@bookedsolid/rea 0.35.0 → 0.37.0

package/templates/attribution-advisory.dogfood-staged.sh

@@ -20,6 +20,15 @@
 # symlink-out + tarball-replacement attacks on the resolved CLI AND
 # stale-node_modules version skew that would otherwise turn every
 # Bash dispatch into a hard failure.
+#
+# Codex round 2 P1 (2026-05-16): the sandbox check now runs BEFORE
+# the policy read. The pre-round-2 order called
+# `policy_reader_get block_ai_attribution` first; that read invokes
+# the resolved CLI through Tier 1 of the unified reader — meaning an
+# unsandboxed CLI executed BEFORE the sandbox guard fired. Fixed by
+# validating sandbox first; on failure REA_ARGV is cleared so the
+# reader degrades to Tier 2 / Tier 3 (both pure file-parse, no
+# arbitrary-code-execution).
 
 set -uo pipefail
 
@@ -63,22 +72,12 @@ if [ "$RELEVANT" -eq 0 ]; then
   exit 0
 fi
 
-# 2b. Policy short-circuit (round-6 P2). The pre-0.32.0 bash body
-#     no-op'd when `block_ai_attribution` was absent or false. Without
-#     this check, an unbuilt/stale install would refuse `git commit`
-#     even on repos that DELIBERATELY disable the attribution gate.
-#     Read the policy via a simple grep — the canonical loader
-#     handles inline forms but we only need block form here, and a
-#     conservative "true-and-only-true counts" rule matches the
-#     intent (false / absent / inline-only all → no enforcement).
-POLICY_FILE="$REA_ROOT/.rea/policy.yaml"
-if [ ! -f "$POLICY_FILE" ] || ! grep -qE '^block_ai_attribution:[[:space:]]*true([[:space:]]|$)' "$POLICY_FILE"; then
-  # Attribution blocking disabled — pre-0.32.0 bash body would have
-  # exited 0 here. Don't refuse on stale-install grounds.
-  exit 0
-fi
-
-# 3. Resolve the rea CLI.
+# 2b. Resolve the rea CLI first — the unified policy reader uses
+#     REA_ARGV (when populated) as its Tier 1 source. Reordered from
+#     the pre-0.37.0 shape (where the CLI was resolved AFTER the policy
+#     grep) so the policy short-circuit below can route through Tier 1
+#     when the CLI is reachable, falling through Tier 2 (python3 +
+#     PyYAML) and Tier 3 (awk block-form) on stale/unbuilt installs.
 REA_ARGV=()
 RESOLVED_CLI_PATH=""
 if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
@@ -89,7 +88,115 @@ elif [ -f "$proj/dist/cli/index.js" ]; then
   RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
 fi
 
+# 2c. Realpath sandbox check — MUST run BEFORE any policy read that
+#     could route through Tier 1 (CLI). Codex round 2 P1: previously
+#     the policy_reader_get call below executed the resolved CLI to
+#     read `block_ai_attribution`. An attacker who symlinked
+#     dist/cli/index.js → /tmp/forged-tree (or who otherwise compromised
+#     the path) would have their forged CLI invoked during policy
+#     lookup BEFORE the sandbox check ran — defeating the trust
+#     boundary this shim is supposed to enforce.
+#
+#     Fix: validate the CLI's sandbox shape first. On failure, clear
+#     REA_ARGV so the unified policy reader falls back to Tier 2
+#     (python3 + PyYAML) / Tier 3 (awk block-form) and the unsafe CLI
+#     never runs. The shim then re-evaluates fail-closed posture at
+#     §2e below (CLI absent + attribution-enabled → exit 2).
+#
+#     Other 5 migrated shims (e.g. delegation-advisory) naturally avoid
+#     this ordering bug because their policy reads are NESTED inside
+#     `if [ "${#REA_ARGV[@]}" -eq 0 ]` (the CLI-absent path). This
+#     shim's flow is different — it reads policy unconditionally to
+#     decide whether to fail-closed at all.
+SANDBOX_CHECK_RESULT=""
+if [ "${#REA_ARGV[@]}" -gt 0 ]; then
+  if ! command -v node >/dev/null 2>&1; then
+    # No node on PATH — cannot run sandbox probe. Clear REA_ARGV so
+    # the policy reader skips Tier 1; later §2e will catch the
+    # CLI-required-but-absent state and refuse explicitly.
+    SANDBOX_CHECK_RESULT="bad:no-node"
+    REA_ARGV=()
+  else
+    SANDBOX_CHECK_RESULT=$(node -e '
+      const fs = require("fs");
+      const path = require("path");
+      const cli = process.argv[1];
+      const projDir = process.argv[2];
+      let real, realProj;
+      try { real = fs.realpathSync(cli); } catch (e) {
+        process.stdout.write("bad:realpath"); process.exit(1);
+      }
+      try { realProj = fs.realpathSync(projDir); } catch (e) {
+        process.stdout.write("bad:realpath-proj"); process.exit(1);
+      }
+      const sep = path.sep;
+      const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
+      if (!(real === realProj || real.startsWith(projWithSep))) {
+        process.stdout.write("bad:cli-escapes-project"); process.exit(1);
+      }
+      let cur = path.dirname(path.dirname(path.dirname(real)));
+      let found = false;
+      for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
+        const pj = path.join(cur, "package.json");
+        if (fs.existsSync(pj)) {
+          try {
+            const data = JSON.parse(fs.readFileSync(pj, "utf8"));
+            if (data && data.name === "@bookedsolid/rea") { found = true; break; }
+          } catch (e) { /* keep walking */ }
+        }
+        cur = path.dirname(cur);
+      }
+      if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
+      process.stdout.write("ok");
+    ' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
+    if [ "$SANDBOX_CHECK_RESULT" != "ok" ]; then
+      # Sandbox failed — drop the unsafe CLI from REA_ARGV BEFORE
+      # reading policy. The unified reader will degrade to Tier 2 /
+      # Tier 3, both of which only read the policy file (no
+      # arbitrary-code-execution risk).
+      REA_ARGV=()
+    fi
+  fi
+fi
+
+# 2d. Policy short-circuit (round-6 P2, generalized in 0.37.0). The
+#     pre-0.32.0 bash body no-op'd when `block_ai_attribution` was
+#     absent or false. Without this check, an unbuilt/stale install
+#     would refuse `git commit` even on repos that DELIBERATELY
+#     disable the attribution gate.
+#
+#     0.37.0: route through `policy_reader_get` (4-tier ladder). The
+#     pre-0.37.0 grep matched ONLY block-form `block_ai_attribution:
+#     true`; inline-form (`block_ai_attribution: true` at any nesting
+#     accident) and quoted-form variants were missed. The reader's
+#     Tier 1 / Tier 2 paths handle both forms identically to the
+#     canonical TS loader; Tier 3 preserves the pre-0.37.0 block-only
+#     posture as a graceful-degrade fallback.
+#
+#     Codex round 2 P1: by the time we reach this line, REA_ARGV is
+#     EITHER (a) populated and sandbox-validated, OR (b) empty — never
+#     populated-but-untrusted. The policy reader can safely use Tier 1.
+# shellcheck source=_lib/policy-reader.sh
+source "$(dirname "$0")/_lib/policy-reader.sh"
+ATTR_ENABLED=$(policy_reader_get block_ai_attribution)
+if [ "$ATTR_ENABLED" != "true" ]; then
+  # Attribution blocking disabled (or unreadable on Tier 3 fallback +
+  # missing policy file) — pre-0.32.0 bash body would have exited 0
+  # here. Don't refuse on stale-install grounds.
+  exit 0
+fi
+
+# 2e. CLI required from here on — we need the parser-backed Node binary
+#     to scan for attribution patterns. If REA_ARGV is empty because
+#     either (a) the CLI wasn't installed/built or (b) sandbox check
+#     failed and we cleared it above, refuse explicitly with a tailored
+#     message.
 if [ "${#REA_ARGV[@]}" -eq 0 ]; then
+  if [ -n "$SANDBOX_CHECK_RESULT" ] && [ "$SANDBOX_CHECK_RESULT" != "ok" ]; then
+    # Sandbox failure path — preserve forensic detail.
+    printf 'rea: attribution-advisory FAILED sandbox check (%s) — refusing.\n' "$SANDBOX_CHECK_RESULT" >&2
+    exit 2
+  fi
   # 0.32.0 round-4 P2: when `block_ai_attribution: true`, this hook is
   # blocking-tier — the pre-0.32.0 bash body enforced the policy
   # without a compiled CLI. Falling through to exit 0 would silently
@@ -102,55 +209,7 @@ if [ "${#REA_ARGV[@]}" -eq 0 ]; then
   exit 2
 fi
 
-# 3. Realpath sandbox check.
-if ! command -v node >/dev/null 2>&1; then
-  printf 'rea: attribution-advisory cannot run — `node` is not on PATH.\n' >&2
-  printf 'Install Node 22+ (engines.node) to restore enforcement.\n' >&2
-  exit 2
-fi
-
-sandbox_check=$(node -e '
-  const fs = require("fs");
-  const path = require("path");
-  const cli = process.argv[1];
-  const projDir = process.argv[2];
-  let real, realProj;
-  try { real = fs.realpathSync(cli); } catch (e) {
-    process.stdout.write("bad:realpath"); process.exit(1);
-  }
-  try { realProj = fs.realpathSync(projDir); } catch (e) {
-    process.stdout.write("bad:realpath-proj"); process.exit(1);
-  }
-  const sep = path.sep;
-  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
-  if (!(real === realProj || real.startsWith(projWithSep))) {
-    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
-  }
-  let cur = path.dirname(path.dirname(path.dirname(real)));
-  let found = false;
-  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
-    const pj = path.join(cur, "package.json");
-    if (fs.existsSync(pj)) {
-      try {
-        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
-        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
-      } catch (e) { /* keep walking */ }
-    }
-    cur = path.dirname(cur);
-  }
-  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
-  process.stdout.write("ok");
-' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
-
-if [ "$sandbox_check" != "ok" ]; then
-  # 0.32.0 round-4 P2: fail closed (blocking-tier when policy enables —
-  # see top-of-file rationale). Sandbox failure means the CLI cannot
-  # be authenticated; refuse rather than silently bypass.
-  printf 'rea: attribution-advisory FAILED sandbox check (%s) — refusing.\n' "$sandbox_check" >&2
-  exit 2
-fi
-
-# 4. Version-probe: confirm the resolved CLI implements
+# 3. Version-probe: confirm the resolved CLI implements
 #    `hook attribution-advisory`. Codex round 1 P1.
 probe_out=$("${REA_ARGV[@]}" hook attribution-advisory --help 2>&1)
 probe_status=$?
@@ -165,6 +224,6 @@ if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'attribu
   exit 2
 fi
 
-# 5. Forward stdin (already captured up-front for the relevance gate).
+# 4. Forward stdin (already captured up-front for the relevance gate).
 printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook attribution-advisory
 exit $?

package/templates/blocked-paths-bash-gate.dogfood-staged.sh

@@ -82,26 +82,26 @@ if [ "${#REA_ARGV[@]}" -eq 0 ]; then
   if [ ! -f "$POLICY_FILE" ]; then
     exit 0
   fi
+  # 0.37.0: route blocked_paths reads through the unified
+  # policy-reader (Tier 1 CLI → Tier 2 python3 → Tier 3 awk
+  # block-form). Pre-0.37.0 the per-shim awk parser missed flow-form
+  # arrays (`blocked_paths: [.env, .env.*, ...]`), silently exiting 0
+  # on relevant Bash calls when the CLI was unreachable. The
+  # 4-tier ladder closes that bypass via Tier 2 whenever python3 +
+  # PyYAML are available (common on macOS Homebrew + most Linux
+  # distros); falls through to Tier 3 (block-form only) otherwise.
+  # shellcheck source=_lib/policy-reader.sh
+  source "$(dirname "$0")/_lib/policy-reader.sh"
   # Substring scan: does the command mention any blocked_paths entry?
   # Coarse — over-trigger is fine, under-trigger is the bypass we MUST
-  # avoid. Strip YAML quotes/comments via a minimal awk filter.
+  # avoid.
   CLI_MISSING_RELEVANT=0
   while IFS= read -r entry; do
     [ -z "$entry" ] && continue
     case "$CLI_MISSING_CMD" in
       *"$entry"*) CLI_MISSING_RELEVANT=1; break ;;
     esac
-  done < <(awk '
-    /^blocked_paths:/ { in_block=1; next }
-    in_block && /^[[:space:]]*-/ {
-      sub(/^[[:space:]]*-[[:space:]]*/, "")
-      gsub(/^["'\'']/, "")
-      gsub(/["'\'']$/, "")
-      print
-      next
-    }
-    in_block && /^[^[:space:]-]/ { in_block=0 }
-  ' "$POLICY_FILE" 2>/dev/null)
+  done < <(policy_reader_get_list blocked_paths 2>/dev/null)
   if [ "$CLI_MISSING_RELEVANT" -eq 0 ]; then
     exit 0
   fi

package/templates/blocked-paths-enforcer.dogfood-staged.sh

@@ -73,6 +73,16 @@ if [ "${#REA_ARGV[@]}" -eq 0 ]; then
   if [ ! -f "$POLICY_FILE" ]; then
     exit 0
   fi
+  # 0.37.0: route blocked_paths reads through the unified
+  # policy-reader (Tier 1 CLI → Tier 2 python3 → Tier 3 awk
+  # block-form). Pre-0.37.0 the inline awk parser missed flow-form
+  # arrays (`blocked_paths: [.env, .env.*, ...]`), silently allowing
+  # writes to those paths when the CLI was unreachable. The 4-tier
+  # ladder closes the bypass via Tier 2 when python3 + PyYAML are
+  # reachable; Tier 3 preserves the pre-0.37.0 block-only posture as
+  # a no-dep fallback.
+  # shellcheck source=_lib/policy-reader.sh
+  source "$(dirname "$0")/_lib/policy-reader.sh"
   CLI_MISSING_RELEVANT=0
   while IFS= read -r entry; do
     [ -z "$entry" ] && continue
@@ -94,17 +104,7 @@ if [ "${#REA_ARGV[@]}" -eq 0 ]; then
     case "$CLI_MISSING_FILE_PATH" in
       *"$base"*) CLI_MISSING_RELEVANT=1; break ;;
     esac
-  done < <(awk '
-    /^blocked_paths:/ { in_block=1; next }
-    in_block && /^[[:space:]]*-/ {
-      sub(/^[[:space:]]*-[[:space:]]*/, "")
-      gsub(/^["'\'']/, "")
-      gsub(/["'\'']$/, "")
-      print
-      next
-    }
-    in_block && /^[^[:space:]-]/ { in_block=0 }
-  ' "$POLICY_FILE" 2>/dev/null)
+  done < <(policy_reader_get_list blocked_paths 2>/dev/null)
   if [ "$CLI_MISSING_RELEVANT" -eq 0 ]; then
     exit 0
   fi

package/templates/local-review-gate.dogfood-staged.sh

@@ -158,100 +158,130 @@ if [ "${#REA_ARGV[@]}" -gt 0 ] && command -v node >/dev/null 2>&1; then
   fi
 fi
 
-# Helper: read a `local_review.<leaf>` policy key. Tries
-# `rea hook policy-get review.local_review --json` (one node-spawn for
-# the whole subtree) first — that path handles inline + block YAML
-# identically since it goes through the canonical `yaml.parse()`.
-# Falls back to a block-form awk parser when the CLI isn't available
-# or jq isn't installed. Empty stdout → "default applies".
+# 0.37.0: route policy reads through the unified policy-reader. The
+# pre-0.37.0 helper here was a hand-rolled dual-tier (CLI subtree
+# JSON + per-leaf awk block-form parser). The new helper consolidates
+# CLI + python3 + awk into a single 4-tier ladder, so inline-form
+# mappings like `local_review: { mode: off, refuse_at: commit }` now
+# work even on installs where the CLI is unreachable AND python3 +
+# PyYAML are available (the previous bash awk fallback missed inline
+# forms entirely — silent no-op on stale-CLI installs).
 #
-# 0.34.0 round-2 P2 fix: pre-fix the shim only ran the block-form awk
-# parser, so inline-form mappings like
-# `local_review: { mode: off, refuse_at: commit }` silently no-op'd on
-# stale-CLI installs (the canonical loader DOES handle them — only the
-# shim was block-only). Hybrid policy reader mirrors the pattern used
-# by prepare-commit-msg's augmenter.
+# Behavior preserved: empty stdout → "default applies"; the helper
+# returns 0 even when the key is unset, so the existing callers'
+# `case` statements work unchanged.
 #
-# The subtree JSON is fetched ONCE per Bash event (cached in
-# `_lrg_subtree_json`) so we don't pay 3x node-spawn cost. The cache
-# variable is "" until first call, "<none>" if the CLI / jq path
-# returned no usable JSON (so awk fallback runs), or the JSON body.
-_lrg_subtree_json=""
-_lrg_read_policy() {
-  # $1 = dotted key (e.g. `review.local_review.mode`)
-  local key="$1"
-  local leaf="${key##*.}"
-  # 1. First call: try `rea hook policy-get review.local_review --json`.
-  #    Subsequent calls reuse the cached subtree.
-  if [ -z "$_lrg_subtree_json" ]; then
-    if [ "${#REA_ARGV[@]}" -gt 0 ] && command -v jq >/dev/null 2>&1; then
-      local json
-      json=$("${REA_ARGV[@]}" hook policy-get review.local_review --json 2>/dev/null || true)
-      # `null` indicates the path was unset — leaves jq to print
-      # `null` for any leaf, which we treat as "default applies".
-      if [ -n "$json" ]; then
-        _lrg_subtree_json="$json"
-      else
-        _lrg_subtree_json="<none>"
-      fi
-    else
-      _lrg_subtree_json="<none>"
-    fi
+# Codex round 4 P2 (2026-05-16): local-review-gate fires on EVERY Bash
+# PreToolUse event and reads three leaves from `review.local_review`
+# (mode + refuse_at + bypass_env_var). The unified reader's CLI tier
+# spawns a fresh `rea hook policy-get` per leaf, so the hot path went
+# from 1 CLI startup (the pre-0.37.0 subtree call) to 4 (version probe
+# + 3 leaves). Restore the subtree-cache shape: fetch
+# `review.local_review` as JSON once, then extract leaves locally. Falls
+# back to per-leaf reads when the subtree call returns null/empty (e.g.
+# Tier 3 awk can't serve subtree — that's documented and the per-leaf
+# block-form parser handles those cases via the unified reader's
+# fall-through ladder).
+# shellcheck source=_lib/policy-reader.sh
+source "$(dirname "$0")/_lib/policy-reader.sh"
+
+# Subtree cache: populated lazily on first read. Empty string means
+# "not yet attempted"; "null" means "attempted, key unset"; any other
+# value is the JSON object.
+_LRG_LR_SUBTREE_JSON=""
+
+_lrg_load_local_review_subtree() {
+  if [ -n "$_LRG_LR_SUBTREE_JSON" ]; then
+    return 0
+  fi
+  local sub
+  sub=$(policy_reader_get_subtree_json review.local_review 2>/dev/null)
+  if [ -z "$sub" ]; then
+    _LRG_LR_SUBTREE_JSON="null"
+  else
+    _LRG_LR_SUBTREE_JSON="$sub"
   fi
-  # 2. If we have JSON, ask jq for the leaf.
-  if [ "$_lrg_subtree_json" != "<none>" ]; then
+}
+
+# Extract a leaf from the cached subtree JSON. When subtree retrieval
+# failed (e.g. Tier 3 awk fallback), or the leaf isn't present in the
+# JSON, returns empty + non-zero so the caller can fall back to a
+# per-leaf read.
+_lrg_subtree_leaf() {
+  local leaf="$1"
+  if [ -z "$_LRG_LR_SUBTREE_JSON" ] || [ "$_LRG_LR_SUBTREE_JSON" = "null" ]; then
+    return 1
+  fi
+  # Try jq first; fall back to a python3 one-liner. Same hardened
+  # invocation shape as policy-reader.sh's no-jq fallback (env -u +
+  # PYTHONSAFEPATH + sys.path scrub).
+  if command -v jq >/dev/null 2>&1; then
     local out
-    out=$(printf '%s' "$_lrg_subtree_json" | jq -r --arg k "$leaf" '
-      if type == "object" and has($k) and (.[$k] != null) then .[$k] | tostring else "" end
-    ' 2>/dev/null || true)
+    out=$(printf '%s' "$_LRG_LR_SUBTREE_JSON" | jq -r --arg k "$leaf" '
+      .[$k] as $v
+      | if $v == null then empty
+        elif ($v|type) == "string" or ($v|type) == "number" or ($v|type) == "boolean"
+          then $v | tostring
+        else empty
+        end
+    ' 2>/dev/null)
     if [ -n "$out" ]; then
       printf '%s' "$out"
       return 0
     fi
-    # JSON path present but leaf unset → fall through to default. Do
-    # NOT also try the awk parser; the canonical loader is the source
-    # of truth here.
-    return 0
+    return 1
   fi
-  # 3. Fallback: block-form awk parser (legacy 0.34.0 round-1 path).
-  #    Only covers `review.local_review.<leaf>`. Inline-form mappings
-  #    fall through to "" → defaults — which is the SAME posture as the
-  #    pre-0.34.0 bash hook, but now with the CLI path above providing
-  #    inline-form support whenever the CLI is reachable.
-  if [ ! -f "$POLICY_FILE" ] || ! command -v awk >/dev/null 2>&1; then
-    return 0
+  if command -v python3 >/dev/null 2>&1; then
+    local out
+    out=$(env -u PYTHONPATH -u PYTHONHOME -u PYTHONSTARTUP \
+      PYTHONSAFEPATH=1 python3 -c '
+import sys
+import os
+_cwd = os.getcwd()
+_cwd_real = os.path.realpath(_cwd)
+sys.path[:] = [p for p in sys.path if p not in ("", ".", _cwd, _cwd_real)]
+import json
+try:
+    doc = json.loads(sys.argv[1])
+except Exception:
+    sys.exit(0)
+leaf = sys.argv[2]
+if isinstance(doc, dict) and leaf in doc:
+    v = doc[leaf]
+    if isinstance(v, bool):
+        sys.stdout.write("true" if v else "false")
+    elif isinstance(v, (int, float, str)):
+        sys.stdout.write(str(v))
+' "$_LRG_LR_SUBTREE_JSON" "$leaf" 2>/dev/null)
+    if [ -n "$out" ]; then
+      printf '%s' "$out"
+      return 0
+    fi
   fi
+  return 1
+}
+
+_lrg_read_policy() {
+  # $1 = dotted key (e.g. `review.local_review.mode`)
+  #
+  # For `review.local_review.*` leaves, try the subtree cache first
+  # (one CLI startup serves all three leaves). Fall back to a per-key
+  # read for everything else — and for leaves that the subtree cache
+  # couldn't produce (e.g. Tier 3 awk fallback where subtree mode is
+  # unsupported).
+  local key="$1"
   case "$key" in
-    review.local_review.mode)
-      awk '
-        /^review[[:space:]]*:[[:space:]]*$/ { in_review=1; next }
-        /^[^[:space:]]/                     { in_review=0; in_lr=0; next }
-        in_review && /^[[:space:]]+local_review[[:space:]]*:[[:space:]]*$/ { in_lr=1; next }
-        in_lr && /^[[:space:]]{2,}[a-zA-Z]/ {
-          if ($1 ~ /^mode:/) { print $2; exit }
-        }
-        in_lr && /^[[:space:]]{0,2}[a-zA-Z]/ && !/^[[:space:]]+local_review/ { in_lr=0 }
-      ' "$POLICY_FILE" 2>/dev/null | tr -d '"' | tr -d "'" | head -1
-      ;;
-    review.local_review.refuse_at)
-      awk '
-        /^review[[:space:]]*:[[:space:]]*$/ { in_review=1; next }
-        /^[^[:space:]]/                     { in_review=0; in_lr=0; next }
-        in_review && /^[[:space:]]+local_review[[:space:]]*:[[:space:]]*$/ { in_lr=1; next }
-        in_lr && /^[[:space:]]{2,}refuse_at[[:space:]]*:/ { print $2; exit }
-        in_lr && /^[[:space:]]{0,2}[a-zA-Z]/ && !/^[[:space:]]+local_review/ && !/^[[:space:]]+(mode|refuse_at|bypass_env_var|max_age_seconds)/ { in_lr=0 }
-      ' "$POLICY_FILE" 2>/dev/null | tr -d '"' | tr -d "'" | head -1
-      ;;
-    review.local_review.bypass_env_var)
-      awk '
-        /^review[[:space:]]*:[[:space:]]*$/ { in_review=1; next }
-        /^[^[:space:]]/                     { in_review=0; in_lr=0; next }
-        in_review && /^[[:space:]]+local_review[[:space:]]*:[[:space:]]*$/ { in_lr=1; next }
-        in_lr && /^[[:space:]]{2,}bypass_env_var[[:space:]]*:/ { print $2; exit }
-        in_lr && /^[[:space:]]{0,2}[a-zA-Z]/ && !/^[[:space:]]+local_review/ && !/^[[:space:]]+(mode|refuse_at|bypass_env_var|max_age_seconds)/ { in_lr=0 }
-      ' "$POLICY_FILE" 2>/dev/null | tr -d '"' | tr -d "'" | head -1
+    review.local_review.*)
+      _lrg_load_local_review_subtree
+      local leaf="${key##*.}"
+      local v
+      if v=$(_lrg_subtree_leaf "$leaf"); then
+        printf '%s' "$v"
+        return 0
+      fi
       ;;
   esac
+  policy_reader_get "$key" 2>/dev/null
 }
 
 # 4. Mode-off short-circuit. Mirrors the bash hook's

package/templates/protected-paths-bash-gate.dogfood-staged.sh

@@ -81,13 +81,19 @@ if [ "${#REA_ARGV[@]}" -eq 0 ]; then
     *".rea/last-review"*) CLI_MISSING_RELEVANT=1 ;;
     *".claude\\"*|*".husky\\"*|*".rea\\"*) CLI_MISSING_RELEVANT=1 ;;
   esac
-  # Codex round-1 P2 fix: scan policy.protected_writes entries too so a
-  # consumer-defined protected path isn't silently allowed when the CLI
-  # is missing. Read the policy via the same awk parser the consumer-
-  # facing relevance pre-gates use for blocked_paths.
+  # 0.37.0: route protected_writes reads through the unified
+  # policy-reader (Tier 1 CLI → Tier 2 python3 → Tier 3 awk
+  # block-form). Pre-0.37.0 the inline awk parser missed flow-form
+  # arrays (`protected_writes: [path/a, path/b]`) on CLI-missing
+  # installs, silently allowing writes to consumer-defined protected
+  # paths. The 4-tier ladder closes the bypass via Tier 2 whenever
+  # python3 + PyYAML are reachable; Tier 3 preserves the pre-0.37.0
+  # block-only posture as a no-dep fallback.
   if [ "$CLI_MISSING_RELEVANT" -eq 0 ]; then
     POLICY_FILE="${REA_ROOT}/.rea/policy.yaml"
     if [ -f "$POLICY_FILE" ]; then
+      # shellcheck source=_lib/policy-reader.sh
+      source "$(dirname "$0")/_lib/policy-reader.sh"
       while IFS= read -r entry; do
         [ -z "$entry" ] && continue
         base="$entry"
@@ -98,17 +104,7 @@ if [ "${#REA_ARGV[@]}" -eq 0 ]; then
         case "$CLI_MISSING_CMD" in
           *"$base"*) CLI_MISSING_RELEVANT=1; break ;;
         esac
-      done < <(awk '
-        /^protected_writes:/ { in_block=1; next }
-        in_block && /^[[:space:]]*-/ {
-          sub(/^[[:space:]]*-[[:space:]]*/, "")
-          gsub(/^["'\'']/, "")
-          gsub(/["'\'']$/, "")
-          print
-          next
-        }
-        in_block && /^[^[:space:]-]/ { in_block=0 }
-      ' "$POLICY_FILE" 2>/dev/null)
+      done < <(policy_reader_get_list protected_writes 2>/dev/null)
     fi
   fi
   if [ "$CLI_MISSING_RELEVANT" -eq 0 ]; then

package/templates/settings-protection.dogfood-staged.sh

@@ -97,12 +97,19 @@ if [ "${#REA_ARGV[@]}" -eq 0 ]; then
     *".claude\\"*|*".husky\\"*|*".rea\\"*) CLI_MISSING_RELEVANT=1 ;;
     *"..%2F"*|*"%2E%2E"*) CLI_MISSING_RELEVANT=1 ;;
   esac
-  # Codex round-1 P2 fix: scan policy.protected_writes entries too so a
-  # consumer-defined protected path isn't silently allowed when the CLI
-  # is missing.
+  # 0.37.0: route protected_writes reads through the unified
+  # policy-reader (Tier 1 CLI → Tier 2 python3 → Tier 3 awk
+  # block-form). Pre-0.37.0 the inline awk parser missed flow-form
+  # arrays (`protected_writes: [path/a, path/b]`), silently allowing
+  # writes to consumer-defined protected paths when the CLI was
+  # unreachable. The 4-tier ladder closes the bypass via Tier 2 when
+  # python3 + PyYAML are reachable; Tier 3 preserves the pre-0.37.0
+  # block-only posture as a no-dep fallback.
   if [ "$CLI_MISSING_RELEVANT" -eq 0 ]; then
     POLICY_FILE="${REA_ROOT}/.rea/policy.yaml"
     if [ -f "$POLICY_FILE" ]; then
+      # shellcheck source=_lib/policy-reader.sh
+      source "$(dirname "$0")/_lib/policy-reader.sh"
       while IFS= read -r entry; do
         [ -z "$entry" ] && continue
         base="$entry"
@@ -113,17 +120,7 @@ if [ "${#REA_ARGV[@]}" -eq 0 ]; then
         case "$CLI_MISSING_FILE_PATH" in
           *"$base"*) CLI_MISSING_RELEVANT=1; break ;;
         esac
-      done < <(awk '
-        /^protected_writes:/ { in_block=1; next }
-        in_block && /^[[:space:]]*-/ {
-          sub(/^[[:space:]]*-[[:space:]]*/, "")
-          gsub(/^["'\'']/, "")
-          gsub(/["'\'']$/, "")
-          print
-          next
-        }
-        in_block && /^[^[:space:]-]/ { in_block=0 }
-      ' "$POLICY_FILE" 2>/dev/null)
+      done < <(policy_reader_get_list protected_writes 2>/dev/null)
     fi
   fi
   if [ "$CLI_MISSING_RELEVANT" -eq 0 ]; then