npm - @codexstar/bug-hunter - Versions diffs - 3.0.0 → 3.0.5 - Mend

@codexstar/bug-hunter 3.0.0 → 3.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (77) hide show

package/CHANGELOG.md +149 -83
package/README.md +150 -15
package/SKILL.md +94 -27
package/agents/openai.yaml +4 -0
package/bin/bug-hunter +9 -3
package/docs/images/2026-03-12-fix-plan-rollout.png +0 -0
package/docs/images/2026-03-12-hero-bug-hunter-overview.png +0 -0
package/docs/images/2026-03-12-machine-readable-artifacts.png +0 -0
package/docs/images/2026-03-12-pr-review-flow.png +0 -0
package/docs/images/2026-03-12-security-pack.png +0 -0
package/docs/images/adversarial-debate.png +0 -0
package/docs/images/doc-verify-fix-plan.png +0 -0
package/docs/images/hero.png +0 -0
package/docs/images/pipeline-overview.png +0 -0
package/docs/images/security-finding-card.png +0 -0
package/docs/plans/2026-03-11-structured-output-migration-plan.md +288 -0
package/docs/plans/2026-03-12-audit-bug-fixes-surgical-plan.md +193 -0
package/docs/plans/2026-03-12-enterprise-security-pack-e2e-plan.md +59 -0
package/docs/plans/2026-03-12-local-security-skills-integration-plan.md +39 -0
package/docs/plans/2026-03-12-pr-review-strategic-fix-flow.md +78 -0
package/evals/evals.json +366 -102
package/modes/extended.md +2 -2
package/modes/fix-loop.md +30 -30
package/modes/fix-pipeline.md +32 -6
package/modes/large-codebase.md +14 -15
package/modes/local-sequential.md +44 -20
package/modes/loop.md +56 -56
package/modes/parallel.md +3 -3
package/modes/scaled.md +2 -2
package/modes/single-file.md +3 -3
package/modes/small.md +11 -11
package/package.json +10 -1
package/prompts/fixer.md +37 -23
package/prompts/hunter.md +39 -20
package/prompts/referee.md +34 -20
package/prompts/skeptic.md +25 -22
package/schemas/coverage.schema.json +67 -0
package/schemas/examples/findings.invalid.json +13 -0
package/schemas/examples/findings.valid.json +17 -0
package/schemas/findings.schema.json +76 -0
package/schemas/fix-plan.schema.json +94 -0
package/schemas/fix-report.schema.json +105 -0
package/schemas/fix-strategy.schema.json +99 -0
package/schemas/recon.schema.json +31 -0
package/schemas/referee.schema.json +46 -0
package/schemas/shared.schema.json +51 -0
package/schemas/skeptic.schema.json +21 -0
package/scripts/bug-hunter-state.cjs +35 -12
package/scripts/code-index.cjs +11 -4
package/scripts/fix-lock.cjs +95 -25
package/scripts/payload-guard.cjs +24 -10
package/scripts/pr-scope.cjs +181 -0
package/scripts/render-report.cjs +346 -0
package/scripts/run-bug-hunter.cjs +667 -32
package/scripts/schema-runtime.cjs +273 -0
package/scripts/schema-validate.cjs +40 -0
package/scripts/tests/bug-hunter-state.test.cjs +68 -3
package/scripts/tests/code-index.test.cjs +15 -0
package/scripts/tests/fix-lock.test.cjs +60 -2
package/scripts/tests/fixtures/flaky-worker.cjs +6 -1
package/scripts/tests/fixtures/low-confidence-worker.cjs +8 -2
package/scripts/tests/fixtures/success-worker.cjs +6 -1
package/scripts/tests/payload-guard.test.cjs +154 -2
package/scripts/tests/pr-scope.test.cjs +212 -0
package/scripts/tests/render-report.test.cjs +180 -0
package/scripts/tests/run-bug-hunter.test.cjs +686 -2
package/scripts/tests/security-skills-integration.test.cjs +29 -0
package/scripts/tests/skills-packaging.test.cjs +30 -0
package/scripts/tests/worktree-harvest.test.cjs +66 -0
package/scripts/worktree-harvest.cjs +62 -9
package/skills/README.md +19 -0
package/skills/commit-security-scan/SKILL.md +63 -0
package/skills/security-review/SKILL.md +57 -0
package/skills/threat-model-generation/SKILL.md +47 -0
package/skills/vulnerability-validation/SKILL.md +59 -0
package/templates/subagent-wrapper.md +12 -3
package/modes/_dispatch.md +0 -121

package/modes/_dispatch.md DELETED Viewed

@@ -1,121 +0,0 @@
-# Shared Dispatch Patterns
-This file defines how to dispatch each pipeline role (Recon, Hunter, Skeptic, Referee, Fixer) using any `AGENT_BACKEND`. Mode files reference this instead of duplicating dispatch boilerplate.
----
-## Dispatch by Backend
-### local-sequential
-You execute the role yourself:
-1. Read the prompt file: `read({ path: "$SKILL_DIR/prompts/<role>.md" })`
-2. If the role needs doc-lookup: also read `$SKILL_DIR/prompts/doc-lookup.md`
-3. **Switch mindset** to the role (important for Skeptic/Referee — genuinely adversarial)
-4. Execute the role's instructions using the Read tool to examine source files
-5. Write output to the role's output file (see Output Files table below)
-### subagent
-1. Read the prompt file: `read({ path: "$SKILL_DIR/prompts/<role>.md" })`
-2. Read the wrapper template: `read({ path: "$SKILL_DIR/templates/subagent-wrapper.md" })`
-3. Generate payload:
-   ```bash
-   node "$SKILL_DIR/scripts/payload-guard.cjs" generate <role> ".bug-hunter/payloads/<role>-<context>.json"
-   ```
-4. Edit the payload JSON — fill in `skillDir`, `targetFiles`, and role-specific fields
-5. Validate:
-   ```bash
-   node "$SKILL_DIR/scripts/payload-guard.cjs" validate <role> ".bug-hunter/payloads/<role>-<context>.json"
-   ```
-6. Fill the subagent-wrapper template variables:
-   - `{ROLE_NAME}` = role name (see table below)
-   - `{ROLE_DESCRIPTION}` = role description (see table below)
-   - `{PROMPT_CONTENT}` = full contents of the prompt .md file
-   - `{TARGET_DESCRIPTION}` = what is being scanned
-   - `{SKILL_DIR}` = absolute path to skill directory
-   - `{FILE_LIST}` = files in scan order (CRITICAL first)
-   - `{RISK_MAP}` = risk classification from triage or Recon
-   - `{TECH_STACK}` = framework, auth, DB from Recon
-   - `{PHASE_SPECIFIC_CONTEXT}` = role-specific context (see below)
-   - `{OUTPUT_FILE_PATH}` = output file path
-7. Dispatch:
-   ```
-   subagent({ agent: "<role>-agent", task: "<filled template>", output: "<output-path>" })
-   ```
-8. Read the output file after completion
-### teams
-Same as subagent, but dispatch with:
-```
-teams({ tasks: [{ text: "<filled template>" }], maxTeammates: 1 })
-```
-### interactive_shell
-```
-interactive_shell({ command: 'pi "<filled task prompt>"', mode: "dispatch" })
-```
----
-## Role Reference
-| Role | Prompt File | Role Description | Output File | Phase-Specific Context |
-|------|-------------|-----------------|-------------|----------------------|
-| `recon` | `prompts/recon.md` | Reconnaissance agent — map the codebase and classify files by risk | `.bug-hunter/recon.md` | Triage JSON path (if exists) |
-| `hunter` | `prompts/hunter.md` | Bug Hunter — find behavioral bugs in source code | `.bug-hunter/findings.md` | `doc-lookup.md` + risk map + tech stack |
-| `skeptic` | `prompts/skeptic.md` | Skeptic — adversarial review to disprove false positives | `.bug-hunter/skeptic.md` | Hunter findings (compact: bugId, severity, file, lines, claim, evidence, runtimeTrigger) + `doc-lookup.md` |
-| `referee` | `prompts/referee.md` | Referee — impartial final judge of all findings | `.bug-hunter/referee.md` | Hunter findings + Skeptic challenges |
-| `fixer` | `prompts/fixer.md` | Surgical code fixer — implement minimal fixes for confirmed bugs | `.bug-hunter/fix-report.md` | Confirmed bugs from Referee + tech stack + `doc-lookup.md` |
----
-## Fixer Dispatch: Worktree Isolation (subagent/teams only)
-When `WORKTREE_MODE=true`, the Fixer runs in a managed git worktree for isolation. The orchestrator handles the full lifecycle — the Fixer just edits and commits.
-**Key differences from other role dispatches:**
-1. The worktree is created by the orchestrator via `worktree-harvest.cjs prepare` BEFORE dispatch.
-2. The Fixer's working directory is set to the worktree's absolute path, not the project root.
-3. The Fixer MUST `git add` + `git commit` each fix (uncommitted work = `FIX_FAILED`).
-4. The orchestrator harvests commits via `worktree-harvest.cjs harvest` AFTER dispatch.
-5. The orchestrator cleans up via `worktree-harvest.cjs cleanup` AFTER harvest.
-**CRITICAL — do NOT use `isolation: "worktree"` on the Agent tool:**
-The Agent tool's built-in worktree isolation creates an ephemeral branch and auto-cleans on exit, which loses Fixer commits. We manage worktrees ourselves so the Fixer commits land directly on the fix branch.
-**Fixer-specific template variables for `{PHASE_SPECIFIC_CONTEXT}`:**
-- `WORKTREE_DIR: <absolute path to worktree>`
-- `FIX_BRANCH: <branch name>`
-- `COMMIT_FORMAT: fix(bug-hunter): BUG-N — [description]`
-- Worktree isolation rules (see `{WORKTREE_RULES}` in subagent-wrapper.md)
-**Lifecycle diagram:**
-```
-Orchestrator                         Fixer (in worktree)
-     |                                     |
-     |-- prepare (worktree-harvest.cjs) -->|
-     |                                     |-- read code
-     |                                     |-- edit files
-     |                                     |-- git add + commit per bug
-     |                                     |-- report done
-     |<-- harvest (worktree-harvest.cjs) --|
-     |-- cleanup (worktree-harvest.cjs)    |
-     |-- verify on fix branch              |
-```
----
-## Context Pruning Rules
-When passing data between phases, include only what the receiving role needs:
-**To Skeptic:** For each bug: BUG-ID, severity, file, lines, claim, evidence, runtimeTrigger, cross-references. Omit: Hunter's internal reasoning, scan coverage stats, FILES SCANNED/SKIPPED metadata.
-**To Referee:** Full Hunter findings + full Skeptic challenges. The Referee needs both sides to judge.
-**To Fixer:** For each confirmed bug: BUG-ID, severity, file, line range, description, suggested fix direction, tech stack context. Omit: Skeptic challenges, Referee reasoning.