Description
The wr-risk-scorer:external-comms PreToolUse gate matches on git commit invocations, requiring a wr-risk-scorer:external-comms subagent to review every commit-message body before the commit is permitted. The subagent emits EXTERNAL_COMMS_RISK_VERDICT: PASS, the PostToolUse hook writes a marker, and only then can git commit -m "<body>" proceed.
Git commit messages on a private repo are not external comms. They never leave the repo. The plugin's own agent description at packages/risk-scorer/agents/external-comms.md defines its purpose as: "Reviews drafts of external-facing prose (gh issues / PRs / advisories, npm publish content, .changeset/.md bodies) for confidential-information leaks per RISK-POLICY.md."* — none of those four surfaces (gh issues, PRs, security advisories, npm publish content, changeset bodies) is "git commit messages". The gate's enforcement scope has extended past its own stated scope.
On a private repository:
- The commit-message body never reaches external readers.
- Confidential information CAN appear in commit messages without leaking — the entire repo is access-gated.
- Even if the repo flips public later, history rewriting + force-push handles cleanup (and the public-flip event is the documented reassessment trigger in RISK-POLICY.md § 7, not the per-commit gate moment).
Observed: every git commit -m "<body>" in a 2026-06-08 session against a private repo blocked with BLOCKED (external-comms gate / risk evaluator): git-commit-message draft has not been reviewed by wr-risk-scorer:external-comms. The subagent dispatch cost ~15s + ~18k tokens per commit. For a session with N commits, that's N × ~18k tokens of leak-review burned on internal text that never leaves the repo.
Why this matters: every commit is reviewed. Vanishingly few would actually leak anything. The LLM doing the review can be fooled if needed (so this isn't even a security control against an adversarial author). The signal-to-noise ratio is structurally bad on private repos.
Related but distinct from #217
Issue #217 covers the marker-hash-invalidated-by-body-delta failure mode (Co-Authored-By trailer triggers re-review). That failure mode is observed here too — the second commit in the 2026-06-08 session required dropping the Co-Authored-By trailer to satisfy the hash-stable contract. But #217's scope is "make the marker stable across body deltas"; this issue's scope is "don't fire the gate at all on private-repo git commits". Different root causes, different fix shapes; #217 doesn't address the over-reach concern.
Symptoms
Workaround
Currently: drop trailers (including the standard Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Anthropic convention) from commit body so it matches the subagent-reviewed draft exactly. Or BYPASS_RISK_GATE=1 to skip the gate entirely (but this skips ALL gates, not just external-comms).
Neither workaround is good: option 1 forces dropping a standard convention; option 2 disables governance you actually want for non-commit surfaces.
Affected plugin or component
@windyroad/risk-scorer
Frequency
Every git commit on a private repo. Observed twice in a single /wr-itil:review-problems session on 2026-06-08; the pattern is structural (PreToolUse matcher unconditional on git commit).
Local plugin version
@windyroad/risk-scorer@0.12.7
Upstream package version
not applicable
Claude Code CLI version
2.1.150
Node version
v22.17.1
Operating system
Darwin 25.3.0 x86_64
Evidence
- Plugin agent description:
packages/risk-scorer/agents/external-comms.md documents the four target surfaces (gh issues / PRs / advisories, npm publish content, changeset bodies) — git commit messages are NOT listed.
- BLOCKED directive observed verbatim: "BLOCKED (external-comms gate / risk evaluator): git-commit-message draft has not been reviewed by wr-risk-scorer:external-comms. Delegate to wr-risk-scorer:external-comms (subagent_type: 'wr-risk-scorer:external-comms') with a prompt that starts with the line
SURFACE: git-commit-message and wraps the draft body verbatim inside <draft>...</draft> markers..."
- Repo: private GitHub repo.
gh repo view --json visibility returns PRIVATE.
Probable fix shapes (pick one — author's preference is option 2)
- Default-allow on private repos: gate checks
gh repo view --json visibility (or git config remote.origin.url against a public-host allow-list) at fire time; default-allow on PRIVATE. Public-repo behaviour unchanged.
- Drop git-commit-message from the gate's surface taxonomy entirely: the documented purpose covers four external surfaces only. Commit-message gating belongs in a separate opt-in agent (e.g.
wr-risk-scorer:commit-message-leak), not in the default external-comms gate.
- Configuration knob: env var
RISK_SCORER_GATE_GIT_COMMITS=false (default true for backwards-compat, but documented and recommended for private-repo adopters).
The author prefers option 2 (scope correction). The current behaviour is a scope bug relative to the documented agent description, not a tunable preference.
Cross-reference
Reported from a downstream private repo. Tracked locally as P084 in the downstream project's docs/problems/ directory.
Description
The
wr-risk-scorer:external-commsPreToolUse gate matches ongit commitinvocations, requiring awr-risk-scorer:external-commssubagent to review every commit-message body before the commit is permitted. The subagent emitsEXTERNAL_COMMS_RISK_VERDICT: PASS, the PostToolUse hook writes a marker, and only then cangit commit -m "<body>"proceed.Git commit messages on a private repo are not external comms. They never leave the repo. The plugin's own agent description at
packages/risk-scorer/agents/external-comms.mddefines its purpose as: "Reviews drafts of external-facing prose (gh issues / PRs / advisories, npm publish content, .changeset/.md bodies) for confidential-information leaks per RISK-POLICY.md."* — none of those four surfaces (gh issues, PRs, security advisories, npm publish content, changeset bodies) is "git commit messages". The gate's enforcement scope has extended past its own stated scope.On a private repository:
Observed: every
git commit -m "<body>"in a 2026-06-08 session against a private repo blocked withBLOCKED (external-comms gate / risk evaluator): git-commit-message draft has not been reviewed by wr-risk-scorer:external-comms. The subagent dispatch cost ~15s + ~18k tokens per commit. For a session with N commits, that's N × ~18k tokens of leak-review burned on internal text that never leaves the repo.Why this matters: every commit is reviewed. Vanishingly few would actually leak anything. The LLM doing the review can be fooled if needed (so this isn't even a security control against an adversarial author). The signal-to-noise ratio is structurally bad on private repos.
Related but distinct from #217
Issue #217 covers the marker-hash-invalidated-by-body-delta failure mode (Co-Authored-By trailer triggers re-review). That failure mode is observed here too — the second commit in the 2026-06-08 session required dropping the Co-Authored-By trailer to satisfy the hash-stable contract. But #217's scope is "make the marker stable across body deltas"; this issue's scope is "don't fire the gate at all on private-repo git commits". Different root causes, different fix shapes; #217 doesn't address the over-reach concern.
Symptoms
git commit -m "<body>"invocation blocks with the BLOCKED directive until awr-risk-scorer:external-commssubagent dispatch runs.BYPASS_RISK_GATE=1(too broad — disables ALL gates).Workaround
Currently: drop trailers (including the standard
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>Anthropic convention) from commit body so it matches the subagent-reviewed draft exactly. OrBYPASS_RISK_GATE=1to skip the gate entirely (but this skips ALL gates, not just external-comms).Neither workaround is good: option 1 forces dropping a standard convention; option 2 disables governance you actually want for non-commit surfaces.
Affected plugin or component
@windyroad/risk-scorer
Frequency
Every git commit on a private repo. Observed twice in a single
/wr-itil:review-problemssession on 2026-06-08; the pattern is structural (PreToolUse matcher unconditional ongit commit).Local plugin version
@windyroad/risk-scorer@0.12.7
Upstream package version
not applicable
Claude Code CLI version
2.1.150
Node version
v22.17.1
Operating system
Darwin 25.3.0 x86_64
Evidence
packages/risk-scorer/agents/external-comms.mddocuments the four target surfaces (gh issues / PRs / advisories, npm publish content, changeset bodies) — git commit messages are NOT listed.SURFACE: git-commit-messageand wraps the draft body verbatim inside<draft>...</draft>markers..."gh repo view --json visibilityreturnsPRIVATE.Probable fix shapes (pick one — author's preference is option 2)
gh repo view --json visibility(orgit config remote.origin.urlagainst a public-host allow-list) at fire time; default-allow onPRIVATE. Public-repo behaviour unchanged.wr-risk-scorer:commit-message-leak), not in the default external-comms gate.RISK_SCORER_GATE_GIT_COMMITS=false(defaulttruefor backwards-compat, but documented and recommended for private-repo adopters).The author prefers option 2 (scope correction). The current behaviour is a scope bug relative to the documented agent description, not a tunable preference.
Cross-reference
Reported from a downstream private repo. Tracked locally as P084 in the downstream project's
docs/problems/directory.