Governance guardrails for AI coding agents. Architecture reviews, risk scoring, TDD enforcement, and delivery quality gates that run automatically inside Claude Code.
Built by Windy Road Technology.
AI coding agents are fast. Sometimes too fast. They skip architecture reviews, introduce risk without assessment, ignore your design system, and write implementation before tests. The same governance that keeps human teams shipping safely gets bypassed when an agent writes code.
These plugins bring that governance back -- automatically. They hook into Claude Code's plugin system and enforce your team's standards on every edit, commit, and push. No manual checks. No hoping the agent remembers.
Install all plugins with one command:
npx @windyroad/agent-pluginsRestart Claude Code. That's it. The plugins activate automatically based on what they find in your project.
Install only what you need:
npx @windyroad/agent-plugins --plugin architect tdd risk-scorerOr install a single plugin directly:
npx @windyroad/architectPlugins install to your project by default (not globally), so they won't affect your other projects. Pass
--scope userto install globally.
After installing, type /wr- in Claude Code to see all available skills.
Each plugin uses Claude Code's hook system to intercept actions at the right moment:
- Detect -- A
UserPromptSubmithook scans for relevant project files (e.g.,docs/decisions/for architect,RISK-POLICY.mdfor risk-scorer) - Gate -- A
PreToolUsehook blocks edits to relevant files until the review agent has been consulted - Review -- The agent reviews the proposed change against your project's policy documents
- Unlock -- A
PostToolUsehook marks the review as complete, allowing edits to proceed
Policy files are generated for you. When a plugin detects that its policy file is missing, it blocks edits and directs you to the setup skill (e.g., /wr-voice-tone:update-guide).
These plugins enforce review workflows. They block edits to relevant files until the appropriate review agent has been consulted.
| Package | What it enforces |
|---|---|
@windyroad/architect |
Architecture decisions reviewed before code changes |
@windyroad/risk-scorer |
Pipeline risk scoring, commit/push gates, secret leak detection |
@windyroad/tdd |
Red-Green-Refactor TDD cycle for implementation code |
@windyroad/voice-tone |
User-facing copy reviewed against voice and tone guide |
@windyroad/style-guide |
CSS and UI components reviewed against style guide |
@windyroad/jtbd |
UI changes reviewed against jobs-to-be-done document |
| Package | What it does |
|---|---|
@windyroad/itil |
ITIL-aligned IT service management — problem management (WSJF-prioritised) and evidence-first incident management with automatic handoff |
@windyroad/retrospective |
Session retrospectives that update briefings and create problem tickets |
@windyroad/connect |
Cross-repo agent collaboration via Discord channels (experimental — see plugin README) |
| Package | What it does |
|---|---|
@windyroad/c4 |
C4 architecture diagram generation and validation |
@windyroad/wardley |
Wardley Map generation from source code analysis |
| Package | What it does |
|---|---|
@windyroad/agent-plugins |
One-command installer for all plugins |
Most plugins are standalone. Two have dependencies:
@windyroad/retrospective
└── @windyroad/itil
└── @windyroad/risk-scorer
The installer warns if dependencies are missing.
Each plugin's value framing is anchored to documented Jobs to be Done — persona-grouped jobs that describe what user pain the plugin removes, not just what features it ships. Per ADR-051, every @windyroad/* plugin README cites at least one current JTBD job ID so the README is a navigable index into the JTBD research, not just a feature list.
See docs/jtbd/README.md for the full index.
This suite follows ISO 31000 / ISO 27001 risk management practice. Risk criteria, impact and likelihood scales, appetite, and the matrix are defined in RISK-POLICY.md. Standing risks the suite tolerates and treats are tracked in the risk register. Per-change pipeline risk is scored on every commit, push, and release by @windyroad/risk-scorer and snapshotted to .risk-reports/ for audit purposes.
# Update everything
npx @windyroad/agent-plugins --update
# Update a single plugin
npx @windyroad/architect --update
# Remove everything
npx @windyroad/agent-plugins --uninstall
# Remove a single plugin
npx @windyroad/architect --uninstallFor plugin development, load directly from source with --plugin-dir:
claude --plugin-dir ~/Projects/windyroad-agent-plugins/packages/architectOr load all plugins at once:
./claude-wr.shChanges take effect on session restart -- no install or update step needed.
Hook tests use BATS (Bash Automated Testing System):
npm testThis monorepo uses Changesets for versioning:
npx changeset # Create a changeset
npm run release # Publish to npm
npm run push:watch # Push and watch CIpackages/
agent-plugins/ Meta-installer for all plugins
architect/ Architecture decision enforcement
risk-scorer/ Pipeline risk scoring and gates
tdd/ TDD state machine enforcement
voice-tone/ Voice and tone review
style-guide/ Style guide review
jtbd/ Jobs-to-be-done review
itil/ ITIL problem and incident management
retrospective/ Session retrospectives
connect/ Cross-repo agent collaboration via Discord
c4/ C4 diagram generation
wardley/ Wardley Map generation
shared/ Shared install utilities (internal)