Releases: CodesWhat/rolester
Release list
v0.5.2 — eliminate the slug-trim ReDoS
A security patch. The slugify idiom .replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "") had a polynomial ReDoS in the trailing -+$ (O(n²) backtracking). CodeQL flagged two reachable sites; this fixes the whole class — 15 sites across providers, tracker, profile, comms, research, interview, and a script. The preceding collapse makes boundary dashes single, so /^-|-$/g is equivalent and quantifier-free.
rolester update # or: npm i -g rolester@0.5.2
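The two slug-trim forms side by side, as an added example that is not rolester's own code: the flagged idiom, the quantifier-free replacement from 0.5.2, and a property check that the two agree once the collapse step has run. The .toLowerCase() call and the sample inputs are assumptions made here so the example runs on its own.

```javascript
// Added example (not rolester's code). Compares the ReDoS-prone slug-trim idiom
// from the 0.5.2 notes with the quantifier-free replacement and checks that the
// two agree on every input once boundary dashes have been collapsed.
// Assumption: inputs are lower-cased before the collapse step.

// The idiom flagged by CodeQL: `-+$` is anchored at the end, so on a long run of
// dashes that is NOT at the end the engine tries the run from every start
// position and backtracks through every shorter length (quadratic).
function slugifyOld(input) {
  return input
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, "-")
    .replace(/^-+|-+$/g, "");
}

// The 0.5.2 form: the collapse step already guarantees that a boundary dash is a
// single character, so an unquantified `-` at each anchor is equivalent and
// leaves nothing for the engine to backtrack through.
function slugifyNew(input) {
  return input
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, "-")
    .replace(/^-|-$/g, "");
}

// Deterministic pseudo-random generator so the equivalence check is repeatable.
function makePrng(seed) {
  let state = seed >>> 0;
  return () => {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    return state / 0x100000000;
  };
}

// Property check: old and new slugify agree on `count` constructed inputs drawn
// from an alphabet that includes dashes, spaces and punctuation. Returns the
// first disagreement, or null when the two agree on the whole sample.
function findDisagreement(count = 2000, seed = 42) {
  const rand = makePrng(seed);
  const alphabet = "ab9-- _.!/";
  for (let i = 0; i < count; i++) {
    const len = Math.floor(rand() * 12);
    let s = "";
    for (let j = 0; j < len; j++) s += alphabet[Math.floor(rand() * alphabet.length)];
    if (slugifyOld(s) !== slugifyNew(s)) {
      return { input: s, old: slugifyOld(s), fixed: slugifyNew(s) };
    }
  }
  return null;
}

// Constructed sample inputs covering the boundary cases.
const SAMPLES = ["  Hello, World!  ", "---", "", "a--b", "-a-", "Senior Engineer (Remote)"];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", JSON.stringify(slugifyNew(s)));
}
console.log("disagreement:", findDisagreement());
```

The equivalence holds because the collapse pass rewrites every run of non-alphanumerics to exactly one dash, so the only dash that can ever sit at either end is a single one; the fixed pattern removes it in constant work per anchor instead of per-character backtracking.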
v0.5.1 — complete the bad-tag-filter fix
A one-line security patch. The 0.4.1 HTML-stripper fix used </script\s*>, which still misses real end tags like </script bar> (an HTML parser closes the element on </script + any non-> chars + >). htmlToText now uses [^>]* so script/style stripping can't be bypassed. Caught by CodeQL's PR diff (js/bad-tag-filter).
rolester update # or: npm i -g rolester@0.5.1
v0.5.0 — report-issue skill + ship the scripts skills invoke
What's new
report-issue skill — when Rolester itself looks broken (a crash, stack trace, non-zero exit, or clearly-wrong output), the agent now knows to help you file a bug. It first separates a real defect from a config problem (setup issues route to configure/doctor), assembles redacted diagnostics — no candidate PII, comp, employer/recruiter names, or workspace contents, with home paths normalized — and, only with your explicit yes, opens a GitHub issue on this repo under your own gh identity. It never auto-files and falls back to a prefilled issue URL when gh isn't available. Say "this is broken", "report a bug", or "file an issue".
Fixes
- Ship the scripts the skills actually invoke. The package files allowlist shipped only install-skills.mjs, but skills call npm run verify:tracker (13×), calibrate:style (9×), scan:sourced, analyze:outcomes, and more — all of which point at scripts/*.mjs that weren't in the package. So those commands broke in every installed and live copy (the missing verify-tracker.mjs failure). This release ships all 8 user-facing scripts. If you maintain a live tree, rolester update (or update-live) now pulls them in.
Housekeeping
- New packaging guard: a test now fails if any script reachable from a skill or a published npm run alias isn't in the files allowlist (dev-only demo build/deploy scripts exempted) — so this regression class can't ship again.
- Docs: backfilled the missing company-health entry in the skills reference.
rolester update # or: npm i -g rolester@0.5.0
v0.4.1 — security hardening
A security-hardening patch. These fixes were flagged by CodeQL and landed just after 0.4.0 went out; since they touch shipped src/ files, this release gets them to users.
Security fixes
- Markdown-table escaping — the escapeCell helpers (interview packet, sourced-intake, sourced-delta) now escape backslashes before pipes, so a trailing \ can't escape the cell delimiter and break out of a table cell. (js/incomplete-sanitization)
- HTML stripper — the liveness job-link checker's htmlToText now tolerates whitespace in </script > / </style > end-tags, closing a tag-filter bypass. (js/bad-tag-filter)
- Library drawer — tag rendering clones DOM nodes instead of round-tripping innerHTML, removing an XSS-through-DOM path. (js/xss-through-dom)
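The HTML-stripper change (0.4.1's whitespace-only end tag, completed in 0.5.1 with [^>]*) and the escapeCell ordering fix, reconstructed in isolation as an added example. This is not rolester's source: the function names, the exact regexes, the compact row layout and the sample inputs are assumptions made here from the release notes.

```javascript
// Added example (not rolester's code). Reconstructs the two text-handling fixes
// from the 0.4.1 and 0.5.1 notes: a script/style stripper whose end-tag pattern
// is `</script[^>]*>`, and a Markdown table cell escaper that escapes
// backslashes before pipes. Names, regexes and samples are assumptions.

// 0.4.1 shape: `\s*` tolerates whitespace before `>` but nothing else, so an end
// tag carrying other characters, such as `</script bar>`, is not matched and the
// whole element body survives into the extracted text.
function stripScriptStyleWhitespaceOnly(html) {
  return html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "");
}

// 0.5.1 shape: an HTML parser closes the element on `</script` + any non-`>`
// characters + `>`, so the stripper accepts the same. This also matches names
// like `</scripts>`, which for a sanitizer is the safe direction (strip more).
function stripScriptStyle(html) {
  return html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1[^>]*>/gi, "");
}

// Minimal htmlToText in the spirit of a link-liveness checker: remove script and
// style elements first, then drop remaining tags and collapse whitespace. The
// stripper is a parameter so both variants can be compared.
function htmlToText(html, stripper = stripScriptStyle) {
  return stripper(html).replace(/<[^>]*>/g, " ").replace(/\s+/g, " ").trim();
}

// Markdown cell escaping. Escaping only `|` lets a cell that ends in `\`
// neutralise the delimiter after it (`\|` reads as a literal pipe). Backslashes
// are escaped first; doing it after the pipe step would turn the `\` of an
// escaped pipe into `\\` and un-escape it.
function escapeCellPipesOnly(value) {
  return String(value).replace(/\|/g, "\\|");
}
function escapeCell(value) {
  return String(value).replace(/\\/g, "\\\\").replace(/\|/g, "\\|");
}

// Render a row with cells directly adjacent to the delimiters (compact layout,
// chosen so the trailing-backslash effect is visible).
function renderRow(cells, escape) {
  return "|" + cells.map(escape).join("|") + "|";
}

// Split a rendered row the way a simplified Markdown renderer would:
// `\` escapes the next character, an unescaped `|` is a cell delimiter.
function splitRow(row) {
  const cells = [];
  let cur = "";
  for (let i = 0; i < row.length; i++) {
    const ch = row[i];
    if (ch === "\\" && i + 1 < row.length) { cur += row[++i]; continue; }
    if (ch === "|") { cells.push(cur); cur = ""; continue; }
    cur += ch;
  }
  cells.push(cur);
  return cells.slice(1, -1); // drop the empties outside the outer pipes
}

// Constructed sample inputs.
const SAMPLE_HTML = "<p>hi</p><script>var x = 1;</script bar><p>there</p>";
const SAMPLE_CELLS = ["foo\\", "bar"];

console.log("0.4.1 stripper:", htmlToText(SAMPLE_HTML, stripScriptStyleWhitespaceOnly));
console.log("0.5.1 stripper:", htmlToText(SAMPLE_HTML));
console.log("pipes only:", splitRow(renderRow(SAMPLE_CELLS, escapeCellPipesOnly)));
console.log("backslash first:", splitRow(renderRow(SAMPLE_CELLS, escapeCell)));
```

With the whitespace-only pattern the script body is reported as page text, which for a liveness check means a page can be judged by content it never renders; with [^>]* the body is gone. In the table case, the pipes-only escaper collapses two cells into one, while escaping backslashes first keeps the cell count and the literal content intact.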
Housekeeping
- CodeQL now scans the dev release branch, not just main — releases ship from dev, so the scanner had never analyzed the actually-released code. The dev baseline is clean.
No schema or workflow changes; this is a drop-in update.
rolester update # or: npm i -g rolester@0.4.1
v0.4.0
What's new
The global rolester binary now exposes the full command surface. Every workflow CLI is reachable as rolester <cmd> — companies, tracker-dev, modes, activity, research, stories, strategy-review, analytics, evidence, gate, learnings, status-map, and install-skills — not just via npm run. They're all listed in rolester help.
Fixes
- Documented commands now actually run. The command-form sweep left a stray npm -- separator on the binary form. The global binary forwards args verbatim, so rolester automation -- status failed with unknown command "--". Fixed across 49 call sites, including the fix-it guidance rolester doctor prints to users.
- Fixed the non-existent rolester render alias (now rolester tracker).
Housekeeping
- All command references across the skills, AGENTS.md, docs, docs-site, website, and templates now use the rolester binary form.
Update: rolester update (your candidate/ and workspace/ data is untouched).
v0.3.3
What's changed
- Added shared agent guidance for doctor, rolester next, and the dashboard Next agent task card.
- Added rolester next / npm run next with durable discovery skip recording for optional board/company discovery steps.
- Updated onboarding/search/discovery router docs so agents steer through setup-searches -> research-boards -> discover-companies -> search-jobs and keep recommending the next useful skill after setup.
- Tightened empty search/company source outputs and manual rolester start --no-agent handoff text.
Verification
- npm test
- npm run doctor
- npm run lint:placeholders
- npm run next
- npm run tracker -- --json
- npm pack --dry-run
Rolester v0.3.2
What's changed
- Adds an onboarding target posting-age preference and threads it into generated search recency.
- Makes doctor, search source, and company source CLIs surface readiness instead of leaving users to infer what has or has not run.
- Aligns the post-onboarding discovery flow around setup-searches -> research-boards -> discover-companies -> search-jobs.
- Fixes capture:search-sources YAML loading for canonical searches[] configs, query-to-term mapping, and HiringCafe checkpoint failures.
Verification
- npm test
- npm run doctor
- npm run lint:placeholders
- npx biome check on touched source/test files
- npm pack --dry-run
v0.3.1
Bugfix-led patch with one backward-compatible feature.
Fixed — reevaluation gate false positive (and the same class elsewhere)
The reevaluation gate could fire a false "thresholds tripped" because contract prose invited the agent to recompute the gate from cumulative rejections instead of reading the persisted analytics block, which trips on the delta since the last review.
- reevaluate-strategy reads tracker.json#analytics.reevaluation (npm run analytics), not the descriptive analyze:outcomes; fit-bands come from persisted app.fitBucket.
- AGENTS.md reevaluation contract clarified (delta not cumulative; read-the-block; dashboard nudge vs reevaluation.due are distinct gates).
- track-outcomes refreshes the analytics block (npm run analytics -- --write) before re-render, so the gate isn't read stale.
- company-health counts screen toward the interview fire-band.
- apply-job reads persisted fitBucket before re-deriving the FIT tier.
Added
- compEstimate staleness — comp estimates now carry asOf and a comp_estimate.recheck_days window (default 30), mirroring company_health; the comp card shows "as of <date>". Additive, non-breaking.
909 tests pass.
rolester 0.3.0 — company-health, docs site, analytics
Feature release.
Highlights
- Company-health / sentiment skill — a role-scoped healthy | watch | risky rating (layoff risk, hiring momentum, financials, sentiment, leadership) that dents the fit score only where a poor dimension intersects a stated candidate need. Cost-gated firing (manual anytime; auto at the interview stage by default), persisted to the tracker, internal signal only — never enters an outbound artifact. Card badge + drawer health section on the dashboard.
- Docs site — Fumadocs documentation served at /docs (friendly + advanced tracks).
- Outcome analytics as SSOT — one persisted reevaluation block, read everywhere.
- Demo overhaul — fixture rebalanced to a believable search, explicit company-logo field, evergreen date rebase, honest jobs funnel.
- Website launch-polish — footer, docs links, scroll-reveal, favicon, demo embed, softened positioning copy.
- License — back to MIT.
Quality
- Full test suite green: 912 pass / 0 fail.
- Published with npm provenance via OIDC Trusted Publishing.
Install: npm install -g rolester
v0.2.4
Relicensed under BUSL-1.1. Starting with 0.2.4, Rolester is source-available under the Business Source License 1.1: free for personal and non-commercial use (including running your own job search) and for internal evaluation. Offering it as a hosted or commercial service requires a commercial license. Auto-converts to Apache 2.0 on 2030-06-26. Versions 0.2.0–0.2.3 remain MIT.
Clone-canonical install. Getting started is now git clone → npm install → node bin/rolester.mjs start everywhere (README, AGENTS.md, docs, website). The agent runs in-tree, so a local clone is the correct path, not a global npm install. Keep current with node bin/rolester.mjs update. Added a fictional sample job posting under examples/sample-jobs/ so testers have something to paste.
Node-native DOCX export. Document DOCX styling (Helvetica, all-black, tight spacing, narrow margins) moved into the Node export path via a generated pandoc reference doc and the OOXML fallback. Dropped the lone Python helper — no Python dependency anymore.