@bookedsolid/rea 0.33.0 → 0.34.0

package/dist/cli/hook.js

@@ -43,6 +43,9 @@ import { runHookEnvFileProtection } from '../hooks/env-file-protection/index.js'
 import { runHookDependencyAuditGate } from '../hooks/dependency-audit-gate/index.js';
 import { runHookChangesetSecurityGate } from '../hooks/changeset-security-gate/index.js';
 import { runHookArchitectureReviewGate } from '../hooks/architecture-review-gate/index.js';
+import { runHookDangerousBashInterceptor } from '../hooks/dangerous-bash-interceptor/index.js';
+import { runHookLocalReviewGate } from '../hooks/local-review-gate/index.js';
+import { runHookSecretScanner } from '../hooks/secret-scanner/index.js';
 import { loadPolicy } from '../policy/loader.js';
 import { appendAuditRecord, InvocationStatus, Tier } from '../audit/append.js';
 import { CODEX_REVIEW_TOOL_NAME, CODEX_REVIEW_SERVER_NAME, } from '../audit/codex-event.js';
@@ -1001,6 +1004,24 @@ export function registerHookCommand(program) {
         .action(async () => {
         await runHookArchitectureReviewGate();
     });
+    hook
+        .command('dangerous-bash-interceptor')
+        .description('Node-binary port of `hooks/dangerous-bash-interceptor.sh` (0.34.0). PreToolUse Bash gate that blocks destructive commands. Catalog of 17 HIGH (H1-H17) + 1 MEDIUM (M1) rules: force-push, --no-verify, HUSKY=0, rm -rf broad targets, curl|sh pipe-RCE, REA_BYPASS, alias/function-with-bypass, psql DROP, context_protection delegate enforcement. Exit 2 on HIGH match, 0 on MEDIUM-only advisory or pass-through.')
+        .action(async () => {
+        await runHookDangerousBashInterceptor();
+    });
+    hook
+        .command('local-review-gate')
+        .description('Node-binary port of `hooks/local-review-gate.sh` (0.34.0). PreToolUse Bash gate refusing `git push` (and optionally `git commit`) until a recent `rea.local_review` audit entry covers HEAD. Honors `policy.review.local_review.{mode=off|enforced, refuse_at=push|commit|both, bypass_env_var}`. Mode=off short-circuits silently; bypass var (default REA_SKIP_LOCAL_REVIEW) accepts process-env (global) or per-segment inline `VAR="<reason>" git push` shapes. CTO directive 2026-05-05 enforcement.')
+        .action(async () => {
+        await runHookLocalReviewGate();
+    });
+    hook
+        .command('secret-scanner')
+        .description('Node-binary port of `hooks/secret-scanner.sh` (0.34.0). PreToolUse Write/Edit/MultiEdit/NotebookEdit pre-write credential gate. Catalog of 12 HIGH + 5 MEDIUM patterns (AWS, Anthropic, GitHub, Stripe live/test, Supabase JWT, generic SECRET=, private-key armor, DB connection strings). awk-style line filter strips shell comments and `process.env.VAR` RHS assignments; `is_placeholder` filter drops `<your_key>`/`test_token`/`aaaaaaa` shapes. HIGH match → exit 2; MEDIUM-only → exit 0 with advisory. Suffix-excludes `.env.example`/`.env.sample`.')
+        .action(async () => {
+        await runHookSecretScanner();
+    });
     hook
         .command('policy-get')
         .description('Read a value from `.rea/policy.yaml` via the canonical YAML parser. Used by bash-tier hooks (`hooks/_lib/policy-read.sh::policy_nested_scalar`) so inline AND block YAML forms agree at a single source of truth. Default scalar mode: prints raw value or empty. With `--json`: emits JSON (scalar or object/array; missing path → `null`). Unparseable YAML → empty / null, exit 1.')

package/dist/hooks/_lib/segments.d.ts

@@ -123,3 +123,105 @@ export declare function anySegmentMatches(cmd: string, regexSource: string): boo
  * (any-utility OR any-env) were AND'd across segments.
  */
 export declare function anySegmentMatchesBoth(cmd: string, regexA: string, regexB: string): boolean;
+/**
+ * Returns true if any segment's RAW text (env-var prefixes intact, only
+ * leading whitespace trimmed) matches the regex source. Mirrors
+ * `any_segment_raw_matches` in the bash counterpart — used by checks
+ * where the env-prefix itself IS the signal (`HUSKY=0 git`, `REA_BYPASS=`,
+ * `alias … = HUSKY=0`).
+ *
+ * 0.34.0 port — dangerous-bash-interceptor (H10, H15, H16) and
+ * local-review-gate (env-prefix git push detection) call into this.
+ * Note: callers anchor with `^` in the regex source when they want
+ * "starts at segment head"; we do not prepend `^` here.
+ */
+export declare function anySegmentRawMatches(cmd: string, regexSource: string): boolean;
+/**
+ * Returns true if any segment's RAW text contains a match for the
+ * regex source. Mirrors `any_segment_matches` in the bash counterpart —
+ * used by content-scan style checks. The regex matches anywhere in the
+ * segment (not anchored). Useful for `(psql|pgcli)[^|&;]*DROP[[:space:]]+(TABLE|…)`
+ * style patterns that must match across the whole segment but only
+ * within a single segment (a heredoc body in segment N or commit
+ * message in segment 1 must NOT poison segment N+1).
+ *
+ * 0.34.0 port — dangerous-bash-interceptor H6 calls into this.
+ */
+export declare function anySegmentContains(cmd: string, regexSource: string): boolean;
+/**
+ * Iterate over every segment of `cmd` and invoke `callback(raw, head)`
+ * for each. Mirrors `for_each_segment` in the bash counterpart —
+ * dangerous-bash-interceptor H1 uses this to walk each push segment
+ * independently (since one segment may include `--force-with-lease`
+ * while another carries an unsafe `--force`).
+ *
+ * The callback receives the raw segment (env-prefix preserved) and the
+ * prefix-stripped head. Return value is ignored.
+ *
+ * 0.34.0 port.
+ */
+export declare function forEachSegment(cmd: string, callback: (raw: string, head: string) => void): void;
+/**
+ * Quote-aware mask of in-quote separators. Mirrors `quote_masked_cmd`
+ * in the bash counterpart — produces a string where in-quote `|` / `;`
+ * / `&` characters are replaced with multi-byte sentinels so a caller's
+ * regex can match real (unquoted) instances of those bytes without
+ * false-positiving on quoted commit-message bodies (`git commit -m
+ * "curl|sh later"`).
+ *
+ * 0.34.0 port — dangerous-bash-interceptor H12 (`curl|sh` detection)
+ * uses this to scan the WHOLE command (not split into segments)
+ * without quoted-mention false positives.
+ *
+ * Implementation uses the same sentinel-byte alphabet the bash helper
+ * uses. Sentinels are public so callers can `.test()` against the
+ * masked output without accidentally tripping on them.
+ */
+export declare const INQUOTE_PIPE_SENTINEL = "__REA_INQUOTE_PIPE_a8f2c1__";
+export declare const INQUOTE_SEMI_SENTINEL = "__REA_INQUOTE_SC_a8f2c1__";
+export declare const INQUOTE_AMP_SENTINEL = "__REA_INQUOTE_AMP_a8f2c1__";
+export declare function quoteMaskedCmd(cmd: string): string;
+/**
+ * Walk the nested-shell unwrap chain and emit `cmd` PLUS each inner
+ * payload as a separate string. Mirrors `_rea_unwrap_nested_shells`
+ * in the bash counterpart.
+ *
+ * Used by dangerous-bash-interceptor H12 (`curl|sh` detection) so a
+ * payload like `zsh -c "curl https://x | sh"` is scanned for the pipe
+ * shape even though the literal `|` is inside quotes at the outer
+ * level. The H12 check then runs `quoteMaskedCmd` against each
+ * emitted line independently.
+ *
+ * Depth-bounded at MAX_NESTED_DEPTH (8) — same as `splitSegments`.
+ *
+ * 0.34.0 port.
+ */
+export declare function unwrapNestedShells(cmd: string): string[];
+/**
+ * Return every segment of `cmd` whose prefix-stripped head matches the
+ * head-anchored regex source. Mirrors `find_all_segments_starting_with`
+ * in the bash counterpart.
+ *
+ * Returns each match as `{ raw, head }` so callers (local-review-gate's
+ * round-25 P1-B sweep) can validate per-segment bypass against the
+ * raw (env-prefix-intact) form.
+ *
+ * Case-INSENSITIVE. Empty array on no matches.
+ *
+ * 0.34.0 port.
+ */
+export declare function findAllSegmentsStartingWith(cmd: string, regexSource: string): CommandSegment[];
+/**
+ * Return every segment of `cmd` whose RAW text (env-prefix intact,
+ * leading whitespace trimmed) matches the regex source. Mirrors
+ * `find_all_segments_raw_matches` in the bash counterpart.
+ *
+ * Companion to `findAllSegmentsStartingWith` for the env-prefix shapes
+ * the prefix-stripper bails on (quoted-value env-vars like
+ * `REA_SKIP="urgent fix"`).
+ *
+ * Case-INSENSITIVE. Empty array on no matches.
+ *
+ * 0.34.0 port.
+ */
+export declare function findAllSegmentsRawMatches(cmd: string, regexSource: string): CommandSegment[];

package/dist/hooks/_lib/segments.js

@@ -764,3 +764,293 @@ export function anySegmentMatchesBoth(cmd, regexA, regexB) {
     }
     return false;
 }
+/**
+ * Returns true if any segment's RAW text (env-var prefixes intact, only
+ * leading whitespace trimmed) matches the regex source. Mirrors
+ * `any_segment_raw_matches` in the bash counterpart — used by checks
+ * where the env-prefix itself IS the signal (`HUSKY=0 git`, `REA_BYPASS=`,
+ * `alias … = HUSKY=0`).
+ *
+ * 0.34.0 port — dangerous-bash-interceptor (H10, H15, H16) and
+ * local-review-gate (env-prefix git push detection) call into this.
+ * Note: callers anchor with `^` in the regex source when they want
+ * "starts at segment head"; we do not prepend `^` here.
+ */
+export function anySegmentRawMatches(cmd, regexSource) {
+    const re = new RegExp(regexSource, 'i');
+    for (const seg of splitSegments(cmd)) {
+        const trimmed = seg.raw.replace(/^\s+/, '');
+        if (re.test(trimmed))
+            return true;
+    }
+    return false;
+}
+/**
+ * Returns true if any segment's RAW text contains a match for the
+ * regex source. Mirrors `any_segment_matches` in the bash counterpart —
+ * used by content-scan style checks. The regex matches anywhere in the
+ * segment (not anchored). Useful for `(psql|pgcli)[^|&;]*DROP[[:space:]]+(TABLE|…)`
+ * style patterns that must match across the whole segment but only
+ * within a single segment (a heredoc body in segment N or commit
+ * message in segment 1 must NOT poison segment N+1).
+ *
+ * 0.34.0 port — dangerous-bash-interceptor H6 calls into this.
+ */
+export function anySegmentContains(cmd, regexSource) {
+    const re = new RegExp(regexSource, 'i');
+    for (const seg of splitSegments(cmd)) {
+        if (re.test(seg.head))
+            return true;
+    }
+    return false;
+}
+/**
+ * Iterate over every segment of `cmd` and invoke `callback(raw, head)`
+ * for each. Mirrors `for_each_segment` in the bash counterpart —
+ * dangerous-bash-interceptor H1 uses this to walk each push segment
+ * independently (since one segment may include `--force-with-lease`
+ * while another carries an unsafe `--force`).
+ *
+ * The callback receives the raw segment (env-prefix preserved) and the
+ * prefix-stripped head. Return value is ignored.
+ *
+ * 0.34.0 port.
+ */
+export function forEachSegment(cmd, callback) {
+    for (const seg of splitSegments(cmd)) {
+        callback(seg.raw, seg.head);
+    }
+}
+/**
+ * Quote-aware mask of in-quote separators. Mirrors `quote_masked_cmd`
+ * in the bash counterpart — produces a string where in-quote `|` / `;`
+ * / `&` characters are replaced with multi-byte sentinels so a caller's
+ * regex can match real (unquoted) instances of those bytes without
+ * false-positiving on quoted commit-message bodies (`git commit -m
+ * "curl|sh later"`).
+ *
+ * 0.34.0 port — dangerous-bash-interceptor H12 (`curl|sh` detection)
+ * uses this to scan the WHOLE command (not split into segments)
+ * without quoted-mention false positives.
+ *
+ * Implementation uses the same sentinel-byte alphabet the bash helper
+ * uses. Sentinels are public so callers can `.test()` against the
+ * masked output without accidentally tripping on them.
+ */
+export const INQUOTE_PIPE_SENTINEL = '__REA_INQUOTE_PIPE_a8f2c1__';
+export const INQUOTE_SEMI_SENTINEL = '__REA_INQUOTE_SC_a8f2c1__';
+export const INQUOTE_AMP_SENTINEL = '__REA_INQUOTE_AMP_a8f2c1__';
+export function quoteMaskedCmd(cmd) {
+    // 4-state walker mirroring the bash awk:
+    //   0 = plain
+    //   1 = inside "…" (backslash escapes next char)
+    //   2 = inside '…' (no escapes)
+    //   3 = inside $'…' (ANSI-C; backslash escapes next char)
+    // In modes 1/2/3, in-quote `|`/`;`/`&` are replaced with sentinels.
+    // The opening `$'` is preserved verbatim (caller code that detects
+    // ANSI-C envelopes still sees them).
+    let out = '';
+    let i = 0;
+    const n = cmd.length;
+    let mode = 0;
+    while (i < n) {
+        const ch = cmd[i];
+        if (mode === 0) {
+            if (ch === '$' && i + 1 < n && cmd[i + 1] === "'") {
+                mode = 3;
+                out += "$'";
+                i += 2;
+                continue;
+            }
+            if (ch === '"') {
+                mode = 1;
+                out += ch;
+                i += 1;
+                continue;
+            }
+            if (ch === "'") {
+                mode = 2;
+                out += ch;
+                i += 1;
+                continue;
+            }
+            if (ch === '\\' && i + 1 < n) {
+                out += ch + cmd[i + 1];
+                i += 2;
+                continue;
+            }
+            out += ch;
+            i += 1;
+            continue;
+        }
+        if (mode === 3) {
+            if (ch === '\\' && i + 1 < n) {
+                out += ch + cmd[i + 1];
+                i += 2;
+                continue;
+            }
+            if (ch === "'") {
+                mode = 0;
+                out += ch;
+                i += 1;
+                continue;
+            }
+            if (ch === '|') {
+                out += INQUOTE_PIPE_SENTINEL;
+                i += 1;
+                continue;
+            }
+            if (ch === ';') {
+                out += INQUOTE_SEMI_SENTINEL;
+                i += 1;
+                continue;
+            }
+            if (ch === '&') {
+                out += INQUOTE_AMP_SENTINEL;
+                i += 1;
+                continue;
+            }
+            out += ch;
+            i += 1;
+            continue;
+        }
+        if (mode === 2) {
+            if (ch === "'") {
+                mode = 0;
+                out += ch;
+                i += 1;
+                continue;
+            }
+            if (ch === '|') {
+                out += INQUOTE_PIPE_SENTINEL;
+                i += 1;
+                continue;
+            }
+            if (ch === ';') {
+                out += INQUOTE_SEMI_SENTINEL;
+                i += 1;
+                continue;
+            }
+            if (ch === '&') {
+                out += INQUOTE_AMP_SENTINEL;
+                i += 1;
+                continue;
+            }
+            out += ch;
+            i += 1;
+            continue;
+        }
+        // mode === 1
+        if (ch === '\\' && i + 1 < n) {
+            out += ch + cmd[i + 1];
+            i += 2;
+            continue;
+        }
+        if (ch === '"') {
+            mode = 0;
+            out += ch;
+            i += 1;
+            continue;
+        }
+        if (ch === '|') {
+            out += INQUOTE_PIPE_SENTINEL;
+            i += 1;
+            continue;
+        }
+        if (ch === ';') {
+            out += INQUOTE_SEMI_SENTINEL;
+            i += 1;
+            continue;
+        }
+        if (ch === '&') {
+            out += INQUOTE_AMP_SENTINEL;
+            i += 1;
+            continue;
+        }
+        out += ch;
+        i += 1;
+    }
+    return out;
+}
+/**
+ * Walk the nested-shell unwrap chain and emit `cmd` PLUS each inner
+ * payload as a separate string. Mirrors `_rea_unwrap_nested_shells`
+ * in the bash counterpart.
+ *
+ * Used by dangerous-bash-interceptor H12 (`curl|sh` detection) so a
+ * payload like `zsh -c "curl https://x | sh"` is scanned for the pipe
+ * shape even though the literal `|` is inside quotes at the outer
+ * level. The H12 check then runs `quoteMaskedCmd` against each
+ * emitted line independently.
+ *
+ * Depth-bounded at MAX_NESTED_DEPTH (8) — same as `splitSegments`.
+ *
+ * 0.34.0 port.
+ */
+export function unwrapNestedShells(cmd) {
+    const out = [cmd];
+    unwrapNestedShellsRecursive(cmd, 0, out);
+    return out;
+}
+function unwrapNestedShellsRecursive(cmd, depth, acc) {
+    if (depth >= MAX_NESTED_DEPTH)
+        return;
+    // Walk segments so a heredoc-style or multi-line command gets each
+    // segment's inner payload extracted independently.
+    const masked = maskQuotedSeparators(cmd);
+    const rawSegs = splitOnUnquotedSeparators(masked);
+    for (const raw of rawSegs) {
+        const unmaskedRaw = unmask(raw);
+        const head = stripSegmentPrefix(unmaskedRaw);
+        const inner = extractNestedShellPayload(head);
+        if (inner !== null) {
+            acc.push(inner);
+            unwrapNestedShellsRecursive(inner, depth + 1, acc);
+        }
+    }
+}
+/**
+ * Return every segment of `cmd` whose prefix-stripped head matches the
+ * head-anchored regex source. Mirrors `find_all_segments_starting_with`
+ * in the bash counterpart.
+ *
+ * Returns each match as `{ raw, head }` so callers (local-review-gate's
+ * round-25 P1-B sweep) can validate per-segment bypass against the
+ * raw (env-prefix-intact) form.
+ *
+ * Case-INSENSITIVE. Empty array on no matches.
+ *
+ * 0.34.0 port.
+ */
+export function findAllSegmentsStartingWith(cmd, regexSource) {
+    const re = new RegExp(`^${regexSource}`, 'i');
+    const out = [];
+    for (const seg of splitSegments(cmd)) {
+        if (re.test(seg.head))
+            out.push(seg);
+    }
+    return out;
+}
+/**
+ * Return every segment of `cmd` whose RAW text (env-prefix intact,
+ * leading whitespace trimmed) matches the regex source. Mirrors
+ * `find_all_segments_raw_matches` in the bash counterpart.
+ *
+ * Companion to `findAllSegmentsStartingWith` for the env-prefix shapes
+ * the prefix-stripper bails on (quoted-value env-vars like
+ * `REA_SKIP="urgent fix"`).
+ *
+ * Case-INSENSITIVE. Empty array on no matches.
+ *
+ * 0.34.0 port.
+ */
+export function findAllSegmentsRawMatches(cmd, regexSource) {
+    const re = new RegExp(regexSource, 'i');
+    const out = [];
+    for (const seg of splitSegments(cmd)) {
+        const trimmed = seg.raw.replace(/^\s+/, '');
+        if (re.test(trimmed))
+            out.push(seg);
+    }
+    return out;
+}

package/dist/hooks/dangerous-bash-interceptor/index.d.ts

@@ -0,0 +1,103 @@
+/**
+ * Node-binary port of `hooks/dangerous-bash-interceptor.sh`.
+ *
+ * 0.34.0 Phase 2 port #1 (tier-2 medium-complexity hooks with enforcer
+ * logic). This is the agent-runaway gate — it refuses destructive Bash
+ * commands before Claude Code dispatches them. Every refusal class in
+ * the 414-LOC bash body must be preserved byte-for-byte; the bypass
+ * corpus pinned across 0.13–0.27 demands it.
+ *
+ * Behavioral contract — preserves the bash hook byte-for-byte:
+ *
+ *   1. HALT check → exit 2 with the shared banner.
+ *   2. Read stdin, extract `tool_input.command`. Non-Bash payloads or
+ *      empty command → exit 0.
+ *   3. Compute smart exclusion flags:
+ *        - `CMD_IS_REBASE_SAFE` → segments that begin with
+ *          `git rebase --abort|--continue` skip the H2 rebase advisory.
+ *        - `CMD_IS_CLEAN_DRY` → segments that begin with
+ *          `git clean -n|--dry-run` skip the H5 destructive-clean check.
+ *   4. Run every HIGH check (H1–H17, M1) against the command. Each
+ *      check returns 0..N matches; matches are accumulated into the
+ *      violations table. The accumulator preserves the original bash
+ *      hook's first-match-wins-per-check semantics — H1 fires once
+ *      per command even if multiple push segments are unsafe.
+ *   5. If any HIGH match → emit "BASH INTERCEPTED" banner + exit 2.
+ *      Else if MEDIUM-only → emit "BASH ADVISORY" banner + exit 0.
+ *      Else exit 0 silently.
+ *
+ * The pattern catalog is in `RULES` below. Each rule is a self-
+ * contained closure with a stable identifier (`H1`, `H2`, …) so a
+ * future rule addition lands as a one-line array push, not a rewrite.
+ * Identifiers match the bash hook's `add_high "H<N>: …"` shape so
+ * audit/log consumers grepping for `H12` continue to work.
+ *
+ * Key parity choices:
+ *
+ *   - Segment-anchored detection via `anySegmentStartsWith` (and
+ *     `forEachSegment` for per-segment work). The bash 0.15.0 fix
+ *     (segment-aware instead of full-command grep) is reproduced here.
+ *   - Env-var-prefix shapes (H10 `HUSKY=0 git`, H15 `REA_BYPASS=…`,
+ *     H16 alias/function defs) use `anySegmentRawMatches` since the
+ *     prefix IS the signal — `stripSegmentPrefix` would eat it.
+ *   - H12 (`curl|sh` pipe-RCE) scans the whole command via
+ *     `quoteMaskedCmd` because pipe-RCE is a multi-segment property
+ *     (`|` is the separator that joins curl to sh). The bash hook's
+ *     `_rea_unwrap_nested_shells` is mirrored via `unwrapNestedShells`
+ *     so inner payloads of `bash -c "curl … | sh"` are also scanned.
+ *   - H17 (context-protection) reads
+ *     `policy.context_protection.delegate_to_subagent` via the canonical
+ *     YAML loader (matches the bash hook's 0.16.0 fix J.2).
+ */
+import type { Buffer } from 'node:buffer';
+export interface DangerousBashOptions {
+    reaRoot?: string;
+    stdinOverride?: string | Buffer;
+    stderrWrite?: (s: string) => void;
+}
+export interface DangerousBashResult {
+    exitCode: number;
+    stderr: string;
+    /** Test seam — violations the run accumulated, in catalog order. */
+    violations: Violation[];
+}
+export interface Violation {
+    severity: 'HIGH' | 'MEDIUM';
+    /** Stable identifier (`H1`, `H10`, `M1`, …) — matches bash labels. */
+    id: string;
+    /** Banner headline. */
+    label: string;
+    /** Banner explanation paragraph. */
+    detail: string;
+    /** Suggested alternatives. */
+    alternatives: string[];
+}
+/**
+ * Rule descriptor + execution closure. The closure receives the raw
+ * command + the active exclusion flags and returns 0..N violations
+ * for that rule.
+ */
+interface RuleContext {
+    cmd: string;
+    cmdIsRebaseSafe: boolean;
+    cmdIsCleanDry: boolean;
+    delegatePatterns: string[];
+}
+interface Rule {
+    id: string;
+    severity: 'HIGH' | 'MEDIUM';
+    run: (ctx: RuleContext) => Violation[];
+}
+/**
+ * Pure executor. Returns `{ exitCode, stderr, violations }`; the CLI
+ * wrapper translates them into `process.stderr.write` + `process.exit`.
+ */
+export declare function runDangerousBashInterceptor(options?: DangerousBashOptions): Promise<DangerousBashResult>;
+/**
+ * CLI entry point — `rea hook dangerous-bash-interceptor`.
+ */
+export declare function runHookDangerousBashInterceptor(options?: DangerousBashOptions): Promise<void>;
+export declare const __INTERNAL_FOR_TESTS: {
+    RULES: readonly Rule[];
+};
+export {};