
Releases: elementalsouls/Claude-BugHunter

v2.1 — community skills · CI gate · security fixes

05 Jun 16:15
872d9a2


Second major bundle release. 51 → 71 skills, a CI quality/safety gate, a docs site, and security fixes to the toolkit's own code.

✨ Added

  • 20 new hunt-* skills (community v3 expansion — thanks @muhsiindeniiz): hunt-lfi, hunt-nosqli, hunt-deserialization, hunt-cors, hunt-host-header, hunt-open-redirect, hunt-brute-force, hunt-session, hunt-ldap, hunt-nextjs, hunt-nodejs, hunt-dom, hunt-websocket, hunt-grpc, hunt-laravel, hunt-springboot, hunt-k8s, hunt-cicd, hunt-source-leak, hunt-tls-network. (28 → 48 hunt modules.)
  • CI skill-linter — validates every SKILL.md and blocks leaked secrets + client/engagement identifiers (SHA-256 denylist; plaintext names never enter the repo).
  • Docs site — GitHub Pages under docs/ with a searchable, auto-generated skill catalog.
  • Community infrastructure — issue/PR templates, CODEOWNERS, CODE_OF_CONDUCT.md, CHANGELOG.md, FUNDING.yml.
  • New hunt-auth-bypass function-level access control section; Azure App Service takeover fingerprint in hunt-subdomain.

🔒 Fixed (security — closes #13)

  • Path traversal (cbh recon) and arbitrary file write (cbh report --out) — real path containment.
  • Shell injection in the hunt.sh engagement scaffold — neutralized.
  • Q5 validation-gate logic (duplicates no longer pass).
  • Loud warning when --proxy disables TLS verification.
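The two path fixes above (the `cbh recon` traversal and the `cbh report --out` arbitrary write) share one defensive pattern: resolve the caller-supplied path against the allowed base directory with `realpath`, then check containment segment-wise rather than by string prefix. The following is an added illustration of that pattern, not code from the Claude-BugHunter project; the function names `contain`, `is_contained`, `safe_write` and `demo`, and the temporary directory layout, are all constructed for this example.

```python
import os
import tempfile


def contain(base_dir: str, user_path: str) -> str:
    """Return the real absolute path for user_path if it stays under base_dir.

    Both sides go through os.path.realpath so '..' segments and symlinks are
    collapsed before the comparison. A relative user_path is taken relative
    to base_dir. Raises ValueError when the resolved path escapes the base.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath compares whole segments, so /srv/out2 is NOT treated as
    # inside /srv/out the way a naive startswith() check would.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return candidate


def is_contained(base_dir: str, user_path: str) -> bool:
    """Boolean form of contain() for callers that only need a yes/no answer."""
    try:
        contain(base_dir, user_path)
        return True
    except ValueError:
        return False


def safe_write(base_dir: str, user_path: str, data: str) -> str:
    """Write data only beneath base_dir; returns the path actually written."""
    target = contain(base_dir, user_path)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w", encoding="utf-8") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Constructed scenario: a report directory containing a symlink that
    points outside it, plus a sibling directory sharing the same name prefix."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        out_dir = os.path.join(root, "reports")
        outside = os.path.join(root, "outside")
        os.makedirs(out_dir)
        os.makedirs(outside)
        os.makedirs(os.path.join(root, "reports2"))
        os.symlink(outside, os.path.join(out_dir, "link"))

        # 1. ordinary relative name stays inside: accepted and written
        written = safe_write(out_dir, "target-a/findings.md", "ok")
        results["plain"] = os.path.isfile(written)
        # 2. dot-dot traversal: rejected
        results["dotdot"] = is_contained(out_dir, "../outside/pwned.md")
        # 3. symlink inside the base that resolves outside: rejected by realpath
        results["symlink"] = is_contained(out_dir, "link/pwned.md")
        # 4. sibling directory with the same prefix: rejected by commonpath
        results["prefix"] = is_contained(out_dir, "../reports2/x.md")
    return results


if __name__ == "__main__":
    print(demo())
```

The check is a resolve-then-compare, so a process that can create symlinks under the base directory between the check and the `open()` could still race it; for a CLI that writes into a directory it does not own, the usual hardening on top of this is to open with `O_NOFOLLOW` or via a directory file descriptor (`dir_fd`) so the final component cannot be redirected after the check.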

Credit: @sseshachala (report + fix), @muhsiindeniiz (skills), @xiaolai (earlier PRs).

💜 Sponsor

Atlas Cloud — full-modal AI inference, one API for video/image/LLM.

Full changelog: https://github.com/elementalsouls/Claude-BugHunter/blob/main/CHANGELOG.md

v2.0 — report-curation + 5 missing surfaces + chains + engagements

25 May 21:00


Workstream A — Report-curation backfill across 11 hunt-* skills (report counts before -> after):

  • hunt-graphql 3 -> 12
  • hunt-race-condition 3 -> 12
  • hunt-xxe 4 -> 10
  • hunt-cache-poison 4 -> 10
  • hunt-auth-bypass 4 -> 12
  • hunt-business-logic 7 -> 12
  • hunt-sqli 8 -> 12
  • hunt-ssrf 9 -> 15
  • hunt-csrf 10 -> 15
  • hunt-oauth 10 -> 19
  • hunt-subdomain 11 -> 15

Citations are primary-source URLs (HackerOne reports, GitHub Security Advisories, PortSwigger Research, vendor advisories).

Workstream B — Five 2024-2026 surfaces previously missing, now covered:

  • Duende BFF role-partitioned CSRF + token-confusion (hunt-csrf, hunt-auth-bypass)
  • OData WAF blacklist bypass (hunt-api-misconfig)
  • NSwag/Swagger spec exposure + ~100-path discovery wordlist (hunt-api-misconfig, web2-recon)
  • Cognito IdentityPool unauthenticated-role chain (cloud-iam-deep)
  • CloudWatch RUM weaponization (hunt-cloud-misconfig)

Workstream C — HTTP/2 single-packet attack: a 145-line deep reference in hunt-race-condition. Covers the last-byte-sync mechanic step by step, a Wireshark validation procedure, h2.0 single-frame vs h2.cl multi-frame variants, race-window estimation methodology, the Turbo Intruder Engine.BURP2 template explained line by line, a multi-connection-single-stream decision tree, Flatt Security's 10,000-request first-sequence-sync extension, and an operator playbook. Cites Kettle DEF CON 31 + Flatt 2024 explicitly.

Workstream D — Zero-report skills backfilled (report counts before -> after):

  • cloud-iam-deep 0 -> 6
  • okta-attack 0 -> 8
  • vmware-vcenter-attack 0 -> 10
  • supply-chain-attack-recon 0 -> 12

All citations are primary-source URLs (CISA KEV, Mandiant, ZDI, vendor advisories, GitHub Security blog).

Workstream E — Chains & Compositions sections on the 5 high-volume skills (hunt-misc, hunt-xss, hunt-rce, hunt-idor, hunt-subdomain): 29 fully-developed A->B->C chain examples. Each chain gives primitive A, primitive B, terminal impact, a real-world reference, and a severity rationale.

Workstream F — New ENGAGEMENTS.md (continent-level abstraction, SoW-redacted) documenting two authorized engagements as the evidence file behind the README's "battle-tested" claim. Explicitly separates training-platform exercises from authorized-engagement validation.

Bundle metrics (before -> after):

  • report_count 574 -> 681 (+107)
  • top-3 dominance 81.2% -> 68.4% (-13 pp)
  • skills at report_count = 0: 4 -> 0
  • named missing 2024-26 surfaces 5/5 -> 0/5
  • documented chain examples 0 -> 29