@bookedsolid/rea 0.16.4 → 0.17.0

package/dist/cli/init.js

@@ -233,10 +233,28 @@ async function printCodexInstallAssist() {
     console.log('  Install via the Claude Code Codex plugin helper: `/codex:setup`,');
     console.log('  or set `review.codex_required: false` in .rea/policy.yaml to opt out.');
 }
+function readExistingInstalledAt(policyPath) {
+    try {
+        if (!fs.existsSync(policyPath))
+            return undefined;
+        const raw = fs.readFileSync(policyPath, 'utf8');
+        const m = raw.match(/^installed_at:\s*"([^"]+)"\s*$/m);
+        return m ? m[1] : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
 function writePolicyYaml(targetDir, config, layered) {
     const policyPath = path.join(targetDir, REA_DIR, POLICY_FILE);
     const installedBy = process.env.USER ?? os.userInfo().username ?? 'unknown';
-    const installedAt = new Date().toISOString();
+    // 0.17.0 idempotency: preserve the original `installed_at` if a policy
+    // already exists. Without this, every `rea init` re-stamps the field
+    // and produces a non-idempotent diff. The first install date is the
+    // semantically correct value — re-runs reflect refreshes, not new
+    // installs. Falls back to `new Date()` only when the file is absent
+    // or unparseable.
+    const installedAt = readExistingInstalledAt(policyPath) ?? new Date().toISOString();
     const lines = [];
     lines.push(`# .rea/policy.yaml — managed by rea v${getPkgVersion()}`);
     lines.push(`# Edit carefully: tightening takes effect on next load; loosening requires human approval.`);
@@ -349,14 +367,36 @@ async function writeInstallManifest(targetDir, profile, fragmentInput) {
         sha256: sha256OfBuffer(buildFragment(fragmentInput)),
         source: 'claude-md',
     });
+    // 0.17.0 idempotency: preserve the original `installed_at` from a
+    // prior manifest if present. The first install date is the semantic
+    // truth — re-runs reflect refreshes, not new installs.
+    const manifestPath = path.join(targetDir, REA_DIR, 'install-manifest.json');
     const manifest = {
         version: getPkgVersion(),
         profile,
-        installed_at: new Date().toISOString(),
+        installed_at: readExistingManifestInstalledAt(manifestPath) ?? new Date().toISOString(),
         files: entries,
     };
     return writeManifestAtomic(targetDir, manifest);
 }
+function readExistingManifestInstalledAt(manifestPath) {
+    try {
+        if (!fs.existsSync(manifestPath))
+            return undefined;
+        const raw = fs.readFileSync(manifestPath, 'utf8');
+        const parsed = JSON.parse(raw);
+        if (typeof parsed === 'object' &&
+            parsed !== null &&
+            'installed_at' in parsed &&
+            typeof parsed.installed_at === 'string') {
+            return parsed.installed_at;
+        }
+    }
+    catch {
+        // Fall through — caller stamps a fresh date.
+    }
+    return undefined;
+}
 export async function runInit(options) {
     const targetDir = process.cwd();
     const reagentPolicyPath = detectReagentPolicy(targetDir);

package/dist/policy/loader.d.ts

@@ -11,6 +11,7 @@ declare const PolicySchema: z.ZodObject<{
     promotion_requires_human_approval: z.ZodBoolean;
     block_ai_attribution: z.ZodDefault<z.ZodBoolean>;
     blocked_paths: z.ZodArray<z.ZodString, "many">;
+    protected_writes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
     protected_paths_relax: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
     notification_channel: z.ZodDefault<z.ZodString>;
     injection_detection: z.ZodOptional<z.ZodEnum<["block", "warn"]>>;
@@ -174,6 +175,7 @@ declare const PolicySchema: z.ZodObject<{
     blocked_paths: string[];
     protected_paths_relax: string[];
     notification_channel: string;
+    protected_writes?: string[] | undefined;
     injection_detection?: "block" | "warn" | undefined;
     injection?: {
         suspicious_blocks_writes?: boolean | undefined;
@@ -220,6 +222,7 @@ declare const PolicySchema: z.ZodObject<{
     promotion_requires_human_approval: boolean;
     blocked_paths: string[];
     block_ai_attribution?: boolean | undefined;
+    protected_writes?: string[] | undefined;
     protected_paths_relax?: string[] | undefined;
     notification_channel?: string | undefined;
     injection_detection?: "block" | "warn" | undefined;

package/dist/policy/loader.js

@@ -160,11 +160,19 @@ const PolicySchema = z
     promotion_requires_human_approval: z.boolean(),
     block_ai_attribution: z.boolean().default(false),
     blocked_paths: z.array(z.string()),
-    // 0.16.3 F7: opt-in relax list. Consumers can list rea-managed
-    // hard-protected patterns they want unblocked (e.g. `.husky/` to
-    // author their own husky hooks). The kill-switch invariants
-    // (`.rea/HALT`, `.rea/policy.yaml`, `.claude/settings.json`) are
-    // ignored if listed — see hooks/_lib/protected-paths.sh.
+    // 0.16.5 F9 (helix-018 Option A): full policy-driven definition of
+    // the rea-managed write-protection list. When set, fully owns the
+    // protected set (kill-switch invariants are always added). When
+    // unset, defaults to the 5 historical patterns. Consumers who want
+    // to ADD a path (e.g. `.github/workflows/`) or remove non-invariant
+    // entries (e.g. `.husky/`) declare the full list here.
+    protected_writes: z.array(z.string()).optional(),
+    // 0.16.3 F7: opt-in subtractor. Removes entries from whatever the
+    // effective protected set is (default OR `protected_writes`).
+    // Kill-switch invariants (`.rea/HALT`, `.rea/policy.yaml`,
+    // `.claude/settings.json`) are silently dropped from the relax
+    // list — see hooks/_lib/protected-paths.sh. Both keys can coexist;
+    // `protected_paths_relax` runs AFTER `protected_writes`.
     protected_paths_relax: z.array(z.string()).default([]),
     notification_channel: z.string().default(''),
     injection_detection: z.enum(['block', 'warn']).optional(),

package/dist/policy/profiles.d.ts

@@ -26,6 +26,7 @@ export declare const ProfileSchema: z.ZodObject<{
     promotion_requires_human_approval: z.ZodOptional<z.ZodBoolean>;
     block_ai_attribution: z.ZodOptional<z.ZodBoolean>;
     blocked_paths: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    protected_writes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
     protected_paths_relax: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
     notification_channel: z.ZodOptional<z.ZodString>;
     injection_detection: z.ZodOptional<z.ZodEnum<["block", "warn"]>>;
@@ -52,6 +53,7 @@ export declare const ProfileSchema: z.ZodObject<{
     promotion_requires_human_approval?: boolean | undefined;
     block_ai_attribution?: boolean | undefined;
     blocked_paths?: string[] | undefined;
+    protected_writes?: string[] | undefined;
     protected_paths_relax?: string[] | undefined;
     notification_channel?: string | undefined;
     injection_detection?: "block" | "warn" | undefined;
@@ -68,6 +70,7 @@ export declare const ProfileSchema: z.ZodObject<{
     promotion_requires_human_approval?: boolean | undefined;
     block_ai_attribution?: boolean | undefined;
     blocked_paths?: string[] | undefined;
+    protected_writes?: string[] | undefined;
     protected_paths_relax?: string[] | undefined;
     notification_channel?: string | undefined;
     injection_detection?: "block" | "warn" | undefined;

package/dist/policy/profiles.js

@@ -48,6 +48,7 @@ export const ProfileSchema = z
     promotion_requires_human_approval: z.boolean().optional(),
     block_ai_attribution: z.boolean().optional(),
     blocked_paths: z.array(z.string()).optional(),
+    protected_writes: z.array(z.string()).optional(),
     protected_paths_relax: z.array(z.string()).optional(),
     notification_channel: z.string().optional(),
     injection_detection: z.enum(['block', 'warn']).optional(),

package/dist/policy/types.d.ts

@@ -268,6 +268,7 @@ export interface Policy {
     promotion_requires_human_approval: boolean;
     block_ai_attribution: boolean;
     blocked_paths: string[];
+    protected_writes?: string[];
     protected_paths_relax: string[];
     notification_channel: string;
     injection_detection?: 'block' | 'warn';

package/hooks/_lib/cmd-segments.sh

@@ -51,6 +51,90 @@
 # do NOT honor `\` escapes; double-quoted spans treat `\"` as a literal
 # `"` and skip past it.
 
+# Unwrap nested shell wrappers — `bash -c 'PAYLOAD'`, `sh -lc "PAYLOAD"`,
+# `zsh -ic 'PAYLOAD'`, etc. Emits the input string AS-IS plus each inner
+# PAYLOAD as a separate line. Pre-0.17.0 the splitter never parsed
+# inside wrapped quotes, so `bash -c 'git push --force'` produced a
+# single segment whose first token was `bash` — defeating every check
+# that uses `any_segment_starts_with`. This helper makes the inner
+# payload visible as its own segment, so every existing detection rule
+# fires uniformly on wrapped and unwrapped commands.
+#
+# Closes helix-017 #1, #2, #3 (0.16.2):
+#   - `bash -lc 'git push --force origin HEAD'`  → payload now seen by H1
+#   - `bash -c 'printf x > .rea/HALT'`           → payload now seen by bash-gate
+#   - `bash -lc 'npm install some-package'`      → payload now seen by audit-gate
+#
+# Recognized wrapper shape (case-insensitive shell name):
+#   (bash|sh|zsh|dash|ksh) [optional -flags...] (-c|-lc|-lic|-ic|-cl|-cli) (QUOTED_ARG)
+#
+# QUOTED_ARG can be single- or double-quoted. Single-quote bodies have no
+# escape semantics. Double-quote bodies treat \" and \\ as literal
+# escapes (per POSIX). Multiple wrappers per command-line are handled
+# (e.g. `foo; bash -c 'bar' && sh -c 'baz'` emits both `bar` and `baz`).
+#
+# Limitation: ONE level of unwrapping. A wrapper inside a wrapper
+# (`bash -c "bash -c 'innermost'"`) emits only the second-level payload
+# (`bash -c 'innermost'`), not the third-level. This is enough for
+# every consumer-reported bypass; deeper nesting can be added later
+# without changing the contract.
+_rea_unwrap_nested_shells() {
+  local cmd="$1"
+  printf '%s\n' "$cmd"
+  printf '%s' "$cmd" | awk '
+    BEGIN {
+      # Wrapper-prefix regex: shell-name + optional flag tokens + -c-style flag.
+      # Each flag token is `-` followed by 1+ letters and trailing space.
+      WRAP = "(^|[[:space:]&|;])(bash|sh|zsh|dash|ksh)([[:space:]]+-[a-zA-Z]+)*[[:space:]]+-(c|lc|lic|ic|cl|cli|li|il)[[:space:]]+"
+    }
+    {
+      rest = $0
+      while (length(rest) > 0) {
+        if (! match(rest, WRAP)) break
+        # Tail begins immediately after the matched wrapper prefix.
+        tail = substr(rest, RSTART + RLENGTH)
+        first = substr(tail, 1, 1)
+        if (first == "'\''") {
+          # Single-quoted body: no escape semantics; runs to next `'"'"'`.
+          body = substr(tail, 2)
+          end = index(body, "'\''")
+          if (end == 0) { rest = substr(tail, 2); continue }
+          payload = substr(body, 1, end - 1)
+          print payload
+          rest = substr(body, end + 1)
+          continue
+        }
+        if (first == "\"") {
+          # Double-quoted body: \" and \\ are literal escapes.
+          body = substr(tail, 2)
+          n = length(body)
+          j = 1
+          out = ""
+          closed = 0
+          while (j <= n) {
+            c = substr(body, j, 1)
+            if (c == "\\" && j < n) {
+              nxt = substr(body, j + 1, 1)
+              if (nxt == "\"" || nxt == "\\") { out = out nxt; j += 2; continue }
+              out = out c nxt
+              j += 2
+              continue
+            }
+            if (c == "\"") { closed = j; break }
+            out = out c
+            j++
+          }
+          if (closed == 0) { rest = substr(tail, 2); continue }
+          print out
+          rest = substr(body, closed + 1)
+          continue
+        }
+        # Non-quoted argument — proceed past the matched prefix only.
+        rest = tail
+      }
+    }'
+}
+
 # Split $1 on shell command separators. Emits one segment per line on
 # stdout (empty segments preserved). Used by both higher-level helpers
 # below; not generally called by hooks directly.
@@ -103,7 +187,14 @@ _rea_split_segments() {
   # splitting so quoted prose no longer over-splits and anchors trigger
   # words at the head of phantom segments. See header comment for the
   # full rationale.
-  printf '%s' "$cmd" \
+  #
+  # 0.17.0 helix-017 #1-#3 fix: unwrap `bash -c 'PAYLOAD'` style
+  # wrappers BEFORE the quote-mask + split passes. The unwrap step
+  # emits the original line plus each inner PAYLOAD as separate
+  # records; the existing pipeline then quote-masks and splits each
+  # record independently. Inner payload anchors trigger words for the
+  # `any_segment_*` checks downstream.
+  _rea_unwrap_nested_shells "$cmd" \
     | awk '
         BEGIN {
           SC  = "__REA_SEP_SC_a8f2c1__"

package/hooks/_lib/protected-paths.sh

@@ -75,8 +75,16 @@ _rea_is_kill_switch() {
   return 1
 }
 
-# Load the effective list, applying `protected_paths_relax` from policy.
+# Load the effective list, applying `protected_writes` (full override
+# from policy) and `protected_paths_relax` (subtractor) from policy.
 # Sources policy-read.sh on demand so this lib stays self-contained.
+#
+# 0.17.0 helix-018 Option A: `protected_writes` lets consumers fully
+# define the protected list. When set, replaces the hardcoded default;
+# kill-switch invariants are always added back regardless. When unset,
+# defaults to REA_PROTECTED_PATTERNS_FULL (the historical 5 patterns).
+# `protected_paths_relax` then subtracts from whatever the effective
+# set is (kill-switch invariants are non-relaxable).
 _rea_load_protected_patterns() {
   if [ "$_REA_PROTECTED_PATTERNS_LOADED" = "1" ]; then
     return 0
@@ -89,14 +97,71 @@ _rea_load_protected_patterns() {
     source "${BASH_SOURCE[0]%/*}/policy-read.sh" 2>/dev/null || true
   fi
 
+  # Read both policy keys.
+  local writes_list=()
   local relax_list=()
+  local protected_writes_set=0
   if command -v policy_list >/dev/null 2>&1; then
+    # `protected_writes`: detect "set but empty" vs "unset" via a probe.
+    # policy_list returns nothing for both cases, so we use a sentinel
+    # check on the YAML key existence via a separate probe.
+    local pw_present
+    pw_present=$(policy_scalar "protected_writes" 2>/dev/null || true)
+    # If the key is a list (yq returns "null" or empty for scalar reads
+    # of a list), policy_list reads it. We detect "key exists" by
+    # checking either policy_scalar's return OR policy_list's output.
+    while IFS= read -r entry; do
+      [ -z "$entry" ] && continue
+      writes_list+=("$entry")
+      protected_writes_set=1
+    done < <(policy_list "protected_writes" 2>/dev/null || true)
+    # If pw_present is "[]" (empty array) — policy_list returns nothing
+    # but the key IS set. policy_scalar of a list returns "null" or
+    # the literal `[]`. Treat any of those as "set".
+    case "$pw_present" in
+      '[]'|'null') protected_writes_set=1 ;;
+    esac
+
     while IFS= read -r entry; do
       [ -z "$entry" ] && continue
       relax_list+=("$entry")
     done < <(policy_list "protected_paths_relax" 2>/dev/null || true)
   fi
 
+  # Compose the BASE list:
+  #   - If `protected_writes` set in policy: that list, plus kill-switch
+  #     invariants always added (deduped).
+  #   - Else: REA_PROTECTED_PATTERNS_FULL (hardcoded historical default).
+  local base_list=()
+  if [ "$protected_writes_set" = "1" ]; then
+    local w
+    for w in "${writes_list[@]+"${writes_list[@]}"}"; do
+      base_list+=("$w")
+    done
+    # Add kill-switch invariants if not already present.
+    local inv inv_lc found
+    for inv in "${REA_KILL_SWITCH_INVARIANTS[@]}"; do
+      inv_lc=$(printf '%s' "$inv" | tr '[:upper:]' '[:lower:]')
+      found=0
+      local b b_lc
+      for b in "${base_list[@]+"${base_list[@]}"}"; do
+        b_lc=$(printf '%s' "$b" | tr '[:upper:]' '[:lower:]')
+        if [[ "$b_lc" == "$inv_lc" ]]; then
+          found=1
+          break
+        fi
+      done
+      if [ "$found" = "0" ]; then
+        base_list+=("$inv")
+      fi
+    done
+  else
+    local pat
+    for pat in "${REA_PROTECTED_PATTERNS_FULL[@]}"; do
+      base_list+=("$pat")
+    done
+  fi
+
   # Validate relax entries: any kill-switch invariant in the list is
   # silently dropped from "permitted to relax" but emits a stderr
   # advisory so the operator can see why their relax didn't take
@@ -112,10 +177,10 @@ _rea_load_protected_patterns() {
     fi
   done
 
-  # Build the effective list: every FULL entry that is NOT in the
+  # Build the effective list: every BASE entry that is NOT in the
   # relaxed set (case-insensitive comparison).
   local pat pat_lc rentry rentry_lc relaxed
-  for pat in "${REA_PROTECTED_PATTERNS_FULL[@]}"; do
+  for pat in "${base_list[@]+"${base_list[@]}"}"; do
     pat_lc=$(printf '%s' "$pat" | tr '[:upper:]' '[:lower:]')
     relaxed=0
     for rentry in "${relaxed_set[@]+"${relaxed_set[@]}"}"; do

package/hooks/dangerous-bash-interceptor.sh

@@ -257,8 +257,21 @@ fi
 # in-quote pipes are replaced with a sentinel that the regex doesn't
 # match. Real curl-pipe-shell still matches because the pipe between
 # `curl https://x` and `sh` is outside any quote span.
-H12_MASKED=$(quote_masked_cmd "$CMD")
-if printf '%s' "$H12_MASKED" | grep -qiE '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(bash|sh|zsh|fish)'; then
+# 0.17.0 helix-017 #1 fix: also scan inner payloads of nested-shell
+# wrappers (`zsh -c "curl https://x | sh"`). The unwrap helper emits
+# the original command + each inner payload as separate lines; we
+# quote-mask each line independently and grep. If ANY emitted line
+# contains a real curl-pipe-shell, fire H12.
+H12_HIT=0
+while IFS= read -r _h12_line; do
+  [ -z "$_h12_line" ] && continue
+  _h12_masked=$(quote_masked_cmd "$_h12_line")
+  if printf '%s' "$_h12_masked" | grep -qiE '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(bash|sh|zsh|fish)'; then
+    H12_HIT=1
+    break
+  fi
+done < <(_rea_unwrap_nested_shells "$CMD")
+if [ "$H12_HIT" = "1" ]; then
   add_high \
     "curl/wget piped to shell — remote code execution" \
     "Executing remote scripts without inspection is a major supply chain risk." \

package/hooks/dependency-audit-gate.sh

@@ -58,14 +58,27 @@ extract_packages() {
   # outer command — but they're never the FIRST token on a segment, so
   # the anchor rejects them.
 
-  # Tokenize on shell separators. Each `IFS=` entry becomes a separate
-  # segment we can anchor against. We use bash's `mapfile` with a sed
-  # to inject newlines at separators; awk-based splitting handles the
-  # quoting heuristic well enough for the realistic cases (agent-issued
-  # commands rarely have separators inside single-quoted strings that
-  # would confuse this).
+  # 0.17.0 helix-017 #3: unwrap nested-shell wrappers (`bash -c 'PAYLOAD'`,
+  # `sh -lc "PAYLOAD"`, etc.) before splitting so the inner install
+  # command becomes a segment that anchors against the install-pattern
+  # check below. Pre-fix `bash -lc 'npm install pkg'` produced a single
+  # segment whose first token was `bash` — install-detection skipped.
+  # 0.17.0 helix-019 #3: delegate splitting to the shared
+  # `_rea_split_segments` so this gate inherits the full separator set
+  # (including bare `&` background-process operator added in 0.16.1)
+  # and the quote-mask that prevents over-fire from in-quote separators.
+  # Pre-fix the local segmenter splat on `|||&&|;|` only, missing bare
+  # `&` — `echo warmup & pnpm add lodash` stayed merged into one segment
+  # and the install-pattern leading-token check skipped it entirely.
   local segments
-  segments=$(printf '%s\n' "$cmd" | sed -E 's/(\|\||\&\&|;|\|)/\n/g')
+  if [ -f "$(dirname "$0")/_lib/cmd-segments.sh" ]; then
+    # shellcheck source=_lib/cmd-segments.sh
+    source "$(dirname "$0")/_lib/cmd-segments.sh"
+    segments=$(_rea_split_segments "$cmd")
+  else
+    # Fallback (lib unavailable): legacy local splitter preserved.
+    segments=$(printf '%s\n' "$cmd" | sed -E 's/(\|\||\&\&|;|\||\&)/\n/g')
+  fi
 
   while IFS= read -r segment; do
     # Trim leading whitespace.

package/hooks/security-disclosure-gate.sh

@@ -118,37 +118,87 @@ REA_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
 BODY_FILE_TEXT=""
 _extract_body_file_paths() {
   # Emit each `--body-file PATH` and `-F PATH` argument on its own line.
-  # Skips the stdin form (`-`) and `-F=foo`/`--body-file=foo` (handled
-  # by a separate awk pass below).
+  # Skips the stdin form (`-`) and emits the path verbatim from the
+  # equals-form (`--body-file=PATH` / `-F=PATH`).
+  #
+  # 0.17.0 helix-019 #2: quote-aware tokenization. The pre-fix awk split
+  # on whitespace, breaking `--body-file "security notes.md"` into three
+  # tokens — the hook then tried to read `"security` (with literal
+  # leading quote), failed, and silently skipped the body scan. Now we
+  # walk the string with quote-state awareness: whitespace inside
+  # matched `"..."` / `'...'` spans is part of the token, not a
+  # separator. Single-quote spans have no escape semantics; double-quote
+  # spans treat `\"` and `\\` as literal escapes (POSIX shell rules).
   printf '%s' "$COMMAND" \
     | awk '
-        BEGIN { skip_next = 0; flag_was = "" }
+        BEGIN { skip_next = 0 }
+        function strip_outer_quotes(s,    n, first, last) {
+          n = length(s)
+          if (n < 2) return s
+          first = substr(s, 1, 1)
+          last  = substr(s, n, 1)
+          if ((first == "\"" && last == "\"") || (first == "'\''" && last == "'\''")) {
+            return substr(s, 2, n - 2)
+          }
+          return s
+        }
+        function emit_token(t) {
+          if (skip_next) {
+            skip_next = 0
+            if (t == "-" || t == "") return
+            t = strip_outer_quotes(t)
+            print t
+            return
+          }
+          if (t == "--body-file" || t == "-F") { skip_next = 1; return }
+          if (t ~ /^--body-file=/) {
+            v = substr(t, length("--body-file=") + 1)
+            v = strip_outer_quotes(v)
+            if (v != "" && v != "-") print v
+          }
+          if (t ~ /^-F=/) {
+            v = substr(t, length("-F=") + 1)
+            v = strip_outer_quotes(v)
+            if (v != "" && v != "-") print v
+          }
+        }
         {
-          n = split($0, toks, /[[:space:]]+/)
-          for (i = 1; i <= n; i++) {
-            t = toks[i]
-            if (skip_next) {
-              skip_next = 0
-              if (t == "-" || t == "") continue
-              # Strip surrounding quotes from the token if present.
-              gsub(/^["'"'"']/, "", t)
-              gsub(/["'"'"']$/, "", t)
-              print t
+          line = $0
+          n = length(line)
+          i = 1
+          tok = ""
+          mode = 0  # 0=plain, 1=double-quoted, 2=single-quoted
+          while (i <= n) {
+            ch = substr(line, i, 1)
+            if (mode == 0) {
+              if (ch == " " || ch == "\t") {
+                if (tok != "") { emit_token(tok); tok = "" }
+                i++; continue
+              }
+              if (ch == "\"") { mode = 1; tok = tok ch; i++; continue }
+              if (ch == "'\''") { mode = 2; tok = tok ch; i++; continue }
+              tok = tok ch
+              i++
               continue
             }
-            if (t == "--body-file" || t == "-F") { skip_next = 1; continue }
-            # Equals form.
-            if (t ~ /^--body-file=/) {
-              v = substr(t, length("--body-file=") + 1)
-              gsub(/^["'"'"']/, "", v); gsub(/["'"'"']$/, "", v)
-              if (v != "" && v != "-") print v
-            }
-            if (t ~ /^-F=/) {
-              v = substr(t, length("-F=") + 1)
-              gsub(/^["'"'"']/, "", v); gsub(/["'"'"']$/, "", v)
-              if (v != "" && v != "-") print v
+            if (mode == 1) {
+              if (ch == "\\" && i < n) {
+                nxt = substr(line, i + 1, 1)
+                tok = tok ch nxt
+                i += 2
+                continue
+              }
+              if (ch == "\"") { mode = 0; tok = tok ch; i++; continue }
+              tok = tok ch
+              i++
+              continue
             }
+            # mode == 2
+            if (ch == "'\''") { mode = 0; tok = tok ch; i++; continue }
+            tok = tok ch
+            i++
           }
+          if (tok != "") emit_token(tok)
         }'
 }
 while IFS= read -r body_path; do
@@ -180,12 +230,24 @@ while IFS= read -r body_path; do
       esac
     done
     resolved="/$(IFS=/; printf '%s' "${_bf_parts[*]}")"
-    # If the raw path used `..` AND the resolved form escapes REA_ROOT,
-    # refuse — that's the obfuscation shape we care about. A file under
-    # /tmp or /var/folders without `..` segments is fine.
+    # 0.17.0 helix-019 #1: HARD REFUSAL on traversal escaping REA_ROOT.
+    # Pre-fix the gate logged "skipping body scan" and exited 0 — every
+    # sensitive payload at the resolved external path bypassed the
+    # disclosure check. The traversal-out-of-root shape exists ONLY to
+    # obfuscate; legitimate workflows pass absolute tmpfile paths
+    # (`/tmp/...`, `/var/folders/...`) without `..` segments.
     if [[ "$resolved" != "$REA_ROOT" && "$resolved" != "$REA_ROOT"/* ]]; then
-      printf 'security-disclosure-gate: --body-file path uses `..` traversal escaping project root; skipping body scan\n' >&2
-      continue
+      {
+        printf 'SECURITY DISCLOSURE GATE: --body-file path traversal escapes project root\n'
+        printf '\n'
+        printf '  Path:     %s\n' "$raw_path"
+        printf '  Resolved: %s\n' "$resolved"
+        printf '\n'
+        printf '  Rule: --body-file paths whose canonical form uses `..` segments to\n'
+        printf '        escape REA_ROOT are refused. Move the file inside the project\n'
+        printf '        tree, or paste the body inline via --body.\n'
+      } >&2
+      exit 2
     fi
   fi
   if [[ ! -r "$resolved" ]]; then

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.16.4",
+  "version": "0.17.0",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",