@bookedsolid/rea 0.17.0 → 0.18.0

package/.husky/commit-msg

@@ -78,9 +78,17 @@ BLOCKED=0
 MATCHES=""
 
 # Pattern 1: Co-Authored-By with noreply@ email
-if grep -qiE 'Co-Authored-By:.*noreply@' "$COMMIT_MSG_FILE" 2>/dev/null; then
+# 0.18.0 helix-020 / discord-ops Round 10 #3 fix (G4.B):
+# the pre-fix pattern `Co-Authored-By:.*noreply@` matched both AI-tool
+# noreply addresses AND legitimate `<user>@users.noreply.github.com`
+# collaborator credits — blocking honest co-author footers from human
+# contributors. Refined to enumerate AI-tool noreply domains explicitly;
+# Pattern 2 below catches Co-Authored-By with named tools regardless of
+# email, so dropping users.noreply.github.com from this branch only
+# relaxes the check for human collaborators — never for AI.
+if grep -qiE 'Co-Authored-By:.*noreply@(anthropic\.com|openai\.com|github-copilot|github\.com|claude\.ai|chatgpt\.com|googlemail\.com|google\.com|cursor\.com|codeium\.com|tabnine\.com|amazon\.com|amazonaws\.com|amazon-q\.amazonaws\.com|cody\.dev|sourcegraph\.com)' "$COMMIT_MSG_FILE" 2>/dev/null; then
   BLOCKED=1
-  MATCHES="${MATCHES}$(grep -niE 'Co-Authored-By:.*noreply@' "$COMMIT_MSG_FILE" 2>/dev/null)
+  MATCHES="${MATCHES}$(grep -niE 'Co-Authored-By:.*noreply@(anthropic\.com|openai\.com|github-copilot|github\.com|claude\.ai|chatgpt\.com|googlemail\.com|google\.com|cursor\.com|codeium\.com|tabnine\.com|amazon\.com|amazonaws\.com|amazon-q\.amazonaws\.com|cody\.dev|sourcegraph\.com)' "$COMMIT_MSG_FILE" 2>/dev/null)
 "
 fi
 

package/agents/codex-adversarial.md

@@ -32,13 +32,18 @@ You may read additional files in the repo if needed for context, but do so read-
 1. **Check HALT and policy** — read `.rea/policy.yaml`, check `.rea/HALT`. If frozen, stop immediately.
 2. **Validate Codex availability** — if `/codex` is not installed, report and stop. Do not silently fall back to another reviewer.
 3. **Prepare the Codex invocation** — construct the adversarial-review prompt with the diff, commit log, and any relevant context files.
-4. **Invoke `/codex:adversarial-review`** — this call flows through the REA middleware chain (audit → kill-switch → tier → policy → redact → injection → execute → result-size-cap).
+4. **Invoke `/codex:adversarial-review --model gpt-5.4`** — pass the `--model` flag explicitly to pin the iron-gate model regardless of plugin defaults or `~/.codex/config.toml` resolution. The codex-companion script accepts `--model` (see `codex-companion.mjs:684`). This call flows through the REA middleware chain (audit → kill-switch → tier → policy → redact → injection → execute → result-size-cap).
 
    **Model pinning (0.16.1+):** when the codex plugin's adversarial-review supports model overrides, request `gpt-5.4` with `model_reasoning_effort: high` to match the push-gate's iron-gate defaults. Pre-0.16.1, in-session adversarial reviews ran on whatever the plugin defaulted to (likely `codex-auto-review` at medium reasoning) — meaningfully WEAKER than the push-gate's `gpt-5.4` + `high`. This caused a "in-session review passes, push-gate review fails" pattern reported by helix across 014 / 015 / 016. If the plugin call accepts model parameters, pass them. If it does not, fall back to invoking `codex exec review --base <ref> --json --ephemeral -c model="gpt-5.4" -c model_reasoning_effort="high"` directly via `Bash` — same shape the push-gate uses (see `src/hooks/push-gate/codex-runner.ts::runCodexReview`). The cost of the stronger model is small relative to the cost of shipping a release with a P1 bypass that gets caught at consumer push time.
 5. **Parse the Codex output** — extract structured findings.
 6. **Classify findings** by category: security, correctness, edge cases, test gaps, API design, performance.
 7. **Assign verdict**: `pass` (no material findings), `concerns` (findings worth addressing but not blocking), `blocking` (findings that must be fixed before merge).
-8. **Emit an audit entry — REQUIRED** for every `/codex-review` invocation. The pre-push gate does not consult audit records to decide pass/fail (post-0.11.0 the gate is stateless), but the `/codex-review` slash command's Step 3 verifies an audit entry was appended for this run and surfaces "review never happened" to the user when one is missing. The two specs are a contract pair — audit emission is what tells the operator their interactive review actually completed. Append via the public `@bookedsolid/rea/audit` helper:
+8. **Emit an audit entry — REQUIRED** for every `/codex-review` invocation. This is one of three identical contract checkpoints:
+   - The runtime always emits (`src/hooks/push-gate/index.ts` calls `appendAuditRecord` via `safeAppend` on every completed review — see `EVT_REVIEWED`).
+   - This agent always emits (this step).
+   - The `/codex-review` slash command's Step 3 verifies the entry exists and surfaces "review never happened" as a failure if it does not.
+
+   The pre-push gate does not consult audit records to decide pass/fail (post-0.11.0 the gate is stateless), but the audit record is still the operator's only forensic trail for an interactive review. Without it, "did this review actually happen" becomes unanswerable. Reconciled in 0.18.0 (helixir Finding #6 across cycles 1–7) so the three documents — `commands/codex-review.md`, `agents/codex-adversarial.md`, `src/hooks/push-gate/index.ts` — describe the same contract in identical wording. Append via the public `@bookedsolid/rea/audit` helper:
 
    ```ts
    import { appendAuditRecord, CODEX_REVIEW_TOOL_NAME, CODEX_REVIEW_SERVER_NAME, Tier, InvocationStatus } from '@bookedsolid/rea/audit';

package/commands/codex-review.md

@@ -55,17 +55,21 @@ Invoke the `codex-adversarial` agent with:
 
 The agent wraps `/codex:adversarial-review` and returns structured findings.
 
-## Step 3 — (Optional) verify audit entry
+## Step 3 — Verify audit entry — REQUIRED
 
-Audit emission is **optional** in 0.11.0+. The pre-push gate is stateless and does not consult audit records to decide pass/fail; the agent's structured findings ARE the review. The agent will append an audit entry when it helps forensic traceability (intermittent verdicts, review-history audits) but its absence is not a failure.
+The `codex-adversarial` agent **MUST** emit an audit entry for every invocation. This is the same contract documented in `agents/codex-adversarial.md` Step 4 and matches the runtime behavior of `rea hook push-gate` (which always calls `appendAuditRecord` on a completed review — see `src/hooks/push-gate/index.ts`'s `EVT_REVIEWED` path).
 
-If you want to confirm an entry was written for this run:
+Verify the entry was written:
 
 ```bash
 tail -n 1 .rea/audit.jsonl
 ```
 
-A `codex-adversarial-review` entry with `head_sha`, `target`, `finding_count`, and `verdict` fields is informative — but DO NOT treat its absence as a failure. The review happened if the agent returned text. (Pre-0.15.0 this step was a hard verification gate that contradicted the agent's "audit optional" contract — see Helix Finding 3, 2026-05-03.)
+The expected entry has `tool_name: "codex.review"`, `server_name: "codex"`, and `metadata` containing `head_sha`, `target`, `finding_count`, and `verdict`. If the entry is missing, the review **did not complete its contract** — surface that to the user as a failure.
+
+**Why audit emission is required even though the pre-push gate is stateless:** the 0.11.0 push-gate decides pass/fail on Codex's live verdict, not on a receipt in the audit log — but the audit record is still the operator's only forensic trail for an interactive `/codex-review` run. Without it, "did this review actually happen" becomes unanswerable, which is exactly the failure mode helixir flagged across rounds 65/66/73 in the 0.13–0.17 cycle. Runtime always emits; the agent always emits; the slash command verifies. Three checkpoints, one contract.
+
+(Earlier docs in 0.15+ said this step was "optional"; that wording contradicted both the agent's Step 4 and the runtime behavior of `safeAppend` in `src/hooks/push-gate/index.ts`. Reconciled in 0.18.0 — helixir Finding #6 across cycles 1–7.)
 
 ## Step 4 — Report
 

package/dist/cli/upgrade.js

@@ -635,7 +635,22 @@ export async function runUpgrade(options = {}) {
     }
     const now = new Date().toISOString();
     const installedAt = existingManifest?.installed_at ?? now;
-    const profile = existingManifest?.profile ?? 'unknown';
+    // 0.18.0 helix-020 G6 fix: pre-fix the upgrade path read profile from
+    // the existing manifest only — and pre-0.2.0 manifests recorded
+    // `"unknown"` as a placeholder. Every subsequent `rea upgrade` then
+    // re-stamped `"unknown"` forever. Authoritative source for the
+    // profile is `.rea/policy.yaml`; the manifest is a derivative
+    // record. Read policy first; fall back to existing manifest only
+    // when policy load fails (covers the bootstrap case where the
+    // manifest exists but policy is malformed).
+    let profile;
+    try {
+        const livePolicy = loadPolicy(resolvedRoot);
+        profile = livePolicy.profile;
+    }
+    catch {
+        profile = existingManifest?.profile ?? 'unknown';
+    }
     const freshManifest = {
         version: getPkgVersion(),
         profile,

package/dist/hooks/push-gate/codex-runner.js

@@ -136,18 +136,29 @@ function escapeTomlString(value) {
  */
 export async function runCodexReview(options) {
     const spawner = options.spawnImpl ?? spawn;
+    // 0.18.0 iron-gate runtime default: ALWAYS pass model + reasoning
+    // effort to codex. Pre-fix, undefined options fell back to codex's
+    // own default (`codex-auto-review` at medium reasoning), which
+    // bypassed the iron-gate intent and let weaker reviews ship. Now
+    // the runtime hardcodes `gpt-5.4` + `high` as the floor; policy
+    // can OVERRIDE to a different model/effort but cannot opt out into
+    // codex's defaults (config.toml or otherwise). The user's directive
+    // — "we want codex to be using its BEST. EVERY TIME" — is enforced
+    // here, not at the policy layer.
+    //
     // Model + reasoning overrides go BEFORE the `exec` subcommand because
     // `-c key=value` is a top-level codex CLI flag, not an `exec` flag.
     // Codex's TOML parser interprets the value, so we wrap strings in TOML
     // quotes — `-c model="gpt-5.4"` not `-c model=gpt-5.4` — to ensure the
     // value lands as a string regardless of upstream parsing changes.
-    const overrideArgs = [];
-    if (options.model !== undefined && options.model.length > 0) {
-        overrideArgs.push('-c', `model="${escapeTomlString(options.model)}"`);
-    }
-    if (options.reasoningEffort !== undefined) {
-        overrideArgs.push('-c', `model_reasoning_effort="${escapeTomlString(options.reasoningEffort)}"`);
-    }
+    const effectiveModel = options.model !== undefined && options.model.length > 0 ? options.model : 'gpt-5.4';
+    const effectiveReasoning = options.reasoningEffort ?? 'high';
+    const overrideArgs = [
+        '-c',
+        `model="${escapeTomlString(effectiveModel)}"`,
+        '-c',
+        `model_reasoning_effort="${escapeTomlString(effectiveReasoning)}"`,
+    ];
     const baseArgs = [
         ...overrideArgs,
         'exec',

package/dist/policy/loader.d.ts

@@ -48,10 +48,14 @@ declare const PolicySchema: z.ZodObject<{
          */
         auto_narrow_threshold: z.ZodOptional<z.ZodNumber>;
         /**
-         * Codex CLI model override (0.13.4+). Pinned via `-c model="<name>"` on
-         * every `codex exec review` invocation. When unset, codex's own default
-         * applies — which today is the special-purpose `codex-auto-review`
-         * model at `medium` reasoning, NOT the flagship.
+         * Codex CLI model override (0.13.4+; runtime-default since 0.18.0).
+         * Pinned via `-c model="<name>"` on every `codex exec review`
+         * invocation. **0.18.0 iron-gate runtime default**: when unset, the
+         * runtime hardcodes `gpt-5.4` — codex's own default
+         * (`codex-auto-review` at medium) is no longer reachable through the
+         * rea push-gate. To select a different model, set this key
+         * explicitly. config.toml is consulted ONLY when the explicit value
+         * passed by rea is `undefined`, which the runtime never does.
          *
          * For serious adversarial review on consumer codebases (where verdict
          * stability matters) the recommended setting is `gpt-5.4` with

package/dist/policy/loader.js

@@ -39,10 +39,14 @@ const ReviewPolicySchema = z
      */
     auto_narrow_threshold: z.number().int().nonnegative().optional(),
     /**
-     * Codex CLI model override (0.13.4+). Pinned via `-c model="<name>"` on
-     * every `codex exec review` invocation. When unset, codex's own default
-     * applies — which today is the special-purpose `codex-auto-review`
-     * model at `medium` reasoning, NOT the flagship.
+     * Codex CLI model override (0.13.4+; runtime-default since 0.18.0).
+     * Pinned via `-c model="<name>"` on every `codex exec review`
+     * invocation. **0.18.0 iron-gate runtime default**: when unset, the
+     * runtime hardcodes `gpt-5.4` — codex's own default
+     * (`codex-auto-review` at medium) is no longer reachable through the
+     * rea push-gate. To select a different model, set this key
+     * explicitly. config.toml is consulted ONLY when the explicit value
+     * passed by rea is `undefined`, which the runtime never does.
      *
      * For serious adversarial review on consumer codebases (where verdict
      * stability matters) the recommended setting is `gpt-5.4` with

package/hooks/_lib/cmd-segments.sh

@@ -73,6 +73,20 @@
 # escapes (per POSIX). Multiple wrappers per command-line are handled
 # (e.g. `foo; bash -c 'bar' && sh -c 'baz'` emits both `bar` and `baz`).
 #
+# 0.18.0 helix-020 G1.A fix: the unwrap pass scans a QUOTE-MASKED form
+# of the input, not the raw input. Pre-fix, a quoted argument that
+# MENTIONED a wrapper (e.g. `git commit -m "docs: mention bash -c 'npm
+# install left-pad'"`) would emit a phantom inner-payload segment, and
+# `dependency-audit-gate.sh` would block the innocent commit. The
+# quote-mask layer (the same one `_rea_split_segments` uses) replaces
+# all in-quote separators AND in-quote single/double quote characters
+# with multi-byte sentinels — so the wrapper regex can no longer match
+# inside an outer quoted span. The unwrapped payload itself is still
+# emitted from the un-masked input by recomputing offsets back to the
+# raw string, so escape semantics inside legitimate wrappers stay
+# correct. We only need the mask to suppress matching; the captured
+# payload is read off the original string.
+#
 # Limitation: ONE level of unwrapping. A wrapper inside a wrapper
 # (`bash -c "bash -c 'innermost'"`) emits only the second-level payload
 # (`bash -c 'innermost'`), not the third-level. This is enough for
@@ -81,32 +95,130 @@
 _rea_unwrap_nested_shells() {
   local cmd="$1"
   printf '%s\n' "$cmd"
-  printf '%s' "$cmd" | awk '
+  # Build a mask where in-quote `"` `'` `;` `&` `|` characters are
+  # replaced with multi-byte sentinels so the wrapper regex below
+  # cannot match wrapper syntax that lives inside outer quoted prose.
+  # We also mask the in-quote QUOTE characters themselves so the awk
+  # body's quote-state heuristic (which looks at the byte immediately
+  # after the matched wrapper-prefix region) cannot mistake an inner
+  # quote for a payload-opening quote. Sentinel bytes are aligned to
+  # be the same width as their original character (single-byte) so
+  # offsets into the raw string remain valid for payload extraction.
+  #
+  # Approach: rather than synthesize a per-byte sentinel of width 1,
+  # we run the awk wrapper-scan against a SEPARATE masked stream and
+  # then translate matched RSTART/RLENGTH offsets back to the original
+  # string. We do that by passing both strings into awk (raw via stdin,
+  # masked via -v MASKED) and tracking the same index across both —
+  # since the mask substitutes single bytes with single bytes only
+  # (placeholder bytes drawn from the C0 control-character range) the
+  # offsets line up.
+  #
+  # Placeholder bytes — chosen from the C0 control range so they
+  # cannot appear in real shell input under UTF-8 (NUL, BEL, VT, FF
+  # are reserved by some shells; we use SOH/STX/ETX/ENQ/ACK which are
+  # not assigned operational meaning by any shell we ship with).
+  #   \x01 SOH — replaces in-quote `"`
+  #   \x02 STX — replaces in-quote `'`
+  #   \x03 ETX — replaces in-quote `;`
+  #   \x05 ENQ — replaces in-quote `&`
+  #   \x06 ACK — replaces in-quote `|`
+  local masked
+  masked=$(printf '%s' "$cmd" | awk '
+    {
+      line = $0
+      out = ""
+      i = 1
+      n = length(line)
+      mode = 0
+      while (i <= n) {
+        ch = substr(line, i, 1)
+        if (mode == 0) {
+          if (ch == "\"") { mode = 1; out = out ch; i++; continue }
+          if (ch == "'\''") { mode = 2; out = out ch; i++; continue }
+          out = out ch
+          i++
+          continue
+        }
+        if (mode == 2) {
+          if (ch == "'\''") { mode = 0; out = out "\002"; i++; continue }
+          if (ch == ";") { out = out "\003"; i++; continue }
+          if (ch == "&") { out = out "\005"; i++; continue }
+          if (ch == "|") { out = out "\006"; i++; continue }
+          if (ch == "\"") { out = out "\001"; i++; continue }
+          out = out ch
+          i++
+          continue
+        }
+        # mode == 1 (double-quoted)
+        if (ch == "\\" && i < n) {
+          # Preserve the escape pair literally — width preserved.
+          nxt = substr(line, i + 1, 1)
+          out = out ch nxt
+          i += 2
+          continue
+        }
+        if (ch == "\"") { mode = 0; out = out "\001"; i++; continue }
+        if (ch == ";") { out = out "\003"; i++; continue }
+        if (ch == "&") { out = out "\005"; i++; continue }
+        if (ch == "|") { out = out "\006"; i++; continue }
+        if (ch == "'\''") { out = out "\002"; i++; continue }
+        out = out ch
+        i++
+      }
+      printf "%s", out
+    }')
+  # Pass both raw and masked into awk. Wrapper-regex matches against the
+  # masked form; payload extraction reads the raw form using the same
+  # offsets. Because the mask is byte-for-byte width-preserving, the
+  # same RSTART/RLENGTH applies to both.
+  printf '' | awk -v raw="$cmd" -v masked="$masked" '
     BEGIN {
       # Wrapper-prefix regex: shell-name + optional flag tokens + -c-style flag.
       # Each flag token is `-` followed by 1+ letters and trailing space.
+      # NOTE: matches only OUTSIDE outer quoted spans because in-quote
+      # `"`, `'\''`, `;`, `&`, `|` are masked out in `masked`. The leading
+      # alternation `(^|[[:space:]&|;])` therefore cannot anchor on a
+      # masked separator, and the shell-name token itself can no longer
+      # appear adjacent to a masked quote-introducer.
       WRAP = "(^|[[:space:]&|;])(bash|sh|zsh|dash|ksh)([[:space:]]+-[a-zA-Z]+)*[[:space:]]+-(c|lc|lic|ic|cl|cli|li|il)[[:space:]]+"
-    }
-    {
-      rest = $0
-      while (length(rest) > 0) {
-        if (! match(rest, WRAP)) break
-        # Tail begins immediately after the matched wrapper prefix.
-        tail = substr(rest, RSTART + RLENGTH)
-        first = substr(tail, 1, 1)
-        if (first == "'\''") {
-          # Single-quoted body: no escape semantics; runs to next `'"'"'`.
-          body = substr(tail, 2)
+      # Track the cursor in BOTH raw and masked. Because the mask is
+      # byte-for-byte width-preserving, the same RSTART/RLENGTH applies
+      # to both — but each iteration of the loop must SLICE both strings
+      # by the same amount so subsequent matches see synchronized tails.
+      mrest = masked
+      rrest = raw
+      while (length(mrest) > 0) {
+        if (! match(mrest, WRAP)) break
+        # Tail begins immediately after the matched wrapper prefix in
+        # BOTH strings (offsets line up — mask is width-preserving).
+        mtail = substr(mrest, RSTART + RLENGTH)
+        rtail = substr(rrest, RSTART + RLENGTH)
+        # The wrapper-payload-introducing quote must be a REAL outer
+        # quote — i.e. not a masked in-quote sentinel. Probe the raw
+        # form for the introducer character, which the mask preserved
+        # verbatim only when it was an outer quote.
+        first = substr(rtail, 1, 1)
+        mfirst = substr(mtail, 1, 1)
+        if (first == "'\''" && mfirst == "'\''") {
+          # Single-quoted body: no escape semantics; runs to next `'\''`.
+          body = substr(rtail, 2)
+          mbody = substr(mtail, 2)
           end = index(body, "'\''")
-          if (end == 0) { rest = substr(tail, 2); continue }
+          if (end == 0) {
+            mrest = substr(mtail, 2)
+            rrest = substr(rtail, 2)
+            continue
+          }
           payload = substr(body, 1, end - 1)
           print payload
-          rest = substr(body, end + 1)
+          mrest = substr(mbody, end + 1)
+          rrest = substr(body, end + 1)
           continue
         }
-        if (first == "\"") {
+        if (first == "\"" && mfirst == "\"") {
           # Double-quoted body: \" and \\ are literal escapes.
-          body = substr(tail, 2)
+          body = substr(rtail, 2)
           n = length(body)
           j = 1
           out = ""
@@ -124,15 +236,27 @@ _rea_unwrap_nested_shells() {
             out = out c
             j++
           }
-          if (closed == 0) { rest = substr(tail, 2); continue }
+          if (closed == 0) {
+            mrest = substr(mtail, 2)
+            rrest = substr(rtail, 2)
+            continue
+          }
           print out
-          rest = substr(body, closed + 1)
+          # Skip past the opening `"` (1 byte) AND the closing `"` (1
+          # byte at body[closed], i.e. mtail[closed+1]). Cursor lands
+          # at mtail[closed+2].
+          mrest = substr(mtail, closed + 2)
+          rrest = substr(rtail, closed + 2)
           continue
         }
         # Non-quoted argument — proceed past the matched prefix only.
-        rest = tail
+        mrest = mtail
+        rrest = rtail
       }
-    }'
+    }
+    # Empty action with no input rules — explicitly drive the loop from
+    # END so awk does not require any input records.
+    END {}'
 }
 
 # Split $1 on shell command separators. Emits one segment per line on

package/hooks/_lib/policy-read.sh

@@ -53,20 +53,80 @@ policy_bool_true() {
   [[ "$value" == "true" ]]
 }
 
-# Read a list of scalars from a top-level sequence block.
+# Read a list of scalars from a top-level sequence.
 # Usage: mapfile -t patterns < <(policy_list "delegate_to_subagent")
-# Handles inline "[]" as empty. Stops at the first non-"-" continuation line.
+#
+# Recognized YAML forms:
+#
+#   1. Block sequence (the historical / canonical form):
+#        blocked_paths:
+#          - .env
+#          - .env.*
+#          - .rea/HALT
+#
+#   2. Empty inline array (since 0.1.x):
+#        blocked_paths: []      # → no entries (returns successfully)
+#
+#   3. Non-empty inline array (added 0.18.0 G1.B/G1.C):
+#        blocked_paths: [.env, .env.*, .rea/HALT]
+#
+# Inline arrays may span multiple lines:
+#
+#        blocked_paths: [
+#          .env,
+#          .env.*,
+#          .rea/HALT
+#        ]
+#
+# Quoted entries (single or double quotes) are unquoted. Leading and
+# trailing whitespace on each entry is trimmed. Empty entries (e.g. from
+# a trailing `,`) are skipped silently.
+#
+# Pre-fix (G1.B/G1.C): the inline array form was VALID YAML but parsed
+# to an empty list — silent bypass of `blocked-paths-bash-gate.sh` and
+# silent ignore of `protected_writes` overrides. Fixed by extending the
+# parser to recognize the inline form in addition to the block form.
+#
+# The block form is still preferred (sed-friendly, line-aligned diffs)
+# but the inline form is now equally enforced.
 policy_list() {
   local key="$1"
   local policy
   policy=$(policy_path)
   [[ -z "$policy" ]] && return 0
   local in_block=0
+  local in_inline=0
+  local inline_buf=""
   while IFS= read -r line; do
+    # Skip while we're collecting an inline-array body across lines.
+    if [[ $in_inline -eq 1 ]]; then
+      inline_buf="${inline_buf} ${line}"
+      # Detect the closing `]` (any position on the line).
+      if printf '%s' "$line" | grep -qE '\]'; then
+        _policy_emit_inline_array "$inline_buf"
+        return 0
+      fi
+      continue
+    fi
     if printf '%s' "$line" | grep -qE "^[[:space:]]*${key}:"; then
-      if printf '%s' "$line" | grep -qE "${key}:[[:space:]]*\[\]"; then
+      # Empty inline `[]` — explicit empty list.
+      if printf '%s' "$line" | grep -qE "${key}:[[:space:]]*\[[[:space:]]*\]"; then
         return 0
       fi
+      # Non-empty inline `[ ... ]` — parse the bracketed body. May or
+      # may not close on the same line.
+      if printf '%s' "$line" | grep -qE "${key}:[[:space:]]*\["; then
+        # Strip everything up to and including the opening `[`.
+        inline_buf=$(printf '%s' "$line" | sed -E "s/^.*${key}:[[:space:]]*\[//")
+        if printf '%s' "$inline_buf" | grep -qE '\]'; then
+          # Single-line inline array.
+          _policy_emit_inline_array "$inline_buf"
+          return 0
+        fi
+        in_inline=1
+        continue
+      fi
+      # Block-form sequence header — entries follow on subsequent lines.
       in_block=1
       continue
     fi
@@ -80,3 +140,31 @@ policy_list() {
     fi
   done < "$policy"
 }
+
+# Emit each entry of an inline-array body (everything between `[` and
+# `]`, possibly across newlines if the caller concatenated lines with
+# spaces). Strips outer brackets, splits on `,`, trims whitespace and
+# matched outer quotes, drops empty entries (trailing-comma tolerance).
+_policy_emit_inline_array() {
+  local buf="$1"
+  # Drop the closing `]` and anything after it (line comments etc).
+  buf=$(printf '%s' "$buf" | sed -E 's/\].*$//')
+  # Split on commas.
+  local IFS=','
+  local raw
+  for raw in $buf; do
+    # Trim leading + trailing whitespace.
+    raw="${raw#"${raw%%[![:space:]]*}"}"
+    raw="${raw%"${raw##*[![:space:]]}"}"
+    # Drop trailing inline comment (` # comment`).
+    raw=$(printf '%s' "$raw" | sed -E 's/[[:space:]]+#.*$//')
+    # Re-trim after comment stripping.
+    raw="${raw#"${raw%%[![:space:]]*}"}"
+    raw="${raw%"${raw##*[![:space:]]}"}"
+    # Skip empty entries (trailing comma, blank line in multi-line form).
+    [[ -z "$raw" ]] && continue
+    # Strip matched outer single or double quotes.
+    raw=$(printf '%s' "$raw" | sed -E "s/^[\"']//; s/[\"']$//")
+    printf '%s\n' "$raw"
+  done
+}

package/hooks/_lib/protected-paths.sh

@@ -58,6 +58,13 @@ REA_KILL_SWITCH_INVARIANTS=(
 # first call to `rea_path_is_protected`; stays the same for the lifetime
 # of the hook process.
 REA_PROTECTED_PATTERNS=()
+# 0.18.0 helix-020 G2 fix: track which patterns came from the consumer's
+# explicit `protected_writes` override (vs. the hardcoded default). The
+# override-first ordering in `rea_path_is_protected` checks ONLY this
+# subset before consulting the extension-surface allow-list, so an
+# explicit `protected_writes: [.husky/pre-push.d/]` can re-protect a
+# path that the allow-list would otherwise let through.
+REA_PROTECTED_OVERRIDE_PATTERNS=()
 _REA_PROTECTED_PATTERNS_LOADED=0
 
 # True if $1 is a kill-switch invariant (case-insensitive exact or
@@ -195,6 +202,31 @@ _rea_load_protected_patterns() {
     fi
   done
 
+  # 0.18.0 helix-020 G2: also expose the EXPLICIT-OVERRIDE subset so
+  # `rea_path_is_protected` can prioritize override matches over the
+  # extension-surface allow-list. Only entries that came from a
+  # `protected_writes:` declaration land here — kill-switch invariants
+  # added defensively in step 2 above are NOT included (they get the
+  # historical "extension surface relaxes them" treatment, since the
+  # user did NOT explicitly opt in to protecting husky fragments).
+  if [ "$protected_writes_set" = "1" ]; then
+    local ow ow_lc rentry_lc2 relaxed2
+    for ow in "${writes_list[@]+"${writes_list[@]}"}"; do
+      ow_lc=$(printf '%s' "$ow" | tr '[:upper:]' '[:lower:]')
+      relaxed2=0
+      for rentry in "${relaxed_set[@]+"${relaxed_set[@]}"}"; do
+        rentry_lc2=$(printf '%s' "$rentry" | tr '[:upper:]' '[:lower:]')
+        if [[ "$ow_lc" == "$rentry_lc2" ]]; then
+          relaxed2=1
+          break
+        fi
+      done
+      if [ "$relaxed2" = "0" ]; then
+        REA_PROTECTED_OVERRIDE_PATTERNS+=("$ow")
+      fi
+    done
+  fi
+
   _REA_PROTECTED_PATTERNS_LOADED=1
 }
 
@@ -243,18 +275,57 @@ rea_path_is_extension_surface() {
 #
 # 0.16.4 helix-018 Option B: paths inside the documented husky
 # extension surface (`.husky/{commit-msg,pre-push,pre-commit}.d/*`)
-# return 1 (not protected) BEFORE the prefix-pattern check so they
-# don't get caught by `.husky/`'s prefix block. This mirrors the
-# §5b allow-list that has been in settings-protection.sh since 0.13.2.
+# return 1 (not protected) by default so they don't get caught by
+# `.husky/`'s prefix block. This mirrors the §5b allow-list that has
+# been in settings-protection.sh since 0.13.2.
+#
+# 0.18.0 helix-020 G2 fix: ORDER MATTERS. The pre-fix function checked
+# the extension-surface allow-list FIRST and short-circuited "not
+# protected" unconditionally. That made the `protected_writes` /
+# `protected_paths` override silently ineffective for any path inside
+# the extension surface — a consumer who wanted `.husky/pre-push.d/`
+# hardened could not opt in. The fix: explicit overrides win FIRST
+# (the consumer asked for this), then the extension-surface
+# short-circuit applies to anything else, then the default protected
+# list. Pseudocode is the canonical version from helix-020 Interactive
+# Finding 1.
 rea_path_is_protected() {
   _rea_load_protected_patterns
-  # Extension-surface allow-list — short-circuit before pattern match.
-  if rea_path_is_extension_surface "$1"; then
-    return 1
-  fi
   local p_lc
   p_lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
   local pattern pattern_lc
+
+  # 1. Explicit `protected_writes` overrides win. If the consumer
+  #    listed this path (or its parent prefix) in `protected_writes`,
+  #    we honor that intent even when the path is on the extension
+  #    surface. This is what lets a consumer harden their managed
+  #    `.husky/pre-push.d/` fragments — the carve-out for unmanaged
+  #    consumer fragments is the default, but it can be undone.
+  for pattern in "${REA_PROTECTED_OVERRIDE_PATTERNS[@]+"${REA_PROTECTED_OVERRIDE_PATTERNS[@]}"}"; do
+    pattern_lc=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
+    if [[ "$p_lc" == "$pattern_lc" ]]; then
+      return 0
+    fi
+    if [[ "$pattern_lc" == */ ]] && [[ "$p_lc" == "$pattern_lc"* ]]; then
+      return 0
+    fi
+  done
+
+  # 2. Extension-surface allow-list. Paths inside the documented
+  #    husky extension surface (`.husky/{commit-msg,pre-push,pre-commit}.d/*`)
+  #    are NOT protected by default — the consumer manages those
+  #    fragments freely; settings-protection.sh §5b has the same
+  #    carve-out on the Write/Edit side. Step 1 above is what lets a
+  #    consumer override that default per-path.
+  if rea_path_is_extension_surface "$1"; then
+    return 1
+  fi
+
+  # 3. Default protected list (kill-switch invariants + `.husky/`
+  #    prefix block + `.claude/settings*` + `.rea/policy.yaml`). When
+  #    `protected_writes` was set, kill-switch invariants are still
+  #    enforced via this branch because they were added back into
+  #    REA_PROTECTED_PATTERNS during `_rea_load_protected_patterns`.
   for pattern in "${REA_PROTECTED_PATTERNS[@]+"${REA_PROTECTED_PATTERNS[@]}"}"; do
     pattern_lc=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
     if [[ "$p_lc" == "$pattern_lc" ]]; then

package/hooks/attribution-advisory.sh

@@ -58,13 +58,24 @@ fi
 source "$(dirname "$0")/_lib/cmd-segments.sh"
 
 # ── 6. Check if this is a relevant command ────────────────────────────────────
+# 0.18.0 helix-020 / discord-ops Round 10 #2 fix (G4.A): use
+# `any_segment_starts_with`, not `any_segment_matches`. The pre-fix
+# matcher used the unanchored form, so a segment like
+#   gh pr edit --body "tracked: gh pr create earlier in the run"
+# triggered IS_RELEVANT=1 because the substring `gh pr create` was
+# anywhere in the segment. The downstream attribution check then
+# scanned the body for the markdown-link / Co-Authored-By patterns,
+# and ANY mention of those terms in the body's prose got blocked
+# even though the actual command was a `gh pr edit` whose intent had
+# nothing to do with structural attribution. The same anchoring fix
+# `dangerous-bash-interceptor.sh` got in 0.16.3 F5 finally lands here.
 IS_RELEVANT=0
 
-if any_segment_matches "$CMD" 'gh[[:space:]]+pr[[:space:]]+(create|edit)'; then
+if any_segment_starts_with "$CMD" 'gh[[:space:]]+pr[[:space:]]+(create|edit)'; then
   IS_RELEVANT=1
 fi
 
-if any_segment_matches "$CMD" 'git[[:space:]]+commit'; then
+if any_segment_starts_with "$CMD" 'git[[:space:]]+commit'; then
   IS_RELEVANT=1
 fi
 
@@ -77,7 +88,21 @@ fi
 FOUND=0
 
 # Co-Authored-By with noreply@ email
-if any_segment_matches "$CMD" 'Co-Authored-By:.*noreply@'; then
+# 0.18.0 helix-020 / discord-ops Round 10 #3 fix (G4.B): exclude
+# GitHub's legitimate `<user>@users.noreply.github.com` collaborator
+# footers from the noreply match. Pre-fix the regex `Co-Authored-By:.*noreply@`
+# matched both AI-tool noreply addresses (anthropic.com, openai.com,
+# github-copilot, etc.) AND GitHub's per-user noreply form, blocking
+# legitimate human collaborator credits. The new regex requires
+# `noreply@` to be followed by something that ISN'T `users.noreply.github.com`
+# — covered via a negative-lookahead simulation: match `noreply@` then
+# either end-of-line, whitespace, `>`, or a domain that does NOT begin
+# with `users.noreply.github.com`. Posix ERE has no lookarounds, so we
+# enumerate the allowed-prefix shapes explicitly. The "AI names" branch
+# below catches Co-Authored-By with named tools regardless of the email
+# domain, so dropping `users.noreply.github.com` from the noreply
+# pattern only relaxes the check for human collaborators — never for AI.
+if any_segment_matches "$CMD" 'Co-Authored-By:.*noreply@(anthropic\.com|openai\.com|github-copilot|github\.com|claude\.ai|chatgpt\.com|googlemail\.com|google\.com|cursor\.com|codeium\.com|tabnine\.com|amazon\.com|amazonaws\.com|amazon-q\.amazonaws\.com|cody\.dev|sourcegraph\.com)'; then
   FOUND=1
 fi
 

package/hooks/security-disclosure-gate.sh

@@ -171,6 +171,23 @@ _extract_body_file_paths() {
           while (i <= n) {
             ch = substr(line, i, 1)
             if (mode == 0) {
+              # 0.18.0 helix-020 G3.B fix: in plain (unquoted) mode,
+              # `\X` (any character X) is the POSIX shell escape for
+              # the literal character X — most commonly a space in
+              # paths like `path\ with\ spaces.md`. Pre-fix the
+              # tokenizer treated the `\` as an ordinary character and
+              # truncated at the following space, dropping the rest of
+              # the path. We now consume the backslash and emit the
+              # following byte as a literal part of the current token.
+              # `\<eol>` (line-continuation) is left intact — emit the
+              # `\` and let the splitter flow into the next record on
+              # the assumption that the caller already joined the line.
+              if (ch == "\\" && i < n) {
+                nxt = substr(line, i + 1, 1)
+                tok = tok nxt
+                i += 2
+                continue
+              }
               if (ch == " " || ch == "\t") {
                 if (tok != "") { emit_token(tok); tok = "" }
                 i++; continue

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.17.0",
+  "version": "0.18.0",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",