@bookedsolid/rea 0.32.0 → 0.33.0

package/hooks/dependency-audit-gate.sh

@@ -1,179 +1,138 @@
 #!/bin/bash
 # PreToolUse hook: dependency-audit-gate.sh
-# Fires BEFORE every Bash tool call.
-# Detects package install commands (npm install, pnpm add, yarn add) and
-# verifies the package exists on the registry before allowing the install.
+# 0.33.0+ — Node-binary shim for `rea hook dependency-audit-gate`.
 #
-# Exit codes:
-#   0 = allow (not an install command, or package verified)
-#   2 = block (package not found on registry)
+# Pre-0.33.0 the gate's full body lived here as bash (179 LOC, the
+# segment splitter + install-pattern detection + per-package
+# `npm view` probe). The migration to the parser-backed Node binary
+# moves all of that into `src/hooks/dependency-audit-gate/index.ts`.
+#
+# Behavioral contract is preserved byte-for-byte: exit 0 on
+# pass-through / all-packages-verified, exit 2 on HALT / any package
+# missing / malformed payload.
+#
+# # CLI-resolution trust boundary
+#
+# Realpath sandbox check + version probe. Same shape as the 0.32.0
+# pilots and the env-file-protection shim above.
+#
+# # Fail-closed posture
+#
+# dependency-audit-gate is BLOCKING-tier — the pre-0.33.0 bash body
+# refused on missing packages. Early-exit branches (CLI missing,
+# node missing, sandbox failed, version skew) fail closed AFTER the
+# relevance pre-gate passes.
 
 set -uo pipefail
 
-# ── 1. Read ALL stdin immediately ─────────────────────────────────────────────
-INPUT=$(cat)
-
-# ── 2. Dependency check ──────────────────────────────────────────────────────
-if ! command -v jq >/dev/null 2>&1; then
-  printf 'REA ERROR: jq is required but not installed.\n' >&2
-  printf 'Install: brew install jq  OR  apt-get install -y jq\n' >&2
-  exit 2
-fi
-
-# ── 3. HALT check ────────────────────────────────────────────────────────────
-# 0.16.0: HALT check sourced from shared _lib/halt-check.sh.
+# 1. HALT check.
 # shellcheck source=_lib/halt-check.sh
 source "$(dirname "$0")/_lib/halt-check.sh"
 check_halt
 REA_ROOT=$(rea_root)
 
-# ── 4. Parse command ──────────────────────────────────────────────────────────
-CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
-
-if [[ -z "$CMD" ]]; then
-  exit 0
-fi
-
-# ── 5. Detect package install commands ────────────────────────────────────────
-# Match: npm install <pkg>, npm i <pkg>, pnpm add <pkg>, yarn add <pkg>
-# Skip: npm install (no args), npm ci, npm install --save-dev (without new pkg)
+proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
 
-extract_packages() {
-  local cmd="$1"
-
-  # 0.15.0 fix: the previous parser ran `grep` against the entire bash
-  # command string with no segment boundary anchor. A heredoc body or
-  # commit-message containing `pnpm install` (e.g. inside
-  # `git commit -m "$(cat <<EOF ... pnpm install ... EOF)"`) matched the
-  # grep, the `.*` in the sed stripped up to that occurrence, and the rest
-  # of the command (`chore:`, `&&`, `||`, etc.) was passed to
-  # `npm view <token> name` and reported as missing packages. The hook
-  # then refused to commit perfectly innocent code.
-  #
-  # Fix: split the command on shell command separators (`;`, `&&`, `||`,
-  # `|`, newlines) and only run the install-detection on segments whose
-  # FIRST non-whitespace token is one of the install commands. Heredoc
-  # bodies inside `$()` substitutions are NOT split into separate segments
-  # — the entire `$(cat <<EOF ... EOF)` is one token attached to the
-  # outer command — but they're never the FIRST token on a segment, so
-  # the anchor rejects them.
-
-  # 0.17.0 helix-017 #3: unwrap nested-shell wrappers (`bash -c 'PAYLOAD'`,
-  # `sh -lc "PAYLOAD"`, etc.) before splitting so the inner install
-  # command becomes a segment that anchors against the install-pattern
-  # check below. Pre-fix `bash -lc 'npm install pkg'` produced a single
-  # segment whose first token was `bash` — install-detection skipped.
-  # 0.17.0 helix-019 #3: delegate splitting to the shared
-  # `_rea_split_segments` so this gate inherits the full separator set
-  # (including bare `&` background-process operator added in 0.16.1)
-  # and the quote-mask that prevents over-fire from in-quote separators.
-  # Pre-fix the local segmenter splat on `|||&&|;|` only, missing bare
-  # `&` — `echo warmup & pnpm add lodash` stayed merged into one segment
-  # and the install-pattern leading-token check skipped it entirely.
-  local segments
-  if [ -f "$(dirname "$0")/_lib/cmd-segments.sh" ]; then
-    # shellcheck source=_lib/cmd-segments.sh
-    source "$(dirname "$0")/_lib/cmd-segments.sh"
-    segments=$(_rea_split_segments "$cmd")
-  else
-    # Fallback (lib unavailable): legacy local splitter preserved.
-    segments=$(printf '%s\n' "$cmd" | sed -E 's/(\|\||\&\&|;|\||\&)/\n/g')
+# 2. Relevance pre-gate. Look for any install-pattern keyword.
+#
+#    2026-05-15 codex round-2 P2 fix: scan `tool_input.command` ONLY,
+#    not the raw JSON payload. Pre-fix `git commit -m "docs: run pnpm
+#    install foo before start"` triggered the fail-closed branch on a
+#    fresh checkout (the install-pattern regex hit the substring
+#    inside the commit-message ARG of the git command, not a real
+#    install invocation). The Node body's segment-anchored matcher
+#    correctly distinguishes between the two — the shim's pre-gate
+#    must match that posture.
+#
+#    `jq`-less fallback preserves the pre-0.33.0 over-trigger shape.
+INPUT=$(cat)
+RELEVANT=0
+PROBE=""
+if command -v jq >/dev/null 2>&1; then
+  PROBE=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // ""' 2>/dev/null || true)
+  if printf '%s' "$PROBE" | grep -qE '(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]'; then
+    RELEVANT=1
   fi
-
-  while IFS= read -r segment; do
-    # Trim leading whitespace.
-    segment="${segment#"${segment%%[![:space:]]*}"}"
-    # Anchor to start: only match when the install command is the FIRST
-    # thing on the segment, optionally preceded by `sudo` / `exec` /
-    # `time` / etc.
-    #
-    # 0.16.1 helix-016 P2 fix: also strip leading KEY=VALUE env-var
-    # assignments. Pre-fix the prefix allow-list only permitted
-    # sudo/exec/time, so `CI=1 pnpm add foo` and
-    # `NODE_ENV=development npm install bar` bypassed the audit
-    # entirely. POSIX shell allows any number of leading KEY=VALUE
-    # assignments before the command word; we strip them the same
-    # way the shell does.
-    local stripped_segment
-    stripped_segment=$(printf '%s' "$segment" | sed -E 's/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*=[^[:space:]]+[[:space:]]+)+//')
-
-    if printf '%s' "$stripped_segment" | grep -qiE '^(sudo[[:space:]]+|exec[[:space:]]+|time[[:space:]]+)*(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]+'; then
-      # Strip the leading prefix wrappers + install command, leaving args.
-      local after_cmd
-      after_cmd=$(printf '%s' "$stripped_segment" | sed -E 's/^(sudo[[:space:]]+|exec[[:space:]]+|time[[:space:]]+)*(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]+//')
-
-      for token in $after_cmd; do
-        if [[ "$token" == -* ]]; then continue; fi
-        if [[ "$token" == ./* || "$token" == /* || "$token" == ../* ]]; then continue; fi
-        if [[ -z "$token" ]]; then continue; fi
-        # 0.16.1: tighten token classification (helix-016 sibling concern).
-        # A "package name" is something that doesn't contain shell
-        # metacharacters — `2>&1`, `$VAR`, etc. are never valid npm
-        # package names. Skip any token containing `=`, `>`, `<`, `&`,
-        # `|`, `;`, `$`, backtick, or quotes.
-        if [[ "$token" == *=* || "$token" == *">"* || "$token" == *"<"* ||
-              "$token" == *"&"* || "$token" == *"|"* || "$token" == *";"* ||
-              "$token" == *'$'* || "$token" == *'`'* ||
-              "$token" == *'"'* || "$token" == *"'"* ]]; then continue; fi
-        # `npm view` can't validate `@workspace:*` / `link:` / `file:`
-        # prefixes (workspace protocols). Skip them — they're never npm
-        # registry packages.
-        if [[ "$token" == workspace:* || "$token" == link:* || "$token" == file:* || "$token" == git+* ]]; then continue; fi
-        local pkg_name
-        pkg_name=$(printf '%s' "$token" | sed -E 's/@[^@/]+$//')
-        if [[ -z "$pkg_name" ]]; then
-          pkg_name="$token"
-        fi
-        printf '%s\n' "$pkg_name"
-      done
-    fi
-  done <<< "$segments"
-}
-
-PACKAGES=$(extract_packages "$CMD")
-
-if [[ -z "$PACKAGES" ]]; then
+else
+  if printf '%s' "$INPUT" | grep -qE '(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]'; then
+    RELEVANT=1
+  fi
+fi
+if [ "$RELEVANT" -eq 0 ]; then
   exit 0
 fi
 
-# ── 6. Verify packages exist on registry ──────────────────────────────────────
-FAILED=""
-CHECKED=0
+# 3. Resolve the rea CLI.
+REA_ARGV=()
+RESOLVED_CLI_PATH=""
+if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
+elif [ -f "$proj/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
+fi
 
-while IFS= read -r pkg; do
-  [[ -z "$pkg" ]] && continue
-  CHECKED=$((CHECKED + 1))
+if [ "${#REA_ARGV[@]}" -eq 0 ]; then
+  printf 'rea: dependency-audit-gate cannot run — the rea CLI is not built.\n' >&2
+  printf 'Run `pnpm install && pnpm build` (or `npm install` for a consumer install) to restore protection.\n' >&2
+  exit 2
+fi
 
-  # Cap at 5 packages per command to avoid slow hook
-  if [[ $CHECKED -gt 5 ]]; then
-    break
-  fi
+# 4. Realpath sandbox check.
+if ! command -v node >/dev/null 2>&1; then
+  printf 'rea: dependency-audit-gate cannot run — `node` is not on PATH.\n' >&2
+  exit 2
+fi
 
-  # Use npm view to check if package exists
-  # macOS doesn't have `timeout` by default, use a background process with kill
-  if command -v timeout >/dev/null 2>&1; then
-    if ! timeout 5 npm view "$pkg" name >/dev/null 2>&1; then
-      FAILED="${FAILED}  - ${pkg}\n"
-    fi
-  else
-    # Fallback: run npm view without timeout (still fast for simple checks)
-    if ! npm view "$pkg" name >/dev/null 2>&1; then
-      FAILED="${FAILED}  - ${pkg}\n"
-    fi
-  fi
-done <<< "$PACKAGES"
+sandbox_check=$(node -e '
+  const fs = require("fs");
+  const path = require("path");
+  const cli = process.argv[1];
+  const projDir = process.argv[2];
+  let real, realProj;
+  try { real = fs.realpathSync(cli); } catch (e) {
+    process.stdout.write("bad:realpath"); process.exit(1);
+  }
+  try { realProj = fs.realpathSync(projDir); } catch (e) {
+    process.stdout.write("bad:realpath-proj"); process.exit(1);
+  }
+  const sep = path.sep;
+  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
+  if (!(real === realProj || real.startsWith(projWithSep))) {
+    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
+  }
+  let cur = path.dirname(path.dirname(path.dirname(real)));
+  let found = false;
+  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
+    const pj = path.join(cur, "package.json");
+    if (fs.existsSync(pj)) {
+      try {
+        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
+        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
+      } catch (e) { /* keep walking */ }
+    }
+    cur = path.dirname(cur);
+  }
+  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
+  process.stdout.write("ok");
+' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
+
+if [ "$sandbox_check" != "ok" ]; then
+  printf 'rea: dependency-audit-gate FAILED sandbox check (%s) — refusing.\n' "$sandbox_check" >&2
+  exit 2
+fi
 
-if [[ -n "$FAILED" ]]; then
-  {
-    printf 'DEPENDENCY AUDIT: Package not found on npm registry\n'
-    printf '\n'
-    printf '  The following packages could not be verified:\n'
-    printf '%b' "$FAILED"
-    printf '\n'
-    printf '  Rule: All packages must exist on the npm registry before installation.\n'
-    printf '  Check: Is the package name spelled correctly? Does it exist on npmjs.com?\n'
-  } >&2
+# 5. Version-probe.
+probe_out=$("${REA_ARGV[@]}" hook dependency-audit-gate --help 2>&1)
+probe_status=$?
+if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'dependency-audit-gate'; then
+  printf 'rea: this shim requires the `rea hook dependency-audit-gate` subcommand (introduced in 0.33.0).\n' >&2
+  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
+  printf 'Run `pnpm install` (or `npm install`) to sync the CLI; refusing in the meantime to preserve enforcement.\n' >&2
   exit 2
 fi
 
-exit 0
+# 6. Forward stdin.
+printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook dependency-audit-gate
+exit $?

package/hooks/env-file-protection.sh

@@ -1,124 +1,157 @@
 #!/bin/bash
 # PreToolUse hook: env-file-protection.sh
-# Fires BEFORE every Bash tool call.
-# Blocks commands that read .env* / .envrc files via shell text utilities.
+# 0.33.0+ — Node-binary shim for `rea hook env-file-protection`.
 #
-# Rationale: .env files contain credentials. Reading them via Bash exposes
-# the values in command output, logs, and agent transcripts. Load credentials
-# in code only (process.env, os.environ, etc.) — never via shell reads.
+# Pre-0.33.0 the gate's full body lived here as bash (124 LOC, the
+# segment splitter + `source`/`cp` anchor patterns + utility-vs-.env
+# co-occurrence check). The migration to the parser-backed Node binary
+# moves all of that into `src/hooks/env-file-protection/index.ts`. This
+# shim is the Claude Code dispatcher's view of the hook — it forwards
+# stdin to the CLI and exits with whatever the CLI returns.
 #
-# Trigger: command matches ALL of:
-#   1. Uses a text-reading utility (list below)
-#   2. References a .env* or .envrc filename
+# Behavioral contract is preserved byte-for-byte: exit 0 on
+# pass-through / no-match, exit 2 on HALT / .env access detected /
+# malformed payload (fail-closed).
 #
-# Exit codes:
-#   0 = allow
-#   2 = block (env file read detected)
+# # CLI-resolution trust boundary
+#
+# Mirrors the 0.32.0 final shim shape (round-8 of the codex iteration
+# on the three Phase 1 pilots). The resolved CLI MUST live INSIDE
+# realpath(CLAUDE_PROJECT_DIR) AND have an ancestor `package.json`
+# whose `name` is `@bookedsolid/rea`. Defends against symlink-out and
+# tarball-replacement attacks on the resolved CLI.
+#
+# # Fail-closed posture
+#
+# env-file-protection is a BLOCKING-tier gate — the pre-0.33.0 bash
+# body refused on .env access without a compiled CLI. The early-exit
+# branches (CLI missing, node missing, sandbox failed, version skew)
+# fail closed AFTER the relevance pre-gate passes. Irrelevant Bash
+# calls exit 0 regardless of CLI state.
 
 set -uo pipefail
 
-# Source shared shell-segment splitter (0.15.0). Replaces full-command
-# grep that false-positives on commit messages mentioning `.env` (e.g.
-# `git commit -m "stop reading .env via cat"`).
-# shellcheck source=_lib/cmd-segments.sh
-source "$(dirname "$0")/_lib/cmd-segments.sh"
-
-INPUT=$(cat)
-
-# ── Dependency check ──────────────────────────────────────────────────────────
-if ! command -v jq >/dev/null 2>&1; then
-  printf 'REA ERROR: jq is required but not installed.\n' >&2
-  printf 'Install: brew install jq  OR  apt-get install -y jq\n' >&2
-  exit 2
-fi
-
-# ── HALT check ────────────────────────────────────────────────────────────────
-# 0.16.0: HALT check sourced from shared _lib/halt-check.sh.
+# 1. HALT check.
 # shellcheck source=_lib/halt-check.sh
 source "$(dirname "$0")/_lib/halt-check.sh"
 check_halt
 REA_ROOT=$(rea_root)
 
-CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
 
-if [[ -z "$CMD" ]]; then
+# 2. Relevance pre-gate. Capture stdin + check for `.env` substring
+#    BEFORE any CLI/sandbox/probe work so unrelated Bash calls
+#    (`ls`, `pnpm test`, `git status`, …) exit 0 even when the CLI
+#    is missing/stale/sandboxed-out.
+#
+#    2026-05-15 codex round-2 P2 fix: the substring scan MUST run
+#    against `tool_input.command` ONLY, not the raw JSON payload —
+#    otherwise a benign `git commit -m "stop reading .env"` (where
+#    `.env` appears inside the commit message ARG, NOT as a file
+#    target) would hit the fail-closed branch on a fresh checkout
+#    where the CLI is unbuilt. Pre-fix the raw scan saw the substring
+#    inside the payload's "command" string-quoted body and refused.
+#
+#    Strategy: extract `tool_input.command` via `jq` (already required
+#    by 5 other hooks; trust assumption is consistent). When `jq` is
+#    not installed, fall back to scanning the raw payload — the cost
+#    is the same over-trigger the bash original had, NOT a new
+#    regression. When `jq` IS installed (the common case), the
+#    pre-gate is field-scoped.
+INPUT=$(cat)
+RELEVANT=0
+PROBE=""
+if command -v jq >/dev/null 2>&1; then
+  PROBE=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // ""' 2>/dev/null || true)
+  if printf '%s' "$PROBE" | grep -qE '\.env'; then
+    RELEVANT=1
+  fi
+else
+  # jq-less fallback — match the pre-0.33.0 over-trigger posture.
+  if printf '%s' "$INPUT" | grep -qE '\.env'; then
+    RELEVANT=1
+  fi
+fi
+if [ "$RELEVANT" -eq 0 ]; then
   exit 0
 fi
 
-truncate_cmd() {
-  local STR="$1"
-  local MAX=100
-  if [[ ${#STR} -gt $MAX ]]; then
-    printf '%s' "${STR:0:$MAX}..."
-  else
-    printf '%s' "$STR"
-  fi
-}
+# 3. Resolve the rea CLI through the fixed 2-tier sandboxed order.
+REA_ARGV=()
+RESOLVED_CLI_PATH=""
+if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
+elif [ -f "$proj/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
+fi
 
-# Text-reading utilities (shell and common alternatives)
-# Defense-in-depth: this list catches the most common shell-based exfiltration
-# vectors. It is NOT exhaustive. Known gaps include:
-#   - Docker volume mounts (docker run -v .env:/...) — separate concern
-#   - Editor commands (vim, nano, code) — not typically used by agents
-#   - Redirects/process substitution (< .env) without a listed utility
-#   - Network tools (curl file://, nc) — low-risk in agent context
-# The goal is to block casual and accidental reads, not defeat a determined
-# adversary with shell access.
-PATTERN_UTILITY='(cat|head|tail|less|more|grep|sed|awk|bat|strings|printf|xargs|tee|jq|python3?[[:space:]]+-c|ruby[[:space:]]+-e)[[:space:]]'
-# Also catch: source/., cp (reads then writes elsewhere).
-#
-# 0.16.3 discord-ops Round 9 #4 fix: anchored on segment-start. Pre-fix
-# `any_segment_matches` matched anywhere in the segment, so
-# `git commit -m "fix: don't source .env files"` fired even though no
-# real source-of-.env was happening — the trigger words appeared inside
-# the quoted commit-message body. The patterns are command prefixes
-# (`source PATH`, `. PATH`, `cp X PATH`), so segment-start anchoring is
-# the correct shape.
-PATTERN_SOURCE='(source|\.)[[:space:]]+[^;|&]*\.env'
-PATTERN_CP_ENV='cp[[:space:]]+[^;|&]*\.env'
-# .env* files or .envrc (direnv)
-PATTERN_ENV_FILE='(\.env[a-zA-Z0-9._-]*|\.envrc)([[:space:]]|"|'"'"'|$)'
+if [ "${#REA_ARGV[@]}" -eq 0 ]; then
+  # Blocking-tier: fail closed. The pre-0.33.0 bash body enforced
+  # .env protection without a CLI. Refuse and tell the operator how
+  # to restore protection.
+  printf 'rea: env-file-protection cannot run — the rea CLI is not built.\n' >&2
+  printf 'Run `pnpm install && pnpm build` (or `npm install` for a consumer install) to restore protection.\n' >&2
+  printf 'This shim fails closed because the pre-0.33.0 bash body enforced .env protection without a CLI.\n' >&2
+  exit 2
+fi
 
-# 0.16.2 helix-017 P2 #2: utility AND env-filename must co-occur within
-# the SAME shell segment. Pre-fix this set two independent booleans
-# (any segment with utility OR any segment with .env) and AND'd them,
-# which false-positived across multi-segment constructions like
-# `echo "log: cat is broken" ; touch foo.env` (utility in segment 1,
-# .env name in segment 2). Detection is fundamentally a same-segment
-# co-occurrence property.
-MATCHES_BOTH_SAME_SEGMENT=0
-if any_segment_matches_both "$CMD" "$PATTERN_UTILITY" "$PATTERN_ENV_FILE"; then
-  MATCHES_BOTH_SAME_SEGMENT=1
+# 4. Realpath sandbox check.
+if ! command -v node >/dev/null 2>&1; then
+  printf 'rea: env-file-protection cannot run — `node` is not on PATH.\n' >&2
+  printf 'Install Node 22+ (engines.node) to restore .env protection.\n' >&2
+  exit 2
 fi
 
-# Direct source/cp of .env files — always block (segment-start anchored
-# per discord-ops Round 9 #4).
-if any_segment_starts_with "$CMD" "$PATTERN_SOURCE" || \
-   any_segment_starts_with "$CMD" "$PATTERN_CP_ENV"; then
-  TRUNCATED_CMD=$(truncate_cmd "$CMD")
-  {
-    printf 'ENV FILE PROTECTION: Direct sourcing or copying of .env files is blocked.\n'
-    printf '\n'
-    printf '  Command: %s\n' "$TRUNCATED_CMD"
-    printf '\n'
-    printf '  Rule: Load credentials in code only — never via shell source or cp.\n'
-    printf '  Use: process.env.VAR_NAME, os.environ["VAR_NAME"], etc.\n'
-  } >&2
+sandbox_check=$(node -e '
+  const fs = require("fs");
+  const path = require("path");
+  const cli = process.argv[1];
+  const projDir = process.argv[2];
+  let real, realProj;
+  try { real = fs.realpathSync(cli); } catch (e) {
+    process.stdout.write("bad:realpath"); process.exit(1);
+  }
+  try { realProj = fs.realpathSync(projDir); } catch (e) {
+    process.stdout.write("bad:realpath-proj"); process.exit(1);
+  }
+  const sep = path.sep;
+  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
+  if (!(real === realProj || real.startsWith(projWithSep))) {
+    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
+  }
+  let cur = path.dirname(path.dirname(path.dirname(real)));
+  let found = false;
+  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
+    const pj = path.join(cur, "package.json");
+    if (fs.existsSync(pj)) {
+      try {
+        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
+        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
+      } catch (e) { /* keep walking */ }
+    }
+    cur = path.dirname(cur);
+  }
+  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
+  process.stdout.write("ok");
+' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
+
+if [ "$sandbox_check" != "ok" ]; then
+  printf 'rea: env-file-protection FAILED sandbox check (%s) — refusing.\n' "$sandbox_check" >&2
   exit 2
 fi
 
-if [[ $MATCHES_BOTH_SAME_SEGMENT -eq 1 ]]; then
-  TRUNCATED_CMD=$(truncate_cmd "$CMD")
-  {
-    printf 'ENV FILE PROTECTION: Reading .env files via Bash is blocked.\n'
-    printf '\n'
-    printf '  Command: %s\n' "$TRUNCATED_CMD"
-    printf '\n'
-    printf '  Rule: Load credentials in code only, never via shell.\n'
-    printf '  Use: process.env.VAR_NAME, os.environ["VAR_NAME"], etc.\n'
-    printf '  .env files must not be read via shell utilities in agent sessions.\n'
-  } >&2
+# 5. Version-probe.
+probe_out=$("${REA_ARGV[@]}" hook env-file-protection --help 2>&1)
+probe_status=$?
+if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'env-file-protection'; then
+  printf 'rea: this shim requires the `rea hook env-file-protection` subcommand (introduced in 0.33.0).\n' >&2
+  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
+  printf 'Run `pnpm install` (or `npm install`) to sync the CLI; refusing in the meantime to preserve enforcement.\n' >&2
   exit 2
 fi
 
-exit 0
+# 6. Forward stdin (already captured up-front for the relevance gate).
+printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook env-file-protection
+exit $?

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.32.0",
+  "version": "0.33.0",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",