@bookedsolid/rea 0.34.0 → 0.36.0

package/hooks/settings-protection.sh

@@ -1,582 +1,204 @@
 #!/bin/bash
 # PreToolUse hook: settings-protection.sh
-# Fires BEFORE every Write or Edit tool call.
-# Blocks modifications to critical configuration files that, if tampered with,
-# would disable the entire hook safety layer.
+# 0.35.0+ — Node-binary shim for `rea hook settings-protection`.
 #
-# Protected paths (security controls and hook infrastructure ONLY):
-#   .claude/settings.json       — hook configuration
-#   .claude/settings.local.json — local hook overrides
-#   .claude/hooks/*             — hook scripts themselves
-#   .husky/*                    — git hook scripts
-#   .rea/policy.yaml        — autonomy/blocking policy
-#   .rea/HALT               — kill switch file
+# Pre-0.35.0 this was the LARGEST hook in the repo at 582 LOC of bash:
+# §5a `..` traversal reject, §5a-bis interior `/./` reject, §5b
+# extension-surface allow-list (with final-component + intermediate-
+# directory symlink refusal), §6 hard-protected pattern resolution
+# (PROTECTED_PATTERNS sourced from `_lib/protected-paths.sh` with
+# `protected_writes` override + `protected_paths_relax` subtractor),
+# §6c intermediate-symlink resolution against the hard-protected list,
+# §6b REA_HOOK_PATCH_SESSION unlock for .claude/hooks/ with hash-
+# chained audit append (fail-closed). The full bash body is preserved
+# at `__tests__/hooks/parity/baselines/settings-protection.sh.pre-0.35.0`.
 #
-# NOT protected (operational files agents may legitimately write):
-#   .rea/review-cache.json  — cache file, writable by CLI and agents
-#   .rea/tasks.jsonl        — task store, managed by task MCP tools
+# The migration moves every section into
+# `src/hooks/settings-protection/index.ts`. This shim is the Claude Code
+# dispatcher's view of the hook — it forwards stdin to the CLI and
+# exits with whatever the CLI returns.
 #
-# Exit codes:
-#   0 = allow (path not protected)
-#   2 = block (protected path modification attempt)
-
-set -uo pipefail
-
-# ── 1. Read ALL stdin immediately ─────────────────────────────────────────────
-INPUT=$(cat)
-
-# ── 2. Dependency check ──────────────────────────────────────────────────────
-if ! command -v jq >/dev/null 2>&1; then
-  printf 'REA ERROR: jq is required but not installed.\n' >&2
-  printf 'Install: brew install jq  OR  apt-get install -y jq\n' >&2
-  exit 2
-fi
-
-# ── 3. HALT check ────────────────────────────────────────────────────────────
-# 0.16.0: HALT check sourced from shared _lib/halt-check.sh.
-# shellcheck source=_lib/halt-check.sh
-source "$(dirname "$0")/_lib/halt-check.sh"
-check_halt
-REA_ROOT=$(rea_root)
-
-# ── 4. Extract file path from payload ─────────────────────────────────────────
-FILE_PATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
-
-if [[ -z "$FILE_PATH" ]]; then
-  exit 0
-fi
-
-# ── 5. Normalize path for comparison ──────────────────────────────────────────
-# Convert to relative path from project root for consistent matching
-normalize_path() {
-  local p="$1"
-  local root="$REA_ROOT"
-
-  # Strip project root prefix if present
-  if [[ "$p" == "$root"/* ]]; then
-    p="${p#$root/}"
-  fi
-
-  # URL decode common sequences. Include %5C (`\`) so Windows-style or
-  # percent-encoded back-slash traversal (`..%5C`, `\..\`) normalizes to the
-  # forward-slash form the §5a detector sees.
-  p=$(printf '%s' "$p" \
-    | sed 's/%2[Ff]/\//g; s/%2[Ee]/./g; s/%20/ /g; s/%5[Cc]/\\/g')
-
-  # Translate any backslash separators to forward slashes. Keeps the traversal
-  # check in §5a working for `.claude\hooks\..\settings.json`-style inputs.
-  p=$(printf '%s' "$p" | tr '\\\\' '/')
-
-  # Strip leading ./ components only. We intentionally do NOT strip interior
-  # ./ sequences — that transformation corrupts `..` traversals (e.g. `.../`
-  # collapsed to `../`, or `../` collapsed to `./`) and hides traversal from
-  # the §5a detector.
-  while [[ "$p" == ./* ]]; do
-    p="${p#./}"
-  done
-
-  printf '%s' "$p"
-}
-
-# Strip C0/C1 control characters from a string to prevent terminal escape
-# injection when we echo protected paths back to the operator. Escape sequences
-# in file names could otherwise rewrite lines above the deny message.
-#
-# Byte ranges stripped:
-#   \000-\037  — C0 controls (BEL, BS, HT, LF, CR, ESC, …)
-#   \177       — DEL
-#   \200-\237  — C1 controls (CSI 0x9B, OSC 0x9D, …). Many terminals still
-#                interpret these as single-byte CSI introducers; without
-#                stripping, a UTF-8 file name whose bytes fall in this range
-#                could still drive the cursor on older emulators.
-sanitize_for_stderr() {
-  printf '%s' "$1" | LC_ALL=C tr -d '\000-\037\177\200-\237'
-}
-
-NORMALIZED=$(normalize_path "$FILE_PATH")
-SAFE_FILE_PATH=$(sanitize_for_stderr "$FILE_PATH")
-SAFE_NORMALIZED=$(sanitize_for_stderr "$NORMALIZED")
-
-# ── 5a. Reject path traversal segments (Codex HIGH: Defect I bypass) ─────────
-# A path containing `..` segments can be used to bypass the protected-path
-# globs in §6 — e.g. `.claude/hooks/../settings.json` would pass the
-# `.claude/hooks/*` case-glob in the patch-session allowlist but actually
-# refers to `.claude/settings.json`. We refuse any path that contains a `..`
-# segment in either the raw input OR the normalized form. The request must
-# be reissued with a canonical path.
-#
-# For the raw-input check, translate backslashes first so a Windows-style
-# `.claude\hooks\..\settings.json` is rejected at the raw stage too (the
-# normalized form also catches it — this is defense in depth).
-RAW_PATH_SLASHED=$(printf '%s' "$FILE_PATH" | tr '\\\\' '/')
-raw_has_traversal=0
-case "/$RAW_PATH_SLASHED/" in
-  */../*) raw_has_traversal=1 ;;
-esac
-norm_has_traversal=0
-case "/$NORMALIZED/" in
-  */../*) norm_has_traversal=1 ;;
-esac
-if [[ "$raw_has_traversal" -eq 1 ]] || [[ "$norm_has_traversal" -eq 1 ]]; then
-  {
-    printf 'SETTINGS PROTECTION: path traversal rejected\n'
-    printf '\n'
-    printf '  File: %s\n' "$SAFE_FILE_PATH"
-    printf "  Rule: path contains a '..' segment; rewrite to a canonical\n"
-    printf '        project-relative path without traversal.\n'
-  } >&2
-  exit 2
-fi
-
-# ── 5a-bis. Reject interior single-dot segments (0.29.0 helix-/./-class) ─────
-# Companion to the `..` guard above. The `normalize_path` helper deliberately
-# does NOT collapse interior `./` segments because doing so would corrupt
-# `..` traversals — but that leaves a parallel bypass class. A path like
-# `.husky/./pre-push` resolves on disk to `.husky/pre-push`, yet the literal/
-# prefix matchers in §6 compare against the un-collapsed `.husky/./pre-push`
-# string and miss the match.
+# Behavioral contract is preserved byte-for-byte: exit 0 on allow,
+# exit 2 on HALT / traversal-reject / interior-dot-reject / protected
+# match / patch-session-mismatch / malformed payload.
 #
-# Conservative reading (per Jake 2026-05-12): treat any interior `./`
-# segment exactly like a `..` segment — refuse outright, force the caller
-# to send a canonical path. The corpus design pairs shell-scripting-specialist
-# with adversarial-test-specialist; the canonical attack shapes are:
+# # CLI-resolution trust boundary
 #
-#   .husky/./pre-push                  — single segment
-#   .husky/././pre-push                — repeated segments
-#   .husky/.//pre-push                 — `./` immediately followed by another `/`
-#   .claude/hooks/./_lib/halt-check.sh — inside a protected directory
-#   %2E%2F                             — percent-encoded `./`, caught after URL-decode
-#   .\.\pre-push                       — backslash variant, normalize_path → `./`
+# Mirrors the 0.32.0 final shim shape.
 #
-# Only the NORMALIZED form is checked (not the raw form) because raw `./foo`
-# at start-of-string is a legitimate relative path; `normalize_path` already
-# strips leading `./` segments, so anything that survives into the normalized
-# form's `/./` shape is INTERIOR by construction.
-norm_has_dot_segment=0
-case "/$NORMALIZED/" in
-  */./*) norm_has_dot_segment=1 ;;
-esac
-if [[ "$norm_has_dot_segment" -eq 1 ]]; then
-  {
-    printf 'SETTINGS PROTECTION: interior dot-segment rejected\n'
-    printf '\n'
-    printf '  File: %s\n' "$SAFE_FILE_PATH"
-    printf "  Rule: path contains an interior '/./' segment; rewrite to a\n"
-    printf '        canonical project-relative path without dot segments.\n'
-  } >&2
-  exit 2
-fi
-
-# Compute lower-cased path early so the §5b allow-list (and §6/§6b matchers
-# below) all reference a single normalized variable.
-LOWER_NORM=$(printf '%s' "$NORMALIZED" | tr '[:upper:]' '[:lower:]')
-
-# ── 5b. Extension-surface allow-list ──────────────────────────────────────────
-# `.husky/commit-msg.d/*`, `.husky/pre-push.d/*`, and (0.32.0+)
-# `.husky/prepare-commit-msg.d/*` are the documented consumer
-# extension surface (Fix H / 0.13.0; Phase 3 / 0.32.0 for the
-# prepare-commit-msg lane). Consumers — and the agents that govern
-# those consumers — are expected to write here freely so they can
-# layer commitlint, lint-staged, branch-policy, act-CI, etc. without
-# losing rea coverage on `rea upgrade`.
-#
-# The §6 PROTECTED_PATTERNS list below has `.husky/` as a prefix block,
-# which (correctly) keeps `.husky/pre-push`, `.husky/commit-msg`, and
-# the `.husky/_/*` runtime stubs out of agent reach. But the same prefix
-# also caught `.husky/pre-push.d/00-act-ci` and `.husky/commit-msg.d/*`
-# until 0.13.2 — the very directories advertised as the extension
-# surface. This early allow-list closes that contract gap.
+# # Fail-closed posture
 #
-# Anchored on the literal `.d/` segment (not `.d`) so `.husky/pre-push.d.bak/`
-# or `.husky/pre-push.dump` still hit the prefix block. Nested fragments
-# (e.g. `pre-push.d/sub/file`) are allowed so the surface composes naturally.
+# settings-protection is THE gate protecting the entire governance layer
+# from agent self-disable. Pre-0.35.0 the bash body enforced refusal
+# without any compiled CLI; the Node-binary port preserves that — early-
+# exit branches fail closed AFTER the relevance pre-gate passes.
 #
-# SECURITY: runs AFTER §5a (path-traversal reject), so a clever
-# `.husky/pre-push.d/../pre-push` cannot bypass §6's protection of the
-# package-managed body — §5a kills it before this matcher runs.
+# # Relevance pre-gate
 #
-# SECURITY (defense-in-depth): symlinks INSIDE the .d/ surface are
-# refused — both final-component AND intermediate-directory symlinks.
-# A fragment is a short shell script authored in place; consumers do
-# not need symlinks here. Without these checks the gate has two
-# bypass shapes:
+# Substring scan over the extracted file_path / notebook_path for the
+# protected-path markers (.claude/, .husky/, .rea/policy.yaml, .rea/HALT,
+# the verdict cache paths, plus any policy.blocked_paths entry). When
+# CLI is missing AND none of these substrings appear in the payload's
+# file path, exit 0. The pre-0.35.0 bash body would have allowed.
 #
-#   (a) Final-component symlink:
-#       ln -s ../pre-push .husky/pre-push.d/00-evil; write 00-evil
-#       — caught by `[ -L "$FILE_PATH" ]`.
-#
-#   (b) Intermediate-directory symlink (helix Finding 2 / 0.15.0):
-#       mkdir .husky/pre-push.d; ln -s ../ .husky/pre-push.d/linkdir
-#       write .husky/pre-push.d/linkdir/pre-push
-#       — `[ -L $FILE_PATH ]` only inspects the FINAL component, so a
-#       not-yet-existing target whose parent contains a symlink resolves
-#       to outside the surface (here: `.husky/pre-push`), letting the
-#       attacker write through to the package-managed body.
-#
-# Resolve the realpath of the parent directory and require it to live
-# under the literal extension surface. Use a portable `cd ... && pwd -P`
-# subshell pattern (no Python or readlink -f dependency required).
-# Closes the path-string→symlink bypass completely.
-case "$LOWER_NORM" in
-  .husky/commit-msg.d/*|.husky/pre-push.d/*|.husky/prepare-commit-msg.d/*)
-    if [ -L "$FILE_PATH" ]; then
-      {
-        printf 'SETTINGS PROTECTION: symlink in extension surface refused\n'
-        printf '\n'
-        printf '  File: %s\n' "$SAFE_FILE_PATH"
-        printf '  Rule: .husky/{commit-msg,pre-push,prepare-commit-msg}.d/* must\n'
-        printf '        be regular files (a symlink could resolve to a protected\n'
-        printf '        package-managed body and bypass §6 protection).\n'
-      } >&2
-      exit 2
-    fi
-    # Resolve the parent directory's realpath. If any intermediate
-    # component is a symlink whose target leaves the surface, the
-    # resolved path no longer contains `/.husky/<surface>.d/` and we
-    # refuse. The parent dir must already exist for this check; if it
-    # doesn't, the write is creating the parent, in which case there
-    # is no intermediate symlink to follow yet.
-    parent_dir=$(dirname -- "$FILE_PATH")
-    if [ -d "$parent_dir" ]; then
-      resolved_parent=$(cd -P -- "$parent_dir" 2>/dev/null && pwd -P 2>/dev/null) || resolved_parent=""
-      if [ -n "$resolved_parent" ]; then
-        # 0.20.1 helix-021 #3: directory-boundary on the case glob.
-        # Pre-fix `*"/.husky/commit-msg.d"*` matched `.husky/commit-msg.d.bak/`
-        # too (substring without trailing-slash anchor). A symlink
-        # `.husky/pre-push.d/linkdir -> ../pre-push.d.bak` then resolved
-        # to `.husky/pre-push.d.bak/...` and slipped through.
-        # The trailing `/` on each pattern (and the explicit
-        # exact-match arm) requires a real directory boundary.
-        # 0.32.0 Phase 3: `.husky/prepare-commit-msg.d/` joins the
-        # allow-list (mirrors commit-msg.d/pre-push.d patterns).
-        case "$resolved_parent" in
-          */.husky/commit-msg.d|*/.husky/commit-msg.d/*|*/.husky/pre-push.d|*/.husky/pre-push.d/*|*/.husky/prepare-commit-msg.d|*/.husky/prepare-commit-msg.d/*) : ;;
-          *)
-            {
-              printf 'SETTINGS PROTECTION: extension path resolves outside surface\n'
-              printf '\n'
-              printf '  Logical:  %s\n' "$SAFE_FILE_PATH"
-              printf '  Resolved: %s\n' "$resolved_parent"
-              printf '  Rule: an intermediate directory of the extension path is a\n'
-              printf '        symlink whose target leaves .husky/{commit-msg,pre-push,prepare-commit-msg}.d/.\n'
-              printf '        Refused to prevent symlinked-parent bypass of the\n'
-              printf '        package-managed body protection.\n'
-            } >&2
-            exit 2
-          ;;
-        esac
-      fi
-    fi
-    # Documented extension surface — agents can write here freely.
-    exit 0
-    ;;
-esac
-
-# ── 6. Protected path patterns ────────────────────────────────────────────────
-# §6 runs BEFORE the patch-session allowlist so hook-patch sessions cannot
-# reach .rea/policy.yaml, .rea/HALT, or .claude/settings.json via any glob
-# creativity.
+# # Bootstrap safety
 #
-# 0.16.3 F7: list is sourced from `_lib/protected-paths.sh`, which honors
-# the `protected_paths_relax` policy key (kill-switch invariants always
-# stay protected — see the lib for the always-protected subset).
-# shellcheck source=_lib/protected-paths.sh
-source "$(dirname "$0")/_lib/protected-paths.sh"
-# Trigger lazy load now so PROTECTED_PATTERNS reflects the relaxed list
-# from the start of this hook process.
-rea_path_is_protected "/__rea_force_load__" >/dev/null 2>&1 || true
-PROTECTED_PATTERNS=("${REA_PROTECTED_PATTERNS[@]}")
-
-# Patterns that are protected from general agent edits but can be unlocked by
-# REA_HOOK_PATCH_SESSION. Kept separate from the hard-protected list above so
-# the patch-session gate in §6b only applies to these directories.
-PATCH_SESSION_PATTERNS=(
-  '.claude/hooks/'
-)
-
-# LOWER_NORM was computed in §5b above and is reused here.
-
-# Match $NORMALIZED against PROTECTED_PATTERNS (exact or prefix for patterns
-# ending in '/'). Sets $PROTECTED_MATCH to the matched pattern; exit 0 on hit.
-match_protected() {
-  local pattern
-  PROTECTED_MATCH=""
-  for pattern in "${PROTECTED_PATTERNS[@]}"; do
-    if [[ "$NORMALIZED" == "$pattern" ]]; then
-      PROTECTED_MATCH="$pattern"
-      return 0
-    fi
-    if [[ "$pattern" == */ ]] && [[ "$NORMALIZED" == "$pattern"* ]]; then
-      PROTECTED_MATCH="$pattern"
-      return 0
-    fi
-  done
-  return 1
-}
+# This shim is ITSELF protected by `settings-protection.sh`. The new
+# shim must not block legitimate writes — the `bash -n` syntax check
+# in the test:bash-syntax script catches parse errors BEFORE the
+# install lands them. The relevance pre-gate keeps benign writes (like
+# editing `src/foo.ts`) exiting 0 even when the CLI is missing.
 
-match_protected_ci() {
-  local pattern lp
-  PROTECTED_MATCH=""
-  for pattern in "${PROTECTED_PATTERNS[@]}"; do
-    lp=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
-    if [[ "$LOWER_NORM" == "$lp" ]]; then
-      PROTECTED_MATCH="$pattern"
-      return 0
-    fi
-    if [[ "$lp" == */ ]] && [[ "$LOWER_NORM" == "$lp"* ]]; then
-      PROTECTED_MATCH="$pattern"
-      return 0
-    fi
-  done
-  return 1
-}
+set -uo pipefail
 
-match_patch_session() {
-  local pattern
-  PROTECTED_MATCH=""
-  for pattern in "${PATCH_SESSION_PATTERNS[@]}"; do
-    if [[ "$NORMALIZED" == "$pattern" ]]; then
-      PROTECTED_MATCH="$pattern"
-      return 0
-    fi
-    if [[ "$pattern" == */ ]] && [[ "$NORMALIZED" == "$pattern"* ]]; then
-      PROTECTED_MATCH="$pattern"
-      return 0
-    fi
-  done
-  return 1
-}
+# 1. HALT check.
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
+check_halt
+REA_ROOT=$(rea_root)
 
-match_patch_session_ci() {
-  local pattern lp
-  PROTECTED_MATCH=""
-  for pattern in "${PATCH_SESSION_PATTERNS[@]}"; do
-    lp=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
-    if [[ "$LOWER_NORM" == "$lp" ]]; then
-      PROTECTED_MATCH="$pattern"
-      return 0
-    fi
-    if [[ "$lp" == */ ]] && [[ "$LOWER_NORM" == "$lp"* ]]; then
-      PROTECTED_MATCH="$pattern"
-      return 0
-    fi
-  done
-  return 1
-}
+proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
 
-if match_protected; then
-  {
-    printf 'SETTINGS PROTECTION: Modification blocked\n'
-    printf '\n'
-    printf '  File: %s\n' "$SAFE_FILE_PATH"
-    printf '  Matched: %s\n' "$PROTECTED_MATCH"
-    printf '  Rule: This file is protected from agent modification, including\n'
-    printf '        sessions with REA_HOOK_PATCH_SESSION set.\n'
-  } >&2
-  exit 2
-fi
+# 2. Capture stdin once.
+INPUT=$(cat)
 
-if match_protected_ci; then
-  {
-    printf 'SETTINGS PROTECTION: Modification blocked (case-insensitive match)\n'
-    printf '\n'
-    printf '  File: %s\n' "$SAFE_FILE_PATH"
-    printf '  Matched: %s\n' "$PROTECTED_MATCH"
-  } >&2
-  exit 2
+# 3. Resolve the rea CLI through the fixed 2-tier sandboxed order.
+REA_ARGV=()
+RESOLVED_CLI_PATH=""
+if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
+elif [ -f "$proj/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
 fi
 
-# ── 6c. Intermediate-symlink resolution (0.16.0 fix H.1) ──────────────────────
-# Helix Finding 2 reborn against the hard-protected list. The §5b
-# extension-surface fix (0.13.2) resolved parent realpath for the
-# `.husky/{commit-msg,pre-push}.d/*` allowlist; §6 was never given the
-# same protection. Attack:
-#
-#   mkdir innocuous_path
-#   ln -s ../.husky innocuous_path/maybe   # symlink resolves to .husky/
-#   write innocuous_path/maybe/pre-push    # writes through to .husky/pre-push
-#
-# §5a (`..` traversal) doesn't catch — the path string has no `..`.
-# §6 PROTECTED_PATTERNS sees `innocuous_path/maybe/pre-push` — doesn't
-# match `.husky/` prefix. The write succeeds and the package-managed
-# pre-push body is overwritten.
-#
-# Fix: when the parent directory of the target exists, resolve its
-# realpath via cd -P && pwd -P (same shape as §5b) and check whether
-# the resolved path falls inside any protected directory. Only resolve
-# when the parent already exists — a write that creates the parent has
-# nothing to follow.
-if [[ -e "$FILE_PATH" || -d "$(dirname -- "$FILE_PATH")" ]]; then
-  parent_dir=$(dirname -- "$FILE_PATH")
-  if [[ -d "$parent_dir" ]]; then
-    resolved_parent=$(cd -P -- "$parent_dir" 2>/dev/null && pwd -P 2>/dev/null) || resolved_parent=""
-    if [[ -n "$resolved_parent" ]]; then
-      # If the resolved parent is inside REA_ROOT, compute the project-
-      # relative path and test it against the protected patterns.
-      if [[ "$resolved_parent" == "$REA_ROOT"/* ]]; then
-        relative_resolved="${resolved_parent#"$REA_ROOT"/}"
-        # Walk every PROTECTED_PATTERN that's a directory prefix and
-        # check whether the resolved parent falls inside it. Direct
-        # filename matches against PROTECTED_PATTERNS for the resolved
-        # final path (parent + basename).
-        resolved_target="${relative_resolved}/$(basename -- "$FILE_PATH")"
-        resolved_target_lc=$(printf '%s' "$resolved_target" | tr '[:upper:]' '[:lower:]')
-        for pattern in "${PROTECTED_PATTERNS[@]}"; do
-          pattern_lc=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
-          if [[ "$resolved_target_lc" == "$pattern_lc" ]] || \
-             { [[ "$pattern_lc" == */ ]] && [[ "$resolved_target_lc" == "$pattern_lc"* ]]; }; then
-            {
-              printf 'SETTINGS PROTECTION: intermediate-symlink resolution blocked\n'
-              printf '\n'
-              printf '  Logical:  %s\n' "$SAFE_FILE_PATH"
-              printf '  Resolved: %s\n' "$resolved_target"
-              printf '  Matched:  %s\n' "$pattern"
-              printf '  Rule: an intermediate directory of the target path is a\n'
-              printf '        symlink whose target falls inside a hard-protected\n'
-              printf '        path. Refused to prevent symlinked-parent bypass.\n'
-            } >&2
-            exit 2
-          fi
-        done
-      fi
-    fi
+# 3b. Relevance pre-gate. Only used when the CLI is missing.
+if [ "${#REA_ARGV[@]}" -eq 0 ]; then
+  CLI_MISSING_FILE_PATH=""
+  if command -v jq >/dev/null 2>&1; then
+    CLI_MISSING_FILE_PATH=$(printf '%s' "$INPUT" | jq -r '
+      (.tool_input.file_path // .tool_input.notebook_path // "") | tostring
+    ' 2>/dev/null || true)
+  else
+    CLI_MISSING_FILE_PATH="$INPUT"
   fi
-fi
-
-# ── 6b. Hook-patch session (Defect I / rea#76) ───────────────────────────────
-# When REA_HOOK_PATCH_SESSION is set to a non-empty reason, allow edits under
-# .claude/hooks/ and hooks/ for this session. The session boundary IS the
-# expiry — a new shell requires a fresh opt-in. Every allowed edit is audited
-# as hooks.patch.session so the bypass is never silent.
-#
-# SECURITY: runs AFTER §5a (traversal reject) and §6 (hard-protected denies),
-# so no glob creativity can reach policy/HALT/settings files from here.
-if [[ -n "${REA_HOOK_PATCH_SESSION:-}" ]]; then
-  if match_patch_session; then
-    SAFE_REASON=$(sanitize_for_stderr "${REA_HOOK_PATCH_SESSION}")
-    # Audit record via the TypeScript chain so the hash chain stays intact.
-    # If the append fails, block the edit — silent failure would let an
-    # attacker disable audit logging and then patch hooks unobserved.
-    SHA_BEFORE=""
-    if [[ -f "$FILE_PATH" ]]; then
-      if command -v sha256sum >/dev/null 2>&1; then
-        SHA_BEFORE=$(sha256sum "$FILE_PATH" 2>/dev/null | awk '{print $1}')
-      elif command -v shasum >/dev/null 2>&1; then
-        SHA_BEFORE=$(shasum -a 256 "$FILE_PATH" 2>/dev/null | awk '{print $1}')
-      elif command -v openssl >/dev/null 2>&1; then
-        SHA_BEFORE=$(openssl dgst -sha256 "$FILE_PATH" 2>/dev/null | awk '{print $NF}')
-      fi
-    fi
-    ACTOR_NAME=$(git -C "$REA_ROOT" config user.name 2>/dev/null || printf 'unknown')
-    ACTOR_EMAIL=$(git -C "$REA_ROOT" config user.email 2>/dev/null || printf 'unknown')
-
-    AUDIT_PAYLOAD=$(
-      cd "$REA_ROOT" 2>/dev/null || true
-      REA_AUDIT_REASON="${REA_HOOK_PATCH_SESSION}" \
-      REA_AUDIT_FILE="$NORMALIZED" \
-      REA_AUDIT_SHA="$SHA_BEFORE" \
-      REA_AUDIT_ACTOR_NAME="$ACTOR_NAME" \
-      REA_AUDIT_ACTOR_EMAIL="$ACTOR_EMAIL" \
-      REA_AUDIT_PID="$$" \
-      REA_AUDIT_PPID="$PPID" \
-      REA_AUDIT_SESSION="${CLAUDE_SESSION_ID:-external}" \
-      REA_AUDIT_ROOT="$REA_ROOT" \
-      node --input-type=module -e '
-        const root = process.env.REA_AUDIT_ROOT;
-        async function loadMod() {
-          // Consumer path: `@bookedsolid/rea` resolvable via node_modules
-          // (how `rea init`-installed consumers reach the published package)
-          // or via package self-reference when the hook runs inside the rea
-          // source repo itself.
-          try {
-            return await import("@bookedsolid/rea/audit");
-          } catch (e1) {
-            // Dev path: direct file import from the source repos dist/.
-            try {
-              return await import(root + "/dist/audit/append.js");
-            } catch (e2) {
-              process.stderr.write(
-                "audit import failed: package=" + (e1 && e1.message ? e1.message : e1) +
-                "; dist=" + (e2 && e2.message ? e2.message : e2) + "\n");
-              process.exit(1);
-            }
-          }
+  if [ -z "$CLI_MISSING_FILE_PATH" ]; then
+    exit 0
+  fi
+  CLI_MISSING_RELEVANT=0
+  case "$CLI_MISSING_FILE_PATH" in
+    *".claude/settings"*) CLI_MISSING_RELEVANT=1 ;;
+    *".claude/hooks/"*) CLI_MISSING_RELEVANT=1 ;;
+    *".husky/"*) CLI_MISSING_RELEVANT=1 ;;
+    *".rea/policy.yaml"*) CLI_MISSING_RELEVANT=1 ;;
+    *".rea/HALT"*) CLI_MISSING_RELEVANT=1 ;;
+    *".rea/last-review"*) CLI_MISSING_RELEVANT=1 ;;
+    *".claude\\"*|*".husky\\"*|*".rea\\"*) CLI_MISSING_RELEVANT=1 ;;
+    *"..%2F"*|*"%2E%2E"*) CLI_MISSING_RELEVANT=1 ;;
+  esac
+  # Codex round-1 P2 fix: scan policy.protected_writes entries too so a
+  # consumer-defined protected path isn't silently allowed when the CLI
+  # is missing.
+  if [ "$CLI_MISSING_RELEVANT" -eq 0 ]; then
+    POLICY_FILE="${REA_ROOT}/.rea/policy.yaml"
+    if [ -f "$POLICY_FILE" ]; then
+      while IFS= read -r entry; do
+        [ -z "$entry" ] && continue
+        base="$entry"
+        case "$base" in
+          */) base="${base%/}" ;;
+        esac
+        [ -z "$base" ] && continue
+        case "$CLI_MISSING_FILE_PATH" in
+          *"$base"*) CLI_MISSING_RELEVANT=1; break ;;
+        esac
+      done < <(awk '
+        /^protected_writes:/ { in_block=1; next }
+        in_block && /^[[:space:]]*-/ {
+          sub(/^[[:space:]]*-[[:space:]]*/, "")
+          gsub(/^["'\'']/, "")
+          gsub(/["'\'']$/, "")
+          print
+          next
         }
-        (async () => {
-          const mod = await loadMod();
-          try {
-            await mod.appendAuditRecord(root, {
-              session_id: process.env.REA_AUDIT_SESSION,
-              tool_name: "hooks.patch.session",
-              server_name: "rea",
-              tier: "write",
-              status: "allowed",
-              autonomy_level: "unknown",
-              duration_ms: 0,
-              metadata: {
-                reason: process.env.REA_AUDIT_REASON,
-                file: process.env.REA_AUDIT_FILE,
-                sha_before: process.env.REA_AUDIT_SHA,
-                actor: {
-                  name: process.env.REA_AUDIT_ACTOR_NAME,
-                  email: process.env.REA_AUDIT_ACTOR_EMAIL,
-                },
-                pid: Number(process.env.REA_AUDIT_PID),
-                ppid: Number(process.env.REA_AUDIT_PPID),
-              },
-            });
-            process.exit(0);
-          } catch (e) {
-            process.stderr.write("audit append failed: " + (e && e.message ? e.message : e) + "\n");
-            process.exit(1);
-          }
-        })();
-      ' 2>&1
-    )
-    AUDIT_EXIT=$?
-    if [[ "$AUDIT_EXIT" -ne 0 ]]; then
-      # Fail closed. We deliberately do NOT fall back to a raw `jq … >> audit`
-      # write: that path skips prev_hash/hash computation and would silently
-      # degrade the hash-chain integrity the rest of REA (and `rea audit verify`)
-      # relies on. If the TypeScript chain is unavailable (no `dist/`, missing
-      # Node, broken import), refuse the hook-patch edit and surface why. The
-      # operator resolves by building the package (`pnpm build`) or running
-      # against a published install that ships `dist/`.
-      {
-        printf 'SETTINGS PROTECTION: audit-append failed; refusing hook-patch edit\n'
-        printf '  File: %s\n' "$SAFE_FILE_PATH"
-        printf '  Rule: hash-chained audit is required; no raw-jq fallback.\n'
-        printf '  Detail: %s\n' "$(sanitize_for_stderr "$AUDIT_PAYLOAD")"
-      } >&2
-      exit 2
+        in_block && /^[^[:space:]-]/ { in_block=0 }
+      ' "$POLICY_FILE" 2>/dev/null)
     fi
-    printf 'REA_HOOK_PATCH_SESSION: allowing edit to %s (reason: %s)\n' \
-      "$SAFE_NORMALIZED" "$SAFE_REASON" >&2
+  fi
+  if [ "$CLI_MISSING_RELEVANT" -eq 0 ]; then
     exit 0
   fi
+  printf 'rea: settings-protection cannot run — the rea CLI is not built.\n' >&2
+  printf 'Run `pnpm install && pnpm build` (or `npm install` for a consumer install) to restore protection.\n' >&2
+  printf 'This shim fails closed because the pre-0.35.0 bash body enforced protected-path refusal without a CLI.\n' >&2
+  exit 2
+fi
+
+# 4. Realpath sandbox check.
+if ! command -v node >/dev/null 2>&1; then
+  printf 'rea: settings-protection cannot run — `node` is not on PATH.\n' >&2
+  printf 'Install Node 22+ (engines.node) to restore protected-path refusal.\n' >&2
+  exit 2
 fi
 
-# ── 6c. Patch-session patterns are still blocked when env var is NOT set ─────
-if match_patch_session; then
-  {
-    printf 'SETTINGS PROTECTION: Modification blocked\n'
-    printf '\n'
-    printf '  File: %s\n' "$SAFE_FILE_PATH"
-    printf '  Matched: %s\n' "$PROTECTED_MATCH"
-    printf '  Rule: Files under this path are protected. To apply an upstream\n'
-    printf '        hook finding, set REA_HOOK_PATCH_SESSION=<reason> and retry.\n'
-  } >&2
+sandbox_check=$(node -e '
+  const fs = require("fs");
+  const path = require("path");
+  const cli = process.argv[1];
+  const projDir = process.argv[2];
+  let real, realProj;
+  try { real = fs.realpathSync(cli); } catch (e) {
+    process.stdout.write("bad:realpath"); process.exit(1);
+  }
+  try { realProj = fs.realpathSync(projDir); } catch (e) {
+    process.stdout.write("bad:realpath-proj"); process.exit(1);
+  }
+  const sep = path.sep;
+  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
+  if (!(real === realProj || real.startsWith(projWithSep))) {
+    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
+  }
+  // Codex round-1 P1 fix: enforce dist/cli/index.js shape so a
+  // workspace attacker who repoints node_modules/@bookedsolid/rea or
+  // dist at an arbitrary in-project JS file cannot execute it as the
+  // trusted gate CLI. Pre-0.35.0 shims had this check; the 0.34.0
+  // round-8 template dropped it; restored here.
+  const expectedEnd = path.join("dist", "cli", "index.js");
+  if (!real.endsWith(path.sep + expectedEnd) && real !== "/" + expectedEnd) {
+    process.stdout.write("bad:cli-shape"); process.exit(1);
+  }
+  let cur = path.dirname(path.dirname(path.dirname(real)));
+  let found = false;
+  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
+    const pj = path.join(cur, "package.json");
+    if (fs.existsSync(pj)) {
+      try {
+        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
+        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
+      } catch (e) { /* keep walking */ }
+    }
+    cur = path.dirname(cur);
+  }
+  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
+  process.stdout.write("ok");
+' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
+
+if [ "$sandbox_check" != "ok" ]; then
+  printf 'rea: settings-protection FAILED sandbox check (%s) — refusing.\n' "$sandbox_check" >&2
   exit 2
 fi
 
-if match_patch_session_ci; then
-  {
-    printf 'SETTINGS PROTECTION: Modification blocked (case-insensitive match)\n'
-    printf '\n'
-    printf '  File: %s\n' "$SAFE_FILE_PATH"
-    printf '  Matched: %s\n' "$PROTECTED_MATCH"
-  } >&2
+# 5. Version-probe.
+probe_out=$("${REA_ARGV[@]}" hook settings-protection --help 2>&1)
+probe_status=$?
+if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'settings-protection'; then
+  printf 'rea: this shim requires the `rea hook settings-protection` subcommand (introduced in 0.35.0).\n' >&2
+  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
+  printf 'Run `pnpm install` (or `npm install`) to sync the CLI; refusing in the meantime to preserve enforcement.\n' >&2
   exit 2
 fi
 
-exit 0
+# 6. Forward stdin (already captured up-front).
+printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook settings-protection
+exit $?