@windyroad/risk-scorer 0.1.1 → 0.1.2

package/bin/install.mjs

@@ -20,6 +20,7 @@ Pipeline risk scoring, commit/push gates, and secret leak detection
 Options:
   --update     Update this plugin and its skills
   --uninstall  Remove this plugin
+  --scope      Installation scope: project (default) or user
   --dry-run    Show what would be done without executing
   --help, -h   Show this help
 `);
@@ -38,5 +39,5 @@ if (flags.uninstall) {
 } else if (flags.update) {
   utils.updatePackage(PLUGIN);
 } else {
-  utils.installPackage(PLUGIN, { deps: DEPS });
+  utils.installPackage(PLUGIN, { deps: DEPS, scope: flags.scope });
 }

package/hooks/git-push-gate.sh

@@ -47,7 +47,7 @@ if echo "$COMMAND" | grep -qE '(^|;|&&|\|\|)\s*npm run push:watch(\s|$)'; then
         fi
         PUSH_SCORE_FILE="${RDIR}/push"
         if [ ! -f "$PUSH_SCORE_FILE" ]; then
-            risk_gate_deny "Push blocked: No push risk score found. Delegate to risk-scorer-pipeline (subagent_type: 'risk-scorer-pipeline') to assess cumulative pipeline risk."
+            risk_gate_deny "Push blocked: No push risk score found. Delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') to assess cumulative pipeline risk."
             exit 0
         fi
         PUSH_NOW=$(date +%s)
@@ -65,7 +65,7 @@ if echo "$COMMAND" | grep -qE '(^|;|&&|\|\|)\s*npm run push:watch(\s|$)'; then
         fi
         PUSH_DENIED=$(python3 -c "print('yes' if float('${PUSH_SCORE}') >= 5 else 'no')" 2>/dev/null || echo "no")
         if [ "$PUSH_DENIED" = "yes" ]; then
-            risk_gate_deny "Push blocked: Push risk score ${PUSH_SCORE}/25 (Medium or above). To proceed: (1) release first via \`npm run release:watch\`, (2) split the push, or (3) add risk-reducing measures. If risk-neutral or risk-reducing, delegate to risk-scorer-pipeline (subagent_type: 'risk-scorer-pipeline') — it will create a bypass marker."
+            risk_gate_deny "Push blocked: Push risk score ${PUSH_SCORE}/25 (Medium or above). To proceed: (1) release first via \`npm run release:watch\`, (2) split the push, or (3) add risk-reducing measures. If risk-neutral or risk-reducing, delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') — it will create a bypass marker."
             exit 0
         fi
     fi
@@ -101,7 +101,7 @@ if echo "$COMMAND" | grep -qE '(^|;|&&|\|\|)\s*npm run release:watch(\s|$)'; the
             exit 0
         fi
         if ! check_risk_gate "$SESSION_ID" "release"; then
-            risk_gate_deny "Release blocked: ${RISK_GATE_REASON}. To proceed: (1) split the release, (2) add risk-reducing measures, or (3) for a LIVE INCIDENT, delegate to risk-scorer-pipeline (subagent_type: 'risk-scorer-pipeline') with incident context for an incident bypass."
+            risk_gate_deny "Release blocked: ${RISK_GATE_REASON}. To proceed: (1) split the release, (2) add risk-reducing measures, or (3) for a LIVE INCIDENT, delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') with incident context for an incident bypass."
             exit 0
         fi
     fi

package/hooks/lib/risk-gate.sh

@@ -21,7 +21,7 @@ check_risk_gate() {
 
   # 1. Score file must exist (fail-closed)
   if [ ! -f "$SCORE_FILE" ]; then
-    RISK_GATE_REASON="No ${ACTION} risk score found. The risk-scorer agent must run first. It runs automatically on each prompt."
+    RISK_GATE_REASON="No ${ACTION} risk score found. Delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') to assess cumulative pipeline risk."
     return 1
   fi
 
@@ -30,7 +30,7 @@ check_risk_gate() {
   local SCORE_TIME=$(_mtime "$SCORE_FILE")
   local AGE=$(( NOW - SCORE_TIME ))
   if [ "$AGE" -ge "$TTL_SECONDS" ]; then
-    RISK_GATE_REASON="Risk score expired (${AGE}s old, TTL ${TTL_SECONDS}s). Stage all files with git add first, then submit a new prompt — the scorer runs automatically. Then call git commit in that response."
+    RISK_GATE_REASON="Risk score expired (${AGE}s old, TTL ${TTL_SECONDS}s). Delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') to rescore."
     return 1
   fi
 

package/hooks/risk-score-commit-gate.sh

@@ -57,7 +57,7 @@ fi
 
 # Gate check: existence, TTL, drift, threshold
 if ! check_risk_gate "$SESSION_ID" "commit"; then
-    risk_gate_deny "Commit blocked: ${RISK_GATE_REASON} To proceed: (1) stage files with git add, (2) delegate to risk-scorer-pipeline (subagent_type: 'risk-scorer-pipeline') to assess cumulative pipeline risk. If the commit is risk-neutral or risk-reducing, the scorer will create a bypass marker."
+    risk_gate_deny "Commit blocked: ${RISK_GATE_REASON} To proceed: (1) stage files with git add, (2) delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') to assess cumulative pipeline risk. If the commit is risk-neutral or risk-reducing, the scorer will create a bypass marker."
     exit 0
 fi
 

package/hooks/risk-score-mark.sh

@@ -4,7 +4,7 @@
 # risk-scorer agents. This is the ONLY place score files are written —
 # agents output structured markers, this hook writes the files.
 #
-# Handles: risk-scorer-pipeline, risk-scorer-plan, risk-scorer-wip, risk-scorer-policy
+# Handles: wr-risk-scorer:pipeline, wr-risk-scorer:plan, wr-risk-scorer:wip, wr-risk-scorer:policy
 # Replaces: risk-policy-mark-reviewed.sh (which had fragile P001 backup parsing)
 
 set -euo pipefail
@@ -34,7 +34,7 @@ RDIR=$(_risk_dir "$SESSION_ID")
 # ---------------------------------------------------------------------------
 # Pipeline scorer: write commit/push/release scores + bypass markers
 # ---------------------------------------------------------------------------
-if echo "$SUBAGENT" | grep -qE 'risk-scorer-pipeline'; then
+if echo "$SUBAGENT" | grep -qE 'risk-scorer.pipeline'; then
   # Parse RISK_SCORES: commit=N push=N release=N
   SCORES_LINE=$(echo "$AGENT_OUTPUT" | grep -E '^RISK_SCORES:' | tail -1) || true
   if [ -n "$SCORES_LINE" ]; then
@@ -79,7 +79,7 @@ fi
 # ---------------------------------------------------------------------------
 # Plan scorer: write plan-reviewed marker on PASS
 # ---------------------------------------------------------------------------
-if echo "$SUBAGENT" | grep -qE 'risk-scorer-plan'; then
+if echo "$SUBAGENT" | grep -qE 'risk-scorer.plan'; then
   VERDICT_LINE=$(echo "$AGENT_OUTPUT" | grep -E '^RISK_VERDICT:' | tail -1) || true
   VERDICT=$(echo "$VERDICT_LINE" | sed 's/^RISK_VERDICT:[[:space:]]*//' | tr -d '[:space:]')
   case "$VERDICT" in
@@ -98,7 +98,7 @@ fi
 # ---------------------------------------------------------------------------
 # WIP scorer: write wip-reviewed marker (unblocks next edit)
 # ---------------------------------------------------------------------------
-if echo "$SUBAGENT" | grep -qE 'risk-scorer-wip'; then
+if echo "$SUBAGENT" | grep -qE 'risk-scorer.wip'; then
   # WIP assessment was done — unblock next edit regardless of CONTINUE/PAUSE
   # (PAUSE is advisory guidance to the user, not a hard gate)
   touch "${RDIR}/wip-reviewed"
@@ -107,7 +107,7 @@ fi
 # ---------------------------------------------------------------------------
 # Policy scorer: write policy-reviewed marker on PASS
 # ---------------------------------------------------------------------------
-if echo "$SUBAGENT" | grep -qE 'risk-scorer-policy'; then
+if echo "$SUBAGENT" | grep -qE 'risk-scorer.policy'; then
   VERDICT_LINE=$(echo "$AGENT_OUTPUT" | grep -E '^RISK_VERDICT:' | tail -1) || true
   VERDICT=$(echo "$VERDICT_LINE" | sed 's/^RISK_VERDICT:[[:space:]]*//' | tr -d '[:space:]')
   case "$VERDICT" in

package/hooks/risk-score-plan-enforce.sh

@@ -24,7 +24,7 @@ cat <<'EOF'
   "hookSpecificOutput": {
     "hookEventName": "PreToolUse",
     "permissionDecision": "deny",
-    "permissionDecisionReason": "BLOCKED: Risk-scorer must review the plan before exiting plan mode. Delegate to risk-scorer-plan (subagent_type: 'risk-scorer-plan') to review the plan file for risk, including projected release risk."
+    "permissionDecisionReason": "BLOCKED: Risk-scorer must review the plan before exiting plan mode. Delegate to wr-risk-scorer:plan (subagent_type: 'wr-risk-scorer:plan') to review the plan file for risk, including projected release risk."
   }
 }
 EOF

package/hooks/wip-risk-gate.sh

@@ -37,7 +37,7 @@ cat <<'EOF'
   "hookSpecificOutput": {
     "hookEventName": "PreToolUse",
     "permissionDecision": "deny",
-    "permissionDecisionReason": "WIP risk assessment required. Delegate to risk-scorer-wip (subagent_type: 'risk-scorer-wip') to assess cumulative pipeline risk for changes so far."
+    "permissionDecisionReason": "WIP risk assessment required. Delegate to wr-risk-scorer:wip (subagent_type: 'wr-risk-scorer:wip') to assess cumulative pipeline risk for changes so far."
   }
 }
 EOF

package/lib/install-utils.mjs

@@ -46,15 +46,6 @@ export function checkPrerequisites() {
     );
     process.exit(1);
   }
-
-  try {
-    execSync("npx --version", { stdio: "pipe" });
-  } catch {
-    console.error(
-      "Error: 'npx' not found. Install Node.js first:\n  https://nodejs.org\n"
-    );
-    process.exit(1);
-  }
 }
 
 export function addMarketplace() {
@@ -64,9 +55,9 @@ export function addMarketplace() {
   );
 }
 
-export function installPlugin(pluginName) {
+export function installPlugin(pluginName, { scope = "project" } = {}) {
   return run(
-    `claude plugin install ${pluginName}@${MARKETPLACE_NAME}`,
+    `claude plugin install ${pluginName}@${MARKETPLACE_NAME} --scope ${scope}`,
     pluginName
   );
 }
@@ -79,33 +70,14 @@ export function uninstallPlugin(pluginName) {
   return run(`claude plugin uninstall ${pluginName}`, `Removing ${pluginName}`);
 }
 
-export function installSkills() {
-  return run(
-    `npx -y skills add --yes --all ${MARKETPLACE_REPO}`,
-    "Skills (via skills package)"
-  );
-}
-
-export function updateSkills() {
-  return run("npx -y skills update", "Skills update");
-}
-
-export function removeSkills() {
-  return run(
-    `npx -y skills remove --yes --all ${MARKETPLACE_REPO}`,
-    "Removing skills"
-  );
-}
-
 /**
- * Install a single package: marketplace add + plugin install + skills.
+ * Install a single package: marketplace add + plugin install.
  */
-export function installPackage(pluginName, { deps = [] } = {}) {
-  console.log(`\nInstalling @windyroad/${pluginName.replace("wr-", "")}...\n`);
+export function installPackage(pluginName, { deps = [], scope = "project" } = {}) {
+  console.log(`\nInstalling @windyroad/${pluginName.replace("wr-", "")} (${scope} scope)...\n`);
 
   addMarketplace();
-  installPlugin(pluginName);
-  installSkills();
+  installPlugin(pluginName, { scope });
 
   if (deps.length > 0) {
     console.log(`\nNote: This plugin works best with:`);
@@ -130,7 +102,6 @@ export function updatePackage(pluginName) {
     "Updating marketplace"
   );
   updatePlugin(pluginName);
-  updateSkills();
 
   console.log("\nDone! Restart Claude Code to apply updates.\n");
 }
@@ -144,9 +115,6 @@ export function uninstallPackage(pluginName) {
   uninstallPlugin(pluginName);
 
   console.log("\nDone. Restart Claude Code to apply changes.\n");
-  console.log("Note: Skills are shared across packages. Run");
-  console.log("  npx @windyroad/agent-plugins --uninstall");
-  console.log("to remove all skills.\n");
 }
 
 /**
@@ -154,10 +122,22 @@ export function uninstallPackage(pluginName) {
  */
 export function parseStandardArgs(argv) {
   const args = argv.slice(2);
-  return {
+  const flags = {
     help: args.includes("--help") || args.includes("-h"),
     uninstall: args.includes("--uninstall"),
     update: args.includes("--update"),
     dryRun: args.includes("--dry-run"),
+    scope: "project",
   };
+  const scopeIdx = args.indexOf("--scope");
+  if (scopeIdx !== -1 && args[scopeIdx + 1]) {
+    const val = args[scopeIdx + 1];
+    if (["project", "user", "local"].includes(val)) {
+      flags.scope = val;
+    } else {
+      console.error("--scope requires: project, user, or local");
+      process.exit(1);
+    }
+  }
+  return flags;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@windyroad/risk-scorer",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "description": "Pipeline risk scoring, commit/push gates, and secret leak detection",
   "bin": {
     "windyroad-risk-scorer": "./bin/install.mjs"