@codexstar/bug-hunter 3.0.0 → 3.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (78)
  1. package/CHANGELOG.md +149 -83
  2. package/README.md +150 -15
  3. package/SKILL.md +94 -27
  4. package/agents/openai.yaml +4 -0
  5. package/bin/bug-hunter +9 -3
  6. package/docs/images/2026-03-12-fix-plan-rollout.png +0 -0
  7. package/docs/images/2026-03-12-hero-bug-hunter-overview.png +0 -0
  8. package/docs/images/2026-03-12-machine-readable-artifacts.png +0 -0
  9. package/docs/images/2026-03-12-pr-review-flow.png +0 -0
  10. package/docs/images/2026-03-12-security-pack.png +0 -0
  11. package/docs/images/adversarial-debate.png +0 -0
  12. package/docs/images/doc-verify-fix-plan.png +0 -0
  13. package/docs/images/hero.png +0 -0
  14. package/docs/images/pipeline-overview.png +0 -0
  15. package/docs/images/security-finding-card.png +0 -0
  16. package/docs/plans/2026-03-11-structured-output-migration-plan.md +288 -0
  17. package/docs/plans/2026-03-12-audit-bug-fixes-surgical-plan.md +193 -0
  18. package/docs/plans/2026-03-12-enterprise-security-pack-e2e-plan.md +59 -0
  19. package/docs/plans/2026-03-12-local-security-skills-integration-plan.md +39 -0
  20. package/docs/plans/2026-03-12-pr-review-strategic-fix-flow.md +78 -0
  21. package/evals/evals.json +366 -102
  22. package/modes/extended.md +2 -2
  23. package/modes/fix-loop.md +30 -30
  24. package/modes/fix-pipeline.md +32 -6
  25. package/modes/large-codebase.md +14 -15
  26. package/modes/local-sequential.md +44 -20
  27. package/modes/loop.md +56 -56
  28. package/modes/parallel.md +3 -3
  29. package/modes/scaled.md +2 -2
  30. package/modes/single-file.md +3 -3
  31. package/modes/small.md +11 -11
  32. package/package.json +11 -1
  33. package/prompts/fixer.md +37 -23
  34. package/prompts/hunter.md +39 -20
  35. package/prompts/referee.md +34 -20
  36. package/prompts/skeptic.md +25 -22
  37. package/schemas/coverage.schema.json +67 -0
  38. package/schemas/examples/findings.invalid.json +13 -0
  39. package/schemas/examples/findings.valid.json +17 -0
  40. package/schemas/findings.schema.json +76 -0
  41. package/schemas/fix-plan.schema.json +94 -0
  42. package/schemas/fix-report.schema.json +105 -0
  43. package/schemas/fix-strategy.schema.json +99 -0
  44. package/schemas/recon.schema.json +31 -0
  45. package/schemas/referee.schema.json +46 -0
  46. package/schemas/shared.schema.json +51 -0
  47. package/schemas/skeptic.schema.json +21 -0
  48. package/scripts/bug-hunter-state.cjs +35 -12
  49. package/scripts/code-index.cjs +11 -4
  50. package/scripts/fix-lock.cjs +95 -25
  51. package/scripts/payload-guard.cjs +24 -10
  52. package/scripts/pr-scope.cjs +181 -0
  53. package/scripts/prepublish-guard.cjs +82 -0
  54. package/scripts/render-report.cjs +346 -0
  55. package/scripts/run-bug-hunter.cjs +669 -33
  56. package/scripts/schema-runtime.cjs +273 -0
  57. package/scripts/schema-validate.cjs +40 -0
  58. package/scripts/tests/bug-hunter-state.test.cjs +68 -3
  59. package/scripts/tests/code-index.test.cjs +15 -0
  60. package/scripts/tests/fix-lock.test.cjs +60 -2
  61. package/scripts/tests/fixtures/flaky-worker.cjs +6 -1
  62. package/scripts/tests/fixtures/low-confidence-worker.cjs +8 -2
  63. package/scripts/tests/fixtures/success-worker.cjs +6 -1
  64. package/scripts/tests/payload-guard.test.cjs +154 -2
  65. package/scripts/tests/pr-scope.test.cjs +212 -0
  66. package/scripts/tests/render-report.test.cjs +180 -0
  67. package/scripts/tests/run-bug-hunter.test.cjs +686 -2
  68. package/scripts/tests/security-skills-integration.test.cjs +29 -0
  69. package/scripts/tests/skills-packaging.test.cjs +30 -0
  70. package/scripts/tests/worktree-harvest.test.cjs +67 -1
  71. package/scripts/worktree-harvest.cjs +62 -9
  72. package/skills/README.md +19 -0
  73. package/skills/commit-security-scan/SKILL.md +63 -0
  74. package/skills/security-review/SKILL.md +57 -0
  75. package/skills/threat-model-generation/SKILL.md +47 -0
  76. package/skills/vulnerability-validation/SKILL.md +59 -0
  77. package/templates/subagent-wrapper.md +12 -3
  78. package/modes/_dispatch.md +0 -121
@@ -0,0 +1,78 @@
1
+ # PR Review + Strategic Fix Flow
2
+
3
+ This ExecPlan is a living document. The sections `Progress`, `Surprises & Discoveries`, `Decision Log`, and `Outcomes & Retrospective` must stay current as work lands.
4
+
5
+ ## Purpose / Big Picture
6
+
7
+ Bug Hunter already has the ingredients for branch-diff review and safe fix execution, but two user-facing workflows are still underpowered:
8
+
9
+ 1. **Review a recent PR directly** without requiring the user to manually map a PR to a branch/base diff.
10
+ 2. **Plan fixes strategically before editing code** so the tool can distinguish safe autofixes from larger remediation work.
11
+
12
+ After this change, Bug Hunter should support a first-class PR review flow and a first-class fix-strategy flow. A user should be able to run a PR-focused review against the current, recent, or numbered PR, and the tool should produce PR-specific metadata plus a focused review artifact. When bugs are confirmed, the tool should create a machine-readable fix strategy before the fixer phase starts, making the plan visible and auditable.
13
+
14
+ ## Progress
15
+
16
+ - [x] (2026-03-12 06:58Z) Audit the current codebase to confirm existing branch-diff support, fix-plan behavior, and the lack of first-class PR and strategy flows.
17
+ - [x] (2026-03-12 07:23Z) Add `scripts/pr-scope.cjs` plus tests covering `current`, `recent`, explicit numbered PR failure behavior, and git fallback for current-branch review.
18
+ - [x] (2026-03-12 07:24Z) Extend `README.md` and `SKILL.md` with first-class PR-review flags and `--plan-only` strategy-first usage.
19
+ - [x] (2026-03-12 07:26Z) Add canonical `fix-strategy` schema/runtime support plus Markdown rendering.
20
+ - [x] (2026-03-12 07:28Z) Generate `fix-strategy.json` and `fix-strategy.md` from `scripts/run-bug-hunter.cjs` before fix execution.
21
+ - [x] (2026-03-12 07:30Z) Update fix pipeline docs and fixer prompt language so strategy is explicit before patching.
22
+ - [x] (2026-03-12 07:33Z) Run `node --test scripts/tests/*.test.cjs` successfully (39/39 passing).
23
+
24
+ ## Surprises & Discoveries
25
+
26
+ - Observation: branch-diff review is already documented and partially supported, but it is branch-centric rather than PR-centric.
27
+ Evidence: `README.md` and `SKILL.md` support `-b <branch>` and `--staged`, but there is no `--pr` or `--review-pr` workflow.
28
+
29
+ - Observation: the documented fix pipeline is more strategic than the current code-level planner.
30
+ Evidence: `modes/fix-pipeline.md` describes dependency ordering, canary rollout, and circuit breaking, while `scripts/run-bug-hunter.cjs` currently builds a fix plan mostly from confidence/severity sorting plus canary slicing.
31
+
32
+ - Observation: the packaged skill copy is not a git checkout.
33
+ Evidence: `git status` fails in the working directory, so Ralph-loop safety assumptions about git history do not fully apply here.
34
+
35
+ ## Decision Log
36
+
37
+ - Decision: implement PR review as a helper-script-driven scope resolver instead of encoding GitHub logic directly into `SKILL.md` prose.
38
+ Rationale: the resolver is testable, reusable from docs/prompt flows, and lets the prompt stay focused on behavior rather than shell branching.
39
+ Date/Author: 2026-03-12 / Codex
40
+
41
+ - Decision: represent strategy as a canonical JSON artifact (`fix-strategy.json`) alongside the existing fix plan.
42
+ Rationale: strategy needs to be inspectable and machine-validated, not embedded as prose in reports.
43
+ Date/Author: 2026-03-12 / Codex
44
+
45
+ - Decision: keep the existing fix plan artifact, but enrich the pipeline with a prior strategy artifact rather than replacing the whole fix planner.
46
+ Rationale: this minimizes risk and preserves the existing verification/test harness.
47
+ Date/Author: 2026-03-12 / Codex
48
+
49
+ ## Outcomes & Retrospective
50
+
51
+ This implementation landed the intended end-to-end flow. Bug Hunter now has a reusable PR scope resolver (`scripts/pr-scope.cjs`) that turns `current`, `recent`, or explicit PR references into normalized file scope, with a safe git fallback for current-branch review when GitHub metadata is unavailable. The core orchestrator now emits `fix-strategy.json` and `fix-strategy.md` before fix execution, giving users a visible strategy layer ahead of the existing fix plan.
52
+
53
+ The work stayed low-risk because it extended existing artifacts rather than replacing them. `fix-plan.json` still drives rollout/canary handling, while `fix-strategy.json` adds the missing classification layer for safe autofix vs manual review vs larger remediation. The full automated test suite passed after the changes.
54
+
55
+ ## Context and Orientation
56
+
57
+ Relevant files for this effort:
58
+ - `SKILL.md` — user-facing orchestration instructions and argument parsing behavior.
59
+ - `README.md` — public product surface and examples.
60
+ - `scripts/run-bug-hunter.cjs` — orchestrator and fix-plan generation.
61
+ - `scripts/render-report.cjs` — human-readable report rendering from canonical JSON.
62
+ - `scripts/payload-guard.cjs` and `scripts/schema-runtime.cjs` — schema/runtime plumbing.
63
+ - `modes/fix-pipeline.md` — documented fix flow.
64
+ - `scripts/tests/run-bug-hunter.test.cjs` — orchestration safety net.
65
+
66
+ ## Plan of Work
67
+
68
+ ### Milestone 1: PR review scope resolution
69
+ Create a helper script that resolves PR input into a normalized review scope. It should support `current`, `recent`, and numeric PR references. When GitHub CLI metadata is available, it should return PR number, title, head branch, base branch, and changed files. When GitHub CLI is unavailable but the request targets the current branch, it should fall back to git-based branch diff metadata where possible.
70
+
71
+ ### Milestone 2: Strategy artifact generation
72
+ Add a canonical `fix-strategy` artifact that groups confirmed bugs into execution-oriented clusters and classifies them as safe autofix, manual review, larger refactor, or architectural remediation. Generate this artifact inside the orchestrator after findings have been normalized and before fix execution.
73
+
74
+ ### Milestone 3: Prompt and documentation alignment
75
+ Update `SKILL.md`, `README.md`, and fix-pipeline docs so the new flows are explicit: PR review is first-class, and fix execution is preceded by an explicit strategy phase.
76
+
77
+ ### Milestone 4: Validation
78
+ Add tests for PR scope resolution and orchestrator strategy generation. Run the existing test suite to guard against regressions.
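Review bot: Milestone 1 has the resolver return PR number, title, head branch, base branch and changed files from GitHub CLI metadata, but nothing in the plan notes that the title, branch names and file paths are chosen by whoever opened the PR and are therefore untrusted by the time they reach the orchestrator's prompts or any command line; add a sentence stating that the resolver reads them via structured output and hands paths to downstream steps as discrete arguments rather than splicing them into a shell string, and that the prompt flow treats the title and branch names as data, not instructions. Two smaller gaps: the `Surprises & Discoveries` entry records that `git status` fails in the packaged copy so the Ralph-loop git-history safety assumptions do not fully apply, yet no later section says what stands in for that rollback guarantee when `fix-strategy.json` marks a cluster as safe autofix, and the same applies to the git fallback in Milestone 1, which should be recorded in the emitted artifact so a reader knows the scope was derived without PR metadata; and Milestone 2 classifies bugs as safe autofix, manual review, larger refactor or architectural remediation without stating the criteria the classifier applies, which anyone auditing the strategy artifact, as the `Purpose / Big Picture` section promises they can, will need.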