Releases: CodesWhat/rolester

v0.5.2 — eliminate the slug-trim ReDoS

@scttbnsn scttbnsn released this 30 Jun 23:32

A security patch. The slugify idiom .replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "") had a polynomial-ReDoS in the trailing -+$ (O(n²) backtracking). CodeQL flagged two reachable sites; this fixes the whole class — 15 sites across providers, tracker, profile, comms, research, interview, and a script. The preceding collapse makes boundary dashes single, so /^-|-$/g is equivalent and quantifier-free.
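The two trim regexes side by side, as an added example that is not rolester's code: the pre-0.5.2 `-+$` form, the quantifier-free 0.5.2 form, a reproducible fuzz check that they agree once the collapse step has run, the input on which they disagree when the collapse is skipped, and a timing probe of the bare trim step on its worst-case input. Lowercasing before the collapse is assumed (the idiom's `[^a-z0-9]` implies it); `collapse`, `trimQuadratic`, `trimLinear` and the probe are names chosen here.

```javascript
// Added example (not rolester's code): the slug-trim idiom before and after
// the 0.5.2 fix, an equivalence check, and a probe of the backtracking cost.

// Step 1 of the idiom: every run of non-alphanumerics becomes one dash.
// Lowercasing first is assumed, since the class only covers a-z.
const collapse = (s) => s.toLowerCase().replace(/[^a-z0-9]+/g, "-");

// Step 2, pre-0.5.2: `-+$` backtracks through every shorter match each time
// `$` fails, so a long run of dashes that is not at the end costs O(n^2).
const trimQuadratic = (s) => s.replace(/^-+|-+$/g, "");
// Step 2, 0.5.2: no quantifier, so there is nothing to backtrack over.
const trimLinear = (s) => s.replace(/^-|-$/g, "");

const slugifyOld = (s) => trimQuadratic(collapse(s));
const slugifyNew = (s) => trimLinear(collapse(s));

// Small deterministic PRNG so the fuzz set is reproducible run to run.
function mulberry32(seed) {
  return () => {
    seed = (seed + 0x6d2b79f5) | 0;
    let t = Math.imul(seed ^ (seed >>> 15), 1 | seed);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Constructed inputs biased toward the boundary cases: leading and trailing
// punctuation, runs of dashes, empty and all-punctuation strings.
function fuzzInputs(count, seed = 42) {
  const rnd = mulberry32(seed);
  const alphabet = ["a", "Z", "7", "-", " ", "_", ".", "--", "---", "!"];
  const out = ["", "-", "---", "a", "-a-", "--a--", "a--b", "Hello, World!"];
  for (let i = 0; i < count; i++) {
    const len = Math.floor(rnd() * 12);
    let s = "";
    for (let j = 0; j < len; j++) s += alphabet[Math.floor(rnd() * alphabet.length)];
    out.push(s);
  }
  return out;
}

// True when the old and new slugify agree on every input.
function equivalentOnAll(inputs) {
  return inputs.every((s) => slugifyOld(s) === slugifyNew(s));
}

// The equivalence relies on the collapse step: on raw input the trims differ,
// because `^-|-$` removes at most one dash at each end.
function trimDisagreement(s) {
  return { quadratic: trimQuadratic(s), linear: trimLinear(s) };
}

// Wall-clock cost of each bare trim on `a` + n dashes + `b`: `-+` matches at
// every dash position, `$` fails after each, and the engine retries every
// shorter length before moving on. (Timing is illustrative, not asserted.)
function probe(n) {
  const s = "a" + "-".repeat(n) + "b";
  const time = (fn) => {
    const t0 = process.hrtime.bigint();
    fn(s);
    return Number(process.hrtime.bigint() - t0) / 1e6;
  };
  return { n, quadraticMs: time(trimQuadratic), linearMs: time(trimLinear) };
}

console.log(slugifyNew("  Hello, World!  "));
console.log(equivalentOnAll(fuzzInputs(2000)));
console.log(trimDisagreement("--a--"));
console.log(probe(10000), probe(20000));
```

The probe exercises the trim step on its own, which is what CodeQL's polynomial-ReDoS query reasons about; inside the full idiom the collapse turns the crafted run of dashes into a single dash before the second regex sees it, which is exactly why the quantifier-free replacement is behaviour-preserving. The `trimDisagreement` case is the check to keep in a test: if someone later reorders or drops the collapse, `/^-|-$/g` silently stops trimming runs.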

rolester update    # or: npm i -g rolester@0.5.2

v0.5.1 — complete the bad-tag-filter fix

@scttbnsn scttbnsn released this 30 Jun 23:17

A one-line security patch. The 0.4.1 HTML-stripper fix used </script\s*>, which still misses real end tags like </script bar> (an HTML parser closes the element on </script + any non-> chars + >). htmlToText now uses [^>]* so script/style stripping can't be bypassed. Caught by CodeQL's PR diff (js/bad-tag-filter).
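The three generations of the end-tag pattern (0.4.0 bare `</script>`, the 0.4.1 `</script\s*>` from the security-hardening release, and the 0.5.1 `</script[^>]*>`) run over a constructed payload, as an added example that is not rolester's htmlToText. The surrounding tag removal and whitespace squeeze are stand-ins for whatever the real text pass does; `makeStripper` and the sample markup are assumptions made here. A fourth variant, added as a refinement of my own and not something the release describes, anchors the end tag the way the HTML tokenizer does: the name must be followed by whitespace, `/` or `>`, so `</scriptx>` does not close the element.

```javascript
// Added example (not rolester's code): script/style strippers that differ
// only in how they recognise the end tag, plus the payloads that separate them.

// 0.4.0: only a literal `</script>` ends the block.
const END_BARE = (tag) => new RegExp(`<${tag}\\b[^>]*>[\\s\\S]*?</${tag}>`, "gi");
// 0.4.1: tolerates `</script >` but still misses `</script bar>`.
const END_WS = (tag) => new RegExp(`<${tag}\\b[^>]*>[\\s\\S]*?</${tag}\\s*>`, "gi");
// 0.5.1: anything up to the next `>` after the tag name ends the block.
const END_ANY = (tag) => new RegExp(`<${tag}\\b[^>]*>[\\s\\S]*?</${tag}[^>]*>`, "gi");
// Refinement (mine, not the release's): the tokenizer only treats `</script`
// as an end tag when the next character is whitespace, `/` or `>`.
const END_SPEC = (tag) =>
  new RegExp(`<${tag}\\b[^>]*>[\\s\\S]*?</${tag}(?=[\\s/>])[^>]*>`, "gi");

// Builds a stripper: remove script/style blocks with the given end-tag rule,
// then drop any remaining tags and squeeze whitespace (simplified text pass).
function makeStripper(endTagFor) {
  return (html) => {
    let out = html;
    for (const tag of ["script", "style"]) out = out.replace(endTagFor(tag), " ");
    return out.replace(/<[^>]+>/g, " ").replace(/\s+/g, " ").trim();
  };
}

const stripBare = makeStripper(END_BARE);
const stripWs = makeStripper(END_WS);
const stripAny = makeStripper(END_ANY);
const stripSpec = makeStripper(END_SPEC);

// Constructed inputs (not captured from any site).
const CONSTRUCTED = {
  // End tag with a junk attribute: a browser still closes the element here.
  junkEndTag: '<p>Open role</p><script>fetch("/steal")</script bar><p>Apply now</p>',
  // Whitespace before `>`: the case 0.4.1 fixed.
  spacedEndTag: "<script>x()</script ><p>hi</p>",
  // Fake end tag: `</scriptx>` does NOT close the element in a browser, so
  // the whole of `a();</scriptx>b();` is script text.
  fakeEndTag: "<script>a();</scriptx>b();</script>",
};

// Script text that leaked into the "visible text" result, if any.
function leakedScript(stripper, html) {
  const text = stripper(html);
  return text.includes("(") ? text : "";
}

console.log(stripWs(CONSTRUCTED.junkEndTag));   // script body leaks as text
console.log(stripAny(CONSTRUCTED.junkEndTag));  // stripped
console.log(stripAny(CONSTRUCTED.fakeEndTag));  // cuts early, "b();" leaks
console.log(stripSpec(CONSTRUCTED.fakeEndTag)); // stripped
```

When a stripper misses the real end tag, the lazy `[\s\S]*?` never finds its terminator, the whole `<script>` region is left alone, and the generic tag pass then deletes only the angle-bracket tags, so the script body lands in the extracted text. The `[^>]*` form is slightly broader than the tokenizer's rule (it also stops at `</scriptx>`), and the consequence of that over-match is the opposite failure: script text after the fake end tag is kept as text. Regex stripping of HTML remains a heuristic; it handles none of comments, CDATA or nested quoting, and a real tokenizer is the safer choice where the text is trusted downstream.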

rolester update    # or: npm i -g rolester@0.5.1

v0.5.0 — report-issue skill + ship the scripts skills invoke

@scttbnsn scttbnsn released this 30 Jun 22:38

What's new

  • report-issue skill — when Rolester itself looks broken (a crash, stack trace, non-zero exit, or clearly-wrong output), the agent now knows to help you file a bug. It first separates a real defect from a config problem (setup issues route to configure / doctor), assembles redacted diagnostics — no candidate PII, comp, employer/recruiter names, or workspace contents, with home paths normalized — and, only with your explicit yes, opens a GitHub issue on this repo under your own gh identity. It never auto-files and falls back to a prefilled issue URL when gh isn't available. Say "this is broken", "report a bug", or "file an issue".

Fixes

  • Ship the scripts the skills actually invoke. The package files allowlist shipped only install-skills.mjs, but skills call npm run verify:tracker (13×), calibrate:style (9×), scan:sourced, analyze:outcomes, and more — all of which point at scripts/*.mjs that weren't in the package. So those commands broke in every installed and live copy (the missing verify-tracker.mjs failure). This release ships all 8 user-facing scripts. If you maintain a live tree, rolester update (or update-live) now pulls them in.

Housekeeping

  • New packaging guard: a test now fails if any script reachable from a skill or a published npm run alias isn't in the files allowlist (dev-only demo build/deploy scripts exempted) — so this regression class can't ship again.
  • Docs: backfilled the missing company-health entry in the skills reference.
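A packaging guard of the kind the housekeeping note describes, as an added example rather than rolester's own test. The `package.json` contents and the skill texts are constructed inline, the dev-only exemption list is an assumption, and the allowlist matcher is deliberately simplified to exact paths and `dir/` prefixes (npm's `files` also accepts globs and always ships a few files such as `package.json`).

```javascript
// Added example (not rolester's test): fail when a script reachable from a
// skill or from a published `npm run` alias is missing from the `files` allowlist.

// Constructed package.json: two aliases point at scripts that are not shipped.
const PKG = {
  name: "example",
  files: ["bin/", "src/", "scripts/install-skills.mjs"],
  scripts: {
    "verify:tracker": "node scripts/verify-tracker.mjs",
    "calibrate:style": "node scripts/calibrate-style.mjs",
    "install-skills": "node scripts/install-skills.mjs",
    "demo:build": "node scripts/demo-build.mjs",
    test: "node --test",
  },
};

// Constructed skill bodies: the agent prompts that name the aliases to run.
const SKILLS = {
  "track-outcomes.md": "After recording, run `npm run verify:tracker` to validate.",
  "write-resume.md": "Run `npm run calibrate:style -- --json` before drafting.",
};

// Assumed exemption: build/deploy aliases that only run in the dev checkout.
const DEV_ONLY = new Set(["demo:build"]);

// Every `npm run <alias>` token that appears in any skill text.
function aliasesInSkills(skills) {
  const found = new Set();
  for (const text of Object.values(skills)) {
    for (const m of text.matchAll(/npm run ([\w:-]+)/g)) found.add(m[1]);
  }
  return found;
}

// Local script files an alias executes (only `node <path>.mjs` is recognised).
function scriptFilesFor(command) {
  return [...command.matchAll(/(?:^|\s)node\s+(\S+\.mjs)/g)].map((m) => m[1]);
}

// Simplified `files` semantics: exact entry, or anything under a `dir/` entry.
function isShipped(path, files) {
  return files.some((entry) =>
    entry.endsWith("/") ? path.startsWith(entry) : path === entry);
}

// Scripts that a skill or alias reaches but the published package would lack.
function unshippedScripts(pkg, skills, devOnly = DEV_ONLY) {
  const aliases = new Set([...Object.keys(pkg.scripts), ...aliasesInSkills(skills)]);
  const missing = [];
  for (const alias of aliases) {
    if (devOnly.has(alias)) continue;
    const cmd = pkg.scripts[alias];
    if (!cmd) {
      missing.push({ alias, file: null, reason: "alias not defined in package.json" });
      continue;
    }
    for (const file of scriptFilesFor(cmd)) {
      if (!isShipped(file, pkg.files)) missing.push({ alias, file, reason: "not in files allowlist" });
    }
  }
  return missing;
}

// The guard as a test would use it: throws with the full list, else returns true.
function assertAllShipped(pkg, skills) {
  const missing = unshippedScripts(pkg, skills);
  if (missing.length) {
    const lines = missing.map((m) => `  ${m.alias} -> ${m.file ?? m.reason}`);
    throw new Error("unshipped scripts:\n" + lines.join("\n"));
  }
  return true;
}

console.log(unshippedScripts(PKG, SKILLS));
```

Running the guard against a fresh `npm pack --dry-run` listing instead of the raw `files` array would remove the simplification: the tarball manifest is the ground truth for what users receive.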
rolester update    # or: npm i -g rolester@0.5.0

v0.4.1 — security hardening

@scttbnsn scttbnsn released this 30 Jun 22:25

A security-hardening patch. These fixes were flagged by CodeQL and landed just after 0.4.0 went out; since they touch shipped src/ files, this release gets them to users.

Security fixes

  • Markdown-table escaping — the escapeCell helpers (interview packet, sourced-intake, sourced-delta) now escape backslashes before pipes, so a trailing \ can't escape the cell delimiter and break out of a table cell. (js/incomplete-sanitization)
  • HTML stripper — the liveness job-link checker's htmlToText now tolerates whitespace in </script > / </style > end-tags, closing a tag-filter bypass. (js/bad-tag-filter)
  • Library drawer — tag rendering clones DOM nodes instead of round-tripping innerHTML, removing an XSS-through-DOM path. (js/xss-through-dom)
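Why the order of the two replacements in `escapeCell` matters, as an added example that is not rolester's helper. It renders a row with the cells flush against the pipes (an assumption made here so that a trailing backslash meets the delimiter directly) and splits it back with a small reader that honours backslash escapes of ASCII punctuation, which is the rule a GFM-style consumer applies; the splitter is written for this example and is not the project's parser.

```javascript
// Added example (not rolester's code): backslash-then-pipe escaping for
// Markdown table cells, checked by rendering a row and splitting it again.

// Pre-0.4.1 shape: pipes escaped, backslashes left alone. A cell that ends in
// `\` turns the delimiter into `\|`, and a cell containing `\|` becomes `\\|`,
// i.e. an escaped backslash followed by a live delimiter.
const escapeCellNaive = (s) => s.replace(/\|/g, "\\|");

// 0.4.1: backslashes first, then pipes, so no cell backslash can pair with
// the delimiter or with the backslash that escapes a pipe.
const escapeCell = (s) => s.replace(/\\/g, "\\\\").replace(/\|/g, "\\|");

// Tight rendering (assumed): `|cell|cell|` with no padding spaces.
const renderRow = (cells, esc) => "|" + cells.map(esc).join("|") + "|";

// ASCII punctuation: the only characters a backslash escapes in Markdown.
const PUNCT = /[!-\/:-@\[-`{-~]/;

// Splits a rendered row into cells: `\` + punctuation is the literal
// punctuation character, an unescaped `|` is a cell boundary.
function splitRow(row) {
  const body = row.replace(/^\|/, "").replace(/\|$/, "");
  const cells = [];
  let cur = "";
  for (let i = 0; i < body.length; i++) {
    const c = body[i];
    if (c === "\\" && i + 1 < body.length && PUNCT.test(body[i + 1])) {
      cur += body[++i];
      continue;
    }
    if (c === "|") {
      cells.push(cur);
      cur = "";
      continue;
    }
    cur += c;
  }
  cells.push(cur);
  return cells;
}

// Render with the given escaper and read back; equal to the input when the
// escaping is complete.
function roundTrip(cells, esc) {
  return splitRow(renderRow(cells, esc));
}

// Constructed cells: one ends in a backslash, one contains a literal `\|`.
const CELLS = ["dir\\", "a\\|b", "plain"];

console.log(renderRow(CELLS, escapeCellNaive), roundTrip(CELLS, escapeCellNaive));
console.log(renderRow(CELLS, escapeCell), roundTrip(CELLS, escapeCell));
```

The general rule behind the fix is the one CodeQL's js/incomplete-sanitization query checks for: whenever an escape character is introduced to neutralise a delimiter, the escape character itself must be escaped first, or attacker-controlled input can supply a backslash that consumes the one the sanitizer adds.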

Housekeeping

  • CodeQL now scans the dev release branch, not just main — releases ship from dev, so the scanner had never analyzed the actually-released code. The dev baseline is clean.

No schema or workflow changes; this is a drop-in update.

rolester update    # or: npm i -g rolester@0.4.1

v0.4.0

@scttbnsn scttbnsn released this 30 Jun 22:03

What's new

The global rolester binary now exposes the full command surface. Every workflow CLI is reachable as rolester <cmd>: companies, tracker-dev, modes, activity, research, stories, strategy-review, analytics, evidence, gate, learnings, status-map, and install-skills — not just via npm run. They're all listed in rolester help.

Fixes

  • Documented commands now actually run. The command-form sweep left a stray npm -- separator on the binary form. The global binary forwards args verbatim, so rolester automation -- status failed with unknown command "--". Fixed across 49 call sites, including the fix-it guidance rolester doctor prints to users.
  • Fixed the non-existent rolester render alias (now rolester tracker).

Housekeeping

  • All command references across the skills, AGENTS.md, docs, docs-site, website, and templates now use the rolester binary form.

Update: rolester update (your candidate/ and workspace/ data is untouched).

v0.3.3

@scttbnsn scttbnsn released this 30 Jun 00:54

What's changed

  • Added shared agent guidance for doctor, rolester next, and the dashboard Next agent task card.
  • Added rolester next / npm run next with durable discovery skip recording for optional board/company discovery steps.
  • Updated onboarding/search/discovery router docs so agents steer through setup-searches -> research-boards -> discover-companies -> search-jobs and keep recommending the next useful skill after setup.
  • Tightened empty search/company source outputs and manual rolester start --no-agent handoff text.

Verification

  • npm test
  • npm run doctor
  • npm run lint:placeholders
  • npm run next
  • npm run tracker -- --json
  • npm pack --dry-run

Rolester v0.3.2

@scttbnsn scttbnsn released this 30 Jun 00:12

What's changed

  • Adds an onboarding target posting-age preference and threads it into generated search recency.
  • Makes doctor, search source, and company source CLIs surface readiness instead of leaving users to infer what has or has not run.
  • Aligns the post-onboarding discovery flow around setup-searches -> research-boards -> discover-companies -> search-jobs.
  • Fixes capture:search-sources YAML loading for canonical searches[] configs, query-to-term mapping, and HiringCafe checkpoint failures.

Verification

  • npm test
  • npm run doctor
  • npm run lint:placeholders
  • npx biome check on touched source/test files
  • npm pack --dry-run

v0.3.1

@scttbnsn scttbnsn released this 29 Jun 15:57
0baf675

Bugfix-led patch with one backward-compatible feature.

Fixed — reevaluation gate false positive (and the same class elsewhere)

The reevaluation gate could fire a false "thresholds tripped" because contract prose invited the agent to recompute the gate from cumulative rejections instead of reading the persisted analytics block, which trips on the delta since the last review.

  • reevaluate-strategy reads tracker.json#analytics.reevaluation (npm run analytics), not the descriptive analyze:outcomes; fit-bands come from persisted app.fitBucket.
  • AGENTS.md reevaluation contract clarified (delta not cumulative; read-the-block; dashboard nudge vs reevaluation.due are distinct gates).
  • track-outcomes refreshes the analytics block (npm run analytics -- --write) before re-render, so the gate isn't read stale.
  • company-health counts screen toward the interview fire-band.
  • apply-job reads persisted fitBucket before re-deriving the FIT tier.

Added

  • compEstimate staleness — comp estimates now carry asOf and a comp_estimate.recheck_days window (default 30), mirroring company_health; the comp card shows "as of <date>". Additive, non-breaking.

909 tests pass.

rolester 0.3.0 — company-health, docs site, analytics

@scttbnsn scttbnsn released this 28 Jun 12:13
e3fca4e

Feature release.

Highlights

  • Company-health / sentiment skill — a role-scoped healthy | watch | risky rating (layoff risk, hiring momentum, financials, sentiment, leadership) that dents the fit score only where a poor dimension intersects a stated candidate need. Cost-gated firing (manual anytime; auto at the interview stage by default), persisted to the tracker, internal signal only — never enters an outbound artifact. Card badge + drawer health section on the dashboard.
  • Docs site — Fumadocs documentation served at /docs (friendly + advanced tracks).
  • Outcome analytics as SSOT — one persisted reevaluation block, read everywhere.
  • Demo overhaul — fixture rebalanced to a believable search, explicit company-logo field, evergreen date rebase, honest jobs funnel.
  • Website launch-polish — footer, docs links, scroll-reveal, favicon, demo embed, softened positioning copy.
  • License — back to MIT.

Quality

  • Full test suite green: 912 pass / 0 fail.
  • Published with npm provenance via OIDC Trusted Publishing.

Install: npm install -g rolester

v0.2.4

@biggest-littlest biggest-littlest released this 26 Jun 22:02
711a9ae

Relicensed under BUSL-1.1. Starting with 0.2.4, Rolester is source-available under the Business Source License 1.1: free for personal and non-commercial use (including running your own job search) and for internal evaluation. Offering it as a hosted or commercial service requires a commercial license. Auto-converts to Apache 2.0 on 2030-06-26. Versions 0.2.0–0.2.3 remain MIT.

Clone-canonical install. Getting started is now git clone -> npm install -> node bin/rolester.mjs start everywhere (README, AGENTS.md, docs, website). The agent runs in-tree, so a local clone is the correct path, not a global npm install. Keep current with node bin/rolester.mjs update. Added a fictional sample job posting under examples/sample-jobs/ so testers have something to paste.

Node-native DOCX export. Document DOCX styling (Helvetica, all-black, tight spacing, narrow margins) moved into the Node export path via a generated pandoc reference doc and the OOXML fallback. Dropped the lone Python helper — no Python dependency anymore.