@bookedsolid/rea 0.6.1 → 0.7.0

package/hooks/commit-review-gate.sh

@@ -16,37 +16,60 @@ set -uo pipefail
 INPUT=$(cat)
 
 # ── 1a. Cross-repo guard (must come FIRST — before any rea-scoped check) ──────
-# Mirror of push-review-gate.sh. When CLAUDE_PROJECT_DIR points to rea but
-# the current git checkout is a DIFFERENT repository (distinct object DB),
-# exit 0 — rea's gate does not own that commit.
-#
-# Identity via `--git-common-dir` so linked worktrees of rea
-# (`git worktree add`, `.claude/worktrees/*`) are correctly recognized as
-# the SAME repo and kept under the gate — they share object DB, refs, and
-# HEAD history with rea's main checkout. Path-prefix fallback fires
-# when either side is not a git checkout. Must run BEFORE the jq and HALT
-# checks: a missing-jq or HALT-frozen rea must not block commits in other
-# repos that merely share a Claude Code session with rea. Fixed in 0.6.1.
-REA_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+# BUG-012 (0.6.2) — mirror of push-review-gate.sh §1a. Script-location
+# anchor (not CLAUDE_PROJECT_DIR) owns the trust decision. See the
+# push-gate comment and THREAT_MODEL.md § CLAUDE_PROJECT_DIR for the full
+# rationale. In short: CLAUDE_PROJECT_DIR is caller-controlled, cannot be
+# trusted for authorization, and the hook's own filesystem location is the
+# only forge-resistant anchor available to a bash script.
+SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]:-$0}")" && pwd -P 2>/dev/null)"
+# Walk up from SCRIPT_DIR looking for `.rea/policy.yaml`. Matches every
+# reasonable install topology (see push-review-gate.sh §1a for the full
+# rationale). A hard-coded `../..` breaks the source-path invocation
+# (`bash hooks/commit-review-gate.sh`) and silently reads .rea state from
+# the WRONG directory.
+REA_ROOT=""
+_anchor_candidate="$SCRIPT_DIR"
+for _ in 1 2 3 4; do
+  _anchor_candidate="$(cd -- "$_anchor_candidate/.." && pwd -P 2>/dev/null || true)"
+  if [[ -n "$_anchor_candidate" && -f "$_anchor_candidate/.rea/policy.yaml" ]]; then
+    REA_ROOT="$_anchor_candidate"
+    break
+  fi
+done
+if [[ -z "$REA_ROOT" ]]; then
+  printf 'rea-hook: no .rea/policy.yaml found within 4 parents of %s\n' \
+    "$SCRIPT_DIR" >&2
+  printf 'rea-hook:   is this an installed rea hook, or is `.rea/policy.yaml`\n' >&2
+  printf 'rea-hook:   nested more than 4 directories above the hook script?\n' >&2
+  exit 2
+fi
+unset _anchor_candidate
+
 if [[ -n "${CLAUDE_PROJECT_DIR:-}" ]]; then
-  CWD_REAL=$(pwd -P 2>/dev/null || pwd)
-  if REA_REAL=$(cd "$REA_ROOT" 2>/dev/null && pwd -P 2>/dev/null); then
-    CWD_COMMON=$(git -C "$CWD_REAL" rev-parse --path-format=absolute --git-common-dir 2>/dev/null || true)
-    REA_COMMON=$(git -C "$REA_REAL" rev-parse --path-format=absolute --git-common-dir 2>/dev/null || true)
-    if [[ -n "$CWD_COMMON" && -n "$REA_COMMON" ]]; then
-      CWD_COMMON_REAL=$(cd "$CWD_COMMON" 2>/dev/null && pwd -P 2>/dev/null || echo "$CWD_COMMON")
-      REA_COMMON_REAL=$(cd "$REA_COMMON" 2>/dev/null && pwd -P 2>/dev/null || echo "$REA_COMMON")
-      if [[ "$CWD_COMMON_REAL" != "$REA_COMMON_REAL" ]]; then
-        exit 0
-      fi
-    else
-      case "$CWD_REAL/" in
-        "$REA_REAL"/*|"$REA_REAL"/) : ;;  # inside rea — run the gate
-        *) exit 0 ;;                       # outside rea — not our gate
-      esac
-    fi
+  CPD_REAL=$(cd -- "${CLAUDE_PROJECT_DIR}" 2>/dev/null && pwd -P 2>/dev/null || true)
+  if [[ -n "$CPD_REAL" && "$CPD_REAL" != "$REA_ROOT" ]]; then
+    printf 'rea-hook: ignoring CLAUDE_PROJECT_DIR=%s — anchoring to script location %s\n' \
+      "$CLAUDE_PROJECT_DIR" "$REA_ROOT" >&2
+  fi
+fi
+
+CWD_REAL=$(pwd -P 2>/dev/null || pwd)
+CWD_COMMON=$(git -C "$CWD_REAL" rev-parse --path-format=absolute --git-common-dir 2>/dev/null || true)
+REA_COMMON=$(git -C "$REA_ROOT" rev-parse --path-format=absolute --git-common-dir 2>/dev/null || true)
+if [[ -n "$CWD_COMMON" && -n "$REA_COMMON" ]]; then
+  CWD_COMMON_REAL=$(cd "$CWD_COMMON" 2>/dev/null && pwd -P 2>/dev/null || echo "$CWD_COMMON")
+  REA_COMMON_REAL=$(cd "$REA_COMMON" 2>/dev/null && pwd -P 2>/dev/null || echo "$REA_COMMON")
+  if [[ "$CWD_COMMON_REAL" != "$REA_COMMON_REAL" ]]; then
+    exit 0
   fi
+elif [[ -z "$CWD_COMMON" && -z "$REA_COMMON" ]]; then
+  case "$CWD_REAL/" in
+    "$REA_ROOT"/*|"$REA_ROOT"/) : ;;  # inside rea — run the gate
+    *) exit 0 ;;                       # outside rea — not our gate
+  esac
 fi
+# Mixed state or probe error → fail CLOSED: run the gate.
 
 # ── 2. Dependency check ──────────────────────────────────────────────────────
 if ! command -v jq >/dev/null 2>&1; then

package/hooks/push-review-gate-git.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+# Native git `.husky/pre-push` adapter for the REA push-review gate.
+# Fires BEFORE `git push` via husky. Runs a full diff analysis against the
+# target branch and requests security + code review before allowing the push.
+#
+# Exit codes:
+#   0 = allow (no meaningful diff, cached review pass, or escape hatch
+#              invoked with successful audit-append)
+#   2 = block (review required — protected-path gate OR general push-review
+#              gate — or escape hatch invoked but audit-append failed)
+#
+# ── Install ───────────────────────────────────────────────────────────────────
+# This adapter is the recommended entry point for husky-driven pushes. Point
+# `.husky/pre-push` at this file:
+#
+#   #!/bin/sh
+#   REA_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || pwd)
+#   exec "$REA_ROOT/.claude/hooks/push-review-gate-git.sh" "$@"
+#
+# `REA_ROOT` is resolved inside `.husky/pre-push` itself because neither git
+# nor husky provides that env var — a bare `"$REA_ROOT/..."` would expand to
+# `/.claude/...` and exit 126. See rea's own `.husky/pre-push` for the
+# reference implementation.
+#
+# Git's native pre-push contract is:
+#   - stdin: one line per ref being pushed, `<local_ref> <local_sha> <remote_ref> <remote_sha>`
+#   - argv:  `<remote_name> <remote_url>`
+#
+# ── Architecture ──────────────────────────────────────────────────────────────
+# This file is a thin ADAPTER. All logic lives in
+# `hooks/_lib/push-review-core.sh` (see `pr_core_run`). The core ships a
+# `pr_parse_prepush_stdin` helper that recognises git's native refspec stdin
+# and synthesises an equivalent `git push <remote>` CMD for the downstream
+# protected-path detection.
+#
+# Two adapters share the core:
+#   - push-review-gate.sh      ← Claude Code PreToolUse stdin (JSON `.tool_input.command`)
+#   - push-review-gate-git.sh  ← this file, native `.husky/pre-push` stdin
+#
+# The core's BUG-008 stdin sniff makes either shape work from either adapter,
+# so a consumer CAN wire `push-review-gate.sh` into `.husky/pre-push` and it
+# just works. The git-native adapter exists so `.husky/pre-push` expresses
+# its install intent clearly and so future git-only behaviour (e.g. remote-
+# URL-scoped policy overrides) has a natural home that does not bloat the
+# generic Claude Code adapter.
+#
+# ── Escape hatches ────────────────────────────────────────────────────────────
+#   REA_SKIP_CODEX_REVIEW=<reason>  — bypass the Codex adversarial-review
+#                                     requirement for this push. Audit record
+#                                     `tool_name: "codex.review.skipped"`.
+#                                     Currently a whole-gate bypass (see
+#                                     task #85); the distinct audit tool_name
+#                                     keeps it from satisfying the Codex-
+#                                     review jq predicate.
+#   REA_SKIP_PUSH_REVIEW=<reason>   — bypass the WHOLE gate for this push.
+#                                     Audit record
+#                                     `tool_name: "push.review.skipped"`.
+#
+# Both hatches are value-carrying: the env value IS the reason recorded in
+# the audit receipt. An empty value (`REA_SKIP_...=`) is treated as unset.
+# The hatches sit behind `.rea/HALT` — HALT always wins.
+#
+# Fail-closed contract:
+#   - `dist/audit/append.js` missing → exit 2 (build rea first)
+#   - Node invocation failure → exit 2
+#   - Unable to resolve actor from git config → exit 2
+
+set -uo pipefail
+
+# Read ALL stdin immediately. For husky-driven pushes this is git's refspec
+# list; for any other caller it is whatever they hand us. The core's sniff
+# decides.
+INPUT=$(cat)
+
+# Resolve the core library from this adapter's own on-disk location. Using
+# BASH_SOURCE (not argv $0) so invocations from `.husky/pre-push`, from a
+# consumer's `.claude/hooks/`, or from a direct `bash hooks/push-review-gate-git.sh`
+# all find `_lib/` next to the adapter. Consistent with the BUG-012
+# script-anchor rationale in core.
+_adapter_script="${BASH_SOURCE[0]:-$0}"
+_adapter_dir="$(cd -- "$(dirname -- "$_adapter_script")" && pwd -P 2>/dev/null)"
+_core_lib="${_adapter_dir}/_lib/push-review-core.sh"
+if [[ ! -f "$_core_lib" ]]; then
+  printf 'rea-hook: push-review-core.sh not found next to %s\n' \
+    "$_adapter_script" >&2
+  printf 'rea-hook:   expected at %s\n' "$_core_lib" >&2
+  exit 2
+fi
+# shellcheck source=_lib/push-review-core.sh
+source "$_core_lib"
+
+pr_core_run "$_adapter_script" "$INPUT" "$@"