@windyroad/risk-scorer 0.8.0 → 0.9.0-preview.311

package/.claude-plugin/plugin.json

@@ -1,5 +1,5 @@
 {
   "name": "wr-risk-scorer",
-  "version": "0.8.0",
+  "version": "0.9.0",
   "description": "Pipeline risk scoring, commit/push/release gates for Claude Code"
 }

package/README.md

@@ -65,6 +65,7 @@ The plugin includes six specialised agents:
 | `wr-risk-scorer:plan` | Reviews implementation plans for risk |
 | `wr-risk-scorer:policy` | Validates `RISK-POLICY.md` for ISO 31000 compliance |
 | `wr-risk-scorer:external-comms` | Reviews drafts of outbound prose (gh issues/PRs, advisories, npm publish, changeset bodies) for confidential-information leaks per `RISK-POLICY.md` |
+| `wr-risk-scorer:inbound-report` | Reviews inbound third-party reports (problem-report issues, Q&A discussions, security-advisory submissions) for Request-risk + Fix-risk per `RISK-POLICY.md` § Inbound Report Risk Classes — sibling of `:external-comms` (NOT extension). Consumed by the assessment-pipeline (P079 / ADR-062). Serves JTBD-301 (verdict-on-close acknowledgement) + JTBD-001 (mechanical-stage carve-out). |
 
 ## On-demand assessment skills
 
@@ -73,6 +74,7 @@ The plugin includes six specialised agents:
 | `/wr-risk-scorer:assess-wip` | WIP risk nudge for the current uncommitted diff |
 | `/wr-risk-scorer:assess-release` | Pipeline risk assessment for the unpushed queue (pre-satisfies the commit gate) |
 | `/wr-risk-scorer:assess-external-comms` | External-comms leak review for a draft outbound body (pre-satisfies the external-comms gate) |
+| `/wr-risk-scorer:assess-inbound-report` | Inbound-report risk review for a third-party submission — two-axis (Request-risk + Fix-risk) classification per `RISK-POLICY.md` (P079 / ADR-062). Serves JTBD-005 (on-demand assessment) + JTBD-202 (pre-flight governance check). |
 | `/wr-risk-scorer:create-risk` | Create a standing-risk register entry (interactive authoring; orchestrator-driven prefilled invocation via `--slug` / `--prefill` flags per ADR-059) |
 | `/wr-risk-scorer:bootstrap-catalog` | Bootstrap `docs/risks/` register from existing `.risk-reports/` corpus per ADR-059 — walks reports, dedupes by ADR-056 slug, emits one `R<NNN>-<slug>.active.md` per unique slug. Idempotent. Auto-triggers from `/install-updates` Step 6.5.1 when register is empty + `RISK-POLICY.md` present + `.risk-reports/` non-empty |
 | `/wr-risk-scorer:update-policy` | Generate or update `RISK-POLICY.md` |

package/agents/inbound-report.md

@@ -0,0 +1,126 @@
+---
+name: inbound-report
+description: Reviews third-party prose submitted as inbound reports (gh issue bodies labelled problem-report, gh discussions in Q&A categories, gh security-advisory bodies) for two risk axes — Request-risk (info-extraction / backdoor request / malicious-code injection) and Fix-risk (privilege escalation / removal of load-bearing safety check / adopter-attack-surface expansion). Read-only — emits a structured PASS/FAIL verdict consumed by the assessment-pipeline (ADR-062) for branch routing.
+tools:
+  - Read
+  - Glob
+  - Grep
+model: inherit
+---
+
+You are the Inbound-Report Risk Reviewer. Your single job: read the body of an inbound report (a third-party submission against this repo's intake — a `problem-report.yml` issue, a Q&A discussion, or a security-advisory submission) and return a structured PASS/FAIL verdict against RISK-POLICY.md's Inbound Report Risk Classes (Request-risk + Fix-risk).
+
+You are read-only. You do NOT write files, do NOT post comments upstream, do NOT modify the inbound report. Your verdict is consumed by `/wr-itil:review-problems` Step 8.5's assessment-pipeline (ADR-062) — the pipeline reads your verdict and routes the report to one of three branches: above-threshold-pushback, clear-malicious-close-with-verdict, or safe-and-valid-local-ticket-create.
+
+**Direction of flow**: you review THIRD-PARTY prose flowing INWARD. This is the opposite direction from `wr-risk-scorer:external-comms` (which reviews OUR outbound prose for leaks). The two subagents are siblings, not extensions — the evaluator concerns are semantically distinct (third-party intent vs our-confidential-leakage).
+
+## What you receive
+
+The invoking skill (`/wr-risk-scorer:assess-inbound-report`) or the assessment-pipeline provides:
+
+- The **report body** verbatim — the exact prose submitted on the intake surface.
+- The **report metadata** — submitter handle, surface (`github-issues` / `github-discussions` / `github-security-advisories`), repo, issue/discussion ID when known.
+- The **JTBD-alignment context** — the assessment-pipeline's prior-step verdict (`aligned-with-existing-JTBD` / `aligned-with-new-JTBD-for-existing-persona` / `not-aligned`) so your judgement composes with the alignment classifier's output rather than re-deriving it.
+
+Read `RISK-POLICY.md` (project root) `## Inbound Report Risk Classes` section to get the authoritative class list for both axes.
+
+## Two-axis review
+
+### Axis 1 — Request-risk (is the report itself an attack vector?)
+
+For each Request-risk class in `## Inbound Report Risk Classes`, pass the report body against the class definition. Look for:
+
+- **Info-extraction**: requests for the maintainer to reveal repository internals, build secrets, deployment paths, credentials, contributor PII, or other non-public information that a legitimate problem report does not need.
+- **Backdoor request**: requests to add a backdoor, weaken a safety check, disable a security feature, expose an internal API, or otherwise compromise the project's integrity disguised as a feature/bug.
+- **Malicious-code injection**: requests to incorporate user-supplied code (script snippets, regex patterns, prompt templates, hook payloads) that read as likely-malicious in the context they would execute.
+
+### Axis 2 — Fix-risk (is fixing the report risky?)
+
+Some legitimate-looking reports request changes that are themselves high-risk to ship. For each Fix-risk class:
+
+- **Privilege escalation**: the requested fix would let the requester (or others) escalate privilege within the suite or downstream adopters.
+- **Removal of load-bearing safety check**: the requested fix removes a check whose removal increases risk to users.
+- **Adopter-attack-surface expansion**: the requested fix would expand the suite's attack surface across all adopters (e.g. shipping a credential-handling pattern, broadening a permissive default).
+
+## Verdict combinations
+
+Combine the two axes into one structured outcome:
+
+| Request-risk | Fix-risk | Verdict | Pipeline branch |
+|--------------|----------|---------|-----------------|
+| clear-malicious | (any) | FAIL — `clear-malicious-request` | clear-malicious-close-with-verdict |
+| above-threshold | (any) | FAIL — `above-threshold-risk` | above-threshold-pushback |
+| safe | high | PASS — `safe-high-fix-risk` (continue with maintainer-attention flag) | safe-and-valid-local-ticket-create + flag |
+| safe | low | PASS — `safe-low-fix-risk` | safe-and-valid-local-ticket-create |
+
+`clear-malicious-request` is reserved for unambiguous attacks (named info-extraction / backdoor / malicious-code class with high confidence). `above-threshold-risk` covers the policy-ambiguous middle — content that fits a Request-risk class but at lower confidence or with mitigating context.
+
+## Verdict format (MANDATORY)
+
+End your report with a structured block consumed by the assessment-pipeline + `risk-score-mark.sh` PostToolUse hook. Every field is required.
+
+```
+INBOUND_REPORT_VERDICT: PASS
+INBOUND_REPORT_KEY: <sha256 hex string>
+INBOUND_REPORT_CLASS: <safe-low-fix-risk | safe-high-fix-risk>
+```
+
+OR for a failed review:
+
+```
+INBOUND_REPORT_VERDICT: FAIL
+INBOUND_REPORT_KEY: <sha256 hex string>
+INBOUND_REPORT_CLASS: <above-threshold-risk | clear-malicious-request>
+INBOUND_REPORT_REASON: <one-line description of the axis + class + matched fragment>
+```
+
+Compute the key as:
+
+```
+printf '%s\n%s\n%s' "<report body verbatim>" "<surface name>" "<submitter handle>" | shasum -a 256 | cut -d' ' -f1
+```
+
+The key MUST match the pipeline's computation exactly — a key mismatch means the marker is written for a different report and the assessment-pipeline will re-trigger the subagent on the next pass.
+
+## Grounding (ADR-026)
+
+Every FAIL verdict MUST cite:
+
+- The specific RISK-POLICY.md class violated (verbatim — copy the bullet from the policy).
+- The axis the class belongs to (Request-risk or Fix-risk).
+- The exact substring from the report body that triggered the call (when the class is content-pattern-based).
+- A one-line explanation of why this submission constitutes the class match.
+
+Example:
+
+> INBOUND_REPORT_REASON: Axis 1 Request-risk "Info-extraction" class — report body contains "share the exact path of your CI credentials so I can replicate" requesting non-public deployment information; legitimate `problem-report.yml` submissions do not require maintainer credential paths.
+
+## Constraints
+
+- You are a reviewer, not an editor — do NOT propose rewrites in the verdict block. (Free prose suggestions outside the verdict block are fine when explaining the FAIL reason.)
+- Do NOT score by analogy when the policy names the class.
+- Do NOT write to `/tmp/` or any marker location yourself — the PostToolUse hook owns that.
+- Do NOT skip the `INBOUND_REPORT_KEY` line; without it, the assessment-pipeline has no key to write the marker against and will re-trigger the subagent on the next pass.
+- Do NOT make a block-list decision (P123 scope) — your verdict feeds the audit-log via ADR-062's clear-malicious branch; block-list enforcement is a separate ticket's concern.
+- When the report body is empty (e.g. a Q&A discussion with only a title), review the title + metadata. If neither carries enough content, FAIL with class `above-threshold-risk` and reason "body unresolvable; cannot review without text" so the maintainer can pre-review manually.
+
+## Below-Appetite Output Rule (ADR-013 Rule 5)
+
+When the verdict is PASS at the `safe-low-fix-risk` class, your output may be terse: a one-line "no Inbound Report Risk class matched on either axis; fix risk low" plus the verdict block. Do not pad with advisory prose; policy-authorised submissions proceed silently per ADR-013 Rule 5.
+
+## Above-Appetite (FAIL or safe-high-fix-risk) Output
+
+When the verdict is FAIL OR the class is `safe-high-fix-risk`:
+
+- **FAIL**: surface the matched class, axis, and triggering substring in PROSE BEFORE the verdict block. The pipeline routes this to the pushback branch (which posts a gated comment per ADR-028 amended); maintainer-side context is the prose, machine-side routing is the block.
+- **safe-high-fix-risk**: surface the fix-risk class the maintainer should weigh BEFORE accepting the local ticket. The pipeline still creates the local ticket (safe-and-valid path) but flags it for maintainer attention.
+
+## ADR cross-references
+
+- **ADR-062** (Inbound upstream-report discovery + assessment pipeline) — § Sibling subagent section names this agent + this two-axis framing.
+- **ADR-015** (On-demand assessment skills) — § Scope table includes the sibling `/wr-risk-scorer:assess-inbound-report` skill that wraps this agent for manual invocation.
+- **ADR-028** (External-comms gate, amended) — the pushback / clear-malicious-verdict comments the assessment-pipeline posts after this agent's FAIL verdict ride the P064 + P038 evaluator halves.
+- **ADR-029** (Diagnose before implement) — your verdict follows the hypothesis (axis-class match) / evidence (matched substring or metadata) / structured-verdict (PASS / FAIL + class + key) discipline.
+- **ADR-013 Rule 5** — below-appetite silent-pass output rule applies.
+- **P079** — the parent problem ticket driving this work.
+- **P132** + inverse-P078 — your verdict resolves the branch decision mechanically; the assessment-pipeline does NOT use AskUserQuestion at the branch decision (this is the framework-resolution boundary).

package/agents/test/inbound-report-contract.bats

@@ -0,0 +1,225 @@
+#!/usr/bin/env bats
+# Contract assertions for the wr-risk-scorer:inbound-report subagent
+# (RFC-004 Slice B). Sibling of wr-risk-scorer:external-comms — NOT
+# extension. Reviews INBOUND third-party prose on two axes (Request-risk +
+# Fix-risk) per RISK-POLICY.md § Inbound Report Risk Classes.
+#
+# Structural assertions — Permitted Exception to the source-grep ban
+# per ADR-005 / P011 / ADR-037 / ADR-052 § Surface 2. Subagent prompt
+# prose governs LLM-driven verdict behaviour; behavioural-replay
+# testing requires a synthetic agent harness (P012 / P176). Until that
+# harness lands, contract bats assert the load-bearing rubric + structured
+# verdict format are present so future edits don't silently strip them.
+#
+# @problem P079
+# @rfc RFC-004
+# @adr ADR-062 (inbound discovery + assessment pipeline — § Sibling subagent)
+# @adr ADR-015 (on-demand assessment skills — § Scope table)
+# @adr ADR-026 (grounding discipline — every FAIL verdict cites policy class)
+# @adr ADR-029 (diagnose before implement — hypothesis / evidence / structured verdict)
+# @adr ADR-052 (behavioural-tests default + Permitted Exception)
+# @jtbd JTBD-301 (acknowledgement contract grounded in policy classes)
+# @jtbd JTBD-001 (mechanical-stage carve-out via structured verdict)
+
+setup() {
+  AGENTS_DIR="$(cd "$(dirname "$BATS_TEST_FILENAME")/.." && pwd)"
+  AGENT_FILE="${AGENTS_DIR}/inbound-report.md"
+  POLICY_FILE="$(cd "${AGENTS_DIR}/../../.." && pwd)/RISK-POLICY.md"
+}
+
+# ──────────────────────────────────────────────────────────────────────────────
+# Frontmatter + tool surface
+# ──────────────────────────────────────────────────────────────────────────────
+
+@test "inbound-report.md exists and has frontmatter (RFC-004 Slice B)" {
+  [ -f "$AGENT_FILE" ]
+  run head -1 "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+  [ "$output" = "---" ]
+}
+
+@test "frontmatter name is 'inbound-report' (sibling of external-comms)" {
+  run grep -nE '^name: inbound-report$' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+@test "frontmatter tools are read-only (Read, Glob, Grep)" {
+  # Per ADR-062 § Sibling subagent: read-only contract; subagent emits
+  # verdict, PostToolUse hook owns marker writes.
+  run grep -nE '  - Read' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+  run grep -nE '  - Glob' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+  run grep -nE '  - Grep' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+@test "frontmatter tools do NOT include Write / Edit / Bash (read-only invariant)" {
+  run grep -nE '^  - (Write|Edit|Bash)$' "$AGENT_FILE"
+  [ "$status" -ne 0 ]
+}
+
+@test "frontmatter model is inherit" {
+  run grep -nE '^model: inherit$' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+# ──────────────────────────────────────────────────────────────────────────────
+# Sibling-not-extension positioning (ADR-062 § Sibling subagent)
+# ──────────────────────────────────────────────────────────────────────────────
+
+@test "agent prose names sibling-not-extension positioning vs external-comms" {
+  # ADR-062 explicitly carves the inbound-report subagent as a sibling
+  # (NOT extension) of external-comms. Protects JTBD-101 plugin-developer
+  # constraint "must not break existing plugins" by preserving
+  # external-comms scope-purity.
+  run grep -inE 'sibling.*external-comms|external-comms.*sibling' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+@test "agent prose names the inbound-direction framing (third-party prose flowing INWARD)" {
+  run grep -inE 'INWARD|inbound prose|third-party prose' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+# ──────────────────────────────────────────────────────────────────────────────
+# Two-axis review structure (Request-risk + Fix-risk)
+# ──────────────────────────────────────────────────────────────────────────────
+
+@test "Axis 1 Request-risk documented (attack-vector axis)" {
+  run grep -nE 'Axis 1.*Request-risk' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+@test "Axis 1 enumerates info-extraction / backdoor request / malicious-code injection classes" {
+  run grep -inE 'Info-extraction' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+  run grep -inE 'Backdoor request' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+  run grep -inE 'Malicious-code injection' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+@test "Axis 2 Fix-risk documented (work-to-be-weighed axis)" {
+  run grep -nE 'Axis 2.*Fix-risk' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+@test "Axis 2 enumerates privilege escalation / removal-of-safety-check / adopter-attack-surface-expansion classes" {
+  run grep -inE 'Privilege escalation' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+  run grep -inE 'Removal of load-bearing safety check' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+  run grep -inE 'Adopter-attack-surface expansion' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+# ──────────────────────────────────────────────────────────────────────────────
+# Structured verdict block (consumed by assessment-pipeline branch routing)
+# ──────────────────────────────────────────────────────────────────────────────
+
+@test "verdict block defines INBOUND_REPORT_VERDICT" {
+  run grep -nE 'INBOUND_REPORT_VERDICT' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+@test "verdict block defines INBOUND_REPORT_KEY (sha256 hex for marker matching)" {
+  run grep -nE 'INBOUND_REPORT_KEY' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+@test "verdict block defines INBOUND_REPORT_CLASS (one of four classifications)" {
+  run grep -nE 'INBOUND_REPORT_CLASS' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+@test "verdict block defines INBOUND_REPORT_REASON for FAIL path" {
+  run grep -nE 'INBOUND_REPORT_REASON' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+# ──────────────────────────────────────────────────────────────────────────────
+# Four classifications enumerated (branch-routing vocabulary)
+# ──────────────────────────────────────────────────────────────────────────────
+
+@test "classification safe-low-fix-risk enumerated" {
+  run grep -nE 'safe-low-fix-risk' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+@test "classification safe-high-fix-risk enumerated" {
+  run grep -nE 'safe-high-fix-risk' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+@test "classification above-threshold-risk enumerated" {
+  run grep -nE 'above-threshold-risk' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+@test "classification clear-malicious-request enumerated" {
+  run grep -nE 'clear-malicious-request' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+# ──────────────────────────────────────────────────────────────────────────────
+# Grounding discipline (ADR-026)
+# ──────────────────────────────────────────────────────────────────────────────
+
+@test "FAIL verdict requires citing the specific RISK-POLICY.md class" {
+  run grep -inE 'cite|class violated' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+@test "agent prose cites ADR-026 grounding discipline" {
+  run grep -nE 'ADR-026' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+# ──────────────────────────────────────────────────────────────────────────────
+# Read-only constraints + marker boundary
+# ──────────────────────────────────────────────────────────────────────────────
+
+@test "agent declares read-only (no file writes / commits / draft modifications)" {
+  run grep -inE 'read-only' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+@test "agent forbids self-writing to /tmp/ or marker locations" {
+  # PostToolUse hook owns marker writes per ADR-009; the subagent
+  # emits the verdict and the hook computes the marker key.
+  run grep -inE 'NOT write to /tmp|PostToolUse hook owns' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+# ──────────────────────────────────────────────────────────────────────────────
+# Mechanical-stage carve-out integration (P132 — pipeline branch routing)
+# ──────────────────────────────────────────────────────────────────────────────
+
+@test "agent prose names the mechanical-stage carve-out integration (P132)" {
+  run grep -nE 'P132|mechanical' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+@test "agent does NOT make a block-list decision (P123 scope carve-out)" {
+  # Block-list enforcement is a separate ticket's concern; this subagent's
+  # verdict feeds the audit-log via the assessment-pipeline's clear-malicious
+  # branch and stops there.
+  run grep -inE 'NOT make a block-list|P123' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}
+
+# ──────────────────────────────────────────────────────────────────────────────
+# RISK-POLICY.md integration (the policy classes the agent grounds verdicts against)
+# ──────────────────────────────────────────────────────────────────────────────
+
+@test "RISK-POLICY.md has the '## Inbound Report Risk Classes' section the agent reads" {
+  [ -f "$POLICY_FILE" ]
+  run grep -nE '^## Inbound Report Risk Classes$' "$POLICY_FILE"
+  [ "$status" -eq 0 ]
+}
+
+@test "agent prose references RISK-POLICY.md § Inbound Report Risk Classes" {
+  run grep -nE 'Inbound Report Risk Classes' "$AGENT_FILE"
+  [ "$status" -eq 0 ]
+}

package/hooks/external-comms-evaluator.conf

@@ -0,0 +1,23 @@
+# Per-package evaluator config for external-comms-gate.sh (ADR-028 amended 2026-05-14).
+# Sourced by the canonical external-comms-gate.sh; NOT synced (each consumer
+# plugin maintains its own .conf).
+
+# Short evaluator id — used in marker filenames (external-comms-<id>-reviewed-<key>).
+EXTERNAL_COMMS_EVALUATOR_ID=risk
+
+# Subagent type the deny message directs to.
+EXTERNAL_COMMS_SUBAGENT_TYPE=wr-risk-scorer:external-comms
+
+# Structured-output prefix the PostToolUse:Agent hook parses from the subagent's
+# stdout (EXTERNAL_COMMS_RISK_VERDICT + EXTERNAL_COMMS_RISK_KEY).
+EXTERNAL_COMMS_VERDICT_PREFIX=EXTERNAL_COMMS_RISK
+
+# On-demand skill for pre-flight delegation.
+EXTERNAL_COMMS_ASSESS_SKILL=/wr-risk-scorer:assess-external-comms
+
+# Policy file whose absence triggers advisory-only mode.
+EXTERNAL_COMMS_POLICY_FILE=RISK-POLICY.md
+
+# Whether to run the leak-pattern pre-filter (lib/leak-detect.sh). Risk evaluator
+# checks confidential-information leaks; voice-tone evaluator does not.
+EXTERNAL_COMMS_LEAK_PREFILTER=yes

package/hooks/external-comms-gate.sh

@@ -1,5 +1,11 @@
 #!/bin/bash
-# PreToolUse hook: gates outbound prose for risk/leak review (P064 / ADR-028 amended).
+# PreToolUse hook: gates outbound prose for evaluator review (P064 / P038 / ADR-028 amended 2026-05-14).
+#
+# This is the CANONICAL hook synced byte-identically into each consumer plugin
+# (risk-scorer, voice-tone, …) via ADR-017 duplicate-script pattern. Each copy
+# sources `${SCRIPT_DIR}/external-comms-evaluator.conf` to determine its
+# evaluator identity (risk / voice-tone / …) — the .conf file is per-package
+# and NOT synced.
 #
 # Surface (matched on Bash command text or Edit/Write file_path):
 #   - gh issue create | comment | edit            (public issue bodies)
@@ -11,23 +17,26 @@
 #
 # Gate behaviour:
 #   1. BYPASS_RISK_GATE=1 short-circuits the gate (consistent with git-push-gate.sh).
-#   2. RISK-POLICY.md absent → advisory-only mode (permits with systemMessage).
+#   2. POLICY_FILE absent → advisory-only mode (permits with systemMessage).
 #   3. Hybrid leak-pattern pre-filter (lib/leak-detect.sh) hard-fails on
 #      credentials, prod-URL prefixes, business-context-paired financial figures,
 #      or business-context-paired user counts. Deny includes the matched class.
-#   4. Otherwise: check for a per-evaluator marker keyed on
+#      (Voice-tone evaluator: skips leak pre-filter — leak detection is the
+#      risk evaluator's concern; voice-tone reviews tone/voice only.)
+#   4. Otherwise: check for THIS evaluator's per-evaluator marker keyed on
 #      sha256(draft_body + '\n' + surface). Marker present → permit.
-#      Marker absent → deny with directive to delegate to wr-risk-scorer:external-comms.
+#      Marker absent → deny with directive to delegate to this plugin's
+#      subagent (configured via external-comms-evaluator.conf).
 #
-# Marker location: ${TMPDIR:-/tmp}/claude-risk-${SESSION_ID}/external-comms-reviewed-<sha256>
-# Marker writer:   PostToolUse:Agent hook (risk-score-mark.sh) on subagent
-#                  type wr-risk-scorer:external-comms.
+# Marker location: ${TMPDIR:-/tmp}/claude-risk-${SESSION_ID}/external-comms-<EVALUATOR_ID>-reviewed-<sha256>
+# Marker writer:   PostToolUse:Agent hook in each consumer plugin
+#                  (risk-score-mark.sh or external-comms-mark-reviewed.sh) on
+#                  subagent type wr-<plugin>:external-comms.
 #
-# Composite-marker scheme (combining with wr-voice-tone:agent verdict for
-# the same draft) is deferred until P038 lands its evaluator. This iteration
-# ships the risk-evaluator side as a standalone gate; the two hooks compose
-# at the PreToolUse:Bash matcher level when both packages are installed.
-# See ADR-028 amendment Reassessment Criteria.
+# Per-evaluator marker scheme (ADR-028 amended 2026-05-14): when both
+# voice-tone and risk-scorer are installed, both gates fire on the same
+# PreToolUse event; each gate denies until its own per-evaluator marker
+# exists. Gates compose at firing level — no shared composite marker.
 
 set -euo pipefail
 
@@ -35,6 +44,29 @@ SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 # shellcheck source=lib/leak-detect.sh
 source "$SCRIPT_DIR/lib/leak-detect.sh"
 
+# ---------- Per-package evaluator config (ADR-028 amended 2026-05-14) ----------
+# Each consumer plugin ships its own external-comms-evaluator.conf alongside this
+# byte-identical canonical hook. The .conf defines:
+#   EXTERNAL_COMMS_EVALUATOR_ID    — short id (risk, voice-tone)
+#   EXTERNAL_COMMS_SUBAGENT_TYPE   — subagent to delegate to (wr-<plugin>:external-comms)
+#   EXTERNAL_COMMS_VERDICT_PREFIX  — structured-output prefix the mark hook parses
+#   EXTERNAL_COMMS_ASSESS_SKILL    — on-demand skill path for manual delegation
+#   EXTERNAL_COMMS_POLICY_FILE     — policy doc whose absence triggers advisory-only
+#   EXTERNAL_COMMS_LEAK_PREFILTER  — yes|no — whether to run leak-detect pre-filter
+# Fail-closed if absent: this hook cannot operate without a configured evaluator.
+CONF_FILE="$SCRIPT_DIR/external-comms-evaluator.conf"
+if [ ! -f "$CONF_FILE" ]; then
+    echo "ERROR: external-comms-gate.sh requires $CONF_FILE (ADR-028 amended 2026-05-14)" >&2
+    exit 0
+fi
+# shellcheck source=/dev/null
+source "$CONF_FILE"
+: "${EXTERNAL_COMMS_EVALUATOR_ID:?evaluator id missing from $CONF_FILE}"
+: "${EXTERNAL_COMMS_SUBAGENT_TYPE:?subagent type missing from $CONF_FILE}"
+: "${EXTERNAL_COMMS_ASSESS_SKILL:?assess-skill missing from $CONF_FILE}"
+EXTERNAL_COMMS_POLICY_FILE="${EXTERNAL_COMMS_POLICY_FILE:-RISK-POLICY.md}"
+EXTERNAL_COMMS_LEAK_PREFILTER="${EXTERNAL_COMMS_LEAK_PREFILTER:-yes}"
+
 # ---------- Bypass ----------
 if [ "${BYPASS_RISK_GATE:-0}" = "1" ]; then
     exit 0
@@ -173,31 +205,37 @@ print(json.dumps({'systemMessage': sys.argv[1]}))
 }
 
 # ---------- Advisory-only fallback when policy file is absent ----------
-if [ ! -f "RISK-POLICY.md" ]; then
-    permit_with_advisory "RISK-POLICY.md not found — wr-risk-scorer:external-comms gate is advisory-only on $SURFACE."
+if [ ! -f "$EXTERNAL_COMMS_POLICY_FILE" ]; then
+    permit_with_advisory "$EXTERNAL_COMMS_POLICY_FILE not found — $EXTERNAL_COMMS_SUBAGENT_TYPE gate is advisory-only on $SURFACE."
     exit 0
 fi
 
-# ---------- Hard-fail leak-pattern pre-filter ----------
-if ! leak_detect_scan "$DRAFT"; then
-    REASON=$(printf 'BLOCKED (P064 external-comms gate): %s on %s. Remove the leak before retrying. Override only if intentional: BYPASS_RISK_GATE=1.' \
-        "$LEAK_DETECT_REASON" "$SURFACE")
-    deny_with_reason "$REASON"
-    exit 0
+# ---------- Hard-fail leak-pattern pre-filter (risk evaluator only) ----------
+# Voice-tone evaluator skips this — leak detection is the risk evaluator's
+# concern. Each per-package external-comms-evaluator.conf sets
+# EXTERNAL_COMMS_LEAK_PREFILTER=yes (risk) or =no (voice-tone).
+if [ "$EXTERNAL_COMMS_LEAK_PREFILTER" = "yes" ]; then
+    if ! leak_detect_scan "$DRAFT"; then
+        REASON=$(printf 'BLOCKED (external-comms gate / %s evaluator): %s on %s. Remove the leak before retrying. Override only if intentional: BYPASS_RISK_GATE=1.' \
+            "$EXTERNAL_COMMS_EVALUATOR_ID" "$LEAK_DETECT_REASON" "$SURFACE")
+        deny_with_reason "$REASON"
+        exit 0
+    fi
 fi
 
-# ---------- Marker-based gate ----------
+# ---------- Marker-based gate (per-evaluator marker per ADR-028 amended 2026-05-14) ----------
 SESSION_DIR="${TMPDIR:-/tmp}/claude-risk-${SESSION_ID}"
 mkdir -p "$SESSION_DIR"
 KEY=$(printf '%s\n%s' "$DRAFT" "$SURFACE" | shasum -a 256 | cut -d' ' -f1)
-MARKER="${SESSION_DIR}/external-comms-reviewed-${KEY}"
+MARKER="${SESSION_DIR}/external-comms-${EXTERNAL_COMMS_EVALUATOR_ID}-reviewed-${KEY}"
 
 if [ -f "$MARKER" ]; then
     exit 0
 fi
 
 # Marker absent — deny + delegate.
-REASON=$(printf 'BLOCKED (P064 external-comms gate): %s draft has not been risk-reviewed. Delegate to wr-risk-scorer:external-comms (subagent_type: '"'"'wr-risk-scorer:external-comms'"'"') with the draft body for review. The PostToolUse hook will mark this draft reviewed when the subagent emits EXTERNAL_COMMS_RISK_VERDICT: PASS. Use /wr-risk-scorer:assess-external-comms for an interactive walkthrough. Override only when intentional: BYPASS_RISK_GATE=1.' \
-    "$SURFACE")
+VERDICT_PREFIX="${EXTERNAL_COMMS_VERDICT_PREFIX:-EXTERNAL_COMMS_${EXTERNAL_COMMS_EVALUATOR_ID^^}}"
+REASON=$(printf 'BLOCKED (external-comms gate / %s evaluator): %s draft has not been reviewed by %s. Delegate to %s (subagent_type: '"'"'%s'"'"') with the draft body for review. The PostToolUse hook will mark this draft reviewed when the subagent emits %s_VERDICT: PASS. Use %s for an interactive walkthrough. Override only when intentional: BYPASS_RISK_GATE=1.' \
+    "$EXTERNAL_COMMS_EVALUATOR_ID" "$SURFACE" "$EXTERNAL_COMMS_SUBAGENT_TYPE" "$EXTERNAL_COMMS_SUBAGENT_TYPE" "$EXTERNAL_COMMS_SUBAGENT_TYPE" "$VERDICT_PREFIX" "$EXTERNAL_COMMS_ASSESS_SKILL")
 deny_with_reason "$REASON"
 exit 0

package/hooks/risk-score-mark.sh

@@ -204,9 +204,12 @@ if echo "$SUBAGENT" | grep -qE 'risk-scorer.policy'; then
 fi
 
 # ---------------------------------------------------------------------------
-# External-comms reviewer (P064 / ADR-028 amended): write per-draft marker
-# keyed on sha256(draft + '\n' + surface). Subagent emits the key; this hook
-# trusts and uses it. Marker file: external-comms-reviewed-<key>.
+# External-comms reviewer (P064 / ADR-028 amended 2026-05-14): write
+# per-evaluator marker keyed on sha256(draft + '\n' + surface). Subagent
+# emits the key; this hook trusts and uses it. Marker file:
+# external-comms-risk-reviewed-<key>. The voice-tone evaluator (P038)
+# writes its own peer marker external-comms-voice-tone-reviewed-<key>
+# from packages/voice-tone/hooks/external-comms-mark-reviewed.sh.
 # ---------------------------------------------------------------------------
 if echo "$SUBAGENT" | grep -qE 'risk-scorer.external-comms'; then
   VERDICT_LINE=$(echo "$AGENT_OUTPUT" | grep -E '^EXTERNAL_COMMS_RISK_VERDICT:' | tail -1) || true
@@ -216,7 +219,7 @@ if echo "$SUBAGENT" | grep -qE 'risk-scorer.external-comms'; then
   # Validate key: 64 hex chars (sha256 output). Reject anything else.
   if echo "$KEY" | grep -qE '^[0-9a-f]{64}$'; then
     case "$VERDICT" in
-      PASS) touch "${RDIR}/external-comms-reviewed-${KEY}" ;;
+      PASS) touch "${RDIR}/external-comms-risk-reviewed-${KEY}" ;;
       FAIL) ;; # Do NOT create marker — draft must be revised
       *) ;;    # Unknown verdict — fail closed
     esac

package/hooks/test/external-comms-gate.bats

@@ -113,11 +113,11 @@ run_hook() {
   [ -z "$output" ]
 }
 
-@test "marker present for matching draft+surface key allows the call" {
+@test "per-evaluator marker (external-comms-risk-reviewed-<KEY>) allows the call (ADR-028 amended 2026-05-14)" {
   DRAFT="we observed a build failure on Node 20"
   SURFACE="gh-issue-create"
   KEY=$(printf '%s\n%s' "$DRAFT" "$SURFACE" | shasum -a 256 | cut -d' ' -f1)
-  touch "${RDIR}/external-comms-reviewed-${KEY}"
+  touch "${RDIR}/external-comms-risk-reviewed-${KEY}"
 
   INPUT=$(build_bash_input "gh issue create --title T --body '$DRAFT'")
   run_hook "$INPUT"
@@ -125,6 +125,20 @@ run_hook() {
   [ -z "$output" ]
 }
 
+@test "legacy combined marker (external-comms-reviewed-<KEY>) does NOT satisfy the risk gate (P038 per-evaluator scheme)" {
+  DRAFT="we observed a build failure on Node 20"
+  SURFACE="gh-issue-create"
+  KEY=$(printf '%s\n%s' "$DRAFT" "$SURFACE" | shasum -a 256 | cut -d' ' -f1)
+  # Pre-amendment combined marker — should NOT satisfy the new per-evaluator gate.
+  touch "${RDIR}/external-comms-reviewed-${KEY}"
+
+  INPUT=$(build_bash_input "gh issue create --title T --body '$DRAFT'")
+  run_hook "$INPUT"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"deny"* ]]
+  [[ "$output" == *"wr-risk-scorer:external-comms"* ]]
+}
+
 @test "RISK-POLICY.md absent yields advisory-only mode (permits)" {
   rm -f "$TEST_PROJECT_DIR/RISK-POLICY.md"
   INPUT=$(build_bash_input "gh issue create --title T --body 'we observed a failure'")

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@windyroad/risk-scorer",
-  "version": "0.8.0",
+  "version": "0.9.0-preview.311",
   "description": "Pipeline risk scoring, commit/push gates, and secret leak detection",
   "bin": {
     "windyroad-risk-scorer": "./bin/install.mjs"

package/skills/assess-inbound-report/SKILL.md

@@ -0,0 +1,131 @@
+---
+name: wr-risk-scorer:assess-inbound-report
+description: On-demand inbound-report risk review. Reviews a third-party submission against this repo's intake (problem-report issue body, Q&A discussion, security-advisory body) for Request-risk (info-extraction / backdoor request / malicious-code injection) and Fix-risk (privilege escalation / removal of load-bearing safety check / adopter-attack-surface expansion) per RISK-POLICY.md. Delegates to wr-risk-scorer:inbound-report and emits the structured verdict consumed by ADR-062's assessment-pipeline branch routing.
+allowed-tools: Read, Glob, Grep, Bash, AskUserQuestion, Skill
+---
+
+# Inbound-Report Risk Assessment Skill
+
+Run a Request-risk + Fix-risk review on demand against a single inbound report — outside the `/wr-itil:review-problems` Step 8.5 assessment-pipeline trigger. Maintainer-facing pre-flight surface per JTBD-005 + JTBD-202; the assessment-pipeline itself invokes the same `wr-risk-scorer:inbound-report` subagent in-loop per ADR-062 § Decision Outcome step 3.
+
+This skill is **read-only**. It does not commit, post comments upstream, or modify the inbound report. The marker (when the skill is invoked as a pre-satisfier for the pipeline's per-report gate) is written automatically by the `PostToolUse:Agent` hook (`risk-score-mark.sh`) after the subagent completes — the skill never writes to `${TMPDIR:-/tmp}/claude-risk-*` directly.
+
+## When to use
+
+- Before running `/wr-itil:review-problems` when a specific inbound report stands out as ambiguous (e.g. a discussion that mixes a legitimate feature request with a question that smells like info-extraction) — pre-flight the classification.
+- After spotting a suspicious submission via `gh issue list` and wanting a second-pass review before the pipeline runs.
+- During a retro on a misclassified prior report (Reassessment Criterion 1 in ADR-062 — false-positive rate exceeds ~10%) — replay the body through the subagent to surface why the prior verdict landed.
+- As part of a P123 block-list eligibility review (a clear-malicious verdict here is the evidence chain the block-list scaffolding consumes when P123 lands).
+
+## Steps
+
+### 1. Parse arguments
+
+Read `$ARGUMENTS` for any of:
+
+- A report body verbatim (e.g. the user pastes the issue body).
+- A `gh issue URL` or `<repo>#<issue-number>` reference — the skill fetches the body via `gh issue view --json body,author,labels`.
+- A surface hint (`github-issues`, `github-discussions`, `github-security-advisories`).
+- A submitter handle (`@user` or `user`).
+- A JTBD-alignment hint from the assessment-pipeline (`aligned-with-existing-JTBD` / `aligned-with-new-JTBD-for-existing-persona` / `not-aligned`). Optional when invoked manually; required when invoked as a pipeline pre-satisfier.
+
+If both body and surface are present, proceed to step 3. If either is missing, step 2.
+
+### 2. Resolve missing context
+
+If the body is missing AND a `gh issue URL` / `<repo>#<issue-number>` reference was supplied, fetch:
+
+```bash
+gh issue view "$ref" --json body,author,title,labels --jq '.'
+```
+
+Cache the JSON for downstream steps. Fail-soft on GH API errors — surface the error to the user and fall back to AskUserQuestion.
+
+If the body is still missing, use `AskUserQuestion`:
+
+> "What report do you want me to review? Paste the body verbatim, or give me a `gh issue URL`."
+
+If the surface is missing AND cannot be inferred (from the URL pattern or context), use `AskUserQuestion`:
+
+- header: "Inbound surface"
+- options:
+  1. `github-issues` (problem-report.yml or similar labelled issue)
+  2. `github-discussions` (Q&A category)
+  3. `github-security-advisories` (private vendor channel)
+
+Do not ask if the surface is obvious from the URL / context.
+
+### 3. Construct the review prompt
+
+Build a self-contained prompt for the `wr-risk-scorer:inbound-report` subagent that includes:
+
+- The **report body** verbatim (between explicit `<report>...</report>` markers so the agent's substring extraction is unambiguous).
+- The **surface** (one of the canonical strings above).
+- The **submitter handle** when known.
+- The **JTBD-alignment hint** when known (composes with the agent's two-axis judgement).
+- A reminder to compute `INBOUND_REPORT_KEY = sha256(body + '\n' + surface + '\n' + submitter)`.
+
+### 4. Delegate to wr-risk-scorer:inbound-report
+
+Invoke the subagent via the Skill / Agent tool with `subagent_type: wr-risk-scorer:inbound-report` and the constructed review prompt.
+
+Wait for the subagent to complete. The subagent will output a structured verdict block (`INBOUND_REPORT_VERDICT: PASS|FAIL` + `INBOUND_REPORT_KEY: <sha>` + `INBOUND_REPORT_CLASS: <class>` + optional `INBOUND_REPORT_REASON: ...`). The `PostToolUse:Agent` hook (`risk-score-mark.sh`) reads that output and writes the per-report marker automatically.
+
+**Do not write to `${TMPDIR:-/tmp}/claude-risk-*` yourself.** The hook is the only correct mechanism.
+
+### 5. Present results
+
+Present the full review report to the user. Highlight:
+
+- The verdict (PASS / FAIL).
+- The classification (`safe-low-fix-risk` / `safe-high-fix-risk` / `above-threshold-risk` / `clear-malicious-request`).
+- The matched RISK-POLICY.md class + axis (Request-risk / Fix-risk) when FAIL.
+- The exact substrings or metadata signals that triggered each finding when FAIL.
+- The pipeline branch this report would route to under ADR-062 § Decision Outcome (pushback / clear-malicious-close-with-verdict / safe-and-valid-local-ticket-create).
+- For `safe-high-fix-risk`: the fix-risk class the maintainer should weigh before accepting the local ticket (the pipeline creates the ticket but flags it for maintainer attention).
+
+### 6. Above-appetite handling (ADR-013 Rule 6 + ADR-062 mechanical-stage carve-out)
+
+The branch decision itself is **mechanical** per ADR-062 § Mechanical-stage carve-out (P132). When invoked as a pipeline pre-satisfier, this skill does NOT use `AskUserQuestion` to ask the maintainer "which branch?" — the verdict + class determine the branch deterministically. The maintainer's role is to accept or override the verdict via re-running with corrections, not to pick the branch.
+
+When invoked manually as an on-demand pre-flight (NOT as a pipeline pre-satisfier), surface a single `AskUserQuestion` for what the maintainer wants to do next:
+
+- header: "Next step"
+- options:
+  1. `Accept verdict + run pipeline` — the maintainer agrees with the classification; `/wr-itil:review-problems` will route accordingly on the next invocation.
+  2. `Override + re-review with extra context` — the maintainer disagrees; pass extra context (e.g. "this submitter is a known good-faith contributor in `<other-repo>`") and re-invoke from step 3.
+  3. `Block reporter (P123 scaffolding)` — surface the audit-log entry for P123 block-list enforcement when that ticket lands. Until then, this option appends to `docs/audits/inbound-discovery-log.md` only.
+  4. `Cancel` — abandon the pre-flight; report intact for later review.
+
+When invoked as a pipeline pre-satisfier (via the `/wr-itil:review-problems` Step 8.5 orchestrator), the skill is silent on this step per the mechanical-stage carve-out.
+
+## Composition with the assessment-pipeline
+
+This skill and the assessment-pipeline (ADR-062 § Decision Outcome) invoke the same `wr-risk-scorer:inbound-report` subagent. The skill is the maintainer-facing manual surface; the pipeline is the automated bulk-processing surface. Verdict shape is identical across both invocation paths (same `INBOUND_REPORT_VERDICT` + `INBOUND_REPORT_KEY` + `INBOUND_REPORT_CLASS` block); the consuming infrastructure (per-report marker, audit-log append, branch routing) is the same.
+
+| Concern | This skill (on-demand) | `/wr-itil:review-problems` Step 8.5 (pipeline) |
+|---------|------------------------|-----------------------------------------------|
+| Invocation | Manual / pre-flight (JTBD-005, JTBD-202) | Automatic, in-loop with channel-config polling |
+| Cardinality | One report per invocation | N reports per pass (channel-config drives N) |
+| Branch decision | Per ADR-062 § Decision Outcome; mechanical | Same |
+| Audit-log append | Yes (via PostToolUse hook) | Yes (via PostToolUse hook) |
+| README rankings impact | None (skill is read-only) | Refreshes `## Inbound Upstream Reports` section in `docs/problems/README.md` Step 9e |
+| AskUserQuestion authority | step 6 above (manual only) | None (mechanical-stage carve-out per P132) |
+
+## ADR cross-references
+
+- **ADR-062** (Inbound upstream-report discovery + assessment pipeline) — § Sibling subagent + § Mechanical-stage carve-out.
+- **ADR-015** (On-demand assessment skills) — § Scope table extended with the `assess-inbound-report` row; § Naming Convention `assess-<artifact>` pattern; § Gate Marker Interaction (no skill-side marker writes).
+- **ADR-009** (Gate marker lifecycle) — per-report marker TTL + drift discipline; same as the existing `external-comms-gate` marker.
+- **ADR-013 Rule 1** + Rule 6 — `AskUserQuestion` only at maintainer-direction branches; mechanical-stage carve-out applies to pipeline invocations.
+- **ADR-014** — assessment skills are read-only and exempt from commit obligation.
+- **ADR-028** (External-comms gate, amended) — the pushback / clear-malicious-verdict comments the assessment-pipeline posts after this skill's FAIL verdict ride the P064 + P038 evaluator halves.
+- **ADR-029** (Diagnose before implement) — verdict follows hypothesis / evidence / structured-verdict discipline.
+- **ADR-044** — decision-delegation contract; mechanical-stage carve-out is the category-4 framework-resolution boundary.
+- **P079** — parent ticket; this skill is Slice B per RFC-004.
+- **P123** — blocked-user-list mechanism; composes with the `Block reporter` option in step 6.
+- **JTBD-005** (Invoke Governance Assessments On Demand) — primary persona driver.
+- **JTBD-202** (Pre-Flight Governance Checks) — secondary persona driver.
+- **JTBD-001** (Enforce Governance Without Slowing Down) — mechanical-stage carve-out preserves "without slowing down".
+
+$ARGUMENTS

package/skills/assess-inbound-report/test/assess-inbound-report-contract.bats

@@ -0,0 +1,132 @@
+#!/usr/bin/env bats
+# Contract assertions for /wr-risk-scorer:assess-inbound-report skill
+# (RFC-004 Slice B — on-demand wrapper per ADR-015). Peer of
+# /wr-risk-scorer:assess-external-comms.
+#
+# Structural assertions — Permitted Exception to the source-grep ban
+# per ADR-005 / P011 / ADR-037 / ADR-052 § Surface 2. SKILL.md prose
+# governs LLM-driven runtime behaviour; behavioural-replay testing
+# requires a synthetic agent harness (P012 / P176). Until that harness
+# lands, contract bats assert the load-bearing contract elements are
+# present so future edits don't silently strip them.
+#
+# @problem P079
+# @rfc RFC-004 (Slice B)
+# @adr ADR-062 (sibling subagent + on-demand wrapper)
+# @adr ADR-015 (on-demand assessment skills — § Scope table extended)
+# @adr ADR-044 (decision-delegation — taste / silent-mechanical authority)
+# @jtbd JTBD-005 (invoke governance assessments on demand)
+# @jtbd JTBD-202 (pre-flight governance checks before release/handover)
+# @jtbd JTBD-001 (mechanical-stage carve-out on pipeline pre-satisfier path)
+
+setup() {
+  SKILL_DIR="$(cd "$(dirname "$BATS_TEST_FILENAME")/.." && pwd)"
+  SKILL_FILE="${SKILL_DIR}/SKILL.md"
+  ADR_015="$(cd "${SKILL_DIR}/../../../.." && pwd)/docs/decisions/015-on-demand-assessment-skills.proposed.md"
+}
+
+@test "SKILL.md exists and has frontmatter" {
+  [ -f "$SKILL_FILE" ]
+  run head -1 "$SKILL_FILE"
+  [ "$status" -eq 0 ]
+  [ "$output" = "---" ]
+}
+
+@test "frontmatter name is wr-risk-scorer:assess-inbound-report" {
+  run grep -nE '^name: wr-risk-scorer:assess-inbound-report$' "$SKILL_FILE"
+  [ "$status" -eq 0 ]
+}
+
+@test "frontmatter allowed-tools includes Skill (delegates to subagent)" {
+  # ADR-015 § Gate Marker Interaction: on-demand skills MUST delegate
+  # via Skill tool; never write markers directly.
+  run grep -nE '^allowed-tools:.*Skill' "$SKILL_FILE"
+  [ "$status" -eq 0 ]
+}
+
+@test "frontmatter allowed-tools includes AskUserQuestion (manual-mode step 6)" {
+  # Step 6 (manual invocation only — silent on pipeline pre-satisfier
+  # invocations per P132) uses AskUserQuestion to surface next-step
+  # options.
+  run grep -nE '^allowed-tools:.*AskUserQuestion' "$SKILL_FILE"
+  [ "$status" -eq 0 ]
+}
+
+@test "frontmatter allowed-tools includes Bash (gh issue fetch in step 2)" {
+  # Step 2 can call `gh issue view --json body,author,labels` to fetch
+  # the report body when only a URL/ref is supplied.
+  run grep -nE '^allowed-tools:.*Bash' "$SKILL_FILE"
+  [ "$status" -eq 0 ]
+}
+
+# ──────────────────────────────────────────────────────────────────────────────
+# Delegation to the sibling subagent (NOT marker self-writes)
+# ──────────────────────────────────────────────────────────────────────────────
+
+@test "skill delegates to wr-risk-scorer:inbound-report subagent" {
+  run grep -nE 'wr-risk-scorer:inbound-report' "$SKILL_FILE"
+  [ "$status" -eq 0 ]
+}
+
+@test "skill MUST NOT write to /tmp/ markers directly (ADR-009 + ADR-015 boundary)" {
+  # PostToolUse:Agent hook (risk-score-mark.sh) owns marker writes per
+  # ADR-009 + ADR-015 § Gate Marker Interaction.
+  run grep -inE 'NOT write.*/tmp|PostToolUse hook' "$SKILL_FILE"
+  [ "$status" -eq 0 ]
+}
+
+# ──────────────────────────────────────────────────────────────────────────────
+# Mechanical-stage carve-out: pipeline pre-satisfier path is silent
+# ──────────────────────────────────────────────────────────────────────────────
+
+@test "skill names the mechanical-stage carve-out (P132) for pipeline pre-satisfier path" {
+  run grep -inE 'P132|mechanical-stage carve-out' "$SKILL_FILE"
+  [ "$status" -eq 0 ]
+}
+
+@test "step 6 AskUserQuestion fires ONLY on manual invocation (not pipeline pre-satisfier)" {
+  # The carve-out is the load-bearing protection for JTBD-001 + JTBD-006
+  # against inverse-P078 drift. The pipeline pre-satisfier path MUST be
+  # silent on this step. Match the contract in either direction:
+  #   manual-only firing OR pipeline-pre-satisfier silent-on-step.
+  run grep -inE 'invoked manually.*pre-flight|manual only|silent on this step|silent on.*pipeline pre-satisfier' "$SKILL_FILE"
+  [ "$status" -eq 0 ]
+}
+
+# ──────────────────────────────────────────────────────────────────────────────
+# Persona anchors (JTBD-005 + JTBD-202)
+# ──────────────────────────────────────────────────────────────────────────────
+
+@test "skill cites JTBD-005 (invoke on demand) as primary persona driver" {
+  run grep -nE 'JTBD-005' "$SKILL_FILE"
+  [ "$status" -eq 0 ]
+}
+
+@test "skill cites JTBD-202 (pre-flight governance checks) as secondary persona driver" {
+  run grep -nE 'JTBD-202' "$SKILL_FILE"
+  [ "$status" -eq 0 ]
+}
+
+# ──────────────────────────────────────────────────────────────────────────────
+# ADR-015 Scope table row exists for assess-inbound-report
+# ──────────────────────────────────────────────────────────────────────────────
+
+@test "ADR-015 Scope table includes the assess-inbound-report row" {
+  [ -f "$ADR_015" ]
+  run grep -nE '`assess-inbound-report`' "$ADR_015"
+  [ "$status" -eq 0 ]
+  run grep -nE '`wr-risk-scorer:inbound-report`' "$ADR_015"
+  [ "$status" -eq 0 ]
+}
+
+@test "ADR-015 Confirmation checkbox covers assess-inbound-report skill" {
+  run grep -nE '\[x\] `packages/risk-scorer/skills/assess-inbound-report/SKILL\.md` created' "$ADR_015"
+  [ "$status" -eq 0 ]
+}
+
+@test "ADR-015 Related section names ADR-062 + P079 (driver references)" {
+  run grep -nE 'ADR-062.*inbound|inbound.*ADR-062' "$ADR_015"
+  [ "$status" -eq 0 ]
+  run grep -nE 'P079' "$ADR_015"
+  [ "$status" -eq 0 ]
+}