@windyroad/risk-scorer 0.2.0 → 0.2.1-preview.70

package/README.md

@@ -0,0 +1,74 @@
+# @windyroad/risk-scorer
+
+**Pipeline risk scoring, commit/push gates, and secret leak detection for Claude Code.** Scores every change for risk and blocks high-risk commits and pushes before they happen.
+
+Part of [Windy Road Agent Plugins](../../README.md).
+
+## What It Does
+
+The risk-scorer plugin brings ISO 31000-aligned risk management to your AI coding workflow. It:
+
+1. **Scores risk** on every edit, assessing cumulative pipeline risk as changes build up
+2. **Gates commits** -- blocks `git commit` when cumulative risk exceeds your policy threshold
+3. **Gates pushes** -- blocks `git push` for high-risk changesets (use `npm run push:watch` instead)
+4. **Detects secrets** -- scans edits for API keys, tokens, passwords, and other credentials before they're written
+5. **Reviews plans** -- scores implementation plans for risk before you start building
+
+All thresholds are configurable through your project's `RISK-POLICY.md`.
+
+## Install
+
+```bash
+npx @windyroad/risk-scorer
+```
+
+Restart Claude Code after installing.
+
+## Usage
+
+The plugin works automatically once installed. On first run in a project without a risk policy, it blocks edits and directs you to generate one:
+
+```
+/wr-risk-scorer:update-policy
+```
+
+This creates a `RISK-POLICY.md` tailored to your project, defining impact levels, likelihood scales, risk appetite, and the risk matrix -- all aligned to ISO 31000.
+
+## How It Works
+
+| Hook | Trigger | What it does |
+|------|---------|-------------|
+| `risk-score.sh` | Every prompt | Injects risk scoring context |
+| `secret-leak-gate.sh` | Edit or Write | Blocks writes containing secrets |
+| `wip-risk-gate.sh` | Edit or Write | Blocks edits if WIP risk hasn't been assessed |
+| `risk-policy-enforce-edit.sh` | Edit or Write | Blocks edits if no `RISK-POLICY.md` exists |
+| `git-push-gate.sh` | Bash (git push) | Blocks direct `git push`; requires `npm run push:watch` |
+| `risk-score-commit-gate.sh` | Bash (git commit) | Blocks commits when risk exceeds threshold |
+| `risk-score-plan-enforce.sh` | ExitPlanMode | Ensures plans are risk-scored before execution |
+| `plan-risk-guidance.sh` | EnterPlanMode | Injects risk guidance into plan mode |
+| `wip-risk-mark.sh` | After edit | Records WIP risk assessment |
+| `risk-score-mark.sh` | Agent completes | Marks risk review as done |
+| `risk-hash-refresh.sh` | After Bash | Refreshes content hashes |
+
+## Agents
+
+The plugin includes five specialised agents:
+
+| Agent | Purpose |
+|-------|---------|
+| `wr-risk-scorer:agent` | Routes to the appropriate mode-specific agent |
+| `wr-risk-scorer:wip` | Assesses cumulative risk after each edit |
+| `wr-risk-scorer:pipeline` | Scores pipeline actions (commit, push, release) |
+| `wr-risk-scorer:plan` | Reviews implementation plans for risk |
+| `wr-risk-scorer:policy` | Validates `RISK-POLICY.md` for ISO 31000 compliance |
+
+## Updating and Uninstalling
+
+```bash
+npx @windyroad/risk-scorer --update
+npx @windyroad/risk-scorer --uninstall
+```
+
+## Licence
+
+[MIT](../../LICENSE)

package/agents/pipeline.md

@@ -98,18 +98,35 @@ Assess whether each action is risk-reducing, risk-neutral, or risk-increasing. I
 
 For live incidents (outage, security, information disclosure), include `RISK_BYPASS: incident`.
 
-## Downstream Back-Pressure
+## Below-Appetite Output Rule (ADR-013 Rule 5)
 
-- **Commit**: If adding this commit would push the push queue risk >= 5, warn.
-- **Push**: If pushing would push the release queue risk >= 5, warn.
+When ALL cumulative scores are within appetite (≤ 4 per RISK-POLICY.md), your output MUST contain ONLY:
+1. The Pipeline Risk Report structure (layers, risk items, summary table)
+2. `RISK_SCORES: commit=N push=N release=N`
+3. `RISK_BYPASS: reducing` (if applicable)
 
-## Confidential Information Disclosure
+Do NOT emit: "Suggested Actions", "Your call:", advisory warnings, back-pressure notes, or any prose that implies the user needs to make a decision. Policy-authorised releases proceed silently.
 
-Check diffs for business metrics (revenue, user counts, pricing, traffic volumes). Flag as a standalone risk if found.
+## Above-Appetite Remediations
+
+When ANY cumulative score exceeds appetite (> 4), emit a structured `RISK_REMEDIATIONS:` block after the `RISK_SCORES:` line. This gives the calling skill machine-readable input for structured decision prompts.
+
+Format:
+```
+RISK_REMEDIATIONS:
+- R1 | <description of remediation> | <files affected>
+- R2 | <description of remediation> | <files affected>
+```
+
+Include downstream back-pressure in the remediation list:
+- **Commit**: If adding this commit would push the push queue risk >= 5, include a remediation to split the commit.
+- **Push**: If pushing would push the release queue risk >= 5, include a remediation to release first.
 
-## Suggested Actions
+Do NOT emit free-text "Your call:" or "consider splitting" prose. The structured `RISK_REMEDIATIONS:` block is the only output for above-appetite guidance.
 
-If any cumulative risk >= 5, suggest specific actions referencing which layer is driving the risk.
+## Confidential Information Disclosure
+
+Check diffs for business metrics (revenue, user counts, pricing, traffic volumes). Flag as a standalone risk if found.
 
 ## Report History
 

package/agents/plan.md

@@ -22,8 +22,8 @@ You are the Risk Scorer in plan review mode. Assess both the plan's own risk AND
 
 ## Verdict Logic
 
-- **PASS** if both the plan's own residual risk AND projected release risk are within appetite
-- **FAIL** if either exceeds appetite — explain which and what the plan should include
+- **PASS** if both the plan's own residual risk AND projected release risk are within appetite. Do NOT emit advisory prose, suggestions, or "consider" recommendations on PASS — the plan is policy-authorised (ADR-013 Rule 5).
+- **FAIL** if either exceeds appetite — emit a structured `RISK_REMEDIATIONS:` block (see below) explaining which dimension failed and what the plan should include.
 
 ## Output Format
 
@@ -49,6 +49,14 @@ You are the Risk Scorer in plan review mode. Assess both the plan's own risk AND
 
 End your report with `RISK_VERDICT: PASS` or `RISK_VERDICT: FAIL` on its own line. A PostToolUse hook reads this and writes the marker files — do NOT write files yourself.
 
+On FAIL, emit a structured `RISK_REMEDIATIONS:` block after the verdict:
+```
+RISK_REMEDIATIONS:
+- R1 | <description of what the plan must add/change> | <affected area>
+```
+
+Do NOT emit free-text "consider" or "you should" prose. The structured block is the only output for above-appetite guidance.
+
 ## Control Discovery
 
 For each control claimed to reduce risk:

package/agents/wip.md

@@ -45,15 +45,25 @@ Always provide the cumulative risk picture:
 - [specific guidance based on current pipeline state]
 ```
 
-If cumulative risk is **within appetite** (< 5): provide the assessment and say "Continue." The verdict is CONTINUE.
+### Below-Appetite Rule (ADR-013 Rule 5)
 
-If cumulative risk **exceeds appetite** (>= 5): provide specific risk-reducing suggestions:
-- "Commit your current changes to move WIP forward"
-- "Write tests for [risk item from report]" — name the specific risk and test file
-- "The release report flags [X] — address it before adding more changes"
-- "Push your commits to get CI feedback"
+If cumulative risk is **within appetite** (< 5): provide the assessment table and verdict only. Do NOT emit advisory prose, recommendations, or suggestions. The verdict is `RISK_VERDICT: CONTINUE`.
 
-The verdict is PAUSE. This blocks the next edit until the risk is addressed.
+### Above-Appetite Remediations
+
+If cumulative risk **exceeds appetite** (>= 5): provide the assessment table, then emit a structured `RISK_REMEDIATIONS:` block with specific risk-reducing actions:
+
+```
+RISK_REMEDIATIONS:
+- R1 | Commit current changes to move WIP forward | <uncommitted files>
+- R2 | Write tests for <risk item from report> | <test file to create/extend>
+- R3 | Address release report risk <X> before adding more changes | <affected files>
+- R4 | Push commits to get CI feedback | N/A
+```
+
+Do NOT emit free-text suggestions as prose. The structured block is the only output for above-appetite guidance.
+
+The verdict is `RISK_VERDICT: PAUSE`. This blocks the next edit until the risk is addressed.
 
 ## Control Discovery
 

package/bin/install.mjs

@@ -4,7 +4,7 @@ import { resolve, dirname } from "node:path";
 import { fileURLToPath } from "node:url";
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
-const utils = await import(resolve(__dirname, "../../shared/install-utils.mjs"));
+const utils = await import(resolve(__dirname, "../lib/install-utils.mjs"));
 
 const PLUGIN = "wr-risk-scorer";
 const DEPS = [];
@@ -20,6 +20,7 @@ Pipeline risk scoring, commit/push gates, and secret leak detection
 Options:
   --update     Update this plugin and its skills
   --uninstall  Remove this plugin
+  --scope      Installation scope: project (default) or user
   --dry-run    Show what would be done without executing
   --help, -h   Show this help
 `);
@@ -38,5 +39,5 @@ if (flags.uninstall) {
 } else if (flags.update) {
   utils.updatePackage(PLUGIN);
 } else {
-  utils.installPackage(PLUGIN, { deps: DEPS });
+  utils.installPackage(PLUGIN, { deps: DEPS, scope: flags.scope });
 }

package/hooks/git-push-gate.sh

@@ -47,7 +47,7 @@ if echo "$COMMAND" | grep -qE '(^|;|&&|\|\|)\s*npm run push:watch(\s|$)'; then
         fi
         PUSH_SCORE_FILE="${RDIR}/push"
         if [ ! -f "$PUSH_SCORE_FILE" ]; then
-            risk_gate_deny "Push blocked: No push risk score found. Delegate to risk-scorer-pipeline (subagent_type: 'risk-scorer-pipeline') to assess cumulative pipeline risk."
+            risk_gate_deny "Push blocked: No push risk score found. Delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') to assess cumulative pipeline risk."
             exit 0
         fi
         PUSH_NOW=$(date +%s)
@@ -65,19 +65,26 @@ if echo "$COMMAND" | grep -qE '(^|;|&&|\|\|)\s*npm run push:watch(\s|$)'; then
         fi
         PUSH_DENIED=$(python3 -c "print('yes' if float('${PUSH_SCORE}') >= 5 else 'no')" 2>/dev/null || echo "no")
         if [ "$PUSH_DENIED" = "yes" ]; then
-            risk_gate_deny "Push blocked: Push risk score ${PUSH_SCORE}/25 (Medium or above). To proceed: (1) release first via \`npm run release:watch\`, (2) split the push, or (3) add risk-reducing measures. If risk-neutral or risk-reducing, delegate to risk-scorer-pipeline (subagent_type: 'risk-scorer-pipeline') — it will create a bypass marker."
+            risk_gate_deny "Push blocked: Push risk score ${PUSH_SCORE}/25 (Medium or above). To proceed: (1) release first via \`npm run release:watch\`, (2) split the push, or (3) add risk-reducing measures. If risk-neutral or risk-reducing, delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') — it will create a bypass marker."
             exit 0
         fi
     fi
     exit 0
 fi
 
+# Block `changeset version` — versioning is done by the release pipeline,
+# not locally. Creating changesets (`npx changeset`) is fine.
+if echo "$COMMAND" | grep -qE '(^|;|&&|\|\|)\s*(npx changeset|npm run changeset)\s+version(\s|$)'; then
+    risk_gate_deny "Do not run \`changeset version\` locally. The release pipeline handles versioning automatically. To release: (1) push your changes with \`npm run push:watch\`, (2) the pipeline creates a release PR via changesets, (3) merge the release PR to publish. If you need to create a changeset, use \`npx changeset\` (without \`version\`)."
+    exit 0
+fi
+
 # Gate changeset creation on release risk score (fail-closed).
 # Changesets feed directly into releases, so gate on the release score.
 if echo "$COMMAND" | grep -qE '(^|;|&&|\|\|)\s*(npx changeset|npm run changeset)(\s|$)'; then
     if [ -n "$SESSION_ID" ]; then
         if ! check_risk_gate "$SESSION_ID" "release"; then
-            risk_gate_deny "Changeset blocked: ${RISK_GATE_REASON}"
+            risk_gate_deny "Changeset blocked: ${RISK_GATE_REASON}. To create a changeset, the release risk score must be within appetite. Delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') to assess."
             exit 0
         fi
     fi
@@ -101,7 +108,7 @@ if echo "$COMMAND" | grep -qE '(^|;|&&|\|\|)\s*npm run release:watch(\s|$)'; the
             exit 0
         fi
         if ! check_risk_gate "$SESSION_ID" "release"; then
-            risk_gate_deny "Release blocked: ${RISK_GATE_REASON}. To proceed: (1) split the release, (2) add risk-reducing measures, or (3) for a LIVE INCIDENT, delegate to risk-scorer-pipeline (subagent_type: 'risk-scorer-pipeline') with incident context for an incident bypass."
+            risk_gate_deny "Release blocked: ${RISK_GATE_REASON}"
             exit 0
         fi
     fi
@@ -110,7 +117,16 @@ fi
 
 # Match gh pr merge. Should go via npm run release:watch instead.
 if echo "$COMMAND" | grep -qE '(^|;|&&|\|\|)\s*gh pr merge(\s|$)'; then
-    risk_gate_deny "Use \`npm run release:watch\` instead of \`gh pr merge\`. It merges the release PR, watches the publish pipeline, and surfaces the production URL when live -- or tells you what failed and how to fix it."
+    # Check if the project has a release:watch script
+    if [ -f "package.json" ] && python3 -c "
+import json, sys
+pkg = json.load(open('package.json'))
+sys.exit(0 if 'release:watch' in pkg.get('scripts', {}) else 1)
+" 2>/dev/null; then
+        risk_gate_deny "Use \`npm run release:watch\` instead of \`gh pr merge\`. It merges the release PR, watches the publish pipeline, and surfaces the production URL when live -- or tells you what failed and how to fix it."
+    else
+        risk_gate_deny "Direct \`gh pr merge\` is blocked (no release:watch script found). Create a release:watch npm script that: (1) finds and merges the release PR with \`gh pr merge\`, (2) waits for the CI workflow with \`gh run list\`, and (3) watches it with \`gh run watch --exit-status\`. Then run \`npm run release:watch\` to release."
+    fi
     exit 0
 fi
 

package/hooks/hooks.json

@@ -15,10 +15,6 @@
       { "matcher": "Edit|Write", "hooks": [{ "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/wip-risk-mark.sh" }] },
       { "matcher": "Agent", "hooks": [{ "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/risk-score-mark.sh" }] },
       { "matcher": "Bash", "hooks": [{ "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/risk-hash-refresh.sh" }] }
-    ],
-    "Stop": [
-      { "hooks": [{ "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/risk-score-reset.sh" }] },
-      { "hooks": [{ "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/risk-policy-reset-marker.sh" }] }
     ]
   }
 }

package/hooks/lib/risk-gate.sh

@@ -21,7 +21,7 @@ check_risk_gate() {
 
   # 1. Score file must exist (fail-closed)
   if [ ! -f "$SCORE_FILE" ]; then
-    RISK_GATE_REASON="No ${ACTION} risk score found. The risk-scorer agent must run first. It runs automatically on each prompt."
+    RISK_GATE_REASON="No ${ACTION} risk score found. Delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') to assess cumulative pipeline risk."
     return 1
   fi
 
@@ -30,7 +30,7 @@ check_risk_gate() {
   local SCORE_TIME=$(_mtime "$SCORE_FILE")
   local AGE=$(( NOW - SCORE_TIME ))
   if [ "$AGE" -ge "$TTL_SECONDS" ]; then
-    RISK_GATE_REASON="Risk score expired (${AGE}s old, TTL ${TTL_SECONDS}s). Stage all files with git add first, then submit a new prompt — the scorer runs automatically. Then call git commit in that response."
+    RISK_GATE_REASON="Risk score expired (${AGE}s old, TTL ${TTL_SECONDS}s). Delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') to rescore."
     return 1
   fi
 
@@ -43,7 +43,7 @@ check_risk_gate() {
     local CURRENT_HASH
     CURRENT_HASH=$("$_RISK_GATE_DIR/pipeline-state.sh" --hash-inputs 2>/dev/null | _hashcmd | cut -d' ' -f1)
     if [ "$STORED_HASH" != "$CURRENT_HASH" ]; then
-      RISK_GATE_REASON="Pipeline state drift: git diff changed between scoring and ${ACTION}. The hash is computed at prompt submit time. If you staged files (git add) after the prompt, re-submit: stage all files first, then submit a new prompt, then commit in that response."
+      RISK_GATE_REASON="Pipeline state drift: working tree changed since the last ${ACTION} risk assessment. Delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') to rescore against the current state."
       return 1
     fi
   fi
@@ -63,7 +63,7 @@ print('yes' if score >= 5 else 'no')
 " 2>/dev/null || echo "no")
 
   if [ "$DENIED" = "yes" ]; then
-    RISK_GATE_REASON="${ACTION} risk score ${SCORE}/25 (Medium or above). Reduce changes or address outstanding risk first, then re-run the risk-scorer agent."
+    RISK_GATE_REASON="${ACTION} risk score ${SCORE}/25 (Medium or above). To proceed: (1) split the ${ACTION}, (2) add risk-reducing measures, or (3) for a LIVE INCIDENT, delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') with incident context for an incident bypass."
     return 1
   fi
 

package/hooks/risk-policy-enforce-edit.sh

@@ -18,6 +18,16 @@ if [ -z "$SESSION_ID" ] || [ -z "$FILE_PATH" ]; then
   exit 0
 fi
 
+# P004: Only gate files inside the project root.
+case "$FILE_PATH" in
+  /*)
+    case "$FILE_PATH" in
+      "$PWD"/*) ;;
+      *) exit 0 ;;
+    esac
+    ;;
+esac
+
 # Only gate RISK-POLICY.md
 BASENAME=$(basename "$FILE_PATH")
 if [ "$BASENAME" != "RISK-POLICY.md" ]; then
@@ -35,7 +45,7 @@ cat <<'EOF'
   "hookSpecificOutput": {
     "hookEventName": "PreToolUse",
     "permissionDecision": "deny",
-    "permissionDecisionReason": "BLOCKED: Cannot edit RISK-POLICY.md directly. Run the /risk-policy skill first -- it enforces ISO 31000 compliance (reads the risk-scorer contract, discovers project context, checks for incidents, validates with you, and smoke-tests the result). Use the Skill tool with skill: \"risk-policy\"."
+    "permissionDecisionReason": "BLOCKED: Cannot edit RISK-POLICY.md directly. Run /wr-risk-scorer:update-policy first -- it enforces ISO 31000 compliance (reads the risk-scorer contract, discovers project context, checks for incidents, validates with you, and smoke-tests the result). Use the Skill tool with skill: \"wr-risk-scorer:update-policy\"."
   }
 }
 EOF

package/hooks/risk-score-commit-gate.sh

@@ -57,7 +57,7 @@ fi
 
 # Gate check: existence, TTL, drift, threshold
 if ! check_risk_gate "$SESSION_ID" "commit"; then
-    risk_gate_deny "Commit blocked: ${RISK_GATE_REASON} To proceed: (1) stage files with git add, (2) delegate to risk-scorer-pipeline (subagent_type: 'risk-scorer-pipeline') to assess cumulative pipeline risk. If the commit is risk-neutral or risk-reducing, the scorer will create a bypass marker."
+    risk_gate_deny "Commit blocked: ${RISK_GATE_REASON} To proceed: (1) stage files with git add, (2) delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') to assess cumulative pipeline risk. If the commit is risk-neutral or risk-reducing, the scorer will create a bypass marker."
     exit 0
 fi
 

package/hooks/risk-score-mark.sh

@@ -4,7 +4,7 @@
 # risk-scorer agents. This is the ONLY place score files are written —
 # agents output structured markers, this hook writes the files.
 #
-# Handles: risk-scorer-pipeline, risk-scorer-plan, risk-scorer-wip, risk-scorer-policy
+# Handles: wr-risk-scorer:pipeline, wr-risk-scorer:plan, wr-risk-scorer:wip, wr-risk-scorer:policy
 # Replaces: risk-policy-mark-reviewed.sh (which had fragile P001 backup parsing)
 
 set -euo pipefail
@@ -34,7 +34,7 @@ RDIR=$(_risk_dir "$SESSION_ID")
 # ---------------------------------------------------------------------------
 # Pipeline scorer: write commit/push/release scores + bypass markers
 # ---------------------------------------------------------------------------
-if echo "$SUBAGENT" | grep -qE 'risk-scorer-pipeline'; then
+if echo "$SUBAGENT" | grep -qE 'risk-scorer.pipeline'; then
   # Parse RISK_SCORES: commit=N push=N release=N
   SCORES_LINE=$(echo "$AGENT_OUTPUT" | grep -E '^RISK_SCORES:' | tail -1) || true
   if [ -n "$SCORES_LINE" ]; then
@@ -79,7 +79,7 @@ fi
 # ---------------------------------------------------------------------------
 # Plan scorer: write plan-reviewed marker on PASS
 # ---------------------------------------------------------------------------
-if echo "$SUBAGENT" | grep -qE 'risk-scorer-plan'; then
+if echo "$SUBAGENT" | grep -qE 'risk-scorer.plan'; then
   VERDICT_LINE=$(echo "$AGENT_OUTPUT" | grep -E '^RISK_VERDICT:' | tail -1) || true
   VERDICT=$(echo "$VERDICT_LINE" | sed 's/^RISK_VERDICT:[[:space:]]*//' | tr -d '[:space:]')
   case "$VERDICT" in
@@ -98,7 +98,7 @@ fi
 # ---------------------------------------------------------------------------
 # WIP scorer: write wip-reviewed marker (unblocks next edit)
 # ---------------------------------------------------------------------------
-if echo "$SUBAGENT" | grep -qE 'risk-scorer-wip'; then
+if echo "$SUBAGENT" | grep -qE 'risk-scorer.wip'; then
   # WIP assessment was done — unblock next edit regardless of CONTINUE/PAUSE
   # (PAUSE is advisory guidance to the user, not a hard gate)
   touch "${RDIR}/wip-reviewed"
@@ -107,7 +107,7 @@ fi
 # ---------------------------------------------------------------------------
 # Policy scorer: write policy-reviewed marker on PASS
 # ---------------------------------------------------------------------------
-if echo "$SUBAGENT" | grep -qE 'risk-scorer-policy'; then
+if echo "$SUBAGENT" | grep -qE 'risk-scorer.policy'; then
   VERDICT_LINE=$(echo "$AGENT_OUTPUT" | grep -E '^RISK_VERDICT:' | tail -1) || true
   VERDICT=$(echo "$VERDICT_LINE" | sed 's/^RISK_VERDICT:[[:space:]]*//' | tr -d '[:space:]')
   case "$VERDICT" in

package/hooks/risk-score-plan-enforce.sh

@@ -24,7 +24,7 @@ cat <<'EOF'
   "hookSpecificOutput": {
     "hookEventName": "PreToolUse",
     "permissionDecision": "deny",
-    "permissionDecisionReason": "BLOCKED: Risk-scorer must review the plan before exiting plan mode. Delegate to risk-scorer-plan (subagent_type: 'risk-scorer-plan') to review the plan file for risk, including projected release risk."
+    "permissionDecisionReason": "BLOCKED: Risk-scorer must review the plan before exiting plan mode. Delegate to wr-risk-scorer:plan (subagent_type: 'wr-risk-scorer:plan') to review the plan file for risk, including projected release risk."
   }
 }
 EOF

package/hooks/test/git-push-gate.bats

@@ -0,0 +1,82 @@
+#!/usr/bin/env bats
+# Tests for git-push-gate.sh — gh pr merge block and release:watch guidance
+
+setup() {
+  HOOKS_DIR="$(cd "$(dirname "$BATS_TEST_FILENAME")/.." && pwd)"
+  HOOK="$HOOKS_DIR/git-push-gate.sh"
+
+  TEST_SESSION="bats-push-gate-$$-${BATS_TEST_NUMBER}"
+  # Ensure a clean risk dir
+  RDIR="${TMPDIR:-/tmp}/claude-risk-${TEST_SESSION}"
+  rm -rf "$RDIR"
+  mkdir -p "$RDIR"
+
+  # Create a temp project dir for package.json detection
+  TEST_PROJECT_DIR="$(mktemp -d)"
+}
+
+teardown() {
+  rm -rf "$RDIR"
+  rm -rf "$TEST_PROJECT_DIR"
+}
+
+# Helper: build a PreToolUse Bash input with a given command
+build_input() {
+  local cmd="$1"
+  cat <<ENDJSON
+{
+  "session_id": "$TEST_SESSION",
+  "tool_name": "Bash",
+  "tool_input": {
+    "command": "$cmd"
+  }
+}
+ENDJSON
+}
+
+@test "gh pr merge is blocked with release:watch guidance when script exists" {
+  # Create a package.json with release:watch
+  cat > "$TEST_PROJECT_DIR/package.json" <<'PKG'
+{ "scripts": { "release:watch": "bash scripts/release-watch.sh" } }
+PKG
+
+  INPUT=$(build_input "gh pr merge 4 --merge")
+  run bash -c "cd '$TEST_PROJECT_DIR' && echo '$INPUT' | '$HOOK'"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"permissionDecision"* ]]
+  [[ "$output" == *"deny"* ]]
+  [[ "$output" == *"release:watch"* ]]
+}
+
+@test "gh pr merge tells agent to create release:watch when script missing" {
+  # Create a package.json WITHOUT release:watch
+  cat > "$TEST_PROJECT_DIR/package.json" <<'PKG'
+{ "scripts": { "test": "echo test" } }
+PKG
+
+  INPUT=$(build_input "gh pr merge 4 --merge")
+  run bash -c "cd '$TEST_PROJECT_DIR' && echo '$INPUT' | '$HOOK'"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"permissionDecision"* ]]
+  [[ "$output" == *"deny"* ]]
+  # Should tell agent to create the script
+  [[ "$output" == *"no release:watch script"* ]]
+  [[ "$output" == *"gh pr merge"* ]]
+  [[ "$output" == *"gh run watch"* ]]
+}
+
+@test "gh pr merge tells agent to create release:watch when no package.json" {
+  local empty_dir="$(mktemp -d)"
+
+  INPUT=$(build_input "gh pr merge 4 --merge")
+  run bash -c "cd '$empty_dir' && echo '$INPUT' | '$HOOK'"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"permissionDecision"* ]]
+  [[ "$output" == *"deny"* ]]
+  # Should tell agent to create the script
+  [[ "$output" == *"no release:watch script"* ]]
+  [[ "$output" == *"gh pr merge"* ]]
+  [[ "$output" == *"gh run watch"* ]]
+
+  rm -rf "$empty_dir"
+}

package/hooks/test/risk-policy-project-root.bats

@@ -0,0 +1,20 @@
+#!/usr/bin/env bats
+
+# P004: risk-policy-enforce-edit.sh project-root check.
+
+setup() {
+  SCRIPT_DIR="$(cd "$(dirname "$BATS_TEST_FILENAME")/.." && pwd)"
+  HOOK="$SCRIPT_DIR/risk-policy-enforce-edit.sh"
+}
+
+run_hook_with_file() {
+  local file_path="$1"
+  local json="{\"tool_input\":{\"file_path\":\"${file_path}\"},\"session_id\":\"test-$$\"}"
+  echo "$json" | bash "$HOOK"
+}
+
+@test "risk-policy project-root: RISK-POLICY.md outside project exits 0" {
+  run run_hook_with_file "/Users/other/project/RISK-POLICY.md"
+  [ "$status" -eq 0 ]
+  [[ "$output" != *"BLOCKED"* ]]
+}

package/hooks/test/risk-score-mark.bats

@@ -0,0 +1,112 @@
+#!/usr/bin/env bats
+
+# Tests for risk-score-mark.sh — verifies the PostToolUse:Agent hook
+# parses risk-scorer agent output and writes the right files into
+# the session-scoped risk dir.
+#
+# Per ADR-005 (P011): behavioural assertions are functional — they
+# pipe mock hook input to the script and assert on side-effects, not
+# on what the source happens to contain. The four "echo X | grep X"
+# tautologies that previously lived here have been removed (they
+# always passed regardless of hook behaviour).
+
+setup() {
+  SCRIPT_DIR="$(cd "$(dirname "$BATS_TEST_FILENAME")/.." && pwd)"
+  HOOK="$SCRIPT_DIR/risk-score-mark.sh"
+  ORIG_DIR="$PWD"
+  TEST_DIR=$(mktemp -d)
+  cd "$TEST_DIR"
+  TMPDIR="$TEST_DIR/tmp"
+  export TMPDIR
+  mkdir -p "$TMPDIR"
+  SESSION_ID="test-session-$$"
+  RDIR="$TMPDIR/claude-risk-${SESSION_ID}"
+}
+
+teardown() {
+  cd "$ORIG_DIR"
+  rm -rf "$TEST_DIR"
+}
+
+# Helper: build the PostToolUse:Agent JSON envelope and pipe it to the hook.
+# AGENT_OUTPUT is wrapped in tool_response.content[0].text to match the
+# real Claude Code PostToolUse hook payload shape.
+run_hook() {
+  local subagent="$1"
+  local agent_output="$2"
+  python3 -c "
+import json, sys
+print(json.dumps({
+  'tool_name': 'Agent',
+  'session_id': '${SESSION_ID}',
+  'tool_input': {'subagent_type': '${subagent}'},
+  'tool_response': {'content': [{'type': 'text', 'text': sys.stdin.read()}]}
+}))" <<<"$agent_output" | bash "$HOOK"
+}
+
+# --- Pipeline scorer: writes commit/push/release score files ---
+
+@test "pipeline: writes commit/push/release scores from RISK_SCORES line" {
+  run_hook "wr-risk-scorer:pipeline" "Header text
+RISK_SCORES: commit=2 push=3 release=1
+Trailing text"
+  [ "$(cat "$RDIR/commit")" = "2" ]
+  [ "$(cat "$RDIR/push")" = "3" ]
+  [ "$(cat "$RDIR/release")" = "1" ]
+}
+
+@test "pipeline: writes reducing bypass markers when RISK_BYPASS: reducing" {
+  run_hook "wr-risk-scorer:pipeline" "RISK_SCORES: commit=2 push=2 release=0
+RISK_BYPASS: reducing"
+  [ -f "$RDIR/reducing-commit" ]
+  [ -f "$RDIR/reducing-push" ]
+  [ -f "$RDIR/reducing-release" ]
+}
+
+@test "pipeline: writes incident bypass marker when RISK_BYPASS: incident" {
+  run_hook "wr-risk-scorer:pipeline" "RISK_SCORES: commit=10 push=10 release=10
+RISK_BYPASS: incident"
+  [ -f "$RDIR/incident-release" ]
+}
+
+@test "pipeline: writes nothing when output has no RISK_SCORES line" {
+  run_hook "wr-risk-scorer:pipeline" "No score line in this output"
+  [ ! -f "$RDIR/commit" ]
+  [ ! -f "$RDIR/push" ]
+  [ ! -f "$RDIR/release" ]
+}
+
+# --- Plan scorer: writes plan-reviewed marker on PASS only ---
+
+@test "plan: writes plan-reviewed marker on RISK_VERDICT: PASS" {
+  run_hook "wr-risk-scorer:plan" "RISK_VERDICT: PASS"
+  [ -f "$RDIR/plan-reviewed" ]
+}
+
+@test "plan: does NOT write plan-reviewed marker on RISK_VERDICT: FAIL" {
+  run_hook "wr-risk-scorer:plan" "RISK_VERDICT: FAIL"
+  [ ! -f "$RDIR/plan-reviewed" ]
+}
+
+# --- Subagent routing: case guard ignores non-risk-scorer agents ---
+
+@test "case guard: skips unrelated agent without writing files" {
+  run_hook "wr-architect:agent" "RISK_SCORES: commit=99 push=99 release=99"
+  [ ! -f "$RDIR/commit" ]
+}
+
+@test "case guard: matches wr-risk-scorer:pipeline subagent" {
+  SUBAGENT="wr-risk-scorer:pipeline"
+  case "$SUBAGENT" in
+    *risk-scorer*) true ;;
+    *) false ;;
+  esac
+}
+
+@test "case guard: does NOT match wr-architect:agent" {
+  SUBAGENT="wr-architect:agent"
+  case "$SUBAGENT" in
+    *risk-scorer*) false ;;
+    *) true ;;
+  esac
+}

package/hooks/test/risk-scorer-no-stop-hook.bats

@@ -0,0 +1,19 @@
+#!/usr/bin/env bats
+
+# P001 / ADR-009: Stop-hook marker reset removed.
+
+setup() {
+  PLUGIN_DIR="$(cd "$(dirname "$BATS_TEST_FILENAME")/../.." && pwd)"
+}
+
+@test "risk-scorer: hooks.json has no Stop hook entry (ADR-009)" {
+  ! grep -q '"Stop"' "$PLUGIN_DIR/hooks/hooks.json"
+}
+
+@test "risk-scorer: risk-score-reset.sh has been removed" {
+  [ ! -f "$PLUGIN_DIR/hooks/risk-score-reset.sh" ]
+}
+
+@test "risk-scorer: risk-policy-reset-marker.sh has been removed" {
+  [ ! -f "$PLUGIN_DIR/hooks/risk-policy-reset-marker.sh" ]
+}

package/hooks/wip-risk-gate.sh

@@ -37,7 +37,7 @@ cat <<'EOF'
   "hookSpecificOutput": {
     "hookEventName": "PreToolUse",
     "permissionDecision": "deny",
-    "permissionDecisionReason": "WIP risk assessment required. Delegate to risk-scorer-wip (subagent_type: 'risk-scorer-wip') to assess cumulative pipeline risk for changes so far."
+    "permissionDecisionReason": "WIP risk assessment required. Delegate to wr-risk-scorer:wip (subagent_type: 'wr-risk-scorer:wip') to assess cumulative pipeline risk for changes so far."
   }
 }
 EOF

package/hooks/wip-risk-mark.sh

@@ -17,16 +17,8 @@ SESSION_ID=$(_get_session_id)
 
 MARKER="$(_risk_dir "$SESSION_ID")/wip-reviewed"
 
-case "$TOOL_NAME" in
-  Edit|Write)
-    FILE_PATH=$(_get_file_path)
-    [ -n "$FILE_PATH" ] || exit 0
-
-    if ! _is_doc_file "$FILE_PATH"; then
-        rm -f "$MARKER"
-    fi
-    ;;
-  # Agent case handled by risk-score-mark.sh
-esac
+# WIP marker persists after assessment — allows multiple edits.
+# Marker lifecycle: TTL + drift detection (ADR-009).
+# Agent case (marker creation) handled by risk-score-mark.sh.
 
 exit 0

package/lib/install-utils.mjs

@@ -0,0 +1,143 @@
+/**
+ * Shared install utilities for @windyroad/* packages.
+ * Used by both per-plugin installers and the meta-installer.
+ */
+
+import { execSync } from "node:child_process";
+
+const MARKETPLACE_REPO = "windyroad/agent-plugins";
+const MARKETPLACE_NAME = "windyroad";
+
+let _dryRun = false;
+
+export { MARKETPLACE_REPO, MARKETPLACE_NAME };
+
+export function setDryRun(value) {
+  _dryRun = value;
+}
+
+export function isDryRun() {
+  return _dryRun;
+}
+
+export function run(cmd, label) {
+  console.log(`  ${label}...`);
+  if (_dryRun) {
+    console.log(`    [dry-run] ${cmd}`);
+    return true;
+  }
+  try {
+    execSync(cmd, { stdio: "inherit" });
+    return true;
+  } catch {
+    console.error(`  FAILED: ${label}`);
+    return false;
+  }
+}
+
+export function checkPrerequisites() {
+  if (_dryRun) return;
+
+  try {
+    execSync("claude --version", { stdio: "pipe" });
+  } catch {
+    console.error(
+      "Error: 'claude' CLI not found. Install Claude Code first:\n  https://docs.anthropic.com/en/docs/claude-code\n"
+    );
+    process.exit(1);
+  }
+}
+
+export function addMarketplace() {
+  return run(
+    `claude plugin marketplace add ${MARKETPLACE_REPO}`,
+    `Marketplace: ${MARKETPLACE_NAME}`
+  );
+}
+
+export function installPlugin(pluginName, { scope = "project" } = {}) {
+  return run(
+    `claude plugin install ${pluginName}@${MARKETPLACE_NAME} --scope ${scope}`,
+    pluginName
+  );
+}
+
+export function updatePlugin(pluginName) {
+  return run(`claude plugin update ${pluginName}`, pluginName);
+}
+
+export function uninstallPlugin(pluginName) {
+  return run(`claude plugin uninstall ${pluginName}`, `Removing ${pluginName}`);
+}
+
+/**
+ * Install a single package: marketplace add + plugin install.
+ */
+export function installPackage(pluginName, { deps = [], scope = "project" } = {}) {
+  console.log(`\nInstalling @windyroad/${pluginName.replace("wr-", "")} (${scope} scope)...\n`);
+
+  addMarketplace();
+  installPlugin(pluginName, { scope });
+
+  if (deps.length > 0) {
+    console.log(`\nNote: This plugin works best with:`);
+    for (const dep of deps) {
+      console.log(`  - @windyroad/${dep.replace("wr-", "")} (npx @windyroad/${dep.replace("wr-", "")})`);
+    }
+  }
+
+  console.log(
+    `\nDone! Restart Claude Code to activate.\n`
+  );
+}
+
+/**
+ * Update a single package.
+ */
+export function updatePackage(pluginName) {
+  console.log(`\nUpdating @windyroad/${pluginName.replace("wr-", "")}...\n`);
+
+  run(
+    `claude plugin marketplace update ${MARKETPLACE_NAME}`,
+    "Updating marketplace"
+  );
+  updatePlugin(pluginName);
+
+  console.log("\nDone! Restart Claude Code to apply updates.\n");
+}
+
+/**
+ * Uninstall a single package.
+ */
+export function uninstallPackage(pluginName) {
+  console.log(`\nUninstalling @windyroad/${pluginName.replace("wr-", "")}...\n`);
+
+  uninstallPlugin(pluginName);
+
+  console.log("\nDone. Restart Claude Code to apply changes.\n");
+}
+
+/**
+ * Parse standard flags used by all per-plugin installers.
+ */
+export function parseStandardArgs(argv) {
+  const args = argv.slice(2);
+  const flags = {
+    help: args.includes("--help") || args.includes("-h"),
+    uninstall: args.includes("--uninstall"),
+    update: args.includes("--update"),
+    dryRun: args.includes("--dry-run"),
+    scope: "project",
+  };
+  const scopeIdx = args.indexOf("--scope");
+  if (scopeIdx !== -1 && args[scopeIdx + 1]) {
+    const val = args[scopeIdx + 1];
+    if (["project", "user", "local"].includes(val)) {
+      flags.scope = val;
+    } else {
+      console.error("--scope requires: project, user, or local");
+      process.exit(1);
+    }
+  }
+  return flags;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@windyroad/risk-scorer",
-  "version": "0.2.0",
+  "version": "0.2.1-preview.70",
   "description": "Pipeline risk scoring, commit/push gates, and secret leak detection",
   "bin": {
     "windyroad-risk-scorer": "./bin/install.mjs"
@@ -23,6 +23,7 @@
     "agents/",
     "hooks/",
     "skills/",
-    ".claude-plugin/"
+    ".claude-plugin/",
+    "lib/"
   ]
 }

package/skills/{wr:risk-policy → update-policy}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: wr:risk-policy
+name: wr-risk-scorer:update-policy
 description: Create or update the project's RISK-POLICY.md per ISO 31000 and the risk-scorer agent. Examines the project to derive business-specific impact levels.
 allowed-tools: Read, Write, Edit, Bash, Glob, Grep, AskUserQuestion, Agent
 ---

package/hooks/risk-policy-reset-marker.sh

@@ -1,17 +0,0 @@
-#!/bin/bash
-# Stop hook: Clears risk-policy session marker.
-# Mirrors: architect-reset-marker.sh
-
-SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
-source "$SCRIPT_DIR/lib/gate-helpers.sh"
-
-_parse_input
-
-SESSION_ID=$(_get_session_id)
-
-if [ -n "$SESSION_ID" ]; then
-  RDIR=$(_risk_dir "$SESSION_ID")
-  rm -f "${RDIR}/policy-reviewed" "${RDIR}/plan-reviewed"
-fi
-
-exit 0

package/hooks/risk-score-reset.sh

@@ -1,17 +0,0 @@
-#!/bin/bash
-# Stop hook: Clears risk score temp files on session end.
-
-SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
-source "$SCRIPT_DIR/lib/gate-helpers.sh"
-
-_parse_input
-
-SESSION_ID=$(_get_session_id)
-
-if [ -n "$SESSION_ID" ]; then
-    # Remove the entire session-scoped directory
-    RDIR="${TMPDIR:-/tmp}/claude-risk-${SESSION_ID}"
-    rm -rf "$RDIR"
-fi
-
-exit 0