Release/v1.4.2#7
Merged
Replaces the 1.4.1-gal development tag that landed via PR #6 with a proper release version. Updated across package.json, package-lock.json, src/cli/index.ts, and src/mcp/server.ts." # 2. Unrelated but worth fixing: NODE_ENV=production is set in your shell. # This made npm install skip devDependencies and cost us 10 minutes of confusion. # Check your ~/.zshrc or shell init for `export NODE_ENV=production` and remove it — # it's the wrong default for a developer workstation. echo $NODE_ENV # should be empty or "development
When PR #6 (0253fa9) added the external-mode annotation example block in src/agents/prompts.ts, it did not wrap the example lines in an @shield guard the way the inline-mode branch does. Because GuardLink's parser is line-based and matches any line starting with @<verb>, the example lines — which are JavaScript string literals — were parsed as real annotations and produced 4 parse errors during 'guardlink validate .' (the CI dogfood step). Fix: wrap the external-mode example lines in @shield:begin / @shield:end, matching the existing pattern used by the inline-mode branch and by the other example blocks in this file (lines 181, 201, 218, 234). Agent instruction files re-synced by guardlink automatically after the fix.
PR #6 shipped the flag as --mode inline|external, but README.md still referenced --mode inline|gal at two locations, which would leave users running 'guardlink annotate --mode gal' with a cryptic error.
Covers:
- The two headline features from PR #6 (external annotation mode, --stdout)
- Three incidental quality fixes bundled in PR #6 (HTML/CSS comment writeback, review ID uniqueness, decorator robustness in writeback)
- The prompts.ts shield-wrap fix resolving main's CI failure
- Version bump, lockfile cleanup, doc corrections

Contributor credit: @jordi-murgo (PR #6).
Animesh-Sri-bugb added a commit that referenced this pull request May 12, 2026
…ut shapes
Pentest finding confidence renders as 'N%' literal in the dashboard
sidebar drawer and the findings table. The previous code assumed CXG
always emits confidence as an integer percentage:
'<span style="font-weight:600">' + f.confidence + '%</span>'
CXG output has actually varied across versions and template authors:
- Most current versions: integer percentage (50)
- Some templates pre-normalization: severity-style string ('high')
- Older or partial scans: missing / null entirely
When confidence was a string, the dashboard rendered 'high%'. When it
was missing, 'undefined%'. When it was an object (broken upstream),
'[object Object]%'.
Adds src/analyze/format.ts with formatConfidence(), a small pure
helper that normalizes any of the above into a renderable string:
- number -> 'N%' (clamped to [0,100], rounded)
- numeric string ('50' or '50%') -> 'N%'
- severity-word string -> uppercase ('HIGH')
- null/undefined/empty/non-renderable -> em-dash
Wires the helper into both render sites:
- src/dashboard/generate.ts server-side template (line 1742): uses
the imported helper directly.
- The browser-side openPentestDrawer JS (line 474, runs in dashboard
runtime) gets a small inline mirror function with the same logic.
Comments mark these two as needing to stay in sync.
Loosens PentestFinding.confidence type from 'number' to
'number | string | null' to match what CXG actually emits.
Adds tests/format.test.ts (9 tests) covering all input shapes
including adversarial input (Symbol, Date, Error) — formatConfidence
never throws.
What this fix does NOT do: change the user-visible '50%' that CXG
currently emits for every finding regardless of evidence quality.
That is a CXG-side bug — CXG normalizes template-emitted strings
('high', 'medium') down to a hardcoded integer and the integer is
always 50 in current builds. This GuardLink fix means the dashboard
will display the right value as soon as the CXG bug is addressed.
Track upstream CXG fix separately. Address punch-list bug #7
defensively from the GuardLink side.
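
The normalization rules listed in the commit message above, written out as an added TypeScript example; this is not the project's src/analyze/format.ts. The severity words other than 'high' and 'medium', the choice to treat unrecognized strings as non-renderable, and the names legacyCell and renderCell are assumptions made here.

```typescript
// Added example; not the contents of src/analyze/format.ts.
const EM_DASH = "\u2014";
// Assumption: the page names only 'high' and 'medium'; the other words are illustrative.
const SEVERITY_WORDS = ["info", "low", "medium", "high", "critical"];

// number -> 'N%', clamped to [0,100] and rounded; NaN/Infinity are non-renderable.
function percent(n: number): string {
  if (!isFinite(n)) return EM_DASH;
  const clamped = Math.min(100, Math.max(0, n));
  return Math.round(clamped) + "%";
}

function formatConfidence(value: unknown): string {
  if (typeof value === "number") return percent(value);
  // null, undefined, objects, Symbol, Date and Error all land here; typeof never throws.
  if (typeof value !== "string") return EM_DASH;
  const text = value.trim();
  if (text === "") return EM_DASH;
  // Numeric string with an optional trailing percent sign: '50' or '50%'.
  const numeric = /^(-?\d+(?:\.\d+)?)\s*%?$/.exec(text);
  if (numeric) return percent(Number(numeric[1]));
  // Assumption: only known severity words are echoed (uppercased), because the
  // result is concatenated into dashboard HTML; any other string becomes the dash.
  const word = text.toLowerCase();
  return SEVERITY_WORDS.indexOf(word) >= 0 ? word.toUpperCase() : EM_DASH;
}

// The pre-fix render quoted in the commit message, kept for contrast.
function legacyCell(confidence: any): string {
  return '<span style="font-weight:600">' + confidence + "%</span>";
}

// The same span with the normalizer in front of it.
function renderCell(confidence: unknown): string {
  return '<span style="font-weight:600">' + formatConfidence(confidence) + "</span>";
}

// Constructed sample findings covering the output shapes the commit message lists.
const sampleFindings: Array<{ confidence?: unknown }> = [
  { confidence: 50 }, { confidence: "high" }, {}, { confidence: { broken: true } },
];

// Returns [before, after] pairs for each constructed finding.
function compareRenders(): string[][] {
  return sampleFindings.map((f) => [legacyCell(f.confidence), renderCell(f.confidence)]);
}
```
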
Animesh-Sri-bugb added a commit that referenced this pull request May 12, 2026
Reconcile version references across the project to 1.4.3, the agreed
target for the v1.5.1-deferred bug-fix batch on the feat/v1.5.0 branch.
Touched:
- package.json: 1.4.1 -> 1.4.3
- package-lock.json: 1.4.1 -> 1.4.3 (root + packages[''])
- src/cli/index.ts: program.version('1.4.1') -> '1.4.3'
- src/mcp/server.ts: McpServer version '1.4.0' -> '1.4.3'
The MCP server was inconsistently at 1.4.0 even when other surfaces
reported 1.4.1; reconciling all four to 1.4.3 closes that gap.
Scope rationale (from the v1.5.1 discussion): the work on this branch
is materially bug-fix oriented — confidence rendering (#7), topology
dedup (#9), prompt.md migration (#14), fatal tier reservation (#6),
JWT redaction opt-in (#11) — even though two additive features
landed alongside (multi-hop @flows chains, quoted refs in #5). Patch
bump rather than minor reflects the intent: this is the v1.4.x line
plus tight fixes, not a v1.5 product cut. The minor bump and broader
release notes will happen at the rebase against main and the formal
v1.5.0 cut.
Verified: 'guardlink --version' prints 1.4.3; npm build clean;
167/167 tests pass.
Fixes punch-list bug #12.
What does this PR do?
Type
Checklist
- npm run build passes
- npm test passes
- guardlink validate . passes (if annotations changed)

Spec changes
N/A