@bookedsolid/rea 0.27.0 → 0.28.1

package/hooks/blocked-paths-bash-gate.sh

@@ -105,6 +105,18 @@ if [ "$sandbox_status" -ne 0 ] || [ "$sandbox_check" != "ok" ]; then
   exit 2
 fi
 
+# 0.28.0 helix-027 (bash total-lockout postmortem) — version-probe per
+# shim. See protected-paths-bash-gate.sh for the full rationale; this
+# shim mirrors the behavior to detect a stale CLI before payload reach.
+probe_out=$("${REA_ARGV[@]}" hook scan-bash --help 2>&1)
+probe_status=$?
+if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'scan-bash' -e '--mode'; then
+  printf 'rea: this shim requires the `rea hook scan-bash` subcommand (introduced in 0.23.0).\n' >&2
+  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
+  printf 'Run `pnpm install` (or `npm install`) to sync the CLI to the version this shim expects.\n' >&2
+  exit 2
+fi
+
 payload=$(cat)
 if [ -z "$payload" ]; then
   exit 0

package/hooks/protected-paths-bash-gate.sh

@@ -183,6 +183,27 @@ if [ "$sandbox_status" -ne 0 ] || [ "$sandbox_check" != "ok" ]; then
   exit 2
 fi
 
+# 0.28.0 helix-027 (bash total-lockout postmortem) — version-probe per
+# shim. The 0.23.0+ scan-bash subcommand is required; if the resolved
+# CLI is older than 0.23.0 it will refuse with "unknown command" and the
+# shim's exit-code dispatch lands on the catch-all "exit 2" branch
+# WITHOUT explaining why. That was the symptom that locked Jake's
+# helix workspace out of every Bash tool until he ran `pnpm install`.
+#
+# The probe runs `rea hook scan-bash --help` once per shim invocation
+# (~30 LOC) and refuses with an actionable message if the subcommand
+# does not exist. Probe failure is fail-closed (exit 2) — same posture
+# the rest of the shim takes — but the message tells the operator
+# exactly what to do (`pnpm install`).
+probe_out=$("${REA_ARGV[@]}" hook scan-bash --help 2>&1)
+probe_status=$?
+if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'scan-bash' -e '--mode'; then
+  printf 'rea: this shim requires the `rea hook scan-bash` subcommand (introduced in 0.23.0).\n' >&2
+  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
+  printf 'Run `pnpm install` (or `npm install`) to sync the CLI to the version this shim expects.\n' >&2
+  exit 2
+fi
+
 # Capture stdin once and forward it to the CLI.
 payload=$(cat)
 if [ -z "$payload" ]; then

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.27.0",
+  "version": "0.28.1",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",
@@ -46,6 +46,7 @@
     "profiles/",
     "templates/",
     "scripts/",
+    "data/",
     ".husky/",
     "LICENSE",
     "README.md",