@bookedsolid/rea 0.25.0 → 0.26.0

package/hooks/_lib/cmd-segments.sh

@@ -493,8 +493,21 @@ _rea_strip_prefix() {
       *)
         # Env-var assignment prefix (`KEY=value `) — only strip if the
         # token before the first space looks like NAME=value.
-        if [[ "$seg" =~ ^[A-Za-z_][A-Za-z0-9_]*=[^[:space:]]+[[:space:]]+ ]]; then
-          seg="${seg#* }"
+        #
+        # 0.26.0 round-25 P2-A fix: ANSI-C quoting `$'...'` was previously
+        # uncovered. `FOO=$'a b' git push` evaded the env-prefix stripper
+        # (whose value pattern `[^[:space:]]+` bailed at the space inside
+        # the ANSI-C body) AND the local-review-gate's raw-fallback regex.
+        # Add an explicit ANSI-C alternative here so the prefix is stripped
+        # cleanly even when the value carries embedded whitespace inside
+        # `$'...'`. Bash 3.2+ regex doesn't support non-capturing groups,
+        # so we keep the alternation flat.
+        if [[ "$seg" =~ ^[A-Za-z_][A-Za-z0-9_]*=([^[:space:]\"\'$]+|\"[^\"]*\"|\'[^\']*\'|\$\'[^\']*\')[[:space:]]+ ]]; then
+          # Compute prefix length and slice — `seg=${seg#* }` would split
+          # on the first space, which is INSIDE the value for ANSI-C and
+          # quoted forms. Slice by the matched length instead.
+          local _prefix_len=${#BASH_REMATCH[0]}
+          seg="${seg:_prefix_len}"
           seg="${seg#"${seg%%[![:space:]]*}"}"
         else
           break
@@ -621,3 +634,128 @@ any_segment_starts_with() {
   done < <(_rea_split_segments "$cmd")
   return 1
 }
+
+# Return on stdout the FIRST segment of $1 (RAW form, env-var prefixes
+# preserved) whose prefix-stripped form starts with the extended regex
+# $2. Returns empty stdout and exit 1 if no segment matches.
+#
+# Use this when a downstream check needs to scope further parsing to the
+# specific segment that triggered detection — e.g. local-review-gate's
+# inline-bypass regex must only match `VAR=val git push` shapes inside
+# the SAME segment that contained the `git push`, not anywhere in $CMD.
+# Segment-scoped capture closes the round-24 P1 bypass class where
+# `true VAR=fake git status; git push origin main` had the bypass shape
+# in segment 1 and the real push in segment 2 — the un-scoped regex
+# previously honored the bypass for the unrelated push.
+#
+# 0.26.0 helix-024 round-24 fix.
+find_first_segment_starting_with() {
+  local cmd="$1"
+  local pattern="$2"
+  local segment stripped
+  while IFS= read -r segment; do
+    stripped=$(_rea_strip_prefix "$segment")
+    if printf '%s' "$stripped" | grep -qiE "^${pattern}"; then
+      printf '%s' "$segment"
+      return 0
+    fi
+  done < <(_rea_split_segments "$cmd")
+  return 1
+}
+
+# Return on stdout the FIRST segment of $1 (RAW — no prefix-stripping,
+# but with leading whitespace trimmed for clean anchor matching) that
+# matches the extended regex $2. Returns empty stdout and exit 1 if no
+# segment matches.
+#
+# Companion to `any_segment_raw_matches`. Used by local-review-gate to
+# capture the segment whose RAW shape (env-var prefixes intact) triggered
+# the fallback `^([NAME=...])+git push` detector. The prefix-stripper's
+# regex `NAME=[^[:space:]]+[[:space:]]+` bails on quoted-value-with-spaces,
+# so `any_segment_starts_with` misses `REA_SKIP="urgent fix" git push`;
+# the raw-anchor fallback catches it. Round-24's segment-scoped bypass
+# regex must run against the SAME segment (raw form) that the fallback
+# matched, not against the whole $CMD.
+#
+# 0.26.0 helix-024 round-24 fix.
+find_first_segment_raw_matches() {
+  local cmd="$1"
+  local pattern="$2"
+  local segment
+  while IFS= read -r segment; do
+    segment="${segment#"${segment%%[![:space:]]*}"}"
+    if printf '%s' "$segment" | grep -qiE "$pattern"; then
+      printf '%s' "$segment"
+      return 0
+    fi
+  done < <(_rea_split_segments "$cmd")
+  return 1
+}
+
+# Return on stdout EVERY segment of $1 (RAW form) whose prefix-stripped
+# form starts with the extended regex $2. Each match is a separate line.
+# Returns empty stdout and exit 1 if no segments match.
+#
+# Use this when a downstream check needs to validate EVERY trigger segment
+# — e.g. local-review-gate's per-segment bypass requirement. Pre-round-25
+# fix the gate captured only the FIRST trigger segment via
+# `find_first_segment_starting_with` and scoped the inline-bypass regex
+# there. Multi-push laundering PoCs:
+#
+#   REA_SKIP="x" git push fake --dry-run; git push origin main
+#     → first push has bypass, second does not. Pre-fix: bypass honored
+#       for FIRST segment only, but the gate exited 0 globally; second
+#       (real) push went through ungated.
+#
+# Round-25 P1-B closes that class by sweeping ALL trigger segments and
+# requiring that EVERY one carries its own bypass. Any trigger segment
+# without a bypass forces preflight invocation.
+#
+# 0.26.0 helix-026 round-25 P1-B fix.
+find_all_segments_starting_with() {
+  local cmd="$1"
+  local pattern="$2"
+  local segment stripped
+  local _matched=0
+  while IFS= read -r segment; do
+    stripped=$(_rea_strip_prefix "$segment")
+    if printf '%s' "$stripped" | grep -qiE "^${pattern}"; then
+      printf '%s\n' "$segment"
+      _matched=1
+    fi
+  done < <(_rea_split_segments "$cmd")
+  if [ "$_matched" -eq 0 ]; then
+    return 1
+  fi
+  return 0
+}
+
+# Return on stdout EVERY segment of $1 (RAW — no prefix-stripping, but
+# with leading whitespace trimmed for clean anchor matching) that matches
+# the extended regex $2. Each match is a separate line. Returns empty
+# stdout and exit 1 if no segments match.
+#
+# Companion to `find_all_segments_starting_with`. Used by
+# local-review-gate's round-25 P1-B fix to sweep every trigger segment
+# whose RAW shape (env-var prefixes intact) triggered the
+# `^([NAME=...])+git push` fallback detector — so each can be validated
+# for bypass independently.
+#
+# 0.26.0 helix-026 round-25 P1-B fix.
+find_all_segments_raw_matches() {
+  local cmd="$1"
+  local pattern="$2"
+  local segment
+  local _matched=0
+  while IFS= read -r segment; do
+    segment="${segment#"${segment%%[![:space:]]*}"}"
+    if printf '%s' "$segment" | grep -qiE "$pattern"; then
+      printf '%s\n' "$segment"
+      _matched=1
+    fi
+  done < <(_rea_split_segments "$cmd")
+  if [ "$_matched" -eq 0 ]; then
+    return 1
+  fi
+  return 0
+}

package/hooks/_lib/policy-read.sh

@@ -141,6 +141,261 @@ policy_list() {
   done < "$policy"
 }
 
+# Resolve the rea binary the same 4-branch ladder used by
+# `local-review-gate.sh` and `templates/pre-push.local-first.sh`. Echoes
+# the resolved command (one shell-token per line) on stdout when found,
+# nothing when the ladder exhausts. The caller passes the result to
+# `read -ra` to materialize a bash array.
+#
+# Round-30 F2: shared helper used by `policy_nested_scalar` to invoke
+# `rea hook policy-get` for canonical inline+block YAML reads. Falling
+# open to empty when no rea CLI is reachable keeps the bash gates
+# advisory rather than fail-closed on missing tooling — same posture
+# `local-review-gate.sh` itself takes.
+_rea_resolve_bin() {
+  local root="${REA_ROOT:-}"
+  if [[ -z "$root" ]]; then
+    if command -v rea_root >/dev/null 2>&1; then
+      root=$(rea_root)
+    else
+      root="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+    fi
+  fi
+  if [ -x "${root}/node_modules/.bin/rea" ]; then
+    printf '%s\n' "${root}/node_modules/.bin/rea"
+    return 0
+  fi
+  if [ -f "${root}/dist/cli/index.js" ] \
+     && [ -f "${root}/package.json" ] \
+     && grep -q '"name": *"@bookedsolid/rea"' "${root}/package.json" 2>/dev/null; then
+    printf 'node\n'
+    printf '%s\n' "${root}/dist/cli/index.js"
+    return 0
+  fi
+  if command -v rea >/dev/null 2>&1; then
+    printf 'rea\n'
+    return 0
+  fi
+  if command -v npx >/dev/null 2>&1; then
+    printf 'npx\n'
+    printf -- '--no-install\n'
+    printf '@bookedsolid/rea\n'
+    return 0
+  fi
+  return 1
+}
+
+# Read the value of a nested scalar under a parent key.
+# Usage: policy_nested_scalar "review" "local_review" "mode"
+# Prints empty when any link in the chain is missing.
+#
+# Round-30 F2 (structural): delegates to `rea hook policy-get` so
+# the bash reader and the TS loader use the same parser. Pre-fix the
+# bash function only matched block-form mappings (parent+child+grandchild
+# at increasing indents) and silently missed inline forms like
+# `local_review: { mode: off }`. The TS loader (yaml.parse) accepts both
+# forms — silent split-brain. Routing through the canonical parser
+# closes the divergence by construction.
+#
+# Fallback: when the rea CLI cannot be located AT ALL (no
+# node_modules/.bin/rea, no dogfood dist, no PATH, no npx), the
+# function falls back to the legacy awk parser. This preserves the
+# pre-0.27 behavior on machines that have not installed rea yet —
+# the gate stays advisory, not fail-closed on missing tooling. The
+# awk fallback keeps the block-only limitation; that's acceptable
+# for the no-CLI scenario because consumers without rea installed
+# can't have edited a rea-format policy anyway.
+policy_nested_scalar() {
+  local parent="$1"
+  local child="$2"
+  local grandchild="$3"
+  local policy
+  policy=$(policy_path)
+  [[ -z "$policy" ]] && return 0
+
+  # Try the canonical TS reader first. `read -ra` materializes the
+  # newline-delimited resolver output into a bash array; an empty
+  # result means the ladder exhausted (no CLI reachable).
+  local resolved
+  resolved=$(_rea_resolve_bin 2>/dev/null) || resolved=""
+  if [[ -n "$resolved" ]]; then
+    local rea_cmd=()
+    while IFS= read -r tok; do
+      [[ -n "$tok" ]] && rea_cmd+=("$tok")
+    done <<< "$resolved"
+    if [[ ${#rea_cmd[@]} -gt 0 ]]; then
+      local out
+      out=$("${rea_cmd[@]}" hook policy-get "${parent}.${child}.${grandchild}" 2>/dev/null) || out=""
+      printf '%s' "$out"
+      return 0
+    fi
+  fi
+
+  # No rea CLI reachable — fall back to the legacy block-form awk
+  # parser. Inline forms still miss in this branch, but the consumer
+  # has bigger problems (no rea binary at all).
+  _rea_awk_nested_scalar "$parent" "$child" "$grandchild"
+}
+
+# Round-30 F2 perf optimization: cache the entire `review.local_review`
+# subtree as JSON on first read. Three rea-CLI spawns per Bash hook fire
+# (200ms each = ~0.6s overhead) is unacceptable; ONE spawn for all three
+# fields is acceptable (~200ms once per hook). The JSON is parsed via jq
+# (already a hook dependency) for each individual field.
+#
+# `_REA_LOCAL_REVIEW_JSON_CACHE` is process-scoped (set when the hook
+# sources this file). Empty string before the first read; either `null`
+# or a JSON object after. The `_REA_LOCAL_REVIEW_JSON_LOADED` flag
+# distinguishes "not yet read" from "read and value was null". Both
+# cleared at re-source time so each hook fire starts fresh.
+_REA_LOCAL_REVIEW_JSON_CACHE=""
+_REA_LOCAL_REVIEW_JSON_LOADED=0
+
+_rea_load_local_review_json() {
+  if [[ $_REA_LOCAL_REVIEW_JSON_LOADED -eq 1 ]]; then
+    return 0
+  fi
+  _REA_LOCAL_REVIEW_JSON_LOADED=1
+  local policy
+  policy=$(policy_path)
+  if [[ -z "$policy" ]]; then
+    _REA_LOCAL_REVIEW_JSON_CACHE='null'
+    return 0
+  fi
+
+  # Try the canonical TS reader for the entire subtree as JSON. Falls
+  # back to awk-fallback emulation when the rea CLI is unreachable.
+  local resolved
+  resolved=$(_rea_resolve_bin 2>/dev/null) || resolved=""
+  if [[ -n "$resolved" ]]; then
+    local rea_cmd=()
+    while IFS= read -r tok; do
+      [[ -n "$tok" ]] && rea_cmd+=("$tok")
+    done <<< "$resolved"
+    if [[ ${#rea_cmd[@]} -gt 0 ]]; then
+      local out
+      out=$("${rea_cmd[@]}" hook policy-get review.local_review --json 2>/dev/null) || out=""
+      if [[ -n "$out" ]]; then
+        _REA_LOCAL_REVIEW_JSON_CACHE="$out"
+        return 0
+      fi
+    fi
+  fi
+
+  # Fallback: synthesize a JSON object from individual awk reads. This
+  # is the only path on machines without rea reachable. Inline-form
+  # values still miss in the awk fallback (the documented divergence
+  # from when no CLI is reachable), but block-form values work.
+  local mode_val refuse_val bypass_val
+  mode_val=$(_rea_awk_nested_scalar "review" "local_review" "mode")
+  refuse_val=$(_rea_awk_nested_scalar "review" "local_review" "refuse_at")
+  bypass_val=$(_rea_awk_nested_scalar "review" "local_review" "bypass_env_var")
+  if command -v jq >/dev/null 2>&1; then
+    _REA_LOCAL_REVIEW_JSON_CACHE=$(jq -n \
+      --arg mode "$mode_val" \
+      --arg refuse_at "$refuse_val" \
+      --arg bypass_env_var "$bypass_val" \
+      'def s($x): if $x == "" then null else $x end;
+       {mode: s($mode), refuse_at: s($refuse_at), bypass_env_var: s($bypass_env_var)}')
+  else
+    # No jq either — synthesize minimal JSON via printf. Values are
+    # YAML scalars; we re-quote them safely. Empty values become null.
+    _REA_LOCAL_REVIEW_JSON_CACHE='null'
+  fi
+}
+
+# Helper: read from the cached local_review JSON via jq. Echoes the
+# scalar value or empty string when missing/null.
+_rea_local_review_get() {
+  local field="$1"
+  _rea_load_local_review_json
+  if [[ "$_REA_LOCAL_REVIEW_JSON_CACHE" == "null" || -z "$_REA_LOCAL_REVIEW_JSON_CACHE" ]]; then
+    return 0
+  fi
+  if ! command -v jq >/dev/null 2>&1; then
+    return 0
+  fi
+  local v
+  v=$(printf '%s' "$_REA_LOCAL_REVIEW_JSON_CACHE" | jq -r --arg f "$field" '.[$f] // empty' 2>/dev/null) || v=""
+  printf '%s' "$v"
+}
+
+# Read `policy.review.local_review.mode`. Prints "enforced" or "off"
+# (defaults to empty when unset — the caller treats empty as "enforced",
+# the protective default). Added 0.26.0; round-30 F2 routes through the
+# canonical TS YAML parser so inline AND block forms both work.
+policy_get_local_review_mode() {
+  _rea_local_review_get "mode"
+}
+
+# Read `policy.review.local_review.refuse_at`. Prints "push" / "commit"
+# / "both" or empty when unset (default "push"). Added 0.26.0.
+policy_get_local_review_refuse_at() {
+  _rea_local_review_get "refuse_at"
+}
+
+# Read `policy.review.local_review.bypass_env_var`. Prints the configured
+# env-var name or empty when unset (default REA_SKIP_LOCAL_REVIEW).
+# Added 0.26.0.
+policy_get_local_review_bypass_env_var() {
+  _rea_local_review_get "bypass_env_var"
+}
+
+# Internal: pure-awk nested-scalar reader. Block-form only — used as the
+# fallback when no rea CLI is reachable. Same body as the historical
+# `policy_nested_scalar` awk parser, lifted into a private helper so
+# the public function can route through `rea hook policy-get` first.
+_rea_awk_nested_scalar() {
+  local parent="$1"
+  local child="$2"
+  local grandchild="$3"
+  local policy
+  policy=$(policy_path)
+  [[ -z "$policy" ]] && return 0
+  awk -v parent="$parent" -v child="$child" -v grandchild="$grandchild" '
+    function indent_of(line,    n, c) {
+      n = 0
+      while (n < length(line)) {
+        c = substr(line, n + 1, 1)
+        if (c == " " || c == "\t") n++
+        else break
+      }
+      return n
+    }
+    BEGIN { in_parent = 0; parent_indent = -1; in_child = 0; child_indent = -1 }
+    {
+      ind = indent_of($0)
+      stripped = $0
+      sub(/^[[:space:]]+/, "", stripped)
+      if (!in_parent && stripped ~ ("^" parent ":[[:space:]]*$") && ind == 0) {
+        in_parent = 1
+        parent_indent = 0
+        next
+      }
+      if (in_parent && ind <= parent_indent && !match(stripped, "^$")) {
+        in_parent = 0
+        in_child = 0
+      }
+      if (in_parent && !in_child && stripped ~ ("^" child ":[[:space:]]*$") && ind > parent_indent) {
+        in_child = 1
+        child_indent = ind
+        next
+      }
+      if (in_child && ind <= child_indent && !match(stripped, "^$")) {
+        in_child = 0
+      }
+      if (in_child && match(stripped, ("^" grandchild ":[[:space:]]+"))) {
+        val = stripped
+        sub(("^" grandchild ":[[:space:]]+"), "", val)
+        sub(/[[:space:]]+#.*$/, "", val)
+        gsub(/^["'\'']|["'\'']$/, "", val)
+        printf "%s", val
+        exit
+      }
+    }
+  ' "$policy"
+}
+
 # Emit each entry of an inline-array body (everything between `[` and
 # `]`, possibly across newlines if the caller concatenated lines with
 # spaces). Strips outer brackets, splits on `,`, trims whitespace and