PATHS=()
+while IFS= read -r entry; do
+  [[ -z "$entry" ]] && continue
+  BLOCKED_PATHS+=("$entry")
+done < <(policy_list "blocked_paths")
+
+if [[ ${#BLOCKED_PATHS[@]} -eq 0 ]]; then
+  exit 0
+fi
+
+# Match a normalized project-relative path against the loaded
+# blocked_paths list using the same matching rules as
+# blocked-paths-enforcer.sh:
+#   - directory match (entry ends with `/`) → prefix match
+#   - glob entry (contains `*`) → ERE conversion + anchored match
+#   - otherwise → exact (case-insensitive) match
+# Returns 0 + sets MATCHED on hit, 1 on no hit.
+MATCHED=""
+_match_blocked() {
+  local target_lc="$1"
+  MATCHED=""
+  local entry entry_lc regex
+  for entry in "${BLOCKED_PATHS[@]}"; do
+    entry_lc=$(printf '%s' "$entry" | tr '[:upper:]' '[:lower:]')
+    if [[ "$entry_lc" == */ ]]; then
+      if [[ "$target_lc" == "$entry_lc"* ]] || [[ "$target_lc" == "${entry_lc%/}" ]]; then
+        MATCHED="$entry"
+        return 0
+      fi
+      continue
+    fi
+    if [[ "$entry" == *'*'* ]]; then
+      regex=$(printf '%s' "$entry_lc" | sed 's/\./\\./g; s/\*/.*/g')
+      if printf '%s' "$target_lc" | grep -qE "^${regex}$"; then
+        MATCHED="$entry"
+        return 0
+      fi
+      continue
+    fi
+    if [[ "$target_lc" == "$entry_lc" ]]; then
+      MATCHED="$entry"
+      return 0
+    fi
+  done
+  return 1
+}
+
+# Normalize a path token and apply the same `..` walk + outside-REA_ROOT
+# sentinel trick as protected-paths-bash-gate.sh::_normalize_target.
+# Returns the normalized lowercased project-relative path on stdout, or
+# `__rea_outside_root__:<resolved>` when the path resolves outside the
+# project root.
+_normalize_target() {
+  local t="$1"
+  if [[ "$t" =~ ^\"(.*)\"$ ]]; then t="${BASH_REMATCH[1]}"; fi
+  if [[ "$t" =~ ^\'(.*)\'$ ]]; then t="${BASH_REMATCH[1]}"; fi
+  case "/$t/" in
+    */../*)
+      local abs="$t"
+      [[ "$abs" != /* ]] && abs="$REA_ROOT/$abs"
+      local -a raw_parts parts=()
+      IFS='/' read -ra raw_parts <<<"$abs"
+      for part in "${raw_parts[@]}"; do
+        case "$part" in
+          ''|.) continue ;;
+          ..) [[ "${#parts[@]}" -gt 0 ]] && unset 'parts[${#parts[@]}-1]' ;;
+          *) parts+=("$part") ;;
+        esac
+      done
+      t="/$(IFS=/; printf '%s' "${parts[*]}")"
+      if [[ "$t" != "$REA_ROOT" && "$t" != "$REA_ROOT"/* ]]; then
+        printf '__rea_outside_root__:%s' "$t"
+        return 0
+      fi
+      ;;
+  esac
+  t=$(normalize_path "$t")
+  printf '%s' "$t" | tr '[:upper:]' '[:lower:]'
+}
+
+_refuse() {
+  local pattern="$1" target="$2" segment="$3"
+  {
+    printf 'BLOCKED PATH (bash): write denied by policy\n'
+    printf '\n'
+    printf '  Blocked by:      %s\n' "$pattern"
+    printf '  Resolved target: %s\n' "$target"
+    printf '  Segment:         %s\n' "$segment"
+    printf '\n'
+    printf '  Source: .rea/policy.yaml → blocked_paths\n'
+    printf '  Rule: blocked_paths entries are unreachable via Bash redirects\n'
+    printf '        too — not just Write/Edit/MultiEdit. To modify, a human\n'
+    printf '        must edit directly or update blocked_paths in policy.yaml.\n'
+  } >&2
+  exit 2
+}
+
+# Check a single resolved-target token. Refuses on hit.
+_check_token() {
+  local token="$1" segment="$2"
+  [[ -z "$token" ]] && return 0
+  local resolved
+  resolved=$(_normalize_target "$token")
+  if [[ "$resolved" == __rea_outside_root__:* ]]; then
+    # Outside REA_ROOT → can't be in blocked_paths (blocked_paths is
+    # project-relative). Allow; the protected-paths gate handles
+    # outside-root rejection on the protected list itself.
+    return 0
+  fi
+  if _match_blocked "$resolved"; then
+    _refuse "$MATCHED" "$resolved" "$segment"
+  fi
+  return 0
+}
+
+# Scan one segment for redirect / write-utility / node-fs targets and
+# refuse on any hit. Mirrors protected-paths-bash-gate.sh::_check_segment
+# layout, with a few additions to catch discord-ops Round 9 #1's exact
+# Node-interpreter and sed-script-on-target shapes.
+_check_segment() {
+  local _raw="$1" segment="$2"
+  [[ -z "$segment" ]] && return 0
+
+  # Same regex set as protected-paths-bash-gate.sh — fd-prefix-aware
+  # redirects, cp/mv tail target, sed -i target, dd of=, plus a
+  # token-walk for tee/truncate/install/ln. Keeps behavior consistent
+  # across the two bash gates.
+  local re_redirect='(^|[[:space:]])(&>>|&>|[0-9]+>>|[0-9]+>\||[0-9]+>|>>|>\||>)[[:space:]]*([^[:space:]&|;<>]+)'
+  local re_cpmv='(^|[[:space:]])(cp|mv)[[:space:]]+[^&|;<>]+[[:space:]]([^[:space:]&|;<>]+)[[:space:]]*$'
+  local re_sed='(^|[[:space:]])sed[[:space:]]+(-[a-zA-Z]*i[a-zA-Z]*[^[:space:]]*)[[:space:]]+[^&|;<>]+[[:space:]]([^[:space:]&|;<>]+)[[:space:]]*$'
+  local re_dd='(^|[[:space:]])dd[[:space:]]+[^&|;<>]*of=([^[:space:]&|;<>]+)'
+
+  if [[ "$segment" =~ $re_redirect ]]; then
+    _check_token "${BASH_REMATCH[3]}" "$segment"
+  fi
+  if [[ "$segment" =~ $re_cpmv ]]; then
+    _check_token "${BASH_REMATCH[3]}" "$segment"
+  fi
+  if [[ "$segment" =~ $re_sed ]]; then
+    _check_token "${BASH_REMATCH[3]}" "$segment"
+  fi
+  if [[ "$segment" =~ $re_dd ]]; then
+    _check_token "${BASH_REMATCH[2]}" "$segment"
+  fi
+
+  # tee / truncate / install / ln — token-walk identical to
+  # protected-paths-bash-gate.sh.
+  local _seg_for_walk="$segment"
+  _seg_for_walk="${_seg_for_walk#"${_seg_for_walk%%[![:space:]]*}"}"
+  local first_tok
+  first_tok=$(printf '%s' "$_seg_for_walk" | awk '{print $1}')
+  case "$first_tok" in
+    tee|truncate|install|ln)
+      local found_cmd=""
+      # shellcheck disable=SC2086
+      set -- $_seg_for_walk
+      while [ "$#" -gt 0 ]; do
+        local tok="$1"
+        shift
+        if [[ -z "$found_cmd" ]]; then
+          case "$tok" in
+            tee|truncate|install|ln) found_cmd="$tok" ;;
+          esac
+          continue
+        fi
+        case "$tok" in
+          --) continue ;;
+          --*=*) continue ;;
+          --*)
+            case "$tok" in
+              --append|--ignore-interrupts|--no-clobber|--force|--no-target-directory|--symbolic|--no-dereference|--reference=*) continue ;;
+              *) shift 2>/dev/null || true; continue ;;
+            esac
+            ;;
+          -*)
+            case "$tok" in
+              -s*|-m*|-o*|-g*|-t*) shift 2>/dev/null || true ;;
+            esac
+            continue
+            ;;
+          *)
+            _check_token "$tok" "$segment"
+            ;;
+        esac
+      done
+      ;;
+  esac
+
+  # Node-interpreter fs.writeFileSync / fs.appendFileSync / fs.createWriteStream
+  # detection (discord-ops Round 9 #1 explicit shape). Anchored on
+  # `node -e ...` or `node --eval ...`. Conservative regex: pulls the
+  # first quoted argument out of the call.
+  local re_node_write='(^|[[:space:]])node[[:space:]]+(-e|--eval|-p|--print)[[:space:]]+'
+  if [[ "$segment" =~ $re_node_write ]]; then
+    # Find any quoted-string argument that contains fs.write* /
+    # fs.append* / createWriteStream + a path-looking arg. This is a
+    # best-effort scan; the goal is the obvious vector, not full JS.
+    local node_targets
+    node_targets=$(printf '%s' "$segment" \
+      | grep -oE "fs\.(writeFileSync|writeFile|appendFileSync|appendFile|createWriteStream)\([[:space:]]*[\"'][^\"']+[\"']" \
+      | sed -E "s/.*\([[:space:]]*[\"']([^\"']+)[\"'].*/\\1/" || true)
+    if [[ -n "$node_targets" ]]; then
+      while IFS= read -r tgt; do
+        [[ -z "$tgt" ]] && continue
+        _check_token "$tgt" "$segment"
+      done <<<"$node_targets"
+    fi
+  fi
+
+  return 0
+}
+
+for_each_segment "$CMD" _check_segment
+
+exit 0

package/hooks/dangerous-bash-interceptor.sh

@@ -245,13 +245,20 @@ fi
 
 # H12: curl/wget piped directly to shell (supply chain attack vector).
 # 0.16.1 helix-016 P1 fix: this check requires BOTH the curl/wget call
-# AND the `| sh` to appear in the same shell pipeline. The 0.16.0
-# refactor moved this into `any_segment_matches`, but the segmenter
-# splits on `|` first — so `curl https://x | sh` decomposed into two
-# segments (`curl https://x`, `sh`) and the regex (which requires both
-# in one segment) never matched. Pipe-RCE is fundamentally a
-# multi-segment property and must be checked against the raw command.
-if printf '%s' "$CMD" | grep -qiE '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(bash|sh|zsh|fish)'; then
+# AND the `| sh` to appear in the same shell pipeline. Pipe-RCE is
+# fundamentally a multi-segment property — splitting on `|` would
+# decompose `curl https://x | sh` into two unrelated segments — so the
+# detection must run against the un-split command.
+#
+# 0.16.3 helix-016.1 #2 sibling fix: pre-fix the check ran against the
+# raw `$CMD`, which false-positived on `git commit -m "...curl|sh..."`
+# (literal pipe inside the commit-message body). The fix is to scan
+# the QUOTE-MASKED form of the command — same un-split shape, but
+# in-quote pipes are replaced with a sentinel that the regex doesn't
+# match. Real curl-pipe-shell still matches because the pipe between
+# `curl https://x` and `sh` is outside any quote span.
+H12_MASKED=$(quote_masked_cmd "$CMD")
+if printf '%s' "$H12_MASKED" | grep -qiE '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(bash|sh|zsh|fish)'; then
   add_high \
     "curl/wget piped to shell — remote code execution" \
     "Executing remote scripts without inspection is a major supply chain risk." \
@@ -307,9 +314,26 @@ while IFS= read -r pattern; do
   DELEGATE_PATTERNS+=("$pattern")
 done < <(policy_list "delegate_to_subagent")
 
+# 0.16.3 discord-ops Round 9 #3 fix: anchor the match on segment-start
+# instead of unanchored substring search. The patterns from
+# `policy_list "delegate_to_subagent"` are command prefixes
+# (`pnpm run build`, `pnpm test`, `pnpm run lint`); a substring search
+# fired on commit messages and prose mentioning those prefixes
+# (`git commit -m "doc: when to delegate pnpm test to subagent"`).
+# `any_segment_starts_with` regexes against the prefix-stripped form of
+# each segment, so patterns now only match when the command segment
+# actually invokes the named tool.
+#
+# `grep -qF` was fixed-string; `any_segment_starts_with` runs grep -E.
+# The patterns from policy.yaml are literal prefixes — escape ERE
+# metacharacters before passing them through.
+_escape_ere() {
+  printf '%s' "$1" | sed 's/[][\\.*^$(){}+?|]/\\&/g'
+}
+
 for pattern in "${DELEGATE_PATTERNS[@]+"${DELEGATE_PATTERNS[@]}"}"; do
-  # Use fixed-string match — these are command prefixes, not regex.
-  if printf '%s' "$CMD" | grep -qF "$pattern"; then
+  pattern_re=$(_escape_ere "$pattern")
+  if any_segment_starts_with "$CMD" "${pattern_re}([[:space:]]|$)"; then
     add_high \
       "Context protection — command must run in a subagent" \
       "This command produces excessive output that will exhaust the coordinator context window. Delegate it to a subagent instead of running it directly." \

package/hooks/env-file-protection.sh

@@ -65,7 +65,15 @@ truncate_cmd() {
 # The goal is to block casual and accidental reads, not defeat a determined
 # adversary with shell access.
 PATTERN_UTILITY='(cat|head|tail|less|more|grep|sed|awk|bat|strings|printf|xargs|tee|jq|python3?[[:space:]]+-c|ruby[[:space:]]+-e)[[:space:]]'
-# Also catch: source/., cp (reads then writes elsewhere)
+# Also catch: source/., cp (reads then writes elsewhere).
+#
+# 0.16.3 discord-ops Round 9 #4 fix: anchored on segment-start. Pre-fix
+# `any_segment_matches` matched anywhere in the segment, so
+# `git commit -m "fix: don't source .env files"` fired even though no
+# real source-of-.env was happening — the trigger words appeared inside
+# the quoted commit-message body. The patterns are command prefixes
+# (`source PATH`, `. PATH`, `cp X PATH`), so segment-start anchoring is
+# the correct shape.
 PATTERN_SOURCE='(source|\.)[[:space:]]+[^;|&]*\.env'
 PATTERN_CP_ENV='cp[[:space:]]+[^;|&]*\.env'
 # .env* files or .envrc (direnv)
@@ -83,9 +91,10 @@ if any_segment_matches_both "$CMD" "$PATTERN_UTILITY" "$PATTERN_ENV_FILE"; then
   MATCHES_BOTH_SAME_SEGMENT=1
 fi
 
-# Direct source/cp of .env files — always block
-if any_segment_matches "$CMD" "$PATTERN_SOURCE" || \
-   any_segment_matches "$CMD" "$PATTERN_CP_ENV"; then
+# Direct source/cp of .env files — always block (segment-start anchored
+# per discord-ops Round 9 #4).
+if any_segment_starts_with "$CMD" "$PATTERN_SOURCE" || \
+   any_segment_starts_with "$CMD" "$PATTERN_CP_ENV"; then
   TRUNCATED_CMD=$(truncate_cmd "$CMD")
   {
     printf 'ENV FILE PROTECTION: Direct sourcing or copying of .env files is blocked.\n'

package/hooks/security-disclosure-gate.sh

@@ -40,8 +40,23 @@ fi
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // ""')
 
 # Only intercept gh issue create
-if ! echo "$COMMAND" | grep -qE 'gh\s+issue\s+create'; then
-  exit 0
+# 0.16.3 F8: anchor at segment start so `gh pr create --body "context: gh issue create earlier"`
+# does not match. Same anchoring class as F5/F6 in this release. Source the
+# segment splitter and use any_segment_starts_with — when the cmd-segments
+# lib isn't reachable for any reason, fall back to the legacy unanchored
+# grep (defense-in-depth: better to over-block prose mentions than miss a
+# real `gh issue create`).
+# shellcheck source=_lib/cmd-segments.sh
+if [ -f "$(dirname "$0")/_lib/cmd-segments.sh" ]; then
+  # shellcheck source=_lib/cmd-segments.sh
+  source "$(dirname "$0")/_lib/cmd-segments.sh"
+  if ! any_segment_starts_with "$COMMAND" 'gh[[:space:]]+issue[[:space:]]+create'; then
+    exit 0
+  fi
+else
+  if ! echo "$COMMAND" | grep -qE 'gh\s+issue\s+create'; then
+    exit 0
+  fi
 fi
 
 require_jq
@@ -86,8 +101,107 @@ SECURITY_PATTERNS=(
   'jail.break'
 )
 
-# Scan the full command text (title + body + flags) for sensitive patterns
-FULL_TEXT=$(echo "$COMMAND" | tr '[:upper:]' '[:lower:]')
+# Scan the full command text (title + body + flags) for sensitive patterns.
+#
+# 0.16.3 discord-ops Round 9 #2 fix: pre-fix the scan only saw what was on
+# the command line, so `gh issue create --body-file leak.md` (or `-F`)
+# routed the body through a file the regex never read. We now resolve the
+# named flag's path argument(s), read up to 64 KiB of each (cap covers
+# realistic issue bodies; a multi-megabyte body is suspicious in itself),
+# and prepend the lowercased file contents to FULL_TEXT before the
+# pattern scan. Stdin form (`-F -` or `--body-file -`) is intentionally
+# skipped — the hook's stdin is the tool payload, not the issue body,
+# and re-reading is impossible. Files outside REA_ROOT (resolved via
+# `..` traversal) are refused as a defense-in-depth measure mirroring
+# protected-paths-bash-gate.sh's outside-root sentinel.
+REA_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+BODY_FILE_TEXT=""
+_extract_body_file_paths() {
+  # Emit each `--body-file PATH` and `-F PATH` argument on its own line.
+  # Skips the stdin form (`-`) and `-F=foo`/`--body-file=foo` (handled
+  # by a separate awk pass below).
+  printf '%s' "$COMMAND" \
+    | awk '
+        BEGIN { skip_next = 0; flag_was = "" }
+        {
+          n = split($0, toks, /[[:space:]]+/)
+          for (i = 1; i <= n; i++) {
+            t = toks[i]
+            if (skip_next) {
+              skip_next = 0
+              if (t == "-" || t == "") continue
+              # Strip surrounding quotes from the token if present.
+              gsub(/^["'"'"']/, "", t)
+              gsub(/["'"'"']$/, "", t)
+              print t
+              continue
+            }
+            if (t == "--body-file" || t == "-F") { skip_next = 1; continue }
+            # Equals form.
+            if (t ~ /^--body-file=/) {
+              v = substr(t, length("--body-file=") + 1)
+              gsub(/^["'"'"']/, "", v); gsub(/["'"'"']$/, "", v)
+              if (v != "" && v != "-") print v
+            }
+            if (t ~ /^-F=/) {
+              v = substr(t, length("-F=") + 1)
+              gsub(/^["'"'"']/, "", v); gsub(/["'"'"']$/, "", v)
+              if (v != "" && v != "-") print v
+            }
+          }
+        }'
+}
+while IFS= read -r body_path; do
+  [[ -z "$body_path" ]] && continue
+  raw_path="$body_path"
+  # Resolve relative to the hook's cwd (the agent's project dir). gh
+  # accepts both absolute paths (e.g. tmpfiles like /var/folders/…) and
+  # cwd-relative paths; we honor both. Absolute paths NOT containing
+  # `..` are taken at face value.
+  if [[ "$body_path" != /* ]]; then
+    body_path="$(pwd)/$body_path"
+  fi
+  # Walk `..` segments. The only outside-REA_ROOT shape we refuse is one
+  # where the canonical form contains `..` (i.e. an explicit traversal
+  # by the caller). Plain absolute tmp paths are NOT refused — gh issue
+  # body-files are very commonly written to /var/folders or /tmp and
+  # rejecting those would defeat the scan in routine use.
+  had_traversal=0
+  case "/$raw_path/" in */../*) had_traversal=1 ;; esac
+  resolved="$body_path"
+  if [[ "$had_traversal" -eq 1 ]]; then
+    IFS='/' read -ra _bf_parts_raw <<<"$body_path"
+    _bf_parts=()
+    for _seg in "${_bf_parts_raw[@]}"; do
+      case "$_seg" in
+        ''|.) continue ;;
+        ..) [[ "${#_bf_parts[@]}" -gt 0 ]] && unset '_bf_parts[${#_bf_parts[@]}-1]' ;;
+        *) _bf_parts+=("$_seg") ;;
+      esac
+    done
+    resolved="/$(IFS=/; printf '%s' "${_bf_parts[*]}")"
+    # If the raw path used `..` AND the resolved form escapes REA_ROOT,
+    # refuse — that's the obfuscation shape we care about. A file under
+    # /tmp or /var/folders without `..` segments is fine.
+    if [[ "$resolved" != "$REA_ROOT" && "$resolved" != "$REA_ROOT"/* ]]; then
+      printf 'security-disclosure-gate: --body-file path uses `..` traversal escaping project root; skipping body scan\n' >&2
+      continue
+    fi
+  fi
+  if [[ ! -r "$resolved" ]]; then
+    printf 'security-disclosure-gate: --body-file %s unreadable; skipping body scan\n' "$raw_path" >&2
+    continue
+  fi
+  # Cap at 64 KiB. Lowercase to match FULL_TEXT case folding.
+  body_chunk=$(head -c 65536 "$resolved" 2>/dev/null | tr '[:upper:]' '[:lower:]') || body_chunk=""
+  if [[ -n "$body_chunk" ]]; then
+    BODY_FILE_TEXT="${BODY_FILE_TEXT}
+${body_chunk}"
+  fi
+done < <(_extract_body_file_paths)
+
+FULL_TEXT="${BODY_FILE_TEXT}
+$(echo "$COMMAND" | tr '[:upper:]' '[:lower:]')"
 
 MATCHED_PATTERN=""
 for PATTERN in "${SECURITY_PATTERNS[@]}"; do

package/hooks/settings-protection.sh

@@ -226,13 +226,16 @@ esac
 # §6 runs BEFORE the patch-session allowlist so hook-patch sessions cannot
 # reach .rea/policy.yaml, .rea/HALT, or .claude/settings.json via any glob
 # creativity.
-PROTECTED_PATTERNS=(
-  '.claude/settings.json'
-  '.claude/settings.local.json'
-  '.husky/'
-  '.rea/policy.yaml'
-  '.rea/HALT'
-)
+#
+# 0.16.3 F7: list is sourced from `_lib/protected-paths.sh`, which honors
+# the `protected_paths_relax` policy key (kill-switch invariants always
+# stay protected — see the lib for the always-protected subset).
+# shellcheck source=_lib/protected-paths.sh
+source "$(dirname "$0")/_lib/protected-paths.sh"
+# Trigger lazy load now so PROTECTED_PATTERNS reflects the relaxed list
+# from the start of this hook process.
+rea_path_is_protected "/__rea_force_load__" >/dev/null 2>&1 || true
+PROTECTED_PATTERNS=("${REA_PROTECTED_PATTERNS[@]}")
 
 # Patterns that are protected from general agent edits but can be unlocked by
 # REA_HOOK_PATCH_SESSION. Kept separate from the hard-protected list above so

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.16.2",
+  "version": "0.16.4",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",