@bookedsolid/rea 0.9.4 → 0.10.1

package/dist/gateway/middleware/audit-types.d.ts

@@ -1,4 +1,31 @@
 import type { Tier, InvocationStatus } from '../../policy/types.js';
+/**
+ * Emission-path discriminator for the audit record (defect P).
+ *
+ * The push-review gate trusts `tool_name: "codex.review"` records to certify
+ * a real Codex adversarial review ran on the given commit SHA. Before this
+ * field existed, any script with filesystem access to `node_modules` could
+ * call `appendAuditRecord(...)` with a `codex.review` tool name and forge
+ * the certification — the governance promise was a convention, not enforced.
+ *
+ * `emission_source` tags the code path that wrote the record:
+ *
+ *   - `"rea-cli"`   — emitted by the `rea` CLI itself (e.g. `rea audit
+ *                     record codex-review`). The rea CLI is classified by
+ *                     `reaCommandTier()` (defect E) and is an audited,
+ *                     policy-governed entry point.
+ *   - `"codex-cli"` — emitted by the Codex adversarial review path itself,
+ *                     the authoritative source.
+ *   - `"other"`     — every other caller of the public
+ *                     `appendAuditRecord()` helper (consumer plugins,
+ *                     ad-hoc scripts, tests). Legitimate for event types
+ *                     OTHER than `codex.review`; REJECTED by the
+ *                     push-review cache gate for `codex.review` lookups.
+ *
+ * The field is part of the hashed record body — it cannot be altered after
+ * the fact without breaking the chain.
+ */
+export type EmissionSource = 'rea-cli' | 'codex-cli' | 'other';
 export interface AuditRecord {
     timestamp: string;
     session_id: string;
@@ -21,6 +48,14 @@ export interface AuditRecord {
      * the redaction middleware runs on `ctx.arguments`, not on metadata.
      */
     metadata?: Record<string, unknown>;
+    /**
+     * Defect P (0.10.1). Discriminates the emission path: `"rea-cli"` for
+     * rea's own CLI, `"codex-cli"` for the Codex adversarial reviewer,
+     * `"other"` for every other caller of the public audit helper. Required
+     * field; the push-review gate refuses to accept `codex.review` records
+     * whose source is `"other"` (or missing, for pre-0.10.1 legacy records).
+     */
+    emission_source: EmissionSource;
     hash: string;
     prev_hash: string;
 }

package/dist/gateway/middleware/audit.js

@@ -95,6 +95,12 @@ metrics) {
                         autonomy_level: autonomyLevel,
                         duration_ms,
                         prev_hash: prevHash,
+                        // Defect P: gateway middleware records every proxied tool call.
+                        // rea itself is the writer — tag as rea-cli so the schema is
+                        // consistent. "rea-cli" here is a misnomer (the gateway isn't a
+                        // CLI) but is part of the stable 0.10.1 discriminator set;
+                        // semantically it means "written by @bookedsolid/rea itself".
+                        emission_source: 'rea-cli',
                     };
                     if (ctx.error) {
                         recordBase.error = ctx.error;

package/dist/gateway/middleware/blocked-paths.js

@@ -376,6 +376,44 @@ function matchesBlockedPattern(value, pattern) {
         }
         return false;
     }
+    // Defect H (rea#79): dot-anchored patterns. A pattern whose base starts with
+    // `.` (e.g. `.rea/`, `.env`, `.husky/`) is meant to block ONLY leading-dot
+    // filesystem entries — never any path segment that happens to be spelled
+    // similarly without the dot. The previous suffix-based match let pattern
+    // `.rea/` trip on `Projects/rea/Bug Reports` (any project folder named
+    // `rea`) because `suffix.startsWith(base)` was false but the final
+    // `segs.includes(base)` fallback conflated `.rea` with `rea` through
+    // normalization downstream in some code paths. By explicitly requiring
+    // leading-dot segment equality, dot-prefixed patterns cannot bleed across
+    // the dot/no-dot boundary regardless of normalization rule drift.
+    const dotAnchored = base.startsWith('.');
+    if (dotAnchored) {
+        // Dot-anchored: segment must equal base exactly. Dir patterns also match
+        // "<base>/..." via the trailing slash marker. Never scans non-dot
+        // segments, so `Projects/rea/...` can never match `.rea/`.
+        for (let i = 0; i < segs.length; i++) {
+            const seg = segs[i];
+            if (seg === base) {
+                // Exact segment match — for a non-dir pattern this matches a FILE
+                // named exactly `.env`; for a dir pattern it matches the directory
+                // entry itself (the trailing-slash below covers its contents).
+                if (!dirPattern && i !== segs.length - 1)
+                    continue;
+                return true;
+            }
+            if (dirPattern && seg === base)
+                return true;
+        }
+        if (dirPattern) {
+            // Dir pattern: any suffix that starts with `<base>/` matches.
+            for (let i = 0; i < segs.length; i++) {
+                const suffix = segs.slice(i).join('/');
+                if (suffix === base || suffix.startsWith(`${base}/`))
+                    return true;
+            }
+        }
+        return false;
+    }
     for (let i = 0; i < segs.length; i++) {
         const suffix = segs.slice(i).join('/');
         if (suffix === base)

package/dist/gateway/middleware/policy.js

@@ -1,6 +1,48 @@
 import { AutonomyLevel, InvocationStatus, Tier } from '../../policy/types.js';
-import { classifyTool, isToolBlocked } from '../../config/tier-map.js';
+import { classifyTool, isToolBlocked, reaCommandTier } from '../../config/tier-map.js';
 import { loadPolicyAsync } from '../../policy/loader.js';
+const BASH_DISPLAY_MAX_LEN = 80;
+/** Extract the `rea <subcommand>` head from a Bash command string for display
+ * in deny messages. Returns `null` when the command is not a rea invocation. */
+function extractReaSubcommand(command) {
+    const tokens = command.trim().split(/\s+/);
+    if (tokens.length === 0)
+        return null;
+    const first = tokens[0];
+    if (first === undefined)
+        return null;
+    let idx = 0;
+    if (first === 'npx' && tokens.length >= 2 && (tokens[1] === 'rea' || tokens[1] === '@bookedsolid/rea')) {
+        idx = 2;
+    }
+    else if (first === 'rea' || first.endsWith('/rea')) {
+        idx = 1;
+    }
+    else {
+        return null;
+    }
+    const sub = tokens[idx];
+    if (sub === undefined)
+        return 'rea';
+    const sub2 = tokens[idx + 1];
+    if (sub2 !== undefined && /^[a-z][a-z-]*$/.test(sub2)) {
+        return `rea ${sub} ${sub2}`;
+    }
+    return `rea ${sub}`;
+}
+/** Build a readable `Bash: <head>` display string for deny messages. Caller
+ * is responsible for only invoking this for tool_name === 'Bash'. Uses
+ * JSON.stringify to escape hostile characters (newlines, control chars). */
+function formatBashDisplay(command, reaDisplay) {
+    if (reaDisplay !== null) {
+        return `Bash (${reaDisplay})`;
+    }
+    const trimmed = command.trim();
+    const truncated = trimmed.length > BASH_DISPLAY_MAX_LEN
+        ? `${trimmed.slice(0, BASH_DISPLAY_MAX_LEN - 1)}…`
+        : trimmed;
+    return `Bash (${JSON.stringify(truncated)})`;
+}
 /**
  * Autonomy level tier permissions:
  * - L0: Read only
@@ -48,7 +90,23 @@ export function createPolicyMiddleware(initialPolicy, gatewayConfig, baseDir) {
         }
         // SECURITY: Re-derive tier from tool_name — do NOT trust ctx.tier from prior middleware.
         // This prevents a rogue middleware from downgrading a destructive tool to read-tier.
-        const tier = classifyTool(ctx.tool_name, ctx.server_name, gatewayConfig);
+        let tier = classifyTool(ctx.tool_name, ctx.server_name, gatewayConfig);
+        // Defect E (rea#78): when the invocation is a `Bash` call whose command
+        // parses as `rea <subcommand>`, classify by subcommand instead of the
+        // generic `Write` Bash default. REA's own CLI must not be denied by REA's
+        // own middleware at the autonomy level the gate's remediation text
+        // targets. Returns null on non-rea commands so the generic tier stands.
+        let reaSubcommandDisplay = null;
+        if (ctx.tool_name === 'Bash') {
+            const command = ctx.arguments['command'];
+            if (typeof command === 'string') {
+                const subTier = reaCommandTier(command);
+                if (subTier !== null) {
+                    tier = subTier;
+                    reaSubcommandDisplay = extractReaSubcommand(command);
+                }
+            }
+        }
         ctx.tier = tier; // Overwrite with authoritative classification
         // Validate autonomy level is known
         const allowed = TIER_ALLOWED[policy.autonomy_level];
@@ -60,7 +118,14 @@ export function createPolicyMiddleware(initialPolicy, gatewayConfig, baseDir) {
         // Check autonomy level vs tier (fail-closed: deny if tier unknown)
         if (!allowed.has(tier)) {
             ctx.status = InvocationStatus.Denied;
-            ctx.error = `Autonomy level ${policy.autonomy_level} does not allow ${tier}-tier tools. Tool: ${ctx.tool_name}`;
+            // Defect E composition: when the denial is a Bash invocation, include
+            // the command head so the deny-reason is actionable. `Bash` alone tells
+            // the operator nothing about WHICH shell command tripped the gate.
+            const toolDisplay = ctx.tool_name === 'Bash' && typeof ctx.arguments['command'] === 'string'
+                ? formatBashDisplay(ctx.arguments['command'], reaSubcommandDisplay)
+                : ctx.tool_name;
+            ctx.error = `Autonomy level ${policy.autonomy_level} does not allow ${tier}-tier tools. Tool: ${toolDisplay}`;
+            ctx.metadata['reason_code'] = 'tier_exceeds_autonomy';
             return;
         }
         // Store current autonomy level in metadata for audit middleware

package/dist/registry/tofu-gate.js

@@ -141,7 +141,10 @@ async function emitSideEffects(baseDir, c, log) {
         boxLine(` current: ${c.current.slice(0, 16)}…`),
         boxLine(''),
         boxLine(' The server will NOT connect. Other servers remain up.'),
-        boxLine(' To accept (once):  REA_ACCEPT_DRIFT=<name> rea serve'),
+        boxLine(' After a legitimate registry edit:'),
+        boxLine(`   rea tofu accept ${c.server} --reason "<why>"`),
+        boxLine(' One-shot bypass (not recommended):'),
+        boxLine(`   REA_ACCEPT_DRIFT=${c.server} rea serve`),
         `  ╚${'═'.repeat(BOX_INNER_WIDTH)}╝`,
         '',
     ].join('\n'));

package/hooks/_lib/push-review-core.sh

@@ -719,12 +719,20 @@ pr_core_run() {
   # fail-closed and require an explicit review.
   local SOURCE_SHA="" MERGE_BASE="" TARGET_BRANCH="" SOURCE_REF=""
   local HAS_DELETE=0 BEST_COUNT=0
-  local rec local_sha remote_sha local_ref remote_ref target mb mb_status count count_status
+  local rec local_sha remote_sha local_ref remote_ref target resolved_base mb mb_status count count_status
   for rec in "${REFSPEC_RECORDS[@]}"; do
     IFS='|' read -r local_sha remote_sha local_ref remote_ref <<<"$rec"
     target="${remote_ref#refs/heads/}"
     target="${target#refs/for/}"
     [[ -z "$target" ]] && target="main"
+    # Defect N: track the SEMANTIC base (the ref the diff was anchored on)
+    # distinctly from `target` (the pushed remote ref). For a tracked branch
+    # they coincide; for a new branch, `target` is the branch name being
+    # created — which is NOT what we reviewed against, so `Target:` must
+    # echo `resolved_base` instead. Default to `target` for the tracked
+    # case; the new-branch path overrides with the resolved default_ref
+    # short name below.
+    resolved_base="$target"
 
     if [[ "$local_sha" == "$ZERO_SHA" ]]; then
       HAS_DELETE=1
@@ -774,25 +782,81 @@ pr_core_run() {
       #
       # argv_remote is set from the adapter's argv (git passes the remote name
       # as $1 on pre-push); defaults to "origin" when absent (BUG-008 sniff).
-      local default_ref default_ref_status
-      default_ref=$(cd "$REA_ROOT" && git symbolic-ref "refs/remotes/${argv_remote}/HEAD" 2>/dev/null)
-      default_ref_status=$?
-      if [[ "$default_ref_status" -ne 0 || -z "$default_ref" ]]; then
-        # symbolic-ref failed (common on shallow or mirror clones where
-        # origin/HEAD was never set). Probe the common default-branch names in
-        # order: main, then master. Both are remote-tracking refs and still
-        # server-authoritative; the order matters only for projects that still
-        # default to `master` (older internal forks), where without this
-        # fallback the first push of a new branch would fail closed.
-        if cd "$REA_ROOT" && git rev-parse --verify --quiet "refs/remotes/${argv_remote}/main" >/dev/null 2>&1; then
-          default_ref="refs/remotes/${argv_remote}/main"
-        elif cd "$REA_ROOT" && git rev-parse --verify --quiet "refs/remotes/${argv_remote}/master" >/dev/null 2>&1; then
-          default_ref="refs/remotes/${argv_remote}/master"
-        else
-          default_ref=""
+      #
+      # Defect N (0.10.1): BEFORE falling back to the remote's default branch,
+      # consult per-branch config `branch.<source>.base`. A feature branch
+      # targeting `dev` in a main-as-production repo would otherwise resolve
+      # against `origin/main` silently, producing a diff that spans the entire
+      # dev→main history — reviewers see "Scope: 28690 lines" for a 4-file
+      # change. The git-config route uses local branch knowledge that is
+      # authoritative for this working copy (set via `git branch --set-upstream`,
+      # or by CI tooling that tracks the intended target). This is consulted
+      # BEFORE origin/HEAD because the latter is a server-default that may
+      # mis-represent the reviewer's actual intent for this specific branch.
+      local default_ref default_ref_status configured_base source_branch
+      source_branch="${local_ref#refs/heads/}"
+      default_ref=""
+      # Codex 0.10.1 finding #1: `local` is function-scoped, not loop-
+      # iteration-scoped — without an explicit reset, iteration N inherits
+      # iteration N-1's configured_base and falsely promotes resolved_base
+      # when the current refspec's local_ref does NOT begin with refs/heads/
+      # (tag push, gerrit-style refs/for/, etc.). Reset before every
+      # potential assignment so each iteration sees a clean slate.
+      configured_base=""
+
+      if [[ -n "$source_branch" && "$source_branch" != "HEAD" ]]; then
+        configured_base=$(cd "$REA_ROOT" && git config --get "branch.${source_branch}.base" 2>/dev/null || echo "")
+        if [[ -n "$configured_base" ]]; then
+          # Prefer the REMOTE-TRACKING form so the gate still anchors on a
+          # server-authoritative ref (see the local-ref hijack explanation
+          # above). Fall back to the local short ref only if the remote
+          # counterpart doesn't exist, with a visible WARN on stderr — the
+          # local ref is less trustworthy and the reviewer should know.
+          if cd "$REA_ROOT" && git rev-parse --verify --quiet "refs/remotes/${argv_remote}/${configured_base}" >/dev/null 2>&1; then
+            default_ref="refs/remotes/${argv_remote}/${configured_base}"
+          elif cd "$REA_ROOT" && git rev-parse --verify --quiet "refs/heads/${configured_base}" >/dev/null 2>&1; then
+            default_ref="refs/heads/${configured_base}"
+            printf 'WARN: branch.%s.base=%s resolved to local ref; remote counterpart %s/%s missing — reviewer-side diff may be stale\n' \
+              "$source_branch" "$configured_base" "$argv_remote" "$configured_base" >&2
+          fi
+        fi
+      fi
+
+      if [[ -z "$default_ref" ]]; then
+        default_ref=$(cd "$REA_ROOT" && git symbolic-ref "refs/remotes/${argv_remote}/HEAD" 2>/dev/null)
+        default_ref_status=$?
+        if [[ "$default_ref_status" -ne 0 || -z "$default_ref" ]]; then
+          # symbolic-ref failed (common on shallow or mirror clones where
+          # origin/HEAD was never set). Probe the common default-branch names in
+          # order: main, then master. Both are remote-tracking refs and still
+          # server-authoritative; the order matters only for projects that still
+          # default to `master` (older internal forks), where without this
+          # fallback the first push of a new branch would fail closed.
+          if cd "$REA_ROOT" && git rev-parse --verify --quiet "refs/remotes/${argv_remote}/main" >/dev/null 2>&1; then
+            default_ref="refs/remotes/${argv_remote}/main"
+          elif cd "$REA_ROOT" && git rev-parse --verify --quiet "refs/remotes/${argv_remote}/master" >/dev/null 2>&1; then
+            default_ref="refs/remotes/${argv_remote}/master"
+          else
+            default_ref=""
+          fi
         fi
       fi
       if [[ -n "$default_ref" ]]; then
+        # Defect N: if operator-configured `branch.<source>.base` resolved the
+        # ref we're about to diff against, overwrite `resolved_base` with the
+        # short name so TARGET_BRANCH (and the Target: label) reflect the
+        # actual review anchor. Without an explicit config override, leave
+        # `resolved_base` at the refspec target — this preserves the cache
+        # contract for new-branch pushes where remote_ref is the same as the
+        # source branch (the common case) and for bare pushes that
+        # argv-resolve via `@{upstream}`. Only operators who opted into a
+        # per-branch base get the label promoted, keeping the change
+        # backward-compatible for every other path.
+        if [[ -n "$configured_base" ]]; then
+          resolved_base="${default_ref#refs/remotes/${argv_remote}/}"
+          resolved_base="${resolved_base#refs/heads/}"
+          [[ -z "$resolved_base" ]] && resolved_base="$default_ref"
+        fi
         mb=$(cd "$REA_ROOT" && git merge-base "$default_ref" "$local_sha" 2>/dev/null || echo "")
         if [[ -z "$mb" ]]; then
           # default_ref resolved but merge-base came back empty (unrelated
@@ -867,13 +931,40 @@ pr_core_run() {
         if [[ "$CODEX_WAIVER_ACTIVE" == "1" ]]; then
           _codex_ok=1
         elif [[ -f "$_audit" ]]; then
-          if jq -e --arg sha "$local_sha" '
-              select(
-                .tool_name == "codex.review"
-                and .metadata.head_sha == $sha
-                and (.metadata.verdict == "pass" or .metadata.verdict == "concerns")
-              )
-            ' "$_audit" >/dev/null 2>&1; then
+          # Defect P (0.10.1): require .emission_source == "rea-cli" or
+          # "codex-cli" so agents cannot forge a codex.review record by
+          # directly calling appendAuditRecord() from an ad-hoc .mjs script
+          # (the generic helper stamps "other"). Legacy records (pre-0.10.1)
+          # have no emission_source field and are rejected — the first push
+          # on an upgraded consumer requires a fresh `rea audit record
+          # codex-review` (or Codex CLI emission) which stamps "rea-cli".
+          #
+          # Defect T/U (0.10.2): read the audit file as raw lines and parse
+          # each with `fromjson?`. Before 0.10.2 this scan used
+          # `jq -e '<filter>' "$_audit"` which feeds the file as a single
+          # JSON stream — a single malformed line (literal backslash-u
+          # followed by non-hex characters inside a string, for example)
+          # makes jq bail on the stream with exit 2 and the `select` never
+          # runs against ANY record, including legitimate codex.review
+          # entries further down the file. The failure is total: every
+          # cached codex.review receipt becomes unreachable until the
+          # corrupt line is hand-edited out. `-R` flips jq into raw-input
+          # mode (one string per line), and `fromjson?` is the error-
+          # suppressing parser — malformed lines silently yield empty
+          # output. The `select` filter then inspects each successfully
+          # parsed record exactly as before, and `grep -q .` detects
+          # whether ANY record survived the filter. Lines 1107 and the
+          # earlier cache_result scans at :432/:612 operate on a single
+          # printf'd JSON string, not audit.jsonl, so they remain `jq -e`.
+          if jq -R --arg sha "$local_sha" '
+              fromjson?
+              | select(
+                  .tool_name == "codex.review"
+                  and .metadata.head_sha == $sha
+                  and (.metadata.verdict == "pass" or .metadata.verdict == "concerns")
+                  and (.emission_source == "rea-cli" or .emission_source == "codex-cli")
+                )
+            ' "$_audit" 2>/dev/null | grep -q .; then
             _codex_ok=1
           fi
         fi
@@ -918,7 +1009,12 @@ pr_core_run() {
     if [[ -z "$SOURCE_SHA" ]] || [[ "$count" -gt "$BEST_COUNT" ]]; then
       SOURCE_SHA="$local_sha"
       MERGE_BASE="$mb"
-      TARGET_BRANCH="$target"
+      # Defect N: use `resolved_base` (the actual merge-base anchor we
+      # diffed against), not `target` (the pushed-ref name). For tracked
+      # branches these are the same; for new branches without an upstream
+      # the distinction is the difference between "Target: <source-branch>"
+      # (misleading) and "Target: main" (or whichever base was resolved).
+      TARGET_BRANCH="$resolved_base"
       SOURCE_REF="$local_ref"
       BEST_COUNT="$count"
     fi
@@ -1059,8 +1155,45 @@ pr_core_run() {
   fi
 
   if [[ -n "$PUSH_SHA" ]] && [[ ${#REA_CLI_ARGS[@]} -gt 0 ]]; then
+    # Defect F (rea#75): distinguish cache-miss from cache-error. Prior version
+    # swallowed all non-zero exits and stderr into a silent `{hit:false}`, which
+    # masked Defect A (0.9.2 `node <shim>` SyntaxError) for weeks. Now we
+    # capture stderr + exit code separately and emit a visible WARN with an
+    # actionable filename when the CLI failed.
     local CACHE_RESULT
-    CACHE_RESULT=$("${REA_CLI_ARGS[@]}" cache check "$PUSH_SHA" --branch "$SOURCE_BRANCH" --base "$TARGET_BRANCH" 2>/dev/null || echo '{"hit":false}')
+    local CACHE_STDOUT=""
+    local CACHE_STDERR_FILE
+    # SECURITY (Codex LOW 4): require mktemp. A predictable /tmp path like
+    # /tmp/rea-cache-err.$PID is a TOCTOU attack surface on shared hosts —
+    # another user can pre-create a symlink from that name to a file they
+    # want us to clobber. If mktemp is unavailable, fail loudly rather than
+    # silently falling back to a predictable path.
+    if ! CACHE_STDERR_FILE=$(mktemp -t rea-cache-err.XXXXXX 2>/dev/null); then
+      printf 'rea push-review: mktemp unavailable; cannot capture cache-check stderr. Aborting.\n' >&2
+      return 2
+    fi
+    local CACHE_EXIT=0
+    CACHE_STDOUT=$("${REA_CLI_ARGS[@]}" cache check "$PUSH_SHA" --branch "$SOURCE_BRANCH" --base "$TARGET_BRANCH" 2>"$CACHE_STDERR_FILE") || CACHE_EXIT=$?
+    local CACHE_STDERR=""
+    CACHE_STDERR=$(cat "$CACHE_STDERR_FILE" 2>/dev/null || true)
+    rm -f "$CACHE_STDERR_FILE"
+    if [[ "$CACHE_EXIT" -ne 0 ]]; then
+      # SECURITY (Codex LOW 5): strip C0/C1 control characters from CLI
+      # stderr before echoing to the terminal. A tampered dist/ or hostile
+      # CLI could otherwise emit OSC/CSI sequences that rewrite lines above
+      # the deny message and mislead the operator. We strip both C0 + DEL
+      # AND C1 (0x80-0x9F) — some terminal emulators still honor bare C1
+      # bytes as CSI introducers (0x9B) or OSC (0x9D).
+      local CACHE_STDERR_SAFE
+      CACHE_STDERR_SAFE=$(printf '%s' "$CACHE_STDERR" | LC_ALL=C tr -d '\000-\037\177\200-\237')
+      printf 'rea push-review: CACHE CHECK FAILED (exit=%d): %s\n' "$CACHE_EXIT" "$CACHE_STDERR_SAFE" >&2
+      printf 'rea push-review: treating as miss; file bookedsolidtech/rea issue if unexpected.\n' >&2
+      CACHE_RESULT='{"hit":false,"reason":"query_error"}'
+    elif [[ -z "$CACHE_STDOUT" ]]; then
+      CACHE_RESULT='{"hit":false,"reason":"cold"}'
+    else
+      CACHE_RESULT="$CACHE_STDOUT"
+    fi
     # Require BOTH hit == true AND result == "pass". A cached `fail` verdict
     # (Codex 0.8.0 pass-2 finding #1) must NOT satisfy the gate — cache.ts
     # serializes `result` verbatim, so a negative verdict would otherwise

package/hooks/commit-review-gate.sh

@@ -242,7 +242,31 @@ if [[ -n "$STAGED_SHA" ]]; then
   # predicate at push-review-core.sh §8; the §218-226 direct-cache fallback
   # already enforces `result == "pass"`, so the two paths must agree.
   if [[ ${#REA_CLI_ARGS[@]} -gt 0 ]]; then
-    CACHE_RESULT=$("${REA_CLI_ARGS[@]}" cache check "$STAGED_SHA" --branch "$BRANCH" --base "$BASE_BRANCH" 2>/dev/null || echo '{"hit":false}')
+    # Defect F (rea#75): surface cache-query errors instead of treating them as
+    # legitimate misses. See hooks/_lib/push-review-core.sh for the rationale.
+    # SECURITY (Codex LOW 4): require mktemp. Predictable /tmp paths are a
+    # TOCTOU surface on shared hosts; fall-loud instead of fall-back.
+    if ! CACHE_STDERR_FILE=$(mktemp -t rea-commit-cache-err.XXXXXX 2>/dev/null); then
+      printf 'rea commit-review: mktemp unavailable; cannot capture cache-check stderr. Aborting.\n' >&2
+      exit 2
+    fi
+    CACHE_EXIT=0
+    CACHE_STDOUT=$("${REA_CLI_ARGS[@]}" cache check "$STAGED_SHA" --branch "$BRANCH" --base "$BASE_BRANCH" 2>"$CACHE_STDERR_FILE") || CACHE_EXIT=$?
+    CACHE_STDERR=$(cat "$CACHE_STDERR_FILE" 2>/dev/null || true)
+    rm -f "$CACHE_STDERR_FILE"
+    if [[ "$CACHE_EXIT" -ne 0 ]]; then
+      # SECURITY (Codex LOW 5): strip C0/C1 control chars before echoing CLI
+      # stderr. Includes 0x80-0x9F because some terminals interpret bare C1
+      # bytes (CSI 0x9B, OSC 0x9D) as escape introducers.
+      CACHE_STDERR_SAFE=$(printf '%s' "$CACHE_STDERR" | LC_ALL=C tr -d '\000-\037\177\200-\237')
+      printf 'rea commit-review: CACHE CHECK FAILED (exit=%d): %s\n' "$CACHE_EXIT" "$CACHE_STDERR_SAFE" >&2
+      printf 'rea commit-review: treating as miss; file bookedsolidtech/rea issue if unexpected.\n' >&2
+      CACHE_RESULT='{"hit":false,"reason":"query_error"}'
+    elif [[ -z "$CACHE_STDOUT" ]]; then
+      CACHE_RESULT='{"hit":false,"reason":"cold"}'
+    else
+      CACHE_RESULT="$CACHE_STDOUT"
+    fi
     if printf '%s' "$CACHE_RESULT" | jq -e '.hit == true and .result == "pass"' >/dev/null 2>&1; then
       CACHE_HIT=true
     fi