@bookedsolid/rea 0.32.0 → 0.33.0

package/hooks/architecture-review-gate.sh

@@ -1,101 +1,116 @@
 #!/bin/bash
 # PostToolUse hook: architecture-review-gate.sh
-# Fires AFTER every Write or Edit tool call.
-# Lightweight advisory: flags when writing to architecture-sensitive paths.
-# Does NOT block — only returns advisory context.
+# 0.33.0+ — Node-binary shim for `rea hook architecture-review-gate`.
 #
-# Exit codes:
-#   0 = always (advisory only, never blocks)
+# Pre-0.33.0 the gate's full body lived here as bash (101 LOC, policy-
+# driven prefix-match against `architecture_review.patterns`). The
+# migration moves all of that into `src/hooks/architecture-review-gate/
+# index.ts`.
+#
+# Behavioral contract is preserved byte-for-byte: ALWAYS exit 0
+# (advisory-only) except under HALT (exit 2). The hook fires for ALL
+# Write/Edit PostToolUse events, but the Node body short-circuits to
+# exit 0 when patterns are unset/empty — so the cost of running the
+# CLI on every write is bounded.
+#
+# # CLI-resolution trust boundary
+#
+# Realpath sandbox check + version probe. Same shape as the 0.32.0
+# pilots.
+#
+# # Fail-OPEN posture
+#
+# architecture-review-gate is ADVISORY-only — the pre-0.33.0 bash body
+# never refused (exit 0 only). The early-exit branches (CLI missing,
+# node missing, sandbox failed, version skew) all exit 0 silently
+# because there is nothing to "preserve protection" for. The HALT
+# check is the only path to exit 2.
 
 set -uo pipefail
 
-# ── 1. Read ALL stdin immediately ─────────────────────────────────────────────
-INPUT=$(cat)
-
-# ── 2. Dependency check ──────────────────────────────────────────────────────
-if ! command -v jq >/dev/null 2>&1; then
-  exit 0
-fi
-
-# ── 3. HALT check ────────────────────────────────────────────────────────────
-# 0.16.0: HALT check sourced from shared _lib/halt-check.sh.
+# 1. HALT check.
 # shellcheck source=_lib/halt-check.sh
 source "$(dirname "$0")/_lib/halt-check.sh"
 check_halt
 REA_ROOT=$(rea_root)
 
-# ── 4. Check if enabled ──────────────────────────────────────────────────────
-POLICY_FILE="${REA_ROOT}/.rea/policy.yaml"
-if [[ -f "$POLICY_FILE" ]]; then
-  if grep -qE 'architecture_advisory:[[:space:]]*false' "$POLICY_FILE" 2>/dev/null; then
-    exit 0
-  fi
-fi
+proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
 
-# ── 5. Extract file path ─────────────────────────────────────────────────────
-FILE_PATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+# 2. No relevance pre-gate — architecture-review-gate fires on every
+#    Write/Edit, and the cost of the Node body's early-out (load
+#    policy, check patterns array, prefix-match) is well under the
+#    cost of a sandbox/probe pair. Capture stdin once.
+INPUT=$(cat)
 
-if [[ -z "$FILE_PATH" ]]; then
-  exit 0
+# 3. Resolve the rea CLI. Advisory-tier: exit 0 silently on missing
+#    CLI — nothing to enforce.
+REA_ARGV=()
+RESOLVED_CLI_PATH=""
+if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
+elif [ -f "$proj/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
 fi
 
-# 0.16.0 fix D.1: normalize via shared `_lib/path-normalize.sh` so
-# Windows / Git Bash backslash paths and URL-encoded forms are handled
-# uniformly with the rest of the hook layer. Pre-fix, this hook only
-# stripped $REA_ROOT prefix — `src\gateway\foo.ts` (Windows) or
-# `src%2Fgateway%2Ffoo.ts` (URL-encoded) silently bypassed the
-# architectural review.
-# shellcheck source=_lib/path-normalize.sh
-source "$(dirname "$0")/_lib/path-normalize.sh"
-FILE_PATH=$(normalize_path "$FILE_PATH")
-
-# ── 6. Check architecture-sensitive paths ─────────────────────────────────────
-# 0.20.1 helix-round-N P2: read patterns from policy. Pre-fix the
-# rea-internal source-tree patterns (`src/gateway/`, `hooks/_lib/`,
-# `profiles/`, etc.) shipped as hardcoded defaults — irrelevant noise
-# in consumer projects whose architecture-sensitive paths are
-# different. Consumers with their own architecture surfaces declare
-# them in `.rea/policy.yaml::architecture_review.patterns`. The
-# bst-internal profile pins the rea-source patterns so the dogfood
-# install behaves the same as before; consumers without a pattern
-# set get a silent no-op.
-# shellcheck source=_lib/policy-read.sh
-source "$(dirname "$0")/_lib/policy-read.sh"
-
-ARCH_PATTERNS=()
-while IFS= read -r entry; do
-  [[ -z "$entry" ]] && continue
-  ARCH_PATTERNS+=("$entry")
-done < <(policy_list "architecture_review.patterns" 2>/dev/null || true)
+if [ "${#REA_ARGV[@]}" -eq 0 ]; then
+  exit 0
+fi
 
-if [[ ${#ARCH_PATTERNS[@]} -eq 0 ]]; then
-  # Empty/unset policy → silent no-op. Consumers who haven't declared
-  # architecture-sensitive paths see zero advisory output.
+# 4. Realpath sandbox check. Advisory-tier: exit 0 silently on
+#    sandbox failure (with a single-line breadcrumb to stderr).
+if ! command -v node >/dev/null 2>&1; then
   exit 0
 fi
 
-MATCHED=""
-for pattern in "${ARCH_PATTERNS[@]}"; do
-  if [[ "$FILE_PATH" == "$pattern"* ]]; then
-    MATCHED="$pattern"
-    break
-  fi
-done
+sandbox_check=$(node -e '
+  const fs = require("fs");
+  const path = require("path");
+  const cli = process.argv[1];
+  const projDir = process.argv[2];
+  let real, realProj;
+  try { real = fs.realpathSync(cli); } catch (e) {
+    process.stdout.write("bad:realpath"); process.exit(1);
+  }
+  try { realProj = fs.realpathSync(projDir); } catch (e) {
+    process.stdout.write("bad:realpath-proj"); process.exit(1);
+  }
+  const sep = path.sep;
+  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
+  if (!(real === realProj || real.startsWith(projWithSep))) {
+    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
+  }
+  let cur = path.dirname(path.dirname(path.dirname(real)));
+  let found = false;
+  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
+    const pj = path.join(cur, "package.json");
+    if (fs.existsSync(pj)) {
+      try {
+        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
+        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
+      } catch (e) { /* keep walking */ }
+    }
+    cur = path.dirname(cur);
+  }
+  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
+  process.stdout.write("ok");
+' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
 
-if [[ -z "$MATCHED" ]]; then
+if [ "$sandbox_check" != "ok" ]; then
+  printf 'rea: architecture-review-gate skipped (sandbox check: %s)\n' "$sandbox_check" >&2
   exit 0
 fi
 
-# ── 7. Advisory output ───────────────────────────────────────────────────────
-{
-  printf 'ARCHITECTURE ADVISORY: Sensitive path modified\n'
-  printf '\n'
-  printf '  File: %s\n' "$FILE_PATH"
-  printf '  Category: %s\n' "$MATCHED"
-  printf '\n'
-  printf '  This file is in an architecture-sensitive directory.\n'
-  printf '  Consider: Does this change maintain backward compatibility?\n'
-  printf '  Consider: Should this be reviewed by the principal-engineer agent?\n'
-} >&2
+# 5. Version-probe. Advisory-tier: exit 0 on probe failure.
+probe_out=$("${REA_ARGV[@]}" hook architecture-review-gate --help 2>&1)
+probe_status=$?
+if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'architecture-review-gate'; then
+  printf 'rea: this shim requires the `rea hook architecture-review-gate` subcommand (introduced in 0.33.0).\n' >&2
+  printf 'Run `pnpm install` (or `npm install`) to sync the CLI; falling through silently.\n' >&2
+  exit 0
+fi
 
-exit 0
+# 6. Forward stdin.
+printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook architecture-review-gate
+exit $?

package/hooks/changeset-security-gate.sh

@@ -1,172 +1,137 @@
-#!/usr/bin/env bash
-# changeset-security-gate.sh — PreToolUse: Write|Edit
+#!/bin/bash
+# PreToolUse hook: changeset-security-gate.sh
+# 0.33.0+ — Node-binary shim for `rea hook changeset-security-gate`.
 #
-# Guards .changeset/*.md files against two failure modes:
+# Pre-0.33.0 the gate's full body lived here as bash (172 LOC, frontmatter
+# validation + GHSA/CVE scan + MultiEdit-aware tool handling). The
+# migration to the parser-backed Node binary moves all of that into
+# `src/hooks/changeset-security-gate/index.ts`.
 #
-# 1. SECURITY DISCLOSURE LEAK — GHSA IDs or CVE numbers written to a changeset
-#    file before the advisory is published. Changeset files are committed to git
-#    and appear verbatim in CHANGELOG.md — referencing a GHSA ID pre-publish
-#    creates public pre-disclosure in git history.
+# Behavioral contract is preserved byte-for-byte: exit 0 on
+# pass-through / non-changeset / valid frontmatter, exit 2 on HALT /
+# disclosure leak / malformed frontmatter / malformed payload.
 #
-# 2. MISSING OR MALFORMED FRONTMATTER — changeset files without proper frontmatter
-#    are silently ignored by the changesets tool, wasting the release entry.
+# # CLI-resolution trust boundary
 #
-# Triggered by: PreToolUse — Write and Edit tools
-
-set -euo pipefail
+# Realpath sandbox check + version probe. Same shape as the 0.32.0
+# pilots.
+#
+# # Fail-closed posture
+#
+# changeset-security-gate is BLOCKING-tier — the pre-0.33.0 bash body
+# refused on GHSA/CVE patterns and on malformed frontmatter. Early-exit
+# branches fail closed AFTER the relevance pre-gate passes.
 
-# shellcheck source=_lib/common.sh
-source "$(dirname "$0")/_lib/common.sh"
+set -uo pipefail
 
+# 1. HALT check.
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
 check_halt
+REA_ROOT=$(rea_root)
 
-INPUT="$(cat)"
-TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name // ""')
-
-# 0.15.0 fix: MultiEdit was not in the allowed tool_name set, so the gate
-# silently exited 0 on every MultiEdit call against `.changeset/*.md` —
-# letting GHSA / CVE pre-disclosure through and skipping frontmatter
-# validation. 0.16.0: NotebookEdit added too (changesets are .md files
-# but a malicious agent could in principle route a .md write through
-# NotebookEdit's new_source path; cheap to allow, free to test).
-if [[ "$TOOL_NAME" != "Write" && "$TOOL_NAME" != "Edit" && "$TOOL_NAME" != "MultiEdit" && "$TOOL_NAME" != "NotebookEdit" ]]; then
-  exit 0
-fi
-
-require_jq
-
-# 0.16.0: payload extraction migrated to `_lib/payload-read.sh`. Shared
-# helpers handle every write-tier tool with the same defensive
-# coercion. Adding the next write-tier tool is a one-line edit there.
-# shellcheck source=_lib/payload-read.sh
-source "$(dirname "$0")/_lib/payload-read.sh"
+proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
 
-FILE_PATH=$(extract_file_path "$INPUT")
-
-# Only care about .changeset/*.md files — exclude README.md (changeset tool metadata)
-if ! echo "$FILE_PATH" | grep -qE '\.changeset/[^/]+\.md$' || echo "$FILE_PATH" | grep -qE '\.changeset/README\.md$'; then
-  exit 0
-fi
-
-CONTENT=$(extract_write_content "$INPUT")
-
-# ─── 1. SECURITY DISCLOSURE CHECK ───────────────────────────────────────────
+# 2. Relevance pre-gate. This is a PreToolUse Write/Edit/MultiEdit/
+#    NotebookEdit matcher, so the payload always has a `tool_input.
+#    file_path` (or `notebook_path`).
 #
-# These patterns in a changeset mean security details are about to be committed
-# to git history BEFORE the advisory is published — creating pre-disclosure.
-# GHSA IDs and CVE numbers must NEVER appear in changeset files.
-
-DISCLOSURE_PATTERNS=(
-  'GHSA-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}'
-  'CVE-[0-9]{4}-[0-9]+'
-)
-
-MATCHED_PATTERN=""
-for PATTERN in "${DISCLOSURE_PATTERNS[@]}"; do
-  if echo "$CONTENT" | grep -qE "$PATTERN"; then
-    MATCHED_PATTERN="$PATTERN"
-    break
+#    2026-05-15 codex round-2 P2 fix: scan `tool_input.file_path` /
+#    `tool_input.notebook_path` ONLY, NOT the raw JSON payload. Pre-fix
+#    a Write to `README.md` whose body merely mentions `.changeset/`
+#    (e.g. "See .changeset/example.md") tripped the fail-closed branch
+#    when the CLI was unbuilt — the substring lived in the
+#    tool_input.content blob, not in the target path. The Node body
+#    correctly filters by file_path; the shim's pre-gate must match
+#    that posture.
+INPUT=$(cat)
+RELEVANT=0
+PROBE=""
+if command -v jq >/dev/null 2>&1; then
+  PROBE=$(printf '%s' "$INPUT" | jq -r '(.tool_input.file_path // .tool_input.notebook_path // "")' 2>/dev/null || true)
+  if printf '%s' "$PROBE" | grep -qE '\.changeset/'; then
+    RELEVANT=1
+  fi
+else
+  if printf '%s' "$INPUT" | grep -qE '\.changeset/'; then
+    RELEVANT=1
   fi
-done
-
-if [[ -n "$MATCHED_PATTERN" ]]; then
-  json_output "block" \
-    "CHANGESET SECURITY GATE: This changeset contains a security advisory identifier (matched: '${MATCHED_PATTERN}').
-
-Do NOT reference GHSA IDs or CVE numbers in changeset files before the advisory is published.
-Changeset files are committed to git — this creates pre-disclosure in public history and CHANGELOG.
-
-CORRECT approach for security fix changesets:
-  Use vague language only — no identifiers, no vulnerability details.
-
-  WRONG:  'fix(hooks): patch GHSA-3w3m-7gg4-f82g — symlink-guard now covers Edit tool'
-  RIGHT:  'security: extend symlink protection to cover all write-capable tools'
-
-  WRONG:  'security: fix CVE-2026-1234 prompt injection via tool descriptions'
-  RIGHT:  'security: harden middleware chain against indirect instruction attacks'
-
-After the release ships:
-  1. Publish the GitHub Security Advisory (Security tab → Advisories → Publish)
-  2. The GHSA becomes the detailed public disclosure document
-  3. Optionally update CHANGELOG.md post-publish to add the GHSA reference"
 fi
-
-# ─── 2. FRONTMATTER VALIDATION ───────────────────────────────────────────────
-#
-# A changeset without valid frontmatter is silently ignored by the changesets
-# tool — the package bump and CHANGELOG entry never appear in the release.
-#
-# 0.15.0 fix: skip frontmatter validation for MultiEdit. MultiEdit's
-# `tool_input.edits[].new_string` payload is a list of partial string
-# replacements, not the full file body — running the frontmatter
-# validator against the concatenation of new_strings would reject every
-# legitimate MultiEdit on an existing changeset (none of the edit
-# fragments individually contains a frontmatter block, even though the
-# resulting file does). The disclosure scan above still runs on
-# MultiEdit content because GHSA/CVE patterns match per-fragment without
-# any structural assumption.
-if [[ "$TOOL_NAME" == "MultiEdit" ]]; then
+if [ "$RELEVANT" -eq 0 ]; then
   exit 0
 fi
 
-# Must start with ---
-if ! echo "$CONTENT" | head -1 | grep -qE '^---'; then
-  json_output "block" \
-    "CHANGESET FORMAT GATE: Missing frontmatter block.
-
-Every changeset must start with a frontmatter block specifying which package to bump:
-
----
-'@bookedsolid/rea': patch
----
-
-Brief description of what changed and why (close #N if applicable).
-
-Bump types: patch (bug fix/security), minor (new feature), major (breaking change)"
+# 3. Resolve the rea CLI.
+REA_ARGV=()
+RESOLVED_CLI_PATH=""
+if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
+elif [ -f "$proj/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
 fi
 
-# Must have at least one package bump entry and a closing ---.
-# 0.15.0 fix: accept single-quoted, double-quoted, AND unquoted package
-# names (all three are valid YAML for the same string). Pre-fix the
-# regex required single quotes, so a tool or human authoring the
-# changeset with `"@scope/name": patch` was rejected as malformed even
-# though the Changesets tool itself accepts every form.
-#
-# Codex round-1 P2-1 fix: explicit-alternation form (no backref) so
-# the unquoted variant matches on BSD grep too. The earlier
-# `^([\"']?)[^\"']+\1: ...` shape relied on backref-with-empty-capture
-# semantics that BSD's grep rejects when the capture group's `?` made
-# it absent — quoted forms matched on macOS but unquoted did not.
-FRONTMATTER=$(echo "$CONTENT" | awk '/^---/{count++; if(count==2){exit} next} count==1{print}')
-if ! echo "$FRONTMATTER" | grep -qE "^(\"[^\"]+\"|'[^']+'|[^\"'[:space:]]+): (patch|minor|major)"; then
-  json_output "block" \
-    "CHANGESET FORMAT GATE: Frontmatter does not contain a valid package bump entry.
-
-The frontmatter must include at least one package/bump pair:
-
----
-'@bookedsolid/rea': patch
----
-
-Valid bump types: patch | minor | major"
+if [ "${#REA_ARGV[@]}" -eq 0 ]; then
+  printf 'rea: changeset-security-gate cannot run — the rea CLI is not built.\n' >&2
+  printf 'Run `pnpm install && pnpm build` (or `npm install` for a consumer install) to restore protection.\n' >&2
+  exit 2
 fi
 
-# Must have a non-empty description after the closing ---
-DESCRIPTION=$(echo "$CONTENT" | awk 'BEGIN{count=0} /^---/{count++; next} count>=2{print}' | grep -v '^[[:space:]]*$' | head -1 || true)
-if [[ -z "$DESCRIPTION" ]]; then
-  json_output "block" \
-    "CHANGESET FORMAT GATE: Missing description after frontmatter.
-
-Add a meaningful description explaining what changed and why:
-
----
-'@bookedsolid/rea': patch
----
+# 4. Realpath sandbox check.
+if ! command -v node >/dev/null 2>&1; then
+  printf 'rea: changeset-security-gate cannot run — `node` is not on PATH.\n' >&2
+  exit 2
+fi
 
-fix(gateway): policy-loader now uses async I/O with 500ms TTL cache
+sandbox_check=$(node -e '
+  const fs = require("fs");
+  const path = require("path");
+  const cli = process.argv[1];
+  const projDir = process.argv[2];
+  let real, realProj;
+  try { real = fs.realpathSync(cli); } catch (e) {
+    process.stdout.write("bad:realpath"); process.exit(1);
+  }
+  try { realProj = fs.realpathSync(projDir); } catch (e) {
+    process.stdout.write("bad:realpath-proj"); process.exit(1);
+  }
+  const sep = path.sep;
+  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
+  if (!(real === realProj || real.startsWith(projWithSep))) {
+    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
+  }
+  let cur = path.dirname(path.dirname(path.dirname(real)));
+  let found = false;
+  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
+    const pj = path.join(cur, "package.json");
+    if (fs.existsSync(pj)) {
+      try {
+        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
+        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
+      } catch (e) { /* keep walking */ }
+    }
+    cur = path.dirname(cur);
+  }
+  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
+  process.stdout.write("ok");
+' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
+
+if [ "$sandbox_check" != "ok" ]; then
+  printf 'rea: changeset-security-gate FAILED sandbox check (%s) — refusing.\n' "$sandbox_check" >&2
+  exit 2
+fi
 
-Previously, loadPolicy used fs.readFileSync on every tool invocation, blocking
-the event loop under concurrency. Closes #34."
+# 5. Version-probe.
+probe_out=$("${REA_ARGV[@]}" hook changeset-security-gate --help 2>&1)
+probe_status=$?
+if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'changeset-security-gate'; then
+  printf 'rea: this shim requires the `rea hook changeset-security-gate` subcommand (introduced in 0.33.0).\n' >&2
+  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
+  printf 'Run `pnpm install` (or `npm install`) to sync the CLI; refusing in the meantime to preserve enforcement.\n' >&2
+  exit 2
 fi
 
-exit 0
+# 6. Forward stdin.
+printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook changeset-security-gate
+exit $?