@bookedsolid/rea 0.17.0 → 0.19.0

package/dist/policy/loader.d.ts

@@ -48,10 +48,14 @@ declare const PolicySchema: z.ZodObject<{
          */
         auto_narrow_threshold: z.ZodOptional<z.ZodNumber>;
         /**
-         * Codex CLI model override (0.13.4+). Pinned via `-c model="<name>"` on
-         * every `codex exec review` invocation. When unset, codex's own default
-         * applies — which today is the special-purpose `codex-auto-review`
-         * model at `medium` reasoning, NOT the flagship.
+         * Codex CLI model override (0.13.4+; runtime-default since 0.18.0).
+         * Pinned via `-c model="<name>"` on every `codex exec review`
+         * invocation. **0.18.0 iron-gate runtime default**: when unset, the
+         * runtime hardcodes `gpt-5.4` — codex's own default
+         * (`codex-auto-review` at medium) is no longer reachable through the
+         * rea push-gate. To select a different model, set this key
+         * explicitly. config.toml is consulted ONLY when the explicit value
+         * passed by rea is `undefined`, which the runtime never does.
          *
          * For serious adversarial review on consumer codebases (where verdict
          * stability matters) the recommended setting is `gpt-5.4` with
@@ -77,6 +81,15 @@ declare const PolicySchema: z.ZodObject<{
          * matters less than throughput.
          */
         codex_reasoning_effort: z.ZodOptional<z.ZodEnum<["low", "medium", "high"]>>;
+        /**
+         * Verdict cache TTL in milliseconds (0.18.1+ helixir #1, #4, #7, #8).
+         * Default 86_400_000 (24 hours). When a push of `head_sha` produces
+         * a non-blocking verdict, the result is written to
+         * `.rea/last-review.cache.json`. Subsequent pushes of the same SHA
+         * within the TTL skip the codex invocation and reuse the cached
+         * verdict. Set to 0 to disable caching (every push re-invokes codex).
+         */
+        cache_ttl_ms: z.ZodOptional<z.ZodNumber>;
     }, "strict", z.ZodTypeAny, {
         codex_required?: boolean | undefined;
         concerns_blocks?: boolean | undefined;
@@ -85,6 +98,7 @@ declare const PolicySchema: z.ZodObject<{
         auto_narrow_threshold?: number | undefined;
         codex_model?: string | undefined;
         codex_reasoning_effort?: "low" | "medium" | "high" | undefined;
+        cache_ttl_ms?: number | undefined;
     }, {
         codex_required?: boolean | undefined;
         concerns_blocks?: boolean | undefined;
@@ -93,6 +107,7 @@ declare const PolicySchema: z.ZodObject<{
         auto_narrow_threshold?: number | undefined;
         codex_model?: string | undefined;
         codex_reasoning_effort?: "low" | "medium" | "high" | undefined;
+        cache_ttl_ms?: number | undefined;
     }>>;
     redact: z.ZodOptional<z.ZodObject<{
         match_timeout_ms: z.ZodOptional<z.ZodNumber>;
@@ -192,6 +207,7 @@ declare const PolicySchema: z.ZodObject<{
         auto_narrow_threshold?: number | undefined;
         codex_model?: string | undefined;
         codex_reasoning_effort?: "low" | "medium" | "high" | undefined;
+        cache_ttl_ms?: number | undefined;
     } | undefined;
     redact?: {
         match_timeout_ms?: number | undefined;
@@ -241,6 +257,7 @@ declare const PolicySchema: z.ZodObject<{
         auto_narrow_threshold?: number | undefined;
         codex_model?: string | undefined;
         codex_reasoning_effort?: "low" | "medium" | "high" | undefined;
+        cache_ttl_ms?: number | undefined;
     } | undefined;
     redact?: {
         match_timeout_ms?: number | undefined;

package/dist/policy/loader.js

@@ -39,10 +39,14 @@ const ReviewPolicySchema = z
      */
     auto_narrow_threshold: z.number().int().nonnegative().optional(),
     /**
-     * Codex CLI model override (0.13.4+). Pinned via `-c model="<name>"` on
-     * every `codex exec review` invocation. When unset, codex's own default
-     * applies — which today is the special-purpose `codex-auto-review`
-     * model at `medium` reasoning, NOT the flagship.
+     * Codex CLI model override (0.13.4+; runtime-default since 0.18.0).
+     * Pinned via `-c model="<name>"` on every `codex exec review`
+     * invocation. **0.18.0 iron-gate runtime default**: when unset, the
+     * runtime hardcodes `gpt-5.4` — codex's own default
+     * (`codex-auto-review` at medium) is no longer reachable through the
+     * rea push-gate. To select a different model, set this key
+     * explicitly. config.toml is consulted ONLY when the explicit value
+     * passed by rea is `undefined`, which the runtime never does.
      *
      * For serious adversarial review on consumer codebases (where verdict
      * stability matters) the recommended setting is `gpt-5.4` with
@@ -68,6 +72,15 @@ const ReviewPolicySchema = z
      * matters less than throughput.
      */
     codex_reasoning_effort: z.enum(['low', 'medium', 'high']).optional(),
+    /**
+     * Verdict cache TTL in milliseconds (0.18.1+ helixir #1, #4, #7, #8).
+     * Default 86_400_000 (24 hours). When a push of `head_sha` produces
+     * a non-blocking verdict, the result is written to
+     * `.rea/last-review.cache.json`. Subsequent pushes of the same SHA
+     * within the TTL skip the codex invocation and reuse the cached
+     * verdict. Set to 0 to disable caching (every push re-invokes codex).
+     */
+    cache_ttl_ms: z.number().int().nonnegative().optional(),
 })
     .strict();
 /**

package/dist/policy/profiles.d.ts

@@ -47,6 +47,28 @@ export declare const ProfileSchema: z.ZodObject<{
         delegate_to_subagent?: string[] | undefined;
         max_bash_output_lines?: number | undefined;
     }>>;
+    audit: z.ZodOptional<z.ZodObject<{
+        rotation: z.ZodOptional<z.ZodObject<{
+            max_bytes: z.ZodOptional<z.ZodNumber>;
+            max_age_days: z.ZodOptional<z.ZodNumber>;
+        }, "strip", z.ZodTypeAny, {
+            max_bytes?: number | undefined;
+            max_age_days?: number | undefined;
+        }, {
+            max_bytes?: number | undefined;
+            max_age_days?: number | undefined;
+        }>>;
+    }, "strip", z.ZodTypeAny, {
+        rotation?: {
+            max_bytes?: number | undefined;
+            max_age_days?: number | undefined;
+        } | undefined;
+    }, {
+        rotation?: {
+            max_bytes?: number | undefined;
+            max_age_days?: number | undefined;
+        } | undefined;
+    }>>;
 }, "strict", z.ZodTypeAny, {
     autonomy_level?: AutonomyLevel | undefined;
     max_autonomy_level?: AutonomyLevel | undefined;
@@ -64,6 +86,12 @@ export declare const ProfileSchema: z.ZodObject<{
         delegate_to_subagent?: string[] | undefined;
         max_bash_output_lines?: number | undefined;
     } | undefined;
+    audit?: {
+        rotation?: {
+            max_bytes?: number | undefined;
+            max_age_days?: number | undefined;
+        } | undefined;
+    } | undefined;
 }, {
     autonomy_level?: AutonomyLevel | undefined;
     max_autonomy_level?: AutonomyLevel | undefined;
@@ -81,6 +109,12 @@ export declare const ProfileSchema: z.ZodObject<{
         delegate_to_subagent?: string[] | undefined;
         max_bash_output_lines?: number | undefined;
     } | undefined;
+    audit?: {
+        rotation?: {
+            max_bytes?: number | undefined;
+            max_age_days?: number | undefined;
+        } | undefined;
+    } | undefined;
 }>;
 export type Profile = z.infer<typeof ProfileSchema>;
 /** Hard defaults applied before any profile or wizard answer. */

package/dist/policy/profiles.js

@@ -54,6 +54,21 @@ export const ProfileSchema = z
     injection_detection: z.enum(['block', 'warn']).optional(),
     injection: InjectionProfileSchema.optional(),
     context_protection: ContextProtectionProfileSchema.optional(),
+    // 0.18.1+ helixir #9: profiles can ship audit-rotation defaults.
+    // The full audit policy block validates at load time via
+    // `AuditPolicySchema` in loader.ts; profiles only need to declare
+    // the rotation knob (most consumer profiles will leave this empty
+    // — the default 50 MiB / 30 days are sane).
+    audit: z
+        .object({
+        rotation: z
+            .object({
+            max_bytes: z.number().int().positive().optional(),
+            max_age_days: z.number().int().positive().optional(),
+        })
+            .optional(),
+    })
+        .optional(),
 })
     .strict();
 /** Hard defaults applied before any profile or wizard answer. */

package/dist/policy/types.d.ts

@@ -158,6 +158,17 @@ export interface ReviewPolicy {
      * throughput.
      */
     codex_reasoning_effort?: 'low' | 'medium' | 'high';
+    /**
+     * Verdict cache TTL in milliseconds (0.18.1+ helixir #1, #4, #7, #8).
+     * Default 86_400_000 (24 hours). When a push of `head_sha` produces a
+     * non-blocking verdict, the result is written to
+     * `.rea/last-review.cache.json`. Subsequent pushes of the same SHA
+     * within the TTL skip the codex invocation and reuse the cached
+     * verdict. Set to `0` to disable caching (every push re-invokes
+     * codex — pre-0.18.1 behavior). Verdict flips on the same SHA emit
+     * a `rea.push_gate.verdict_flip` audit event and overwrite the cache.
+     */
+    cache_ttl_ms?: number;
 }
 /**
  * User-supplied redaction pattern entry. Each pattern has a stable `name` used

package/hooks/_lib/cmd-segments.sh

@@ -73,6 +73,20 @@
 # escapes (per POSIX). Multiple wrappers per command-line are handled
 # (e.g. `foo; bash -c 'bar' && sh -c 'baz'` emits both `bar` and `baz`).
 #
+# 0.18.0 helix-020 G1.A fix: the unwrap pass scans a QUOTE-MASKED form
+# of the input, not the raw input. Pre-fix, a quoted argument that
+# MENTIONED a wrapper (e.g. `git commit -m "docs: mention bash -c 'npm
+# install left-pad'"`) would emit a phantom inner-payload segment, and
+# `dependency-audit-gate.sh` would block the innocent commit. The
+# quote-mask layer (the same one `_rea_split_segments` uses) replaces
+# all in-quote separators AND in-quote single/double quote characters
+# with multi-byte sentinels — so the wrapper regex can no longer match
+# inside an outer quoted span. The unwrapped payload itself is still
+# emitted from the un-masked input by recomputing offsets back to the
+# raw string, so escape semantics inside legitimate wrappers stay
+# correct. We only need the mask to suppress matching; the captured
+# payload is read off the original string.
+#
 # Limitation: ONE level of unwrapping. A wrapper inside a wrapper
 # (`bash -c "bash -c 'innermost'"`) emits only the second-level payload
 # (`bash -c 'innermost'`), not the third-level. This is enough for
@@ -81,32 +95,130 @@
 _rea_unwrap_nested_shells() {
   local cmd="$1"
   printf '%s\n' "$cmd"
-  printf '%s' "$cmd" | awk '
+  # Build a mask where in-quote `"` `'` `;` `&` `|` characters are
+  # replaced with multi-byte sentinels so the wrapper regex below
+  # cannot match wrapper syntax that lives inside outer quoted prose.
+  # We also mask the in-quote QUOTE characters themselves so the awk
+  # body's quote-state heuristic (which looks at the byte immediately
+  # after the matched wrapper-prefix region) cannot mistake an inner
+  # quote for a payload-opening quote. Sentinel bytes are aligned to
+  # be the same width as their original character (single-byte) so
+  # offsets into the raw string remain valid for payload extraction.
+  #
+  # Approach: rather than synthesize a per-byte sentinel of width 1,
+  # we run the awk wrapper-scan against a SEPARATE masked stream and
+  # then translate matched RSTART/RLENGTH offsets back to the original
+  # string. We do that by passing both strings into awk (raw via stdin,
+  # masked via -v MASKED) and tracking the same index across both —
+  # since the mask substitutes single bytes with single bytes only
+  # (placeholder bytes drawn from the C0 control-character range) the
+  # offsets line up.
+  #
+  # Placeholder bytes — chosen from the C0 control range so they
+  # cannot appear in real shell input under UTF-8 (NUL, BEL, VT, FF
+  # are reserved by some shells; we use SOH/STX/ETX/ENQ/ACK which are
+  # not assigned operational meaning by any shell we ship with).
+  #   \x01 SOH — replaces in-quote `"`
+  #   \x02 STX — replaces in-quote `'`
+  #   \x03 ETX — replaces in-quote `;`
+  #   \x05 ENQ — replaces in-quote `&`
+  #   \x06 ACK — replaces in-quote `|`
+  local masked
+  masked=$(printf '%s' "$cmd" | awk '
+    {
+      line = $0
+      out = ""
+      i = 1
+      n = length(line)
+      mode = 0
+      while (i <= n) {
+        ch = substr(line, i, 1)
+        if (mode == 0) {
+          if (ch == "\"") { mode = 1; out = out ch; i++; continue }
+          if (ch == "'\''") { mode = 2; out = out ch; i++; continue }
+          out = out ch
+          i++
+          continue
+        }
+        if (mode == 2) {
+          if (ch == "'\''") { mode = 0; out = out "\002"; i++; continue }
+          if (ch == ";") { out = out "\003"; i++; continue }
+          if (ch == "&") { out = out "\005"; i++; continue }
+          if (ch == "|") { out = out "\006"; i++; continue }
+          if (ch == "\"") { out = out "\001"; i++; continue }
+          out = out ch
+          i++
+          continue
+        }
+        # mode == 1 (double-quoted)
+        if (ch == "\\" && i < n) {
+          # Preserve the escape pair literally — width preserved.
+          nxt = substr(line, i + 1, 1)
+          out = out ch nxt
+          i += 2
+          continue
+        }
+        if (ch == "\"") { mode = 0; out = out "\001"; i++; continue }
+        if (ch == ";") { out = out "\003"; i++; continue }
+        if (ch == "&") { out = out "\005"; i++; continue }
+        if (ch == "|") { out = out "\006"; i++; continue }
+        if (ch == "'\''") { out = out "\002"; i++; continue }
+        out = out ch
+        i++
+      }
+      printf "%s", out
+    }')
+  # Pass both raw and masked into awk. Wrapper-regex matches against the
+  # masked form; payload extraction reads the raw form using the same
+  # offsets. Because the mask is byte-for-byte width-preserving, the
+  # same RSTART/RLENGTH applies to both.
+  printf '' | awk -v raw="$cmd" -v masked="$masked" '
     BEGIN {
       # Wrapper-prefix regex: shell-name + optional flag tokens + -c-style flag.
       # Each flag token is `-` followed by 1+ letters and trailing space.
+      # NOTE: matches only OUTSIDE outer quoted spans because in-quote
+      # `"`, `'\''`, `;`, `&`, `|` are masked out in `masked`. The leading
+      # alternation `(^|[[:space:]&|;])` therefore cannot anchor on a
+      # masked separator, and the shell-name token itself can no longer
+      # appear adjacent to a masked quote-introducer.
       WRAP = "(^|[[:space:]&|;])(bash|sh|zsh|dash|ksh)([[:space:]]+-[a-zA-Z]+)*[[:space:]]+-(c|lc|lic|ic|cl|cli|li|il)[[:space:]]+"
-    }
-    {
-      rest = $0
-      while (length(rest) > 0) {
-        if (! match(rest, WRAP)) break
-        # Tail begins immediately after the matched wrapper prefix.
-        tail = substr(rest, RSTART + RLENGTH)
-        first = substr(tail, 1, 1)
-        if (first == "'\''") {
-          # Single-quoted body: no escape semantics; runs to next `'"'"'`.
-          body = substr(tail, 2)
+      # Track the cursor in BOTH raw and masked. Because the mask is
+      # byte-for-byte width-preserving, the same RSTART/RLENGTH applies
+      # to both — but each iteration of the loop must SLICE both strings
+      # by the same amount so subsequent matches see synchronized tails.
+      mrest = masked
+      rrest = raw
+      while (length(mrest) > 0) {
+        if (! match(mrest, WRAP)) break
+        # Tail begins immediately after the matched wrapper prefix in
+        # BOTH strings (offsets line up — mask is width-preserving).
+        mtail = substr(mrest, RSTART + RLENGTH)
+        rtail = substr(rrest, RSTART + RLENGTH)
+        # The wrapper-payload-introducing quote must be a REAL outer
+        # quote — i.e. not a masked in-quote sentinel. Probe the raw
+        # form for the introducer character, which the mask preserved
+        # verbatim only when it was an outer quote.
+        first = substr(rtail, 1, 1)
+        mfirst = substr(mtail, 1, 1)
+        if (first == "'\''" && mfirst == "'\''") {
+          # Single-quoted body: no escape semantics; runs to next `'\''`.
+          body = substr(rtail, 2)
+          mbody = substr(mtail, 2)
           end = index(body, "'\''")
-          if (end == 0) { rest = substr(tail, 2); continue }
+          if (end == 0) {
+            mrest = substr(mtail, 2)
+            rrest = substr(rtail, 2)
+            continue
+          }
           payload = substr(body, 1, end - 1)
           print payload
-          rest = substr(body, end + 1)
+          mrest = substr(mbody, end + 1)
+          rrest = substr(body, end + 1)
           continue
         }
-        if (first == "\"") {
+        if (first == "\"" && mfirst == "\"") {
           # Double-quoted body: \" and \\ are literal escapes.
-          body = substr(tail, 2)
+          body = substr(rtail, 2)
           n = length(body)
           j = 1
           out = ""
@@ -124,15 +236,27 @@ _rea_unwrap_nested_shells() {
             out = out c
             j++
           }
-          if (closed == 0) { rest = substr(tail, 2); continue }
+          if (closed == 0) {
+            mrest = substr(mtail, 2)
+            rrest = substr(rtail, 2)
+            continue
+          }
           print out
-          rest = substr(body, closed + 1)
+          # Skip past the opening `"` (1 byte) AND the closing `"` (1
+          # byte at body[closed], i.e. mtail[closed+1]). Cursor lands
+          # at mtail[closed+2].
+          mrest = substr(mtail, closed + 2)
+          rrest = substr(rtail, closed + 2)
           continue
         }
         # Non-quoted argument — proceed past the matched prefix only.
-        rest = tail
+        mrest = mtail
+        rrest = rtail
       }
-    }'
+    }
+    # Empty action with no input rules — explicitly drive the loop from
+    # END so awk does not require any input records.
+    END {}'
 }
 
 # Split $1 on shell command separators. Emits one segment per line on

package/hooks/_lib/policy-read.sh

@@ -53,20 +53,80 @@ policy_bool_true() {
   [[ "$value" == "true" ]]
 }
 
-# Read a list of scalars from a top-level sequence block.
+# Read a list of scalars from a top-level sequence.
 # Usage: mapfile -t patterns < <(policy_list "delegate_to_subagent")
-# Handles inline "[]" as empty. Stops at the first non-"-" continuation line.
+#
+# Recognized YAML forms:
+#
+#   1. Block sequence (the historical / canonical form):
+#        blocked_paths:
+#          - .env
+#          - .env.*
+#          - .rea/HALT
+#
+#   2. Empty inline array (since 0.1.x):
+#        blocked_paths: []      # → no entries (returns successfully)
+#
+#   3. Non-empty inline array (added 0.18.0 G1.B/G1.C):
+#        blocked_paths: [.env, .env.*, .rea/HALT]
+#
+# Inline arrays may span multiple lines:
+#
+#        blocked_paths: [
+#          .env,
+#          .env.*,
+#          .rea/HALT
+#        ]
+#
+# Quoted entries (single or double quotes) are unquoted. Leading and
+# trailing whitespace on each entry is trimmed. Empty entries (e.g. from
+# a trailing `,`) are skipped silently.
+#
+# Pre-fix (G1.B/G1.C): the inline array form was VALID YAML but parsed
+# to an empty list — silent bypass of `blocked-paths-bash-gate.sh` and
+# silent ignore of `protected_writes` overrides. Fixed by extending the
+# parser to recognize the inline form in addition to the block form.
+#
+# The block form is still preferred (sed-friendly, line-aligned diffs)
+# but the inline form is now equally enforced.
 policy_list() {
   local key="$1"
   local policy
   policy=$(policy_path)
   [[ -z "$policy" ]] && return 0
   local in_block=0
+  local in_inline=0
+  local inline_buf=""
   while IFS= read -r line; do
+    # Skip while we're collecting an inline-array body across lines.
+    if [[ $in_inline -eq 1 ]]; then
+      inline_buf="${inline_buf} ${line}"
+      # Detect the closing `]` (any position on the line).
+      if printf '%s' "$line" | grep -qE '\]'; then
+        _policy_emit_inline_array "$inline_buf"
+        return 0
+      fi
+      continue
+    fi
     if printf '%s' "$line" | grep -qE "^[[:space:]]*${key}:"; then
-      if printf '%s' "$line" | grep -qE "${key}:[[:space:]]*\[\]"; then
+      # Empty inline `[]` — explicit empty list.
+      if printf '%s' "$line" | grep -qE "${key}:[[:space:]]*\[[[:space:]]*\]"; then
         return 0
       fi
+      # Non-empty inline `[ ... ]` — parse the bracketed body. May or
+      # may not close on the same line.
+      if printf '%s' "$line" | grep -qE "${key}:[[:space:]]*\["; then
+        # Strip everything up to and including the opening `[`.
+        inline_buf=$(printf '%s' "$line" | sed -E "s/^.*${key}:[[:space:]]*\[//")
+        if printf '%s' "$inline_buf" | grep -qE '\]'; then
+          # Single-line inline array.
+          _policy_emit_inline_array "$inline_buf"
+          return 0
+        fi
+        in_inline=1
+        continue
+      fi
+      # Block-form sequence header — entries follow on subsequent lines.
       in_block=1
       continue
     fi
@@ -80,3 +140,31 @@ policy_list() {
     fi
   done < "$policy"
 }
+
+# Emit each entry of an inline-array body (everything between `[` and
+# `]`, possibly across newlines if the caller concatenated lines with
+# spaces). Strips outer brackets, splits on `,`, trims whitespace and
+# matched outer quotes, drops empty entries (trailing-comma tolerance).
+_policy_emit_inline_array() {
+  local buf="$1"
+  # Drop the closing `]` and anything after it (line comments etc).
+  buf=$(printf '%s' "$buf" | sed -E 's/\].*$//')
+  # Split on commas.
+  local IFS=','
+  local raw
+  for raw in $buf; do
+    # Trim leading + trailing whitespace.
+    raw="${raw#"${raw%%[![:space:]]*}"}"
+    raw="${raw%"${raw##*[![:space:]]}"}"
+    # Drop trailing inline comment (` # comment`).
+    raw=$(printf '%s' "$raw" | sed -E 's/[[:space:]]+#.*$//')
+    # Re-trim after comment stripping.
+    raw="${raw#"${raw%%[![:space:]]*}"}"
+    raw="${raw%"${raw##*[![:space:]]}"}"
+    # Skip empty entries (trailing comma, blank line in multi-line form).
+    [[ -z "$raw" ]] && continue
+    # Strip matched outer single or double quotes.
+    raw=$(printf '%s' "$raw" | sed -E "s/^[\"']//; s/[\"']$//")
+    printf '%s\n' "$raw"
+  done
+}

package/hooks/_lib/protected-paths.sh

@@ -58,6 +58,13 @@ REA_KILL_SWITCH_INVARIANTS=(
 # first call to `rea_path_is_protected`; stays the same for the lifetime
 # of the hook process.
 REA_PROTECTED_PATTERNS=()
+# 0.18.0 helix-020 G2 fix: track which patterns came from the consumer's
+# explicit `protected_writes` override (vs. the hardcoded default). The
+# override-first ordering in `rea_path_is_protected` checks ONLY this
+# subset before consulting the extension-surface allow-list, so an
+# explicit `protected_writes: [.husky/pre-push.d/]` can re-protect a
+# path that the allow-list would otherwise let through.
+REA_PROTECTED_OVERRIDE_PATTERNS=()
 _REA_PROTECTED_PATTERNS_LOADED=0
 
 # True if $1 is a kill-switch invariant (case-insensitive exact or
@@ -195,6 +202,31 @@ _rea_load_protected_patterns() {
     fi
   done
 
+  # 0.18.0 helix-020 G2: also expose the EXPLICIT-OVERRIDE subset so
+  # `rea_path_is_protected` can prioritize override matches over the
+  # extension-surface allow-list. Only entries that came from a
+  # `protected_writes:` declaration land here — kill-switch invariants
+  # added defensively in step 2 above are NOT included (they get the
+  # historical "extension surface relaxes them" treatment, since the
+  # user did NOT explicitly opt in to protecting husky fragments).
+  if [ "$protected_writes_set" = "1" ]; then
+    local ow ow_lc rentry_lc2 relaxed2
+    for ow in "${writes_list[@]+"${writes_list[@]}"}"; do
+      ow_lc=$(printf '%s' "$ow" | tr '[:upper:]' '[:lower:]')
+      relaxed2=0
+      for rentry in "${relaxed_set[@]+"${relaxed_set[@]}"}"; do
+        rentry_lc2=$(printf '%s' "$rentry" | tr '[:upper:]' '[:lower:]')
+        if [[ "$ow_lc" == "$rentry_lc2" ]]; then
+          relaxed2=1
+          break
+        fi
+      done
+      if [ "$relaxed2" = "0" ]; then
+        REA_PROTECTED_OVERRIDE_PATTERNS+=("$ow")
+      fi
+    done
+  fi
+
   _REA_PROTECTED_PATTERNS_LOADED=1
 }
 
@@ -243,18 +275,57 @@ rea_path_is_extension_surface() {
 #
 # 0.16.4 helix-018 Option B: paths inside the documented husky
 # extension surface (`.husky/{commit-msg,pre-push,pre-commit}.d/*`)
-# return 1 (not protected) BEFORE the prefix-pattern check so they
-# don't get caught by `.husky/`'s prefix block. This mirrors the
-# §5b allow-list that has been in settings-protection.sh since 0.13.2.
+# return 1 (not protected) by default so they don't get caught by
+# `.husky/`'s prefix block. This mirrors the §5b allow-list that has
+# been in settings-protection.sh since 0.13.2.
+#
+# 0.18.0 helix-020 G2 fix: ORDER MATTERS. The pre-fix function checked
+# the extension-surface allow-list FIRST and short-circuited "not
+# protected" unconditionally. That made the `protected_writes` /
+# `protected_paths` override silently ineffective for any path inside
+# the extension surface — a consumer who wanted `.husky/pre-push.d/`
+# hardened could not opt in. The fix: explicit overrides win FIRST
+# (the consumer asked for this), then the extension-surface
+# short-circuit applies to anything else, then the default protected
+# list. Pseudocode is the canonical version from helix-020 Interactive
+# Finding 1.
 rea_path_is_protected() {
   _rea_load_protected_patterns
-  # Extension-surface allow-list — short-circuit before pattern match.
-  if rea_path_is_extension_surface "$1"; then
-    return 1
-  fi
   local p_lc
   p_lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
   local pattern pattern_lc
+
+  # 1. Explicit `protected_writes` overrides win. If the consumer
+  #    listed this path (or its parent prefix) in `protected_writes`,
+  #    we honor that intent even when the path is on the extension
+  #    surface. This is what lets a consumer harden their managed
+  #    `.husky/pre-push.d/` fragments — the carve-out for unmanaged
+  #    consumer fragments is the default, but it can be undone.
+  for pattern in "${REA_PROTECTED_OVERRIDE_PATTERNS[@]+"${REA_PROTECTED_OVERRIDE_PATTERNS[@]}"}"; do
+    pattern_lc=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
+    if [[ "$p_lc" == "$pattern_lc" ]]; then
+      return 0
+    fi
+    if [[ "$pattern_lc" == */ ]] && [[ "$p_lc" == "$pattern_lc"* ]]; then
+      return 0
+    fi
+  done
+
+  # 2. Extension-surface allow-list. Paths inside the documented
+  #    husky extension surface (`.husky/{commit-msg,pre-push,pre-commit}.d/*`)
+  #    are NOT protected by default — the consumer manages those
+  #    fragments freely; settings-protection.sh §5b has the same
+  #    carve-out on the Write/Edit side. Step 1 above is what lets a
+  #    consumer override that default per-path.
+  if rea_path_is_extension_surface "$1"; then
+    return 1
+  fi
+
+  # 3. Default protected list (kill-switch invariants + `.husky/`
+  #    prefix block + `.claude/settings*` + `.rea/policy.yaml`). When
+  #    `protected_writes` was set, kill-switch invariants are still
+  #    enforced via this branch because they were added back into
+  #    REA_PROTECTED_PATTERNS during `_rea_load_protected_patterns`.
   for pattern in "${REA_PROTECTED_PATTERNS[@]+"${REA_PROTECTED_PATTERNS[@]}"}"; do
     pattern_lc=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
     if [[ "$p_lc" == "$pattern_lc" ]]; then