@windyroad/risk-scorer 0.10.3 → 0.11.0-preview.387

package/.claude-plugin/plugin.json

@@ -310,5 +310,5 @@
     }
   },
   "name": "wr-risk-scorer",
-  "version": "0.10.3"
+  "version": "0.11.0"
 }

package/README.md

@@ -65,7 +65,7 @@ The plugin includes six specialised agents:
 | `wr-risk-scorer:plan` | Reviews implementation plans for risk |
 | `wr-risk-scorer:policy` | Validates `RISK-POLICY.md` for ISO 31000 compliance |
 | `wr-risk-scorer:external-comms` | Reviews drafts of outbound prose (gh issues/PRs, advisories, npm publish, changeset bodies) for confidential-information leaks per `RISK-POLICY.md` |
-| `wr-risk-scorer:inbound-report` | Reviews inbound third-party reports (problem-report issues, Q&A discussions, security-advisory submissions) for Request-risk + Fix-risk per `RISK-POLICY.md` § Inbound Report Risk Classes — sibling of `:external-comms` (NOT extension). Consumed by the assessment-pipeline (P079 / ADR-062). Serves JTBD-301 (verdict-on-close acknowledgement) + JTBD-001 (mechanical-stage carve-out). |
+| `wr-risk-scorer:inbound-report` | Reviews inbound third-party reports (problem-report issues, Q&A discussions, security-advisory submissions) for Request-risk + Fix-risk per `RISK-POLICY.md` § Inbound Report Risk Classes — sibling of `:external-comms` (NOT extension). Consumed by the assessment-pipeline (P079 / ADR-062). Serves the report-without-pre-classifying acknowledgement (verdict-on-close) and the mechanical-stage carve-out. |
 
 ## On-demand assessment skills
 
@@ -74,7 +74,7 @@ The plugin includes six specialised agents:
 | `/wr-risk-scorer:assess-wip` | WIP risk nudge for the current uncommitted diff |
 | `/wr-risk-scorer:assess-release` | Pipeline risk assessment for the unpushed queue (pre-satisfies the commit gate) |
 | `/wr-risk-scorer:assess-external-comms` | External-comms leak review for a draft outbound body (pre-satisfies the external-comms gate) |
-| `/wr-risk-scorer:assess-inbound-report` | Inbound-report risk review for a third-party submission — two-axis (Request-risk + Fix-risk) classification per `RISK-POLICY.md` (P079 / ADR-062). Serves JTBD-005 (on-demand assessment) + JTBD-202 (pre-flight governance check). |
+| `/wr-risk-scorer:assess-inbound-report` | Inbound-report risk review for a third-party submission — two-axis (Request-risk + Fix-risk) classification per `RISK-POLICY.md` (P079 / ADR-062). Serves on-demand assessment and pre-flight governance checks. |
 | `/wr-risk-scorer:create-risk` | Create a standing-risk register entry (interactive authoring; orchestrator-driven prefilled invocation via `--slug` / `--prefill` flags per ADR-059) |
 | `/wr-risk-scorer:bootstrap-catalog` | Bootstrap `docs/risks/` register from existing `.risk-reports/` corpus per ADR-059 — walks reports, dedupes by ADR-056 slug, emits one `R<NNN>-<slug>.active.md` per unique slug. Idempotent. Auto-triggers from `/install-updates` Step 6.5.1 when register is empty + `RISK-POLICY.md` present + `.risk-reports/` non-empty |
 | `/wr-risk-scorer:update-policy` | Generate or update `RISK-POLICY.md` |
@@ -110,24 +110,6 @@ The canonical hook lives at `packages/shared/hooks/external-comms-gate.sh` and
 is synced into each consumer plugin via `scripts/sync-external-comms-gate.sh`
 per ADR-017 (CI runs `npm run check:external-comms-gate` to detect drift).
 
-## Jobs to be Done
-
-This plugin serves the [Jobs to be Done](../../docs/jtbd/) below. Per [ADR-051](../../docs/decisions/051-jtbd-anchored-readme-with-drift-advisory.proposed.md), the persona-grouped JTBD anchor is the canonical source of truth for the README's value framing.
-
-### Tech lead / consultant
-
-- **[JTBD-202 Run Pre-Flight Governance Checks Before Release or Handover](../../docs/jtbd/tech-lead/JTBD-202-pre-flight-governance-check.proposed.md)** — `/wr-risk-scorer:assess-release` produces a structured release-readiness score (commit, push, release layers) that is attachable to a release note or handover doc.
-
-### Solo developer
-
-- **[JTBD-001 Enforce Governance Without Slowing Down](../../docs/jtbd/solo-developer/JTBD-001-enforce-governance.proposed.md)** — pipeline risk is scored on every edit, commit, and push without manual invocation; secret-leak detection runs in the same gate.
-- **[JTBD-002 Ship AI-Assisted Code with Confidence](../../docs/jtbd/solo-developer/JTBD-002-ship-with-confidence.proposed.md)** — every release passes through ISO 31000-aligned criteria defined in the project's own `RISK-POLICY.md` so the safety bar is the team's, not the agent's.
-- **[JTBD-005 Invoke Governance Assessments On Demand](../../docs/jtbd/solo-developer/JTBD-005-assess-on-demand.proposed.md)** — `/wr-risk-scorer:assess-wip`, `assess-release`, and `assess-external-comms` give an on-demand assessment surface outside the hook gate cycle.
-
-### Plugin user
-
-- **[JTBD-302 Trust That the README Describes the Plugin I Just Installed](../../docs/jtbd/plugin-user/JTBD-302-trust-readme-describes-installed-behaviour.proposed.md)** — this README is anchored on current JTBD job IDs; drift between prose and shipped behaviour is detectable at retro time per ADR-051.
-
 ## Updating and Uninstalling
 
 ```bash

package/hooks/external-comms-gate.sh

@@ -24,7 +24,13 @@
 #      (Voice-tone evaluator: skips leak pre-filter — leak detection is the
 #      risk evaluator's concern; voice-tone reviews tone/voice only.)
 #   4. Otherwise: check for THIS evaluator's per-evaluator marker keyed on
-#      sha256(draft_body + '\n' + surface). Marker present → permit.
+#      compute_external_comms_key(draft, surface) =
+#      sha256(normalize(draft, surface) + '\n' + surface) — the SINGLE
+#      canonical key shared with the mark hook (lib/external-comms-key.sh).
+#      For the changeset-author surface normalize() strips the leading YAML
+#      frontmatter block so the gate (which sees the FULL Write content) and
+#      the mark hook (which sees only the <draft> body) hash identical input
+#      (P010 / ADR-028 amended 2026-05-25). Marker present → permit.
 #      Marker absent → deny with directive to delegate to this plugin's
 #      subagent (configured via external-comms-evaluator.conf).
 #
@@ -48,6 +54,12 @@ set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 # shellcheck source=lib/leak-detect.sh
 source "$SCRIPT_DIR/lib/leak-detect.sh"
+# shellcheck source=lib/external-comms-key.sh
+# Provides compute_external_comms_key — the SINGLE canonical marker-key
+# normalization shared with the PostToolUse mark hook (ADR-028 amended
+# 2026-05-25 / P010). Sourced via the same $SCRIPT_DIR/lib convention as
+# leak-detect.sh so byte-identity holds across the synced per-package copies.
+source "$SCRIPT_DIR/lib/external-comms-key.sh"
 
 # ---------- Per-package evaluator config (ADR-028 amended 2026-05-14) ----------
 # Each consumer plugin ships its own external-comms-evaluator.conf alongside this
@@ -231,7 +243,12 @@ fi
 # ---------- Marker-based gate (per-evaluator marker per ADR-028 amended 2026-05-14) ----------
 SESSION_DIR="${TMPDIR:-/tmp}/claude-risk-${SESSION_ID}"
 mkdir -p "$SESSION_DIR"
-KEY=$(printf '%s\n%s' "$DRAFT" "$SURFACE" | shasum -a 256 | cut -d' ' -f1)
+# Canonical marker key — normalize() strips changeset frontmatter + trailing
+# whitespace so this PreToolUse key matches the PostToolUse mark-hook key
+# (compute_external_comms_key in lib/external-comms-key.sh; P010 / ADR-028
+# amended 2026-05-25). For changeset-author $DRAFT is the FULL Write content
+# (frontmatter + body); compute_external_comms_key strips the frontmatter.
+KEY=$(compute_external_comms_key "$DRAFT" "$SURFACE")
 MARKER="${SESSION_DIR}/external-comms-${EXTERNAL_COMMS_EVALUATOR_ID}-reviewed-${KEY}"
 
 if [ -f "$MARKER" ]; then
@@ -244,7 +261,7 @@ fi
 # PostToolUse mark hook can derive the canonical marker key locally
 # (sha256(DRAFT + '\n' + SURFACE)). Single fire per gate cycle.
 VERDICT_PREFIX="${EXTERNAL_COMMS_VERDICT_PREFIX:-EXTERNAL_COMMS_${EXTERNAL_COMMS_EVALUATOR_ID^^}}"
-REASON=$(printf 'BLOCKED (external-comms gate / %s evaluator): %s draft has not been reviewed by %s. Delegate to %s (subagent_type: '"'"'%s'"'"') with a prompt that starts with the line `SURFACE: %s` and wraps the draft body verbatim inside `<draft>...</draft>` markers. The PostToolUse hook derives the marker key from that structure and marks the draft reviewed when the subagent emits %s_VERDICT: PASS — single fire suffices. Use %s for an interactive walkthrough. Override only when intentional: BYPASS_RISK_GATE=1.' \
+REASON=$(printf 'BLOCKED (external-comms gate / %s evaluator): %s draft has not been reviewed by %s. Delegate to %s (subagent_type: '"'"'%s'"'"') with a prompt that starts with the line `SURFACE: %s` and wraps the draft body verbatim inside `<draft>...</draft>` markers (for the changeset-author surface the body is the changeset summary WITHOUT the leading `---` frontmatter block — the gate strips frontmatter before hashing the marker key). The PostToolUse hook derives the marker key from that structure and marks the draft reviewed when the subagent emits %s_VERDICT: PASS — single fire suffices. Use %s for an interactive walkthrough. Override only when intentional: BYPASS_RISK_GATE=1.' \
     "$EXTERNAL_COMMS_EVALUATOR_ID" "$SURFACE" "$EXTERNAL_COMMS_SUBAGENT_TYPE" "$EXTERNAL_COMMS_SUBAGENT_TYPE" "$EXTERNAL_COMMS_SUBAGENT_TYPE" "$SURFACE" "$VERDICT_PREFIX" "$EXTERNAL_COMMS_ASSESS_SKILL")
 deny_with_reason "$REASON"
 exit 0

package/hooks/lib/external-comms-key.sh

@@ -1,44 +1,101 @@
 #!/bin/bash
 # Shared helper: derive the external-comms marker key from an agent's
 # tool_input.prompt by extracting the structured `SURFACE: <name>` line
-# and `<draft>...</draft>` block, then computing
-# sha256(DRAFT + '\n' + SURFACE) — the same key shape the gate computes
-# at PreToolUse time (external-comms-gate.sh line 229).
+# and `<draft>...</draft>` block, then computing the canonical key via
+# compute_external_comms_key — the same key shape the gate computes at
+# PreToolUse time (external-comms-gate.sh).
 #
 # P166 + ADR-028 amended 2026-05-16: the PostToolUse:Agent mark hook
 # derives the marker key from observed runtime state instead of trusting
 # an agent-emitted EXTERNAL_COMMS_<EVAL>_KEY line. Removes the
 # double-invocation cost class — single fire per gate cycle suffices.
 #
+# P010 + ADR-028 amended 2026-05-25: the marker key is computed via the
+# SINGLE canonical normalization in compute_external_comms_key, shared
+# byte-for-byte between the gate (PreToolUse) and this mark-hook helper
+# (PostToolUse). The normalization strips the changeset YAML frontmatter
+# block before hashing (the gate sees the FULL Write content incl.
+# frontmatter; the agent wraps only the body in <draft>) and applies a
+# single canonical trailing-whitespace strip so the two sides cannot
+# diverge. Fixes the deny-after-PASS marker-key mismatch (P198 / #149).
+#
 # Canonical source: packages/shared/hooks/lib/external-comms-key.sh
 # Synced byte-identically into each consumer plugin's hooks/lib/ via
 # scripts/sync-external-comms-gate.sh (ADR-017 duplicate-script pattern).
+
+# ---------------------------------------------------------------------------
+# compute_external_comms_key <draft> <surface>
 #
-# Returns the 64-char hex sha256 on stdout when both markers are present
-# in the prompt. Returns empty string when either marker is absent — the
-# caller falls back to the agent-emitted KEY for backward compatibility
-# with cached old SKILL.md / agent prompts.
+# THE single source of truth for the external-comms marker key. Both the
+# PreToolUse gate and the PostToolUse mark hook compute the key through
+# this function so they hash byte-identical input (ADR-028 amended
+# 2026-05-25). Echoes the 64-char lowercase sha256 hex on stdout.
+#
+# normalize(draft, surface):
+#   - changeset-author surface: strip the leading YAML frontmatter block
+#     (`---\n...\n---\n` plus the blank line after it). Changeset files
+#     carry `---\n"@windyroad/x": minor\n---\n\n<body>`; the gate sees the
+#     whole thing via tool_input.content while the agent wraps only the
+#     <body> in <draft>. Stripping frontmatter makes the two inputs equal.
+#     All other surfaces (gh-*, npm-publish) are already body-only via the
+#     gate's --body / --field extraction, so they are left unchanged.
+#   - all surfaces: rstrip ALL trailing whitespace. This single canonical
+#     newline normalization subsumes both the gate's `$()` trailing-newline
+#     strip and this helper's `<draft>` regex single-newline strip, so the
+#     two sides are provably symmetric on trailing whitespace.
+#   key = sha256(normalize(draft, surface) + '\n' + surface)
+# ---------------------------------------------------------------------------
+compute_external_comms_key() {
+    local draft="$1" surface="$2"
+    EXTCOMMS_DRAFT="$draft" EXTCOMMS_SURFACE="$surface" python3 -c "
+import os, re, hashlib
+draft = os.environ.get('EXTCOMMS_DRAFT', '')
+surface = os.environ.get('EXTCOMMS_SURFACE', '')
+# changeset-author: strip the leading YAML frontmatter block + blank line.
+if surface == 'changeset-author':
+    draft = re.sub(r'^---\n.*?\n---\n\n?', '', draft, count=1, flags=re.DOTALL)
+# Single canonical newline normalization: strip all trailing whitespace.
+draft = draft.rstrip()
+print(hashlib.sha256((draft + '\n' + surface).encode('utf-8')).hexdigest())
+" 2>/dev/null
+}
 
+# ---------------------------------------------------------------------------
+# derive_external_comms_key_from_prompt <prompt>
+#
+# Extracts the (SURFACE, draft-body) pair from an agent prompt's structured
+# `SURFACE: <name>` line + `<draft>...</draft>` block, then delegates to
+# compute_external_comms_key so the normalization lives in exactly one place.
+#
+# Returns the 64-char hex sha256 on stdout when both markers are present in
+# the prompt. Returns empty string when either marker is absent — the caller
+# falls back to the agent-emitted KEY for backward compatibility with cached
+# old SKILL.md / agent prompts.
+# ---------------------------------------------------------------------------
 derive_external_comms_key_from_prompt() {
     local prompt="$1"
     [ -n "$prompt" ] || { echo ""; return 0; }
-    printf '%s' "$prompt" | python3 -c "
-import sys, re, hashlib
+    # Extract SURFACE + <draft> body in one pass. The two fields are emitted
+    # \x1f-separated (ASCII unit separator) so a body containing newlines — or
+    # an empty body — round-trips through command substitution intact (only
+    # trailing newlines are dropped, which compute_external_comms_key rstrips
+    # anyway). Empty output when either marker is absent → empty key.
+    local extracted
+    extracted=$(printf '%s' "$prompt" | python3 -c "
+import sys, re
 text = sys.stdin.read()
-# DRAFT extraction: non-greedy match between <draft>...</draft>.
-# Tolerates an optional newline immediately after <draft> and before </draft>
-# so the body content does not capture wrapping newlines.
+# DRAFT: non-greedy match between <draft>...</draft>, tolerating an optional
+# newline immediately after <draft> and before </draft>.
 draft_match = re.search(r'<draft>\n?(.*?)\n?</draft>', text, re.DOTALL)
-# SURFACE extraction: must be anchored to line start (MULTILINE) to avoid
-# matching prose like 'context says SURFACE: x'. Surface name is a single
-# token: letter + word/hyphen chars.
+# SURFACE: anchored to line start (MULTILINE) so prose like 'context says
+# SURFACE: x' does not match. Surface name is a single letter+word/hyphen token.
 surface_match = re.search(r'^SURFACE:\s*([A-Za-z][\w-]*)', text, re.MULTILINE)
 if not draft_match or not surface_match:
-    print('')
     sys.exit(0)
-draft = draft_match.group(1)
-surface = surface_match.group(1)
-payload = (draft + '\n' + surface).encode('utf-8')
-print(hashlib.sha256(payload).hexdigest())
-" 2>/dev/null
+sys.stdout.write(surface_match.group(1) + '\x1f' + draft_match.group(1))
+" 2>/dev/null) || extracted=""
+    [ -n "$extracted" ] || { echo ""; return 0; }
+    local surface="${extracted%%$'\x1f'*}"
+    local body="${extracted#*$'\x1f'}"
+    compute_external_comms_key "$body" "$surface"
 }

package/hooks/lib/risk-gate.sh

@@ -100,16 +100,53 @@ check_risk_gate() {
     return 1
   fi
 
-  # 5. Threshold check
-  local DENIED=$(python3 -c "
-score = float('$SCORE')
-print('yes' if score >= 5 else 'no')
-" 2>/dev/null || echo "no")
+  # 5. Threshold check — block when the score EXCEEDS the project's
+  #    RISK-POLICY.md risk appetite (P007 / ADR-065). The threshold is the
+  #    adopter's documented appetite, not a code constant: a project whose
+  #    policy sets a higher appetite (e.g. "exceeds 9") must not have its
+  #    within-appetite changes gate-rejected.
+  #    Precedence: RISK_APPETITE env override > RISK-POLICY.md § Risk Appetite
+  #    parse > default 4. Default 4 reproduces the prior hardcoded `score >= 5`
+  #    behaviour exactly for integer scores (5 blocks, 4 passes) when the
+  #    policy is absent or unparseable. The parse is tolerant of the phrasings
+  #    "Threshold: N", "exceeds N", and "N/Low appetite", scoped to the
+  #    "## Risk Appetite" section. Cost ~3-8ms/invocation (ADR-065 § Consequences).
+  local DECISION
+  DECISION=$(RISK_SCORE_VAL="$SCORE" RISK_APPETITE_ENV="${RISK_APPETITE:-}" python3 -c "
+import os, re, sys
+try:
+    score = float(os.environ['RISK_SCORE_VAL'])
+except Exception:
+    print('no 4'); sys.exit(0)
+N = None
+override = os.environ.get('RISK_APPETITE_ENV', '').strip()
+if override.isdigit():
+    N = int(override)
+else:
+    try:
+        text = open('RISK-POLICY.md', encoding='utf-8').read()
+    except Exception:
+        text = ''
+    if text:
+        # Scope to the '## Risk Appetite' section so unrelated numbers
+        # elsewhere in the policy cannot match.
+        sec = re.search(r'##\s*Risk Appetite\s*(.*?)(?=\n##\s|\Z)', text, re.DOTALL | re.IGNORECASE)
+        scope = sec.group(1) if sec else text
+        for pat in (r'Threshold:\s*(\d+)', r'exceeds\s+(\d+)', r'(\d+)\s*/\s*Low appetite'):
+            m = re.search(pat, scope, re.IGNORECASE)
+            if m:
+                N = int(m.group(1)); break
+if N is None:
+    N = 4
+print(('yes' if score > N else 'no') + ' ' + str(N))
+" 2>/dev/null || echo "no 4")
+  local DENIED="${DECISION%% *}"
+  local APPETITE="${DECISION##* }"
 
   if [ "$DENIED" = "yes" ]; then
     RISK_GATE_CATEGORY="threshold"
     RISK_GATE_SCORE="$SCORE"
-    RISK_GATE_REASON="${ACTION} risk score ${SCORE}/25 (Medium or above). To proceed: (1) split the ${ACTION}, (2) add risk-reducing measures, or (3) for a LIVE INCIDENT, delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') with incident context for an incident bypass."
+    RISK_GATE_REASON="${ACTION} risk score ${SCORE}/25 exceeds the project appetite of ${APPETITE}/25 (RISK-POLICY.md). To proceed: (1) split the ${ACTION}, (2) add risk-reducing measures, or (3) for a LIVE INCIDENT, delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') with incident context for an incident bypass."
     return 1
   fi
 

package/hooks/test/external-comms-gate.bats

@@ -186,3 +186,29 @@ run_hook() {
   [[ "$output" == *"deny"* ]]
   [[ "$output" == *"wr-risk-scorer:external-comms"* ]]
 }
+
+# ---------------------------------------------------------------------------
+# P010 / ADR-028 amended 2026-05-25 — deny-after-PASS regression.
+# The gate sees the FULL Write content (YAML frontmatter + body) on the
+# changeset-author surface, but the mark hook keys the marker on the body
+# the agent wrapped in <draft>. Before the fix the gate hashed the full
+# content (incl. frontmatter), so the body-keyed PASS marker landed at a
+# key the gate never re-read → permanent deny-after-PASS. After the fix the
+# gate strips frontmatter before hashing, so a body-keyed marker permits.
+# ---------------------------------------------------------------------------
+
+@test "P010: changeset Write permits when the PASS marker is keyed on the <draft> body (frontmatter stripped before hash)" {
+  BODY="external-comms gate strips changeset frontmatter before key hash"
+  SURFACE="changeset-author"
+  # Marker keyed on the body the mark-hook helper derives from <draft> — for a
+  # frontmatter-free body the canonical key equals the raw printf-of-body key.
+  KEY=$(printf '%s\n%s' "$BODY" "$SURFACE" | shasum -a 256 | cut -d' ' -f1)
+  touch "${RDIR}/external-comms-risk-reviewed-${KEY}"
+
+  # The gate sees the full changeset file: frontmatter + blank line + body.
+  CONTENT=$'---\n"@windyroad/risk-scorer": patch\n---\n\n'"$BODY"
+  INPUT=$(build_write_input ".changeset/p010-fix.md" "$CONTENT")
+  run_hook "$INPUT"
+  [ "$status" -eq 0 ]
+  [ -z "$output" ]
+}

package/hooks/test/risk-gate.bats

@@ -17,6 +17,21 @@ setup() {
 
 teardown() {
   rm -rf "${TMPDIR:-/tmp}/claude-risk-${TEST_SESSION}"
+  [ -n "${POLICY_DIR:-}" ] && rm -rf "$POLICY_DIR"
+  unset RISK_APPETITE 2>/dev/null || true
+}
+
+# Write a RISK-POLICY.md whose § Risk Appetite carries $1 into a fresh temp
+# dir and cd into it, so check_risk_gate reads the appetite from cwd. Pass an
+# empty string to OMIT the file entirely (absent-policy default path).
+_use_policy() {
+  local appetite_section="$1"
+  POLICY_DIR=$(mktemp -d)
+  if [ -n "$appetite_section" ]; then
+    printf '# Risk Policy\n\n## Risk Appetite\n\n%s\n\n## Impact Levels\n| L | x |\n' \
+      "$appetite_section" > "$POLICY_DIR/RISK-POLICY.md"
+  fi
+  cd "$POLICY_DIR"
 }
 
 # Helper: call check_risk_gate directly (not via run) so RISK_GATE_REASON is visible
@@ -219,3 +234,79 @@ _write_matching_hash() {
   [ "$RISK_GATE_CATEGORY" = "threshold" ]
   [ "$RISK_GATE_SCORE" = "7" ]
 }
+
+# ---------------------------------------------------------------------------
+# P007 / ADR-065 — the block threshold is the project's RISK-POLICY.md risk
+# appetite (block when score > N), not a hardcoded 5. Default N=4 when the
+# policy is absent or unparseable, which reproduces the prior `score >= 5`
+# behaviour exactly for integer scores. Precedence: RISK_APPETITE env >
+# RISK-POLICY.md parse > default 4. (Behavioural fixtures per ADR-052.)
+# ---------------------------------------------------------------------------
+
+@test "appetite 9 (exceeds 9): score 7 within the 5-9 band PASSES" {
+  _use_policy 'Pipeline gates block when cumulative residual risk exceeds 9.'
+  printf '7' > "$SCORE_FILE"
+  rm -f "$HASH_FILE"
+  assert_gate_allows "$TEST_SESSION" "commit"
+}
+
+@test "appetite 9 (exceeds 9): score 10 above the band FAILS and deny renders the parsed appetite 9/25" {
+  _use_policy 'Pipeline gates block when cumulative residual risk exceeds 9.'
+  printf '10' > "$SCORE_FILE"
+  rm -f "$HASH_FILE"
+  assert_gate_denies "$TEST_SESSION" "commit" "appetite of 9/25"
+}
+
+@test "appetite via 'Threshold: 9' phrasing: score 9 PASSES, score 10 FAILS" {
+  _use_policy '**Threshold: 9 (Medium)**'
+  rm -f "$HASH_FILE"
+  printf '9' > "$SCORE_FILE"
+  assert_gate_allows "$TEST_SESSION" "commit"
+  printf '10' > "$SCORE_FILE"
+  assert_gate_denies "$TEST_SESSION" "commit" "10/25"
+}
+
+@test "appetite 4 (exceeds 4): score 4 PASSES, score 5 FAILS" {
+  _use_policy 'Pipeline gates block when cumulative residual risk exceeds 4.'
+  rm -f "$HASH_FILE"
+  printf '4' > "$SCORE_FILE"
+  assert_gate_allows "$TEST_SESSION" "commit"
+  printf '5' > "$SCORE_FILE"
+  assert_gate_denies "$TEST_SESSION" "commit" "appetite of 4/25"
+}
+
+@test "absent RISK-POLICY.md: defaults to appetite 4 (4 PASSES, 5 FAILS)" {
+  _use_policy ''   # no RISK-POLICY.md in the temp dir
+  rm -f "$HASH_FILE"
+  printf '4' > "$SCORE_FILE"
+  assert_gate_allows "$TEST_SESSION" "commit"
+  printf '5' > "$SCORE_FILE"
+  assert_gate_denies "$TEST_SESSION" "commit" "appetite of 4/25"
+}
+
+@test "unparseable RISK-POLICY.md (no appetite integer): defaults to appetite 4" {
+  _use_policy 'We are conservative about risk but state no number here.'
+  rm -f "$HASH_FILE"
+  printf '4' > "$SCORE_FILE"
+  assert_gate_allows "$TEST_SESSION" "commit"
+  printf '5' > "$SCORE_FILE"
+  assert_gate_denies "$TEST_SESSION" "commit" "appetite of 4/25"
+}
+
+@test "fractional score 4.5 FAILS under default appetite 4 (4.5 > 4)" {
+  _use_policy ''
+  rm -f "$HASH_FILE"
+  printf '4.5' > "$SCORE_FILE"
+  assert_gate_denies "$TEST_SESSION" "commit" "4.5/25"
+}
+
+@test "RISK_APPETITE env override takes precedence over RISK-POLICY.md parse" {
+  _use_policy 'Pipeline gates block when cumulative residual risk exceeds 4.'
+  rm -f "$HASH_FILE"
+  RISK_APPETITE=9
+  printf '7' > "$SCORE_FILE"
+  assert_gate_allows "$TEST_SESSION" "commit"
+  printf '10' > "$SCORE_FILE"
+  assert_gate_denies "$TEST_SESSION" "commit" "appetite of 9/25"
+  unset RISK_APPETITE
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@windyroad/risk-scorer",
-  "version": "0.10.3",
+  "version": "0.11.0-preview.387",
   "description": "Pipeline risk scoring, commit/push gates, and secret leak detection",
   "bin": {
     "windyroad-risk-scorer": "./bin/install.mjs"