@bookedsolid/rea 0.33.0 → 0.34.0

package/hooks/secret-scanner.sh

@@ -1,230 +1,240 @@
 #!/bin/bash
 # PreToolUse hook: secret-scanner.sh
-# Fires BEFORE every Write or Edit tool call.
-# Scans content about to be written for credential patterns and blocks (exit 2)
-# if real secrets are detected — before they ever touch disk.
+# 0.34.0+ — Node-binary shim for `rea hook secret-scanner`.
 #
-# Content extraction:
-#   Write tool → tool_input.content
-#   Edit tool  → tool_input.new_string
+# Pre-0.34.0 the gate's full body lived here as bash (230 LOC, the
+# awk line filter + 17-pattern catalog + placeholder-rejection + the
+# MultiEdit fragment join). The migration to the Node binary moves
+# the pattern catalog + filter + placeholder evaluation into
+# `src/hooks/secret-scanner/index.ts`. This shim is the Claude Code
+# dispatcher's view of the hook — it forwards stdin to the CLI and
+# exits with whatever the CLI returns.
 #
-# NOTE: This hook is a last-resort pre-write guard. The primary secret gate is
-# gitleaks running in the pre-commit hook. This hook stops obvious credentials
-# before they hit disk. It cannot catch all encoding tricks — rely on gitleaks
-# for comprehensive coverage.
+# Behavioral contract is preserved byte-for-byte: exit 0 on no-match
+# or MEDIUM-only advisory, exit 2 on HALT / HIGH match / malformed
+# payload.
 #
-# Exit codes:
-#   0 = no secrets detected — allow the tool to proceed
-#   2 = secrets detected    — block the tool call
+# # Shim short-circuits (codex round-1 P2 fix)
+#
+# The 0.34.0 round-0 shim deferred ALL decisions to the CLI, including
+# empty-content and `.env.example` suffix exclusion. That regressed
+# benign workflows on fresh/unbuilt installs: clearing a file or
+# editing an example env file would fail closed when `dist/cli/index.js`
+# wasn't built yet.
+#
+# Round-1 P2 fix: replicate the pre-0.34.0 bash body's three
+# short-circuits in the shim BEFORE CLI resolution:
+#   - Empty content (no `content`, `new_string`, `edits[]`, or
+#     `new_source` in the payload) → exit 0 silently.
+#   - file_path / notebook_path with `.env.example` or `.env.sample`
+#     suffix → exit 0 silently.
+# The full pattern catalog + filter + placeholder rejection still
+# lives in the CLI.
+#
+# # CLI-resolution trust boundary
+#
+# Mirrors the 0.32.0 final shim shape.
+#
+# # Fail-closed posture
+#
+# secret-scanner is Write/Edit/MultiEdit/NotebookEdit tier — the
+# pre-0.34.0 bash body refused credential-bearing writes without any
+# compiled CLI. Early-exit branches fail closed AFTER the shim
+# short-circuits.
 
 set -uo pipefail
 
-INPUT=$(cat)
-
-# ── Dependency check ──────────────────────────────────────────────────────────
-if ! command -v jq >/dev/null 2>&1; then
-  printf 'REA ERROR: jq is required but not installed.\n' >&2
-  printf 'Install: brew install jq  OR  apt-get install -y jq\n' >&2
-  exit 2
-fi
-
-# ── HALT check ────────────────────────────────────────────────────────────────
-# 0.16.0: HALT check sourced from shared _lib/halt-check.sh.
+# 1. HALT check.
 # shellcheck source=_lib/halt-check.sh
 source "$(dirname "$0")/_lib/halt-check.sh"
 check_halt
 REA_ROOT=$(rea_root)
 
-# 0.16.0: payload extraction moved to `_lib/payload-read.sh`. The shared
-# helpers handle Write content / Edit new_string / MultiEdit edits[] /
-# NotebookEdit new_source with the same defensive type-guards. Adding
-# the next write-tier tool is a one-line edit there, not a sweep
-# across N hooks.
-# shellcheck source=_lib/payload-read.sh
-source "$(dirname "$0")/_lib/payload-read.sh"
+proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
 
-FILE_PATH=$(extract_file_path "$INPUT")
-CONTENT=$(extract_write_content "$INPUT")
+# 2. Capture stdin once.
+INPUT=$(cat)
 
-if [[ -z "$CONTENT" ]]; then
-  exit 0
+# 3. Short-circuit: empty-content / file-suffix exclusion. Mirrors
+#    the pre-0.34.0 bash body's `[[ -z "$CONTENT" ]] && exit 0` and
+#    the `*.env.example | *.env.sample` suffix check. We do these in
+#    the shim so unbuilt installs don't fail closed on benign writes.
+if command -v jq >/dev/null 2>&1; then
+  # Compose content the same way `parseWriteHookPayload` does:
+  # priority content > new_string > join(edits[].new_string) > new_source.
+  # 0.34.0 round-2 fix: every value goes through `tostring` so a
+  # non-string `new_string` (object/number/null) doesn't trip jq with
+  # a "Cannot iterate" error → empty CONTENT → exit 0 bypass. Mirrors
+  # the 0.14.0 secret-scanner fix that originally closed this class.
+  #
+  # 0.34.0 round-4 P2 fix: capture jq's exit code SEPARATELY rather
+  # than swallowing it with `|| true`. Pre-fix, invalid JSON or a
+  # schema mismatch yielded empty CONTENT → exit 0 silent allow.
+  # Post-fix we distinguish:
+  #   - jq exit 0 + empty CONTENT  → valid payload, no content (the
+  #                                  bash hook also exit 0'd here)
+  #   - jq exit 0 + non-empty      → enter suffix-check + CLI forward
+  #   - jq exit != 0 (parse fail)  → fall through to CLI forward;
+  #                                  the CLI re-parses with Zod and
+  #                                  refuses on malformed payload
+  # The third branch does NOT exit 0 — we want CLI enforcement to
+  # decide. The CLI's parser fails closed.
+  CONTENT=$(printf '%s' "$INPUT" | jq -r '
+    (.tool_input.content // .tool_input.new_string //
+      (
+        if (.tool_input.edits | type) == "array"
+        then (.tool_input.edits | map((.new_string // "") | tostring) | join("\n"))
+        else ""
+        end
+      ) //
+      .tool_input.new_source // ""
+    ) | tostring
+  ' 2>/dev/null)
+  jq_content_status=$?
+  FILE_PATH=$(printf '%s' "$INPUT" | jq -r '
+    .tool_input.file_path // .tool_input.notebook_path // ""
+  ' 2>/dev/null)
+  jq_path_status=$?
+  # Only honor the shim short-circuits when BOTH jq probes parsed
+  # cleanly. Otherwise forward to the CLI which fails closed via Zod.
+  if [ "$jq_content_status" -eq 0 ] && [ "$jq_path_status" -eq 0 ]; then
+    if [ -z "$CONTENT" ]; then
+      exit 0
+    fi
+    # Suffix-based exclusion. Mirrors the bash hook's:
+    #   if [[ "$FILE_PATH" == *.env.example || "$FILE_PATH" == *.env.sample ]]; then exit 0; fi
+    case "$FILE_PATH" in
+      *.env.example|*.env.sample) exit 0 ;;
+    esac
+  fi
+  # jq parse failure → do NOT short-circuit. Fall through to the CLI
+  # forward at section 7. The CLI will refuse on malformed payload.
+fi
+# When jq is unavailable, fall through — the CLI does the same parse
+# in TypeScript-space and will short-circuit on empty content there.
+
+# 4. Resolve the rea CLI through the fixed 2-tier sandboxed order.
+REA_ARGV=()
+RESOLVED_CLI_PATH=""
+if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
+elif [ -f "$proj/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
 fi
 
-# Smart file-path exclusions (suffix-based only — no directory exclusions)
-if [[ -n "$FILE_PATH" ]]; then
-  if [[ "$FILE_PATH" == *.env.example || "$FILE_PATH" == *.env.sample ]]; then
+if [ "${#REA_ARGV[@]}" -eq 0 ]; then
+  # 4b. Relevance pre-gate (round-7 P1). The round-0 shim refused ALL
+  #     writes when the CLI was missing, but the pre-0.34.0 bash body
+  #     only refused writes containing credential patterns. On a fresh
+  #     install (`npx rea init` flow, pre-`pnpm build` checkout) the
+  #     CLI isn't built yet but consumers need to write files — config,
+  #     source, docs, etc. Fix: substring scan the content for the
+  #     credential markers in the catalog. When CLI is missing AND no
+  #     marker matches, exit 0 (the pre-0.34.0 body would have done
+  #     the same — no pattern hit). When CLI is missing AND a marker
+  #     DOES match, preserve fail-closed (refuse rather than silently
+  #     allow a credential-shaped write).
+  #
+  #     Substrings cover every entry in SECRET_PATTERNS (catalog in
+  #     `src/hooks/secret-scanner/index.ts`). Coarse — over-trigger is
+  #     fine, under-trigger is the bypass we MUST avoid. Same posture
+  #     as the round-7 dangerous-bash relevance pre-gate.
+  CONTENT_FOR_SCAN=""
+  if [ -n "${CONTENT:-}" ]; then
+    CONTENT_FOR_SCAN="$CONTENT"
+  else
+    # CONTENT may not have been populated (jq missing, parse failure).
+    # Fall back to the raw payload so the substring scan still catches
+    # credential markers embedded in JSON-string form.
+    CONTENT_FOR_SCAN="$INPUT"
+  fi
+  CRED_RELEVANT=0
+  case "$CONTENT_FOR_SCAN" in
+    *"AKIA"*) CRED_RELEVANT=1 ;;
+    *"AWS_SECRET_ACCESS_KEY"*|*"aws_secret_access_key"*) CRED_RELEVANT=1 ;;
+    *"-----BEGIN"*) CRED_RELEVANT=1 ;;
+    *"sk-ant-"*) CRED_RELEVANT=1 ;;
+    *"ghp_"*|*"ghs_"*|*"gho_"*|*"ghu_"*|*"ghr_"*) CRED_RELEVANT=1 ;;
+    *"github_pat_"*) CRED_RELEVANT=1 ;;
+    *"sk_live_"*|*"rk_live_"*|*"pk_live_"*) CRED_RELEVANT=1 ;;
+    *"sk_test_"*|*"rk_test_"*|*"pk_test_"*) CRED_RELEVANT=1 ;;
+    *"whsec_"*) CRED_RELEVANT=1 ;;
+    *"SECRET"*|*"PASSWORD"*|*"PRIVATE_KEY"*|*"API_SECRET"*) CRED_RELEVANT=1 ;;
+    *"SUPABASE_SERVICE_ROLE_KEY"*|*"SUPABASE_ANON_KEY"*) CRED_RELEVANT=1 ;;
+    *"ANTHROPIC_API_KEY"*|*"STRIPE_SECRET"*|*"DATABASE_URL"*) CRED_RELEVANT=1 ;;
+    *"postgresql://"*) CRED_RELEVANT=1 ;;
+    *"eyJ"*) CRED_RELEVANT=1 ;;  # JWT prefix — catches Supabase keys
+  esac
+  if [ "$CRED_RELEVANT" -eq 0 ]; then
+    # No credential marker. The pre-0.34.0 bash body would have allowed
+    # this write — exit 0 to unblock `npx rea init` and pre-build
+    # checkouts.
     exit 0
   fi
-  # Test files are NOT excluded — real secrets in test files must be caught.
-  # The is_placeholder() function handles false positives from test fixtures.
+  # Credential marker matched. Preserve fail-closed posture.
+  printf 'rea: secret-scanner cannot run — the rea CLI is not built.\n' >&2
+  printf 'Run `pnpm install && pnpm build` (or `npm install` for a consumer install) to restore protection.\n' >&2
+  printf 'This shim fails closed because the pre-0.34.0 bash body enforced secret refusal without a CLI.\n' >&2
+  exit 2
 fi
 
-# Build line-filtered content
-# Strip: shell comment lines (#) and lines where process.env.VAR is the RHS of an assignment
-# NOT stripped: lines that merely mention process.env somewhere (bypass vector if too broad)
-FILTERED_FILE=$(mktemp "${TMPDIR:-/tmp}/rea-secret-scan-XXXXXX") || {
-  printf 'SECRET-SCAN ERROR: Failed to create temp file — blocking write (fail-secure)\n' >&2
+# 5. Realpath sandbox check.
+if ! command -v node >/dev/null 2>&1; then
+  printf 'rea: secret-scanner cannot run — `node` is not on PATH.\n' >&2
+  printf 'Install Node 22+ (engines.node) to restore credential refusal.\n' >&2
   exit 2
-}
-
-VIOLATIONS_FILE=""
-
-cleanup() {
-  rm -f "$FILTERED_FILE"
-  [[ -n "$VIOLATIONS_FILE" ]] && rm -f "$VIOLATIONS_FILE"
-}
-trap cleanup EXIT
-
-printf '%s' "$CONTENT" | awk '
-{
-  line = $0
-  trimmed = line
-  sub(/^[[:space:]]+/, "", trimmed)
-  # Skip shell comment lines only
-  if (substr(trimmed, 1, 1) == "#") next
-  # Skip lines where process.env.VAR is the RHS of an assignment
-  # Pattern: = process.env.SOMETHING  (not just any mention of process.env)
-  if (trimmed ~ /=[[:space:]]*process\.env\.[A-Z_]+[^a-zA-Z]?$/) next
-  if (trimmed ~ /=[[:space:]]*process\.env\.[A-Z_]+[[:space:]]*[;,)]/) next
-  if (trimmed ~ /os\.environ\[/) next
-  print line
-}
-' > "$FILTERED_FILE" 2>/dev/null
-
-if [[ ! -s "$FILTERED_FILE" ]]; then
-  exit 0
 fi
 
-is_placeholder() {
-  local MATCH
-  MATCH=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
-  [[ "$MATCH" =~ \<[a-z_]+\> ]] && return 0
-  [[ "$MATCH" =~ your_key_here  ]] && return 0
-  [[ "$MATCH" =~ your_api_key   ]] && return 0
-  [[ "$MATCH" =~ your_secret    ]] && return 0
-  [[ "$MATCH" =~ placeholder    ]] && return 0
-  [[ "$MATCH" =~ changeme       ]] && return 0
-  [[ "$MATCH" =~ insert.*here   ]] && return 0
-  # Prefix checks: require full placeholder compound, not just a prefix
-  [[ "$MATCH" =~ ^(test|fake|mock|demo|example)_(key|token|secret|credential|api)$ ]] && return 0
-  [[ "$MATCH" =~ ^test_[a-z_]+_key$ ]] && return 0
-  # Repeated-character dummies (aaaaaaa, 1111111, etc.)
-  if printf '%s' "$MATCH" | grep -qE '^(.)\1{7,}$'; then return 0; fi
-  return 1
-}
-
-VIOLATIONS_FILE=$(mktemp "${TMPDIR:-/tmp}/rea-secret-violations-XXXXXX") || {
-  printf 'SECRET-SCAN ERROR: Failed to create violations file — blocking write (fail-secure)\n' >&2
+sandbox_check=$(node -e '
+  const fs = require("fs");
+  const path = require("path");
+  const cli = process.argv[1];
+  const projDir = process.argv[2];
+  let real, realProj;
+  try { real = fs.realpathSync(cli); } catch (e) {
+    process.stdout.write("bad:realpath"); process.exit(1);
+  }
+  try { realProj = fs.realpathSync(projDir); } catch (e) {
+    process.stdout.write("bad:realpath-proj"); process.exit(1);
+  }
+  const sep = path.sep;
+  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
+  if (!(real === realProj || real.startsWith(projWithSep))) {
+    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
+  }
+  let cur = path.dirname(path.dirname(path.dirname(real)));
+  let found = false;
+  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
+    const pj = path.join(cur, "package.json");
+    if (fs.existsSync(pj)) {
+      try {
+        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
+        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
+      } catch (e) { /* keep walking */ }
+    }
+    cur = path.dirname(cur);
+  }
+  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
+  process.stdout.write("ok");
+' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
+
+if [ "$sandbox_check" != "ok" ]; then
+  printf 'rea: secret-scanner FAILED sandbox check (%s) — refusing.\n' "$sandbox_check" >&2
   exit 2
-}
-
-scan_pattern() {
-  local SEVERITY="$1"
-  local LABEL="$2"
-  local PATTERN="$3"
-  local MATCHES GREP_EXIT MATCH SNIPPET
-  MATCHES=$(grep -oE -e "$PATTERN" "$FILTERED_FILE" 2>/dev/null)
-  GREP_EXIT=$?
-  [[ $GREP_EXIT -ne 0 ]] && return 0
-  [[ -z "$MATCHES" ]]    && return 0
-  MATCHES=$(printf '%s\n' "$MATCHES" | head -5)
-  while IFS= read -r MATCH; do
-    [[ -z "$MATCH" ]] && continue
-    if is_placeholder "$MATCH"; then continue; fi
-    if [[ ${#MATCH} -gt 60 ]]; then
-      SNIPPET="${MATCH:0:60}..."
-    else
-      SNIPPET="$MATCH"
-    fi
-    printf '%s|%s|%s\n' "$SEVERITY" "$LABEL" "$SNIPPET" >> "$VIOLATIONS_FILE"
-  done <<< "$MATCHES"
-}
-
-# ── HIGH severity patterns ─────────────────────────────────────────────────────
-
-scan_pattern "HIGH" "AWS Access Key ID" \
-  'AKIA[0-9A-Z]{16}'
-
-scan_pattern "HIGH" "AWS Secret Access Key" \
-  '[Aa][Ww][Ss]_SECRET_ACCESS_KEY[[:space:]]*=[[:space:]]*[A-Za-z0-9/+]{40}'
-
-scan_pattern "HIGH" "Private key block" \
-  '-----BEGIN (RSA|EC|OPENSSH|PGP) PRIVATE KEY-----'
-
-scan_pattern "HIGH" "Anthropic API key" \
-  'sk-ant-api03-[A-Za-z0-9_-]{93}'
-
-scan_pattern "HIGH" "Anthropic OAuth token" \
-  'sk-ant-oat01-[A-Za-z0-9_-]{86}'
-
-scan_pattern "HIGH" "GitHub classic Personal Access Token" \
-  'gh[puors]_[A-Za-z0-9]{36}'
-
-scan_pattern "HIGH" "GitHub fine-grained Personal Access Token" \
-  'github_pat_[A-Za-z0-9_]{82}'
-
-scan_pattern "HIGH" "Stripe live secret/restricted key" \
-  '(sk|rk)_live_[A-Za-z0-9]{24,}'
-
-scan_pattern "HIGH" "Stripe webhook signing secret" \
-  'whsec_[A-Za-z0-9+/]{40,}'
-
-scan_pattern "HIGH" "Generic secret assignment (double-quoted)" \
-  '(SECRET|PASSWORD|PRIVATE_KEY|API_SECRET)[[:space:]]*=[[:space:]]*"[^"]{20,}"'
-
-scan_pattern "HIGH" "Generic secret assignment (single-quoted)" \
-  "(SECRET|PASSWORD|PRIVATE_KEY|API_SECRET)[[:space:]]*=[[:space:]]*'[^']{20,}'"
-
-scan_pattern "HIGH" "Supabase service role key (JWT)" \
-  'SUPABASE_SERVICE_ROLE_KEY[[:space:]]*=[[:space:]]*["\'"'"']eyJ[A-Za-z0-9._-]{50,}'
-
-# ── MEDIUM severity patterns ───────────────────────────────────────────────────
-
-scan_pattern "MEDIUM" ".env credential assignment" \
-  '^(ANTHROPIC_API_KEY|SUPABASE_SERVICE_ROLE_KEY|DATABASE_URL|STRIPE_SECRET)[[:space:]]*=[[:space:]]*[^[:space:]]+'
-
-scan_pattern "MEDIUM" "Stripe test API key (real credential, test env)" \
-  '(sk|pk|rk)_test_[A-Za-z0-9]{24,}'
-
-scan_pattern "MEDIUM" "Stripe live publishable key" \
-  'pk_live_[A-Za-z0-9]{24,}'
-
-scan_pattern "MEDIUM" "Hardcoded DB connection string with password" \
-  'postgresql://[^:]+:[^@]{8,}@'
-
-scan_pattern "MEDIUM" "Supabase anon key in non-client context" \
-  'SUPABASE_ANON_KEY[[:space:]]*=[[:space:]]*["\'"'"']eyJ[A-Za-z0-9._-]{50,}'
-
-if [[ ! -s "$VIOLATIONS_FILE" ]]; then
-  exit 0
 fi
 
-FILE_BASENAME=$(basename "${FILE_PATH:-unknown}")
-HIGH_COUNT=$(grep -cF 'HIGH|' "$VIOLATIONS_FILE" 2>/dev/null || true)
-: "${HIGH_COUNT:=0}"
-
-if [[ "$HIGH_COUNT" -gt 0 ]]; then
-  {
-    printf 'SECRET DETECTED: Potential credential in %s\n' "$FILE_BASENAME"
-    COUNT=0
-    while IFS='|' read -r SEVERITY LABEL SNIPPET; do
-      [[ -z "$SEVERITY" ]] && continue
-      COUNT=$(( COUNT + 1 ))
-      if [[ $COUNT -gt 5 ]]; then break; fi
-      printf '  %s: %s — '"'"'%s'"'"'\n' "$SEVERITY" "$LABEL" "$SNIPPET"
-    done < "$VIOLATIONS_FILE"
-    printf 'Block reason: Writing credentials to disk risks exposure via git history.\n'
-    printf 'Fix: Load credentials from environment variables — never hardcode secrets.\n'
-  } >&2
+# 6. Version-probe.
+probe_out=$("${REA_ARGV[@]}" hook secret-scanner --help 2>&1)
+probe_status=$?
+if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'secret-scanner'; then
+  printf 'rea: this shim requires the `rea hook secret-scanner` subcommand (introduced in 0.34.0).\n' >&2
+  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
+  printf 'Run `pnpm install` (or `npm install`) to sync the CLI; refusing in the meantime to preserve enforcement.\n' >&2
   exit 2
 fi
 
-{
-  printf 'SECRET-SCAN WARN: Low-confidence credential pattern in %s (advisory — not blocking)\n' "$FILE_BASENAME"
-  while IFS='|' read -r SEVERITY LABEL SNIPPET; do
-    [[ -z "$SEVERITY" ]] && continue
-    printf '  %s: %s — '"'"'%s'"'"'\n' "$SEVERITY" "$LABEL" "$SNIPPET"
-  done < "$VIOLATIONS_FILE"
-  printf 'Note: Heuristic match — may be a false positive. If real, load from environment.\n'
-} >&2
-exit 0
+# 7. Forward stdin (already captured up-front).
+printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook secret-scanner
+exit $?

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.33.0",
+  "version": "0.34.0",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",

package/templates/dangerous-bash-interceptor.dogfood-staged.sh

@@ -0,0 +1,196 @@
+#!/bin/bash
+# PreToolUse hook: dangerous-bash-interceptor.sh
+# 0.34.0+ — Node-binary shim for `rea hook dangerous-bash-interceptor`.
+#
+# Pre-0.34.0 the gate's full body lived here as bash (414 LOC, every
+# refusal class H1-H17 + M1 plus their bypass-corpus regressions). The
+# migration to the parser-backed Node binary moves all of that into
+# `src/hooks/dangerous-bash-interceptor/index.ts`. This shim is the
+# Claude Code dispatcher's view of the hook — it forwards stdin to
+# the CLI and exits with whatever the CLI returns.
+#
+# Behavioral contract is preserved byte-for-byte: exit 0 on
+# pass-through / MEDIUM-only advisory, exit 2 on HALT / HIGH rule
+# match / malformed payload (fail-closed).
+#
+# # CLI-resolution trust boundary
+#
+# Mirrors the 0.32.0 final shim shape (round-8 of the codex iteration
+# on the three Phase 1 pilots). The resolved CLI MUST live INSIDE
+# realpath(CLAUDE_PROJECT_DIR) AND have an ancestor `package.json`
+# whose `name` is `@bookedsolid/rea`. Defends against symlink-out and
+# tarball-replacement attacks on the resolved CLI.
+#
+# # Fail-closed posture
+#
+# dangerous-bash-interceptor is the agent-runaway gate — the pre-0.34.0
+# bash body refused destructive commands without any compiled CLI. The
+# early-exit branches (CLI missing, node missing, sandbox failed,
+# version skew) fail closed AFTER the relevance pre-gate passes.
+# Irrelevant Bash calls exit 0 regardless of CLI state.
+#
+# # Relevance pre-gate
+#
+# 0.34.0 round-7 P1 fix: the pre-0.34.0 bash body refused destructive
+# commands without any compiled CLI. The round-0 shim preserved that
+# fail-closed-on-CLI-missing posture for ALL Bash, but that's stricter
+# than the pre-0.34.0 body which only refused commands matching the
+# destructive catalog. On a fresh / unbuilt install (`npx rea init`,
+# pre-`pnpm build` checkout) the shim blocked benign Bash like `ls`,
+# `mkdir`, `pnpm install` — defeating the install path itself.
+#
+# Fix: substring pre-gate over the EXTRACTED command (not raw payload —
+# the local-review-gate round-2 lesson). When CLI is missing AND no
+# destructive-keyword appears in the extracted command, exit 0 (the
+# pre-0.34.0 bash body would have done the same — there's no rule to
+# match). When CLI is missing AND a destructive-keyword DOES appear,
+# preserve the original fail-closed posture (we'd rather refuse than
+# silently allow a destructive command).
+#
+# The keyword list is coarse — it over-triggers (e.g. `git status` hits
+# `git` substring) but that's fine: the CLI does the real evaluation
+# and lets benign forms through. Over-trigger costs one node-spawn;
+# under-trigger is the bypass we MUST avoid. Same posture as the
+# 0.32.0 secret-scanner `gh issue create` substring fix.
+
+set -uo pipefail
+
+# 1. HALT check.
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
+check_halt
+REA_ROOT=$(rea_root)
+
+proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
+
+# 2. Capture stdin once. The CLI consumes it via stdin pipe below.
+INPUT=$(cat)
+
+# 3. Resolve the rea CLI through the fixed 2-tier sandboxed order.
+REA_ARGV=()
+RESOLVED_CLI_PATH=""
+if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
+elif [ -f "$proj/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
+fi
+
+# 3b. Relevance pre-gate (round-7 P1). Only used when the CLI is
+#     missing — when present, every Bash call goes through the CLI.
+#     Extract the command string from the payload, then substring-scan
+#     it for destructive-catalog keywords. Mirrors the H1-H17 + M1
+#     rule heads.
+if [ "${#REA_ARGV[@]}" -eq 0 ]; then
+  CLI_MISSING_CMD=""
+  if command -v jq >/dev/null 2>&1; then
+    # Match the CLI's payload schema: tool_input.command. tostring so
+    # a non-string value (object/number) doesn't blow up jq.
+    CLI_MISSING_CMD=$(printf '%s' "$INPUT" | jq -r '
+      (.tool_input.command // "") | tostring
+    ' 2>/dev/null || true)
+  else
+    # jq missing — fall back to scanning the raw payload. Over-trigger
+    # by design (the CLI is the source of truth; this is fail-closed
+    # only when keywords match). Substring scan still catches the
+    # destructive forms in JSON-string-encoded payloads.
+    CLI_MISSING_CMD="$INPUT"
+  fi
+  # If we couldn't extract a command, treat as relevant (fail closed).
+  CLI_MISSING_RELEVANT=0
+  if [ -z "$CLI_MISSING_CMD" ]; then
+    # Empty command (or non-Bash payload). The pre-0.34.0 bash body
+    # would have exited 0 here — no command, no rule match.
+    exit 0
+  fi
+  # Substring scan. Keywords cover every rule head H1-H17 + M1. Coarse
+  # by design — we're a safety net, not the source of truth. The CLI
+  # does the precise per-rule evaluation when reachable.
+  case "$CLI_MISSING_CMD" in
+    *"git "*) CLI_MISSING_RELEVANT=1 ;;
+    *"git	"*) CLI_MISSING_RELEVANT=1 ;;  # tab after git
+    *"rm "*|*"rm	"*) CLI_MISSING_RELEVANT=1 ;;
+    *"psql"*|*"pgcli"*) CLI_MISSING_RELEVANT=1 ;;
+    *"DROP "*|*"DROP	"*) CLI_MISSING_RELEVANT=1 ;;
+    *"kill "*|*"kill	"*|*"killall"*) CLI_MISSING_RELEVANT=1 ;;
+    *"HUSKY="*) CLI_MISSING_RELEVANT=1 ;;
+    *"curl"*|*"wget"*) CLI_MISSING_RELEVANT=1 ;;
+    *"REA_BYPASS"*) CLI_MISSING_RELEVANT=1 ;;
+    *"alias "*|*"function "*) CLI_MISSING_RELEVANT=1 ;;
+    *"core.hooksPath"*|*"core.hookspath"*) CLI_MISSING_RELEVANT=1 ;;
+    *"npm "*|*"pnpm "*|*"yarn "*) CLI_MISSING_RELEVANT=1 ;;
+    *"--no-verify"*|*"--force"*) CLI_MISSING_RELEVANT=1 ;;
+  esac
+  if [ "$CLI_MISSING_RELEVANT" -eq 0 ]; then
+    # No destructive-keyword in the extracted command. The pre-0.34.0
+    # bash body would have allowed this — exit 0 to preserve install-
+    # path / unbuilt-checkout workflows.
+    exit 0
+  fi
+  # Keyword matched. Preserve fail-closed posture — the pre-0.34.0
+  # bash body would have evaluated this command and potentially refused.
+  printf 'rea: dangerous-bash-interceptor cannot run — the rea CLI is not built.\n' >&2
+  printf 'Run `pnpm install && pnpm build` (or `npm install` for a consumer install) to restore protection.\n' >&2
+  printf 'This shim fails closed because the pre-0.34.0 bash body enforced destructive-command refusal without a CLI.\n' >&2
+  exit 2
+fi
+
+# 4. Realpath sandbox check.
+if ! command -v node >/dev/null 2>&1; then
+  printf 'rea: dangerous-bash-interceptor cannot run — `node` is not on PATH.\n' >&2
+  printf 'Install Node 22+ (engines.node) to restore destructive-command refusal.\n' >&2
+  exit 2
+fi
+
+sandbox_check=$(node -e '
+  const fs = require("fs");
+  const path = require("path");
+  const cli = process.argv[1];
+  const projDir = process.argv[2];
+  let real, realProj;
+  try { real = fs.realpathSync(cli); } catch (e) {
+    process.stdout.write("bad:realpath"); process.exit(1);
+  }
+  try { realProj = fs.realpathSync(projDir); } catch (e) {
+    process.stdout.write("bad:realpath-proj"); process.exit(1);
+  }
+  const sep = path.sep;
+  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
+  if (!(real === realProj || real.startsWith(projWithSep))) {
+    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
+  }
+  let cur = path.dirname(path.dirname(path.dirname(real)));
+  let found = false;
+  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
+    const pj = path.join(cur, "package.json");
+    if (fs.existsSync(pj)) {
+      try {
+        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
+        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
+      } catch (e) { /* keep walking */ }
+    }
+    cur = path.dirname(cur);
+  }
+  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
+  process.stdout.write("ok");
+' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
+
+if [ "$sandbox_check" != "ok" ]; then
+  printf 'rea: dangerous-bash-interceptor FAILED sandbox check (%s) — refusing.\n' "$sandbox_check" >&2
+  exit 2
+fi
+
+# 5. Version-probe.
+probe_out=$("${REA_ARGV[@]}" hook dangerous-bash-interceptor --help 2>&1)
+probe_status=$?
+if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'dangerous-bash-interceptor'; then
+  printf 'rea: this shim requires the `rea hook dangerous-bash-interceptor` subcommand (introduced in 0.34.0).\n' >&2
+  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
+  printf 'Run `pnpm install` (or `npm install`) to sync the CLI; refusing in the meantime to preserve enforcement.\n' >&2
+  exit 2
+fi
+
+# 6. Forward stdin (already captured up-front).
+printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook dangerous-bash-interceptor
+exit $?