@bookedsolid/rea 0.33.0 → 0.35.0

package/dist/hooks/_lib/segments.js

@@ -764,3 +764,293 @@ export function anySegmentMatchesBoth(cmd, regexA, regexB) {
     }
     return false;
 }
+/**
+ * Returns true if any segment's RAW text (env-var prefixes intact, only
+ * leading whitespace trimmed) matches the regex source. Mirrors
+ * `any_segment_raw_matches` in the bash counterpart — used by checks
+ * where the env-prefix itself IS the signal (`HUSKY=0 git`, `REA_BYPASS=`,
+ * `alias … = HUSKY=0`).
+ *
+ * 0.34.0 port — dangerous-bash-interceptor (H10, H15, H16) and
+ * local-review-gate (env-prefix git push detection) call into this.
+ * Note: callers anchor with `^` in the regex source when they want
+ * "starts at segment head"; we do not prepend `^` here.
+ */
+export function anySegmentRawMatches(cmd, regexSource) {
+    const re = new RegExp(regexSource, 'i');
+    for (const seg of splitSegments(cmd)) {
+        const trimmed = seg.raw.replace(/^\s+/, '');
+        if (re.test(trimmed))
+            return true;
+    }
+    return false;
+}
+/**
+ * Returns true if any segment's RAW text contains a match for the
+ * regex source. Mirrors `any_segment_matches` in the bash counterpart —
+ * used by content-scan style checks. The regex matches anywhere in the
+ * segment (not anchored). Useful for `(psql|pgcli)[^|&;]*DROP[[:space:]]+(TABLE|…)`
+ * style patterns that must match across the whole segment but only
+ * within a single segment (a heredoc body in segment N or commit
+ * message in segment 1 must NOT poison segment N+1).
+ *
+ * 0.34.0 port — dangerous-bash-interceptor H6 calls into this.
+ */
+export function anySegmentContains(cmd, regexSource) {
+    const re = new RegExp(regexSource, 'i');
+    for (const seg of splitSegments(cmd)) {
+        if (re.test(seg.head))
+            return true;
+    }
+    return false;
+}
+/**
+ * Iterate over every segment of `cmd` and invoke `callback(raw, head)`
+ * for each. Mirrors `for_each_segment` in the bash counterpart —
+ * dangerous-bash-interceptor H1 uses this to walk each push segment
+ * independently (since one segment may include `--force-with-lease`
+ * while another carries an unsafe `--force`).
+ *
+ * The callback receives the raw segment (env-prefix preserved) and the
+ * prefix-stripped head. Return value is ignored.
+ *
+ * 0.34.0 port.
+ */
+export function forEachSegment(cmd, callback) {
+    for (const seg of splitSegments(cmd)) {
+        callback(seg.raw, seg.head);
+    }
+}
+/**
+ * Quote-aware mask of in-quote separators. Mirrors `quote_masked_cmd`
+ * in the bash counterpart — produces a string where in-quote `|` / `;`
+ * / `&` characters are replaced with multi-byte sentinels so a caller's
+ * regex can match real (unquoted) instances of those bytes without
+ * false-positiving on quoted commit-message bodies (`git commit -m
+ * "curl|sh later"`).
+ *
+ * 0.34.0 port — dangerous-bash-interceptor H12 (`curl|sh` detection)
+ * uses this to scan the WHOLE command (not split into segments)
+ * without quoted-mention false positives.
+ *
+ * Implementation uses the same sentinel-byte alphabet the bash helper
+ * uses. Sentinels are public so callers can `.test()` against the
+ * masked output without accidentally tripping on them.
+ */
+export const INQUOTE_PIPE_SENTINEL = '__REA_INQUOTE_PIPE_a8f2c1__';
+export const INQUOTE_SEMI_SENTINEL = '__REA_INQUOTE_SC_a8f2c1__';
+export const INQUOTE_AMP_SENTINEL = '__REA_INQUOTE_AMP_a8f2c1__';
+export function quoteMaskedCmd(cmd) {
+    // 4-state walker mirroring the bash awk:
+    //   0 = plain
+    //   1 = inside "…" (backslash escapes next char)
+    //   2 = inside '…' (no escapes)
+    //   3 = inside $'…' (ANSI-C; backslash escapes next char)
+    // In modes 1/2/3, in-quote `|`/`;`/`&` are replaced with sentinels.
+    // The opening `$'` is preserved verbatim (caller code that detects
+    // ANSI-C envelopes still sees them).
+    let out = '';
+    let i = 0;
+    const n = cmd.length;
+    let mode = 0;
+    while (i < n) {
+        const ch = cmd[i];
+        if (mode === 0) {
+            if (ch === '$' && i + 1 < n && cmd[i + 1] === "'") {
+                mode = 3;
+                out += "$'";
+                i += 2;
+                continue;
+            }
+            if (ch === '"') {
+                mode = 1;
+                out += ch;
+                i += 1;
+                continue;
+            }
+            if (ch === "'") {
+                mode = 2;
+                out += ch;
+                i += 1;
+                continue;
+            }
+            if (ch === '\\' && i + 1 < n) {
+                out += ch + cmd[i + 1];
+                i += 2;
+                continue;
+            }
+            out += ch;
+            i += 1;
+            continue;
+        }
+        if (mode === 3) {
+            if (ch === '\\' && i + 1 < n) {
+                out += ch + cmd[i + 1];
+                i += 2;
+                continue;
+            }
+            if (ch === "'") {
+                mode = 0;
+                out += ch;
+                i += 1;
+                continue;
+            }
+            if (ch === '|') {
+                out += INQUOTE_PIPE_SENTINEL;
+                i += 1;
+                continue;
+            }
+            if (ch === ';') {
+                out += INQUOTE_SEMI_SENTINEL;
+                i += 1;
+                continue;
+            }
+            if (ch === '&') {
+                out += INQUOTE_AMP_SENTINEL;
+                i += 1;
+                continue;
+            }
+            out += ch;
+            i += 1;
+            continue;
+        }
+        if (mode === 2) {
+            if (ch === "'") {
+                mode = 0;
+                out += ch;
+                i += 1;
+                continue;
+            }
+            if (ch === '|') {
+                out += INQUOTE_PIPE_SENTINEL;
+                i += 1;
+                continue;
+            }
+            if (ch === ';') {
+                out += INQUOTE_SEMI_SENTINEL;
+                i += 1;
+                continue;
+            }
+            if (ch === '&') {
+                out += INQUOTE_AMP_SENTINEL;
+                i += 1;
+                continue;
+            }
+            out += ch;
+            i += 1;
+            continue;
+        }
+        // mode === 1
+        if (ch === '\\' && i + 1 < n) {
+            out += ch + cmd[i + 1];
+            i += 2;
+            continue;
+        }
+        if (ch === '"') {
+            mode = 0;
+            out += ch;
+            i += 1;
+            continue;
+        }
+        if (ch === '|') {
+            out += INQUOTE_PIPE_SENTINEL;
+            i += 1;
+            continue;
+        }
+        if (ch === ';') {
+            out += INQUOTE_SEMI_SENTINEL;
+            i += 1;
+            continue;
+        }
+        if (ch === '&') {
+            out += INQUOTE_AMP_SENTINEL;
+            i += 1;
+            continue;
+        }
+        out += ch;
+        i += 1;
+    }
+    return out;
+}
+/**
+ * Walk the nested-shell unwrap chain and emit `cmd` PLUS each inner
+ * payload as a separate string. Mirrors `_rea_unwrap_nested_shells`
+ * in the bash counterpart.
+ *
+ * Used by dangerous-bash-interceptor H12 (`curl|sh` detection) so a
+ * payload like `zsh -c "curl https://x | sh"` is scanned for the pipe
+ * shape even though the literal `|` is inside quotes at the outer
+ * level. The H12 check then runs `quoteMaskedCmd` against each
+ * emitted line independently.
+ *
+ * Depth-bounded at MAX_NESTED_DEPTH (8) — same as `splitSegments`.
+ *
+ * 0.34.0 port.
+ */
+export function unwrapNestedShells(cmd) {
+    const out = [cmd];
+    unwrapNestedShellsRecursive(cmd, 0, out);
+    return out;
+}
+function unwrapNestedShellsRecursive(cmd, depth, acc) {
+    if (depth >= MAX_NESTED_DEPTH)
+        return;
+    // Walk segments so a heredoc-style or multi-line command gets each
+    // segment's inner payload extracted independently.
+    const masked = maskQuotedSeparators(cmd);
+    const rawSegs = splitOnUnquotedSeparators(masked);
+    for (const raw of rawSegs) {
+        const unmaskedRaw = unmask(raw);
+        const head = stripSegmentPrefix(unmaskedRaw);
+        const inner = extractNestedShellPayload(head);
+        if (inner !== null) {
+            acc.push(inner);
+            unwrapNestedShellsRecursive(inner, depth + 1, acc);
+        }
+    }
+}
+/**
+ * Return every segment of `cmd` whose prefix-stripped head matches the
+ * head-anchored regex source. Mirrors `find_all_segments_starting_with`
+ * in the bash counterpart.
+ *
+ * Returns each match as `{ raw, head }` so callers (local-review-gate's
+ * round-25 P1-B sweep) can validate per-segment bypass against the
+ * raw (env-prefix-intact) form.
+ *
+ * Case-INSENSITIVE. Empty array on no matches.
+ *
+ * 0.34.0 port.
+ */
+export function findAllSegmentsStartingWith(cmd, regexSource) {
+    const re = new RegExp(`^${regexSource}`, 'i');
+    const out = [];
+    for (const seg of splitSegments(cmd)) {
+        if (re.test(seg.head))
+            out.push(seg);
+    }
+    return out;
+}
+/**
+ * Return every segment of `cmd` whose RAW text (env-prefix intact,
+ * leading whitespace trimmed) matches the regex source. Mirrors
+ * `find_all_segments_raw_matches` in the bash counterpart.
+ *
+ * Companion to `findAllSegmentsStartingWith` for the env-prefix shapes
+ * the prefix-stripper bails on (quoted-value env-vars like
+ * `REA_SKIP="urgent fix"`).
+ *
+ * Case-INSENSITIVE. Empty array on no matches.
+ *
+ * 0.34.0 port.
+ */
+export function findAllSegmentsRawMatches(cmd, regexSource) {
+    const re = new RegExp(regexSource, 'i');
+    const out = [];
+    for (const seg of splitSegments(cmd)) {
+        const trimmed = seg.raw.replace(/^\s+/, '');
+        if (re.test(trimmed))
+            out.push(seg);
+    }
+    return out;
+}

package/dist/hooks/blocked-paths-bash-gate/index.d.ts

@@ -0,0 +1,55 @@
+/**
+ * Node-binary port of `hooks/blocked-paths-bash-gate.sh`.
+ *
+ * 0.35.0 Phase 3 port (paired tier-1 scanner-shim). This was a thin
+ * bash shim over `rea hook scan-bash --mode blocked` — the heavy
+ * lifting (the parser-backed AST walker that closes 9 bypass classes
+ * from helix-023 + discord-ops Round 13) lives in `src/hooks/bash-
+ * scanner/`.
+ *
+ * The Node-binary port preserves the same byte-for-byte verdict shape
+ * and exit-code contract but eliminates the bash-shim → node-CLI →
+ * scanner-module subprocess hop. The caller is now `rea hook blocked-
+ * paths-bash-gate`, which calls `runBlockedScan` directly.
+ *
+ * Behavioral contract — preserves the bash hook byte-for-byte:
+ *
+ *   1. HALT check → exit 2 with shared banner.
+ *   2. Read stdin via `parseHookPayload`. Empty/missing command → exit 0
+ *      (the bash gate's `[[ -z "$payload" ]] && exit 0` guard).
+ *   3. Non-Bash tool calls bypass — Claude Code's hook matcher already
+ *      filters to Bash but defense-in-depth.
+ *   4. Load policy permissively (a partial/migrating policy.yaml with
+ *      unknown keys must NOT collapse the `blocked_paths` list — same
+ *      lesson from 0.33.0 round-1 P3 + 0.34.0 round-2 P2).
+ *   5. Empty `blocked_paths` → allow (no-op). Mirrors
+ *      `runBlockedScan({ blockedPaths: [] }, cmd)` short-circuit.
+ *   6. Run `runBlockedScan` against the command.
+ *   7. Verdict `block` → exit 2 with the scanner's reason. Verdict
+ *      `allow` → exit 0.
+ *
+ * Audit-log parity: emits a `rea.hook.blocked-paths-bash-gate` entry
+ * (best-effort, never blocks the verdict on audit failure).
+ */
+import type { Buffer } from 'node:buffer';
+import { type Verdict } from '../bash-scanner/index.js';
+export interface BlockedPathsBashGateOptions {
+    reaRoot?: string;
+    stdinOverride?: string | Buffer;
+    stderrWrite?: (s: string) => void;
+}
+export interface BlockedPathsBashGateResult {
+    exitCode: number;
+    stderr: string;
+    /** Final verdict from the scanner (test seam). */
+    verdict: Verdict | null;
+}
+/**
+ * Pure executor. Returns `{ exitCode, stderr, verdict }`; the CLI
+ * wrapper translates them into `process.stderr.write` + `process.exit`.
+ */
+export declare function runBlockedPathsBashGate(options?: BlockedPathsBashGateOptions): Promise<BlockedPathsBashGateResult>;
+/**
+ * CLI entry point — `rea hook blocked-paths-bash-gate`.
+ */
+export declare function runHookBlockedPathsBashGate(options?: BlockedPathsBashGateOptions): Promise<void>;

package/dist/hooks/blocked-paths-bash-gate/index.js

@@ -0,0 +1,175 @@
+/**
+ * Node-binary port of `hooks/blocked-paths-bash-gate.sh`.
+ *
+ * 0.35.0 Phase 3 port (paired tier-1 scanner-shim). This was a thin
+ * bash shim over `rea hook scan-bash --mode blocked` — the heavy
+ * lifting (the parser-backed AST walker that closes 9 bypass classes
+ * from helix-023 + discord-ops Round 13) lives in `src/hooks/bash-
+ * scanner/`.
+ *
+ * The Node-binary port preserves the same byte-for-byte verdict shape
+ * and exit-code contract but eliminates the bash-shim → node-CLI →
+ * scanner-module subprocess hop. The caller is now `rea hook blocked-
+ * paths-bash-gate`, which calls `runBlockedScan` directly.
+ *
+ * Behavioral contract — preserves the bash hook byte-for-byte:
+ *
+ *   1. HALT check → exit 2 with shared banner.
+ *   2. Read stdin via `parseHookPayload`. Empty/missing command → exit 0
+ *      (the bash gate's `[[ -z "$payload" ]] && exit 0` guard).
+ *   3. Non-Bash tool calls bypass — Claude Code's hook matcher already
+ *      filters to Bash but defense-in-depth.
+ *   4. Load policy permissively (a partial/migrating policy.yaml with
+ *      unknown keys must NOT collapse the `blocked_paths` list — same
+ *      lesson from 0.33.0 round-1 P3 + 0.34.0 round-2 P2).
+ *   5. Empty `blocked_paths` → allow (no-op). Mirrors
+ *      `runBlockedScan({ blockedPaths: [] }, cmd)` short-circuit.
+ *   6. Run `runBlockedScan` against the command.
+ *   7. Verdict `block` → exit 2 with the scanner's reason. Verdict
+ *      `allow` → exit 0.
+ *
+ * Audit-log parity: emits a `rea.hook.blocked-paths-bash-gate` entry
+ * (best-effort, never blocks the verdict on audit failure).
+ */
+import path from 'node:path';
+import fs from 'node:fs';
+import { parse as parseYaml } from 'yaml';
+import { checkHalt, formatHaltBanner } from '../_lib/halt-check.js';
+import { parseHookPayload, MalformedPayloadError, TypePayloadError, readStdinWithTimeout, } from '../_lib/payload.js';
+import { runBlockedScan } from '../bash-scanner/index.js';
+import { appendAuditRecord, InvocationStatus, Tier } from '../../audit/append.js';
+/**
+ * Load `blocked_paths` from `<reaRoot>/.rea/policy.yaml` permissively.
+ *
+ * Why not `loadPolicy`? The strict zod loader refuses partial / unknown
+ * keys (it's strict-mode by design). A consumer running a migrating
+ * policy.yaml or holding legacy keys would have their `blocked_paths`
+ * effectively wiped — silently. The bash gate's pre-0.35.0 yaml grep
+ * scanned for the key directly with no schema validation; we mirror
+ * that permissive posture by reading `blocked_paths` from the parsed
+ * YAML directly without validation.
+ *
+ * Returns `[]` on any failure (missing file, bad YAML, missing key,
+ * unexpected type). Empty list is the "no enforcement" no-op state.
+ */
+function loadBlockedPathsPermissive(reaRoot) {
+    const policyPath = path.join(reaRoot, '.rea', 'policy.yaml');
+    if (!fs.existsSync(policyPath))
+        return [];
+    let raw;
+    try {
+        raw = fs.readFileSync(policyPath, 'utf8');
+    }
+    catch {
+        return [];
+    }
+    let parsed;
+    try {
+        parsed = parseYaml(raw);
+    }
+    catch {
+        return [];
+    }
+    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
+        return [];
+    }
+    const obj = parsed;
+    const bp = obj['blocked_paths'];
+    if (!Array.isArray(bp))
+        return [];
+    const out = [];
+    for (const entry of bp) {
+        if (typeof entry === 'string' && entry.length > 0) {
+            out.push(entry);
+        }
+    }
+    return out;
+}
+/**
+ * Pure executor. Returns `{ exitCode, stderr, verdict }`; the CLI
+ * wrapper translates them into `process.stderr.write` + `process.exit`.
+ */
+export async function runBlockedPathsBashGate(options = {}) {
+    const reaRoot = options.reaRoot ?? process.env['CLAUDE_PROJECT_DIR'] ?? process.cwd();
+    let stderr = '';
+    const writeStderr = (s) => {
+        stderr += s;
+        if (options.stderrWrite)
+            options.stderrWrite(s);
+    };
+    // 1. HALT check.
+    const halt = checkHalt(reaRoot);
+    if (halt.halted) {
+        writeStderr(formatHaltBanner(halt.reason));
+        return { exitCode: 2, stderr, verdict: { verdict: 'block', reason: 'rea HALT active' } };
+    }
+    // 2. Read + parse stdin.
+    const stdinRaw = options.stdinOverride !== undefined
+        ? options.stdinOverride
+        : await readStdinWithTimeout(5_000);
+    let toolName = '';
+    let cmd = '';
+    try {
+        const payload = parseHookPayload(stdinRaw);
+        toolName = payload.toolName;
+        cmd = payload.command;
+    }
+    catch (err) {
+        if (err instanceof MalformedPayloadError || err instanceof TypePayloadError) {
+            writeStderr(`blocked-paths-bash-gate: ${err.message} — refusing on uncertainty.\n`);
+            return { exitCode: 2, stderr, verdict: { verdict: 'block', reason: err.message } };
+        }
+        throw err;
+    }
+    // 3. Non-Bash tool calls bypass.
+    if (toolName !== '' && toolName !== 'Bash') {
+        return { exitCode: 0, stderr, verdict: null };
+    }
+    // 4. Empty command → allow.
+    if (cmd.length === 0) {
+        return { exitCode: 0, stderr, verdict: null };
+    }
+    // 5. Load policy permissively.
+    const blockedPaths = loadBlockedPathsPermissive(reaRoot);
+    // 6. Empty list → allow.
+    if (blockedPaths.length === 0) {
+        return { exitCode: 0, stderr, verdict: { verdict: 'allow' } };
+    }
+    // 7. Scan.
+    const verdict = runBlockedScan({ reaRoot, blockedPaths }, cmd);
+    // 8. Audit — best-effort, never changes verdict.
+    try {
+        await appendAuditRecord(reaRoot, {
+            tool_name: 'rea.hook.blocked-paths-bash-gate',
+            server_name: 'rea',
+            tier: Tier.Read,
+            status: verdict.verdict === 'allow' ? InvocationStatus.Allowed : InvocationStatus.Denied,
+            metadata: {
+                verdict: verdict.verdict,
+                ...(verdict.detected_form !== undefined ? { detected_form: verdict.detected_form } : {}),
+                ...(verdict.hit_pattern !== undefined ? { hit_pattern: verdict.hit_pattern } : {}),
+                command_preview: cmd.slice(0, 256),
+            },
+        });
+    }
+    catch {
+        /* best-effort */
+    }
+    if (verdict.verdict === 'block') {
+        if (typeof verdict.reason === 'string' && verdict.reason.length > 0) {
+            writeStderr(verdict.reason + '\n');
+        }
+        return { exitCode: 2, stderr, verdict };
+    }
+    return { exitCode: 0, stderr, verdict };
+}
+/**
+ * CLI entry point — `rea hook blocked-paths-bash-gate`.
+ */
+export async function runHookBlockedPathsBashGate(options = {}) {
+    const result = await runBlockedPathsBashGate({
+        ...options,
+        stderrWrite: (s) => process.stderr.write(s),
+    });
+    process.exit(result.exitCode);
+}

package/dist/hooks/blocked-paths-enforcer/index.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Node-binary port of `hooks/blocked-paths-enforcer.sh`.
+ *
+ * 0.35.0 Phase 4 port (paired Write/Edit tier). Enforces
+ * `policy.blocked_paths` against Write/Edit/MultiEdit/NotebookEdit
+ * tool calls. Sibling of `blocked-paths-bash-gate` (Bash-tier) — same
+ * policy data, different surface.
+ *
+ * Behavioral contract — preserves the bash hook byte-for-byte:
+ *
+ *   1. HALT check → exit 2 with shared banner.
+ *   2. Read stdin, extract `tool_input.file_path` (or `notebook_path`).
+ *      Missing/empty → exit 0.
+ *   3. Load policy permissively (a partial / migrating policy.yaml
+ *      must NOT collapse the blocked_paths list).
+ *   4. Empty `blocked_paths` → exit 0.
+ *   5. §5a path-traversal rejection. Refuses any path with a `..`
+ *      segment in EITHER the raw form OR the normalized form. Also
+ *      catches URL-encoded traversal (`%2E%2E/`, `..%2F`, etc.)
+ *      against the raw input.
+ *   6. §5a-bis interior `/./` segment rejection (0.29.0 helix-/./-class).
+ *      NORMALIZED form only — `normalize_path` already strips leading
+ *      `./` segments, so anything remaining is interior by construction.
+ *   7. Agent-writable allow-list short-circuit (`.rea/tasks.jsonl`,
+ *      `.rea/audit/`) — even if blocked_paths includes `.rea/` as a
+ *      prefix block, these are PM-data writeables.
+ *   8. Match the normalized path against each blocked entry:
+ *        - directory prefix (entry ends with `/`)
+ *        - glob (entry contains `*`)
+ *        - exact (lower-case, case-INSENSITIVE)
+ *      Match → exit 2 with reason.
+ *   9. §H.2 intermediate-symlink resolution. If the parent dir exists,
+ *      resolve its realpath. If the resolved target falls inside a
+ *      blocked entry, refuse.
+ *
+ * Audit-log parity: emits a `rea.hook.blocked-paths-enforcer` entry.
+ */
+import type { Buffer } from 'node:buffer';
+export interface BlockedPathsEnforcerOptions {
+    reaRoot?: string;
+    stdinOverride?: string | Buffer;
+    stderrWrite?: (s: string) => void;
+}
+export interface BlockedPathsEnforcerResult {
+    exitCode: number;
+    stderr: string;
+    /** Test seam — when the gate blocks, the matched blocked-paths entry. */
+    matched: string | null;
+}
+export declare function runBlockedPathsEnforcer(options?: BlockedPathsEnforcerOptions): Promise<BlockedPathsEnforcerResult>;
+export declare function runHookBlockedPathsEnforcer(options?: BlockedPathsEnforcerOptions): Promise<void>;