@bookedsolid/rea 0.30.0 → 0.30.1

package/.husky/prepare-commit-msg

@@ -88,12 +88,31 @@ rea_invoke() {
 ENABLED=$(rea_invoke hook policy-get attribution.co_author.enabled 2>/dev/null)
 REA_RC=$?
 
+# REA_RC interpretation:
+#   0          — rea CLI ran and returned a value (or empty for an
+#                unset key). Use the CLI reads.
+#   non-zero   — rea CLI unreachable (127 sentinel), too old to know
+#                `hook policy-get`, OR the policy YAML is unparseable.
+#                In every one of those cases the policy file ITSELF
+#                may still be valid block-form YAML, so fall back to
+#                the embedded python3 parser. The realistic invalid-
+#                config case — `enabled: true` with an empty name or
+#                email — is caught downstream by the `[ -z "$CO_NAME" ]`
+#                defense-in-depth guard, which exits 0 without
+#                augmenting regardless of which reader produced the
+#                values. (An earlier 0.30.1 revision fail-closed on
+#                non-127 exit codes; codex round 1 showed that
+#                regressed the supported stale-CLI / pre-`pnpm i` flow,
+#                because an old `rea` exits non-zero exactly like an
+#                unparseable policy — the two are indistinguishable by
+#                exit code.)
 if [ "$REA_RC" = "0" ]; then
   CO_NAME=$(rea_invoke hook policy-get attribution.co_author.name 2>/dev/null || printf '')
   CO_EMAIL=$(rea_invoke hook policy-get attribution.co_author.email 2>/dev/null || printf '')
   SKIP_MERGE=$(rea_invoke hook policy-get attribution.co_author.skip_merge 2>/dev/null || printf 'false')
 elif command -v python3 >/dev/null 2>&1; then
-  # rea CLI unreachable — fall back to Python block-form parser.
+  # rea CLI unreachable / stale / policy unparseable — fall back to the
+  # Python block-form parser.
   CO_AUTHOR_PARSE=$(python3 - "$POLICY_FILE" <<'PY' 2>/dev/null
 import re
 import sys

package/dist/cli/doctor.js

@@ -301,7 +301,7 @@ export function checkSettingsSchema(baseDir, strict) {
             detail: `malformed JSON: ${e instanceof Error ? e.message : String(e)}`,
         };
     }
-    const result = validateSettings(parsed);
+    const result = validateSettings(parsed, { strict });
     const issues = [];
     if (!result.parsed) {
         issues.push(...result.errors.map((e) => `schema: ${e}`));
@@ -460,12 +460,22 @@ export function isGitRepo(baseDir) {
  */
 /**
  * Resolve the active git hooks directory for the doctor's prepare-commit-msg
- * check. Mirrors `installCommitMsgHook`'s `readHooksPathFromGit` but
- * synchronous (doctor is sync end-to-end). Honors `core.hooksPath` when set
- * (husky 9 installs land at `.husky/_/`); falls back to `.git/hooks/`
- * otherwise. Codex round 1 P2: prior implementation always looked at
- * `.git/hooks/prepare-commit-msg`, false-reporting missing on any consumer
- * running husky.
+ * check. Mirrors `installPrepareCommitMsgHook`'s resolution order
+ * (synchronous — doctor is sync end-to-end):
+ *
+ *   1. `core.hooksPath` — explicit operator override (husky 9 installs
+ *      land at `.husky/_/`). Honored verbatim.
+ *   2. `git rev-parse --git-path hooks` — resolves the canonical hooks
+ *      dir even when `.git` is a FILE (linked worktrees, submodules).
+ *      0.30.1 round-5 P2: the prior implementation hardcoded
+ *      `.git/hooks`, which is wrong for worktrees/submodules where
+ *      `.git` is a gitdir pointer file, not a directory.
+ *   3. `.git/hooks` — last-resort fallback when git itself is missing.
+ *
+ * The Husky 9 STUB indirection (active file at the resolved path is a
+ * `. "${0%/*}/h"` stub that dispatches to `.husky/prepare-commit-msg`)
+ * is followed separately inside `checkPrepareCommitMsgHook` via
+ * `isHusky9Stub` / `resolveHusky9StubTarget`.
  */
 function resolveHooksDirSync(baseDir) {
     try {
@@ -479,7 +489,20 @@ function resolveHooksDirSync(baseDir) {
         }
     }
     catch {
-        // git missing or `core.hooksPath` unset — fall through to default.
+        // git missing or `core.hooksPath` unset — fall through.
+    }
+    try {
+        const out = execFileSync('git', ['-C', baseDir, 'rev-parse', '--git-path', 'hooks'], {
+            encoding: 'utf8',
+            stdio: ['ignore', 'pipe', 'ignore'],
+        });
+        const trimmed = out.trim();
+        if (trimmed.length > 0) {
+            return path.isAbsolute(trimmed) ? trimmed : path.join(baseDir, trimmed);
+        }
+    }
+    catch {
+        // git missing — fall through to the literal default.
     }
     return path.join(baseDir, '.git', 'hooks');
 }

package/dist/config/settings-schema.d.ts

@@ -2066,8 +2066,20 @@ export interface SettingsValidationResult {
  * best-effort scan of any `hooks: { PreToolUse: [...] }` shape we
  * recognize, so the operator still sees traversal + missing-hooks
  * findings.
+ *
+ * `strict` selects the schema:
+ *   - `false` (default) — `SettingsSchema`, top-level `.passthrough()`.
+ *     Unknown harness keys pass. Used by `rea upgrade` and advisory
+ *     `rea doctor`.
+ *   - `true` — `SettingsSchemaStrict`, top-level `.strict()`. Unknown
+ *     keys fail the parse. Used only by `rea doctor --strict` (the CI
+ *     gate path). 0.30.1 round-5 P2: the strict schema existed since
+ *     0.30.0 but `validateSettings` never accepted the selector, so
+ *     `rea doctor --strict` silently ran the lenient schema.
  */
-export declare function validateSettings(input: unknown): SettingsValidationResult;
+export declare function validateSettings(input: unknown, options?: {
+    strict?: boolean;
+}): SettingsValidationResult;
 /**
  * Cross-check: every name in `EXPECTED_HOOKS` should appear as the
  * basename of at least one `command` across PreToolUse + PostToolUse.

package/dist/config/settings-schema.js

@@ -154,8 +154,18 @@ export function validateNoTraversal(settings) {
  * best-effort scan of any `hooks: { PreToolUse: [...] }` shape we
  * recognize, so the operator still sees traversal + missing-hooks
  * findings.
+ *
+ * `strict` selects the schema:
+ *   - `false` (default) — `SettingsSchema`, top-level `.passthrough()`.
+ *     Unknown harness keys pass. Used by `rea upgrade` and advisory
+ *     `rea doctor`.
+ *   - `true` — `SettingsSchemaStrict`, top-level `.strict()`. Unknown
+ *     keys fail the parse. Used only by `rea doctor --strict` (the CI
+ *     gate path). 0.30.1 round-5 P2: the strict schema existed since
+ *     0.30.0 but `validateSettings` never accepted the selector, so
+ *     `rea doctor --strict` silently ran the lenient schema.
  */
-export function validateSettings(input) {
+export function validateSettings(input, options = {}) {
     const result = {
         parsed: false,
         settings: null,
@@ -164,7 +174,8 @@ export function validateSettings(input) {
         missingReaHooks: [],
         warnings: [],
     };
-    const parsed = SettingsSchema.safeParse(input);
+    const schema = options.strict === true ? SettingsSchemaStrict : SettingsSchema;
+    const parsed = schema.safeParse(input);
     if (parsed.success) {
         result.parsed = true;
         result.settings = parsed.data;

package/dist/policy/loader.d.ts

@@ -249,7 +249,7 @@ declare const PolicySchema: z.ZodObject<{
     attribution: z.ZodOptional<z.ZodObject<{
         co_author: z.ZodOptional<z.ZodEffects<z.ZodObject<{
             enabled: z.ZodOptional<z.ZodBoolean>;
-            name: z.ZodOptional<z.ZodString>;
+            name: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
             email: z.ZodUnion<[z.ZodOptional<z.ZodString>, z.ZodLiteral<"">]>;
             skip_merge: z.ZodOptional<z.ZodBoolean>;
         }, "strict", z.ZodTypeAny, {

package/dist/policy/loader.js

@@ -231,10 +231,24 @@ const GatewayPolicySchema = z
  * Stricter validation is the consumer's job — RFC 5322 is too permissive
  * for an opt-in audit footprint anyway.
  */
+// 0.30.1 round-5 P2: the `name` value lands verbatim inside a
+// `Co-Authored-By: <name> <email>` git trailer. A newline or carriage
+// return in `name` would split the trailer across lines — git's
+// `interpret-trailers` would drop the continuation and the augmenter
+// could even inject arbitrary extra trailer lines. Reject any ASCII
+// control character (newline, CR, tab, NUL, …) in `name`.
+const CONTROL_CHAR_RE = /[\x00-\x1f\x7f]/;
 const AttributionCoAuthorSchema = z
     .object({
     enabled: z.boolean().optional(),
-    name: z.string().optional(),
+    name: z
+        .string()
+        .refine((v) => !CONTROL_CHAR_RE.test(v), {
+        message: 'attribution.co_author.name must not contain control characters ' +
+            '(newlines, tabs, carriage returns) — the value is written verbatim ' +
+            'into a single-line Co-Authored-By git trailer.',
+    })
+        .optional(),
     email: z
         .string()
         .regex(/^[^\s<>@]+@[^\s<>@]+\.[^\s<>@]+$/, {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.30.0",
+  "version": "0.30.1",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",

package/templates/prepare-commit-msg.husky.sh

@@ -88,12 +88,31 @@ rea_invoke() {
 ENABLED=$(rea_invoke hook policy-get attribution.co_author.enabled 2>/dev/null)
 REA_RC=$?
 
+# REA_RC interpretation:
+#   0          — rea CLI ran and returned a value (or empty for an
+#                unset key). Use the CLI reads.
+#   non-zero   — rea CLI unreachable (127 sentinel), too old to know
+#                `hook policy-get`, OR the policy YAML is unparseable.
+#                In every one of those cases the policy file ITSELF
+#                may still be valid block-form YAML, so fall back to
+#                the embedded python3 parser. The realistic invalid-
+#                config case — `enabled: true` with an empty name or
+#                email — is caught downstream by the `[ -z "$CO_NAME" ]`
+#                defense-in-depth guard, which exits 0 without
+#                augmenting regardless of which reader produced the
+#                values. (An earlier 0.30.1 revision fail-closed on
+#                non-127 exit codes; codex round 1 showed that
+#                regressed the supported stale-CLI / pre-`pnpm i` flow,
+#                because an old `rea` exits non-zero exactly like an
+#                unparseable policy — the two are indistinguishable by
+#                exit code.)
 if [ "$REA_RC" = "0" ]; then
   CO_NAME=$(rea_invoke hook policy-get attribution.co_author.name 2>/dev/null || printf '')
   CO_EMAIL=$(rea_invoke hook policy-get attribution.co_author.email 2>/dev/null || printf '')
   SKIP_MERGE=$(rea_invoke hook policy-get attribution.co_author.skip_merge 2>/dev/null || printf 'false')
 elif command -v python3 >/dev/null 2>&1; then
-  # rea CLI unreachable — fall back to Python block-form parser.
+  # rea CLI unreachable / stale / policy unparseable — fall back to the
+  # Python block-form parser.
   CO_AUTHOR_PARSE=$(python3 - "$POLICY_FILE" <<'PY' 2>/dev/null
 import re
 import sys