@windyroad/risk-scorer 0.3.5-preview.188 → 0.3.6-preview.192

package/.claude-plugin/plugin.json

@@ -1,5 +1,5 @@
 {
   "name": "wr-risk-scorer",
-  "version": "0.3.5",
+  "version": "0.3.6",
   "description": "Pipeline risk scoring, commit/push/release gates for Claude Code"
 }

package/hooks/git-push-gate.sh

@@ -32,7 +32,7 @@ if echo "$COMMAND" | grep -qE '(^|;|&&|\|\|)\s*git push(\s|$)'; then
     exit 0
 fi
 
-# Gate push:watch on push risk score
+# Gate push:watch on push risk score (inherits three-band TTL via check_risk_gate — P090)
 if echo "$COMMAND" | grep -qE '(^|;|&&|\|\|)\s*npm run push:watch(\s|$)'; then
     if [ -n "$SESSION_ID" ]; then
         RDIR=$(_risk_dir "$SESSION_ID")
@@ -45,27 +45,12 @@ if echo "$COMMAND" | grep -qE '(^|;|&&|\|\|)\s*npm run push:watch(\s|$)'; then
         if [ -f "${RDIR}/clean" ]; then
             exit 0
         fi
-        PUSH_SCORE_FILE="${RDIR}/push"
-        if [ ! -f "$PUSH_SCORE_FILE" ]; then
-            risk_gate_deny "Push blocked: No push risk score found. Delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') to assess cumulative pipeline risk."
-            exit 0
-        fi
-        PUSH_NOW=$(date +%s)
-        PUSH_SCORE_TIME=$(_mtime "$PUSH_SCORE_FILE")
-        PUSH_AGE=$(( PUSH_NOW - PUSH_SCORE_TIME ))
-        PUSH_TTL="${RISK_TTL:-3600}"
-        if [ "$PUSH_AGE" -ge "$PUSH_TTL" ]; then
-            risk_gate_deny "Push blocked: Push risk score expired (${PUSH_AGE}s old, TTL ${PUSH_TTL}s). Delegate to risk-scorer to rescore."
-            exit 0
-        fi
-        PUSH_SCORE=$(cat "$PUSH_SCORE_FILE" 2>/dev/null || echo "")
-        if ! echo "$PUSH_SCORE" | grep -qE '^[0-9]+(\.[0-9]+)?$'; then
-            risk_gate_deny "Push blocked: Push risk score is not yet available (scoring in progress). Wait a moment and retry."
-            exit 0
-        fi
-        PUSH_DENIED=$(python3 -c "print('yes' if float('${PUSH_SCORE}') >= 5 else 'no')" 2>/dev/null || echo "no")
-        if [ "$PUSH_DENIED" = "yes" ]; then
-            risk_gate_deny "Push blocked: Push risk score ${PUSH_SCORE}/25 (Medium or above). To proceed: (1) release first via \`npm run release:watch\`, (2) split the push, or (3) add risk-reducing measures. If risk-neutral or risk-reducing, delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') — it will create a bypass marker."
+        if ! check_risk_gate "$SESSION_ID" "push"; then
+            if [ "$RISK_GATE_CATEGORY" = "threshold" ]; then
+                risk_gate_deny "Push blocked: Push risk score ${RISK_GATE_SCORE}/25 (Medium or above). To proceed: (1) release first via \`npm run release:watch\`, (2) split the push, or (3) add risk-reducing measures. If risk-neutral or risk-reducing, delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') — it will create a bypass marker."
+            else
+                risk_gate_deny "Push blocked: ${RISK_GATE_REASON}"
+            fi
             exit 0
         fi
     fi

package/hooks/lib/risk-gate.sh

@@ -9,6 +9,18 @@ source "$_RISK_GATE_DIR/gate-helpers.sh"
 
 # Check risk gate for a given action. Returns 0 if allowed, 1 if denied.
 # Sets RISK_GATE_REASON on failure with human-readable message.
+# Also sets RISK_GATE_CATEGORY ∈ {missing, expired, drift, invalid, threshold}
+# and RISK_GATE_SCORE (on threshold) for callers that customise deny messages.
+#
+# Implements the three-band TTL policy (P090, ADR-009 footnote):
+#   Band A: age < TTL/2        → pass silently (no slide).
+#   Band B: TTL/2 ≤ age < TTL  → if state-hash is invariant since the
+#                                scorer ran, pass AND slide the marker
+#                                forward (touch score file); bounded by
+#                                a 2×TTL hard-cap from the scorer-run
+#                                birth time stored in <action>-born.
+#                                If the hash drifted, halt as before.
+#   Band C: age ≥ TTL          → halt with the existing expired message.
 # Usage: check_risk_gate "$SESSION_ID" "commit"
 check_risk_gate() {
   local SESSION_ID="$1"
@@ -16,24 +28,37 @@ check_risk_gate() {
   local RDIR
   RDIR=$(_risk_dir "$SESSION_ID")
   local SCORE_FILE="${RDIR}/${ACTION}"
+  local BORN_FILE="${RDIR}/${ACTION}-born"
   local HASH_FILE="${RDIR}/state-hash"
   local TTL_SECONDS="${RISK_TTL:-3600}"
 
+  RISK_GATE_CATEGORY=""
+  RISK_GATE_SCORE=""
+
   # 1. Score file must exist (fail-closed)
   if [ ! -f "$SCORE_FILE" ]; then
+    RISK_GATE_CATEGORY="missing"
     RISK_GATE_REASON="No ${ACTION} risk score found. Delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') to assess cumulative pipeline risk."
     return 1
   fi
 
-  # 2. TTL check — score file mtime must be within TTL
+  # 2. TTL — Band C hard expiry first
   local NOW=$(date +%s)
   local SCORE_TIME=$(_mtime "$SCORE_FILE")
   local AGE=$(( NOW - SCORE_TIME ))
   if [ "$AGE" -ge "$TTL_SECONDS" ]; then
+    RISK_GATE_CATEGORY="expired"
     RISK_GATE_REASON="Risk score expired (${AGE}s old, TTL ${TTL_SECONDS}s). Delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') to rescore."
     return 1
   fi
 
+  # Detect Band B candidacy (age in [TTL/2, TTL))
+  local HALF_TTL=$(( TTL_SECONDS / 2 ))
+  local BAND_B=0
+  if [ "$AGE" -ge "$HALF_TTL" ]; then
+    BAND_B=1
+  fi
+
   # 3. Drift detection — pipeline state hash must match
   # The hash is computed from git diff HEAD --stat at prompt submit time.
   # If you staged files AFTER the prompt, the hash will differ.
@@ -43,15 +68,34 @@ check_risk_gate() {
     local CURRENT_HASH
     CURRENT_HASH=$("$_RISK_GATE_DIR/pipeline-state.sh" --hash-inputs 2>/dev/null | _hashcmd | cut -d' ' -f1)
     if [ "$STORED_HASH" != "$CURRENT_HASH" ]; then
+      RISK_GATE_CATEGORY="drift"
       RISK_GATE_REASON="Pipeline state drift: working tree changed since the last ${ACTION} risk assessment. Delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') to rescore against the current state."
       return 1
     fi
+
+    # Band B + hash invariant: slide the marker forward, bounded by 2×TTL
+    # from the scorer-run birth time. The hard cap prevents an unchanged-but-
+    # perpetually-idle tree from riding a single marker indefinitely.
+    if [ "$BAND_B" = "1" ]; then
+      if [ -f "$BORN_FILE" ]; then
+        local BORN_TIME=$(_mtime "$BORN_FILE")
+        local BORN_AGE=$(( NOW - BORN_TIME ))
+        local HARD_CAP=$(( TTL_SECONDS * 2 ))
+        if [ "$BORN_AGE" -ge "$HARD_CAP" ]; then
+          RISK_GATE_CATEGORY="expired"
+          RISK_GATE_REASON="Risk score expired (${BORN_AGE}s total since scoring, hard cap ${HARD_CAP}s). Delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') to rescore."
+          return 1
+        fi
+      fi
+      touch "$SCORE_FILE"
+    fi
   fi
-  # No hash file = backward compat, skip drift check
+  # No hash file = backward compat, skip drift check and Band B slide
 
   # 4. Read and validate score
   local SCORE=$(cat "$SCORE_FILE" 2>/dev/null || echo "")
   if ! echo "$SCORE" | grep -qE '^[0-9]+(\.[0-9]+)?$'; then
+    RISK_GATE_CATEGORY="invalid"
     RISK_GATE_REASON="Risk score file contains an invalid value. Re-run the risk-scorer agent."
     return 1
   fi
@@ -63,6 +107,8 @@ print('yes' if score >= 5 else 'no')
 " 2>/dev/null || echo "no")
 
   if [ "$DENIED" = "yes" ]; then
+    RISK_GATE_CATEGORY="threshold"
+    RISK_GATE_SCORE="$SCORE"
     RISK_GATE_REASON="${ACTION} risk score ${SCORE}/25 (Medium or above). To proceed: (1) split the ${ACTION}, (2) add risk-reducing measures, or (3) for a LIVE INCIDENT, delegate to wr-risk-scorer:pipeline (subagent_type: 'wr-risk-scorer:pipeline') with incident context for an incident bypass."
     return 1
   fi

package/hooks/risk-score-mark.sh

@@ -42,9 +42,13 @@ if echo "$SUBAGENT" | grep -qE 'risk-scorer.pipeline'; then
     PUSH=$(echo "$SCORES_LINE" | grep -oE 'push=[0-9]+' | cut -d= -f2) || true
     RELEASE=$(echo "$SCORES_LINE" | grep -oE 'release=[0-9]+' | cut -d= -f2) || true
 
-    [ -n "$COMMIT" ] && printf '%s' "$COMMIT" > "${RDIR}/commit"
-    [ -n "$PUSH" ] && printf '%s' "$PUSH" > "${RDIR}/push"
-    [ -n "$RELEASE" ] && printf '%s' "$RELEASE" > "${RDIR}/release"
+    # Birth markers (<action>-born) capture the scorer-run timestamp. Band B
+    # of the three-band TTL policy (P090) uses them to enforce a 2×TTL
+    # hard-cap on sliding-window extension, so an unchanged-but-idle tree
+    # cannot ride a single score indefinitely.
+    [ -n "$COMMIT" ] && { printf '%s' "$COMMIT" > "${RDIR}/commit"; touch "${RDIR}/commit-born"; }
+    [ -n "$PUSH" ] && { printf '%s' "$PUSH" > "${RDIR}/push"; touch "${RDIR}/push-born"; }
+    [ -n "$RELEASE" ] && { printf '%s' "$RELEASE" > "${RDIR}/release"; touch "${RDIR}/release-born"; }
   fi
 
   # Parse RISK_BYPASS: reducing|incident

package/hooks/test/risk-gate.bats

@@ -105,3 +105,117 @@ assert_gate_allows() {
   [[ "$output" == *"deny"* ]]
   [[ "$output" == *"Test reason"* ]]
 }
+
+# ---------------------------------------------------------------------------
+# Three-band TTL policy (P090)
+# Band A: age < TTL/2 → pass silently, no slide
+# Band B: TTL/2 <= age < TTL → consult state-hash; if invariant, pass + slide
+#         the marker forward (touch score file) bounded by 2*TTL hard cap
+#         from the scorer-run birth time (<action>-born); if drifted, halt
+# Band C: age >= TTL → halt with existing "expired" message
+# ---------------------------------------------------------------------------
+
+# Helper: backdate file mtime by N seconds (portable between macOS and Linux)
+_backdate() {
+  local file="$1" seconds="$2"
+  local stamp
+  stamp=$(date -v-${seconds}S +%Y%m%d%H%M.%S 2>/dev/null \
+       || date -d "${seconds} seconds ago" +%Y%m%d%H%M.%S 2>/dev/null)
+  touch -t "$stamp" "$file"
+}
+
+# Helper: write a matching state-hash for the current working tree
+_write_matching_hash() {
+  local target="$1"
+  local hash
+  hash=$("$HOOKS_DIR/lib/pipeline-state.sh" --hash-inputs 2>/dev/null | _hashcmd | cut -d' ' -f1)
+  echo "$hash" > "$target"
+}
+
+@test "Band A (age < TTL/2): passes, does NOT slide the marker" {
+  printf '3' > "$SCORE_FILE"
+  touch "$SCORE_FILE"
+  rm -f "$HASH_FILE"
+  BEFORE_MTIME=$(_mtime "$SCORE_FILE")
+  sleep 1
+  assert_gate_allows "$TEST_SESSION" "commit"
+  AFTER_MTIME=$(_mtime "$SCORE_FILE")
+  [ "$BEFORE_MTIME" = "$AFTER_MTIME" ]
+}
+
+@test "Band B (TTL/2 <= age < TTL) with hash invariant: passes AND slides marker forward" {
+  printf '3' > "$SCORE_FILE"
+  _backdate "$SCORE_FILE" 3
+  _write_matching_hash "$HASH_FILE"
+  touch "${SCORE_FILE}-born"
+  BEFORE_MTIME=$(_mtime "$SCORE_FILE")
+  assert_gate_allows "$TEST_SESSION" "commit"
+  AFTER_MTIME=$(_mtime "$SCORE_FILE")
+  [ "$AFTER_MTIME" -gt "$BEFORE_MTIME" ]
+}
+
+@test "Band B with no hash file: passes but does NOT slide (no invariance proof)" {
+  printf '3' > "$SCORE_FILE"
+  _backdate "$SCORE_FILE" 3
+  rm -f "$HASH_FILE"
+  BEFORE_MTIME=$(_mtime "$SCORE_FILE")
+  sleep 1
+  assert_gate_allows "$TEST_SESSION" "commit"
+  AFTER_MTIME=$(_mtime "$SCORE_FILE")
+  [ "$BEFORE_MTIME" = "$AFTER_MTIME" ]
+}
+
+@test "Band B with hash mismatch: denies with drift (no slide)" {
+  printf '3' > "$SCORE_FILE"
+  _backdate "$SCORE_FILE" 3
+  echo "staleold" > "$HASH_FILE"
+  touch "${SCORE_FILE}-born"
+  BEFORE_MTIME=$(_mtime "$SCORE_FILE")
+  assert_gate_denies "$TEST_SESSION" "commit" "drift"
+  AFTER_MTIME=$(_mtime "$SCORE_FILE")
+  [ "$BEFORE_MTIME" = "$AFTER_MTIME" ]
+}
+
+@test "Band B with hard-cap exceeded (born-age >= 2*TTL): denies even if hash invariant" {
+  printf '3' > "$SCORE_FILE"
+  _backdate "$SCORE_FILE" 3
+  _write_matching_hash "$HASH_FILE"
+  touch "${SCORE_FILE}-born"
+  _backdate "${SCORE_FILE}-born" 12
+  assert_gate_denies "$TEST_SESSION" "commit" "expired"
+}
+
+@test "Band C (age >= TTL): denies regardless of hash invariance" {
+  printf '3' > "$SCORE_FILE"
+  _backdate "$SCORE_FILE" 10
+  _write_matching_hash "$HASH_FILE"
+  touch "${SCORE_FILE}-born"
+  assert_gate_denies "$TEST_SESSION" "commit" "expired"
+}
+
+@test "Band B denial exports RISK_GATE_CATEGORY=drift on hash mismatch" {
+  printf '3' > "$SCORE_FILE"
+  _backdate "$SCORE_FILE" 3
+  echo "staleold" > "$HASH_FILE"
+  RISK_GATE_CATEGORY=""
+  ! check_risk_gate "$TEST_SESSION" "commit"
+  [ "$RISK_GATE_CATEGORY" = "drift" ]
+}
+
+@test "Band C denial exports RISK_GATE_CATEGORY=expired" {
+  printf '3' > "$SCORE_FILE"
+  _backdate "$SCORE_FILE" 10
+  RISK_GATE_CATEGORY=""
+  ! check_risk_gate "$TEST_SESSION" "commit"
+  [ "$RISK_GATE_CATEGORY" = "expired" ]
+}
+
+@test "Threshold denial exports RISK_GATE_CATEGORY=threshold and RISK_GATE_SCORE" {
+  printf '7' > "$SCORE_FILE"
+  touch "$SCORE_FILE"
+  RISK_GATE_CATEGORY=""
+  RISK_GATE_SCORE=""
+  ! check_risk_gate "$TEST_SESSION" "commit"
+  [ "$RISK_GATE_CATEGORY" = "threshold" ]
+  [ "$RISK_GATE_SCORE" = "7" ]
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@windyroad/risk-scorer",
-  "version": "0.3.5-preview.188",
+  "version": "0.3.6-preview.192",
   "description": "Pipeline risk scoring, commit/push gates, and secret leak detection",
   "bin": {
     "windyroad-risk-scorer": "./bin/install.mjs"