@codexstar/bug-hunter 3.0.0 → 3.0.5

package/scripts/tests/payload-guard.test.cjs

@@ -13,6 +13,7 @@ const {
 test('payload-guard accepts valid hunter payload and rejects malformed payload', () => {
   const sandbox = makeSandbox('payload-guard-');
   const guardScript = resolveSkillScript('payload-guard.cjs');
+  const schemaRuntime = require(resolveSkillScript('schema-runtime.cjs'));
   const validPayloadPath = path.join(sandbox, 'valid.json');
   const invalidPayloadPath = path.join(sandbox, 'invalid.json');
 
@@ -21,7 +22,7 @@ test('payload-guard accepts valid hunter payload and rejects malformed payload',
     targetFiles: ['src/a.ts'],
     riskMap: {},
     techStack: { framework: 'express' },
-    outputSchema: { type: 'object' }
+    outputSchema: schemaRuntime.createSchemaRef('findings')
   });
 
   const valid = runJson('node', [guardScript, 'validate', 'hunter', validPayloadPath]);
@@ -31,11 +32,162 @@ test('payload-guard accepts valid hunter payload and rejects malformed payload',
   writeJson(invalidPayloadPath, {
     skillDir: 'relative/path',
     targetFiles: [],
-    outputSchema: null
+    outputSchema: { artifact: 'findings', schemaVersion: 999, schemaFile: 'schemas/findings.schema.json' }
   });
 
   const invalid = runRaw('node', [guardScript, 'validate', 'hunter', invalidPayloadPath]);
   assert.notEqual(invalid.status, 0);
   const output = `${invalid.stdout || ''}\n${invalid.stderr || ''}`;
   assert.match(output, /Missing required field: riskMap/);
+  assert.match(output, /schema version 1/);
+});
+
+test('schema-validate validates example findings fixtures', () => {
+  const validatorScript = resolveSkillScript('schema-validate.cjs');
+  const validPath = resolveSkillScript('..', 'schemas', 'examples', 'findings.valid.json');
+  const invalidPath = resolveSkillScript('..', 'schemas', 'examples', 'findings.invalid.json');
+
+  const valid = runJson('node', [validatorScript, 'findings', validPath]);
+  assert.equal(valid.ok, true);
+
+  const invalid = runRaw('node', [validatorScript, 'findings', invalidPath]);
+  assert.notEqual(invalid.status, 0);
+  assert.match(`${invalid.stdout}${invalid.stderr}`, /\$\[0\]\.claim is required/);
+});
+
+test('schema-validate accepts valid skeptic, referee, fix-report, fix-strategy, and fix-plan artifacts', () => {
+  const sandbox = makeSandbox('schema-validate-more-');
+  const validatorScript = resolveSkillScript('schema-validate.cjs');
+  const skepticPath = path.join(sandbox, 'skeptic.json');
+  const refereePath = path.join(sandbox, 'referee.json');
+  const fixReportPath = path.join(sandbox, 'fix-report.json');
+  const fixStrategyPath = path.join(sandbox, 'fix-strategy.json');
+  const fixPlanPath = path.join(sandbox, 'fix-plan.json');
+
+  writeJson(skepticPath, [
+    {
+      bugId: 'BUG-1',
+      response: 'ACCEPT',
+      analysisSummary: 'The finding holds after re-reading the code.'
+    }
+  ]);
+  writeJson(refereePath, [
+    {
+      bugId: 'BUG-1',
+      verdict: 'REAL_BUG',
+      trueSeverity: 'Critical',
+      confidenceScore: 95,
+      confidenceLabel: 'high',
+      verificationMode: 'INDEPENDENTLY_VERIFIED',
+      analysisSummary: 'Confirmed by direct code trace.'
+    }
+  ]);
+  writeJson(fixReportPath, {
+    version: '3.0.0',
+    fix_branch: 'bug-hunter-fix-20260311-200000',
+    base_commit: 'abc123',
+    dry_run: false,
+    circuit_breaker_tripped: false,
+    phase2_timeout_hit: false,
+    fixes: [
+      {
+        bugId: 'BUG-1',
+        severity: 'CRITICAL',
+        status: 'FIXED',
+        files: ['src/a.ts'],
+        lines: '10-12',
+        commit: 'def456',
+        description: 'Parameterized the query.'
+      }
+    ],
+    verification: {
+      baseline_pass: 10,
+      baseline_fail: 1,
+      flaky_tests: 0,
+      final_pass: 11,
+      final_fail: 0,
+      new_failures: 0,
+      resolved_failures: 1,
+      typecheck_pass: true,
+      build_pass: true,
+      fixer_bugs_found: 0
+    },
+    summary: {
+      total_confirmed: 1,
+      eligible: 1,
+      manual_review: 0,
+      fixed: 1,
+      fix_reverted: 0,
+      fix_failed: 0,
+      skipped: 0,
+      fixer_bug: 0,
+      partial: 0
+    }
+  });
+  writeJson(fixStrategyPath, {
+    version: '3.1.0',
+    generatedAt: '2026-03-12T00:00:00.000Z',
+    confidenceThreshold: 75,
+    summary: {
+      confirmed: 1,
+      safeAutofix: 1,
+      manualReview: 0,
+      largerRefactor: 0,
+      architecturalRemediation: 0,
+      canaryCandidates: 1,
+      rolloutCandidates: 0
+    },
+    clusters: [
+      {
+        clusterId: 'cluster-1',
+        strategy: 'safe-autofix',
+        executionStage: 'canary',
+        autofixEligible: true,
+        bugIds: ['BUG-1'],
+        files: ['src/a.ts'],
+        maxSeverity: 'CRITICAL',
+        summary: '1 bug(s) in src classified as safe-autofix.',
+        recommendedAction: 'Proceed through the guarded fix pipeline with canary verification and rollback safety.',
+        reasons: ['Finding is localized enough for a guarded surgical fix.']
+      }
+    ]
+  });
+  writeJson(fixPlanPath, {
+    generatedAt: '2026-03-12T00:00:00.000Z',
+    confidenceThreshold: 75,
+    canarySize: 1,
+    totals: {
+      findings: 1,
+      eligible: 1,
+      canary: 1,
+      rollout: 0,
+      manualReview: 0
+    },
+    canary: [
+      {
+        bugId: 'BUG-1',
+        severity: 'Critical',
+        category: 'logic',
+        file: 'src/a.ts',
+        lines: '10-12',
+        claim: 'x',
+        evidence: 'src/a.ts:10-12 evidence',
+        runtimeTrigger: 'Call x()',
+        crossReferences: ['Single file'],
+        confidenceScore: 95,
+        strategy: 'safe-autofix',
+        executionStage: 'canary',
+        autofixEligible: true,
+        reason: 'Finding is localized enough for a guarded surgical fix.'
+      }
+    ],
+    rollout: [],
+    manualReview: []
+  });
+
+  assert.equal(runJson('node', [validatorScript, 'skeptic', skepticPath]).ok, true);
+  assert.equal(runJson('node', [validatorScript, 'referee', refereePath]).ok, true);
+  assert.equal(runJson('node', [validatorScript, 'fix-report', fixReportPath]).ok, true);
+  assert.equal(runJson('node', [validatorScript, 'fix-strategy', fixStrategyPath]).ok, true);
+  assert.equal(runJson('node', [validatorScript, 'fix-plan', fixPlanPath]).ok, true);
 });

package/scripts/tests/pr-scope.test.cjs

@@ -0,0 +1,212 @@
+const assert = require('node:assert/strict');
+const fs = require('fs');
+const path = require('path');
+const test = require('node:test');
+
+const {
+  makeSandbox,
+  resolveSkillScript,
+  runJson,
+  runRaw
+} = require('./test-utils.cjs');
+
+function writeExecutable(filePath, content) {
+  fs.mkdirSync(path.dirname(filePath), { recursive: true });
+  fs.writeFileSync(filePath, content, 'utf8');
+  fs.chmodSync(filePath, 0o755);
+}
+
+test('pr-scope resolves the current PR via gh metadata', () => {
+  const sandbox = makeSandbox('pr-scope-current-');
+  const script = resolveSkillScript('pr-scope.cjs');
+  const ghPath = path.join(sandbox, 'gh-mock.cjs');
+
+  writeExecutable(ghPath, `#!/usr/bin/env node
+const args = process.argv.slice(2);
+if (args[0] === 'pr' && args[1] === 'view') {
+  process.stdout.write(JSON.stringify({ number: 42, title: 'Fix auth flow', headRefName: 'feature/auth', baseRefName: 'main', url: 'https://example.test/pr/42' }));
+  process.exit(0);
+}
+if (args[0] === 'pr' && args[1] === 'diff') {
+  process.stdout.write('src/auth.ts\\nsrc/session.ts\\n');
+  process.exit(0);
+}
+process.exit(1);
+`);
+
+  const result = runJson('node', [script, 'resolve', 'current', '--repo-root', sandbox, '--gh-bin', ghPath]);
+  assert.equal(result.ok, true);
+  assert.equal(result.source, 'gh');
+  assert.equal(result.pr.number, 42);
+  assert.deepEqual(result.changedFiles, ['src/auth.ts', 'src/session.ts']);
+});
+
+test('pr-scope falls back to git when current PR metadata is unavailable', () => {
+  const sandbox = makeSandbox('pr-scope-fallback-');
+  const script = resolveSkillScript('pr-scope.cjs');
+  const ghPath = path.join(sandbox, 'gh-fail.cjs');
+  const gitPath = path.join(sandbox, 'git-mock.cjs');
+
+  writeExecutable(ghPath, `#!/usr/bin/env node
+process.stderr.write('gh unavailable');
+process.exit(1);
+`);
+
+  writeExecutable(gitPath, `#!/usr/bin/env node
+const args = process.argv.slice(2);
+if (args[0] === 'rev-parse') {
+  process.stdout.write('feature/local\\n');
+  process.exit(0);
+}
+if (args[0] === 'diff') {
+  process.stdout.write('src/local.ts\\n');
+  process.exit(0);
+}
+process.exit(1);
+`);
+
+  const result = runJson('node', [
+    script,
+    'resolve',
+    'current',
+    '--repo-root',
+    sandbox,
+    '--gh-bin',
+    ghPath,
+    '--git-bin',
+    gitPath,
+    '--base',
+    'develop'
+  ]);
+  assert.equal(result.ok, true);
+  assert.equal(result.source, 'git');
+  assert.equal(result.pr.headRefName, 'feature/local');
+  assert.equal(result.pr.baseRefName, 'develop');
+  assert.deepEqual(result.changedFiles, ['src/local.ts']);
+});
+
+test('pr-scope resolves the most recent PR via gh list + diff', () => {
+  const sandbox = makeSandbox('pr-scope-recent-');
+  const script = resolveSkillScript('pr-scope.cjs');
+  const ghPath = path.join(sandbox, 'gh-recent.cjs');
+
+  writeExecutable(ghPath, `#!/usr/bin/env node
+const args = process.argv.slice(2);
+if (args[0] === 'pr' && args[1] === 'list') {
+  process.stdout.write(JSON.stringify([{ number: 7, title: 'Recent PR', headRefName: 'feature/recent', baseRefName: 'main', url: 'https://example.test/pr/7' }]));
+  process.exit(0);
+}
+if (args[0] === 'pr' && args[1] === 'diff') {
+  process.stdout.write('src/recent.ts\\n');
+  process.exit(0);
+}
+process.exit(1);
+`);
+
+  const result = runJson('node', [script, 'resolve', 'recent', '--repo-root', sandbox, '--gh-bin', ghPath]);
+  assert.equal(result.ok, true);
+  assert.equal(result.source, 'gh');
+  assert.equal(result.pr.number, 7);
+  assert.deepEqual(result.changedFiles, ['src/recent.ts']);
+});
+
+test('pr-scope uses the discovered default branch for current-branch fallback', () => {
+  const sandbox = makeSandbox('pr-scope-default-branch-');
+  const script = resolveSkillScript('pr-scope.cjs');
+  const ghPath = path.join(sandbox, 'gh-fail.cjs');
+  const gitPath = path.join(sandbox, 'git-default.cjs');
+
+  writeExecutable(ghPath, `#!/usr/bin/env node
+process.stderr.write('gh unavailable');
+process.exit(1);
+`);
+
+  writeExecutable(gitPath, `#!/usr/bin/env node
+const args = process.argv.slice(2);
+if (args[0] === 'rev-parse' && args[1] === '--abbrev-ref') {
+  process.stdout.write('feature/local\\n');
+  process.exit(0);
+}
+if (args[0] === 'symbolic-ref') {
+  process.stdout.write('refs/remotes/origin/trunk\\n');
+  process.exit(0);
+}
+if (args[0] === 'diff' && args[2] === 'origin/trunk...feature/local') {
+  process.stdout.write('src/from-trunk.ts\\n');
+  process.exit(0);
+}
+process.stderr.write('unexpected command: ' + args.join(' '));
+process.exit(1);
+`);
+
+  const result = runJson('node', [
+    script,
+    'resolve',
+    'current',
+    '--repo-root',
+    sandbox,
+    '--gh-bin',
+    ghPath,
+    '--git-bin',
+    gitPath
+  ]);
+  assert.equal(result.ok, true);
+  assert.equal(result.source, 'git');
+  assert.equal(result.pr.baseRefName, 'trunk');
+  assert.deepEqual(result.changedFiles, ['src/from-trunk.ts']);
+});
+
+test('pr-scope fails current-branch fallback when no trustworthy base branch is available', () => {
+  const sandbox = makeSandbox('pr-scope-no-base-');
+  const script = resolveSkillScript('pr-scope.cjs');
+  const ghPath = path.join(sandbox, 'gh-fail.cjs');
+  const gitPath = path.join(sandbox, 'git-partial.cjs');
+
+  writeExecutable(ghPath, `#!/usr/bin/env node
+process.stderr.write('gh unavailable');
+process.exit(1);
+`);
+
+  writeExecutable(gitPath, `#!/usr/bin/env node
+const args = process.argv.slice(2);
+if (args[0] === 'rev-parse' && args[1] === '--abbrev-ref') {
+  process.stdout.write('feature/local\\n');
+  process.exit(0);
+}
+process.stderr.write('missing default branch');
+process.exit(1);
+`);
+
+  const result = runRaw('node', [
+    script,
+    'resolve',
+    'current',
+    '--repo-root',
+    sandbox,
+    '--gh-bin',
+    ghPath,
+    '--git-bin',
+    gitPath
+  ], {
+    encoding: 'utf8'
+  });
+  assert.notEqual(result.status, 0);
+  assert.match(`${result.stdout || ''}${result.stderr || ''}`, /base branch|default branch|missing default branch/i);
+});
+
+test('pr-scope fails for numbered PRs when gh metadata cannot be resolved', () => {
+  const sandbox = makeSandbox('pr-scope-numbered-');
+  const script = resolveSkillScript('pr-scope.cjs');
+  const ghPath = path.join(sandbox, 'gh-fail.cjs');
+
+  writeExecutable(ghPath, `#!/usr/bin/env node
+process.stderr.write('not found');
+process.exit(1);
+`);
+
+  const result = runRaw('node', [script, 'resolve', '123', '--repo-root', sandbox, '--gh-bin', ghPath], {
+    encoding: 'utf8'
+  });
+  assert.notEqual(result.status, 0);
+  assert.match(`${result.stdout || ''}${result.stderr || ''}`, /not found/);
+});

package/scripts/tests/render-report.test.cjs

@@ -0,0 +1,180 @@
+const assert = require('node:assert/strict');
+const fs = require('fs');
+const path = require('path');
+const test = require('node:test');
+
+const {
+  makeSandbox,
+  resolveSkillScript,
+  runRaw,
+  writeJson
+} = require('./test-utils.cjs');
+
+test('render-report renders a markdown summary from findings and referee JSON', () => {
+  const sandbox = makeSandbox('render-report-');
+  const script = resolveSkillScript('render-report.cjs');
+  const findingsPath = path.join(sandbox, 'findings.json');
+  const refereePath = path.join(sandbox, 'referee.json');
+
+  writeJson(findingsPath, [
+    {
+      bugId: 'BUG-1',
+      severity: 'Critical',
+      category: 'security',
+      file: 'src/api.ts',
+      lines: '10-12',
+      claim: 'User input reaches an unsafe sink',
+      evidence: 'src/api.ts:10-12 ...',
+      runtimeTrigger: 'POST /api with attacker input',
+      crossReferences: ['Single file'],
+      confidenceScore: 90
+    }
+  ]);
+
+  writeJson(refereePath, [
+    {
+      bugId: 'BUG-1',
+      verdict: 'REAL_BUG',
+      trueSeverity: 'Critical',
+      confidenceScore: 91,
+      confidenceLabel: 'high',
+      verificationMode: 'INDEPENDENTLY_VERIFIED',
+      analysisSummary: 'Confirmed by tracing the sink.'
+    }
+  ]);
+
+  const result = runRaw('node', [script, 'report', findingsPath, refereePath], {
+    encoding: 'utf8'
+  });
+
+  assert.equal(result.status, 0);
+  assert.match(result.stdout, /# Bug Hunter Report/);
+  assert.match(result.stdout, /BUG-1 \| Critical \| src\/api.ts/);
+  assert.match(result.stdout, /Confirmed by tracing the sink/);
+});
+
+test('render-report renders coverage markdown from coverage JSON', () => {
+  const sandbox = makeSandbox('render-coverage-');
+  const script = resolveSkillScript('render-report.cjs');
+  const coveragePath = path.join(sandbox, 'coverage.json');
+
+  writeJson(coveragePath, {
+    schemaVersion: 1,
+    iteration: 2,
+    status: 'COMPLETE',
+    files: [{ path: 'src/a.ts', status: 'done' }],
+    bugs: [{ bugId: 'BUG-1', severity: 'Low', file: 'src/a.ts', claim: 'example' }],
+    fixes: [{ bugId: 'BUG-1', status: 'MANUAL_REVIEW' }]
+  });
+
+  const result = runRaw('node', [script, 'coverage', coveragePath], {
+    encoding: 'utf8'
+  });
+
+  assert.equal(result.status, 0);
+  assert.match(result.stdout, /# Bug Hunter Coverage/);
+  assert.match(result.stdout, /done \| src\/a.ts/);
+  assert.match(result.stdout, /BUG-1 \| Low \| src\/a.ts \| example/);
+});
+
+test('render-report renders a markdown summary from fix-report JSON', () => {
+  const sandbox = makeSandbox('render-fix-report-');
+  const script = resolveSkillScript('render-report.cjs');
+  const fixReportPath = path.join(sandbox, 'fix-report.json');
+
+  writeJson(fixReportPath, {
+    version: '3.0.0',
+    fix_branch: 'bug-hunter-fix-20260311-200000',
+    base_commit: 'abc123',
+    dry_run: false,
+    circuit_breaker_tripped: false,
+    phase2_timeout_hit: false,
+    fixes: [
+      {
+        bugId: 'BUG-1',
+        severity: 'CRITICAL',
+        status: 'FIXED',
+        files: ['src/a.ts'],
+        lines: '10-12',
+        commit: 'def456',
+        description: 'Parameterized the query.'
+      }
+    ],
+    verification: {
+      baseline_pass: 10,
+      baseline_fail: 1,
+      flaky_tests: 0,
+      final_pass: 11,
+      final_fail: 0,
+      new_failures: 0,
+      resolved_failures: 1,
+      typecheck_pass: true,
+      build_pass: true,
+      fixer_bugs_found: 0
+    },
+    summary: {
+      total_confirmed: 1,
+      eligible: 1,
+      manual_review: 0,
+      fixed: 1,
+      fix_reverted: 0,
+      fix_failed: 0,
+      skipped: 0,
+      fixer_bug: 0,
+      partial: 0
+    }
+  });
+
+  const result = runRaw('node', [script, 'fix-report', fixReportPath], {
+    encoding: 'utf8'
+  });
+
+  assert.equal(result.status, 0);
+  assert.match(result.stdout, /# Fix Report/);
+  assert.match(result.stdout, /BUG-1 \| FIXED \| CRITICAL/);
+  assert.match(result.stdout, /Parameterized the query/);
+});
+
+test('render-report renders a markdown summary from fix-strategy JSON', () => {
+  const sandbox = makeSandbox('render-fix-strategy-');
+  const script = resolveSkillScript('render-report.cjs');
+  const fixStrategyPath = path.join(sandbox, 'fix-strategy.json');
+
+  writeJson(fixStrategyPath, {
+    version: '3.1.0',
+    generatedAt: '2026-03-12T00:00:00.000Z',
+    confidenceThreshold: 75,
+    summary: {
+      confirmed: 2,
+      safeAutofix: 1,
+      manualReview: 1,
+      largerRefactor: 0,
+      architecturalRemediation: 0,
+      canaryCandidates: 1,
+      rolloutCandidates: 0
+    },
+    clusters: [
+      {
+        clusterId: 'cluster-1',
+        strategy: 'safe-autofix',
+        executionStage: 'canary',
+        autofixEligible: true,
+        bugIds: ['BUG-1'],
+        files: ['src/a.ts'],
+        maxSeverity: 'CRITICAL',
+        summary: '1 bug(s) in src classified as safe-autofix.',
+        recommendedAction: 'Proceed through the guarded fix pipeline with canary verification and rollback safety.',
+        reasons: ['Finding is localized enough for a guarded surgical fix.']
+      }
+    ]
+  });
+
+  const result = runRaw('node', [script, 'fix-strategy', fixStrategyPath], {
+    encoding: 'utf8'
+  });
+
+  assert.equal(result.status, 0);
+  assert.match(result.stdout, /# Fix Strategy/);
+  assert.match(result.stdout, /cluster-1 \| safe-autofix \| canary/);
+  assert.match(result.stdout, /guarded fix pipeline/);
+});