@bookedsolid/rea 0.37.0 → 0.38.0

package/hooks/secret-scanner.sh

@@ -1,240 +1,117 @@
 #!/bin/bash
 # PreToolUse hook: secret-scanner.sh
 # 0.34.0+ — Node-binary shim for `rea hook secret-scanner`.
+# 0.38.0+ — migrated to `_lib/shim-runtime.sh` (shared runtime).
 #
-# Pre-0.34.0 the gate's full body lived here as bash (230 LOC, the
-# awk line filter + 17-pattern catalog + placeholder-rejection + the
-# MultiEdit fragment join). The migration to the Node binary moves
-# the pattern catalog + filter + placeholder evaluation into
-# `src/hooks/secret-scanner/index.ts`. This shim is the Claude Code
-# dispatcher's view of the hook — it forwards stdin to the CLI and
-# exits with whatever the CLI returns.
+# Pre-0.34.0 the gate's full body lived here as bash (230 LOC, awk
+# line filter + 17-pattern catalog + placeholder-rejection + MultiEdit
+# fragment join). Migration in `src/hooks/secret-scanner/index.ts`.
+# Behavioral contract preserved byte-for-byte: exit 0 on no-match or
+# MEDIUM-only advisory, exit 2 on HALT / HIGH match / malformed payload.
 #
-# Behavioral contract is preserved byte-for-byte: exit 0 on no-match
-# or MEDIUM-only advisory, exit 2 on HALT / HIGH match / malformed
-# payload.
+# # Shim short-circuits (codex round-1 P2 fix from 0.34.0)
 #
-# # Shim short-circuits (codex round-1 P2 fix)
-#
-# The 0.34.0 round-0 shim deferred ALL decisions to the CLI, including
-# empty-content and `.env.example` suffix exclusion. That regressed
-# benign workflows on fresh/unbuilt installs: clearing a file or
-# editing an example env file would fail closed when `dist/cli/index.js`
-# wasn't built yet.
-#
-# Round-1 P2 fix: replicate the pre-0.34.0 bash body's three
-# short-circuits in the shim BEFORE CLI resolution:
+# Replicate the pre-0.34.0 bash body's two short-circuits BEFORE CLI
+# resolution:
 #   - Empty content (no `content`, `new_string`, `edits[]`, or
-#     `new_source` in the payload) → exit 0 silently.
+#     `new_source` in the payload) → exit 0.
 #   - file_path / notebook_path with `.env.example` or `.env.sample`
-#     suffix → exit 0 silently.
-# The full pattern catalog + filter + placeholder rejection still
-# lives in the CLI.
-#
-# # CLI-resolution trust boundary
+#     suffix → exit 0.
+# This unblocks workflows on fresh/unbuilt installs (clearing a file
+# or editing an example env file would otherwise fail closed).
 #
-# Mirrors the 0.32.0 final shim shape.
+# # CLI-missing relevance scan (round-7 P1)
 #
-# # Fail-closed posture
-#
-# secret-scanner is Write/Edit/MultiEdit/NotebookEdit tier — the
-# pre-0.34.0 bash body refused credential-bearing writes without any
-# compiled CLI. Early-exit branches fail closed AFTER the shim
-# short-circuits.
+# When the CLI is missing AND content contains a credential marker
+# from the catalog, preserve fail-closed. When no marker matches,
+# exit 0 (pre-port body would have allowed).
 
 set -uo pipefail
 
-# 1. HALT check.
 # shellcheck source=_lib/halt-check.sh
 source "$(dirname "$0")/_lib/halt-check.sh"
 check_halt
 REA_ROOT=$(rea_root)
 
-proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
+SHIM_NAME="secret-scanner"
+SHIM_INTRODUCED_IN="0.34.0"
+SHIM_FAIL_OPEN=0
+SHIM_REFUSAL_NOUN="credential refusal"
 
-# 2. Capture stdin once.
-INPUT=$(cat)
+# Module-level: populated by shim_is_relevant for use by
+# shim_cli_missing_relevant (avoids re-parsing INPUT via jq twice).
+_SS_CONTENT=""
+_SS_FILE_PATH=""
+_SS_JQ_PARSE_CLEAN=0
 
-# 3. Short-circuit: empty-content / file-suffix exclusion. Mirrors
-#    the pre-0.34.0 bash body's `[[ -z "$CONTENT" ]] && exit 0` and
-#    the `*.env.example | *.env.sample` suffix check. We do these in
-#    the shim so unbuilt installs don't fail closed on benign writes.
-if command -v jq >/dev/null 2>&1; then
-  # Compose content the same way `parseWriteHookPayload` does:
-  # priority content > new_string > join(edits[].new_string) > new_source.
-  # 0.34.0 round-2 fix: every value goes through `tostring` so a
-  # non-string `new_string` (object/number/null) doesn't trip jq with
-  # a "Cannot iterate" error → empty CONTENT → exit 0 bypass. Mirrors
-  # the 0.14.0 secret-scanner fix that originally closed this class.
-  #
-  # 0.34.0 round-4 P2 fix: capture jq's exit code SEPARATELY rather
-  # than swallowing it with `|| true`. Pre-fix, invalid JSON or a
-  # schema mismatch yielded empty CONTENT → exit 0 silent allow.
-  # Post-fix we distinguish:
-  #   - jq exit 0 + empty CONTENT  → valid payload, no content (the
-  #                                  bash hook also exit 0'd here)
-  #   - jq exit 0 + non-empty      → enter suffix-check + CLI forward
-  #   - jq exit != 0 (parse fail)  → fall through to CLI forward;
-  #                                  the CLI re-parses with Zod and
-  #                                  refuses on malformed payload
-  # The third branch does NOT exit 0 — we want CLI enforcement to
-  # decide. The CLI's parser fails closed.
-  CONTENT=$(printf '%s' "$INPUT" | jq -r '
-    (.tool_input.content // .tool_input.new_string //
-      (
-        if (.tool_input.edits | type) == "array"
-        then (.tool_input.edits | map((.new_string // "") | tostring) | join("\n"))
-        else ""
-        end
-      ) //
-      .tool_input.new_source // ""
-    ) | tostring
-  ' 2>/dev/null)
-  jq_content_status=$?
-  FILE_PATH=$(printf '%s' "$INPUT" | jq -r '
-    .tool_input.file_path // .tool_input.notebook_path // ""
-  ' 2>/dev/null)
-  jq_path_status=$?
-  # Only honor the shim short-circuits when BOTH jq probes parsed
-  # cleanly. Otherwise forward to the CLI which fails closed via Zod.
-  if [ "$jq_content_status" -eq 0 ] && [ "$jq_path_status" -eq 0 ]; then
-    if [ -z "$CONTENT" ]; then
-      exit 0
+shim_is_relevant() {
+  # Two short-circuits: empty content, and *.env.example / *.env.sample
+  # suffix. Only honored when BOTH jq probes parse cleanly; on parse
+  # failure fall through to the CLI which fails closed via Zod.
+  if command -v jq >/dev/null 2>&1; then
+    # 0.34.0 round-2 fix: tostring so non-string `new_string`
+    # (object/number/null) doesn't trip jq with "Cannot iterate".
+    _SS_CONTENT=$(printf '%s' "$INPUT" | jq -r '
+      (.tool_input.content // .tool_input.new_string //
+        (
+          if (.tool_input.edits | type) == "array"
+          then (.tool_input.edits | map((.new_string // "") | tostring) | join("\n"))
+          else ""
+          end
+        ) //
+        .tool_input.new_source // ""
+      ) | tostring
+    ' 2>/dev/null)
+    local jq_content_status=$?
+    _SS_FILE_PATH=$(printf '%s' "$INPUT" | jq -r '
+      .tool_input.file_path // .tool_input.notebook_path // ""
+    ' 2>/dev/null)
+    local jq_path_status=$?
+    if [ "$jq_content_status" -eq 0 ] && [ "$jq_path_status" -eq 0 ]; then
+      _SS_JQ_PARSE_CLEAN=1
+      if [ -z "$_SS_CONTENT" ]; then
+        # Empty content — pre-port body exit 0.
+        return 1
+      fi
+      case "$_SS_FILE_PATH" in
+        *.env.example|*.env.sample) return 1 ;;
+      esac
     fi
-    # Suffix-based exclusion. Mirrors the bash hook's:
-    #   if [[ "$FILE_PATH" == *.env.example || "$FILE_PATH" == *.env.sample ]]; then exit 0; fi
-    case "$FILE_PATH" in
-      *.env.example|*.env.sample) exit 0 ;;
-    esac
   fi
-  # jq parse failure → do NOT short-circuit. Fall through to the CLI
-  # forward at section 7. The CLI will refuse on malformed payload.
-fi
-# When jq is unavailable, fall through — the CLI does the same parse
-# in TypeScript-space and will short-circuit on empty content there.
-
-# 4. Resolve the rea CLI through the fixed 2-tier sandboxed order.
-REA_ARGV=()
-RESOLVED_CLI_PATH=""
-if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
-  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
-  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
-elif [ -f "$proj/dist/cli/index.js" ]; then
-  REA_ARGV=(node "$proj/dist/cli/index.js")
-  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
-fi
+  # Either jq missing OR jq parse failure OR non-excluded payload → relevant.
+  return 0
+}
 
-if [ "${#REA_ARGV[@]}" -eq 0 ]; then
-  # 4b. Relevance pre-gate (round-7 P1). The round-0 shim refused ALL
-  #     writes when the CLI was missing, but the pre-0.34.0 bash body
-  #     only refused writes containing credential patterns. On a fresh
-  #     install (`npx rea init` flow, pre-`pnpm build` checkout) the
-  #     CLI isn't built yet but consumers need to write files — config,
-  #     source, docs, etc. Fix: substring scan the content for the
-  #     credential markers in the catalog. When CLI is missing AND no
-  #     marker matches, exit 0 (the pre-0.34.0 body would have done
-  #     the same — no pattern hit). When CLI is missing AND a marker
-  #     DOES match, preserve fail-closed (refuse rather than silently
-  #     allow a credential-shaped write).
-  #
-  #     Substrings cover every entry in SECRET_PATTERNS (catalog in
-  #     `src/hooks/secret-scanner/index.ts`). Coarse — over-trigger is
-  #     fine, under-trigger is the bypass we MUST avoid. Same posture
-  #     as the round-7 dangerous-bash relevance pre-gate.
-  CONTENT_FOR_SCAN=""
-  if [ -n "${CONTENT:-}" ]; then
-    CONTENT_FOR_SCAN="$CONTENT"
+shim_cli_missing_relevant() {
+  # 0.34.0 round-7 P1: when the CLI is missing AND the content carries
+  # a credential marker, preserve fail-closed. When no marker matches,
+  # the pre-port bash body would have allowed.
+  local content_for_scan
+  if [ -n "$_SS_CONTENT" ]; then
+    content_for_scan="$_SS_CONTENT"
   else
-    # CONTENT may not have been populated (jq missing, parse failure).
-    # Fall back to the raw payload so the substring scan still catches
-    # credential markers embedded in JSON-string form.
-    CONTENT_FOR_SCAN="$INPUT"
+    # jq missing or parse-failed — substring scan the raw payload.
+    content_for_scan="$INPUT"
   fi
-  CRED_RELEVANT=0
-  case "$CONTENT_FOR_SCAN" in
-    *"AKIA"*) CRED_RELEVANT=1 ;;
-    *"AWS_SECRET_ACCESS_KEY"*|*"aws_secret_access_key"*) CRED_RELEVANT=1 ;;
-    *"-----BEGIN"*) CRED_RELEVANT=1 ;;
-    *"sk-ant-"*) CRED_RELEVANT=1 ;;
-    *"ghp_"*|*"ghs_"*|*"gho_"*|*"ghu_"*|*"ghr_"*) CRED_RELEVANT=1 ;;
-    *"github_pat_"*) CRED_RELEVANT=1 ;;
-    *"sk_live_"*|*"rk_live_"*|*"pk_live_"*) CRED_RELEVANT=1 ;;
-    *"sk_test_"*|*"rk_test_"*|*"pk_test_"*) CRED_RELEVANT=1 ;;
-    *"whsec_"*) CRED_RELEVANT=1 ;;
-    *"SECRET"*|*"PASSWORD"*|*"PRIVATE_KEY"*|*"API_SECRET"*) CRED_RELEVANT=1 ;;
-    *"SUPABASE_SERVICE_ROLE_KEY"*|*"SUPABASE_ANON_KEY"*) CRED_RELEVANT=1 ;;
-    *"ANTHROPIC_API_KEY"*|*"STRIPE_SECRET"*|*"DATABASE_URL"*) CRED_RELEVANT=1 ;;
-    *"postgresql://"*) CRED_RELEVANT=1 ;;
-    *"eyJ"*) CRED_RELEVANT=1 ;;  # JWT prefix — catches Supabase keys
+  case "$content_for_scan" in
+    *"AKIA"*) return 0 ;;
+    *"AWS_SECRET_ACCESS_KEY"*|*"aws_secret_access_key"*) return 0 ;;
+    *"-----BEGIN"*) return 0 ;;
+    *"sk-ant-"*) return 0 ;;
+    *"ghp_"*|*"ghs_"*|*"gho_"*|*"ghu_"*|*"ghr_"*) return 0 ;;
+    *"github_pat_"*) return 0 ;;
+    *"sk_live_"*|*"rk_live_"*|*"pk_live_"*) return 0 ;;
+    *"sk_test_"*|*"rk_test_"*|*"pk_test_"*) return 0 ;;
+    *"whsec_"*) return 0 ;;
+    *"SECRET"*|*"PASSWORD"*|*"PRIVATE_KEY"*|*"API_SECRET"*) return 0 ;;
+    *"SUPABASE_SERVICE_ROLE_KEY"*|*"SUPABASE_ANON_KEY"*) return 0 ;;
+    *"ANTHROPIC_API_KEY"*|*"STRIPE_SECRET"*|*"DATABASE_URL"*) return 0 ;;
+    *"postgresql://"*) return 0 ;;
+    *"eyJ"*) return 0 ;;
   esac
-  if [ "$CRED_RELEVANT" -eq 0 ]; then
-    # No credential marker. The pre-0.34.0 bash body would have allowed
-    # this write — exit 0 to unblock `npx rea init` and pre-build
-    # checkouts.
-    exit 0
-  fi
-  # Credential marker matched. Preserve fail-closed posture.
-  printf 'rea: secret-scanner cannot run — the rea CLI is not built.\n' >&2
-  printf 'Run `pnpm install && pnpm build` (or `npm install` for a consumer install) to restore protection.\n' >&2
-  printf 'This shim fails closed because the pre-0.34.0 bash body enforced secret refusal without a CLI.\n' >&2
-  exit 2
-fi
-
-# 5. Realpath sandbox check.
-if ! command -v node >/dev/null 2>&1; then
-  printf 'rea: secret-scanner cannot run — `node` is not on PATH.\n' >&2
-  printf 'Install Node 22+ (engines.node) to restore credential refusal.\n' >&2
-  exit 2
-fi
-
-sandbox_check=$(node -e '
-  const fs = require("fs");
-  const path = require("path");
-  const cli = process.argv[1];
-  const projDir = process.argv[2];
-  let real, realProj;
-  try { real = fs.realpathSync(cli); } catch (e) {
-    process.stdout.write("bad:realpath"); process.exit(1);
-  }
-  try { realProj = fs.realpathSync(projDir); } catch (e) {
-    process.stdout.write("bad:realpath-proj"); process.exit(1);
-  }
-  const sep = path.sep;
-  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
-  if (!(real === realProj || real.startsWith(projWithSep))) {
-    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
-  }
-  let cur = path.dirname(path.dirname(path.dirname(real)));
-  let found = false;
-  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
-    const pj = path.join(cur, "package.json");
-    if (fs.existsSync(pj)) {
-      try {
-        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
-        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
-      } catch (e) { /* keep walking */ }
-    }
-    cur = path.dirname(cur);
-  }
-  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
-  process.stdout.write("ok");
-' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
-
-if [ "$sandbox_check" != "ok" ]; then
-  printf 'rea: secret-scanner FAILED sandbox check (%s) — refusing.\n' "$sandbox_check" >&2
-  exit 2
-fi
-
-# 6. Version-probe.
-probe_out=$("${REA_ARGV[@]}" hook secret-scanner --help 2>&1)
-probe_status=$?
-if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'secret-scanner'; then
-  printf 'rea: this shim requires the `rea hook secret-scanner` subcommand (introduced in 0.34.0).\n' >&2
-  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
-  printf 'Run `pnpm install` (or `npm install`) to sync the CLI; refusing in the meantime to preserve enforcement.\n' >&2
-  exit 2
-fi
+  return 1
+}
 
-# 7. Forward stdin (already captured up-front).
-printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook secret-scanner
-exit $?
+# shellcheck source=_lib/shim-runtime.sh
+source "$(dirname "$0")/_lib/shim-runtime.sh"
+shim_run

package/hooks/security-disclosure-gate.sh

@@ -1,171 +1,48 @@
 #!/bin/bash
 # PreToolUse hook: security-disclosure-gate.sh
 # 0.32.0+ — Node-binary shim for `rea hook security-disclosure-gate`.
+# 0.38.0+ — migrated to `_lib/shim-runtime.sh` (shared runtime).
 #
-# Pre-0.32.0 the gate's full body lived here as bash (339 LOC including
-# the awk body-file resolver, security-patterns array, and mode-aware
-# routing). The migration to the parser-backed Node binary moves all of
-# that into `src/hooks/security-disclosure-gate/index.ts`. This shim is
-# the Claude Code dispatcher's view of the hook — it forwards stdin
-# AND the REA_DISCLOSURE_MODE env var to the CLI and exits with
-# whatever the CLI returns.
+# Blocking-tier: refuses `gh issue create` payloads carrying
+# disclosure keywords. Pre-port body was 339 LOC; migration in
+# `src/hooks/security-disclosure-gate/index.ts`.
 #
-# Behavioral contract is preserved byte-for-byte: exit 0 on
-# pass-through / no-match, exit 2 on HALT / pattern match / traversal
-# refusal / malformed payload (fail-closed).
+# # Relevance pre-gate
 #
-# # CLI-resolution trust boundary
+# Substring scan for `gh issue create`. Plain (NOT JSON-aware) so
+# escaped quotes in quoted env prefixes don't break the match.
 #
-# Codex round 1 P1 (2026-05-15): realpath sandbox check matches
-# delegation-advisory.sh §3. The resolved CLI MUST live INSIDE
-# realpath(CLAUDE_PROJECT_DIR) AND have an ancestor `package.json`
-# whose `name` is `@bookedsolid/rea`. Defends against symlink-out
-# and tarball-replacement attacks that could otherwise forge the
-# pattern matcher and either suppress real findings or leak a
-# vulnerability through the disclosure gate.
+# # Mode short-circuit (round-6 P2)
 #
-# Sandboxed resolution order (PATH is INTENTIONALLY OMITTED):
-#   1. node_modules/@bookedsolid/rea/dist/cli/index.js (consumer-side)
-#   2. dist/cli/index.js under CLAUDE_PROJECT_DIR (dogfood)
-#
-# When NO rea CLI is reachable, the hook falls through to allow —
-# same posture as the bash-resident version, which `source`d
-# _lib/common.sh first and exited cleanly if the lib was missing.
+# `REA_DISCLOSURE_MODE=disabled` exits 0 — pre-port body no-op'd only
+# in that mode (advisory + issues modes both enforced). This runs
+# BEFORE sandbox check because it reads an env-var, no policy/CLI.
 
 set -uo pipefail
 
-# 1. HALT check.
 # shellcheck source=_lib/halt-check.sh
 source "$(dirname "$0")/_lib/halt-check.sh"
 check_halt
 REA_ROOT=$(rea_root)
 
-proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
-
-# 2. Relevance pre-gate (0.32.0 round-5 P1, round-6 fix). PreToolUse
-#    Bash matchers fire on EVERY shell command, but this hook only
-#    enforces against `gh issue create` payloads carrying disclosure
-#    keywords. Capture stdin + check relevance FIRST so unrelated
-#    commands exit 0 even when the CLI is missing/stale.
-#
-#    Match `gh issue create` ANYWHERE in the command string (allow
-#    shell prefixes — `sudo`, env assignments). Round-6 P1.
-INPUT=$(cat)
-# Substring scan (NOT JSON-aware). Round-7 P1: any JSON-aware regex
-# anchored on `"command":"...` gets tripped by escaped quotes in
-# quoted env prefixes (`MODE="internal" gh issue create …`). Plain
-# substring match has no such edge — and false-positives just defer
-# to the Node body which handles correctly.
-RELEVANT=0
-if printf '%s' "$INPUT" | grep -qE 'gh[[:space:]]+issue[[:space:]]+create'; then
-  RELEVANT=1
-fi
-if [ "$RELEVANT" -eq 0 ]; then
-  exit 0
-fi
-
-# 2b. Mode short-circuit (round-6 P2). The pre-0.32.0 bash body
-#     no-op'd ONLY when `REA_DISCLOSURE_MODE=disabled` — `advisory`
-#     mode and the `issues` mode (default) BOTH enforced. Without
-#     this check, an unbuilt/stale install would refuse every relevant
-#     `gh issue create` even when the operator has deliberately set
-#     mode=disabled.
-MODE="${REA_DISCLOSURE_MODE:-advisory}"
-if [ "$MODE" = "disabled" ]; then
-  exit 0
-fi
-
-# 3. Resolve the rea CLI.
-REA_ARGV=()
-RESOLVED_CLI_PATH=""
-if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
-  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
-  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
-elif [ -f "$proj/dist/cli/index.js" ]; then
-  REA_ARGV=(node "$proj/dist/cli/index.js")
-  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
-fi
-
-if [ "${#REA_ARGV[@]}" -eq 0 ]; then
-  # 0.32.0 round-4 P1: this is a blocking-tier gate — the pre-0.32.0
-  # bash body enforced the disclosure policy WITHOUT a compiled CLI.
-  # Falling through to exit 0 here would silently disable security-
-  # keyword blocking on `gh issue create` until the operator runs
-  # `pnpm install` / `pnpm build`. Fail closed: refuse the operation
-  # and tell the operator how to restore protection.
-  printf 'rea: security-disclosure-gate cannot run — the rea CLI is not built.\n' >&2
-  printf 'Run `pnpm install && pnpm build` (or `npm install` for a consumer install) to restore protection.\n' >&2
-  printf 'This shim fails closed because the pre-0.32.0 bash body enforced disclosure policy without a CLI.\n' >&2
-  exit 2
-fi
-
-# 3. Realpath sandbox check.
-if ! command -v node >/dev/null 2>&1; then
-  printf 'rea: security-disclosure-gate cannot run — `node` is not on PATH.\n' >&2
-  printf 'Install Node 22+ (engines.node) to restore disclosure-policy enforcement.\n' >&2
-  exit 2
-fi
-
-sandbox_check=$(node -e '
-  const fs = require("fs");
-  const path = require("path");
-  const cli = process.argv[1];
-  const projDir = process.argv[2];
-  let real, realProj;
-  try { real = fs.realpathSync(cli); } catch (e) {
-    process.stdout.write("bad:realpath"); process.exit(1);
-  }
-  try { realProj = fs.realpathSync(projDir); } catch (e) {
-    process.stdout.write("bad:realpath-proj"); process.exit(1);
-  }
-  const sep = path.sep;
-  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
-  if (!(real === realProj || real.startsWith(projWithSep))) {
-    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
-  }
-  let cur = path.dirname(path.dirname(path.dirname(real)));
-  let found = false;
-  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
-    const pj = path.join(cur, "package.json");
-    if (fs.existsSync(pj)) {
-      try {
-        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
-        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
-      } catch (e) { /* keep walking */ }
-    }
-    cur = path.dirname(cur);
-  }
-  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
-  process.stdout.write("ok");
-' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
-
-if [ "$sandbox_check" != "ok" ]; then
-  # 0.32.0 round-4 P1: fail closed (blocking-tier — see exit-0 → exit-2
-  # rationale at the top). A failed sandbox check means the CLI we
-  # would run cannot be authenticated as the rea binary; refusing is
-  # both the safest posture AND preserves the pre-0.32.0 bash-body
-  # contract that this hook always enforces policy.
-  printf 'rea: security-disclosure-gate FAILED sandbox check (%s) — refusing.\n' "$sandbox_check" >&2
-  exit 2
-fi
-
-# 4. Version-probe: confirm the resolved CLI implements
-#    `hook security-disclosure-gate`. Codex round 1 P1.
-probe_out=$("${REA_ARGV[@]}" hook security-disclosure-gate --help 2>&1)
-probe_status=$?
-if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'security-disclosure-gate'; then
-  # 0.32.0 round-4 P1: a stale/older CLI without the new subcommand is
-  # NOT a "harmless availability fallback" for this hook — the bash
-  # body it replaces always enforced. Fail closed and tell the
-  # operator exactly how to fix.
-  printf 'rea: this shim requires the `rea hook security-disclosure-gate` subcommand (introduced in 0.32.0).\n' >&2
-  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
-  printf 'Run `pnpm install` (or `npm install`) to sync the CLI; refusing in the meantime to preserve enforcement.\n' >&2
-  exit 2
-fi
-
-# 5. Forward stdin (already captured up-front for the relevance gate).
-#    REA_DISCLOSURE_MODE is in env already; the Node binary reads it
-#    directly.
-printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook security-disclosure-gate
-exit $?
+SHIM_NAME="security-disclosure-gate"
+SHIM_INTRODUCED_IN="0.32.0"
+SHIM_FAIL_OPEN=0
+SHIM_REFUSAL_NOUN="disclosure-policy enforcement"
+
+shim_is_relevant() {
+  if ! printf '%s' "$INPUT" | grep -qE 'gh[[:space:]]+issue[[:space:]]+create'; then
+    return 1
+  fi
+  # Mode short-circuit: REA_DISCLOSURE_MODE=disabled bypasses BEFORE
+  # any CLI work. Implemented inline (no policy read needed).
+  local mode="${REA_DISCLOSURE_MODE:-advisory}"
+  if [ "$mode" = "disabled" ]; then
+    return 1
+  fi
+  return 0
+}
+
+# shellcheck source=_lib/shim-runtime.sh
+source "$(dirname "$0")/_lib/shim-runtime.sh"
+shim_run