@windyroad/risk-scorer 0.12.7-preview.598 → 0.12.8-preview.617

package/.claude-plugin/plugin.json

@@ -310,5 +310,5 @@
     }
   },
   "name": "wr-risk-scorer",
-  "version": "0.12.7"
+  "version": "0.12.8"
 }

package/hooks/git-push-gate.sh

@@ -36,10 +36,23 @@ fi
 if echo "$COMMAND" | grep -qE '(^|;|&&|\|\|)\s*npm run push:watch(\s|$)'; then
     if [ -n "$SESSION_ID" ]; then
         RDIR=$(_risk_dir "$SESSION_ID")
-        # Risk-reducing/neutral bypass for push
+        # Risk-reducing/neutral bypass for push — session-scoped, drift-
+        # revalidated (P192). Persists across multiple push attempts while
+        # pipeline-state hash matches and TTL is unexpired; consumed on
+        # drift or TTL expiry. Symmetric with the commit-gate change above.
         if [ -f "${RDIR}/reducing-push" ]; then
+            NOW=$(date +%s)
+            MARK_TIME=$(_mtime "${RDIR}/reducing-push")
+            AGE=$(( NOW - MARK_TIME ))
+            TTL_SECONDS="${RISK_TTL:-3600}"
+            if [ "$AGE" -lt "$TTL_SECONDS" ] && [ -f "${RDIR}/state-hash" ]; then
+                STORED_HASH=$(cat "${RDIR}/state-hash")
+                CURRENT_HASH=$("$SCRIPT_DIR/lib/pipeline-state.sh" --hash-inputs 2>/dev/null | _hashcmd | cut -d' ' -f1)
+                if [ "$STORED_HASH" = "$CURRENT_HASH" ]; then
+                    exit 0
+                fi
+            fi
             rm -f "${RDIR}/reducing-push"
-            exit 0
         fi
         # Clean tree bypass: if no uncommitted changes, pushing existing commits is safe
         if [ -f "${RDIR}/clean" ]; then
@@ -99,10 +112,21 @@ if echo "$COMMAND" | grep -qE '(^|;|&&|\|\|)\s*npm run release:watch(\s|$)'; the
             rm -f "${RDIR}/incident-release"
             exit 0
         fi
-        # Risk-reducing bypass for release
+        # Risk-reducing bypass for release — session-scoped, drift-
+        # revalidated (P192). Same lifecycle as reducing-push above.
         if [ -f "${RDIR}/reducing-release" ]; then
+            NOW=$(date +%s)
+            MARK_TIME=$(_mtime "${RDIR}/reducing-release")
+            AGE=$(( NOW - MARK_TIME ))
+            TTL_SECONDS="${RISK_TTL:-3600}"
+            if [ "$AGE" -lt "$TTL_SECONDS" ] && [ -f "${RDIR}/state-hash" ]; then
+                STORED_HASH=$(cat "${RDIR}/state-hash")
+                CURRENT_HASH=$("$SCRIPT_DIR/lib/pipeline-state.sh" --hash-inputs 2>/dev/null | _hashcmd | cut -d' ' -f1)
+                if [ "$STORED_HASH" = "$CURRENT_HASH" ]; then
+                    exit 0
+                fi
+            fi
             rm -f "${RDIR}/reducing-release"
-            exit 0
         fi
         # CI-status precondition (P208): a green CI run on the target
         # branch is required before shipping. Fail-closed on gh errors.

package/hooks/hooks.json

@@ -16,7 +16,7 @@
       { "matcher": "Edit|Write", "hooks": [{ "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/wip-risk-mark.sh" }] },
       { "matcher": "Agent", "hooks": [{ "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/risk-score-mark.sh" }] },
       { "matcher": "Bash", "hooks": [{ "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/risk-hash-refresh.sh" }] },
-      { "matcher": "Agent|Bash", "hooks": [{ "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/risk-slide-marker.sh" }] }
+      { "matcher": "Agent|Bash|Skill", "hooks": [{ "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/risk-slide-marker.sh" }] }
     ]
   }
 }

package/hooks/risk-score-commit-gate.sh

@@ -64,10 +64,25 @@ if [ -f "${RDIR}/clean" ]; then
     exit 0
 fi
 
-# Risk-reducing/neutral bypass
+# Risk-reducing/neutral bypass — session-scoped, drift-revalidated (P192).
+# Preserved across multiple commits while pipeline-state hash matches and
+# TTL is unexpired; consumed on drift or TTL expiry so a genuine risk-
+# profile change forces a fresh wr-risk-scorer:pipeline rescore. Mirrors
+# the clean-marker persist-until-drift precedent (above) — distinct from
+# incident-release / ci-bypass, which remain deliberate one-time overrides.
 if [ -f "${RDIR}/reducing-commit" ]; then
+    NOW=$(date +%s)
+    MARK_TIME=$(_mtime "${RDIR}/reducing-commit")
+    AGE=$(( NOW - MARK_TIME ))
+    TTL_SECONDS="${RISK_TTL:-3600}"
+    if [ "$AGE" -lt "$TTL_SECONDS" ] && [ -f "${RDIR}/state-hash" ]; then
+        STORED_HASH=$(cat "${RDIR}/state-hash")
+        CURRENT_HASH=$("$SCRIPT_DIR/lib/pipeline-state.sh" --hash-inputs 2>/dev/null | _hashcmd | cut -d' ' -f1)
+        if [ "$STORED_HASH" = "$CURRENT_HASH" ]; then
+            exit 0
+        fi
+    fi
     rm -f "${RDIR}/reducing-commit"
-    exit 0
 fi
 
 # Gate check: existence, TTL, drift, threshold

package/hooks/risk-slide-marker.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Risk Scorer - PostToolUse:Agent|Bash slide-marker hook (P111).
+# Risk Scorer - PostToolUse:Agent|Bash|Skill slide-marker hook (P111 + P213).
 # Slides the parent session's existing risk score files forward on
 # subprocess return, treating subprocess wall-clock as continuous parent-
 # session work for TTL purposes. Only TOUCHES existing score files — never

package/hooks/test/reducing-marker-persistence.bats

@@ -0,0 +1,236 @@
+#!/usr/bin/env bats
+# P192: Risk-reducing/within-appetite bypass markers (`reducing-commit`,
+# `reducing-push`, `reducing-release`) must persist across multiple commits/
+# pushes/releases within the standard TTL window AS LONG AS the pipeline-state
+# hash still matches what was scored — eliminating the per-commit re-mint
+# round-trip that drives the 3+-rescores-per-session friction. Drift or TTL
+# expiry consumes the marker and forces a fresh `wr-risk-scorer:pipeline`
+# rescore. `incident-release` remains single-use (deliberate one-time
+# override).
+#
+# Behavioural contract:
+#   (a) reducing-* marker exists + tree hash matches stored state-hash + TTL
+#       not expired → gate allows AND marker persists (reusable).
+#   (b) reducing-* marker exists + tree hash differs from state-hash → marker
+#       consumed, gate falls through to check_risk_gate (which denies on
+#       drift or missing score).
+#   (c) reducing-* marker exists + TTL expired (relative to marker mtime) →
+#       marker consumed, gate falls through.
+#   (d) incident-release marker stays single-use (unchanged behaviour) —
+#       regression guard.
+#
+# Tests invoke the gate hooks directly (script + stdin JSON), the way the
+# Claude Code hook runtime calls them.
+
+setup() {
+  HOOKS_DIR="$(cd "$(dirname "$BATS_TEST_FILENAME")/.." && pwd)"
+  COMMIT_GATE="$HOOKS_DIR/risk-score-commit-gate.sh"
+  PUSH_GATE="$HOOKS_DIR/git-push-gate.sh"
+
+  TEST_SESSION="bats-p192-$$-${BATS_TEST_NUMBER}"
+  RDIR="${TMPDIR:-/tmp}/claude-risk-${TEST_SESSION}"
+  rm -rf "$RDIR"
+  mkdir -p "$RDIR"
+
+  # Minimal git repo so pipeline-state.sh --hash-inputs produces a stable
+  # tree hash (git stash create needs a real repo).
+  TMP_REPO="$(mktemp -d)"
+  cd "$TMP_REPO"
+  git init -q -b main
+  git config user.email "test@example.com"
+  git config user.name "Test"
+  cat > RISK-POLICY.md <<EOF
+# Risk Policy
+
+Last reviewed: $(date -u +%Y-%m-%d)
+
+## Risk Appetite
+
+Pipeline gates block when cumulative residual risk exceeds 4.
+EOF
+  git add RISK-POLICY.md
+  git commit -q -m "initial"
+
+  # Default short TTL so we can exercise expiry without slow tests.
+  export RISK_TTL=5
+}
+
+teardown() {
+  rm -rf "$RDIR"
+  rm -rf "$TMP_REPO"
+  unset RISK_TTL 2>/dev/null || true
+}
+
+# Compute the current pipeline-state hash the same way the gate does
+_current_hash() {
+  bash -c "
+    source '$HOOKS_DIR/lib/gate-helpers.sh'
+    '$HOOKS_DIR/lib/pipeline-state.sh' --hash-inputs 2>/dev/null | _hashcmd | cut -d' ' -f1
+  "
+}
+
+# Portable backdate by N seconds
+_backdate() {
+  local file="$1" seconds="$2"
+  local stamp
+  stamp=$(date -v-${seconds}S +%Y%m%d%H%M.%S 2>/dev/null \
+       || date -d "${seconds} seconds ago" +%Y%m%d%H%M.%S 2>/dev/null)
+  touch -t "$stamp" "$file"
+}
+
+invoke_commit_gate() {
+  local cmd="$1"
+  local input
+  input=$(python3 -c "
+import json, sys
+print(json.dumps({
+  'tool_name': 'Bash',
+  'tool_input': {'command': sys.argv[1]},
+  'session_id': sys.argv[2],
+}))
+" "$cmd" "$TEST_SESSION")
+  echo "$input" | bash "$COMMIT_GATE"
+}
+
+invoke_push_gate() {
+  local cmd="$1"
+  local input
+  input=$(python3 -c "
+import json, sys
+print(json.dumps({
+  'tool_name': 'Bash',
+  'tool_input': {'command': sys.argv[1]},
+  'session_id': sys.argv[2],
+}))
+" "$cmd" "$TEST_SESSION")
+  echo "$input" | bash "$PUSH_GATE"
+}
+
+# ---------------------------------------------------------------------------
+# Commit gate — reducing-commit persistence
+# ---------------------------------------------------------------------------
+
+@test "reducing-commit marker persists when tree hash matches stored state-hash" {
+  HASH=$(_current_hash)
+  echo "$HASH" > "$RDIR/state-hash"
+  touch "$RDIR/reducing-commit"
+
+  run invoke_commit_gate 'git commit -m "x"'
+  [ "$status" -eq 0 ]
+  [[ "$output" != *"deny"* ]]
+
+  # Marker MUST still exist after a successful allow — this is the load-
+  # bearing behaviour change.
+  [ -f "$RDIR/reducing-commit" ]
+}
+
+@test "reducing-commit marker survives back-to-back commits (no rescore round-trip)" {
+  HASH=$(_current_hash)
+  echo "$HASH" > "$RDIR/state-hash"
+  touch "$RDIR/reducing-commit"
+
+  # Three sequential allows — current single-use marker consumes on first,
+  # leaving #2 and #3 to fall through to check_risk_gate (which denies on
+  # missing score). New persistent-within-TTL contract: all three pass.
+  run invoke_commit_gate 'git commit -m "1"'; [ "$status" -eq 0 ]; [[ "$output" != *"deny"* ]]
+  run invoke_commit_gate 'git commit -m "2"'; [ "$status" -eq 0 ]; [[ "$output" != *"deny"* ]]
+  run invoke_commit_gate 'git commit -m "3"'; [ "$status" -eq 0 ]; [[ "$output" != *"deny"* ]]
+
+  [ -f "$RDIR/reducing-commit" ]
+}
+
+@test "reducing-commit marker is consumed when tree hash drifts from stored state-hash" {
+  echo "stale-hash-value-from-prior-tree" > "$RDIR/state-hash"
+  touch "$RDIR/reducing-commit"
+
+  run invoke_commit_gate 'git commit -m "x"'
+  # Marker MUST be consumed when drift detected.
+  [ ! -f "$RDIR/reducing-commit" ]
+}
+
+@test "reducing-commit marker is consumed when TTL has expired" {
+  HASH=$(_current_hash)
+  echo "$HASH" > "$RDIR/state-hash"
+  touch "$RDIR/reducing-commit"
+  _backdate "$RDIR/reducing-commit" 10  # TTL is 5
+
+  run invoke_commit_gate 'git commit -m "x"'
+  # TTL-expired marker MUST be consumed and the gate must NOT silently allow
+  # purely on marker presence.
+  [ ! -f "$RDIR/reducing-commit" ]
+}
+
+@test "reducing-commit marker without state-hash file is consumed (no invariance proof)" {
+  rm -f "$RDIR/state-hash"
+  touch "$RDIR/reducing-commit"
+
+  run invoke_commit_gate 'git commit -m "x"'
+  # No way to verify tree-invariance → consume the marker rather than ride it.
+  [ ! -f "$RDIR/reducing-commit" ]
+}
+
+# ---------------------------------------------------------------------------
+# Push gate — reducing-push persistence
+# ---------------------------------------------------------------------------
+
+@test "reducing-push marker persists when tree hash matches stored state-hash" {
+  HASH=$(_current_hash)
+  echo "$HASH" > "$RDIR/state-hash"
+  touch "$RDIR/reducing-push"
+
+  run invoke_push_gate 'npm run push:watch'
+  [ "$status" -eq 0 ]
+  [[ "$output" != *"deny"* ]]
+
+  [ -f "$RDIR/reducing-push" ]
+}
+
+@test "reducing-push marker is consumed when tree hash drifts" {
+  echo "stale-hash" > "$RDIR/state-hash"
+  touch "$RDIR/reducing-push"
+
+  run invoke_push_gate 'npm run push:watch'
+  [ ! -f "$RDIR/reducing-push" ]
+}
+
+# ---------------------------------------------------------------------------
+# Release gate — reducing-release persistence
+# ---------------------------------------------------------------------------
+
+@test "reducing-release marker persists when tree hash matches stored state-hash" {
+  HASH=$(_current_hash)
+  echo "$HASH" > "$RDIR/state-hash"
+  touch "$RDIR/reducing-release"
+
+  run invoke_push_gate 'npm run release:watch'
+  [ "$status" -eq 0 ]
+  [[ "$output" != *"deny"* ]]
+
+  [ -f "$RDIR/reducing-release" ]
+}
+
+@test "reducing-release marker is consumed when tree hash drifts" {
+  echo "stale-hash" > "$RDIR/state-hash"
+  touch "$RDIR/reducing-release"
+
+  run invoke_push_gate 'npm run release:watch'
+  [ ! -f "$RDIR/reducing-release" ]
+}
+
+# ---------------------------------------------------------------------------
+# incident-release — single-use regression guard
+# ---------------------------------------------------------------------------
+
+@test "incident-release marker REMAINS single-use (regression guard)" {
+  HASH=$(_current_hash)
+  echo "$HASH" > "$RDIR/state-hash"
+  touch "$RDIR/incident-release"
+
+  run invoke_push_gate 'npm run release:watch'
+  [ "$status" -eq 0 ]
+  [[ "$output" != *"deny"* ]]
+
+  # incident bypass is a deliberate one-time override — must be consumed
+  # even when tree hash matches.
+  [ ! -f "$RDIR/incident-release" ]
+}

package/hooks/test/slide-marker-on-subprocess-return.bats

@@ -98,3 +98,21 @@ _backdate() {
   # Fail-safe: when the hook input cannot be parsed, treat as error and skip
   [ "$BEFORE" = "$AFTER" ]
 }
+
+@test "slide: triggers correctly on Skill tool_response shape (P213, ADR-009 2026-06-08 amendment)" {
+  # hooks.json matcher expansion Agent|Bash → Agent|Bash|Skill (P213 Option D)
+  # widens slide-marker coverage to PostToolUse:Skill completions (e.g. the
+  # /wr-risk-scorer:assess-* sibling assessor SKILLs run as long subprocesses
+  # by the AFK orchestrator). The Skill tool_response shape is identical to
+  # Agent|Bash (Claude Code's uniform PostToolUse contract), so the matcher-
+  # agnostic helper composes without code changes. This test documents that
+  # contract explicitly so a future hook_input shape divergence regression
+  # surfaces here rather than at the gate-denial site.
+  touch "$MARKER"
+  _backdate "$MARKER" 60
+  BEFORE=$(_mtime "$MARKER")
+  _HOOK_INPUT='{"tool_name":"Skill","tool_response":{"content":[{"type":"text","text":"OK"}]}}'
+  slide_marker_on_subprocess_return "$MARKER"
+  AFTER=$(_mtime "$MARKER")
+  [ "$AFTER" -gt "$BEFORE" ]
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@windyroad/risk-scorer",
-  "version": "0.12.7-preview.598",
+  "version": "0.12.8-preview.617",
   "description": "Pipeline risk scoring, commit/push gates, and secret leak detection",
   "bin": {
     "windyroad-risk-scorer": "./bin/install.mjs"