npm - @codexstar/bug-hunter - Versions diffs - 3.0.0 → 3.0.5 - Mend

@codexstar/bug-hunter 3.0.0 → 3.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (77) hide show

package/CHANGELOG.md +149 -83
package/README.md +150 -15
package/SKILL.md +94 -27
package/agents/openai.yaml +4 -0
package/bin/bug-hunter +9 -3
package/docs/images/2026-03-12-fix-plan-rollout.png +0 -0
package/docs/images/2026-03-12-hero-bug-hunter-overview.png +0 -0
package/docs/images/2026-03-12-machine-readable-artifacts.png +0 -0
package/docs/images/2026-03-12-pr-review-flow.png +0 -0
package/docs/images/2026-03-12-security-pack.png +0 -0
package/docs/images/adversarial-debate.png +0 -0
package/docs/images/doc-verify-fix-plan.png +0 -0
package/docs/images/hero.png +0 -0
package/docs/images/pipeline-overview.png +0 -0
package/docs/images/security-finding-card.png +0 -0
package/docs/plans/2026-03-11-structured-output-migration-plan.md +288 -0
package/docs/plans/2026-03-12-audit-bug-fixes-surgical-plan.md +193 -0
package/docs/plans/2026-03-12-enterprise-security-pack-e2e-plan.md +59 -0
package/docs/plans/2026-03-12-local-security-skills-integration-plan.md +39 -0
package/docs/plans/2026-03-12-pr-review-strategic-fix-flow.md +78 -0
package/evals/evals.json +366 -102
package/modes/extended.md +2 -2
package/modes/fix-loop.md +30 -30
package/modes/fix-pipeline.md +32 -6
package/modes/large-codebase.md +14 -15
package/modes/local-sequential.md +44 -20
package/modes/loop.md +56 -56
package/modes/parallel.md +3 -3
package/modes/scaled.md +2 -2
package/modes/single-file.md +3 -3
package/modes/small.md +11 -11
package/package.json +10 -1
package/prompts/fixer.md +37 -23
package/prompts/hunter.md +39 -20
package/prompts/referee.md +34 -20
package/prompts/skeptic.md +25 -22
package/schemas/coverage.schema.json +67 -0
package/schemas/examples/findings.invalid.json +13 -0
package/schemas/examples/findings.valid.json +17 -0
package/schemas/findings.schema.json +76 -0
package/schemas/fix-plan.schema.json +94 -0
package/schemas/fix-report.schema.json +105 -0
package/schemas/fix-strategy.schema.json +99 -0
package/schemas/recon.schema.json +31 -0
package/schemas/referee.schema.json +46 -0
package/schemas/shared.schema.json +51 -0
package/schemas/skeptic.schema.json +21 -0
package/scripts/bug-hunter-state.cjs +35 -12
package/scripts/code-index.cjs +11 -4
package/scripts/fix-lock.cjs +95 -25
package/scripts/payload-guard.cjs +24 -10
package/scripts/pr-scope.cjs +181 -0
package/scripts/render-report.cjs +346 -0
package/scripts/run-bug-hunter.cjs +667 -32
package/scripts/schema-runtime.cjs +273 -0
package/scripts/schema-validate.cjs +40 -0
package/scripts/tests/bug-hunter-state.test.cjs +68 -3
package/scripts/tests/code-index.test.cjs +15 -0
package/scripts/tests/fix-lock.test.cjs +60 -2
package/scripts/tests/fixtures/flaky-worker.cjs +6 -1
package/scripts/tests/fixtures/low-confidence-worker.cjs +8 -2
package/scripts/tests/fixtures/success-worker.cjs +6 -1
package/scripts/tests/payload-guard.test.cjs +154 -2
package/scripts/tests/pr-scope.test.cjs +212 -0
package/scripts/tests/render-report.test.cjs +180 -0
package/scripts/tests/run-bug-hunter.test.cjs +686 -2
package/scripts/tests/security-skills-integration.test.cjs +29 -0
package/scripts/tests/skills-packaging.test.cjs +30 -0
package/scripts/tests/worktree-harvest.test.cjs +66 -0
package/scripts/worktree-harvest.cjs +62 -9
package/skills/README.md +19 -0
package/skills/commit-security-scan/SKILL.md +63 -0
package/skills/security-review/SKILL.md +57 -0
package/skills/threat-model-generation/SKILL.md +47 -0
package/skills/vulnerability-validation/SKILL.md +59 -0
package/templates/subagent-wrapper.md +12 -3
package/modes/_dispatch.md +0 -121

package/scripts/fix-lock.cjs CHANGED Viewed

@@ -1,5 +1,6 @@
 #!/usr/bin/env node
+const crypto = require('crypto');
 const fs = require('fs');
 const os = require('os');
 const path = require('path');
@@ -7,9 +8,10 @@ const path = require('path');
 function usage() {
   console.error('Usage:');
   console.error('  fix-lock.cjs acquire <lockPath> [ttlSeconds]');
-  console.error('  fix-lock.cjs renew <lockPath>');
-  console.error('  fix-lock.cjs release <lockPath>');
+  console.error('  fix-lock.cjs renew <lockPath> <ownerToken>');
+  console.error('  fix-lock.cjs release <lockPath> <ownerToken>');
   console.error('  fix-lock.cjs status <lockPath> [ttlSeconds]');
+  console.error('  Note: acquire returns lock.ownerToken; pass it to renew/release.');
 }
 function nowMs() {
@@ -24,7 +26,11 @@ function readLock(lockPath) {
   if (!fs.existsSync(lockPath)) {
     return null;
   }
-  return JSON.parse(fs.readFileSync(lockPath, 'utf8'));
+  try {
+    return JSON.parse(fs.readFileSync(lockPath, 'utf8'));
+  } catch {
+    return null;
+  }
 }
 function pidAlive(pid) {
@@ -47,67 +53,131 @@ function lockIsStale(lockData, ttlSeconds) {
   return expired;
 }
-function writeLock(lockPath) {
+function writeLock(lockPath, ownerTokenRaw, exclusive = true) {
   ensureParent(lockPath);
   const lockData = {
     pid: process.pid,
     host: os.hostname(),
     cwd: process.cwd(),
+    ownerToken: ownerTokenRaw || crypto.randomUUID(),
     createdAtMs: nowMs(),
     createdAt: new Date().toISOString()
   };
-  fs.writeFileSync(lockPath, `${JSON.stringify(lockData, null, 2)}\n`, 'utf8');
+  const fd = fs.openSync(lockPath, exclusive ? 'wx' : 'w');
+  try {
+    fs.writeFileSync(fd, `${JSON.stringify(lockData, null, 2)}\n`, 'utf8');
+  } finally {
+    fs.closeSync(fd);
+  }
   return lockData;
 }
-function renew(lockPath) {
+function assertOwner(existing, ownerToken) {
+  if (!existing || !existing.ownerToken) {
+    return true;
+  }
+  return ownerToken === existing.ownerToken;
+}
+function renew(lockPath, ownerToken) {
   const existing = readLock(lockPath);
   if (!existing) {
     console.log(JSON.stringify({ ok: false, renewed: false, reason: 'no-lock' }, null, 2));
     process.exit(1);
     return;
   }
+  if (!assertOwner(existing, ownerToken)) {
+    console.log(JSON.stringify({ ok: false, renewed: false, reason: 'lock-owner-mismatch' }, null, 2));
+    process.exit(1);
+    return;
+  }
   existing.createdAtMs = nowMs();
   existing.renewedAt = new Date().toISOString();
-  fs.writeFileSync(lockPath, `${JSON.stringify(existing, null, 2)}\n`, 'utf8');
+  const tempPath = `${lockPath}.${process.pid}.tmp`;
+  fs.writeFileSync(tempPath, `${JSON.stringify(existing, null, 2)}\n`, 'utf8');
+  fs.renameSync(tempPath, lockPath);
   console.log(JSON.stringify({ ok: true, renewed: true, lock: existing }, null, 2));
 }
 function acquire(lockPath, ttlSeconds) {
   const existing = readLock(lockPath);
   if (!existing) {
-    const lockData = writeLock(lockPath);
-    console.log(JSON.stringify({ ok: true, acquired: true, lock: lockData }, null, 2));
-    return;
+    if (fs.existsSync(lockPath)) {
+      fs.unlinkSync(lockPath);
+    }
+    try {
+      const lockData = writeLock(lockPath);
+      console.log(JSON.stringify({ ok: true, acquired: true, lock: lockData }, null, 2));
+      return;
+    } catch (error) {
+      if (error && error.code === 'EEXIST') {
+        const current = readLock(lockPath);
+        console.log(JSON.stringify({
+          ok: false,
+          acquired: false,
+          reason: 'lock-held',
+          lock: current
+        }, null, 2));
+        process.exit(1);
+        return;
+      }
+      throw error;
+    }
   }
-  if (!lockIsStale(existing, ttlSeconds)) {
+  const stale = lockIsStale(existing, ttlSeconds);
+  const ownerAlive = typeof existing.pid === 'number' ? pidAlive(existing.pid) : false;
+  if (!stale || ownerAlive) {
     console.log(JSON.stringify({
       ok: false,
       acquired: false,
-      reason: 'lock-held',
+      reason: ownerAlive ? 'lock-held-by-live-owner' : 'lock-held',
+      stale,
+      ownerAlive,
       lock: existing
     }, null, 2));
     process.exit(1);
   }
   fs.unlinkSync(lockPath);
-  const lockData = writeLock(lockPath);
-  console.log(JSON.stringify({
-    ok: true,
-    acquired: true,
-    recoveredFromStaleLock: true,
-    previousLock: existing,
-    lock: lockData
-  }, null, 2));
+  try {
+    const lockData = writeLock(lockPath);
+    console.log(JSON.stringify({
+      ok: true,
+      acquired: true,
+      recoveredFromStaleLock: true,
+      previousLock: existing,
+      lock: lockData
+    }, null, 2));
+    return;
+  } catch (error) {
+    if (error && error.code === 'EEXIST') {
+      const current = readLock(lockPath);
+      console.log(JSON.stringify({
+        ok: false,
+        acquired: false,
+        reason: 'lock-held',
+        lock: current
+      }, null, 2));
+      process.exit(1);
+      return;
+    }
+    throw error;
+  }
 }
-function release(lockPath) {
+function release(lockPath, ownerToken) {
   const existing = readLock(lockPath);
   if (!existing) {
     console.log(JSON.stringify({ ok: true, released: false, reason: 'no-lock' }, null, 2));
     return;
   }
+  if (!assertOwner(existing, ownerToken)) {
+    console.log(JSON.stringify({ ok: false, released: false, reason: 'lock-owner-mismatch' }, null, 2));
+    process.exit(1);
+    return;
+  }
   fs.unlinkSync(lockPath);
   console.log(JSON.stringify({ ok: true, released: true, previousLock: existing }, null, 2));
 }
@@ -130,12 +200,12 @@ function status(lockPath, ttlSeconds) {
 }
 function main() {
-  const [command, lockPath, ttlRaw] = process.argv.slice(2);
+  const [command, lockPath, rawArg] = process.argv.slice(2);
   if (!command || !lockPath) {
     usage();
     process.exit(1);
   }
-  const ttlParsed = Number.parseInt(ttlRaw || '', 10);
+  const ttlParsed = Number.parseInt(rawArg || '', 10);
   const ttlSeconds = Number.isInteger(ttlParsed) && ttlParsed > 0 ? ttlParsed : 1800;
   if (command === 'acquire') {
@@ -143,11 +213,11 @@ function main() {
     return;
   }
   if (command === 'renew') {
-    renew(lockPath);
+    renew(lockPath, rawArg);
     return;
   }
   if (command === 'release') {
-    release(lockPath);
+    release(lockPath, rawArg);
     return;
   }
   if (command === 'status') {

package/scripts/payload-guard.cjs CHANGED Viewed

@@ -2,6 +2,10 @@
 const fs = require('fs');
 const path = require('path');
+const {
+  createSchemaRef,
+  validateSchemaRef
+} = require('./schema-runtime.cjs');
 const REQUIRED_BY_ROLE = {
   recon: ['skillDir', 'targetFiles', 'outputSchema'],
@@ -16,20 +20,20 @@ const TEMPLATES = {
   recon: {
     skillDir: '/absolute/path/to/bug-hunter',
     targetFiles: ['src/example.ts'],
-    outputSchema: { format: 'risk-map', version: 1 }
+    outputSchema: createSchemaRef('recon')
   },
   'triage-hunter': {
     skillDir: '/absolute/path/to/bug-hunter',
     targetFiles: ['src/example.ts'],
     techStack: { framework: '', auth: '', database: '', dependencies: [] },
-    outputSchema: { format: 'triage-findings', version: 1 }
+    outputSchema: createSchemaRef('findings')
   },
   hunter: {
     skillDir: '/absolute/path/to/bug-hunter',
     targetFiles: ['src/example.ts'],
     riskMap: { critical: [], high: [], medium: [], contextOnly: [] },
     techStack: { framework: '', auth: '', database: '', dependencies: [] },
-    outputSchema: { format: 'findings', version: 1 }
+    outputSchema: createSchemaRef('findings')
   },
   skeptic: {
     skillDir: '/absolute/path/to/bug-hunter',
@@ -46,13 +50,24 @@ const TEMPLATES = {
       }
     ],
     techStack: { framework: '', auth: '', database: '', dependencies: [] },
-    outputSchema: { format: 'challenges', version: 1 }
+    outputSchema: createSchemaRef('skeptic')
   },
   referee: {
     skillDir: '/absolute/path/to/bug-hunter',
-    findings: [{ bugId: 'BUG-1', severity: '', file: '', lines: '', claim: '', evidence: '', runtimeTrigger: '' }],
+    findings: [{
+      bugId: 'BUG-1',
+      severity: 'Critical',
+      category: 'security',
+      file: 'src/example.ts',
+      lines: '10-15',
+      claim: 'One-sentence description of the bug',
+      evidence: 'Exact code quote from the file',
+      runtimeTrigger: 'Specific scenario that triggers this bug',
+      crossReferences: ['Single file'],
+      confidenceScore: 92
+    }],
     skepticResults: { accepted: ['BUG-1'], disproved: [], details: [] },
-    outputSchema: { format: 'verdicts', version: 1 }
+    outputSchema: createSchemaRef('referee')
   },
   fixer: {
     skillDir: '/absolute/path/to/bug-hunter',
@@ -67,7 +82,7 @@ const TEMPLATES = {
       }
     ],
     techStack: { framework: '', auth: '', database: '', dependencies: [] },
-    outputSchema: { format: 'fix-report', version: 1 }
+    outputSchema: createSchemaRef('fix-report')
   }
 };
@@ -130,9 +145,8 @@ function validate(role, payload) {
   }
   if ('outputSchema' in payload) {
-    if (!payload.outputSchema || typeof payload.outputSchema !== 'object') {
-      errors.push('outputSchema must be an object');
-    }
+    const schemaValidation = validateSchemaRef(payload.outputSchema);
+    errors.push(...schemaValidation.errors);
   }
   return {

package/scripts/pr-scope.cjs ADDED Viewed

@@ -0,0 +1,181 @@
+#!/usr/bin/env node
+const childProcess = require('child_process');
+const path = require('path');
+function usage() {
+  console.error('Usage:');
+  console.error('  pr-scope.cjs resolve <current|recent|pr-number> [--repo-root <path>] [--base <branch>] [--gh-bin <path>] [--git-bin <path>]');
+}
+function parseOptions(argv) {
+  const options = {};
+  let index = 0;
+  while (index < argv.length) {
+    const token = argv[index];
+    if (!token.startsWith('--')) {
+      index += 1;
+      continue;
+    }
+    const key = token.slice(2);
+    const value = argv[index + 1];
+    if (!value || value.startsWith('--')) {
+      options[key] = 'true';
+      index += 1;
+      continue;
+    }
+    options[key] = value;
+    index += 2;
+  }
+  return options;
+}
+function runJson(bin, args, cwd) {
+  const result = childProcess.spawnSync(bin, args, {
+    encoding: 'utf8',
+    cwd
+  });
+  if (result.status !== 0) {
+    const stderr = (result.stderr || '').trim();
+    const stdout = (result.stdout || '').trim();
+    throw new Error(stderr || stdout || `${bin} ${args.join(' ')} failed`);
+  }
+  const output = (result.stdout || '').trim();
+  return output ? JSON.parse(output) : null;
+}
+function runLines(bin, args, cwd) {
+  const result = childProcess.spawnSync(bin, args, {
+    encoding: 'utf8',
+    cwd
+  });
+  if (result.status !== 0) {
+    const stderr = (result.stderr || '').trim();
+    const stdout = (result.stdout || '').trim();
+    throw new Error(stderr || stdout || `${bin} ${args.join(' ')} failed`);
+  }
+  return (result.stdout || '')
+    .split(/\r?\n/)
+    .map((line) => line.trim())
+    .filter(Boolean);
+}
+function ghMetadataSelector(selector) {
+  if (selector === 'current') {
+    return [];
+  }
+  return [String(selector)];
+}
+function resolveWithGh({ selector, ghBin, cwd }) {
+  if (selector === 'recent') {
+    const list = runJson(ghBin, [
+      'pr',
+      'list',
+      '--limit',
+      '1',
+      '--state',
+      'open',
+      '--json',
+      'number,title,headRefName,baseRefName,url'
+    ], cwd);
+    const pr = Array.isArray(list) ? list[0] : null;
+    if (!pr) {
+      throw new Error('No recent pull requests found');
+    }
+    const changedFiles = runLines(ghBin, ['pr', 'diff', String(pr.number), '--name-only'], cwd);
+    return {
+      ok: true,
+      source: 'gh',
+      selector,
+      pr,
+      changedFiles
+    };
+  }
+  const pr = runJson(ghBin, [
+    'pr',
+    'view',
+    ...ghMetadataSelector(selector),
+    '--json',
+    'number,title,headRefName,baseRefName,url'
+  ], cwd);
+  const changedFiles = runLines(ghBin, ['pr', 'diff', ...ghMetadataSelector(selector), '--name-only'], cwd);
+  return {
+    ok: true,
+    source: 'gh',
+    selector,
+    pr,
+    changedFiles
+  };
+}
+function resolveDefaultBaseBranch({ gitBin, cwd, explicitBase }) {
+  if (explicitBase) {
+    return { baseRefName: explicitBase, diffBaseRef: explicitBase };
+  }
+  const symbolicRef = runLines(gitBin, ['symbolic-ref', 'refs/remotes/origin/HEAD'], cwd)[0];
+  const match = symbolicRef && symbolicRef.match(/^refs\/remotes\/origin\/(.+)$/);
+  if (match && match[1]) {
+    return { baseRefName: match[1], diffBaseRef: `origin/${match[1]}` };
+  }
+  throw new Error('Unable to determine default base branch for git fallback');
+}
+function resolveWithGitFallback({ gitBin, cwd, base }) {
+  const headRefName = runLines(gitBin, ['rev-parse', '--abbrev-ref', 'HEAD'], cwd)[0];
+  const { baseRefName, diffBaseRef } = resolveDefaultBaseBranch({ gitBin, cwd, explicitBase: base });
+  const changedFiles = runLines(gitBin, ['diff', '--name-only', `${diffBaseRef}...${headRefName}`], cwd);
+  return {
+    ok: true,
+    source: 'git',
+    selector: 'current',
+    pr: {
+      number: null,
+      title: `Current branch diff (${headRefName} vs ${baseRefName})`,
+      headRefName,
+      baseRefName,
+      url: null
+    },
+    changedFiles
+  };
+}
+function resolveScope({ selector, options }) {
+  const cwd = path.resolve(options['repo-root'] || process.cwd());
+  const ghBin = options['gh-bin'] || process.env.BUG_HUNTER_GH_BIN || 'gh';
+  const gitBin = options['git-bin'] || process.env.BUG_HUNTER_GIT_BIN || 'git';
+  const base = options.base || null;
+  try {
+    return resolveWithGh({ selector, ghBin, cwd });
+  } catch (error) {
+    if (selector !== 'current') {
+      throw error;
+    }
+    const fallback = resolveWithGitFallback({ gitBin, cwd, base });
+    fallback.fallbackReason = error instanceof Error ? error.message : String(error);
+    return fallback;
+  }
+}
+function main() {
+  const [command, selector, ...rest] = process.argv.slice(2);
+  if (command !== 'resolve' || !selector) {
+    usage();
+    process.exit(1);
+  }
+  const options = parseOptions(rest);
+  const result = resolveScope({ selector, options });
+  console.log(JSON.stringify(result, null, 2));
+}
+try {
+  main();
+} catch (error) {
+  const message = error instanceof Error ? error.message : String(error);
+  console.error(message);
+  process.exit(1);
+}