@bookedsolid/rea 0.32.0 → 0.34.0

package/dist/cli/hook.js

@@ -39,6 +39,13 @@ import { checkHalt, formatHaltBanner } from '../hooks/_lib/halt-check.js';
 import { runHookPrIssueLinkGate } from '../hooks/pr-issue-link-gate/index.js';
 import { runHookSecurityDisclosureGate } from '../hooks/security-disclosure-gate/index.js';
 import { runHookAttributionAdvisory } from '../hooks/attribution-advisory/index.js';
+import { runHookEnvFileProtection } from '../hooks/env-file-protection/index.js';
+import { runHookDependencyAuditGate } from '../hooks/dependency-audit-gate/index.js';
+import { runHookChangesetSecurityGate } from '../hooks/changeset-security-gate/index.js';
+import { runHookArchitectureReviewGate } from '../hooks/architecture-review-gate/index.js';
+import { runHookDangerousBashInterceptor } from '../hooks/dangerous-bash-interceptor/index.js';
+import { runHookLocalReviewGate } from '../hooks/local-review-gate/index.js';
+import { runHookSecretScanner } from '../hooks/secret-scanner/index.js';
 import { loadPolicy } from '../policy/loader.js';
 import { appendAuditRecord, InvocationStatus, Tier } from '../audit/append.js';
 import { CODEX_REVIEW_TOOL_NAME, CODEX_REVIEW_SERVER_NAME, } from '../audit/codex-event.js';
@@ -973,6 +980,48 @@ export function registerHookCommand(program) {
         .action(async () => {
         await runHookAttributionAdvisory();
     });
+    hook
+        .command('env-file-protection')
+        .description('Node-binary port of `hooks/env-file-protection.sh` (0.33.0). Reads a Claude Code PreToolUse Bash payload from stdin; when the command sources, cps, or reads a `.env*`/`.envrc` file via text-reading utilities (cat/head/tail/grep/sed/awk/etc.), exits 2 with banner. Same-segment co-occurrence required for the utility-vs-filename match so multi-segment commands do not false-positive.')
+        .action(async () => {
+        await runHookEnvFileProtection();
+    });
+    hook
+        .command('dependency-audit-gate')
+        .description('Node-binary port of `hooks/dependency-audit-gate.sh` (0.33.0). Reads a Claude Code PreToolUse Bash payload from stdin; when the command is `(npm|pnpm|yarn) (install|i|add) <pkg>`, verifies each named package exists on the npm registry via `npm view <pkg> name` (5s timeout, capped at 5 packages/command). Exit 2 with multi-line banner on any missing package, otherwise exit 0.')
+        .action(async () => {
+        await runHookDependencyAuditGate();
+    });
+    hook
+        .command('changeset-security-gate')
+        .description('Node-binary port of `hooks/changeset-security-gate.sh` (0.33.0). Reads a Claude Code PreToolUse Write/Edit/MultiEdit/NotebookEdit payload from stdin; for writes targeting `.changeset/*.md`, blocks GHSA/CVE pre-disclosure and validates frontmatter (`---`-delimited block with `<pkg>: (patch|minor|major)` + non-empty description). MultiEdit short-circuits frontmatter validation because fragments are not full files. Block emissions use the Claude Code JSON-on-stdout protocol.')
+        .action(async () => {
+        await runHookChangesetSecurityGate();
+    });
+    hook
+        .command('architecture-review-gate')
+        .description('Node-binary port of `hooks/architecture-review-gate.sh` (0.33.0). PostToolUse Write/Edit advisory. Reads `policy.architecture_review.patterns` and prints an advisory banner to stderr when the just-written file matches a configured prefix. ALWAYS exits 0 unless HALT (exit 2). Path normalization handles Windows backslashes + URL-encoding; empty/unset patterns short-circuit silently.')
+        .action(async () => {
+        await runHookArchitectureReviewGate();
+    });
+    hook
+        .command('dangerous-bash-interceptor')
+        .description('Node-binary port of `hooks/dangerous-bash-interceptor.sh` (0.34.0). PreToolUse Bash gate that blocks destructive commands. Catalog of 17 HIGH (H1-H17) + 1 MEDIUM (M1) rules: force-push, --no-verify, HUSKY=0, rm -rf broad targets, curl|sh pipe-RCE, REA_BYPASS, alias/function-with-bypass, psql DROP, context_protection delegate enforcement. Exit 2 on HIGH match, 0 on MEDIUM-only advisory or pass-through.')
+        .action(async () => {
+        await runHookDangerousBashInterceptor();
+    });
+    hook
+        .command('local-review-gate')
+        .description('Node-binary port of `hooks/local-review-gate.sh` (0.34.0). PreToolUse Bash gate refusing `git push` (and optionally `git commit`) until a recent `rea.local_review` audit entry covers HEAD. Honors `policy.review.local_review.{mode=off|enforced, refuse_at=push|commit|both, bypass_env_var}`. Mode=off short-circuits silently; bypass var (default REA_SKIP_LOCAL_REVIEW) accepts process-env (global) or per-segment inline `VAR="<reason>" git push` shapes. CTO directive 2026-05-05 enforcement.')
+        .action(async () => {
+        await runHookLocalReviewGate();
+    });
+    hook
+        .command('secret-scanner')
+        .description('Node-binary port of `hooks/secret-scanner.sh` (0.34.0). PreToolUse Write/Edit/MultiEdit/NotebookEdit pre-write credential gate. Catalog of 12 HIGH + 5 MEDIUM patterns (AWS, Anthropic, GitHub, Stripe live/test, Supabase JWT, generic SECRET=, private-key armor, DB connection strings). awk-style line filter strips shell comments and `process.env.VAR` RHS assignments; `is_placeholder` filter drops `<your_key>`/`test_token`/`aaaaaaa` shapes. HIGH match → exit 2; MEDIUM-only → exit 0 with advisory. Suffix-excludes `.env.example`/`.env.sample`.')
+        .action(async () => {
+        await runHookSecretScanner();
+    });
     hook
         .command('policy-get')
         .description('Read a value from `.rea/policy.yaml` via the canonical YAML parser. Used by bash-tier hooks (`hooks/_lib/policy-read.sh::policy_nested_scalar`) so inline AND block YAML forms agree at a single source of truth. Default scalar mode: prints raw value or empty. With `--json`: emits JSON (scalar or object/array; missing path → `null`). Unparseable YAML → empty / null, exit 1.')

package/dist/hooks/_lib/payload.d.ts

@@ -68,6 +68,44 @@ export declare class TypePayloadError extends Error {
  *         non-string type.
  */
 export declare function parseHookPayload(raw: string | Buffer): HookPayload;
+/**
+ * Result of a write-tier hook payload extraction. Covers all four
+ * write-class tools (Write, Edit, MultiEdit, NotebookEdit).
+ */
+export interface WriteHookPayload {
+    /** `tool_name` from the payload, or `''` when absent. */
+    toolName: string;
+    /**
+     * `tool_input.file_path` (Write/Edit/MultiEdit) OR
+     * `tool_input.notebook_path` (NotebookEdit), or `''` when absent.
+     */
+    filePath: string;
+    /**
+     * Concatenated content payload. Resolution order matches
+     * `hooks/_lib/payload-read.sh::extract_write_content`:
+     *
+     *   1. `tool_input.content`                     (Write)
+     *   2. `tool_input.new_string`                  (Edit)
+     *   3. `tool_input.edits[].new_string` joined   (MultiEdit, `\n`)
+     *   4. `tool_input.new_source`                  (NotebookEdit cell)
+     *
+     * Returns `''` when none of these are present. Defensive coercion:
+     * a non-string `new_string`, non-array `edits`, or non-string
+     * fragments fail closed (treated as missing) rather than throwing —
+     * mirrors the bash hook's `.tool_input.new_string // ""` + the
+     * type-guard branches added in 0.16.0.
+     */
+    content: string;
+}
+/**
+ * Parse a Claude Code Write/Edit/MultiEdit/NotebookEdit stdin payload.
+ *
+ * Same fail-closed posture as `parseHookPayload`: malformed JSON →
+ * throws `MalformedPayloadError`; type-mismatched fields → throws
+ * `TypePayloadError`. Callers fail-closed on these for blocking-tier
+ * gates (changeset-security-gate refuses on uncertainty).
+ */
+export declare function parseWriteHookPayload(raw: string | Buffer): WriteHookPayload;
 /**
  * Read all of stdin into a string with a soft byte cap and a hard
  * timeout. Mirrors the `readStdinWithTimeout` helper in

package/dist/hooks/_lib/payload.js

@@ -104,6 +104,85 @@ export function parseHookPayload(raw) {
     }
     return { toolName, command };
 }
+/**
+ * Parse a Claude Code Write/Edit/MultiEdit/NotebookEdit stdin payload.
+ *
+ * Same fail-closed posture as `parseHookPayload`: malformed JSON →
+ * throws `MalformedPayloadError`; type-mismatched fields → throws
+ * `TypePayloadError`. Callers fail-closed on these for blocking-tier
+ * gates (changeset-security-gate refuses on uncertainty).
+ */
+export function parseWriteHookPayload(raw) {
+    const text = typeof raw === 'string' ? raw : raw.toString('utf8');
+    if (text.trim().length === 0) {
+        return { toolName: '', filePath: '', content: '' };
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(text);
+    }
+    catch (err) {
+        const detail = err instanceof Error ? err.message : String(err);
+        throw new MalformedPayloadError(`hook payload is not valid JSON: ${detail}`);
+    }
+    if (parsed === null) {
+        return { toolName: '', filePath: '', content: '' };
+    }
+    if (typeof parsed !== 'object' || Array.isArray(parsed)) {
+        throw new MalformedPayloadError(`hook payload top-level is ${Array.isArray(parsed) ? 'array' : typeof parsed}, expected object`);
+    }
+    const toolName = typeof parsed.tool_name === 'string' ? parsed.tool_name : '';
+    const ti = parsed.tool_input;
+    let filePath = '';
+    let content = '';
+    if (ti !== undefined && ti !== null) {
+        if (typeof ti !== 'object') {
+            throw new TypePayloadError(`hook payload tool_input is ${typeof ti}, expected object`);
+        }
+        // file_path or notebook_path. Both are optional; either string or absent.
+        if (ti.file_path !== undefined) {
+            if (typeof ti.file_path !== 'string') {
+                throw new TypePayloadError(`hook payload tool_input.file_path is ${typeof ti.file_path}, expected string`);
+            }
+            filePath = ti.file_path;
+        }
+        else if (ti.notebook_path !== undefined) {
+            if (typeof ti.notebook_path !== 'string') {
+                throw new TypePayloadError(`hook payload tool_input.notebook_path is ${typeof ti.notebook_path}, expected string`);
+            }
+            filePath = ti.notebook_path;
+        }
+        // Content extraction — same priority order as the bash hook.
+        if (typeof ti.content === 'string' && ti.content.length > 0) {
+            content = ti.content;
+        }
+        else if (typeof ti.new_string === 'string' && ti.new_string.length > 0) {
+            content = ti.new_string;
+        }
+        else if (Array.isArray(ti.edits) && ti.edits.length > 0) {
+            // Defensive: non-string `new_string` fragments collapse to ''
+            // (matches the bash helper's `// ""` + `tostring`). The
+            // concatenation order is bash hook's `join("\n")`.
+            const parts = [];
+            for (const edit of ti.edits) {
+                if (edit === null || typeof edit !== 'object')
+                    continue;
+                const e = edit;
+                if (typeof e.new_string === 'string') {
+                    parts.push(e.new_string);
+                }
+                else {
+                    parts.push('');
+                }
+            }
+            content = parts.join('\n');
+        }
+        else if (typeof ti.new_source === 'string' && ti.new_source.length > 0) {
+            content = ti.new_source;
+        }
+    }
+    return { toolName, filePath, content };
+}
 /**
  * Read all of stdin into a string with a soft byte cap and a hard
  * timeout. Mirrors the `readStdinWithTimeout` helper in

package/dist/hooks/_lib/segments.d.ts

@@ -69,6 +69,14 @@ export interface CommandSegment {
  * Split `cmd` into segments using the quote-aware masking → split →
  * unmask pipeline. Returns an array of `{ raw, head }` tuples in the
  * order they appeared in the original command.
+ *
+ * 0.33.0 — nested-shell unwrapping was added on top of the original
+ * 0.32.0 splitter. When a segment's head is `bash -c|-lc|--c PAYLOAD`
+ * or `sh -c|-lc|--c PAYLOAD` (any combination of `-l` and `-c` flags),
+ * the PAYLOAD inside the quoted arg becomes additional segments
+ * appended after the wrapper segment. Mirrors the bash counterpart's
+ * `_rea_unwrap_nested_shells` (helix-017 #3 fix). Recurses up to
+ * `MAX_NESTED_DEPTH` levels.
  */
 export declare function splitSegments(cmd: string): CommandSegment[];
 /**
@@ -98,3 +106,122 @@ export declare function anySegmentStartsWith(cmd: string, regexSource: string):
  * Case-INSENSITIVE, extended regex. Same posture as the bash helper.
  */
 export declare function anySegmentMatches(cmd: string, regexSource: string): boolean;
+/**
+ * Returns true if any single segment's RAW text contains matches for
+ * BOTH `regexA` AND `regexB`. Mirrors `any_segment_matches_both` from
+ * the bash counterpart — used by `env-file-protection` to require that
+ * a text-reading utility AND an `.env*` filename co-occur within the
+ * same shell segment (a multi-segment construction like
+ * `echo "log: cat .env stuff" ; touch foo.env` must NOT fire because
+ * the utility and filename live in different segments).
+ *
+ * Case-INSENSITIVE, extended regex on both patterns. Same posture as
+ * the bash helper.
+ *
+ * 0.33.0 port. The bash helper was introduced in 0.16.2 to fix the
+ * helix-017 P2 false-positive class where two independent booleans
+ * (any-utility OR any-env) were AND'd across segments.
+ */
+export declare function anySegmentMatchesBoth(cmd: string, regexA: string, regexB: string): boolean;
+/**
+ * Returns true if any segment's RAW text (env-var prefixes intact, only
+ * leading whitespace trimmed) matches the regex source. Mirrors
+ * `any_segment_raw_matches` in the bash counterpart — used by checks
+ * where the env-prefix itself IS the signal (`HUSKY=0 git`, `REA_BYPASS=`,
+ * `alias … = HUSKY=0`).
+ *
+ * 0.34.0 port — dangerous-bash-interceptor (H10, H15, H16) and
+ * local-review-gate (env-prefix git push detection) call into this.
+ * Note: callers anchor with `^` in the regex source when they want
+ * "starts at segment head"; we do not prepend `^` here.
+ */
+export declare function anySegmentRawMatches(cmd: string, regexSource: string): boolean;
+/**
+ * Returns true if any segment's RAW text contains a match for the
+ * regex source. Mirrors `any_segment_matches` in the bash counterpart —
+ * used by content-scan style checks. The regex matches anywhere in the
+ * segment (not anchored). Useful for `(psql|pgcli)[^|&;]*DROP[[:space:]]+(TABLE|…)`
+ * style patterns that must match across the whole segment but only
+ * within a single segment (a heredoc body in segment N or commit
+ * message in segment 1 must NOT poison segment N+1).
+ *
+ * 0.34.0 port — dangerous-bash-interceptor H6 calls into this.
+ */
+export declare function anySegmentContains(cmd: string, regexSource: string): boolean;
+/**
+ * Iterate over every segment of `cmd` and invoke `callback(raw, head)`
+ * for each. Mirrors `for_each_segment` in the bash counterpart —
+ * dangerous-bash-interceptor H1 uses this to walk each push segment
+ * independently (since one segment may include `--force-with-lease`
+ * while another carries an unsafe `--force`).
+ *
+ * The callback receives the raw segment (env-prefix preserved) and the
+ * prefix-stripped head. Return value is ignored.
+ *
+ * 0.34.0 port.
+ */
+export declare function forEachSegment(cmd: string, callback: (raw: string, head: string) => void): void;
+/**
+ * Quote-aware mask of in-quote separators. Mirrors `quote_masked_cmd`
+ * in the bash counterpart — produces a string where in-quote `|` / `;`
+ * / `&` characters are replaced with multi-byte sentinels so a caller's
+ * regex can match real (unquoted) instances of those bytes without
+ * false-positiving on quoted commit-message bodies (`git commit -m
+ * "curl|sh later"`).
+ *
+ * 0.34.0 port — dangerous-bash-interceptor H12 (`curl|sh` detection)
+ * uses this to scan the WHOLE command (not split into segments)
+ * without quoted-mention false positives.
+ *
+ * Implementation uses the same sentinel-byte alphabet the bash helper
+ * uses. Sentinels are public so callers can `.test()` against the
+ * masked output without accidentally tripping on them.
+ */
+export declare const INQUOTE_PIPE_SENTINEL = "__REA_INQUOTE_PIPE_a8f2c1__";
+export declare const INQUOTE_SEMI_SENTINEL = "__REA_INQUOTE_SC_a8f2c1__";
+export declare const INQUOTE_AMP_SENTINEL = "__REA_INQUOTE_AMP_a8f2c1__";
+export declare function quoteMaskedCmd(cmd: string): string;
+/**
+ * Walk the nested-shell unwrap chain and emit `cmd` PLUS each inner
+ * payload as a separate string. Mirrors `_rea_unwrap_nested_shells`
+ * in the bash counterpart.
+ *
+ * Used by dangerous-bash-interceptor H12 (`curl|sh` detection) so a
+ * payload like `zsh -c "curl https://x | sh"` is scanned for the pipe
+ * shape even though the literal `|` is inside quotes at the outer
+ * level. The H12 check then runs `quoteMaskedCmd` against each
+ * emitted line independently.
+ *
+ * Depth-bounded at MAX_NESTED_DEPTH (8) — same as `splitSegments`.
+ *
+ * 0.34.0 port.
+ */
+export declare function unwrapNestedShells(cmd: string): string[];
+/**
+ * Return every segment of `cmd` whose prefix-stripped head matches the
+ * head-anchored regex source. Mirrors `find_all_segments_starting_with`
+ * in the bash counterpart.
+ *
+ * Returns each match as `{ raw, head }` so callers (local-review-gate's
+ * round-25 P1-B sweep) can validate per-segment bypass against the
+ * raw (env-prefix-intact) form.
+ *
+ * Case-INSENSITIVE. Empty array on no matches.
+ *
+ * 0.34.0 port.
+ */
+export declare function findAllSegmentsStartingWith(cmd: string, regexSource: string): CommandSegment[];
+/**
+ * Return every segment of `cmd` whose RAW text (env-prefix intact,
+ * leading whitespace trimmed) matches the regex source. Mirrors
+ * `find_all_segments_raw_matches` in the bash counterpart.
+ *
+ * Companion to `findAllSegmentsStartingWith` for the env-prefix shapes
+ * the prefix-stripper bails on (quoted-value env-vars like
+ * `REA_SKIP="urgent fix"`).
+ *
+ * Case-INSENSITIVE. Empty array on no matches.
+ *
+ * 0.34.0 port.
+ */
+export declare function findAllSegmentsRawMatches(cmd: string, regexSource: string): CommandSegment[];