@codexstar/bug-hunter 3.0.0 → 3.0.6

package/scripts/fix-lock.cjs

@@ -1,5 +1,6 @@
 #!/usr/bin/env node
 
+const crypto = require('crypto');
 const fs = require('fs');
 const os = require('os');
 const path = require('path');
@@ -7,9 +8,10 @@ const path = require('path');
 function usage() {
   console.error('Usage:');
   console.error('  fix-lock.cjs acquire <lockPath> [ttlSeconds]');
-  console.error('  fix-lock.cjs renew <lockPath>');
-  console.error('  fix-lock.cjs release <lockPath>');
+  console.error('  fix-lock.cjs renew <lockPath> <ownerToken>');
+  console.error('  fix-lock.cjs release <lockPath> <ownerToken>');
   console.error('  fix-lock.cjs status <lockPath> [ttlSeconds]');
+  console.error('  Note: acquire returns lock.ownerToken; pass it to renew/release.');
 }
 
 function nowMs() {
@@ -24,7 +26,11 @@ function readLock(lockPath) {
   if (!fs.existsSync(lockPath)) {
     return null;
   }
-  return JSON.parse(fs.readFileSync(lockPath, 'utf8'));
+  try {
+    return JSON.parse(fs.readFileSync(lockPath, 'utf8'));
+  } catch {
+    return null;
+  }
 }
 
 function pidAlive(pid) {
@@ -47,67 +53,131 @@ function lockIsStale(lockData, ttlSeconds) {
   return expired;
 }
 
-function writeLock(lockPath) {
+function writeLock(lockPath, ownerTokenRaw, exclusive = true) {
   ensureParent(lockPath);
   const lockData = {
     pid: process.pid,
     host: os.hostname(),
     cwd: process.cwd(),
+    ownerToken: ownerTokenRaw || crypto.randomUUID(),
     createdAtMs: nowMs(),
     createdAt: new Date().toISOString()
   };
-  fs.writeFileSync(lockPath, `${JSON.stringify(lockData, null, 2)}\n`, 'utf8');
+  const fd = fs.openSync(lockPath, exclusive ? 'wx' : 'w');
+  try {
+    fs.writeFileSync(fd, `${JSON.stringify(lockData, null, 2)}\n`, 'utf8');
+  } finally {
+    fs.closeSync(fd);
+  }
   return lockData;
 }
 
-function renew(lockPath) {
+function assertOwner(existing, ownerToken) {
+  if (!existing || !existing.ownerToken) {
+    return true;
+  }
+  return ownerToken === existing.ownerToken;
+}
+
+function renew(lockPath, ownerToken) {
   const existing = readLock(lockPath);
   if (!existing) {
     console.log(JSON.stringify({ ok: false, renewed: false, reason: 'no-lock' }, null, 2));
     process.exit(1);
     return;
   }
+  if (!assertOwner(existing, ownerToken)) {
+    console.log(JSON.stringify({ ok: false, renewed: false, reason: 'lock-owner-mismatch' }, null, 2));
+    process.exit(1);
+    return;
+  }
   existing.createdAtMs = nowMs();
   existing.renewedAt = new Date().toISOString();
-  fs.writeFileSync(lockPath, `${JSON.stringify(existing, null, 2)}\n`, 'utf8');
+  const tempPath = `${lockPath}.${process.pid}.tmp`;
+  fs.writeFileSync(tempPath, `${JSON.stringify(existing, null, 2)}\n`, 'utf8');
+  fs.renameSync(tempPath, lockPath);
   console.log(JSON.stringify({ ok: true, renewed: true, lock: existing }, null, 2));
 }
 
 function acquire(lockPath, ttlSeconds) {
   const existing = readLock(lockPath);
   if (!existing) {
-    const lockData = writeLock(lockPath);
-    console.log(JSON.stringify({ ok: true, acquired: true, lock: lockData }, null, 2));
-    return;
+    if (fs.existsSync(lockPath)) {
+      fs.unlinkSync(lockPath);
+    }
+    try {
+      const lockData = writeLock(lockPath);
+      console.log(JSON.stringify({ ok: true, acquired: true, lock: lockData }, null, 2));
+      return;
+    } catch (error) {
+      if (error && error.code === 'EEXIST') {
+        const current = readLock(lockPath);
+        console.log(JSON.stringify({
+          ok: false,
+          acquired: false,
+          reason: 'lock-held',
+          lock: current
+        }, null, 2));
+        process.exit(1);
+        return;
+      }
+      throw error;
+    }
   }
 
-  if (!lockIsStale(existing, ttlSeconds)) {
+  const stale = lockIsStale(existing, ttlSeconds);
+  const ownerAlive = typeof existing.pid === 'number' ? pidAlive(existing.pid) : false;
+
+  if (!stale || ownerAlive) {
     console.log(JSON.stringify({
       ok: false,
       acquired: false,
-      reason: 'lock-held',
+      reason: ownerAlive ? 'lock-held-by-live-owner' : 'lock-held',
+      stale,
+      ownerAlive,
       lock: existing
     }, null, 2));
     process.exit(1);
   }
 
   fs.unlinkSync(lockPath);
-  const lockData = writeLock(lockPath);
-  console.log(JSON.stringify({
-    ok: true,
-    acquired: true,
-    recoveredFromStaleLock: true,
-    previousLock: existing,
-    lock: lockData
-  }, null, 2));
+  try {
+    const lockData = writeLock(lockPath);
+    console.log(JSON.stringify({
+      ok: true,
+      acquired: true,
+      recoveredFromStaleLock: true,
+      previousLock: existing,
+      lock: lockData
+    }, null, 2));
+    return;
+  } catch (error) {
+    if (error && error.code === 'EEXIST') {
+      const current = readLock(lockPath);
+      console.log(JSON.stringify({
+        ok: false,
+        acquired: false,
+        reason: 'lock-held',
+        lock: current
+      }, null, 2));
+      process.exit(1);
+      return;
+    }
+    throw error;
+  }
 }
 
-function release(lockPath) {
+function release(lockPath, ownerToken) {
   const existing = readLock(lockPath);
   if (!existing) {
     console.log(JSON.stringify({ ok: true, released: false, reason: 'no-lock' }, null, 2));
     return;
   }
+  if (!assertOwner(existing, ownerToken)) {
+    console.log(JSON.stringify({ ok: false, released: false, reason: 'lock-owner-mismatch' }, null, 2));
+    process.exit(1);
+    return;
+  }
   fs.unlinkSync(lockPath);
   console.log(JSON.stringify({ ok: true, released: true, previousLock: existing }, null, 2));
 }
@@ -130,12 +200,12 @@ function status(lockPath, ttlSeconds) {
 }
 
 function main() {
-  const [command, lockPath, ttlRaw] = process.argv.slice(2);
+  const [command, lockPath, rawArg] = process.argv.slice(2);
   if (!command || !lockPath) {
     usage();
     process.exit(1);
   }
-  const ttlParsed = Number.parseInt(ttlRaw || '', 10);
+  const ttlParsed = Number.parseInt(rawArg || '', 10);
   const ttlSeconds = Number.isInteger(ttlParsed) && ttlParsed > 0 ? ttlParsed : 1800;
 
   if (command === 'acquire') {
@@ -143,11 +213,11 @@ function main() {
     return;
   }
   if (command === 'renew') {
-    renew(lockPath);
+    renew(lockPath, rawArg);
     return;
   }
   if (command === 'release') {
-    release(lockPath);
+    release(lockPath, rawArg);
     return;
   }
   if (command === 'status') {

package/scripts/payload-guard.cjs

@@ -2,6 +2,10 @@
 
 const fs = require('fs');
 const path = require('path');
+const {
+  createSchemaRef,
+  validateSchemaRef
+} = require('./schema-runtime.cjs');
 
 const REQUIRED_BY_ROLE = {
   recon: ['skillDir', 'targetFiles', 'outputSchema'],
@@ -16,20 +20,20 @@ const TEMPLATES = {
   recon: {
     skillDir: '/absolute/path/to/bug-hunter',
     targetFiles: ['src/example.ts'],
-    outputSchema: { format: 'risk-map', version: 1 }
+    outputSchema: createSchemaRef('recon')
   },
   'triage-hunter': {
     skillDir: '/absolute/path/to/bug-hunter',
     targetFiles: ['src/example.ts'],
     techStack: { framework: '', auth: '', database: '', dependencies: [] },
-    outputSchema: { format: 'triage-findings', version: 1 }
+    outputSchema: createSchemaRef('findings')
   },
   hunter: {
     skillDir: '/absolute/path/to/bug-hunter',
     targetFiles: ['src/example.ts'],
     riskMap: { critical: [], high: [], medium: [], contextOnly: [] },
     techStack: { framework: '', auth: '', database: '', dependencies: [] },
-    outputSchema: { format: 'findings', version: 1 }
+    outputSchema: createSchemaRef('findings')
   },
   skeptic: {
     skillDir: '/absolute/path/to/bug-hunter',
@@ -46,13 +50,24 @@ const TEMPLATES = {
       }
     ],
     techStack: { framework: '', auth: '', database: '', dependencies: [] },
-    outputSchema: { format: 'challenges', version: 1 }
+    outputSchema: createSchemaRef('skeptic')
   },
   referee: {
     skillDir: '/absolute/path/to/bug-hunter',
-    findings: [{ bugId: 'BUG-1', severity: '', file: '', lines: '', claim: '', evidence: '', runtimeTrigger: '' }],
+    findings: [{
+      bugId: 'BUG-1',
+      severity: 'Critical',
+      category: 'security',
+      file: 'src/example.ts',
+      lines: '10-15',
+      claim: 'One-sentence description of the bug',
+      evidence: 'Exact code quote from the file',
+      runtimeTrigger: 'Specific scenario that triggers this bug',
+      crossReferences: ['Single file'],
+      confidenceScore: 92
+    }],
     skepticResults: { accepted: ['BUG-1'], disproved: [], details: [] },
-    outputSchema: { format: 'verdicts', version: 1 }
+    outputSchema: createSchemaRef('referee')
   },
   fixer: {
     skillDir: '/absolute/path/to/bug-hunter',
@@ -67,7 +82,7 @@ const TEMPLATES = {
       }
     ],
     techStack: { framework: '', auth: '', database: '', dependencies: [] },
-    outputSchema: { format: 'fix-report', version: 1 }
+    outputSchema: createSchemaRef('fix-report')
   }
 };
 
@@ -130,9 +145,8 @@ function validate(role, payload) {
   }
 
   if ('outputSchema' in payload) {
-    if (!payload.outputSchema || typeof payload.outputSchema !== 'object') {
-      errors.push('outputSchema must be an object');
-    }
+    const schemaValidation = validateSchemaRef(payload.outputSchema);
+    errors.push(...schemaValidation.errors);
   }
 
   return {

package/scripts/pr-scope.cjs

@@ -0,0 +1,181 @@
+#!/usr/bin/env node
+
+const childProcess = require('child_process');
+const path = require('path');
+
+function usage() {
+  console.error('Usage:');
+  console.error('  pr-scope.cjs resolve <current|recent|pr-number> [--repo-root <path>] [--base <branch>] [--gh-bin <path>] [--git-bin <path>]');
+}
+
+function parseOptions(argv) {
+  const options = {};
+  let index = 0;
+  while (index < argv.length) {
+    const token = argv[index];
+    if (!token.startsWith('--')) {
+      index += 1;
+      continue;
+    }
+    const key = token.slice(2);
+    const value = argv[index + 1];
+    if (!value || value.startsWith('--')) {
+      options[key] = 'true';
+      index += 1;
+      continue;
+    }
+    options[key] = value;
+    index += 2;
+  }
+  return options;
+}
+
+function runJson(bin, args, cwd) {
+  const result = childProcess.spawnSync(bin, args, {
+    encoding: 'utf8',
+    cwd
+  });
+  if (result.status !== 0) {
+    const stderr = (result.stderr || '').trim();
+    const stdout = (result.stdout || '').trim();
+    throw new Error(stderr || stdout || `${bin} ${args.join(' ')} failed`);
+  }
+  const output = (result.stdout || '').trim();
+  return output ? JSON.parse(output) : null;
+}
+
+function runLines(bin, args, cwd) {
+  const result = childProcess.spawnSync(bin, args, {
+    encoding: 'utf8',
+    cwd
+  });
+  if (result.status !== 0) {
+    const stderr = (result.stderr || '').trim();
+    const stdout = (result.stdout || '').trim();
+    throw new Error(stderr || stdout || `${bin} ${args.join(' ')} failed`);
+  }
+  return (result.stdout || '')
+    .split(/\r?\n/)
+    .map((line) => line.trim())
+    .filter(Boolean);
+}
+
+function ghMetadataSelector(selector) {
+  if (selector === 'current') {
+    return [];
+  }
+  return [String(selector)];
+}
+
+function resolveWithGh({ selector, ghBin, cwd }) {
+  if (selector === 'recent') {
+    const list = runJson(ghBin, [
+      'pr',
+      'list',
+      '--limit',
+      '1',
+      '--state',
+      'open',
+      '--json',
+      'number,title,headRefName,baseRefName,url'
+    ], cwd);
+    const pr = Array.isArray(list) ? list[0] : null;
+    if (!pr) {
+      throw new Error('No recent pull requests found');
+    }
+    const changedFiles = runLines(ghBin, ['pr', 'diff', String(pr.number), '--name-only'], cwd);
+    return {
+      ok: true,
+      source: 'gh',
+      selector,
+      pr,
+      changedFiles
+    };
+  }
+
+  const pr = runJson(ghBin, [
+    'pr',
+    'view',
+    ...ghMetadataSelector(selector),
+    '--json',
+    'number,title,headRefName,baseRefName,url'
+  ], cwd);
+  const changedFiles = runLines(ghBin, ['pr', 'diff', ...ghMetadataSelector(selector), '--name-only'], cwd);
+  return {
+    ok: true,
+    source: 'gh',
+    selector,
+    pr,
+    changedFiles
+  };
+}
+
+function resolveDefaultBaseBranch({ gitBin, cwd, explicitBase }) {
+  if (explicitBase) {
+    return { baseRefName: explicitBase, diffBaseRef: explicitBase };
+  }
+
+  const symbolicRef = runLines(gitBin, ['symbolic-ref', 'refs/remotes/origin/HEAD'], cwd)[0];
+  const match = symbolicRef && symbolicRef.match(/^refs\/remotes\/origin\/(.+)$/);
+  if (match && match[1]) {
+    return { baseRefName: match[1], diffBaseRef: `origin/${match[1]}` };
+  }
+
+  throw new Error('Unable to determine default base branch for git fallback');
+}
+
+function resolveWithGitFallback({ gitBin, cwd, base }) {
+  const headRefName = runLines(gitBin, ['rev-parse', '--abbrev-ref', 'HEAD'], cwd)[0];
+  const { baseRefName, diffBaseRef } = resolveDefaultBaseBranch({ gitBin, cwd, explicitBase: base });
+  const changedFiles = runLines(gitBin, ['diff', '--name-only', `${diffBaseRef}...${headRefName}`], cwd);
+  return {
+    ok: true,
+    source: 'git',
+    selector: 'current',
+    pr: {
+      number: null,
+      title: `Current branch diff (${headRefName} vs ${baseRefName})`,
+      headRefName,
+      baseRefName,
+      url: null
+    },
+    changedFiles
+  };
+}
+
+function resolveScope({ selector, options }) {
+  const cwd = path.resolve(options['repo-root'] || process.cwd());
+  const ghBin = options['gh-bin'] || process.env.BUG_HUNTER_GH_BIN || 'gh';
+  const gitBin = options['git-bin'] || process.env.BUG_HUNTER_GIT_BIN || 'git';
+  const base = options.base || null;
+
+  try {
+    return resolveWithGh({ selector, ghBin, cwd });
+  } catch (error) {
+    if (selector !== 'current') {
+      throw error;
+    }
+    const fallback = resolveWithGitFallback({ gitBin, cwd, base });
+    fallback.fallbackReason = error instanceof Error ? error.message : String(error);
+    return fallback;
+  }
+}
+
+function main() {
+  const [command, selector, ...rest] = process.argv.slice(2);
+  if (command !== 'resolve' || !selector) {
+    usage();
+    process.exit(1);
+  }
+  const options = parseOptions(rest);
+  const result = resolveScope({ selector, options });
+  console.log(JSON.stringify(result, null, 2));
+}
+
+try {
+  main();
+} catch (error) {
+  const message = error instanceof Error ? error.message : String(error);
+  console.error(message);
+  process.exit(1);
+}

package/scripts/prepublish-guard.cjs

@@ -0,0 +1,82 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * prepublish-guard.cjs
+ *
+ * Blocks `npm publish` unless:
+ *   1. Git working tree is clean (no uncommitted changes)
+ *   2. Current HEAD is pushed to origin (no unpushed commits)
+ *   3. package.json version matches the git tag (if tag exists)
+ *
+ * This prevents the "published to npm but forgot to commit/push" problem.
+ * Bypass with: SKIP_PREPUBLISH_GUARD=1 npm publish
+ */
+
+const { execSync } = require('child_process');
+
+if (process.env.SKIP_PREPUBLISH_GUARD === '1') {
+  console.log('⚠️  prepublish-guard: SKIPPED (SKIP_PREPUBLISH_GUARD=1)');
+  process.exit(0);
+}
+
+const run = (cmd) => execSync(cmd, { encoding: 'utf8' }).trim();
+
+const errors = [];
+
+// 1. Check for uncommitted changes
+try {
+  const status = run('git status --porcelain');
+  if (status) {
+    errors.push(
+      '❌ Uncommitted changes detected. Commit or stash before publishing.\n' +
+      status.split('\n').map(l => `   ${l}`).join('\n')
+    );
+  }
+} catch {
+  errors.push('❌ Not a git repository or git not available.');
+}
+
+// 2. Check for unpushed commits
+try {
+  const unpushed = run('git log --oneline origin/main..HEAD 2>/dev/null');
+  if (unpushed) {
+    errors.push(
+      '❌ Unpushed commits. Run `git push` before publishing.\n' +
+      unpushed.split('\n').map(l => `   ${l}`).join('\n')
+    );
+  }
+} catch {
+  // If origin/main doesn't exist, skip this check
+}
+
+// 3. Version/tag consistency check
+try {
+  const version = require('../package.json').version;
+  const tagExists = (() => {
+    try { run(`git rev-parse v${version} 2>/dev/null`); return true; } catch { return false; }
+  })();
+  if (tagExists) {
+    const tagCommit = run(`git rev-parse v${version}`);
+    const headCommit = run('git rev-parse HEAD');
+    if (tagCommit !== headCommit) {
+      errors.push(
+        `❌ Tag v${version} exists but points to a different commit.\n` +
+        `   Tag:  ${tagCommit.slice(0, 8)}\n` +
+        `   HEAD: ${headCommit.slice(0, 8)}\n` +
+        `   Bump the version or move the tag.`
+      );
+    }
+  }
+} catch {
+  // Non-fatal
+}
+
+if (errors.length > 0) {
+  console.error('\n🛑 prepublish-guard: publish blocked\n');
+  errors.forEach(e => console.error(e + '\n'));
+  console.error('Bypass with: SKIP_PREPUBLISH_GUARD=1 npm publish\n');
+  process.exit(1);
+}
+
+console.log('✅ prepublish-guard: clean tree, all pushed — safe to publish');