@bookedsolid/rea 0.34.0 → 0.36.0

package/dist/hooks/blocked-paths-enforcer/index.js

@@ -0,0 +1,287 @@
+/**
+ * Node-binary port of `hooks/blocked-paths-enforcer.sh`.
+ *
+ * 0.35.0 Phase 4 port (paired Write/Edit tier). Enforces
+ * `policy.blocked_paths` against Write/Edit/MultiEdit/NotebookEdit
+ * tool calls. Sibling of `blocked-paths-bash-gate` (Bash-tier) — same
+ * policy data, different surface.
+ *
+ * Behavioral contract — preserves the bash hook byte-for-byte:
+ *
+ *   1. HALT check → exit 2 with shared banner.
+ *   2. Read stdin, extract `tool_input.file_path` (or `notebook_path`).
+ *      Missing/empty → exit 0.
+ *   3. Load policy permissively (a partial / migrating policy.yaml
+ *      must NOT collapse the blocked_paths list).
+ *   4. Empty `blocked_paths` → exit 0.
+ *   5. §5a path-traversal rejection. Refuses any path with a `..`
+ *      segment in EITHER the raw form OR the normalized form. Also
+ *      catches URL-encoded traversal (`%2E%2E/`, `..%2F`, etc.)
+ *      against the raw input.
+ *   6. §5a-bis interior `/./` segment rejection (0.29.0 helix-/./-class).
+ *      NORMALIZED form only — `normalize_path` already strips leading
+ *      `./` segments, so anything remaining is interior by construction.
+ *   7. Agent-writable allow-list short-circuit (`.rea/tasks.jsonl`,
+ *      `.rea/audit/`) — even if blocked_paths includes `.rea/` as a
+ *      prefix block, these are PM-data writeables.
+ *   8. Match the normalized path against each blocked entry:
+ *        - directory prefix (entry ends with `/`)
+ *        - glob (entry contains `*`)
+ *        - exact (lower-case, case-INSENSITIVE)
+ *      Match → exit 2 with reason.
+ *   9. §H.2 intermediate-symlink resolution. If the parent dir exists,
+ *      resolve its realpath. If the resolved target falls inside a
+ *      blocked entry, refuse.
+ *
+ * Audit-log parity: emits a `rea.hook.blocked-paths-enforcer` entry.
+ */
+import path from 'node:path';
+import fs from 'node:fs';
+import { parse as parseYaml } from 'yaml';
+import { checkHalt, formatHaltBanner } from '../_lib/halt-check.js';
+import { parseWriteHookPayload, MalformedPayloadError, TypePayloadError, readStdinWithTimeout, } from '../_lib/payload.js';
+import { normalizePath, hasTraversalSegment, hasInteriorDotSegment, resolveCanonRoot, resolveParentRealpath, } from '../_lib/path-normalize.js';
+import { appendAuditRecord, InvocationStatus, Tier } from '../../audit/append.js';
+const AGENT_WRITABLE = ['.rea/tasks.jsonl', '.rea/audit/'];
+/** Match `pathLc` against a single blocked entry. Returns true on hit. */
+function matchBlockedEntry(pathLc, blockedEntry) {
+    const entryLc = blockedEntry.toLowerCase();
+    // Directory prefix.
+    if (entryLc.endsWith('/')) {
+        if (pathLc.startsWith(entryLc))
+            return true;
+        if (pathLc === entryLc.slice(0, -1))
+            return true;
+        return false;
+    }
+    // Glob (contains *).
+    if (entryLc.includes('*')) {
+        // Convert glob to regex: . → \., * → .*; anchor to whole string.
+        const escaped = entryLc.replace(/[.+^${}()|[\]\\]/g, (m) => `\\${m}`);
+        const re = '^' + escaped.replace(/\*/g, '.*') + '$';
+        try {
+            return new RegExp(re).test(pathLc);
+        }
+        catch {
+            return false;
+        }
+    }
+    // Exact.
+    return pathLc === entryLc;
+}
+function loadBlockedPathsPermissive(reaRoot) {
+    const policyPath = path.join(reaRoot, '.rea', 'policy.yaml');
+    if (!fs.existsSync(policyPath))
+        return [];
+    let raw;
+    try {
+        raw = fs.readFileSync(policyPath, 'utf8');
+    }
+    catch {
+        return [];
+    }
+    let parsed;
+    try {
+        parsed = parseYaml(raw);
+    }
+    catch {
+        return [];
+    }
+    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
+        return [];
+    }
+    const obj = parsed;
+    const bp = obj['blocked_paths'];
+    if (!Array.isArray(bp))
+        return [];
+    const out = [];
+    for (const entry of bp) {
+        if (typeof entry === 'string' && entry.length > 0)
+            out.push(entry);
+    }
+    return out;
+}
+export async function runBlockedPathsEnforcer(options = {}) {
+    const reaRoot = options.reaRoot ?? process.env['CLAUDE_PROJECT_DIR'] ?? process.cwd();
+    let stderr = '';
+    const writeStderr = (s) => {
+        stderr += s;
+        if (options.stderrWrite)
+            options.stderrWrite(s);
+    };
+    // 1. HALT check.
+    const halt = checkHalt(reaRoot);
+    if (halt.halted) {
+        writeStderr(formatHaltBanner(halt.reason));
+        return { exitCode: 2, stderr, matched: null };
+    }
+    // 2. Read + parse stdin.
+    const stdinRaw = options.stdinOverride !== undefined
+        ? options.stdinOverride
+        : await readStdinWithTimeout(5_000);
+    let filePath = '';
+    try {
+        const payload = parseWriteHookPayload(stdinRaw);
+        filePath = payload.filePath;
+    }
+    catch (err) {
+        if (err instanceof MalformedPayloadError || err instanceof TypePayloadError) {
+            writeStderr(`blocked-paths-enforcer: ${err.message} — refusing on uncertainty.\n`);
+            return { exitCode: 2, stderr, matched: null };
+        }
+        throw err;
+    }
+    if (filePath.length === 0) {
+        return { exitCode: 0, stderr, matched: null };
+    }
+    // 3. Load policy permissively.
+    const blockedPaths = loadBlockedPathsPermissive(reaRoot);
+    if (blockedPaths.length === 0) {
+        return { exitCode: 0, stderr, matched: null };
+    }
+    // 4. Normalize.
+    const normalized = normalizePath(filePath, reaRoot);
+    const lowerNorm = normalized.toLowerCase();
+    // 5. §5a path-traversal rejection. Both raw + normalized.
+    const rawTraversal = hasTraversalSegment(filePath.replace(/\\/g, '/'));
+    const normTraversal = hasTraversalSegment(normalized);
+    // URL-encoded traversal check on raw input.
+    const urlEncodedTraversal = /%2[Ee]%2[Ee]|%2[Ee]\.|\.%2[Ee]/.test(filePath);
+    if (rawTraversal || normTraversal || urlEncodedTraversal) {
+        writeStderr('BLOCKED PATH: path traversal rejected\n');
+        writeStderr('\n');
+        writeStderr(`  File: ${filePath}\n`);
+        writeStderr("  Rule: path contains a '..' segment; rewrite to a canonical\n");
+        writeStderr('        project-relative path without traversal.\n');
+        return { exitCode: 2, stderr, matched: null };
+    }
+    // 6. §5a-bis interior `/./` segment rejection.
+    if (hasInteriorDotSegment(normalized)) {
+        writeStderr('BLOCKED PATH: interior dot-segment rejected\n');
+        writeStderr('\n');
+        writeStderr(`  File: ${filePath}\n`);
+        writeStderr("  Rule: path contains an interior '/./' segment; rewrite to a\n");
+        writeStderr('        canonical project-relative path without dot segments.\n');
+        return { exitCode: 2, stderr, matched: null };
+    }
+    // 7. Agent-writable allow-list.
+    for (const writable of AGENT_WRITABLE) {
+        if (normalized === writable)
+            return { exitCode: 0, stderr, matched: null };
+        if (writable.endsWith('/') && normalized.startsWith(writable)) {
+            return { exitCode: 0, stderr, matched: null };
+        }
+    }
+    // 8. Match against blocked_paths.
+    let matched = null;
+    for (const blocked of blockedPaths) {
+        if (matchBlockedEntry(lowerNorm, blocked)) {
+            matched = blocked;
+            break;
+        }
+    }
+    if (matched !== null) {
+        const isGlob = matched.includes('*');
+        writeStderr('BLOCKED PATH: Write denied by policy\n');
+        writeStderr('\n');
+        writeStderr(`  File: ${filePath}\n`);
+        writeStderr(`  Blocked by: ${matched}${isGlob ? ' (glob pattern)' : ''}\n`);
+        writeStderr('  Source: .rea/policy.yaml → blocked_paths\n');
+        if (matched.endsWith('/')) {
+            writeStderr('\n');
+            writeStderr('  This path is protected by policy. To modify it, a human must\n');
+            writeStderr('  either update blocked_paths in policy.yaml or edit the file directly.\n');
+        }
+        await maybeAudit(reaRoot, 'denied', matched, filePath);
+        return { exitCode: 2, stderr, matched };
+    }
+    // 9. §H.2 intermediate-symlink resolution.
+    const symMatched = checkSymlinkResolution(filePath, blockedPaths, reaRoot);
+    if (symMatched !== null) {
+        writeStderr('BLOCKED PATH: intermediate-symlink resolution blocked\n');
+        writeStderr('\n');
+        writeStderr(`  Logical:  ${filePath}\n`);
+        writeStderr(`  Resolved: ${symMatched.resolvedTarget}\n`);
+        writeStderr(`  Blocked by: ${symMatched.entry}\n`);
+        writeStderr('  Source: .rea/policy.yaml → blocked_paths\n');
+        writeStderr('\n');
+        writeStderr('  Rule: an intermediate directory of the path is a symlink\n');
+        writeStderr('        whose target falls inside a blocked policy entry.\n');
+        await maybeAudit(reaRoot, 'denied', symMatched.entry, filePath);
+        return { exitCode: 2, stderr, matched: symMatched.entry };
+    }
+    await maybeAudit(reaRoot, 'allowed', null, filePath);
+    return { exitCode: 0, stderr, matched: null };
+}
+/**
+ * Symlink-resolution check — mirrors `hooks/blocked-paths-enforcer.sh`
+ * §H.2. Returns the matched entry + resolved target form, or null.
+ */
+function checkSymlinkResolution(filePath, blockedPaths, reaRoot) {
+    // Only attempt resolution if the target exists or its parent dir
+    // exists — matches the bash `if [[ -e "$FILE_PATH" || -d ... ]]`.
+    let targetExists = false;
+    try {
+        targetExists = fs.existsSync(filePath);
+    }
+    catch {
+        /* fall through */
+    }
+    const parentDir = path.dirname(filePath);
+    let parentExists = false;
+    try {
+        parentExists = fs.statSync(parentDir).isDirectory();
+    }
+    catch {
+        /* falls through */
+    }
+    if (!targetExists && !parentExists)
+        return null;
+    if (!parentExists)
+        return null;
+    const resolvedParent = resolveParentRealpath(filePath);
+    if (resolvedParent.length === 0)
+        return null;
+    const canonRoot = resolveCanonRoot(reaRoot);
+    // Resolved parent must be inside REA_ROOT for the check to be
+    // meaningful — external paths are out of scope (the logical-path
+    // matchers handle them).
+    if (resolvedParent !== canonRoot && !resolvedParent.startsWith(canonRoot + '/')) {
+        return null;
+    }
+    const relativeResolved = resolvedParent === canonRoot ? '' : resolvedParent.slice(canonRoot.length + 1);
+    const resolvedTarget = relativeResolved.length > 0
+        ? `${relativeResolved}/${path.basename(filePath)}`
+        : path.basename(filePath);
+    const resolvedTargetLc = resolvedTarget.toLowerCase();
+    for (const blocked of blockedPaths) {
+        if (matchBlockedEntry(resolvedTargetLc, blocked)) {
+            return { entry: blocked, resolvedTarget };
+        }
+    }
+    return null;
+}
+async function maybeAudit(reaRoot, status, matched, filePath) {
+    try {
+        await appendAuditRecord(reaRoot, {
+            tool_name: 'rea.hook.blocked-paths-enforcer',
+            server_name: 'rea',
+            tier: Tier.Write,
+            status: status === 'allowed' ? InvocationStatus.Allowed : InvocationStatus.Denied,
+            metadata: {
+                ...(matched !== null ? { matched } : {}),
+                file_path_preview: filePath.slice(0, 256),
+            },
+        });
+    }
+    catch {
+        /* best-effort */
+    }
+}
+export async function runHookBlockedPathsEnforcer(options = {}) {
+    const result = await runBlockedPathsEnforcer({
+        ...options,
+        stderrWrite: (s) => process.stderr.write(s),
+    });
+    process.exit(result.exitCode);
+}

package/dist/hooks/protected-paths-bash-gate/index.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Node-binary port of `hooks/protected-paths-bash-gate.sh`.
+ *
+ * 0.35.0 Phase 3 port (paired tier-1 scanner-shim). Like blocked-paths-
+ * bash-gate but uses `runProtectedScan` against the
+ * `policy.protected_writes` / `policy.protected_paths_relax` resolved
+ * set. The bash gate was already a thin shim over the parser-backed
+ * scanner; this port drops the shim → CLI → scanner subprocess hop.
+ *
+ * Behavioral contract — preserves the bash hook byte-for-byte:
+ *
+ *   1. HALT check → exit 2 with shared banner.
+ *   2. Read stdin via `parseHookPayload`. Empty/missing command → exit 0.
+ *   3. Non-Bash tool calls bypass.
+ *   4. REA_HOOK_PATCH_SESSION-class bypass: when the env var is set with
+ *      a non-empty reason, the scanner's protected-set is RELAXED for
+ *      .claude/hooks/ — the patch-session pattern. Implemented by
+ *      appending `.claude/hooks/` to the relax list when the env var is
+ *      live (this mirrors the bash gate's §6b semantics for the Bash
+ *      tier).
+ *   5. Load policy permissively (same lesson as 0.34.0 round-2 P2).
+ *   6. Run `runProtectedScan` with the resolved policy context.
+ *   7. Verdict `block` → exit 2; `allow` → exit 0.
+ *
+ * Audit-log parity: emits a `rea.hook.protected-paths-bash-gate` entry.
+ */
+import type { Buffer } from 'node:buffer';
+import { type Verdict } from '../bash-scanner/index.js';
+export interface ProtectedPathsBashGateOptions {
+    reaRoot?: string;
+    stdinOverride?: string | Buffer;
+    stderrWrite?: (s: string) => void;
+    /**
+     * Test seam — overrides `process.env.REA_HOOK_PATCH_SESSION`. The
+     * CLI wrapper omits, letting the real env var govern the bypass.
+     */
+    patchSessionOverride?: string;
+}
+export interface ProtectedPathsBashGateResult {
+    exitCode: number;
+    stderr: string;
+    /** Final verdict (test seam). Null when the gate short-circuited
+     *  before scanning (HALT, non-Bash, empty cmd). */
+    verdict: Verdict | null;
+}
+export declare function runProtectedPathsBashGate(options?: ProtectedPathsBashGateOptions): Promise<ProtectedPathsBashGateResult>;
+export declare function runHookProtectedPathsBashGate(options?: ProtectedPathsBashGateOptions): Promise<void>;

package/dist/hooks/protected-paths-bash-gate/index.js

@@ -0,0 +1,168 @@
+/**
+ * Node-binary port of `hooks/protected-paths-bash-gate.sh`.
+ *
+ * 0.35.0 Phase 3 port (paired tier-1 scanner-shim). Like blocked-paths-
+ * bash-gate but uses `runProtectedScan` against the
+ * `policy.protected_writes` / `policy.protected_paths_relax` resolved
+ * set. The bash gate was already a thin shim over the parser-backed
+ * scanner; this port drops the shim → CLI → scanner subprocess hop.
+ *
+ * Behavioral contract — preserves the bash hook byte-for-byte:
+ *
+ *   1. HALT check → exit 2 with shared banner.
+ *   2. Read stdin via `parseHookPayload`. Empty/missing command → exit 0.
+ *   3. Non-Bash tool calls bypass.
+ *   4. REA_HOOK_PATCH_SESSION-class bypass: when the env var is set with
+ *      a non-empty reason, the scanner's protected-set is RELAXED for
+ *      .claude/hooks/ — the patch-session pattern. Implemented by
+ *      appending `.claude/hooks/` to the relax list when the env var is
+ *      live (this mirrors the bash gate's §6b semantics for the Bash
+ *      tier).
+ *   5. Load policy permissively (same lesson as 0.34.0 round-2 P2).
+ *   6. Run `runProtectedScan` with the resolved policy context.
+ *   7. Verdict `block` → exit 2; `allow` → exit 0.
+ *
+ * Audit-log parity: emits a `rea.hook.protected-paths-bash-gate` entry.
+ */
+import path from 'node:path';
+import fs from 'node:fs';
+import { parse as parseYaml } from 'yaml';
+import { checkHalt, formatHaltBanner } from '../_lib/halt-check.js';
+import { parseHookPayload, MalformedPayloadError, TypePayloadError, readStdinWithTimeout, } from '../_lib/payload.js';
+import { runProtectedScan } from '../bash-scanner/index.js';
+import { appendAuditRecord, InvocationStatus, Tier } from '../../audit/append.js';
+function loadPolicyPermissive(reaRoot) {
+    const policyPath = path.join(reaRoot, '.rea', 'policy.yaml');
+    const empty = { protectedRelax: [] };
+    if (!fs.existsSync(policyPath))
+        return empty;
+    let raw;
+    try {
+        raw = fs.readFileSync(policyPath, 'utf8');
+    }
+    catch {
+        return empty;
+    }
+    let parsed;
+    try {
+        parsed = parseYaml(raw);
+    }
+    catch {
+        return empty;
+    }
+    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
+        return empty;
+    }
+    const obj = parsed;
+    const out = { protectedRelax: [] };
+    if (Array.isArray(obj['protected_writes'])) {
+        out.protectedWrites = [];
+        for (const e of obj['protected_writes']) {
+            if (typeof e === 'string' && e.length > 0)
+                out.protectedWrites.push(e);
+        }
+    }
+    if (Array.isArray(obj['protected_paths_relax'])) {
+        for (const e of obj['protected_paths_relax']) {
+            if (typeof e === 'string' && e.length > 0)
+                out.protectedRelax.push(e);
+        }
+    }
+    return out;
+}
+export async function runProtectedPathsBashGate(options = {}) {
+    const reaRoot = options.reaRoot ?? process.env['CLAUDE_PROJECT_DIR'] ?? process.cwd();
+    let stderr = '';
+    const writeStderr = (s) => {
+        stderr += s;
+        if (options.stderrWrite)
+            options.stderrWrite(s);
+    };
+    // 1. HALT check.
+    const halt = checkHalt(reaRoot);
+    if (halt.halted) {
+        writeStderr(formatHaltBanner(halt.reason));
+        return { exitCode: 2, stderr, verdict: { verdict: 'block', reason: 'rea HALT active' } };
+    }
+    // 2. Read + parse stdin.
+    const stdinRaw = options.stdinOverride !== undefined
+        ? options.stdinOverride
+        : await readStdinWithTimeout(5_000);
+    let toolName = '';
+    let cmd = '';
+    try {
+        const payload = parseHookPayload(stdinRaw);
+        toolName = payload.toolName;
+        cmd = payload.command;
+    }
+    catch (err) {
+        if (err instanceof MalformedPayloadError || err instanceof TypePayloadError) {
+            writeStderr(`protected-paths-bash-gate: ${err.message} — refusing on uncertainty.\n`);
+            return { exitCode: 2, stderr, verdict: { verdict: 'block', reason: err.message } };
+        }
+        throw err;
+    }
+    // 3. Non-Bash tool calls bypass.
+    if (toolName !== '' && toolName !== 'Bash') {
+        return { exitCode: 0, stderr, verdict: null };
+    }
+    // 4. Empty command → allow.
+    if (cmd.length === 0) {
+        return { exitCode: 0, stderr, verdict: null };
+    }
+    // 5. Load policy permissively.
+    const policy = loadPolicyPermissive(reaRoot);
+    const relax = [...policy.protectedRelax];
+    // 6. REA_HOOK_PATCH_SESSION — relax .claude/hooks/ when env var is
+    //    set with a non-empty reason. Mirrors settings-protection.sh §6b
+    //    posture (the Bash-tier counterpart wasn't enforcing this against
+    //    .claude/hooks/ until 0.35.0 — that gap is closed here).
+    const patchSession = options.patchSessionOverride ?? process.env['REA_HOOK_PATCH_SESSION'] ?? '';
+    if (patchSession.length > 0) {
+        relax.push('.claude/hooks/');
+    }
+    // 7. Scan.
+    const verdict = runProtectedScan({
+        reaRoot,
+        policy: {
+            ...(policy.protectedWrites !== undefined
+                ? { protected_writes: policy.protectedWrites }
+                : {}),
+            protected_paths_relax: relax,
+        },
+        stderr: (line) => writeStderr(line),
+    }, cmd);
+    // 8. Audit.
+    try {
+        await appendAuditRecord(reaRoot, {
+            tool_name: 'rea.hook.protected-paths-bash-gate',
+            server_name: 'rea',
+            tier: Tier.Read,
+            status: verdict.verdict === 'allow' ? InvocationStatus.Allowed : InvocationStatus.Denied,
+            metadata: {
+                verdict: verdict.verdict,
+                ...(verdict.detected_form !== undefined ? { detected_form: verdict.detected_form } : {}),
+                ...(verdict.hit_pattern !== undefined ? { hit_pattern: verdict.hit_pattern } : {}),
+                ...(patchSession.length > 0 ? { patch_session: true } : {}),
+                command_preview: cmd.slice(0, 256),
+            },
+        });
+    }
+    catch {
+        /* best-effort */
+    }
+    if (verdict.verdict === 'block') {
+        if (typeof verdict.reason === 'string' && verdict.reason.length > 0) {
+            writeStderr(verdict.reason + '\n');
+        }
+        return { exitCode: 2, stderr, verdict };
+    }
+    return { exitCode: 0, stderr, verdict };
+}
+export async function runHookProtectedPathsBashGate(options = {}) {
+    const result = await runProtectedPathsBashGate({
+        ...options,
+        stderrWrite: (s) => process.stderr.write(s),
+    });
+    process.exit(result.exitCode);
+}

package/dist/hooks/secret-scanner/index.js

@@ -127,7 +127,22 @@ const SECRET_PATTERNS = [
     {
         severity: 'HIGH',
         label: 'Supabase service role key (JWT)',
-        regex: /SUPABASE_SERVICE_ROLE_KEY\s*=\s*["']?eyJ[A-Za-z0-9._-]{50,}/g,
+        // 0.36.0 audit-trail (charter item 5 / 0.34.0 codex round-7 P2 #2):
+        // restore byte-parity with the pre-0.34.0 bash body. The bash hook
+        // required a quote introducer (`["']`, no `?`); only quoted
+        // assignments matched HIGH. Pre-fix this TS regex made the quote
+        // OPTIONAL (`["']?`), which upgraded an unquoted `.env` line like
+        // `SUPABASE_SERVICE_ROLE_KEY=eyJ...` from MEDIUM advisory (matched
+        // by the lower-down `.env credential assignment` pattern) to HIGH
+        // blocking. That over-blocks legitimate `.env` files committed to
+        // public repos and breaks parity with consumers still on the bash
+        // body. Fix: drop the `?` so the quote is required, matching bash
+        // exactly. Unquoted assignments continue to fire MEDIUM via the
+        // `.env credential assignment` pattern below (line ~190); the only
+        // change is that they no longer ALSO fire HIGH here. The `[\"']`
+        // character class accepts both single and double quotes
+        // (mirroring the bash `["\'"'"']` literal).
+        regex: /SUPABASE_SERVICE_ROLE_KEY\s*=\s*["']eyJ[A-Za-z0-9._-]{50,}/g,
     },
     // ── MEDIUM severity (advisory) ───────────────────────────────────
     {
@@ -153,10 +168,57 @@ const SECRET_PATTERNS = [
         label: 'Hardcoded DB connection string with password',
         regex: /postgresql:\/\/[^:]+:[^@]{8,}@/g,
     },
+    {
+        severity: 'MEDIUM',
+        label: 'Supabase service role key (JWT, unquoted non-.env shape)',
+        // 0.36.0 codex round-2 P1 → round-3 P3 → round-4 P1 evolution.
+        //
+        // Background:
+        //   - Round 1: 0.34.0-introduced HIGH regex had `["']?` (quote
+        //     optional) which over-blocked unquoted .env lines vs the
+        //     pre-0.34.0 bash baseline. Charter item 5 dropped the `?`.
+        //   - Round 2 P1: dropping the `?` left a gap for unquoted forms
+        //     outside `^FOO=` shape (`export FOO=…` etc.) that ALSO
+        //     existed in the bash baseline. Added an unquoted-anywhere
+        //     MEDIUM rule to close it.
+        //   - Round 3 P3: unquoted-anywhere double-fired with the broader
+        //     `.env credential assignment` MEDIUM on plain `^FOO=` lines.
+        //     Narrowed to only fire on 5 specific shell-keyword prefixes
+        //     (`export`, `readonly`, `declare`, `local`, `typeset`).
+        //   - Round 4 P1: too narrow — left other unquoted shapes
+        //     (Dockerfile `ENV FOO=…`, k8s manifests, ad-hoc shell
+        //     `FOO=…; bar`) entirely unscanned.
+        //
+        // Round-4 resolution: fire on any unquoted assignment that is
+        // NOT at the start of a line (`^`). The `.env credential
+        // assignment` MEDIUM pattern owns `^FOO=…`; this rule owns
+        // everything else (`ENV FOO=…`, `export FOO=…`, `; FOO=…`,
+        // template-string `${FOO=…}`, etc.). Implemented via a
+        // multi-line regex with a look-behind for "anything except a
+        // line start". JS regex doesn't support a direct "not at line
+        // start" assertion, so we require at least one non-newline char
+        // before `SUPABASE_SERVICE_ROLE_KEY` on the same line.
+        //
+        // The `(?!["'])` look-ahead refuses when the value starts with
+        // a quote so the same secret isn't double-reported by the HIGH
+        // pattern above. Result: each secret produces exactly one
+        // MEDIUM finding regardless of shape, and the HIGH rule keeps
+        // exclusive ownership of quoted forms.
+        regex: /(?<=[^\n\r])\bSUPABASE_SERVICE_ROLE_KEY\s*=\s*(?!["'])eyJ[A-Za-z0-9._-]{50,}/gm,
+    },
     {
         severity: 'MEDIUM',
         label: 'Supabase anon key in non-client context',
-        regex: /SUPABASE_ANON_KEY\s*=\s*["']?eyJ[A-Za-z0-9._-]{50,}/g,
+        // 0.36.0 audit-trail (charter item 5 / 0.34.0 codex round-7 P2 #2,
+        // sibling fix): same parity restoration as the SUPABASE_SERVICE_ROLE_KEY
+        // pattern above — bash hook required a quote introducer, TS pattern
+        // had it optional via `?`. Removed for byte-parity. Unquoted .env
+        // forms continue to be advisory via the broader `.env credential
+        // assignment` MEDIUM pattern (where SUPABASE_ANON_KEY is NOT one of
+        // the named keys — anon-key prose in unquoted .env is acceptable
+        // since anon keys are public; only QUOTED-in-source matches stay
+        // an advisory MEDIUM here).
+        regex: /SUPABASE_ANON_KEY\s*=\s*["']eyJ[A-Za-z0-9._-]{50,}/g,
     },
 ];
 /**

package/dist/hooks/settings-protection/index.d.ts

@@ -0,0 +1,74 @@
+/**
+ * Node-binary port of `hooks/settings-protection.sh`.
+ *
+ * 0.35.0 Phase 4 port. The LARGEST hook in the repo at 582 LOC of
+ * bash — this is the gate that protects `.claude/settings.json`,
+ * `.claude/hooks/*`, `.husky/*`, `.rea/policy.yaml`, and `.rea/HALT`
+ * from agent writes. Without it the entire governance layer can be
+ * disabled by an agent's own Write tool.
+ *
+ * Behavioral contract — preserves the bash hook section by section:
+ *
+ *   1. HALT check → exit 2 with shared banner.
+ *   2. Read stdin, extract `tool_input.file_path` (or `notebook_path`
+ *      via the shared Write payload parser). Missing → exit 0.
+ *
+ *   §5a Path-traversal reject (`..` segment in raw OR normalized form).
+ *   §5a-bis Interior `/./` segment reject (NORMALIZED form only).
+ *
+ *   §5b Extension-surface allow-list. `.husky/{commit-msg,pre-push,
+ *       pre-commit,prepare-commit-msg}.d/*` is the documented consumer
+ *       extension surface — fragments here are NOT protected, with
+ *       two defense-in-depth checks:
+ *         (a) Final-component symlink refusal (`fs.lstatSync().isSymbolicLink()`).
+ *         (b) Intermediate-directory symlink resolution — the parent's
+ *             realpath must STILL end in `/.husky/<surface>.d/` or
+ *             `/.husky/<surface>.d` (directory-boundary anchored per
+ *             0.20.1 helix-021 #3).
+ *
+ *   §6  Default-protected list resolution. Sourced from
+ *       `_lib/protected-paths.ts`'s `resolveProtectedPatterns` which
+ *       honors `protected_writes` (full override) and
+ *       `protected_paths_relax` (subtractor). Match runs case-insensitive.
+ *
+ *   §6c Intermediate-symlink resolution against the hard-protected list
+ *       (helix-016 H.1 fix). Parallel to §5b's surface-only check, this
+ *       runs against ANY protected pattern.
+ *
+ *   §6b REA_HOOK_PATCH_SESSION unlock for `.claude/hooks/` (the only
+ *       patch-session pattern). When the env var is set with a non-
+ *       empty reason, audit-log the edit (via the shared TS audit
+ *       primitive — directly, no shell-out gymnastics) and allow.
+ *       Audit-append failure is fail-closed — block the edit and
+ *       surface the failure. This preserves hash-chain integrity.
+ *
+ *   §6c-bis Patch-session patterns blocked when env var is NOT set.
+ *
+ * Stderr formatting is preserved verbatim from the bash hook so
+ * existing log-parsing consumers (if any) keep working.
+ */
+import type { Buffer } from 'node:buffer';
+export interface SettingsProtectionOptions {
+    reaRoot?: string;
+    stdinOverride?: string | Buffer;
+    stderrWrite?: (s: string) => void;
+    /** Test seam — overrides `process.env.REA_HOOK_PATCH_SESSION`. */
+    patchSessionOverride?: string;
+    /** Test seam — overrides `process.env.CLAUDE_SESSION_ID`. */
+    sessionIdOverride?: string;
+}
+export interface SettingsProtectionResult {
+    exitCode: number;
+    stderr: string;
+    /**
+     * When the gate blocks: the matched pattern (one of PROTECTED_PATTERNS,
+     * PATCH_SESSION_PATTERNS, or a §5a/§5a-bis sentinel string).
+     */
+    matched: string | null;
+    /** When the gate blocks via §5b extension-surface symlink refusal. */
+    surfaceSymlinkRefused: boolean;
+    /** When the gate allows under REA_HOOK_PATCH_SESSION. */
+    patchSessionAllowed: boolean;
+}
+export declare function runSettingsProtection(options?: SettingsProtectionOptions): Promise<SettingsProtectionResult>;
+export declare function runHookSettingsProtection(options?: SettingsProtectionOptions): Promise<void>;