@bookedsolid/rea 0.21.0 → 0.22.0

package/dist/cli/init.js

@@ -85,7 +85,7 @@ function resolveLayered(profileName, reagentTranslated) {
     }
     return layered;
 }
-async function runWizard(options, targetDir, reagentPolicyPath, layeredBase) {
+async function runWizard(options, targetDir, reagentPolicyPath, layeredBase, existingPolicy = undefined) {
     const projectName = detectProjectName(targetDir);
     p.intro(`rea init — ${projectName}`);
     let fromReagent = options.fromReagent === true;
@@ -124,9 +124,15 @@ async function runWizard(options, targetDir, reagentPolicyPath, layeredBase) {
             cancel('Init cancelled.');
         profileName = picked;
     }
-    const autonomyDefault = layeredBase.autonomy_level ?? AutonomyLevel.L1;
+    // 0.21.1: prefer the existing on-disk value over the profile default
+    // so re-running `rea init` doesn't reset an operator's manual edit.
+    const autonomyDefault = existingPolicy?.autonomyLevel
+        ?? layeredBase.autonomy_level
+        ?? AutonomyLevel.L1;
     const autonomyPick = await p.select({
-        message: 'Starting autonomy_level',
+        message: existingPolicy?.autonomyLevel !== undefined
+            ? `Starting autonomy_level (current: ${existingPolicy.autonomyLevel})`
+            : 'Starting autonomy_level',
         initialValue: autonomyDefault,
         options: [
             { value: AutonomyLevel.L0, label: 'L0', hint: 'read-only; every write needs approval' },
@@ -139,9 +145,13 @@ async function runWizard(options, targetDir, reagentPolicyPath, layeredBase) {
         cancel('Init cancelled.');
     const autonomyLevel = autonomyPick;
     const maxCandidates = AUTONOMY_LEVELS.filter((lvl) => levelRank(lvl) >= levelRank(autonomyLevel));
-    const defaultMax = (layeredBase.max_autonomy_level !== undefined &&
-        maxCandidates.includes(layeredBase.max_autonomy_level) &&
-        layeredBase.max_autonomy_level) ||
+    // 0.21.1: prefer existing on-disk max_autonomy_level over profile default.
+    const defaultMax = (existingPolicy?.maxAutonomyLevel !== undefined &&
+        maxCandidates.includes(existingPolicy.maxAutonomyLevel) &&
+        existingPolicy.maxAutonomyLevel) ||
+        (layeredBase.max_autonomy_level !== undefined &&
+            maxCandidates.includes(layeredBase.max_autonomy_level) &&
+            layeredBase.max_autonomy_level) ||
         maxCandidates.find((l) => l === AutonomyLevel.L2) ||
         autonomyLevel;
     const maxOptions = maxCandidates.map((lvl) => {
@@ -233,6 +243,79 @@ async function printCodexInstallAssist() {
     console.log('  Install via the Claude Code Codex plugin helper: `/codex:setup`,');
     console.log('  or set `review.codex_required: false` in .rea/policy.yaml to opt out.');
 }
+/**
+ * Read user-mutable values from an existing `.rea/policy.yaml`.
+ * Returns undefined when the file doesn't exist or fails to parse.
+ *
+ * The reader is permissive — any field that fails to extract is
+ * dropped from the result; the caller falls back to the profile
+ * default for that one field. This is the idempotency contract
+ * extension introduced in 0.17.0 (`installed_at` preservation),
+ * extended in 0.21.1 to cover every field an operator might
+ * manually edit between init runs.
+ *
+ * Profile-switch is allowed but advisory: when the existing
+ * `profile:` value disagrees with the requested one, the existing
+ * VALUES are still preserved. Operators who want full reset pass
+ * `--force` to bypass the file-existence check entirely.
+ */
+function readExistingPolicyForPreservation(targetDir) {
+    const policyPath = path.join(targetDir, REA_DIR, POLICY_FILE);
+    if (!fs.existsSync(policyPath))
+        return undefined;
+    try {
+        const raw = fs.readFileSync(policyPath, 'utf8');
+        const out = {};
+        // Profile (informational; used for stderr advisory).
+        const pm = raw.match(/^profile:\s*['"]?([a-z0-9-]+)['"]?\s*$/m);
+        if (pm)
+            out.profile = pm[1];
+        // Autonomy + ceiling (enum).
+        const am = raw.match(/^autonomy_level:\s*(L[0-3])\s*$/m);
+        const amVal = am?.[1];
+        if (amVal !== undefined && Object.values(AutonomyLevel).includes(amVal)) {
+            out.autonomyLevel = amVal;
+        }
+        const mm = raw.match(/^max_autonomy_level:\s*(L[0-3])\s*$/m);
+        const mmVal = mm?.[1];
+        if (mmVal !== undefined && Object.values(AutonomyLevel).includes(mmVal)) {
+            out.maxAutonomyLevel = mmVal;
+        }
+        // block_ai_attribution.
+        const bm = raw.match(/^block_ai_attribution:\s*(true|false)\s*$/m);
+        if (bm?.[1] !== undefined)
+            out.blockAiAttribution = bm[1] === 'true';
+        // blocked_paths block-sequence — line-by-line scan.
+        const bpStart = raw.match(/^blocked_paths:\s*$/m);
+        if (bpStart) {
+            const after = raw.slice((bpStart.index ?? 0) + bpStart[0].length + 1);
+            const lines = after.split('\n');
+            const collected = [];
+            for (const line of lines) {
+                const m2 = line.match(/^\s*-\s+(?:['"]([^'"]+)['"]|(\S.*?))\s*$/);
+                if (!m2)
+                    break;
+                const v = m2[1] ?? m2[2];
+                if (v !== undefined)
+                    collected.push(v);
+            }
+            if (collected.length > 0)
+                out.blockedPaths = collected;
+        }
+        // notification_channel.
+        const nm = raw.match(/^notification_channel:\s*['"]?([^'"\n]*)['"]?\s*$/m);
+        if (nm?.[1] !== undefined)
+            out.notificationChannel = nm[1];
+        // review.codex_required (under nested `review:` block).
+        const cm = raw.match(/^\s+codex_required:\s*(true|false)\s*$/m);
+        if (cm?.[1] !== undefined)
+            out.codexRequired = cm[1] === 'true';
+        return out;
+    }
+    catch {
+        return undefined;
+    }
+}
 function readExistingInstalledAt(policyPath) {
     try {
         if (!fs.existsSync(policyPath))
@@ -480,30 +563,58 @@ export async function runInit(options) {
         }
     }
     const layeredBase = resolveLayered(profileName, reagentTranslated);
+    // 0.21.1: preserve user-mutable policy values across re-init (idempotency
+    // class — same as the `installed_at` fix from 0.17.0). Pre-fix, every
+    // `rea init` re-applied profile defaults, silently resetting an
+    // operator's `autonomy_level: L2` back to the profile's L1, etc.
+    // Read the existing policy if present and merge: explicit existing
+    // value wins over profile default. Operator opts out with --force
+    // (existing flag — bypass the file-existence check entirely).
+    // Profile-switch case: when the existing profile name disagrees with
+    // the requested profile, the existing values are STILL preserved by
+    // default but a stderr advisory names what was kept; operator can
+    // pass --force to fully reset.
+    const existingPolicy = readExistingPolicyForPreservation(targetDir);
     let config;
     if (options.yes === true) {
         // G11.4 non-interactive codex resolution:
         //   1. Explicit --codex / --no-codex flag wins.
-        //   2. Otherwise derive from the profile name (`*-no-codex` → false).
+        //   2. Otherwise existing policy value wins (preserves operator edit).
+        //   3. Otherwise derive from the profile name (`*-no-codex` → false).
         const codexRequired = options.codex !== undefined
             ? options.codex
-            : profileDefaultCodexRequired(profileName);
+            : (existingPolicy?.codexRequired ?? profileDefaultCodexRequired(profileName));
         config = {
             profile: profileName,
-            autonomyLevel: layeredBase.autonomy_level ?? AutonomyLevel.L1,
-            maxAutonomyLevel: layeredBase.max_autonomy_level ?? AutonomyLevel.L2,
-            blockAiAttribution: layeredBase.block_ai_attribution ?? true,
-            blockedPaths: layeredBase.blocked_paths ?? ['.env', '.env.*'],
-            notificationChannel: layeredBase.notification_channel ?? '',
+            autonomyLevel: existingPolicy?.autonomyLevel
+                ?? layeredBase.autonomy_level
+                ?? AutonomyLevel.L1,
+            maxAutonomyLevel: existingPolicy?.maxAutonomyLevel
+                ?? layeredBase.max_autonomy_level
+                ?? AutonomyLevel.L2,
+            blockAiAttribution: existingPolicy?.blockAiAttribution
+                ?? layeredBase.block_ai_attribution
+                ?? true,
+            blockedPaths: existingPolicy?.blockedPaths
+                ?? layeredBase.blocked_paths
+                ?? ['.env', '.env.*'],
+            notificationChannel: existingPolicy?.notificationChannel
+                ?? layeredBase.notification_channel
+                ?? '',
             codexRequired,
             fromReagent,
             reagentPolicyPath,
             reagentNotices,
         };
-        log(`Non-interactive init: profile=${profileName}, autonomy=${config.autonomyLevel}, max=${config.maxAutonomyLevel}, attribution-block=${config.blockAiAttribution}, codex_required=${config.codexRequired}`);
+        if (existingPolicy !== undefined) {
+            log(`Non-interactive init (re-run): preserving existing autonomy=${config.autonomyLevel}, max=${config.maxAutonomyLevel}, attribution-block=${config.blockAiAttribution}, codex_required=${config.codexRequired}. Pass --force to reset to profile defaults.`);
+        }
+        else {
+            log(`Non-interactive init: profile=${profileName}, autonomy=${config.autonomyLevel}, max=${config.maxAutonomyLevel}, attribution-block=${config.blockAiAttribution}, codex_required=${config.codexRequired}`);
+        }
     }
     else {
-        config = await runWizard(options, targetDir, reagentPolicyPath, layeredBase);
+        config = await runWizard(options, targetDir, reagentPolicyPath, layeredBase, existingPolicy);
         config.reagentNotices = reagentNotices;
     }
     if (!fs.existsSync(reaDir))

package/hooks/_lib/cmd-segments.sh

@@ -87,14 +87,29 @@
 # correct. We only need the mask to suppress matching; the captured
 # payload is read off the original string.
 #
-# Limitation: ONE level of unwrapping. A wrapper inside a wrapper
-# (`bash -c "bash -c 'innermost'"`) emits only the second-level payload
-# (`bash -c 'innermost'`), not the third-level. This is enough for
-# every consumer-reported bypass; deeper nesting can be added later
-# without changing the contract.
+# 0.21.2 helix-022 #3: recurse to fixed point with depth bound 8.
+# Pre-fix the function did exactly ONE level of unwrap, so
+# `bash -lc "bash -lc 'printf x > .rea/HALT'"` emitted the
+# middle wrapper as a segment but NEVER the inner `printf x > ...`.
+# Now each extracted payload is re-fed through the unwrap until
+# either no payload is found (fixed point) or depth 8 is reached.
+# Depth limit prevents pathological inputs; on overflow the helper
+# emits a stderr advisory but does not refuse — caller falls back
+# to logical-form-only enforcement of the partial unwrap.
 _rea_unwrap_nested_shells() {
+  _rea_unwrap_at_depth "$1" 0
+}
+
+_rea_unwrap_at_depth() {
   local cmd="$1"
+  local depth="$2"
+  local max_depth=8
   printf '%s\n' "$cmd"
+  if [[ $depth -ge $max_depth ]]; then
+    printf 'rea: nested-shell unwrap depth limit (%d) reached on payload %.80s...\n' \
+      "$max_depth" "$cmd" >&2
+    return 0
+  fi
   # Build a mask where in-quote `"` `'` `;` `&` `|` characters are
   # replaced with multi-byte sentinels so the wrapper regex below
   # cannot match wrapper syntax that lives inside outer quoted prose.
@@ -172,7 +187,10 @@ _rea_unwrap_nested_shells() {
   # masked form; payload extraction reads the raw form using the same
   # offsets. Because the mask is byte-for-byte width-preserving, the
   # same RSTART/RLENGTH applies to both.
-  printf '' | awk -v raw="$cmd" -v masked="$masked" '
+  #
+  # 0.21.2: capture payloads to a local var; iterate to recurse.
+  local _unwrap_payloads
+  _unwrap_payloads=$(printf '' | awk -v raw="$cmd" -v masked="$masked" '
     BEGIN {
       # Wrapper-prefix regex: shell-name + optional flag tokens + -c-style flag.
       # Each flag token is `-` followed by 1+ letters and trailing space.
@@ -263,7 +281,14 @@ _rea_unwrap_nested_shells() {
     }
     # Empty action with no input rules — explicitly drive the loop from
     # END so awk does not require any input records.
-    END {}'
+    END {}')
+  # Recurse on each extracted payload with depth+1.
+  if [[ -n "$_unwrap_payloads" ]]; then
+    while IFS= read -r _unwrap_p; do
+      [[ -z "$_unwrap_p" ]] && continue
+      _rea_unwrap_at_depth "$_unwrap_p" $((depth + 1))
+    done <<< "$_unwrap_payloads"
+  fi
 }
 
 # Split $1 on shell command separators. Emits one segment per line on

package/hooks/_lib/interpreter-scanner.sh

@@ -0,0 +1,71 @@
+# shellcheck shell=bash
+# hooks/_lib/interpreter-scanner.sh — extract write-operation targets
+# from interpreter `-e` / `--eval` invocations.
+#
+# 0.21.2 helix-022 #2: shared between blocked-paths-bash-gate.sh and
+# protected-paths-bash-gate.sh. Pre-fix the protected gate had no
+# interpreter scanner — `node -e "fs.writeFileSync('.rea/HALT','x')"`
+# bypassed the protected-path check while the soft blocked-paths gate
+# (which had its own copy of the scanner) caught equivalent writes
+# against soft-list paths.
+#
+# Coverage:
+#   node -e | --eval | -p | --print   (also fs.writeFile / appendFile
+#                                       / createWriteStream variants)
+#   python | python2 | python3 -c     (open(...,'w'), pathlib.write_*)
+#   ruby -e                            (File.write, IO.write)
+#   perl -e                            (open + print, syswrite)
+#
+# Returns: stdout — one path per line, raw (post-quote-strip but no
+# normalization). Caller passes each through their own _normalize_target
+# / _check_token / rea_path_is_protected pipeline.
+
+# Extract write targets from an interpreter -e / --eval invocation.
+# Usage: rea_interpreter_write_targets "$segment"
+#        Returns each path on a separate line on stdout.
+#        No output means no interpreter-write-shape was detected.
+rea_interpreter_write_targets() {
+  local segment="$1"
+
+  # Node — fs.writeFileSync / fs.writeFile / fs.appendFileSync /
+  #        fs.appendFile / fs.createWriteStream
+  if [[ "$segment" =~ (^|[[:space:]])node[[:space:]]+(-e|--eval|-p|--print)[[:space:]]+ ]]; then
+    printf '%s' "$segment" \
+      | grep -oE "fs\.(writeFileSync|writeFile|appendFileSync|appendFile|createWriteStream)\([[:space:]]*[\"'][^\"']+[\"']" \
+      | sed -E "s/.*\([[:space:]]*[\"']([^\"']+)[\"'].*/\\1/" \
+      || true
+  fi
+
+  # Python — open(PATH, 'w'|'wb'|'a'|'ab'|'w+'|'r+'|'x'|'xb') |
+  #          pathlib.Path(PATH).write_text|.write_bytes
+  if [[ "$segment" =~ (^|[[:space:]])python[23]?[[:space:]]+(-c) ]]; then
+    # open(...,'w'-style)
+    printf '%s' "$segment" \
+      | grep -oE "open\([[:space:]]*[\"'][^\"']+[\"'][[:space:]]*,[[:space:]]*[\"'](w|wb|a|ab|w\+|r\+|x|xb)[\"']" \
+      | sed -E "s/open\([[:space:]]*[\"']([^\"']+)[\"'].*/\\1/" \
+      || true
+    # pathlib write_text / write_bytes
+    printf '%s' "$segment" \
+      | grep -oE "Path\([[:space:]]*[\"'][^\"']+[\"'][[:space:]]*\)\.(write_text|write_bytes)" \
+      | sed -E "s/Path\([[:space:]]*[\"']([^\"']+)[\"'].*/\\1/" \
+      || true
+  fi
+
+  # Ruby — File.write(PATH, ...) | IO.write(PATH, ...)
+  if [[ "$segment" =~ (^|[[:space:]])ruby[[:space:]]+(-e) ]]; then
+    printf '%s' "$segment" \
+      | grep -oE "(File|IO)\.write\([[:space:]]*[\"'][^\"']+[\"']" \
+      | sed -E "s/.*\([[:space:]]*[\"']([^\"']+)[\"'].*/\\1/" \
+      || true
+  fi
+
+  # Perl — open(FH, '>file') | open(FH, '>>file') | sysopen(... O_WRONLY)
+  # Conservative: capture the literal `>file` / `>>file` form, which is
+  # the common shell-style spelling Perl accepts in 2-arg open.
+  if [[ "$segment" =~ (^|[[:space:]])perl[[:space:]]+(-e) ]]; then
+    printf '%s' "$segment" \
+      | grep -oE "open\([[:space:]]*[A-Z_]+,[[:space:]]*[\"']>{1,2}[^\"']+[\"']" \
+      | sed -E "s/.*[\"']>+([^\"']+)[\"'].*/\\1/" \
+      || true
+  fi
+}

package/hooks/_lib/path-normalize.sh

@@ -58,9 +58,36 @@ resolve_parent_realpath() {
   local parent_dir
   parent_dir=$(dirname -- "$target_path")
   if [[ ! -d "$parent_dir" ]]; then
-    # Parent doesn't exist yet — caller should treat as "no realpath
-    # available" and fall back to logical-path checks. Return empty.
-    printf ''
+    # 0.21.2 helix-022 #1: parent doesn't exist on disk — but a
+    # SYMLINK along the path might. Walk up to the nearest existing
+    # ancestor, resolve THAT, then append the unresolved tail. Pre-fix
+    # this returned empty for any path whose terminal directory is
+    # created mid-segment (`mkdir -p linkroot/.husky/sub` followed by
+    # a redirect into `.husky/sub/X`); the caller fell back to logical-
+    # path-only enforcement, restoring the symlink-walk bypass.
+    local walk="$parent_dir"
+    local tail=""
+    while [[ -n "$walk" && "$walk" != "/" && "$walk" != "." && ! -d "$walk" ]]; do
+      tail="$(basename -- "$walk")${tail:+/$tail}"
+      walk="$(dirname -- "$walk")"
+    done
+    if [[ -z "$walk" || "$walk" == "/" ]]; then
+      # Walked all the way up; no existing ancestor inside the project.
+      # Caller still has the logical-path check; return empty.
+      printf ''
+      return 0
+    fi
+    local resolved_walk
+    resolved_walk=$(cd -P -- "$walk" 2>/dev/null && pwd -P 2>/dev/null) || resolved_walk=""
+    if [[ -z "$resolved_walk" ]]; then
+      printf ''
+      return 0
+    fi
+    if [[ -n "$tail" ]]; then
+      printf '%s/%s' "$resolved_walk" "$tail"
+    else
+      printf '%s' "$resolved_walk"
+    fi
     return 0
   fi
   # `cd -P` follows symlinks; `pwd -P` prints the resolved physical

package/hooks/blocked-paths-bash-gate.sh

@@ -45,6 +45,8 @@ source "$(dirname "$0")/_lib/path-normalize.sh"
 source "$(dirname "$0")/_lib/policy-read.sh"
 # shellcheck source=_lib/halt-check.sh
 source "$(dirname "$0")/_lib/halt-check.sh"
+# shellcheck source=_lib/interpreter-scanner.sh
+source "$(dirname "$0")/_lib/interpreter-scanner.sh"
 
 INPUT=$(cat)
 
@@ -270,25 +272,17 @@ _check_segment() {
       ;;
   esac
 
-  # Node-interpreter fs.writeFileSync / fs.appendFileSync / fs.createWriteStream
-  # detection (discord-ops Round 9 #1 explicit shape). Anchored on
-  # `node -e ...` or `node --eval ...`. Conservative regex: pulls the
-  # first quoted argument out of the call.
-  local re_node_write='(^|[[:space:]])node[[:space:]]+(-e|--eval|-p|--print)[[:space:]]+'
-  if [[ "$segment" =~ $re_node_write ]]; then
-    # Find any quoted-string argument that contains fs.write* /
-    # fs.append* / createWriteStream + a path-looking arg. This is a
-    # best-effort scan; the goal is the obvious vector, not full JS.
-    local node_targets
-    node_targets=$(printf '%s' "$segment" \
-      | grep -oE "fs\.(writeFileSync|writeFile|appendFileSync|appendFile|createWriteStream)\([[:space:]]*[\"'][^\"']+[\"']" \
-      | sed -E "s/.*\([[:space:]]*[\"']([^\"']+)[\"'].*/\\1/" || true)
-    if [[ -n "$node_targets" ]]; then
-      while IFS= read -r tgt; do
-        [[ -z "$tgt" ]] && continue
-        _check_token "$tgt" "$segment"
-      done <<<"$node_targets"
-    fi
+  # 0.21.2 helix-022 #2: interpreter scanner factored to
+  # _lib/interpreter-scanner.sh and shared with protected-paths-bash-gate.
+  # Covers node -e fs.writeFileSync, python -c open(...,'w'),
+  # ruby -e File.write, perl -e open(FH,'>...').
+  local interp_targets
+  interp_targets=$(rea_interpreter_write_targets "$segment")
+  if [[ -n "$interp_targets" ]]; then
+    while IFS= read -r tgt; do
+      [[ -z "$tgt" ]] && continue
+      _check_token "$tgt" "$segment"
+    done <<<"$interp_targets"
   fi
 
   return 0

package/hooks/protected-paths-bash-gate.sh

@@ -31,6 +31,8 @@ source "$(dirname "$0")/_lib/protected-paths.sh"
 source "$(dirname "$0")/_lib/path-normalize.sh"
 # shellcheck source=_lib/cmd-segments.sh
 source "$(dirname "$0")/_lib/cmd-segments.sh"
+# shellcheck source=_lib/interpreter-scanner.sh
+source "$(dirname "$0")/_lib/interpreter-scanner.sh"
 
 INPUT=$(cat)
 
@@ -72,6 +74,20 @@ _normalize_target() {
   # Strip matching surrounding quotes.
   if [[ "$t" =~ ^\"(.*)\"$ ]]; then t="${BASH_REMATCH[1]}"; fi
   if [[ "$t" =~ ^\'(.*)\'$ ]]; then t="${BASH_REMATCH[1]}"; fi
+  # 0.21.2 helix-022 #5: fail closed on shell parameter/command
+  # substitution in the target. `printf x > "$p"` (where p was set
+  # earlier in the segment to `.rea/HALT`) bypassed the gate because
+  # neither the logical nor resolved-form check matched the literal
+  # string `$p`. We DO NOT try to resolve `$NAME=value` assignments
+  # in the same segment — that's a partial-execution semantic this
+  # static analyzer cannot guarantee. Refuse with a clear sentinel
+  # so the caller emits the actionable error message.
+  case "$t" in
+    *'$'*|*'`'*)
+      printf '__rea_unresolved_expansion__:%s' "$t"
+      return 0
+      ;;
+  esac
   # If the path contains `..` segments, resolve them aggressively. We
   # cannot rely on `realpath` being installed; do a manual resolution
   # by walking segments. This is the helix-015 P1 fix: pre-fix, the
@@ -121,6 +137,83 @@ _normalize_target() {
   printf '%s' "$t" | tr '[:upper:]' '[:lower:]'
 }
 
+# 0.21.2 helix-022 #4: cp/mv destination extractor. Walks the segment
+# token-by-token, skips flags (single-dash, double-dash, `--` end-of-
+# options separator), returns the LAST positional argument — which is
+# the destination per POSIX cp/mv semantic.
+#
+# Handles:
+#   cp src dst           → dst
+#   cp -f src dst        → dst
+#   cp --force src dst   → dst
+#   cp a b c dst         → dst (multi-source: last is destination)
+#   cp -- -src dst       → dst (-- ends option processing)
+#   cp -t dir src        → src is the source after -t flag (-t SOURCE_FIRST)
+#                          but we don't try to follow -t semantics; we
+#                          conservatively treat the LAST positional as
+#                          the destination, which over-blocks `-t dir src`
+#                          (destination becomes `src`) — the caller's
+#                          rea_path_is_protected check then determines
+#                          if that's actually protected. False-positive
+#                          case is narrow.
+#
+# Flag-with-value awareness: short flag clusters that take a value
+# (cp -t TARGET_DIR, mv -S SUFFIX, install -m MODE, etc.) consume the
+# next token. Conservative heuristic: known short-options-with-values
+# get the next token consumed.
+_extract_cpmv_destination() {
+  local segment="$1"
+  local stripped="${segment#"${segment%%[![:space:]]*}"}"
+  # Word-split on whitespace. `set --` is intentional; downstream
+  # iteration consumes positional args.
+  local positionals=()
+  local found_cmd=""
+  local end_of_options=0
+  # shellcheck disable=SC2086
+  set -- $stripped
+  while [ "$#" -gt 0 ]; do
+    local tok="$1"
+    shift
+    if [[ -z "$found_cmd" ]]; then
+      case "$tok" in
+        cp|mv) found_cmd="$tok" ;;
+      esac
+      continue
+    fi
+    if [[ "$end_of_options" -eq 1 ]]; then
+      positionals+=("$tok")
+      continue
+    fi
+    case "$tok" in
+      --) end_of_options=1; continue ;;
+      --*=*) continue ;;
+      --*)
+        # Long flags that take a value as the next token.
+        case "$tok" in
+          --target-directory|--reply|--suffix|--backup|--reflink|--strip-trailing-slashes)
+            shift 2>/dev/null || true
+            ;;
+        esac
+        continue
+        ;;
+      -*)
+        # Short flag cluster. Check the LAST char — if it's a known
+        # value-taking flag, consume the next token.
+        case "$tok" in
+          *-t|*-S|*-Z|*-T) shift 2>/dev/null || true ;;
+        esac
+        continue
+        ;;
+      *)
+        positionals+=("$tok")
+        ;;
+    esac
+  done
+  if [[ ${#positionals[@]} -ge 2 ]]; then
+    printf '%s' "${positionals[$((${#positionals[@]} - 1))]}"
+  fi
+}
+
 # Refuse and exit 2 with a uniform error message.
 _refuse() {
   local pattern="$1" target="$2" segment="$3"
@@ -159,7 +252,15 @@ _check_segment() {
   # pattern accepts: optional fd-prefix, then `>` or `>>` or `>|`, with
   # optional `&` for stderr-merge variants.
   local re_redirect='(^|[[:space:]])(&>>|&>|[0-9]+>>|[0-9]+>\||[0-9]+>|>>|>\||>)[[:space:]]*([^[:space:]&|;<>]+)'
-  local re_cpmv='(^|[[:space:]])(cp|mv)[[:space:]]+[^&|;<>]+[[:space:]]([^[:space:]&|;<>]+)[[:space:]]*$'
+  # 0.21.2 helix-022 #4: cp/mv detection now uses an explicit argv-walk
+  # (`_extract_cpmv_destination`) instead of regex-with-backtracking so
+  # every shape is handled — `cp -f src dst`, multi-source `cp a b dst`,
+  # `cp --no-clobber src dst`, `cp -- src dst`. The walker treats the
+  # LAST positional as the destination (POSIX cp/mv semantic). The
+  # sentinel `re_cpmv` regex below is retained ONLY as a cheap pre-screen
+  # — it matches the command name to avoid running the walker on every
+  # segment, but never returns the destination (the walker does).
+  local re_cpmv_screen='(^|[[:space:]])(cp|mv)[[:space:]]+'
   local re_sed='(^|[[:space:]])sed[[:space:]]+(-[a-zA-Z]*i[a-zA-Z]*[^[:space:]]*)[[:space:]]+[^&|;<>]+[[:space:]]([^[:space:]&|;<>]+)[[:space:]]*$'
   local re_dd='(^|[[:space:]])dd[[:space:]]+[^&|;<>]*of=([^[:space:]&|;<>]+)'
   # 0.15.0 codex P1 fix: replaced the bash-3.2-broken `(...)*` pattern
@@ -171,9 +272,17 @@ _check_segment() {
   if [[ "$segment" =~ $re_redirect ]]; then
     target_token="${BASH_REMATCH[3]}"
     detected_form="redirect ${BASH_REMATCH[2]}"
-  elif [[ "$segment" =~ $re_cpmv ]]; then
-    target_token="${BASH_REMATCH[3]}"
-    detected_form="${BASH_REMATCH[2]}"
+  elif [[ "$segment" =~ $re_cpmv_screen ]]; then
+    # 0.21.2 helix-022 #4: extract destination via argv-walk; LAST
+    # positional is the destination per POSIX cp/mv semantic.
+    local _cpmv_cmd="${BASH_REMATCH[2]}"
+    target_token=$(_extract_cpmv_destination "$segment")
+    detected_form="$_cpmv_cmd"
+    if [[ -z "$target_token" ]]; then
+      # No positional destination found — segment isn't actually a
+      # valid cp/mv invocation. Fall through.
+      :
+    fi
   elif [[ "$segment" =~ $re_sed ]]; then
     target_token="${BASH_REMATCH[3]}"
     detected_form="sed -i"
@@ -246,6 +355,18 @@ _check_segment() {
             } >&2
             exit 2
           fi
+          # 0.21.2 helix-022 #5: shell expansion in target — refuse.
+          if [[ "$_t" == __rea_unresolved_expansion__:* ]]; then
+            local raw="${_t#__rea_unresolved_expansion__:}"
+            {
+              printf 'PROTECTED PATH (bash): unresolved shell expansion in target\n'
+              printf '  Token: %s\n  Segment: %s\n' "$raw" "$segment"
+              printf '  Rule: $-substitution and `command-substitution` in redirect\n'
+              printf '        targets are refused at static-analysis time. Resolve\n'
+              printf '        the variable to a literal path before the redirect.\n'
+            } >&2
+            exit 2
+          fi
           # 0.20.1 helix-021 #1: resolve intermediate symlinks via
           # `cd -P / pwd -P` parent-canonicalization (Write-tier parity).
           # `ln -s ../ .husky/pre-push.d/linkdir; printf x > .husky/pre-push.d/linkdir/pre-push`
@@ -285,7 +406,13 @@ _check_segment() {
     done
   fi
 
+  # 0.21.2 helix-022 #2: when no shell-redirect target was found,
+  # interpreter-scanner pass before returning. `node -e
+  # "fs.writeFileSync('.rea/HALT','x')"` has NO redirect or cp/mv
+  # token but still writes a protected path. Run the scanner on the
+  # raw segment; refuse if any extracted target is protected.
   if [[ -z "$target_token" ]]; then
+    _interpreter_scan_and_refuse_protected "$segment"
     return 0
   fi
 
@@ -307,6 +434,21 @@ _check_segment() {
     } >&2
     exit 2
   fi
+  # 0.21.2 helix-022 #5: shell expansion in target — refuse.
+  if [[ "$target" == __rea_unresolved_expansion__:* ]]; then
+    local raw="${target#__rea_unresolved_expansion__:}"
+    {
+      printf 'PROTECTED PATH (bash): unresolved shell expansion in target\n'
+      printf '\n'
+      printf '  Token:   %s\n' "$raw"
+      printf '  Segment: %s\n' "$segment"
+      printf '\n'
+      printf '  Rule: $-substitution and `command-substitution` in redirect\n'
+      printf '        targets are refused at static-analysis time. Resolve\n'
+      printf '        the variable to a literal path before the redirect.\n'
+    } >&2
+    exit 2
+  fi
   # 0.20.1 helix-021 #1: resolve intermediate symlinks. See parallel
   # block in the multi-target loop above for the rationale.
   local target_resolved
@@ -340,9 +482,55 @@ _check_segment() {
     done
     _refuse "$matched" "$hit_form" "$segment"
   fi
+
+  # 0.21.2 helix-022 #2: interpreter-scanner pass even when a
+  # shell-redirect target was already found. A single segment can
+  # have BOTH a shell redirect AND a node -e fs.write*; both must
+  # be checked.
+  _interpreter_scan_and_refuse_protected "$segment"
+
   return 0
 }
 
+# 0.21.2 helix-022 #2: interpreter-scanner pass. Catches
+# `node -e "fs.writeFileSync('.rea/HALT','x')"` and equivalents in
+# python/ruby/perl. The blocked-paths sibling has had this since
+# 0.16.3 F3; this is parity. Each extracted target runs through
+# `_normalize_target` + `rea_path_is_protected` so the existing
+# logical-form + symlink-resolved-form checks both apply.
+_interpreter_scan_and_refuse_protected() {
+  local segment="$1"
+  local _interp_targets
+  _interp_targets=$(rea_interpreter_write_targets "$segment")
+  [[ -z "$_interp_targets" ]] && return 0
+  while IFS= read -r _interp_t; do
+    [[ -z "$_interp_t" ]] && continue
+    local _norm
+    _norm=$(_normalize_target "$_interp_t")
+    if [[ "$_norm" == __rea_outside_root__:* || "$_norm" == __rea_unresolved_expansion__:* ]]; then
+      continue
+    fi
+    local _norm_resolved
+    _norm_resolved=$(rea_resolved_relative_form "$_interp_t")
+    if rea_path_is_protected "$_norm" \
+       || ([[ -n "$_norm_resolved" && "$_norm_resolved" != __rea_outside_root__:* ]] \
+          && rea_path_is_protected "$_norm_resolved"); then
+      local matched_interp="" pattern_lc
+      local hit_form="$_norm"
+      if [[ -n "$_norm_resolved" ]] && rea_path_is_protected "$_norm_resolved" \
+         && ! rea_path_is_protected "$_norm"; then
+        hit_form="$_norm_resolved"
+      fi
+      for pattern in "${REA_PROTECTED_PATTERNS[@]}"; do
+        pattern_lc=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
+        if [[ "$hit_form" == "$pattern_lc" ]]; then matched_interp="$pattern"; break; fi
+        if [[ "$pattern_lc" == */ && "$hit_form" == "$pattern_lc"* ]]; then matched_interp="$pattern"; break; fi
+      done
+      _refuse "$matched_interp" "$hit_form" "$segment"
+    fi
+  done <<<"$_interp_targets"
+}
+
 for_each_segment "$CMD" _check_segment
 
 exit 0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.21.0",
+  "version": "0.22.0",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",