Merged
33 changes: 18 additions & 15 deletions .clinerules
Expand Up @@ -43,13 +43,13 @@ Every time you write or modify code that touches security-relevant behavior, you

### Open Exposures (need @mitigates or @audit)

- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12)
- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17)
- #agent-launcher exposed to #prompt-injection [medium] (src/agents/launcher.ts:13)
- #agent-launcher exposed to #dos [low] (src/agents/launcher.ts:15)
- #agent-launcher exposed to #prompt-injection [high] (src/agents/prompts.ts:6)
- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12)
- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17)
- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:31)
- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:15)
- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:31)
- #init exposed to #data-exposure [low] (src/init/index.ts:12)
- #mcp exposed to #cmd-injection [high] (src/mcp/index.ts:4)
- #mcp exposed to #prompt-injection [medium] (src/mcp/server.ts:30)
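Review bot: this hunk only reorders the Open Exposures list (the two `#llm-client` entries move below the `#agent-launcher` entries and `#cli` moves below `#sarif`, so the block now appears sorted by source path), which means the churn comes from a change in the generator's ordering rather than from the threat model. Please make sure `guardlink sync` sorts stably (path, then line) so a repeat run is a no-op; otherwise every sync will touch all five agent-instruction files in this PR for no model change. While it passes through: `#cli exposed to #cmd-injection [critical] (src/cli/index.ts:31)` is still carried as an open exposure with no `@mitigates` or `@audit`, and a regeneration PR is a good place to link whatever tracks it.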
Expand All @@ -61,15 +61,6 @@ Every time you write or modify code that touches security-relevant behavior, you

### Existing Data Flows (extend, don't duplicate)

- EnvVars -> #agent-launcher via process.env
- ConfigFile -> #agent-launcher via readFileSync
- #agent-launcher -> ConfigFile via writeFileSync
- UserPrompt -> #agent-launcher via launchAgent
- #agent-launcher -> AgentProcess via spawn
- AgentProcess -> #agent-launcher via stdout
- UserPrompt -> #agent-launcher via buildAnnotatePrompt
- ThreatModel -> #agent-launcher via model
- #agent-launcher -> AgentPrompt via return
- ThreatModel -> #llm-client via serializeModel
- ProjectFiles -> #llm-client via readFileSync
- #llm-client -> ReportFile via writeFileSync
Expand All @@ -79,13 +70,22 @@ Every time you write or modify code that touches security-relevant behavior, you
- LLMToolCall -> #llm-client via createToolExecutor
- #llm-client -> NVD via fetch
- ProjectFiles -> #llm-client via readFileSync
- UserArgs -> #cli via process.argv
- #cli -> FileSystem via writeFile
- EnvVars -> #agent-launcher via process.env
- ConfigFile -> #agent-launcher via readFileSync
- #agent-launcher -> ConfigFile via writeFileSync
- UserPrompt -> #agent-launcher via launchAgent
- #agent-launcher -> AgentProcess via spawn
- AgentProcess -> #agent-launcher via stdout
- UserPrompt -> #agent-launcher via buildAnnotatePrompt
- ThreatModel -> #agent-launcher via model
- #agent-launcher -> AgentPrompt via return
- ThreatModel -> #dashboard via computeStats
- SourceFiles -> #dashboard via readFileSync
- ... and 48 more

### Model Stats

291 annotations, 16 assets, 15 threats, 12 controls, 60 exposures, 44 mitigations, 68 flows
289 annotations, 16 assets, 15 threats, 12 controls, 60 exposures, 44 mitigations, 68 flows

<!-- guardlink:end -->
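Review bot: the nine `#agent-launcher` flows deleted in the previous hunk (`EnvVars -> #agent-launcher via process.env` through `#agent-launcher -> AgentPrompt via return`) are re-inserted here unchanged after `#cli -> FileSystem via writeFile`, so this is a move, not a removal. Fine as such, but the list is truncated (`... and 48 more`), so the new order also decides which flows an agent reading this file actually sees; worth checking that the flows behind the open exposures above (for example `UserPrompt -> #agent-launcher via launchAgent` for the `#prompt-injection` entry at src/agents/launcher.ts:13) stay in the visible part. Separately, the Model Stats line drops from 291 to 289 annotations while assets, threats, controls, exposures, mitigations and flows are unchanged, and none of the files in this diff are under `src/`; confirm the sync was run against the current checkout and state in the PR description which two annotations went away, otherwise the next sync will flip the count back.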

Expand All @@ -109,6 +109,9 @@ Every time you write or modify code that touches security-relevant behavior, you









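Review bot: the `@@ -109,6 +109,9 @@` hunk adds three lines that render as empty lines at the end of this file. If they are trailing blank lines, trim them so the file ends with a single newline, since otherwise each sync appends more whitespace to every instruction file; if they carry content that this view dropped, the hunk should show it before merge.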
30 changes: 15 additions & 15 deletions .cursor/rules/guardlink.mdc
Expand Up @@ -48,13 +48,13 @@ Every time you write or modify code that touches security-relevant behavior, you

### Open Exposures (need @mitigates or @audit)

- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12)
- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17)
- #agent-launcher exposed to #prompt-injection [medium] (src/agents/launcher.ts:13)
- #agent-launcher exposed to #dos [low] (src/agents/launcher.ts:15)
- #agent-launcher exposed to #prompt-injection [high] (src/agents/prompts.ts:6)
- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12)
- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17)
- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:31)
- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:15)
- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:31)
- #init exposed to #data-exposure [low] (src/init/index.ts:12)
- #mcp exposed to #cmd-injection [high] (src/mcp/index.ts:4)
- #mcp exposed to #prompt-injection [medium] (src/mcp/server.ts:30)
Expand All @@ -66,15 +66,6 @@ Every time you write or modify code that touches security-relevant behavior, you

### Existing Data Flows (extend, don't duplicate)

- EnvVars -> #agent-launcher via process.env
- ConfigFile -> #agent-launcher via readFileSync
- #agent-launcher -> ConfigFile via writeFileSync
- UserPrompt -> #agent-launcher via launchAgent
- #agent-launcher -> AgentProcess via spawn
- AgentProcess -> #agent-launcher via stdout
- UserPrompt -> #agent-launcher via buildAnnotatePrompt
- ThreatModel -> #agent-launcher via model
- #agent-launcher -> AgentPrompt via return
- ThreatModel -> #llm-client via serializeModel
- ProjectFiles -> #llm-client via readFileSync
- #llm-client -> ReportFile via writeFileSync
Expand All @@ -84,10 +75,19 @@ Every time you write or modify code that touches security-relevant behavior, you
- LLMToolCall -> #llm-client via createToolExecutor
- #llm-client -> NVD via fetch
- ProjectFiles -> #llm-client via readFileSync
- UserArgs -> #cli via process.argv
- #cli -> FileSystem via writeFile
- EnvVars -> #agent-launcher via process.env
- ConfigFile -> #agent-launcher via readFileSync
- #agent-launcher -> ConfigFile via writeFileSync
- UserPrompt -> #agent-launcher via launchAgent
- #agent-launcher -> AgentProcess via spawn
- AgentProcess -> #agent-launcher via stdout
- UserPrompt -> #agent-launcher via buildAnnotatePrompt
- ThreatModel -> #agent-launcher via model
- #agent-launcher -> AgentPrompt via return
- ThreatModel -> #dashboard via computeStats
- SourceFiles -> #dashboard via readFileSync
- ... and 48 more

### Model Stats

291 annotations, 16 assets, 15 threats, 12 controls, 60 exposures, 44 mitigations, 68 flows
289 annotations, 16 assets, 15 threats, 12 controls, 60 exposures, 44 mitigations, 68 flows
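Review bot: the three hunks in `.cursor/rules/guardlink.mdc` match the `.clinerules` change line for line, including the 291 to 289 annotation count, so the generated block is consistent across files; the same two questions apply here (why two annotations disappeared with no `src/` change in the diff, and whether the new ordering is a stable sort). One file-specific check: this hunk ends at the Model Stats line with no end marker in view, so confirm the `<!-- guardlink:end -->` boundary still follows it, or the next sync may not find where the block stops.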
33 changes: 18 additions & 15 deletions .gemini/GEMINI.md
Expand Up @@ -57,13 +57,13 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c

### Open Exposures (need @mitigates or @audit)

- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12)
- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17)
- #agent-launcher exposed to #prompt-injection [medium] (src/agents/launcher.ts:13)
- #agent-launcher exposed to #dos [low] (src/agents/launcher.ts:15)
- #agent-launcher exposed to #prompt-injection [high] (src/agents/prompts.ts:6)
- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12)
- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17)
- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:31)
- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:15)
- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:31)
- #init exposed to #data-exposure [low] (src/init/index.ts:12)
- #mcp exposed to #cmd-injection [high] (src/mcp/index.ts:4)
- #mcp exposed to #prompt-injection [medium] (src/mcp/server.ts:30)
Expand All @@ -75,15 +75,6 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c

### Existing Data Flows (extend, don't duplicate)

- EnvVars -> #agent-launcher via process.env
- ConfigFile -> #agent-launcher via readFileSync
- #agent-launcher -> ConfigFile via writeFileSync
- UserPrompt -> #agent-launcher via launchAgent
- #agent-launcher -> AgentProcess via spawn
- AgentProcess -> #agent-launcher via stdout
- UserPrompt -> #agent-launcher via buildAnnotatePrompt
- ThreatModel -> #agent-launcher via model
- #agent-launcher -> AgentPrompt via return
- ThreatModel -> #llm-client via serializeModel
- ProjectFiles -> #llm-client via readFileSync
- #llm-client -> ReportFile via writeFileSync
Expand All @@ -93,13 +84,22 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c
- LLMToolCall -> #llm-client via createToolExecutor
- #llm-client -> NVD via fetch
- ProjectFiles -> #llm-client via readFileSync
- UserArgs -> #cli via process.argv
- #cli -> FileSystem via writeFile
- EnvVars -> #agent-launcher via process.env
- ConfigFile -> #agent-launcher via readFileSync
- #agent-launcher -> ConfigFile via writeFileSync
- UserPrompt -> #agent-launcher via launchAgent
- #agent-launcher -> AgentProcess via spawn
- AgentProcess -> #agent-launcher via stdout
- UserPrompt -> #agent-launcher via buildAnnotatePrompt
- ThreatModel -> #agent-launcher via model
- #agent-launcher -> AgentPrompt via return
- ThreatModel -> #dashboard via computeStats
- SourceFiles -> #dashboard via readFileSync
- ... and 48 more

### Model Stats

291 annotations, 16 assets, 15 threats, 12 controls, 60 exposures, 44 mitigations, 68 flows
289 annotations, 16 assets, 15 threats, 12 controls, 60 exposures, 44 mitigations, 68 flows

> **Note:** This section is auto-generated. Run `guardlink sync` to update after code changes.
> Any coding agent (Cursor, Claude, Copilot, Windsurf, etc.) should reference these IDs
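Review bot: the context lines `> **Note:** This section is auto-generated. Run `guardlink sync` to update after code changes.` confirm that nobody should hand-edit this block, yet the only evidence that the five copies agree is that this PR regenerated them together. Suggest a CI step that runs `guardlink sync` and fails on a dirty working tree, so the instruction files cannot drift from the model between PRs; the 291 to 289 change here is exactly the kind of silent drift that step would catch. Also, the note names Claude among the agents that should read these IDs, but no Claude instruction file is in this diff; if the repo has one, it needs the same regeneration.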
Expand Down Expand Up @@ -127,6 +127,9 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c









33 changes: 18 additions & 15 deletions .github/copilot-instructions.md
Expand Up @@ -57,13 +57,13 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c

### Open Exposures (need @mitigates or @audit)

- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12)
- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17)
- #agent-launcher exposed to #prompt-injection [medium] (src/agents/launcher.ts:13)
- #agent-launcher exposed to #dos [low] (src/agents/launcher.ts:15)
- #agent-launcher exposed to #prompt-injection [high] (src/agents/prompts.ts:6)
- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12)
- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17)
- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:31)
- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:15)
- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:31)
- #init exposed to #data-exposure [low] (src/init/index.ts:12)
- #mcp exposed to #cmd-injection [high] (src/mcp/index.ts:4)
- #mcp exposed to #prompt-injection [medium] (src/mcp/server.ts:30)
Expand All @@ -75,15 +75,6 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c

### Existing Data Flows (extend, don't duplicate)

- EnvVars -> #agent-launcher via process.env
- ConfigFile -> #agent-launcher via readFileSync
- #agent-launcher -> ConfigFile via writeFileSync
- UserPrompt -> #agent-launcher via launchAgent
- #agent-launcher -> AgentProcess via spawn
- AgentProcess -> #agent-launcher via stdout
- UserPrompt -> #agent-launcher via buildAnnotatePrompt
- ThreatModel -> #agent-launcher via model
- #agent-launcher -> AgentPrompt via return
- ThreatModel -> #llm-client via serializeModel
- ProjectFiles -> #llm-client via readFileSync
- #llm-client -> ReportFile via writeFileSync
Expand All @@ -93,13 +84,22 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c
- LLMToolCall -> #llm-client via createToolExecutor
- #llm-client -> NVD via fetch
- ProjectFiles -> #llm-client via readFileSync
- UserArgs -> #cli via process.argv
- #cli -> FileSystem via writeFile
- EnvVars -> #agent-launcher via process.env
- ConfigFile -> #agent-launcher via readFileSync
- #agent-launcher -> ConfigFile via writeFileSync
- UserPrompt -> #agent-launcher via launchAgent
- #agent-launcher -> AgentProcess via spawn
- AgentProcess -> #agent-launcher via stdout
- UserPrompt -> #agent-launcher via buildAnnotatePrompt
- ThreatModel -> #agent-launcher via model
- #agent-launcher -> AgentPrompt via return
- ThreatModel -> #dashboard via computeStats
- SourceFiles -> #dashboard via readFileSync
- ... and 48 more

### Model Stats

291 annotations, 16 assets, 15 threats, 12 controls, 60 exposures, 44 mitigations, 68 flows
289 annotations, 16 assets, 15 threats, 12 controls, 60 exposures, 44 mitigations, 68 flows

> **Note:** This section is auto-generated. Run `guardlink sync` to update after code changes.
> Any coding agent (Cursor, Claude, Copilot, Windsurf, etc.) should reference these IDs
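Review bot: identical to the `.gemini/GEMINI.md` hunk, down to the `> **Note:**` context lines, so the Copilot and Gemini instruction files are in step. Nothing to add beyond the points raised on `.clinerules` (stable sort in the generator, explanation for the two removed annotations), provided they are answered once for all five files.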
Expand Down Expand Up @@ -128,6 +128,9 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c









5 changes: 5 additions & 0 deletions .gitignore
Expand Up @@ -3,6 +3,11 @@ node_modules/
dist/
*.tsbuildinfo

# Alternate package managers — we standardize on npm (package-lock.json is canonical)
bun.lock
yarn.lock
pnpm-lock.yaml

# OS
.DS_Store
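Review bot: ignoring `bun.lock`, `yarn.lock` and `pnpm-lock.yaml` keeps stray lockfiles out of the repo, but by itself it only documents the npm-only policy stated in the comment; nothing here stops a contributor from installing with another package manager and building against a dependency tree that differs from `package-lock.json`. Suggest pairing this with `npm ci` in CI (it fails when package-lock.json and package.json disagree) and a `packageManager` field in package.json so the policy is enforced rather than just stated. Also confirm `package-lock.json` is not matched by any existing pattern in this file, since the comment calls it canonical; the visible patterns (`node_modules/`, `dist/`, `*.tsbuildinfo`) do not.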

33 changes: 18 additions & 15 deletions .windsurfrules
Original file line number Diff line number Diff line change
Expand Up @@ -43,13 +43,13 @@ Every time you write or modify code that touches security-relevant behavior, you

### Open Exposures (need @mitigates or @audit)

- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12)
- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17)
- #agent-launcher exposed to #prompt-injection [medium] (src/agents/launcher.ts:13)
- #agent-launcher exposed to #dos [low] (src/agents/launcher.ts:15)
- #agent-launcher exposed to #prompt-injection [high] (src/agents/prompts.ts:6)
- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12)
- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17)
- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:31)
- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:15)
- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:31)
- #init exposed to #data-exposure [low] (src/init/index.ts:12)
- #mcp exposed to #cmd-injection [high] (src/mcp/index.ts:4)
- #mcp exposed to #prompt-injection [medium] (src/mcp/server.ts:30)
Expand All @@ -61,15 +61,6 @@ Every time you write or modify code that touches security-relevant behavior, you

### Existing Data Flows (extend, don't duplicate)

- EnvVars -> #agent-launcher via process.env
- ConfigFile -> #agent-launcher via readFileSync
- #agent-launcher -> ConfigFile via writeFileSync
- UserPrompt -> #agent-launcher via launchAgent
- #agent-launcher -> AgentProcess via spawn
- AgentProcess -> #agent-launcher via stdout
- UserPrompt -> #agent-launcher via buildAnnotatePrompt
- ThreatModel -> #agent-launcher via model
- #agent-launcher -> AgentPrompt via return
- ThreatModel -> #llm-client via serializeModel
- ProjectFiles -> #llm-client via readFileSync
- #llm-client -> ReportFile via writeFileSync
Expand All @@ -79,13 +70,22 @@ Every time you write or modify code that touches security-relevant behavior, you
- LLMToolCall -> #llm-client via createToolExecutor
- #llm-client -> NVD via fetch
- ProjectFiles -> #llm-client via readFileSync
- UserArgs -> #cli via process.argv
- #cli -> FileSystem via writeFile
- EnvVars -> #agent-launcher via process.env
- ConfigFile -> #agent-launcher via readFileSync
- #agent-launcher -> ConfigFile via writeFileSync
- UserPrompt -> #agent-launcher via launchAgent
- #agent-launcher -> AgentProcess via spawn
- AgentProcess -> #agent-launcher via stdout
- UserPrompt -> #agent-launcher via buildAnnotatePrompt
- ThreatModel -> #agent-launcher via model
- #agent-launcher -> AgentPrompt via return
- ThreatModel -> #dashboard via computeStats
- SourceFiles -> #dashboard via readFileSync
- ... and 48 more

### Model Stats

291 annotations, 16 assets, 15 threats, 12 controls, 60 exposures, 44 mitigations, 68 flows
289 annotations, 16 assets, 15 threats, 12 controls, 60 exposures, 44 mitigations, 68 flows

<!-- guardlink:end -->
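Review bot: same regenerated block as `.clinerules`, including the `<!-- guardlink:end -->` marker and the 291 to 289 annotation count, so `.windsurfrules` is consistent with the other four files. No further points beyond those raised on `.clinerules`; once the sort order is made stable and the removed annotations are explained, this hunk is fine.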

Expand All @@ -109,6 +109,9 @@ Every time you write or modify code that touches security-relevant behavior, you








