
release: promote dev → main (v0.3.3 → v0.5.0)#12

Merged
scttbnsn merged 14 commits into
mainfrom
dev
Jun 30, 2026

Conversation

@scttbnsn

Contributor

Promotes dev → main, reconciling production with the current release line (v0.3.3 → v0.5.0). Merge-commit only (no squash — keeps main's history aligned with dev's individual commits).

What's promoted

Features

  • ✨ feat(cli) — wire the full CLI surface into the rolester binary; 🔄 refactor(cli) — convert all command references to the binary form.
  • ✨ feat(skills) — new report-issue skill: the agent files a redacted GitHub issue on CodesWhat/rolester (confirm-first, never auto-files) when Rolester itself breaks.

Fixes

  • 🐛 fix(security) — clear the CodeQL findings (escapeCell escaping, HTML tag-filter, library XSS-through-DOM) and scan the dev release branch, not just main.
  • 🐛 fix(packaging) — ship the 8 user-facing scripts that skills invoke (verify-tracker, analyze-outcomes, scan-sourced, …). The files allowlist had shipped only install-skills.mjs, so npm run verify:tracker and friends were dead in every installed/live copy. Adds a release-safety guard so this can't regress.

Releases: 0.4.0, 0.4.1, 0.5.0 (all published to npm via OIDC from dev).

Why now

main had been scanned by CodeQL but releases ship from dev, so the 5 open code-scanning alerts were anchored to stale main code that's already fixed on dev. Bringing main current clears them. dev scans clean; 939 tests green; privacy guard 5/5.
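The release-safety guard that the packaging fix above adds, sketched as an added example that is not rolester's own test. It resolves every script a skill body or a package.json `scripts` entry invokes and fails when any of them falls outside the `files` allowlist, because `npm pack` ships exactly that allowlist. The manifest, the skill bodies, the dev-only exemption list, the simplified `files` matcher and all function names are constructed for this demonstration and are not taken from the project.

```javascript
// Added example, not rolester's own test: a release-safety guard that fails
// when a script referenced by a skill or a package.json `scripts` entry is not
// covered by the `files` allowlist. `npm pack` ships exactly that allowlist,
// so a referenced-but-unshipped script is dead in every installed copy.
// All manifests, skill bodies and paths below are constructed for the demo.

// Constructed manifest: mirrors the failure mode described in the PR, where
// only install-skills.mjs was allowlisted.
const PKG = {
  name: 'example-tool',
  files: ['bin/', 'src/', 'scripts/install-skills.mjs'],
  scripts: {
    'verify:tracker': 'node scripts/verify-tracker.mjs',
    'scan:sourced': 'node scripts/scan-sourced.mjs --strict',
    'install:skills': 'node scripts/install-skills.mjs',
    'deploy:web': 'node scripts/deploy-web.mjs',
  },
};

// Constructed skill bodies: skills are markdown telling the agent what to run,
// either as `npm run X` or as a direct `node path` call.
const SKILLS = {
  'skills/verify.md': 'Run `npm run verify:tracker` after editing the tracker.',
  'skills/intake.md': 'Then `node scripts/capture-board-snapshot.mjs` and `npm run scan:sourced`.',
};

// Dev-only build/deploy scripts that are explicitly exempt from shipping.
const DEV_ONLY = new Set(['scripts/deploy-web.mjs']);

// Extract `node <path>.mjs|.cjs|.js` targets from a command line or text.
function nodeTargets(text) {
  return [...text.matchAll(/\bnode\s+([\w./-]+\.(?:mjs|cjs|js))\b/g)].map(m => m[1]);
}

// Resolve `npm run X` aliases through package.json, plus direct node calls.
function referencedScripts(text, pkg) {
  const paths = new Set(nodeTargets(text));
  for (const m of text.matchAll(/\bnpm run ([\w:-]+)/g)) {
    const cmd = pkg.scripts[m[1]];
    if (cmd) for (const p of nodeTargets(cmd)) paths.add(p);
  }
  return paths;
}

// Simplified npm `files` semantics (an assumption of this example): an entry
// without glob characters covers that exact path or everything beneath it as
// a directory; `*` matches within one path segment and `**` across segments.
// Real npm also honours .npmignore and a set of always-included files.
function coveredByFiles(path, files) {
  return files.some(entry => {
    const e = entry.replace(/^\.\//, '').replace(/\/$/, '');
    if (!/[*?]/.test(e)) return path === e || path.startsWith(e + '/');
    const escape = s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
    const source = e.split('**')
      .map(seg => seg.split('*').map(escape).join('[^/]*'))
      .join('.*');
    return new RegExp('^' + source + '$').test(path);
  });
}

// The guard itself: every referenced script must be shipped or exempt.
// Returns the sorted list of offenders; an empty list means the check passes.
function unshippedScripts(pkg, skills, devOnly) {
  const refs = new Set();
  for (const cmd of Object.values(pkg.scripts)) for (const p of nodeTargets(cmd)) refs.add(p);
  for (const body of Object.values(skills)) for (const p of referencedScripts(body, pkg)) refs.add(p);
  return [...refs].filter(p => !devOnly.has(p) && !coveredByFiles(p, pkg.files)).sort();
}

const offenders = unshippedScripts(PKG, SKILLS, DEV_ONLY);
console.log(offenders.length ? `unshipped: ${offenders.join(', ')}` : 'all referenced scripts ship');
```

Run as a test in CI, the guard fails the build on the three unshipped scripts in the constructed manifest and passes once `files` covers `scripts/`; dev-only scripts stay exempt rather than being silently shipped.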

CodesWhat added 12 commits June 29, 2026 13:50
The hand-maintained front-door doc had drifted from reality.

- correct the license to MIT (was BUSL-1.1; matches LICENSE + package.json since 0.2.5+)
- add company-health + discover-companies to the skills list (was 21, repo ships 23)
…omepage

The Next-16 framework builder, on an `output: "export"` site, copied only `public/`
into `.vercel/output/static` and wrote a catch-all `→ /404.html` route — the exported
HTML pages (index.html and every route) never landed, so `/` 404'd. `deploy-web.mjs`
papered over it by hand-copying `out/` into `static/`. This fixes the build itself so a
plain `vercel build` (what a git-connected deploy runs) is correct.

- ✨ add website/vercel.json: framework:null + buildCommand + outputDirectory:out, so
  Vercel serves the whole static export from out/ (homepage + routes + /docs). Verified
  live: rolester.codeswhat.com/ → 200, full 75k homepage, /AGENTS.md + /docs 200.
- 🔧 build:docs-content installs docs-site deps when node_modules is missing, so a clean
  CI checkout can build the bundled /docs (docs-site is standalone, not a workspace).
- 🔄 deploy-web.mjs builds via `vercel build` + deploys prebuilt, dropping the manual
  .vercel/output construction and the cp workaround.
Vercel is now git-connected to CodesWhat/rolester (Root Directory=website,
framework:null + vercel.json), and a git-sourced build off dev was verified
READY. Pushes auto-deploy with the same `vercel build`, so the manual
fallback script + its `deploy:web` npm alias are dead weight.
- Add CLIS dispatch entries so `companies`, `tracker-dev`, `modes`, `activity`,
  `research`, `stories`, `strategy-review`, `analytics`, `evidence`, `gate`,
  `learnings`, `status-map`, and `install-skills` are reachable as
  `rolester <cmd>` (previously npm-run / node-script only). Args forward verbatim.
- List them in `rolester help`, including the four that were wired but undocumented
  (install-skills, analytics, strategy-review, status-map).
- Point the starter prompt at `rolester doctor`.
…y form

- 🔄 Sweep `npm run X`, `node bin/rolester.mjs X`, and in-tree
  `node src/cli/{tracker,evaluate}.mjs` references to `rolester X` across the
  skills, AGENTS.md, README, docs, docs-site, website, and templates.
- 🐛 Drop the stray npm `--` separator the conversion left in 49 call sites.
  The binary forwards args verbatim, so `rolester automation -- status` resolved
  the verb as `--` and failed with `unknown command "--"`. Covers the broken
  fix-it guidance doctor.mjs was printing to users.
- 🐛 Fix the non-existent `rolester render` alias -> `rolester tracker`.
- Leave `node src/cli/lint-placeholders.mjs` (no binary subcommand) and the
  npm-only scripts (verify:tracker, calibrate:style, scan:sourced, ...) as-is.
- Update affected tests and dashboard copy.
- ✨ The global `rolester` binary now exposes the full command surface
  (companies, tracker-dev, modes, activity, research, stories, strategy-review,
  analytics, evidence, gate, learnings, status-map, install-skills).
- 🐛 Documented commands now actually run — dropped the stray npm `--` separator
  that made `rolester <cmd> -- <verb>` fail with `unknown command`, and fixed the
  non-existent `rolester render` alias.
- 🔄 All command references across skills, AGENTS.md, docs, and templates use the
  `rolester` binary form.
- 🔧 Run CodeQL on `dev` too (push + PR), not just `main`. Releases ship from
  `dev` and `main` lags weeks behind, so scanning only `main` left the actually-
  released code unanalyzed — all five open alerts were anchored to a stale
  `main` commit.
- 🐛 Escape backslashes before pipes in the three markdown-table `escapeCell`
  helpers (interview/packet, scoring/sourced-intake, scoring/sourced-delta) so a
  trailing `\` can't escape the cell delimiter — js/incomplete-sanitization.
- 🐛 Tolerate whitespace in script/style end-tags in `htmlToText` (`</script >`)
  so the liveness HTML-stripper can't be bypassed — js/bad-tag-filter.
- 🐛 Clone tag nodes instead of round-tripping innerHTML in the library drawer —
  js/xss-through-dom.
Ships the security fixes from 8edc915 (escapeCell backslash-before-pipe,
htmlToText tag-filter whitespace, library-drawer XSS-through-DOM) that landed
after 0.4.0 was published. These touch shipped src/ files, so they need a
release to reach users. CodeQL on dev is clean; main-anchored alerts persist
until main next syncs.
- ✨ feat(skills): new `report-issue` skill — when a `rolester` command crashes
  or a skill misbehaves, the agent separates a real defect from a config problem
  (routing setup issues to `configure`/`doctor`), assembles REDACTED diagnostics
  (no candidate PII, comp, employer/recruiter names, or workspace contents; home
  paths normalized), and only with the user's explicit yes opens a GitHub issue
  on the upstream `CodesWhat/rolester` repo under their own `gh` identity. Never
  auto-files; falls back to a prefilled issue URL when `gh` isn't available.
  Wired into AGENTS.md, templates/AGENTS.md, CLAUDE.md, and the docs catalog.
- 🐛 fix(packaging): ship the 8 user-facing scripts that skills invoke
  (verify-tracker, analyze-outcomes, check-job-links, scan-sourced, delta-sourced,
  capture-board-snapshot, capture-search-sources, calibrate-writing-style). The
  `files` allowlist shipped only install-skills.mjs, so `npm run verify:tracker`
  (referenced by skills 13x) and friends broke in every installed/live copy —
  the missing-verify-tracker.mjs failure hit in a live workspace. npm pack ships
  exactly the allowlist, so a referenced-but-unshipped script is dead on arrival.
- 🧪 test(packaging): guard that every script reachable from a skill or a
  published npm-run alias is in the `files` allowlist (dev-only demo build/deploy
  scripts explicitly exempted). Catches this whole regression class.
- 📝 docs(skills): backfill the missing company-health entry in the skills catalog.
New report-issue skill + ships the user-facing scripts skills invoke (fixes the npm run verify:tracker / friends breakage in installed and live copies).
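The escapeCell hardening from the security commit above, as an added example rather than the project's code: a weak escaper that only handles pipes beside the hardened one that escapes backslashes first, plus a minimal GFM row splitter so the cell bleed is observable. It assumes cells are joined with bare `|` delimiters (a value ending in `\` immediately before the delimiter is what the finding is about) and that the splitter follows GFM's rule that `\` escapes only the ASCII punctuation character after it; the function names and sample values are constructed here.

```javascript
// Added example (not rolester's escapeCell): why a markdown-table cell escaper
// must escape backslashes before pipes. In GitHub-flavoured markdown `\|` is a
// literal pipe rather than a cell boundary, so an unescaped trailing `\` in a
// value swallows the delimiter that follows it and the next cell bleeds in.

// Weak escaper: pipes only. `C:\tools\` + `|` becomes `C:\tools\|`, which the
// renderer reads as an escaped pipe (CodeQL js/incomplete-sanitization).
function escapeCellWeak(value) {
  return String(value).replace(/\|/g, '\\|');
}

// Hardened escaper. Order matters: backslashes first, then pipes. Doing pipes
// first would turn the `\` inserted for `\|` into `\\|`, re-breaking the escape.
function escapeCellHardened(value) {
  return String(value).replace(/\\/g, '\\\\').replace(/\|/g, '\\|');
}

// Build one table row; bare `|` delimiters are assumed for this example.
function buildRow(cells, escapeCell) {
  return '|' + cells.map(escapeCell).join('|') + '|';
}

// Minimal GFM-style row splitter: `\` followed by ASCII punctuation yields that
// character literally (`\|` -> `|`, `\\` -> `\`); any other `|` is a boundary.
const ASCII_PUNCT = /[!-\/:-@\[-`{-~]/;
function splitRow(row) {
  const body = row.replace(/^\|\s*/, '').replace(/\s*\|$/, '');
  const cells = [];
  let cur = '';
  for (let i = 0; i < body.length; i++) {
    const ch = body[i];
    if (ch === '\\' && i + 1 < body.length && ASCII_PUNCT.test(body[i + 1])) {
      cur += body[i + 1]; // escaped punctuation becomes a literal character
      i++;
      continue;
    }
    if (ch === '|') {
      cells.push(cur.trim());
      cur = '';
      continue;
    }
    cur += ch;
  }
  cells.push(cur.trim());
  return cells;
}

// Constructed sample: a path value that ends in a backslash.
const SAMPLE_CELLS = ['C:\\tools\\', 'x'];
console.log('weak     ->', splitRow(buildRow(SAMPLE_CELLS, escapeCellWeak)));
console.log('hardened ->', splitRow(buildRow(SAMPLE_CELLS, escapeCellHardened)));
```

With the weak escaper the two cells collapse into one (`C:\tools|x`), shifting every column after it; the hardened escaper round-trips both cells and still handles a plain embedded pipe.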
Comment thread src/core/liveness/job-link-checker.mjs Fixed
@vercel

vercel Bot commented Jun 30, 2026


The latest updates on your projects.

Project: rolester-website; Deployment: Ready; Actions: Preview, Comment; Updated (UTC): Jun 30, 2026 11:17pm

CodesWhat added 2 commits June 30, 2026 19:17
The 0.4.1 fix used `</script\s*>`, which still misses real end tags like
`</script bar>` — an HTML parser closes the element on `</script` + any
non-`>` chars + `>`. Use `[^>]*` so script/style stripping can't be bypassed.
CodeQL's PR diff (js/bad-tag-filter) caught the half-fix. Fixes alert #30.
Completes the htmlTo</script> bad-tag-filter fix that 0.4.1 shipped incomplete (js/bad-tag-filter).
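The three generations of the script/style stripper described in the 0.4.1 commit in the first batch above and the completing commit here, as an added example that is not the project's `htmlToText`: the exact end-tag pattern, the `\s*` half-fix, and the `[^>]*` completion, run over a constructed page in which a closed-position notice sits inside a `<script>` block closed by `</script bar>`. The function names, the surrounding tag-stripping steps and the sample HTML are assumptions of this example.

```javascript
// Added example, not rolester's liveness stripper: three end-tag patterns for
// removing <script>/<style> content before text extraction, and an input that
// defeats the first two. An HTML tokenizer closes a raw-text element at
// `</script` followed by any run of non-`>` characters and a `>`, so the end
// tag pattern must accept `</script bar>`, not just `</script>` or `</script >`.

// 0.4.0: exact end tag only. `</script >` slips through (js/bad-tag-filter).
function stripRawText_v0(html) {
  return html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1>/gi, '');
}

// 0.4.1 half-fix: tolerates whitespace before `>` but still misses `</script bar>`.
function stripRawText_v1(html) {
  return html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
}

// Completed fix: any non-`>` characters after the tag name. This also strips
// a non-tag such as `</scriptfoo>`, which errs toward removing more, the safe
// direction for a sanitizer.
function stripRawText_v2(html) {
  return html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1[^>]*>/gi, '');
}

// The rest of a naive htmlToText: drop remaining tags, collapse whitespace.
function htmlToText(html, stripRawText) {
  return stripRawText(html)
    .replace(/<[^>]+>/g, ' ')
    .replace(/\s+/g, ' ')
    .trim();
}

// True when text that should have been stripped reaches the extracted output.
function leaks(html, stripRawText, marker) {
  return htmlToText(html, stripRawText).includes(marker);
}

// Constructed page: the script block is closed by `</script bar>`, so the
// sentence inside it would be read as page text by a stripper that fails to
// match that end tag.
const SAMPLE_PAGE =
  '<html><body><h1>Role open</h1>' +
  '<script>var gone = "This position has been filled"</script bar>' +
  '<p>Apply now</p></body></html>';

// Constructed page for the whitespace-only case that 0.4.1 did handle.
const SPACED_END_TAG = '<style>.x{}</style ><p>Apply now</p>';

for (const [name, fn] of [['v0', stripRawText_v0], ['v1', stripRawText_v1], ['v2', stripRawText_v2]]) {
  console.log(name, JSON.stringify(htmlToText(SAMPLE_PAGE, fn)),
    leaks(SAMPLE_PAGE, fn, 'position has been filled') ? 'LEAKS' : 'ok');
}
```

Only the completed pattern yields `Role open Apply now` for the sample page; the first two leave the script body in the extracted text, which is exactly what a liveness check that looks for closed-position wording must not see.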

@biggest-littlest biggest-littlest left a comment

Member


Code-owner approval. Promotes dev→main (v0.3.3→v0.5.1): CLI binary wiring, security fixes (CodeQL clean, incl. the completed bad-tag-filter fix), report-issue skill, and the scripts-allowlist packaging fix. structure-guards green, 939 tests, CodeQL 0 alerts on the merge ref.

@ALARGECOMPANY ALARGECOMPANY left a comment

Member


Second approval. Verified: structure-guards + CodeQL green, 0 open code-scanning alerts on the merge ref, 939 tests pass. Good to promote to main.

@scttbnsn scttbnsn merged commit fcbd432 into main Jun 30, 2026
8 checks passed