
chore: sync core lib and CLAUDE.md from agent-core#88

Merged: avifenesh merged 1 commit into main from chore/sync-core-web-ctl-20260426-131129 on Apr 26, 2026
@avifenesh (Collaborator) commented Apr 26, 2026

Automated sync of lib/ and CLAUDE.md from agent-core.


Note

Medium Risk
Touches the runtime binary download/extraction path and changes tasks.json corruption handling from silent fallback to throwing/optimistic-lock updates, which could affect installs and workflow state under concurrency or bad disk data.

Overview
Hardens runtime installation of the agent-analyzer binary by verifying each GitHub release asset against a required <asset>.sha256 sidecar and refusing to install unverified/mismatched downloads (with a skipChecksum dev-only escape hatch).

Reworks archive extraction to be safer: extracts into an isolated scratch dir, validates archive entry paths against traversal/absolute/UNC patterns, rejects symlinks, and then copies only the expected binary into the final install location; Windows zip extraction now uses a PowerShell -File helper with env-passed paths and per-entry validation.

Adds lib/repo-intel/queries.js with typed wrappers around agent-analyzer repo-intel query ... (including a dedicated RepoIntelMissingError). Updates workflow-state tasks.json storage to a canonical schema and introduces versioned writes plus optimistic-lock helpers (updateTasks, claimTask, releaseTask), while changing corrupted JSON handling to throw/avoid overwriting instead of silently returning defaults.

Reviewed by Cursor Bugbot for commit 473d265.
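The two install-time checks summarized in the overview above (sidecar checksum, then entry-path validation before copying one binary out of scratch), as an added example that is not the project's own code. The sidecar layout (sha256sum style), the asset name `agent-analyzer.tar.gz`, and all function names here are assumptions.

```javascript
const crypto = require('node:crypto');
const path = require('node:path');

// Assumed sidecar format: "<64 hex>  <filename>" (sha256sum style) or a bare digest.
function parseSidecar(text) {
  const first = String(text).trim().split(/\r?\n/)[0];
  const m = /^([0-9a-fA-F]{64})(?:\s+\*?(\S.*))?$/.exec(first);
  if (!m) throw new Error('malformed .sha256 sidecar');
  return { digest: m[1].toLowerCase(), name: m[2] || null };
}

// Refuse the download unless its SHA-256 matches the sidecar for this asset.
function verifyAsset(assetName, assetBuf, sidecarText) {
  const { digest, name } = parseSidecar(sidecarText);
  if (name && path.posix.basename(name) !== assetName) {
    throw new Error('sidecar is for a different asset: ' + name);
  }
  const actual = crypto.createHash('sha256').update(assetBuf).digest('hex');
  if (actual !== digest) throw new Error('checksum mismatch for ' + assetName);
  return true;
}

// True only for relative entry names that stay inside the scratch directory.
function isSafeEntry(entry) {
  if (typeof entry !== 'string' || entry === '' || entry.includes('\0')) return false;
  if (/^[\\/]/.test(entry)) return false;       // absolute path or UNC (\\host\share)
  if (/^[A-Za-z]:/.test(entry)) return false;   // Windows drive-qualified path
  return !entry.split(/[\\/]+/).includes('..'); // any ".." segment
}

// Validate the whole listing, then return the one entry to copy out of scratch.
function pickBinary(entries, binaryName) {
  const bad = entries.filter((e) => !isSafeEntry(e));
  if (bad.length) throw new Error('unsafe archive entries: ' + JSON.stringify(bad));
  const hits = entries.filter((e) => path.posix.basename(e.replace(/\\/g, '/')) === binaryName);
  if (hits.length !== 1) throw new Error('expected exactly one ' + binaryName);
  return hits[0];
}

// Constructed sample data (not from the project): asset bytes "abc" and its digest.
const SAMPLE_ASSET = Buffer.from('abc');
const SAMPLE_SIDECAR =
  'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  agent-analyzer.tar.gz\n';
const GOOD_LISTING = ['README.md', 'bin/agent-analyzer'];
const BAD_LISTING = ['bin/agent-analyzer', '../outside/agent-analyzer'];
```

Name-based validation does not see entry types, so link entries still need the separate rejection the overview mentions.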


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces significant security hardening for binary management, including SHA-256 checksum verification and robust archive entry validation to prevent path traversal attacks. It also adds a new module for repository intelligence queries and implements optimistic locking for workflow state management to safely handle concurrent task updates. The review feedback suggests improving the portability of the tar commands by explicitly specifying stdin as the input source using the -f - flag.

Comment thread lib/binary/index.js
const tar = cp.spawn('tar', ['xz', '-C', tarDest], {
stdio: ['pipe', 'pipe', 'pipe']
});
const tar = cp.spawn('tar', ['-tz'], { stdio: ['pipe', 'pipe', 'pipe'] });
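Review bot: On the new `tar -tz` spawn line, all three stdio streams are pipes, so the caller has to drain stderr and treat a non-zero exit as a failed listing; otherwise a truncated stream can yield a partial list of names that still passes validation. `-t` without `-v` also prints names only, so link entries cannot be told apart from regular files at this step and need their own check.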

medium

For better portability across different tar implementations (especially on Linux), it is recommended to explicitly specify that input should be read from stdin using the -f - flag. Some versions of tar do not default to stdin when no file is provided.

Suggested change
const tar = cp.spawn('tar', ['-tz'], { stdio: ['pipe', 'pipe', 'pipe'] });
const tar = cp.spawn('tar', ['-tzf', '-'], { stdio: ['pipe', 'pipe', 'pipe'] });

Comment thread lib/binary/index.js

try {
await new Promise(function(resolve, reject) {
const tar = cp.spawn('tar', ['xz', '-C', scratch], { stdio: ['pipe', 'pipe', 'pipe'] });
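Review bot: The extraction spawn `['xz', '-C', scratch]` is a separate tar process from the listing pass, so both must be fed the identical in-memory bytes that were checksummed; if the archive is re-read between the two, the validated names and the extracted files can differ. The bundled key `xz` also differs in style from the listing's `-tz`; using the same option style in both calls keeps them easy to compare.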

medium

Similar to the listing command, adding -f - ensures that tar correctly reads the archive from stdin across various platforms and tar versions.

Suggested change
const tar = cp.spawn('tar', ['xz', '-C', scratch], { stdio: ['pipe', 'pipe', 'pipe'] });
const tar = cp.spawn('tar', ['-xzf', '-', '-C', scratch], { stdio: ['pipe', 'pipe', 'pipe'] });

@avifenesh avifenesh merged commit 3870e7a into main Apr 26, 2026
8 checks passed
@avifenesh avifenesh deleted the chore/sync-core-web-ctl-20260426-131129 branch April 26, 2026 13:16

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 473d265.

// Another writer won — retry with jitter
const jitter = Math.floor(Math.random() * 20);
const start = Date.now();
while (Date.now() - start < jitter) { /* busy-wait for short jitter */ }
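Review bot: The delay on the `Math.random() * 20` line is a flat 0 to 19 ms that does not grow with the attempt number, so writers that collide once are likely to collide again under sustained contention; scale the wait by the attempt count and confirm the surrounding loop has a fixed retry limit. A draw of 0 also retries immediately.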

Busy-wait loop ignores existing sleepForRetry utility

Medium Severity

The new updateTasks retry loop uses a CPU-spinning busy-wait (while (Date.now() - start < jitter) {}) for its jitter delay, while sleepForRetry is already imported on line 19 and used by the analogous updateFlow function at line 396 for the same purpose. sleepForRetry uses Atomics.wait for a proper non-blocking synchronous sleep, avoiding needless CPU consumption. This is both inconsistent with the existing pattern and wasteful.


Reviewed by Cursor Bugbot for commit 473d265.
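The versioned-write retry discussed in this thread, as an added example that is not the project's code: an optimistic-lock `updateTasks` that throws on corrupt JSON and waits with `Atomics.wait` instead of spinning. The `{ version, tasks }` schema, `sleepSync` (a stand-in for the project's `sleepForRetry`, whose body is not shown on this page), and `demoContention` are assumptions.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Synchronous sleep that parks the thread instead of spinning the CPU.
function sleepSync(ms) {
  if (ms > 0) Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);
}

// Corrupt or off-schema JSON throws, so a later write cannot replace it with defaults.
function readTasks(file) {
  const doc = JSON.parse(fs.readFileSync(file, 'utf8'));
  if (!doc || !Number.isInteger(doc.version) || !Array.isArray(doc.tasks)) {
    throw new Error('tasks.json does not match the expected schema');
  }
  return doc;
}

// Optimistic lock: write only if the version read at the start is still current.
function updateTasks(file, mutate, maxAttempts = 5) {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const base = readTasks(file);
    const tasks = mutate(base.tasks.map((t) => ({ ...t })));
    if (readTasks(file).version === base.version) {
      const tmp = file + '.' + process.pid + '.tmp';
      fs.writeFileSync(tmp, JSON.stringify({ version: base.version + 1, tasks }));
      fs.renameSync(tmp, file); // atomic replace; check-to-rename window is small, not zero
      return { version: base.version + 1, attempts: attempt };
    }
    sleepSync(attempt * 10 + Math.floor(Math.random() * 20)); // growing delay plus jitter
  }
  throw new Error('updateTasks gave up after ' + maxAttempts + ' attempts');
}

// Constructed demo: a competing writer lands during the first attempt only.
function demoContention() {
  const file = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'tasks-')), 'tasks.json');
  fs.writeFileSync(file, JSON.stringify({ version: 1, tasks: [{ id: 't1', owner: null }] }));
  let calls = 0;
  const result = updateTasks(file, (tasks) => {
    if (++calls === 1) {
      fs.writeFileSync(file, JSON.stringify({ version: 2, tasks: [{ id: 't1', owner: 'other' }] }));
    }
    return tasks.concat({ id: 't2', owner: 'me' });
  });
  return { result, final: readTasks(file), file };
}
```

Because the mutation is re-applied to the freshly read state on retry, the competing writer's change to `t1` survives alongside the new `t2` entry.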
