@windyroad/risk-scorer 0.1.4 → 0.1.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/hooks/git-push-gate.sh +9 -2
- package/hooks/lib/risk-gate.sh +2 -2
- package/package.json +1 -1
package/hooks/git-push-gate.sh
CHANGED
|
@@ -72,12 +72,19 @@ if echo "$COMMAND" | grep -qE '(^|;|&&|\|\|)\s*npm run push:watch(\s|$)'; then
|
|
|
72
72
|
exit 0
|
|
73
73
|
fi
|
|
74
74
|
|
|
75
|
+
# Block `changeset version` — versioning is done by the release pipeline,
|
|
76
|
+
# not locally. Creating changesets (`npx changeset`) is fine.
|
|
77
|
+
if echo "$COMMAND" | grep -qE '(^|;|&&|\|\|)\s*(npx changeset|npm run changeset)\s+version(\s|$)'; then
|
|
78
|
+
risk_gate_deny "Do not run \`changeset version\` locally. The release pipeline handles versioning automatically. To release: (1) push your changes with \`npm run push:watch\`, (2) the pipeline creates a release PR via changesets, (3) merge the release PR to publish. If you need to create a changeset, use \`npx changeset\` (without \`version\`)."
|
|
79
|
+
exit 0
|
|
80
|
+
fi
|
|
81
|
+
|
|
75
82
|
# Gate changeset creation on release risk score (fail-closed).
|
|
76
83
|
# Changesets feed directly into releases, so gate on the release score.
|
|
77
84
|
if echo "$COMMAND" | grep -qE '(^|;|&&|\|\|)\s*(npx changeset|npm run changeset)(\s|$)'; then
|
|
78
85
|
if [ -n "$SESSION_ID" ]; then
|
|
79
86
|
if ! check_risk_gate "$SESSION_ID" "release"; then
|
|
80
|
-
risk_gate_deny "Changeset blocked: ${RISK_GATE_REASON}"
|
|
87
|
+
risk_gate_deny "Changeset blocked: ${RISK_GATE_REASON}. To create a changeset, the release risk score must be within appetite. Delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') to assess."
|
|
81
88
|
exit 0
|
|
82
89
|
fi
|
|
83
90
|
fi
|
|
@@ -101,7 +108,7 @@ if echo "$COMMAND" | grep -qE '(^|;|&&|\|\|)\s*npm run release:watch(\s|$)'; the
|
|
|
101
108
|
exit 0
|
|
102
109
|
fi
|
|
103
110
|
if ! check_risk_gate "$SESSION_ID" "release"; then
|
|
104
|
-
risk_gate_deny "Release blocked: ${RISK_GATE_REASON}
|
|
111
|
+
risk_gate_deny "Release blocked: ${RISK_GATE_REASON}"
|
|
105
112
|
exit 0
|
|
106
113
|
fi
|
|
107
114
|
fi
|
package/hooks/lib/risk-gate.sh
CHANGED
|
@@ -43,7 +43,7 @@ check_risk_gate() {
|
|
|
43
43
|
local CURRENT_HASH
|
|
44
44
|
CURRENT_HASH=$("$_RISK_GATE_DIR/pipeline-state.sh" --hash-inputs 2>/dev/null | _hashcmd | cut -d' ' -f1)
|
|
45
45
|
if [ "$STORED_HASH" != "$CURRENT_HASH" ]; then
|
|
46
|
-
RISK_GATE_REASON="Pipeline state drift:
|
|
46
|
+
RISK_GATE_REASON="Pipeline state drift: working tree changed since the last ${ACTION} risk assessment. Delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') to rescore against the current state."
|
|
47
47
|
return 1
|
|
48
48
|
fi
|
|
49
49
|
fi
|
|
@@ -63,7 +63,7 @@ print('yes' if score >= 5 else 'no')
|
|
|
63
63
|
" 2>/dev/null || echo "no")
|
|
64
64
|
|
|
65
65
|
if [ "$DENIED" = "yes" ]; then
|
|
66
|
-
RISK_GATE_REASON="${ACTION} risk score ${SCORE}/25 (Medium or above).
|
|
66
|
+
RISK_GATE_REASON="${ACTION} risk score ${SCORE}/25 (Medium or above). To proceed: (1) split the ${ACTION}, (2) add risk-reducing measures, or (3) for a LIVE INCIDENT, delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') with incident context for an incident bypass."
|
|
67
67
|
return 1
|
|
68
68
|
fi
|
|
69
69
|
|