@bookedsolid/rea 0.22.0 → 0.23.0

package/dist/cli/doctor.js

@@ -4,12 +4,12 @@ import { loadPolicy } from '../policy/loader.js';
 import { loadRegistry } from '../registry/loader.js';
 import { loadFingerprintStore } from '../registry/fingerprints-store.js';
 import { fingerprintServer } from '../registry/fingerprint.js';
-import { CodexProbe, } from '../gateway/observability/codex-probe.js';
-import { inspectPrePushState, } from './install/pre-push.js';
+import { CodexProbe } from '../gateway/observability/codex-probe.js';
+import { inspectPrePushState } from './install/pre-push.js';
 import { summarizeTelemetry } from '../gateway/observability/codex-telemetry.js';
 import { CLAUDE_MD_MANIFEST_PATH, SETTINGS_MANIFEST_PATH, enumerateCanonicalFiles, } from './install/canonical.js';
 import { buildFragment } from './install/claude-md.js';
-import { canonicalSettingsSubsetHash, defaultDesiredHooks, } from './install/settings-merge.js';
+import { canonicalSettingsSubsetHash, defaultDesiredHooks } from './install/settings-merge.js';
 import { manifestExists, readManifest } from './install/manifest-io.js';
 import { sha256OfBuffer, sha256OfFile } from './install/sha.js';
 import { POLICY_FILE, REA_DIR, REGISTRY_FILE, getPkgVersion, log, reaPath } from './utils.js';
@@ -177,7 +177,11 @@ function checkAgentsPresent(baseDir) {
 function checkHooksInstalled(baseDir) {
     const hooksDir = path.join(baseDir, '.claude', 'hooks');
     if (!fs.existsSync(hooksDir)) {
-        return { label: 'hooks installed + executable', status: 'fail', detail: `missing: ${hooksDir}` };
+        return {
+            label: 'hooks installed + executable',
+            status: 'fail',
+            detail: `missing: ${hooksDir}`,
+        };
     }
     const issues = [];
     for (const name of EXPECTED_HOOKS) {
@@ -309,9 +313,7 @@ export function isGitRepo(baseDir) {
     const targetPath = rawTarget;
     if (targetPath.length === 0)
         return false;
-    const resolved = path.isAbsolute(targetPath)
-        ? targetPath
-        : path.join(baseDir, targetPath);
+    const resolved = path.isAbsolute(targetPath) ? targetPath : path.join(baseDir, targetPath);
     return fs.existsSync(resolved);
 }
 function checkCommitMsgHook(baseDir) {
@@ -386,9 +388,7 @@ function checkPrePushHook(state) {
         // …), surface the .d/ migration path explicitly so consumers know
         // exactly how to keep their existing chain without losing rea coverage
         // or having `rea upgrade` clobber them again.
-        const hints = state.activePath !== null
-            ? detectPriorToolHints(state.activePath)
-            : [];
+        const hints = state.activePath !== null ? detectPriorToolHints(state.activePath) : [];
         let detail = `active pre-push at ${state.activePath} is present and executable but does NOT ` +
             'invoke `rea hook push-gate` — the 0.11.0 push-gate is silently bypassed. ' +
             'Either add `exec rea hook push-gate "$@"` to the existing hook, or ' +
@@ -820,8 +820,7 @@ export async function collectDriftReport(baseDir) {
     // Manifest entries no longer in canonical (removed upstream), excluding
     // synthetic entries handled below.
     for (const entry of manifest.files) {
-        if (entry.path === CLAUDE_MD_MANIFEST_PATH ||
-            entry.path === SETTINGS_MANIFEST_PATH)
+        if (entry.path === CLAUDE_MD_MANIFEST_PATH || entry.path === SETTINGS_MANIFEST_PATH)
             continue;
         if (!canonicalByPath.has(entry.path)) {
             rows.push({

package/dist/cli/hook.d.ts

@@ -48,8 +48,42 @@ export interface HookPushGateOptions {
  */
 export declare function runHookPushGate(options: HookPushGateOptions): Promise<void>;
 /**
- * Attach the `rea hook` subcommand tree to a commander Program. Single
- * subcommand today (`push-gate`); new hooks should land here rather than as
- * top-level commands so the CLI surface stays navigable.
+ * `rea hook scan-bash --mode protected|blocked` — invoked by the bash
+ * shim hooks at `hooks/protected-paths-bash-gate.sh` and
+ * `hooks/blocked-paths-bash-gate.sh` (since 0.23.0). Reads the Claude
+ * Code tool-input JSON from stdin, extracts `.tool_input.command`,
+ * runs the parser-backed scanner, and writes a verdict JSON to stdout.
+ *
+ * Exit-code contract (parsed by the bash shim via `jq`):
+ *   0 — allow (verdict.verdict == "allow")
+ *   2 — block (verdict.verdict == "block")
+ *   1 — runtime error (HALT active, missing args, internal exception)
+ *
+ * The verdict shape on stdout is `Verdict` (see `verdict.ts`); the
+ * bash shim only reads `.verdict` and `.reason`. Other fields are for
+ * structured-logging consumers in tests + audit middleware.
+ *
+ * HALT is checked HERE (not in the bash shim) so we have a single
+ * source of truth — the shim is intentionally as dumb as possible.
+ */
+export interface HookScanBashOptions {
+    mode: 'protected' | 'blocked';
+    /**
+     * Override REA_ROOT. Useful in tests; the production shim doesn't
+     * pass this — it relies on `process.cwd()` matching CLAUDE_PROJECT_DIR.
+     */
+    reaRoot?: string;
+}
+/**
+ * The non-async entry the commander binding hits. Reads stdin (with
+ * a timeout — same pattern as runHookPushGate), executes the scan,
+ * writes the verdict JSON, exits with the appropriate code.
+ */
+export declare function runHookScanBash(options: HookScanBashOptions): Promise<void>;
+/**
+ * Attach the `rea hook` subcommand tree to a commander Program. Two
+ * subcommands today: `push-gate` and `scan-bash`. New hooks should land
+ * here rather than as top-level commands so the CLI surface stays
+ * navigable.
  */
 export declare function registerHookCommand(program: Command): void;

package/dist/cli/hook.js

@@ -28,7 +28,12 @@
  * `codex_required: true`, `concerns_blocks: true`. The gate still fires.
  * This matches the protective default established in 0.10.x.
  */
+import fs from 'node:fs';
+import path from 'node:path';
 import { parsePrePushStdin, runPushGate } from '../hooks/push-gate/index.js';
+import { runBlockedScan, runProtectedScan } from '../hooks/bash-scanner/index.js';
+import { loadPolicy } from '../policy/loader.js';
+import { appendAuditRecord, InvocationStatus, Tier } from '../audit/append.js';
 import { err } from './utils.js';
 /**
  * Public runner, exposed so integration tests and the commander binding can
@@ -54,7 +59,9 @@ export async function runHookPushGate(options) {
             env: process.env,
             stderr,
             refspecs,
-            ...(options.base !== undefined && options.base.length > 0 ? { explicitBase: options.base } : {}),
+            ...(options.base !== undefined && options.base.length > 0
+                ? { explicitBase: options.base }
+                : {}),
             ...(options.lastNCommits !== undefined ? { lastNCommits: options.lastNCommits } : {}),
         });
         process.exit(result.exitCode);
@@ -102,14 +109,169 @@ async function readStdinWithTimeout(timeoutMs) {
     });
 }
 /**
- * Attach the `rea hook` subcommand tree to a commander Program. Single
- * subcommand today (`push-gate`); new hooks should land here rather than as
- * top-level commands so the CLI surface stays navigable.
+ * The non-async entry the commander binding hits. Reads stdin (with
+ * a timeout — same pattern as runHookPushGate), executes the scan,
+ * writes the verdict JSON, exits with the appropriate code.
+ */
+export async function runHookScanBash(options) {
+    const reaRoot = options.reaRoot ?? process.env['CLAUDE_PROJECT_DIR'] ?? process.cwd();
+    // HALT check — uniform with the bash hooks. We exit 2 (block) so
+    // the shim refuses the command in the same way settings-protection
+    // and the bash gates do.
+    const haltPath = path.join(reaRoot, '.rea', 'HALT');
+    if (fs.existsSync(haltPath)) {
+        let reason = 'Reason unknown';
+        try {
+            const content = fs.readFileSync(haltPath, 'utf8');
+            reason = content.slice(0, 1024).trim() || reason;
+        }
+        catch {
+            /* leave default */
+        }
+        process.stderr.write(`REA HALT: ${reason}\nAll agent operations suspended. Run: rea unfreeze\n`);
+        const haltVerdict = {
+            verdict: 'block',
+            reason: 'rea HALT active',
+        };
+        process.stdout.write(JSON.stringify(haltVerdict) + '\n');
+        process.exit(2);
+    }
+    const stdinRaw = process.stdin.isTTY ? '' : await readStdinWithTimeout(5_000);
+    let cmd = '';
+    if (stdinRaw.length > 0) {
+        try {
+            const parsed = JSON.parse(stdinRaw);
+            const c = parsed.tool_input?.command;
+            // Codex round 1 F-31: tool_input.command MUST be a string. A
+            // crafted payload with `command: ["rm", "-rf"]` or `command: 42`
+            // would pre-fix silently fall through to "allow on empty cmd".
+            // Refuse on type mismatch.
+            if (c !== undefined && typeof c !== 'string') {
+                const wrong = {
+                    verdict: 'block',
+                    reason: 'rea: scan-bash received a non-string `tool_input.command` field; refusing on uncertainty',
+                };
+                process.stdout.write(JSON.stringify(wrong) + '\n');
+                process.stderr.write(wrong.reason + '\n');
+                process.exit(2);
+            }
+            if (typeof c === 'string')
+                cmd = c;
+        }
+        catch {
+            // Malformed JSON on stdin → fail closed. The bash shim only
+            // forwards what Claude Code sends, so this should never happen
+            // in production; treating it as block prevents a crafted payload
+            // from getting an allow.
+            const malformed = {
+                verdict: 'block',
+                reason: 'rea: scan-bash received malformed JSON on stdin; refusing on uncertainty',
+            };
+            process.stdout.write(JSON.stringify(malformed) + '\n');
+            process.exit(2);
+        }
+    }
+    // Empty command → allow. Matches the bash gates' `[[ -z "$CMD" ]] && exit 0`.
+    if (cmd.length === 0) {
+        process.stdout.write(JSON.stringify({ verdict: 'allow' }) + '\n');
+        process.exit(0);
+    }
+    // Load policy. A missing policy file is treated as "no governance" —
+    // we allow on missing-policy so dev environments without a fully-
+    // initialized rea directory don't hard-block. The bash shim
+    // pre-0.23.0 had the same posture.
+    let blockedPaths = [];
+    let protectedWrites;
+    let protectedRelax = [];
+    try {
+        const policy = loadPolicy(reaRoot);
+        blockedPaths = policy.blocked_paths;
+        protectedWrites = policy.protected_writes;
+        protectedRelax = policy.protected_paths_relax ?? [];
+    }
+    catch {
+        // Policy missing or invalid. Continue with defaults — the historical
+        // protected list is hardcoded; blocked_paths becomes an empty no-op.
+    }
+    let verdict;
+    try {
+        if (options.mode === 'protected') {
+            verdict = runProtectedScan({
+                reaRoot,
+                policy: {
+                    ...(protectedWrites !== undefined ? { protected_writes: protectedWrites } : {}),
+                    protected_paths_relax: protectedRelax,
+                },
+                stderr: (line) => process.stderr.write(line),
+            }, cmd);
+        }
+        else {
+            verdict = runBlockedScan({ reaRoot, blockedPaths }, cmd);
+        }
+    }
+    catch (e) {
+        // Any exception in the scanner is a bug; fail closed.
+        const reason = e instanceof Error ? e.message : String(e);
+        verdict = {
+            verdict: 'block',
+            reason: `rea: scan-bash internal error; refusing on uncertainty: ${reason}`,
+        };
+    }
+    // Codex round 1 F-26: emit an audit record so the gateway audit log
+    // captures every scan-bash invocation. Best-effort — failure to
+    // write an audit entry must NOT change the verdict.
+    try {
+        await appendAuditRecord(reaRoot, {
+            tool_name: 'rea.hook.scan-bash',
+            server_name: 'rea',
+            tier: Tier.Read,
+            status: verdict.verdict === 'allow' ? InvocationStatus.Allowed : InvocationStatus.Denied,
+            metadata: {
+                mode: options.mode,
+                verdict: verdict.verdict,
+                ...(verdict.detected_form !== undefined ? { detected_form: verdict.detected_form } : {}),
+                ...(verdict.hit_pattern !== undefined ? { hit_pattern: verdict.hit_pattern } : {}),
+                // Truncate the command to avoid blowing the audit log on very
+                // long inputs.
+                command_preview: cmd.slice(0, 256),
+            },
+        });
+    }
+    catch {
+        /* best-effort */
+    }
+    // Write verdict JSON to stdout.
+    process.stdout.write(JSON.stringify(verdict) + '\n');
+    if (verdict.verdict === 'block') {
+        if (typeof verdict.reason === 'string' && verdict.reason.length > 0) {
+            process.stderr.write(verdict.reason + '\n');
+        }
+        process.exit(2);
+    }
+    process.exit(0);
+}
+/**
+ * Attach the `rea hook` subcommand tree to a commander Program. Two
+ * subcommands today: `push-gate` and `scan-bash`. New hooks should land
+ * here rather than as top-level commands so the CLI surface stays
+ * navigable.
  */
 export function registerHookCommand(program) {
     const hook = program
         .command('hook')
-        .description('Pre-hook entry points for git (pre-push) and Claude Code. Called by `.husky/pre-push` and the optional `.git/hooks/pre-push` fallback.');
+        .description('Pre-hook entry points for git (pre-push) and Claude Code. Called by `.husky/pre-push`, the optional `.git/hooks/pre-push` fallback, and the bash-shim Claude Code hooks at `.claude/hooks/{protected,blocked}-paths-bash-gate.sh`.');
+    hook
+        .command('scan-bash')
+        .description('Parser-backed bash-tier scanner. Reads Claude Code tool-input JSON from stdin, runs the AST walker against the protected-paths or blocked_paths policy, and writes a verdict JSON to stdout. Exit 0 on allow, 2 on block.')
+        .option('--mode <protected|blocked>', 'which policy to enforce: `protected` for the hardcoded + protected_writes list, `blocked` for the policy.blocked_paths list', (raw) => {
+        if (raw !== 'protected' && raw !== 'blocked') {
+            throw new Error(`--mode must be "protected" or "blocked", got ${JSON.stringify(raw)}`);
+        }
+        return raw;
+    }, 'protected')
+        .action(async (opts) => {
+        await runHookScanBash({ mode: opts.mode });
+    });
     hook
         .command('push-gate')
         // Accept (and silently ignore) positional args. Git passes the

package/dist/cli/init.js

@@ -15,7 +15,7 @@ import { CLAUDE_MD_MANIFEST_PATH, SETTINGS_MANIFEST_PATH, enumerateCanonicalFile
 import { writeManifestAtomic } from './install/manifest-io.js';
 import { sha256OfBuffer, sha256OfFile } from './install/sha.js';
 import { defaultReagentPath, ReagentDroppedFieldsError, translateReagentPolicy, } from './install/reagent.js';
-import { POLICY_FILE, REA_DIR, REGISTRY_FILE, err, getPkgVersion, log, warn, } from './utils.js';
+import { POLICY_FILE, REA_DIR, REGISTRY_FILE, err, getPkgVersion, log, warn } from './utils.js';
 const PROFILE_NAMES = [
     'minimal',
     'client-engagement',
@@ -114,7 +114,11 @@ async function runWizard(options, targetDir, reagentPolicyPath, layeredBase, exi
             initialValue: 'minimal',
             options: [
                 { value: 'minimal', label: 'minimal', hint: 'bare policy, no extras (default)' },
-                { value: 'client-engagement', label: 'client-engagement', hint: 'zero-trust client project' },
+                {
+                    value: 'client-engagement',
+                    label: 'client-engagement',
+                    hint: 'zero-trust client project',
+                },
                 { value: 'bst-internal', label: 'bst-internal', hint: 'internal BST projects' },
                 { value: 'lit-wc', label: 'lit-wc', hint: 'Lit / web component libraries' },
                 { value: 'open-source', label: 'open-source', hint: 'public OSS repos' },
@@ -126,9 +130,7 @@ async function runWizard(options, targetDir, reagentPolicyPath, layeredBase, exi
     }
     // 0.21.1: prefer the existing on-disk value over the profile default
     // so re-running `rea init` doesn't reset an operator's manual edit.
-    const autonomyDefault = existingPolicy?.autonomyLevel
-        ?? layeredBase.autonomy_level
-        ?? AutonomyLevel.L1;
+    const autonomyDefault = existingPolicy?.autonomyLevel ?? layeredBase.autonomy_level ?? AutonomyLevel.L1;
     const autonomyPick = await p.select({
         message: existingPolicy?.autonomyLevel !== undefined
             ? `Starting autonomy_level (current: ${existingPolicy.autonomyLevel})`
@@ -177,9 +179,7 @@ async function runWizard(options, targetDir, reagentPolicyPath, layeredBase, exi
     // G11.4: "Use Codex adversarial review?" — the default follows the
     // chosen profile (any `*-no-codex` profile defaults to No). An explicit
     // flag on the command line overrides that default for the initial value.
-    const codexInitial = options.codex !== undefined
-        ? options.codex
-        : profileDefaultCodexRequired(profileName);
+    const codexInitial = options.codex !== undefined ? options.codex : profileDefaultCodexRequired(profileName);
     const codexPick = await p.confirm({
         message: 'Use Codex adversarial review? (requires an OpenAI account — can be added later)',
         initialValue: codexInitial,
@@ -542,9 +542,7 @@ export async function runInit(options) {
             process.exit(1);
         }
         const baseProfile = loadProfile(profileName);
-        const profileCeiling = baseProfile?.max_autonomy_level ??
-            HARD_DEFAULTS.max_autonomy_level ??
-            AutonomyLevel.L2;
+        const profileCeiling = baseProfile?.max_autonomy_level ?? HARD_DEFAULTS.max_autonomy_level ?? AutonomyLevel.L2;
         try {
             const t = translateReagentPolicy(reagentPolicyPath, {
                 profileCeiling,
@@ -586,21 +584,11 @@ export async function runInit(options) {
             : (existingPolicy?.codexRequired ?? profileDefaultCodexRequired(profileName));
         config = {
             profile: profileName,
-            autonomyLevel: existingPolicy?.autonomyLevel
-                ?? layeredBase.autonomy_level
-                ?? AutonomyLevel.L1,
-            maxAutonomyLevel: existingPolicy?.maxAutonomyLevel
-                ?? layeredBase.max_autonomy_level
-                ?? AutonomyLevel.L2,
-            blockAiAttribution: existingPolicy?.blockAiAttribution
-                ?? layeredBase.block_ai_attribution
-                ?? true,
-            blockedPaths: existingPolicy?.blockedPaths
-                ?? layeredBase.blocked_paths
-                ?? ['.env', '.env.*'],
-            notificationChannel: existingPolicy?.notificationChannel
-                ?? layeredBase.notification_channel
-                ?? '',
+            autonomyLevel: existingPolicy?.autonomyLevel ?? layeredBase.autonomy_level ?? AutonomyLevel.L1,
+            maxAutonomyLevel: existingPolicy?.maxAutonomyLevel ?? layeredBase.max_autonomy_level ?? AutonomyLevel.L2,
+            blockAiAttribution: existingPolicy?.blockAiAttribution ?? layeredBase.block_ai_attribution ?? true,
+            blockedPaths: existingPolicy?.blockedPaths ?? layeredBase.blocked_paths ?? ['.env', '.env.*'],
+            notificationChannel: existingPolicy?.notificationChannel ?? layeredBase.notification_channel ?? '',
             codexRequired,
             fromReagent,
             reagentPolicyPath,

package/dist/cli/install/canonical.js

@@ -67,9 +67,24 @@ async function walkFiles(srcDir) {
  */
 export async function enumerateCanonicalFiles(pkgRoot = PKG_ROOT) {
     const mappings = [
-        { srcDir: path.join(pkgRoot, 'hooks'), dstPrefix: '.claude/hooks', source: 'hook', mode: 0o755 },
-        { srcDir: path.join(pkgRoot, 'agents'), dstPrefix: '.claude/agents', source: 'agent', mode: 0o644 },
-        { srcDir: path.join(pkgRoot, 'commands'), dstPrefix: '.claude/commands', source: 'command', mode: 0o644 },
+        {
+            srcDir: path.join(pkgRoot, 'hooks'),
+            dstPrefix: '.claude/hooks',
+            source: 'hook',
+            mode: 0o755,
+        },
+        {
+            srcDir: path.join(pkgRoot, 'agents'),
+            dstPrefix: '.claude/agents',
+            source: 'agent',
+            mode: 0o644,
+        },
+        {
+            srcDir: path.join(pkgRoot, 'commands'),
+            dstPrefix: '.claude/commands',
+            source: 'command',
+            mode: 0o644,
+        },
         { srcDir: path.join(pkgRoot, '.husky'), dstPrefix: '.husky', source: 'husky', mode: 0o755 },
     ];
     const out = [];

package/dist/cli/install/commit-msg.js

@@ -78,8 +78,7 @@ export async function classifyCommitMsgHook(hookPath) {
     }
     // Pre-0.13 rea body had no marker but always contained the attribution
     // grep. Treat that shape as upgradeable rather than foreign.
-    if (content.includes('block_ai_attribution') &&
-        content.includes('AI attribution detected')) {
+    if (content.includes('block_ai_attribution') && content.includes('AI attribution detected')) {
         return { kind: 'unmarked' };
     }
     return { kind: 'foreign', reason: 'no-marker' };

package/dist/cli/install/copy.js

@@ -131,9 +131,7 @@ async function assertSafeDestination(resolvedRoot, dstPath) {
     // Containment: resolve without following symlinks on the leaf so an attacker
     // cannot smuggle us out via a symlink in the leaf itself.
     const resolvedDst = path.resolve(dstPath);
-    const rootWithSep = resolvedRoot.endsWith(path.sep)
-        ? resolvedRoot
-        : resolvedRoot + path.sep;
+    const rootWithSep = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
     if (resolvedDst !== resolvedRoot && !resolvedDst.startsWith(rootWithSep)) {
         throw new UnsafeInstallPathError('escape', resolvedDst, undefined, `refusing to write outside install root: ${resolvedDst} is not under ${resolvedRoot}`);
     }
@@ -171,9 +169,7 @@ async function assertSafeDestination(resolvedRoot, dstPath) {
  */
 async function assertSafeDirectory(resolvedRoot, dirPath) {
     const resolvedDir = path.resolve(dirPath);
-    const rootWithSep = resolvedRoot.endsWith(path.sep)
-        ? resolvedRoot
-        : resolvedRoot + path.sep;
+    const rootWithSep = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
     if (resolvedDir !== resolvedRoot && !resolvedDir.startsWith(rootWithSep)) {
         throw new UnsafeInstallPathError('escape', resolvedDir, undefined, `refusing to operate on directory outside install root: ${resolvedDir}`);
     }
@@ -234,9 +230,7 @@ async function assertSafeDirectory(resolvedRoot, dirPath) {
  */
 async function snapshotAncestors(resolvedRoot, dstPath) {
     const snapshot = new Map();
-    const rootWithSep = resolvedRoot.endsWith(path.sep)
-        ? resolvedRoot
-        : resolvedRoot + path.sep;
+    const rootWithSep = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
     const leafDir = path.dirname(path.resolve(dstPath));
     let cursor = leafDir;
     let reachedRoot = false;
@@ -334,10 +328,7 @@ async function verifyAncestorsUnchanged(snapshot) {
  */
 async function writeFileExclusiveNoFollow(srcPath, dstPath) {
     const contents = await fsPromises.readFile(srcPath);
-    const flags = fs.constants.O_WRONLY |
-        fs.constants.O_CREAT |
-        fs.constants.O_EXCL |
-        fs.constants.O_NOFOLLOW;
+    const flags = fs.constants.O_WRONLY | fs.constants.O_CREAT | fs.constants.O_EXCL | fs.constants.O_NOFOLLOW;
     const fh = await fsPromises.open(dstPath, flags, 0o644);
     try {
         await fh.writeFile(contents);

package/dist/cli/install/fs-safe.js

@@ -47,9 +47,7 @@ export function resolveContained(resolvedRoot, candidate) {
         throw new UnsafeInstallPathError('escape', candidate, undefined, `refusing path with parent-directory segments: ${candidate}`);
     }
     const absolute = path.resolve(resolvedRoot, candidate);
-    const rootWithSep = resolvedRoot.endsWith(path.sep)
-        ? resolvedRoot
-        : resolvedRoot + path.sep;
+    const rootWithSep = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
     if (absolute !== resolvedRoot && !absolute.startsWith(rootWithSep)) {
         throw new UnsafeInstallPathError('escape', absolute, undefined, `refusing to resolve outside install root: ${absolute} is not under ${resolvedRoot}`);
     }
@@ -62,9 +60,7 @@ export function resolveContained(resolvedRoot, candidate) {
  */
 export async function assertSafeDestination(resolvedRoot, dstPath) {
     const resolvedDst = path.resolve(dstPath);
-    const rootWithSep = resolvedRoot.endsWith(path.sep)
-        ? resolvedRoot
-        : resolvedRoot + path.sep;
+    const rootWithSep = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
     if (resolvedDst !== resolvedRoot && !resolvedDst.startsWith(rootWithSep)) {
         throw new UnsafeInstallPathError('escape', resolvedDst, undefined, `refusing to write outside install root: ${resolvedDst} is not under ${resolvedRoot}`);
     }
@@ -95,9 +91,7 @@ export async function assertSafeDestination(resolvedRoot, dstPath) {
 }
 export async function assertSafeDirectory(resolvedRoot, dirPath) {
     const resolvedDir = path.resolve(dirPath);
-    const rootWithSep = resolvedRoot.endsWith(path.sep)
-        ? resolvedRoot
-        : resolvedRoot + path.sep;
+    const rootWithSep = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
     if (resolvedDir !== resolvedRoot && !resolvedDir.startsWith(rootWithSep)) {
         throw new UnsafeInstallPathError('escape', resolvedDir, undefined, `refusing to operate on directory outside install root: ${resolvedDir}`);
     }
@@ -126,9 +120,7 @@ export async function assertSafeDirectory(resolvedRoot, dirPath) {
 }
 export async function snapshotAncestors(resolvedRoot, dstPath) {
     const snapshot = new Map();
-    const rootWithSep = resolvedRoot.endsWith(path.sep)
-        ? resolvedRoot
-        : resolvedRoot + path.sep;
+    const rootWithSep = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
     const leafDir = path.dirname(path.resolve(dstPath));
     let cursor = leafDir;
     let reachedRoot = false;
@@ -196,10 +188,7 @@ export async function verifyAncestorsUnchanged(snapshot) {
  * `unlink`s first and then calls this.
  */
 export async function writeFileExclusiveNoFollow(dstPath, contents, mode = 0o644) {
-    const flags = fs.constants.O_WRONLY |
-        fs.constants.O_CREAT |
-        fs.constants.O_EXCL |
-        fs.constants.O_NOFOLLOW;
+    const flags = fs.constants.O_WRONLY | fs.constants.O_CREAT | fs.constants.O_EXCL | fs.constants.O_NOFOLLOW;
     const fh = await fsPromises.open(dstPath, flags, mode);
     try {
         await fh.writeFile(contents);

package/dist/cli/install/gitignore.js

@@ -313,11 +313,7 @@ export async function ensureReaGitignore(targetDir, entries = REA_GITIGNORE_ENTR
         })();
         const bodyLines = lines.slice(0, trimmedTailIdx + 1);
         const separator = bodyLines.length === 0 ? [] : [''];
-        const newLines = [
-            ...bodyLines,
-            ...separator,
-            buildManagedBlock(entries, eol),
-        ];
+        const newLines = [...bodyLines, ...separator, buildManagedBlock(entries, eol)];
         const content = newLines.join(eol) + eol;
         await writeAtomic(absPath, content);
         return {

package/dist/cli/install/pre-push.js

@@ -442,9 +442,7 @@ export async function resolveHooksDir(targetDir) {
     if (configured === null) {
         return { dir: null, configured: false };
     }
-    const absolute = path.isAbsolute(configured)
-        ? configured
-        : path.join(targetDir, configured);
+    const absolute = path.isAbsolute(configured) ? configured : path.join(targetDir, configured);
     return { dir: absolute, configured: true };
 }
 /**
@@ -534,8 +532,7 @@ export async function classifyPrePushInstall(targetDir) {
     if (classification.kind === 'absent') {
         return { action: 'install', hookPath };
     }
-    if (classification.kind === 'rea-managed' ||
-        classification.kind === 'rea-managed-legacy-v1') {
+    if (classification.kind === 'rea-managed' || classification.kind === 'rea-managed-legacy-v1') {
         return { action: 'refresh', hookPath };
     }
     if (classification.kind === 'rea-managed-husky' ||
@@ -631,9 +628,7 @@ async function resolveLockDir(targetDir) {
         const { stdout } = await execFileAsync('git', ['-C', targetDir, 'rev-parse', '--git-common-dir'], { encoding: 'utf8' });
         const commonDir = stdout.trim();
         if (commonDir.length > 0) {
-            const absolute = path.isAbsolute(commonDir)
-                ? commonDir
-                : path.join(targetDir, commonDir);
+            const absolute = path.isAbsolute(commonDir) ? commonDir : path.join(targetDir, commonDir);
             return path.join(absolute, 'rea-prepush.lockdir');
         }
     }