@bookedsolid/rea 0.4.0 → 0.6.0

package/dist/audit/append.js

@@ -141,11 +141,22 @@ export async function appendAuditRecord(baseDir, input) {
         .then(async () => {
         record = await doAppend(resolvedBase, input);
     });
-    writeQueues.set(key, next.finally(() => {
+    writeQueues.set(key, next
+        .finally(() => {
         // Keep the queue lean — once this write resolves, drop the reference
         // if nothing newer is chained behind it.
         if (writeQueues.get(key) === next)
             writeQueues.delete(key);
+    })
+        // Swallow rejections on the stored promise so Node doesn't flag it as
+        // an unhandled rejection. The current caller already owns this error
+        // via the `await next` below; the NEXT caller that chains off this
+        // entry also .catch()-es it at the top of its chain. Without this
+        // terminal .catch(), a failed audit append surfaces as a spurious
+        // `unhandledRejection` event — which matters in tests that run the
+        // whole process and in long-lived servers that would log it.
+        .catch(() => {
+        /* handled by caller */
     }));
     await next;
     return record;

package/dist/cache/review-cache.d.ts

@@ -0,0 +1,115 @@
+/**
+ * Review cache (BUG-009). The push-review-gate hook (`hooks/push-review-gate.sh`)
+ * has shipped since 0.3.x calling `rea cache check <sha>` to skip re-review on
+ * a previously-approved diff, and `rea cache set <sha> pass ...` as the
+ * operator's advertised way to complete the gate. Neither subcommand existed
+ * in the CLI through 0.4.0. Once BUG-008's pre-push stdin adapter lands and
+ * the gate actually fires, a protected-path push has no completion path
+ * without this cache — hence "paired ship blocker."
+ *
+ * ## File layout
+ *
+ * `.rea/review-cache.jsonl` — one JSON object per line, terminated with `\n`.
+ * Each entry:
+ *
+ *   {
+ *     "sha": "<diff-sha256>",
+ *     "branch": "<feature-branch>",
+ *     "base": "<target-branch>",
+ *     "result": "pass" | "fail",
+ *     "recorded_at": "<ISO-8601>",
+ *     "reason"?: "<free text>"   // optional, populated on fail or on skip
+ *   }
+ *
+ * The `sha` is whatever the caller supplies — the hook happens to use a
+ * SHA-256 of the full diff, but the cache does not interpret or validate the
+ * value. Hash-chained is intentionally NOT required: this is a keyed cache,
+ * not an append-only integrity log. The audit log at `.rea/audit.jsonl`
+ * remains the integrity story.
+ *
+ * ## Concurrency
+ *
+ * Every write takes the same `proper-lockfile` lock on the `.rea/` parent
+ * directory that the audit helpers use (`withAuditLock`). This means a
+ * concurrent audit append and cache write serialize against each other — a
+ * negligible cost given cache writes happen once per push gate completion.
+ *
+ * ## Idempotency
+ *
+ * `appendEntry` writes a new line unconditionally. `lookup` returns the most
+ * recent entry matching `(sha, branch, base)`. This "last write wins" keeps
+ * the write path O(1) and the read path O(n) over the file; n is bounded by
+ * typical review frequency (dozens per week, not millions). If a future
+ * operator needs a compact file, `rea cache clear <sha>` drops matching
+ * entries and a separate `rea cache compact` (not in 0.5.0) could rewrite.
+ *
+ * ## TTL
+ *
+ * `lookup` honors `review.cache_max_age_seconds` (default 3600). Entries
+ * older than the window are treated as a miss. Expired entries are not
+ * garbage-collected on read — `rea cache clear` or `rea cache compact`
+ * is the operator tool for shrinking.
+ */
+/** Default TTL when policy does not supply one. */
+export declare const DEFAULT_CACHE_MAX_AGE_SECONDS = 3600;
+export type CacheResult = 'pass' | 'fail';
+export interface CacheEntry {
+    sha: string;
+    branch: string;
+    base: string;
+    result: CacheResult;
+    recorded_at: string;
+    reason?: string;
+}
+export interface CacheLookupInput {
+    sha: string;
+    branch: string;
+    base: string;
+    /** Epoch ms used as the "now" reference for TTL comparison. Defaults to `Date.now()`. */
+    nowMs?: number;
+    /** TTL in seconds; defaults to {@link DEFAULT_CACHE_MAX_AGE_SECONDS}. */
+    maxAgeSeconds?: number;
+}
+export interface CacheLookupResult {
+    hit: boolean;
+    entry?: CacheEntry;
+    /** Reason for a miss. One of `'no-entry' | 'expired' | 'empty-file'`. Always set when `hit === false`. */
+    missReason?: 'no-entry' | 'expired' | 'empty-file';
+}
+export interface CacheAppendInput {
+    sha: string;
+    branch: string;
+    base: string;
+    result: CacheResult;
+    reason?: string;
+    /** ISO-8601 timestamp. Defaults to `new Date().toISOString()`. */
+    timestamp?: string;
+}
+export declare function resolveCacheFile(baseDir: string): string;
+/**
+ * Append an entry to the cache. Writes are serialized through the shared
+ * `.rea/` directory lock so audit writes and cache writes do not interleave.
+ */
+export declare function appendEntry(baseDir: string, input: CacheAppendInput): Promise<CacheEntry>;
+/**
+ * Find the most-recent entry matching `(sha, branch, base)` within the TTL
+ * window. Idempotent and side-effect free.
+ */
+export declare function lookup(baseDir: string, input: CacheLookupInput): Promise<CacheLookupResult>;
+/**
+ * Remove every entry matching `sha`. Returns the count removed. A `0` return
+ * is a valid outcome (sha not present). Writes back via the same lock as
+ * `appendEntry`, so concurrent sets do not lose entries.
+ *
+ * Writes use temp-file + `fs.rename` (atomic within a single directory on
+ * POSIX) so unlocked readers (`lookup`, `list`) can never observe a torn or
+ * empty intermediate state. Codex F4 on the 0.5.0 PR1 review.
+ */
+export declare function clear(baseDir: string, sha: string): Promise<number>;
+/**
+ * Return every entry, optionally filtered by branch. Entries are returned in
+ * file order (oldest first). Callers that want "newest first" should reverse.
+ */
+export declare function list(baseDir: string, options?: {
+    branch?: string;
+}): Promise<CacheEntry[]>;

package/dist/cache/review-cache.js

@@ -0,0 +1,200 @@
+/**
+ * Review cache (BUG-009). The push-review-gate hook (`hooks/push-review-gate.sh`)
+ * has shipped since 0.3.x calling `rea cache check <sha>` to skip re-review on
+ * a previously-approved diff, and `rea cache set <sha> pass ...` as the
+ * operator's advertised way to complete the gate. Neither subcommand existed
+ * in the CLI through 0.4.0. Once BUG-008's pre-push stdin adapter lands and
+ * the gate actually fires, a protected-path push has no completion path
+ * without this cache — hence "paired ship blocker."
+ *
+ * ## File layout
+ *
+ * `.rea/review-cache.jsonl` — one JSON object per line, terminated with `\n`.
+ * Each entry:
+ *
+ *   {
+ *     "sha": "<diff-sha256>",
+ *     "branch": "<feature-branch>",
+ *     "base": "<target-branch>",
+ *     "result": "pass" | "fail",
+ *     "recorded_at": "<ISO-8601>",
+ *     "reason"?: "<free text>"   // optional, populated on fail or on skip
+ *   }
+ *
+ * The `sha` is whatever the caller supplies — the hook happens to use a
+ * SHA-256 of the full diff, but the cache does not interpret or validate the
+ * value. Hash-chained is intentionally NOT required: this is a keyed cache,
+ * not an append-only integrity log. The audit log at `.rea/audit.jsonl`
+ * remains the integrity story.
+ *
+ * ## Concurrency
+ *
+ * Every write takes the same `proper-lockfile` lock on the `.rea/` parent
+ * directory that the audit helpers use (`withAuditLock`). This means a
+ * concurrent audit append and cache write serialize against each other — a
+ * negligible cost given cache writes happen once per push gate completion.
+ *
+ * ## Idempotency
+ *
+ * `appendEntry` writes a new line unconditionally. `lookup` returns the most
+ * recent entry matching `(sha, branch, base)`. This "last write wins" keeps
+ * the write path O(1) and the read path O(n) over the file; n is bounded by
+ * typical review frequency (dozens per week, not millions). If a future
+ * operator needs a compact file, `rea cache clear <sha>` drops matching
+ * entries and a separate `rea cache compact` (not in 0.5.0) could rewrite.
+ *
+ * ## TTL
+ *
+ * `lookup` honors `review.cache_max_age_seconds` (default 3600). Entries
+ * older than the window are treated as a miss. Expired entries are not
+ * garbage-collected on read — `rea cache clear` or `rea cache compact`
+ * is the operator tool for shrinking.
+ */
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import { withAuditLock } from '../audit/fs.js';
+/** Default TTL when policy does not supply one. */
+export const DEFAULT_CACHE_MAX_AGE_SECONDS = 3600;
+/**
+ * Tolerated clock skew for future-dated entries. A `recorded_at` more than
+ * this far in the future relative to `nowMs` is treated as tampered or
+ * severely-drifted and forces a miss (re-review). 60s covers NTP jitter on
+ * well-synced hosts; anything beyond that is noise we do not trust.
+ */
+const FUTURE_SKEW_ALLOWANCE_MS = 60_000;
+const CACHE_FILENAME = 'review-cache.jsonl';
+const REA_DIRNAME = '.rea';
+export function resolveCacheFile(baseDir) {
+    return path.join(baseDir, REA_DIRNAME, CACHE_FILENAME);
+}
+/**
+ * Load every entry from the cache file. Returns `[]` when the file does not
+ * exist or is empty. Malformed lines are skipped — we never throw on a
+ * corrupt line, because the cache is advisory and a bad write (e.g. a
+ * half-written line from a crashed host) must not block a subsequent push.
+ */
+async function loadEntries(cacheFile) {
+    let raw;
+    try {
+        raw = await fs.readFile(cacheFile, 'utf8');
+    }
+    catch (err) {
+        if (err.code === 'ENOENT')
+            return [];
+        throw err;
+    }
+    if (raw.length === 0)
+        return [];
+    const entries = [];
+    for (const line of raw.split('\n')) {
+        if (line.length === 0)
+            continue;
+        try {
+            const parsed = JSON.parse(line);
+            if (typeof parsed.sha === 'string' &&
+                typeof parsed.branch === 'string' &&
+                typeof parsed.base === 'string' &&
+                (parsed.result === 'pass' || parsed.result === 'fail') &&
+                typeof parsed.recorded_at === 'string') {
+                entries.push(parsed);
+            }
+        }
+        catch {
+            // Skip malformed line.
+        }
+    }
+    return entries;
+}
+/**
+ * Append an entry to the cache. Writes are serialized through the shared
+ * `.rea/` directory lock so audit writes and cache writes do not interleave.
+ */
+export async function appendEntry(baseDir, input) {
+    const cacheFile = resolveCacheFile(baseDir);
+    await fs.mkdir(path.dirname(cacheFile), { recursive: true });
+    const entry = {
+        sha: input.sha,
+        branch: input.branch,
+        base: input.base,
+        result: input.result,
+        recorded_at: input.timestamp ?? new Date().toISOString(),
+        ...(input.reason !== undefined && input.reason.length > 0
+            ? { reason: input.reason }
+            : {}),
+    };
+    await withAuditLock(cacheFile, async () => {
+        const line = JSON.stringify(entry) + '\n';
+        await fs.appendFile(cacheFile, line);
+    });
+    return entry;
+}
+/**
+ * Find the most-recent entry matching `(sha, branch, base)` within the TTL
+ * window. Idempotent and side-effect free.
+ */
+export async function lookup(baseDir, input) {
+    const cacheFile = resolveCacheFile(baseDir);
+    const entries = await loadEntries(cacheFile);
+    if (entries.length === 0)
+        return { hit: false, missReason: 'empty-file' };
+    // Walk from the tail so the first match is the newest.
+    let matched;
+    for (let i = entries.length - 1; i >= 0; i--) {
+        const e = entries[i];
+        if (e.sha === input.sha && e.branch === input.branch && e.base === input.base) {
+            matched = e;
+            break;
+        }
+    }
+    if (matched === undefined)
+        return { hit: false, missReason: 'no-entry' };
+    const nowMs = input.nowMs ?? Date.now();
+    const maxAgeSeconds = input.maxAgeSeconds ?? DEFAULT_CACHE_MAX_AGE_SECONDS;
+    const recordedMs = Date.parse(matched.recorded_at);
+    if (Number.isNaN(recordedMs)) {
+        // Corrupt timestamp — treat as an expired miss so the caller re-reviews.
+        return { hit: false, missReason: 'expired', entry: matched };
+    }
+    if (recordedMs > nowMs + FUTURE_SKEW_ALLOWANCE_MS) {
+        return { hit: false, missReason: 'expired', entry: matched };
+    }
+    if ((nowMs - recordedMs) / 1000 > maxAgeSeconds) {
+        return { hit: false, missReason: 'expired', entry: matched };
+    }
+    return { hit: true, entry: matched };
+}
+/**
+ * Remove every entry matching `sha`. Returns the count removed. A `0` return
+ * is a valid outcome (sha not present). Writes back via the same lock as
+ * `appendEntry`, so concurrent sets do not lose entries.
+ *
+ * Writes use temp-file + `fs.rename` (atomic within a single directory on
+ * POSIX) so unlocked readers (`lookup`, `list`) can never observe a torn or
+ * empty intermediate state. Codex F4 on the 0.5.0 PR1 review.
+ */
+export async function clear(baseDir, sha) {
+    const cacheFile = resolveCacheFile(baseDir);
+    return withAuditLock(cacheFile, async () => {
+        const entries = await loadEntries(cacheFile);
+        const kept = entries.filter((e) => e.sha !== sha);
+        const removed = entries.length - kept.length;
+        if (removed === 0)
+            return 0;
+        const out = kept.length === 0 ? '' : kept.map((e) => JSON.stringify(e)).join('\n') + '\n';
+        const tmpFile = `${cacheFile}.tmp.${process.pid}.${Date.now()}`;
+        await fs.writeFile(tmpFile, out);
+        await fs.rename(tmpFile, cacheFile);
+        return removed;
+    });
+}
+/**
+ * Return every entry, optionally filtered by branch. Entries are returned in
+ * file order (oldest first). Callers that want "newest first" should reverse.
+ */
+export async function list(baseDir, options = {}) {
+    const cacheFile = resolveCacheFile(baseDir);
+    const entries = await loadEntries(cacheFile);
+    if (options.branch === undefined)
+        return entries;
+    return entries.filter((e) => e.branch === options.branch);
+}

package/dist/cli/cache.d.ts

@@ -0,0 +1,52 @@
+/**
+ * `rea cache` — push-review cache operator subcommands (BUG-009).
+ *
+ * Four verbs:
+ *   - `check <sha> --branch <b> --base <b>` — JSON to stdout ONLY; never
+ *     diagnostics. `hooks/push-review-gate.sh` reads this via
+ *     `printf '%s' "$CACHE_RESULT" | jq -e '.hit == true'`, so any stray
+ *     text on stdout would poison the hook's JSON parse.
+ *   - `set <sha> pass|fail --branch <b> --base <b> [--reason <s>]` — record
+ *     a review outcome.
+ *   - `clear <sha>` — drop every entry for a sha (dev convenience).
+ *   - `list [--branch <b>]` — pretty-print entries.
+ *
+ * The TTL used by `check` reads `review.cache_max_age_seconds` from
+ * `.rea/policy.yaml` when present, falling back to
+ * {@link DEFAULT_CACHE_MAX_AGE_SECONDS} (1 hour) when the policy file or
+ * field is absent. An unreadable/malformed policy file is NOT fatal for
+ * `check` — it degrades to the default so a broken policy never deadlocks
+ * the push gate; other commands that don't consume the TTL ignore the policy
+ * entirely.
+ */
+import { type CacheResult } from '../cache/review-cache.js';
+export interface CacheCheckOptions {
+    sha: string;
+    branch: string;
+    base: string;
+}
+export interface CacheSetOptions {
+    sha: string;
+    result: CacheResult;
+    branch: string;
+    base: string;
+    reason?: string;
+}
+export interface CacheClearOptions {
+    sha: string;
+}
+export interface CacheListOptions {
+    branch?: string;
+}
+/**
+ * Print the cache-check JSON to stdout. Hook contract: stdout is ONLY JSON.
+ * On a miss we still exit 0 with `{"hit":false}` — the hook interprets
+ * non-zero as "rea broken, force re-review" via its `|| echo '{"hit":false}'`
+ * fallback.
+ */
+export declare function runCacheCheck(options: CacheCheckOptions): Promise<void>;
+export declare function runCacheSet(options: CacheSetOptions): Promise<void>;
+export declare function runCacheClear(options: CacheClearOptions): Promise<void>;
+export declare function runCacheList(options: CacheListOptions): Promise<void>;
+/** Parse-and-validate helper for `set` — surfaces a clean error on bad input. */
+export declare function parseCacheResult(raw: string): CacheResult;

package/dist/cli/cache.js

@@ -0,0 +1,112 @@
+/**
+ * `rea cache` — push-review cache operator subcommands (BUG-009).
+ *
+ * Four verbs:
+ *   - `check <sha> --branch <b> --base <b>` — JSON to stdout ONLY; never
+ *     diagnostics. `hooks/push-review-gate.sh` reads this via
+ *     `printf '%s' "$CACHE_RESULT" | jq -e '.hit == true'`, so any stray
+ *     text on stdout would poison the hook's JSON parse.
+ *   - `set <sha> pass|fail --branch <b> --base <b> [--reason <s>]` — record
+ *     a review outcome.
+ *   - `clear <sha>` — drop every entry for a sha (dev convenience).
+ *   - `list [--branch <b>]` — pretty-print entries.
+ *
+ * The TTL used by `check` reads `review.cache_max_age_seconds` from
+ * `.rea/policy.yaml` when present, falling back to
+ * {@link DEFAULT_CACHE_MAX_AGE_SECONDS} (1 hour) when the policy file or
+ * field is absent. An unreadable/malformed policy file is NOT fatal for
+ * `check` — it degrades to the default so a broken policy never deadlocks
+ * the push gate; other commands that don't consume the TTL ignore the policy
+ * entirely.
+ */
+import { loadPolicy } from '../policy/loader.js';
+import { DEFAULT_CACHE_MAX_AGE_SECONDS, appendEntry, clear as clearEntries, list as listEntries, lookup, } from '../cache/review-cache.js';
+import { err, log } from './utils.js';
+function resolveMaxAgeSeconds(baseDir) {
+    try {
+        const policy = loadPolicy(baseDir);
+        const configured = policy.review?.cache_max_age_seconds;
+        if (typeof configured === 'number' && configured > 0)
+            return configured;
+        return DEFAULT_CACHE_MAX_AGE_SECONDS;
+    }
+    catch {
+        // Missing or malformed policy must not block the push gate — degrade to
+        // the default. `rea doctor` is the canonical surface for flagging a
+        // broken policy file; the cache is not the place to re-diagnose it.
+        return DEFAULT_CACHE_MAX_AGE_SECONDS;
+    }
+}
+/**
+ * Print the cache-check JSON to stdout. Hook contract: stdout is ONLY JSON.
+ * On a miss we still exit 0 with `{"hit":false}` — the hook interprets
+ * non-zero as "rea broken, force re-review" via its `|| echo '{"hit":false}'`
+ * fallback.
+ */
+export async function runCacheCheck(options) {
+    const baseDir = process.cwd();
+    const maxAgeSeconds = resolveMaxAgeSeconds(baseDir);
+    const result = await lookup(baseDir, {
+        sha: options.sha,
+        branch: options.branch,
+        base: options.base,
+        maxAgeSeconds,
+    });
+    if (result.hit && result.entry !== undefined) {
+        const payload = {
+            hit: true,
+            result: result.entry.result,
+            branch: result.entry.branch,
+            base: result.entry.base,
+            recorded_at: result.entry.recorded_at,
+            ...(result.entry.reason !== undefined ? { reason: result.entry.reason } : {}),
+        };
+        process.stdout.write(JSON.stringify(payload) + '\n');
+        return;
+    }
+    process.stdout.write(JSON.stringify({ hit: false }) + '\n');
+}
+export async function runCacheSet(options) {
+    const baseDir = process.cwd();
+    const entry = await appendEntry(baseDir, {
+        sha: options.sha,
+        branch: options.branch,
+        base: options.base,
+        result: options.result,
+        ...(options.reason !== undefined && options.reason.length > 0
+            ? { reason: options.reason }
+            : {}),
+    });
+    log(`Recorded ${entry.result} for ${entry.sha.slice(0, 12)} (${entry.branch} → ${entry.base}).`);
+}
+export async function runCacheClear(options) {
+    const baseDir = process.cwd();
+    const removed = await clearEntries(baseDir, options.sha);
+    if (removed === 0) {
+        log(`No entries found for ${options.sha.slice(0, 12)}.`);
+        return;
+    }
+    log(`Cleared ${removed} entr${removed === 1 ? 'y' : 'ies'} for ${options.sha.slice(0, 12)}.`);
+}
+export async function runCacheList(options) {
+    const baseDir = process.cwd();
+    const entries = await listEntries(baseDir, {
+        ...(options.branch !== undefined ? { branch: options.branch } : {}),
+    });
+    if (entries.length === 0) {
+        log('No review-cache entries.');
+        return;
+    }
+    for (const e of entries) {
+        const shortSha = e.sha.slice(0, 12);
+        const reason = e.reason !== undefined ? `  — ${e.reason}` : '';
+        console.log(`${e.recorded_at}  ${e.result.padEnd(4)}  ${shortSha}  ${e.branch} → ${e.base}${reason}`);
+    }
+}
+/** Parse-and-validate helper for `set` — surfaces a clean error on bad input. */
+export function parseCacheResult(raw) {
+    if (raw === 'pass' || raw === 'fail')
+        return raw;
+    err(`result must be 'pass' or 'fail'; got ${JSON.stringify(raw)}`);
+    process.exit(1);
+}

package/dist/cli/doctor.d.ts

@@ -19,6 +19,33 @@ export interface CheckResult {
  * Exported so tests can drive this without spinning up the full `runDoctor`.
  */
 export declare function checkFingerprintStore(baseDir: string): Promise<CheckResult>;
+/**
+ * Detect whether `baseDir` is a git repository. Returns true for the three
+ * shapes git itself accepts:
+ *
+ *   1. `.git/` is a directory (vanilla repo).
+ *   2. `.git` is a file with `gitdir: <path>` (linked worktree, submodule).
+ *      The target gitdir is resolved and must exist on disk — a stale or
+ *      orphaned gitlink (submodule whose parent moved, worktree whose main
+ *      repo was deleted) is NOT a git repo and must return false, otherwise
+ *      doctor short-circuits the non-git escape hatch and hard-fails on the
+ *      pre-push check against a `.git/hooks/` that doesn't exist (F1 from
+ *      Codex review of 0.5.1).
+ *   3. Anything else (including a plain file a user accidentally named
+ *      `.git`, or a symlink to nowhere) → false.
+ *
+ * Filesystem-shape predicate only. Deliberately does not consult `GIT_DIR`
+ * or shell out to `git rev-parse` — `rea doctor` already checks things
+ * inside `baseDir/.git/hooks/`, so the shape-on-disk is the right question
+ * for the escape hatch. A GIT_DIR-aware secondary signal is a follow-up.
+ *
+ * Security note (F3): removing `.git/` does NOT bypass governance. The
+ * governance artifact is the pre-push hook; a directory with no `.git/`
+ * has no commits to push and no pre-push event to bypass. The escape
+ * hatch is a UX predicate for knowledge repos and non-source directories,
+ * NOT a trust boundary. Do not key security decisions on the return value.
+ */
+export declare function isGitRepo(baseDir: string): boolean;
 /**
  * Translate a `CodexProbeState` into two doctor CheckResults: one for
  * responsiveness (pass/warn) and one informational line about the last

package/dist/cli/doctor.js

@@ -240,6 +240,75 @@ function checkSettingsJson(baseDir) {
         };
     }
 }
+/**
+ * Detect whether `baseDir` is a git repository. Returns true for the three
+ * shapes git itself accepts:
+ *
+ *   1. `.git/` is a directory (vanilla repo).
+ *   2. `.git` is a file with `gitdir: <path>` (linked worktree, submodule).
+ *      The target gitdir is resolved and must exist on disk — a stale or
+ *      orphaned gitlink (submodule whose parent moved, worktree whose main
+ *      repo was deleted) is NOT a git repo and must return false, otherwise
+ *      doctor short-circuits the non-git escape hatch and hard-fails on the
+ *      pre-push check against a `.git/hooks/` that doesn't exist (F1 from
+ *      Codex review of 0.5.1).
+ *   3. Anything else (including a plain file a user accidentally named
+ *      `.git`, or a symlink to nowhere) → false.
+ *
+ * Filesystem-shape predicate only. Deliberately does not consult `GIT_DIR`
+ * or shell out to `git rev-parse` — `rea doctor` already checks things
+ * inside `baseDir/.git/hooks/`, so the shape-on-disk is the right question
+ * for the escape hatch. A GIT_DIR-aware secondary signal is a follow-up.
+ *
+ * Security note (F3): removing `.git/` does NOT bypass governance. The
+ * governance artifact is the pre-push hook; a directory with no `.git/`
+ * has no commits to push and no pre-push event to bypass. The escape
+ * hatch is a UX predicate for knowledge repos and non-source directories,
+ * NOT a trust boundary. Do not key security decisions on the return value.
+ */
+export function isGitRepo(baseDir) {
+    const dotGit = path.join(baseDir, '.git');
+    let stat;
+    try {
+        // statSync follows symlinks, so a `.git` symlink to a real gitdir is
+        // treated like the real thing; a dangling symlink throws ENOENT and
+        // falls into the catch → false.
+        stat = fs.statSync(dotGit);
+    }
+    catch {
+        return false;
+    }
+    if (stat.isDirectory())
+        return true;
+    if (!stat.isFile())
+        return false;
+    // Gitlink file: `gitdir: <absolute-or-relative-path>`. Read and verify
+    // the target resolves. If the target is missing, git itself would fail
+    // in this directory, so we treat it as non-git.
+    let content;
+    try {
+        content = fs.readFileSync(dotGit, 'utf8');
+    }
+    catch {
+        return false;
+    }
+    // `\s*$` on the old shape was inert (greedy `.+` consumed trailing spaces
+    // and `\s ⊂ .`) — the `.trim()` below did all the work. Tighten to
+    // `(\S.*?)` with an explicit trailing-space class so the captured group
+    // starts at the first non-whitespace char and stops before trailing
+    // whitespace. Still handles CRLF, leading tabs, and path-internal spaces.
+    const match = /^gitdir:\s*(\S.*?)[ \t]*\r?$/m.exec(content);
+    const rawTarget = match?.[1];
+    if (rawTarget === undefined)
+        return false;
+    const targetPath = rawTarget;
+    if (targetPath.length === 0)
+        return false;
+    const resolved = path.isAbsolute(targetPath)
+        ? targetPath
+        : path.join(baseDir, targetPath);
+    return fs.existsSync(resolved);
+}
 function checkCommitMsgHook(baseDir) {
     const hookPath = path.join(baseDir, '.git', 'hooks', 'commit-msg');
     if (!fs.existsSync(hookPath)) {
@@ -443,10 +512,23 @@ export function collectChecks(baseDir, codexProbeState, prePushState) {
         checkAgentsPresent(baseDir),
         checkHooksInstalled(baseDir),
         checkSettingsJson(baseDir),
-        checkCommitMsgHook(baseDir),
     ];
-    if (prePushState !== undefined) {
-        checks.push(checkPrePushHook(prePushState));
+    // Non-git escape hatch: when `.git/` is absent, both git-hook checks are
+    // meaningless (commit-msg + pre-push can't be invoked without git). Emit
+    // one informational line so `rea doctor` exits 0 in knowledge repos and
+    // other non-source-code directories that consume rea governance.
+    if (isGitRepo(baseDir)) {
+        checks.push(checkCommitMsgHook(baseDir));
+        if (prePushState !== undefined) {
+            checks.push(checkPrePushHook(prePushState));
+        }
+    }
+    else {
+        checks.push({
+            label: 'git hooks',
+            status: 'info',
+            detail: 'no `.git/` at baseDir — commit-msg / pre-push checks skipped (not a git repo)',
+        });
     }
     if (codexRequiredFromPolicy(baseDir)) {
         checks.push(checkCodexAgent(baseDir), checkCodexCommand(baseDir));