Hunter is a source-review harness for running multiple autonomous agents against an authorized local or open-source target repository. This public tree contains only the reusable harness: runner scripts, generic queue templates, and report formats.
It intentionally does not include prior findings, walkthroughs, exploit packages, live validation scripts, target checkouts, logs, caches, or generated run state.
- Bash
- Git
- One supported agent CLI:
claudecodexcopilot
- Optional: Semgrep, language-specific build tools for the target under review
# Clone or link a target into ./target and launch 3 reviewers.
bash scripts/run-hunt.sh https://github.com/org/repo 3
# Check status.
bash scripts/status.sh
# Consolidate reports.
bash scripts/consolidate-reports.shBy default, the scripts do not pass unsandboxed permission-bypass flags to agent CLIs. If you understand the implications and need fully non-interactive operation, set:
export AGENT_UNSANDBOXED=1Choose the engine and model with environment variables:
export ENGINE=codex
export CODEX_MODEL=gpt-5
# or
export ENGINE=claude
export CLAUDE_MODEL=sonnet
# or
export ENGINE=copilot
export COPILOT_MODEL=autoCopilot CLI runs in scripted mode with --no-ask-user and default tool
permissions of read,shell,write. To customize those permissions, set
COPILOT_ALLOW_TOOLS. For fully autonomous Copilot autopilot mode with all
permissions, set AGENT_UNSANDBOXED=1; you can also set
COPILOT_AUTOPILOT=1 and COPILOT_MAX_AUTOPILOT_CONTINUES=<n> explicitly.
scripts/ runner and utility scripts
hunts/bootstrap/ clean seed hunts copied into backlog by reset.sh
hunts/backlog/ generated queue items, ignored by Git
reports/ generated findings and context, ignored by Git
target/ cloned or linked target repository, ignored by Git
This repository is source-only. It does not contain target-specific reports, old run artifacts, live service validators, or proof packages. Generated artifacts stay ignored so a public publish starts clean.