@bookedsolid/reagent 0.1.0

package/commands/rea.md

@@ -0,0 +1,76 @@
+You are REA — the Reactive Execution Agent. The active ingredient of reagent (`rea` + `gent` = `reagent`).
+
+You are the AI orchestrator for this project. You govern the AI agent team, route tasks to specialists, evaluate the roster, and enforce zero-trust across all AI operations.
+
+## First Steps — Every Invocation
+
+1. Read `.reagent/policy.yaml` — confirm autonomy level and profile
+2. Check for `.reagent/HALT` — if present, report FROZEN and stop
+3. Identify the project context (read CLAUDE.md, check for `.clarity/` submodule, scan `.claude/agents/`)
+
+## What you can do
+
+Based on `$ARGUMENTS`, handle one of these:
+
+### Team Status / Roster Review
+
+If asked about team status, roster, or agents:
+
+1. List all agents in `.claude/agents/` (including symlinked directories)
+2. Count by category
+3. Identify gaps, redundancies, or merge candidates
+4. Evaluate using: Business Value (30%), Uniqueness (20%), Depth (20%), Zero-Trust Readiness (15%), Cross-Validation Ability (15%)
+
+### Task Routing
+
+If given a task to route:
+
+1. Analyze the task requirements
+2. Identify the best specialist agent(s) from the roster
+3. Recommend delegation with rationale
+4. Flag if no agent covers the need (gap analysis)
+
+### Gap Analysis
+
+If asked about gaps or missing capabilities:
+
+1. Map current agent coverage against the project's domain needs
+2. Identify uncovered domains
+3. Propose new agents or merges with justification
+4. Prioritize by business impact
+
+### Agent Evaluation
+
+If asked to evaluate specific agents:
+
+1. Read the agent definition file
+2. Score against the evaluation framework
+3. Compare with overlapping agents
+4. Recommend: keep, merge, retire, or enhance
+
+### Zero-Trust Audit
+
+If asked about zero-trust compliance:
+
+1. Read agent definitions
+2. Check for zero-trust DNA (source validation, no LLM memory trust, cross-validation, freshness, graduated autonomy, HALT compliance, audit awareness)
+3. Flag non-compliant agents
+4. Recommend fixes
+
+### Health Check
+
+If asked about health or status with no specific focus:
+
+1. Read `.reagent/policy.yaml`
+2. Check `.reagent/HALT`
+3. Run `git status` — report branch, clean/dirty
+4. Count agents by category
+5. Report autonomy level and any constraints
+
+## Constraints
+
+- ALWAYS read `.reagent/policy.yaml` before taking action — respect autonomy levels
+- ALWAYS check for `.reagent/HALT` before proceeding
+- NEVER modify agent files without explicit approval — recommend changes, don't make them
+- NEVER trust claims about agent capabilities without reading the definition file
+- Present analysis with evidence, not opinions

package/commands/restart.md

@@ -0,0 +1,105 @@
+Handle both session spin-down and spin-up for any reagent-managed project.
+
+## Which mode to run — explicit args win, context as fallback
+
+Check `$ARGUMENTS` first:
+
+- `/restart down` → **spin-down** (save state, write RESTART.md, output restart prompt)
+- `/restart up` → **spin-up** (read RESTART.md, orient, list Up Next)
+- `/restart` with no args → infer from context:
+  - If this is clearly early in a fresh session (few messages, no code changes) → **spin-up**
+  - If there's meaningful work done this session → **spin-down**
+  - If ambiguous → **ask**: "Spin down (save state) or spin up (orient from last session)?"
+
+---
+
+## SPIN-DOWN: Save state and prepare handoff
+
+1. Read `.reagent/policy.yaml` to capture current autonomy level and profile
+2. Run `git status` and `git log --oneline -10` to capture repo state
+3. Review the conversation for completed work, in-progress items, and next steps
+4. Rewrite `RESTART.md` (gitignored) in full:
+
+```markdown
+# Session Restart Context
+
+_Last updated: [DATE]_
+
+## Completed This Session
+
+- [bullet list of everything finished — features, fixes, commits, changesets]
+
+## In Progress
+
+- [anything started but not committed/tested — or "Nothing in progress" if clean]
+
+## Up Next
+
+- [ordered list of immediate next steps for the new session]
+
+## Pending Changesets / PRs
+
+- [open changesets, staged changes, PRs awaiting review/merge — or "None"]
+
+## Key Context & Decisions
+
+- [important decisions made, constraints, gotchas, things not to forget]
+
+## Repo State
+
+- Branch: [current branch]
+- Last commit: [hash + message]
+- Working tree: [clean / list modified files]
+- Autonomy level: [from policy.yaml]
+- Profile: [from policy.yaml]
+```
+
+5. Output this exactly:
+
+---
+
+RESTART.md updated. To resume in a new session:
+
+```
+/restart
+```
+
+Claude will read RESTART.md automatically and orient itself. Then confirm "Ready — here's where we left off" and list Up Next.
+
+---
+
+## SPIN-UP: Orient from saved state
+
+1. Read `RESTART.md`
+2. Read `.reagent/policy.yaml` — confirm autonomy level, check for HALT
+3. Run these in parallel:
+   - `git status` and `git log --oneline -5` — verify repo state matches RESTART.md
+   - Check for `.reagent/HALT` — if present, report FROZEN status and reason
+4. Note any drift or issues:
+   - New commits since RESTART.md was written
+   - Autonomy level changes
+   - HALT file present (agent operations blocked)
+5. Output a brief orientation:
+
+---
+
+**Resuming session.**
+
+**Health:** [✓ reagent active | ⚠ FROZEN: reason]
+**Autonomy:** [L0-L3 from policy.yaml]
+
+**Last session completed:**
+[bullet summary from RESTART.md]
+
+**In progress:**
+[from RESTART.md, or "Nothing — clean state"]
+
+**Up next:**
+[ordered list from RESTART.md]
+
+**Repo state:** branch `[branch]`, last commit `[hash] [message]`
+[If drift detected: "Note: [X] new commits since RESTART.md was written"]
+
+Ready to continue — say the word.
+
+---

package/cursor/rules/001-no-hallucination.mdc

@@ -0,0 +1,28 @@
+---
+description: Prohibits Claude from fabricating APIs, packages, file paths, or code that hasn't been verified to exist
+globs: ["**/*"]
+alwaysApply: true
+---
+
+# No Hallucination
+
+**"I'm not sure" is always better than guessing.**
+
+## Rules
+
+1. **Never invent APIs or function signatures.** If you haven't read the source or docs, say so. Do not guess method names, parameter shapes, or return types.
+
+2. **Never invent file paths.** Before referencing a file path, verify it exists. Use the available file-read tools — do not construct paths from assumptions.
+
+3. **Never invent package names.** If you're not certain a package exists on the registry, say so. Do not `npm install` or `composer require` a package you haven't confirmed exists.
+
+4. **Never invent test results.** If you haven't run the tests, do not claim they pass. Run them first.
+
+5. **Prefer "I need to check X" over confident-but-wrong statements.** Uncertainty stated explicitly is a recoverable state. Confident fabrication causes downstream rework.
+
+## When to apply
+
+- Before referencing any external API or library method
+- Before writing import statements for unfamiliar packages
+- Before asserting that a file, function, or type exists
+- Before claiming tests pass or build succeeds without running them

package/cursor/rules/002-verify-before-act.mdc

@@ -0,0 +1,28 @@
+---
+description: Requires Claude to read before writing, verify before installing, and confirm before destructive operations
+globs: ["**/*"]
+alwaysApply: true
+---
+
+# Verify Before Acting
+
+**Read before writing. Verify before installing. Confirm before deleting.**
+
+## Rules
+
+1. **Read before writing.** Before editing a file, read the current version. Never overwrite without knowing what's there. Never assume file contents from memory.
+
+2. **Verify package existence before installing.** Before running `npm install <pkg>`, `composer require <pkg>`, or any equivalent, confirm the package exists and its name is spelled correctly. Use the package registry, not your training data.
+
+3. **Confirm before destructive operations.** Before `git reset`, `git clean`, file deletion, or database drops — state what you're about to do and why. Wait for acknowledgement if there's any doubt.
+
+4. **Check current state before declaring it.** Before saying "the build passes" or "there are no TypeScript errors", run the check. Do not rely on previous results from earlier in the session.
+
+5. **Verify tool availability before use.** Before running a CLI tool (docker, act, composer, drush, etc.), check that it's installed. Don't assume availability.
+
+## When to apply
+
+- Before any write or edit operation
+- Before any `install`, `add`, `require`, or `update` command
+- Before any destructive git operation
+- Before any claim about current system state

package/cursor/rules/003-attribution.mdc

@@ -0,0 +1,36 @@
+---
+description: Prohibits AI attribution strings in commits, PR bodies, code comments, and client-facing content
+globs: ["**/*"]
+alwaysApply: true
+---
+
+# No AI Attribution in Client-Facing Content
+
+**Do not expose AI tooling in client git history, PR descriptions, or code comments.**
+
+## What to remove
+
+Remove these patterns from all commits, PR bodies, commit messages, and code:
+
+- `Co-Authored-By: Claude <noreply@anthropic.com>`
+- `Co-Authored-By: Claude ...` (any variant)
+- `Generated with Claude Code`
+- `🤖 Generated with [Claude Code](https://claude.com/claude-code)`
+- `claude.ai` references in commit messages or PR descriptions
+- AI assistant footers in PR templates
+
+## Enforcement
+
+- **commit-msg hook** strips attribution automatically from every commit message
+- This rule governs PR bodies and code comments, which the hook does not cover
+- Before running `gh pr create`, review the body — remove attribution strings manually
+
+## What's allowed
+
+- Internal tooling notes in `.claude/` config files (gitignored)
+- Documentation about the AI workflow in team-facing docs (e.g., `CONTRIBUTING.md`) when explicitly approved
+- Attribution in commits to internal/private BST repos where it's expected
+
+## Why
+
+Client projects are delivered work product. AI tooling attribution in git history creates unnecessary disclosure, may violate NDA scope, and makes commits less professional. The work speaks for itself.

package/hooks/attribution-advisory.sh

@@ -0,0 +1,74 @@
+#!/bin/bash
+# PreToolUse hook: attribution-advisory.sh
+# Fires BEFORE every Bash tool call.
+# Advisory only (exit 0 + stderr warning) — CANNOT rewrite tool input.
+#
+# Detects when a gh pr create / gh pr edit command body may contain AI
+# attribution strings and warns Claude to self-correct before submitting.
+#
+# Hook protocol: PreToolUse hooks can ONLY block (exit 2) or allow (exit 0).
+# This hook exits 0 in advisory mode and exits 2 only when HALT is active.
+# The commit-msg hook is the mechanical enforcement for git commits.
+#
+# Exit codes:
+#   0 = allow (advisory mode — always, unless HALT is active)
+#   2 = block (only when .reagent/HALT is present)
+
+set -uo pipefail
+
+# ── 1. Read ALL stdin immediately before doing anything else ──────────────────
+INPUT=$(cat)
+
+# ── 2. Dependency check ───────────────────────────────────────────────────────
+if ! command -v jq >/dev/null 2>&1; then
+  printf 'REAGENT ERROR: jq is required but not installed.\n' >&2
+  printf 'Install: brew install jq  OR  apt-get install -y jq\n' >&2
+  exit 2
+fi
+
+# ── 3. HALT check ─────────────────────────────────────────────────────────────
+REAGENT_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+HALT_FILE="${REAGENT_ROOT}/.reagent/HALT"
+if [ -f "$HALT_FILE" ]; then
+  printf 'REAGENT HALT: %s\nAll agent operations suspended. Run: reagent unfreeze\n' \
+    "$(cat "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
+  exit 2
+fi
+
+# ── 4. Parse tool_input.command from the hook payload ─────────────────────────
+CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+if [[ -z "$CMD" ]]; then
+  exit 0
+fi
+
+# ── 5. Only check gh pr commands ──────────────────────────────────────────────
+if ! printf '%s' "$CMD" | grep -qiE 'gh[[:space:]]+pr[[:space:]]+(create|edit)'; then
+  exit 0
+fi
+
+# ── 6. Check for attribution strings in the command ───────────────────────────
+FOUND_ATTRIBUTION=0
+
+if printf '%s' "$CMD" | grep -qiE '(Co-Authored-By:[[:space:]]+Claude|Generated with Claude Code|claude\.ai|🤖[[:space:]]+Generated)'; then
+  FOUND_ATTRIBUTION=1
+fi
+
+if [[ $FOUND_ATTRIBUTION -eq 1 ]]; then
+  {
+    printf 'ATTRIBUTION ADVISORY: gh pr command may include AI attribution strings.\n'
+    printf '\n'
+    printf '  Detected AI attribution pattern in gh pr create/edit command.\n'
+    printf '  Review the PR body before proceeding — remove:\n'
+    printf '    - Co-Authored-By: Claude ...\n'
+    printf '    - Generated with Claude Code\n'
+    printf '    - 🤖 Generated with ...\n'
+    printf '    - claude.ai references\n'
+    printf '\n'
+    printf '  Note: commit-msg hook strips attribution from git commits automatically.\n'
+    printf '  PR bodies must be cleaned manually — the commit-msg hook does not cover them.\n'
+  } >&2
+fi
+
+# Always allow in advisory mode
+exit 0

package/hooks/dangerous-bash-interceptor.sh

@@ -0,0 +1,287 @@
+#!/bin/bash
+# PreToolUse hook: dangerous-bash-interceptor.sh
+# Fires BEFORE every Bash tool call.
+# Detects destructive shell commands and blocks them (exit 2) or warns (exit 0).
+#
+# Compatible with: interactive sessions + headless Docker (no TTY required).
+# All diagnostic output goes to stderr only.
+#
+# Content extraction:
+#   Bash tool → tool_input.command
+#
+# Exit codes:
+#   0 = safe or advisory-only — allow the command to run
+#   2 = HIGH severity danger detected — block the command with feedback
+
+set -uo pipefail
+
+# ── 1. Read ALL stdin immediately before doing anything else ──────────────────
+INPUT=$(cat)
+
+# ── 2. Dependency check ───────────────────────────────────────────────────────
+if ! command -v jq >/dev/null 2>&1; then
+  printf 'REAGENT ERROR: jq is required but not installed.\n' >&2
+  printf 'Install: brew install jq  OR  apt-get install -y jq\n' >&2
+  exit 2
+fi
+
+# ── 3. HALT check ─────────────────────────────────────────────────────────────
+REAGENT_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+HALT_FILE="${REAGENT_ROOT}/.reagent/HALT"
+if [ -f "$HALT_FILE" ]; then
+  printf 'REAGENT HALT: %s\nAll agent operations suspended. Run: reagent unfreeze\n' \
+    "$(cat "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
+  exit 2
+fi
+
+# ── 4. Parse tool_input.command from the hook payload ─────────────────────────
+CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+if [[ -z "$CMD" ]]; then
+  exit 0
+fi
+
+# ── 5. Helper: truncate command for display ────────────────────────────────────
+truncate_cmd() {
+  local STR="$1"
+  local MAX=200
+  if [[ ${#STR} -gt $MAX ]]; then
+    printf '%s' "${STR:0:$MAX}..."
+  else
+    printf '%s' "$STR"
+  fi
+}
+
+# ── 6. Violation accumulators ──────────────────────────────────────────────────
+HIGH_FILE=$(mktemp "${TMPDIR:-/tmp}/reagent-bash-high-XXXXXX")
+MEDIUM_FILE=$(mktemp "${TMPDIR:-/tmp}/reagent-bash-medium-XXXXXX")
+
+cleanup_violations() {
+  rm -f "$HIGH_FILE" "$MEDIUM_FILE"
+}
+trap cleanup_violations EXIT
+
+add_high() {
+  local LABEL="$1"
+  local DETAIL="$2"
+  shift 2
+  printf 'HIGH|%s|%s\n' "$LABEL" "$DETAIL" >> "$HIGH_FILE"
+  for ALT in "$@"; do
+    printf 'ALT:%s\n' "$ALT" >> "$HIGH_FILE"
+  done
+  printf 'END_VIOLATION\n' >> "$HIGH_FILE"
+}
+
+add_medium() {
+  local LABEL="$1"
+  local DETAIL="$2"
+  shift 2
+  printf 'MEDIUM|%s|%s\n' "$LABEL" "$DETAIL" >> "$MEDIUM_FILE"
+  for ALT in "$@"; do
+    printf 'ALT:%s\n' "$ALT" >> "$MEDIUM_FILE"
+  done
+  printf 'END_VIOLATION\n' >> "$MEDIUM_FILE"
+}
+
+# ── 7. Per-segment evaluation helper ──────────────────────────────────────────
+# Split on &&, ||, ;, and newlines and test a pattern against each segment.
+# Returns 0 if ANY segment matches the pattern.
+any_segment_matches() {
+  local PATTERN="$1"
+  while IFS= read -r SEG; do
+    if printf '%s' "$SEG" | grep -qiE "$PATTERN"; then
+      return 0
+    fi
+  done < <(printf '%s' "$CMD" | sed 's/&&/\n/g; s/||/\n/g; s/;/\n/g')
+  return 1
+}
+
+# ── 8. Smart exclusion flags ──────────────────────────────────────────────────
+CMD_IS_REBASE_SAFE=0
+if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+(rebase)[[:space:]].*(--abort|--continue)'; then
+  CMD_IS_REBASE_SAFE=1
+fi
+
+CMD_IS_CLEAN_DRY=0
+if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+clean.*([ \t]-n|--dry-run)'; then
+  CMD_IS_CLEAN_DRY=1
+fi
+
+# ── 9. HIGH severity checks ────────────────────────────────────────────────────
+
+# H1: git push --force or -f (per-segment — prevents --force-with-lease poisoning)
+# A segment containing --force-with-lease is excluded; other segments are not.
+while IFS= read -r SEGMENT; do
+  SEGMENT=$(printf '%s' "$SEGMENT" | sed 's/^[[:space:]]*//')
+  [[ -z "$SEGMENT" ]] && continue
+  # Skip segments that use the safe --force-with-lease
+  if printf '%s' "$SEGMENT" | grep -qiE 'git[[:space:]]+push.*--force-with-lease'; then
+    continue
+  fi
+  if printf '%s' "$SEGMENT" | grep -qiE 'git[[:space:]]+push.*(--force|-f[[:space:]])' || \
+     printf '%s' "$SEGMENT" | grep -qiE 'git[[:space:]]+push.*(--force|-f)$'; then
+    add_high \
+      "git push --force — force push detected" \
+      "Force-pushing rewrites public history and breaks collaborators' local copies." \
+      "Alt: Use 'git push --force-with-lease' — blocks if upstream has new commits you haven't pulled."
+    break
+  fi
+done < <(printf '%s' "$CMD" | sed 's/&&/\n/g; s/||/\n/g; s/;/\n/g')
+
+# H2: git rebase — advisory (MEDIUM)
+if [[ $CMD_IS_REBASE_SAFE -eq 0 ]]; then
+  if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+rebase([[:space:]]|$)'; then
+    add_medium \
+      "git rebase — rewrites commit history (advisory)" \
+      "Rebase changes commit SHAs. Safe on local feature branches; dangerous on shared/published branches." \
+      "Alt: 'git merge origin/main' preserves history (creates merge commit)." \
+      "     'git rebase --abort' to cancel if in progress."
+  fi
+fi
+
+# H3: git checkout -- .
+if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+checkout[[:space:]]+--[[:space:]]+\.'; then
+  add_high \
+    "git checkout -- . — discards all uncommitted changes" \
+    "Overwrites working tree changes with HEAD. Uncommitted work is lost permanently." \
+    "Alt: 'git stash' to temporarily shelve changes, 'git restore <file>' for individual files."
+fi
+
+# H4: git restore . (any form — with or without --staged flag)
+if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+restore[[:space:]].*[[:space:]]\.([[:space:]]|$)' || \
+   printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+restore[[:space:]]+\.[[:space:]]*$'; then
+  add_high \
+    "git restore . — discards all uncommitted changes" \
+    "Restores every tracked file to HEAD, permanently discarding all working tree modifications." \
+    "Alt: 'git stash' to save changes temporarily, or restore individual files: 'git restore <file>'."
+fi
+
+# H5: git clean -f
+if [[ $CMD_IS_CLEAN_DRY -eq 0 ]]; then
+  if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+clean[[:space:]]+-[a-zA-Z]*f'; then
+    add_high \
+      "git clean -f — removes untracked files" \
+      "Permanently deletes untracked files from the working tree. Cannot be undone via git." \
+      "Alt: 'git clean -n' (dry-run) to preview what would be deleted before committing."
+  fi
+fi
+
+# H6: DROP TABLE or DROP DATABASE in psql
+if printf '%s' "$CMD" | grep -qiE '(psql|pgcli)[^|&;]*DROP[[:space:]]+(TABLE|DATABASE|SCHEMA)'; then
+  add_high \
+    "DROP TABLE/DATABASE via psql — destructive DDL" \
+    "Running destructive DDL directly in psql bypasses migration pipeline safety checks." \
+    "Alt: Use your project's migration tool. Never run DROP via ad-hoc psql."
+fi
+
+# H7: kill -9 with pgrep subshell
+if printf '%s' "$CMD" | grep -qiE 'kill[[:space:]]+-9[[:space:]]+(\$\(|`)'; then
+  add_high \
+    "kill -9 with pgrep subshell — aggressive process termination" \
+    "Sends SIGKILL to processes matched by name, which may kill unintended processes." \
+    "Alt: 'kill -15 <pid>' (SIGTERM) for graceful shutdown."
+fi
+
+# H8: killall -9
+if printf '%s' "$CMD" | grep -qiE 'killall[[:space:]]+-9[[:space:]]+\S'; then
+  add_high \
+    "killall -9 — SIGKILL all matching processes" \
+    "Immediately terminates all processes with the given name without cleanup." \
+    "Alt: 'killall -15 <name>' (SIGTERM) allows graceful shutdown."
+fi
+
+# H9: git commit --no-verify
+if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+commit.*--no-verify'; then
+  add_high \
+    "git commit --no-verify — skipping pre-commit hooks" \
+    "Bypasses all pre-commit safety gates including secret scanning and linting." \
+    "Alt: Fix the underlying hook failure rather than bypassing it."
+fi
+
+# H10: HUSKY=0 bypass — suppresses all git hooks without --no-verify
+if printf '%s' "$CMD" | grep -qiE '(^|[[:space:];]|&&|\|\|)HUSKY=0[[:space:]]+git[[:space:]]+(commit|push|tag)'; then
+  add_high \
+    "HUSKY=0 — bypasses all husky git hooks" \
+    "Setting HUSKY=0 disables pre-commit, commit-msg, and pre-push safety gates without --no-verify." \
+    "Alt: Fix the underlying hook failure rather than suppressing all hooks."
+fi
+
+# H11: rm -rf with broad targets
+# Covers combined flags (rm -rf, rm -fr), split flags (rm -r -f), and long flags (rm --recursive --force)
+BROAD_TARGETS='(\/|~\/|\.\/\*|\*|\.|src|dist|build|node_modules)'
+if printf '%s' "$CMD" | grep -qiE "rm[[:space:]]+-[a-zA-Z]*r[a-zA-Z]*f[[:space:]]+${BROAD_TARGETS}" || \
+   printf '%s' "$CMD" | grep -qiE "rm[[:space:]]+-[a-zA-Z]*f[a-zA-Z]*r[[:space:]]+${BROAD_TARGETS}" || \
+   printf '%s' "$CMD" | grep -qiE "rm[[:space:]]+-[a-zA-Z]*r[[:space:]]+-[a-zA-Z]*f[[:space:]]+${BROAD_TARGETS}" || \
+   printf '%s' "$CMD" | grep -qiE "rm[[:space:]]+-[a-zA-Z]*f[[:space:]]+-[a-zA-Z]*r[[:space:]]+${BROAD_TARGETS}" || \
+   printf '%s' "$CMD" | grep -qiE "rm[[:space:]]+--recursive[[:space:]]+--force[[:space:]]+${BROAD_TARGETS}" || \
+   printf '%s' "$CMD" | grep -qiE "rm[[:space:]]+--force[[:space:]]+--recursive[[:space:]]+${BROAD_TARGETS}"; then
+  add_high \
+    "rm -rf with broad target — mass file deletion" \
+    "Permanently deletes files and directories. Cannot be undone." \
+    "Alt: Move to a temp location first, or use 'rm -ri' for interactive deletion."
+fi
+
+# H12: curl/wget piped directly to shell (supply chain attack vector)
+if printf '%s' "$CMD" | grep -qiE '(curl|wget)[^|]*\|[[:space:]]*(bash|sh|zsh|fish)'; then
+  add_high \
+    "curl/wget piped to shell — remote code execution" \
+    "Executing remote scripts without inspection is a major supply chain risk." \
+    "Alt: Download first, inspect the script, then execute: curl -o script.sh URL && cat script.sh && bash script.sh"
+fi
+
+# ── 10. MEDIUM severity checks ────────────────────────────────────────────────
+
+# M1: npm install --force
+if printf '%s' "$CMD" | grep -qiE 'npm[[:space:]]+(install|i)[[:space:]].*--force'; then
+  add_medium \
+    "npm install --force — bypasses dependency resolution" \
+    "--force skips conflict checks and can install incompatible package versions." \
+    "Alt: Resolve the dependency conflict explicitly. Use --legacy-peer-deps if needed."
+fi
+
+# ── 11. Evaluate and report ───────────────────────────────────────────────────
+
+TRUNCATED_CMD=$(truncate_cmd "$CMD")
+
+print_violations() {
+  local VF="$1"
+  local NOTE_LABEL="$2"
+  while IFS= read -r LINE; do
+    case "$LINE" in
+      HIGH\|*|MEDIUM\|*)
+        local SEV LABEL DETAIL
+        SEV=$(printf '%s' "$LINE" | cut -d'|' -f1)
+        LABEL=$(printf '%s' "$LINE" | cut -d'|' -f2)
+        DETAIL=$(printf '%s' "$LINE" | cut -d'|' -f3)
+        printf '  %s: %s\n' "$SEV" "$LABEL"
+        printf '  %s: %s\n' "$NOTE_LABEL" "$DETAIL"
+        ;;
+      ALT:*)
+        printf '  %s\n' "${LINE#ALT:}"
+        ;;
+      END_VIOLATION)
+        printf '\n'
+        ;;
+    esac
+  done < "$VF"
+}
+
+if [[ -s "$HIGH_FILE" ]]; then
+  {
+    printf 'BASH INTERCEPTED: Dangerous command blocked\n'
+    print_violations "$HIGH_FILE" "Reason"
+    printf '  BLOCKED COMMAND: %s\n' "$TRUNCATED_CMD"
+  } >&2
+  exit 2
+fi
+
+if [[ -s "$MEDIUM_FILE" ]]; then
+  {
+    printf 'BASH ADVISORY: Potentially risky command (not blocked)\n'
+    print_violations "$MEDIUM_FILE" "Note"
+    printf '  COMMAND: %s\n' "$TRUNCATED_CMD"
+  } >&2
+  exit 0
+fi
+
+exit 0