@bookedsolid/reagent 0.4.0 → 0.5.0

package/hooks/commit-review-gate.sh

@@ -0,0 +1,131 @@
+#!/bin/bash
+# PreToolUse hook: commit-review-gate.sh
+# Fires BEFORE every Bash tool call that matches "git commit".
+# Implements a triage-based review gate:
+#   - trivial (<20 changed lines, non-sensitive paths) → pass immediately
+#   - standard (20-200 lines) → check review cache, pass if cached
+#   - significant (>200 lines or sensitive paths) → block, request agent review
+#
+# Exit codes:
+#   0 = allow (trivial change, or cached review found)
+#   2 = block (needs review — returns additionalContext for agent)
+
+set -uo pipefail
+
+# ── 1. Read ALL stdin immediately ─────────────────────────────────────────────
+INPUT=$(cat)
+
+# ── 2. Dependency check ──────────────────────────────────────────────────────
+if ! command -v jq >/dev/null 2>&1; then
+  printf 'REAGENT ERROR: jq is required but not installed.\n' >&2
+  printf 'Install: brew install jq  OR  apt-get install -y jq\n' >&2
+  exit 2
+fi
+
+# ── 3. HALT check ────────────────────────────────────────────────────────────
+REAGENT_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+HALT_FILE="${REAGENT_ROOT}/.reagent/HALT"
+if [ -f "$HALT_FILE" ]; then
+  printf 'REAGENT HALT: %s\nAll agent operations suspended. Run: reagent unfreeze\n' \
+    "$(head -c 1024 "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
+  exit 2
+fi
+
+# ── 4. Parse command ──────────────────────────────────────────────────────────
+CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+if [[ -z "$CMD" ]]; then
+  exit 0
+fi
+
+# Only trigger on git commit commands
+if ! printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+commit'; then
+  exit 0
+fi
+
+# Skip --amend (reviewing amendments is a future feature)
+if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+commit.*--amend'; then
+  exit 0
+fi
+
+# ── 5. Check if quality gates are enabled ─────────────────────────────────────
+# Fail-open if policy doesn't exist or doesn't have quality_gates
+POLICY_FILE="${REAGENT_ROOT}/.reagent/policy.yaml"
+if [[ -f "$POLICY_FILE" ]]; then
+  if grep -qE '^quality_gates:' "$POLICY_FILE" 2>/dev/null; then
+    if grep -qE 'commit_review:[[:space:]]*false' "$POLICY_FILE" 2>/dev/null; then
+      exit 0
+    fi
+  fi
+fi
+
+# ── 6. Compute diff stats ────────────────────────────────────────────────────
+# Get staged diff (what would be committed)
+DIFF_OUTPUT=$(cd "$REAGENT_ROOT" && git diff --cached --stat 2>/dev/null || echo "")
+DIFF_FULL=$(cd "$REAGENT_ROOT" && git diff --cached 2>/dev/null || echo "")
+
+if [[ -z "$DIFF_OUTPUT" ]]; then
+  # No staged changes — let git commit handle the error
+  exit 0
+fi
+
+# Count changed lines (additions + deletions)
+LINE_COUNT=$(printf '%s' "$DIFF_FULL" | grep -cE '^\+[^+]|^-[^-]' 2>/dev/null || echo "0")
+
+# Check for sensitive paths
+SENSITIVE=0
+SENSITIVE_FILES=""
+if printf '%s' "$DIFF_FULL" | grep -qE '^\+\+\+ .*(\.reagent/|\.claude/|\.env|auth|security|\.github/workflows)'; then
+  SENSITIVE=1
+  SENSITIVE_FILES=$(printf '%s' "$DIFF_FULL" | grep -oE '^\+\+\+ .*(\.reagent/|\.claude/|\.env|auth|security|\.github/workflows)[^ ]*' | sed 's/^\+\+\+ [ab]\//  /' | head -5)
+fi
+
+# ── 7. Triage scoring ────────────────────────────────────────────────────────
+TRIVIAL_THRESHOLD=20
+SIGNIFICANT_THRESHOLD=200
+
+if [[ $SENSITIVE -eq 1 ]] || [[ $LINE_COUNT -gt $SIGNIFICANT_THRESHOLD ]]; then
+  SCORE="significant"
+elif [[ $LINE_COUNT -ge $TRIVIAL_THRESHOLD ]]; then
+  SCORE="standard"
+else
+  SCORE="trivial"
+fi
+
+# ── 8. Trivial → pass immediately ─────────────────────────────────────────────
+if [[ "$SCORE" == "trivial" ]]; then
+  exit 0
+fi
+
+# ── 9. Standard → check review cache ─────────────────────────────────────────
+if [[ "$SCORE" == "standard" ]]; then
+  # Compute SHA of staged content for cache lookup
+  STAGED_SHA=$(cd "$REAGENT_ROOT" && git diff --cached | shasum -a 256 | cut -d' ' -f1 2>/dev/null || echo "")
+  BRANCH=$(cd "$REAGENT_ROOT" && git branch --show-current 2>/dev/null || echo "")
+
+  if [[ -n "$STAGED_SHA" ]]; then
+    # Check review cache via reagent CLI
+    CACHE_RESULT=$(node "${REAGENT_ROOT}/node_modules/.bin/reagent" cache check "$STAGED_SHA" --branch "$BRANCH" 2>/dev/null || echo '{"hit":false}')
+    if printf '%s' "$CACHE_RESULT" | jq -e '.hit == true' >/dev/null 2>&1; then
+      exit 0
+    fi
+  fi
+fi
+
+# ── 10. Block and request review ──────────────────────────────────────────────
+{
+  printf 'COMMIT REVIEW GATE: Review required before committing\n'
+  printf '\n'
+  printf '  Score: %s (%s changed lines)\n' "$SCORE" "$LINE_COUNT"
+  if [[ $SENSITIVE -eq 1 ]]; then
+    printf '  Sensitive paths detected:\n'
+    printf '%s\n' "$SENSITIVE_FILES"
+  fi
+  printf '\n'
+  printf '  Action required: Spawn a code-reviewer agent to review the staged changes.\n'
+  printf '  The reviewer should produce structured JSON output with findings.\n'
+  printf '  After review, cache the result with: reagent cache set <sha> pass\n'
+  printf '\n'
+  printf '  To review staged changes: git diff --cached\n'
+} >&2
+exit 2

package/hooks/dangerous-bash-interceptor.sh

@@ -229,6 +229,38 @@ if printf '%s' "$CMD" | grep -qiE '(curl|wget)[^|]*\|[[:space:]]*(bash|sh|zsh|fi
     "Alt: Download first, inspect the script, then execute: curl -o script.sh URL && cat script.sh && bash script.sh"
 fi
 
+# H13: git push --no-verify — bypasses pre-push hooks
+if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+push.*--no-verify'; then
+  add_high \
+    "git push --no-verify — skipping pre-push hooks" \
+    "Bypasses all pre-push safety gates including CI checks." \
+    "Alt: Fix the underlying hook failure rather than bypassing it."
+fi
+
+# H14: git -c core.hooksPath= — redirects or disables hook execution
+if printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+-c[[:space:]]+core\.hookspath'; then
+  add_high \
+    "git -c core.hooksPath — overriding hooks directory" \
+    "Redirecting the hooks path can disable all safety hooks." \
+    "Alt: Fix the underlying hook issue. Do not bypass the hooks directory."
+fi
+
+# H15: REAGENT_BYPASS env var — attempted escape hatch
+if printf '%s' "$CMD" | grep -qiE '(^|[[:space:];]|&&|\|\|)REAGENT_BYPASS[[:space:]]*='; then
+  add_high \
+    "REAGENT_BYPASS env var — unauthorized bypass attempt" \
+    "Setting REAGENT_BYPASS is not a supported escape mechanism and indicates a bypass attempt." \
+    "Alt: If you need to override a gate, request human escalation."
+fi
+
+# H16: alias/function definitions containing bypass strings
+if printf '%s' "$CMD" | grep -qiE '(alias|function)[[:space:]]+[a-zA-Z_]+.*(--(no-verify|force)|HUSKY=0|core\.hookspath)'; then
+  add_high \
+    "Alias/function definition with bypass — circumventing safety gates" \
+    "Defining aliases or functions that embed bypass flags defeats safety hooks." \
+    "Alt: Do not wrap bypass patterns in aliases or functions."
+fi
+
 # ── 10. MEDIUM severity checks ────────────────────────────────────────────────
 
 # M1: npm install --force

package/hooks/dependency-audit-gate.sh

@@ -0,0 +1,118 @@
+#!/bin/bash
+# PreToolUse hook: dependency-audit-gate.sh
+# Fires BEFORE every Bash tool call.
+# Detects package install commands (npm install, pnpm add, yarn add) and
+# verifies the package exists on the registry before allowing the install.
+#
+# Exit codes:
+#   0 = allow (not an install command, or package verified)
+#   2 = block (package not found on registry)
+
+set -uo pipefail
+
+# ── 1. Read ALL stdin immediately ─────────────────────────────────────────────
+INPUT=$(cat)
+
+# ── 2. Dependency check ──────────────────────────────────────────────────────
+if ! command -v jq >/dev/null 2>&1; then
+  printf 'REAGENT ERROR: jq is required but not installed.\n' >&2
+  printf 'Install: brew install jq  OR  apt-get install -y jq\n' >&2
+  exit 2
+fi
+
+# ── 3. HALT check ────────────────────────────────────────────────────────────
+REAGENT_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+HALT_FILE="${REAGENT_ROOT}/.reagent/HALT"
+if [ -f "$HALT_FILE" ]; then
+  printf 'REAGENT HALT: %s\nAll agent operations suspended. Run: reagent unfreeze\n' \
+    "$(head -c 1024 "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
+  exit 2
+fi
+
+# ── 4. Parse command ──────────────────────────────────────────────────────────
+CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+if [[ -z "$CMD" ]]; then
+  exit 0
+fi
+
+# ── 5. Detect package install commands ────────────────────────────────────────
+# Match: npm install <pkg>, npm i <pkg>, pnpm add <pkg>, yarn add <pkg>
+# Skip: npm install (no args), npm ci, npm install --save-dev (without new pkg)
+
+extract_packages() {
+  local cmd="$1"
+
+  # npm install/add with packages (skip flags and local paths)
+  if printf '%s' "$cmd" | grep -qiE '(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install)|yarn[[:space:]]+add)[[:space:]]'; then
+    # Extract the part after the install command
+    local after_cmd
+    after_cmd=$(printf '%s' "$cmd" | sed -E 's/.*(npm[[:space:]]+(install|i|add)|pnpm[[:space:]]+(add|install)|yarn[[:space:]]+add)[[:space:]]+//')
+
+    # Split on spaces and filter
+    for token in $after_cmd; do
+      # Skip flags
+      if [[ "$token" == -* ]]; then continue; fi
+      # Skip local paths
+      if [[ "$token" == ./* || "$token" == /* || "$token" == ../* ]]; then continue; fi
+      # Skip empty
+      if [[ -z "$token" ]]; then continue; fi
+      # Strip version specifier for lookup
+      local pkg_name
+      pkg_name=$(printf '%s' "$token" | sed -E 's/@[^@/]+$//')
+      # Handle scoped packages (@scope/name)
+      if [[ -z "$pkg_name" ]]; then
+        pkg_name="$token"
+      fi
+      printf '%s\n' "$pkg_name"
+    done
+  fi
+}
+
+PACKAGES=$(extract_packages "$CMD")
+
+if [[ -z "$PACKAGES" ]]; then
+  exit 0
+fi
+
+# ── 6. Verify packages exist on registry ──────────────────────────────────────
+FAILED=""
+CHECKED=0
+
+while IFS= read -r pkg; do
+  [[ -z "$pkg" ]] && continue
+  CHECKED=$((CHECKED + 1))
+
+  # Cap at 5 packages per command to avoid slow hook
+  if [[ $CHECKED -gt 5 ]]; then
+    break
+  fi
+
+  # Use npm view to check if package exists
+  # macOS doesn't have `timeout` by default, use a background process with kill
+  if command -v timeout >/dev/null 2>&1; then
+    if ! timeout 5 npm view "$pkg" name >/dev/null 2>&1; then
+      FAILED="${FAILED}  - ${pkg}\n"
+    fi
+  else
+    # Fallback: run npm view without timeout (still fast for simple checks)
+    if ! npm view "$pkg" name >/dev/null 2>&1; then
+      FAILED="${FAILED}  - ${pkg}\n"
+    fi
+  fi
+done <<< "$PACKAGES"
+
+if [[ -n "$FAILED" ]]; then
+  {
+    printf 'DEPENDENCY AUDIT: Package not found on npm registry\n'
+    printf '\n'
+    printf '  The following packages could not be verified:\n'
+    printf '%b' "$FAILED"
+    printf '\n'
+    printf '  Rule: All packages must exist on the npm registry before installation.\n'
+    printf '  Check: Is the package name spelled correctly? Does it exist on npmjs.com?\n'
+  } >&2
+  exit 2
+fi
+
+exit 0

package/hooks/push-review-gate.sh

@@ -0,0 +1,105 @@
+#!/bin/bash
+# PreToolUse hook: push-review-gate.sh
+# Fires BEFORE every Bash tool call that matches "git push".
+# Runs a full diff analysis against the target branch and requests
+# security + code review before allowing the push.
+#
+# Exit codes:
+#   0 = allow (no meaningful diff, or review cached)
+#   2 = block (needs review)
+
+set -uo pipefail
+
+# ── 1. Read ALL stdin immediately ─────────────────────────────────────────────
+INPUT=$(cat)
+
+# ── 2. Dependency check ──────────────────────────────────────────────────────
+if ! command -v jq >/dev/null 2>&1; then
+  printf 'REAGENT ERROR: jq is required but not installed.\n' >&2
+  printf 'Install: brew install jq  OR  apt-get install -y jq\n' >&2
+  exit 2
+fi
+
+# ── 3. HALT check ────────────────────────────────────────────────────────────
+REAGENT_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+HALT_FILE="${REAGENT_ROOT}/.reagent/HALT"
+if [ -f "$HALT_FILE" ]; then
+  printf 'REAGENT HALT: %s\nAll agent operations suspended. Run: reagent unfreeze\n' \
+    "$(head -c 1024 "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
+  exit 2
+fi
+
+# ── 4. Parse command ──────────────────────────────────────────────────────────
+CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+if [[ -z "$CMD" ]]; then
+  exit 0
+fi
+
+# Only trigger on git push commands
+if ! printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+push'; then
+  exit 0
+fi
+
+# ── 5. Check if quality gates are enabled ─────────────────────────────────────
+POLICY_FILE="${REAGENT_ROOT}/.reagent/policy.yaml"
+if [[ -f "$POLICY_FILE" ]]; then
+  if grep -qE 'push_review:[[:space:]]*false' "$POLICY_FILE" 2>/dev/null; then
+    exit 0
+  fi
+fi
+
+# ── 6. Determine target branch ───────────────────────────────────────────────
+CURRENT_BRANCH=$(cd "$REAGENT_ROOT" && git branch --show-current 2>/dev/null || echo "")
+TARGET_BRANCH="main"
+
+# Try to extract target from push command (git push origin <branch>)
+PUSH_TARGET=$(printf '%s' "$CMD" | grep -oE 'git[[:space:]]+push[[:space:]]+[a-zA-Z_-]+[[:space:]]+([a-zA-Z0-9/_-]+)' | awk '{print $NF}' 2>/dev/null || echo "")
+if [[ -n "$PUSH_TARGET" ]]; then
+  TARGET_BRANCH="$PUSH_TARGET"
+fi
+
+# ── 7. Get diff against target ───────────────────────────────────────────────
+MERGE_BASE=$(cd "$REAGENT_ROOT" && git merge-base "$TARGET_BRANCH" HEAD 2>/dev/null || echo "")
+
+if [[ -z "$MERGE_BASE" ]]; then
+  # Can't determine merge base — fail-open
+  exit 0
+fi
+
+DIFF_FULL=$(cd "$REAGENT_ROOT" && git diff "$MERGE_BASE"...HEAD 2>/dev/null || echo "")
+
+if [[ -z "$DIFF_FULL" ]]; then
+  # No diff — nothing to review
+  exit 0
+fi
+
+LINE_COUNT=$(printf '%s' "$DIFF_FULL" | grep -cE '^\+[^+]|^-[^-]' 2>/dev/null || echo "0")
+
+# ── 8. Check review cache ────────────────────────────────────────────────────
+PUSH_SHA=$(printf '%s' "$DIFF_FULL" | shasum -a 256 | cut -d' ' -f1 2>/dev/null || echo "")
+
+if [[ -n "$PUSH_SHA" ]]; then
+  CACHE_RESULT=$(node "${REAGENT_ROOT}/node_modules/.bin/reagent" cache check "$PUSH_SHA" --branch "$CURRENT_BRANCH" --base "$TARGET_BRANCH" 2>/dev/null || echo '{"hit":false}')
+  if printf '%s' "$CACHE_RESULT" | jq -e '.hit == true' >/dev/null 2>&1; then
+    exit 0
+  fi
+fi
+
+# ── 9. Block and request review ──────────────────────────────────────────────
+FILE_COUNT=$(printf '%s' "$DIFF_FULL" | grep -c '^\+\+\+ ' 2>/dev/null || echo "0")
+
+{
+  printf 'PUSH REVIEW GATE: Review required before pushing\n'
+  printf '\n'
+  printf '  Branch: %s → %s\n' "$CURRENT_BRANCH" "$TARGET_BRANCH"
+  printf '  Scope: %s files changed, %s lines\n' "$FILE_COUNT" "$LINE_COUNT"
+  printf '\n'
+  printf '  Action required:\n'
+  printf '  1. Spawn a code-reviewer agent to review: git diff %s...HEAD\n' "$MERGE_BASE"
+  printf '  2. Spawn a security-engineer agent for security review\n'
+  printf '  3. After both pass, cache the result:\n'
+  printf '     reagent cache set %s pass --branch %s --base %s\n' "$PUSH_SHA" "$CURRENT_BRANCH" "$TARGET_BRANCH"
+  printf '\n'
+} >&2
+exit 2

package/hooks/settings-protection.sh

@@ -0,0 +1,145 @@
+#!/bin/bash
+# PreToolUse hook: settings-protection.sh
+# Fires BEFORE every Write or Edit tool call.
+# Blocks modifications to critical configuration files that, if tampered with,
+# would disable the entire hook safety layer.
+#
+# Protected paths:
+#   .claude/settings.json       — hook configuration
+#   .claude/settings.local.json — local hook overrides
+#   .claude/hooks/*             — hook scripts themselves
+#   .husky/*                    — git hook scripts
+#   .reagent/policy.yaml        — autonomy/blocking policy
+#   .reagent/HALT               — kill switch file
+#   .reagent/review-cache.json  — review cache (integrity-sensitive)
+#
+# Exit codes:
+#   0 = allow (path not protected)
+#   2 = block (protected path modification attempt)
+
+set -uo pipefail
+
+# ── 1. Read ALL stdin immediately ─────────────────────────────────────────────
+INPUT=$(cat)
+
+# ── 2. Dependency check ──────────────────────────────────────────────────────
+if ! command -v jq >/dev/null 2>&1; then
+  printf 'REAGENT ERROR: jq is required but not installed.\n' >&2
+  printf 'Install: brew install jq  OR  apt-get install -y jq\n' >&2
+  exit 2
+fi
+
+# ── 3. HALT check ────────────────────────────────────────────────────────────
+REAGENT_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+HALT_FILE="${REAGENT_ROOT}/.reagent/HALT"
+if [ -f "$HALT_FILE" ]; then
+  printf 'REAGENT HALT: %s\nAll agent operations suspended. Run: reagent unfreeze\n' \
+    "$(head -c 1024 "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
+  exit 2
+fi
+
+# ── 4. Extract file path from payload ─────────────────────────────────────────
+FILE_PATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+
+if [[ -z "$FILE_PATH" ]]; then
+  exit 0
+fi
+
+# ── 5. Normalize path for comparison ──────────────────────────────────────────
+# Convert to relative path from project root for consistent matching
+normalize_path() {
+  local p="$1"
+  local root="$REAGENT_ROOT"
+
+  # Strip project root prefix if present
+  if [[ "$p" == "$root"/* ]]; then
+    p="${p#$root/}"
+  fi
+
+  # URL decode common sequences
+  p=$(printf '%s' "$p" | sed 's/%2[Ff]/\//g; s/%2[Ee]/./g; s/%20/ /g')
+
+  # Collapse path traversals
+  # Remove ./ components
+  p=$(printf '%s' "$p" | sed 's|\./||g')
+
+  # Remove leading ./
+  p="${p#./}"
+
+  printf '%s' "$p"
+}
+
+NORMALIZED=$(normalize_path "$FILE_PATH")
+
+# ── 6. Protected path patterns ────────────────────────────────────────────────
+PROTECTED_PATTERNS=(
+  '.claude/settings.json'
+  '.claude/settings.local.json'
+  '.claude/hooks/'
+  '.husky/'
+  '.reagent/policy.yaml'
+  '.reagent/HALT'
+  '.reagent/review-cache.json'
+)
+
+for pattern in "${PROTECTED_PATTERNS[@]}"; do
+  # Exact match
+  if [[ "$NORMALIZED" == "$pattern" ]]; then
+    {
+      printf 'SETTINGS PROTECTION: Modification blocked\n'
+      printf '\n'
+      printf '  File: %s\n' "$FILE_PATH"
+      printf '  Rule: This file is protected from agent modification.\n'
+      printf '\n'
+      printf '  Protected files include hook scripts, settings, policy,\n'
+      printf '  and kill switch files. These must be modified by humans\n'
+      printf '  via reagent CLI or direct editing.\n'
+      printf '\n'
+      printf '  Use: reagent init (to update hooks/settings)\n'
+      printf '       reagent freeze/unfreeze (for HALT file)\n'
+      printf '       Edit .reagent/policy.yaml manually\n'
+    } >&2
+    exit 2
+  fi
+
+  # Directory prefix match (patterns ending in /)
+  if [[ "$pattern" == */ ]] && [[ "$NORMALIZED" == "$pattern"* ]]; then
+    {
+      printf 'SETTINGS PROTECTION: Modification blocked\n'
+      printf '\n'
+      printf '  File: %s\n' "$FILE_PATH"
+      printf '  Rule: Files under %s are protected from agent modification.\n' "$pattern"
+      printf '\n'
+      printf '  These files control the hook safety layer and must be\n'
+      printf '  modified by humans via reagent CLI or direct editing.\n'
+    } >&2
+    exit 2
+  fi
+done
+
+# ── 7. Case-insensitive fallback check ────────────────────────────────────────
+# Catch case-manipulation bypass attempts (e.g., .Claude/Settings.json)
+LOWER_NORM=$(printf '%s' "$NORMALIZED" | tr '[:upper:]' '[:lower:]')
+for pattern in "${PROTECTED_PATTERNS[@]}"; do
+  LOWER_PATTERN=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
+  if [[ "$LOWER_NORM" == "$LOWER_PATTERN" ]]; then
+    {
+      printf 'SETTINGS PROTECTION: Modification blocked (case-insensitive match)\n'
+      printf '\n'
+      printf '  File: %s\n' "$FILE_PATH"
+      printf '  Matched: %s\n' "$pattern"
+    } >&2
+    exit 2
+  fi
+  if [[ "$LOWER_PATTERN" == */ ]] && [[ "$LOWER_NORM" == "$LOWER_PATTERN"* ]]; then
+    {
+      printf 'SETTINGS PROTECTION: Modification blocked (case-insensitive match)\n'
+      printf '\n'
+      printf '  File: %s\n' "$FILE_PATH"
+      printf '  Matched: %s*\n' "$pattern"
+    } >&2
+    exit 2
+  fi
+done
+
+exit 0

package/hooks/task-link-gate.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+# PreToolUse hook: task-link-gate.sh
+# Fires BEFORE every Bash tool call that matches "git commit".
+# Checks that the commit message references a task ID (T-NNN format).
+#
+# OPT-IN: Only enforces when .reagent/policy.yaml contains:
+#   task_link_gate: true
+#
+# Exit codes:
+#   0 = allow (disabled, task ref found, or not a commit command)
+#   2 = block (no task reference in commit message)
+
+set -uo pipefail
+
+# ── 1. Read ALL stdin immediately ─────────────────────────────────────────────
+INPUT=$(cat)
+
+# ── 2. Dependency check ──────────────────────────────────────────────────────
+if ! command -v jq >/dev/null 2>&1; then
+  printf 'REAGENT ERROR: jq is required but not installed.\n' >&2
+  printf 'Install: brew install jq  OR  apt-get install -y jq\n' >&2
+  exit 2
+fi
+
+# ── 3. HALT check ────────────────────────────────────────────────────────────
+REAGENT_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+HALT_FILE="${REAGENT_ROOT}/.reagent/HALT"
+if [ -f "$HALT_FILE" ]; then
+  printf 'REAGENT HALT: %s\nAll agent operations suspended. Run: reagent unfreeze\n' \
+    "$(head -c 1024 "$HALT_FILE" 2>/dev/null || echo 'Reason unknown')" >&2
+  exit 2
+fi
+
+# ── 4. Check if task link gate is enabled (opt-in) ───────────────────────────
+POLICY_FILE="${REAGENT_ROOT}/.reagent/policy.yaml"
+if [[ ! -f "$POLICY_FILE" ]]; then
+  exit 0
+fi
+if ! grep -qE '^task_link_gate:[[:space:]]*true' "$POLICY_FILE" 2>/dev/null; then
+  exit 0
+fi
+
+# ── 5. Parse command ──────────────────────────────────────────────────────────
+CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+if [[ -z "$CMD" ]]; then
+  exit 0
+fi
+
+# Only trigger on git commit commands
+if ! printf '%s' "$CMD" | grep -qiE 'git[[:space:]]+commit'; then
+  exit 0
+fi
+
+# ── 6. Check for task ID reference (T-NNN) ───────────────────────────────────
+if printf '%s' "$CMD" | grep -qE 'T-[0-9]+'; then
+  exit 0
+fi
+
+# ── 7. Block — no task reference ──────────────────────────────────────────────
+{
+  printf 'TASK LINK GATE: Commit message must reference a task ID\n'
+  printf '\n'
+  printf '  Pattern: T-NNN (e.g., T-001, T-042)\n'
+  printf '  Example: git commit -m "feat: implement cache CLI (T-012)"\n'
+  printf '\n'
+  printf '  To disable: set task_link_gate: false in .reagent/policy.yaml\n'
+  printf '  To see tasks: /tasks\n'
+} >&2
+exit 2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/reagent",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "Zero-trust MCP gateway — policy enforcement, secret redaction, and audit logging for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",

package/profiles/bst-internal.json

@@ -8,6 +8,12 @@
   "cursorRules": ["001-no-hallucination", "002-verify-before-act", "003-attribution"],
   "blockedPaths": [".reagent/", ".env"],
   "gitignoreEntries": [".claude/agents/", ".claude/hooks/", ".claude/settings.json", "RESTART.md"],
+  "qualityGates": {
+    "commitReview": { "enabled": true, "trivialThreshold": 20, "significantThreshold": 200 },
+    "pushReview": { "enabled": true },
+    "architectureAdvisory": { "enabled": true }
+  },
+  "pm": { "enabled": true, "taskLinkGate": false, "maxOpenTasks": 50 },
   "claudeMd": {
     "preflightCmd": "pnpm preflight",
     "attributionRule": "Do NOT include AI attribution in commits, PR bodies, code comments, or any content. When block_ai_attribution is enabled in .reagent/policy.yaml, the commit-msg hook REJECTS commits containing structural AI attribution (Co-Authored-By with AI names, 'Generated with [Tool]' footers, etc.). The attribution-advisory hook also blocks gh pr create/edit and git commit commands with attribution. You must remove all attribution markers before committing — the hooks will NOT silently fix them."
@@ -16,17 +22,28 @@
     "PreToolUse": [
       {
         "matcher": "Bash",
-        "hooks": ["dangerous-bash-interceptor", "env-file-protection"]
+        "hooks": [
+          "dangerous-bash-interceptor",
+          "env-file-protection",
+          "dependency-audit-gate",
+          "commit-review-gate",
+          "push-review-gate"
+        ]
       },
       {
         "matcher": "Write|Edit",
-        "hooks": ["secret-scanner"]
+        "hooks": ["secret-scanner", "settings-protection", "blocked-paths-enforcer"]
       },
       {
         "matcher": "Bash",
         "hooks": ["attribution-advisory"]
       }
     ],
-    "PostToolUse": []
+    "PostToolUse": [
+      {
+        "matcher": "Write|Edit",
+        "hooks": ["architecture-review-gate"]
+      }
+    ]
   }
 }