@bookedsolid/rea 0.31.0 → 0.32.0
- package/.husky/prepare-commit-msg +80 -6
- package/MIGRATING.md +24 -15
- package/dist/cli/hook.js +32 -22
- package/dist/hooks/_lib/halt-check.d.ts +78 -0
- package/dist/hooks/_lib/halt-check.js +106 -0
- package/dist/hooks/_lib/payload.d.ts +86 -0
- package/dist/hooks/_lib/payload.js +166 -0
- package/dist/hooks/_lib/segments.d.ts +100 -0
- package/dist/hooks/_lib/segments.js +444 -0
- package/dist/hooks/attribution-advisory/index.d.ts +72 -0
- package/dist/hooks/attribution-advisory/index.js +233 -0
- package/dist/hooks/bash-scanner/protected-scan.js +14 -2
- package/dist/hooks/pr-issue-link-gate/index.d.ts +91 -0
- package/dist/hooks/pr-issue-link-gate/index.js +127 -0
- package/dist/hooks/security-disclosure-gate/index.d.ts +91 -0
- package/dist/hooks/security-disclosure-gate/index.js +502 -0
- package/hooks/_lib/protected-paths.sh +10 -3
- package/hooks/attribution-advisory.sh +139 -131
- package/hooks/pr-issue-link-gate.sh +114 -45
- package/hooks/security-disclosure-gate.sh +148 -316
- package/hooks/settings-protection.sh +13 -9
- package/package.json +1 -1
- package/templates/attribution-advisory.dogfood-staged.sh +170 -0
- package/templates/pr-issue-link-gate.dogfood-staged.sh +134 -0
- package/templates/prepare-commit-msg.husky.sh +80 -6
- package/templates/security-disclosure-gate.dogfood-staged.sh +171 -0
- package/templates/settings-protection.dogfood.patch +58 -0
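--- a/package/templates/settings-protection.dogfood.patch
+++ b/package/templates/settings-protection.dogfood.patch
@@ -0,0 +1,58 @@
+--- /Volumes/Development/booked/rea/.claude/hooks/settings-protection.sh 2026-05-12 21:19:51
++++ /Volumes/Development/booked/rea/hooks/settings-protection.sh 2026-05-14 23:50:17
+@@ -172,10 +172,12 @@
+LOWER_NORM=$(printf '%s' "$NORMALIZED" | tr '[:upper:]' '[:lower:]')
+
+# ── 5b. Extension-surface allow-list ──────────────────────────────────────────
+-# `.husky/commit-msg.d/*` and `.husky/pre-push.d/*` are the documented
+-# consumer extension surface (Fix H / 0.13.0). Consumers — and the agents
+-# that govern those consumers — are expected to write here freely so they
+-# can layer commitlint, lint-staged, branch-policy, act-CI, etc. without
++# `.husky/commit-msg.d/*`, `.husky/pre-push.d/*`, and (0.32.0+)
++# `.husky/prepare-commit-msg.d/*` are the documented consumer
++# extension surface (Fix H / 0.13.0; Phase 3 / 0.32.0 for the
++# prepare-commit-msg lane). Consumers — and the agents that govern
++# those consumers — are expected to write here freely so they can
++# layer commitlint, lint-staged, branch-policy, act-CI, etc. without
+# losing rea coverage on `rea upgrade`.
+#
+# The §6 PROTECTED_PATTERNS list below has `.husky/` as a prefix block,
+@@ -216,14 +218,14 @@
+# subshell pattern (no Python or readlink -f dependency required).
+# Closes the path-string→symlink bypass completely.
+case "$LOWER_NORM" in
+- .husky/commit-msg.d/*|.husky/pre-push.d/*)
++ .husky/commit-msg.d/*|.husky/pre-push.d/*|.husky/prepare-commit-msg.d/*)
+if [ -L "$FILE_PATH" ]; then
+{
+printf 'SETTINGS PROTECTION: symlink in extension surface refused\n'
+printf '\n'
+printf ' File: %s\n' "$SAFE_FILE_PATH"
+- printf ' Rule: .husky/commit-msg.d/* and .husky/pre-push.d/* must be\n'
+- printf ' regular files (a symlink could resolve to a protected\n'
++ printf ' Rule: .husky/{commit-msg,pre-push,prepare-commit-msg}.d/* must\n'
++ printf ' be regular files (a symlink could resolve to a protected\n'
+printf ' package-managed body and bypass §6 protection).\n'
+} >&2
+exit 2
+@@ -245,8 +247,10 @@
+# to `.husky/pre-push.d.bak/...` and slipped through.
+# The trailing `/` on each pattern (and the explicit
+# exact-match arm) requires a real directory boundary.
++ # 0.32.0 Phase 3: `.husky/prepare-commit-msg.d/` joins the
++ # allow-list (mirrors commit-msg.d/pre-push.d patterns).
+case "$resolved_parent" in
+- */.husky/commit-msg.d|*/.husky/commit-msg.d/*|*/.husky/pre-push.d|*/.husky/pre-push.d/*) : ;;
++ */.husky/commit-msg.d|*/.husky/commit-msg.d/*|*/.husky/pre-push.d|*/.husky/pre-push.d/*|*/.husky/prepare-commit-msg.d|*/.husky/prepare-commit-msg.d/*) : ;;
+*)
+{
+printf 'SETTINGS PROTECTION: extension path resolves outside surface\n'
+@@ -254,7 +258,7 @@
+printf ' Logical: %s\n' "$SAFE_FILE_PATH"
+printf ' Resolved: %s\n' "$resolved_parent"
+printf ' Rule: an intermediate directory of the extension path is a\n'
+- printf ' symlink whose target leaves .husky/{commit-msg,pre-push}.d/.\n'
++ printf ' symlink whose target leaves .husky/{commit-msg,pre-push,prepare-commit-msg}.d/.\n'
+printf ' Refused to prevent symlinked-parent bypass of the\n'
+printf ' package-managed body protection.\n'
+} >&2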
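Review bot: The two file-header lines of this shipped patch template carry absolute build-host paths and timestamps (`--- /Volumes/Development/booked/rea/.claude/hooks/settings-protection.sh 2026-05-12 21:19:51` and the matching `+++` line). The published package therefore discloses the maintainer's local layout, and the patch probably needs an explicit target file or strip count to apply anywhere else. Regenerating it with relative labels, for example `--- a/.claude/hooks/settings-protection.sh` and `+++ b/hooks/settings-protection.sh`, would make the artifact reproducible and path-neutral. Separately, the widened `case "$resolved_parent"` arm accepts `*/.husky/prepare-commit-msg.d/*` by suffix only. Whether the resolved path is also compared against the project root is not visible in these hunks, so it is worth confirming before a third agent-writable lane relies on it.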