@bookedsolid/rea 0.28.1 → 0.29.0

package/hooks/delegation-capture.sh

@@ -0,0 +1,158 @@
+#!/bin/bash
+# PreToolUse hook: delegation-capture.sh
+# 0.29.0+ — delegation-telemetry MVP.
+#
+# Fires BEFORE every `Agent` or `Skill` tool call. Reads the Claude
+# Code hook payload from stdin, pipes it to
+# `rea hook delegation-signal --detach`, and exits 0 immediately.
+#
+# The signal is OBSERVATIONAL — never gates tool dispatch. Worst-case
+# latency budget is ~50ms even when the audit chain is under
+# cross-process contention, because the audit append runs in the
+# background (via `&`) and the CLI subcommand itself only validates
+# the payload before forking the writer.
+#
+# Matcher: `Agent|Skill` (NOT `Task|Skill` — `TaskCreate`/`TaskList`
+# are the unrelated todo-list tools and MUST NOT match).
+#
+# # CLI-resolution trust boundary
+#
+# Codex round 3 P1 (2026-05-12): pre-fix this hook resolved the rea
+# binary via `$REA_ROOT/node_modules/.bin/rea` then PATH-walked
+# `command -v rea`. Either path was attacker-influenced in a consumer
+# repo with a forged `node_modules/.bin/rea` symlink or a
+# PATH-prepended fake `rea` binary — giving attacker-controlled code
+# execution on every Agent/Skill dispatch.
+#
+# Fix: this hook now uses the same 2-tier sandboxed resolution that
+# protected-paths-bash-gate.sh + blocked-paths-bash-gate.sh use:
+#   1. node_modules/@bookedsolid/rea/dist/cli/index.js (consumer-side
+#      published artifact)
+#   2. dist/cli/index.js under CLAUDE_PROJECT_DIR (the rea repo's own
+#      dogfood install)
+#
+# A realpath sandbox check ensures the resolved CLI lives INSIDE
+# realpath(CLAUDE_PROJECT_DIR) — catches symlink-out attacks.
+#
+# Exit codes:
+#   0 — always (under normal operation). Failure to write the audit
+#       signal must NEVER block Claude Code's tool dispatch. Stderr
+#       breadcrumbs surface diagnostic info to the operator. HALT
+#       still exits 2 because the kill-switch contract must hold.
+#   2 — HALT active.
+
+set -uo pipefail
+
+# 1. HALT check. Even though this hook is observational, refusing to
+#    emit signals while frozen matches the rest of the hook tree and
+#    keeps the kill-switch contract uniform.
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
+check_halt
+REA_ROOT=$(rea_root)
+
+proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
+
+# 2. Resolve the rea CLI through the same fixed 2-tier sandboxed order
+#    the protected-paths / blocked-paths bash gates use. PATH lookup
+#    is INTENTIONALLY OMITTED — agent-controlled $PATH would let a
+#    forged `rea` binary on a consumer machine intercept the
+#    delegation signal on every Agent/Skill dispatch. The trade-off:
+#    consumers MUST have `@bookedsolid/rea` installed under
+#    `node_modules` (the common case after `pnpm i`) OR be running
+#    against the rea repo's own dogfood (where dist/cli/index.js
+#    holds the canonical CLI). Other install shapes silently drop the
+#    signal — matching the bash-gate posture.
+REA_ARGV=()
+RESOLVED_CLI_PATH=""
+if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
+elif [ -f "$proj/dist/cli/index.js" ]; then
+  # rea repo dogfood: the project IS @bookedsolid/rea.
+  REA_ARGV=(node "$proj/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
+fi
+
+if [ "${#REA_ARGV[@]}" -eq 0 ]; then
+  # No rea CLI in scope — drop the signal silently. This is the
+  # expected state during bootstrap (consumer ran `rea init` but
+  # hasn't installed the npm package yet) or in non-rea repos. A
+  # noisy stderr warning here would fire on every Agent/Skill
+  # dispatch and drown legitimate signals.
+  exit 0
+fi
+
+# 3. Realpath sandbox check — mirrors protected-paths-bash-gate.sh §6.
+#    The resolved CLI MUST live inside realpath(CLAUDE_PROJECT_DIR)
+#    AND have an ancestor package.json declaring `@bookedsolid/rea`
+#    as its `name`. Catches symlink-out attacks where an attacker
+#    writes node_modules/@bookedsolid/rea → /tmp/forged-tree.
+if ! command -v node >/dev/null 2>&1; then
+  # Node not on PATH — we can't verify the CLI shape. Fail safe by
+  # dropping the signal (observability is not a security claim; the
+  # rest of the Bash gate suite refuses on this path).
+  exit 0
+fi
+
+sandbox_check=$(node -e '
+  const fs = require("fs");
+  const path = require("path");
+  const cli = process.argv[1];
+  const projDir = process.argv[2];
+  let real, realProj;
+  try { real = fs.realpathSync(cli); } catch (e) {
+    process.stdout.write("bad:realpath");
+    process.exit(1);
+  }
+  try { realProj = fs.realpathSync(projDir); } catch (e) {
+    process.stdout.write("bad:realpath-proj");
+    process.exit(1);
+  }
+  const sep = path.sep;
+  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
+  if (!(real === realProj || real.startsWith(projWithSep))) {
+    process.stdout.write("bad:cli-escapes-project");
+    process.exit(1);
+  }
+  // Walk up looking for package.json with the protected name.
+  let cur = path.dirname(path.dirname(path.dirname(real))); // pkg root
+  let found = false;
+  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
+    const pj = path.join(cur, "package.json");
+    if (fs.existsSync(pj)) {
+      try {
+        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
+        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
+      } catch (e) { /* keep walking */ }
+    }
+    cur = path.dirname(cur);
+  }
+  if (!found) {
+    process.stdout.write("bad:no-rea-pkg-json");
+    process.exit(1);
+  }
+  process.stdout.write("ok");
+' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
+
+if [ "$sandbox_check" != "ok" ]; then
+  # CLI failed the sandbox check — silent drop. The forensic
+  # breadcrumb in stderr is intentional but trimmed so this doesn't
+  # become spammy on every dispatch.
+  printf 'rea: delegation-capture skipped (sandbox check: %s)\n' "$sandbox_check" >&2
+  exit 0
+fi
+
+# 4. Read stdin and pipe to the CLI. `--detach` tells the CLI to
+#    suppress stderr output (no parent shell is listening); we ALSO
+#    background the whole pipeline with `&` and `disown` so the
+#    shell hook returns instantly even if the CLI's own startup
+#    takes a few ms.
+INPUT=$(cat)
+{
+  printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook delegation-signal --detach \
+    >/dev/null 2>&1 &
+  disown 2>/dev/null || true
+} 2>/dev/null
+
+exit 0

package/hooks/settings-protection.sh

@@ -128,6 +128,45 @@ if [[ "$raw_has_traversal" -eq 1 ]] || [[ "$norm_has_traversal" -eq 1 ]]; then
   exit 2
 fi
 
+# ── 5a-bis. Reject interior single-dot segments (0.29.0 helix-/./-class) ─────
+# Companion to the `..` guard above. The `normalize_path` helper deliberately
+# does NOT collapse interior `./` segments because doing so would corrupt
+# `..` traversals — but that leaves a parallel bypass class. A path like
+# `.husky/./pre-push` resolves on disk to `.husky/pre-push`, yet the literal/
+# prefix matchers in §6 compare against the un-collapsed `.husky/./pre-push`
+# string and miss the match.
+#
+# Conservative reading (per Jake 2026-05-12): treat any interior `./`
+# segment exactly like a `..` segment — refuse outright, force the caller
+# to send a canonical path. The corpus design pairs shell-scripting-specialist
+# with adversarial-test-specialist; the canonical attack shapes are:
+#
+#   .husky/./pre-push                  — single segment
+#   .husky/././pre-push                — repeated segments
+#   .husky/.//pre-push                 — `./` immediately followed by another `/`
+#   .claude/hooks/./_lib/halt-check.sh — inside a protected directory
+#   %2E%2F                             — percent-encoded `./`, caught after URL-decode
+#   .\.\pre-push                       — backslash variant, normalize_path → `./`
+#
+# Only the NORMALIZED form is checked (not the raw form) because raw `./foo`
+# at start-of-string is a legitimate relative path; `normalize_path` already
+# strips leading `./` segments, so anything that survives into the normalized
+# form's `/./` shape is INTERIOR by construction.
+norm_has_dot_segment=0
+case "/$NORMALIZED/" in
+  */./*) norm_has_dot_segment=1 ;;
+esac
+if [[ "$norm_has_dot_segment" -eq 1 ]]; then
+  {
+    printf 'SETTINGS PROTECTION: interior dot-segment rejected\n'
+    printf '\n'
+    printf '  File: %s\n' "$SAFE_FILE_PATH"
+    printf "  Rule: path contains an interior '/./' segment; rewrite to a\n"
+    printf '        canonical project-relative path without dot segments.\n'
+  } >&2
+  exit 2
+fi
+
 # Compute lower-cased path early so the §5b allow-list (and §6/§6b matchers
 # below) all reference a single normalized variable.
 LOWER_NORM=$(printf '%s' "$NORMALIZED" | tr '[:upper:]' '[:lower:]')

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.28.1",
+  "version": "0.29.0",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",

package/scripts/dist-regression-gate.sh

@@ -167,8 +167,52 @@ trap 'rm -rf -- "$WORK"' EXIT HUP INT TERM
 # a new tarball was published. The release.yml rebuild+verify step
 # remains the catching net at publish time, so skipping here does not
 # re-open the BUG-013 attack surface for the merge-to-main path.
-if ! ( cd "$WORK" && npm pack "${PKG_NAME}@${PREV_VERSION}" --silent >/dev/null 2>&1 ); then
-  log "skip — npm pack ${PKG_NAME}@${PREV_VERSION} failed (network issue or registry outage)"
+#
+# 0.29.0: bounded retry loop for npm CDN propagation lag. The memory
+# entries for 0.9.0, 0.12.0, 0.13.0, 0.28.0, and 0.28.1 all note
+# "release verify flaked on npm CDN lag" — `npm view` returns the
+# version metadata but `npm pack` against the same version times out
+# or 404s because the tarball blob has not propagated to all CDN edges
+# yet. The CI-side workflow already has a 12×10s retry (release.yml
+# phase 2); this script runs locally / in PR CI where the failure
+# window is shorter but still occurs.
+#
+# Shape: initial attempt + three retries with sleeps 2s / 8s / 30s.
+# Total worst-case wait = 2 + 8 + 30 = 40s, all on the failure path.
+# That covers the empirically observed CDN propagation window (cf.
+# release.yml phase 2 retry loops) while bounding the local-/ PR-side
+# blocking time to under a minute on a genuine outage.
+NPM_PACK_OK=0
+NPM_PACK_DELAYS=(2 8 30)
+NPM_PACK_ATTEMPTS=$((${#NPM_PACK_DELAYS[@]} + 1))
+# Codex round 1 P2-2: use bash arithmetic for-loop instead of `$(seq 1 N)`.
+# `seq` is not in the preflight tool list (line 104: npm jq git shasum tar)
+# and `set -e` at the top of the script would exit 127 inside the loop body
+# on minimal images that lack it (Alpine, some BusyBox shells). Bash's
+# arithmetic for-loop is a builtin and works on every supported version.
+for ((attempt = 1; attempt <= NPM_PACK_ATTEMPTS; attempt++)); do
+  if ( cd "$WORK" && npm pack "${PKG_NAME}@${PREV_VERSION}" --silent >/dev/null 2>&1 ); then
+    if [ "$attempt" -gt 1 ]; then
+      log "npm pack succeeded after ${attempt} attempt(s) (CDN propagation lag)"
+    fi
+    NPM_PACK_OK=1
+    break
+  fi
+  # Clean up any partial artifact npm pack may have left in $WORK
+  # before retrying so the next attempt has a clean slate.
+  find "$WORK" -maxdepth 1 -type f -name '*.tgz' -delete 2>/dev/null || true
+  if [ "$attempt" -lt "$NPM_PACK_ATTEMPTS" ]; then
+    # Bash array is 0-indexed; $attempt is 1-indexed; index into
+    # NPM_PACK_DELAYS at $attempt-1 to read the delay AFTER this
+    # failed attempt (before the next try).
+    idx=$((attempt - 1))
+    delay="${NPM_PACK_DELAYS[$idx]}"
+    log "npm pack attempt ${attempt}/${NPM_PACK_ATTEMPTS} failed; sleeping ${delay}s for CDN propagation"
+    sleep "$delay"
+  fi
+done
+if [ "$NPM_PACK_OK" -ne 1 ]; then
+  log "skip — npm pack ${PKG_NAME}@${PREV_VERSION} failed after ${NPM_PACK_ATTEMPTS} attempts (network issue, registry outage, or persistent CDN lag)"
   exit 0
 fi