@windyroad/itil 0.54.2 → 0.54.3-preview.792

package/.claude-plugin/plugin.json

@@ -497,5 +497,5 @@
     }
   },
   "name": "wr-itil",
-  "version": "0.54.2"
+  "version": "0.54.3"
 }

package/hooks/itil-changeset-discipline.sh

@@ -97,8 +97,10 @@ command_invokes_git_commit "$COMMAND" || exit 0
 
 # Run detection. Helper echoes offending plugin slug on stdout when
 # detected; returns 1 in that case. Returns 0 (allow) on no-trap,
-# bypass env, or fail-open (non-git tree, parse error).
-TRAPPED_SLUG=$(detect_changeset_required 2>/dev/null) && exit 0
+# bypass env, or fail-open (non-git tree, parse error). The COMMAND is
+# passed so Check 2b can change-scope to the commit's work-item ID (P387):
+# an in-scope changeset for an UNRELATED ticket no longer covers this commit.
+TRAPPED_SLUG=$(detect_changeset_required "$COMMAND" 2>/dev/null) && exit 0
 
 # Trap detected — emit deny with terse recovery.
 # Voice-tone budget per ADR-045 deny-band ≤300 bytes total. Names the

package/hooks/lib/changeset-detect.sh

@@ -118,12 +118,13 @@
 # repo with no remotes), Check 2b returns 1 (no in-range scope to
 # inspect) — Phase 1 strict-deny behaviour is preserved.
 #
-# Returns: 0 (an in-scope changeset covers the plugin → allow)
+# Returns: 0 (≥1 in-scope changeset targets the plugin → paths echoed on
+#            stdout, newline-separated, for the caller's change-scope check)
 #          1 (no covering changeset found → caller falls through)
 _changeset_in_scope_covers_plugin() {
   local slug="$1"
   local base
-  local candidates path
+  local candidates path found=""
 
   base=$(git rev-parse --abbrev-ref --symbolic-full-name '@{u}' 2>/dev/null) \
     || base="origin/main"
@@ -159,25 +160,55 @@ _changeset_in_scope_covers_plugin() {
     # awk scoping prevents false positives from prose body mentions.
     if awk '/^---[[:space:]]*$/ { c++; if (c == 1) next; if (c == 2) exit } c == 1 { print }' "$path" 2>/dev/null \
         | grep -qE "^\"@windyroad/${slug}\":[[:space:]]"; then
-      return 0
+      found="${found}${path}
+"
     fi
   done <<EOF
 $candidates
 EOF
 
-  return 1
+  [ -n "$found" ] || return 1
+  printf '%s' "$found"
+  return 0
+}
+
+# P387 helper — echo the space-separated, upper-cased, de-duplicated set of
+# work-item IDs found in the text passed as $1. Work-item identity = problem
+# ticket (`P<NNN>`), RFC (`RFC-<NNN>`), or story (`STORY-<NNN>`). ADR refs are
+# deliberately excluded — an ADR is cross-cutting context cited in passing, not
+# the identity of the change a changeset documents.
+#
+# Used to compare a committing change's ticket reference(s) (from the
+# git-commit COMMAND string) against an in-scope changeset's reference(s)
+# (filename + body). Matching is inclusive and case-insensitive: extracting a
+# spurious extra ID only widens the overlap (the allow direction) and can never
+# manufacture a false deny, which keeps Check 2b conservative.
+_work_item_ids() {
+  printf '%s' "$1" \
+    | grep -oiE '\b(P[0-9]+|RFC-[0-9]+|STORY-[0-9]+)\b' 2>/dev/null \
+    | tr '[:lower:]' '[:upper:]' \
+    | sort -u \
+    | tr '\n' ' '
 }
 
 # Detect whether the current staged set requires a changeset that is
 # not satisfied by either staged Check 2a or in-scope Check 2b.
 #
+# $1 (optional) — the git-commit COMMAND string (or commit message). Its
+#   work-item ID(s) are matched against in-scope changesets for the P387
+#   change-scoped Check 2b. Empty / omitted → Check 2b falls back to the
+#   pre-P387 plugin-scoped behaviour (any covering changeset allows), which
+#   is the conservative choice when no commit context is available.
+#
 # Echoes the offending plugin slug on stdout when detected.
 #
 # Returns:
 #   0 — no change required, BYPASS env set, fail-open, or an in-scope
-#       changeset covers the plugin (Phase 2 Check 2b)
-#   1 — change required + no covering changeset (caller should deny)
+#       changeset covers the plugin AND is change-scoped to it (Check 2b)
+#   1 — change required + no covering (or only unrelated-sibling) changeset
+#       (caller should deny)
 detect_changeset_required() {
+  local commit_msg="${1:-}"
   # Bypass via env var — single most-common legitimate escape.
   if [ "${BYPASS_CHANGESET_GATE:-}" = "1" ]; then
     return 0
@@ -270,12 +301,54 @@ EOF
     return 0
   fi
 
-  # Check 2b (P141 Phase 2) — in-scope changeset targeting the plugin
-  # satisfies. Scope = unpushed-range commits + untracked + modified-
-  # not-staged working-tree files. Once consumed onto origin, the
-  # changeset is gone and a fresh one is required.
-  if _changeset_in_scope_covers_plugin "$plugin_source_slug"; then
-    return 0
+  # Check 2b (P141 Phase 2 + P387 change-scoped) — an in-scope changeset
+  # targeting the plugin satisfies, but only when it is change-scoped to
+  # THIS commit. Scope = unpushed-range commits + untracked + modified-
+  # not-staged working-tree files. Once consumed onto origin, the changeset
+  # is gone and a fresh one is required.
+  local covering
+  if covering=$(_changeset_in_scope_covers_plugin "$plugin_source_slug"); then
+    # P387: tighten plugin-scoped → change-scoped. A plugin can carry a
+    # changeset for an unrelated change; before P387 that wrongly covered
+    # THIS commit, shipping it to npm with no CHANGELOG record of its own
+    # (witnessed: P164's fix rode P374's changeset). Deny only on positive
+    # evidence the covering changeset(s) belong to a DIFFERENT change: the
+    # commit cites work-item ID(s), EVERY covering changeset cites work-item
+    # ID(s), and none overlap. Any ambiguity allows — a ticket-less commit,
+    # a prose-only changeset, or an ID overlap — so the ADR-014 batch-grain
+    # (same-slice commits share a ticket) and prose-only / adopter changesets
+    # are never over-fired.
+    local commit_ids cs_path cs_ids id has_idless=0 overlap=0
+    commit_ids=$(_work_item_ids "$commit_msg")
+
+    # Commit cites no work-item ID → cannot change-scope; allow (pre-P387).
+    [ -n "$commit_ids" ] || return 0
+
+    while IFS= read -r cs_path; do
+      [ -n "$cs_path" ] || continue
+      cs_ids=$(_work_item_ids "${cs_path}
+$(cat "$cs_path" 2>/dev/null)")
+      if [ -z "$cs_ids" ]; then
+        has_idless=1
+        continue
+      fi
+      for id in $commit_ids; do
+        case " $cs_ids " in
+          *" $id "*) overlap=1; break ;;
+        esac
+      done
+      [ "$overlap" -eq 1 ] && break
+    done <<EOF
+$covering
+EOF
+
+    # Overlapping ID (same change) or a prose-only covering changeset
+    # (cannot prove it is for a different change) → allow.
+    if [ "$overlap" -eq 1 ] || [ "$has_idless" -eq 1 ]; then
+      return 0
+    fi
+    # Else: every covering changeset cites work-item ID(s), none matching
+    # the commit → unrelated-sibling signature → fall through to deny.
   fi
 
   printf '%s\n' "$plugin_source_slug"

package/hooks/test/itil-changeset-discipline.bats

@@ -574,3 +574,87 @@ mark_origin_at_head() {
   [[ "$output" == *"\"permissionDecision\": \"deny\""* ]]
   [[ "$output" == *"P141"* ]]
 }
+
+# --- P387: Check 2b is change-scoped, not merely plugin-scoped ---
+#
+# P141 Phase 2's Check 2b passed a plugin-source commit if ANY in-scope
+# changeset targeted the plugin — even one authored for a DIFFERENT change.
+# So a change shipped to npm with no CHANGELOG record of its own, riding a
+# sibling changeset's coattails (witnessed: P164's octal fix shipped
+# undocumented under P374's changeset, @windyroad/risk-scorer 0.13.5/0.14.0).
+#
+# P387 tightens Check 2b to change-scoped via conservative work-item-ID
+# (ticket) keying. The commit's work-item IDs (P<NNN> / RFC-<NNN> /
+# STORY-<NNN>, extracted from the git-commit COMMAND string passed into the
+# helper) are compared against each in-scope covering changeset's work-item
+# IDs (extracted from its filename + body). Check 2b DENIES only on positive
+# evidence of an unrelated sibling: the commit cites work-item ID(s), EVERY
+# covering changeset cites work-item ID(s), and none overlap. Any ambiguity
+# allows — a ticket-less commit, a prose-only changeset, or an ID overlap.
+# This preserves the ADR-014 batch-grain (same-slice commits share a ticket,
+# so the slice's changeset still covers them) and never over-fires on
+# adopter/prose-only changesets that carry no ticket ref.
+
+@test "P387 deny: plugin-source commit citing a DIFFERENT ticket than the only in-scope changeset (unrelated sibling) denies" {
+  mark_origin_at_head
+  # Commit 1: P374's changeset + its source.
+  echo "p374 work" > packages/itil/skills/foo/SKILL.md
+  printf -- '---\n"@windyroad/itil": patch\n---\nP374 work. Refs: P374.\n' > .changeset/wr-itil-p374.md
+  git add packages/itil/skills/foo/SKILL.md .changeset/wr-itil-p374.md
+  git -c commit.gpgsign=false commit --quiet -m "fix(itil): P374 work (P374)"
+  # Commit 2: P164's UNRELATED fix — stages itil source, authors NO changeset.
+  # The only in-scope changeset is P374's. Change-scoped Check 2b must DENY.
+  echo "octal fix" > packages/itil/scripts/extract.sh
+  git add packages/itil/scripts/extract.sh
+  run run_bash_hook "git commit -m 'fix(itil): octal eval (P164)'"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"\"permissionDecision\": \"deny\""* ]]
+  [[ "$output" == *"P141"* ]]
+  [[ "$output" == *"itil"* ]]
+}
+
+@test "P387 allow: plugin-source commit citing the SAME ticket as the in-scope changeset (same change) allows" {
+  mark_origin_at_head
+  # Commit 1: P347's changeset + slice-1 source.
+  echo "p347 slice 1" > packages/itil/skills/foo/SKILL.md
+  printf -- '---\n"@windyroad/itil": patch\n---\nP347 slice. Refs: P347.\n' > .changeset/wr-itil-p347.md
+  git add packages/itil/skills/foo/SKILL.md .changeset/wr-itil-p347.md
+  git -c commit.gpgsign=false commit --quiet -m "feat(itil): P347 slice 1 (P347)"
+  # Commit 2: same P347 slice — no new changeset; the in-range P347 changeset
+  # shares the commit's ticket, so the ADR-014 batch is preserved. Allow.
+  echo "p347 slice 2" > packages/itil/skills/foo/SKILL.md
+  git add packages/itil/skills/foo/SKILL.md
+  run run_bash_hook "git commit -m 'feat(itil): P347 slice 2 (P347)'"
+  [ "$status" -eq 0 ]
+  [[ "$output" != *"\"permissionDecision\": \"deny\""* ]]
+  [ "${#output}" -eq 0 ]
+}
+
+@test "P387 allow: plugin-source commit with NO work-item ID falls back to plugin-scoped allow (conservative)" {
+  mark_origin_at_head
+  # In-range changeset cites P374; the new commit cites no ticket at all —
+  # we cannot prove it is a DIFFERENT change, so we must not over-fire.
+  printf -- '---\n"@windyroad/itil": patch\n---\nsome fix. Refs: P374.\n' > .changeset/wr-itil-p374.md
+  git add .changeset/wr-itil-p374.md
+  git -c commit.gpgsign=false commit --quiet -m "chore: add changeset"
+  echo "skill body" > packages/itil/skills/foo/SKILL.md
+  git add packages/itil/skills/foo/SKILL.md
+  run run_bash_hook "git commit -m 'feat without a ticket ref'"
+  [ "$status" -eq 0 ]
+  [[ "$output" != *"\"permissionDecision\": \"deny\""* ]]
+}
+
+@test "P387 allow: prose-only in-scope changeset (no work-item ID) does not over-fire even when the commit cites a ticket" {
+  mark_origin_at_head
+  # An adopter (or a plain) changeset with no ticket ref in filename or body.
+  # The commit cites P164, but we cannot prove the prose-only changeset is for
+  # a different change, so Check 2b allows (no over-fire on prose changesets).
+  printf -- '---\n"@windyroad/itil": patch\n---\nfix the thing\n' > .changeset/wr-itil-feature.md
+  git add .changeset/wr-itil-feature.md
+  git -c commit.gpgsign=false commit --quiet -m "chore: add changeset"
+  echo "skill body" > packages/itil/skills/foo/SKILL.md
+  git add packages/itil/skills/foo/SKILL.md
+  run run_bash_hook "git commit -m 'fix(itil): a thing (P164)'"
+  [ "$status" -eq 0 ]
+  [[ "$output" != *"\"permissionDecision\": \"deny\""* ]]
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@windyroad/itil",
-  "version": "0.54.2",
+  "version": "0.54.3-preview.792",
   "description": "ITIL-aligned IT service management for Claude Code (problem, and future incident/change skills)",
   "bin": {
     "windyroad-itil": "./bin/install.mjs"