@bookedsolid/rea 0.37.0 → 0.38.0

package/hooks/blocked-paths-enforcer.sh

@@ -1,89 +1,54 @@
 #!/bin/bash
 # PreToolUse hook: blocked-paths-enforcer.sh
 # 0.35.0+ — Node-binary shim for `rea hook blocked-paths-enforcer`.
+# 0.38.0+ — migrated to `_lib/shim-runtime.sh` (shared runtime).
 #
-# Pre-0.35.0 the gate's full body lived here as bash (284 LOC). The
-# full bash body is preserved at
+# Write/Edit/MultiEdit/NotebookEdit-tier blocking gate. Full bash body
+# preserved at
 # `__tests__/hooks/parity/baselines/blocked-paths-enforcer.sh.pre-0.35.0`.
+# Migration in `src/hooks/blocked-paths-enforcer/index.ts`.
 #
-# Migration moves the enforcement logic (path normalization, traversal
-# reject, glob/prefix/exact matching, symlink resolution, agent-
-# writable allow-list) into `src/hooks/blocked-paths-enforcer/index.ts`.
-# This shim is the Claude Code dispatcher's view of the hook — it
-# forwards stdin to the CLI and exits with whatever the CLI returns.
+# SHIM_ENFORCE_CLI_SHAPE=1: 0.35.0 codex round-1 P1 — enforce
+# dist/cli/index.js shape.
 #
-# Behavioral contract is preserved byte-for-byte: exit 0 on allow,
-# exit 2 on HALT / blocked-paths match / malformed payload.
+# # Relevance pre-gate (CLI-missing only)
 #
-# # CLI-resolution trust boundary
-#
-# Mirrors the 0.32.0 final shim shape.
-#
-# # Fail-closed posture
-#
-# blocked-paths-enforcer is a Write/Edit/MultiEdit/NotebookEdit tier
-# security gate. The pre-0.35.0 bash body refused on uncertainty.
-# Early-exit branches fail closed AFTER the relevance pre-gate passes.
-#
-# # Relevance pre-gate
-#
-# Extract file_path / notebook_path from the payload, substring-scan
-# against the policy's blocked_paths entries. When CLI is missing AND
-# no policy.blocked_paths entry matches, exit 0. Empty/missing policy
-# → no enforcement, exit 0.
+# Extract file_path / notebook_path; substring-scan against any
+# policy.blocked_paths entry. Empty/missing policy → exit 0.
 
 set -uo pipefail
 
-# 1. HALT check.
 # shellcheck source=_lib/halt-check.sh
 source "$(dirname "$0")/_lib/halt-check.sh"
 check_halt
 REA_ROOT=$(rea_root)
 
-proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
-
-# 2. Capture stdin once.
-INPUT=$(cat)
+SHIM_NAME="blocked-paths-enforcer"
+SHIM_INTRODUCED_IN="0.35.0"
+SHIM_FAIL_OPEN=0
+SHIM_ENFORCE_CLI_SHAPE=1
+SHIM_REFUSAL_NOUN="blocked_paths refusal"
 
-# 3. Resolve the rea CLI through the fixed 2-tier sandboxed order.
-REA_ARGV=()
-RESOLVED_CLI_PATH=""
-if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
-  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
-  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
-elif [ -f "$proj/dist/cli/index.js" ]; then
-  REA_ARGV=(node "$proj/dist/cli/index.js")
-  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
-fi
-
-# 3b. Relevance pre-gate. Only used when the CLI is missing.
-if [ "${#REA_ARGV[@]}" -eq 0 ]; then
-  CLI_MISSING_FILE_PATH=""
+shim_cli_missing_relevant() {
+  local cli_missing_file_path=""
   if command -v jq >/dev/null 2>&1; then
-    CLI_MISSING_FILE_PATH=$(printf '%s' "$INPUT" | jq -r '
+    cli_missing_file_path=$(printf '%s' "$INPUT" | jq -r '
       (.tool_input.file_path // .tool_input.notebook_path // "") | tostring
     ' 2>/dev/null || true)
   else
-    CLI_MISSING_FILE_PATH="$INPUT"
+    cli_missing_file_path="$INPUT"
   fi
-  if [ -z "$CLI_MISSING_FILE_PATH" ]; then
-    exit 0
+  if [ -z "$cli_missing_file_path" ]; then
+    return 1
   fi
-  POLICY_FILE="${REA_ROOT}/.rea/policy.yaml"
-  if [ ! -f "$POLICY_FILE" ]; then
-    exit 0
+  local policy_file="${REA_ROOT}/.rea/policy.yaml"
+  if [ ! -f "$policy_file" ]; then
+    return 1
   fi
-  # 0.37.0: route blocked_paths reads through the unified
-  # policy-reader (Tier 1 CLI → Tier 2 python3 → Tier 3 awk
-  # block-form). Pre-0.37.0 the inline awk parser missed flow-form
-  # arrays (`blocked_paths: [.env, .env.*, ...]`), silently allowing
-  # writes to those paths when the CLI was unreachable. The 4-tier
-  # ladder closes the bypass via Tier 2 when python3 + PyYAML are
-  # reachable; Tier 3 preserves the pre-0.37.0 block-only posture as
-  # a no-dep fallback.
+  # 0.37.0: route blocked_paths reads through the unified policy-reader.
   # shellcheck source=_lib/policy-reader.sh
   source "$(dirname "$0")/_lib/policy-reader.sh"
-  CLI_MISSING_RELEVANT=0
+  local entry base
   while IFS= read -r entry; do
     [ -z "$entry" ] && continue
     # Substring scan — for directory prefixes the entry ends with /
@@ -94,87 +59,17 @@ if [ "${#REA_ARGV[@]}" -eq 0 ]; then
     case "$base" in
       */) base="${base%/}" ;;
     esac
-    # Strip glob wildcards for substring testing — `src/*.ts` becomes
-    # `src/` + `.ts`. The simplest safe form is to scan the literal
-    # part before the first `*`.
     case "$base" in
       *'*'*) base="${base%%\**}" ;;
     esac
     [ -z "$base" ] && continue
-    case "$CLI_MISSING_FILE_PATH" in
-      *"$base"*) CLI_MISSING_RELEVANT=1; break ;;
+    case "$cli_missing_file_path" in
+      *"$base"*) return 0 ;;
     esac
   done < <(policy_reader_get_list blocked_paths 2>/dev/null)
-  if [ "$CLI_MISSING_RELEVANT" -eq 0 ]; then
-    exit 0
-  fi
-  printf 'rea: blocked-paths-enforcer cannot run — the rea CLI is not built.\n' >&2
-  printf 'Run `pnpm install && pnpm build` (or `npm install` for a consumer install) to restore protection.\n' >&2
-  printf 'This shim fails closed because the pre-0.35.0 bash body enforced blocked_paths refusal without a CLI.\n' >&2
-  exit 2
-fi
-
-# 4. Realpath sandbox check.
-if ! command -v node >/dev/null 2>&1; then
-  printf 'rea: blocked-paths-enforcer cannot run — `node` is not on PATH.\n' >&2
-  printf 'Install Node 22+ (engines.node) to restore blocked_paths refusal.\n' >&2
-  exit 2
-fi
-
-sandbox_check=$(node -e '
-  const fs = require("fs");
-  const path = require("path");
-  const cli = process.argv[1];
-  const projDir = process.argv[2];
-  let real, realProj;
-  try { real = fs.realpathSync(cli); } catch (e) {
-    process.stdout.write("bad:realpath"); process.exit(1);
-  }
-  try { realProj = fs.realpathSync(projDir); } catch (e) {
-    process.stdout.write("bad:realpath-proj"); process.exit(1);
-  }
-  const sep = path.sep;
-  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
-  if (!(real === realProj || real.startsWith(projWithSep))) {
-    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
-  }
-  // Codex round-1 P1 fix: enforce dist/cli/index.js shape (see
-  // settings-protection.sh).
-  const expectedEnd = path.join("dist", "cli", "index.js");
-  if (!real.endsWith(path.sep + expectedEnd) && real !== "/" + expectedEnd) {
-    process.stdout.write("bad:cli-shape"); process.exit(1);
-  }
-  let cur = path.dirname(path.dirname(path.dirname(real)));
-  let found = false;
-  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
-    const pj = path.join(cur, "package.json");
-    if (fs.existsSync(pj)) {
-      try {
-        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
-        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
-      } catch (e) { /* keep walking */ }
-    }
-    cur = path.dirname(cur);
-  }
-  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
-  process.stdout.write("ok");
-' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
-
-if [ "$sandbox_check" != "ok" ]; then
-  printf 'rea: blocked-paths-enforcer FAILED sandbox check (%s) — refusing.\n' "$sandbox_check" >&2
-  exit 2
-fi
-
-# 5. Version-probe.
-probe_out=$("${REA_ARGV[@]}" hook blocked-paths-enforcer --help 2>&1)
-probe_status=$?
-if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'blocked-paths-enforcer'; then
-  printf 'rea: this shim requires the `rea hook blocked-paths-enforcer` subcommand (introduced in 0.35.0).\n' >&2
-  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
-  printf 'Run `pnpm install` (or `npm install`) to sync the CLI; refusing in the meantime to preserve enforcement.\n' >&2
-  exit 2
-fi
+  return 1
+}
 
-# 6. Forward stdin (already captured up-front).
-printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook blocked-paths-enforcer
-exit $?
+# shellcheck source=_lib/shim-runtime.sh
+source "$(dirname "$0")/_lib/shim-runtime.sh"
+shim_run

package/hooks/changeset-security-gate.sh

@@ -1,137 +1,44 @@
 #!/bin/bash
 # PreToolUse hook: changeset-security-gate.sh
 # 0.33.0+ — Node-binary shim for `rea hook changeset-security-gate`.
+# 0.38.0+ — migrated to `_lib/shim-runtime.sh` (shared runtime).
 #
-# Pre-0.33.0 the gate's full body lived here as bash (172 LOC, frontmatter
-# validation + GHSA/CVE scan + MultiEdit-aware tool handling). The
-# migration to the parser-backed Node binary moves all of that into
+# Blocking-tier: frontmatter validation + GHSA/CVE scan over
+# .changeset/ writes. Full logic in
 # `src/hooks/changeset-security-gate/index.ts`.
 #
-# Behavioral contract is preserved byte-for-byte: exit 0 on
-# pass-through / non-changeset / valid frontmatter, exit 2 on HALT /
-# disclosure leak / malformed frontmatter / malformed payload.
+# # Relevance pre-gate
 #
-# # CLI-resolution trust boundary
-#
-# Realpath sandbox check + version probe. Same shape as the 0.32.0
-# pilots.
-#
-# # Fail-closed posture
-#
-# changeset-security-gate is BLOCKING-tier — the pre-0.33.0 bash body
-# refused on GHSA/CVE patterns and on malformed frontmatter. Early-exit
-# branches fail closed AFTER the relevance pre-gate passes.
+# 2026-05-15 codex round-2 P2 fix: scan `tool_input.file_path` /
+# `tool_input.notebook_path` ONLY, not the raw JSON payload, so a
+# Write to README.md mentioning `.changeset/` in its content body
+# doesn't trip the fail-closed branch.
 
 set -uo pipefail
 
-# 1. HALT check.
 # shellcheck source=_lib/halt-check.sh
 source "$(dirname "$0")/_lib/halt-check.sh"
 check_halt
 REA_ROOT=$(rea_root)
 
-proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
-
-# 2. Relevance pre-gate. This is a PreToolUse Write/Edit/MultiEdit/
-#    NotebookEdit matcher, so the payload always has a `tool_input.
-#    file_path` (or `notebook_path`).
-#
-#    2026-05-15 codex round-2 P2 fix: scan `tool_input.file_path` /
-#    `tool_input.notebook_path` ONLY, NOT the raw JSON payload. Pre-fix
-#    a Write to `README.md` whose body merely mentions `.changeset/`
-#    (e.g. "See .changeset/example.md") tripped the fail-closed branch
-#    when the CLI was unbuilt — the substring lived in the
-#    tool_input.content blob, not in the target path. The Node body
-#    correctly filters by file_path; the shim's pre-gate must match
-#    that posture.
-INPUT=$(cat)
-RELEVANT=0
-PROBE=""
-if command -v jq >/dev/null 2>&1; then
-  PROBE=$(printf '%s' "$INPUT" | jq -r '(.tool_input.file_path // .tool_input.notebook_path // "")' 2>/dev/null || true)
-  if printf '%s' "$PROBE" | grep -qE '\.changeset/'; then
-    RELEVANT=1
+SHIM_NAME="changeset-security-gate"
+SHIM_INTRODUCED_IN="0.33.0"
+SHIM_FAIL_OPEN=0
+SHIM_REFUSAL_NOUN="changeset disclosure refusal"
+
+shim_is_relevant() {
+  local probe
+  if command -v jq >/dev/null 2>&1; then
+    probe=$(printf '%s' "$INPUT" | jq -r '(.tool_input.file_path // .tool_input.notebook_path // "")' 2>/dev/null || true)
+  else
+    probe="$INPUT"
   fi
-else
-  if printf '%s' "$INPUT" | grep -qE '\.changeset/'; then
-    RELEVANT=1
+  if printf '%s' "$probe" | grep -qE '\.changeset/'; then
+    return 0
   fi
-fi
-if [ "$RELEVANT" -eq 0 ]; then
-  exit 0
-fi
-
-# 3. Resolve the rea CLI.
-REA_ARGV=()
-RESOLVED_CLI_PATH=""
-if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
-  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
-  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
-elif [ -f "$proj/dist/cli/index.js" ]; then
-  REA_ARGV=(node "$proj/dist/cli/index.js")
-  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
-fi
-
-if [ "${#REA_ARGV[@]}" -eq 0 ]; then
-  printf 'rea: changeset-security-gate cannot run — the rea CLI is not built.\n' >&2
-  printf 'Run `pnpm install && pnpm build` (or `npm install` for a consumer install) to restore protection.\n' >&2
-  exit 2
-fi
-
-# 4. Realpath sandbox check.
-if ! command -v node >/dev/null 2>&1; then
-  printf 'rea: changeset-security-gate cannot run — `node` is not on PATH.\n' >&2
-  exit 2
-fi
-
-sandbox_check=$(node -e '
-  const fs = require("fs");
-  const path = require("path");
-  const cli = process.argv[1];
-  const projDir = process.argv[2];
-  let real, realProj;
-  try { real = fs.realpathSync(cli); } catch (e) {
-    process.stdout.write("bad:realpath"); process.exit(1);
-  }
-  try { realProj = fs.realpathSync(projDir); } catch (e) {
-    process.stdout.write("bad:realpath-proj"); process.exit(1);
-  }
-  const sep = path.sep;
-  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
-  if (!(real === realProj || real.startsWith(projWithSep))) {
-    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
-  }
-  let cur = path.dirname(path.dirname(path.dirname(real)));
-  let found = false;
-  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
-    const pj = path.join(cur, "package.json");
-    if (fs.existsSync(pj)) {
-      try {
-        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
-        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
-      } catch (e) { /* keep walking */ }
-    }
-    cur = path.dirname(cur);
-  }
-  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
-  process.stdout.write("ok");
-' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
-
-if [ "$sandbox_check" != "ok" ]; then
-  printf 'rea: changeset-security-gate FAILED sandbox check (%s) — refusing.\n' "$sandbox_check" >&2
-  exit 2
-fi
-
-# 5. Version-probe.
-probe_out=$("${REA_ARGV[@]}" hook changeset-security-gate --help 2>&1)
-probe_status=$?
-if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'changeset-security-gate'; then
-  printf 'rea: this shim requires the `rea hook changeset-security-gate` subcommand (introduced in 0.33.0).\n' >&2
-  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
-  printf 'Run `pnpm install` (or `npm install`) to sync the CLI; refusing in the meantime to preserve enforcement.\n' >&2
-  exit 2
-fi
+  return 1
+}
 
-# 6. Forward stdin.
-printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook changeset-security-gate
-exit $?
+# shellcheck source=_lib/shim-runtime.sh
+source "$(dirname "$0")/_lib/shim-runtime.sh"
+shim_run

package/hooks/dangerous-bash-interceptor.sh

@@ -1,196 +1,72 @@
 #!/bin/bash
 # PreToolUse hook: dangerous-bash-interceptor.sh
 # 0.34.0+ — Node-binary shim for `rea hook dangerous-bash-interceptor`.
+# 0.38.0+ — migrated to `_lib/shim-runtime.sh` (shared runtime).
 #
-# Pre-0.34.0 the gate's full body lived here as bash (414 LOC, every
-# refusal class H1-H17 + M1 plus their bypass-corpus regressions). The
-# migration to the parser-backed Node binary moves all of that into
-# `src/hooks/dangerous-bash-interceptor/index.ts`. This shim is the
-# Claude Code dispatcher's view of the hook — it forwards stdin to
-# the CLI and exits with whatever the CLI returns.
+# Pre-0.34.0 the gate's full body lived here as bash (414 LOC: refusal
+# classes H1-H17 + M1 plus their bypass-corpus regressions). Migration
+# in `src/hooks/dangerous-bash-interceptor/index.ts`. Behavioral
+# contract preserved byte-for-byte: exit 0 on pass-through / MEDIUM-only
+# advisory, exit 2 on HALT / HIGH match / malformed payload.
 #
-# Behavioral contract is preserved byte-for-byte: exit 0 on
-# pass-through / MEDIUM-only advisory, exit 2 on HALT / HIGH rule
-# match / malformed payload (fail-closed).
+# # Relevance pre-gate (CLI-missing only)
 #
-# # CLI-resolution trust boundary
+# 0.34.0 round-7 P1 fix: substring scan over the EXTRACTED command for
+# destructive-catalog keywords. When CLI is missing AND no keyword
+# matches, exit 0 (the pre-port bash body would have done the same —
+# no rule to match). When CLI is missing AND a keyword DOES match,
+# fail closed.
 #
-# Mirrors the 0.32.0 final shim shape (round-8 of the codex iteration
-# on the three Phase 1 pilots). The resolved CLI MUST live INSIDE
-# realpath(CLAUDE_PROJECT_DIR) AND have an ancestor `package.json`
-# whose `name` is `@bookedsolid/rea`. Defends against symlink-out and
-# tarball-replacement attacks on the resolved CLI.
-#
-# # Fail-closed posture
-#
-# dangerous-bash-interceptor is the agent-runaway gate — the pre-0.34.0
-# bash body refused destructive commands without any compiled CLI. The
-# early-exit branches (CLI missing, node missing, sandbox failed,
-# version skew) fail closed AFTER the relevance pre-gate passes.
-# Irrelevant Bash calls exit 0 regardless of CLI state.
-#
-# # Relevance pre-gate
-#
-# 0.34.0 round-7 P1 fix: the pre-0.34.0 bash body refused destructive
-# commands without any compiled CLI. The round-0 shim preserved that
-# fail-closed-on-CLI-missing posture for ALL Bash, but that's stricter
-# than the pre-0.34.0 body which only refused commands matching the
-# destructive catalog. On a fresh / unbuilt install (`npx rea init`,
-# pre-`pnpm build` checkout) the shim blocked benign Bash like `ls`,
-# `mkdir`, `pnpm install` — defeating the install path itself.
-#
-# Fix: substring pre-gate over the EXTRACTED command (not raw payload —
-# the local-review-gate round-2 lesson). When CLI is missing AND no
-# destructive-keyword appears in the extracted command, exit 0 (the
-# pre-0.34.0 bash body would have done the same — there's no rule to
-# match). When CLI is missing AND a destructive-keyword DOES appear,
-# preserve the original fail-closed posture (we'd rather refuse than
-# silently allow a destructive command).
-#
-# The keyword list is coarse — it over-triggers (e.g. `git status` hits
-# `git` substring) but that's fine: the CLI does the real evaluation
-# and lets benign forms through. Over-trigger costs one node-spawn;
-# under-trigger is the bypass we MUST avoid. Same posture as the
-# 0.32.0 secret-scanner `gh issue create` substring fix.
+# Keywords cover every rule head H1-H17 + M1. Coarse by design — the
+# CLI does the real per-rule evaluation when reachable; over-trigger
+# costs one node-spawn, under-trigger is the bypass we MUST avoid.
 
 set -uo pipefail
 
-# 1. HALT check.
 # shellcheck source=_lib/halt-check.sh
 source "$(dirname "$0")/_lib/halt-check.sh"
 check_halt
 REA_ROOT=$(rea_root)
 
-proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
-
-# 2. Capture stdin once. The CLI consumes it via stdin pipe below.
-INPUT=$(cat)
+SHIM_NAME="dangerous-bash-interceptor"
+SHIM_INTRODUCED_IN="0.34.0"
+SHIM_FAIL_OPEN=0
+SHIM_REFUSAL_NOUN="destructive-command refusal"
 
-# 3. Resolve the rea CLI through the fixed 2-tier sandboxed order.
-REA_ARGV=()
-RESOLVED_CLI_PATH=""
-if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
-  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
-  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
-elif [ -f "$proj/dist/cli/index.js" ]; then
-  REA_ARGV=(node "$proj/dist/cli/index.js")
-  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
-fi
-
-# 3b. Relevance pre-gate (round-7 P1). Only used when the CLI is
-#     missing — when present, every Bash call goes through the CLI.
-#     Extract the command string from the payload, then substring-scan
-#     it for destructive-catalog keywords. Mirrors the H1-H17 + M1
-#     rule heads.
-if [ "${#REA_ARGV[@]}" -eq 0 ]; then
-  CLI_MISSING_CMD=""
+shim_cli_missing_relevant() {
+  local cli_missing_cmd=""
   if command -v jq >/dev/null 2>&1; then
-    # Match the CLI's payload schema: tool_input.command. tostring so
-    # a non-string value (object/number) doesn't blow up jq.
-    CLI_MISSING_CMD=$(printf '%s' "$INPUT" | jq -r '
+    cli_missing_cmd=$(printf '%s' "$INPUT" | jq -r '
       (.tool_input.command // "") | tostring
     ' 2>/dev/null || true)
   else
     # jq missing — fall back to scanning the raw payload. Over-trigger
     # by design (the CLI is the source of truth; this is fail-closed
-    # only when keywords match). Substring scan still catches the
-    # destructive forms in JSON-string-encoded payloads.
-    CLI_MISSING_CMD="$INPUT"
+    # only when keywords match).
+    cli_missing_cmd="$INPUT"
   fi
-  # If we couldn't extract a command, treat as relevant (fail closed).
-  CLI_MISSING_RELEVANT=0
-  if [ -z "$CLI_MISSING_CMD" ]; then
-    # Empty command (or non-Bash payload). The pre-0.34.0 bash body
-    # would have exited 0 here — no command, no rule match.
-    exit 0
+  if [ -z "$cli_missing_cmd" ]; then
+    # Empty/non-Bash payload → pre-port body would have exit 0'd.
+    return 1
   fi
-  # Substring scan. Keywords cover every rule head H1-H17 + M1. Coarse
-  # by design — we're a safety net, not the source of truth. The CLI
-  # does the precise per-rule evaluation when reachable.
-  case "$CLI_MISSING_CMD" in
-    *"git "*) CLI_MISSING_RELEVANT=1 ;;
-    *"git	"*) CLI_MISSING_RELEVANT=1 ;;  # tab after git
-    *"rm "*|*"rm	"*) CLI_MISSING_RELEVANT=1 ;;
-    *"psql"*|*"pgcli"*) CLI_MISSING_RELEVANT=1 ;;
-    *"DROP "*|*"DROP	"*) CLI_MISSING_RELEVANT=1 ;;
-    *"kill "*|*"kill	"*|*"killall"*) CLI_MISSING_RELEVANT=1 ;;
-    *"HUSKY="*) CLI_MISSING_RELEVANT=1 ;;
-    *"curl"*|*"wget"*) CLI_MISSING_RELEVANT=1 ;;
-    *"REA_BYPASS"*) CLI_MISSING_RELEVANT=1 ;;
-    *"alias "*|*"function "*) CLI_MISSING_RELEVANT=1 ;;
-    *"core.hooksPath"*|*"core.hookspath"*) CLI_MISSING_RELEVANT=1 ;;
-    *"npm "*|*"pnpm "*|*"yarn "*) CLI_MISSING_RELEVANT=1 ;;
-    *"--no-verify"*|*"--force"*) CLI_MISSING_RELEVANT=1 ;;
+  case "$cli_missing_cmd" in
+    *"git "*) return 0 ;;
+    *"git	"*) return 0 ;;
+    *"rm "*|*"rm	"*) return 0 ;;
+    *"psql"*|*"pgcli"*) return 0 ;;
+    *"DROP "*|*"DROP	"*) return 0 ;;
+    *"kill "*|*"kill	"*|*"killall"*) return 0 ;;
+    *"HUSKY="*) return 0 ;;
+    *"curl"*|*"wget"*) return 0 ;;
+    *"REA_BYPASS"*) return 0 ;;
+    *"alias "*|*"function "*) return 0 ;;
+    *"core.hooksPath"*|*"core.hookspath"*) return 0 ;;
+    *"npm "*|*"pnpm "*|*"yarn "*) return 0 ;;
+    *"--no-verify"*|*"--force"*) return 0 ;;
   esac
-  if [ "$CLI_MISSING_RELEVANT" -eq 0 ]; then
-    # No destructive-keyword in the extracted command. The pre-0.34.0
-    # bash body would have allowed this — exit 0 to preserve install-
-    # path / unbuilt-checkout workflows.
-    exit 0
-  fi
-  # Keyword matched. Preserve fail-closed posture — the pre-0.34.0
-  # bash body would have evaluated this command and potentially refused.
-  printf 'rea: dangerous-bash-interceptor cannot run — the rea CLI is not built.\n' >&2
-  printf 'Run `pnpm install && pnpm build` (or `npm install` for a consumer install) to restore protection.\n' >&2
-  printf 'This shim fails closed because the pre-0.34.0 bash body enforced destructive-command refusal without a CLI.\n' >&2
-  exit 2
-fi
-
-# 4. Realpath sandbox check.
-if ! command -v node >/dev/null 2>&1; then
-  printf 'rea: dangerous-bash-interceptor cannot run — `node` is not on PATH.\n' >&2
-  printf 'Install Node 22+ (engines.node) to restore destructive-command refusal.\n' >&2
-  exit 2
-fi
-
-sandbox_check=$(node -e '
-  const fs = require("fs");
-  const path = require("path");
-  const cli = process.argv[1];
-  const projDir = process.argv[2];
-  let real, realProj;
-  try { real = fs.realpathSync(cli); } catch (e) {
-    process.stdout.write("bad:realpath"); process.exit(1);
-  }
-  try { realProj = fs.realpathSync(projDir); } catch (e) {
-    process.stdout.write("bad:realpath-proj"); process.exit(1);
-  }
-  const sep = path.sep;
-  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
-  if (!(real === realProj || real.startsWith(projWithSep))) {
-    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
-  }
-  let cur = path.dirname(path.dirname(path.dirname(real)));
-  let found = false;
-  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
-    const pj = path.join(cur, "package.json");
-    if (fs.existsSync(pj)) {
-      try {
-        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
-        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
-      } catch (e) { /* keep walking */ }
-    }
-    cur = path.dirname(cur);
-  }
-  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
-  process.stdout.write("ok");
-' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
-
-if [ "$sandbox_check" != "ok" ]; then
-  printf 'rea: dangerous-bash-interceptor FAILED sandbox check (%s) — refusing.\n' "$sandbox_check" >&2
-  exit 2
-fi
-
-# 5. Version-probe.
-probe_out=$("${REA_ARGV[@]}" hook dangerous-bash-interceptor --help 2>&1)
-probe_status=$?
-if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'dangerous-bash-interceptor'; then
-  printf 'rea: this shim requires the `rea hook dangerous-bash-interceptor` subcommand (introduced in 0.34.0).\n' >&2
-  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
-  printf 'Run `pnpm install` (or `npm install`) to sync the CLI; refusing in the meantime to preserve enforcement.\n' >&2
-  exit 2
-fi
+  return 1
+}
 
-# 6. Forward stdin (already captured up-front).
-printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook dangerous-bash-interceptor
-exit $?
+# shellcheck source=_lib/shim-runtime.sh
+source "$(dirname "$0")/_lib/shim-runtime.sh"
+shim_run