@codexstar/bug-hunter 3.0.0 → 3.0.5

package/scripts/schema-runtime.cjs

@@ -0,0 +1,273 @@
+const fs = require('fs');
+const path = require('path');
+
+const SCHEMA_FILES = {
+  recon: 'recon.schema.json',
+  findings: 'findings.schema.json',
+  skeptic: 'skeptic.schema.json',
+  referee: 'referee.schema.json',
+  coverage: 'coverage.schema.json',
+  'fix-report': 'fix-report.schema.json',
+  'fix-plan': 'fix-plan.schema.json',
+  'fix-strategy': 'fix-strategy.schema.json',
+  shared: 'shared.schema.json'
+};
+
+const SCHEMA_CACHE = new Map();
+
+function getSchemaDir() {
+  return path.resolve(__dirname, '..', 'schemas');
+}
+
+function getKnownArtifacts() {
+  return Object.keys(SCHEMA_FILES).filter((name) => name !== 'shared');
+}
+
+function getSchemaPath(artifactName) {
+  const fileName = SCHEMA_FILES[artifactName];
+  if (!fileName) {
+    throw new Error(`Unknown artifact schema: ${artifactName}`);
+  }
+  return path.join(getSchemaDir(), fileName);
+}
+
+function loadArtifactSchema(artifactName) {
+  if (!SCHEMA_FILES[artifactName]) {
+    throw new Error(`Unknown artifact schema: ${artifactName}`);
+  }
+  if (!SCHEMA_CACHE.has(artifactName)) {
+    const schemaPath = getSchemaPath(artifactName);
+    const schema = JSON.parse(fs.readFileSync(schemaPath, 'utf8'));
+    if (!Number.isInteger(schema.schemaVersion) || schema.schemaVersion <= 0) {
+      throw new Error(`Schema ${artifactName} is missing a valid schemaVersion`);
+    }
+    SCHEMA_CACHE.set(artifactName, { schema, schemaPath });
+  }
+  return SCHEMA_CACHE.get(artifactName);
+}
+
+function createSchemaRef(artifactName) {
+  const { schema, schemaPath } = loadArtifactSchema(artifactName);
+  return {
+    artifact: artifactName,
+    schemaVersion: schema.schemaVersion,
+    schemaFile: path.relative(path.resolve(__dirname, '..'), schemaPath)
+  };
+}
+
+function validateSchemaRef(reference) {
+  const errors = [];
+  if (!reference || typeof reference !== 'object' || Array.isArray(reference)) {
+    return { ok: false, errors: ['outputSchema must be an object'] };
+  }
+
+  const artifactName = String(reference.artifact || '').trim();
+  if (!artifactName) {
+    errors.push('outputSchema.artifact must be a non-empty string');
+  } else if (!getKnownArtifacts().includes(artifactName)) {
+    errors.push(`outputSchema.artifact must be one of: ${getKnownArtifacts().join(', ')}`);
+  }
+
+  if (!Number.isInteger(reference.schemaVersion) || reference.schemaVersion <= 0) {
+    errors.push('outputSchema.schemaVersion must be a positive integer');
+  }
+
+  if (artifactName && getKnownArtifacts().includes(artifactName)) {
+    const { schema, schemaPath } = loadArtifactSchema(artifactName);
+    const expectedRelativePath = path.relative(path.resolve(__dirname, '..'), schemaPath);
+    if (reference.schemaVersion !== schema.schemaVersion) {
+      errors.push(`outputSchema.schemaVersion must match ${artifactName} schema version ${schema.schemaVersion}`);
+    }
+    if ('schemaFile' in reference && reference.schemaFile !== expectedRelativePath) {
+      errors.push(`outputSchema.schemaFile must match ${expectedRelativePath}`);
+    }
+  }
+
+  return { ok: errors.length === 0, errors };
+}
+
+function describeType(value) {
+  if (Array.isArray(value)) {
+    return 'array';
+  }
+  if (value === null) {
+    return 'null';
+  }
+  return typeof value;
+}
+
+function resolveRef(rootSchema, ref) {
+  if (!ref.startsWith('#/')) {
+    throw new Error(`Unsupported schema ref: ${ref}`);
+  }
+  const parts = ref
+    .slice(2)
+    .split('/')
+    .map((part) => part.replace(/~1/g, '/').replace(/~0/g, '~'));
+  let current = rootSchema;
+  for (const part of parts) {
+    if (!current || typeof current !== 'object' || !(part in current)) {
+      throw new Error(`Unable to resolve schema ref: ${ref}`);
+    }
+    current = current[part];
+  }
+  return current;
+}
+
+function validateAgainstSchema({ value, schema, rootSchema, jsonPath, errors }) {
+  if (schema.$ref) {
+    const resolved = resolveRef(rootSchema, schema.$ref);
+    validateAgainstSchema({ value, schema: resolved, rootSchema, jsonPath, errors });
+    return;
+  }
+
+  if (schema.const !== undefined && value !== schema.const) {
+    errors.push(`${jsonPath} must equal ${JSON.stringify(schema.const)}`);
+    return;
+  }
+
+  if (schema.enum && !schema.enum.includes(value)) {
+    errors.push(`${jsonPath} must be one of: ${schema.enum.join(', ')}`);
+    return;
+  }
+
+  if (schema.type === 'object') {
+    if (describeType(value) !== 'object') {
+      errors.push(`${jsonPath} must be an object`);
+      return;
+    }
+    const properties = schema.properties || {};
+    const required = schema.required || [];
+    for (const propertyName of required) {
+      if (!(propertyName in value)) {
+        errors.push(`${jsonPath}.${propertyName} is required`);
+      }
+    }
+    for (const [propertyName, propertyValue] of Object.entries(value)) {
+      if (properties[propertyName]) {
+        validateAgainstSchema({
+          value: propertyValue,
+          schema: properties[propertyName],
+          rootSchema,
+          jsonPath: `${jsonPath}.${propertyName}`,
+          errors
+        });
+        continue;
+      }
+      if (schema.additionalProperties === false) {
+        errors.push(`${jsonPath}.${propertyName} is not allowed`);
+      }
+    }
+    return;
+  }
+
+  if (schema.type === 'array') {
+    if (!Array.isArray(value)) {
+      errors.push(`${jsonPath} must be an array`);
+      return;
+    }
+    if (Number.isInteger(schema.minItems) && value.length < schema.minItems) {
+      errors.push(`${jsonPath} must contain at least ${schema.minItems} item(s)`);
+    }
+    if (schema.items) {
+      value.forEach((item, index) => {
+        validateAgainstSchema({
+          value: item,
+          schema: schema.items,
+          rootSchema,
+          jsonPath: `${jsonPath}[${index}]`,
+          errors
+        });
+      });
+    }
+    return;
+  }
+
+  if (schema.type === 'string') {
+    if (typeof value !== 'string') {
+      errors.push(`${jsonPath} must be a string`);
+      return;
+    }
+    if (Number.isInteger(schema.minLength) && value.length < schema.minLength) {
+      errors.push(`${jsonPath} must not be empty`);
+    }
+    if (schema.pattern) {
+      const matcher = new RegExp(schema.pattern);
+      if (!matcher.test(value)) {
+        errors.push(`${jsonPath} must match ${schema.pattern}`);
+      }
+    }
+    return;
+  }
+
+  if (schema.type === 'number') {
+    if (typeof value !== 'number' || !Number.isFinite(value)) {
+      errors.push(`${jsonPath} must be a number`);
+      return;
+    }
+    if (typeof schema.minimum === 'number' && value < schema.minimum) {
+      errors.push(`${jsonPath} must be >= ${schema.minimum}`);
+    }
+    if (typeof schema.maximum === 'number' && value > schema.maximum) {
+      errors.push(`${jsonPath} must be <= ${schema.maximum}`);
+    }
+    return;
+  }
+
+  if (schema.type === 'integer') {
+    if (!Number.isInteger(value)) {
+      errors.push(`${jsonPath} must be an integer`);
+      return;
+    }
+    if (typeof schema.minimum === 'number' && value < schema.minimum) {
+      errors.push(`${jsonPath} must be >= ${schema.minimum}`);
+    }
+    if (typeof schema.maximum === 'number' && value > schema.maximum) {
+      errors.push(`${jsonPath} must be <= ${schema.maximum}`);
+    }
+    return;
+  }
+
+  if (schema.type === 'boolean' && typeof value !== 'boolean') {
+    errors.push(`${jsonPath} must be a boolean`);
+  }
+}
+
+function validateArtifactValue({ artifactName, value }) {
+  const { schema, schemaPath } = loadArtifactSchema(artifactName);
+  const errors = [];
+  validateAgainstSchema({
+    value,
+    schema,
+    rootSchema: schema,
+    jsonPath: '$',
+    errors
+  });
+  return {
+    ok: errors.length === 0,
+    artifact: artifactName,
+    schemaVersion: schema.schemaVersion,
+    schemaFile: path.relative(path.resolve(__dirname, '..'), schemaPath),
+    errors
+  };
+}
+
+function validateArtifactFile({ artifactName, filePath }) {
+  try {
+    const value = JSON.parse(fs.readFileSync(filePath, 'utf8'));
+    return validateArtifactValue({ artifactName, value });
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return { ok: false, artifact: artifactName, errors: [message] };
+  }
+}
+
+module.exports = {
+  createSchemaRef,
+  getKnownArtifacts,
+  getSchemaPath,
+  loadArtifactSchema,
+  validateArtifactFile,
+  validateArtifactValue,
+  validateSchemaRef
+};

package/scripts/schema-validate.cjs

@@ -0,0 +1,40 @@
+#!/usr/bin/env node
+
+const path = require('path');
+
+const {
+  getKnownArtifacts,
+  validateArtifactFile
+} = require('./schema-runtime.cjs');
+
+function usage() {
+  console.error('Usage:');
+  console.error('  schema-validate.cjs <artifact-name> <file-path>');
+  console.error('');
+  console.error(`Artifacts: ${getKnownArtifacts().join(', ')}`);
+}
+
+function main() {
+  const [artifactName, targetPath] = process.argv.slice(2);
+  if (!artifactName || !targetPath) {
+    usage();
+    process.exit(1);
+  }
+
+  const result = validateArtifactFile({
+    artifactName,
+    filePath: path.resolve(targetPath)
+  });
+  console.log(JSON.stringify(result));
+  if (!result.ok) {
+    process.exit(1);
+  }
+}
+
+try {
+  main();
+} catch (error) {
+  const message = error instanceof Error ? error.message : String(error);
+  console.error(message);
+  process.exit(1);
+}

package/scripts/tests/bug-hunter-state.test.cjs

@@ -49,8 +49,32 @@ test('bug-hunter-state init/mark/hash/filter/record works end-to-end', () => {
 
   const findingsJson = path.join(sandbox, 'findings.json');
   writeJson(findingsJson, [
-    { bugId: 'BUG-1', severity: 'Low', file: 'src/x.ts', lines: '1', claim: 'x' },
-    { bugId: 'BUG-2', severity: 'Critical', file: 'src/x.ts', lines: '1', claim: 'x' }
+    {
+      bugId: 'BUG-1',
+      severity: 'Low',
+      category: 'logic',
+      file: 'src/x.ts',
+      lines: '1',
+      claim: 'x',
+      evidence: 'src/x.ts:1 first evidence',
+      runtimeTrigger: 'Call x()',
+      crossReferences: ['Single file'],
+      confidenceScore: 40
+    },
+    {
+      bugId: 'BUG-2',
+      severity: 'Critical',
+      category: 'security',
+      file: 'src/x.ts',
+      lines: '1',
+      claim: 'x',
+      evidence: 'src/x.ts:1 upgraded evidence',
+      runtimeTrigger: 'Call x() with attacker-controlled input',
+      crossReferences: ['Single file'],
+      confidenceScore: 95,
+      stride: 'Tampering',
+      cwe: 'CWE-20'
+    }
   ]);
   const recorded = runJson('node', [stateScript, 'record-findings', statePath, findingsJson, 'test']);
   assert.equal(recorded.inserted, 1);
@@ -64,7 +88,8 @@ test('bug-hunter-state init/mark/hash/filter/record works end-to-end', () => {
 
   const state = readJson(statePath);
   assert.equal(state.bugLedger[0].severity, 'Critical');
-  assert.equal(state.metrics.lowConfidenceFindings, 1);
+  assert.equal(state.bugLedger[0].confidenceScore, 95);
+  assert.equal(state.metrics.lowConfidenceFindings, 0);
 
   const extraFile = path.join(sandbox, 'c.ts');
   fs.writeFileSync(extraFile, 'const c = 3;\n', 'utf8');
@@ -85,3 +110,43 @@ test('bug-hunter-state init/mark/hash/filter/record works end-to-end', () => {
   const updatedState = readJson(statePath);
   assert.equal(updatedState.factCards['chunk-1'].apiContracts.length, 1);
 });
+
+test('bug-hunter-state rejects malformed findings artifacts', () => {
+  const sandbox = makeSandbox('bug-hunter-state-invalid-');
+  const stateScript = resolveSkillScript('bug-hunter-state.cjs');
+  const filePath = path.join(sandbox, 'a.ts');
+  fs.writeFileSync(filePath, 'const a = 1;\n', 'utf8');
+
+  const filesJson = path.join(sandbox, 'files.json');
+  writeJson(filesJson, [filePath]);
+  const statePath = path.join(sandbox, 'state.json');
+  runJson('node', [stateScript, 'init', statePath, 'extended', filesJson, '1']);
+
+  const findingsJson = path.join(sandbox, 'findings.json');
+  writeJson(findingsJson, [
+    {
+      bugId: 'BUG-1',
+      severity: 'Low',
+      category: 'logic',
+      file: 'src/x.ts',
+      lines: '1',
+      evidence: 'src/x.ts:1 evidence',
+      runtimeTrigger: 'Call x()',
+      crossReferences: ['Single file'],
+      confidenceScore: 40
+    }
+  ]);
+
+  const result = require('node:child_process').spawnSync('node', [
+    stateScript,
+    'record-findings',
+    statePath,
+    findingsJson,
+    'test'
+  ], {
+    encoding: 'utf8'
+  });
+
+  assert.notEqual(result.status, 0);
+  assert.match(`${result.stderr}${result.stdout}`, /Invalid findings artifact/);
+});

package/scripts/tests/code-index.test.cjs

@@ -55,3 +55,18 @@ test('code-index build captures symbols, call graph, boundaries, and query scope
   assert.equal(queryResult.selected.includes(serviceFile), true);
   assert.equal(queryResult.trustBoundaryFiles.includes(routeFile), true);
 });
+
+test('code-index query-bugs cleans up temp seed files after failures', () => {
+  const sandbox = makeSandbox('code-index-query-bugs-');
+  const codeIndex = resolveSkillScript('code-index.cjs');
+  const bugsJson = path.join(sandbox, 'bugs.json');
+  const missingIndexPath = path.join(sandbox, 'missing-index.json');
+  const sourceFile = path.join(sandbox, 'src', 'feature.ts');
+  fs.mkdirSync(path.dirname(sourceFile), { recursive: true });
+  fs.writeFileSync(sourceFile, 'export const feature = true;\n', 'utf8');
+  writeJson(bugsJson, [{ bugId: 'BUG-1', file: sourceFile }]);
+
+  const result = require('./test-utils.cjs').runRaw('node', [codeIndex, 'query-bugs', missingIndexPath, bugsJson, '1']);
+  assert.notEqual(result.status, 0);
+  assert.equal(fs.existsSync(path.join(sandbox, '.seed-files.tmp.json')), false);
+});

package/scripts/tests/fix-lock.test.cjs

@@ -9,7 +9,7 @@ const {
   runRaw
 } = require('./test-utils.cjs');
 
-test('fix-lock enforces single writer and supports release', () => {
+test('fix-lock enforces single writer and supports token-protected release', () => {
   const sandbox = makeSandbox('fix-lock-');
   const lockScript = resolveSkillScript('fix-lock.cjs');
   const lockPath = path.join(sandbox, 'bug-hunter-fix.lock');
@@ -17,20 +17,78 @@ test('fix-lock enforces single writer and supports release', () => {
   const acquire1 = runJson('node', [lockScript, 'acquire', lockPath, '120']);
   assert.equal(acquire1.ok, true);
   assert.equal(acquire1.acquired, true);
+  assert.equal(typeof acquire1.lock.ownerToken, 'string');
+  assert.equal(acquire1.lock.ownerToken.length > 8, true);
 
   const acquire2 = runRaw('node', [lockScript, 'acquire', lockPath, '120']);
   assert.notEqual(acquire2.status, 0);
   const output2 = `${acquire2.stdout || ''}${acquire2.stderr || ''}`;
   assert.match(output2, /lock-held/);
 
+  const renew = runJson('node', [lockScript, 'renew', lockPath, acquire1.lock.ownerToken]);
+  assert.equal(renew.ok, true);
+  assert.equal(renew.renewed, true);
+
+  const badRelease = runRaw('node', [lockScript, 'release', lockPath, 'wrong-token']);
+  assert.notEqual(badRelease.status, 0);
+  assert.match(`${badRelease.stdout || ''}${badRelease.stderr || ''}`, /lock-owner-mismatch/);
+
   const status = runJson('node', [lockScript, 'status', lockPath, '120']);
   assert.equal(status.exists, true);
   assert.equal(status.stale, false);
 
-  const release = runJson('node', [lockScript, 'release', lockPath]);
+  const release = runJson('node', [lockScript, 'release', lockPath, acquire1.lock.ownerToken]);
   assert.equal(release.ok, true);
   assert.equal(release.released, true);
 
   const statusAfter = runJson('node', [lockScript, 'status', lockPath, '120']);
   assert.equal(statusAfter.exists, false);
 });
+
+test('fix-lock does not steal an expired lock from a still-running owner', () => {
+  const sandbox = makeSandbox('fix-lock-live-owner-');
+  const lockScript = resolveSkillScript('fix-lock.cjs');
+  const lockPath = path.join(sandbox, 'bug-hunter-fix.lock');
+
+  require('fs').writeFileSync(lockPath, `${JSON.stringify({
+    pid: process.pid,
+    host: 'test-host',
+    cwd: sandbox,
+    createdAtMs: Date.now() - 10_000,
+    createdAt: new Date(Date.now() - 10_000).toISOString(),
+    ownerToken: 'existing-owner-token'
+  }, null, 2)}\n`, 'utf8');
+
+  const acquire = runRaw('node', [lockScript, 'acquire', lockPath, '1']);
+  assert.notEqual(acquire.status, 0);
+  assert.match(`${acquire.stdout || ''}${acquire.stderr || ''}`, /lock-held-by-live-owner|lock-held/);
+});
+
+test('fix-lock acquires atomically under contention', async () => {
+  const sandbox = makeSandbox('fix-lock-race-');
+  const lockScript = resolveSkillScript('fix-lock.cjs');
+  const lockPath = path.join(sandbox, 'bug-hunter-fix.lock');
+
+  const results = await Promise.all(Array.from({ length: 20 }, () => {
+    return new Promise((resolve) => {
+      const child = require('node:child_process').spawn('node', [lockScript, 'acquire', lockPath, '120'], {
+        stdio: ['ignore', 'pipe', 'pipe']
+      });
+      child.on('close', (code) => resolve(code));
+    });
+  }));
+
+  const successCount = results.filter((code) => code === 0).length;
+  assert.equal(successCount, 1);
+});
+
+test('fix-lock recovers from a corrupted lock file', () => {
+  const sandbox = makeSandbox('fix-lock-corrupt-');
+  const lockScript = resolveSkillScript('fix-lock.cjs');
+  const lockPath = path.join(sandbox, 'bug-hunter-fix.lock');
+  require('fs').writeFileSync(lockPath, '{broken json', 'utf8');
+
+  const result = runJson('node', [lockScript, 'acquire', lockPath, '120']);
+  assert.equal(result.ok, true);
+  assert.equal(result.acquired, true);
+});

package/scripts/tests/fixtures/flaky-worker.cjs

@@ -54,9 +54,14 @@ if (findingsJson) {
     {
       bugId: `BUG-${chunkId}`,
       severity: 'Medium',
+      category: 'logic',
       file: `src/retry-${chunkId}.ts`,
       lines: '10-11',
-      claim: `retry-success-${chunkId}`
+      claim: `retry-success-${chunkId}`,
+      evidence: `src/retry-${chunkId}.ts:10-11 retry success evidence`,
+      runtimeTrigger: `Retry attempt for ${chunkId}`,
+      crossReferences: ['Single file'],
+      confidenceScore: 88
     }
   ];
   fs.writeFileSync(findingsJson, `${JSON.stringify(payload, null, 2)}\n`, 'utf8');

package/scripts/tests/fixtures/low-confidence-worker.cjs

@@ -54,10 +54,16 @@ if (findingsJson && scanFiles.length > 0) {
     {
       bugId: `BUG-${chunkId}`,
       severity: 'Critical',
-      confidence: Number.isInteger(confidence) ? confidence : 60,
+      category: 'security',
       file: scanFiles[0],
       lines: '1',
-      claim: `Low-confidence risk in ${path.basename(scanFiles[0])}`
+      claim: `Low-confidence risk in ${path.basename(scanFiles[0])}`,
+      evidence: `${scanFiles[0]}:1 fixture evidence`,
+      runtimeTrigger: `Load ${path.basename(scanFiles[0])} through the low-confidence worker`,
+      crossReferences: ['Single file'],
+      confidenceScore: Number.isInteger(confidence) ? confidence : 60,
+      stride: 'Tampering',
+      cwe: 'CWE-20'
     }
   ]);
 }

package/scripts/tests/fixtures/success-worker.cjs

@@ -34,9 +34,14 @@ const payload = [
   {
     bugId: `BUG-${options['chunk-id'] || '0'}`,
     severity: 'Low',
+    category: 'logic',
     file: 'src/example.ts',
     lines: '1',
-    claim: 'example'
+    claim: 'example',
+    evidence: 'src/example.ts:1 example evidence',
+    runtimeTrigger: 'Run the success worker fixture',
+    crossReferences: ['Single file'],
+    confidenceScore: 80
   }
 ];
 fs.writeFileSync(findingsJson, `${JSON.stringify(payload, null, 2)}\n`, 'utf8');