@bookedsolid/rea 0.9.2 → 0.9.4

package/hooks/_lib/common.sh

@@ -87,7 +87,12 @@ triage_score() {
   local diff_input
   diff_input=$(cat)
   local line_count
-  line_count=$(printf '%s' "$diff_input" | grep -cE '^\+[^+]|^-[^-]' 2>/dev/null || echo "0")
+  # Defect K (rea#62) sibling: see `hooks/commit-review-gate.sh` for the
+  # full bug rationale. `|| echo "0"` captures "0\n0" on no-match, which
+  # breaks arithmetic comparisons downstream. `|| true` + bash default keeps
+  # the branch arithmetic-safe.
+  line_count=$(printf '%s' "$diff_input" | grep -cE '^\+[^+]|^-[^-]' 2>/dev/null || true)
+  line_count="${line_count:-0}"
 
   # Check for sensitive paths
   local sensitive=0

package/hooks/_lib/push-review-core.sh

@@ -341,15 +341,7 @@ pr_core_run() {
     exit 0
   fi
 
-  # ── 5. Check if quality gates are enabled ─────────────────────────────────
-  local POLICY_FILE="${REA_ROOT}/.rea/policy.yaml"
-  if [[ -f "$POLICY_FILE" ]]; then
-    if grep -qE 'push_review:[[:space:]]*false' "$POLICY_FILE" 2>/dev/null; then
-      exit 0
-    fi
-  fi
-
-  # ── 5a. REA_SKIP_PUSH_REVIEW — whole-gate escape hatch ────────────────────
+  # ── 5. REA_SKIP_PUSH_REVIEW — whole-gate escape hatch ─────────────────────
   # An opt-in bypass for the ENTIRE push-review gate (not just the Codex
   # branch). Exists to unblock consumers when rea itself is broken or a
   # corrupt policy/audit file would otherwise deadlock a push. Requires an
@@ -443,8 +435,8 @@ pr_core_run() {
       --arg os_uid "$SKIP_OS_UID" \
       --arg os_whoami "$SKIP_OS_WHOAMI" \
       --arg os_hostname "$SKIP_OS_HOST" \
-      --arg os_pid "$SKIP_OS_PID" \
-      --arg os_ppid "$SKIP_OS_PPID" \
+      --argjson os_pid "$SKIP_OS_PID" \
+      --argjson os_ppid "$SKIP_OS_PPID" \
       --arg os_ppid_cmd "$SKIP_OS_PPID_CMD" \
       --arg os_tty "$SKIP_OS_TTY" \
       --arg os_ci "$SKIP_OS_CI" \
@@ -856,7 +848,7 @@ pr_core_run() {
         } >&2
         exit 2
       fi
-      if printf '%s\n' "$_refspec_hits" | awk -v re='^(src/gateway/middleware/|hooks/|[.]claude/hooks/|src/policy/|[.]github/workflows/)' '
+      if printf '%s\n' "$_refspec_hits" | awk -v re='^(src/gateway/middleware/|hooks/|[.]claude/hooks/|src/policy/|[.]github/workflows/|[.]rea/|[.]husky/)' '
           {
             status = $1
             if (status !~ /^[ACDMRTU]/) next
@@ -896,6 +888,8 @@ pr_core_run() {
             printf '    - .claude/hooks/\n'
             printf '    - src/policy/\n'
             printf '    - .github/workflows/\n'
+            printf '    - .rea/\n'
+            printf '    - .husky/\n'
             printf '\n'
             printf '  Run /codex-review against %s, then retry the push.\n' "$local_sha"
             printf '  The codex-adversarial agent emits the required audit entry.\n'
@@ -930,17 +924,26 @@ pr_core_run() {
     fi
   done
 
+  # Defect J (rea#61): branch-deletion guard MUST fail closed regardless of
+  # whether another refspec in the same push resolved a SOURCE_SHA. A mixed
+  # push like `git push origin safe:safe :main` iterates both refspecs; the
+  # safe refspec sets SOURCE_SHA from its local_sha, and the deletion refspec
+  # sets only HAS_DELETE=1 via its `continue` branch. If we check HAS_DELETE
+  # INSIDE the `-z SOURCE_SHA` fallback, the delete slips through unchecked.
+  # Hoist the check above the fallback so any deletion anywhere in the push
+  # blocks the entire push.
+  if [[ "$HAS_DELETE" -eq 1 ]]; then
+    {
+      printf 'PUSH BLOCKED: refspec is a branch deletion.\n'
+      printf '\n'
+      printf '  Branch deletions are sensitive operations and require explicit\n'
+      printf '  human action outside the agent. Perform the deletion manually.\n'
+      printf '\n'
+    } >&2
+    exit 2
+  fi
+
   if [[ -z "$SOURCE_SHA" || -z "$MERGE_BASE" ]]; then
-    if [[ "$HAS_DELETE" -eq 1 ]]; then
-      {
-        printf 'PUSH BLOCKED: refspec is a branch deletion.\n'
-        printf '\n'
-        printf '  Branch deletions are sensitive operations and require explicit\n'
-        printf '  human action outside the agent. Perform the deletion manually.\n'
-        printf '\n'
-      } >&2
-      exit 2
-    fi
     {
       printf 'PUSH BLOCKED: could not resolve a merge-base for any push refspec.\n'
       printf '\n'
@@ -975,8 +978,13 @@ pr_core_run() {
     exit 0
   fi
 
+  # Defect K (rea#62): `grep -c ... || echo "0"` captures `0\n0` when grep
+  # exits non-zero on no-match — grep still prints its own `0` to stdout before
+  # exiting, and the `|| echo "0"` branch appends another. `|| true` swallows
+  # the non-zero exit, and `${LINE_COUNT:-0}` defaults an empty result to 0.
   local LINE_COUNT
-  LINE_COUNT=$(printf '%s' "$DIFF_FULL" | grep -cE '^\+[^+]|^-[^-]' 2>/dev/null || echo "0")
+  LINE_COUNT=$(printf '%s' "$DIFF_FULL" | grep -cE '^\+[^+]|^-[^-]' 2>/dev/null || true)
+  LINE_COUNT="${LINE_COUNT:-0}"
 
   # ── 7a. Protected-path Codex adversarial review gate ──────────────────────
   # The per-refspec check runs inside the main loop (section 7, above) so
@@ -987,8 +995,36 @@ pr_core_run() {
   # refspec was either clean or had an acceptable audit.
 
   # ── 8. Check review cache ─────────────────────────────────────────────────
-  local PUSH_SHA
-  PUSH_SHA=$(printf '%s' "$DIFF_FULL" | shasum -a 256 | cut -d' ' -f1 2>/dev/null || echo "")
+  # Defect L (rea#63): `shasum` is not installed on Alpine, distroless, or
+  # most minimal Linux CI images — only `sha256sum` is. The prior `shasum -a
+  # 256 ... || echo ""` chain silently produced an empty PUSH_SHA, which the
+  # rest of the gate treats as "no cache entry" rather than "hasher missing".
+  # Combined with the silent-cache-miss fallback (Defect F), every push from
+  # such a runner burned a full fresh codex review invisibly.
+  #
+  # Portable chain: sha256sum → shasum → openssl. The openssl branch uses
+  # `awk '{print $NF}'` WITHOUT `-r` — `-r` was added in OpenSSL 3.0 /
+  # LibreSSL 3.3+; on OpenSSL 1.1.1 (Debian 11, Ubuntu 20.04, RHEL 8,
+  # Amazon Linux 2, Alpine 3.13–3.14) `-r` is rejected and stdout is empty.
+  # `$NF` handles BOTH default output shapes: `(stdin)= <hex>` (1.1.x) and
+  # `<hex> *stdin` (3.x/LibreSSL coreutils-style).
+  #
+  # Hex-64 validation catches broken pipes, partial reads, or unexpected
+  # hasher output that would otherwise be silently cached as garbage.
+  local PUSH_SHA=""
+  if command -v sha256sum >/dev/null 2>&1; then
+    PUSH_SHA=$(printf '%s' "$DIFF_FULL" | sha256sum 2>/dev/null | awk '{print $1}')
+  elif command -v shasum >/dev/null 2>&1; then
+    PUSH_SHA=$(printf '%s' "$DIFF_FULL" | shasum -a 256 2>/dev/null | awk '{print $1}')
+  elif command -v openssl >/dev/null 2>&1; then
+    PUSH_SHA=$(printf '%s' "$DIFF_FULL" | openssl dgst -sha256 2>/dev/null | awk '{print $NF}')
+  else
+    printf 'rea push-review: WARN no sha256 hasher found (sha256sum/shasum/openssl); cache disabled\n' >&2
+  fi
+  if [[ -n "$PUSH_SHA" && ! "$PUSH_SHA" =~ ^[0-9a-f]{64}$ ]]; then
+    printf 'rea push-review: WARN hasher returned invalid output; cache disabled\n' >&2
+    PUSH_SHA=""
+  fi
 
   local -a REA_CLI_ARGS
   REA_CLI_ARGS=()
@@ -1043,8 +1079,10 @@ pr_core_run() {
   fi
 
   # ── 9. Block and request review ───────────────────────────────────────────
+  # Defect K (rea#62): same `0\n0` bug as LINE_COUNT above.
   local FILE_COUNT
-  FILE_COUNT=$(printf '%s' "$DIFF_FULL" | grep -c '^\+\+\+ ' 2>/dev/null || echo "0")
+  FILE_COUNT=$(printf '%s' "$DIFF_FULL" | grep -c '^\+\+\+ ' 2>/dev/null || true)
+  FILE_COUNT="${FILE_COUNT:-0}"
 
   {
     printf 'PUSH REVIEW GATE: Review required before pushing\n'
@@ -1056,8 +1094,23 @@ pr_core_run() {
     printf '  Action required:\n'
     printf '  1. Spawn a code-reviewer agent to review: git diff %s..%s\n' "$MERGE_BASE" "$SOURCE_SHA"
     printf '  2. Spawn a security-engineer agent for security review\n'
-    printf '  3. After both pass, cache the result:\n'
-    printf '     rea cache set %s pass --branch %s --base %s\n' "$PUSH_SHA" "$SOURCE_BRANCH" "$TARGET_BRANCH"
+    # Defect L (rea#63) follow-up: when no sha256 hasher is available the
+    # cache is disabled and PUSH_SHA is empty. Emitting `rea cache set <blank>
+    # pass ...` would be a dead-end — the CLI rejects the empty positional.
+    # Print an alternate completion path in that case. The Codex-adversarial
+    # review concerns list flagged this UX cliff in the 0.9.4 pass.
+    if [[ -n "$PUSH_SHA" ]]; then
+      printf '  3. After both pass, cache the result:\n'
+      printf '     rea cache set %s pass --branch %s --base %s\n' "$PUSH_SHA" "$SOURCE_BRANCH" "$TARGET_BRANCH"
+    else
+      printf '  3. Cache is DISABLED on this host (no sha256 hasher found).\n'
+      printf '     After both reviews pass, bypass the push-review gate with:\n'
+      printf '       REA_SKIP_PUSH_REVIEW="<reason>" git push ...\n'
+      printf '     The bypass is audited as push.review.skipped — this is the\n'
+      printf '     documented escape hatch when cache is unavailable.\n'
+      printf '     To restore the cache path, install one of: sha256sum,\n'
+      printf '     shasum (Perl Digest::SHA), or openssl.\n'
+    fi
     printf '\n'
   } >&2
   exit 2

package/hooks/commit-review-gate.sh

@@ -103,18 +103,7 @@ if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+commit.*--amend'; then
   exit 0
 fi
 
-# ── 5. Check if quality gates are enabled ─────────────────────────────────────
-# Fail-open if policy doesn't exist or doesn't have quality_gates
-POLICY_FILE="${REA_ROOT}/.rea/policy.yaml"
-if [[ -f "$POLICY_FILE" ]]; then
-  if grep -qE '^quality_gates:' "$POLICY_FILE" 2>/dev/null; then
-    if grep -qE 'commit_review:[[:space:]]*false' "$POLICY_FILE" 2>/dev/null; then
-      exit 0
-    fi
-  fi
-fi
-
-# ── 6. Compute diff stats ────────────────────────────────────────────────────
+# ── 5. Compute diff stats ────────────────────────────────────────────────────
 # Get staged diff (what would be committed)
 DIFF_OUTPUT=$(cd "$REA_ROOT" && git diff --cached --stat 2>/dev/null || echo "")
 DIFF_FULL=$(cd "$REA_ROOT" && git diff --cached 2>/dev/null || echo "")
@@ -125,7 +114,16 @@ if [[ -z "$DIFF_OUTPUT" ]]; then
 fi
 
 # Count changed lines (additions + deletions)
-LINE_COUNT=$(printf '%s' "$DIFF_FULL" | grep -cE '^\+[^+]|^-[^-]' 2>/dev/null || echo "0")
+# Defect K (rea#62) sibling: `|| echo "0"` captures "0\n0" into LINE_COUNT
+# when grep exits non-zero on a no-match — grep still prints its own `0` and
+# `echo "0"` appends another. At this site the concatenated `"0\n0"` is then
+# evaluated as arithmetic (`-gt $SIGNIFICANT_THRESHOLD`, `-ge $TRIVIAL_THRESHOLD`
+# below) and bash emits a "syntax error in expression" at runtime on any
+# rename-only / mode-only / empty-file-add diff. `|| true` + bash-default
+# expansion fixes both the banner cosmetic and the arithmetic-unsafe control
+# flow in one shot.
+LINE_COUNT=$(printf '%s' "$DIFF_FULL" | grep -cE '^\+[^+]|^-[^-]' 2>/dev/null || true)
+LINE_COUNT="${LINE_COUNT:-0}"
 
 # Check for sensitive paths
 SENSITIVE=0
@@ -173,17 +171,79 @@ fi
 
 # ── 10. Check review cache for all non-trivial commits ────────────────────────
 # Compute SHA and branch here so both standard and significant tiers share them.
-STAGED_SHA=$(cd "$REA_ROOT" && git diff --cached | shasum -a 256 | cut -d' ' -f1 2>/dev/null || echo "")
+#
+# Defect L (rea#63) sibling: `shasum` is not installed on Alpine, distroless,
+# or most minimal Linux CI images — only `sha256sum` is. The prior chain
+# silently produced an empty STAGED_SHA, which the cache block then skipped
+# AND the banner at §11 rendered as `rea cache set  pass` — a dead-end the
+# agent cannot execute. Portable chain mirrors push-review-core.sh §8:
+# sha256sum → shasum → openssl. The openssl branch uses `awk '{print $NF}'`
+# WITHOUT `-r` to stay compatible with OpenSSL 1.1.x (Debian 11, Ubuntu
+# 20.04, RHEL 8, Amazon Linux 2, Alpine 3.13–3.14).
+STAGED_SHA=""
+if command -v sha256sum >/dev/null 2>&1; then
+  STAGED_SHA=$(printf '%s' "$DIFF_FULL" | sha256sum 2>/dev/null | awk '{print $1}')
+elif command -v shasum >/dev/null 2>&1; then
+  STAGED_SHA=$(printf '%s' "$DIFF_FULL" | shasum -a 256 2>/dev/null | awk '{print $1}')
+elif command -v openssl >/dev/null 2>&1; then
+  STAGED_SHA=$(printf '%s' "$DIFF_FULL" | openssl dgst -sha256 2>/dev/null | awk '{print $NF}')
+else
+  printf 'rea commit-review: WARN no sha256 hasher found (sha256sum/shasum/openssl); cache disabled\n' >&2
+fi
+if [[ -n "$STAGED_SHA" && ! "$STAGED_SHA" =~ ^[0-9a-f]{64}$ ]]; then
+  printf 'rea commit-review: WARN hasher returned invalid output; cache disabled\n' >&2
+  STAGED_SHA=""
+fi
 BRANCH=$(cd "$REA_ROOT" && git branch --show-current 2>/dev/null || echo "")
 CACHE_FILE="${REA_ROOT}/.rea/review-cache.json"
 
+# Codex pass-3 finding #1: `rea cache check` and `rea cache set` both declare
+# `--base` as a `requiredOption` in src/cli/index.ts. Prior versions of this
+# gate omitted `--base`, so (a) the CLI path exited non-zero and the
+# `|| echo '{"hit":false}'` fallback quietly masked the contract error, and
+# (b) the section-11 banner instructed the agent to run `rea cache set <sha>
+# pass` — also missing `--base`, rejected by the CLI on every retry. A
+# successful cache flow was unreachable.
+#
+# Resolve BASE_BRANCH by the same preference order the push-gate uses in
+# push-review-core.sh §7 (lines 778-794): origin/HEAD → origin/main →
+# origin/master → empty. If nothing resolves, disable the cache (the
+# alternative is emitting a cache command the CLI rejects on every call).
+BASE_BRANCH=""
+_origin_head=$(cd "$REA_ROOT" && git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null || true)
+if [[ -n "$_origin_head" ]]; then
+  BASE_BRANCH="${_origin_head#refs/remotes/origin/}"
+fi
+if [[ -z "$BASE_BRANCH" ]]; then
+  # Use `git -C` so the current-shell cwd is never mutated — matches the
+  # cross-repo guard at §1a and keeps the file's dominant idiom. Raw
+  # `cd "$REA_ROOT" && git …` would leave the hook process sitting in
+  # $REA_ROOT, which is safe today but breaks silently if a future edit
+  # adds a relative-path command downstream.
+  if git -C "$REA_ROOT" rev-parse --verify --quiet refs/remotes/origin/main >/dev/null 2>&1; then
+    BASE_BRANCH="main"
+  elif git -C "$REA_ROOT" rev-parse --verify --quiet refs/remotes/origin/master >/dev/null 2>&1; then
+    BASE_BRANCH="master"
+  fi
+fi
+if [[ -z "$BASE_BRANCH" && -n "$STAGED_SHA" ]]; then
+  printf 'rea commit-review: WARN could not resolve base branch (no origin/HEAD, no origin/main, no origin/master); cache disabled\n' >&2
+  STAGED_SHA=""
+fi
+unset _origin_head
+
 if [[ -n "$STAGED_SHA" ]]; then
   CACHE_HIT=false
 
-  # Primary: use CLI when available — handles TTL, expiry, and branch-scoped keys
+  # Primary: use CLI when available — handles TTL, expiry, and branch-scoped keys.
+  # Cache predicate must require BOTH `.hit == true` AND `.result == "pass"` —
+  # a cached `fail` verdict would otherwise satisfy `.hit == true` and let the
+  # commit proceed despite a recorded negative review. Mirrors the push-gate
+  # predicate at push-review-core.sh §8; the §218-226 direct-cache fallback
+  # already enforces `result == "pass"`, so the two paths must agree.
   if [[ ${#REA_CLI_ARGS[@]} -gt 0 ]]; then
-    CACHE_RESULT=$("${REA_CLI_ARGS[@]}" cache check "$STAGED_SHA" --branch "$BRANCH" 2>/dev/null || echo '{"hit":false}')
-    if printf '%s' "$CACHE_RESULT" | jq -e '.hit == true' >/dev/null 2>&1; then
+    CACHE_RESULT=$("${REA_CLI_ARGS[@]}" cache check "$STAGED_SHA" --branch "$BRANCH" --base "$BASE_BRANCH" 2>/dev/null || echo '{"hit":false}')
+    if printf '%s' "$CACHE_RESULT" | jq -e '.hit == true and .result == "pass"' >/dev/null 2>&1; then
       CACHE_HIT=true
     fi
   fi
@@ -221,8 +281,25 @@ fi
   printf '  1. Inspect:  git diff --cached\n'
   printf '  2. Decide:   Is this safe to commit? (initial commits, refactors, and\n'
   printf '               feature work are normal — use judgement, not ceremony)\n'
-  printf '  3. Approve:  rea cache set %s pass\n' "$STAGED_SHA"
-  printf '  4. Retry the git commit command\n'
+  # Defect L follow-up: when no sha256 hasher is available STAGED_SHA is empty
+  # and `rea cache set  pass` is a dead-end the CLI rejects. Branch the banner
+  # to surface an actionable path instead. Unlike push-review-core.sh there is
+  # no `REA_SKIP_COMMIT_REVIEW` env escape hatch (the commit gate only fires
+  # under Claude Code's Bash `PreToolUse` matcher, so a human direct-shell
+  # commit bypasses it entirely). The only remediation is to install a sha256
+  # hasher or ask the user to commit directly.
+  if [[ -n "$STAGED_SHA" ]]; then
+    printf '  3. Approve:  rea cache set %s pass --branch %s --base %s\n' \
+      "$STAGED_SHA" "$BRANCH" "$BASE_BRANCH"
+    printf '  4. Retry the git commit command\n'
+  else
+    printf '  3. Cache is DISABLED on this host (no sha256 hasher or no base\n'
+    printf '     branch resolvable). Install one of: sha256sum (Linux coreutils),\n'
+    printf '     shasum (perl-core), or openssl; or ensure origin/HEAD is set so\n'
+    printf '     the gate can identify the merge target. Without these the cache\n'
+    printf '     path cannot complete — escalate to the user if neither can be\n'
+    printf '     provided.\n'
+  fi
   printf '\n'
   printf '  Only escalate to the user if you find a genuine problem in the diff.\n'
 } >&2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/rea",
-  "version": "0.9.2",
+  "version": "0.9.4",
   "description": "Agentic governance layer for Claude Code — policy enforcement, hook-based safety gates, audit logging, and Codex-integrated adversarial review for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",

package/scripts/tarball-smoke.sh

@@ -222,17 +222,134 @@ if [ -n "$SEC_CHANGESETS" ]; then
   echo "[smoke] security-claim gate: $(printf '%s\n' "$SEC_CHANGESETS" | wc -l | awk '{print $1}') changeset(s) tagged [security]"
 
   SEC_SRC_TESTS="$(cd "$REPO_ROOT" && find src -type f \( -name '*sanitize*.test.ts' -o -name '*security*.test.ts' \) 2>/dev/null | sort)"
-  if [ -z "$SEC_SRC_TESTS" ]; then
-    echo "[smoke] FAIL — [security] changeset present but no *sanitize*.test.ts or *security*.test.ts under src/" >&2
+  # 0.9.3 extension — some security hotfixes touch ONLY shell hooks (no TS/dist
+  # symbols), so the compiled-symbol gate above doesn't apply. For those, the
+  # regression proof lives under __tests__/hooks/*{security,bypass,injection,
+  # sanitize}*.test.ts and the tarball must ship the hook file(s) the test
+  # exercises. This block runs IN ADDITION to the src/ symbol gate — either
+  # layer alone can satisfy a [security] changeset, but at least one MUST.
+  SEC_HOOK_TESTS="$(cd "$REPO_ROOT" && find __tests__/hooks -type f \( -name '*security*.test.ts' -o -name '*bypass*.test.ts' -o -name '*sanitize*.test.ts' -o -name '*injection*.test.ts' \) 2>/dev/null | sort)"
+
+  if [ -z "$SEC_SRC_TESTS" ] && [ -z "$SEC_HOOK_TESTS" ]; then
+    echo "[smoke] FAIL — [security] changeset present but no matching regression test found:" >&2
+    echo "[smoke]        - src/**/(*sanitize*|*security*).test.ts — for compiled-symbol fixes" >&2
+    echo "[smoke]        - __tests__/hooks/(*security*|*bypass*|*sanitize*|*injection*).test.ts — for hook fixes" >&2
     echo "[smoke]        a security-claim changeset with no matching regression test is a trust violation" >&2
     exit 2
   fi
 
-  # For each security test, collect the named imports pulled from relative
+  # Hook-level gate: for each hook-security test FILE, extract the hook
+  # file path(s) it installs/exercises (relative to REPO_ROOT) and assert
+  # the tarball ships that hook under node_modules/@bookedsolid/rea/hooks/
+  # AND that `rea init` fanned it out to $SMOKE_DIR/.claude/hooks/.
+  #
+  # Known narrowness (called out honestly rather than papered over):
+  #   - Granularity is per-test-file, not per-`it()` block. A file may
+  #     contain multiple `it(...)` cases; the extractor scans the whole
+  #     file body. In practice a [security]-claim test file should focus
+  #     on one defect class; mixing unrelated `it()` cases with different
+  #     hook refs dilutes the proof. PR review is the mitigation.
+  #   - A [security] file with zero extractable refs fails LOUDLY (see
+  #     EMPTY_REF_TESTS below). The narrowness only applies to files that
+  #     do extract refs but don't scope them per `it()`.
+  if [ -n "$SEC_HOOK_TESTS" ]; then
+    HOOK_MISSING=""
+    HOOK_COUNT=0
+    EMPTY_REF_TESTS=""
+    while IFS= read -r hook_test; do
+      [ -z "$hook_test" ] && continue
+      # Pull hook paths referenced by the test. Matches forms like:
+      #   'hooks', 'push-review-gate.sh'
+      #   'hooks', '_lib', 'push-review-core.sh'
+      #   'hooks', 'commit-review-gate.sh'
+      HOOK_REFS="$(perl -0777 -ne '
+        while (/path\.join\(\s*REPO_ROOT\s*,\s*[\x27"]hooks[\x27"](?:\s*,\s*[\x27"]([^\x27"]+)[\x27"])*\s*\)/sg) {
+          my $all = $&;
+          my @parts;
+          while ($all =~ /[\x27"]([^\x27"]+)[\x27"]/g) {
+            push @parts, $1 unless $1 eq "REPO_ROOT";
+          }
+          print join("/", @parts), "\n" if @parts;
+        }
+      ' "$REPO_ROOT/$hook_test" 2>/dev/null | sort -u)"
+
+      # Per-test failure: a [security] hook-test that yields zero extractable
+      # refs (e.g. uses template literals, dynamic concatenation, or helper
+      # indirection) is invisible to this gate. Fail loud so the author is
+      # forced to use the extractable path.join(REPO_ROOT, 'hooks', ...) shape,
+      # rather than having a lone extractable neighbor test silently satisfy
+      # the whole gate.
+      if [ -z "$HOOK_REFS" ]; then
+        EMPTY_REF_TESTS="$EMPTY_REF_TESTS
+  $hook_test"
+        continue
+      fi
+
+      while IFS= read -r rel; do
+        [ -z "$rel" ] && continue
+        HOOK_COUNT=$((HOOK_COUNT + 1))
+        # `rel` already includes the leading `hooks/` segment from perl. It
+        # looks like `hooks/push-review-gate.sh` or
+        # `hooks/_lib/push-review-core.sh`. The tarball ships hooks under
+        # `node_modules/@bookedsolid/rea/hooks/` and `rea init` fans them out
+        # to `$SMOKE_DIR/.claude/hooks/`. Assert BOTH — the tarball
+        # source-of-truth AND the post-init install surface.
+        rel_no_prefix="${rel#hooks/}"
+        TARBALL_HOOK="$SMOKE_DIR/node_modules/@bookedsolid/rea/hooks/$rel_no_prefix"
+        INSTALLED_HOOK="$SMOKE_DIR/.claude/hooks/$rel_no_prefix"
+        if [ ! -f "$TARBALL_HOOK" ] || [ ! -f "$INSTALLED_HOOK" ]; then
+          HOOK_MISSING="$HOOK_MISSING
+  $rel (exercised by $hook_test)"
+        fi
+      done <<< "$HOOK_REFS"
+    done <<< "$SEC_HOOK_TESTS"
+
+    if [ -n "$HOOK_MISSING" ]; then
+      echo "[smoke] FAIL — [security] hook-test gate: hook file(s) under test are MISSING from tarball:" >&2
+      printf '%s\n' "$HOOK_MISSING" >&2
+      exit 2
+    fi
+
+    if [ -n "$EMPTY_REF_TESTS" ]; then
+      echo "[smoke] FAIL — [security] hook-test gate: one or more hook-security tests yielded zero extractable hook references:" >&2
+      printf '%s\n' "$EMPTY_REF_TESTS" >&2
+      echo "[smoke]        hook-security tests MUST reference hook files via the literal shape" >&2
+      echo "[smoke]        path.join(REPO_ROOT, 'hooks', '<name>.sh')  (or with a nested '_lib' arg)" >&2
+      echo "[smoke]        Template literals, dynamic concatenation, and helper indirection are" >&2
+      echo "[smoke]        invisible to this gate and would let hook changes ship unverified." >&2
+      exit 2
+    fi
+
+    if [ "$HOOK_COUNT" -eq 0 ]; then
+      echo "[smoke] FAIL — [security] hook-test gate: no checkable hook references extracted" >&2
+      echo "[smoke]        hook-security tests must reference hook files via path.join(REPO_ROOT, 'hooks', ...)" >&2
+      echo "[smoke]        so the gate can verify the hook ships in the tarball" >&2
+      exit 2
+    fi
+
+    echo "[smoke]   → $(printf '%s\n' "$SEC_HOOK_TESTS" | wc -l | awk '{print $1}') hook-security test(s), $HOOK_COUNT hook ref(s) all present in tarball"
+  fi
+
+  # The compiled-symbol gate below only runs when src/ security tests exist.
+  # A hook-only hotfix satisfies via the block above. Flag the src/ gate to
+  # skip gracefully — the remaining smoke checks (export resolution, tree
+  # equality) still run unconditionally below.
+  SKIP_SRC_SYMBOL_GATE=0
+  if [ -z "$SEC_SRC_TESTS" ]; then
+    SKIP_SRC_SYMBOL_GATE=1
+  fi
+
+  # For each src security test, collect the named imports pulled from relative
   # paths — those are the symbols under test and must be compiled into dist/.
   # Example line we want to match:
   #   import { sanitizeHealthSnapshot, INJECTION_REDACTED_PLACEHOLDER } from './health';
   # We ignore imports from bare package names ('vitest', 'node:fs', etc.).
+  #
+  # Skipped when only __tests__/hooks/ security tests exist (hook-only hotfix);
+  # the hook-test gate above is authoritative for that case.
+  if [ "$SKIP_SRC_SYMBOL_GATE" = "1" ]; then
+    echo "[smoke]   → src/ symbol gate skipped (no src/*{security,sanitize}*.test.ts — hook-test gate is authoritative)"
+  else
   MISSING_SYMBOLS=""
   SYMBOL_COUNT=0
   while IFS= read -r src_test; do
@@ -294,6 +411,7 @@ if [ -n "$SEC_CHANGESETS" ]; then
   fi
 
   echo "[smoke]   → $(printf '%s\n' "$SEC_SRC_TESTS" | wc -l | awk '{print $1}') security regression test(s), $SYMBOL_COUNT imported symbol(s) all present in dist/"
+  fi  # SKIP_SRC_SYMBOL_GATE
 fi
 
 # Verify every declared public export resolves. If the exports map points at a