v3.0.8: Update CHANGELOG, README, llms.txt, llms-full.txt, and bump version

codexstar69 · codexstar69 · commit 5d33e23d6a6b · 2026-03-13T10:25:23.000+05:30
- CHANGELOG: full 3.0.8 entry with all 11 fixes detailed
- README: updated 'New in This Update' section, test count (61), project structure (all schemas + test files)
- llms.txt: Bun 1.2+ lockfile support noted
- llms-full.txt: test count updated to 61
- package.json: version bumped to 3.0.8
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,33 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.0.8] - 2026-03-13
+
+### Highlights
+- **All 61 tests pass.** Systematic reliability audit fixed 11 bugs across schemas, scripts, and the orchestrator — 10 previously-failing tests now pass, plus one new test added.
+- **`High` severity now works end-to-end.** All JSON schemas, severity ranking functions, and payload-guard templates recognize `High` as a valid severity level.
+- **Confidence threshold is fully configurable.** The `--confidence-threshold` flag now propagates through the entire pipeline — from the orchestrator through `processPendingChunks` to `record-findings`.
+- **Shell injection fixed in doc-lookup.** Library names and IDs passed to `chub` CLI are now properly shell-quoted.
+- **Modern Bun support.** `dep-scan.cjs` detects `bun.lock` (Bun 1.2+ text format) alongside the legacy `bun.lockb` binary format.
+
+### Fixed
+- `schemas/findings.schema.json`, `schemas/skeptic.schema.json`, `schemas/referee.schema.json`, `schemas/fix-report.schema.json`: added missing `High` to severity enums — previously only `Critical`, `Medium`, and `Low` were accepted, causing valid findings to fail schema validation
+- `scripts/bug-hunter-state.cjs`: `severityRank()` now returns rank 2 for `High` severity — previously returned -1 (unknown), breaking severity ordering and dedup logic
+- `scripts/run-bug-hunter.cjs`: `classifyStrategy()` added explicit parentheses around compound conditions to prevent operator-precedence misclassification
+- `scripts/run-bug-hunter.cjs`: `runCommandOnce()` now clears the SIGKILL failsafe timer on normal exit — previously leaked a timer handle that could fire after the process had already exited
+- `scripts/run-bug-hunter.cjs`: `processPendingChunks()` now receives and forwards `confidenceThreshold` to `record-findings` — previously the configurable threshold was silently ignored, always defaulting to 75
+- `scripts/worktree-harvest.cjs`: commit log parsing no longer truncates the hash or drops the message when a `git log` line contains no space separator
+- `scripts/dep-scan.cjs`: lockfile detection now checks for `bun.lock` (text format, Bun ≥1.2) in addition to `bun.lockb`
+- `scripts/payload-guard.cjs`: hunter and fixer severity template strings now include `High` alongside `Critical`, `Medium`, and `Low`
+- `scripts/doc-lookup.cjs`: `chubSearch()` and `chubGet()` now shell-quote all interpolated arguments via single-quote wrapping — previously, library names containing shell metacharacters could cause command injection
+
+### Changed
+- `scripts/bug-hunter-state.cjs`: `record-findings` command now accepts an optional 4th positional argument for confidence threshold (defaults to 75 for backwards compatibility)
+- Test suite expanded from 50 passing / 10 failing to **61 passing / 0 failing**
+
+### Added
+- `scripts/tests/bug-hunter-state.test.cjs`: new test verifying that `High` severity findings are ranked above `Medium` and `Low`, and that re-recording with higher severity upgrades the existing ledger entry
+
 ## [3.0.7] - 2026-03-12
 
 ### Highlights
@@ -212,7 +239,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Coverage enforcement - partial audits produce explicit warnings
 - Large codebase strategy with domain-first tiered scanning
 
-[Unreleased]: https://github.com/codexstar69/bug-hunter/compare/v3.0.5...HEAD
+[Unreleased]: https://github.com/codexstar69/bug-hunter/compare/v3.0.8...HEAD
+[3.0.8]: https://github.com/codexstar69/bug-hunter/compare/v3.0.7...v3.0.8
+[3.0.7]: https://github.com/codexstar69/bug-hunter/compare/v3.0.5...v3.0.7
 [3.0.5]: https://github.com/codexstar69/bug-hunter/compare/v3.0.4...v3.0.5
 [3.0.4]: https://github.com/codexstar69/bug-hunter/compare/v3.0.3...v3.0.4
 [3.0.3]: https://github.com/codexstar69/bug-hunter/compare/v3.0.2...v3.0.3
diff --git a/README.md b/README.md
@@ -51,13 +51,15 @@ npm install -g @aisuite/chub
 
 ## New in This Update
 
-This release makes Bug Hunter much better at PR-first auditing and safer at automated remediation.
+This release is a reliability hardening pass — 11 bugs fixed, 10 previously-failing tests now pass, and the full pipeline is more robust end-to-end.
 
-- **PR review is now a first-class workflow.** Review the current PR, the most recent PR, or a specific PR number with `--pr`, `--pr current`, `--pr recent`, or `--pr 123`.
-- **PR security review is now built in.** `--pr-security` runs a PR-scoped security audit with threat-model and dependency context, without editing code.
-- **Strategic remediation is now explicit.** Bug Hunter writes `fix-strategy.json` and `fix-plan.json` before fixes run, so auto-fix decisions stay explainable and reviewable.
-- **The security pack is now bundled locally.** `commit-security-scan`, `security-review`, `threat-model-generation`, and `vulnerability-validation` now ship inside the repo under `skills/`.
-- **Fix execution is harder to break.** This update adds schema-validated fix plans, atomic lock handling, safer worktree cleanup, stash preservation, and shell-safe worker command templating.
+- **`High` severity works everywhere.** All JSON schemas, severity ranking, and payload-guard templates now recognize `High` — previously only `Critical`, `Medium`, and `Low` were accepted, silently dropping valid findings.
+- **Confidence threshold is fully wired.** `--confidence-threshold` now propagates from the CLI through the orchestrator to `record-findings`. Previously the flag was parsed but never forwarded, always defaulting to 75.
+- **Shell injection fixed in doc-lookup.** Library names passed to `chub` CLI are now properly shell-quoted — prevents command injection via crafted library names.
+- **SIGKILL timer leak fixed.** The failsafe kill timer in `runCommandOnce` is now cleared on normal exit — previously it could fire after the child had already exited.
+- **Modern Bun lockfile support.** `dep-scan.cjs` now detects `bun.lock` (text format, Bun 1.2+) alongside the legacy `bun.lockb` binary format.
+- **Worktree commit parsing hardened.** Edge case where `git log` lines with no space separator caused truncated hashes and wrong messages is now handled.
+- **61 tests, 0 failures.** Up from 50 passing / 10 failing — the test suite now covers severity ranking, schema validation, confidence threshold propagation, and shell-safe worker templating.
 
 <p align="center">
   <img src="docs/images/2026-03-12-pr-review-flow.png" alt="PR review workflow banner — pull request scope, security checks, threat-model context, and final verdict in a clean product-style UI" width="100%">
@@ -688,7 +690,7 @@ All flags compose: `/bug-hunter --deps --threat-model --fix src/`
 
 Bug Hunter ships with a test fixture containing an Express app with **6 intentionally planted bugs** (2 Critical, 3 Medium, 1 Low):
 
-The repository also ships with **60 Node.js regression tests** covering orchestration, schemas, PR scope resolution, fix-plan validation, lock behavior, worktree lifecycle, and the bundled local security-skill routing.
+The repository also ships with **61 Node.js regression tests** covering orchestration, schemas, PR scope resolution, fix-plan validation, lock behavior, worktree lifecycle, severity ranking, and the bundled local security-skill routing.
 
 ```bash
 /bug-hunter test-fixture/
@@ -758,8 +760,12 @@ bug-hunter/
 │   ├── findings.schema.json              #   Hunter findings schema
 │   ├── skeptic.schema.json               #   Skeptic artifact schema
 │   ├── referee.schema.json               #   Referee artifact schema
+│   ├── fix-report.schema.json            #   Fix report artifact schema
 │   ├── fix-strategy.schema.json          #   Strategic remediation schema
-│   └── fix-plan.schema.json              #   Fix execution schema
+│   ├── fix-plan.schema.json              #   Fix execution schema
+│   ├── coverage.schema.json              #   Coverage tracking schema
+│   ├── recon.schema.json                 #   Recon artifact schema
+│   └── shared.schema.json                #   Shared definitions
 │
 ├── skills/                               # Bundled local security pack
 │   ├── commit-security-scan/
@@ -781,6 +787,10 @@ bug-hunter/
 │   ├── code-index.cjs                    #   Cross-domain analysis (optional)
 │   └── tests/                            #   Test suite (node --test)
 │       ├── run-bug-hunter.test.cjs       #     Orchestrator tests
+│       ├── bug-hunter-state.test.cjs     #     State management tests
+│       ├── code-index.test.cjs           #     Code index tests
+│       ├── delta-mode.test.cjs           #     Delta mode tests
+│       ├── pr-scope.test.cjs             #     PR scope resolution tests
 │       └── worktree-harvest.test.cjs     #     Worktree lifecycle tests
 │
 ├── templates/
diff --git a/llms-full.txt b/llms-full.txt
@@ -166,7 +166,7 @@ bug-hunter/
 │   ├── doc-lookup.cjs     # Context Hub + Context7 doc lookup
 │   ├── context7-api.cjs   # Context7 standalone fallback
 │   ├── prepublish-guard.cjs # Publish safety net
-│   └── tests/             # Test suite (60 tests)
+│   └── tests/             # Test suite (61 tests)
 ├── templates/             # Subagent launch template
 └── test-fixture/          # 6 planted bugs for validation
 ```
diff --git a/llms.txt b/llms.txt
@@ -13,7 +13,7 @@ Bug Hunter is an automated adversarial code auditing skill for AI coding agents.
 - Security classification: STRIDE threat categories, CWE weakness IDs, CVSS 3.1 scoring
 - Documentation verification: checks claims against official library docs via Context Hub + Context7
 - Safe auto-fix: git-branched fixes with worktree isolation, canary rollout, test verification, and automatic rollback
-- Dependency CVE scanning: lockfile-aware audits for npm, pnpm, yarn, bun
+- Dependency CVE scanning: lockfile-aware audits for npm, pnpm, yarn, bun (including Bun 1.2+ text-format lockfiles)
 - PR review: first-class `--pr` workflow for reviewing current, recent, or numbered PRs
 - Enterprise security pack: bundled STRIDE threat modeling, vulnerability validation, and security review skills
 
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@codexstar/bug-hunter",
-  "version": "3.0.7",
+  "version": "3.0.8",
   "description": "Adversarial AI bug hunter — multi-agent pipeline finds security vulnerabilities, logic errors, and runtime bugs, then fixes them autonomously. Works with Claude Code, Cursor, Codex CLI, Copilot, Kiro, and more.",
   "license": "MIT",
   "main": "bin/bug-hunter",

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@codexstar/bug-hunter",`
`3`		`- "version": "3.0.7",`
	`3`	`+ "version": "3.0.8",`
`4`	`4`	`"description": "Adversarial AI bug hunter — multi-agent pipeline finds security vulnerabilities, logic errors, and runtime bugs, then fixes them autonomously. Works with Claude Code, Cursor, Codex CLI, Copilot, Kiro, and more.",`
`5`	`5`	`"license": "MIT",`
`6`	`6`	`"main": "bin/bug-hunter",`