@bookedsolid/rea 0.48.1 → 0.49.0

package/hooks/blocked-paths-bash-gate.sh

@@ -41,21 +41,44 @@ shim_cli_missing_relevant() {
   if [ -z "$cli_missing_cmd" ]; then
     return 1
   fi
+
+  # R5-P1: substring scan DETERMINES refusal; allowlist OPENS gates
+  # only. R7-P1: PM-route can ALSO return 2 (audit-integrity fail)
+  # which MUST refuse via banner regardless of substring scan.
+  local matched_blocked=0
   local policy_file="${REA_ROOT}/.rea/policy.yaml"
-  if [ ! -f "$policy_file" ]; then
+  if [ -f "$policy_file" ]; then
+    # shellcheck source=_lib/policy-reader.sh
+    source "$(dirname "$0")/_lib/policy-reader.sh"
+    local entry
+    while IFS= read -r entry; do
+      [ -z "$entry" ] && continue
+      case "$cli_missing_cmd" in
+        *"$entry"*) matched_blocked=1; break ;;
+      esac
+    done < <(policy_reader_get_list blocked_paths 2>/dev/null)
+  fi
+
+  # shellcheck source=_lib/bootstrap-allowlist.sh
+  source "$(dirname "$0")/_lib/bootstrap-allowlist.sh"
+
+  # R7-P1 (codex round 7): 3-state PM-route return.
+  #   0 = auditable allow → exit 0 immediately.
+  #   2 = refuse-HARD (audit-integrity fail) → banner regardless
+  #       of substring scan (the helper printed an explainer to
+  #       stderr; we must NOT silently allow a payload whose audit
+  #       record could not be written).
+  #   * = refuse-fallthrough → defer to substring-scan verdict.
+  _bootstrap_shim_pm_route "blocked-paths-bash-gate" "$cli_missing_cmd" "$REA_ROOT"
+  case "$?" in
+    0) exit 0 ;;
+    2) return 0 ;;
+  esac
+
+  if [ "$matched_blocked" -eq 0 ]; then
     return 1
   fi
-  # 0.37.0: route blocked_paths reads through the unified policy-reader.
-  # shellcheck source=_lib/policy-reader.sh
-  source "$(dirname "$0")/_lib/policy-reader.sh"
-  local entry
-  while IFS= read -r entry; do
-    [ -z "$entry" ] && continue
-    case "$cli_missing_cmd" in
-      *"$entry"*) return 0 ;;
-    esac
-  done < <(policy_reader_get_list blocked_paths 2>/dev/null)
-  return 1
+  return 0
 }
 
 # shellcheck source=_lib/shim-runtime.sh

package/hooks/protected-paths-bash-gate.sh

@@ -45,21 +45,24 @@ shim_cli_missing_relevant() {
   if [ -z "$cli_missing_cmd" ]; then
     return 1
   fi
+
+  # R5-P1 (codex round 5): substring scan is DETERMINATIVE for
+  # refusal. Allowlist opens an audited-allow gate but never closes
+  # one.
+  local matched_protected=0
   case "$cli_missing_cmd" in
-    *".claude/"*) return 0 ;;
-    *".husky/"*) return 0 ;;
-    *".rea/policy.yaml"*) return 0 ;;
-    *".rea/HALT"*) return 0 ;;
-    *".rea/last-review"*) return 0 ;;
-    *".claude\\"*|*".husky\\"*|*".rea\\"*) return 0 ;;
+    *".claude/"*) matched_protected=1 ;;
+    *".husky/"*) matched_protected=1 ;;
+    *".rea/policy.yaml"*) matched_protected=1 ;;
+    *".rea/HALT"*) matched_protected=1 ;;
+    *".rea/last-review"*) matched_protected=1 ;;
+    *".claude\\"*|*".husky\\"*|*".rea\\"*) matched_protected=1 ;;
   esac
   # 0.37.0: route protected_writes reads through the unified
   # policy-reader (Tier 1 CLI → Tier 2 python3 → Tier 3 awk
-  # block-form). Pre-0.37.0 the inline awk parser missed flow-form
-  # arrays (`protected_writes: [path/a, path/b]`) on CLI-missing
-  # installs.
+  # block-form).
   local policy_file="${REA_ROOT}/.rea/policy.yaml"
-  if [ -f "$policy_file" ]; then
+  if [ "$matched_protected" -eq 0 ] && [ -f "$policy_file" ]; then
     # shellcheck source=_lib/policy-reader.sh
     source "$(dirname "$0")/_lib/policy-reader.sh"
     local entry base
@@ -71,11 +74,26 @@ shim_cli_missing_relevant() {
       esac
       [ -z "$base" ] && continue
       case "$cli_missing_cmd" in
-        *"$base"*) return 0 ;;
+        *"$base"*) matched_protected=1; break ;;
       esac
     done < <(policy_reader_get_list protected_writes 2>/dev/null)
   fi
-  return 1
+
+  # shellcheck source=_lib/bootstrap-allowlist.sh
+  source "$(dirname "$0")/_lib/bootstrap-allowlist.sh"
+
+  # R7-P1 (codex round 7): 3-state PM-route return. See the
+  # blocked-paths shim for the contract.
+  _bootstrap_shim_pm_route "protected-paths-bash-gate" "$cli_missing_cmd" "$REA_ROOT"
+  case "$?" in
+    0) exit 0 ;;
+    2) return 0 ;;
+  esac
+
+  if [ "$matched_protected" -eq 0 ]; then
+    return 1
+  fi
+  return 0
 }
 
 # shellcheck source=_lib/shim-runtime.sh

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.48.1",
+  "version": "0.49.0",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",
@@ -75,6 +75,7 @@
     "mvdan-sh": "0.10.1",
     "proper-lockfile": "^4.1.2",
     "safe-regex": "^2.1.1",
+    "semver": "^7.7.4",
     "yaml": "^2.7.0",
     "zod": "^3.23.0"
   },
@@ -83,6 +84,7 @@
     "@types/node": "^25.5.2",
     "@types/proper-lockfile": "^4.1.4",
     "@types/safe-regex": "^1.1.6",
+    "@types/semver": "^7.7.1",
     "@typescript-eslint/eslint-plugin": "^8.0.0",
     "@typescript-eslint/parser": "^8.0.0",
     "@vitest/coverage-v8": "^3.2.4",

package/profiles/bst-internal-no-codex.yaml

@@ -31,6 +31,10 @@ blocked_paths:
   - .github/workflows/release.yml
   - SECURITY.md
   - THREAT_MODEL.md
+  # 0.49.0 — gates Write/Edit tool calls targeting `package.json`.
+  # See `bst-internal.yaml` for the rationale and explicit
+  # out-of-scope statement on PM-induced writes.
+  - package.json
 notification_channel: ''
 # G9: Booked-internal consumers retain the stricter 0.2.x posture — a single
 # literal injection match at write/destructive tier denies (does not merely

package/profiles/bst-internal.yaml

@@ -14,6 +14,21 @@ blocked_paths:
   - .github/workflows/release.yml
   - SECURITY.md
   - THREAT_MODEL.md
+  # 0.49.0 — gates Write/Edit/MultiEdit/NotebookEdit tool calls
+  # targeting `package.json`. The bootstrap allowlist passes a
+  # CLI-missing PM payload through ONLY when `package.json` already
+  # declares `@bookedsolid/rea`, so blocking AGENT edits to the
+  # manifest narrows the Edit/Write-tier forge surface (an attacker
+  # can no longer add the declaration via Edit then invoke the
+  # allowed PM command). PM-induced writes to the manifest are
+  # explicitly out of scope (see THREAT_MODEL.md §5.23 "Out of
+  # scope"): a path-based blocklist cannot distinguish agent edits
+  # from PM-tool writes. The static manifest-write detector that
+  # would close that gap was deliberately removed in R17;
+  # defending against agent-initiated PM mutations needs a
+  # different abstraction (process-tree-aware policy / per-tool
+  # capability tokens) — not shipped in 0.49.0.
+  - package.json
 notification_channel: ''
 # G9: Booked-internal consumers retain the stricter 0.2.x posture — a single
 # literal injection match at write/destructive tier denies (does not merely
@@ -80,3 +95,16 @@ attribution:
 delegation_advisory:
   enabled: true
   threshold: 25
+# 0.49.0 bootstrap allowlist (P3-1) — explicit declaration for parity
+# with the dogfood `.rea/policy.yaml`. The other five shipped profiles
+# (open-source*, client-engagement, lit-wc, minimal) inherit the zod
+# schema default (`enabled: true`), so they need no entry here. The
+# bst-internal profile pins it so the operator-visible policy file
+# clearly states the position rather than relying on schema defaults.
+# The allowlist passes a single-segment pnpm install / npm ci / yarn /
+# corepack invocation through when (a) the rea CLI is unreachable, (b)
+# the consumer's package.json declares `@bookedsolid/rea`, and (c)
+# every other precondition (single-segment payload, exact argv shape,
+# audit emission OK) holds. See hooks/_lib/bootstrap-allowlist.sh.
+bootstrap_allowlist:
+  enabled: true

package/profiles/client-engagement.yaml

@@ -15,6 +15,15 @@ blocked_paths:
   - THREAT_MODEL.md
   - secrets/
   - credentials/
+  # 0.49.0 — gates Write/Edit tool calls targeting `package.json`.
+  # Pairs with the always-on `bootstrap_allowlist` (schema default):
+  # the allowlist trusts a CLI-missing PM command only when
+  # `package.json` declares `@bookedsolid/rea`, so blocking AGENT
+  # edits to the manifest narrows the Edit/Write-tier forge surface.
+  # PM-induced writes are explicitly out of scope (see
+  # THREAT_MODEL.md §5.23 "Out of scope") — a path-based blocklist
+  # cannot distinguish agent edits from PM-tool writes.
+  - package.json
 notification_channel: ''
 context_protection:
   delegate_to_subagent:

package/profiles/lit-wc.yaml

@@ -14,6 +14,12 @@ blocked_paths:
   - .github/workflows/release.yml
   - .github/workflows/publish.yml
   - tokens/
+  # 0.49.0 — gates Write/Edit tool calls targeting `package.json`.
+  # Pairs with the always-on `bootstrap_allowlist` so the
+  # "consumer declares @bookedsolid/rea" precondition is meaningful.
+  # PM-induced writes are explicitly out of scope (THREAT_MODEL.md
+  # §5.23 "Out of scope").
+  - package.json
 notification_channel: ''
 # 0.30.0 attribution augmenter — opt-in.
 # Husky prepare-commit-msg hook appends a Co-Authored-By trailer to

package/profiles/minimal.yaml

@@ -8,6 +8,17 @@ block_ai_attribution: true
 blocked_paths:
   - .env
   - .env.*
+  # 0.49.0 — gates Write/Edit tool calls targeting `package.json`.
+  # The always-on `bootstrap_allowlist` (schema default) trusts a
+  # CLI-missing PM payload only when `package.json` declares
+  # `@bookedsolid/rea`; without an Edit/Write gate on the manifest,
+  # an agent could ADD that declaration first and then route an
+  # otherwise-disallowed PM command through the allowlist. PM-
+  # induced writes are explicitly out of scope (THREAT_MODEL.md
+  # §5.23 "Out of scope"). Operators who deliberately want agent
+  # freedom to edit `package.json` should remove this entry AND
+  # set `bootstrap_allowlist.enabled: false` in tandem.
+  - package.json
 notification_channel: ''
 # 0.30.0 attribution augmenter — opt-in.
 # When enabled: true, the husky prepare-commit-msg hook appends a

package/profiles/open-source-no-codex.yaml

@@ -30,6 +30,10 @@ blocked_paths:
   - SECURITY.md
   - .github/workflows/release.yml
   - .github/workflows/publish.yml
+  # 0.49.0 — gates Write/Edit tool calls targeting `package.json`.
+  # See `open-source.yaml` for the rationale; this variant inherits
+  # the same posture sans Codex review.
+  - package.json
 notification_channel: ''
 # 0.30.0 attribution augmenter — opt-in.
 # Husky prepare-commit-msg hook appends a Co-Authored-By trailer to

package/profiles/open-source.yaml

@@ -15,6 +15,17 @@ blocked_paths:
   - SECURITY.md
   - .github/workflows/release.yml
   - .github/workflows/publish.yml
+  # 0.49.0 — gates Write/Edit tool calls targeting `package.json`.
+  # The always-on `bootstrap_allowlist` (schema default) trusts a
+  # CLI-missing PM payload only when `package.json` declares
+  # `@bookedsolid/rea`. Without an Edit/Write-tier gate on the
+  # manifest, an agent could ADD that declaration first and then
+  # invoke the allowed PM command, defeating the precondition.
+  # PM-induced writes are explicitly out of scope (THREAT_MODEL.md
+  # §5.23 "Out of scope"). Operators who need agent freedom to edit
+  # package.json should remove this entry in `.rea/policy.yaml`
+  # AND set `bootstrap_allowlist.enabled: false` in tandem.
+  - package.json
 notification_channel: ''
 # 0.30.0 attribution augmenter — opt-in.
 # Husky prepare-commit-msg hook appends a Co-Authored-By trailer to