Conversation
added 12 commits
June 29, 2026 13:50
The hand-maintained front-door doc had drifted from reality.
- correct the license to MIT (was BUSL-1.1; matches LICENSE + package.json since 0.2.5+)
- add company-health + discover-companies to the skills list (was 21, repo ships 23)
…omepage

The Next-16 framework builder, on an `output: "export"` site, copied only `public/` into `.vercel/output/static` and wrote a catch-all `→ /404.html` route — the exported HTML pages (index.html and every route) never landed, so `/` 404'd. `deploy-web.mjs` papered over it by hand-copying `out/` into `static/`. This fixes the build itself so a plain `vercel build` (what a git-connected deploy runs) is correct.
- ✨ add website/vercel.json: framework:null + buildCommand + outputDirectory:out, so Vercel serves the whole static export from out/ (homepage + routes + /docs). Verified live: rolester.codeswhat.com/ → 200, full 75k homepage, /AGENTS.md + /docs 200.
- 🔧 build:docs-content installs docs-site deps when node_modules is missing, so a clean CI checkout can build the bundled /docs (docs-site is standalone, not a workspace).
- 🔄 deploy-web.mjs builds via `vercel build` + deploys prebuilt, dropping the manual .vercel/output construction and the cp workaround.
Vercel is now git-connected to CodesWhat/rolester (Root Directory=website, framework:null + vercel.json), and a git-sourced build off dev was verified READY. Pushes auto-deploy with the same `vercel build`, so the manual fallback script + its `deploy:web` npm alias are dead weight.
- Add CLIS dispatch entries so `companies`, `tracker-dev`, `modes`, `activity`, `research`, `stories`, `strategy-review`, `analytics`, `evidence`, `gate`, `learnings`, `status-map`, and `install-skills` are reachable as `rolester <cmd>` (previously npm-run / node-script only). Args forward verbatim.
- List them in `rolester help`, including the four that were wired but undocumented (install-skills, analytics, strategy-review, status-map).
- Point the starter prompt at `rolester doctor`.
…y form
- 🔄 Sweep `npm run X`, `node bin/rolester.mjs X`, and in-tree `node src/cli/{tracker,evaluate}.mjs` references to `rolester X` across the skills, AGENTS.md, README, docs, docs-site, website, and templates.
- 🐛 Drop the stray npm `--` separator the conversion left in 49 call sites. The binary forwards args verbatim, so `rolester automation -- status` resolved the verb as `--` and failed with `unknown command "--"`. Covers the broken fix-it guidance doctor.mjs was printing to users.
- 🐛 Fix the non-existent `rolester render` alias -> `rolester tracker`.
- Leave `node src/cli/lint-placeholders.mjs` (no binary subcommand) and the npm-only scripts (verify:tracker, calibrate:style, scan:sourced, ...) as-is.
- Update affected tests and dashboard copy.
- ✨ The global `rolester` binary now exposes the full command surface (companies, tracker-dev, modes, activity, research, stories, strategy-review, analytics, evidence, gate, learnings, status-map, install-skills).
- 🐛 Documented commands now actually run — dropped the stray npm `--` separator that made `rolester <cmd> -- <verb>` fail with `unknown command`, and fixed the non-existent `rolester render` alias.
- 🔄 All command references across skills, AGENTS.md, docs, and templates use the `rolester` binary form.
- 🔧 Run CodeQL on `dev` too (push + PR), not just `main`. Releases ship from `dev` and `main` lags weeks behind, so scanning only `main` left the actually-released code unanalyzed — all five open alerts were anchored to a stale `main` commit.
- 🐛 Escape backslashes before pipes in the three markdown-table `escapeCell` helpers (interview/packet, scoring/sourced-intake, scoring/sourced-delta) so a trailing `\` can't escape the cell delimiter — js/incomplete-sanitization.
- 🐛 Tolerate whitespace in script/style end-tags in `htmlToText` (`</script >`) so the liveness HTML-stripper can't be bypassed — js/bad-tag-filter.
- 🐛 Clone tag nodes instead of round-tripping innerHTML in the library drawer — js/xss-through-dom.
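An added example, not Rolester's `escapeCell` (whose source is not on this page), showing the incomplete-sanitization pattern the commit above describes and the escape-order fix. Two things are assumptions: cells are joined with bare `|` delimiters, and the toy row reader applies the GFM rule that a backslash escapes only the ASCII punctuation character that follows it.

```javascript
// Added example (not the project's code): escaping "|" alone is an incomplete
// sanitizer for markdown table cells (CodeQL js/incomplete-sanitization);
// escaping "\" first closes the hole. Assumptions: bare "|" joins, and a
// reader that treats backslash + ASCII punctuation as an escape (GFM rule).

// Before: only the delimiter is escaped.
function escapeCellBefore(value) {
  return String(value).replace(/\|/g, "\\|");
}

// After: escape the escape character first, then the delimiter, and fold
// newlines so a value cannot start a new table row.
function escapeCellAfter(value) {
  return String(value)
    .replace(/\\/g, "\\\\")
    .replace(/\|/g, "\\|")
    .replace(/\r?\n/g, " ");
}

function renderRow(cells, escapeCell) {
  return "|" + cells.map(escapeCell).join("|") + "|";
}

// Minimal reader for one table row: backslash + ASCII punctuation is an
// escape, any other "|" is a cell boundary. Returns the cells a renderer
// would see.
const ASCII_PUNCT = /[!-\/:-@\[-`{-~]/;
function splitRow(row) {
  const cells = [];
  let cur = "";
  for (let i = 0; i < row.length; i++) {
    const ch = row[i];
    if (ch === "\\" && i + 1 < row.length && ASCII_PUNCT.test(row[i + 1])) {
      cur += row[i + 1]; // escaped punctuation is literal
      i++;
    } else if (ch === "|") {
      cells.push(cur);
      cur = "";
    } else {
      cur += ch;
    }
  }
  cells.push(cur);
  return cells.slice(1, -1); // drop the empties outside the leading/trailing "|"
}

// Round-trip check: does the reader recover exactly the cells we wrote?
function roundTrips(cells, escapeCell) {
  const seen = splitRow(renderRow(cells, escapeCell));
  return seen.length === cells.length && seen.every((c, i) => c === cells[i]);
}

// Constructed inputs: a value ending in a backslash (the commit's case) and a
// value containing a backslash-pipe pair; both are plausible free-text fields.
const TRAILING_BACKSLASH = ["C:\\temp\\", "open"];
const BACKSLASH_PIPE = ["a\\|b", "open"];

console.log(splitRow(renderRow(TRAILING_BACKSLASH, escapeCellBefore))); // one merged cell
console.log(splitRow(renderRow(TRAILING_BACKSLASH, escapeCellAfter)));  // two cells
console.log(splitRow(renderRow(BACKSLASH_PIPE, escapeCellBefore)));     // three cells
console.log(splitRow(renderRow(BACKSLASH_PIPE, escapeCellAfter)));      // two cells
```

The round-trip check is the useful assertion to keep in a test suite: any cell value, however hostile, must come back out of the renderer's split exactly as it went in, which rules out both the column-shift and the swallowed-delimiter failure in one property.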
Ships the security fixes from 8edc915 (escapeCell backslash-before-pipe, htmlToText tag-filter whitespace, library-drawer XSS-through-DOM) that landed after 0.4.0 was published. These touch shipped src/ files, so they need a release to reach users. CodeQL on dev is clean; main-anchored alerts persist until main next syncs.
- ✨ feat(skills): new `report-issue` skill — when a `rolester` command crashes or a skill misbehaves, the agent separates a real defect from a config problem (routing setup issues to `configure`/`doctor`), assembles REDACTED diagnostics (no candidate PII, comp, employer/recruiter names, or workspace contents; home paths normalized), and only with the user's explicit yes opens a GitHub issue on the upstream `CodesWhat/rolester` repo under their own `gh` identity. Never auto-files; falls back to a prefilled issue URL when `gh` isn't available. Wired into AGENTS.md, templates/AGENTS.md, CLAUDE.md, and the docs catalog.
- 🐛 fix(packaging): ship the 8 user-facing scripts that skills invoke (verify-tracker, analyze-outcomes, check-job-links, scan-sourced, delta-sourced, capture-board-snapshot, capture-search-sources, calibrate-writing-style). The `files` allowlist shipped only install-skills.mjs, so `npm run verify:tracker` (referenced by skills 13x) and friends broke in every installed/live copy — the missing-verify-tracker.mjs failure hit in a live workspace. npm pack ships exactly the allowlist, so a referenced-but-unshipped script is dead on arrival.
- 🧪 test(packaging): guard that every script reachable from a skill or a published npm-run alias is in the `files` allowlist (dev-only demo build/deploy scripts explicitly exempted). Catches this whole regression class.
- 📝 docs(skills): backfill the missing company-health entry in the skills catalog.
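An added example, not the project's packaging test: a guard in the spirit of the `files`-allowlist check the commit above describes. It assumes scripts are referenced as `node <path>.mjs` or `npm run <alias>`, and models `files` entries as exact paths or directory prefixes; real npm `files` semantics (globs, negations, always-included files) are not modelled. The sample package.json and skill snippets are constructed.

```javascript
// Added example (not the project's own guard): check that every script a
// skill doc or an npm-run alias invokes is covered by package.json "files",
// so `npm pack` ships it. Assumptions: scripts are referenced as
// `node <path>.mjs` or `npm run <alias>`; "files" entries are exact paths
// or directory prefixes (globs and negations are not modelled).

const SCRIPT_REF = /\bnode\s+((?:bin|scripts|src)\/[\w.\/-]+\.mjs)\b/g;
const NPM_RUN_REF = /\bnpm\s+run\s+([\w:-]+)/g;

// A file is shipped if an allowlist entry names it or a directory above it.
function isShipped(file, files) {
  return files.some((entry) => {
    const dir = entry.endsWith("/") ? entry : entry + "/";
    return entry === file || file.startsWith(dir);
  });
}

// Scripts invoked by one text blob, resolving `npm run` aliases through
// package.json "scripts". An alias with no definition is reported as such,
// since a skill pointing at it is just as broken as a missing file.
function scriptsReferencedBy(text, pkgScripts) {
  const refs = new Set();
  for (const m of text.matchAll(SCRIPT_REF)) refs.add(m[1]);
  for (const m of text.matchAll(NPM_RUN_REF)) {
    const cmd = pkgScripts[m[1]];
    if (cmd === undefined) {
      refs.add(`npm run ${m[1]} (no such script)`);
      continue;
    }
    for (const n of cmd.matchAll(SCRIPT_REF)) refs.add(n[1]);
  }
  return refs;
}

// Everything reachable from a skill doc or from any npm alias not on the
// dev-only exemption list, minus what "files" ships. Empty array == green.
function findUnshipped(pkg, skillTexts, exemptAliases = []) {
  const scripts = pkg.scripts || {};
  const texts = [...skillTexts];
  for (const [alias, cmd] of Object.entries(scripts)) {
    if (!exemptAliases.includes(alias)) texts.push(cmd);
  }
  const bad = new Set();
  for (const text of texts) {
    for (const ref of scriptsReferencedBy(text, scripts)) {
      if (ref.startsWith("npm run ") || !isShipped(ref, pkg.files || [])) bad.add(ref);
    }
  }
  return [...bad].sort();
}

// Constructed sample: one shipped script, two referenced-but-unshipped ones,
// a skill pointing at an alias that does not exist, and a dev-only deploy
// alias that is deliberately exempt.
const SAMPLE_PKG = {
  files: ["bin/", "src/", "scripts/install-skills.mjs"],
  scripts: {
    "verify:tracker": "node scripts/verify-tracker.mjs",
    "scan:sourced": "node scripts/scan-sourced.mjs",
    "deploy:web": "node scripts/deploy-web.mjs",
  },
};
const SAMPLE_SKILLS = [
  "Run `npm run verify:tracker` after each tracker edit.",
  "Install with `node scripts/install-skills.mjs`, then run `node bin/rolester.mjs doctor`.",
  "If it breaks, try `npm run report:issue`.",
];

console.log(findUnshipped(SAMPLE_PKG, SAMPLE_SKILLS, ["deploy:web"]));
```

Wire `findUnshipped` into the test suite with the real package.json and the skill files read from disk, and fail the build on a non-empty result; the exemption list should be explicit and short, since every entry on it is a script users will never receive.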
New report-issue skill + ships the user-facing scripts skills invoke (fixes the npm run verify:tracker / friends breakage in installed and live copies).
added 2 commits
June 30, 2026 19:17
The 0.4.1 fix used `</script\s*>`, which still misses real end tags like `</script bar>` — an HTML parser closes the element on `</script` + any non-`>` chars + `>`. Use `[^>]*` so script/style stripping can't be bypassed. CodeQL's PR diff (js/bad-tag-filter) caught the half-fix. Fixes alert #30.
Completes the htmlToText `</script>` bad-tag-filter fix that 0.4.1 shipped incomplete (js/bad-tag-filter).
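An added example that is not the project's `htmlToText`: both the 0.4.1 half-fix pattern (`</script\s*>`, from the 0.4.1 commit above) and the completed `</script[^>]*>` pattern from this commit, applied to a constructed page. The helper names, the sample HTML and the liveness-check framing are assumptions.

```javascript
// Added example (not the project's htmlToText): stripping <script>/<style>
// blocks before reading page text. The first variant mirrors the 0.4.1
// half-fix (`</script\s*>`); the second the completed fix (`</script[^>]*>`).
// In the HTML tokenizer, "</script" followed by whitespace, "/" or ">" closes
// the element, so "</script bar>" is a real end tag the half-fix never
// matches. "[^>]*" is a slightly wider net (it also matches "</scriptx>"),
// which errs toward removing more, never less.

function blockStripper(closeTail) {
  // Opening tag, then lazily everything up to the matching end tag (\1 keeps
  // <script> from being closed by </style> and vice versa).
  const re = new RegExp(
    "<(script|style)\\b[^>]*>[\\s\\S]*?<\\/\\1" + closeTail + ">",
    "gi",
  );
  return (html) => html.replace(re, " ");
}

const stripBlocksHalfFix = blockStripper("\\s*");
const stripBlocksFixed = blockStripper("[^>]*");

// Remaining tags become whitespace; runs of whitespace collapse.
function tagsToText(html) {
  return html.replace(/<[^>]*>/g, " ").replace(/\s+/g, " ").trim();
}

function htmlToTextHalfFix(html) {
  return tagsToText(stripBlocksHalfFix(html));
}
function htmlToTextFixed(html) {
  return tagsToText(stripBlocksFixed(html));
}

// Constructed page: the visible text says the posting is open, while a script
// block carries the phrase a liveness check would look for. The end tag with
// an attribute is what lets the script body survive the half-fix and leak
// into the "text" the checker reads.
const SAMPLE_HTML = [
  '<p>Position open</p>',
  '<script type="text/javascript">var msg = "no longer available";</script bar>',
  '<style >.x{}</style\t>',
].join("");

console.log(htmlToTextHalfFix(SAMPLE_HTML)); // script body leaks into the text
console.log(htmlToTextFixed(SAMPLE_HTML));   // "Position open"
```

The same `[^>]*` tail is applied to `</style` because the tokenizer treats both raw-text elements alike; a fix that tightens only the script branch leaves the style branch as a second bypass for the same CodeQL rule.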
biggest-littlest (Member) approved these changes · Jun 30, 2026
Code-owner approval. Promotes dev→main (v0.3.3→v0.5.1): CLI binary wiring, security fixes (CodeQL clean, incl. the completed bad-tag-filter fix), report-issue skill, and the scripts-allowlist packaging fix. structure-guards green, 939 tests, CodeQL 0 alerts on the merge ref.
ALARGECOMPANY (Member) approved these changes · Jun 30, 2026
Second approval. Verified: structure-guards + CodeQL green, 0 open code-scanning alerts on the merge ref, 939 tests pass. Good to promote to main.
Promotes dev→main, reconciling production with the current release line (v0.3.3 → v0.5.0). Merge-commit only (no squash — keeps main's history aligned with dev's individual commits).

What's promoted

Features
- ✨ feat(cli) — wire the full CLI surface into the `rolester` binary; 🔄 refactor(cli) — convert all command references to the binary form.
- ✨ feat(skills) — new `report-issue` skill: the agent files a redacted GitHub issue on `CodesWhat/rolester` (confirm-first, never auto-files) when Rolester itself breaks.

Fixes
- 🐛 fix(security) — clear the CodeQL findings (escapeCell escaping, HTML tag-filter, library XSS-through-DOM) and scan the `dev` release branch, not just `main`.
- 🐛 fix(packaging) — ship the 8 user-facing scripts that skills invoke (verify-tracker, analyze-outcomes, scan-sourced, …). The `files` allowlist had shipped only `install-skills.mjs`, so `npm run verify:tracker` and friends were dead in every installed/live copy. Adds a release-safety guard so this can't regress.

Releases: 0.4.0, 0.4.1, 0.5.0 (all published to npm via OIDC from dev).

Why now

main had been scanned by CodeQL but releases ship from dev, so the 5 open code-scanning alerts were anchored to stale main code that's already fixed on dev. Bringing main current clears them. dev scans clean; 939 tests green; privacy guard 5/5.