@bookedsolid/rea 0.36.0 → 0.38.0

package/hooks/delegation-capture.sh

@@ -1,158 +1,52 @@
 #!/bin/bash
 # PreToolUse hook: delegation-capture.sh
 # 0.29.0+ — delegation-telemetry MVP.
+# 0.38.0+ — migrated to `_lib/shim-runtime.sh` (shared runtime).
 #
-# Fires BEFORE every `Agent` or `Skill` tool call. Reads the Claude
-# Code hook payload from stdin, pipes it to
-# `rea hook delegation-signal --detach`, and exits 0 immediately.
+# Fires BEFORE every `Agent` or `Skill` tool call. Pipes the payload to
+# `rea hook delegation-signal --detach`, BACKGROUNDED so the hook
+# returns instantly even when the CLI's startup takes a few ms. The
+# signal is OBSERVATIONAL — never gates tool dispatch.
 #
-# The signal is OBSERVATIONAL — never gates tool dispatch. Worst-case
-# latency budget is ~50ms even when the audit chain is under
-# cross-process contention, because the audit append runs in the
-# background (via `&`) and the CLI subcommand itself only validates
-# the payload before forking the writer.
+# Matcher: `Agent|Skill` (NOT `Task|Skill`).
 #
-# Matcher: `Agent|Skill` (NOT `Task|Skill` — `TaskCreate`/`TaskList`
-# are the unrelated todo-list tools and MUST NOT match).
+# # CLI subcommand differs from SHIM_NAME
 #
-# # CLI-resolution trust boundary
+# The forward target is `rea hook delegation-signal`, not `rea hook
+# delegation-capture` — the hook name and the CLI subcommand differ.
+# We use shim_forward to invoke the correct subcommand.
 #
-# Codex round 3 P1 (2026-05-12): pre-fix this hook resolved the rea
-# binary via `$REA_ROOT/node_modules/.bin/rea` then PATH-walked
-# `command -v rea`. Either path was attacker-influenced in a consumer
-# repo with a forged `node_modules/.bin/rea` symlink or a
-# PATH-prepended fake `rea` binary — giving attacker-controlled code
-# execution on every Agent/Skill dispatch.
+# # No version probe
 #
-# Fix: this hook now uses the same 2-tier sandboxed resolution that
-# protected-paths-bash-gate.sh + blocked-paths-bash-gate.sh use:
-#   1. node_modules/@bookedsolid/rea/dist/cli/index.js (consumer-side
-#      published artifact)
-#   2. dist/cli/index.js under CLAUDE_PROJECT_DIR (the rea repo's own
-#      dogfood install)
-#
-# A realpath sandbox check ensures the resolved CLI lives INSIDE
-# realpath(CLAUDE_PROJECT_DIR) — catches symlink-out attacks.
-#
-# Exit codes:
-#   0 — always (under normal operation). Failure to write the audit
-#       signal must NEVER block Claude Code's tool dispatch. Stderr
-#       breadcrumbs surface diagnostic info to the operator. HALT
-#       still exits 2 because the kill-switch contract must hold.
-#   2 — HALT active.
+# SHIM_SKIP_VERSION_PROBE=1: the pre-port body had no probe; a stale
+# CLI drops the signal silently rather than emit a probe-skew banner
+# on every Agent/Skill dispatch.
 
 set -uo pipefail
 
-# 1. HALT check. Even though this hook is observational, refusing to
-#    emit signals while frozen matches the rest of the hook tree and
-#    keeps the kill-switch contract uniform.
 # shellcheck source=_lib/halt-check.sh
 source "$(dirname "$0")/_lib/halt-check.sh"
 check_halt
 REA_ROOT=$(rea_root)
 
-proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
-
-# 2. Resolve the rea CLI through the same fixed 2-tier sandboxed order
-#    the protected-paths / blocked-paths bash gates use. PATH lookup
-#    is INTENTIONALLY OMITTED — agent-controlled $PATH would let a
-#    forged `rea` binary on a consumer machine intercept the
-#    delegation signal on every Agent/Skill dispatch. The trade-off:
-#    consumers MUST have `@bookedsolid/rea` installed under
-#    `node_modules` (the common case after `pnpm i`) OR be running
-#    against the rea repo's own dogfood (where dist/cli/index.js
-#    holds the canonical CLI). Other install shapes silently drop the
-#    signal — matching the bash-gate posture.
-REA_ARGV=()
-RESOLVED_CLI_PATH=""
-if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
-  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
-  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
-elif [ -f "$proj/dist/cli/index.js" ]; then
-  # rea repo dogfood: the project IS @bookedsolid/rea.
-  REA_ARGV=(node "$proj/dist/cli/index.js")
-  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
-fi
-
-if [ "${#REA_ARGV[@]}" -eq 0 ]; then
-  # No rea CLI in scope — drop the signal silently. This is the
-  # expected state during bootstrap (consumer ran `rea init` but
-  # hasn't installed the npm package yet) or in non-rea repos. A
-  # noisy stderr warning here would fire on every Agent/Skill
-  # dispatch and drown legitimate signals.
-  exit 0
-fi
-
-# 3. Realpath sandbox check — mirrors protected-paths-bash-gate.sh §6.
-#    The resolved CLI MUST live inside realpath(CLAUDE_PROJECT_DIR)
-#    AND have an ancestor package.json declaring `@bookedsolid/rea`
-#    as its `name`. Catches symlink-out attacks where an attacker
-#    writes node_modules/@bookedsolid/rea → /tmp/forged-tree.
-if ! command -v node >/dev/null 2>&1; then
-  # Node not on PATH — we can't verify the CLI shape. Fail safe by
-  # dropping the signal (observability is not a security claim; the
-  # rest of the Bash gate suite refuses on this path).
+SHIM_NAME="delegation-capture"
+SHIM_INTRODUCED_IN="0.29.0"
+SHIM_FAIL_OPEN=1
+SHIM_SKIP_VERSION_PROBE=1
+SHIM_REFUSAL_NOUN="the delegation telemetry signal"
+
+shim_forward() {
+  # Pipe to `rea hook delegation-signal --detach`. `--detach` tells the
+  # CLI to suppress stderr; the whole pipeline is backgrounded with
+  # `& disown` so the shell hook returns instantly.
+  {
+    printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook delegation-signal --detach \
+      >/dev/null 2>&1 &
+    disown 2>/dev/null || true
+  } 2>/dev/null
   exit 0
-fi
-
-sandbox_check=$(node -e '
-  const fs = require("fs");
-  const path = require("path");
-  const cli = process.argv[1];
-  const projDir = process.argv[2];
-  let real, realProj;
-  try { real = fs.realpathSync(cli); } catch (e) {
-    process.stdout.write("bad:realpath");
-    process.exit(1);
-  }
-  try { realProj = fs.realpathSync(projDir); } catch (e) {
-    process.stdout.write("bad:realpath-proj");
-    process.exit(1);
-  }
-  const sep = path.sep;
-  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
-  if (!(real === realProj || real.startsWith(projWithSep))) {
-    process.stdout.write("bad:cli-escapes-project");
-    process.exit(1);
-  }
-  // Walk up looking for package.json with the protected name.
-  let cur = path.dirname(path.dirname(path.dirname(real))); // pkg root
-  let found = false;
-  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
-    const pj = path.join(cur, "package.json");
-    if (fs.existsSync(pj)) {
-      try {
-        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
-        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
-      } catch (e) { /* keep walking */ }
-    }
-    cur = path.dirname(cur);
-  }
-  if (!found) {
-    process.stdout.write("bad:no-rea-pkg-json");
-    process.exit(1);
-  }
-  process.stdout.write("ok");
-' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
-
-if [ "$sandbox_check" != "ok" ]; then
-  # CLI failed the sandbox check — silent drop. The forensic
-  # breadcrumb in stderr is intentional but trimmed so this doesn't
-  # become spammy on every dispatch.
-  printf 'rea: delegation-capture skipped (sandbox check: %s)\n' "$sandbox_check" >&2
-  exit 0
-fi
-
-# 4. Read stdin and pipe to the CLI. `--detach` tells the CLI to
-#    suppress stderr output (no parent shell is listening); we ALSO
-#    background the whole pipeline with `&` and `disown` so the
-#    shell hook returns instantly even if the CLI's own startup
-#    takes a few ms.
-INPUT=$(cat)
-{
-  printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook delegation-signal --detach \
-    >/dev/null 2>&1 &
-  disown 2>/dev/null || true
-} 2>/dev/null
+}
 
-exit 0
+# shellcheck source=_lib/shim-runtime.sh
+source "$(dirname "$0")/_lib/shim-runtime.sh"
+shim_run

package/hooks/dependency-audit-gate.sh

@@ -1,138 +1,46 @@
 #!/bin/bash
 # PreToolUse hook: dependency-audit-gate.sh
 # 0.33.0+ — Node-binary shim for `rea hook dependency-audit-gate`.
+# 0.38.0+ — migrated to `_lib/shim-runtime.sh` (shared runtime).
 #
-# Pre-0.33.0 the gate's full body lived here as bash (179 LOC, the
-# segment splitter + install-pattern detection + per-package
-# `npm view` probe). The migration to the parser-backed Node binary
-# moves all of that into `src/hooks/dependency-audit-gate/index.ts`.
+# Blocking-tier: refuses install commands when any requested package
+# isn't published on the registry (pre-port behavior). The full
+# segment splitter + per-package `npm view` probe is in
+# `src/hooks/dependency-audit-gate/index.ts`.
 #
-# Behavioral contract is preserved byte-for-byte: exit 0 on
-# pass-through / all-packages-verified, exit 2 on HALT / any package
-# missing / malformed payload.
+# # Relevance pre-gate
 #
-# # CLI-resolution trust boundary
-#
-# Realpath sandbox check + version probe. Same shape as the 0.32.0
-# pilots and the env-file-protection shim above.
-#
-# # Fail-closed posture
-#
-# dependency-audit-gate is BLOCKING-tier — the pre-0.33.0 bash body
-# refused on missing packages. Early-exit branches (CLI missing,
-# node missing, sandbox failed, version skew) fail closed AFTER the
-# relevance pre-gate passes.
+# 2026-05-15 codex round-2 P2 fix: scan `tool_input.command` ONLY,
+# not the raw JSON payload. Pre-fix `git commit -m "docs: run pnpm
+# install foo"` triggered fail-closed on fresh checkout (the regex hit
+# the substring inside the commit-message ARG). The jq-less fallback
+# preserves the pre-0.33.0 over-trigger shape.
 
 set -uo pipefail
 
-# 1. HALT check.
 # shellcheck source=_lib/halt-check.sh
 source "$(dirname "$0")/_lib/halt-check.sh"
 check_halt
 REA_ROOT=$(rea_root)
 
-proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
-
-# 2. Relevance pre-gate. Look for any install-pattern keyword.
-#
-#    2026-05-15 codex round-2 P2 fix: scan `tool_input.command` ONLY,
-#    not the raw JSON payload. Pre-fix `git commit -m "docs: run pnpm
-#    install foo before start"` triggered the fail-closed branch on a
-#    fresh checkout (the install-pattern regex hit the substring
-#    inside the commit-message ARG of the git command, not a real
-#    install invocation). The Node body's segment-anchored matcher
-#    correctly distinguishes between the two — the shim's pre-gate
-#    must match that posture.
-#
-#    `jq`-less fallback preserves the pre-0.33.0 over-trigger shape.
-INPUT=$(cat)
-RELEVANT=0
-PROBE=""
-if command -v jq >/dev/null 2>&1; then
-  PROBE=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // ""' 2>/dev/null || true)
-  if printf '%s' "$PROBE" | grep -qE '(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]'; then
-    RELEVANT=1
+SHIM_NAME="dependency-audit-gate"
+SHIM_INTRODUCED_IN="0.33.0"
+SHIM_FAIL_OPEN=0
+SHIM_REFUSAL_NOUN="dependency-audit refusal"
+
+shim_is_relevant() {
+  local probe
+  if command -v jq >/dev/null 2>&1; then
+    probe=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // ""' 2>/dev/null || true)
+  else
+    probe="$INPUT"
   fi
-else
-  if printf '%s' "$INPUT" | grep -qE '(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]'; then
-    RELEVANT=1
+  if printf '%s' "$probe" | grep -qE '(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install|i)|yarn[[:space:]]+add)[[:space:]]'; then
+    return 0
   fi
-fi
-if [ "$RELEVANT" -eq 0 ]; then
-  exit 0
-fi
-
-# 3. Resolve the rea CLI.
-REA_ARGV=()
-RESOLVED_CLI_PATH=""
-if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
-  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
-  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
-elif [ -f "$proj/dist/cli/index.js" ]; then
-  REA_ARGV=(node "$proj/dist/cli/index.js")
-  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
-fi
-
-if [ "${#REA_ARGV[@]}" -eq 0 ]; then
-  printf 'rea: dependency-audit-gate cannot run — the rea CLI is not built.\n' >&2
-  printf 'Run `pnpm install && pnpm build` (or `npm install` for a consumer install) to restore protection.\n' >&2
-  exit 2
-fi
-
-# 4. Realpath sandbox check.
-if ! command -v node >/dev/null 2>&1; then
-  printf 'rea: dependency-audit-gate cannot run — `node` is not on PATH.\n' >&2
-  exit 2
-fi
-
-sandbox_check=$(node -e '
-  const fs = require("fs");
-  const path = require("path");
-  const cli = process.argv[1];
-  const projDir = process.argv[2];
-  let real, realProj;
-  try { real = fs.realpathSync(cli); } catch (e) {
-    process.stdout.write("bad:realpath"); process.exit(1);
-  }
-  try { realProj = fs.realpathSync(projDir); } catch (e) {
-    process.stdout.write("bad:realpath-proj"); process.exit(1);
-  }
-  const sep = path.sep;
-  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
-  if (!(real === realProj || real.startsWith(projWithSep))) {
-    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
-  }
-  let cur = path.dirname(path.dirname(path.dirname(real)));
-  let found = false;
-  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
-    const pj = path.join(cur, "package.json");
-    if (fs.existsSync(pj)) {
-      try {
-        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
-        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
-      } catch (e) { /* keep walking */ }
-    }
-    cur = path.dirname(cur);
-  }
-  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
-  process.stdout.write("ok");
-' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
-
-if [ "$sandbox_check" != "ok" ]; then
-  printf 'rea: dependency-audit-gate FAILED sandbox check (%s) — refusing.\n' "$sandbox_check" >&2
-  exit 2
-fi
-
-# 5. Version-probe.
-probe_out=$("${REA_ARGV[@]}" hook dependency-audit-gate --help 2>&1)
-probe_status=$?
-if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'dependency-audit-gate'; then
-  printf 'rea: this shim requires the `rea hook dependency-audit-gate` subcommand (introduced in 0.33.0).\n' >&2
-  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
-  printf 'Run `pnpm install` (or `npm install`) to sync the CLI; refusing in the meantime to preserve enforcement.\n' >&2
-  exit 2
-fi
+  return 1
+}
 
-# 6. Forward stdin.
-printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook dependency-audit-gate
-exit $?
+# shellcheck source=_lib/shim-runtime.sh
+source "$(dirname "$0")/_lib/shim-runtime.sh"
+shim_run

package/hooks/env-file-protection.sh

@@ -1,157 +1,46 @@
 #!/bin/bash
 # PreToolUse hook: env-file-protection.sh
 # 0.33.0+ — Node-binary shim for `rea hook env-file-protection`.
+# 0.38.0+ — migrated to `_lib/shim-runtime.sh` (shared runtime).
 #
-# Pre-0.33.0 the gate's full body lived here as bash (124 LOC, the
-# segment splitter + `source`/`cp` anchor patterns + utility-vs-.env
-# co-occurrence check). The migration to the parser-backed Node binary
-# moves all of that into `src/hooks/env-file-protection/index.ts`. This
-# shim is the Claude Code dispatcher's view of the hook — it forwards
-# stdin to the CLI and exits with whatever the CLI returns.
+# Blocking-tier: refuses Bash commands that source/cp/cat .env. Full
+# segment splitter + utility-vs-.env co-occurrence logic in
+# `src/hooks/env-file-protection/index.ts`.
 #
-# Behavioral contract is preserved byte-for-byte: exit 0 on
-# pass-through / no-match, exit 2 on HALT / .env access detected /
-# malformed payload (fail-closed).
+# # Relevance pre-gate
 #
-# # CLI-resolution trust boundary
-#
-# Mirrors the 0.32.0 final shim shape (round-8 of the codex iteration
-# on the three Phase 1 pilots). The resolved CLI MUST live INSIDE
-# realpath(CLAUDE_PROJECT_DIR) AND have an ancestor `package.json`
-# whose `name` is `@bookedsolid/rea`. Defends against symlink-out and
-# tarball-replacement attacks on the resolved CLI.
-#
-# # Fail-closed posture
-#
-# env-file-protection is a BLOCKING-tier gate — the pre-0.33.0 bash
-# body refused on .env access without a compiled CLI. The early-exit
-# branches (CLI missing, node missing, sandbox failed, version skew)
-# fail closed AFTER the relevance pre-gate passes. Irrelevant Bash
-# calls exit 0 regardless of CLI state.
+# 2026-05-15 codex round-2 P2 fix: scan `tool_input.command` ONLY, not
+# the raw JSON payload — otherwise `git commit -m "stop reading .env"`
+# (where `.env` appears inside the commit message ARG) hits fail-closed
+# on a fresh checkout.
 
 set -uo pipefail
 
-# 1. HALT check.
 # shellcheck source=_lib/halt-check.sh
 source "$(dirname "$0")/_lib/halt-check.sh"
 check_halt
 REA_ROOT=$(rea_root)
 
-proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
-
-# 2. Relevance pre-gate. Capture stdin + check for `.env` substring
-#    BEFORE any CLI/sandbox/probe work so unrelated Bash calls
-#    (`ls`, `pnpm test`, `git status`, …) exit 0 even when the CLI
-#    is missing/stale/sandboxed-out.
-#
-#    2026-05-15 codex round-2 P2 fix: the substring scan MUST run
-#    against `tool_input.command` ONLY, not the raw JSON payload —
-#    otherwise a benign `git commit -m "stop reading .env"` (where
-#    `.env` appears inside the commit message ARG, NOT as a file
-#    target) would hit the fail-closed branch on a fresh checkout
-#    where the CLI is unbuilt. Pre-fix the raw scan saw the substring
-#    inside the payload's "command" string-quoted body and refused.
-#
-#    Strategy: extract `tool_input.command` via `jq` (already required
-#    by 5 other hooks; trust assumption is consistent). When `jq` is
-#    not installed, fall back to scanning the raw payload — the cost
-#    is the same over-trigger the bash original had, NOT a new
-#    regression. When `jq` IS installed (the common case), the
-#    pre-gate is field-scoped.
-INPUT=$(cat)
-RELEVANT=0
-PROBE=""
-if command -v jq >/dev/null 2>&1; then
-  PROBE=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // ""' 2>/dev/null || true)
-  if printf '%s' "$PROBE" | grep -qE '\.env'; then
-    RELEVANT=1
-  fi
-else
-  # jq-less fallback — match the pre-0.33.0 over-trigger posture.
-  if printf '%s' "$INPUT" | grep -qE '\.env'; then
-    RELEVANT=1
+SHIM_NAME="env-file-protection"
+SHIM_INTRODUCED_IN="0.33.0"
+SHIM_FAIL_OPEN=0
+SHIM_REFUSAL_NOUN=".env protection"
+
+shim_is_relevant() {
+  local probe
+  if command -v jq >/dev/null 2>&1; then
+    probe=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // ""' 2>/dev/null || true)
+    if printf '%s' "$probe" | grep -qE '\.env'; then
+      return 0
+    fi
+  else
+    if printf '%s' "$INPUT" | grep -qE '\.env'; then
+      return 0
+    fi
   fi
-fi
-if [ "$RELEVANT" -eq 0 ]; then
-  exit 0
-fi
-
-# 3. Resolve the rea CLI through the fixed 2-tier sandboxed order.
-REA_ARGV=()
-RESOLVED_CLI_PATH=""
-if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
-  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
-  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
-elif [ -f "$proj/dist/cli/index.js" ]; then
-  REA_ARGV=(node "$proj/dist/cli/index.js")
-  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
-fi
-
-if [ "${#REA_ARGV[@]}" -eq 0 ]; then
-  # Blocking-tier: fail closed. The pre-0.33.0 bash body enforced
-  # .env protection without a CLI. Refuse and tell the operator how
-  # to restore protection.
-  printf 'rea: env-file-protection cannot run — the rea CLI is not built.\n' >&2
-  printf 'Run `pnpm install && pnpm build` (or `npm install` for a consumer install) to restore protection.\n' >&2
-  printf 'This shim fails closed because the pre-0.33.0 bash body enforced .env protection without a CLI.\n' >&2
-  exit 2
-fi
-
-# 4. Realpath sandbox check.
-if ! command -v node >/dev/null 2>&1; then
-  printf 'rea: env-file-protection cannot run — `node` is not on PATH.\n' >&2
-  printf 'Install Node 22+ (engines.node) to restore .env protection.\n' >&2
-  exit 2
-fi
-
-sandbox_check=$(node -e '
-  const fs = require("fs");
-  const path = require("path");
-  const cli = process.argv[1];
-  const projDir = process.argv[2];
-  let real, realProj;
-  try { real = fs.realpathSync(cli); } catch (e) {
-    process.stdout.write("bad:realpath"); process.exit(1);
-  }
-  try { realProj = fs.realpathSync(projDir); } catch (e) {
-    process.stdout.write("bad:realpath-proj"); process.exit(1);
-  }
-  const sep = path.sep;
-  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
-  if (!(real === realProj || real.startsWith(projWithSep))) {
-    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
-  }
-  let cur = path.dirname(path.dirname(path.dirname(real)));
-  let found = false;
-  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
-    const pj = path.join(cur, "package.json");
-    if (fs.existsSync(pj)) {
-      try {
-        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
-        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
-      } catch (e) { /* keep walking */ }
-    }
-    cur = path.dirname(cur);
-  }
-  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
-  process.stdout.write("ok");
-' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
-
-if [ "$sandbox_check" != "ok" ]; then
-  printf 'rea: env-file-protection FAILED sandbox check (%s) — refusing.\n' "$sandbox_check" >&2
-  exit 2
-fi
-
-# 5. Version-probe.
-probe_out=$("${REA_ARGV[@]}" hook env-file-protection --help 2>&1)
-probe_status=$?
-if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'env-file-protection'; then
-  printf 'rea: this shim requires the `rea hook env-file-protection` subcommand (introduced in 0.33.0).\n' >&2
-  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
-  printf 'Run `pnpm install` (or `npm install`) to sync the CLI; refusing in the meantime to preserve enforcement.\n' >&2
-  exit 2
-fi
+  return 1
+}
 
-# 6. Forward stdin (already captured up-front for the relevance gate).
-printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook env-file-protection
-exit $?
+# shellcheck source=_lib/shim-runtime.sh
+source "$(dirname "$0")/_lib/shim-runtime.sh"
+shim_run