@bookedsolid/rea 0.30.1 → 0.32.0

package/profiles/open-source.yaml

@@ -29,3 +29,14 @@ notification_channel: ''
 attribution:
   co_author:
     enabled: false
+# 0.31.0 delegation-advisory nudge — disabled for open-source.
+# The delegation-advisory.sh PostToolUse hook emits a one-time stderr
+# advisory when a session crosses `threshold` write-class tool calls
+# without dispatching a curated specialist. "You should delegate more"
+# is an opinion not every OSS team shares, so external profiles ship
+# `enabled: false` — opt in per-repo via .rea/policy.yaml:
+#   delegation_advisory:
+#     enabled: true
+#     threshold: 25
+delegation_advisory:
+  enabled: false

package/templates/attribution-advisory.dogfood-staged.sh

@@ -0,0 +1,170 @@
+#!/bin/bash
+# PreToolUse hook: attribution-advisory.sh
+# 0.32.0+ — Node-binary shim for `rea hook attribution-advisory`.
+#
+# Pre-0.32.0 the gate's full body lived here as bash (162 LOC,
+# including the AI-attribution pattern catalog and segment-relevance
+# gating). The migration to the parser-backed Node binary moves all
+# of that into `src/hooks/attribution-advisory/index.ts`. This shim
+# is the Claude Code dispatcher's view of the hook — it forwards
+# stdin to the CLI and exits with whatever the CLI returns.
+#
+# Behavioral contract is preserved byte-for-byte: exit 0 on
+# disabled-policy / non-relevant / clean-command, exit 2 on HALT /
+# attribution detected / malformed payload (fail-closed).
+#
+# # CLI-resolution trust boundary
+#
+# Codex round 1 P1 (2026-05-15): realpath sandbox check + version
+# probe. Mirrors delegation-advisory.sh §3. Defends against
+# symlink-out + tarball-replacement attacks on the resolved CLI AND
+# stale-node_modules version skew that would otherwise turn every
+# Bash dispatch into a hard failure.
+
+set -uo pipefail
+
+# 1. HALT check.
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
+check_halt
+REA_ROOT=$(rea_root)
+
+proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
+
+# 2. Relevance pre-gate (0.32.0 round-5 P1, round-6 fix). PreToolUse
+#    Bash matchers fire on EVERY shell command, but this hook only
+#    enforces against `git commit` / `gh pr create|edit`. Capture
+#    stdin + check relevance FIRST so unrelated commands (ls,
+#    pnpm test, …) exit 0 even when the CLI is missing/stale/
+#    sandboxed-out.
+#
+#    Match the pattern ANYWHERE in the command string (after the
+#    opening quote, then `[^"]*` for any leading shell prefix —
+#    `sudo`, `time`, env assignments like `FOO=x git commit …`).
+#    Round-6 P1: prior round-5 pattern anchored at the start of the
+#    JSON value and missed all prefixed forms.
+INPUT=$(cat)
+# Substring scan (NOT JSON-aware). Round-7 P2: any JSON-aware regex
+# anchored on `"command":"...` gets tripped by escaped quotes in
+# quoted env prefixes (`FOO="two words" git commit …` → the payload
+# carries `\"two words\"` and `[^"]*` stops at the escaped quote).
+# Plain substring match has no such edge: it over-triggers only on
+# the rare case where the pattern appears inside a quoted argument
+# (`echo "gh pr create"`), and the Node body handles that correctly.
+# This hook only fires on `tool_name=Bash`, so we don't risk matching
+# unrelated payload shapes.
+RELEVANT=0
+if printf '%s' "$INPUT" | grep -qE '(git[[:space:]]+commit|gh[[:space:]]+pr[[:space:]]+(create|edit))'; then
+  RELEVANT=1
+fi
+if [ "$RELEVANT" -eq 0 ]; then
+  # Irrelevant Bash call — nothing the pre-0.32.0 body would have
+  # processed. Always exit 0 regardless of CLI state.
+  exit 0
+fi
+
+# 2b. Policy short-circuit (round-6 P2). The pre-0.32.0 bash body
+#     no-op'd when `block_ai_attribution` was absent or false. Without
+#     this check, an unbuilt/stale install would refuse `git commit`
+#     even on repos that DELIBERATELY disable the attribution gate.
+#     Read the policy via a simple grep — the canonical loader
+#     handles inline forms but we only need block form here, and a
+#     conservative "true-and-only-true counts" rule matches the
+#     intent (false / absent / inline-only all → no enforcement).
+POLICY_FILE="$REA_ROOT/.rea/policy.yaml"
+if [ ! -f "$POLICY_FILE" ] || ! grep -qE '^block_ai_attribution:[[:space:]]*true([[:space:]]|$)' "$POLICY_FILE"; then
+  # Attribution blocking disabled — pre-0.32.0 bash body would have
+  # exited 0 here. Don't refuse on stale-install grounds.
+  exit 0
+fi
+
+# 3. Resolve the rea CLI.
+REA_ARGV=()
+RESOLVED_CLI_PATH=""
+if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
+elif [ -f "$proj/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
+fi
+
+if [ "${#REA_ARGV[@]}" -eq 0 ]; then
+  # 0.32.0 round-4 P2: when `block_ai_attribution: true`, this hook is
+  # blocking-tier — the pre-0.32.0 bash body enforced the policy
+  # without a compiled CLI. Falling through to exit 0 would silently
+  # let AI-attribution patterns through every git commit / gh pr
+  # create-or-edit until the operator rebuilds. Fail closed and tell
+  # the operator how to restore protection.
+  printf 'rea: attribution-advisory cannot run — the rea CLI is not built.\n' >&2
+  printf 'Run `pnpm install && pnpm build` (or `npm install` for a consumer install) to restore protection.\n' >&2
+  printf 'This shim fails closed because the pre-0.32.0 bash body enforced attribution policy without a CLI.\n' >&2
+  exit 2
+fi
+
+# 3. Realpath sandbox check.
+if ! command -v node >/dev/null 2>&1; then
+  printf 'rea: attribution-advisory cannot run — `node` is not on PATH.\n' >&2
+  printf 'Install Node 22+ (engines.node) to restore enforcement.\n' >&2
+  exit 2
+fi
+
+sandbox_check=$(node -e '
+  const fs = require("fs");
+  const path = require("path");
+  const cli = process.argv[1];
+  const projDir = process.argv[2];
+  let real, realProj;
+  try { real = fs.realpathSync(cli); } catch (e) {
+    process.stdout.write("bad:realpath"); process.exit(1);
+  }
+  try { realProj = fs.realpathSync(projDir); } catch (e) {
+    process.stdout.write("bad:realpath-proj"); process.exit(1);
+  }
+  const sep = path.sep;
+  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
+  if (!(real === realProj || real.startsWith(projWithSep))) {
+    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
+  }
+  let cur = path.dirname(path.dirname(path.dirname(real)));
+  let found = false;
+  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
+    const pj = path.join(cur, "package.json");
+    if (fs.existsSync(pj)) {
+      try {
+        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
+        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
+      } catch (e) { /* keep walking */ }
+    }
+    cur = path.dirname(cur);
+  }
+  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
+  process.stdout.write("ok");
+' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
+
+if [ "$sandbox_check" != "ok" ]; then
+  # 0.32.0 round-4 P2: fail closed (blocking-tier when policy enables —
+  # see top-of-file rationale). Sandbox failure means the CLI cannot
+  # be authenticated; refuse rather than silently bypass.
+  printf 'rea: attribution-advisory FAILED sandbox check (%s) — refusing.\n' "$sandbox_check" >&2
+  exit 2
+fi
+
+# 4. Version-probe: confirm the resolved CLI implements
+#    `hook attribution-advisory`. Codex round 1 P1.
+probe_out=$("${REA_ARGV[@]}" hook attribution-advisory --help 2>&1)
+probe_status=$?
+if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'attribution-advisory'; then
+  # 0.32.0 round-4 P2: stale/older CLI without the new subcommand is
+  # NOT advisory-tier fall-through — the bash body it replaces
+  # enforced when policy enabled. Fail closed and tell the operator
+  # exactly how to fix.
+  printf 'rea: this shim requires the `rea hook attribution-advisory` subcommand (introduced in 0.32.0).\n' >&2
+  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
+  printf 'Run `pnpm install` (or `npm install`) to sync the CLI; refusing in the meantime to preserve enforcement.\n' >&2
+  exit 2
+fi
+
+# 5. Forward stdin (already captured up-front for the relevance gate).
+printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook attribution-advisory
+exit $?

package/templates/pr-issue-link-gate.dogfood-staged.sh

@@ -0,0 +1,134 @@
+#!/bin/bash
+# PreToolUse hook: pr-issue-link-gate.sh
+# 0.32.0+ — Node-binary shim for `rea hook pr-issue-link-gate`.
+#
+# Pre-0.32.0 the gate's full body lived here as bash; the migration to
+# the parser-backed Node binary moves the matching + advisory logic
+# into `src/hooks/pr-issue-link-gate/index.ts`. This shim is the
+# Claude Code dispatcher's view of the hook — it forwards stdin to the
+# CLI and exits with whatever the CLI returns.
+#
+# Behavioral contract is preserved byte-for-byte: ALWAYS exit 0 except
+# under HALT (exit 2) or a malformed payload (exit 2, fail-closed).
+#
+# # CLI-resolution trust boundary
+#
+# Codex round 1 P1 (2026-05-15): mirrors the realpath sandbox check
+# from `delegation-advisory.sh` §3 and `protected-paths-bash-gate.sh`
+# §6. The resolved CLI MUST live INSIDE realpath(CLAUDE_PROJECT_DIR)
+# AND have an ancestor `package.json` whose `name` is
+# `@bookedsolid/rea`. Pre-fix the shim executed
+# `node_modules/@bookedsolid/rea/dist/cli/index.js` directly without
+# realpathing the target, which would let an attacker who controlled
+# `node_modules/@bookedsolid/rea` (symlink-out, postinstall script,
+# tarball-replacement) ship forged review code that intercepts every
+# Bash dispatch.
+#
+# Sandboxed resolution order (PATH is INTENTIONALLY OMITTED):
+#   1. node_modules/@bookedsolid/rea/dist/cli/index.js (consumer-side)
+#   2. dist/cli/index.js under CLAUDE_PROJECT_DIR (dogfood)
+#
+# When NO rea CLI is reachable through the sandboxed order, this hook
+# falls through to allow (exit 0) — the advisory is a nudge, not a
+# security claim. The bash-tier path gates fail-closed because they
+# protect write surfaces; this gate only emits prose.
+#
+# # Version skew
+#
+# Codex round 1 P1 (2026-05-15): a fresh `rea init` against a stale
+# `node_modules/@bookedsolid/rea` would deliver this 0.32.0 shim while
+# the installed CLI lacks the `hook pr-issue-link-gate` subcommand —
+# every Bash dispatch would then fail with `unknown command` (exit 1).
+# Probe the subcommand's `--help` output before propagating the exit
+# code; on probe failure, advise the operator to `pnpm install` and
+# fall through silently so the workspace stays usable.
+
+set -uo pipefail
+
+# 1. HALT check. Even though the CLI re-checks for defense-in-depth,
+#    short-circuit here so we never spawn `node` while frozen.
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
+check_halt
+REA_ROOT=$(rea_root)
+
+proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
+
+# 2. Resolve the rea CLI through the fixed 2-tier sandboxed order.
+REA_ARGV=()
+RESOLVED_CLI_PATH=""
+if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
+elif [ -f "$proj/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
+fi
+
+if [ "${#REA_ARGV[@]}" -eq 0 ]; then
+  exit 0
+fi
+
+# 3. Realpath sandbox check — mirrors delegation-advisory.sh §3.
+if ! command -v node >/dev/null 2>&1; then
+  exit 0
+fi
+
+sandbox_check=$(node -e '
+  const fs = require("fs");
+  const path = require("path");
+  const cli = process.argv[1];
+  const projDir = process.argv[2];
+  let real, realProj;
+  try { real = fs.realpathSync(cli); } catch (e) {
+    process.stdout.write("bad:realpath"); process.exit(1);
+  }
+  try { realProj = fs.realpathSync(projDir); } catch (e) {
+    process.stdout.write("bad:realpath-proj"); process.exit(1);
+  }
+  const sep = path.sep;
+  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
+  if (!(real === realProj || real.startsWith(projWithSep))) {
+    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
+  }
+  let cur = path.dirname(path.dirname(path.dirname(real)));
+  let found = false;
+  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
+    const pj = path.join(cur, "package.json");
+    if (fs.existsSync(pj)) {
+      try {
+        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
+        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
+      } catch (e) { /* keep walking */ }
+    }
+    cur = path.dirname(cur);
+  }
+  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
+  process.stdout.write("ok");
+' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
+
+if [ "$sandbox_check" != "ok" ]; then
+  printf 'rea: pr-issue-link-gate skipped (sandbox check: %s)\n' "$sandbox_check" >&2
+  exit 0
+fi
+
+# 4. Version-probe: confirm the resolved CLI implements the
+#    `hook pr-issue-link-gate` subcommand. A stale node_modules from
+#    a fresh `rea init` against an older installed version would
+#    otherwise turn every Bash dispatch into a hard failure.
+probe_out=$("${REA_ARGV[@]}" hook pr-issue-link-gate --help 2>&1)
+probe_status=$?
+if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'pr-issue-link-gate'; then
+  printf 'rea: this shim requires the `rea hook pr-issue-link-gate` subcommand (introduced in 0.32.0).\n' >&2
+  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
+  printf 'Run `pnpm install` (or `npm install`) to sync the CLI to the version this shim expects.\n' >&2
+  exit 0
+fi
+
+# 5. Forward stdin to the CLI synchronously. The advisory text must
+#    reach the operator's stderr before this hook returns; the CLI's
+#    own exit code is the hook's exit code (0 normally, 2 under HALT
+#    or malformed payload).
+INPUT=$(cat)
+printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook pr-issue-link-gate
+exit $?

package/templates/prepare-commit-msg.husky.sh

@@ -36,28 +36,65 @@ set -u
 COMMIT_MSG_FILE="${1:-}"
 COMMIT_SOURCE="${2:-}"
 
+REA_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || pwd)
+
+# Forward declaration — the extension-chain runner is defined further
+# down (after $REA_ROOT is set so the dir lookup is anchored). We call
+# it from every "augmenter skipped" exit point so consumer fragments
+# under .husky/prepare-commit-msg.d/* run regardless of whether rea's
+# own augmenter ran. The function fires fragments in lex order,
+# logs-and-continues on non-zero exits, and is a no-op if the dir is
+# absent or empty.
+#
+# 0.32.0 Phase 3: the pre-0.32.0 layout exited early at every
+# precondition gate, which made the extension surface unreachable
+# when (a) attribution was disabled, (b) HALT was active, or (c)
+# REA_SKIP_ATTRIBUTION was set. The new layout runs the chain at the
+# end of every exit path EXCEPT when the message file itself is
+# missing/unparseable (no point running fragments against a path that
+# doesn't exist).
+run_extension_chain() {
+  ext_dir="${REA_ROOT}/.husky/prepare-commit-msg.d"
+  if [ -d "$ext_dir" ]; then
+    for frag in "$ext_dir"/*; do
+      [ -e "$frag" ] || continue
+      [ -f "$frag" ] || continue
+      [ -x "$frag" ] || continue
+      if ! "$frag" "$COMMIT_MSG_FILE" "$COMMIT_SOURCE"; then
+        printf 'rea: prepare-commit-msg.d fragment exited non-zero: %s (continuing)\n' \
+          "$(basename "$frag")" >&2
+      fi
+    done
+  fi
+}
+
 # Skip conditions: any missing precondition exits 0 silently. The hook
 # is purely additive; refusing here would break commits with no upside.
 
-# Missing message file → nothing to augment.
+# Missing message file → nothing to augment AND nothing for fragments
+# to act on either. Exit immediately without running the chain.
 if [ -z "$COMMIT_MSG_FILE" ] || [ ! -f "$COMMIT_MSG_FILE" ]; then
   exit 0
 fi
 
-# Per-invocation override.
+# Per-invocation override — skip the augmenter, but still run consumer
+# fragments. The flag is named REA_SKIP_ATTRIBUTION, not REA_SKIP_HOOK,
+# precisely so the rest of the chain runs.
 if [ -n "${REA_SKIP_ATTRIBUTION:-}" ]; then
+  run_extension_chain
   exit 0
 fi
 
-REA_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || pwd)
-
-# HALT kill switch — refuse to mutate anything while frozen.
+# HALT kill switch — refuse to mutate anything while frozen. The
+# extension chain is also skipped under HALT: a frozen system means
+# "no agent-side actions" and consumer fragments are agent-side too.
 if [ -f "${REA_ROOT}/.rea/HALT" ]; then
   exit 0
 fi
 
 POLICY_FILE="${REA_ROOT}/.rea/policy.yaml"
 if [ ! -f "$POLICY_FILE" ]; then
+  run_extension_chain
   exit 0
 fi
 
@@ -172,6 +209,7 @@ print(enabled); print(name); print(email); print(skip_merge)
 PY
 )
   if [ -z "$CO_AUTHOR_PARSE" ]; then
+    run_extension_chain
     exit 0
   fi
   ENABLED=$(printf '%s\n' "$CO_AUTHOR_PARSE" | sed -n '1p')
@@ -179,11 +217,15 @@ PY
   CO_EMAIL=$(printf '%s\n' "$CO_AUTHOR_PARSE" | sed -n '3p')
   SKIP_MERGE=$(printf '%s\n' "$CO_AUTHOR_PARSE" | sed -n '4p')
 else
-  # Neither rea CLI nor python3 reachable — silent no-op.
+  # Neither rea CLI nor python3 reachable — silent no-op for the
+  # augmenter, but still run consumer fragments. The chain doesn't
+  # need policy values; it just runs `.husky/prepare-commit-msg.d/*`.
+  run_extension_chain
   exit 0
 fi
 
 if [ "$ENABLED" != "true" ]; then
+  run_extension_chain
   exit 0
 fi
 
@@ -204,11 +246,13 @@ if [ -z "$CO_NAME" ] || [ -z "$CO_EMAIL" ]; then
     "$([ -z "$CO_NAME" ] && [ -z "$CO_EMAIL" ] && printf '+')" \
     "$([ -z "$CO_EMAIL" ] && printf email)" >&2
   printf 'rea: edit .rea/policy.yaml — set name + email, OR set enabled: false.\n' >&2
+  run_extension_chain
   exit 0
 fi
 
 # skip_merge: true → skip when commit source is 'merge'.
 if [ "$SKIP_MERGE" = "true" ] && [ "$COMMIT_SOURCE" = "merge" ]; then
+  run_extension_chain
   exit 0
 fi
 
@@ -226,6 +270,7 @@ LOWER_EMAIL=$(printf '%s' "$CO_EMAIL" | tr '[:upper:]' '[:lower:]')
 ESCAPED_EMAIL=$(printf '%s' "$LOWER_EMAIL" | sed 's/[.[\*^$(){}+?|]/\\&/g')
 if grep -iE "^co-authored-by:[[:space:]]*[^<]*<${ESCAPED_EMAIL}>[[:space:]]*$" \
   "$COMMIT_MSG_FILE" >/dev/null 2>&1; then
+  run_extension_chain
   exit 0
 fi
 
@@ -311,4 +356,33 @@ awk '
 } > "${COMMIT_MSG_FILE}.rea-tmp" && mv "${COMMIT_MSG_FILE}.rea-tmp" "$COMMIT_MSG_FILE"
 
 rm -f "$TMP_BODY_TRIMMED"
+
+# ── Extension-hook chaining ───────────────────────────────────────────────────
+# 0.32.0 — `.husky/prepare-commit-msg.d/*` extension surface mirrors
+# the `.husky/commit-msg.d/*` and `.husky/pre-push.d/*` patterns from
+# 0.13.0. Source every executable file under
+# `.husky/prepare-commit-msg.d/` in lexical order. Missing directory
+# is a no-op (backward compatible). Each fragment receives the same
+# `$1` (commit message file path) and `$2` (commit source) that git
+# delivered to this hook so consumers can layer on their own
+# augmenters (lint-staged --on-prepare, branch-name-injection,
+# ticket-reference-prepend, …) without losing rea coverage.
+#
+# Fragments run AFTER rea's attribution augmenter so the
+# `Co-Authored-By` trailer is already in the file before any consumer
+# fragment reads it; that lets a fragment reorder trailers, dedupe,
+# or run its own template substitution against the augmented body.
+#
+# A non-zero exit from a fragment does NOT fail the commit — this
+# hook is purely additive (its bash counterpart `commit-msg` is the
+# blocking gate). We log the failure to stderr and continue so a
+# broken consumer fragment can't take down `git commit`.
+#
+# The actual chain body lives in `run_extension_chain` (defined near
+# the top of the file). The reason for the early definition: several
+# augmenter-skip exit paths (enabled: false, missing identity, idempo-
+# tency hit, skip_merge match) need to run the chain too, so consumer
+# fragments fire regardless of whether rea's own augmenter activated.
+run_extension_chain
+
 exit 0

package/templates/security-disclosure-gate.dogfood-staged.sh

@@ -0,0 +1,171 @@
+#!/bin/bash
+# PreToolUse hook: security-disclosure-gate.sh
+# 0.32.0+ — Node-binary shim for `rea hook security-disclosure-gate`.
+#
+# Pre-0.32.0 the gate's full body lived here as bash (339 LOC including
+# the awk body-file resolver, security-patterns array, and mode-aware
+# routing). The migration to the parser-backed Node binary moves all of
+# that into `src/hooks/security-disclosure-gate/index.ts`. This shim is
+# the Claude Code dispatcher's view of the hook — it forwards stdin
+# AND the REA_DISCLOSURE_MODE env var to the CLI and exits with
+# whatever the CLI returns.
+#
+# Behavioral contract is preserved byte-for-byte: exit 0 on
+# pass-through / no-match, exit 2 on HALT / pattern match / traversal
+# refusal / malformed payload (fail-closed).
+#
+# # CLI-resolution trust boundary
+#
+# Codex round 1 P1 (2026-05-15): realpath sandbox check matches
+# delegation-advisory.sh §3. The resolved CLI MUST live INSIDE
+# realpath(CLAUDE_PROJECT_DIR) AND have an ancestor `package.json`
+# whose `name` is `@bookedsolid/rea`. Defends against symlink-out
+# and tarball-replacement attacks that could otherwise forge the
+# pattern matcher and either suppress real findings or leak a
+# vulnerability through the disclosure gate.
+#
+# Sandboxed resolution order (PATH is INTENTIONALLY OMITTED):
+#   1. node_modules/@bookedsolid/rea/dist/cli/index.js (consumer-side)
+#   2. dist/cli/index.js under CLAUDE_PROJECT_DIR (dogfood)
+#
+# When NO rea CLI is reachable, the hook falls through to allow —
+# same posture as the bash-resident version, which `source`d
+# _lib/common.sh first and exited cleanly if the lib was missing.
+
+set -uo pipefail
+
+# 1. HALT check.
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
+check_halt
+REA_ROOT=$(rea_root)
+
+proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
+
+# 2. Relevance pre-gate (0.32.0 round-5 P1, round-6 fix). PreToolUse
+#    Bash matchers fire on EVERY shell command, but this hook only
+#    enforces against `gh issue create` payloads carrying disclosure
+#    keywords. Capture stdin + check relevance FIRST so unrelated
+#    commands exit 0 even when the CLI is missing/stale.
+#
+#    Match `gh issue create` ANYWHERE in the command string (allow
+#    shell prefixes — `sudo`, env assignments). Round-6 P1.
+INPUT=$(cat)
+# Substring scan (NOT JSON-aware). Round-7 P1: any JSON-aware regex
+# anchored on `"command":"...` gets tripped by escaped quotes in
+# quoted env prefixes (`MODE="internal" gh issue create …`). Plain
+# substring match has no such edge — and false-positives just defer
+# to the Node body which handles correctly.
+RELEVANT=0
+if printf '%s' "$INPUT" | grep -qE 'gh[[:space:]]+issue[[:space:]]+create'; then
+  RELEVANT=1
+fi
+if [ "$RELEVANT" -eq 0 ]; then
+  exit 0
+fi
+
+# 2b. Mode short-circuit (round-6 P2). The pre-0.32.0 bash body
+#     no-op'd ONLY when `REA_DISCLOSURE_MODE=disabled` — `advisory`
+#     mode and the `issues` mode (default) BOTH enforced. Without
+#     this check, an unbuilt/stale install would refuse every relevant
+#     `gh issue create` even when the operator has deliberately set
+#     mode=disabled.
+MODE="${REA_DISCLOSURE_MODE:-advisory}"
+if [ "$MODE" = "disabled" ]; then
+  exit 0
+fi
+
+# 3. Resolve the rea CLI.
+REA_ARGV=()
+RESOLVED_CLI_PATH=""
+if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
+elif [ -f "$proj/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
+fi
+
+if [ "${#REA_ARGV[@]}" -eq 0 ]; then
+  # 0.32.0 round-4 P1: this is a blocking-tier gate — the pre-0.32.0
+  # bash body enforced the disclosure policy WITHOUT a compiled CLI.
+  # Falling through to exit 0 here would silently disable security-
+  # keyword blocking on `gh issue create` until the operator runs
+  # `pnpm install` / `pnpm build`. Fail closed: refuse the operation
+  # and tell the operator how to restore protection.
+  printf 'rea: security-disclosure-gate cannot run — the rea CLI is not built.\n' >&2
+  printf 'Run `pnpm install && pnpm build` (or `npm install` for a consumer install) to restore protection.\n' >&2
+  printf 'This shim fails closed because the pre-0.32.0 bash body enforced disclosure policy without a CLI.\n' >&2
+  exit 2
+fi
+
+# 3. Realpath sandbox check.
+if ! command -v node >/dev/null 2>&1; then
+  printf 'rea: security-disclosure-gate cannot run — `node` is not on PATH.\n' >&2
+  printf 'Install Node 22+ (engines.node) to restore disclosure-policy enforcement.\n' >&2
+  exit 2
+fi
+
+sandbox_check=$(node -e '
+  const fs = require("fs");
+  const path = require("path");
+  const cli = process.argv[1];
+  const projDir = process.argv[2];
+  let real, realProj;
+  try { real = fs.realpathSync(cli); } catch (e) {
+    process.stdout.write("bad:realpath"); process.exit(1);
+  }
+  try { realProj = fs.realpathSync(projDir); } catch (e) {
+    process.stdout.write("bad:realpath-proj"); process.exit(1);
+  }
+  const sep = path.sep;
+  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
+  if (!(real === realProj || real.startsWith(projWithSep))) {
+    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
+  }
+  let cur = path.dirname(path.dirname(path.dirname(real)));
+  let found = false;
+  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
+    const pj = path.join(cur, "package.json");
+    if (fs.existsSync(pj)) {
+      try {
+        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
+        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
+      } catch (e) { /* keep walking */ }
+    }
+    cur = path.dirname(cur);
+  }
+  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
+  process.stdout.write("ok");
+' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
+
+if [ "$sandbox_check" != "ok" ]; then
+  # 0.32.0 round-4 P1: fail closed (blocking-tier — see exit-0 → exit-2
+  # rationale at the top). A failed sandbox check means the CLI we
+  # would run cannot be authenticated as the rea binary; refusing is
+  # both the safest posture AND preserves the pre-0.32.0 bash-body
+  # contract that this hook always enforces policy.
+  printf 'rea: security-disclosure-gate FAILED sandbox check (%s) — refusing.\n' "$sandbox_check" >&2
+  exit 2
+fi
+
+# 4. Version-probe: confirm the resolved CLI implements
+#    `hook security-disclosure-gate`. Codex round 1 P1.
+probe_out=$("${REA_ARGV[@]}" hook security-disclosure-gate --help 2>&1)
+probe_status=$?
+if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'security-disclosure-gate'; then
+  # 0.32.0 round-4 P1: a stale/older CLI without the new subcommand is
+  # NOT a "harmless availability fallback" for this hook — the bash
+  # body it replaces always enforced. Fail closed and tell the
+  # operator exactly how to fix.
+  printf 'rea: this shim requires the `rea hook security-disclosure-gate` subcommand (introduced in 0.32.0).\n' >&2
+  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
+  printf 'Run `pnpm install` (or `npm install`) to sync the CLI; refusing in the meantime to preserve enforcement.\n' >&2
+  exit 2
+fi
+
+# 5. Forward stdin (already captured up-front for the relevance gate).
+#    REA_DISCLOSURE_MODE is in env already; the Node binary reads it
+#    directly.
+printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook security-disclosure-gate
+exit $?