npm - @windyroad/risk-scorer - Versions diffs - 0.4.0 → 0.4.1-preview.202 - Mend

@windyroad/risk-scorer 0.4.0 → 0.4.1-preview.202

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/.claude-plugin/plugin.json +1 -1
package/hooks/hooks.json +2 -1
package/hooks/lib/gate-helpers.sh +50 -0
package/hooks/risk-slide-marker.sh +40 -0
package/hooks/test/slide-marker-on-subprocess-return.bats +100 -0
package/package.json +1 -1

package/.claude-plugin/plugin.json CHANGED Viewed

@@ -1,5 +1,5 @@
 {
   "name": "wr-risk-scorer",
-  "version": "0.4.0",
+  "version": "0.4.1",
   "description": "Pipeline risk scoring, commit/push/release gates for Claude Code"
 }

package/hooks/hooks.json CHANGED Viewed

@@ -14,7 +14,8 @@
     "PostToolUse": [
       { "matcher": "Edit|Write", "hooks": [{ "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/wip-risk-mark.sh" }] },
       { "matcher": "Agent", "hooks": [{ "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/risk-score-mark.sh" }] },
-      { "matcher": "Bash", "hooks": [{ "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/risk-hash-refresh.sh" }] }
+      { "matcher": "Bash", "hooks": [{ "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/risk-hash-refresh.sh" }] },
+      { "matcher": "Agent|Bash", "hooks": [{ "type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/risk-slide-marker.sh" }] }
     ]
   }
 }

package/hooks/lib/gate-helpers.sh CHANGED Viewed

@@ -153,6 +153,56 @@ _risk_dir() {
   echo "$dir"
 }
+# ---------------------------------------------------------------------------
+# Subprocess-completion marker slide (P111, ADR-009 amendment)
+# ---------------------------------------------------------------------------
+# Slides an existing session-review marker forward on subprocess return,
+# treating subprocess wall-clock as continuous parent-session work for TTL
+# purposes. Intended for PostToolUse hooks on Agent / Bash that may have
+# been long-running subprocesses (Agent-tool delegations, `claude -p`
+# iteration subprocesses, run_in_background completions).
+#
+# Contract:
+#   - Touches the marker ONLY if it already exists. NEVER creates a marker
+#     (creating requires a real gate review with verdict parsing).
+#   - Skips the touch if tool_response.is_error == true. A failed
+#     subprocess MUST NOT extend the parent's trust window.
+#   - Fail-safe on parse error: if _HOOK_INPUT cannot be parsed, treat as
+#     error and skip the touch.
+#   - No-op when marker path is empty or marker file does not exist.
+#
+# Why this is NOT cross-process marker sharing (ADR-032 line 123 invariant):
+# the parent's PostToolUse hook touches the parent's OWN marker. The
+# subprocess's session id, marker, and gate state are never read or shared.
+# This is identical in shape to the existing PreToolUse:Edit slide; only
+# the trigger expands to subprocess return.
+#
+# Usage: slide_marker_on_subprocess_return "/tmp/architect-reviewed-${SESSION_ID}"
+slide_marker_on_subprocess_return() {
+    local MARKER="$1"
+    [ -n "$MARKER" ] || return 0
+    [ -f "$MARKER" ] || return 0
+    local IS_ERROR
+    IS_ERROR=$(echo "$_HOOK_INPUT" | python3 -c "
+import sys, json
+try:
+    data = json.load(sys.stdin)
+    tr = data.get('tool_response', {})
+    if isinstance(tr, dict):
+        print('true' if tr.get('is_error') is True else 'false')
+    else:
+        print('false')
+except Exception:
+    print('true')
+" 2>/dev/null || echo "true")
+    if [ "$IS_ERROR" = "false" ]; then
+        touch "$MARKER"
+    fi
+}
 # ---------------------------------------------------------------------------
 # Non-doc file detection for WIP gating
 # ---------------------------------------------------------------------------

package/hooks/risk-slide-marker.sh ADDED Viewed

@@ -0,0 +1,40 @@
+#!/bin/bash
+# Risk Scorer - PostToolUse:Agent|Bash slide-marker hook (P111).
+# Slides the parent session's existing risk score files forward on
+# subprocess return, treating subprocess wall-clock as continuous parent-
+# session work for TTL purposes. Only TOUCHES existing score files — never
+# creates one (creation requires a real risk-scorer:pipeline run that emits
+# RISK_SCORES, parsed in risk-score-mark.sh).
+#
+# Score files that carry TTL semantics (Band A/B/C policy in risk-gate.sh):
+#   ${RDIR}/commit, ${RDIR}/push, ${RDIR}/release.
+#
+# Files DELIBERATELY NOT slid:
+#   - ${RDIR}/*-born — birth timestamps for the 2×TTL hard-cap (P090). The
+#     hard-cap is meant to be invariant under sliding so an unchanged-but-
+#     idle tree cannot ride a single score indefinitely (ADR-009 footnote
+#     "Three-band TTL refinement"). Sliding the born marker would defeat
+#     that protection.
+#   - ${RDIR}/state-hash — drift-detection hash, not TTL-governed.
+#   - ${RDIR}/{reducing,incident}-* — bypass markers, presence-only.
+#   - ${RDIR}/{plan,wip,policy}-reviewed — presence-only review markers.
+#
+# See ADR-009 "Subprocess-boundary refresh" and P111 for context. Failed
+# subprocesses (tool_response.is_error=true) do NOT extend the trust window
+# — see slide_marker_on_subprocess_return in lib/gate-helpers.sh.
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/lib/gate-helpers.sh"
+_parse_input
+SESSION_ID=$(_get_session_id)
+[ -n "$SESSION_ID" ] || exit 0
+RDIR=$(_risk_dir "$SESSION_ID")
+slide_marker_on_subprocess_return "${RDIR}/commit"
+slide_marker_on_subprocess_return "${RDIR}/push"
+slide_marker_on_subprocess_return "${RDIR}/release"
+exit 0

package/hooks/test/slide-marker-on-subprocess-return.bats ADDED Viewed

@@ -0,0 +1,100 @@
+#!/usr/bin/env bats
+# Tests for slide_marker_on_subprocess_return helper (P111).
+#
+# Behavioural contract:
+# - Slides an existing marker forward (touch) on PostToolUse:Agent|Bash
+#   completion, treating subprocess wall-clock as continuous parent-session
+#   work for TTL purposes.
+# - Never CREATES a marker (creating requires a real gate review).
+# - Skips slide on subprocess error (tool_response.is_error=true) so a failed
+#   subprocess does NOT extend the parent's trust window (ADR-009 amendment).
+# - No-op when no marker exists or session_id is empty (fail-safe).
+setup() {
+  HOOKS_DIR="$(cd "$(dirname "$BATS_TEST_FILENAME")/.." && pwd)"
+  source "$HOOKS_DIR/lib/gate-helpers.sh"
+  TEST_SESSION="bats-slide-$$-${BATS_TEST_NUMBER}"
+  MARKER="/tmp/architect-reviewed-${TEST_SESSION}"
+  rm -f "$MARKER"
+}
+teardown() {
+  rm -f "$MARKER"
+}
+# Helper: backdate file mtime by N seconds (portable between macOS and Linux)
+_backdate() {
+  local file="$1" seconds="$2"
+  local stamp
+  stamp=$(date -v-${seconds}S +%Y%m%d%H%M.%S 2>/dev/null \
+       || date -d "${seconds} seconds ago" +%Y%m%d%H%M.%S 2>/dev/null)
+  touch -t "$stamp" "$file"
+}
+@test "slide: existing marker is touched on success response" {
+  touch "$MARKER"
+  _backdate "$MARKER" 60
+  BEFORE=$(_mtime "$MARKER")
+  _HOOK_INPUT='{"tool_response":{"content":[]}}'
+  slide_marker_on_subprocess_return "$MARKER"
+  AFTER=$(_mtime "$MARKER")
+  [ "$AFTER" -gt "$BEFORE" ]
+}
+@test "slide: long-running subprocess does NOT cause parent marker expiry on return (P111 reproduction)" {
+  # Simulate the P111 failure mode: parent's marker is set, then a long
+  # subprocess runs (we backdate the marker to simulate elapsed wall-clock),
+  # then PostToolUse fires with a successful tool_response. The marker mtime
+  # must be refreshed so the parent's NEXT PreToolUse gate check (which
+  # compares NOW - mtime against TTL) sees a fresh marker.
+  touch "$MARKER"
+  # Marker is 50 minutes old — under default 60-min TTL but close to expiry.
+  # Without the slide on subprocess return, a subsequent 15-min subprocess
+  # would push the mtime past TTL and the next PreToolUse would deny.
+  _backdate "$MARKER" 3000
+  BEFORE=$(_mtime "$MARKER")
+  _HOOK_INPUT='{"tool_response":{"content":[{"type":"text","text":"OK"}]}}'
+  slide_marker_on_subprocess_return "$MARKER"
+  AFTER=$(_mtime "$MARKER")
+  NOW=$(date +%s)
+  [ "$AFTER" -gt "$BEFORE" ]
+  # And the new mtime is approximately NOW (within 5 seconds of slide call)
+  AGE=$((NOW - AFTER))
+  [ "$AGE" -lt 5 ]
+}
+@test "slide: does NOT touch marker when tool_response.is_error=true" {
+  touch "$MARKER"
+  _backdate "$MARKER" 60
+  BEFORE=$(_mtime "$MARKER")
+  _HOOK_INPUT='{"tool_response":{"is_error":true,"content":[]}}'
+  slide_marker_on_subprocess_return "$MARKER"
+  AFTER=$(_mtime "$MARKER")
+  [ "$BEFORE" = "$AFTER" ]
+}
+@test "slide: no-op when marker does not exist (never creates)" {
+  [ ! -f "$MARKER" ]
+  _HOOK_INPUT='{"tool_response":{"content":[]}}'
+  slide_marker_on_subprocess_return "$MARKER"
+  [ ! -f "$MARKER" ]
+}
+@test "slide: no-op when marker path argument is empty" {
+  _HOOK_INPUT='{"tool_response":{"content":[]}}'
+  run slide_marker_on_subprocess_return ""
+  [ "$status" -eq 0 ]
+}
+@test "slide: malformed hook input is fail-safe (no slide)" {
+  touch "$MARKER"
+  _backdate "$MARKER" 60
+  BEFORE=$(_mtime "$MARKER")
+  _HOOK_INPUT='not valid json'
+  slide_marker_on_subprocess_return "$MARKER"
+  AFTER=$(_mtime "$MARKER")
+  # Fail-safe: when the hook input cannot be parsed, treat as error and skip
+  [ "$BEFORE" = "$AFTER" ]
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@windyroad/risk-scorer",
-  "version": "0.4.0",
+  "version": "0.4.1-preview.202",
   "description": "Pipeline risk scoring, commit/push gates, and secret leak detection",
   "bin": {
     "windyroad-risk-scorer": "./bin/install.mjs"