fix(cli,hooks,middleware): governance recovery + audit integrity + base-branch resolution + audit-chain corruption-tolerance (Defects S+P+N+T+U) (0.10.2)

[himerus]

Summary

0.10.2 patch rolling five independent fixes into one release. S, P, and N were the original 0.10.1 scope that never shipped standalone — T and U surfaced on the same working tree and ship together rather than as a same-day follow-up patch. Package bump remains patch (0.10.0 → 0.10.2; 0.10.1 superseded).

Defect S — TOFU drift recovery CLI (HIGH, governance recovery)

New rea tofu list [--json] / rea tofu accept <name> [--reason] CLI closes the gap where gateways spawned indirectly (Claude Code via .mcp.json, systemd units, wrapper spawns) have no env-injection surface for REA_ACCEPT_DRIFT. Legitimate registry edits no longer require hand-editing .rea/fingerprints.json or restarting the gateway with environment scaffolding. Accept emits a tofu.drift_accepted_by_cli audit record carrying stored + current fingerprints + operator reason on the hash chain. Drift banner in src/registry/tofu-gate.ts and rea doctor both point at the new CLI.

Defect P — codex.review forgery surface closed (CRITICAL, integrity)

AuditRecord gains a required emission_source field (\"rea-cli\" | \"codex-cli\" | \"other\") hashed into the chain. The public appendAuditRecord() helper always stamps \"other\"; the new appendCodexReviewAuditRecord() helper is the only write path that stamps \"rea-cli\" and is only reachable through rea audit record codex-review (Write-tier Bash, defect E). Push-review gate's jq predicate now requires .emission_source == \"rea-cli\" or \"codex-cli\" for codex.review lookups — records written through the generic helper (stamped \"other\") and legacy pre-0.10.2 records (field missing) are rejected. Forgery surface that .reports/hook-patches/emit-audit-*.mjs exploited is closed.

Upgrade effect: First push per branch after upgrade requires a fresh rea audit record codex-review invocation. Subsequent pushes hit the cache normally. CI pipelines bridge with REA_SKIP_CODEX_REVIEW=<reason> or pre-stamp with rea audit record codex-review ... --also-set-cache before upgrading.

Defect N — base-branch resolution consults branch.<name>.base (MEDIUM, partial)

hooks/_lib/push-review-core.sh new-branch merge-base resolution now consults git config branch.<source>.base <ref> BEFORE falling back to origin/HEAD. Operator opt-in only; no default behavior change. configured_base reset per refspec-loop iteration (Codex 0.10.1 finding #1). Fail-loud-no-base and general Target:-label fix deferred to defect G's TypeScript port.

Defect T — audit writer serialization self-check (MEDIUM, integrity) — NEW in 0.10.2

appendAuditRecord() + appendCodexReviewAuditRecord() now JSON.parse-self-check the serialized line BEFORE fs.appendFile(). A throw aborts the append without touching .rea/audit.jsonl; the diagnostic names tool_name/server_name so a future regression source is localizable. Defense-in-depth against a class of bug that would otherwise corrupt the hash chain at write time and only surface at rea audit verify time (or — worse — at push-gate scan time, which is precisely defect U).

rea audit verify now collects every unparseable line across every file in the walk instead of aborting at the first one. Each failure reports as audit.jsonl:LINE[:COL] <parser message>, and chain verification continues over the parseable subset — a genuine hash tamper on a surviving record still surfaces alongside the parse failures. Tamper diagnostics now carry BOTH the parseable-subset record index AND the 1-based original-file line number — the two diverge whenever a malformed line precedes the tamper, and the file line is the authoritative operator jump target. Empty lines mid-file are a distinct parse failure class (not silently skipped).

Scope: self-check covers the two public entry points every external consumer (Helix, Codex CLI, ad-hoc CLI scripts) reaches. Gateway middleware + rotation-marker emitters still write raw JSON.stringify; widening T to cover those paths requires a shared serialization helper and is tracked as a followup.

Defect U — push-review-core.sh audit scan tolerates malformed lines (HIGH, availability) — NEW in 0.10.2

_codex_ok scan switched from jq -e '<filter>' \"\$_audit\" (single JSON stream, exits 2 on the first malformed line anywhere in the file) to jq -R 'fromjson? | select(<filter>)' \"\$_audit\" 2>/dev/null | grep -q . (per-line raw parse with error-suppression). The old pipeline locked the gate closed on a single stray backslash sequence — every legitimate codex.review receipt past the corruption became unreachable until the offending line was hand-edited out. The new pipeline evaluates each line independently; malformed lines yield empty output and the predicate runs against every successfully parsed record.

Predicate body (tool_name, head_sha, verdict, emission_source) is byte-identical, so defect P's forgery rejection still holds line-by-line. Mirrored in both hooks/_lib/push-review-core.sh and .claude/hooks/_lib/push-review-core.sh. The two other jq scans in the file (cache_result inspection at ~432/~612, cache hit/pass at ~1107) operate on single printf'd JSON strings — left as jq -e.

Codex adversarial review

Completed pre-push on 3814d38 (S+P+N) and aeda953 (T+U incremental). No blocking findings on either pass. Concerns tracked in the changeset Followups section (1 blocking on S+P+N's original pass — configured_base iteration leak — was fixed on this branch; 2 concerns on T+U — widen T to middleware/rotator, chain-failure file-line reporting — concern 2 addressed in the T+U commit, concern 1 documented as followup).

Deferred to 0.11.0

• G (push-review-core.sh → TypeScript port) — 1154 LOC shell+jq+awk with 10 integration test suites. Dedicated review cycle; absorbs fail-loud-no-base and general Target:-label halves of N.
• Widen T to gateway middleware + rotation-marker emitters via a shared serialization helper.
• Codex 0.10.1 followups: proxied-MCP stamp discrimination (chore(ci)(deps): bump actions/setup-node from 4.0.3 to 6.3.0 #2), rea tofu accept write-order (chore(ci)(deps): bump pnpm/action-setup from 4.0.0 to 6.0.1 #3), shell-level P integration test (chore(ci)(deps): bump changesets/action from 1.4.6 to 1.7.0 #4).

Test plan

• pnpm lint — clean
• pnpm type-check — clean
• pnpm test — 1292 passed, 1 skipped, 0 failed (67 suites; 10 new tests for T+U: 1 append self-check + 5 verify collect-all-errors + 4 fromjson tolerance)
• pnpm build — clean
• Codex adversarial review (two passes: S+P+N on 3814d38, T+U on aeda953) — no blocking, concerns tracked
• Mirror parity: hooks/_lib/push-review-core.sh ≡ .claude/hooks/_lib/push-review-core.sh (sha256 c4024182a992a493151dec77f741712d5442d543c6456806c2373da5817673a8)
• DCO sign-off on both commits
• Changeset entry renamed to .changeset/rea-0-10-2-audit-integrity.md with combined S+P+N+T+U narrative

Bug report (canonical tracking)

Entries S, P, N, T, U updated in Projects/rea/Bug Reports/Rea Bug Reports.md post-merge. Summary-table shipped-in-0.10.2 row replaces the previous 0.10.1 row. Only G remains open for 0.11.0.