@bookedsolid/rea 0.22.0 → 0.23.1

package/dist/hooks/push-gate/base.js

@@ -55,9 +55,7 @@ export function resolveBaseRef(git, options = {}) {
         // some-other-branch` invocations, where the local checkout's HEAD is a
         // different branch entirely and the resulting diff would compare the
         // wrong commits.
-        const headRef = options.headRef !== undefined && options.headRef.length > 0
-            ? options.headRef
-            : 'HEAD';
+        const headRef = options.headRef !== undefined && options.headRef.length > 0 ? options.headRef : 'HEAD';
         const requested = options.lastNCommits;
         const tryDepth = (k) => git.tryRevParse(['--verify', '--quiet', `${headRef}~${k}^{commit}`]).trim();
         // Fast path: requested depth resolves directly.
@@ -164,9 +162,7 @@ export function resolveBaseRef(git, options = {}) {
     //    tracking ref (typically `refs/remotes/origin/<branch>`). Returns
     //    empty on branches without an upstream — which is normal for a brand
     //    new feature branch; fall through.
-    const upstream = git
-        .tryRevParse(['--abbrev-ref', '--symbolic-full-name', '@{upstream}'])
-        .trim();
+    const upstream = git.tryRevParse(['--abbrev-ref', '--symbolic-full-name', '@{upstream}']).trim();
     if (upstream.length > 0) {
         return { ref: upstream, source: 'upstream' };
     }

package/dist/hooks/push-gate/codex-runner.js

@@ -190,7 +190,9 @@ export async function runCodexReview(options) {
         '--json',
         '--ephemeral',
     ];
-    const args = options.prompt !== undefined && options.prompt.length > 0 ? [...baseArgs, options.prompt] : baseArgs;
+    const args = options.prompt !== undefined && options.prompt.length > 0
+        ? [...baseArgs, options.prompt]
+        : baseArgs;
     // 0.16.3 helix-016.1 #1 fix: pre-flight probe for the codex CLI before
     // we hand control to the long-running review subprocess. The original
     // try/catch around `spawner(...)` only caught synchronous ENOENT; on

package/dist/hooks/push-gate/index.js

@@ -31,7 +31,7 @@ import { resolveBaseRef } from './base.js';
 import { createRealGitExecutor, runCodexReview, CodexNotInstalledError, CodexProtocolError, CodexSubprocessError, CodexTimeoutError, IRON_GATE_DEFAULT_MODEL, IRON_GATE_DEFAULT_REASONING, } from './codex-runner.js';
 import { summarizeReview } from './findings.js';
 import { renderBanner, writeLastReview } from './report.js';
-import { isFlip, lookupVerdict, writeVerdict, } from './verdict-cache.js';
+import { isFlip, lookupVerdict, writeVerdict } from './verdict-cache.js';
 /**
  * Parse the raw pre-push stdin text into refspecs. Each line is four
  * whitespace-separated fields. Blank lines and malformed lines are
@@ -266,7 +266,9 @@ export async function runPushGate(deps) {
     }
     if (headSha.length === 0) {
         stderr('PUSH BLOCKED: could not resolve HEAD SHA. Is this a valid git repo?\n');
-        await safeAppend(appendAuditFn, deps.baseDir, EVT_ERROR, fullPolicy, { kind: 'head-sha-missing' });
+        await safeAppend(appendAuditFn, deps.baseDir, EVT_ERROR, fullPolicy, {
+            kind: 'head-sha-missing',
+        });
         return { status: 'error', exitCode: 2, summary: 'head-sha-missing' };
     }
     // 4b. Auto-narrow probe (J / 0.13.0). When the resolved base is far
@@ -317,8 +319,7 @@ export async function runPushGate(deps) {
         baseFromPushedRemoteTip;
     if (autoNarrowEligible) {
         originalCommitCount = git.revListCount(base.ref, headSha);
-        if (originalCommitCount !== null &&
-            originalCommitCount > policy.auto_narrow_threshold) {
+        if (originalCommitCount !== null && originalCommitCount > policy.auto_narrow_threshold) {
             const fallbackWindow = PUSH_GATE_DEFAULT_LAST_N_COMMITS_FALLBACK;
             const narrowed = resolveBaseRef(git, {
                 lastNCommits: fallbackWindow,
@@ -361,8 +362,8 @@ export async function runPushGate(deps) {
     const cacheLookup = policy.cache_ttl_ms > 0 ? lookupVerdict(deps.baseDir, headSha) : { hit: false };
     if (cacheLookup.hit && cacheLookup.entry !== undefined) {
         const cached = cacheLookup.entry;
-        const cachedBlocked = cached.verdict === 'blocking'
-            || (cached.verdict === 'concerns' && policy.concerns_blocks && !isConcernsOverrideSet(env));
+        const cachedBlocked = cached.verdict === 'blocking' ||
+            (cached.verdict === 'concerns' && policy.concerns_blocks && !isConcernsOverrideSet(env));
         // 0.19.1 P3-3 (code-reviewer): emit EVT_CACHE_HIT (forensic detail
         // for the cache layer specifically) AND EVT_REVIEWED (the canonical
         // verdict event with `cache_hit: true` metadata). Operators
@@ -421,10 +422,8 @@ export async function runPushGate(deps) {
                 : {}),
         });
         const summary = summarizeReview(codexResult.reviewText);
-        const blocked = summary.verdict === 'blocking'
-            || (summary.verdict === 'concerns'
-                && policy.concerns_blocks
-                && !isConcernsOverrideSet(env));
+        const blocked = summary.verdict === 'blocking' ||
+            (summary.verdict === 'concerns' && policy.concerns_blocks && !isConcernsOverrideSet(env));
         const lastReviewPath = path.join(deps.baseDir, '.rea', 'last-review.json');
         const payload = writeLastReviewFn({
             baseDir: deps.baseDir,

package/dist/policy/loader.js

@@ -63,7 +63,10 @@ const ReviewPolicySchema = z
     // (NUL, NL, CR, escape sequences) through the `-c model="<value>"`
     // injection point. Accepts published codex model names; rejects
     // re-quote / TOML-escape edge cases.
-    codex_model: z.string().regex(/^[a-zA-Z0-9._-]{1,64}$/).optional(),
+    codex_model: z
+        .string()
+        .regex(/^[a-zA-Z0-9._-]{1,64}$/)
+        .optional(),
     /**
      * Codex reasoning effort knob (0.13.4+). Pinned via
      * `-c model_reasoning_effort="<level>"` on every invocation. Only

package/dist/registry/tofu-gate.js

@@ -23,8 +23,8 @@
  */
 import { Tier, InvocationStatus } from '../policy/types.js';
 import { appendAuditRecord } from '../audit/append.js';
-import { loadFingerprintStore, saveFingerprintStore, } from './fingerprints-store.js';
-import { classifyServers, updateStore, } from './tofu.js';
+import { loadFingerprintStore, saveFingerprintStore } from './fingerprints-store.js';
+import { classifyServers, updateStore } from './tofu.js';
 import { createLogger } from '../gateway/log.js';
 const TOFU_TOOL_NAME = 'rea.tofu';
 const TOFU_SERVER_NAME = 'rea';

package/hooks/blocked-paths-bash-gate.sh

@@ -1,293 +1,163 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # PreToolUse hook: blocked-paths-bash-gate.sh
-# Fires BEFORE every Bash tool call.
-# Refuses Bash commands that write to entries in policy.yaml's
-# `blocked_paths` list via shell redirection or write-flag utilities.
 #
-# Background (0.16.3, discord-ops Round 9 #1): the existing
-# blocked-paths-enforcer.sh only fires on Write/Edit/MultiEdit/
-# NotebookEdit. Bash-tier writes to blocked_paths entries bypass it
-# entirely:
+# 0.23.0+ — thin shim. Forwards stdin to `rea hook scan-bash --mode blocked`.
+# See protected-paths-bash-gate.sh for the architectural rationale + CLI
+# resolution strategy + verdict-verification model; this shim differs
+# only in the --mode flag.
 #
-#   echo x > .env
-#   cp src.txt .env
-#   sed -i '' '1d' .env.production
-#   node -e "fs.writeFileSync('.env','x')"
+# Codex round 4 Finding 2: 2-tier sandboxed resolver (drops PATH lookup
+# and node_modules/.bin/rea symlink). See protected-paths-bash-gate.sh
+# for rationale.
 #
-# `protected-paths-bash-gate.sh` covers the HARD list (HALT, policy.yaml,
-# settings.json, .husky/*) — but the soft, runtime-configurable
-# `blocked_paths` list never had a Bash-tier counterpart. discord-ops
-# independently caught this gap during their cycle 9 audit.
-#
-# This hook closes the gap by reading the same `blocked_paths` list that
-# blocked-paths-enforcer.sh reads, applying the same redirect / write-
-# utility detection pipeline as protected-paths-bash-gate.sh, and
-# blocking when the resolved target matches any entry.
+# Codex round 2 R2-3: REA_NODE_CLI env-var honoring REMOVED.
 #
 # Exit codes:
-#   0 = no blocked-path write detected — allow
-#   2 = blocked-path write via Bash detected — block
-#
-# Detection: `node -e "fs.writeFileSync('.env','x')"` — Node's
-# fs.writeFileSync called against a blocked path is also detected by
-# argument scan. Other interpreter constructions (perl, python, etc.)
-# remain a known coverage gap for the same reason the env-file-protection
-# hook lists hard caps in its header comment: defense-in-depth, not an
-# adversarial firewall.
+#   0 = allow
+#   2 = block (verdict, missing CLI, malformed payload, verdict mismatch)
 
 set -uo pipefail
 
-# shellcheck source=_lib/cmd-segments.sh
-source "$(dirname "$0")/_lib/cmd-segments.sh"
-# shellcheck source=_lib/path-normalize.sh
-source "$(dirname "$0")/_lib/path-normalize.sh"
-# shellcheck source=_lib/policy-read.sh
-source "$(dirname "$0")/_lib/policy-read.sh"
-# shellcheck source=_lib/halt-check.sh
-source "$(dirname "$0")/_lib/halt-check.sh"
-# shellcheck source=_lib/interpreter-scanner.sh
-source "$(dirname "$0")/_lib/interpreter-scanner.sh"
-
-INPUT=$(cat)
+proj="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+
+# 2-tier sandboxed CLI resolver. NO PATH lookup, NO env-var override.
+REA_ARGV=()
+RESOLVED_CLI_PATH=""
+if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
+elif [ -f "$proj/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
+fi
 
-if ! command -v jq >/dev/null 2>&1; then
-  printf 'REA ERROR: jq is required but not installed.\n' >&2
+if [ "${#REA_ARGV[@]}" -eq 0 ]; then
+  printf 'rea: CLI not found at sandboxed tiers (node_modules/@bookedsolid/rea/dist or dist/).\n' >&2
+  printf 'Install @bookedsolid/rea via npm/pnpm and run `rea doctor`.\n' >&2
+  printf 'Refusing the Bash command on uncertainty.\n' >&2
   exit 2
 fi
 
-check_halt
-REA_ROOT=$(rea_root)
-
-CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
-if [[ -z "$CMD" ]]; then
-  exit 0
+# Codex round 4 Finding 2 + round 5 F2 tier defense: realpath the
+# resolved CLI; PRIMARY check is project-root containment, SECONDARY
+# is ancestor `package.json` with the protected name. See
+# protected-paths-bash-gate.sh for the full rationale.
+if ! command -v node >/dev/null 2>&1; then
+  printf 'rea: node not on PATH (required to realpath verify scan-bash CLI). Refusing.\n' >&2
+  exit 2
+fi
+sandbox_check=$(node -e '
+  const fs = require("fs");
+  const path = require("path");
+  const cli = process.argv[1];
+  const projDir = process.argv[2];
+  let real;
+  try { real = fs.realpathSync(cli); } catch (e) {
+    process.stdout.write("bad:realpath:" + (e && e.message ? e.message : String(e)));
+    process.exit(1);
+  }
+  // PRIMARY (round 5 F2): realCli must live INSIDE realProj. Catches
+  // node_modules/@bookedsolid/rea -> /tmp/sym-attacker symlink-out.
+  let realProj;
+  try { realProj = fs.realpathSync(projDir); } catch (e) {
+    process.stdout.write("bad:realpath-proj:" + (e && e.message ? e.message : String(e)));
+    process.exit(1);
+  }
+  const projWithSep = realProj.endsWith(path.sep) ? realProj : realProj + path.sep;
+  if (!(real === realProj || real.startsWith(projWithSep))) {
+    process.stdout.write("bad:cli-escapes-project:" + real + ":proj=" + realProj);
+    process.exit(1);
+  }
+  // SECONDARY (round 4 #2): shape + ancestor `package.json` with
+  // `@bookedsolid/rea`. Guards against intra-project hijack.
+  const expectedEnd = path.join("dist", "cli", "index.js");
+  if (!real.endsWith(path.sep + expectedEnd) && real !== "/" + expectedEnd) {
+    process.stdout.write("bad:cli-shape:" + real);
+    process.exit(1);
+  }
+  let cur = path.dirname(path.dirname(path.dirname(real)));
+  let found = false;
+  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
+    const pj = path.join(cur, "package.json");
+    if (fs.existsSync(pj)) {
+      try {
+        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
+        if (data && data.name === "@bookedsolid/rea") {
+          found = true;
+          break;
+        }
+      } catch (e) {
+        // Continue.
+      }
+    }
+    cur = path.dirname(cur);
+  }
+  if (!found) {
+    process.stdout.write("bad:no-rea-pkg:" + real);
+    process.exit(1);
+  }
+  process.stdout.write("ok");
+  process.exit(0);
+' "$RESOLVED_CLI_PATH" "$proj" 2>&1)
+sandbox_status=$?
+if [ "$sandbox_status" -ne 0 ] || [ "$sandbox_check" != "ok" ]; then
+  printf 'rea: scan-bash CLI realpath escapes sandbox (%s). Refusing.\n' "$sandbox_check" >&2
+  exit 2
 fi
 
-# Load blocked_paths list. If the policy is missing or the list is empty,
-# this hook is a no-op (matches blocked-paths-enforcer.sh semantics).
-BLOCKED_PATHS=()
-while IFS= read -r entry; do
-  [[ -z "$entry" ]] && continue
-  BLOCKED_PATHS+=("$entry")
-done < <(policy_list "blocked_paths")
-
-if [[ ${#BLOCKED_PATHS[@]} -eq 0 ]]; then
+payload=$(cat)
+if [ -z "$payload" ]; then
   exit 0
 fi
 
-# Match a normalized project-relative path against the loaded
-# blocked_paths list using the same matching rules as
-# blocked-paths-enforcer.sh:
-#   - directory match (entry ends with `/`) → prefix match
-#   - glob entry (contains `*`) → ERE conversion + anchored match
-#   - otherwise → exact (case-insensitive) match
-# Returns 0 + sets MATCHED on hit, 1 on no hit.
-MATCHED=""
-_match_blocked() {
-  local target_lc="$1"
-  MATCHED=""
-  local entry entry_lc regex
-  for entry in "${BLOCKED_PATHS[@]}"; do
-    entry_lc=$(printf '%s' "$entry" | tr '[:upper:]' '[:lower:]')
-    if [[ "$entry_lc" == */ ]]; then
-      if [[ "$target_lc" == "$entry_lc"* ]] || [[ "$target_lc" == "${entry_lc%/}" ]]; then
-        MATCHED="$entry"
-        return 0
-      fi
-      continue
+verdict=$(printf '%s' "$payload" | "${REA_ARGV[@]}" hook scan-bash --mode blocked)
+status=$?
+
+verifier='try {
+  const raw = require("fs").readFileSync(0, "utf8");
+  if (raw.trim().length === 0) { process.stdout.write("bad:empty"); process.exit(1); }
+  const v = JSON.parse(raw);
+  if (typeof v !== "object" || v === null || Array.isArray(v)) {
+    process.stdout.write("bad:non-object"); process.exit(1);
+  }
+  if (v.verdict !== "allow" && v.verdict !== "block") {
+    process.stdout.write("bad:verdict-shape:" + String(v.verdict)); process.exit(1);
+  }
+  process.stdout.write("ok:" + v.verdict); process.exit(0);
+} catch (e) {
+  process.stdout.write("bad:" + (e && e.message ? e.message : String(e))); process.exit(1);
+}'
+
+verdict_check=$(printf '%s' "$verdict" | node -e "$verifier" 2>&1)
+verdict_check_status=$?
+
+case "$status" in
+  0)
+    if [ "$verdict_check_status" -ne 0 ]; then
+      printf 'rea: scan-bash exited 0 but verdict JSON is malformed (%s). Refusing on uncertainty.\n' "$verdict_check" >&2
+      exit 2
     fi
-    if [[ "$entry" == *'*'* ]]; then
-      regex=$(printf '%s' "$entry_lc" | sed 's/\./\\./g; s/\*/.*/g')
-      if printf '%s' "$target_lc" | grep -qE "^${regex}$"; then
-        MATCHED="$entry"
-        return 0
-      fi
-      continue
+    if [ "$verdict_check" != "ok:allow" ]; then
+      printf 'rea: scan-bash exit 0 but verdict says %s. Refusing on uncertainty.\n' "$verdict_check" >&2
+      exit 2
     fi
-    if [[ "$target_lc" == "$entry_lc" ]]; then
-      MATCHED="$entry"
-      return 0
+    exit 0
+    ;;
+  2)
+    if [ "$verdict_check_status" -ne 0 ]; then
+      exit 2
     fi
-  done
-  return 1
-}
-
-# Normalize a path token and apply the same `..` walk + outside-REA_ROOT
-# sentinel trick as protected-paths-bash-gate.sh::_normalize_target.
-# Returns the normalized lowercased project-relative path on stdout, or
-# `__rea_outside_root__:<resolved>` when the path resolves outside the
-# project root.
-_normalize_target() {
-  local t="$1"
-  if [[ "$t" =~ ^\"(.*)\"$ ]]; then t="${BASH_REMATCH[1]}"; fi
-  if [[ "$t" =~ ^\'(.*)\'$ ]]; then t="${BASH_REMATCH[1]}"; fi
-  case "/$t/" in
-    */../*)
-      local abs="$t"
-      [[ "$abs" != /* ]] && abs="$REA_ROOT/$abs"
-      local -a raw_parts parts=()
-      IFS='/' read -ra raw_parts <<<"$abs"
-      for part in "${raw_parts[@]}"; do
-        case "$part" in
-          ''|.) continue ;;
-          ..) [[ "${#parts[@]}" -gt 0 ]] && unset 'parts[${#parts[@]}-1]' ;;
-          *) parts+=("$part") ;;
-        esac
-      done
-      t="/$(IFS=/; printf '%s' "${parts[*]}")"
-      if [[ "$t" != "$REA_ROOT" && "$t" != "$REA_ROOT"/* ]]; then
-        printf '__rea_outside_root__:%s' "$t"
-        return 0
-      fi
-      ;;
-  esac
-  t=$(normalize_path "$t")
-  printf '%s' "$t" | tr '[:upper:]' '[:lower:]'
-}
-
-_refuse() {
-  local pattern="$1" target="$2" segment="$3"
-  {
-    printf 'BLOCKED PATH (bash): write denied by policy\n'
-    printf '\n'
-    printf '  Blocked by:      %s\n' "$pattern"
-    printf '  Resolved target: %s\n' "$target"
-    printf '  Segment:         %s\n' "$segment"
-    printf '\n'
-    printf '  Source: .rea/policy.yaml → blocked_paths\n'
-    printf '  Rule: blocked_paths entries are unreachable via Bash redirects\n'
-    printf '        too — not just Write/Edit/MultiEdit. To modify, a human\n'
-    printf '        must edit directly or update blocked_paths in policy.yaml.\n'
-  } >&2
-  exit 2
-}
-
-# Check a single resolved-target token. Refuses on hit.
-#
-# 0.20.1 helix-021 #2: in addition to the logical post-_normalize_target
-# form, also check the symlink-resolved form. Pre-fix `ln -s . linkroot;
-# printf x > linkroot/.env` had a logical form of `linkroot/.env`
-# (no match against blocked_paths) but a resolved form of `.env`
-# (which DOES match). Refuse on either match. Write-tier
-# `blocked-paths-enforcer.sh` already has this resolution since 0.10.x.
-_check_token() {
-  local token="$1" segment="$2"
-  [[ -z "$token" ]] && return 0
-  local resolved
-  resolved=$(_normalize_target "$token")
-  if [[ "$resolved" == __rea_outside_root__:* ]]; then
-    # Outside REA_ROOT → can't be in blocked_paths (blocked_paths is
-    # project-relative). Allow; the protected-paths gate handles
-    # outside-root rejection on the protected list itself.
-    return 0
-  fi
-  # Symlink-resolved form via shared helper. Returns empty when the
-  # parent doesn't exist (legitimate "creating the parent" case);
-  # outside-REA_ROOT sentinel when the symlink walks out of the
-  # project (silently allow — same as the logical-path branch above).
-  local resolved_symlink
-  resolved_symlink=$(rea_resolved_relative_form "$token")
-  if [[ "$resolved_symlink" == __rea_outside_root__:* ]]; then
-    resolved_symlink=""
-  fi
-  if _match_blocked "$resolved"; then
-    _refuse "$MATCHED" "$resolved" "$segment"
-  fi
-  if [[ -n "$resolved_symlink" ]] && _match_blocked "$resolved_symlink"; then
-    _refuse "$MATCHED" "$resolved_symlink" "$segment"
-  fi
-  return 0
-}
-
-# Scan one segment for redirect / write-utility / node-fs targets and
-# refuse on any hit. Mirrors protected-paths-bash-gate.sh::_check_segment
-# layout, with a few additions to catch discord-ops Round 9 #1's exact
-# Node-interpreter and sed-script-on-target shapes.
-_check_segment() {
-  local _raw="$1" segment="$2"
-  [[ -z "$segment" ]] && return 0
-
-  # Same regex set as protected-paths-bash-gate.sh — fd-prefix-aware
-  # redirects, cp/mv tail target, sed -i target, dd of=, plus a
-  # token-walk for tee/truncate/install/ln. Keeps behavior consistent
-  # across the two bash gates.
-  local re_redirect='(^|[[:space:]])(&>>|&>|[0-9]+>>|[0-9]+>\||[0-9]+>|>>|>\||>)[[:space:]]*([^[:space:]&|;<>]+)'
-  local re_cpmv='(^|[[:space:]])(cp|mv)[[:space:]]+[^&|;<>]+[[:space:]]([^[:space:]&|;<>]+)[[:space:]]*$'
-  local re_sed='(^|[[:space:]])sed[[:space:]]+(-[a-zA-Z]*i[a-zA-Z]*[^[:space:]]*)[[:space:]]+[^&|;<>]+[[:space:]]([^[:space:]&|;<>]+)[[:space:]]*$'
-  local re_dd='(^|[[:space:]])dd[[:space:]]+[^&|;<>]*of=([^[:space:]&|;<>]+)'
-
-  if [[ "$segment" =~ $re_redirect ]]; then
-    _check_token "${BASH_REMATCH[3]}" "$segment"
-  fi
-  if [[ "$segment" =~ $re_cpmv ]]; then
-    _check_token "${BASH_REMATCH[3]}" "$segment"
-  fi
-  if [[ "$segment" =~ $re_sed ]]; then
-    _check_token "${BASH_REMATCH[3]}" "$segment"
-  fi
-  if [[ "$segment" =~ $re_dd ]]; then
-    _check_token "${BASH_REMATCH[2]}" "$segment"
-  fi
-
-  # tee / truncate / install / ln — token-walk identical to
-  # protected-paths-bash-gate.sh.
-  local _seg_for_walk="$segment"
-  _seg_for_walk="${_seg_for_walk#"${_seg_for_walk%%[![:space:]]*}"}"
-  local first_tok
-  first_tok=$(printf '%s' "$_seg_for_walk" | awk '{print $1}')
-  case "$first_tok" in
-    tee|truncate|install|ln)
-      local found_cmd=""
-      # shellcheck disable=SC2086
-      set -- $_seg_for_walk
-      while [ "$#" -gt 0 ]; do
-        local tok="$1"
-        shift
-        if [[ -z "$found_cmd" ]]; then
-          case "$tok" in
-            tee|truncate|install|ln) found_cmd="$tok" ;;
-          esac
-          continue
-        fi
-        case "$tok" in
-          --) continue ;;
-          --*=*) continue ;;
-          --*)
-            case "$tok" in
-              --append|--ignore-interrupts|--no-clobber|--force|--no-target-directory|--symbolic|--no-dereference|--reference=*) continue ;;
-              *) shift 2>/dev/null || true; continue ;;
-            esac
-            ;;
-          -*)
-            case "$tok" in
-              -s*|-m*|-o*|-g*|-t*) shift 2>/dev/null || true ;;
-            esac
-            continue
-            ;;
-          *)
-            _check_token "$tok" "$segment"
-            ;;
-        esac
-      done
-      ;;
-  esac
-
-  # 0.21.2 helix-022 #2: interpreter scanner factored to
-  # _lib/interpreter-scanner.sh and shared with protected-paths-bash-gate.
-  # Covers node -e fs.writeFileSync, python -c open(...,'w'),
-  # ruby -e File.write, perl -e open(FH,'>...').
-  local interp_targets
-  interp_targets=$(rea_interpreter_write_targets "$segment")
-  if [[ -n "$interp_targets" ]]; then
-    while IFS= read -r tgt; do
-      [[ -z "$tgt" ]] && continue
-      _check_token "$tgt" "$segment"
-    done <<<"$interp_targets"
-  fi
-
-  return 0
-}
-
-for_each_segment "$CMD" _check_segment
-
-exit 0
+    if [ "$verdict_check" != "ok:block" ]; then
+      printf 'rea: scan-bash exit 2 but verdict says %s. Refusing on uncertainty.\n' "$verdict_check" >&2
+      exit 2
+    fi
+    exit 2
+    ;;
+  *)
+    printf 'rea: scan-bash exited %d (expected 0/2). Refusing on uncertainty.\n' "$status" >&2
+    if [ -n "$verdict" ]; then
+      printf 'rea: scan-bash stdout was: %s\n' "$verdict" >&2
+    fi
+    exit 2
+    ;;
+esac