npm - @windyroad/risk-scorer - Versions diffs - 0.3.4 → 0.3.5 - Mend

@windyroad/risk-scorer 0.3.4 → 0.3.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/.claude-plugin/plugin.json +2 -2
package/hooks/lib/pipeline-state.sh +31 -15
package/hooks/test/pipeline-state-hash.bats +195 -0
package/package.json +1 -1

package/.claude-plugin/plugin.json CHANGED Viewed

@@ -1,5 +1,5 @@
 {
   "name": "wr-risk-scorer",
-  "version": "0.3.0",
+  "version": "0.3.5",
   "description": "Pipeline risk scoring, commit/push/release gates for Claude Code"
-}
+}

package/hooks/lib/pipeline-state.sh CHANGED Viewed

@@ -33,25 +33,41 @@ for arg in "$@"; do
 done
 # --- Fast hash inputs mode: output only metadata for drift detection hash ---
-# NOTE: Do NOT include `git status --porcelain` (changes on staging) or
-# `git rev-parse HEAD` (changes on commit). Both cause false drift detection.
-# Use diff --stat which reflects actual content changes only.
+# Tree-based hash — stable across BOTH commit and push operations (P054).
+# Captures the conceptual "HEAD + index + working tree" state by asking git
+# to build a tree object that reflects what a commit of the current state
+# would contain. This makes the hash invariant over:
+#   - git commit (content moves from index to HEAD; tree SHA is identical)
+#   - git push  (HEAD is unchanged locally; tree SHA is identical)
+# The previous approach hashed `git diff origin/main --stat`, which shrinks
+# to empty after a push advances origin/main, producing spurious drift
+# denials on npm run release:watch even though the commits being released
+# were the same ones already scored.
 if [ "$SHOW_HASH_INPUTS" = true ]; then
-    # Single stable diff: all local changes (staged + committed) vs remote.
-    # This is stable across commit and push operations — content moves between
-    # pipeline stages (staged → committed → pushed) without changing the hash.
-    # Previous approach used git diff HEAD + git diff origin/main..HEAD which
-    # broke on every commit because content shifted between the two diffs.
-    # Exclude docs/governance paths from hash — they cannot affect the running application
+    # Exclude docs/governance paths — they cannot affect the running application.
     EXCL=$(_doc_exclusions)
-    if git rev-parse --verify origin/main >/dev/null 2>&1; then
-        eval "git diff origin/main --stat -- $EXCL" 2>/dev/null || true
-    elif git rev-parse --verify origin/master >/dev/null 2>&1; then
-        eval "git diff origin/master --stat -- $EXCL" 2>/dev/null || true
+    # git stash create writes a commit object (tree + parents) representing
+    # index + working tree, without touching HEAD, the index, or any refs.
+    # Returns empty when there is nothing to stash (clean tree).
+    STASH_COMMIT=$(git stash create 2>/dev/null || true)
+    if [ -n "$STASH_COMMIT" ]; then
+        CONCEPTUAL_TREE=$(git rev-parse "${STASH_COMMIT}^{tree}" 2>/dev/null || echo "")
     else
-        eval "git diff HEAD --stat -- $EXCL" 2>/dev/null || true
+        CONCEPTUAL_TREE=$(git rev-parse HEAD^{tree} 2>/dev/null || echo "")
     fi
-    # Changeset count (affects release/changeset risk)
+    if [ -n "$CONCEPTUAL_TREE" ]; then
+        # Diff against the empty tree to enumerate every file in the
+        # conceptual tree with its blob SHA (shown as "added"). git diff
+        # supports `:!` pathspec exclusions where `git ls-tree` does not,
+        # so this is the path that honours the doc exclusions above.
+        # Same-content trees produce identical output regardless of which
+        # ref points at them, which is what gives push stability.
+        # 4b825dc642cb6eb9a060e54bf8d69288fbee4904 is git's well-known empty-tree SHA.
+        eval "git diff --raw 4b825dc642cb6eb9a060e54bf8d69288fbee4904 $CONCEPTUAL_TREE -- $EXCL" 2>/dev/null || true
+    fi
+    # Changeset count (affects release/changeset risk — tracked separately
+    # because .changeset/ is in the doc-exclusions list and therefore not
+    # reflected in the tree listing above).
     if [ -d ".changeset" ]; then
         find .changeset -name '*.md' -not -name 'README.md' 2>/dev/null | wc -l | tr -d ' '
     fi

package/hooks/test/pipeline-state-hash.bats ADDED Viewed

@@ -0,0 +1,195 @@
+#!/usr/bin/env bats
+# Tests for pipeline-state.sh --hash-inputs stability
+# Covers P054: the hash must be stable across both commit AND push so the
+# release gate does not fire spurious "state drift" denials after a
+# policy-authorised push advances origin/main.
+setup() {
+  HOOKS_DIR="$(cd "$(dirname "$BATS_TEST_FILENAME")/.." && pwd)"
+  SCRIPT="$HOOKS_DIR/lib/pipeline-state.sh"
+  # Set up a temp git repo with an origin remote so origin/main is meaningful.
+  TEST_DIR="$(mktemp -d)"
+  REMOTE_DIR="$(mktemp -d)"
+  # Bare remote
+  (cd "$REMOTE_DIR" && git init --bare --initial-branch=main >/dev/null 2>&1)
+  # Working repo
+  cd "$TEST_DIR"
+  git init --initial-branch=main >/dev/null 2>&1
+  git config user.email "test@example.com"
+  git config user.name "Test"
+  git remote add origin "$REMOTE_DIR"
+  # Seed initial commit
+  echo "initial" > README.md
+  git add README.md
+  git commit -m "initial" >/dev/null 2>&1
+  git push -u origin main >/dev/null 2>&1
+}
+teardown() {
+  rm -rf "$TEST_DIR" "$REMOTE_DIR"
+}
+# Helper: compute the hash of --hash-inputs output in the current directory.
+compute_hash() {
+  bash "$SCRIPT" --hash-inputs 2>/dev/null | shasum -a 256 | cut -d' ' -f1
+}
+@test "hash is stable across git commit of staged changes" {
+  cd "$TEST_DIR"
+  echo "line 1" > feature.ts
+  git add feature.ts
+  HASH_BEFORE=$(compute_hash)
+  git commit -m "add feature" >/dev/null 2>&1
+  HASH_AFTER=$(compute_hash)
+  [ "$HASH_BEFORE" = "$HASH_AFTER" ] || {
+    echo "Hash changed on commit."
+    echo "before: $HASH_BEFORE"
+    echo "after:  $HASH_AFTER"
+    return 1
+  }
+}
+@test "hash is stable across git push (P054 regression guard)" {
+  cd "$TEST_DIR"
+  echo "line 1" > feature.ts
+  git add feature.ts
+  git commit -m "add feature" >/dev/null 2>&1
+  HASH_BEFORE=$(compute_hash)
+  git push origin main >/dev/null 2>&1
+  HASH_AFTER=$(compute_hash)
+  [ "$HASH_BEFORE" = "$HASH_AFTER" ] || {
+    echo "Hash changed on push — this is the P054 regression."
+    echo "before: $HASH_BEFORE"
+    echo "after:  $HASH_AFTER"
+    return 1
+  }
+}
+@test "hash is stable across full commit-then-push sequence" {
+  cd "$TEST_DIR"
+  echo "line 1" > feature.ts
+  git add feature.ts
+  HASH_STAGED=$(compute_hash)
+  git commit -m "add feature" >/dev/null 2>&1
+  HASH_COMMITTED=$(compute_hash)
+  git push origin main >/dev/null 2>&1
+  HASH_PUSHED=$(compute_hash)
+  [ "$HASH_STAGED" = "$HASH_COMMITTED" ] || {
+    echo "Hash changed on commit step."
+    return 1
+  }
+  [ "$HASH_COMMITTED" = "$HASH_PUSHED" ] || {
+    echo "Hash changed on push step."
+    return 1
+  }
+}
+@test "hash changes when a new tracked file is edited" {
+  cd "$TEST_DIR"
+  echo "v1" > feature.ts
+  git add feature.ts
+  git commit -m "v1" >/dev/null 2>&1
+  git push origin main >/dev/null 2>&1
+  HASH_BEFORE=$(compute_hash)
+  echo "v2" > feature.ts
+  HASH_AFTER=$(compute_hash)
+  [ "$HASH_BEFORE" != "$HASH_AFTER" ] || {
+    echo "Hash did not change on content edit."
+    return 1
+  }
+}
+@test "hash changes when a new changeset is added" {
+  cd "$TEST_DIR"
+  mkdir -p .changeset
+  HASH_BEFORE=$(compute_hash)
+  cat > .changeset/abc.md <<'CS'
+---
+"@windyroad/itil": patch
+---
+Fix something.
+CS
+  HASH_AFTER=$(compute_hash)
+  [ "$HASH_BEFORE" != "$HASH_AFTER" ] || {
+    echo "Hash did not change on new changeset."
+    return 1
+  }
+}
+@test "hash is stable with no upstream remote (works on a fresh repo)" {
+  # Fresh repo with no remote tracking branch.
+  NO_REMOTE_DIR="$(mktemp -d)"
+  cd "$NO_REMOTE_DIR"
+  git init --initial-branch=main >/dev/null 2>&1
+  git config user.email "test@example.com"
+  git config user.name "Test"
+  echo "init" > README.md
+  git add README.md
+  git commit -m "init" >/dev/null 2>&1
+  # Should not error out, should emit a hash input
+  run bash "$SCRIPT" --hash-inputs
+  [ "$status" -eq 0 ]
+  [ -n "$output" ]
+  # Two consecutive calls should produce the same hash (deterministic)
+  HASH_A=$(compute_hash)
+  HASH_B=$(compute_hash)
+  [ "$HASH_A" = "$HASH_B" ]
+  rm -rf "$NO_REMOTE_DIR"
+}
+@test "hash is stable with clean working tree (no stash-create content)" {
+  cd "$TEST_DIR"
+  # Working tree is clean after setup's push. Two consecutive calls are stable.
+  HASH_A=$(compute_hash)
+  HASH_B=$(compute_hash)
+  [ "$HASH_A" = "$HASH_B" ] || {
+    echo "Hash is non-deterministic on clean tree."
+    return 1
+  }
+}
+@test "hash is stable with dirty working tree (uncommitted edits)" {
+  cd "$TEST_DIR"
+  echo "dirty" > work.txt
+  git add work.txt
+  echo "more dirty" > unstaged.txt
+  HASH_A=$(compute_hash)
+  HASH_B=$(compute_hash)
+  [ "$HASH_A" = "$HASH_B" ] || {
+    echo "Hash is non-deterministic on dirty tree."
+    return 1
+  }
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@windyroad/risk-scorer",
-  "version": "0.3.4",
+  "version": "0.3.5",
   "description": "Pipeline risk scoring, commit/push gates, and secret leak detection",
   "bin": {
     "windyroad-risk-scorer": "./bin/install.mjs"