Releases: codexstar69/bug-hunter

v3.0.8 — Reliability Hardening

13 Mar 05:04

What's New

Reliability Hardening — 11 Bugs Fixed, 0 Test Failures

Systematic audit of the entire pipeline. 10 previously-failing tests now pass, 1 new test added. 61 tests, 0 failures.

High Severity Works End-to-End

All JSON schemas (findings, skeptic, referee, fix-report), severity ranking in bug-hunter-state.cjs, and payload-guard templates now recognize High as a valid severity level. Previously only Critical, Medium, and Low were accepted — valid findings were silently dropped.

Confidence Threshold Fully Wired

--confidence-threshold now propagates from the CLI through the orchestrator, through processPendingChunks, all the way to record-findings. Previously the flag was parsed but never forwarded — the pipeline always used the hardcoded default of 75.

Shell Injection Fixed in Doc-Lookup

Library names and IDs passed to the chub CLI in doc-lookup.cjs are now properly shell-quoted. Crafted library names could previously cause command injection via execSync.
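
The class of bug described above, shown as an added example that is not code from bug-hunter: a value interpolated raw into an `execSync` command string, next to a shell-quoted form and a no-shell form. It assumes a POSIX `/bin/sh`; `printf` stands in for the real CLI, and all function names and the sample input are hypothetical.

```javascript
// Added illustration, not code from bug-hunter. Assumes a POSIX /bin/sh;
// `printf` stands in for the real CLI and all function names are hypothetical.
const { execSync, execFileSync } = require('node:child_process');

// Constructed sample input: a "library name" carrying a shell metacharacter.
const CRAFTED = 'lodash; echo INJECTED';

// Inside '...' the shell treats every byte literally, so only ' itself needs
// handling: close the quote, emit an escaped quote, reopen ('\'').
function shellQuote(arg) {
  return "'" + String(arg).replace(/'/g, "'\\''") + "'";
}

// Vulnerable shape: the value is pasted raw into a shell command string,
// so `;` ends the intended command and starts a second one.
function lookupUnsafe(name) {
  return execSync(`printf '%s\\n' ${name}`, { encoding: 'utf8' });
}

// Quoted shape: same shell string, but the value arrives as one argument.
function lookupQuoted(name) {
  return execSync(`printf '%s\\n' ${shellQuote(name)}`, { encoding: 'utf8' });
}

// Alternative: skip the shell entirely; argv elements are never re-parsed.
function lookupNoShell(name) {
  return execFileSync('printf', ['%s\\n', name], { encoding: 'utf8' });
}

console.log(JSON.stringify(lookupUnsafe(CRAFTED)));
console.log(JSON.stringify(lookupQuoted(CRAFTED)));
console.log(JSON.stringify(lookupNoShell(CRAFTED)));
```

Quoting only stops the shell from interpreting the value; a name beginning with `-` can still be read as an option by the program that receives it.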

SIGKILL Timer Leak Fixed

The failsafe kill timer in runCommandOnce is now cleared on normal process exit. Previously it leaked a timer handle that could fire after the child had already exited cleanly.

Modern Bun Lockfile Support

dep-scan.cjs now detects bun.lock (text format, Bun ≥1.2) alongside the legacy bun.lockb binary format.

Worktree Commit Parsing Hardened

git log output lines with no space separator previously produced truncated hashes and wrong commit messages. This edge case is now handled correctly.

Other Fixes

  • classifyStrategy() — explicit parentheses on compound boolean conditions prevent operator-precedence misclassification
  • npm package now includes llms.txt, llms-full.txt, test-fixture/, CONTRIBUTING.md, SECURITY.md, CODE_OF_CONDUCT.md
  • Internal tooling files (autoresearch.*, handoff.md) removed from repo

Install / Update

npm install -g @codexstar/bug-hunter    # npm global
npx skills add codexstar69/bug-hunter   # cross-IDE

Full Changelog

See CHANGELOG.md

v3.0.7 — Skills-First Architecture

12 Mar 06:17

What's New

Skills-First Architecture

All pipeline agents are now first-class skills under skills/:

  • skills/hunter/ — deep behavioral code analysis
  • skills/skeptic/ — adversarial false positive elimination
  • skills/referee/ — independent verdicts with CVSS + PoC
  • skills/fixer/ — surgical code repair respecting fix strategy
  • skills/recon/ — codebase reconnaissance and risk mapping
  • skills/doc-lookup/ — unified docs (Context Hub + Context7)

Plus 4 security skills: commit-security-scan, security-review, threat-model-generation, vulnerability-validation

Publish Safety

  • prepublish-guard blocks npm publish when the git working tree is dirty or has unpushed commits
  • Prevents the "published to npm but forgot to push" problem

CI Fixes

  • Portable shell detection (SHELL env var instead of hardcoded /bin/zsh)
  • Explicit -b main for git init in tests
  • All 60 tests passing on Node 18 + 20

Full Changelog

See CHANGELOG.md

v3.0.6

12 Mar 05:21

  • Add prepublish-guard — blocks npm publish with uncommitted/unpushed changes
  • Fix CI: portable shell detection (no hardcoded /bin/zsh)
  • Fix CI: explicit -b main for git init in tests
  • Sync all v3.0.5 changes that were on npm but missing from GitHub
  • Security skills pack, PR review flow, new schemas, doc images
  • All 60 tests passing on Node 18 + 20

v3.0.4

10 Mar 21:29

  • run-bug-hunter.cjs phase command for schema-validated Skeptic, Referee, and Fixer phase execution with retry support
  • Runner tests for invalid Skeptic, Referee, and Fixer artifacts plus Markdown companion rendering
  • Preflight now checks all shipped structured-output schemas, not just findings
  • Structured-output migration now enforces orchestrated outbound validation beyond the local/manual path