@bookedsolid/rea 0.30.1 → 0.32.0

package/hooks/security-disclosure-gate.sh

@@ -1,339 +1,171 @@
-#!/usr/bin/env bash
-# security-disclosure-gate.sh — PreToolUse: Bash
+#!/bin/bash
+# PreToolUse hook: security-disclosure-gate.sh
+# 0.32.0+ — Node-binary shim for `rea hook security-disclosure-gate`.
 #
-# Intercepts `gh issue create` commands that contain security-sensitive
-# keywords and blocks them. Routing depends on REA_DISCLOSURE_MODE:
+# Pre-0.32.0 the gate's full body lived here as bash (339 LOC including
+# the awk body-file resolver, security-patterns array, and mode-aware
+# routing). The migration to the parser-backed Node binary moves all of
+# that into `src/hooks/security-disclosure-gate/index.ts`. This shim is
+# the Claude Code dispatcher's view of the hook — it forwards stdin
+# AND the REA_DISCLOSURE_MODE env var to the CLI and exits with
+# whatever the CLI returns.
 #
-#   advisory (default) — redirect to GitHub Security Advisories (private)
-#                        Use for public OSS repos
-#   issues             — redirect to gh issue create with security + internal labels
-#                        Use for permanently private client repos
-#   disabled           — pass through (not recommended)
+# Behavioral contract is preserved byte-for-byte: exit 0 on
+# pass-through / no-match, exit 2 on HALT / pattern match / traversal
+# refusal / malformed payload (fail-closed).
 #
-# Set REA_DISCLOSURE_MODE in .rea/policy.yaml (written to settings.json
-# env by rea init). Defaults to "advisory" when unset.
+# # CLI-resolution trust boundary
 #
-# Triggered by: PreToolUse — Bash tool
-
-set -euo pipefail
+# Codex round 1 P1 (2026-05-15): realpath sandbox check matches
+# delegation-advisory.sh §3. The resolved CLI MUST live INSIDE
+# realpath(CLAUDE_PROJECT_DIR) AND have an ancestor `package.json`
+# whose `name` is `@bookedsolid/rea`. Defends against symlink-out
+# and tarball-replacement attacks that could otherwise forge the
+# pattern matcher and either suppress real findings or leak a
+# vulnerability through the disclosure gate.
+#
+# Sandboxed resolution order (PATH is INTENTIONALLY OMITTED):
+#   1. node_modules/@bookedsolid/rea/dist/cli/index.js (consumer-side)
+#   2. dist/cli/index.js under CLAUDE_PROJECT_DIR (dogfood)
+#
+# When NO rea CLI is reachable, the hook falls through to allow —
+# same posture as the bash-resident version, which `source`d
+# _lib/common.sh first and exited cleanly if the lib was missing.
 
-# shellcheck source=_lib/common.sh
-source "$(dirname "$0")/_lib/common.sh"
+set -uo pipefail
 
+# 1. HALT check.
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
 check_halt
+REA_ROOT=$(rea_root)
 
-# Read disclosure mode — default to advisory
-DISCLOSURE_MODE="${REA_DISCLOSURE_MODE:-advisory}"
+proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
 
-# Disabled mode: pass through entirely
-if [[ "$DISCLOSURE_MODE" == "disabled" ]]; then
+# 2. Relevance pre-gate (0.32.0 round-5 P1, round-6 fix). PreToolUse
+#    Bash matchers fire on EVERY shell command, but this hook only
+#    enforces against `gh issue create` payloads carrying disclosure
+#    keywords. Capture stdin + check relevance FIRST so unrelated
+#    commands exit 0 even when the CLI is missing/stale.
+#
+#    Match `gh issue create` ANYWHERE in the command string (allow
+#    shell prefixes — `sudo`, env assignments). Round-6 P1.
+INPUT=$(cat)
+# Substring scan (NOT JSON-aware). Round-7 P1: any JSON-aware regex
+# anchored on `"command":"...` gets tripped by escaped quotes in
+# quoted env prefixes (`MODE="internal" gh issue create …`). Plain
+# substring match has no such edge — and false-positives just defer
+# to the Node body which handles correctly.
+RELEVANT=0
+if printf '%s' "$INPUT" | grep -qE 'gh[[:space:]]+issue[[:space:]]+create'; then
+  RELEVANT=1
+fi
+if [ "$RELEVANT" -eq 0 ]; then
   exit 0
 fi
 
-INPUT="$(cat)"
-TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name // ""')
-
-if [[ "$TOOL_NAME" != "Bash" ]]; then
+# 2b. Mode short-circuit (round-6 P2). The pre-0.32.0 bash body
+#     no-op'd ONLY when `REA_DISCLOSURE_MODE=disabled` — `advisory`
+#     mode and the `issues` mode (default) BOTH enforced. Without
+#     this check, an unbuilt/stale install would refuse every relevant
+#     `gh issue create` even when the operator has deliberately set
+#     mode=disabled.
+MODE="${REA_DISCLOSURE_MODE:-advisory}"
+if [ "$MODE" = "disabled" ]; then
   exit 0
 fi
 
-COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // ""')
-
-# Only intercept gh issue create
-# 0.16.3 F8: anchor at segment start so `gh pr create --body "context: gh issue create earlier"`
-# does not match. Same anchoring class as F5/F6 in this release. Source the
-# segment splitter and use any_segment_starts_with — when the cmd-segments
-# lib isn't reachable for any reason, fall back to the legacy unanchored
-# grep (defense-in-depth: better to over-block prose mentions than miss a
-# real `gh issue create`).
-# shellcheck source=_lib/cmd-segments.sh
-if [ -f "$(dirname "$0")/_lib/cmd-segments.sh" ]; then
-  # shellcheck source=_lib/cmd-segments.sh
-  source "$(dirname "$0")/_lib/cmd-segments.sh"
-  if ! any_segment_starts_with "$COMMAND" 'gh[[:space:]]+issue[[:space:]]+create'; then
-    exit 0
-  fi
-else
-  if ! echo "$COMMAND" | grep -qE 'gh\s+issue\s+create'; then
-    exit 0
-  fi
+# 3. Resolve the rea CLI.
+REA_ARGV=()
+RESOLVED_CLI_PATH=""
+if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
+elif [ -f "$proj/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
 fi
 
-require_jq
-
-# Security-sensitive keywords that should not appear in public issues —
-# these terms suggest a vulnerability, exploit path, or bypass technique
-SECURITY_PATTERNS=(
-  # Vulnerability classes
-  'bypass'
-  'exploit'
-  'injection'
-  'traversal'
-  'exfiltrat'
-  'escalat'
-  'privilege'
-  'rce'
-  'remote.code.exec'
-  'arbitrary.code'
-  'code.execution'
-  'zero.day'
-  '0day'
-  'CVE-'
-  'CVSS'
-  'GHSA-'
-  # Reagent-specific sensitive terms
-  'hook.bypass'
-  'HALT.bypass'
-  'redaction.bypass'
-  'policy.bypass'
-  'middleware.bypass'
-  'skip.*gate'
-  'evad'
-  # Credential/secret exposure
-  'secret.*leak'
-  'credential.*leak'
-  'token.*leak'
-  'key.*expos'
-  'expos.*secret'
-  # Prompt injection
-  'prompt.inject'
-  'jailbreak'
-  'jail.break'
-)
-
-# Scan the full command text (title + body + flags) for sensitive patterns.
-#
-# 0.16.3 discord-ops Round 9 #2 fix: pre-fix the scan only saw what was on
-# the command line, so `gh issue create --body-file leak.md` (or `-F`)
-# routed the body through a file the regex never read. We now resolve the
-# named flag's path argument(s), read up to 64 KiB of each (cap covers
-# realistic issue bodies; a multi-megabyte body is suspicious in itself),
-# and prepend the lowercased file contents to FULL_TEXT before the
-# pattern scan. Stdin form (`-F -` or `--body-file -`) is intentionally
-# skipped — the hook's stdin is the tool payload, not the issue body,
-# and re-reading is impossible. Files outside REA_ROOT (resolved via
-# `..` traversal) are refused as a defense-in-depth measure mirroring
-# protected-paths-bash-gate.sh's outside-root sentinel.
-REA_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
-BODY_FILE_TEXT=""
-_extract_body_file_paths() {
-  # Emit each `--body-file PATH` and `-F PATH` argument on its own line.
-  # Skips the stdin form (`-`) and emits the path verbatim from the
-  # equals-form (`--body-file=PATH` / `-F=PATH`).
-  #
-  # 0.17.0 helix-019 #2: quote-aware tokenization. The pre-fix awk split
-  # on whitespace, breaking `--body-file "security notes.md"` into three
-  # tokens — the hook then tried to read `"security` (with literal
-  # leading quote), failed, and silently skipped the body scan. Now we
-  # walk the string with quote-state awareness: whitespace inside
-  # matched `"..."` / `'...'` spans is part of the token, not a
-  # separator. Single-quote spans have no escape semantics; double-quote
-  # spans treat `\"` and `\\` as literal escapes (POSIX shell rules).
-  printf '%s' "$COMMAND" \
-    | awk '
-        BEGIN { skip_next = 0 }
-        function strip_outer_quotes(s,    n, first, last) {
-          n = length(s)
-          if (n < 2) return s
-          first = substr(s, 1, 1)
-          last  = substr(s, n, 1)
-          if ((first == "\"" && last == "\"") || (first == "'\''" && last == "'\''")) {
-            return substr(s, 2, n - 2)
-          }
-          return s
-        }
-        function emit_token(t) {
-          if (skip_next) {
-            skip_next = 0
-            if (t == "-" || t == "") return
-            t = strip_outer_quotes(t)
-            print t
-            return
-          }
-          if (t == "--body-file" || t == "-F") { skip_next = 1; return }
-          if (t ~ /^--body-file=/) {
-            v = substr(t, length("--body-file=") + 1)
-            v = strip_outer_quotes(v)
-            if (v != "" && v != "-") print v
-          }
-          if (t ~ /^-F=/) {
-            v = substr(t, length("-F=") + 1)
-            v = strip_outer_quotes(v)
-            if (v != "" && v != "-") print v
-          }
-        }
-        {
-          line = $0
-          n = length(line)
-          i = 1
-          tok = ""
-          mode = 0  # 0=plain, 1=double-quoted, 2=single-quoted
-          while (i <= n) {
-            ch = substr(line, i, 1)
-            if (mode == 0) {
-              # 0.18.0 helix-020 G3.B fix: in plain (unquoted) mode,
-              # `\X` (any character X) is the POSIX shell escape for
-              # the literal character X — most commonly a space in
-              # paths like `path\ with\ spaces.md`. Pre-fix the
-              # tokenizer treated the `\` as an ordinary character and
-              # truncated at the following space, dropping the rest of
-              # the path. We now consume the backslash and emit the
-              # following byte as a literal part of the current token.
-              # `\<eol>` (line-continuation) is left intact — emit the
-              # `\` and let the splitter flow into the next record on
-              # the assumption that the caller already joined the line.
-              if (ch == "\\" && i < n) {
-                nxt = substr(line, i + 1, 1)
-                tok = tok nxt
-                i += 2
-                continue
-              }
-              if (ch == " " || ch == "\t") {
-                if (tok != "") { emit_token(tok); tok = "" }
-                i++; continue
-              }
-              if (ch == "\"") { mode = 1; tok = tok ch; i++; continue }
-              if (ch == "'\''") { mode = 2; tok = tok ch; i++; continue }
-              tok = tok ch
-              i++
-              continue
-            }
-            if (mode == 1) {
-              if (ch == "\\" && i < n) {
-                nxt = substr(line, i + 1, 1)
-                tok = tok ch nxt
-                i += 2
-                continue
-              }
-              if (ch == "\"") { mode = 0; tok = tok ch; i++; continue }
-              tok = tok ch
-              i++
-              continue
-            }
-            # mode == 2
-            if (ch == "'\''") { mode = 0; tok = tok ch; i++; continue }
-            tok = tok ch
-            i++
-          }
-          if (tok != "") emit_token(tok)
-        }'
-}
-while IFS= read -r body_path; do
-  [[ -z "$body_path" ]] && continue
-  raw_path="$body_path"
-  # Resolve relative to the hook's cwd (the agent's project dir). gh
-  # accepts both absolute paths (e.g. tmpfiles like /var/folders/…) and
-  # cwd-relative paths; we honor both. Absolute paths NOT containing
-  # `..` are taken at face value.
-  if [[ "$body_path" != /* ]]; then
-    body_path="$(pwd)/$body_path"
-  fi
-  # Walk `..` segments. The only outside-REA_ROOT shape we refuse is one
-  # where the canonical form contains `..` (i.e. an explicit traversal
-  # by the caller). Plain absolute tmp paths are NOT refused — gh issue
-  # body-files are very commonly written to /var/folders or /tmp and
-  # rejecting those would defeat the scan in routine use.
-  had_traversal=0
-  case "/$raw_path/" in */../*) had_traversal=1 ;; esac
-  resolved="$body_path"
-  if [[ "$had_traversal" -eq 1 ]]; then
-    IFS='/' read -ra _bf_parts_raw <<<"$body_path"
-    _bf_parts=()
-    for _seg in "${_bf_parts_raw[@]}"; do
-      case "$_seg" in
-        ''|.) continue ;;
-        ..) [[ "${#_bf_parts[@]}" -gt 0 ]] && unset '_bf_parts[${#_bf_parts[@]}-1]' ;;
-        *) _bf_parts+=("$_seg") ;;
-      esac
-    done
-    resolved="/$(IFS=/; printf '%s' "${_bf_parts[*]}")"
-    # 0.17.0 helix-019 #1: HARD REFUSAL on traversal escaping REA_ROOT.
-    # Pre-fix the gate logged "skipping body scan" and exited 0 — every
-    # sensitive payload at the resolved external path bypassed the
-    # disclosure check. The traversal-out-of-root shape exists ONLY to
-    # obfuscate; legitimate workflows pass absolute tmpfile paths
-    # (`/tmp/...`, `/var/folders/...`) without `..` segments.
-    if [[ "$resolved" != "$REA_ROOT" && "$resolved" != "$REA_ROOT"/* ]]; then
-      {
-        printf 'SECURITY DISCLOSURE GATE: --body-file path traversal escapes project root\n'
-        printf '\n'
-        printf '  Path:     %s\n' "$raw_path"
-        printf '  Resolved: %s\n' "$resolved"
-        printf '\n'
-        printf '  Rule: --body-file paths whose canonical form uses `..` segments to\n'
-        printf '        escape REA_ROOT are refused. Move the file inside the project\n'
-        printf '        tree, or paste the body inline via --body.\n'
-      } >&2
-      exit 2
-    fi
-  fi
-  if [[ ! -r "$resolved" ]]; then
-    printf 'security-disclosure-gate: --body-file %s unreadable; skipping body scan\n' "$raw_path" >&2
-    continue
-  fi
-  # Cap at 64 KiB. Lowercase to match FULL_TEXT case folding.
-  body_chunk=$(head -c 65536 "$resolved" 2>/dev/null | tr '[:upper:]' '[:lower:]') || body_chunk=""
-  if [[ -n "$body_chunk" ]]; then
-    BODY_FILE_TEXT="${BODY_FILE_TEXT}
-${body_chunk}"
-  fi
-done < <(_extract_body_file_paths)
-
-FULL_TEXT="${BODY_FILE_TEXT}
-$(echo "$COMMAND" | tr '[:upper:]' '[:lower:]')"
-
-MATCHED_PATTERN=""
-for PATTERN in "${SECURITY_PATTERNS[@]}"; do
-  if echo "$FULL_TEXT" | grep -qiE "$PATTERN"; then
-    MATCHED_PATTERN="$PATTERN"
-    break
-  fi
-done
-
-if [[ -z "$MATCHED_PATTERN" ]]; then
-  exit 0
+if [ "${#REA_ARGV[@]}" -eq 0 ]; then
+  # 0.32.0 round-4 P1: this is a blocking-tier gate — the pre-0.32.0
+  # bash body enforced the disclosure policy WITHOUT a compiled CLI.
+  # Falling through to exit 0 here would silently disable security-
+  # keyword blocking on `gh issue create` until the operator runs
+  # `pnpm install` / `pnpm build`. Fail closed: refuse the operation
+  # and tell the operator how to restore protection.
+  printf 'rea: security-disclosure-gate cannot run — the rea CLI is not built.\n' >&2
+  printf 'Run `pnpm install && pnpm build` (or `npm install` for a consumer install) to restore protection.\n' >&2
+  printf 'This shim fails closed because the pre-0.32.0 bash body enforced disclosure policy without a CLI.\n' >&2
+  exit 2
 fi
 
-# ─── Route based on disclosure mode ──────────────────────────────────────────
-
-if [[ "$DISCLOSURE_MODE" == "issues" ]]; then
-  # Private repo mode: redirect to labeled internal issue
-  json_output "block" \
-    "SECURITY DISCLOSURE GATE: This issue appears to describe a security finding (matched: '${MATCHED_PATTERN}').
-
-This project is configured for PRIVATE disclosure (REA_DISCLOSURE_MODE=issues).
-
-CORRECT PATH for security findings in this private repo:
-  Use: gh issue create --label 'security,internal' --title '...' --body '...'
-
-The 'security' and 'internal' labels keep this off public project boards and
-mark it for maintainer-only triage. Do NOT use the public issue queue without
-these labels for security findings.
-
-If this is NOT a security finding, rephrase the title/body to avoid triggering
-security patterns, then retry."
-
-else
-  # Advisory mode (default): redirect to GitHub Security Advisories
-  json_output "block" \
-    "SECURITY DISCLOSURE GATE: This issue appears to describe a security vulnerability (matched: '${MATCHED_PATTERN}'). Do NOT create a public GitHub issue for security vulnerabilities.
-
-CORRECT DISCLOSURE PATH:
-1. Use GitHub Security Advisories (private):
-   gh api repos/{owner}/{repo}/security-advisories --method POST --input - <<'JSON'
-   { \"summary\": \"...\", \"description\": \"...\", \"severity\": \"medium|high|critical\",
-     \"vulnerabilities\": [{\"package\": {\"name\": \"@pkg\", \"ecosystem\": \"npm\"}}] }
-   JSON
-2. Or navigate to: Security tab → Advisories → 'Report a vulnerability'
-3. Or email security@bookedsolid.tech (see SECURITY.md)
-
-The finding will be publicly disclosed AFTER a patch is released (coordinated disclosure).
+# 3. Realpath sandbox check.
+if ! command -v node >/dev/null 2>&1; then
+  printf 'rea: security-disclosure-gate cannot run — `node` is not on PATH.\n' >&2
+  printf 'Install Node 22+ (engines.node) to restore disclosure-policy enforcement.\n' >&2
+  exit 2
+fi
 
-WHY: Public issues expose vulnerabilities before users can patch. This is enforced by the
-security-disclosure-gate hook (REA_DISCLOSURE_MODE=${DISCLOSURE_MODE}).
+sandbox_check=$(node -e '
+  const fs = require("fs");
+  const path = require("path");
+  const cli = process.argv[1];
+  const projDir = process.argv[2];
+  let real, realProj;
+  try { real = fs.realpathSync(cli); } catch (e) {
+    process.stdout.write("bad:realpath"); process.exit(1);
+  }
+  try { realProj = fs.realpathSync(projDir); } catch (e) {
+    process.stdout.write("bad:realpath-proj"); process.exit(1);
+  }
+  const sep = path.sep;
+  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
+  if (!(real === realProj || real.startsWith(projWithSep))) {
+    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
+  }
+  let cur = path.dirname(path.dirname(path.dirname(real)));
+  let found = false;
+  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
+    const pj = path.join(cur, "package.json");
+    if (fs.existsSync(pj)) {
+      try {
+        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
+        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
+      } catch (e) { /* keep walking */ }
+    }
+    cur = path.dirname(cur);
+  }
+  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
+  process.stdout.write("ok");
+' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
+
+if [ "$sandbox_check" != "ok" ]; then
+  # 0.32.0 round-4 P1: fail closed (blocking-tier — see exit-0 → exit-2
+  # rationale at the top). A failed sandbox check means the CLI we
+  # would run cannot be authenticated as the rea binary; refusing is
+  # both the safest posture AND preserves the pre-0.32.0 bash-body
+  # contract that this hook always enforces policy.
+  printf 'rea: security-disclosure-gate FAILED sandbox check (%s) — refusing.\n' "$sandbox_check" >&2
+  exit 2
+fi
 
-If this is NOT a security vulnerability, rephrase the issue to avoid triggering
-security patterns, then retry."
+# 4. Version-probe: confirm the resolved CLI implements
+#    `hook security-disclosure-gate`. Codex round 1 P1.
+probe_out=$("${REA_ARGV[@]}" hook security-disclosure-gate --help 2>&1)
+probe_status=$?
+if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'security-disclosure-gate'; then
+  # 0.32.0 round-4 P1: a stale/older CLI without the new subcommand is
+  # NOT a "harmless availability fallback" for this hook — the bash
+  # body it replaces always enforced. Fail closed and tell the
+  # operator exactly how to fix.
+  printf 'rea: this shim requires the `rea hook security-disclosure-gate` subcommand (introduced in 0.32.0).\n' >&2
+  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
+  printf 'Run `pnpm install` (or `npm install`) to sync the CLI; refusing in the meantime to preserve enforcement.\n' >&2
+  exit 2
 fi
 
-exit 2
+# 5. Forward stdin (already captured up-front for the relevance gate).
+#    REA_DISCLOSURE_MODE is in env already; the Node binary reads it
+#    directly.
+printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook security-disclosure-gate
+exit $?

package/hooks/settings-protection.sh

@@ -172,10 +172,12 @@ fi
 LOWER_NORM=$(printf '%s' "$NORMALIZED" | tr '[:upper:]' '[:lower:]')
 
 # ── 5b. Extension-surface allow-list ──────────────────────────────────────────
-# `.husky/commit-msg.d/*` and `.husky/pre-push.d/*` are the documented
-# consumer extension surface (Fix H / 0.13.0). Consumers — and the agents
-# that govern those consumers — are expected to write here freely so they
-# can layer commitlint, lint-staged, branch-policy, act-CI, etc. without
+# `.husky/commit-msg.d/*`, `.husky/pre-push.d/*`, and (0.32.0+)
+# `.husky/prepare-commit-msg.d/*` are the documented consumer
+# extension surface (Fix H / 0.13.0; Phase 3 / 0.32.0 for the
+# prepare-commit-msg lane). Consumers — and the agents that govern
+# those consumers — are expected to write here freely so they can
+# layer commitlint, lint-staged, branch-policy, act-CI, etc. without
 # losing rea coverage on `rea upgrade`.
 #
 # The §6 PROTECTED_PATTERNS list below has `.husky/` as a prefix block,
@@ -216,14 +218,14 @@ LOWER_NORM=$(printf '%s' "$NORMALIZED" | tr '[:upper:]' '[:lower:]')
 # subshell pattern (no Python or readlink -f dependency required).
 # Closes the path-string→symlink bypass completely.
 case "$LOWER_NORM" in
-  .husky/commit-msg.d/*|.husky/pre-push.d/*)
+  .husky/commit-msg.d/*|.husky/pre-push.d/*|.husky/prepare-commit-msg.d/*)
     if [ -L "$FILE_PATH" ]; then
       {
         printf 'SETTINGS PROTECTION: symlink in extension surface refused\n'
         printf '\n'
         printf '  File: %s\n' "$SAFE_FILE_PATH"
-        printf '  Rule: .husky/commit-msg.d/* and .husky/pre-push.d/* must be\n'
-        printf '        regular files (a symlink could resolve to a protected\n'
+        printf '  Rule: .husky/{commit-msg,pre-push,prepare-commit-msg}.d/* must\n'
+        printf '        be regular files (a symlink could resolve to a protected\n'
         printf '        package-managed body and bypass §6 protection).\n'
       } >&2
       exit 2
@@ -245,8 +247,10 @@ case "$LOWER_NORM" in
         # to `.husky/pre-push.d.bak/...` and slipped through.
         # The trailing `/` on each pattern (and the explicit
         # exact-match arm) requires a real directory boundary.
+        # 0.32.0 Phase 3: `.husky/prepare-commit-msg.d/` joins the
+        # allow-list (mirrors commit-msg.d/pre-push.d patterns).
         case "$resolved_parent" in
-          */.husky/commit-msg.d|*/.husky/commit-msg.d/*|*/.husky/pre-push.d|*/.husky/pre-push.d/*) : ;;
+          */.husky/commit-msg.d|*/.husky/commit-msg.d/*|*/.husky/pre-push.d|*/.husky/pre-push.d/*|*/.husky/prepare-commit-msg.d|*/.husky/prepare-commit-msg.d/*) : ;;
           *)
             {
               printf 'SETTINGS PROTECTION: extension path resolves outside surface\n'
@@ -254,7 +258,7 @@ case "$LOWER_NORM" in
               printf '  Logical:  %s\n' "$SAFE_FILE_PATH"
               printf '  Resolved: %s\n' "$resolved_parent"
               printf '  Rule: an intermediate directory of the extension path is a\n'
-              printf '        symlink whose target leaves .husky/{commit-msg,pre-push}.d/.\n'
+              printf '        symlink whose target leaves .husky/{commit-msg,pre-push,prepare-commit-msg}.d/.\n'
               printf '        Refused to prevent symlinked-parent bypass of the\n'
               printf '        package-managed body protection.\n'
             } >&2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.30.1",
+  "version": "0.32.0",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",

package/profiles/bst-internal-no-codex.yaml

@@ -58,3 +58,15 @@ context_protection:
 attribution:
   co_author:
     enabled: false
+# 0.31.0 delegation-advisory nudge — enabled for bst-internal-no-codex.
+# This is a bst-internal variant, so it inherits BST's delegation
+# discipline: the delegation-advisory.sh PostToolUse hook emits a
+# one-time stderr advisory when a session crosses `threshold`
+# write-class tool calls (Bash/Edit/Write/MultiEdit/NotebookEdit)
+# without dispatching a curated specialist. Advisory only — never
+# blocks. `exempt_subagents` omitted → schema default applies
+# (general-purpose, Explore, Plan, output-style-setup,
+# statusline-setup don't count as real delegation).
+delegation_advisory:
+  enabled: true
+  threshold: 25

package/profiles/bst-internal.yaml

@@ -67,3 +67,16 @@ architecture_review:
 attribution:
   co_author:
     enabled: false
+# 0.31.0 delegation-advisory nudge — enabled for bst-internal.
+# The delegation-advisory.sh PostToolUse hook emits a one-time stderr
+# advisory when a session crosses `threshold` write-class tool calls
+# (Bash/Edit/Write/MultiEdit/NotebookEdit) without dispatching a
+# curated specialist. Advisory only — never blocks a tool call. BST's
+# own delegation discipline (CLAUDE.md routes all non-trivial work
+# through rea-orchestrator) is load-bearing, so the nudge ships on.
+# `exempt_subagents` omitted → the schema default applies
+# (general-purpose, Explore, Plan, output-style-setup, statusline-setup
+# don't count as real delegation).
+delegation_advisory:
+  enabled: true
+  threshold: 25

package/profiles/client-engagement.yaml

@@ -35,3 +35,14 @@ context_protection:
 attribution:
   co_author:
     enabled: false
+# 0.31.0 delegation-advisory nudge — disabled for client-engagement.
+# The delegation-advisory.sh PostToolUse hook emits a one-time stderr
+# advisory when a session crosses `threshold` write-class tool calls
+# without dispatching a curated specialist. Client projects vary too
+# much in their delegation conventions to ship the nudge on by
+# default — opt in per-repo via .rea/policy.yaml:
+#   delegation_advisory:
+#     enabled: true
+#     threshold: 25
+delegation_advisory:
+  enabled: false

package/profiles/lit-wc.yaml

@@ -29,3 +29,13 @@ notification_channel: ''
 attribution:
   co_author:
     enabled: false
+# 0.31.0 delegation-advisory nudge — disabled for lit-wc.
+# The delegation-advisory.sh PostToolUse hook emits a one-time stderr
+# advisory when a session crosses `threshold` write-class tool calls
+# without dispatching a curated specialist. External profiles ship
+# `enabled: false` — opt in per-repo via .rea/policy.yaml:
+#   delegation_advisory:
+#     enabled: true
+#     threshold: 25
+delegation_advisory:
+  enabled: false

package/profiles/minimal.yaml

@@ -25,3 +25,14 @@ notification_channel: ''
 attribution:
   co_author:
     enabled: false
+# 0.31.0 delegation-advisory nudge — disabled for minimal.
+# The delegation-advisory.sh PostToolUse hook emits a one-time stderr
+# advisory when a session crosses `threshold` write-class tool calls
+# without dispatching a curated specialist. The minimal profile ships
+# bare defaults — `enabled: false` keeps it opinion-free. Opt in
+# per-repo via .rea/policy.yaml:
+#   delegation_advisory:
+#     enabled: true
+#     threshold: 25
+delegation_advisory:
+  enabled: false

package/profiles/open-source-no-codex.yaml

@@ -44,3 +44,14 @@ notification_channel: ''
 attribution:
   co_author:
     enabled: false
+# 0.31.0 delegation-advisory nudge — disabled for open-source-no-codex.
+# The delegation-advisory.sh PostToolUse hook emits a one-time stderr
+# advisory when a session crosses `threshold` write-class tool calls
+# without dispatching a curated specialist. "You should delegate more"
+# is an opinion not every OSS team shares, so external profiles ship
+# `enabled: false` — opt in per-repo via .rea/policy.yaml:
+#   delegation_advisory:
+#     enabled: true
+#     threshold: 25
+delegation_advisory:
+  enabled: false