@windyroad/risk-scorer 0.12.2 → 0.12.3-preview.546

package/.claude-plugin/plugin.json

@@ -310,5 +310,5 @@
     }
   },
   "name": "wr-risk-scorer",
-  "version": "0.12.2"
+  "version": "0.12.3"
 }

package/bin/wr-risk-scorer-restage-commit

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+# Generated by scripts/sync-shim-wrappers.sh from
+# packages/shared/lib/shim-wrapper-template.sh. DO NOT EDIT individual
+# shim files in packages/*/bin/wr-* directly; edit the template + run
+# `npm run sync:shim-wrappers` to regenerate.
+#
+# Resolution (ADR-080):
+#   1. If the wrapper's parent dir is semver-shaped, treat as installed-
+#      cache execution and resolve to the highest-version sibling's
+#      scripts/ entry below.
+#   2. Otherwise (parent dir is e.g. `architect`), treat as source-
+#      monorepo execution and dispatch to own scripts/. The source-repo-
+#      guard `exec` is the anchor parsed by
+#      packages/retrospective/scripts/check-tarball-shipped-shims.sh.
+#   3. If the cache parent contains zero semver-shaped siblings, exit
+#      127 with a stderr message naming the cache parent (per SQ-080-2).
+#
+# @adr ADR-080 (highest-version-wins shim wrapper plugin scaffold)
+# @adr ADR-049 (plugin-bundled scripts resolve via bin/ on $PATH — amended)
+# @problem P343 (mid-session staleness window)
+
+set -euo pipefail
+
+SHIM_DIR="$(cd "$(dirname "$0")" && pwd)"
+OWN_VERSION_DIR="$(dirname "$SHIM_DIR")"
+OWN_VERSION_NAME="$(basename "$OWN_VERSION_DIR")"
+CACHE_PARENT="$(dirname "$OWN_VERSION_DIR")"
+
+SEMVER_RE='^[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.-]+)?$'
+
+# Source-repo guard: own parent dir is NOT semver → dispatch to own scripts/.
+if ! [[ "$OWN_VERSION_NAME" =~ $SEMVER_RE ]]; then
+  exec "$SHIM_DIR/../scripts/restage-commit.sh" "$@"
+fi
+
+# Cache execution: pick the highest-semver sibling under CACHE_PARENT.
+HIGHEST=""
+while IFS= read -r dir; do
+  name="$(basename "$dir")"
+  [[ "$name" =~ $SEMVER_RE ]] || continue
+  if [[ -z "$HIGHEST" ]] || [[ "$(printf '%s\n%s\n' "$HIGHEST" "$name" | sort -V | tail -1)" == "$name" ]]; then
+    HIGHEST="$name"
+  fi
+done < <(find "$CACHE_PARENT" -mindepth 1 -maxdepth 1 -type d 2>/dev/null)
+
+if [[ -z "$HIGHEST" ]]; then
+  printf 'wr-shim: no cached versions in %s\n' "$CACHE_PARENT" >&2
+  exit 127
+fi
+
+exec "$CACHE_PARENT/$HIGHEST/scripts/restage-commit.sh" "$@"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@windyroad/risk-scorer",
-  "version": "0.12.2",
+  "version": "0.12.3-preview.546",
   "description": "Pipeline risk scoring, commit/push gates, and secret leak detection",
   "bin": {
     "windyroad-risk-scorer": "./bin/install.mjs"

package/scripts/restage-commit.sh

@@ -0,0 +1,121 @@
+#!/usr/bin/env bash
+# packages/risk-scorer/scripts/restage-commit.sh
+#
+# Atomic re-stage-and-commit helper for the ADR-014 commit-gate flow.
+#
+# After the caller delegates to `wr-risk-scorer:pipeline` via the Agent tool
+# (or invokes `/wr-risk-scorer:assess-release`), the Agent-tool boundary
+# sometimes clears the parent index — a previously-staged set comes back as
+# `Changes not staged for commit` and the subsequent `git commit` fails with
+# "no changes added to commit" (P326). The workaround is a re-`git add` before
+# the commit; this helper bundles the re-add + commit into a single atomic call
+# so the SKILL.md surface no longer documents the double-tap.
+#
+# Surface:
+#   wr-risk-scorer-restage-commit -m "<msg>" [-m "<trailer>"] -- <path1> [<path2>...]
+#
+# Behaviour:
+#   - Accumulates all -m flags (repeatable; supports RISK_BYPASS-style trailers).
+#   - Requires `--` separator before paths (P326 grammar — avoids the path-vs-flag
+#     ambiguity when a path begins with `-`).
+#   - Runs `git add -- <paths>` (propagates `git add` exit code on bad paths).
+#   - Asserts the cached diff is non-empty (`git diff --cached --name-only`); exits
+#     1 if nothing got staged, so the caller sees the empty-stage condition rather
+#     than committing an empty-or-misordered set.
+#   - Runs `git commit "${msg_args[@]}"` with the accumulated -m flags.
+#
+# Exit codes:
+#   0 — commit landed
+#   1 — usage error (missing -m, missing --, no paths) OR empty staging
+#   non-zero — propagated from `git add` or `git commit`
+#
+# @adr ADR-014 (governance skills commit their own work)
+# @adr ADR-049 (resolved via bin/wr-risk-scorer-restage-commit shim)
+# @adr ADR-052 (behavioural-fixture coverage at scripts/test/restage-commit.bats)
+# @problem P326 (staged index cleared after risk-scorer pipeline delegation)
+# @problem P057 (git mv + Edit re-stage discipline — composes with this helper)
+
+set -uo pipefail
+
+usage() {
+  cat >&2 <<'USAGE'
+Usage: wr-risk-scorer-restage-commit -m "<msg>" [-m "<trailer>"] -- <path1> [<path2>...]
+
+Atomic re-stage-and-commit after a wr-risk-scorer:pipeline Agent-tool delegation.
+At least one -m flag is required. The `--` separator is mandatory before paths.
+
+Examples:
+  wr-risk-scorer-restage-commit -m "docs(problems): open P999 widget" -- docs/problems/open/999-widget.md docs/problems/README.md
+
+  wr-risk-scorer-restage-commit \
+    -m "docs(problems): capture P999 widget" \
+    -m "RISK_BYPASS: capture-deferred-readme" \
+    -- docs/problems/open/999-widget.md
+USAGE
+}
+
+msg_args=()
+saw_separator=0
+paths=()
+
+while [ "$#" -gt 0 ]; do
+  case "$1" in
+    -m)
+      if [ "$#" -lt 2 ]; then
+        echo "ERROR: -m requires a message argument" >&2
+        usage
+        exit 1
+      fi
+      msg_args+=( -m "$2" )
+      shift 2
+      ;;
+    --)
+      saw_separator=1
+      shift
+      while [ "$#" -gt 0 ]; do
+        paths+=( "$1" )
+        shift
+      done
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "ERROR: unexpected argument '$1' — paths must follow a '--' separator" >&2
+      usage
+      exit 1
+      ;;
+  esac
+done
+
+if [ "${#msg_args[@]}" -eq 0 ]; then
+  echo "ERROR: at least one -m message flag is required" >&2
+  usage
+  exit 1
+fi
+
+if [ "$saw_separator" -eq 0 ]; then
+  echo "ERROR: missing '--' separator before paths" >&2
+  usage
+  exit 1
+fi
+
+if [ "${#paths[@]}" -eq 0 ]; then
+  echo "ERROR: no paths supplied after '--'" >&2
+  usage
+  exit 1
+fi
+
+git add -- "${paths[@]}"
+ADD_STATUS=$?
+if [ "$ADD_STATUS" -ne 0 ]; then
+  exit "$ADD_STATUS"
+fi
+
+if [ -z "$(git diff --cached --name-only)" ]; then
+  echo "ERROR: nothing staged after re-add — supplied paths produced an empty index diff" >&2
+  exit 1
+fi
+
+git commit "${msg_args[@]}"

package/scripts/test/restage-commit.bats

@@ -0,0 +1,137 @@
+#!/usr/bin/env bats
+# Behavioural-fixture coverage for packages/risk-scorer/scripts/restage-commit.sh
+# per ADR-052 (behavioural tests default) and P326 (re-stage-after-scorer-delegation).
+#
+# The script is invoked AFTER the agent delegates to wr-risk-scorer:pipeline
+# to land the commit atomically — re-stages paths the Agent-tool boundary cleared
+# from the index, asserts staging is non-empty, then runs `git commit` with the
+# caller's -m args. Eliminates the silent re-add round-trip P326 documented.
+#
+# Surface:
+#   wr-risk-scorer-restage-commit -m "<msg>" [-m "<trailer>"] -- <path1> [<path2>...]
+
+setup() {
+  REPO_ROOT="$(cd "$(dirname "$BATS_TEST_FILENAME")/../../../.." && pwd)"
+  SCRIPT="$REPO_ROOT/packages/risk-scorer/scripts/restage-commit.sh"
+  SHIM="$REPO_ROOT/packages/risk-scorer/bin/wr-risk-scorer-restage-commit"
+  WORK_DIR="$(mktemp -d)"
+  cd "$WORK_DIR"
+  git init --quiet
+  git config user.email "restage-test@example.com"
+  git config user.name "Restage Test"
+  git config commit.gpgsign false
+  git commit --quiet --allow-empty -m "init"
+}
+
+teardown() {
+  cd /
+  rm -rf "$WORK_DIR"
+}
+
+@test "shim wrapper exists and is executable" {
+  [ -x "$SHIM" ]
+}
+
+@test "shim resolves canonical script (not exit 127)" {
+  echo "seed" > seed.txt
+  run "$SHIM" -m "test" -- seed.txt
+  [ "$status" -ne 127 ]
+}
+
+@test "single path: re-stages and commits (the P326 happy path)" {
+  echo "content" > file.txt
+  run bash "$SCRIPT" -m "test: commit file" -- file.txt
+  [ "$status" -eq 0 ]
+  run git log -1 --name-only --format=
+  echo "$output" | grep -q '^file\.txt$'
+}
+
+@test "multi-path: re-stages all paths and commits them in one commit" {
+  echo "a" > a.txt
+  echo "b" > b.txt
+  echo "c" > c.txt
+  run bash "$SCRIPT" -m "test: multi" -- a.txt b.txt c.txt
+  [ "$status" -eq 0 ]
+  run git log -1 --name-only --format=
+  echo "$output" | grep -q '^a\.txt$'
+  echo "$output" | grep -q '^b\.txt$'
+  echo "$output" | grep -q '^c\.txt$'
+}
+
+@test "multiple -m flags pass through (trailer like RISK_BYPASS)" {
+  echo "x" > x.txt
+  run bash "$SCRIPT" \
+    -m "docs(problems): capture P999 test" \
+    -m "RISK_BYPASS: capture-deferred-readme" \
+    -- x.txt
+  [ "$status" -eq 0 ]
+  run git log -1 --format=%B
+  echo "$output" | grep -q '^docs(problems): capture P999 test'
+  echo "$output" | grep -q 'RISK_BYPASS: capture-deferred-readme'
+}
+
+@test "missing -m flag → exit 1, no commit" {
+  echo "x" > x.txt
+  run bash "$SCRIPT" -- x.txt
+  [ "$status" -ne 0 ]
+  echo "$output" | grep -qi 'message\|usage'
+  run git log --oneline
+  [ "$(echo "$output" | wc -l | tr -d ' ')" = "1" ]
+}
+
+@test "missing -- separator → exit 1" {
+  echo "x" > x.txt
+  run bash "$SCRIPT" -m "test" x.txt
+  [ "$status" -ne 0 ]
+  echo "$output" | grep -qi 'separator\|usage'
+}
+
+@test "no paths after -- → exit 1, no commit" {
+  run bash "$SCRIPT" -m "test" --
+  [ "$status" -ne 0 ]
+  echo "$output" | grep -qi 'path\|usage'
+  run git log --oneline
+  [ "$(echo "$output" | wc -l | tr -d ' ')" = "1" ]
+}
+
+@test "nothing staged after re-add → exit 1, no commit (e.g. unchanged file)" {
+  echo "tracked" > tracked.txt
+  git add tracked.txt
+  git commit --quiet -m "seed tracked"
+  run bash "$SCRIPT" -m "test: should fail" -- tracked.txt
+  [ "$status" -ne 0 ]
+  echo "$output" | grep -qi 'nothing staged\|empty'
+  run git log --oneline
+  [ "$(echo "$output" | wc -l | tr -d ' ')" = "2" ]
+}
+
+@test "path that doesn't exist → exit non-zero (git add propagates)" {
+  run bash "$SCRIPT" -m "test" -- nonexistent.txt
+  [ "$status" -ne 0 ]
+}
+
+@test "rename via git mv survives the re-stage-and-commit (P057 + P326 compose)" {
+  echo "v1" > orig.md
+  git add orig.md
+  git commit --quiet -m "seed"
+  git mv orig.md renamed.md
+  echo "v2" >> renamed.md
+  run bash "$SCRIPT" -m "test: rename+edit" -- renamed.md
+  [ "$status" -eq 0 ]
+  run git log -1 --name-only --format=
+  echo "$output" | grep -q '^renamed\.md$'
+  [ ! -f orig.md ]
+  run cat renamed.md
+  echo "$output" | grep -q 'v2'
+}
+
+@test "doesn't touch unrelated unstaged changes" {
+  echo "subject" > subject.txt
+  echo "bystander" > bystander.txt
+  run bash "$SCRIPT" -m "test: subject only" -- subject.txt
+  [ "$status" -eq 0 ]
+  run git status --porcelain bystander.txt
+  echo "$output" | grep -q '^?? bystander\.txt'
+  run git log -1 --name-only --format=
+  ! echo "$output" | grep -q '^bystander\.txt$'
+}