@bookedsolid/rea 0.34.0 → 0.36.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.34.0",
+  "version": "0.36.0",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",
@@ -95,8 +95,9 @@
   "scripts": {
     "build": "tsc -p tsconfig.build.json",
     "postinstall": "node scripts/postinstall.mjs",
-    "lint": "pnpm run lint:regex && eslint .",
+    "lint": "pnpm run lint:regex && pnpm run lint:awk-quotes && eslint .",
     "lint:regex": "node scripts/lint-safe-regex.mjs",
+    "lint:awk-quotes": "node scripts/lint-awk-shim-quotes.mjs",
     "format": "prettier --write .",
     "format:check": "prettier --check .",
     "test": "pnpm run build && pnpm run test:dogfood && pnpm run test:bash-syntax && node scripts/run-vitest.mjs",

package/scripts/lint-awk-shim-quotes.mjs

@@ -0,0 +1,386 @@
+#!/usr/bin/env node
+// G — Static lint for `awk '...'` blocks embedded in bash hooks.
+//
+// 0.36.0 charter item 3 / 0.34.0 round-4 + round-6 regression class.
+//
+// # The class
+//
+// Bash hooks frequently embed an awk script inside a bash-single-quoted
+// argument:
+//
+//   awk '
+//     # awk comment
+//     { print $1 }
+//   '
+//
+// Bash single-quoted strings have one rule: NO escape sequences inside.
+// The string ends at the next unescaped `'`. If any character inside the
+// awk body is a literal `'`, bash terminates the string THERE — the rest
+// of the awk body is then re-parsed as bash, almost always producing a
+// `syntax error near unexpected token` or worse, silently shelling out
+// to whatever follows.
+//
+// The 0.34.0 marathon hit this twice — once at round-4, once at round-6.
+// The round-6 instance locked the entire repo (every Bash refused at
+// hook parse time because every hook sourced `_lib/cmd-segments.sh`,
+// which crashed at parse). Repair required out-of-session `git apply`.
+//
+// # The lint
+//
+// For each `*.sh` under `hooks/` and `.claude/hooks/` (dogfood mirror),
+// find every `awk '<NL>` block opening (the awk-with-multiline-body
+// shape that the marathon class triggers in), scan inward until the
+// matching unescaped `'`, and flag any line inside that:
+//
+//   - Starts with optional whitespace then `#` (a comment line in awk),
+//   - Contains a literal `'`.
+//
+// We deliberately do NOT lint inline awk one-liners (`awk '{ print $1 }'`
+// on one line) because those have no comment lines by construction —
+// the bug class only manifests in multi-line awk bodies.
+//
+// # Wired into `pnpm lint`
+//
+// `package.json#scripts.lint` chains `lint:awk-quotes` before eslint, in
+// the same posture as `lint:regex`. A failure here means a `'` ended up
+// in an awk comment in a shipped hook body; the diff that introduced it
+// would have parse-failed the hook at runtime (the way 0.34.0 round-6
+// did). CI catches it before it ships.
+//
+// Mirrors-coverage rationale: `.claude/hooks/` is rea's own dogfood
+// mirror. `tools/check-dogfood-drift.mjs` already enforces byte-equality
+// between `hooks/*.sh` and `.claude/hooks/*.sh`, but this lint runs
+// BEFORE that gate during a typical edit cycle, and a drifted mirror
+// could still ship if the drift gate is bypassed. Lint both for
+// defense-in-depth.
+
+import { readdirSync, readFileSync, existsSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import path from 'node:path';
+
+const here = path.dirname(fileURLToPath(import.meta.url));
+const repoRoot = path.resolve(here, '..');
+
+// 0.36.0 codex round-5 P2 #1: extended coverage. Originally the
+// SCAN_DIRS list only covered `hooks/` and `.claude/hooks/` — but the
+// package also ships awk-heavy shell scripts in `.husky/` (e.g.
+// `prepare-commit-msg`) and `templates/` (e.g.
+// `local-review-gate.dogfood-staged.sh`). A bare-apostrophe regression
+// in those surfaces would have shipped silently. Adding them here
+// pulls them under the same gate. Each path is checked for existence
+// in `listShellFiles` so a profile that omits the directory still
+// works.
+const SCAN_DIRS = [
+  path.join(repoRoot, 'hooks'),
+  path.join(repoRoot, 'hooks', '_lib'),
+  path.join(repoRoot, '.claude', 'hooks'),
+  path.join(repoRoot, '.claude', 'hooks', '_lib'),
+  // 0.36.0 codex round-5 P2 #1 additions.
+  path.join(repoRoot, '.husky'),
+  path.join(repoRoot, 'templates'),
+];
+
+/**
+ * List shell-script files directly under the given directory
+ * (non-recursive). A file qualifies if it ends in `.sh` OR its
+ * first line is a `#!/...sh`/`#!/...bash` shebang (for extensionless
+ * husky hooks like `.husky/pre-push`).
+ *
+ * Returns empty array if the directory doesn't exist.
+ *
+ * 0.36.0 codex round-5 P2 #1: pre-fix required `.sh` extension, which
+ * skipped every `.husky/` file (they're shipped extensionless).
+ */
+function listShellFiles(dir) {
+  if (!existsSync(dir)) return [];
+  const entries = readdirSync(dir, { withFileTypes: true });
+  const out = [];
+  for (const e of entries) {
+    if (!e.isFile()) continue;
+    const full = path.join(dir, e.name);
+    // Codex round-7 P2: `.patch` files are unified diffs (hunk-prefixed
+    // lines, comments interleaved with `+`/`-`/` `), NOT raw shell. The
+    // scanFile function only understands shell syntax, so feeding a
+    // patch through it generates false-positives on benign comment-
+    // hunks like `+# this isn't related to awk`. Skip patches; the
+    // hook body the patch SHIPS TO will be linted directly once
+    // applied, which is the more reliable signal anyway.
+    if (e.name.endsWith('.sh')) {
+      out.push(full);
+      continue;
+    }
+    // Extensionless: check shebang.
+    try {
+      const head = readFileSync(full, 'utf8').slice(0, 64);
+      if (/^#!.*\b(sh|bash|zsh|dash|ksh)\b/.test(head)) {
+        out.push(full);
+      }
+    } catch {
+      // unreadable — skip silently
+    }
+  }
+  return out;
+}
+
+/**
+ * Scan a single `.sh` file for `awk '` opening blocks (multi-line body
+ * shape: `awk '` at end of a line, OR `awk '` followed by newline). For
+ * each open block, walk lines until the closing unescaped `'` and flag
+ * any comment line containing a literal `'`.
+ *
+ * Returns an array of `{file, line, content, reason}` findings.
+ */
+function scanFile(file) {
+  const text = readFileSync(file, 'utf8');
+  const lines = text.split('\n');
+  const findings = [];
+
+  let inAwkBlock = false;
+  let awkStartLine = -1;
+
+  for (let i = 0; i < lines.length; i += 1) {
+    const line = lines[i];
+
+    if (!inAwkBlock) {
+      // Detect block opening: any line containing the `awk` keyword
+      // that opens an awk-arg single-quote which DOESN'T close on
+      // the same line. Real-corpus shapes that must trigger:
+      //
+      //   awk '                                        ← bare
+      //   ... | awk '                                   ← piped
+      //   ... | awk -v key=val '                        ← -v vars
+      //   foo=$(awk -v a="$x" -v b="$y" '              ← multi-var
+      //   awk -F: '                                     ← field-sep
+      //   awk -v msg="can't" '                          ← -v with `'` in DQ-arg
+      //   awk 'BEGIN { ... }                            ← body starts on opener
+      //   ... | awk 'BEGIN { x = 1                      ← body starts on opener
+      //
+      // And must NOT trigger on:
+      //
+      //   # Example: awk '...'                          ← shell comment about awk
+      //   awk '{print $1}'                              ← one-liner (no multi-line)
+      //
+      // Algorithm:
+      //   1. Skip shell-comment lines (leading `#`).
+      //   2. Require the `awk` keyword somewhere on the line.
+      //   3. Strip benign bash quote-escape sequences.
+      //   4. Count remaining `'`. An odd count means the line opens
+      //      an awk-arg that doesn't close on this line (multi-line
+      //      body). An even count means every open is paired with a
+      //      close on this line (one-liner — no multi-line bug
+      //      class).
+      //
+      // 0.36.0 codex round-3 P2 #1: pre-fix opener was
+      // `/\bawk\b/ && /'\s*$/` which flipped on any prose line
+      // mentioning awk that happened to end in `'` (e.g. a comment
+      // like `# Example: awk '`). Shell-comment skip closes that
+      // false-positive path.
+      //
+      // 0.36.0 codex round-3 P2 #2: pre-fix opener required `'` at
+      // EOL, missing the `awk 'BEGIN { ... }` shape where the body
+      // starts on the same line as the opener. Odd-quote-count
+      // detection handles both shapes uniformly.
+      // Skip shell-comment lines — they may mention `awk` in prose
+      // (e.g. `# Example: awk '...'`) without being a real awk call.
+      const codeOnly = line.replace(/^\s+/, '');
+      if (codeOnly.startsWith('#')) continue;
+      if (!/\bawk\b/.test(line)) continue;
+      // Strip in order:
+      //   - bash double-quoted spans (`"..."`) — bash treats `'`
+      //     inside them as literal, NOT as quote terminators. Without
+      //     this strip, `awk -v msg="can't" '` would count 2 `'`s
+      //     and look balanced when it's actually 1 unclosed open.
+      //   - benign quote-escape sequences (`'\''`, `'"'"'`, `''`).
+      // Order matters: strip `"..."` first because the `'"'"'`
+      // escape contains a DQ pair that would be wrongly consumed by
+      // the DQ-strip if applied second.
+      // Codex round-7 P1 fix: the prior `"[^"]*"` strip was too naive —
+      // a valid shell line like `awk -v msg="foo \"can't\" bar" '` has
+      // backslash-escaped quotes inside the double-quoted span. `[^"]*`
+      // stops at the first `"` (which is `\"`), the next `"` opens a
+      // new span, etc. The apostrophe from `can't` is left behind and
+      // the linter false-balances the quote count. Fix: walk DQ spans
+      // with proper escape handling — treat `\\` and `\"` as escapes,
+      // ANY other char between `"`s is literal.
+      let sanitizedOpener = line
+        .replace(/'"'"'/g, '')
+        .replace(/'\\''/g, '')
+        .replace(/''/g, '');
+      // Replace each `"..."` (with backslash-escape awareness) with `""`.
+      sanitizedOpener = sanitizedOpener.replace(/"(?:[^"\\]|\\[\s\S])*"/g, '""');
+      const quoteCount = (sanitizedOpener.match(/'/g) ?? []).length;
+      // Odd → opens a multi-line body. Even (incl. 0 / 2) → no
+      // unclosed open on this line (one-liner or no quote at all).
+      if (quoteCount % 2 === 1) {
+        inAwkBlock = true;
+        awkStartLine = i + 1; // 1-indexed for human-readable errors
+        // 0.36.0 codex round-4 P2 #1: when the body starts on the
+        // SAME line as the opener (`awk 'BEGIN { print "can't"`),
+        // any apostrophe-in-word shape already on that opener line
+        // MUST be checked too. Pre-fix the opener-detect branch
+        // flipped state and immediately `continue`d, leaving the
+        // opener line's body content unscanned.
+        //
+        // Locate the OPENING `'` (the LAST `'` in the sanitized
+        // line — `awk` is typically the last token before the
+        // opening quote, so any earlier `'`s are inside upstream
+        // shell commands like `printf '%s'`). Then run the
+        // apostrophe-in-word check on the text AFTER it (the awk
+        // body content). Word-boundary detection scopes the lint
+        // to the high-confidence bug shape (same discriminator as
+        // the body-line check above).
+        const openerIdx = sanitizedOpener.lastIndexOf("'");
+        const bodyOnOpenerLine = sanitizedOpener.slice(openerIdx + 1);
+        const apostropheInWord = /\b[A-Za-z][A-Za-z]*'[A-Za-z]/g;
+        const om = bodyOnOpenerLine.match(apostropheInWord);
+        if (om !== null) {
+          const strippedOpener = line.replace(/^\s+/, '');
+          const kind = strippedOpener.startsWith('#') ? 'comment' : 'code';
+          findings.push({
+            file,
+            line: i + 1,
+            content: line,
+            reason:
+              `awk-body ${kind} content on the OPENER line ` +
+              `contains an apostrophe-in-word shape (${om[0]}). ` +
+              `Bash terminates the \`awk '...'\` single-quoted ` +
+              `argument at the embedded \`'\`, splicing the rest ` +
+              `of the body into bash context; the hook parse-fails ` +
+              `at runtime (0.34.0 round-4 + round-6 class). ` +
+              `Rewrite without the apostrophe (e.g. \`cannot\` for ` +
+              `\`can't\`) or escape as \`'\\''\`.`,
+            awkStartLine,
+          });
+          // Bail out of block-mode — the bare `'` already
+          // terminated bash quoting at runtime.
+          inAwkBlock = false;
+          awkStartLine = -1;
+        }
+      }
+      continue;
+    }
+
+    // Inside awk block. Three things can happen on this line:
+    //   1. The line contains a BARE `'` somewhere (in code OR
+    //      comment) that isn't a close → finding.
+    //   2. The line is the canonical block close → leave the block.
+    //   3. Neither — keep walking.
+    //
+    // Bare-quote definition: a `'` that isn't part of a known-safe
+    // bash escape sequence for embedding a literal apostrophe inside
+    // a single-quoted string. The three benign forms are:
+    //   - `'\''`  (close-quote, backslash-escaped quote, reopen-quote)
+    //   - `'"'"'` (close-quote, double-quoted quote, reopen-quote)
+    //   - `''`    (close + reopen, injects NO byte — used in rea
+    //              hook comments to quote literal-byte sequences like
+    //              `\\\''` without breaking bash parsing).
+    // All three are fine in awk-internal context: bash terminates the
+    // single-quoted argument, emits a literal `'` (or no byte for
+    // `''`), and resumes single-quoting.
+    //
+    // 0.36.0 codex round-2 P2 #1 fix: pre-fix the bare-quote check
+    // only ran on comment lines (`stripped.startsWith('#')`). A code
+    // line like `BEGIN { print "can't" }` or `/can't/` parse-fails
+    // the same way — bash sees the `'` in `can't` regardless of
+    // whether awk parses the surrounding chars as a comment, string,
+    // or regex. Lint now scans every line in the block.
+    //
+    // Close detection: the rea hook bodies always close an `awk '`
+    // block with a `'` followed by a redirect / pipe / end-of-line
+    // / closing paren on a line that is OTHERWISE empty of awk-body
+    // text. Concretely: leading whitespace, then `'`, then optional
+    // `|`/`>`/`)`/whitespace/EOL. We detect close BEFORE running the
+    // bare-quote check on that line so a canonical-close line
+    // (`  '`) doesn't itself trip a finding.
+    const sanitized = line
+      .replace(/'"'"'/g, '')
+      .replace(/'\\''/g, '')
+      .replace(/''/g, '');
+
+    if (!sanitized.includes("'")) {
+      // No bare `'` after stripping benign forms — no close, no bug.
+      continue;
+    }
+
+    // Detect the 0.34.0 round-4 + round-6 bug class specifically:
+    // an apostrophe-in-word shape like `can't`, `isn't`, `doesn't`
+    // — a `'` flanked by ASCII word chars on at least one side.
+    // That's the exact shape that broke the marathon (it appears
+    // naturally in English prose and slips past code review). Other
+    // possible bare-`'` shapes (e.g. `'X` at line start, where X is
+    // ASCII content) are genuinely ambiguous from the lint's POV —
+    // they may be the canonical close `'` followed by a bash
+    // continuation, the close of a bash quoted string, etc. We
+    // deliberately scope the lint to the high-confidence,
+    // demonstrated-historical-bug shape rather than risk
+    // false-positives on bash-grammar surface area we cannot parse.
+    //
+    // 0.36.0 codex round-4 P2 #2 resolution: pre-fix tried to
+    // distinguish close from bug structurally (by what preceded or
+    // followed the `'`). Both attempts produced false-positives on
+    // valid close shapes (`' "$arg"`, `END { print x }'`,
+    // `' | tr ...`). Word-boundary detection is the simplest
+    // discriminator that catches the exact bug class without
+    // tripping on legitimate bash continuation.
+    const apostropheInWord = /\b[A-Za-z][A-Za-z]*'[A-Za-z]/g;
+    const m = sanitized.match(apostropheInWord);
+    if (m !== null) {
+      const strippedLine = line.replace(/^\s+/, '');
+      const kind = strippedLine.startsWith('#') ? 'comment' : 'code';
+      findings.push({
+        file,
+        line: i + 1,
+        content: line,
+        reason:
+          `awk-body ${kind} line contains an apostrophe-in-word ` +
+          `shape (${m[0]}). Bash terminates the \`awk '...'\` ` +
+          `single-quoted argument at the embedded \`'\`, splicing ` +
+          `the rest of the body into bash context; the hook ` +
+          `parse-fails at runtime (0.34.0 round-4 + round-6 class). ` +
+          `Rewrite without the apostrophe (e.g. \`cannot\` for ` +
+          `\`can't\`) or escape as \`'\\''\`.`,
+        awkStartLine,
+      });
+      // Bail out of block-mode — the bare `'` already terminated
+      // bash quoting at runtime, so further lines are bash-parsed,
+      // not awk-parsed.
+      inAwkBlock = false;
+      awkStartLine = -1;
+      continue;
+    }
+
+    // Any other `'` shape: assume it's a legitimate close `'`
+    // followed by bash continuation. Leave the block.
+    inAwkBlock = false;
+    awkStartLine = -1;
+  }
+
+  return findings;
+}
+
+const allFindings = [];
+for (const dir of SCAN_DIRS) {
+  for (const file of listShellFiles(dir)) {
+    allFindings.push(...scanFile(file));
+  }
+}
+
+if (allFindings.length === 0) {
+  // Quiet success — matches the posture of lint:regex.
+  process.exit(0);
+}
+
+console.error(
+  '[lint:awk-quotes] FAIL — bare single-quote in awk comment line ' +
+    '(0.34.0 round-4 + round-6 regression class):\n',
+);
+for (const f of allFindings) {
+  const rel = path.relative(repoRoot, f.file);
+  console.error(`  ${rel}:${f.line}  (awk block opened at line ${f.awkStartLine})`);
+  console.error(`    ${f.content.trim()}`);
+  console.error(`    → ${f.reason}\n`);
+}
+console.error(
+  `[lint:awk-quotes] ${allFindings.length} finding(s) across ${SCAN_DIRS.length} scan path(s).`,
+);
+process.exit(1);

package/templates/blocked-paths-bash-gate.dogfood-staged.sh

@@ -0,0 +1,177 @@
+#!/bin/bash
+# PreToolUse hook: blocked-paths-bash-gate.sh
+# 0.35.0+ — Node-binary shim for `rea hook blocked-paths-bash-gate`.
+#
+# Pre-0.35.0 this was a thin bash shim over `rea hook scan-bash --mode
+# blocked` (the parser-backed AST walker that closes 9 bypass classes
+# from helix-023 + discord-ops Round 13 — see `src/hooks/bash-scanner/`).
+# The full bash body is preserved at
+# `__tests__/hooks/parity/baselines/blocked-paths-bash-gate.sh.pre-0.35.0`.
+#
+# This shim now resolves the CLI through the same 2-tier sandboxed
+# resolver as the 0.32.0+ pilots and calls `rea hook blocked-paths-
+# bash-gate` directly — eliminating the shim → CLI → scanner-module
+# subprocess hop entirely.
+#
+# Behavioral contract is preserved byte-for-byte: exit 0 on allow,
+# exit 2 on HALT / verdict block / malformed payload / sandbox fail.
+#
+# # CLI-resolution trust boundary
+#
+# Mirrors the 0.32.0 final shim shape. The resolved CLI MUST live
+# INSIDE realpath(CLAUDE_PROJECT_DIR) AND have an ancestor
+# `package.json` whose `name` is `@bookedsolid/rea`. Defends against
+# symlink-out and tarball-replacement attacks on the resolved CLI.
+#
+# # Fail-closed posture
+#
+# blocked-paths-bash-gate is a Tier-1 security gate (PreToolUse Bash).
+# The pre-0.35.0 bash body refused on uncertainty for every failure
+# class. Early-exit branches (CLI missing, node missing, sandbox failed,
+# version skew) fail closed AFTER the relevance pre-gate passes.
+# Irrelevant Bash calls exit 0 regardless of CLI state.
+#
+# # Relevance pre-gate
+#
+# Same posture as 0.34.0 dangerous-bash + secret-scanner. When the CLI
+# is missing, refuse only when the extracted command MENTIONS a path
+# from `policy.blocked_paths`. Empty policy → no enforcement, exit 0.
+# This unblocks the install path itself: `npx rea init`, pre-`pnpm build`
+# checkouts can still run benign Bash like `ls`/`mkdir`/`pnpm install`.
+
+set -uo pipefail
+
+# 1. HALT check.
+# shellcheck source=_lib/halt-check.sh
+source "$(dirname "$0")/_lib/halt-check.sh"
+check_halt
+REA_ROOT=$(rea_root)
+
+proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
+
+# 2. Capture stdin once.
+INPUT=$(cat)
+
+# 3. Resolve the rea CLI through the fixed 2-tier sandboxed order.
+REA_ARGV=()
+RESOLVED_CLI_PATH=""
+if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
+elif [ -f "$proj/dist/cli/index.js" ]; then
+  REA_ARGV=(node "$proj/dist/cli/index.js")
+  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
+fi
+
+# 3b. Relevance pre-gate. Only used when the CLI is missing.
+if [ "${#REA_ARGV[@]}" -eq 0 ]; then
+  CLI_MISSING_CMD=""
+  if command -v jq >/dev/null 2>&1; then
+    CLI_MISSING_CMD=$(printf '%s' "$INPUT" | jq -r '
+      (.tool_input.command // "") | tostring
+    ' 2>/dev/null || true)
+  else
+    CLI_MISSING_CMD="$INPUT"
+  fi
+  if [ -z "$CLI_MISSING_CMD" ]; then
+    # Empty/non-Bash payload → pre-0.35.0 body would have exited 0.
+    exit 0
+  fi
+  # Empty policy.blocked_paths → no enforcement, exit 0.
+  POLICY_FILE="${REA_ROOT}/.rea/policy.yaml"
+  if [ ! -f "$POLICY_FILE" ]; then
+    exit 0
+  fi
+  # Substring scan: does the command mention any blocked_paths entry?
+  # Coarse — over-trigger is fine, under-trigger is the bypass we MUST
+  # avoid. Strip YAML quotes/comments via a minimal awk filter.
+  CLI_MISSING_RELEVANT=0
+  while IFS= read -r entry; do
+    [ -z "$entry" ] && continue
+    case "$CLI_MISSING_CMD" in
+      *"$entry"*) CLI_MISSING_RELEVANT=1; break ;;
+    esac
+  done < <(awk '
+    /^blocked_paths:/ { in_block=1; next }
+    in_block && /^[[:space:]]*-/ {
+      sub(/^[[:space:]]*-[[:space:]]*/, "")
+      gsub(/^["'\'']/, "")
+      gsub(/["'\'']$/, "")
+      print
+      next
+    }
+    in_block && /^[^[:space:]-]/ { in_block=0 }
+  ' "$POLICY_FILE" 2>/dev/null)
+  if [ "$CLI_MISSING_RELEVANT" -eq 0 ]; then
+    exit 0
+  fi
+  printf 'rea: blocked-paths-bash-gate cannot run — the rea CLI is not built.\n' >&2
+  printf 'Run `pnpm install && pnpm build` (or `npm install` for a consumer install) to restore protection.\n' >&2
+  printf 'This shim fails closed because the pre-0.35.0 bash body enforced blocked_paths refusal without a CLI.\n' >&2
+  exit 2
+fi
+
+# 4. Realpath sandbox check.
+if ! command -v node >/dev/null 2>&1; then
+  printf 'rea: blocked-paths-bash-gate cannot run — `node` is not on PATH.\n' >&2
+  printf 'Install Node 22+ (engines.node) to restore blocked_paths refusal.\n' >&2
+  exit 2
+fi
+
+sandbox_check=$(node -e '
+  const fs = require("fs");
+  const path = require("path");
+  const cli = process.argv[1];
+  const projDir = process.argv[2];
+  let real, realProj;
+  try { real = fs.realpathSync(cli); } catch (e) {
+    process.stdout.write("bad:realpath"); process.exit(1);
+  }
+  try { realProj = fs.realpathSync(projDir); } catch (e) {
+    process.stdout.write("bad:realpath-proj"); process.exit(1);
+  }
+  const sep = path.sep;
+  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
+  if (!(real === realProj || real.startsWith(projWithSep))) {
+    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
+  }
+  // Codex round-1 P1 fix: enforce dist/cli/index.js shape (see
+  // settings-protection.sh).
+  const expectedEnd = path.join("dist", "cli", "index.js");
+  if (!real.endsWith(path.sep + expectedEnd) && real !== "/" + expectedEnd) {
+    process.stdout.write("bad:cli-shape"); process.exit(1);
+  }
+  let cur = path.dirname(path.dirname(path.dirname(real)));
+  let found = false;
+  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
+    const pj = path.join(cur, "package.json");
+    if (fs.existsSync(pj)) {
+      try {
+        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
+        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
+      } catch (e) { /* keep walking */ }
+    }
+    cur = path.dirname(cur);
+  }
+  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
+  process.stdout.write("ok");
+' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
+
+if [ "$sandbox_check" != "ok" ]; then
+  printf 'rea: blocked-paths-bash-gate FAILED sandbox check (%s) — refusing.\n' "$sandbox_check" >&2
+  exit 2
+fi
+
+# 5. Version-probe.
+probe_out=$("${REA_ARGV[@]}" hook blocked-paths-bash-gate --help 2>&1)
+probe_status=$?
+if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'blocked-paths-bash-gate'; then
+  printf 'rea: this shim requires the `rea hook blocked-paths-bash-gate` subcommand (introduced in 0.35.0).\n' >&2
+  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
+  printf 'Run `pnpm install` (or `npm install`) to sync the CLI; refusing in the meantime to preserve enforcement.\n' >&2
+  exit 2
+fi
+
+# 6. Forward stdin (already captured up-front).
+printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook blocked-paths-bash-gate
+exit $?