npm - @windyroad/risk-scorer - Versions diffs - 0.2.1 → 0.3.0 - Mend

@windyroad/risk-scorer 0.2.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json +1 -1
package/skills/assess-release/SKILL.md +92 -0
package/skills/assess-wip/SKILL.md +61 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@windyroad/risk-scorer",
-  "version": "0.2.1",
+  "version": "0.3.0",
   "description": "Pipeline risk scoring, commit/push gates, and secret leak detection",
   "bin": {
     "windyroad-risk-scorer": "./bin/install.mjs"

package/skills/assess-release/SKILL.md ADDED Viewed

@@ -0,0 +1,92 @@
+---
+name: wr-risk-scorer:assess-release
+description: On-demand release risk assessment. Scores commit, push, and release risk for the current unpushed changes. Delegates to wr-risk-scorer:pipeline and satisfies the commit gate for the current session.
+allowed-tools: Read, Glob, Grep, Bash, AskUserQuestion, Skill
+---
+# Release Risk Assessment Skill
+Run a pipeline risk assessment on demand — outside a hook gate trigger. Scores commit, push, and release risk layers for the current unpushed changes and satisfies the gate for the current session.
+This skill is **read-only**. It does not commit, push, or modify files. The bypass marker is written automatically by the `PostToolUse:Agent` hook (`risk-score-mark.sh`) after the subagent completes — the skill never writes to `$TMPDIR/claude-risk-*` directly.
+## When to use
+- Before committing: confirm the risk score before running `git commit`
+- Pre-flight release check: get a release readiness score before deciding to ship
+- On-demand: any time you want a risk score without triggering a gate event
+## Steps
+### 1. Parse arguments
+Read `$ARGUMENTS` for an explicit release scope (e.g., "release v1.3.0", "commits since last tag", "changeset X"). If a scope is provided, use it. If empty, proceed to auto-detection.
+### 2. Auto-detect context
+Run the following to establish the assessment scope:
+```bash
+# Unpushed commits
+git log origin/$(git rev-parse --abbrev-ref HEAD)..HEAD --oneline 2>/dev/null || git log HEAD --oneline -10
+# Staged diff
+git diff --cached --stat
+# Changesets directory (if present)
+ls .changeset/*.md 2>/dev/null | head -20
+```
+Summarise what you find:
+- Number of unpushed commits and their subjects
+- Files staged for commit (if any)
+- Changesets queued for release (if any)
+### 3. Resolve ambiguity
+If the scope is genuinely ambiguous (e.g., no unpushed commits but the user said "assess the release"), use `AskUserQuestion` to ask:
+> "I don't see any unpushed commits. What scope should I assess?
+> (a) All commits since the last git tag
+> (b) Only the currently staged diff
+> (c) A specific range — please specify
+> (d) Cancel"
+Do not ask if there is an obvious unpushed commit queue.
+### 4. Construct the assessment prompt
+Build a self-contained prompt for the pipeline subagent that includes:
+- The git log summary (unpushed commits with subjects)
+- The staged diff summary (file names and line counts)
+- The changeset list (if any)
+- Any explicit scope the user provided
+### 5. Delegate to wr-risk-scorer:pipeline
+Invoke the pipeline subagent via the `Skill` tool:
+```
+subagent_type: wr-risk-scorer:pipeline
+prompt: <constructed assessment prompt from step 4>
+```
+Wait for the subagent to complete. The subagent will output a structured `RISK_SCORES:` block. The `PostToolUse:Agent` hook (`risk-score-mark.sh`) reads that output and writes the bypass marker files automatically.
+**Do not write to `$TMPDIR/claude-risk-*` yourself.** The hook is the only correct mechanism.
+### 6. Present results
+Present the full risk report to the user. Highlight:
+- The three risk scores (commit / push / release) and their labels
+- Any risks above appetite (score ≥ 5 per RISK-POLICY.md)
+- Whether the gate is now pre-satisfied for the current session (i.e., a subsequent `git commit` will reuse the bypass marker without re-triggering the scorer)
+If any score is above appetite, use `AskUserQuestion` to ask whether the user wants to:
+- (a) Proceed anyway (bypass)
+- (b) Remediate the identified risks first
+- (c) Cancel
+Do not make the decision unilaterally — per ADR-013 Rule 1, all above-appetite risk decisions are the user's.
+$ARGUMENTS

package/skills/assess-wip/SKILL.md ADDED Viewed

@@ -0,0 +1,61 @@
+---
+name: wr-risk-scorer:assess-wip
+description: On-demand WIP risk nudge. Scores the current uncommitted diff for pipeline risk. Use during development to catch high-risk changes before committing.
+allowed-tools: Read, Glob, Grep, Bash, AskUserQuestion, Skill
+---
+# WIP Risk Assessment Skill
+Run a WIP (work-in-progress) risk assessment on demand. Scores the current uncommitted diff — staged and unstaged — for pipeline risk. Use during development to get early feedback before committing.
+This skill is **read-only**. It does not commit, push, or modify files.
+Unlike `assess-release`, this skill does not pre-satisfy the commit gate. WIP assessment is a development nudge; the pipeline gate is satisfied only by a full `wr-risk-scorer:pipeline` assessment (via `assess-release` or a commit attempt).
+## When to use
+- After a significant edit: check whether the change is introducing high pipeline risk
+- Before `git add`: confirm the uncommitted diff is within appetite
+- Exploratory: understand the risk profile of a branch mid-development
+## Steps
+### 1. Auto-detect context
+Run the following to capture the current WIP state:
+```bash
+# All uncommitted changes (staged + unstaged, non-binary)
+git diff HEAD --stat
+# Summary of what's changed
+git status --short
+```
+If `git diff HEAD` is empty (clean working tree), report "No uncommitted changes detected" and exit. Do not invoke the subagent with an empty scope.
+### 2. Construct the assessment prompt
+Build a self-contained prompt for the wip subagent that includes:
+- The edited file path(s) (from `git diff HEAD --name-only`)
+- A summary of what changed (stat output)
+### 3. Delegate to wr-risk-scorer:wip
+Invoke the wip subagent via the `Skill` tool:
+```
+subagent_type: wr-risk-scorer:wip
+prompt: <constructed assessment prompt from step 2>
+```
+Wait for the subagent to complete.
+### 4. Present results
+Present the WIP risk nudge to the user. The wip subagent provides guidance and recommendations, not a formal gate score. Highlight:
+- The highest-risk files or change patterns identified
+- Any recommendations to reduce risk before committing
+- Whether a full pipeline assessment (`assess-release`) is recommended before committing
+$ARGUMENTS