@bookedsolid/rea 0.31.0 → 0.33.0

package/dist/hooks/architecture-review-gate/index.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Node-binary port of `hooks/architecture-review-gate.sh`.
+ *
+ * 0.33.0 Phase 1 port #4 — the SIMPLEST tier-1 port.
+ *
+ * PostToolUse Write/Edit advisory. Reads `policy.architecture_review.
+ * patterns` and prints an advisory banner to stderr when the just-
+ * written file path begins with one of the configured prefixes.
+ * ALWAYS exits 0 — this is a nudge, not a gate.
+ *
+ * Behavioral contract preserves the bash hook byte-for-byte:
+ *
+ *   1. HALT check → exit 2 with the shared banner. (Even though the
+ *      gate is advisory, HALT short-circuits ALL hooks.)
+ *   2. `policy.architecture_advisory: false` short-circuit → exit 0
+ *      silently. The bash hook reads the policy file with a grep
+ *      `architecture_advisory: false`; we mirror via the canonical
+ *      YAML loader.
+ *   3. Read stdin → `tool_input.file_path` (the bash hook uses
+ *      `notebook_path` too via fall-through, but the original
+ *      `jq -r '.tool_input.file_path // empty'` expression does NOT
+ *      fall through to notebook_path. We preserve that exactly).
+ *   4. Empty file_path → exit 0.
+ *   5. Path normalization mirrors `_lib/path-normalize.sh::normalize_path`:
+ *        - Convert backslashes to forward slashes (Windows / Git Bash).
+ *        - URL-decode `%xx` sequences.
+ *        - Strip a leading `<REA_ROOT>/` prefix if present so
+ *          `policy.architecture_review.patterns` can use repo-relative
+ *          patterns.
+ *   6. Read `policy.architecture_review.patterns`. Empty / unset →
+ *      silent no-op (exit 0). The bst-internal profile pins rea-
+ *      source patterns; consumer projects opt in by populating their
+ *      own list.
+ *   7. First prefix match wins. Emit the advisory banner to stderr;
+ *      exit 0.
+ *
+ * Distinct from the other 0.33.0 ports: this gate is POSTToolUse
+ * (fires AFTER the write, advisory only). The shim that invokes it
+ * should NOT fail-closed on missing CLI — the pre-0.33.0 bash hook
+ * was already a silent no-op when the policy was unset.
+ */
+import type { Buffer } from 'node:buffer';
+export interface ArchitectureReviewGateOptions {
+    reaRoot?: string;
+    stdinOverride?: string | Buffer;
+    stderrWrite?: (s: string) => void;
+}
+export interface ArchitectureReviewGateResult {
+    exitCode: number;
+    stderr: string;
+    /** Test seam — the matched pattern (or `null`). */
+    matched: string | null;
+}
+export declare function runArchitectureReviewGate(options?: ArchitectureReviewGateOptions): Promise<ArchitectureReviewGateResult>;
+/**
+ * CLI entry — `rea hook architecture-review-gate`.
+ */
+export declare function runHookArchitectureReviewGate(options?: ArchitectureReviewGateOptions): Promise<void>;

package/dist/hooks/architecture-review-gate/index.js

@@ -0,0 +1,250 @@
+/**
+ * Node-binary port of `hooks/architecture-review-gate.sh`.
+ *
+ * 0.33.0 Phase 1 port #4 — the SIMPLEST tier-1 port.
+ *
+ * PostToolUse Write/Edit advisory. Reads `policy.architecture_review.
+ * patterns` and prints an advisory banner to stderr when the just-
+ * written file path begins with one of the configured prefixes.
+ * ALWAYS exits 0 — this is a nudge, not a gate.
+ *
+ * Behavioral contract preserves the bash hook byte-for-byte:
+ *
+ *   1. HALT check → exit 2 with the shared banner. (Even though the
+ *      gate is advisory, HALT short-circuits ALL hooks.)
+ *   2. `policy.architecture_advisory: false` short-circuit → exit 0
+ *      silently. The bash hook reads the policy file with a grep
+ *      `architecture_advisory: false`; we mirror via the canonical
+ *      YAML loader.
+ *   3. Read stdin → `tool_input.file_path` (the bash hook uses
+ *      `notebook_path` too via fall-through, but the original
+ *      `jq -r '.tool_input.file_path // empty'` expression does NOT
+ *      fall through to notebook_path. We preserve that exactly).
+ *   4. Empty file_path → exit 0.
+ *   5. Path normalization mirrors `_lib/path-normalize.sh::normalize_path`:
+ *        - Convert backslashes to forward slashes (Windows / Git Bash).
+ *        - URL-decode `%xx` sequences.
+ *        - Strip a leading `<REA_ROOT>/` prefix if present so
+ *          `policy.architecture_review.patterns` can use repo-relative
+ *          patterns.
+ *   6. Read `policy.architecture_review.patterns`. Empty / unset →
+ *      silent no-op (exit 0). The bst-internal profile pins rea-
+ *      source patterns; consumer projects opt in by populating their
+ *      own list.
+ *   7. First prefix match wins. Emit the advisory banner to stderr;
+ *      exit 0.
+ *
+ * Distinct from the other 0.33.0 ports: this gate is POSTToolUse
+ * (fires AFTER the write, advisory only). The shim that invokes it
+ * should NOT fail-closed on missing CLI — the pre-0.33.0 bash hook
+ * was already a silent no-op when the policy was unset.
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+import { parse as parseYaml } from 'yaml';
+import { checkHalt, formatHaltBanner } from '../_lib/halt-check.js';
+import { parseWriteHookPayload, MalformedPayloadError, TypePayloadError, readStdinWithTimeout, } from '../_lib/payload.js';
+/**
+ * Normalize the incoming file path. Mirrors
+ * `hooks/_lib/path-normalize.sh::normalize_path`:
+ *   - backslashes → forward slashes
+ *   - URL-decoded
+ *   - leading `<REA_ROOT>/` stripped (when applicable)
+ *
+ * Pre-0.16.0 the bash hook ONLY stripped the REA_ROOT prefix, which
+ * meant Windows / Git Bash backslash paths bypassed advisory.
+ */
+function normalizePath(rawPath, reaRoot) {
+    let p = rawPath.replace(/\\/g, '/');
+    try {
+        p = decodeURIComponent(p);
+    }
+    catch {
+        // Malformed % escape — leave the string unchanged. The bash
+        // helper's `printf '%b'` behavior is similar (passes through).
+    }
+    // Strip leading <REA_ROOT>/. Compare normalized forms.
+    const normRoot = reaRoot.replace(/\\/g, '/').replace(/\/+$/, '');
+    if (normRoot.length > 0) {
+        if (p === normRoot)
+            return '';
+        const withSep = normRoot + '/';
+        if (p.startsWith(withSep)) {
+            p = p.slice(withSep.length);
+        }
+    }
+    // 2026-05-15 codex round-1 P3 fix: strip chains of leading `./`
+    // segments. Mirrors `_lib/path-normalize.sh::path_canonical_form`.
+    // Pre-fix `./src/gateway/foo.ts` did NOT match the `src/gateway/`
+    // pattern because the leading `./` was preserved. Bash's
+    // path_canonical_form collapses `./` chains, so `./src/...`,
+    // `././src/...`, etc. all reduce to `src/...`.
+    while (p.startsWith('./')) {
+        p = p.slice(2);
+    }
+    return p;
+}
+function buildAdvisoryBanner(filePath, matched) {
+    return [
+        'ARCHITECTURE ADVISORY: Sensitive path modified\n',
+        '\n',
+        `  File: ${filePath}\n`,
+        `  Category: ${matched}\n`,
+        '\n',
+        '  This file is in an architecture-sensitive directory.\n',
+        '  Consider: Does this change maintain backward compatibility?\n',
+        '  Consider: Should this be reviewed by the principal-engineer agent?\n',
+    ].join('');
+}
+/**
+ * Read `policy.architecture_review.patterns`. Returns `[]` on:
+ *   - policy file missing
+ *   - YAML unparseable
+ *   - architecture_review unset
+ *   - architecture_review.patterns unset/empty/non-list
+ *
+ * 2026-05-15 codex round-1 P3 fix: do NOT use `loadPolicy()` here.
+ * The strict zod schema throws on legacy keys / extra fields, which
+ * caused the catch to swallow patterns silently — a legacy policy.yaml
+ * with one unknown key would disable the advisory entirely, with no
+ * indication to the user.
+ *
+ * The bash original used `policy_list` (a non-strict reader). To match
+ * that behavior we read the YAML directly via the same permissive
+ * parser that `rea hook policy-get` uses (`yaml` package's `parse`),
+ * then pull `architecture_review.patterns` as a list of strings. Any
+ * non-string entry is filtered out. Unknown keys ELSEWHERE in the
+ * policy are tolerated — only the patterns subset matters for this
+ * advisory.
+ */
+function loadArchitecturePatterns(reaRoot, onWarning) {
+    const policyPath = path.join(reaRoot, '.rea', 'policy.yaml');
+    let raw;
+    try {
+        raw = fs.readFileSync(policyPath, 'utf8');
+    }
+    catch {
+        // File missing — bash hook treats this as "advisory disabled".
+        return [];
+    }
+    let parsed;
+    try {
+        parsed = parseYaml(raw);
+    }
+    catch {
+        // Unparseable YAML — log to stderr (NOT silent) and return [].
+        // The advisory still short-circuits to exit 0 since this is an
+        // advisory tier, but the user sees a one-line warning instead of
+        // mysterious silence.
+        onWarning('architecture-review-gate: policy.yaml is unparseable; advisory disabled\n');
+        return [];
+    }
+    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
+        return [];
+    }
+    const ar = parsed['architecture_review'];
+    if (ar === undefined || ar === null || typeof ar !== 'object' || Array.isArray(ar)) {
+        return [];
+    }
+    const patterns = ar['patterns'];
+    if (!Array.isArray(patterns))
+        return [];
+    const out = [];
+    for (const entry of patterns) {
+        if (typeof entry === 'string' && entry.length > 0) {
+            out.push(entry);
+        }
+    }
+    return out;
+}
+/**
+ * Quick policy-disable probe. The bash hook reads
+ * `architecture_advisory: false` (legacy key — pre-0.20.1 toggle)
+ * directly from policy.yaml via grep. The canonical loader doesn't
+ * surface this key (it's not in the strict schema), so we re-read
+ * the raw YAML text. Returns true when the key is present and
+ * literally `false` (no other value disables the hook in the bash
+ * implementation).
+ */
+function isAdvisoryDisabled(reaRoot) {
+    const policyPath = path.join(reaRoot, '.rea', 'policy.yaml');
+    let raw;
+    try {
+        raw = fs.readFileSync(policyPath, 'utf8');
+    }
+    catch {
+        return false;
+    }
+    return /^architecture_advisory:\s*false\b/m.test(raw);
+}
+export async function runArchitectureReviewGate(options = {}) {
+    const reaRoot = options.reaRoot ?? process.env['CLAUDE_PROJECT_DIR'] ?? process.cwd();
+    let stderr = '';
+    const writeStderr = (s) => {
+        stderr += s;
+        if (options.stderrWrite)
+            options.stderrWrite(s);
+    };
+    // 1. HALT.
+    const halt = checkHalt(reaRoot);
+    if (halt.halted) {
+        writeStderr(formatHaltBanner(halt.reason));
+        return { exitCode: 2, stderr, matched: null };
+    }
+    // 2. Disabled?
+    if (isAdvisoryDisabled(reaRoot)) {
+        return { exitCode: 0, stderr, matched: null };
+    }
+    // 3. Stdin.
+    const stdinRaw = options.stdinOverride !== undefined
+        ? options.stdinOverride
+        : await readStdinWithTimeout(5_000);
+    let filePath = '';
+    try {
+        const payload = parseWriteHookPayload(stdinRaw);
+        filePath = payload.filePath;
+    }
+    catch (err) {
+        if (err instanceof MalformedPayloadError || err instanceof TypePayloadError) {
+            // Advisory tier: silently exit 0 on malformed payload. The bash
+            // hook used `jq -r '.tool_input.file_path // empty'` which
+            // coerces malformed JSON to empty stdout, then exits 0. Mirror
+            // that — never refuse on a parse error in the advisory path.
+            return { exitCode: 0, stderr, matched: null };
+        }
+        throw err;
+    }
+    if (filePath.length === 0) {
+        return { exitCode: 0, stderr, matched: null };
+    }
+    const normalized = normalizePath(filePath, reaRoot);
+    if (normalized.length === 0) {
+        return { exitCode: 0, stderr, matched: null };
+    }
+    const patterns = loadArchitecturePatterns(reaRoot, writeStderr);
+    if (patterns.length === 0) {
+        return { exitCode: 0, stderr, matched: null };
+    }
+    let matched = null;
+    for (const pattern of patterns) {
+        if (normalized.startsWith(pattern)) {
+            matched = pattern;
+            break;
+        }
+    }
+    if (matched === null) {
+        return { exitCode: 0, stderr, matched: null };
+    }
+    writeStderr(buildAdvisoryBanner(normalized, matched));
+    return { exitCode: 0, stderr, matched };
+}
+/**
+ * CLI entry — `rea hook architecture-review-gate`.
+ */
+export async function runHookArchitectureReviewGate(options = {}) {
+    const result = await runArchitectureReviewGate({
+        ...options,
+        stderrWrite: (s) => process.stderr.write(s),
+    });
+    process.exit(result.exitCode);
+}

package/dist/hooks/attribution-advisory/index.d.ts

@@ -0,0 +1,72 @@
+/**
+ * Node-binary port of `hooks/attribution-advisory.sh`.
+ *
+ * 0.32.0 Phase 1 Pilot #3 — opt-in policy-gated AI-attribution
+ * detector for `git commit` / `gh pr create|edit` commands.
+ *
+ * Why pilot #3 (and not #1): pilot #1 was the smallest port surface
+ * (no segments, no body-file resolution). Pilot #3 introduces the
+ * FULL `splitSegments` + `anySegmentStartsWith` + `anySegmentMatches`
+ * API surface. Pilot #2 (`security-disclosure-gate`) layers the
+ * file-IO body-file resolver on top of this same segment primitive.
+ *
+ * Behavioral contract — preserves bash hook byte-for-byte:
+ *
+ *   1. HALT check → exit 2 with shared banner. (Same as pilot 1.)
+ *   2. Read stdin payload. When `tool_input.command` is missing /
+ *      empty, exit 0 silently.
+ *   3. Read `<reaRoot>/.rea/policy.yaml` and check for the line
+ *      `block_ai_attribution: true`. The bash original used `grep -qE
+ *      '^block_ai_attribution:[[:space:]]*true'` against the file
+ *      directly; the Node port preserves the EXACT same regex against
+ *      the file contents. NOT a YAML parse — the bash hook ran before
+ *      we had a CLI-mediated `policy-get` read, and consumers may
+ *      authored the line in either block or inline form. Matching the
+ *      regex behavior preserves all the edge cases the bash hook
+ *      shipped with.
+ *   4. Identify whether the command is RELEVANT — a `git commit` or
+ *      `gh pr create|edit` invocation at the head of any segment.
+ *      Uses `anySegmentStartsWith` (head-anchored, post-prefix-strip)
+ *      so a quoted-body mention like `gh pr edit --body "ref: git
+ *      commit earlier"` does NOT count as relevant.
+ *   5. Scan for FIVE attribution-marker classes, each via
+ *      `anySegmentMatches` so the match has to live in the same
+ *      segment as the relevant command head:
+ *        a. `Co-Authored-By:` with an AI vendor noreply@ domain
+ *        b. `Co-Authored-By:` with a known AI tool name
+ *        c. `Generated|Created|Built|… with|by <AI Tool>`
+ *        d. Markdown-linked tool name (`[Claude Code](`)
+ *        e. Robot-emoji + Generated marker
+ *   6. Any match → exit 2 with the banner. No match → exit 0.
+ *
+ * Wider-net pattern choice: the bash hook used `[[:space:]]+` for
+ * `\s+` equivalents. JS regex uses `\s+` which is broader (includes
+ * vertical tab / form feed). For the ASCII payloads `gh` and `git`
+ * actually accept, the behavior is identical.
+ */
+import type { Buffer } from 'node:buffer';
+export interface AttributionAdvisoryOptions {
+    reaRoot?: string;
+    stdinOverride?: string | Buffer;
+    stderrWrite?: (s: string) => void;
+}
+export interface AttributionAdvisoryResult {
+    exitCode: number;
+    stderr: string;
+}
+/**
+ * Pure executor — returns `{ exitCode, stderr }`.
+ */
+export declare function runAttributionAdvisory(options?: AttributionAdvisoryOptions): Promise<AttributionAdvisoryResult>;
+/**
+ * CLI entry — `rea hook attribution-advisory`.
+ */
+export declare function runHookAttributionAdvisory(options?: AttributionAdvisoryOptions): Promise<void>;
+export declare const __INTERNAL_BLOCK_BANNER_FOR_TESTS: string;
+export declare const __INTERNAL_PATTERNS_FOR_TESTS: {
+    PATTERN_NOREPLY_AI: string;
+    PATTERN_COAUTH_AI_NAME: string;
+    PATTERN_GENERATED_WITH: string;
+    PATTERN_MD_LINK: string;
+    PATTERN_EMOJI: string;
+};

package/dist/hooks/attribution-advisory/index.js

@@ -0,0 +1,233 @@
+/**
+ * Node-binary port of `hooks/attribution-advisory.sh`.
+ *
+ * 0.32.0 Phase 1 Pilot #3 — opt-in policy-gated AI-attribution
+ * detector for `git commit` / `gh pr create|edit` commands.
+ *
+ * Why pilot #3 (and not #1): pilot #1 was the smallest port surface
+ * (no segments, no body-file resolution). Pilot #3 introduces the
+ * FULL `splitSegments` + `anySegmentStartsWith` + `anySegmentMatches`
+ * API surface. Pilot #2 (`security-disclosure-gate`) layers the
+ * file-IO body-file resolver on top of this same segment primitive.
+ *
+ * Behavioral contract — preserves bash hook byte-for-byte:
+ *
+ *   1. HALT check → exit 2 with shared banner. (Same as pilot 1.)
+ *   2. Read stdin payload. When `tool_input.command` is missing /
+ *      empty, exit 0 silently.
+ *   3. Read `<reaRoot>/.rea/policy.yaml` and check for the line
+ *      `block_ai_attribution: true`. The bash original used `grep -qE
+ *      '^block_ai_attribution:[[:space:]]*true'` against the file
+ *      directly; the Node port preserves the EXACT same regex against
+ *      the file contents. NOT a YAML parse — the bash hook ran before
+ *      we had a CLI-mediated `policy-get` read, and consumers may
+ *      authored the line in either block or inline form. Matching the
+ *      regex behavior preserves all the edge cases the bash hook
+ *      shipped with.
+ *   4. Identify whether the command is RELEVANT — a `git commit` or
+ *      `gh pr create|edit` invocation at the head of any segment.
+ *      Uses `anySegmentStartsWith` (head-anchored, post-prefix-strip)
+ *      so a quoted-body mention like `gh pr edit --body "ref: git
+ *      commit earlier"` does NOT count as relevant.
+ *   5. Scan for FIVE attribution-marker classes, each via
+ *      `anySegmentMatches` so the match has to live in the same
+ *      segment as the relevant command head:
+ *        a. `Co-Authored-By:` with an AI vendor noreply@ domain
+ *        b. `Co-Authored-By:` with a known AI tool name
+ *        c. `Generated|Created|Built|… with|by <AI Tool>`
+ *        d. Markdown-linked tool name (`[Claude Code](`)
+ *        e. Robot-emoji + Generated marker
+ *   6. Any match → exit 2 with the banner. No match → exit 0.
+ *
+ * Wider-net pattern choice: the bash hook used `[[:space:]]+` for
+ * `\s+` equivalents. JS regex uses `\s+` which is broader (includes
+ * vertical tab / form feed). For the ASCII payloads `gh` and `git`
+ * actually accept, the behavior is identical.
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+import { checkHalt, formatHaltBanner } from '../_lib/halt-check.js';
+import { parseHookPayload, MalformedPayloadError, TypePayloadError, readStdinWithTimeout, } from '../_lib/payload.js';
+import { anySegmentStartsWith, anySegmentMatches } from '../_lib/segments.js';
+const RELEVANT_GH = 'gh\\s+pr\\s+(create|edit)';
+const RELEVANT_GIT_COMMIT = 'git\\s+commit';
+/**
+ * `Co-Authored-By:` paired with a vendor `noreply@` domain that we
+ * recognize as AI tooling. GitHub's per-user `users.noreply.github.com`
+ * form is EXCLUDED — that's a legitimate human-collaborator credit.
+ *
+ * Mirrors the 0.18.0 helix-020 G4.B fix exactly: the catalog of
+ * recognized AI vendor noreply domains is enumerated here verbatim
+ * from the bash hook so adding/removing a vendor is a one-place edit.
+ */
+const NOREPLY_AI_DOMAINS = [
+    'anthropic\\.com',
+    'openai\\.com',
+    'github-copilot',
+    'github\\.com',
+    'claude\\.ai',
+    'chatgpt\\.com',
+    'googlemail\\.com',
+    'google\\.com',
+    'cursor\\.com',
+    'codeium\\.com',
+    'tabnine\\.com',
+    'amazon\\.com',
+    'amazonaws\\.com',
+    'amazon-q\\.amazonaws\\.com',
+    'cody\\.dev',
+    'sourcegraph\\.com',
+    'mistral\\.ai',
+    'xai-org',
+    'x\\.ai',
+    'inflection\\.ai',
+    'perplexity\\.ai',
+    'replit\\.com',
+    'jetbrains\\.com',
+    'bito\\.ai',
+    'pieces\\.app',
+    'phind\\.com',
+    'you\\.com',
+];
+const PATTERN_NOREPLY_AI = `Co-Authored-By:.*noreply@(${NOREPLY_AI_DOMAINS.join('|')})`;
+const PATTERN_COAUTH_AI_NAME = 'Co-Authored-By:.*\\b(Claude|Sonnet|Opus|Haiku|Copilot|GPT|ChatGPT|Gemini|' +
+    'Cursor|Codeium|Tabnine|Amazon Q|CodeWhisperer|Devin|Windsurf|Cline|' +
+    'Aider|Anthropic|OpenAI|GitHub Copilot)\\b';
+const PATTERN_GENERATED_WITH = '(Generated|Created|Built|Powered|Authored|Written|Produced)\\s+' +
+    '(with|by)\\s+' +
+    '(Claude|Copilot|GPT|ChatGPT|Gemini|Cursor|Codeium|Tabnine|CodeWhisperer|' +
+    'Devin|Windsurf|Cline|Aider|AI|an? AI)\\b';
+const PATTERN_MD_LINK = '\\[Claude Code\\]\\(|\\[GitHub Copilot\\]\\(|\\[ChatGPT\\]\\(|' +
+    '\\[Gemini\\]\\(|\\[Cursor\\]\\(';
+const PATTERN_EMOJI = '🤖.*[Gg]enerated';
+const BLOCK_BANNER = [
+    '\n',
+    '═══════════════════════════════════════════════════════════════════\n',
+    '  BLOCKED: AI attribution detected in command\n',
+    '═══════════════════════════════════════════════════════════════════\n',
+    '\n',
+    '  Your command contains structural AI attribution markers.\n',
+    '\n',
+    '  What gets BLOCKED (structural attribution):\n',
+    '    - Co-Authored-By with AI names or noreply@ emails\n',
+    '    - "Generated with/by [AI Tool]" footer lines\n',
+    '    - Markdown-linked tool names: [Claude Code](...)\n',
+    '    - Emoji attribution: 🤖 Generated...\n',
+    '\n',
+    '  What is ALLOWED (legitimate references):\n',
+    '    - "Fix Claude API integration"\n',
+    '    - "Update OpenAI SDK version"\n',
+    '    - "Add Copilot config"\n',
+    '\n',
+    '  Remove the attribution markers and rewrite the command.\n',
+    '  To disable: set block_ai_attribution: false in .rea/policy.yaml\n',
+    '═══════════════════════════════════════════════════════════════════\n',
+    '\n',
+].join('');
+/**
+ * Check whether the policy file enables `block_ai_attribution`. Same
+ * grep posture as the bash hook (`grep -qE
+ * '^block_ai_attribution:[[:space:]]*true' "$POLICY_FILE"`).
+ *
+ * Missing file → not enabled. Read errors → not enabled (the policy
+ * itself becomes the gate's input; an unreadable policy can't say
+ * "block", so the safe posture is to no-op like the bash hook does).
+ */
+function isAttributionBlockingEnabled(reaRoot) {
+    const policyFile = path.join(reaRoot, '.rea', 'policy.yaml');
+    if (!fs.existsSync(policyFile))
+        return false;
+    let content;
+    try {
+        content = fs.readFileSync(policyFile, 'utf8');
+    }
+    catch {
+        return false;
+    }
+    // ERE: `^block_ai_attribution:[[:space:]]*true`. JS regex equiv:
+    // `^block_ai_attribution:\s*true` with multiline anchor.
+    return /^block_ai_attribution:\s*true/m.test(content);
+}
+/**
+ * Pure executor — returns `{ exitCode, stderr }`.
+ */
+export async function runAttributionAdvisory(options = {}) {
+    const reaRoot = options.reaRoot ?? process.env['CLAUDE_PROJECT_DIR'] ?? process.cwd();
+    let stderr = '';
+    const writeStderr = (s) => {
+        stderr += s;
+        if (options.stderrWrite)
+            options.stderrWrite(s);
+    };
+    // 1. HALT check.
+    const halt = checkHalt(reaRoot);
+    if (halt.halted) {
+        writeStderr(formatHaltBanner(halt.reason));
+        return { exitCode: 2, stderr };
+    }
+    // 2. Read stdin.
+    const stdinRaw = options.stdinOverride !== undefined
+        ? options.stdinOverride
+        : await readStdinWithTimeout(5_000);
+    let cmd = '';
+    try {
+        const payload = parseHookPayload(stdinRaw);
+        cmd = payload.command;
+    }
+    catch (err) {
+        if (err instanceof MalformedPayloadError || err instanceof TypePayloadError) {
+            writeStderr(`attribution-advisory: ${err.message} — refusing on uncertainty.\n`);
+            return { exitCode: 2, stderr };
+        }
+        throw err;
+    }
+    if (cmd.length === 0) {
+        return { exitCode: 0, stderr };
+    }
+    // 3. Policy gate.
+    if (!isAttributionBlockingEnabled(reaRoot)) {
+        return { exitCode: 0, stderr };
+    }
+    // 4. Relevance gate — only act on `git commit` / `gh pr create|edit`.
+    const isRelevant = anySegmentStartsWith(cmd, RELEVANT_GH) ||
+        anySegmentStartsWith(cmd, RELEVANT_GIT_COMMIT);
+    if (!isRelevant) {
+        return { exitCode: 0, stderr };
+    }
+    // 5. Attribution scan.
+    let found = false;
+    if (anySegmentMatches(cmd, PATTERN_NOREPLY_AI))
+        found = true;
+    if (!found && anySegmentMatches(cmd, PATTERN_COAUTH_AI_NAME))
+        found = true;
+    if (!found && anySegmentMatches(cmd, PATTERN_GENERATED_WITH))
+        found = true;
+    if (!found && anySegmentMatches(cmd, PATTERN_MD_LINK))
+        found = true;
+    if (!found && anySegmentMatches(cmd, PATTERN_EMOJI))
+        found = true;
+    if (found) {
+        writeStderr(BLOCK_BANNER);
+        return { exitCode: 2, stderr };
+    }
+    return { exitCode: 0, stderr };
+}
+/**
+ * CLI entry — `rea hook attribution-advisory`.
+ */
+export async function runHookAttributionAdvisory(options = {}) {
+    const result = await runAttributionAdvisory({
+        ...options,
+        stderrWrite: (s) => process.stderr.write(s),
+    });
+    process.exit(result.exitCode);
+}
+// Internal exports for tests.
+export const __INTERNAL_BLOCK_BANNER_FOR_TESTS = BLOCK_BANNER;
+export const __INTERNAL_PATTERNS_FOR_TESTS = {
+    PATTERN_NOREPLY_AI,
+    PATTERN_COAUTH_AI_NAME,
+    PATTERN_GENERATED_WITH,
+    PATTERN_MD_LINK,
+    PATTERN_EMOJI,
+};

package/dist/hooks/bash-scanner/protected-scan.js

@@ -136,13 +136,25 @@ function isKillSwitchInvariant(p) {
 /**
  * Test whether a normalized lowercase project-relative path falls
  * inside the documented husky extension surface
- * (`.husky/{commit-msg,pre-push,pre-commit}.d/<fragment>`).
+ * (`.husky/{commit-msg,pre-push,pre-commit,prepare-commit-msg}.d/<fragment>`).
  *
  * The bare directory itself (`.husky/pre-push.d/`) and the dir node
  * (`.husky/pre-push.d`) do NOT match — only fragments inside.
+ *
+ * 0.32.0 codex round 2 P1: `.husky/prepare-commit-msg.d/` joined the
+ * carve-out to match settings-protection.sh §5b and the bash-tier
+ * `rea_path_is_extension_surface` helper. Without this, the new
+ * prepare-commit-msg migration path documented in MIGRATING.md was
+ * still refused by the Node-binary protected-scan even though the
+ * Write/Edit allow-list permitted it.
  */
 function isExtensionSurface(pathLc) {
-    const surfaces = ['.husky/commit-msg.d/', '.husky/pre-push.d/', '.husky/pre-commit.d/'];
+    const surfaces = [
+        '.husky/commit-msg.d/',
+        '.husky/pre-push.d/',
+        '.husky/pre-commit.d/',
+        '.husky/prepare-commit-msg.d/',
+    ];
     for (const s of surfaces) {
         if (pathLc.startsWith(s) && pathLc.length > s.length) {
             return true;