diff --git a/.clinerules b/.clinerules index 7fbb9e1..2141dea 100644 --- a/.clinerules +++ b/.clinerules @@ -1,7 +1,7 @@ # GuardLink Security Annotations -This project uses GuardLink annotations in source code comments or standalone .gal files. +This project uses GuardLink annotations in source code comments. ## Core Requirement Every time you write or modify code that touches security-relevant behavior, you MUST add GuardLink annotations in the same change. This includes: new endpoints, auth logic, data validation, database queries, file I/O, external API calls, crypto, process spawning, user input handling, config parsing. Do NOT annotate pure business logic, formatting utilities, UI components, or helpers that never touch security boundaries. @@ -9,9 +9,10 @@ Every time you write or modify code that touches security-relevant behavior, you ## Key Rules - ANNOTATE NEW CODE. When you add a function or endpoint that handles user input, accesses data, or crosses a trust boundary — add @exposes, @mitigates, @flows, @handles, or at minimum @comment. This is not optional. - NEVER write @accepts — that is a human-only governance decision. For risks with no mitigation: write @exposes + @audit + @comment suggesting potential controls. +- Use @confirmed for verified exploits. When pentest/scanning/manual reproduction proves a threat is exploitable: @confirmed #threat on Asset [severity] -- "evidence". Distinct from @exposes (theoretical) — @confirmed means real, verified, no false positives. - Preserve existing annotations — do not delete or mangle them. - Definitions (@asset, @threat, @control with (#id)) live in .guardlink/definitions.ts. Reuse IDs — never redefine. Add new definitions there first, then reference in source files. -- Relationship annotations use verbs: @mitigates, @exposes, @flows, @handles, @boundary, @comment, @validates, @audit, @owns, @assumes, @transfers. +- Source files use relationship verbs: @mitigates, @exposes, @confirmed, @flows, @handles, @boundary, @comment, @validates, @audit, @owns, @assumes, @transfers, @feature. - Write coupled annotation blocks: risk + control (or audit) + data flow + context note. - Avoid @shield unless a human explicitly asks to hide code from AI. @@ -30,6 +31,8 @@ Every time you write or modify code that touches security-relevant behavior, you - @handles pii on App.API -- "Processes email, token" - @validates #prepared-stmts for App.API -- "CI test ensures placeholders" - @audit App.API -- "Token rotation review" +- @confirmed #sqli on App.API [critical] cwe:CWE-89 -- "Pentest verified: raw SQL injection via email param" +- @feature "SSO Login" -- "Single sign-on authentication flow" - @owns security-team for App.API -- "Team responsible" - @comment -- "Rate limit: 100 req/15min" @@ -43,33 +46,25 @@ Every time you write or modify code that touches security-relevant behavior, you ### Open Exposures (need @mitigates or @audit) -- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12) -- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17) - #agent-launcher exposed to #prompt-injection [medium] (src/agents/launcher.ts:13) - #agent-launcher exposed to #dos [low] (src/agents/launcher.ts:15) - #agent-launcher exposed to #prompt-injection [high] (src/agents/prompts.ts:6) -- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:15) -- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:31) -- #init exposed to #data-exposure [low] (src/init/index.ts:12) +- #agent-launcher exposed to #config-tamper [medium] (src/agents/prompts.ts:10) +- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12) +- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17) +- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:33) +- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:16) - #mcp exposed to #cmd-injection [high] (src/mcp/index.ts:4) - #mcp exposed to #prompt-injection [medium] (src/mcp/server.ts:30) - #mcp exposed to #data-exposure [medium] (src/mcp/server.ts:34) - #suggest exposed to #dos [low] (src/mcp/suggest.ts:16) +- #init exposed to #data-exposure [low] (src/init/index.ts:12) - #parser exposed to #arbitrary-write [high] (src/parser/clear.ts:8) - #tui exposed to #cmd-injection [high] (src/tui/commands.ts:11) - #tui exposed to #prompt-injection [medium] (src/tui/commands.ts:15) ### Existing Data Flows (extend, don't duplicate) -- ThreatModel -> #llm-client via serializeModel -- ProjectFiles -> #llm-client via readFileSync -- #llm-client -> ReportFile via writeFileSync -- LLMConfig -> #llm-client via chatCompletion -- #llm-client -> LLMProvider via fetch -- LLMProvider -> #llm-client via response -- LLMToolCall -> #llm-client via createToolExecutor -- #llm-client -> NVD via fetch -- ProjectFiles -> #llm-client via readFileSync - EnvVars -> #agent-launcher via process.env - ConfigFile -> #agent-launcher via readFileSync - #agent-launcher -> ConfigFile via writeFileSync @@ -77,15 +72,29 @@ Every time you write or modify code that touches security-relevant behavior, you - #agent-launcher -> AgentProcess via spawn - AgentProcess -> #agent-launcher via stdout - UserPrompt -> #agent-launcher via buildAnnotatePrompt +- UserPrompt -> #agent-launcher via buildTranslatePrompt +- UserPrompt -> #agent-launcher via buildAskPrompt - ThreatModel -> #agent-launcher via model - #agent-launcher -> AgentPrompt via return -- ThreatModel -> #dashboard via computeStats -- SourceFiles -> #dashboard via readFileSync -- ... and 48 more +- ThreatModel -> #llm-client via serializeModel +- ProjectFiles -> #llm-client via readFileSync +- #llm-client -> ReportFile via writeFileSync +- PentestFindings -> #llm-client via readFileSync +- LLMConfig -> #llm-client via chatCompletion +- #llm-client -> LLMProvider via fetch +- LLMProvider -> #llm-client via response +- LLMToolCall -> #llm-client via createToolExecutor +- #llm-client -> NVD via fetch +- ... and 55 more + +### Features (filter with `--feature`) + +- "Dashboard" +- "MCP Integration" ### Model Stats -289 annotations, 16 assets, 15 threats, 12 controls, 60 exposures, 44 mitigations, 68 flows +310 annotations, 16 assets, 15 threats, 12 controls, 61 exposures, 0 confirmed, 48 mitigations, 75 flows, 2 features @@ -106,6 +115,16 @@ Every time you write or modify code that touches security-relevant behavior, you + + + + + + + + + + diff --git a/.cursor/rules/guardlink.mdc b/.cursor/rules/guardlink.mdc index 7841c07..f8efbbb 100644 --- a/.cursor/rules/guardlink.mdc +++ b/.cursor/rules/guardlink.mdc @@ -6,7 +6,7 @@ alwaysApply: true # GuardLink Security Annotations -This project uses GuardLink annotations in source code comments or standalone .gal files. +This project uses GuardLink annotations in source code comments. ## Core Requirement Every time you write or modify code that touches security-relevant behavior, you MUST add GuardLink annotations in the same change. This includes: new endpoints, auth logic, data validation, database queries, file I/O, external API calls, crypto, process spawning, user input handling, config parsing. Do NOT annotate pure business logic, formatting utilities, UI components, or helpers that never touch security boundaries. @@ -14,9 +14,10 @@ Every time you write or modify code that touches security-relevant behavior, you ## Key Rules - ANNOTATE NEW CODE. When you add a function or endpoint that handles user input, accesses data, or crosses a trust boundary — add @exposes, @mitigates, @flows, @handles, or at minimum @comment. This is not optional. - NEVER write @accepts — that is a human-only governance decision. For risks with no mitigation: write @exposes + @audit + @comment suggesting potential controls. +- Use @confirmed for verified exploits. When pentest/scanning/manual reproduction proves a threat is exploitable: @confirmed #threat on Asset [severity] -- "evidence". Distinct from @exposes (theoretical) — @confirmed means real, verified, no false positives. - Preserve existing annotations — do not delete or mangle them. - Definitions (@asset, @threat, @control with (#id)) live in .guardlink/definitions.ts. Reuse IDs — never redefine. Add new definitions there first, then reference in source files. -- Relationship annotations use verbs: @mitigates, @exposes, @flows, @handles, @boundary, @comment, @validates, @audit, @owns, @assumes, @transfers. +- Source files use relationship verbs: @mitigates, @exposes, @confirmed, @flows, @handles, @boundary, @comment, @validates, @audit, @owns, @assumes, @transfers, @feature. - Write coupled annotation blocks: risk + control (or audit) + data flow + context note. - Avoid @shield unless a human explicitly asks to hide code from AI. @@ -35,6 +36,8 @@ Every time you write or modify code that touches security-relevant behavior, you - @handles pii on App.API -- "Processes email, token" - @validates #prepared-stmts for App.API -- "CI test ensures placeholders" - @audit App.API -- "Token rotation review" +- @confirmed #sqli on App.API [critical] cwe:CWE-89 -- "Pentest verified: raw SQL injection via email param" +- @feature "SSO Login" -- "Single sign-on authentication flow" - @owns security-team for App.API -- "Team responsible" - @comment -- "Rate limit: 100 req/15min" @@ -48,33 +51,25 @@ Every time you write or modify code that touches security-relevant behavior, you ### Open Exposures (need @mitigates or @audit) -- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12) -- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17) - #agent-launcher exposed to #prompt-injection [medium] (src/agents/launcher.ts:13) - #agent-launcher exposed to #dos [low] (src/agents/launcher.ts:15) - #agent-launcher exposed to #prompt-injection [high] (src/agents/prompts.ts:6) -- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:15) -- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:31) -- #init exposed to #data-exposure [low] (src/init/index.ts:12) +- #agent-launcher exposed to #config-tamper [medium] (src/agents/prompts.ts:10) +- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12) +- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17) +- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:33) +- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:16) - #mcp exposed to #cmd-injection [high] (src/mcp/index.ts:4) - #mcp exposed to #prompt-injection [medium] (src/mcp/server.ts:30) - #mcp exposed to #data-exposure [medium] (src/mcp/server.ts:34) - #suggest exposed to #dos [low] (src/mcp/suggest.ts:16) +- #init exposed to #data-exposure [low] (src/init/index.ts:12) - #parser exposed to #arbitrary-write [high] (src/parser/clear.ts:8) - #tui exposed to #cmd-injection [high] (src/tui/commands.ts:11) - #tui exposed to #prompt-injection [medium] (src/tui/commands.ts:15) ### Existing Data Flows (extend, don't duplicate) -- ThreatModel -> #llm-client via serializeModel -- ProjectFiles -> #llm-client via readFileSync -- #llm-client -> ReportFile via writeFileSync -- LLMConfig -> #llm-client via chatCompletion -- #llm-client -> LLMProvider via fetch -- LLMProvider -> #llm-client via response -- LLMToolCall -> #llm-client via createToolExecutor -- #llm-client -> NVD via fetch -- ProjectFiles -> #llm-client via readFileSync - EnvVars -> #agent-launcher via process.env - ConfigFile -> #agent-launcher via readFileSync - #agent-launcher -> ConfigFile via writeFileSync @@ -82,12 +77,26 @@ Every time you write or modify code that touches security-relevant behavior, you - #agent-launcher -> AgentProcess via spawn - AgentProcess -> #agent-launcher via stdout - UserPrompt -> #agent-launcher via buildAnnotatePrompt +- UserPrompt -> #agent-launcher via buildTranslatePrompt +- UserPrompt -> #agent-launcher via buildAskPrompt - ThreatModel -> #agent-launcher via model - #agent-launcher -> AgentPrompt via return -- ThreatModel -> #dashboard via computeStats -- SourceFiles -> #dashboard via readFileSync -- ... and 48 more +- ThreatModel -> #llm-client via serializeModel +- ProjectFiles -> #llm-client via readFileSync +- #llm-client -> ReportFile via writeFileSync +- PentestFindings -> #llm-client via readFileSync +- LLMConfig -> #llm-client via chatCompletion +- #llm-client -> LLMProvider via fetch +- LLMProvider -> #llm-client via response +- LLMToolCall -> #llm-client via createToolExecutor +- #llm-client -> NVD via fetch +- ... and 55 more + +### Features (filter with `--feature`) + +- "Dashboard" +- "MCP Integration" ### Model Stats -289 annotations, 16 assets, 15 threats, 12 controls, 60 exposures, 44 mitigations, 68 flows +310 annotations, 16 assets, 15 threats, 12 controls, 61 exposures, 0 confirmed, 48 mitigations, 75 flows, 2 features diff --git a/.gemini/GEMINI.md b/.gemini/GEMINI.md index c5ec022..cfe8ef8 100644 --- a/.gemini/GEMINI.md +++ b/.gemini/GEMINI.md @@ -3,7 +3,7 @@ ## GuardLink — Security Annotations (Required) -This project uses [GuardLink](https://guardlink.bugb.io) annotations in source code comments or standalone `.gal` files. +This project uses [GuardLink](https://guardlink.bugb.io) annotations in source code comments. **Full reference: `docs/GUARDLINK_REFERENCE.md`** ### Core Requirement @@ -14,11 +14,12 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c 1. **Annotate new code.** When you add a function, endpoint, or module that handles user input, accesses data, crosses a trust boundary, or could fail in a security-relevant way — add `@exposes`, `@mitigates`, `@flows`, `@handles`, or at minimum `@comment` annotations. This is not optional. 2. **NEVER write `@accepts`.** That is a human-only governance decision. When you find a risk with no mitigation in code, write `@exposes` to document the risk + `@audit` to flag it for human review + `@comment` to suggest potential controls. -3. Do not delete or mangle existing annotations. Treat them as part of the code. Edit only when intentionally changing the threat model. -4. Definitions (`@asset`, `@threat`, `@control` with `(#id)`) live in `.guardlink/definitions.ts`. Reuse existing `#id`s — never redefine. If you need a new asset or threat, add the definition there first, then reference it in source files. -5. Relationship annotations use verbs like: `@mitigates`, `@exposes`, `@flows`, `@handles`, `@boundary`, `@comment`, `@validates`, `@audit`, `@owns`, `@assumes`, `@transfers`. -6. Write coupled annotation blocks that tell a complete story: risk + control (or audit) + data flow + context note. Never write a lone `@exposes` without follow-up. -7. Avoid `@shield` unless a human explicitly asks to hide code from AI — it creates blind spots. +3. **Use `@confirmed` for verified exploits.** When a pentest, CXG scan, or manual reproduction proves a threat is exploitable, mark it with `@confirmed #threat on Asset [severity] -- "evidence"`. This is distinct from `@exposes` (theoretical) — `@confirmed` means real, verified, not a false positive. Include severity based on actual observed impact. +4. Do not delete or mangle existing annotations. Treat them as part of the code. Edit only when intentionally changing the threat model. +5. Definitions (`@asset`, `@threat`, `@control` with `(#id)`) live in `.guardlink/definitions.ts`. Reuse existing `#id`s — never redefine. If you need a new asset or threat, add the definition there first, then reference it in source files. +6. Source files use relationship verbs only: `@mitigates`, `@exposes`, `@confirmed`, `@flows`, `@handles`, `@boundary`, `@comment`, `@validates`, `@audit`, `@owns`, `@assumes`, `@transfers`, `@feature`. +7. Write coupled annotation blocks that tell a complete story: risk + control (or audit) + data flow + context note. Never write a lone `@exposes` without follow-up. +8. Avoid `@shield` unless a human explicitly asks to hide code from AI — it creates blind spots. ### Workflow (while coding) @@ -43,6 +44,8 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c @handles pii on App.API -- "Processes email and session token" @validates #prepared-stmts for App.API -- "sqlInjectionTest.ts ensures placeholders used" @audit App.API -- "Token rotation logic needs crypto review" +@confirmed #sqli on App.API [critical] cwe:CWE-89 -- "Pentest verified: raw SQL injection via email param" +@feature "SSO Login" -- "Single sign-on authentication flow" @owns security-team for App.API -- "Team responsible for reviews" @comment -- "Rate limit: 100 req/15min via express-rate-limit" ``` @@ -57,33 +60,25 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c ### Open Exposures (need @mitigates or @audit) -- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12) -- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17) - #agent-launcher exposed to #prompt-injection [medium] (src/agents/launcher.ts:13) - #agent-launcher exposed to #dos [low] (src/agents/launcher.ts:15) - #agent-launcher exposed to #prompt-injection [high] (src/agents/prompts.ts:6) -- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:15) -- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:31) -- #init exposed to #data-exposure [low] (src/init/index.ts:12) +- #agent-launcher exposed to #config-tamper [medium] (src/agents/prompts.ts:10) +- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12) +- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17) +- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:33) +- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:16) - #mcp exposed to #cmd-injection [high] (src/mcp/index.ts:4) - #mcp exposed to #prompt-injection [medium] (src/mcp/server.ts:30) - #mcp exposed to #data-exposure [medium] (src/mcp/server.ts:34) - #suggest exposed to #dos [low] (src/mcp/suggest.ts:16) +- #init exposed to #data-exposure [low] (src/init/index.ts:12) - #parser exposed to #arbitrary-write [high] (src/parser/clear.ts:8) - #tui exposed to #cmd-injection [high] (src/tui/commands.ts:11) - #tui exposed to #prompt-injection [medium] (src/tui/commands.ts:15) ### Existing Data Flows (extend, don't duplicate) -- ThreatModel -> #llm-client via serializeModel -- ProjectFiles -> #llm-client via readFileSync -- #llm-client -> ReportFile via writeFileSync -- LLMConfig -> #llm-client via chatCompletion -- #llm-client -> LLMProvider via fetch -- LLMProvider -> #llm-client via response -- LLMToolCall -> #llm-client via createToolExecutor -- #llm-client -> NVD via fetch -- ProjectFiles -> #llm-client via readFileSync - EnvVars -> #agent-launcher via process.env - ConfigFile -> #agent-launcher via readFileSync - #agent-launcher -> ConfigFile via writeFileSync @@ -91,15 +86,29 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c - #agent-launcher -> AgentProcess via spawn - AgentProcess -> #agent-launcher via stdout - UserPrompt -> #agent-launcher via buildAnnotatePrompt +- UserPrompt -> #agent-launcher via buildTranslatePrompt +- UserPrompt -> #agent-launcher via buildAskPrompt - ThreatModel -> #agent-launcher via model - #agent-launcher -> AgentPrompt via return -- ThreatModel -> #dashboard via computeStats -- SourceFiles -> #dashboard via readFileSync -- ... and 48 more +- ThreatModel -> #llm-client via serializeModel +- ProjectFiles -> #llm-client via readFileSync +- #llm-client -> ReportFile via writeFileSync +- PentestFindings -> #llm-client via readFileSync +- LLMConfig -> #llm-client via chatCompletion +- #llm-client -> LLMProvider via fetch +- LLMProvider -> #llm-client via response +- LLMToolCall -> #llm-client via createToolExecutor +- #llm-client -> NVD via fetch +- ... and 55 more + +### Features (filter with `--feature`) + +- "Dashboard" +- "MCP Integration" ### Model Stats -289 annotations, 16 assets, 15 threats, 12 controls, 60 exposures, 44 mitigations, 68 flows +310 annotations, 16 assets, 15 threats, 12 controls, 61 exposures, 0 confirmed, 48 mitigations, 75 flows, 2 features > **Note:** This section is auto-generated. Run `guardlink sync` to update after code changes. > Any coding agent (Cursor, Claude, Copilot, Windsurf, etc.) should reference these IDs @@ -124,6 +133,16 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c + + + + + + + + + + diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md index 337ebbc..570624d 100644 --- a/.github/copilot-instructions.md +++ b/.github/copilot-instructions.md @@ -3,7 +3,7 @@ ## GuardLink — Security Annotations (Required) -This project uses [GuardLink](https://guardlink.bugb.io) annotations in source code comments or standalone `.gal` files. +This project uses [GuardLink](https://guardlink.bugb.io) annotations in source code comments. **Full reference: `docs/GUARDLINK_REFERENCE.md`** ### Core Requirement @@ -14,11 +14,12 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c 1. **Annotate new code.** When you add a function, endpoint, or module that handles user input, accesses data, crosses a trust boundary, or could fail in a security-relevant way — add `@exposes`, `@mitigates`, `@flows`, `@handles`, or at minimum `@comment` annotations. This is not optional. 2. **NEVER write `@accepts`.** That is a human-only governance decision. When you find a risk with no mitigation in code, write `@exposes` to document the risk + `@audit` to flag it for human review + `@comment` to suggest potential controls. -3. Do not delete or mangle existing annotations. Treat them as part of the code. Edit only when intentionally changing the threat model. -4. Definitions (`@asset`, `@threat`, `@control` with `(#id)`) live in `.guardlink/definitions.ts`. Reuse existing `#id`s — never redefine. If you need a new asset or threat, add the definition there first, then reference it in source files. -5. Relationship annotations use verbs like: `@mitigates`, `@exposes`, `@flows`, `@handles`, `@boundary`, `@comment`, `@validates`, `@audit`, `@owns`, `@assumes`, `@transfers`. -6. Write coupled annotation blocks that tell a complete story: risk + control (or audit) + data flow + context note. Never write a lone `@exposes` without follow-up. -7. Avoid `@shield` unless a human explicitly asks to hide code from AI — it creates blind spots. +3. **Use `@confirmed` for verified exploits.** When a pentest, CXG scan, or manual reproduction proves a threat is exploitable, mark it with `@confirmed #threat on Asset [severity] -- "evidence"`. This is distinct from `@exposes` (theoretical) — `@confirmed` means real, verified, not a false positive. Include severity based on actual observed impact. +4. Do not delete or mangle existing annotations. Treat them as part of the code. Edit only when intentionally changing the threat model. +5. Definitions (`@asset`, `@threat`, `@control` with `(#id)`) live in `.guardlink/definitions.ts`. Reuse existing `#id`s — never redefine. If you need a new asset or threat, add the definition there first, then reference it in source files. +6. Source files use relationship verbs only: `@mitigates`, `@exposes`, `@confirmed`, `@flows`, `@handles`, `@boundary`, `@comment`, `@validates`, `@audit`, `@owns`, `@assumes`, `@transfers`, `@feature`. +7. Write coupled annotation blocks that tell a complete story: risk + control (or audit) + data flow + context note. Never write a lone `@exposes` without follow-up. +8. Avoid `@shield` unless a human explicitly asks to hide code from AI — it creates blind spots. ### Workflow (while coding) @@ -43,6 +44,8 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c @handles pii on App.API -- "Processes email and session token" @validates #prepared-stmts for App.API -- "sqlInjectionTest.ts ensures placeholders used" @audit App.API -- "Token rotation logic needs crypto review" +@confirmed #sqli on App.API [critical] cwe:CWE-89 -- "Pentest verified: raw SQL injection via email param" +@feature "SSO Login" -- "Single sign-on authentication flow" @owns security-team for App.API -- "Team responsible for reviews" @comment -- "Rate limit: 100 req/15min via express-rate-limit" ``` @@ -57,33 +60,25 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c ### Open Exposures (need @mitigates or @audit) -- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12) -- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17) - #agent-launcher exposed to #prompt-injection [medium] (src/agents/launcher.ts:13) - #agent-launcher exposed to #dos [low] (src/agents/launcher.ts:15) - #agent-launcher exposed to #prompt-injection [high] (src/agents/prompts.ts:6) -- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:15) -- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:31) -- #init exposed to #data-exposure [low] (src/init/index.ts:12) +- #agent-launcher exposed to #config-tamper [medium] (src/agents/prompts.ts:10) +- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12) +- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17) +- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:33) +- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:16) - #mcp exposed to #cmd-injection [high] (src/mcp/index.ts:4) - #mcp exposed to #prompt-injection [medium] (src/mcp/server.ts:30) - #mcp exposed to #data-exposure [medium] (src/mcp/server.ts:34) - #suggest exposed to #dos [low] (src/mcp/suggest.ts:16) +- #init exposed to #data-exposure [low] (src/init/index.ts:12) - #parser exposed to #arbitrary-write [high] (src/parser/clear.ts:8) - #tui exposed to #cmd-injection [high] (src/tui/commands.ts:11) - #tui exposed to #prompt-injection [medium] (src/tui/commands.ts:15) ### Existing Data Flows (extend, don't duplicate) -- ThreatModel -> #llm-client via serializeModel -- ProjectFiles -> #llm-client via readFileSync -- #llm-client -> ReportFile via writeFileSync -- LLMConfig -> #llm-client via chatCompletion -- #llm-client -> LLMProvider via fetch -- LLMProvider -> #llm-client via response -- LLMToolCall -> #llm-client via createToolExecutor -- #llm-client -> NVD via fetch -- ProjectFiles -> #llm-client via readFileSync - EnvVars -> #agent-launcher via process.env - ConfigFile -> #agent-launcher via readFileSync - #agent-launcher -> ConfigFile via writeFileSync @@ -91,15 +86,29 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c - #agent-launcher -> AgentProcess via spawn - AgentProcess -> #agent-launcher via stdout - UserPrompt -> #agent-launcher via buildAnnotatePrompt +- UserPrompt -> #agent-launcher via buildTranslatePrompt +- UserPrompt -> #agent-launcher via buildAskPrompt - ThreatModel -> #agent-launcher via model - #agent-launcher -> AgentPrompt via return -- ThreatModel -> #dashboard via computeStats -- SourceFiles -> #dashboard via readFileSync -- ... and 48 more +- ThreatModel -> #llm-client via serializeModel +- ProjectFiles -> #llm-client via readFileSync +- #llm-client -> ReportFile via writeFileSync +- PentestFindings -> #llm-client via readFileSync +- LLMConfig -> #llm-client via chatCompletion +- #llm-client -> LLMProvider via fetch +- LLMProvider -> #llm-client via response +- LLMToolCall -> #llm-client via createToolExecutor +- #llm-client -> NVD via fetch +- ... and 55 more + +### Features (filter with `--feature`) + +- "Dashboard" +- "MCP Integration" ### Model Stats -289 annotations, 16 assets, 15 threats, 12 controls, 60 exposures, 44 mitigations, 68 flows +310 annotations, 16 assets, 15 threats, 12 controls, 61 exposures, 0 confirmed, 48 mitigations, 75 flows, 2 features > **Note:** This section is auto-generated. Run `guardlink sync` to update after code changes. > Any coding agent (Cursor, Claude, Copilot, Windsurf, etc.) should reference these IDs @@ -125,6 +134,16 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c + + + + + + + + + + diff --git a/.gitignore b/.gitignore index 582eb4e..7f9a03e 100644 --- a/.gitignore +++ b/.gitignore @@ -17,5 +17,15 @@ pnpm-lock.yaml # GuardLink runtime config (API keys - do not commit) .guardlink/config.json +# Generated outputs at repo root (canonical samples live in docs/examples/). +# Running `guardlink dashboard .` or `guardlink report .` from the repo root +# writes here by default — those local copies should never be committed. +/threat-dashboard.html +/threat-model.md +/threat-model.json +/guardlink-pentest.html +/guardlink-pentest.json +/guardlink-pentest.sarif + # Debug / internal _debug.ts diff --git a/.guardlink/prompt.md b/.guardlink/prompt.md new file mode 100644 index 0000000..3fbc86d --- /dev/null +++ b/.guardlink/prompt.md @@ -0,0 +1,24 @@ +# guardlink — Project Description + + + + +## What This Application Does + + + +## Key Components + + + +## Trust Boundaries + + + +## Data Sensitivity + + + +## Deployment Context + + diff --git a/.windsurfrules b/.windsurfrules index 7fbb9e1..2141dea 100644 --- a/.windsurfrules +++ b/.windsurfrules @@ -1,7 +1,7 @@ # GuardLink Security Annotations -This project uses GuardLink annotations in source code comments or standalone .gal files. +This project uses GuardLink annotations in source code comments. ## Core Requirement Every time you write or modify code that touches security-relevant behavior, you MUST add GuardLink annotations in the same change. This includes: new endpoints, auth logic, data validation, database queries, file I/O, external API calls, crypto, process spawning, user input handling, config parsing. Do NOT annotate pure business logic, formatting utilities, UI components, or helpers that never touch security boundaries. @@ -9,9 +9,10 @@ Every time you write or modify code that touches security-relevant behavior, you ## Key Rules - ANNOTATE NEW CODE. When you add a function or endpoint that handles user input, accesses data, or crosses a trust boundary — add @exposes, @mitigates, @flows, @handles, or at minimum @comment. This is not optional. - NEVER write @accepts — that is a human-only governance decision. For risks with no mitigation: write @exposes + @audit + @comment suggesting potential controls. +- Use @confirmed for verified exploits. When pentest/scanning/manual reproduction proves a threat is exploitable: @confirmed #threat on Asset [severity] -- "evidence". Distinct from @exposes (theoretical) — @confirmed means real, verified, no false positives. - Preserve existing annotations — do not delete or mangle them. - Definitions (@asset, @threat, @control with (#id)) live in .guardlink/definitions.ts. Reuse IDs — never redefine. Add new definitions there first, then reference in source files. -- Relationship annotations use verbs: @mitigates, @exposes, @flows, @handles, @boundary, @comment, @validates, @audit, @owns, @assumes, @transfers. +- Source files use relationship verbs: @mitigates, @exposes, @confirmed, @flows, @handles, @boundary, @comment, @validates, @audit, @owns, @assumes, @transfers, @feature. - Write coupled annotation blocks: risk + control (or audit) + data flow + context note. - Avoid @shield unless a human explicitly asks to hide code from AI. @@ -30,6 +31,8 @@ Every time you write or modify code that touches security-relevant behavior, you - @handles pii on App.API -- "Processes email, token" - @validates #prepared-stmts for App.API -- "CI test ensures placeholders" - @audit App.API -- "Token rotation review" +- @confirmed #sqli on App.API [critical] cwe:CWE-89 -- "Pentest verified: raw SQL injection via email param" +- @feature "SSO Login" -- "Single sign-on authentication flow" - @owns security-team for App.API -- "Team responsible" - @comment -- "Rate limit: 100 req/15min" @@ -43,33 +46,25 @@ Every time you write or modify code that touches security-relevant behavior, you ### Open Exposures (need @mitigates or @audit) -- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12) -- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17) - #agent-launcher exposed to #prompt-injection [medium] (src/agents/launcher.ts:13) - #agent-launcher exposed to #dos [low] (src/agents/launcher.ts:15) - #agent-launcher exposed to #prompt-injection [high] (src/agents/prompts.ts:6) -- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:15) -- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:31) -- #init exposed to #data-exposure [low] (src/init/index.ts:12) +- #agent-launcher exposed to #config-tamper [medium] (src/agents/prompts.ts:10) +- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12) +- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17) +- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:33) +- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:16) - #mcp exposed to #cmd-injection [high] (src/mcp/index.ts:4) - #mcp exposed to #prompt-injection [medium] (src/mcp/server.ts:30) - #mcp exposed to #data-exposure [medium] (src/mcp/server.ts:34) - #suggest exposed to #dos [low] (src/mcp/suggest.ts:16) +- #init exposed to #data-exposure [low] (src/init/index.ts:12) - #parser exposed to #arbitrary-write [high] (src/parser/clear.ts:8) - #tui exposed to #cmd-injection [high] (src/tui/commands.ts:11) - #tui exposed to #prompt-injection [medium] (src/tui/commands.ts:15) ### Existing Data Flows (extend, don't duplicate) -- ThreatModel -> #llm-client via serializeModel -- ProjectFiles -> #llm-client via readFileSync -- #llm-client -> ReportFile via writeFileSync -- LLMConfig -> #llm-client via chatCompletion -- #llm-client -> LLMProvider via fetch -- LLMProvider -> #llm-client via response -- LLMToolCall -> #llm-client via createToolExecutor -- #llm-client -> NVD via fetch -- ProjectFiles -> #llm-client via readFileSync - EnvVars -> #agent-launcher via process.env - ConfigFile -> #agent-launcher via readFileSync - #agent-launcher -> ConfigFile via writeFileSync @@ -77,15 +72,29 @@ Every time you write or modify code that touches security-relevant behavior, you - #agent-launcher -> AgentProcess via spawn - AgentProcess -> #agent-launcher via stdout - UserPrompt -> #agent-launcher via buildAnnotatePrompt +- UserPrompt -> #agent-launcher via buildTranslatePrompt +- UserPrompt -> #agent-launcher via buildAskPrompt - ThreatModel -> #agent-launcher via model - #agent-launcher -> AgentPrompt via return -- ThreatModel -> #dashboard via computeStats -- SourceFiles -> #dashboard via readFileSync -- ... and 48 more +- ThreatModel -> #llm-client via serializeModel +- ProjectFiles -> #llm-client via readFileSync +- #llm-client -> ReportFile via writeFileSync +- PentestFindings -> #llm-client via readFileSync +- LLMConfig -> #llm-client via chatCompletion +- #llm-client -> LLMProvider via fetch +- LLMProvider -> #llm-client via response +- LLMToolCall -> #llm-client via createToolExecutor +- #llm-client -> NVD via fetch +- ... and 55 more + +### Features (filter with `--feature`) + +- "Dashboard" +- "MCP Integration" ### Model Stats -289 annotations, 16 assets, 15 threats, 12 controls, 60 exposures, 44 mitigations, 68 flows +310 annotations, 16 assets, 15 threats, 12 controls, 61 exposures, 0 confirmed, 48 mitigations, 75 flows, 2 features @@ -106,6 +115,16 @@ Every time you write or modify code that touches security-relevant behavior, you + + + + + + + + + + diff --git a/AGENTS.md b/AGENTS.md index c5ec022..e19e481 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -3,7 +3,7 @@ ## GuardLink — Security Annotations (Required) -This project uses [GuardLink](https://guardlink.bugb.io) annotations in source code comments or standalone `.gal` files. +This project uses [GuardLink](https://guardlink.bugb.io) annotations in source code comments. **Full reference: `docs/GUARDLINK_REFERENCE.md`** ### Core Requirement @@ -14,11 +14,12 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c 1. **Annotate new code.** When you add a function, endpoint, or module that handles user input, accesses data, crosses a trust boundary, or could fail in a security-relevant way — add `@exposes`, `@mitigates`, `@flows`, `@handles`, or at minimum `@comment` annotations. This is not optional. 2. **NEVER write `@accepts`.** That is a human-only governance decision. When you find a risk with no mitigation in code, write `@exposes` to document the risk + `@audit` to flag it for human review + `@comment` to suggest potential controls. -3. Do not delete or mangle existing annotations. Treat them as part of the code. Edit only when intentionally changing the threat model. -4. Definitions (`@asset`, `@threat`, `@control` with `(#id)`) live in `.guardlink/definitions.ts`. Reuse existing `#id`s — never redefine. If you need a new asset or threat, add the definition there first, then reference it in source files. -5. Relationship annotations use verbs like: `@mitigates`, `@exposes`, `@flows`, `@handles`, `@boundary`, `@comment`, `@validates`, `@audit`, `@owns`, `@assumes`, `@transfers`. -6. Write coupled annotation blocks that tell a complete story: risk + control (or audit) + data flow + context note. Never write a lone `@exposes` without follow-up. -7. Avoid `@shield` unless a human explicitly asks to hide code from AI — it creates blind spots. +3. **Use `@confirmed` for verified exploits.** When a pentest, CXG scan, or manual reproduction proves a threat is exploitable, mark it with `@confirmed #threat on Asset [severity] -- "evidence"`. This is distinct from `@exposes` (theoretical) — `@confirmed` means real, verified, not a false positive. Include severity based on actual observed impact. +4. Do not delete or mangle existing annotations. Treat them as part of the code. Edit only when intentionally changing the threat model. +5. Definitions (`@asset`, `@threat`, `@control` with `(#id)`) live in `.guardlink/definitions.ts`. Reuse existing `#id`s — never redefine. If you need a new asset or threat, add the definition there first, then reference it in source files. +6. Source files use relationship verbs only: `@mitigates`, `@exposes`, `@confirmed`, `@flows`, `@handles`, `@boundary`, `@comment`, `@validates`, `@audit`, `@owns`, `@assumes`, `@transfers`, `@feature`. +7. Write coupled annotation blocks that tell a complete story: risk + control (or audit) + data flow + context note. Never write a lone `@exposes` without follow-up. +8. Avoid `@shield` unless a human explicitly asks to hide code from AI — it creates blind spots. ### Workflow (while coding) @@ -43,6 +44,8 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c @handles pii on App.API -- "Processes email and session token" @validates #prepared-stmts for App.API -- "sqlInjectionTest.ts ensures placeholders used" @audit App.API -- "Token rotation logic needs crypto review" +@confirmed #sqli on App.API [critical] cwe:CWE-89 -- "Pentest verified: raw SQL injection via email param" +@feature "SSO Login" -- "Single sign-on authentication flow" @owns security-team for App.API -- "Team responsible for reviews" @comment -- "Rate limit: 100 req/15min via express-rate-limit" ``` @@ -57,33 +60,25 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c ### Open Exposures (need @mitigates or @audit) -- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12) -- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17) - #agent-launcher exposed to #prompt-injection [medium] (src/agents/launcher.ts:13) - #agent-launcher exposed to #dos [low] (src/agents/launcher.ts:15) - #agent-launcher exposed to #prompt-injection [high] (src/agents/prompts.ts:6) -- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:15) -- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:31) -- #init exposed to #data-exposure [low] (src/init/index.ts:12) +- #agent-launcher exposed to #config-tamper [medium] (src/agents/prompts.ts:10) +- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12) +- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17) +- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:33) +- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:16) - #mcp exposed to #cmd-injection [high] (src/mcp/index.ts:4) - #mcp exposed to #prompt-injection [medium] (src/mcp/server.ts:30) - #mcp exposed to #data-exposure [medium] (src/mcp/server.ts:34) - #suggest exposed to #dos [low] (src/mcp/suggest.ts:16) +- #init exposed to #data-exposure [low] (src/init/index.ts:12) - #parser exposed to #arbitrary-write [high] (src/parser/clear.ts:8) - #tui exposed to #cmd-injection [high] (src/tui/commands.ts:11) - #tui exposed to #prompt-injection [medium] (src/tui/commands.ts:15) ### Existing Data Flows (extend, don't duplicate) -- ThreatModel -> #llm-client via serializeModel -- ProjectFiles -> #llm-client via readFileSync -- #llm-client -> ReportFile via writeFileSync -- LLMConfig -> #llm-client via chatCompletion -- #llm-client -> LLMProvider via fetch -- LLMProvider -> #llm-client via response -- LLMToolCall -> #llm-client via createToolExecutor -- #llm-client -> NVD via fetch -- ProjectFiles -> #llm-client via readFileSync - EnvVars -> #agent-launcher via process.env - ConfigFile -> #agent-launcher via readFileSync - #agent-launcher -> ConfigFile via writeFileSync @@ -91,15 +86,29 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c - #agent-launcher -> AgentProcess via spawn - AgentProcess -> #agent-launcher via stdout - UserPrompt -> #agent-launcher via buildAnnotatePrompt +- UserPrompt -> #agent-launcher via buildTranslatePrompt +- UserPrompt -> #agent-launcher via buildAskPrompt - ThreatModel -> #agent-launcher via model - #agent-launcher -> AgentPrompt via return -- ThreatModel -> #dashboard via computeStats -- SourceFiles -> #dashboard via readFileSync -- ... and 48 more +- ThreatModel -> #llm-client via serializeModel +- ProjectFiles -> #llm-client via readFileSync +- #llm-client -> ReportFile via writeFileSync +- PentestFindings -> #llm-client via readFileSync +- LLMConfig -> #llm-client via chatCompletion +- #llm-client -> LLMProvider via fetch +- LLMProvider -> #llm-client via response +- LLMToolCall -> #llm-client via createToolExecutor +- #llm-client -> NVD via fetch +- ... and 55 more + +### Features (filter with `--feature`) + +- "Dashboard" +- "MCP Integration" ### Model Stats -289 annotations, 16 assets, 15 threats, 12 controls, 60 exposures, 44 mitigations, 68 flows +310 annotations, 16 assets, 15 threats, 12 controls, 61 exposures, 0 confirmed, 48 mitigations, 75 flows, 2 features > **Note:** This section is auto-generated. Run `guardlink sync` to update after code changes. > Any coding agent (Cursor, Claude, Copilot, Windsurf, etc.) should reference these IDs @@ -126,6 +135,26 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c + + + + + + + + + + + + + + + + + + + + diff --git a/CHANGELOG.md b/CHANGELOG.md index 19aabe0..9507375 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,11 +1,86 @@ # Changelog - All notable changes to GuardLink CLI will be documented in this file. -The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), -and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## \[1.4.3\] — 2026-05-13 + +### Added + +- **Multi-hop** `@flows` **chains** — `@flows A -> B -> C -> D` is now valid syntax for chains of any length, expanding into N-1 pairwise flows that share the same mechanism, description, and source location. Single-hop syntax (`A -> B`) unchanged. Downstream consumers (DFD, sequence diagram, MCP queries, SARIF) still see the pairwise shape — multi-hop is purely a parser-side expansion. + +- **Quoted asset and threat refs in relationships** — `ASSET_REF` and `THREAT_REF` now accept double-quoted strings as a third alternative alongside `#id` and `Dotted.Path`. Example: `@flows User -> "/rest/user/login" -> "SQLite db"` parses cleanly. Same syntax works in `@exposes`, `@confirmed`, `@boundary`, `@audit`, and other relationship verbs. Definition annotations (`@asset`, `@threat`, `@control`) remain strict — declarations stay on `#id` and dotted paths. + +- **Opt-in pentest evidence redaction** (`guardlink config set redact-evidence true`) — surgical redaction for teams whose compliance posture requires no cleartext credentials at rest. When enabled, JWT signatures are stripped (header + payload preserved as proof of exploit), `Authorization: Basic`/`Digest`/`NTLM` values are fully redacted, credential field values in JSON / query-strings / cookies are masked (field names preserved). Default OFF; OSS users running against test targets see full evidence. Dashboard shows a banner when redaction is active. Full operational guide: [`docs/handling-evidence.md`](docs/handling-evidence.md). + +- `@confirmed` **annotation** — New verb for verified exploitable findings. Distinct from `@exposes` (theoretical) and `@accepts` (governance). Syntax: `@confirmed #threat on Asset [severity] cwe:CWE-NNN -- "evidence"`. A `@confirmed` annotation means the threat has been proven exploitable through pentest, automated CXG scan with reproducible evidence, or manual reproduction — not a false positive. Full pipeline: parser, model assembly, dangling-ref validation, SARIF `error`-level export, CLI `status` output, dashboard emphasis, LLM report inclusion, MCP `guardlink_lookup "confirmed"`. + +- `@feature` **annotation** — New metadata verb to tag files/code with a named product feature. Syntax: `@feature "Feature Name" -- "description"`. Association is file-level: all annotations in a file with `@feature "X"` are considered part of that feature. Enables feature-scoped filtering across all output modes. + +- **Feature filtering (**`--feature` **flag)** — `guardlink status`, `guardlink report`, and `guardlink dashboard` all gain `--feature ` (comma-separated). Filters all output — assets, threats, exposures, flows — to files tagged with the named feature(s). Dashboard gets a live feature filter dropdown in the header with a dismissible banner. TUI gains `/feature [name]` command to list features or drill into one. + +- `guardlink translate [prompt]` — New command that translates GuardLink threat model findings into CERT-X-GEN (CXG) pentest templates (generation only, no execution). Supports all agent backends: `--claude-code`, `--codex`, `--gemini`, `--cursor`, `--windsurf`, `--clipboard`. Reads CXG reference docs and skeleton templates from `GUARDLINK_CXG_ROOT` env or configured default path. + +- `guardlink ask ` — New command that answers natural-language questions about the threat model and codebase context, launching an AI agent with full model serialization as context. + +- **Pentest integration** — GuardLink now loads CXG scan results from `.guardlink/pentest-findings/` (JSON) and template metadata from `.guardlink/cxg-templates/`. New interfaces: `PentestFinding`, `PentestScanResult`, `PentestTemplate`, `PentestData`. Findings are injected as a `` block into AI threat reports, `guardlink threat-report`, and the dashboard. Dashboard gains a dedicated **Pentest Findings** sidebar section with scan summary tables and per-finding detail drawers. + +- **Expanded threat model report** (`guardlink report`) — `generateReport()` now produces 10 structured sections (was: Executive Summary + tables): + + 1. Application Overview (auto-populated from `.guardlink/prompt.md` if present) + 2. Scope of This Threat Model + 3. Architecture (Mermaid DFD) + 4. Key Flows & Sequence (new Mermaid sequence diagram from `@flows`) + 5. Data Inventory + 6. Roles & Access + 7. Dependencies + 8. Secrets, Keys & Credential Management + 9. Logging, Monitoring & Audit + 10. AI/ML System Details (conditional — emitted only when AI-related threats are detected) -## [1.4.2] — 2026-04-24 + Report header now includes GuardLink version and git commit/branch from metadata. Confirmed exploitable findings appear as a row in the Executive Summary table. + +- **Sequence diagram** (`src/report/sequence.ts`) — New Mermaid `sequenceDiagram` generator built from `@flows` annotations, showing step-by-step participant interactions. Used in the Key Flows & Sequence report section. + +- `.guardlink/prompt.md` — `guardlink init` and `guardlink sync` now create this skeleton file. AI annotation agents fill it in with a security-focused project overview (what the app does, components, trust boundaries, data sensitivity, deployment). `guardlink report` reads it and injects the content as the Application Overview section. + +- **SARIF: confirmed exploitable rule** — New `guardlink/confirmed-exploitable` SARIF rule emitting `error`-level results for `@confirmed` annotations. These appear alongside unmitigated exposures in GitHub Advanced Security. + +- **MCP** `guardlink_lookup` **queries** — Two new query types: `"confirmed"` returns all `@confirmed` verified findings; `"features"` returns all `@feature`-tagged feature names with their associated files. + +- **LLM prompt improvements** — `buildUserMessage()` accepts pentest findings context. AI prompts now distinguish pentest-confirmable threats from governance/design gaps, and teach agents when to use `@confirmed` vs `@exposes` vs `@audit`. + +### Changed + +- `guardlink status` — Now prints `@confirmed` findings with a red badge below the exposure list. Accepts `--feature` for filtered output. +- `guardlink report` — Accepts `--feature` for scoped reports. Reads `.guardlink/prompt.md` for Application Overview. +- `guardlink dashboard` — Accepts `--feature`. Risk score formula now accounts for confirmed finding count. Feature filter dropdown in header. +- `guardlink threat-report` — Pentest findings from `.guardlink/pentest-findings/` are automatically included in AI analysis context. AI prompted to emit a dedicated "Pentest Results" section when findings are present. +- `/gal` **TUI command** — Documents `@feature` tagging with examples. +- **SARIF export** — `@confirmed` findings now appear as `error`-level entries under the new rule; `@exposes` severity mapping unchanged. +- **MCP server** — Status tool description updated to reflect confirmed count. `guardlink_lookup` extended with `confirmed` and `features` queries. + +### Fixed + +- **`guardlink report` no longer prints "Fix errors above before generating report"** when diagnostics contain errors — the message was misleading because the report generated anyway. Per-annotation parse errors don't block report generation; affected annotations are skipped while the rest of the model still renders. Behavior now matches `dashboard`, `sarif`, and `threat-report`. +- **MCP `guardlink_lookup` resolver agrees with itself across query types** — `asset #login` previously returned `count: 0` when an identifier was referenced (e.g. via `@confirmed`) but never declared in `definitions.ts`, even though `threats for #login`, `unmitigated`, and `confirmed` all returned the joined record. Bare `#id` queries had the same problem — they returned `no_match` for identifiers other queries happily resolved. Both `lookupAsset()` and `lookupFuzzy()` now fall back to the annotation graph (exposures, confirmed, mitigations, acceptances, audits, flows, boundaries) and synthesize stub records marked `declared: false` with a `referenced_in: [...]` audit trail. Consumers can distinguish synthesized stubs from real declarations. +- **MCP `guardlink_lookup` no_match hint no longer mangles its quotes** — the hint contained literal double-quote characters that got escaped twice through the MCP transport (content wrap + JSON-RPC envelope), rendering as `\\\"asset \\\"` in clients that print the raw response. Hint now uses backticks around examples so it survives both `JSON.stringify` passes intact. +- **Pentest template card titles in the dashboard now show the actual template id** (e.g. `login-sqli-network`) instead of fragments like `ge` or `e`. The previous loader regex `/id[:\s]*["']?([a-z0-9_-]+)["']?/i` matched the substring "id" inside words like `bridge` and `guide`. +- **Pentest template card severity is no longer hardcoded to `medium`** — the loader's severity regex required a colon between the field name and the value, missing Python templates that use `severity = "critical"` (equals separator). Both regexes now anchor on a complete field name with optional surrounding quotes (for JSON `"id": "x"` form) and accept `:` or `=` as the separator before a quoted value. +- **`guardlink status` row labels** — renamed the file-counting rows from `Annotated`/`Not annotated` to `Files annotated`/`Files unannotated`, removing the visual collision with the `Annotations` row directly below. The count of files-with-annotations is no longer easily misread as the total annotation count. +- **Pentest finding confidence renders defensively across CXG output shapes** — the dashboard previously hardcoded `${f.confidence}%`, assuming integer percentage. CXG has emitted confidence as integers, severity-style strings (`"high"`), and missing values across versions; the inline rendering produced `high%`, `undefined%`, and even `[object Object]%`. New `formatConfidence()` helper handles every case, clamps integers to `[0, 100]`, and never throws. The dashboard still shows `50%` for every finding today because CXG itself hardcodes that — a CXG-side fix lands separately; GuardLink will display the correct value when it does. +- **Topology dedupes undeclared refs across kinds** — an undeclared identifier like `#login-sqli` referenced as both an asset (by `@exposes`) and a threat (by `@confirmed`) previously synthesized two separate nodes in different clusters of the force-directed dashboard graph. The alias resolver now does cross-kind dedup before synthesizing; declared assets/threats/controls always take priority. New `declared: boolean` field on topology nodes lets downstream consumers distinguish synthesized stubs from real declarations. +- **Multi-hop** `@flows` **annotations are no longer rejected** — `@flows User -> /api -> DB` previously failed with `Malformed @flows annotation: could not parse arguments` because the regex required exactly two `ASSET_REF` captures separated by a single arrow. See Added section for the new multi-hop syntax. +- **URL-style and whitespace-containing refs work in** `@flows` **and other relationships** — `/rest/user/login`, `"SQLite db"`, `"Auth Service"` now parse where they didn't before. The `ASSET_REF` regex previously accepted only `#id` and `Dotted.Path` forms. See Added section for quoted-ref syntax. +- **`.guardlink/prompt.md` auto-migrates for v1.4.x projects on first** `guardlink report` — projects upgraded from earlier versions didn't have the new file (since `guardlink init` short-circuits when `.guardlink/` exists), causing reports to silently fall back to a boilerplate Application Overview. Now created automatically on first report with a one-line stderr nudge so the user discovers the feature. Existing user content is never overwritten; the operation is idempotent. New `ensurePromptMd()` helper in `src/init/migrate.ts`. + +### Internal + +- **Generated samples moved to `docs/examples/`** — `threat-dashboard.html`, `threat-model.md`, and `guardlink-pentest.{html,json,sarif}` were previously committed at the repo root, where every `guardlink dashboard .` run from the project root rewrote them and produced churn in unrelated PRs. They now live under `docs/examples/` (with a `README.md` documenting how to regenerate them deliberately) and the root paths are git-ignored. +- **`fatal` diagnostic tier reserved** — `ParseDiagnostic.level` extended from `'error' | 'warning'` to `'error' | 'warning' | 'fatal'` with detailed JSDoc explaining tier semantics. No code path currently emits a fatal; this is a non-breaking type widening so v1.6 can introduce the first emission site (for unrecoverable conditions like schema version mismatch or unparseable definitions) without a coordinated cross-file change. New `diagnosticIcon()` helper in `src/parser/format.ts` centralizes the level → icon mapping (`✗✗` / `✗` / `⚠`); CLI and TUI printers use it consistently. A `TODO(fatal-tier)` note in `src/types/index.ts` enumerates the 11 audit sites that need updating before the first emission lands. +- **Test coverage** — new test files: `tests/lookup.test.ts` (14 tests across the MCP query DSL with regression guards for the resolver bugs), `tests/pentest-loader.test.ts` (10 tests covering JSON/Python/YAML conventions for template metadata extraction), `tests/format.test.ts` (9 tests for confidence rendering across number/string/missing inputs), `tests/migrate.test.ts` (5 tests for prompt.md migration outcomes including idempotence), `tests/diagnostics.test.ts` (7 tests covering the fatal-tier vocabulary and icon mapping), `tests/redact.test.ts` (27 tests for surgical evidence redaction including JWT split-redact, Authorization header variants, JSON / query-string / cookie credential patterns, object-key inspection, and safety properties), plus extensions to `tests/parser.test.ts` (+19 tests for multi-hop chains and quoted refs) and `tests/dashboard.test.ts` (+4 tests for cross-kind topology dedup). Suite total: 72 → 167. + +## \[1.4.2\] — 2026-04-24 ### Added @@ -35,15 +110,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - **Version**: bump from `1.4.1-gal` development tag (landed via #6) to `1.4.2` across `package.json`, `package-lock.json`, `src/cli/index.ts`, and `src/mcp/server.ts`. - **Lockfiles**: remove committed `bun.lock` (landed via #6). This project standardizes on npm; `package-lock.json` is canonical. Added `bun.lock`, `yarn.lock`, and `pnpm-lock.yaml` to `.gitignore` so contributors using alternate package managers locally do not accidentally commit a second lockfile. -## [1.4.1] — 2026-03-12 +## \[1.4.1\] — 2026-03-12 ### Fixed - -- **GAL reference (`/gal`, `guardlink gal`)**: Fixed all syntax examples to match the actual parser — descriptions now correctly show `-- "quoted text"` format instead of the non-functional `: text` format; severity now shows bracket notation `[high]` / `[P0]` instead of `severity:high`; `@flows` now shows `->` arrow syntax instead of `to`; `@validates` now shows `for` preposition instead of `on`; `@owns` now includes the required `for` preposition; `@mitigates` now documents `using` as the primary keyword (with `with` as v1 compat) +- **GAL reference (**`/gal`**,** `guardlink gal`**)**: Fixed all syntax examples to match the actual parser — descriptions now correctly show `-- "quoted text"` format instead of the non-functional `: text` format; severity now shows bracket notation `[high]` / `[P0]` instead of `severity:high`; `@flows` now shows `->` arrow syntax instead of `to`; `@validates` now shows `for` preposition instead of `on`; `@owns` now includes the required `for` preposition; `@mitigates` now documents `using` as the primary keyword (with `with` as v1 compat) - **GAL reference**: Added missing documentation for external references (`cwe:CWE-89`, `owasp:A03:2021`, `capec:CAPEC-66`, `attack:T1190`) on `@threat` and `@exposes` annotations - **GAL reference**: Added missing `@boundary` alternate syntaxes (`@boundary between A and B`, `@boundary A | B`) and `(#id)` support - **GAL reference**: Added missing standalone `@shield` single-line marker (was only documenting `@shield:begin/end` blocks) -- **TUI `/help`**: Added missing `/unannotated` command to the help output (was registered and functional but not listed) +- **TUI** `/help`: Added missing `/unannotated` command to the help output (was registered and functional but not listed) - **CLI version**: Fixed `guardlink --version` reporting `1.1.0` instead of the actual package version ### Changed @@ -53,7 +127,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - **Annotations**: Changed `@comment` to `@audit` on agent-launcher timeout note for better governance visibility - **Annotations**: Added `@audit` to MCP suggest module, added workspace-related controls to definitions -## [1.4.0] — 2026-02-27 +## \[1.4.0\] — 2026-02-27 ### Added diff --git a/CLAUDE.md b/CLAUDE.md index 337ebbc..766e8df 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -3,7 +3,7 @@ ## GuardLink — Security Annotations (Required) -This project uses [GuardLink](https://guardlink.bugb.io) annotations in source code comments or standalone `.gal` files. +This project uses [GuardLink](https://guardlink.bugb.io) annotations in source code comments. **Full reference: `docs/GUARDLINK_REFERENCE.md`** ### Core Requirement @@ -14,11 +14,12 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c 1. **Annotate new code.** When you add a function, endpoint, or module that handles user input, accesses data, crosses a trust boundary, or could fail in a security-relevant way — add `@exposes`, `@mitigates`, `@flows`, `@handles`, or at minimum `@comment` annotations. This is not optional. 2. **NEVER write `@accepts`.** That is a human-only governance decision. When you find a risk with no mitigation in code, write `@exposes` to document the risk + `@audit` to flag it for human review + `@comment` to suggest potential controls. -3. Do not delete or mangle existing annotations. Treat them as part of the code. Edit only when intentionally changing the threat model. -4. Definitions (`@asset`, `@threat`, `@control` with `(#id)`) live in `.guardlink/definitions.ts`. Reuse existing `#id`s — never redefine. If you need a new asset or threat, add the definition there first, then reference it in source files. -5. Relationship annotations use verbs like: `@mitigates`, `@exposes`, `@flows`, `@handles`, `@boundary`, `@comment`, `@validates`, `@audit`, `@owns`, `@assumes`, `@transfers`. -6. Write coupled annotation blocks that tell a complete story: risk + control (or audit) + data flow + context note. Never write a lone `@exposes` without follow-up. -7. Avoid `@shield` unless a human explicitly asks to hide code from AI — it creates blind spots. +3. **Use `@confirmed` for verified exploits.** When a pentest, CXG scan, or manual reproduction proves a threat is exploitable, mark it with `@confirmed #threat on Asset [severity] -- "evidence"`. This is distinct from `@exposes` (theoretical) — `@confirmed` means real, verified, not a false positive. Include severity based on actual observed impact. +4. Do not delete or mangle existing annotations. Treat them as part of the code. Edit only when intentionally changing the threat model. +5. Definitions (`@asset`, `@threat`, `@control` with `(#id)`) live in `.guardlink/definitions.ts`. Reuse existing `#id`s — never redefine. If you need a new asset or threat, add the definition there first, then reference it in source files. +6. Source files use relationship verbs only: `@mitigates`, `@exposes`, `@confirmed`, `@flows`, `@handles`, `@boundary`, `@comment`, `@validates`, `@audit`, `@owns`, `@assumes`, `@transfers`, `@feature`. +7. Write coupled annotation blocks that tell a complete story: risk + control (or audit) + data flow + context note. Never write a lone `@exposes` without follow-up. +8. Avoid `@shield` unless a human explicitly asks to hide code from AI — it creates blind spots. ### Workflow (while coding) @@ -43,6 +44,8 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c @handles pii on App.API -- "Processes email and session token" @validates #prepared-stmts for App.API -- "sqlInjectionTest.ts ensures placeholders used" @audit App.API -- "Token rotation logic needs crypto review" +@confirmed #sqli on App.API [critical] cwe:CWE-89 -- "Pentest verified: raw SQL injection via email param" +@feature "SSO Login" -- "Single sign-on authentication flow" @owns security-team for App.API -- "Team responsible for reviews" @comment -- "Rate limit: 100 req/15min via express-rate-limit" ``` @@ -57,33 +60,25 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c ### Open Exposures (need @mitigates or @audit) -- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12) -- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17) - #agent-launcher exposed to #prompt-injection [medium] (src/agents/launcher.ts:13) - #agent-launcher exposed to #dos [low] (src/agents/launcher.ts:15) - #agent-launcher exposed to #prompt-injection [high] (src/agents/prompts.ts:6) -- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:15) -- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:31) -- #init exposed to #data-exposure [low] (src/init/index.ts:12) +- #agent-launcher exposed to #config-tamper [medium] (src/agents/prompts.ts:10) +- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12) +- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17) +- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:33) +- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:16) - #mcp exposed to #cmd-injection [high] (src/mcp/index.ts:4) - #mcp exposed to #prompt-injection [medium] (src/mcp/server.ts:30) - #mcp exposed to #data-exposure [medium] (src/mcp/server.ts:34) - #suggest exposed to #dos [low] (src/mcp/suggest.ts:16) +- #init exposed to #data-exposure [low] (src/init/index.ts:12) - #parser exposed to #arbitrary-write [high] (src/parser/clear.ts:8) - #tui exposed to #cmd-injection [high] (src/tui/commands.ts:11) - #tui exposed to #prompt-injection [medium] (src/tui/commands.ts:15) ### Existing Data Flows (extend, don't duplicate) -- ThreatModel -> #llm-client via serializeModel -- ProjectFiles -> #llm-client via readFileSync -- #llm-client -> ReportFile via writeFileSync -- LLMConfig -> #llm-client via chatCompletion -- #llm-client -> LLMProvider via fetch -- LLMProvider -> #llm-client via response -- LLMToolCall -> #llm-client via createToolExecutor -- #llm-client -> NVD via fetch -- ProjectFiles -> #llm-client via readFileSync - EnvVars -> #agent-launcher via process.env - ConfigFile -> #agent-launcher via readFileSync - #agent-launcher -> ConfigFile via writeFileSync @@ -91,15 +86,29 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c - #agent-launcher -> AgentProcess via spawn - AgentProcess -> #agent-launcher via stdout - UserPrompt -> #agent-launcher via buildAnnotatePrompt +- UserPrompt -> #agent-launcher via buildTranslatePrompt +- UserPrompt -> #agent-launcher via buildAskPrompt - ThreatModel -> #agent-launcher via model - #agent-launcher -> AgentPrompt via return -- ThreatModel -> #dashboard via computeStats -- SourceFiles -> #dashboard via readFileSync -- ... and 48 more +- ThreatModel -> #llm-client via serializeModel +- ProjectFiles -> #llm-client via readFileSync +- #llm-client -> ReportFile via writeFileSync +- PentestFindings -> #llm-client via readFileSync +- LLMConfig -> #llm-client via chatCompletion +- #llm-client -> LLMProvider via fetch +- LLMProvider -> #llm-client via response +- LLMToolCall -> #llm-client via createToolExecutor +- #llm-client -> NVD via fetch +- ... and 55 more + +### Features (filter with `--feature`) + +- "Dashboard" +- "MCP Integration" ### Model Stats -289 annotations, 16 assets, 15 threats, 12 controls, 60 exposures, 44 mitigations, 68 flows +310 annotations, 16 assets, 15 threats, 12 controls, 61 exposures, 0 confirmed, 48 mitigations, 75 flows, 2 features > **Note:** This section is auto-generated. Run `guardlink sync` to update after code changes. > Any coding agent (Cursor, Claude, Copilot, Windsurf, etc.) should reference these IDs @@ -126,6 +135,26 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c + + + + + + + + + + + + + + + + + + + + diff --git a/README.md b/README.md index 6d8aee9..164b6fd 100644 --- a/README.md +++ b/README.md @@ -185,6 +185,8 @@ GuardLink ships an MCP server and behavioral directives for AI coding agents. Af | `guardlink sarif [dir]` | Export unmitigated exposures as SARIF 2.1.0 | | `guardlink threat-report [fw]` | AI threat report (stride/dread/pasta/attacker/rapid/general) | | `guardlink threat-reports` | List saved AI threat reports | +| `guardlink translate [prompt]` | Generate CERT-X-GEN pentest templates from threat model findings | +| `guardlink ask ` | Ask a natural-language question about the threat model and codebase | | `guardlink review [dir]` | Interactive governance review — accept, remediate, or skip unmitigated exposures | | `guardlink review --list` | List reviewable exposures without prompting | | `guardlink clear [dir]` | Remove all annotations from source files (with `--dry-run` preview) | @@ -259,6 +261,8 @@ GuardLink annotations can live in source comments in any language or in standalo | `@control` | Define a security control | `@control WAF (#waf)` | | `@mitigates` | Control protects asset against threat | `@mitigates #api against #sqli using #prepared-stmts` | | `@exposes` | Asset vulnerable to threat | `@exposes #api to #xss [P1]` | +| `@confirmed` | Threat verified exploitable (pentest/scan) | `@confirmed #sqli on #api [critical] -- "Verified in pen test"` | +| `@feature` | Tag code with a product feature name | `@feature "SSO Login" -- "Single sign-on authentication flow"` | | `@accepts` | Risk acknowledged | `@accepts #dos on #api -- "By design"` | | `@transfers` | Risk moved between assets | `@transfers #sqli from #api to #db` | | `@flow` | Data flow between assets | `@flow #api -> #db via "SQL"` | @@ -321,7 +325,33 @@ For workspace setups, GuardLink provides two additional workflow templates: a pe ### SARIF -`guardlink sarif` exports unmitigated exposures as SARIF 2.1.0. Upload to GitHub Advanced Security and every `@exposes` appears as a code scanning alert with file, line, severity, and CWE. +`guardlink sarif` exports unmitigated exposures and `@confirmed` findings as SARIF 2.1.0. Upload to GitHub Advanced Security: unmitigated `@exposes` appear as warnings or errors by severity; `@confirmed` exploitable findings appear as errors. + +### Pentest Integration + +GuardLink bridges threat modeling and penetration testing in both directions. + +**From threat model to pentest templates** — `guardlink translate` reads your `@exposes` annotations and generates CERT-X-GEN (CXG) pentest template stubs targeting the specific threats you've documented. Run it with any agent backend: + +```bash +guardlink translate --claude-code +guardlink translate "focus on injection paths" --clipboard +``` + +**From pentest results back to the threat model** — Drop CXG scan result JSON files into `.guardlink/pentest-findings/`. GuardLink reads them automatically and: +- Injects findings as empirical evidence in `guardlink threat-report` and AI analyses +- Displays a **Pentest Findings** section in `guardlink dashboard` +- Teaches agents to cross-reference scan results against `@exposes` annotations + +**Marking verified findings** — When a pentest or scan proves a threat is exploitable, add `@confirmed` to close the loop: + +```typescript +// @confirmed #sqli on App.API [critical] cwe:CWE-89 -- "CXG scan 2026-04: time-based blind SQLi on /login confirmed" +``` + +`@confirmed` is distinct from `@exposes` (hypothesis) — it means real, verified, not a false positive. + +**Handling evidence safely** — Pentest finding JSON files in `.guardlink/pentest-findings/` and generated templates in `.guardlink/cxg-templates/` often contain live tokens, JWTs, credential payloads, and other replay-enabling material captured from successful exploits. Before running scans against any system you care about, add these directories to your repository's ignore file. GuardLink also supports opt-in surgical redaction (`guardlink config set redact-evidence true`) for enterprise users whose compliance posture requires no cleartext credentials at rest. See [docs/handling-evidence.md](docs/handling-evidence.md) for the full operational guide. --- diff --git a/docs/GUARDLINK_REFERENCE.md b/docs/GUARDLINK_REFERENCE.md index f99d3fc..93d5bd5 100644 --- a/docs/GUARDLINK_REFERENCE.md +++ b/docs/GUARDLINK_REFERENCE.md @@ -12,6 +12,7 @@ DEFINE @asset (#id) -- "description" RELATE @mitigates against <#threat> using <#control> -- "how" @exposes to <#threat> [severity] cwe:CWE-NNN -- "what's wrong" + @confirmed <#threat> on [severity] cwe:CWE-NNN -- "verified evidence" @accepts <#threat> on -- "HUMAN-ONLY — AI agents must use @audit instead" @transfers <#threat> from to -- "who handles it" @@ -26,6 +27,8 @@ LIFECYCLE @handles on @assumes -- "unverified assumption" +METADATA @feature "Feature Name" -- "tag code with a feature for filtering" + COMMENT @comment -- "security-relevant developer note" PROTECT @shield -- "reason" @@ -69,10 +72,12 @@ Use the same GAL syntax without language comment prefixes. Definitions still bel | Writing new endpoint/handler | `@exposes` + `@mitigates` (or `@audit`) + `@flows` + `@comment` — tell the complete story | | New service/component | `@asset` in definitions, then reference in source | | Security gap exists | `@exposes Asset to #threat` + `@audit Asset` | +| Threat verified exploitable | `@confirmed #threat on Asset [severity] -- "pentest/scan evidence"` | | Risk with no fix yet | `@audit Asset` + `@comment` explaining potential controls. NEVER `@accepts`. | | Implementing a fix | `@mitigates Asset against #threat using #control` | | Processing sensitive data | `@handles pii on Asset` | | Proprietary algorithm | `@shield:begin` ... `@shield:end` (only if human requests it) | +| Tagging code to a feature | `@feature "SSO Login" -- "Single sign-on flow"` | | Unsure which annotation | `@comment -- "describe what you see"` | ## CLI Commands @@ -94,6 +99,8 @@ guardlink diff [ref] # Compare threat model against a git ref guardlink threat-report # AI threat report (see frameworks below) guardlink threat-reports # List saved threat reports guardlink annotate [--mode inline|external] # Launch coding agent to add annotations +guardlink translate [prompt] # Generate CERT-X-GEN pentest templates from threat findings +guardlink ask # Ask questions about the threat model and codebase guardlink config # Manage LLM provider / CLI agent configuration # Governance & Maintenance @@ -102,11 +109,18 @@ guardlink review --list [--severity X] # List reviewable exposures without prom guardlink clear [dir] [--dry-run] # Remove all annotations from source files guardlink sync [dir] # Sync agent instruction files with current threat model guardlink unannotated [dir] # List source files with no annotations +guardlink feature list [dir] # List all @feature tags with stats +guardlink feature show # Show threat model for a specific feature # Interactive guardlink tui [dir] # Interactive TUI: slash commands + AI chat guardlink mcp # Start MCP server (stdio) for Claude Code, Cursor, etc. guardlink gal # Display GAL annotation language quick reference + +# Feature filtering (--feature flag on report, dashboard, status, translate) +guardlink report . --feature "SSO Login" # Report filtered to feature +guardlink dashboard . --feature "SSO,Payments" # Dashboard filtered to features +guardlink status . --feature "SSO Login" # Status filtered to feature ``` ## Threat Report Frameworks @@ -169,6 +183,7 @@ Run `guardlink tui` for the interactive terminal interface: /diff [ref] Compare model vs git ref (default: HEAD~1) /sarif [-o file] Export SARIF 2.1.0 /gal GAL annotation language guide +/feature List all @feature tags (freeform text) Chat about your threat model with AI ``` @@ -176,12 +191,12 @@ Run `guardlink tui` for the interactive terminal interface: 1. **@boundary requires TWO assets**: `@boundary between #A and #B` or `@boundary #A | #B`. 2. **@flows is ONE source → ONE target per line**: `@flows -> via `. -3. **@exposes / @mitigates require defined #id refs**: Every `#id` must have a definition in `.guardlink/definitions.*`. -4. **Severity in square brackets**: `[P0]` `[P1]` `[P2]` `[P3]` or `[critical]` `[high]` `[medium]` `[low]`. Goes AFTER the threat ref. +3. **@exposes / @mitigates / @confirmed require defined #id refs**: Every `#id` must have a definition in `.guardlink/definitions.*`. +4. **Severity in square brackets**: `[P0]` `[P1]` `[P2]` `[P3]` or `[critical]` `[high]` `[medium]` `[low]`. Goes AFTER the threat ref on `@exposes`; on `@confirmed` it reflects **verified** impact (optional but recommended). 5. **Descriptions in double quotes after --**: `-- "description text here"`. 6. **IDs use parentheses in definitions, hash in references**: Define `(#sqli)`, reference `#sqli`. 7. **Asset references**: Use `#id` or `Dotted.Path` — no spaces or special chars. -8. **External refs space-separated after severity**: `cwe:CWE-89 owasp:A03:2021 capec:CAPEC-66`. +8. **External refs space-separated after severity**: `cwe:CWE-89 owasp:A03:2021 capec:CAPEC-66` (on `@threat`, `@exposes`, `@confirmed`). 9. **@comment always needs -- and quotes**: `@comment -- "your note here"`. 10. **One annotation per comment line.** Do NOT put two @verbs on the same line. @@ -189,7 +204,7 @@ Run `guardlink tui` for the interactive terminal interface: When connected via `.mcp.json`, use: - `guardlink_parse` — parse annotations, return threat model -- `guardlink_lookup` — query threats, controls, exposures by ID +- `guardlink_lookup` — query threats, controls, exposures by ID (try `unmitigated`, `confirmed`) - `guardlink_suggest` — get annotation suggestions for a file - `guardlink_validate` — check for syntax errors - `guardlink_status` — coverage stats diff --git a/docs/SPEC.md b/docs/SPEC.md index 9fb9752..33d3b12 100644 --- a/docs/SPEC.md +++ b/docs/SPEC.md @@ -24,7 +24,7 @@ GuardLink extends the original ThreatSpec specification (dormant since 2020) wit **1.3. Annotations are structured data.** While readable as English, every annotation has a deterministic grammar that can be parsed by regex into typed data structures. Ambiguous or free-form syntax is avoided. -**1.4. Annotations capture intent, not implementation.** An `@exposes` annotation says "this code is vulnerable to X" — it does not describe how the vulnerability works. A `@mitigates` annotation says "this code defends against X" — it does not duplicate the implementation. The annotation is a pointer from code to the threat model. +**1.4. Annotations capture intent, not implementation.** An `@exposes` annotation says "this code is vulnerable to X" — it does not describe how the vulnerability works. A `@mitigates` annotation says "this code defends against X" — it does not duplicate the implementation. A `@confirmed` annotation says "this threat was verified exploitable here" with evidence summarized in the description — it is not a false positive. The annotation is a pointer from code to the threat model. **1.5. Annotations are incremental.** A codebase does not need 100% annotation coverage to be useful. A single `@exposes` annotation on a critical endpoint is valuable. Tools should work with partial annotation and measure coverage over time. @@ -347,6 +347,40 @@ def get_user(user_id: int): return db.get_user(user_id) # Anyone can access any user ``` +#### `@confirmed` — Verified Exploitable Finding + +``` +@confirmed on [] [] [-- ""] +``` + +Declares that a threat against an asset has been **verified** through penetration testing, automated security scanning with reproducible evidence, or manual exploitation — not a theoretical risk. This is distinct from `@exposes` (developer hypothesis) and from `@accepts` (governance decision to live with risk). Tools should surface `@confirmed` as highest-priority findings (e.g., SARIF `error`, dashboard emphasis). + +The optional `[severity]` reflects **observed** impact from verification; it may differ from the severity on a matching `@exposes` or `@threat` definition. + +```typescript +// @confirmed #secret-exposure on App.Config [critical] cwe:CWE-798 -- "TruffleHog + manual: live API key in committed .env.example, verified against provider" +``` + +#### `@feature` — Feature Tag + +``` +@feature "" [-- ""] +``` + +Tags the file with a named product feature. All annotations in a file that carries `@feature "X"` are associated with that feature. A file may carry multiple `@feature` tags. Feature names are free-form quoted strings. + +Feature tags are metadata only — they have no effect on validation or coverage scoring. Their purpose is to allow threat model consumers (CLI, dashboard, reports) to filter or scope the model to a subset of the system: + +- `guardlink status . --feature "SSO Login"` — coverage stats for one feature +- `guardlink report . --feature "Payments"` — report scoped to that feature +- Dashboard feature filter dropdown + +```typescript +// @feature "SSO Login" -- "Single sign-on authentication flow" +// @feature "Payment Processing" +export async function handleOAuthCallback(req: Request) { ... } +``` + #### `@accepts` — Acknowledge a Risk ``` diff --git a/docs/examples/README.md b/docs/examples/README.md new file mode 100644 index 0000000..17414ec --- /dev/null +++ b/docs/examples/README.md @@ -0,0 +1,44 @@ +# GuardLink output examples + +These files are sample outputs generated by running GuardLink against its own +codebase. They serve as concrete reference material for the formats GuardLink +produces and as visible dogfood evidence that the tool works on a real +TypeScript project. + +| File | Generated by | What it shows | +|---|---|---| +| `threat-model.md` | `guardlink report .` | Markdown threat model report — the canonical narrative output (Application Overview → Confirmed Exploitable → Audit Items). | +| `threat-dashboard.html` | `guardlink dashboard .` | Self-contained interactive HTML dashboard — Executive Summary, Topology graph, Pentest Findings sidebar, severity breakdown, attack-surface view. | +| `guardlink-pentest.json` | `cxg scan ... --output-format json` | Machine-readable scan results (findings, evidence, scan metadata) ingested by the dashboard's Pentest Findings tab. | +| `guardlink-pentest.sarif` | `cxg scan ... --output-format sarif` | SARIF 2.1.0 export — the format GitHub Advanced Security and most CI security tools consume. | +| `guardlink-pentest.html` | `cxg scan ... --output-format html` | Human-readable scan report from CXG. | + +## How these are produced + +These are NOT hand-edited. To regenerate from a fresh clone: + +```bash +npm install && npm run build && npm link + +# Threat model + dashboard from GuardLink's own annotations +guardlink report . -o docs/examples/threat-model.md +guardlink dashboard . -o docs/examples/threat-dashboard.html + +# Pentest scan (requires CXG installed and templates in .guardlink/cxg-templates/) +cxg scan --scope local://. \ + --template-dir .guardlink/cxg-templates/ \ + --output docs/examples/guardlink-pentest \ + --output-format json,sarif,html +``` + +## Why they live here, not at the repo root + +Earlier versions of v1.5.0 committed these files at the repo root, where +every `guardlink dashboard .` run would overwrite them and create a noisy +git diff. They're now under `docs/examples/` — out of the working +directory tools default to — and the repo root paths (`threat-dashboard.html`, +`threat-model.md`, `guardlink-pentest.*`) are git-ignored so accidental +local regeneration doesn't touch tracked files. + +Update them deliberately when the tool's output format changes +materially, not on every push. diff --git a/docs/examples/guardlink-pentest.html b/docs/examples/guardlink-pentest.html new file mode 100644 index 0000000..58088d1 --- /dev/null +++ b/docs/examples/guardlink-pentest.html @@ -0,0 +1,979 @@ + + + + + + CERT-X-GEN Security Scan Report + + + +
+ +
+

🛡️ CERT-X-GEN Security Scan Report

+

Scan ID: 60be8e79-14f7-4040-afd2-ebf9fad1853e

+
+ 📅 2026-03-31 20:03:16 UTC + ⏱️ 30.00s duration + 🔧 v1.1.0 +
+
+ +
+
+
1
+
Targets Scanned
+
+
+
13
+
Templates Executed
+
+
+
9
+
Total Findings
+
+
+
30.00s
+
Duration
+
+
+ +
+
+
0
+
Critical
+
+
+
4
+
High
+
+
+
2
+
Medium
+
+
+
3
+
Low
+
+
+
0
+
Info
+
+
+ +
+

📋 Findings

+
+ +
+
+

Full Threat Model Exposed via MCP guardlink_parse

+ medium +
+
+
+
+
Target
+
/path/to/guardlink-sample
+
+
+
Template
+
guardlink-data-exposure-mcp
+
+
+
Confidence
+
80%
+
+
+
Timestamp
+
2026-03-31 20:03:19 UTC
+
+ +
+
Vulnerability IDs
+
CWE-200
+
+
+
+ Description: The MCP guardlink_parse tool returns the complete threat model including: exposures (62 entries), mitigations (44 entries), data flows (71 entries), absolute paths (3 found). Any MCP client connected to the server has full visibility into the project's security posture, including known vulnerabilities and their locations. +
+ + +
+
+ Evidence + Raw output +
+ 

+                    

+                    
+                

+            

+
+            

+                

+                    
Unmitigated Vulnerability Details Exposed via MCP

+                    medium
+                

+                

+                    

+                        

+                            
Target

+                            
/path/to/guardlink-sample

+                        

+                        

+                            
Template

+                            
guardlink-data-exposure-mcp

+                        

+                        

+                            
Confidence

+                            
80%

+                        

+                        

+                            
Timestamp

+                            
2026-03-31 20:03:19 UTC

+                        

+                        
+                        

+                            
Vulnerability IDs

+                            
CWE-200

+                        

+                    

+                    

+                        Description: The MCP guardlink_status tool reveals 17 unmitigated exposures (5 critical/high severity) with exact file paths and line numbers. This provides a detailed attack roadmap to any connected MCP client.
+                    

+                    
+                    
+                    

+                        

+                            Evidence
+                            Raw output
+                        

+                        

+                    

+                    
+                

+            

+
+            

+                

+                    
MCP Resource Accessible Without Auth: guardlink://model

+                    low
+                

+                

+                    

+                        

+                            
Target

+                            
/path/to/guardlink-sample

+                        

+                        

+                            
Template

+                            
guardlink-data-exposure-mcp

+                        

+                        

+                            
Confidence

+                            
80%

+                        

+                        

+                            
Timestamp

+                            
2026-03-31 20:03:19 UTC

+                        

+                        
+                        

+                            
Vulnerability IDs

+                            
CWE-200

+                        

+                    

+                    

+                        Description: The MCP resource guardlink://model (Full threat model) is accessible without any authentication or authorization check. Response size: 79717 chars.
+                    

+                    
+                    
+                    

+                        

+                            Evidence
+                            Raw output
+                        

+                        
{
+  "version": "1.1.0",
+  "project": "unknown",
+  "generated_at": "2026-03-31T20:03:18.347Z",
+  "source_files": 76,
+  "annotations_parsed": 297,
+  "annotated_files": [
+    ".cxg-test-symlink/external.ts",
+    ".guardlink/definitions.ts",
+    "src/agents/config.ts",
+    "src/agents/index.ts",
+    "sr

+                    

+                    
+                

+            

+
+            

+                

+                    
MCP Resource Accessible Without Auth: guardlink://definitions

+                    low
+                

+                

+                    

+                        

+                            
Target

+                            
/path/to/guardlink-sample

+                        

+                        

+                            
Template

+                            
guardlink-data-exposure-mcp

+                        

+                        

+                            
Confidence

+                            
80%

+                        

+                        

+                            
Timestamp

+                            
2026-03-31 20:03:19 UTC

+                        

+                        
+                        

+                            
Vulnerability IDs

+                            
CWE-200

+                        

+                    

+                    

+                        Description: The MCP resource guardlink://definitions (Asset/threat/control definitions) is accessible without any authentication or authorization check. Response size: 7384 chars.
+                    

+                    
+                    
+                    

+                        

+                            Evidence
+                            Raw output
+                        

+                        
{
+  "assets": [
+    {
+      "id": "parser",
+      "path": "GuardLink.Parser",
+      "description": "Reads source files from disk, extracts security annotations using regex patterns"
+    },
+    {
+      "id": "cli",
+      "path": "GuardLink.CLI",
+      "description": "Command-line interface, handles u

+                    

+                    
+                

+            

+
+            

+                

+                    
MCP Resource Accessible Without Auth: guardlink://unmitigated

+                    low
+                

+                

+                    

+                        

+                            
Target

+                            
/path/to/guardlink-sample

+                        

+                        

+                            
Template

+                            
guardlink-data-exposure-mcp

+                        

+                        

+                            
Confidence

+                            
80%

+                        

+                        

+                            
Timestamp

+                            
2026-03-31 20:03:19 UTC

+                        

+                        
+                        

+                            
Vulnerability IDs

+                            
CWE-200

+                        

+                    

+                    

+                        Description: The MCP resource guardlink://unmitigated (Unmitigated exposure list) is accessible without any authentication or authorization check. Response size: 2361 chars.
+                    

+                    
+                    
+                    

+                        

+                            Evidence
+                            Raw output
+                        

+                        
[
+  {
+    "asset": "App",
+    "threat": "#sqli",
+    "file": ".cxg-test-symlink/external.ts",
+    "line": 1
+  },
+  {
+    "asset": "#llm-client",
+    "threat": "#data-exposure",
+    "severity": "low",
+    "file": "src/analyze/index.ts",
+    "line": 12
+  },
+  {
+    "asset": "#llm-client",
+    "threat"

+                    

+                    
+                

+            

+
+            

+                

+                    
MCP Path Traversal via root Parameter (guardlink_parse)

+                    high
+                

+                

+                    

+                        

+                            
Target

+                            
/path/to/guardlink-sample

+                        

+                        

+                            
Template

+                            
guardlink-path-traversal-mcp

+                        

+                        

+                            
Confidence

+                            
85%

+                        

+                        

+                            
Timestamp

+                            
2026-03-31 20:03:20 UTC

+                        

+                        
+                        

+                            
Vulnerability IDs

+                            
CWE-22

+                        

+                    

+                    

+                        Description: The MCP server accepted root='/etc' and returned data from outside the project directory. An MCP client can read arbitrary directory contents through the parse tool.
+                    

+                    
+                    
+                    

+                        

+                            Evidence
+                            Raw output
+                        

+                        
EACCES: permission denied, scandir '/etc/cups/certs'

+                    

+                    
+                

+            

+
+            

+                

+                    
MCP Path Traversal via root Parameter (guardlink_status)

+                    high
+                

+                

+                    

+                        

+                            
Target

+                            
/path/to/guardlink-sample

+                        

+                        

+                            
Template

+                            
guardlink-path-traversal-mcp

+                        

+                        

+                            
Confidence

+                            
85%

+                        

+                        

+                            
Timestamp

+                            
2026-03-31 20:03:20 UTC

+                        

+                        
+                        

+                            
Vulnerability IDs

+                            
CWE-22

+                        

+                    

+                    

+                        Description: The MCP server accepted root='/etc' in guardlink_status and returned status data for files outside the project.
+                    

+                    
+                    
+                    

+                        

+                            Evidence
+                            Raw output
+                        

+                        
EACCES: permission denied, scandir '/etc/cups/certs'

+                    

+                    
+                

+            

+
+            

+                

+                    
MCP Arbitrary File Write via Report Output Path

+                    high
+                

+                

+                    

+                        

+                            
Target

+                            
/path/to/guardlink-sample

+                        

+                        

+                            
Template

+                            
guardlink-path-traversal-mcp

+                        

+                        

+                            
Confidence

+                            
85%

+                        

+                        

+                            
Timestamp

+                            
2026-03-31 20:03:20 UTC

+                        

+                        
+                        

+                            
Vulnerability IDs

+                            
CWE-22

+                        

+                    

+                    

+                        Description: The MCP guardlink_report tool wrote a file to /var/folders/zn/h5q5_5155fzcq32ddvgz2v0r0000gn/T/guardlink-cxg-mcp-266fkcf_/stolen-report.md outside the project root by manipulating the output parameter.
+                    

+                    
+                    
+                    

+                        

+                            Evidence
+                            Raw output
+                        

+                        

+                    

+                    
+                

+            

+
+            

+                

+                    
Symlink Escape in guardlink clear

+                    high
+                

+                

+                    

+                        

+                            
Target

+                            
/path/to/guardlink-sample

+                        

+                        

+                            
Template

+                            
guardlink-parser-arbitrary-write

+                        

+                        

+                            
Confidence

+                            
80%

+                        

+                        

+                            
Timestamp

+                            
2026-03-31 20:03:46 UTC

+                        

+                        
+                        

+                            
Vulnerability IDs

+                            
CWE-73

+                        

+                    

+                    

+                        Description: The 'guardlink clear' command follows symlinks and would modify files outside the project root. External file '/var/folders/zn/h5q5_5155fzcq32ddvgz2v0r0000gn/T/cxg-arb-write-7lyia0j6/external.ts' was included in the clear operation via a symlink.
+                    

+                    
+                    
+                    

+                        

+                            Evidence
+                            Raw output
+                        

+                        
+Found 294 annotation line(s) across 39 file(s):
+
+  .cxg-test-symlink/external.ts  (1 line)
+  src/agents/config.ts  (10 lines)
+  src/agents/index.ts  (2 lines)
+  src/agents/launcher.ts  (11 lines)
+  src/agents/prompts.ts  (62 lines)
+  src/analyzer/index.ts  (2 lines)
+  src/analyzer/sarif.ts  (5 lines)
+  src/cli/index.ts  (12 lines)
+  src/dashboard/generate.ts  (8 lines)
+  src/dashboard/index.ts  (4 lines)
+  src/diff/git.ts  (10 lines)
+  src/diff/index.ts  (3 lines)
+  src/init/detect.ts  (4 lines)
+  src/init/index.ts  (10 lines)
+  src/analyze/index.ts  (10 lines)
+  src/analyze/llm.ts  (11 lines)
+  src/analyze/prompts.ts  (2 lines)
+  src/analyze/tools.ts  (10 lines)
+  src/mcp/index.ts  (4 lines)
+  src/mcp/lookup.ts  (4 lines)
+  src/mcp/server.ts  (16 lines)
+  src/mcp/suggest.ts  (9 lines)
+  src/parser/clear.ts  (7 lines)
+  src/parser/parse-file.ts  (5 lines)
+  src/parser/parse-line.ts  (3 lines)
+  src/parser/parse-project.ts  (7 lines)
+  src/report/index.ts  (2 lines)
+  src/report/report

+                    

+                    
+                

+            

+
+        

+
+        

+            Generated by CERT-X-GEN v1.1.0 | 2026-03-31 20:03:16 UTC
+        

+    

+
+
diff --git a/docs/examples/guardlink-pentest.json b/docs/examples/guardlink-pentest.json
new file mode 100644
index 0000000..f631566
--- /dev/null
+++ b/docs/examples/guardlink-pentest.json
@@ -0,0 +1,290 @@
+{
+  "scan_id": "60be8e79-14f7-4040-afd2-ebf9fad1853e",
+  "started_at": "2026-03-31T20:03:16.873740Z",
+  "completed_at": "2026-03-31T20:03:46.877445Z",
+  "findings": [
+    {
+      "id": "0093d7e0-13fb-4a0e-a836-6e8d08a3e7e8",
+      "target": "/path/to/guardlink-sample",
+      "template_id": "guardlink-data-exposure-mcp",
+      "severity": "medium",
+      "confidence": 80,
+      "title": "Full Threat Model Exposed via MCP guardlink_parse",
+      "description": "The MCP guardlink_parse tool returns the complete threat model including: exposures (62 entries), mitigations (44 entries), data flows (71 entries), absolute paths (3 found). Any MCP client connected to the server has full visibility into the project's security posture, including known vulnerabilities and their locations.",
+      "evidence": {
+        "request": "guardlink_parse",
+        "response": "",
+        "matched_patterns": [],
+        "data": {
+          "tool": "guardlink_parse",
+          "model_size_chars": "79717",
+          "sensitive_fields": "[\"exposures (62 entries)\", \"mitigations (44 entries)\", \"data flows (71 entries)\", \"absolute paths (3 found)\"]",
+          "abs_paths_sample": "[\"\\\"/report, /sarif, /dashboard write files\\\"\", \"\\\"/annotate and /threat-report spawn child processes\\\"\", \"\\\"/model handles API key input and storage\\\"\"]"
+        },
+        "timestamp": "2026-03-31T20:03:19.090615Z"
+      },
+      "cve_ids": [],
+      "cwe_ids": [
+        "CWE-200"
+      ],
+      "cvss_score": null,
+      "remediation": "Consider access control for MCP tool calls. Redact absolute file paths from MCP responses. Implement scoped access where clients only see relevant subsets.",
+      "references": [],
+      "tags": [],
+      "timestamp": "2026-03-31T20:03:19.090616Z"
+    },
+    {
+      "id": "bb85be3d-0253-4788-aadd-f800d7a91af0",
+      "target": "/path/to/guardlink-sample",
+      "template_id": "guardlink-data-exposure-mcp",
+      "severity": "medium",
+      "confidence": 80,
+      "title": "Unmitigated Vulnerability Details Exposed via MCP",
+      "description": "The MCP guardlink_status tool reveals 17 unmitigated exposures (5 critical/high severity) with exact file paths and line numbers. This provides a detailed attack roadmap to any connected MCP client.",
+      "evidence": {
+        "request": "guardlink_status",
+        "response": "",
+        "matched_patterns": [],
+        "data": {
+          "total_unmitigated": "17",
+          "critical_high": "5",
+          "sample": "[{\"asset\": \"App\", \"threat\": \"#sqli\", \"file\": \".cxg-test-symlink/external.ts\", \"line\": 1}, {\"asset\": \"#llm-client\", \"threat\": \"#data-exposure\", \"severity\": \"low\", \"file\": \"src/analyze/index.ts\", \"line\": 12}, {\"asset\": \"#llm-client\", \"threat\": \"#prompt-injection\", \"severity\": \"medium\", \"file\": \"src/analyze/llm.ts\", \"line\": 17}]",
+          "tool": "guardlink_status"
+        },
+        "timestamp": "2026-03-31T20:03:19.090618Z"
+      },
+      "cve_ids": [],
+      "cwe_ids": [
+        "CWE-200"
+      ],
+      "cvss_score": null,
+      "remediation": "Implement MCP client authentication/authorization. Redact sensitive details (absolute paths, severity, exact locations) from MCP responses unless the client is trusted. Consider a read-only mode that omits vulnerability details.",
+      "references": [],
+      "tags": [],
+      "timestamp": "2026-03-31T20:03:19.090618Z"
+    },
+    {
+      "id": "2e777b8a-73c6-4352-b86d-efe7fe3f3770",
+      "target": "/path/to/guardlink-sample",
+      "template_id": "guardlink-data-exposure-mcp",
+      "severity": "low",
+      "confidence": 80,
+      "title": "MCP Resource Accessible Without Auth: guardlink://model",
+      "description": "The MCP resource guardlink://model (Full threat model) is accessible without any authentication or authorization check. Response size: 79717 chars.",
+      "evidence": {
+        "request": "guardlink://model",
+        "response": "{\n  \"version\": \"1.1.0\",\n  \"project\": \"unknown\",\n  \"generated_at\": \"2026-03-31T20:03:18.347Z\",\n  \"source_files\": 76,\n  \"annotations_parsed\": 297,\n  \"annotated_files\": [\n    \".cxg-test-symlink/external.ts\",\n    \".guardlink/definitions.ts\",\n    \"src/agents/config.ts\",\n    \"src/agents/index.ts\",\n    \"sr",
+        "matched_patterns": [],
+        "data": {
+          "description": "Full threat model",
+          "response_size": "79717",
+          "resource_uri": "guardlink://model",
+          "content_snippet": "{\n  \"version\": \"1.1.0\",\n  \"project\": \"unknown\",\n  \"generated_at\": \"2026-03-31T20:03:18.347Z\",\n  \"source_files\": 76,\n  \"annotations_parsed\": 297,\n  \"annotated_files\": [\n    \".cxg-test-symlink/external.ts\",\n    \".guardlink/definitions.ts\",\n    \"src/agents/config.ts\",\n    \"src/agents/index.ts\",\n    \"sr"
+        },
+        "timestamp": "2026-03-31T20:03:19.090626Z"
+      },
+      "cve_ids": [],
+      "cwe_ids": [
+        "CWE-200"
+      ],
+      "cvss_score": null,
+      "remediation": "Implement MCP client authentication/authorization. Redact sensitive details (absolute paths, severity, exact locations) from MCP responses unless the client is trusted. Consider a read-only mode that omits vulnerability details.",
+      "references": [],
+      "tags": [],
+      "timestamp": "2026-03-31T20:03:19.090626Z"
+    },
+    {
+      "id": "daa0e139-ae7f-44ca-bfdd-3fcdb2ce810e",
+      "target": "/path/to/guardlink-sample",
+      "template_id": "guardlink-data-exposure-mcp",
+      "severity": "low",
+      "confidence": 80,
+      "title": "MCP Resource Accessible Without Auth: guardlink://definitions",
+      "description": "The MCP resource guardlink://definitions (Asset/threat/control definitions) is accessible without any authentication or authorization check. Response size: 7384 chars.",
+      "evidence": {
+        "request": "guardlink://definitions",
+        "response": "{\n  \"assets\": [\n    {\n      \"id\": \"parser\",\n      \"path\": \"GuardLink.Parser\",\n      \"description\": \"Reads source files from disk, extracts security annotations using regex patterns\"\n    },\n    {\n      \"id\": \"cli\",\n      \"path\": \"GuardLink.CLI\",\n      \"description\": \"Command-line interface, handles u",
+        "matched_patterns": [],
+        "data": {
+          "description": "Asset/threat/control definitions",
+          "content_snippet": "{\n  \"assets\": [\n    {\n      \"id\": \"parser\",\n      \"path\": \"GuardLink.Parser\",\n      \"description\": \"Reads source files from disk, extracts security annotations using regex patterns\"\n    },\n    {\n      \"id\": \"cli\",\n      \"path\": \"GuardLink.CLI\",\n      \"description\": \"Command-line interface, handles u",
+          "response_size": "7384",
+          "resource_uri": "guardlink://definitions"
+        },
+        "timestamp": "2026-03-31T20:03:19.090627Z"
+      },
+      "cve_ids": [],
+      "cwe_ids": [
+        "CWE-200"
+      ],
+      "cvss_score": null,
+      "remediation": "Implement MCP client authentication/authorization. Redact sensitive details (absolute paths, severity, exact locations) from MCP responses unless the client is trusted. Consider a read-only mode that omits vulnerability details.",
+      "references": [],
+      "tags": [],
+      "timestamp": "2026-03-31T20:03:19.090627Z"
+    },
+    {
+      "id": "60fee1fd-94f1-49c5-a2b6-af1d4eab9a69",
+      "target": "/path/to/guardlink-sample",
+      "template_id": "guardlink-data-exposure-mcp",
+      "severity": "low",
+      "confidence": 80,
+      "title": "MCP Resource Accessible Without Auth: guardlink://unmitigated",
+      "description": "The MCP resource guardlink://unmitigated (Unmitigated exposure list) is accessible without any authentication or authorization check. Response size: 2361 chars.",
+      "evidence": {
+        "request": "guardlink://unmitigated",
+        "response": "[\n  {\n    \"asset\": \"App\",\n    \"threat\": \"#sqli\",\n    \"file\": \".cxg-test-symlink/external.ts\",\n    \"line\": 1\n  },\n  {\n    \"asset\": \"#llm-client\",\n    \"threat\": \"#data-exposure\",\n    \"severity\": \"low\",\n    \"file\": \"src/analyze/index.ts\",\n    \"line\": 12\n  },\n  {\n    \"asset\": \"#llm-client\",\n    \"threat\"",
+        "matched_patterns": [],
+        "data": {
+          "response_size": "2361",
+          "resource_uri": "guardlink://unmitigated",
+          "content_snippet": "[\n  {\n    \"asset\": \"App\",\n    \"threat\": \"#sqli\",\n    \"file\": \".cxg-test-symlink/external.ts\",\n    \"line\": 1\n  },\n  {\n    \"asset\": \"#llm-client\",\n    \"threat\": \"#data-exposure\",\n    \"severity\": \"low\",\n    \"file\": \"src/analyze/index.ts\",\n    \"line\": 12\n  },\n  {\n    \"asset\": \"#llm-client\",\n    \"threat\"",
+          "description": "Unmitigated exposure list"
+        },
+        "timestamp": "2026-03-31T20:03:19.090629Z"
+      },
+      "cve_ids": [],
+      "cwe_ids": [
+        "CWE-200"
+      ],
+      "cvss_score": null,
+      "remediation": "Implement MCP client authentication/authorization. Redact sensitive details (absolute paths, severity, exact locations) from MCP responses unless the client is trusted. Consider a read-only mode that omits vulnerability details.",
+      "references": [],
+      "tags": [],
+      "timestamp": "2026-03-31T20:03:19.090629Z"
+    },
+    {
+      "id": "095476cd-ca1d-49f9-b03d-412167ca080f",
+      "target": "/path/to/guardlink-sample",
+      "template_id": "guardlink-path-traversal-mcp",
+      "severity": "high",
+      "confidence": 85,
+      "title": "MCP Path Traversal via root Parameter (guardlink_parse)",
+      "description": "The MCP server accepted root='/etc' and returned data from outside the project directory. An MCP client can read arbitrary directory contents through the parse tool.",
+      "evidence": {
+        "request": "{\"tool\": \"guardlink_parse\", \"traversal_root\": \"/etc\", \"response_snippet\": \"EACCES: permission denied, scandir '/etc/cups/certs'\"}",
+        "response": "EACCES: permission denied, scandir '/etc/cups/certs'",
+        "matched_patterns": [],
+        "data": {
+          "response_snippet": "EACCES: permission denied, scandir '/etc/cups/certs'",
+          "traversal_root": "/etc",
+          "tool": "guardlink_parse"
+        },
+        "timestamp": "2026-03-31T20:03:20.214651Z"
+      },
+      "cve_ids": [],
+      "cwe_ids": [
+        "CWE-22"
+      ],
+      "cvss_score": null,
+      "remediation": "Validate and canonicalize the root parameter using realpath(). Reject paths that resolve outside the expected project directory. Apply allowlist-based path validation at the MCP tool boundary.",
+      "references": [],
+      "tags": [],
+      "timestamp": "2026-03-31T20:03:20.214653Z"
+    },
+    {
+      "id": "def6712b-bbd9-447c-8705-4ccf67d7cb19",
+      "target": "/path/to/guardlink-sample",
+      "template_id": "guardlink-path-traversal-mcp",
+      "severity": "high",
+      "confidence": 85,
+      "title": "MCP Path Traversal via root Parameter (guardlink_status)",
+      "description": "The MCP server accepted root='/etc' in guardlink_status and returned status data for files outside the project.",
+      "evidence": {
+        "request": "{\"tool\": \"guardlink_status\", \"traversal_root\": \"/etc\", \"response_snippet\": \"EACCES: permission denied, scandir '/etc/cups/certs'\"}",
+        "response": "EACCES: permission denied, scandir '/etc/cups/certs'",
+        "matched_patterns": [],
+        "data": {
+          "traversal_root": "/etc",
+          "tool": "guardlink_status",
+          "response_snippet": "EACCES: permission denied, scandir '/etc/cups/certs'"
+        },
+        "timestamp": "2026-03-31T20:03:20.214687Z"
+      },
+      "cve_ids": [],
+      "cwe_ids": [
+        "CWE-22"
+      ],
+      "cvss_score": null,
+      "remediation": "Validate and canonicalize the root parameter using realpath(). Reject paths that resolve outside the expected project directory. Apply allowlist-based path validation at the MCP tool boundary.",
+      "references": [],
+      "tags": [],
+      "timestamp": "2026-03-31T20:03:20.214687Z"
+    },
+    {
+      "id": "5edab871-57b8-4909-ac0d-36df8cdce448",
+      "target": "/path/to/guardlink-sample",
+      "template_id": "guardlink-path-traversal-mcp",
+      "severity": "high",
+      "confidence": 85,
+      "title": "MCP Arbitrary File Write via Report Output Path",
+      "description": "The MCP guardlink_report tool wrote a file to /var/folders/zn/h5q5_5155fzcq32ddvgz2v0r0000gn/T/guardlink-cxg-mcp-266fkcf_/stolen-report.md outside the project root by manipulating the output parameter.",
+      "evidence": {
+        "request": "{\"tool\": \"guardlink_report\", \"output_path\": \"../../../../var/folders/zn/h5q5_5155fzcq32ddvgz2v0r0000gn/T/guardlink-cxg-mcp-266fkcf_/stolen-report.md\", \"file_created\": \"/var/folders/zn/h5q5_5155fzcq32ddvgz2v0r0000gn/T/guardlink-cxg-mcp-266fkcf_/stolen-report.md\"}",
+        "response": "",
+        "matched_patterns": [],
+        "data": {
+          "tool": "guardlink_report",
+          "output_path": "../../../../var/folders/zn/h5q5_5155fzcq32ddvgz2v0r0000gn/T/guardlink-cxg-mcp-266fkcf_/stolen-report.md",
+          "file_created": "/var/folders/zn/h5q5_5155fzcq32ddvgz2v0r0000gn/T/guardlink-cxg-mcp-266fkcf_/stolen-report.md"
+        },
+        "timestamp": "2026-03-31T20:03:20.214690Z"
+      },
+      "cve_ids": [],
+      "cwe_ids": [
+        "CWE-22"
+      ],
+      "cvss_score": null,
+      "remediation": "Validate and canonicalize the root parameter using realpath(). Reject paths that resolve outside the expected project directory. Apply allowlist-based path validation at the MCP tool boundary.",
+      "references": [],
+      "tags": [],
+      "timestamp": "2026-03-31T20:03:20.214690Z"
+    },
+    {
+      "id": "e8186cef-bd63-47f9-aa14-d7f9f792ec7e",
+      "target": "/path/to/guardlink-sample",
+      "template_id": "guardlink-parser-arbitrary-write",
+      "severity": "high",
+      "confidence": 80,
+      "title": "Symlink Escape in guardlink clear",
+      "description": "The 'guardlink clear' command follows symlinks and would modify files outside the project root. External file '/var/folders/zn/h5q5_5155fzcq32ddvgz2v0r0000gn/T/cxg-arb-write-7lyia0j6/external.ts' was included in the clear operation via a symlink.",
+      "evidence": {
+        "request": "{\"symlink\": \"/path/to/guardlink-sample/.cxg-test-symlink\", \"external_target\": \"/var/folders/zn/h5q5_5155fzcq32ddvgz2v0r0000gn/T/cxg-arb-write-7lyia0j6\"}",
+        "response": "\nFound 294 annotation line(s) across 39 file(s):\n\n  .cxg-test-symlink/external.ts  (1 line)\n  src/agents/config.ts  (10 lines)\n  src/agents/index.ts  (2 lines)\n  src/agents/launcher.ts  (11 lines)\n  src/agents/prompts.ts  (62 lines)\n  src/analyzer/index.ts  (2 lines)\n  src/analyzer/sarif.ts  (5 lines)\n  src/cli/index.ts  (12 lines)\n  src/dashboard/generate.ts  (8 lines)\n  src/dashboard/index.ts  (4 lines)\n  src/diff/git.ts  (10 lines)\n  src/diff/index.ts  (3 lines)\n  src/init/detect.ts  (4 lines)\n  src/init/index.ts  (10 lines)\n  src/analyze/index.ts  (10 lines)\n  src/analyze/llm.ts  (11 lines)\n  src/analyze/prompts.ts  (2 lines)\n  src/analyze/tools.ts  (10 lines)\n  src/mcp/index.ts  (4 lines)\n  src/mcp/lookup.ts  (4 lines)\n  src/mcp/server.ts  (16 lines)\n  src/mcp/suggest.ts  (9 lines)\n  src/parser/clear.ts  (7 lines)\n  src/parser/parse-file.ts  (5 lines)\n  src/parser/parse-line.ts  (3 lines)\n  src/parser/parse-project.ts  (7 lines)\n  src/report/index.ts  (2 lines)\n  src/report/report",
+        "matched_patterns": [],
+        "data": {
+          "external_target": "/var/folders/zn/h5q5_5155fzcq32ddvgz2v0r0000gn/T/cxg-arb-write-7lyia0j6",
+          "output_excerpt": "\nFound 294 annotation line(s) across 39 file(s):\n\n  .cxg-test-symlink/external.ts  (1 line)\n  src/agents/config.ts  (10 lines)\n  src/agents/index.ts  (2 lines)\n  src/agents/launcher.ts  (11 lines)\n  src/agents/prompts.ts  (62 lines)\n  src/analyzer/index.ts  (2 lines)\n  src/analyzer/sarif.ts  (5 lines)\n  src/cli/index.ts  (12 lines)\n  src/dashboard/generate.ts  (8 lines)\n  src/dashboard/index.ts  (4 lines)\n  src/diff/git.ts  (10 lines)\n  src/diff/index.ts  (3 lines)\n  src/init/detect.ts  (4 lines)\n  src/init/index.ts  (10 lines)\n  src/analyze/index.ts  (10 lines)\n  src/analyze/llm.ts  (11 lines)\n  src/analyze/prompts.ts  (2 lines)\n  src/analyze/tools.ts  (10 lines)\n  src/mcp/index.ts  (4 lines)\n  src/mcp/lookup.ts  (4 lines)\n  src/mcp/server.ts  (16 lines)\n  src/mcp/suggest.ts  (9 lines)\n  src/parser/clear.ts  (7 lines)\n  src/parser/parse-file.ts  (5 lines)\n  src/parser/parse-line.ts  (3 lines)\n  src/parser/parse-project.ts  (7 lines)\n  src/report/index.ts  (2 lines)\n  src/report/report",
+          "symlink": "/path/to/guardlink-sample/.cxg-test-symlink"
+        },
+        "timestamp": "2026-03-31T20:03:46.871903Z"
+      },
+      "cve_ids": [],
+      "cwe_ids": [
+        "CWE-73"
+      ],
+      "cvss_score": null,
+      "remediation": "1. Resolve and canonicalize all paths with realpath() before operations.\n2. Verify resolved paths are within the project root using startsWith().\n3. Add followSymlinks: false to fast-glob options.\n4. Reject root/dir arguments that resolve outside the expected project boundary.",
+      "references": [],
+      "tags": [],
+      "timestamp": "2026-03-31T20:03:46.871907Z"
+    }
+  ],
+  "statistics": {
+    "targets_scanned": 1,
+    "templates_executed": 13,
+    "findings_by_severity": {
+      "medium": 2,
+      "high": 4,
+      "low": 3
+    },
+    "network_requests": 0,
+    "data_transferred": 0,
+    "duration": {
+      "secs": 30,
+      "nanos": 3705000
+    },
+    "success_rate": 0.6923076923076923
+  },
+  "errors": []
+}
\ No newline at end of file
diff --git a/docs/examples/guardlink-pentest.sarif b/docs/examples/guardlink-pentest.sarif
new file mode 100644
index 0000000..253a7c7
--- /dev/null
+++ b/docs/examples/guardlink-pentest.sarif
@@ -0,0 +1,233 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "runs": [
+    {
+      "results": [
+        {
+          "level": "warning",
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "/path/to/guardlink-sample"
+                }
+              }
+            }
+          ],
+          "message": {
+            "text": "The MCP guardlink_parse tool returns the complete threat model including: exposures (62 entries), mitigations (44 entries), data flows (71 entries), absolute paths (3 found). Any MCP client connected to the server has full visibility into the project's security posture, including known vulnerabilities and their locations."
+          },
+          "properties": {
+            "confidence": 80,
+            "cveIds": [],
+            "cweIds": [
+              "CWE-200"
+            ],
+            "severity": "medium"
+          },
+          "ruleId": "guardlink-data-exposure-mcp"
+        },
+        {
+          "level": "warning",
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "/path/to/guardlink-sample"
+                }
+              }
+            }
+          ],
+          "message": {
+            "text": "The MCP guardlink_status tool reveals 17 unmitigated exposures (5 critical/high severity) with exact file paths and line numbers. This provides a detailed attack roadmap to any connected MCP client."
+          },
+          "properties": {
+            "confidence": 80,
+            "cveIds": [],
+            "cweIds": [
+              "CWE-200"
+            ],
+            "severity": "medium"
+          },
+          "ruleId": "guardlink-data-exposure-mcp"
+        },
+        {
+          "level": "note",
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "/path/to/guardlink-sample"
+                }
+              }
+            }
+          ],
+          "message": {
+            "text": "The MCP resource guardlink://model (Full threat model) is accessible without any authentication or authorization check. Response size: 79717 chars."
+          },
+          "properties": {
+            "confidence": 80,
+            "cveIds": [],
+            "cweIds": [
+              "CWE-200"
+            ],
+            "severity": "low"
+          },
+          "ruleId": "guardlink-data-exposure-mcp"
+        },
+        {
+          "level": "note",
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "/path/to/guardlink-sample"
+                }
+              }
+            }
+          ],
+          "message": {
+            "text": "The MCP resource guardlink://definitions (Asset/threat/control definitions) is accessible without any authentication or authorization check. Response size: 7384 chars."
+          },
+          "properties": {
+            "confidence": 80,
+            "cveIds": [],
+            "cweIds": [
+              "CWE-200"
+            ],
+            "severity": "low"
+          },
+          "ruleId": "guardlink-data-exposure-mcp"
+        },
+        {
+          "level": "note",
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "/path/to/guardlink-sample"
+                }
+              }
+            }
+          ],
+          "message": {
+            "text": "The MCP resource guardlink://unmitigated (Unmitigated exposure list) is accessible without any authentication or authorization check. Response size: 2361 chars."
+          },
+          "properties": {
+            "confidence": 80,
+            "cveIds": [],
+            "cweIds": [
+              "CWE-200"
+            ],
+            "severity": "low"
+          },
+          "ruleId": "guardlink-data-exposure-mcp"
+        },
+        {
+          "level": "error",
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "/path/to/guardlink-sample"
+                }
+              }
+            }
+          ],
+          "message": {
+            "text": "The MCP server accepted root='/etc' and returned data from outside the project directory. An MCP client can read arbitrary directory contents through the parse tool."
+          },
+          "properties": {
+            "confidence": 85,
+            "cveIds": [],
+            "cweIds": [
+              "CWE-22"
+            ],
+            "severity": "high"
+          },
+          "ruleId": "guardlink-path-traversal-mcp"
+        },
+        {
+          "level": "error",
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "/path/to/guardlink-sample"
+                }
+              }
+            }
+          ],
+          "message": {
+            "text": "The MCP server accepted root='/etc' in guardlink_status and returned status data for files outside the project."
+          },
+          "properties": {
+            "confidence": 85,
+            "cveIds": [],
+            "cweIds": [
+              "CWE-22"
+            ],
+            "severity": "high"
+          },
+          "ruleId": "guardlink-path-traversal-mcp"
+        },
+        {
+          "level": "error",
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "/path/to/guardlink-sample"
+                }
+              }
+            }
+          ],
+          "message": {
+            "text": "The MCP guardlink_report tool wrote a file to /var/folders/zn/h5q5_5155fzcq32ddvgz2v0r0000gn/T/guardlink-cxg-mcp-266fkcf_/stolen-report.md outside the project root by manipulating the output parameter."
+          },
+          "properties": {
+            "confidence": 85,
+            "cveIds": [],
+            "cweIds": [
+              "CWE-22"
+            ],
+            "severity": "high"
+          },
+          "ruleId": "guardlink-path-traversal-mcp"
+        },
+        {
+          "level": "error",
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "/path/to/guardlink-sample"
+                }
+              }
+            }
+          ],
+          "message": {
+            "text": "The 'guardlink clear' command follows symlinks and would modify files outside the project root. External file '/var/folders/zn/h5q5_5155fzcq32ddvgz2v0r0000gn/T/cxg-arb-write-7lyia0j6/external.ts' was included in the clear operation via a symlink."
+          },
+          "properties": {
+            "confidence": 80,
+            "cveIds": [],
+            "cweIds": [
+              "CWE-73"
+            ],
+            "severity": "high"
+          },
+          "ruleId": "guardlink-parser-arbitrary-write"
+        }
+      ],
+      "tool": {
+        "driver": {
+          "informationUri": "https://cert-x-gen.io",
+          "name": "CERT-X-GEN",
+          "version": "1.1.0"
+        }
+      }
+    }
+  ],
+  "version": "2.1.0"
+}
\ No newline at end of file
diff --git a/threat-dashboard.html b/docs/examples/threat-dashboard.html
similarity index 54%
rename from threat-dashboard.html
rename to docs/examples/threat-dashboard.html
index b81e728..faa3127 100644
--- a/threat-dashboard.html
+++ b/docs/examples/threat-dashboard.html
@@ -3,256 +3,1310 @@
 
 
 
-GuardLink — unknown Threat Model
+GuardLink — guardlink Threat Model
 
 
 
 
@@ -264,20 +1318,37 @@
 

   

     
-    
unknown

+    
guardlink

     Threat Model
   

   

-    
Assets 16

-    
Open 15

-    
Controls 12

-    
Coverage 0%

+    

+      
Assets 16

+      
Open 16

+      
Controls 12

+      
Coverage 0%

+    

+    

+      
+    

     
   

 

 
+
+

+  Filtered to feature:
+  
+  
+  
+

+
 

 
 
@@ -285,6 +1356,7 @@ 
unknown

   

      Executive Summary
      Threat Reports
+     Pentest Findings
      Threats & Exposures
      Diagrams
      Code & Annotations
@@ -317,29 +1389,34 @@ 
unknown

   
   

     
16
Assets

-    
15
Open Threats

+    
16
Open Threats

+    
     
45
Mitigated

     
12
Controls

-    
68
Data Flows

+    
75
Data Flows

     
9
Boundaries

     
0
Transfers

     
0
Validations

-    
19
Audits

+    
20
Audits

     
0
Assumptions

     
0
Ownership

-    
18
Comments

-    
16
Shields

+    
24
Comments

+    
14
Shields

   

 
+  

   
+  

   
Threat Mitigation Coverage

-  

-    75%
-    45 of 60 exposures mitigated
+  

+    74%
+    45 of 61 exposures mitigated
+  

+  

   

-  

 
   
+  

   
Severity Breakdown

   

     

@@ -349,13 +1426,13 @@ 
unknown

   

     

     High
-    

+    

     25
   

     

     Medium
-    

-    24
+    

+    25
   

     

     Low
@@ -364,12 +1441,15 @@ 
unknown

   

     
   

+  

+  

 
   
   
-  
⚠ Open Threats (No Mitigation)

+  

+  
⚠ Open Threats (No Mitigation)

   
-  

+  

     

       #prompt-injection
       medium
@@ -377,7 +1457,7 @@ 
unknown

     
User prompt passed to agent CLI as argument

     
Asset: #agent-launcher

   

-  

+  

     

       #dos
       low
@@ -385,7 +1465,7 @@ 
unknown

     
No timeout on foreground spawn; agent controls duration

     
Asset: #agent-launcher

   

-  

+  

     

       #prompt-injection
       high
@@ -393,7 +1473,15 @@ 
unknown

     
User prompt concatenated into agent instruction text

     
Asset: #agent-launcher

   

-  

+  

+    

+      #config-tamper
+      medium
+    

+    
Translate prompt may read CXG reference paths from environment overrides

+    
Asset: #agent-launcher

+  

+  

     

       #data-exposure
       low
@@ -401,7 +1489,7 @@ 
unknown

     
Serializes full threat model and code snippets for LLM

     
Asset: #llm-client

   

-  

+  

     

       #prompt-injection
       medium
@@ -409,7 +1497,7 @@ 
unknown

     
User prompts sent to LLM API

     
Asset: #llm-client

   

-  

+  

     

       #data-exposure
       low
@@ -417,7 +1505,7 @@ 
unknown

     
Exposes threat model findings to SARIF consumers

     
Asset: #sarif

   

-  

+  

     

       #cmd-injection
       critical
@@ -425,7 +1513,7 @@ 
unknown

     
Agent launcher spawns child processes

     
Asset: #cli

   

-  

+  

     

       #data-exposure
       low
@@ -433,7 +1521,7 @@ 
unknown

     
Writes API key config to .guardlink/config.json

     
Asset: #init

   

-  

+  

     

       #cmd-injection
       high
@@ -441,7 +1529,7 @@ 
unknown

     
Accepts tool calls from external MCP clients

     
Asset: #mcp

   

-  

+  

     

       #prompt-injection
       medium
@@ -449,7 +1537,7 @@ 
unknown

     
annotate and threat_report tools pass user prompts to LLM

     
Asset: #mcp

   

-  

+  

     

       #data-exposure
       medium
@@ -457,7 +1545,7 @@ 
unknown

     
Resources expose full threat model to MCP clients

     
Asset: #mcp

   

-  

+  

     

       #dos
       low
@@ -465,7 +1553,7 @@ 
unknown

     
Large files loaded into memory for pattern scanning

     
Asset: #suggest

   

-  

+  

     

       #arbitrary-write
       high
@@ -473,7 +1561,7 @@ 
unknown

     
Writes modified content back to discovered files

     
Asset: #parser

   

-  

+  

     

       #cmd-injection
       high
@@ -481,7 +1569,7 @@ 
unknown

     
/annotate and /threat-report spawn child processes

     
Asset: #tui

   

-  

+  

     

       #prompt-injection
       medium
@@ -489,612 +1577,777 @@ 
unknown

     
Freeform chat sends user text to LLM

     
Asset: #tui

   

+  

 
   
   
+  

   
Data Flows

   
     
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-      
+      
+    
+    
+      
+      
+      
+      
+      
+    
+    
+      
+      
+      
+      
+      
-    
+    
-      
+      
-      
+      
-    
+    
-      
+      
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
+      
+      
+      
+      
+      
+    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-      
+      
-    
+    
-      
+      
-      
+      
-    
+    
-      
+      
-      
+      
-    
+    
-      
+      
-      
+      
+    
+    
+      
+      
+      
+      
+      
-    
+    
-      
+      
+      
+      
+      
+    
+    
+      
+      
-    
+    
+      
+      
+      
+      
+      
+    
+    
-      
+      
-      
+      
-    
+    
-      
+      
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-      
+      
-    
+    
-      
+      
-      
+      
-    
+    
-      
+      
-      
+      
-    
+    
-      
+      
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
+      
+      
+      
+      
+      
+    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      

     
SourceTargetMechanismLocation

     

       EnvVars
       #agent-launcher
       process.env
       src/agents/config.ts:19
     

       ConfigFile
       #agent-launcher
       readFileSync
       src/agents/config.ts:20
     

       #agent-launcher
       ConfigFile
       writeFileSync
       src/agents/config.ts:21
     

       UserPrompt
       #agent-launcher
       launchAgent
       src/agents/launcher.ts:17
     

       #agent-launcher
       AgentProcess
       spawn
       src/agents/launcher.ts:18
     

       AgentProcess
       #agent-launcher
       stdout
       src/agents/launcher.ts:19
     

       UserPrompt
       #agent-launcher
       buildAnnotatePromptsrc/agents/prompts.ts:10src/agents/prompts.ts:12
UserPrompt#agent-launcherbuildTranslatePromptsrc/agents/prompts.ts:13
UserPrompt#agent-launcherbuildAskPromptsrc/agents/prompts.ts:14
     

       ThreatModel
       #agent-launcher
       modelsrc/agents/prompts.ts:11src/agents/prompts.ts:15
     

       #agent-launcher
       AgentPrompt
       returnsrc/agents/prompts.ts:12src/agents/prompts.ts:16
     

       ThreatModel
       #llm-client
       serializeModel
       src/analyze/index.ts:14
     

       ProjectFiles
       #llm-client
       readFileSync
       src/analyze/index.ts:15
     

       #llm-client
       ReportFile
       writeFileSync
       src/analyze/index.ts:16
     
PentestFindings#llm-clientreadFileSyncsrc/analyze/index.ts:688

       LLMConfig
       #llm-client
       chatCompletion
       src/analyze/llm.ts:19
     

       #llm-client
       LLMProvider
       fetch
       src/analyze/llm.ts:20
     

       LLMProvider
       #llm-client
       response
       src/analyze/llm.ts:21
     

       LLMToolCall
       #llm-client
       createToolExecutor
       src/analyze/tools.ts:15
     

       #llm-client
       NVD
       fetch
       src/analyze/tools.ts:16
     

       ProjectFiles
       #llm-client
       readFileSync
       src/analyze/tools.ts:17
     

       ThreatModel
       #sarif
       generateSarifsrc/analyzer/sarif.ts:18src/analyzer/sarif.ts:19
     

       #sarif
       SarifLog
       returnsrc/analyzer/sarif.ts:19src/analyzer/sarif.ts:20
     

       UserArgs
       #cli
       process.argvsrc/cli/index.ts:33src/cli/index.ts:35
     

       #cli
       FileSystem
       writeFilesrc/cli/index.ts:34src/cli/index.ts:36
ThreatModel#dashboardgenerateThreatGraphsrc/dashboard/diagrams.ts:15
     

       ThreatModel#dashboardgenerateTopologyDatasrc/dashboard/diagrams.ts:16
ThreatModel
       #dashboard
       computeStats
       src/dashboard/generate.ts:12
     
ThreatModel#dashboardtopologyDatasrc/dashboard/generate.ts:13

       SourceFiles
       #dashboard
       readFileSyncsrc/dashboard/generate.ts:13src/dashboard/generate.ts:14
     

       #dashboard
       HTML
       returnsrc/dashboard/generate.ts:14src/dashboard/generate.ts:15
     

       ThreatModel
       #dashboard
       generateDashboardHTML
       src/dashboard/index.ts:6
     

       GitRef
       #diff
       execSync
       src/diff/git.ts:12
     

       #diff
       TempDir
       writeFileSync
       src/diff/git.ts:13
     

       #diff
       ThreatModel
       parseProject
       src/diff/git.ts:14
     

       GitRef
       #diff
       parseAtRef
       src/diff/index.ts:6
     

       ProjectRoot
       #init
       detectProject
       src/init/detect.ts:7
     

       ProjectRoot
       #init
       options.root
       src/init/index.ts:14
     

       #init
       AgentFiles
       writeFileSync
       src/init/index.ts:15
     

       #init
       ConfigFile
       writeFileSync
       src/init/index.ts:16
     

       MCPClient
       #mcp
       stdio
       src/mcp/index.ts:6
     

       QueryString
       #mcp
       lookupsrc/mcp/lookup.ts:18src/mcp/lookup.ts:19
     

       MCPClient
       #mcp
       tool_call
       src/mcp/server.ts:36
     

       #mcp
       FileSystem
       writeFile
       src/mcp/server.ts:37
     

       #mcp
       #llm-client
       generateThreatReport
       src/mcp/server.ts:38
     

       #mcp
       MCPClient
       resource
       src/mcp/server.ts:39
     

       FilePath
       #suggest
       readFileSync
       src/mcp/suggest.ts:18
     

       #suggest
       Suggestions
       suggestAnnotations
       src/mcp/suggest.ts:19
     

       ProjectRoot
       #parser
       fast-globsrc/parser/clear.ts:11src/parser/clear.ts:12
     

       #parser
       SourceFiles
       writeFilesrc/parser/clear.ts:12src/parser/clear.ts:13
     

       FilePath
       #parser
       readFilesrc/parser/parse-file.ts:8src/parser/parse-file.ts:9
     

       #parser
       Annotations
       parseStringsrc/parser/parse-file.ts:9src/parser/parse-file.ts:10
     

       ProjectRoot
       #parser
       fast-glob
       src/parser/parse-project.ts:9
     

       #parser
       ThreatModel
       assembleModel
       src/parser/parse-project.ts:10
     

       ThreatModel
       #report
       generateReport
       src/report/report.ts:8
     

       #report
       Markdown
       return
       src/report/report.ts:9
     
ThreatModel#reportgenerateSequenceDiagramsrc/report/sequence.ts:7

       ThreatModel
       #cli
       getReviewableExposures
       src/review/index.ts:13
     

       #cli
       SourceFiles
       writeFile
       src/review/index.ts:14
     

       UserArgs
       #tui
       args
       src/tui/commands.ts:17
     

       #tui
       FileSystem
       writeFile
       src/tui/commands.ts:18
     

       #tui
       #agent-launcher
       launchAgent
       src/tui/commands.ts:19
     

       #tui
       #llm-client
       chatCompletion
       src/tui/commands.ts:20
     

       ConfigFile
       #tui
       loadProjectConfig
       src/tui/config.ts:9
     

       #tui
       ConfigFile
       saveProjectConfig
       src/tui/config.ts:10
     

       UserInput
       #tui
       readline
       src/tui/index.ts:13
     

       #tui
       Commands
       dispatch
       src/tui/index.ts:14
     

       RawStdin
       #tui
       process.stdin
       src/tui/input.ts:17
     

       #tui
       Terminal
       process.stdout
       src/tui/input.ts:18
     

       UserArgs
       #workspace-link
       linkProject
       src/workspace/link.ts:8
     

       #workspace-link
       AgentFiles
       updateAgentWorkspaceContext
       src/workspace/link.ts:9
     

       ReportJSON
       #merge-engine
       mergeReports
       src/workspace/merge.ts:10
     

       #merge-engine
       MergedReport
       mergeReports
       src/workspace/merge.ts:11
     

       GitRepo
       #report-metadata
       execSync
       src/workspace/metadata.ts:8
     

       #report-metadata
       ThreatModel
       populateMetadata
       src/workspace/metadata.ts:9
     

     
   

+  

 

 
 

   
 Threat Reports

+  

   

     
     
   

   

+  

+

+
+

+  
🔬 Pentest Findings

+
+  
+
+  
+  
+  

+    
9Total Findings

+    
0Critical

+    
4High

+    
2Medium

+    
3Low

+    
0Templates

+    
1Scans

+  

+
+  
+  
Findings (9)

+  
Results from CXG security scans — click a finding for full evidence details.

+  
+      

+        

+          Scan 60be8e79
+          2026-03-31 20:03:46 · 30s · 9 finding(s)
+          guardlink-pentest.json
+        

+        
+          
+          
+          
+          
+            
+            
+            
+            
+            
+          
+          
+            
+            
+            
+            
+            
+          
+          
+            
+            
+            
+            
+            
+          
+          
+            
+            
+            
+            
+            
+          
+          
+            
+            
+            
+            
+            
+          
+          
+            
+            
+            
+            
+            
+          
+          
+            
+            
+            
+            
+            
+          
+          
+            
+            
+            
+            
+            
+          
+          
+            
+            
+            
+            
+            
+          
+          
+        
SeverityTitleTemplateCWEConfidence
mediumFull Threat Model Exposed via MCP guardlink_parseguardlink-data-exposure-mcpCWE-20080%
mediumUnmitigated Vulnerability Details Exposed via MCPguardlink-data-exposure-mcpCWE-20080%
lowMCP Resource Accessible Without Auth: guardlink://modelguardlink-data-exposure-mcpCWE-20080%
lowMCP Resource Accessible Without Auth: guardlink://definitionsguardlink-data-exposure-mcpCWE-20080%
lowMCP Resource Accessible Without Auth: guardlink://unmitigatedguardlink-data-exposure-mcpCWE-20080%
highMCP Path Traversal via root Parameter (guardlink_parse)guardlink-path-traversal-mcpCWE-2285%
highMCP Path Traversal via root Parameter (guardlink_status)guardlink-path-traversal-mcpCWE-2285%
highMCP Arbitrary File Write via Report Output Pathguardlink-path-traversal-mcpCWE-2285%
highSymlink Escape in guardlink clearguardlink-parser-arbitrary-writeCWE-7380%

+  
+
+  
+  
 

 
 

   
 Threats & Exposures

 
-  
Open Threats (15)

-  
Exposed in code but not mitigated by any control.

+  
+
+  
Open Threats (16)

+  
Exposed in code but not mitigated by any control.

   
   
     
-    
+    
-    
+    
-    
+    
-    
+    
+      
+      
+      
+      
+      
+    
+    
-    
+    
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-      
+      
-    
+    
-    
+    
@@ -1104,321 +2357,321 @@ 
unknown

     
AssetThreatSeverityDescriptionLocation

     

       #agent-launcher
       #prompt-injection
       medium
       User prompt passed to agent CLI as argument
       src/agents/launcher.ts:13
     

       #agent-launcher
       #dos
       low
       No timeout on foreground spawn; agent controls duration
       src/agents/launcher.ts:15
     

       #agent-launcher
       #prompt-injection
       high
       User prompt concatenated into agent instruction text
       src/agents/prompts.ts:6
     
#agent-launcher#config-tampermediumTranslate prompt may read CXG reference paths from environment overridessrc/agents/prompts.ts:10

       #llm-client
       #data-exposure
       low
       Serializes full threat model and code snippets for LLM
       src/analyze/index.ts:12
     

       #llm-client
       #prompt-injection
       medium
       User prompts sent to LLM API
       src/analyze/llm.ts:17
     

       #sarif
       #data-exposure
       low
       Exposes threat model findings to SARIF consumerssrc/analyzer/sarif.ts:15src/analyzer/sarif.ts:16
     

       #cli
       #cmd-injection
       critical
       Agent launcher spawns child processessrc/cli/index.ts:31src/cli/index.ts:33
     

       #init
       #data-exposure
       low
       Writes API key config to .guardlink/config.json
       src/init/index.ts:12
     

       #mcp
       #cmd-injection
       high
       Accepts tool calls from external MCP clients
       src/mcp/index.ts:4
     

       #mcp
       #prompt-injection
       medium
       annotate and threat_report tools pass user prompts to LLM
       src/mcp/server.ts:30
     

       #mcp
       #data-exposure
       medium
       Resources expose full threat model to MCP clients
       src/mcp/server.ts:34
     

       #suggest
       #dos
       low
       Large files loaded into memory for pattern scanning
       src/mcp/suggest.ts:16
     

       #parser
       #arbitrary-write
       high
       Writes modified content back to discovered filessrc/parser/clear.ts:7src/parser/clear.ts:8
     

       #tui
       #cmd-injection
       high
       /annotate and /threat-report spawn child processes
       src/tui/commands.ts:11
     

       #tui
       #prompt-injection
       medium
     

   

 
-  
Mitigated Threats (45)

+  
Mitigated Threats (45)

   
   
     
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-      
+      
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
@@ -1433,12 +2686,12 @@ 
unknown

   
 
   
-  
All Exposures (60)

+  
All Exposures (61)

     
AssetThreatSeverityDescriptionLocation

     

       #agent-launcher
       #api-key-exposure
       high
       API keys loaded from env vars, files; stored in config.json
       src/agents/config.ts:13
     

       #agent-launcher
       #path-traversal
       medium
       Config paths resolved from root and homedir
       src/agents/config.ts:15
     

       #agent-launcher
       #arbitrary-write
       medium
       saveProjectConfig writes to .guardlink/config.json
       src/agents/config.ts:17
     

       #agent-launcher
       #child-proc-injection
       critical
       spawn/spawnSync execute external binaries
       src/agents/launcher.ts:10
     

       #agent-launcher
       #path-traversal
       medium
       Reads reference docs from root-relative paths
       src/agents/prompts.ts:8
     

       #llm-client
       #path-traversal
       medium
       buildProjectContext reads files from root-relative paths
       src/analyze/index.ts:8
     

       #llm-client
       #arbitrary-write
       medium
       writeFileSync saves threat reports to .guardlink/
       src/analyze/index.ts:10
     

       #llm-client
       #ssrf
       medium
       fetch() calls external LLM API endpoints
       src/analyze/llm.ts:13
     

       #llm-client
       #api-key-exposure
       high
       API keys passed in Authorization headers
       src/analyze/llm.ts:15
     

       #llm-client
       #ssrf
       medium
       lookupCve fetches from NVD API with user-controlled CVE ID
       src/analyze/tools.ts:9
     

       #llm-client
       #path-traversal
       medium
       searchCodebase reads files from project root
       src/analyze/tools.ts:11
     

       #llm-client
       #dos
       low
       searchCodebase reads many files; bounded by maxResults
       src/analyze/tools.ts:13
     

       #cli
       #path-traversal
       high
       User-supplied dir argument resolved via path.resolvesrc/cli/index.ts:25src/cli/index.ts:27
     

       #cli
       #arbitrary-write
       high
       init/report/sarif/dashboard write files to user-specified pathssrc/cli/index.ts:27src/cli/index.ts:29
     

       #cli
       #api-key-exposure
       high
       API keys handled in config set/show commandssrc/cli/index.ts:29src/cli/index.ts:31
     

       #dashboard
       #xss
       high
       Generates HTML with user-controlled threat model data
       src/dashboard/generate.ts:8
     

       #dashboard
       #path-traversal
       medium
       readFileSync reads code files for annotation context
       src/dashboard/generate.ts:10
     

       #dashboard
       #xss
       high
       Generates HTML with threat model data
       src/dashboard/index.ts:4
     

       #diff
       #cmd-injection
       high
       execSync runs git commands with ref argument
       src/diff/git.ts:6
     

       #diff
       #arbitrary-write
       medium
       writeFileSync creates files in temp directory
       src/diff/git.ts:8
     

       #diff
       #path-traversal
       medium
       git show extracts files based on ls-tree output
       src/diff/git.ts:10
     

       #diff
       #cmd-injection
       high
       git.ts uses execSync with ref argument
       src/diff/index.ts:4
     

       #init
       #path-traversal
       low
       Reads package.json, pyproject.toml, etc. from root
       src/init/detect.ts:5
     

       #init
       #arbitrary-write
       high
       Creates/modifies files: .guardlink/, CLAUDE.md, .cursorrules, etc.
       src/init/index.ts:8
     

       #init
       #path-traversal
       medium
       Reads/writes files based on root argument
       src/init/index.ts:10
     

       #mcp
       #redos
       low
       Regex patterns applied to query stringssrc/mcp/lookup.ts:16src/mcp/lookup.ts:17
     

       #mcp
       #path-traversal
       high
       Tool arguments include 'root' directory path from external client
       src/mcp/server.ts:26
     

       #mcp
       #arbitrary-write
       high
       report, dashboard, sarif tools write files
       src/mcp/server.ts:28
     

       #mcp
       #api-key-exposure
       medium
       threat_report tool uses API keys from environment
       src/mcp/server.ts:32
     

       #suggest
       #path-traversal
       high
       File path from MCP client joined with root
       src/mcp/suggest.ts:12
     

       #suggest
       #redos
       medium
       Complex regex patterns applied to source code
       src/mcp/suggest.ts:14
     

       #parser
       #path-traversal
       high
       Glob patterns determine which files are modifiedsrc/parser/clear.ts:8src/parser/clear.ts:9
     

       #parser
       #path-traversal
       high
       File path from caller read via readFile; no validation heresrc/parser/parse-file.ts:5src/parser/parse-file.ts:6
     

       #parser
       #dos
       medium
       Large files loaded entirely into memorysrc/parser/parse-file.ts:6src/parser/parse-file.ts:7
     

       #parser
       #redos
       medium
       Complex regex patterns applied to annotation text
       src/parser/parse-line.ts:5
     

       #parser
       #path-traversal
       high
       Glob patterns could escape root directory
       src/parser/parse-project.ts:5
     

       #parser
       #dos
       medium
       Large projects with many files could exhaust memory
       src/parser/parse-project.ts:7
     

       #cli
       #arbitrary-write
       medium
       Writes @accepts/@audit annotations into source files
       src/review/index.ts:10
     

       #tui
       #path-traversal
       high
       File paths from user args in /view, /sarif -o
       src/tui/commands.ts:7
     

       #tui
       #arbitrary-write
       high
       /report, /sarif, /dashboard write files
       src/tui/commands.ts:9
     

       #tui
       #api-key-exposure
       high
       /model handles API key input and storage
       src/tui/commands.ts:13
     

       #tui
       #api-key-exposure
       high
       API keys loaded from and saved to config files
       src/tui/config.ts:7
     

       #tui
       #path-traversal
       high
       User-supplied dir argument resolved via path.resolve
       src/tui/index.ts:9
     

       #tui
       #api-key-exposure
       medium
       API keys displayed in banner via resolveLLMConfig
       src/tui/index.ts:11
     

       #tui
       #dos
       low
   

     
-    
+    
@@ -1446,7 +2699,7 @@ 
unknown

-    
+    
@@ -1454,7 +2707,7 @@ 
unknown

-    
+    
@@ -1462,7 +2715,7 @@ 
unknown

-    
+    
@@ -1470,7 +2723,7 @@ 
unknown

-    
+    
@@ -1478,7 +2731,7 @@ 
unknown

-    
+    
@@ -1486,7 +2739,7 @@ 
unknown

-    
+    
@@ -1494,7 +2747,7 @@ 
unknown

-    
+    
@@ -1502,7 +2755,15 @@ 
unknown

-    
+    
+      
+      
+      
+      
+      
+      
+    
+    
@@ -1510,7 +2771,7 @@ 
unknown

-    
+    
@@ -1518,7 +2779,7 @@ 
unknown

-    
+    
@@ -1526,7 +2787,7 @@ 
unknown

-    
+    
@@ -1534,7 +2795,7 @@ 
unknown

-    
+    
@@ -1542,7 +2803,7 @@ 
unknown

-    
+    
@@ -1550,7 +2811,7 @@ 
unknown

-    
+    
@@ -1558,7 +2819,7 @@ 
unknown

-    
+    
@@ -1566,7 +2827,7 @@ 
unknown

-    
+    
@@ -1574,47 +2835,47 @@ 
unknown

-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
@@ -1622,7 +2883,7 @@ 
unknown

-    
+    
@@ -1630,7 +2891,7 @@ 
unknown

-    
+    
@@ -1638,7 +2899,7 @@ 
unknown

-    
+    
@@ -1646,7 +2907,7 @@ 
unknown

-    
+    
@@ -1654,7 +2915,7 @@ 
unknown

-    
+    
@@ -1662,7 +2923,7 @@ 
unknown

-    
+    
@@ -1670,7 +2931,7 @@ 
unknown

-    
+    
@@ -1678,7 +2939,7 @@ 
unknown

-    
+    
@@ -1686,7 +2947,7 @@ 
unknown

-    
+    
@@ -1694,7 +2955,7 @@ 
unknown

-    
+    
@@ -1702,7 +2963,7 @@ 
unknown

-    
+    
@@ -1710,15 +2971,15 @@ 
unknown

-    
+    
-      
+      
-    
+    
@@ -1726,7 +2987,7 @@ 
unknown

-    
+    
@@ -1734,7 +2995,7 @@ 
unknown

-    
+    
@@ -1742,7 +3003,7 @@ 
unknown

-    
+    
@@ -1750,7 +3011,7 @@ 
unknown

-    
+    
@@ -1758,7 +3019,7 @@ 
unknown

-    
+    
@@ -1766,7 +3027,7 @@ 
unknown

-    
+    
@@ -1774,7 +3035,7 @@ 
unknown

-    
+    
@@ -1782,39 +3043,39 @@ 
unknown

-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
@@ -1822,7 +3083,7 @@ 
unknown

-    
+    
@@ -1830,7 +3091,7 @@ 
unknown

-    
+    
@@ -1838,7 +3099,7 @@ 
unknown

-    
+    
@@ -1846,7 +3107,7 @@ 
unknown

-    
+    
@@ -1854,7 +3115,7 @@ 
unknown

-    
+    
@@ -1862,7 +3123,7 @@ 
unknown

-    
+    
@@ -1870,7 +3131,7 @@ 
unknown

-    
+    
@@ -1878,7 +3139,7 @@ 
unknown

-    
+    
@@ -1886,7 +3147,7 @@ 
unknown

-    
+    
@@ -1894,7 +3155,7 @@ 
unknown

-    
+    
@@ -1902,7 +3163,7 @@ 
unknown

-    
+    
@@ -1910,7 +3171,7 @@ 
unknown

-    
+    
@@ -1924,418 +3185,504 @@ 
unknown

   
 Diagrams

-  
Interactive diagrams from annotations. Scroll to zoom, drag to pan, double-click to reset.

+  
Interactive diagrams generated from annotations. The topology view supports search, filtering, drag, pan, and node inspection.

   

-    
+    
   

-  
+  

+      

+        

+          Risk Topology
+          

+            
+            
+            
+            
+          

+        

+        

+          
+          

+            
+            
+            
+            
+          

+          78 nodes · 174 links
+        

+        

+          Edges
+          
+          
+          
+          
+          
+        

+        

+          

+          
+        

+        

+          Asset
+          Threat
+          Control
+          Confirmed
+          Exposure
+          Mitigates
+          Flow
+          Boundary
+        

+      

+    

+

+      

+        

+          Threat Graph
+          

+            
+            
+            
+            
+          

+        

+        

+          
+%%{init: {"flowchart": {"nodeSpacing": 55, "rankSpacing": 150, "curve": "monotoneX", "htmlLabels": false, "padding": 24}}}%%
 graph LR
-  subgraph TZ0["🧱 #agent-launcher"]
-    _agent_launcher["🔷 #agent-launcher [SECRETS, INTERNAL]"]
-  end
-  subgraph TZ1["🧱 AgentProcess"]
-  end
-  subgraph TZ2["🧱 #llm-client"]
-    _llm_client["🔷 #llm-client [INTERNAL, SECRETS]"]
-  end
-  subgraph TZ3["🧱 LLMProvider"]
-  end
-  subgraph TZ4["🧱 NVD"]
+  subgraph TZ0["🧱 Trust boundary at process spawn"]
+    agent_launcher["🔷 GuardLink.Agent_Launcher [SECRETS, INTERNAL]"]
   end
-  subgraph TZ5["🧱 #cli"]
-    _cli["🔷 #cli [SECRETS, INTERNAL]"]
+  subgraph TZ1["🧱 Trust boundary at external API call"]
+    llm_client["🔷 GuardLink.LLM_Client [INTERNAL, SECRETS]"]
   end
-  subgraph TZ6["🧱 UserInput"]
+  subgraph TZ3["🧱 Trust boundary at CLI argument parsing"]
+    cli["🔷 GuardLink.CLI [SECRETS, INTERNAL]"]
   end
-  subgraph TZ7["🧱 #diff"]
-    _diff["🔷 #diff"]
+  subgraph TZ4["🧱 Trust boundary at git command execution"]
+    diff["🔷 GuardLink.Diff"]
   end
-  subgraph TZ8["🧱 GitRepo"]
+  subgraph TZ5["🧱 Trust boundary at MCP protocol"]
+    mcp["🔷 GuardLink.MCP [INTERNAL]"]
   end
-  subgraph TZ9["🧱 #mcp"]
-    _mcp["🔷 #mcp [INTERNAL]"]
+  subgraph TZ7["🧱 Trust boundary between parser and disk …"]
+    parser["🔷 GuardLink.Parser [INTERNAL]"]
   end
-  subgraph TZ10["🧱 MCPClient"]
+  subgraph TZ8["🧱 Trust boundary at interactive input"]
+    tui["🔷 GuardLink.TUI [SECRETS]"]
   end
-  subgraph TZ11["🧱 #parser"]
-    _parser["🔷 #parser [INTERNAL]"]
-  end
-  subgraph TZ12["🧱 FileSystem"]
-  end
-  subgraph TZ13["🧱 #tui"]
-    _tui["🔷 #tui [SECRETS, SECRETS, SECRETS]"]
-  end
-  _sarif["🔷 #sarif"]
-  _dashboard["🔷 #dashboard [INTERNAL]"]
-  _init["🔷 #init [INTERNAL]"]
-  _suggest["🔷 #suggest"]
-  _merge_engine["🔷 #merge-engine"]
-  _workspace_config["🔷 #workspace-config"]
-  _api_key_exposure["🟠 API_Key_Exposure (cwe:CWE-798)"]:::threat
-  _path_traversal["🟠 Path_Traversal (cwe:CWE-22)"]:::threat
-  _arbitrary_write["🟠 Arbitrary_File_Write (cwe:CWE-73)"]:::threat
-  _child_proc_injection["🔴 Child_Process_Injection (cwe:CWE-78)"]:::threat
-  _prompt_injection["🟠 Prompt_Injection (cwe:CWE-77)"]:::threat
-  _dos["🟡 Denial_of_Service (cwe:CWE-400)"]:::threat
-  _data_exposure["🟡 Sensitive_Data_Exposure (cwe:CWE-200)"]:::threat
-  _ssrf["🟡 Server_Side_Request_Forgery (cwe:CWE-918)"]:::threat
-  _cmd_injection["🔴 Command_Injection (cwe:CWE-78)"]:::threat
-  _xss["🟠 Cross_Site_Scripting (cwe:CWE-79)"]:::threat
-  _redos["🟡 ReDoS (cwe:CWE-1333)"]:::threat
-  _tag_collision["🟡 Tag_Collision"]:::threat
-  _config_tamper["🟡 Config_Tampering (cwe:CWE-15)"]:::threat
-  _key_redaction["🛡️ key-redaction"]:::control
-  _path_validation["🛡️ path-validation"]:::control
-  _param_commands["🛡️ param-commands"]:::control
-  _config_validation["🛡️ config-validation"]:::control
-  _input_sanitize["🛡️ input-sanitize"]:::control
-  _glob_filtering["🛡️ glob-filtering"]:::control
-  _resource_limits["🛡️ resource-limits"]:::control
-  _output_encoding["🛡️ output-encoding"]:::control
-  _regex_anchoring["🛡️ regex-anchoring"]:::control
-  _prefix_ownership["🛡️ prefix-ownership"]:::control
-  _yaml_validation["🛡️ yaml-validation"]:::control
-  _agent_launcher -. exposed .-> _api_key_exposure
-  _agent_launcher -. exposed .-> _path_traversal
-  _agent_launcher -. exposed .-> _arbitrary_write
-  _agent_launcher -. exposed .-> _child_proc_injection
-  _agent_launcher -. exposed .-> _prompt_injection
-  _agent_launcher -. exposed .-> _dos
-  _llm_client -. exposed .-> _path_traversal
-  _llm_client -. exposed .-> _arbitrary_write
-  _llm_client -. exposed .-> _data_exposure
-  _llm_client -. exposed .-> _ssrf
-  _llm_client -. exposed .-> _api_key_exposure
-  _llm_client -. exposed .-> _prompt_injection
-  _llm_client -. exposed .-> _dos
-  _sarif -. exposed .-> _data_exposure
-  _cli -. exposed .-> _path_traversal
-  _cli -. exposed .-> _arbitrary_write
-  _cli -. exposed .-> _api_key_exposure
-  _cli -. exposed .-> _cmd_injection
-  _dashboard -. exposed .-> _xss
-  _dashboard -. exposed .-> _path_traversal
-  _diff -. exposed .-> _cmd_injection
-  _diff -. exposed .-> _arbitrary_write
-  _diff -. exposed .-> _path_traversal
-  _init -. exposed .-> _path_traversal
-  _init -. exposed .-> _arbitrary_write
-  _init -. exposed .-> _data_exposure
-  _mcp -. exposed .-> _cmd_injection
-  _mcp -. exposed .-> _redos
-  _mcp -. exposed .-> _path_traversal
-  _mcp -. exposed .-> _arbitrary_write
-  _mcp -. exposed .-> _prompt_injection
-  _mcp -. exposed .-> _api_key_exposure
-  _mcp -. exposed .-> _data_exposure
-  _suggest -. exposed .-> _path_traversal
-  _suggest -. exposed .-> _redos
-  _suggest -. exposed .-> _dos
-  _parser -. exposed .-> _arbitrary_write
-  _parser -. exposed .-> _path_traversal
-  _parser -. exposed .-> _dos
-  _parser -. exposed .-> _redos
-  _tui -. exposed .-> _path_traversal
-  _tui -. exposed .-> _arbitrary_write
-  _tui -. exposed .-> _cmd_injection
-  _tui -. exposed .-> _api_key_exposure
-  _tui -. exposed .-> _prompt_injection
-  _tui -. exposed .-> _dos
-  _key_redaction -- mitigates --> _api_key_exposure
-  _key_redaction -.- _agent_launcher
-  _path_validation -- mitigates --> _path_traversal
-  _path_validation -.- _agent_launcher
-  _path_validation -- mitigates --> _arbitrary_write
-  _param_commands -- mitigates --> _child_proc_injection
-  _param_commands -.- _agent_launcher
-  _param_commands -- mitigates --> _cmd_injection
-  _path_validation -.- _llm_client
-  _config_validation -- mitigates --> _ssrf
-  _config_validation -.- _llm_client
-  _key_redaction -.- _llm_client
-  _input_sanitize -- mitigates --> _ssrf
-  _input_sanitize -.- _llm_client
-  _glob_filtering -- mitigates --> _path_traversal
-  _glob_filtering -.- _llm_client
-  _resource_limits -- mitigates --> _dos
-  _resource_limits -.- _llm_client
-  _path_validation -.- _cli
-  _key_redaction -.- _cli
-  _output_encoding -- mitigates --> _xss
-  _output_encoding -.- _dashboard
-  _path_validation -.- _dashboard
-  _input_sanitize -- mitigates --> _cmd_injection
-  _input_sanitize -.- _diff
-  _path_validation -.- _diff
-  _glob_filtering -.- _diff
-  _path_validation -.- _init
-  _regex_anchoring -- mitigates --> _redos
-  _regex_anchoring -.- _mcp
-  _path_validation -.- _mcp
-  _key_redaction -.- _mcp
-  _path_validation -.- _suggest
-  _regex_anchoring -.- _suggest
-  _glob_filtering -.- _parser
-  _regex_anchoring -.- _parser
-  _resource_limits -.- _parser
-  _path_validation -.- _tui
-  _key_redaction -.- _tui
-  _resource_limits -.- _tui
-  _prefix_ownership -- mitigates --> _tag_collision
-  _prefix_ownership -.- _merge_engine
-  _yaml_validation -- mitigates --> _config_tamper
-  _yaml_validation -.- _workspace_config
-  _mcp -- "📡 generateThreatReport" --> _llm_client
-  _tui -- "📡 launchAgent" --> _agent_launcher
-  _tui -- "📡 chatCompletion" --> _llm_client
-  classDef threat fill:#991b1b,stroke:#ef4444,color:#fecaca
-  classDef control fill:#065f46,stroke:#10b981,color:#a7f3d0
-

-
-%%{init: {"flowchart": {"nodeSpacing": 43, "rankSpacing": 59, "curve": "basis"}}}%%
+  sarif["🔷 GuardLink.SARIF"]
+  dashboard["🔷 GuardLink.Dashboard [INTERNAL]"]
+  init["🔷 GuardLink.Init [INTERNAL]"]
+  suggest["🔷 GuardLink.Suggest"]
+  merge_engine["🔷 Workspace.Merge"]
+  workspace_config["🔷 Workspace.Config"]
+  api_key_exposure["🟠 API_Key_Exposure (cwe:CWE-798)"]:::threat
+  path_traversal["🟠 Path_Traversal (cwe:CWE-22)"]:::threat
+  arbitrary_write["🟠 Arbitrary_File_Write (cwe:CWE-73)"]:::threat
+  child_proc_injection["🔴 Child_Process_Injection (cwe:CWE-78)"]:::threat
+  prompt_injection["🟠 Prompt_Injection (cwe:CWE-77)"]:::threat
+  dos["🟡 Denial_of_Service (cwe:CWE-400)"]:::threat
+  config_tamper["🟡 Config_Tampering (cwe:CWE-15)"]:::threat
+  data_exposure["🟡 Sensitive_Data_Exposure (cwe:CWE-200)"]:::threat
+  ssrf["🟡 Server_Side_Request_Forgery (cwe:CWE-918)"]:::threat
+  cmd_injection["🔴 Command_Injection (cwe:CWE-78)"]:::threat
+  xss["🟠 Cross_Site_Scripting (cwe:CWE-79)"]:::threat
+  redos["🟡 ReDoS (cwe:CWE-1333)"]:::threat
+  tag_collision["🟡 Tag_Collision"]:::threat
+  key_redaction["🛡️ Key_Redaction"]:::control
+  path_validation["🛡️ Path_Validation"]:::control
+  param_commands["🛡️ Parameterized_Commands"]:::control
+  config_validation["🛡️ Config_Validation"]:::control
+  input_sanitize["🛡️ Input_Sanitization"]:::control
+  glob_filtering["🛡️ Glob_Pattern_Filtering"]:::control
+  resource_limits["🛡️ Resource_Limits"]:::control
+  output_encoding["🛡️ Output_Encoding"]:::control
+  regex_anchoring["🛡️ Regex_Anchoring"]:::control
+  prefix_ownership["🛡️ Prefix_Ownership"]:::control
+  yaml_validation["🛡️ YAML_Validation"]:::control
+  agent_launcher -. exposes .-> api_key_exposure
+  agent_launcher -. exposes .-> path_traversal
+  agent_launcher -. exposes .-> arbitrary_write
+  agent_launcher -. exposes .-> child_proc_injection
+  agent_launcher -. exposes .-> prompt_injection
+  agent_launcher -. exposes .-> dos
+  agent_launcher -. exposes .-> config_tamper
+  llm_client -. exposes .-> path_traversal
+  llm_client -. exposes .-> arbitrary_write
+  llm_client -. exposes .-> data_exposure
+  llm_client -. exposes .-> ssrf
+  llm_client -. exposes .-> api_key_exposure
+  llm_client -. exposes .-> prompt_injection
+  llm_client -. exposes .-> dos
+  sarif -. exposes .-> data_exposure
+  cli -. exposes .-> path_traversal
+  cli -. exposes .-> arbitrary_write
+  cli -. exposes .-> api_key_exposure
+  cli -. exposes .-> cmd_injection
+  dashboard -. exposes .-> xss
+  dashboard -. exposes .-> path_traversal
+  diff -. exposes .-> cmd_injection
+  diff -. exposes .-> arbitrary_write
+  diff -. exposes .-> path_traversal
+  init -. exposes .-> path_traversal
+  init -. exposes .-> arbitrary_write
+  init -. exposes .-> data_exposure
+  mcp -. exposes .-> cmd_injection
+  mcp -. exposes .-> redos
+  mcp -. exposes .-> path_traversal
+  mcp -. exposes .-> arbitrary_write
+  mcp -. exposes .-> prompt_injection
+  mcp -. exposes .-> api_key_exposure
+  mcp -. exposes .-> data_exposure
+  suggest -. exposes .-> path_traversal
+  suggest -. exposes .-> redos
+  suggest -. exposes .-> dos
+  parser -. exposes .-> arbitrary_write
+  parser -. exposes .-> path_traversal
+  parser -. exposes .-> dos
+  parser -. exposes .-> redos
+  tui -. exposes .-> path_traversal
+  tui -. exposes .-> arbitrary_write
+  tui -. exposes .-> cmd_injection
+  tui -. exposes .-> api_key_exposure
+  tui -. exposes .-> prompt_injection
+  tui -. exposes .-> dos
+  key_redaction -- mitigates --> api_key_exposure
+  key_redaction -. protects .-> agent_launcher
+  path_validation -- mitigates --> path_traversal
+  path_validation -. protects .-> agent_launcher
+  path_validation -- mitigates --> arbitrary_write
+  param_commands -- mitigates --> child_proc_injection
+  param_commands -. protects .-> agent_launcher
+  param_commands -- mitigates --> cmd_injection
+  path_validation -. protects .-> llm_client
+  config_validation -- mitigates --> ssrf
+  config_validation -. protects .-> llm_client
+  key_redaction -. protects .-> llm_client
+  input_sanitize -- mitigates --> ssrf
+  input_sanitize -. protects .-> llm_client
+  glob_filtering -- mitigates --> path_traversal
+  glob_filtering -. protects .-> llm_client
+  resource_limits -- mitigates --> dos
+  resource_limits -. protects .-> llm_client
+  path_validation -. protects .-> cli
+  key_redaction -. protects .-> cli
+  output_encoding -- mitigates --> xss
+  output_encoding -. protects .-> dashboard
+  path_validation -. protects .-> dashboard
+  input_sanitize -- mitigates --> cmd_injection
+  input_sanitize -. protects .-> diff
+  path_validation -. protects .-> diff
+  glob_filtering -. protects .-> diff
+  path_validation -. protects .-> init
+  regex_anchoring -- mitigates --> redos
+  regex_anchoring -. protects .-> mcp
+  path_validation -. protects .-> mcp
+  key_redaction -. protects .-> mcp
+  path_validation -. protects .-> suggest
+  regex_anchoring -. protects .-> suggest
+  glob_filtering -. protects .-> parser
+  regex_anchoring -. protects .-> parser
+  resource_limits -. protects .-> parser
+  prefix_ownership -- mitigates --> tag_collision
+  prefix_ownership -. protects .-> parser
+  path_validation -. protects .-> tui
+  key_redaction -. protects .-> tui
+  resource_limits -. protects .-> tui
+  prefix_ownership -. protects .-> merge_engine
+  yaml_validation -- mitigates --> config_tamper
+  yaml_validation -. protects .-> workspace_config
+  mcp -- "📡 generateThreatReport" --> llm_client
+  tui -- "📡 launchAgent" --> agent_launcher
+  tui -- "📡 chatCompletion" --> llm_client
+  classDef threat fill:#3a1010,stroke:#ea1d1d,color:#f0f0f0,stroke-width:1.3px
+  classDef control fill:#102a24,stroke:#33d49d,color:#f0f0f0,stroke-width:1.3px
+

+          
+        

+        
Assets, threats, controls, and mitigations. 

+      

+    

+

+      

+        

+          Data Flow
+
+          

+            
+            
+            
+          

+        

+        
+%%{init: {"flowchart": {"nodeSpacing": 47, "rankSpacing": 67, "curve": "basis", "htmlLabels": false}}}%%
 graph LR
-  subgraph Z0["🧱 Trust Zone · #agent-launcher"]
-    _agent_launcher["🧩 #agent-launcher"]
+  subgraph Z0["🧱 GuardLink.Agent_Launcher · Trust boundary at process spawn"]
+    agent_launcher["🧩 GuardLink.Agent_Launcher · secrets, internal"]
   end
-  subgraph Z1["🧱 Trust Zone · AgentProcess"]
-    AgentProcess["🧩 AgentProcess"]
+  subgraph Z1["🧱 AgentProcess · Trust boundary at process spawn"]
+    agentprocess["🧩 AgentProcess"]
   end
-  subgraph Z2["🧱 Trust Zone · #llm-client"]
-    _llm_client["👤 #llm-client"]
+  subgraph Z2["🧱 GuardLink.LLM_Client · Trust boundary at external API call"]
+    llm_client["👤 GuardLink.LLM_Client · internal, secrets"]
   end
-  subgraph Z3["🧱 Trust Zone · LLMProvider"]
-    LLMProvider["🧩 LLMProvider"]
+  subgraph Z3["🧱 LLMProvider · Trust boundary at external API call"]
+    llmprovider["🧩 LLMProvider"]
   end
-  subgraph Z4["🧱 Trust Zone · NVD"]
-    NVD["🧩 NVD"]
+  subgraph Z4["🧱 NVD · Trust boundary at external API"]
+    nvd["🧩 NVD"]
   end
-  subgraph Z5["🧱 Trust Zone · #cli"]
-    _cli["🧩 #cli"]
+  subgraph Z5["🧱 GuardLink.CLI · Trust boundary at CLI argument parsing"]
+    cli["🧩 GuardLink.CLI · secrets, internal"]
   end
-  subgraph Z6["🧱 Trust Zone · UserInput"]
-    UserInput["👤 UserInput"]
+  subgraph Z6["🧱 UserInput · Trust boundary at CLI argument parsing"]
+    userinput["👤 UserInput"]
   end
-  subgraph Z7["🧱 Trust Zone · #diff"]
-    _diff["🧩 #diff"]
+  subgraph Z7["🧱 GuardLink.Diff · Trust boundary at git command execution"]
+    diff["🧩 GuardLink.Diff"]
   end
-  subgraph Z8["🧱 Trust Zone · GitRepo"]
-    GitRepo["🧩 GitRepo"]
+  subgraph Z8["🧱 GitRepo · Trust boundary at git command execution"]
+    gitrepo["🧩 GitRepo"]
   end
-  subgraph Z9["🧱 Trust Zone · #mcp"]
-    _mcp["🧩 #mcp"]
+  subgraph Z9["🧱 GuardLink.MCP · Trust boundary at MCP protocol"]
+    mcp["🧩 GuardLink.MCP · internal"]
   end
-  subgraph Z10["🧱 Trust Zone · MCPClient"]
-    MCPClient["👤 MCPClient"]
+  subgraph Z10["🧱 MCPClient · Trust boundary at MCP protocol"]
+    mcpclient["👤 MCPClient"]
   end
-  subgraph Z11["🧱 Trust Zone · #parser"]
-    _parser["🧩 #parser"]
+  subgraph Z11["🧱 GuardLink.Parser · Trust boundary between parser and disk I/O"]
+    parser["🧩 GuardLink.Parser · internal"]
   end
-  subgraph Z12["🧱 Trust Zone · FileSystem"]
-    FileSystem["🧩 FileSystem"]
+  subgraph Z12["🧱 FileSystem · Trust boundary between parser and disk I/O"]
+    filesystem["🧩 FileSystem"]
   end
-  subgraph Z13["🧱 Trust Zone · #tui"]
-    _tui["👤 #tui"]
+  subgraph Z13["🧱 GuardLink.TUI · Trust boundary at interactive input"]
+    tui["👤 GuardLink.TUI · secrets"]
   end
-  _agent_launcher -.-|🧱 Trust boundary at process spawn| AgentProcess
-  _llm_client -.-|🧱 Trust boundary at external API call| LLMProvider
-  _llm_client -.-|🧱 Trust boundary at external API| NVD
-  _cli -.-|🧱 Trust boundary at CLI argument parsing| UserInput
-  _diff -.-|🧱 Trust boundary at git command execution| GitRepo
-  _mcp -.-|🧱 Trust boundary at MCP protocol| MCPClient
-  _mcp -.-|🧱 Trust boundary at tool argument parsing| MCPClient
-  _parser -.-|🧱 Trust boundary between parser and disk I/O| FileSystem
-  _tui -.-|🧱 Trust boundary at interactive input| UserInput
-  EnvVars["🧩 EnvVars"]
-  ConfigFile["🧩 ConfigFile"]
-  UserPrompt["👤 UserPrompt"]
-  ThreatModel["🧩 ThreatModel"]
-  AgentPrompt["🧩 AgentPrompt"]
-  ProjectFiles["🧩 ProjectFiles"]
-  ReportFile["🧩 ReportFile"]
-  LLMConfig["🧩 LLMConfig"]
-  LLMToolCall["🧩 LLMToolCall"]
-  _sarif["🧩 #sarif"]
-  SarifLog["🧩 SarifLog"]
-  UserArgs["👤 UserArgs"]
-  _dashboard["🧩 #dashboard · internal"]
-  SourceFiles["🧩 SourceFiles"]
-  HTML["🧩 HTML"]
-  GitRef["🧩 GitRef"]
-  TempDir["🧩 TempDir"]
-  ProjectRoot["🧩 ProjectRoot"]
-  _init["🧩 #init · internal"]
-  AgentFiles["🧩 AgentFiles"]
-  QueryString["🧩 QueryString"]
-  FilePath["🧩 FilePath"]
-  _suggest["🧩 #suggest"]
-  Suggestions["🧩 Suggestions"]
-  Annotations["🧩 Annotations"]
-  _report["🧩 #report"]
-  Markdown["🧩 Markdown"]
-  Commands["🧩 Commands"]
-  RawStdin["🧩 RawStdin"]
-  Terminal["🧩 Terminal"]
-  _workspace_link["🧩 #workspace-link"]
-  ReportJSON["🧩 ReportJSON"]
-  _merge_engine["🧩 #merge-engine"]
-  MergedReport["🧩 MergedReport"]
-  _report_metadata["🧩 #report-metadata"]
-  EnvVars -- "📡 process.env" --> _agent_launcher
-  ConfigFile -- "🗄️ readFileSync" --> _agent_launcher
-  _agent_launcher -- "🗄️ writeFileSync" --> ConfigFile
-  UserPrompt -- "📡 launchAgent" --> _agent_launcher
-  _agent_launcher -- "📡 spawn" --> AgentProcess
-  AgentProcess -- "📡 stdout" --> _agent_launcher
-  UserPrompt -- "📡 buildAnnotatePrompt" --> _agent_launcher
-  ThreatModel -- "📡 model" --> _agent_launcher
-  _agent_launcher -- "📡 return" --> AgentPrompt
-  ThreatModel -- "📡 serializeModel" --> _llm_client
-  ProjectFiles -- "🗄️ readFileSync" --> _llm_client
-  _llm_client -- "🗄️ writeFileSync" --> ReportFile
-  LLMConfig -- "📡 chatCompletion" --> _llm_client
-  _llm_client -- "📡 fetch" --> LLMProvider
-  LLMProvider -- "📡 response" --> _llm_client
-  LLMToolCall -- "📡 createToolExecutor" --> _llm_client
-  _llm_client -- "📡 fetch" --> NVD
-  ProjectFiles -- "🗄️ readFileSync" --> _llm_client
-  ThreatModel -- "📡 generateSarif" --> _sarif
-  _sarif -- "📡 return" --> SarifLog
-  UserArgs -- "📡 process.argv" --> _cli
-  _cli -- "🗄️ writeFile" --> FileSystem
-  ThreatModel -- "📡 computeStats" --> _dashboard
-  SourceFiles -- "🗄️ readFileSync" --> _dashboard
-  _dashboard -- "📡 return" --> HTML
-  ThreatModel -- "📡 generateDashboardHTML" --> _dashboard
-  GitRef -- "📡 execSync" --> _diff
-  _diff -- "🗄️ writeFileSync" --> TempDir
-  _diff -- "📡 parseProject" --> ThreatModel
-  GitRef -- "📡 parseAtRef" --> _diff
-  ProjectRoot -- "📡 detectProject" --> _init
-  ProjectRoot -- "📡 options.root" --> _init
-  _init -- "🗄️ writeFileSync" --> AgentFiles
-  _init -- "🗄️ writeFileSync" --> ConfigFile
-  MCPClient -- "📡 stdio" --> _mcp
-  QueryString -- "📡 lookup" --> _mcp
-  MCPClient -- "📡 tool_call" --> _mcp
-  _mcp -- "🗄️ writeFile" --> FileSystem
-  _mcp -- "📡 generateThreatReport" --> _llm_client
-  _mcp -- "📡 resource" --> MCPClient
-  FilePath -- "🗄️ readFileSync" --> _suggest
-  _suggest -- "📡 suggestAnnotations" --> Suggestions
-  ProjectRoot -- "📡 fast-glob" --> _parser
-  _parser -- "🗄️ writeFile" --> SourceFiles
-  FilePath -- "🗄️ readFile" --> _parser
-  _parser -- "📡 parseString" --> Annotations
-  ProjectRoot -- "📡 fast-glob" --> _parser
-  _parser -- "📡 assembleModel" --> ThreatModel
-  ThreatModel -- "📡 generateReport" --> _report
-  _report -- "📡 return" --> Markdown
-  ThreatModel -- "📡 getReviewableExposures" --> _cli
-  _cli -- "🗄️ writeFile" --> SourceFiles
-  UserArgs -- "📡 args" --> _tui
-  _tui -- "🗄️ writeFile" --> FileSystem
-  _tui -- "📡 launchAgent" --> _agent_launcher
-  _tui -- "📡 chatCompletion" --> _llm_client
-  ConfigFile -- "📡 loadProjectConfig" --> _tui
-  _tui -- "📡 saveProjectConfig" --> ConfigFile
-  UserInput -- "📡 readline" --> _tui
-  _tui -- "📡 dispatch" --> Commands
-  RawStdin -- "📡 process.stdin" --> _tui
-  _tui -- "📡 process.stdout" --> Terminal
-  UserArgs -- "📡 linkProject" --> _workspace_link
-  _workspace_link -- "📡 updateAgentWorkspaceContext" --> AgentFiles
-  ReportJSON -- "📡 mergeReports" --> _merge_engine
-  _merge_engine -- "📡 mergeReports" --> MergedReport
-  GitRepo -- "📡 execSync" --> _report_metadata
-  _report_metadata -- "📡 populateMetadata" --> ThreatModel
-

-
-graph LR
-  subgraph A__agent_launcher["#agent-launcher"]
+  envvars["🧩 EnvVars"]
+  configfile["🧩 ConfigFile"]
+  userprompt["👤 UserPrompt"]
+  threatmodel["🧩 ThreatModel"]
+  agentprompt["🧩 AgentPrompt"]
+  projectfiles["🧩 ProjectFiles"]
+  reportfile["🧩 ReportFile"]
+  pentestfindings["🧩 PentestFindings"]
+  llmconfig["🧩 LLMConfig"]
+  llmtoolcall["🧩 LLMToolCall"]
+  sarif["🧩 GuardLink.SARIF"]
+  sariflog["🧩 SarifLog"]
+  userargs["👤 UserArgs"]
+  dashboard["🧩 GuardLink.Dashboard · internal"]
+  sourcefiles["🧩 SourceFiles"]
+  html["🧩 HTML"]
+  gitref["🧩 GitRef"]
+  tempdir["🧩 TempDir"]
+  projectroot["🧩 ProjectRoot"]
+  init["🧩 GuardLink.Init · internal"]
+  agentfiles["🧩 AgentFiles"]
+  querystring["🧩 QueryString"]
+  filepath["🧩 FilePath"]
+  suggest["🧩 GuardLink.Suggest"]
+  suggestions["🧩 Suggestions"]
+  annotations["🧩 Annotations"]
+  report["🧩 GuardLink.Report"]
+  markdown["🧩 Markdown"]
+  commands["🧩 Commands"]
+  rawstdin["🧩 RawStdin"]
+  terminal["🧩 Terminal"]
+  workspace_link["🧩 Workspace.Link"]
+  reportjson["🧩 ReportJSON"]
+  merge_engine["🧩 Workspace.Merge"]
+  mergedreport["🧩 MergedReport"]
+  report_metadata["🧩 Workspace.Metadata"]
+  agent_launcher -.-|🧱 Trust boundary at process spawn| agentprocess
+  llm_client -.-|🧱 Trust boundary at external API call| llmprovider
+  llm_client -.-|🧱 Trust boundary at external API| nvd
+  cli -.-|🧱 Trust boundary at CLI argument parsing| userinput
+  diff -.-|🧱 Trust boundary at git command execution| gitrepo
+  mcp -.-|🧱 Trust boundary at MCP protocol| mcpclient
+  parser -.-|🧱 Trust boundary between parser and disk I/O| filesystem
+  tui -.-|🧱 Trust boundary at interactive input| userinput
+  envvars -- "📡 process.env" --> agent_launcher
+  configfile -- "🗄️ readFileSync" --> agent_launcher
+  agent_launcher -- "🗄️ writeFileSync" --> configfile
+  userprompt -- "📡 launchAgent" --> agent_launcher
+  agent_launcher -- "📡 spawn" --> agentprocess
+  agentprocess -- "📡 stdout" --> agent_launcher
+  userprompt -- "📡 buildAnnotatePrompt" --> agent_launcher
+  userprompt -- "📡 buildTranslatePrompt" --> agent_launcher
+  userprompt -- "📡 buildAskPrompt" --> agent_launcher
+  threatmodel -- "📡 model" --> agent_launcher
+  agent_launcher -- "📡 return" --> agentprompt
+  threatmodel -- "📡 serializeModel" --> llm_client
+  projectfiles -- "🗄️ readFileSync" --> llm_client
+  llm_client -- "🗄️ writeFileSync" --> reportfile
+  pentestfindings -- "🗄️ readFileSync" --> llm_client
+  llmconfig -- "📡 chatCompletion" --> llm_client
+  llm_client -- "📡 fetch" --> llmprovider
+  llmprovider -- "📡 response" --> llm_client
+  llmtoolcall -- "📡 createToolExecutor" --> llm_client
+  llm_client -- "📡 fetch" --> nvd
+  threatmodel -- "📡 generateSarif" --> sarif
+  sarif -- "📡 return" --> sariflog
+  userargs -- "📡 process.argv" --> cli
+  cli -- "🗄️ writeFile" --> filesystem
+  threatmodel -- "📡 generateThreatGraph" --> dashboard
+  threatmodel -- "📡 generateTopologyData" --> dashboard
+  threatmodel -- "📡 computeStats" --> dashboard
+  threatmodel -- "📡 topologyData" --> dashboard
+  sourcefiles -- "🗄️ readFileSync" --> dashboard
+  dashboard -- "📡 return" --> html
+  threatmodel -- "📡 generateDashboardHTML" --> dashboard
+  gitref -- "📡 execSync" --> diff
+  diff -- "🗄️ writeFileSync" --> tempdir
+  diff -- "📡 parseProject" --> threatmodel
+  gitref -- "📡 parseAtRef" --> diff
+  projectroot -- "📡 detectProject" --> init
+  projectroot -- "📡 options.root" --> init
+  init -- "🗄️ writeFileSync" --> agentfiles
+  init -- "🗄️ writeFileSync" --> configfile
+  mcpclient -- "📡 stdio" --> mcp
+  querystring -- "📡 lookup" --> mcp
+  mcpclient -- "📡 tool_call" --> mcp
+  mcp -- "🗄️ writeFile" --> filesystem
+  mcp -- "📡 generateThreatReport" --> llm_client
+  mcp -- "📡 resource" --> mcpclient
+  filepath -- "🗄️ readFileSync" --> suggest
+  suggest -- "📡 suggestAnnotations" --> suggestions
+  projectroot -- "📡 fast-glob" --> parser
+  parser -- "🗄️ writeFile" --> sourcefiles
+  filepath -- "🗄️ readFile" --> parser
+  parser -- "📡 parseString" --> annotations
+  parser -- "📡 assembleModel" --> threatmodel
+  threatmodel -- "📡 generateReport" --> report
+  report -- "📡 return" --> markdown
+  threatmodel -- "📡 generateSequenceDiagram" --> report
+  threatmodel -- "📡 getReviewableExposures" --> cli
+  cli -- "🗄️ writeFile" --> sourcefiles
+  userargs -- "📡 args" --> tui
+  tui -- "🗄️ writeFile" --> filesystem
+  tui -- "📡 launchAgent" --> agent_launcher
+  tui -- "📡 chatCompletion" --> llm_client
+  configfile -- "📡 loadProjectConfig" --> tui
+  tui -- "📡 saveProjectConfig" --> configfile
+  userinput -- "📡 readline" --> tui
+  tui -- "📡 dispatch" --> commands
+  rawstdin -- "📡 process.stdin" --> tui
+  tui -- "📡 process.stdout" --> terminal
+  userargs -- "📡 linkProject" --> workspace_link
+  workspace_link -- "📡 updateAgentWorkspaceContext" --> agentfiles
+  reportjson -- "📡 mergeReports" --> merge_engine
+  merge_engine -- "📡 mergeReports" --> mergedreport
+  gitrepo -- "📡 execSync" --> report_metadata
+  report_metadata -- "📡 populateMetadata" --> threatmodel
+

+        
Trust zones (🧱) and data movement across system boundaries. Each boundary shows both sides of the trust line.

+      

+    

+

+      

+        

+          Attack Surface
+
+          

+            
+            
+            
+          

+        

+        
+%%{init: {"flowchart": {"nodeSpacing": 38, "rankSpacing": 48, "curve": "linear", "htmlLabels": false}}}%%
+graph TB
+  subgraph A_agent_launcher["GuardLink.Agent_Launcher · ⚠ 3 open"]
     direction TB
-    E0["✅ child-proc-injection"]:::sev_crit
-    E1["✅ api-key-exposure"]:::sev_high
-    E2["⚠️ prompt-injection x2"]:::sev_high
-    E3["✅ path-traversal x2"]:::sev_med
-    E4["✅ arbitrary-write"]:::sev_med
-    E5["⚠️ dos"]:::sev_low
+    E0["✅ Child_Process_Injection"]:::sev_crit
+    E1["✅ API_Key_Exposure"]:::sev_high
+    E2["⚠️ Prompt_Injection ×2"]:::sev_high
+    E3["✅ Path_Traversal ×2"]:::sev_med
+    E4["✅ Arbitrary_File_Write"]:::sev_med
+    E5["⚠️ Config_Tampering"]:::sev_med
+    E6["⚠️ Denial_of_Service"]:::sev_low
   end
-  subgraph A__llm_client["#llm-client"]
+  subgraph A_mcp["GuardLink.MCP · ⚠ 3 open"]
     direction TB
-    E6["✅ api-key-exposure"]:::sev_high
-    E7["✅ path-traversal x2"]:::sev_med
-    E8["✅ arbitrary-write"]:::sev_med
-    E9["✅ ssrf x2"]:::sev_med
-    E10["⚠️ prompt-injection"]:::sev_med
-    E11["⚠️ data-exposure"]:::sev_low
-    E12["✅ dos"]:::sev_low
+    E7["⚠️ Command_Injection"]:::sev_high
+    E8["✅ Path_Traversal"]:::sev_high
+    E9["✅ Arbitrary_File_Write"]:::sev_high
+    E10["⚠️ Prompt_Injection"]:::sev_med
+    E11["✅ API_Key_Exposure"]:::sev_med
+    E12["⚠️ Sensitive_Data_Exposure"]:::sev_med
+    E13["✅ ReDoS"]:::sev_low
   end
-  subgraph A__sarif["#sarif"]
+  subgraph A_llm_client["GuardLink.LLM_Client · ⚠ 2 open"]
     direction TB
-    E13["⚠️ data-exposure"]:::sev_low
+    E14["✅ API_Key_Exposure"]:::sev_high
+    E15["✅ Path_Traversal ×2"]:::sev_med
+    E16["✅ Arbitrary_File_Write"]:::sev_med
+    E17["✅ Server_Side_Request_Forgery ×2"]:::sev_med
+    E18["⚠️ Prompt_Injection"]:::sev_med
+    E19["⚠️ Sensitive_Data_Exposure"]:::sev_low
+    E20["✅ Denial_of_Service"]:::sev_low
   end
-  subgraph A__cli["#cli"]
+  subgraph A_tui["GuardLink.TUI · ⚠ 2 open"]
     direction TB
-    E14["⚠️ cmd-injection"]:::sev_crit
-    E15["✅ path-traversal"]:::sev_high
-    E16["✅ arbitrary-write x2"]:::sev_high
-    E17["✅ api-key-exposure"]:::sev_high
+    E21["✅ Path_Traversal ×2"]:::sev_high
+    E22["✅ Arbitrary_File_Write"]:::sev_high
+    E23["⚠️ Command_Injection"]:::sev_high
+    E24["✅ API_Key_Exposure ×3"]:::sev_high
+    E25["⚠️ Prompt_Injection"]:::sev_med
+    E26["✅ Denial_of_Service"]:::sev_low
   end
-  subgraph A__dashboard["#dashboard"]
+  subgraph A_cli["GuardLink.CLI · ⚠ 1 open"]
     direction TB
-    E18["✅ xss x2"]:::sev_high
-    E19["✅ path-traversal"]:::sev_med
+    E27["⚠️ Command_Injection"]:::sev_crit
+    E28["✅ Path_Traversal"]:::sev_high
+    E29["✅ Arbitrary_File_Write ×2"]:::sev_high
+    E30["✅ API_Key_Exposure"]:::sev_high
   end
-  subgraph A__diff["#diff"]
+  subgraph A_init["GuardLink.Init · ⚠ 1 open"]
     direction TB
-    E20["✅ cmd-injection x2"]:::sev_high
-    E21["✅ arbitrary-write"]:::sev_med
-    E22["✅ path-traversal"]:::sev_med
+    E31["✅ Arbitrary_File_Write"]:::sev_high
+    E32["✅ Path_Traversal ×2"]:::sev_med
+    E33["⚠️ Sensitive_Data_Exposure"]:::sev_low
   end
-  subgraph A__init["#init"]
+  subgraph A_parser["GuardLink.Parser · ⚠ 1 open"]
     direction TB
-    E23["✅ arbitrary-write"]:::sev_high
-    E24["✅ path-traversal x2"]:::sev_med
-    E25["⚠️ data-exposure"]:::sev_low
+    E34["⚠️ Arbitrary_File_Write"]:::sev_high
+    E35["✅ Path_Traversal ×3"]:::sev_high
+    E36["✅ Denial_of_Service ×2"]:::sev_med
+    E37["✅ ReDoS"]:::sev_med
   end
-  subgraph A__mcp["#mcp"]
+  subgraph A_sarif["GuardLink.SARIF · ⚠ 1 open"]
     direction TB
-    E26["⚠️ cmd-injection"]:::sev_high
-    E27["✅ path-traversal"]:::sev_high
-    E28["✅ arbitrary-write"]:::sev_high
-    E29["⚠️ prompt-injection"]:::sev_med
-    E30["✅ api-key-exposure"]:::sev_med
-    E31["⚠️ data-exposure"]:::sev_med
-    E32["✅ redos"]:::sev_low
+    E38["⚠️ Sensitive_Data_Exposure"]:::sev_low
   end
-  subgraph A__suggest["#suggest"]
+  subgraph A_suggest["GuardLink.Suggest · ⚠ 1 open"]
     direction TB
-    E33["✅ path-traversal"]:::sev_high
-    E34["✅ redos"]:::sev_med
-    E35["⚠️ dos"]:::sev_low
+    E39["✅ Path_Traversal"]:::sev_high
+    E40["✅ ReDoS"]:::sev_med
+    E41["⚠️ Denial_of_Service"]:::sev_low
   end
-  subgraph A__parser["#parser"]
+  subgraph A_dashboard["GuardLink.Dashboard · ✅ 100% covered"]
     direction TB
-    E36["⚠️ arbitrary-write"]:::sev_high
-    E37["✅ path-traversal x3"]:::sev_high
-    E38["✅ dos x2"]:::sev_med
-    E39["✅ redos"]:::sev_med
+    E42["✅ Cross_Site_Scripting ×2"]:::sev_high
+    E43["✅ Path_Traversal"]:::sev_med
   end
-  subgraph A__tui["#tui"]
+  subgraph A_diff["GuardLink.Diff · ✅ 100% covered"]
     direction TB
-    E40["✅ path-traversal x2"]:::sev_high
-    E41["✅ arbitrary-write"]:::sev_high
-    E42["⚠️ cmd-injection"]:::sev_high
-    E43["✅ api-key-exposure x3"]:::sev_high
-    E44["⚠️ prompt-injection"]:::sev_med
-    E45["✅ dos"]:::sev_low
+    E44["✅ Command_Injection ×2"]:::sev_high
+    E45["✅ Arbitrary_File_Write"]:::sev_med
+    E46["✅ Path_Traversal"]:::sev_med
   end
-  classDef sev_crit fill:#7f1d1d,stroke:#ef4444,color:#fecaca
-  classDef sev_high fill:#7c2d12,stroke:#f97316,color:#fed7aa
-  classDef sev_med fill:#78350f,stroke:#f59e0b,color:#fef3c7
-  classDef sev_low fill:#1e3a5f,stroke:#3b82f6,color:#bfdbfe
-  classDef sev_unset fill:#374151,stroke:#9ca3af,color:#e5e7eb
-

+  classDef sev_crit fill:#3a1010,stroke:#ea1d1d,color:#f0f0f0,stroke-width:1.4px
+  classDef sev_high fill:#402019,stroke:#ea1d1d,color:#f0f0f0,stroke-width:1.2px
+  classDef sev_med fill:#1f3943,stroke:#55899e,color:#f0f0f0
+  classDef sev_low fill:#10263b,stroke:#0360a2,color:#f0f0f0
+  classDef sev_unset fill:#223942,stroke:#3b6779,color:#f0f0f0
+

+        
Exposures per asset, severity-coloured. 💥 confirmed, ⚠️ open, ✅ mitigated, 🟦 accepted.

+      

+    

@@ -2344,7 +3691,7 @@ 
unknown

     Every file with GuardLink annotations. Click any annotation to see details.
   

   
-  

+  

     

       .guardlink/definitions.ts
       
@@ -2689,7 +4036,7 @@ 
unknown

       

     

   

-  

+  

     

       src/agents/config.ts
       
@@ -2791,7 +4138,7 @@ 
unknown

       

     

   

-  

+  

     

       src/agents/index.ts
       
@@ -2821,7 +4168,7 @@ 
unknown

       

     

   

-  

+  

     

       src/agents/launcher.ts
       
@@ -2932,11 +4279,11 @@ 
unknown

       

     

   

-  

+  

     

       src/agents/prompts.ts
       
-        24
+        26
         
       
     

@@ -2949,7 +4296,7 @@ 
unknown

           #agent-launcher → #prompt-injection
         

         
User prompt concatenated into agent instruction text

-        
   1 │ /**   2 │  * GuardLink Agents — Prompt builders for annotation and analysis.   3 │  *   4 │  * Extracted from tui/commands.ts for shared use across CLI, TUI, MCP.   5 │  *   6 │  * @exposes #agent-launcher to #prompt-injection [high] cwe:CWE-77 -- "User prompt concatenated into agent instruction text"   7 │  * @audit #agent-launcher -- "Prompt injection mitigated by agent's own safety measures; GuardLink prompt is read-only context"   8 │  * @exposes #agent-launcher to #path-traversal [medium] cwe:CWE-22 -- "Reads reference docs from root-relative paths"   9 │  * @mitigates #agent-launcher against #path-traversal using #path-validation -- "resolve() with root constrains file access"  10 │  * @flows UserPrompt -> #agent-launcher via buildAnnotatePrompt -- "User instruction input"  11 │  * @flows ThreatModel -> #agent-launcher via model -- "Model context injection"

+        
   1 │ /**   2 │  * GuardLink Agents — Prompt builders for annotation and analysis.   3 │  *   4 │  * Extracted from tui/commands.ts for shared use across CLI, TUI, MCP.   5 │  *   6 │  * @exposes #agent-launcher to #prompt-injection [high] cwe:CWE-77 -- "User prompt concatenated into agent instruction text"   7 │  * @audit #agent-launcher -- "Prompt injection mitigated by agent's own safety measures; GuardLink prompt is read-only context"   8 │  * @exposes #agent-launcher to #path-traversal [medium] cwe:CWE-22 -- "Reads reference docs from root-relative paths"   9 │  * @mitigates #agent-launcher against #path-traversal using #path-validation -- "resolve() with root constrains file access"  10 │  * @exposes #agent-launcher to #config-tamper [medium] cwe:CWE-15 -- "Translate prompt may read CXG reference paths from environment overrides"  11 │  * @audit #agent-launcher -- "Environment override paths are optional convenience; verify trusted local paths in CI"

       

       

         

@@ -2958,7 +4305,7 @@ 
unknown

           Audit: #agent-launcher
         

         
Prompt injection mitigated by agent's own safety measures; GuardLink prompt is read-only context

-        
   2 │  * GuardLink Agents — Prompt builders for annotation and analysis.   3 │  *   4 │  * Extracted from tui/commands.ts for shared use across CLI, TUI, MCP.   5 │  *   6 │  * @exposes #agent-launcher to #prompt-injection [high] cwe:CWE-77 -- "User prompt concatenated into agent instruction text"   7 │  * @audit #agent-launcher -- "Prompt injection mitigated by agent's own safety measures; GuardLink prompt is read-only context"   8 │  * @exposes #agent-launcher to #path-traversal [medium] cwe:CWE-22 -- "Reads reference docs from root-relative paths"   9 │  * @mitigates #agent-launcher against #path-traversal using #path-validation -- "resolve() with root constrains file access"  10 │  * @flows UserPrompt -> #agent-launcher via buildAnnotatePrompt -- "User instruction input"  11 │  * @flows ThreatModel -> #agent-launcher via model -- "Model context injection"  12 │  * @flows #agent-launcher -> AgentPrompt via return -- "Assembled prompt output"

+        
   2 │  * GuardLink Agents — Prompt builders for annotation and analysis.   3 │  *   4 │  * Extracted from tui/commands.ts for shared use across CLI, TUI, MCP.   5 │  *   6 │  * @exposes #agent-launcher to #prompt-injection [high] cwe:CWE-77 -- "User prompt concatenated into agent instruction text"   7 │  * @audit #agent-launcher -- "Prompt injection mitigated by agent's own safety measures; GuardLink prompt is read-only context"   8 │  * @exposes #agent-launcher to #path-traversal [medium] cwe:CWE-22 -- "Reads reference docs from root-relative paths"   9 │  * @mitigates #agent-launcher against #path-traversal using #path-validation -- "resolve() with root constrains file access"  10 │  * @exposes #agent-launcher to #config-tamper [medium] cwe:CWE-15 -- "Translate prompt may read CXG reference paths from environment overrides"  11 │  * @audit #agent-launcher -- "Environment override paths are optional convenience; verify trusted local paths in CI"  12 │  * @flows UserPrompt -> #agent-launcher via buildAnnotatePrompt -- "User instruction input"

       

       

         

@@ -2967,7 +4314,7 @@ 
unknown

           #agent-launcher → #path-traversal
         

         
Reads reference docs from root-relative paths

-        
   3 │  *   4 │  * Extracted from tui/commands.ts for shared use across CLI, TUI, MCP.   5 │  *   6 │  * @exposes #agent-launcher to #prompt-injection [high] cwe:CWE-77 -- "User prompt concatenated into agent instruction text"   7 │  * @audit #agent-launcher -- "Prompt injection mitigated by agent's own safety measures; GuardLink prompt is read-only context"   8 │  * @exposes #agent-launcher to #path-traversal [medium] cwe:CWE-22 -- "Reads reference docs from root-relative paths"   9 │  * @mitigates #agent-launcher against #path-traversal using #path-validation -- "resolve() with root constrains file access"  10 │  * @flows UserPrompt -> #agent-launcher via buildAnnotatePrompt -- "User instruction input"  11 │  * @flows ThreatModel -> #agent-launcher via model -- "Model context injection"  12 │  * @flows #agent-launcher -> AgentPrompt via return -- "Assembled prompt output"  13 │  * @handles internal on #agent-launcher -- "Serializes threat model IDs and flows into prompt"

+        
   3 │  *   4 │  * Extracted from tui/commands.ts for shared use across CLI, TUI, MCP.   5 │  *   6 │  * @exposes #agent-launcher to #prompt-injection [high] cwe:CWE-77 -- "User prompt concatenated into agent instruction text"   7 │  * @audit #agent-launcher -- "Prompt injection mitigated by agent's own safety measures; GuardLink prompt is read-only context"   8 │  * @exposes #agent-launcher to #path-traversal [medium] cwe:CWE-22 -- "Reads reference docs from root-relative paths"   9 │  * @mitigates #agent-launcher against #path-traversal using #path-validation -- "resolve() with root constrains file access"  10 │  * @exposes #agent-launcher to #config-tamper [medium] cwe:CWE-15 -- "Translate prompt may read CXG reference paths from environment overrides"  11 │  * @audit #agent-launcher -- "Environment override paths are optional convenience; verify trusted local paths in CI"  12 │  * @flows UserPrompt -> #agent-launcher via buildAnnotatePrompt -- "User instruction input"  13 │  * @flows UserPrompt -> #agent-launcher via buildTranslatePrompt -- "Template translation instruction input"

       

       

         

@@ -2976,195 +4323,213 @@ 
unknown

           #path-validation mitigates #path-traversal
         

         
resolve() with root constrains file access

-        
   4 │  * Extracted from tui/commands.ts for shared use across CLI, TUI, MCP.   5 │  *   6 │  * @exposes #agent-launcher to #prompt-injection [high] cwe:CWE-77 -- "User prompt concatenated into agent instruction text"   7 │  * @audit #agent-launcher -- "Prompt injection mitigated by agent's own safety measures; GuardLink prompt is read-only context"   8 │  * @exposes #agent-launcher to #path-traversal [medium] cwe:CWE-22 -- "Reads reference docs from root-relative paths"   9 │  * @mitigates #agent-launcher against #path-traversal using #path-validation -- "resolve() with root constrains file access"  10 │  * @flows UserPrompt -> #agent-launcher via buildAnnotatePrompt -- "User instruction input"  11 │  * @flows ThreatModel -> #agent-launcher via model -- "Model context injection"  12 │  * @flows #agent-launcher -> AgentPrompt via return -- "Assembled prompt output"  13 │  * @handles internal on #agent-launcher -- "Serializes threat model IDs and flows into prompt"  14 │  */

+        
   4 │  * Extracted from tui/commands.ts for shared use across CLI, TUI, MCP.   5 │  *   6 │  * @exposes #agent-launcher to #prompt-injection [high] cwe:CWE-77 -- "User prompt concatenated into agent instruction text"   7 │  * @audit #agent-launcher -- "Prompt injection mitigated by agent's own safety measures; GuardLink prompt is read-only context"   8 │  * @exposes #agent-launcher to #path-traversal [medium] cwe:CWE-22 -- "Reads reference docs from root-relative paths"   9 │  * @mitigates #agent-launcher against #path-traversal using #path-validation -- "resolve() with root constrains file access"  10 │  * @exposes #agent-launcher to #config-tamper [medium] cwe:CWE-15 -- "Translate prompt may read CXG reference paths from environment overrides"  11 │  * @audit #agent-launcher -- "Environment override paths are optional convenience; verify trusted local paths in CI"  12 │  * @flows UserPrompt -> #agent-launcher via buildAnnotatePrompt -- "User instruction input"  13 │  * @flows UserPrompt -> #agent-launcher via buildTranslatePrompt -- "Template translation instruction input"  14 │  * @flows UserPrompt -> #agent-launcher via buildAskPrompt -- "Threat model question input"

       

       

         

           L10
-          flow
-          UserPrompt → #agent-launcher
+          exposes
+          #agent-launcher → #config-tamper
         

-        
User instruction input

-        
   5 │  *   6 │  * @exposes #agent-launcher to #prompt-injection [high] cwe:CWE-77 -- "User prompt concatenated into agent instruction text"   7 │  * @audit #agent-launcher -- "Prompt injection mitigated by agent's own safety measures; GuardLink prompt is read-only context"   8 │  * @exposes #agent-launcher to #path-traversal [medium] cwe:CWE-22 -- "Reads reference docs from root-relative paths"   9 │  * @mitigates #agent-launcher against #path-traversal using #path-validation -- "resolve() with root constrains file access"  10 │  * @flows UserPrompt -> #agent-launcher via buildAnnotatePrompt -- "User instruction input"  11 │  * @flows ThreatModel -> #agent-launcher via model -- "Model context injection"  12 │  * @flows #agent-launcher -> AgentPrompt via return -- "Assembled prompt output"  13 │  * @handles internal on #agent-launcher -- "Serializes threat model IDs and flows into prompt"  14 │  */  15 │ 

+        
Translate prompt may read CXG reference paths from environment overrides

+        
   5 │  *   6 │  * @exposes #agent-launcher to #prompt-injection [high] cwe:CWE-77 -- "User prompt concatenated into agent instruction text"   7 │  * @audit #agent-launcher -- "Prompt injection mitigated by agent's own safety measures; GuardLink prompt is read-only context"   8 │  * @exposes #agent-launcher to #path-traversal [medium] cwe:CWE-22 -- "Reads reference docs from root-relative paths"   9 │  * @mitigates #agent-launcher against #path-traversal using #path-validation -- "resolve() with root constrains file access"  10 │  * @exposes #agent-launcher to #config-tamper [medium] cwe:CWE-15 -- "Translate prompt may read CXG reference paths from environment overrides"  11 │  * @audit #agent-launcher -- "Environment override paths are optional convenience; verify trusted local paths in CI"  12 │  * @flows UserPrompt -> #agent-launcher via buildAnnotatePrompt -- "User instruction input"  13 │  * @flows UserPrompt -> #agent-launcher via buildTranslatePrompt -- "Template translation instruction input"  14 │  * @flows UserPrompt -> #agent-launcher via buildAskPrompt -- "Threat model question input"  15 │  * @flows ThreatModel -> #agent-launcher via model -- "Model context injection"

       

       

         

           L11
-          flow
-          ThreatModel → #agent-launcher
+          audit
+          Audit: #agent-launcher
         

-        
Model context injection

-        
   6 │  * @exposes #agent-launcher to #prompt-injection [high] cwe:CWE-77 -- "User prompt concatenated into agent instruction text"   7 │  * @audit #agent-launcher -- "Prompt injection mitigated by agent's own safety measures; GuardLink prompt is read-only context"   8 │  * @exposes #agent-launcher to #path-traversal [medium] cwe:CWE-22 -- "Reads reference docs from root-relative paths"   9 │  * @mitigates #agent-launcher against #path-traversal using #path-validation -- "resolve() with root constrains file access"  10 │  * @flows UserPrompt -> #agent-launcher via buildAnnotatePrompt -- "User instruction input"  11 │  * @flows ThreatModel -> #agent-launcher via model -- "Model context injection"  12 │  * @flows #agent-launcher -> AgentPrompt via return -- "Assembled prompt output"  13 │  * @handles internal on #agent-launcher -- "Serializes threat model IDs and flows into prompt"  14 │  */  15 │   16 │ import { existsSync, readFileSync } from 'node:fs';

+        
Environment override paths are optional convenience; verify trusted local paths in CI

+        
   6 │  * @exposes #agent-launcher to #prompt-injection [high] cwe:CWE-77 -- "User prompt concatenated into agent instruction text"   7 │  * @audit #agent-launcher -- "Prompt injection mitigated by agent's own safety measures; GuardLink prompt is read-only context"   8 │  * @exposes #agent-launcher to #path-traversal [medium] cwe:CWE-22 -- "Reads reference docs from root-relative paths"   9 │  * @mitigates #agent-launcher against #path-traversal using #path-validation -- "resolve() with root constrains file access"  10 │  * @exposes #agent-launcher to #config-tamper [medium] cwe:CWE-15 -- "Translate prompt may read CXG reference paths from environment overrides"  11 │  * @audit #agent-launcher -- "Environment override paths are optional convenience; verify trusted local paths in CI"  12 │  * @flows UserPrompt -> #agent-launcher via buildAnnotatePrompt -- "User instruction input"  13 │  * @flows UserPrompt -> #agent-launcher via buildTranslatePrompt -- "Template translation instruction input"  14 │  * @flows UserPrompt -> #agent-launcher via buildAskPrompt -- "Threat model question input"  15 │  * @flows ThreatModel -> #agent-launcher via model -- "Model context injection"  16 │  * @flows #agent-launcher -> AgentPrompt via return -- "Assembled prompt output"

       

       

         

           L12
           flow
-          #agent-launcher → AgentPrompt
+          UserPrompt → #agent-launcher
         

-        
Assembled prompt output

-        
   7 │  * @audit #agent-launcher -- "Prompt injection mitigated by agent's own safety measures; GuardLink prompt is read-only context"   8 │  * @exposes #agent-launcher to #path-traversal [medium] cwe:CWE-22 -- "Reads reference docs from root-relative paths"   9 │  * @mitigates #agent-launcher against #path-traversal using #path-validation -- "resolve() with root constrains file access"  10 │  * @flows UserPrompt -> #agent-launcher via buildAnnotatePrompt -- "User instruction input"  11 │  * @flows ThreatModel -> #agent-launcher via model -- "Model context injection"  12 │  * @flows #agent-launcher -> AgentPrompt via return -- "Assembled prompt output"  13 │  * @handles internal on #agent-launcher -- "Serializes threat model IDs and flows into prompt"  14 │  */  15 │   16 │ import { existsSync, readFileSync } from 'node:fs';  17 │ import { resolve } from 'node:path';

+        
User instruction input

+        
   7 │  * @audit #agent-launcher -- "Prompt injection mitigated by agent's own safety measures; GuardLink prompt is read-only context"   8 │  * @exposes #agent-launcher to #path-traversal [medium] cwe:CWE-22 -- "Reads reference docs from root-relative paths"   9 │  * @mitigates #agent-launcher against #path-traversal using #path-validation -- "resolve() with root constrains file access"  10 │  * @exposes #agent-launcher to #config-tamper [medium] cwe:CWE-15 -- "Translate prompt may read CXG reference paths from environment overrides"  11 │  * @audit #agent-launcher -- "Environment override paths are optional convenience; verify trusted local paths in CI"  12 │  * @flows UserPrompt -> #agent-launcher via buildAnnotatePrompt -- "User instruction input"  13 │  * @flows UserPrompt -> #agent-launcher via buildTranslatePrompt -- "Template translation instruction input"  14 │  * @flows UserPrompt -> #agent-launcher via buildAskPrompt -- "Threat model question input"  15 │  * @flows ThreatModel -> #agent-launcher via model -- "Model context injection"  16 │  * @flows #agent-launcher -> AgentPrompt via return -- "Assembled prompt output"  17 │  * @handles internal on #agent-launcher -- "Serializes threat model IDs and flows into prompt"

       

       

         

           L13
-          handles
-          #agent-launcher: internal
+          flow
+          UserPrompt → #agent-launcher
         

-        
Serializes threat model IDs and flows into prompt

-        
   8 │  * @exposes #agent-launcher to #path-traversal [medium] cwe:CWE-22 -- "Reads reference docs from root-relative paths"   9 │  * @mitigates #agent-launcher against #path-traversal using #path-validation -- "resolve() with root constrains file access"  10 │  * @flows UserPrompt -> #agent-launcher via buildAnnotatePrompt -- "User instruction input"  11 │  * @flows ThreatModel -> #agent-launcher via model -- "Model context injection"  12 │  * @flows #agent-launcher -> AgentPrompt via return -- "Assembled prompt output"  13 │  * @handles internal on #agent-launcher -- "Serializes threat model IDs and flows into prompt"  14 │  */  15 │   16 │ import { existsSync, readFileSync } from 'node:fs';  17 │ import { resolve } from 'node:path';  18 │ import type { ThreatModel } from '../types/index.js';

+        
Template translation instruction input

+        
   8 │  * @exposes #agent-launcher to #path-traversal [medium] cwe:CWE-22 -- "Reads reference docs from root-relative paths"   9 │  * @mitigates #agent-launcher against #path-traversal using #path-validation -- "resolve() with root constrains file access"  10 │  * @exposes #agent-launcher to #config-tamper [medium] cwe:CWE-15 -- "Translate prompt may read CXG reference paths from environment overrides"  11 │  * @audit #agent-launcher -- "Environment override paths are optional convenience; verify trusted local paths in CI"  12 │  * @flows UserPrompt -> #agent-launcher via buildAnnotatePrompt -- "User instruction input"  13 │  * @flows UserPrompt -> #agent-launcher via buildTranslatePrompt -- "Template translation instruction input"  14 │  * @flows UserPrompt -> #agent-launcher via buildAskPrompt -- "Threat model question input"  15 │  * @flows ThreatModel -> #agent-launcher via model -- "Model context injection"  16 │  * @flows #agent-launcher -> AgentPrompt via return -- "Assembled prompt output"  17 │  * @handles internal on #agent-launcher -- "Serializes threat model IDs and flows into prompt"  18 │  */

       

       

         

-          L148
-          shield
-          Example annotation block for reference, excluded from parsing
+          L14
+          flow
+          UserPrompt → #agent-launcher
         

-        
-        
 143 │  144 │ ### Always Couple Annotations Together 145 │ A file's doc-block should paint the full security picture of that module. Group annotations logically: 146 │  147 │ \`\`\` 148 │ // @shield:begin -- "Example annotation block for reference, excluded from parsing" 149 │ // 150 │ // GOOD — Complete story at a single code location: 151 │ // @exposes #auth-api to #sqli [P1] cwe:CWE-89 -- "User-supplied email passed to findUser() query builder" 152 │ // @mitigates #auth-api against #sqli using #input-validation -- "Zod schema validates email format before query" 153 │ // @flows User_Input -> #auth-api via POST./login -- "Login form submits credentials"

+        
Threat model question input

+        
   9 │  * @mitigates #agent-launcher against #path-traversal using #path-validation -- "resolve() with root constrains file access"  10 │  * @exposes #agent-launcher to #config-tamper [medium] cwe:CWE-15 -- "Translate prompt may read CXG reference paths from environment overrides"  11 │  * @audit #agent-launcher -- "Environment override paths are optional convenience; verify trusted local paths in CI"  12 │  * @flows UserPrompt -> #agent-launcher via buildAnnotatePrompt -- "User instruction input"  13 │  * @flows UserPrompt -> #agent-launcher via buildTranslatePrompt -- "Template translation instruction input"  14 │  * @flows UserPrompt -> #agent-launcher via buildAskPrompt -- "Threat model question input"  15 │  * @flows ThreatModel -> #agent-launcher via model -- "Model context injection"  16 │  * @flows #agent-launcher -> AgentPrompt via return -- "Assembled prompt output"  17 │  * @handles internal on #agent-launcher -- "Serializes threat model IDs and flows into prompt"  18 │  */  19 │ 

       

       

         

-          L161
-          shield
-          Shielded region
+          L15
+          flow
+          ThreatModel → #agent-launcher
         

-        
-        
 156 │ // @comment -- "Password comparison uses bcrypt.compare with timing-safe equality" 157 │ // 158 │ // BAD — Isolated annotation with no context: 159 │ // @exposes #auth-api to #sqli -- "SQL injection possible" 160 │ // 161 │ // @shield:end 162 │ \`\`\` 163 │  164 │ ### Description Style — Reference Actual Code 165 │ Descriptions must reference the real code: function names, variable names, libraries, mechanisms. 166 │ 

+        
Model context injection

+        
  10 │  * @exposes #agent-launcher to #config-tamper [medium] cwe:CWE-15 -- "Translate prompt may read CXG reference paths from environment overrides"  11 │  * @audit #agent-launcher -- "Environment override paths are optional convenience; verify trusted local paths in CI"  12 │  * @flows UserPrompt -> #agent-launcher via buildAnnotatePrompt -- "User instruction input"  13 │  * @flows UserPrompt -> #agent-launcher via buildTranslatePrompt -- "Template translation instruction input"  14 │  * @flows UserPrompt -> #agent-launcher via buildAskPrompt -- "Threat model question input"  15 │  * @flows ThreatModel -> #agent-launcher via model -- "Model context injection"  16 │  * @flows #agent-launcher -> AgentPrompt via return -- "Assembled prompt output"  17 │  * @handles internal on #agent-launcher -- "Serializes threat model IDs and flows into prompt"  18 │  */  19 │   20 │ import { existsSync, readFileSync } from 'node:fs';

       

       

         

-          L168
-          shield
-          Description examples, excluded from parsing
+          L16
+          flow
+          #agent-launcher → AgentPrompt
         

-        
-        
 163 │  164 │ ### Description Style — Reference Actual Code 165 │ Descriptions must reference the real code: function names, variable names, libraries, mechanisms. 166 │  167 │ \`\`\` 168 │ // @shield:begin -- "Description examples, excluded from parsing" 169 │ // 170 │ // GOOD: -- "req.body.token passed to jwt.verify() without audience check" 171 │ // GOOD: -- "bcrypt rounds set to 12 via BCRYPT_COST env var" 172 │ // GOOD: -- "Rate limiter uses express-rate-limit at 100req/15min on /api/*" 173 │ //

+        
Assembled prompt output

+        
  11 │  * @audit #agent-launcher -- "Environment override paths are optional convenience; verify trusted local paths in CI"  12 │  * @flows UserPrompt -> #agent-launcher via buildAnnotatePrompt -- "User instruction input"  13 │  * @flows UserPrompt -> #agent-launcher via buildTranslatePrompt -- "Template translation instruction input"  14 │  * @flows UserPrompt -> #agent-launcher via buildAskPrompt -- "Threat model question input"  15 │  * @flows ThreatModel -> #agent-launcher via model -- "Model context injection"  16 │  * @flows #agent-launcher -> AgentPrompt via return -- "Assembled prompt output"  17 │  * @handles internal on #agent-launcher -- "Serializes threat model IDs and flows into prompt"  18 │  */  19 │   20 │ import { existsSync, readFileSync } from 'node:fs';  21 │ import { resolve } from 'node:path';

       

       

         

-          L178
-          shield
-          Shielded region
+          L17
+          handles
+          #agent-launcher: internal
         

-        
-        
 173 │ // 174 │ // BAD:  -- "Input not validated"             (too vague — WHICH input? WHERE?) 175 │ // BAD:  -- "Uses encryption"                 (WHAT encryption? On WHAT data?) 176 │ // BAD:  -- "Security vulnerability exists"   (meaningless — be specific) 177 │ // 178 │ // @shield:end 179 │ \`\`\` 180 │  181 │ ### @flows — Stitch the Complete Data Path 182 │ @flows is the backbone of the threat model. Trace data movement accurately: 183 │ 

+        
Serializes threat model IDs and flows into prompt

+        
  12 │  * @flows UserPrompt -> #agent-launcher via buildAnnotatePrompt -- "User instruction input"  13 │  * @flows UserPrompt -> #agent-launcher via buildTranslatePrompt -- "Template translation instruction input"  14 │  * @flows UserPrompt -> #agent-launcher via buildAskPrompt -- "Threat model question input"  15 │  * @flows ThreatModel -> #agent-launcher via model -- "Model context injection"  16 │  * @flows #agent-launcher -> AgentPrompt via return -- "Assembled prompt output"  17 │  * @handles internal on #agent-launcher -- "Serializes threat model IDs and flows into prompt"  18 │  */  19 │   20 │ import { existsSync, readFileSync } from 'node:fs';  21 │ import { resolve } from 'node:path';  22 │ import { homedir } from 'node:os';

       

       

         

-          L185
+          L204
           shield
-          Flow examples, excluded from parsing
+          Example annotation block for reference, excluded from parsing
         

         
-        
 180 │  181 │ ### @flows — Stitch the Complete Data Path 182 │ @flows is the backbone of the threat model. Trace data movement accurately: 183 │  184 │ \`\`\` 185 │ // @shield:begin -- "Flow examples, excluded from parsing" 186 │ // 187 │ // Trace a request through the full stack: 188 │ // @flows User_Browser -> #api-gateway via HTTPS -- "Client sends auth request" 189 │ // @flows #api-gateway -> #auth-service via internal.gRPC -- "Gateway forwards to auth microservice" 190 │ // @flows #auth-service -> #user-db via pg.query -- "Looks up user record by email"

+        
 199 │  200 │ ### Always Couple Annotations Together 201 │ A file's doc-block should paint the full security picture of that module. Group annotations logically: 202 │  203 │ \`\`\` 204 │ // @shield:begin -- "Example annotation block for reference, excluded from parsing" 205 │ // 206 │ // GOOD — Complete story at a single code location: 207 │ // @exposes #auth-api to #sqli [P1] cwe:CWE-89 -- "User-supplied email passed to findUser() query builder" 208 │ // @mitigates #auth-api against #sqli using #input-validation -- "Zod schema validates email format before query" 209 │ // @flows User_Input -> #auth-api via POST./login -- "Login form submits credentials"

       

       

         

-          L194
+          L217
           shield
           Shielded region
         

         
-        
 189 │ // @flows #api-gateway -> #auth-service via internal.gRPC -- "Gateway forwards to auth microservice" 190 │ // @flows #auth-service -> #user-db via pg.query -- "Looks up user record by email" 191 │ // @flows #auth-service -> #session-store via redis.set -- "Stores session token with TTL" 192 │ // @flows #auth-service -> User_Browser via Set-Cookie -- "Returns session cookie to client" 193 │ // 194 │ // @shield:end 195 │ \`\`\` 196 │  197 │ ### @boundary — Mark Every Trust Zone Crossing 198 │ Place @boundary annotations where trust level changes between two components: 199 │ 

+        
 212 │ // @comment -- "Password comparison uses bcrypt.compare with timing-safe equality" 213 │ // 214 │ // BAD — Isolated annotation with no context: 215 │ // @exposes #auth-api to #sqli -- "SQL injection possible" 216 │ // 217 │ // @shield:end 218 │ \`\`\` 219 │  220 │ ### Description Style — Reference Actual Code 221 │ Descriptions must reference the real code: function names, variable names, libraries, mechanisms. 222 │ 

       

       

         

-          L201
+          L224
           shield
-          Boundary examples, excluded from parsing
+          Description examples, excluded from parsing
         

         
-        
 196 │  197 │ ### @boundary — Mark Every Trust Zone Crossing 198 │ Place @boundary annotations where trust level changes between two components: 199 │  200 │ \`\`\` 201 │ // @shield:begin -- "Boundary examples, excluded from parsing" 202 │ // 203 │ // @boundary between #api-gateway and External_Internet (#public-boundary) -- "TLS termination, rate limiting at edge" 204 │ // @boundary between #backend and #database (#data-boundary) -- "Application to persistence layer, connection pooling via pgBouncer" 205 │ // @boundary between #app and #payment-provider (#vendor-boundary) -- "PCI-DSS scope boundary, tokenized card data only" 206 │ //

+        
 219 │  220 │ ### Description Style — Reference Actual Code 221 │ Descriptions must reference the real code: function names, variable names, libraries, mechanisms. 222 │  223 │ \`\`\` 224 │ // @shield:begin -- "Description examples, excluded from parsing" 225 │ // 226 │ // GOOD: -- "req.body.token passed to jwt.verify() without audience check" 227 │ // GOOD: -- "bcrypt rounds set to 12 via BCRYPT_COST env var" 228 │ // GOOD: -- "Rate limiter uses express-rate-limit at 100req/15min on /api/*" 229 │ //

       

       

         

-          L207
+          L234
           shield
           Shielded region
         

         
-        
 202 │ // 203 │ // @boundary between #api-gateway and External_Internet (#public-boundary) -- "TLS termination, rate limiting at edge" 204 │ // @boundary between #backend and #database (#data-boundary) -- "Application to persistence layer, connection pooling via pgBouncer" 205 │ // @boundary between #app and #payment-provider (#vendor-boundary) -- "PCI-DSS scope boundary, tokenized card data only" 206 │ // 207 │ // @shield:end 208 │ \`\`\` 209 │  210 │ ### Where to Place Annotations 211 │ Annotations go in the file's top doc-block comment OR directly above the security-relevant code: 212 │ 

+        
 229 │ // 230 │ // BAD:  -- "Input not validated"             (too vague — WHICH input? WHERE?) 231 │ // BAD:  -- "Uses encryption"                 (WHAT encryption? On WHAT data?) 232 │ // BAD:  -- "Security vulnerability exists"   (meaningless — be specific) 233 │ // 234 │ // @shield:end 235 │ \`\`\` 236 │  237 │ ### @flows — Stitch the Complete Data Path 238 │ @flows is the backbone of the threat model. Trace data movement accurately: 239 │ 

       

       

         

-          L214
+          L241
           shield
-          Placement examples, excluded from parsing
+          Flow examples, excluded from parsing
         

         
-        
 209 │  210 │ ### Where to Place Annotations 211 │ Annotations go in the file's top doc-block comment OR directly above the security-relevant code: 212 │  213 │ \`\`\` 214 │ // @shield:begin -- "Placement examples, excluded from parsing" 215 │ // 216 │ // FILE-LEVEL (top doc-block) — for module-wide security properties: 217 │ // Place @exposes, @mitigates, @flows, @handles, @boundary that describe the module as a whole 218 │ // 219 │ // INLINE (above specific functions/methods) — for function-specific concerns:

+        
 236 │  237 │ ### @flows — Stitch the Complete Data Path 238 │ @flows is the backbone of the threat model. Trace data movement accurately: 239 │  240 │ \`\`\` 241 │ // @shield:begin -- "Flow examples, excluded from parsing" 242 │ // 243 │ // Trace a request through the full stack: 244 │ // @flows User_Browser -> #api-gateway via HTTPS -- "Client sends auth request" 245 │ // @flows #api-gateway -> #auth-service via internal.gRPC -- "Gateway forwards to auth microservice" 246 │ // @flows #auth-service -> #user-db via pg.query -- "Looks up user record by email"

       

       

         

-          L223
+          L250
           shield
           Shielded region
         

         
-        
 218 │ // 219 │ // INLINE (above specific functions/methods) — for function-specific concerns: 220 │ // Place @exposes, @mitigates above the exact function where the risk or control lives 221 │ // Place @comment above tricky security-relevant code to explain intent 222 │ // 223 │ // @shield:end 224 │ \`\`\` 225 │  226 │ ### Severity — Be Honest, Not Alarmist 227 │ Annotations capture what COULD go wrong, calibrated to realistic risk: 228 │ - **[P0] / [critical]**: Directly exploitable by external attacker, severe impact (RCE, auth bypass, data breach)

+        
 245 │ // @flows #api-gateway -> #auth-service via internal.gRPC -- "Gateway forwards to auth microservice" 246 │ // @flows #auth-service -> #user-db via pg.query -- "Looks up user record by email" 247 │ // @flows #auth-service -> #session-store via redis.set -- "Stores session token with TTL" 248 │ // @flows #auth-service -> User_Browser via Set-Cookie -- "Returns session cookie to client" 249 │ // 250 │ // @shield:end 251 │ \`\`\` 252 │  253 │ ### @boundary — Mark Every Trust Zone Crossing 254 │ Place @boundary annotations where trust level changes between two components: 255 │ 

       

       

         

-          L250
+          L257
           shield
-          @accepts alternative examples, excluded from parsing
+          Boundary examples, excluded from parsing
         

         
-        
 245 │ 3. Add @comment explaining what controls COULD be added 246 │ 4. Optionally add @assumes to document any assumptions the code makes 247 │  248 │ Example — what to do when no mitigation exists: 249 │ \`\`\` 250 │ // @shield:begin -- "@accepts alternative examples, excluded from parsing" 251 │ // 252 │ // WRONG (AI rubber-stamping risk): 253 │ // @accepts #prompt-injection on #ai-endpoint -- "Relying on model safety filters" 254 │ // 255 │ // RIGHT (flag for human review):

+        
 252 │  253 │ ### @boundary — Mark Every Trust Zone Crossing 254 │ Place @boundary annotations where trust level changes between two components: 255 │  256 │ \`\`\` 257 │ // @shield:begin -- "Boundary examples, excluded from parsing" 258 │ // 259 │ // @boundary between #api-gateway and External_Internet (#public-boundary) -- "TLS termination, rate limiting at edge" 260 │ // @boundary between #backend and #database (#data-boundary) -- "Application to persistence layer, connection pooling via pgBouncer" 261 │ // @boundary between #app and #payment-provider (#vendor-boundary) -- "PCI-DSS scope boundary, tokenized card data only" 262 │ //

       

       

         

-          L260
+          L263
           shield
           Shielded region
         

         
-        
 255 │ // RIGHT (flag for human review): 256 │ // @exposes #ai-endpoint to #prompt-injection [P1] cwe:CWE-77 -- "User prompt passed directly to LLM API without sanitization" 257 │ // @audit #ai-endpoint -- "No prompt sanitization — needs human review to decide: add input filter or accept risk" 258 │ // @comment -- "Potential controls: #prompt-filter (input sanitization), #output-validator (response filtering)" 259 │ // 260 │ // @shield:end 261 │ \`\`\` 262 │  263 │ Leaving exposures unmitigated is HONEST. The dashboard and reports will surface them as open risks for humans to triage. 264 │  265 │ ### @shield — DO NOT USE Unless Explicitly Asked

+        
 258 │ // 259 │ // @boundary between #api-gateway and External_Internet (#public-boundary) -- "TLS termination, rate limiting at edge" 260 │ // @boundary between #backend and #database (#data-boundary) -- "Application to persistence layer, connection pooling via pgBouncer" 261 │ // @boundary between #app and #payment-provider (#vendor-boundary) -- "PCI-DSS scope boundary, tokenized card data only" 262 │ // 263 │ // @shield:end 264 │ \`\`\` 265 │  266 │ ### Where to Place Annotations 267 │ ${annotationMode === 'external' 268 │     ? 'Annotations go in associated `.gal` files, grouped by `@source` blocks that point at the real code location:'

       

       

         

-          L277
+          L322
           shield
-          Definition syntax examples, excluded from parsing
+          @accepts alternative examples, excluded from parsing
         

         
-        
 272 │  273 │ Definitions go in .guardlink/definitions.{ts,js,py,rs}. Source files use only relationship verbs. 274 │  275 │ ### Definitions (in .guardlink/definitions file) 276 │ \`\`\` 277 │ // @shield:begin -- "Definition syntax examples, excluded from parsing" 278 │ // @asset Server.Auth (#auth) -- "Authentication service handling login and session management" 279 │ // @threat SQL_Injection (#sqli) [P0] cwe:CWE-89 -- "Unsanitized input reaches SQL query builder" 280 │ // @control Prepared_Statements (#prepared-stmts) -- "Parameterized queries via ORM or driver placeholders" 281 │ // @shield:end 282 │ \`\`\`

+        
 317 │ 3. Add @comment explaining what controls COULD be added 318 │ 4. Optionally add @assumes to document any assumptions the code makes 319 │  320 │ Example — what to do when no mitigation exists: 321 │ \`\`\` 322 │ // @shield:begin -- "@accepts alternative examples, excluded from parsing" 323 │ // 324 │ // WRONG (AI rubber-stamping risk): 325 │ // @accepts #prompt-injection on #ai-endpoint -- "Relying on model safety filters" 326 │ // 327 │ // RIGHT (flag for human review):

       

       

         

-          L281
+          L332
           shield
           Shielded region
         

         
-        
 276 │ \`\`\` 277 │ // @shield:begin -- "Definition syntax examples, excluded from parsing" 278 │ // @asset Server.Auth (#auth) -- "Authentication service handling login and session management" 279 │ // @threat SQL_Injection (#sqli) [P0] cwe:CWE-89 -- "Unsanitized input reaches SQL query builder" 280 │ // @control Prepared_Statements (#prepared-stmts) -- "Parameterized queries via ORM or driver placeholders" 281 │ // @shield:end 282 │ \`\`\` 283 │  284 │ ### Relationships (in source files) 285 │ \`\`\` 286 │ // @shield:begin -- "Relationship syntax examples, excluded from parsing"

+        
 327 │ // RIGHT (flag for human review): 328 │ // @exposes #ai-endpoint to #prompt-injection [P1] cwe:CWE-77 -- "User prompt passed directly to LLM API without sanitization" 329 │ // @audit #ai-endpoint -- "No prompt sanitization — needs human review to decide: add input filter or accept risk" 330 │ // @comment -- "Potential controls: #prompt-filter (input sanitization), #output-validator (response filtering)" 331 │ // 332 │ // @shield:end 333 │ \`\`\` 334 │  335 │ Leaving exposures unmitigated is HONEST. The dashboard and reports will surface them as open risks for humans to triage. 336 │  337 │ ### Pentest-Confirmable vs Governance-Only Gaps

       

       

         

-          L286
+          L359
           shield
-          Relationship syntax examples, excluded from parsing
+          Definition syntax examples, excluded from parsing
         

         
-        
 281 │ // @shield:end 282 │ \`\`\` 283 │  284 │ ### Relationships (in source files) 285 │ \`\`\` 286 │ // @shield:begin -- "Relationship syntax examples, excluded from parsing" 287 │ // @exposes #auth to #sqli [P0] cwe:CWE-89 owasp:A03:2021 -- "User input concatenated into query" 288 │ // @mitigates #auth against #sqli using #prepared-stmts -- "Uses parameterized queries via sqlx" 289 │ // @audit #auth -- "Timing attack risk — needs human review to decide if bcrypt constant-time comparison is sufficient" 290 │ // @transfers #ddos from #api to #cdn -- "Cloudflare handles L7 DDoS mitigation" 291 │ // @flows req.body.username -> db.query via string-concat -- "User input flows to SQL"

+        
 354 │  355 │ Definitions go in .guardlink/definitions.{ts,js,py,rs}. Relationship annotations can live in source comments or standalone .gal files. 356 │  357 │ ### Definitions (in .guardlink/definitions file) 358 │ \`\`\` 359 │ // @shield:begin -- "Definition syntax examples, excluded from parsing" 360 │ // @asset Server.Auth (#auth) -- "Authentication service handling login and session management" 361 │ // @threat SQL_Injection (#sqli) [P0] cwe:CWE-89 -- "Unsanitized input reaches SQL query builder" 362 │ // @control Prepared_Statements (#prepared-stmts) -- "Parameterized queries via ORM or driver placeholders" 363 │ // @shield:end 364 │ \`\`\`

       

       

         

-          L299
+          L363
+          shield
+          Shielded region
+        

+        
+        
 358 │ \`\`\` 359 │ // @shield:begin -- "Definition syntax examples, excluded from parsing" 360 │ // @asset Server.Auth (#auth) -- "Authentication service handling login and session management" 361 │ // @threat SQL_Injection (#sqli) [P0] cwe:CWE-89 -- "Unsanitized input reaches SQL query builder" 362 │ // @control Prepared_Statements (#prepared-stmts) -- "Parameterized queries via ORM or driver placeholders" 363 │ // @shield:end 364 │ \`\`\` 365 │  366 │ ### Relationships (in source files) 367 │ \`\`\` 368 │ // @shield:begin -- "Relationship syntax examples, excluded from parsing"

+      

+      

+        

+          L368
+          shield
+          Relationship syntax examples, excluded from parsing
+        

+        
+        
 363 │ // @shield:end 364 │ \`\`\` 365 │  366 │ ### Relationships (in source files) 367 │ \`\`\` 368 │ // @shield:begin -- "Relationship syntax examples, excluded from parsing" 369 │ // @exposes #auth to #sqli [P0] cwe:CWE-89 owasp:A03:2021 -- "User input concatenated into query" 370 │ // @confirmed #sqli on #auth [critical] cwe:CWE-89 -- "Pentest 2026-04: time-based blind SQLi on /login confirmed" 371 │ // @mitigates #auth against #sqli using #prepared-stmts -- "Uses parameterized queries via sqlx" 372 │ // @audit #auth -- "Timing attack risk — needs human review to decide if bcrypt constant-time comparison is sufficient" 373 │ // @transfers #ddos from #api to #cdn -- "Cloudflare handles L7 DDoS mitigation"

+      

+      

+        

+          L383
           shield
           Shielded region
         

         
-        
 294 │ // @validates #prepared-stmts for #auth -- "Integration test sqlInjectionTest.ts confirms parameterized queries block SQLi payloads" 295 │ // @audit #auth -- "Session token rotation logic needs cryptographic review" 296 │ // @assumes #auth -- "Upstream API gateway has already validated TLS and rate-limited requests" 297 │ // @owns security-team for #auth -- "Security team reviews all auth PRs" 298 │ // @comment -- "Password hashing uses bcrypt with cost factor 12, migration from SHA256 completed in v2.1" 299 │ // @shield:end 300 │ \`\`\` 301 │  302 │ ## CRITICAL SYNTAX RULES (violations cause parse errors) 303 │  304 │ 1. **@boundary requires TWO assets**: \`@boundary between #A and #B\` or \`@boundary #A | #B\`.

+        
 378 │ // @audit #auth -- "Session token rotation logic needs cryptographic review" 379 │ // @assumes #auth -- "Upstream API gateway has already validated TLS and rate-limited requests" 380 │ // @owns security-team for #auth -- "Security team reviews all auth PRs" 381 │ // @feature "SSO Login" -- "Single sign-on authentication flow" 382 │ // @comment -- "Password hashing uses bcrypt with cost factor 12, migration from SHA256 completed in v2.1" 383 │ // @shield:end 384 │ \`\`\` 385 │  386 │ ### Relationships (in standalone .gal files) 387 │ \`\`\` 388 │ @source file:src/auth/login.ts line:42 symbol:authenticate

       

     

-  

+  

     

       src/analyze/index.ts
       
-        10
+        13
         
       
     

@@ -3260,9 +4625,36 @@ 
unknown

         
Processes project dependencies, env examples, code snippets

         
  12 │  * @exposes #llm-client to #data-exposure [low] cwe:CWE-200 -- "Serializes full threat model and code snippets for LLM"  13 │  * @audit #llm-client -- "Threat model data intentionally sent to LLM for analysis"  14 │  * @flows ThreatModel -> #llm-client via serializeModel -- "Model serialization input"  15 │  * @flows ProjectFiles -> #llm-client via readFileSync -- "Project context read"  16 │  * @flows #llm-client -> ReportFile via writeFileSync -- "Report output"  17 │  * @handles internal on #llm-client -- "Processes project dependencies, env examples, code snippets"  18 │  */  19 │   20 │ import { existsSync, mkdirSync, writeFileSync, readdirSync, readFileSync } from 'node:fs';  21 │ import { join, relative } from 'node:path';  22 │ import type { ThreatModel } from '../types/index.js';

       

+      

+        

+          L688
+          flow
+          PentestFindings → #llm-client
+        

+        
Reads CXG scan results for dashboard and report context

+        
 683 │ } 684 │  685 │ // ─── Pentest findings loader ───────────────────────────────────────── 686 │  687 │ /** 688 │  * @flows PentestFindings -> #llm-client via readFileSync -- "Reads CXG scan results for dashboard and report context" 689 │  * @handles internal on #llm-client -- "Processes pentest scan output (JSON/SARIF)" 690 │  */ 691 │  692 │ export interface PentestFinding { 693 │   id: string;

+      

+      

+        

+          L689
+          handles
+          #llm-client: internal
+        

+        
Processes pentest scan output (JSON/SARIF)

+        
 684 │  685 │ // ─── Pentest findings loader ───────────────────────────────────────── 686 │  687 │ /** 688 │  * @flows PentestFindings -> #llm-client via readFileSync -- "Reads CXG scan results for dashboard and report context" 689 │  * @handles internal on #llm-client -- "Processes pentest scan output (JSON/SARIF)" 690 │  */ 691 │  692 │ export interface PentestFinding { 693 │   id: string; 694 │   target: string;

+      

+      

+        

+          L761
+          mitigates
+          #path-validation mitigates #path-traversal
+        

+        
join() constrains reads to .guardlink/

+        
 756 │  757 │ /** 758 │  * Load pentest findings from .guardlink/pentest-findings/ and template 759 │  * metadata from .guardlink/cxg-templates/. 760 │  * 761 │  * @mitigates #llm-client against #path-traversal using #path-validation -- "join() constrains reads to .guardlink/" 762 │  */ 763 │ export function loadPentestData(root: string): PentestData { 764 │   const data: PentestData = { scans: [], templates: [], totalFindings: 0, findingsBySeverity: {} }; 765 │  766 │   // Load scan results (JSON files)

+      

     

-  

+  

     

       src/analyze/llm.ts
       
@@ -3373,7 +4765,7 @@ 
unknown

       

     

   

-  

+  

     

       src/analyze/prompts.ts
       
@@ -3403,7 +4795,7 @@ 
unknown

       

     

   

-  

+  

     

       src/analyze/tools.ts
       
@@ -3505,7 +4897,7 @@ 
unknown

       

     

   

-  

+  

     

       src/analyzer/index.ts
       
@@ -3535,7 +4927,7 @@ 
unknown

       

     

   

-  

+  

     

       src/analyzer/sarif.ts
       
@@ -3547,52 +4939,52 @@ 
unknown

       
       

         

-          L15
+          L16
           exposes
           #sarif → #data-exposure
         

         
Exposes threat model findings to SARIF consumers

-        
  10 │  * We emit results for:  11 │  *   1. Unmitigated exposures (the primary security findings)  12 │  *   2. Parse errors (annotation syntax problems)  13 │  *   3. Dangling references (broken #id refs)  14 │  *  15 │  * @exposes #sarif to #data-exposure [low] cwe:CWE-200 -- "Exposes threat model findings to SARIF consumers"  16 │  * @audit #sarif -- "SARIF output intentionally reveals security findings for CI/CD integration"  17 │  * @comment -- "Pure function: transforms ThreatModel to SARIF JSON; no I/O"  18 │  * @flows ThreatModel -> #sarif via generateSarif -- "Model input"  19 │  * @flows #sarif -> SarifLog via return -- "SARIF output"  20 │  */

+        
  11 │  *   1. Unmitigated exposures (the primary security findings)  12 │  *   2. @confirmed verified exploitable annotations (always error-level)  13 │  *   3. Parse errors (annotation syntax problems)  14 │  *   4. Dangling references (broken #id refs)  15 │  *  16 │  * @exposes #sarif to #data-exposure [low] cwe:CWE-200 -- "Exposes threat model findings to SARIF consumers"  17 │  * @audit #sarif -- "SARIF output intentionally reveals security findings for CI/CD integration"  18 │  * @comment -- "Pure function: transforms ThreatModel to SARIF JSON; no I/O"  19 │  * @flows ThreatModel -> #sarif via generateSarif -- "Model input"  20 │  * @flows #sarif -> SarifLog via return -- "SARIF output"  21 │  */

       

       

         

-          L16
+          L17
           audit
           Audit: #sarif
         

         
SARIF output intentionally reveals security findings for CI/CD integration

-        
  11 │  *   1. Unmitigated exposures (the primary security findings)  12 │  *   2. Parse errors (annotation syntax problems)  13 │  *   3. Dangling references (broken #id refs)  14 │  *  15 │  * @exposes #sarif to #data-exposure [low] cwe:CWE-200 -- "Exposes threat model findings to SARIF consumers"  16 │  * @audit #sarif -- "SARIF output intentionally reveals security findings for CI/CD integration"  17 │  * @comment -- "Pure function: transforms ThreatModel to SARIF JSON; no I/O"  18 │  * @flows ThreatModel -> #sarif via generateSarif -- "Model input"  19 │  * @flows #sarif -> SarifLog via return -- "SARIF output"  20 │  */  21 │ 

+        
  12 │  *   2. @confirmed verified exploitable annotations (always error-level)  13 │  *   3. Parse errors (annotation syntax problems)  14 │  *   4. Dangling references (broken #id refs)  15 │  *  16 │  * @exposes #sarif to #data-exposure [low] cwe:CWE-200 -- "Exposes threat model findings to SARIF consumers"  17 │  * @audit #sarif -- "SARIF output intentionally reveals security findings for CI/CD integration"  18 │  * @comment -- "Pure function: transforms ThreatModel to SARIF JSON; no I/O"  19 │  * @flows ThreatModel -> #sarif via generateSarif -- "Model input"  20 │  * @flows #sarif -> SarifLog via return -- "SARIF output"  21 │  */  22 │ 

       

       

         

-          L17
+          L18
           comment
           Pure function: transforms ThreatModel to SARIF JSON; no I/O
         

         
Pure function: transforms ThreatModel to SARIF JSON; no I/O

-        
  12 │  *   2. Parse errors (annotation syntax problems)  13 │  *   3. Dangling references (broken #id refs)  14 │  *  15 │  * @exposes #sarif to #data-exposure [low] cwe:CWE-200 -- "Exposes threat model findings to SARIF consumers"  16 │  * @audit #sarif -- "SARIF output intentionally reveals security findings for CI/CD integration"  17 │  * @comment -- "Pure function: transforms ThreatModel to SARIF JSON; no I/O"  18 │  * @flows ThreatModel -> #sarif via generateSarif -- "Model input"  19 │  * @flows #sarif -> SarifLog via return -- "SARIF output"  20 │  */  21 │   22 │ import type { ThreatModel, ThreatModelExposure, ParseDiagnostic, Severity } from '../types/index.js';

+        
  13 │  *   3. Parse errors (annotation syntax problems)  14 │  *   4. Dangling references (broken #id refs)  15 │  *  16 │  * @exposes #sarif to #data-exposure [low] cwe:CWE-200 -- "Exposes threat model findings to SARIF consumers"  17 │  * @audit #sarif -- "SARIF output intentionally reveals security findings for CI/CD integration"  18 │  * @comment -- "Pure function: transforms ThreatModel to SARIF JSON; no I/O"  19 │  * @flows ThreatModel -> #sarif via generateSarif -- "Model input"  20 │  * @flows #sarif -> SarifLog via return -- "SARIF output"  21 │  */  22 │   23 │ import type { ThreatModel, ThreatModelExposure, ParseDiagnostic, Severity } from '../types/index.js';

       

       

         

-          L18
+          L19
           flow
           ThreatModel → #sarif
         

         
Model input

-        
  13 │  *   3. Dangling references (broken #id refs)  14 │  *  15 │  * @exposes #sarif to #data-exposure [low] cwe:CWE-200 -- "Exposes threat model findings to SARIF consumers"  16 │  * @audit #sarif -- "SARIF output intentionally reveals security findings for CI/CD integration"  17 │  * @comment -- "Pure function: transforms ThreatModel to SARIF JSON; no I/O"  18 │  * @flows ThreatModel -> #sarif via generateSarif -- "Model input"  19 │  * @flows #sarif -> SarifLog via return -- "SARIF output"  20 │  */  21 │   22 │ import type { ThreatModel, ThreatModelExposure, ParseDiagnostic, Severity } from '../types/index.js';  23 │ 

+        
  14 │  *   4. Dangling references (broken #id refs)  15 │  *  16 │  * @exposes #sarif to #data-exposure [low] cwe:CWE-200 -- "Exposes threat model findings to SARIF consumers"  17 │  * @audit #sarif -- "SARIF output intentionally reveals security findings for CI/CD integration"  18 │  * @comment -- "Pure function: transforms ThreatModel to SARIF JSON; no I/O"  19 │  * @flows ThreatModel -> #sarif via generateSarif -- "Model input"  20 │  * @flows #sarif -> SarifLog via return -- "SARIF output"  21 │  */  22 │   23 │ import type { ThreatModel, ThreatModelExposure, ParseDiagnostic, Severity } from '../types/index.js';  24 │ 

       

       

         

-          L19
+          L20
           flow
           #sarif → SarifLog
         

         
SARIF output

-        
  14 │  *  15 │  * @exposes #sarif to #data-exposure [low] cwe:CWE-200 -- "Exposes threat model findings to SARIF consumers"  16 │  * @audit #sarif -- "SARIF output intentionally reveals security findings for CI/CD integration"  17 │  * @comment -- "Pure function: transforms ThreatModel to SARIF JSON; no I/O"  18 │  * @flows ThreatModel -> #sarif via generateSarif -- "Model input"  19 │  * @flows #sarif -> SarifLog via return -- "SARIF output"  20 │  */  21 │   22 │ import type { ThreatModel, ThreatModelExposure, ParseDiagnostic, Severity } from '../types/index.js';  23 │   24 │ // ─── SARIF 2.1.0 types (subset) ─────────────────────────────────────

+        
  15 │  *  16 │  * @exposes #sarif to #data-exposure [low] cwe:CWE-200 -- "Exposes threat model findings to SARIF consumers"  17 │  * @audit #sarif -- "SARIF output intentionally reveals security findings for CI/CD integration"  18 │  * @comment -- "Pure function: transforms ThreatModel to SARIF JSON; no I/O"  19 │  * @flows ThreatModel -> #sarif via generateSarif -- "Model input"  20 │  * @flows #sarif -> SarifLog via return -- "SARIF output"  21 │  */  22 │   23 │ import type { ThreatModel, ThreatModelExposure, ParseDiagnostic, Severity } from '../types/index.js';  24 │   25 │ // ─── SARIF 2.1.0 types (subset) ─────────────────────────────────────

       

     

   

-  

+  

     

       src/cli/index.ts
       
@@ -3604,199 +4996,265 @@ 
unknown

       
       

         

-          L25
+          L27
           exposes
           #cli → #path-traversal
         

         
User-supplied dir argument resolved via path.resolve

-        
  20 │  *   guardlink tui [dir]               Interactive TUI with slash commands + AI chat  21 │  *   guardlink gal                     Display GAL annotation language quick reference  22 │  *   guardlink link-project <repos...>  Link repos into a shared workspace  23 │  *   guardlink merge <files...>         Merge repo reports into unified dashboard  24 │  *  25 │  * @exposes #cli to #path-traversal [high] cwe:CWE-22 -- "User-supplied dir argument resolved via path.resolve"  26 │  * @mitigates #cli against #path-traversal using #path-validation -- "resolve() canonicalizes paths; cwd-relative by design"  27 │  * @exposes #cli to #arbitrary-write [high] cwe:CWE-73 -- "init/report/sarif/dashboard write files to user-specified paths"  28 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  29 │  * @exposes #cli to #api-key-exposure [high] cwe:CWE-798 -- "API keys handled in config set/show commands"  30 │  * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"

+        
  22 │  *   guardlink tui [dir]               Interactive TUI with slash commands + AI chat  23 │  *   guardlink gal                     Display GAL annotation language quick reference  24 │  *   guardlink link-project <repos...>  Link repos into a shared workspace  25 │  *   guardlink merge <files...>         Merge repo reports into unified dashboard  26 │  *  27 │  * @exposes #cli to #path-traversal [high] cwe:CWE-22 -- "User-supplied dir argument resolved via path.resolve"  28 │  * @mitigates #cli against #path-traversal using #path-validation -- "resolve() canonicalizes paths; cwd-relative by design"  29 │  * @exposes #cli to #arbitrary-write [high] cwe:CWE-73 -- "init/report/sarif/dashboard write files to user-specified paths"  30 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  31 │  * @exposes #cli to #api-key-exposure [high] cwe:CWE-798 -- "API keys handled in config set/show commands"  32 │  * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"

       

       

         

-          L26
+          L28
           mitigates
           #path-validation mitigates #path-traversal
         

         
resolve() canonicalizes paths; cwd-relative by design

-        
  21 │  *   guardlink gal                     Display GAL annotation language quick reference  22 │  *   guardlink link-project <repos...>  Link repos into a shared workspace  23 │  *   guardlink merge <files...>         Merge repo reports into unified dashboard  24 │  *  25 │  * @exposes #cli to #path-traversal [high] cwe:CWE-22 -- "User-supplied dir argument resolved via path.resolve"  26 │  * @mitigates #cli against #path-traversal using #path-validation -- "resolve() canonicalizes paths; cwd-relative by design"  27 │  * @exposes #cli to #arbitrary-write [high] cwe:CWE-73 -- "init/report/sarif/dashboard write files to user-specified paths"  28 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  29 │  * @exposes #cli to #api-key-exposure [high] cwe:CWE-798 -- "API keys handled in config set/show commands"  30 │  * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"  31 │  * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"

+        
  23 │  *   guardlink gal                     Display GAL annotation language quick reference  24 │  *   guardlink link-project <repos...>  Link repos into a shared workspace  25 │  *   guardlink merge <files...>         Merge repo reports into unified dashboard  26 │  *  27 │  * @exposes #cli to #path-traversal [high] cwe:CWE-22 -- "User-supplied dir argument resolved via path.resolve"  28 │  * @mitigates #cli against #path-traversal using #path-validation -- "resolve() canonicalizes paths; cwd-relative by design"  29 │  * @exposes #cli to #arbitrary-write [high] cwe:CWE-73 -- "init/report/sarif/dashboard write files to user-specified paths"  30 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  31 │  * @exposes #cli to #api-key-exposure [high] cwe:CWE-798 -- "API keys handled in config set/show commands"  32 │  * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"  33 │  * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"

       

       

         

-          L27
+          L29
           exposes
           #cli → #arbitrary-write
         

         
init/report/sarif/dashboard write files to user-specified paths

-        
  22 │  *   guardlink link-project <repos...>  Link repos into a shared workspace  23 │  *   guardlink merge <files...>         Merge repo reports into unified dashboard  24 │  *  25 │  * @exposes #cli to #path-traversal [high] cwe:CWE-22 -- "User-supplied dir argument resolved via path.resolve"  26 │  * @mitigates #cli against #path-traversal using #path-validation -- "resolve() canonicalizes paths; cwd-relative by design"  27 │  * @exposes #cli to #arbitrary-write [high] cwe:CWE-73 -- "init/report/sarif/dashboard write files to user-specified paths"  28 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  29 │  * @exposes #cli to #api-key-exposure [high] cwe:CWE-798 -- "API keys handled in config set/show commands"  30 │  * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"  31 │  * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"  32 │  * @audit #cli -- "Child process spawning delegated to agents/launcher.ts with explicit args"

+        
  24 │  *   guardlink link-project <repos...>  Link repos into a shared workspace  25 │  *   guardlink merge <files...>         Merge repo reports into unified dashboard  26 │  *  27 │  * @exposes #cli to #path-traversal [high] cwe:CWE-22 -- "User-supplied dir argument resolved via path.resolve"  28 │  * @mitigates #cli against #path-traversal using #path-validation -- "resolve() canonicalizes paths; cwd-relative by design"  29 │  * @exposes #cli to #arbitrary-write [high] cwe:CWE-73 -- "init/report/sarif/dashboard write files to user-specified paths"  30 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  31 │  * @exposes #cli to #api-key-exposure [high] cwe:CWE-798 -- "API keys handled in config set/show commands"  32 │  * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"  33 │  * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"  34 │  * @audit #cli -- "Child process spawning delegated to agents/launcher.ts with explicit args"

       

       

         

-          L28
+          L30
           mitigates
           #path-validation mitigates #arbitrary-write
         

         
Output paths resolved relative to project root

-        
  23 │  *   guardlink merge <files...>         Merge repo reports into unified dashboard  24 │  *  25 │  * @exposes #cli to #path-traversal [high] cwe:CWE-22 -- "User-supplied dir argument resolved via path.resolve"  26 │  * @mitigates #cli against #path-traversal using #path-validation -- "resolve() canonicalizes paths; cwd-relative by design"  27 │  * @exposes #cli to #arbitrary-write [high] cwe:CWE-73 -- "init/report/sarif/dashboard write files to user-specified paths"  28 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  29 │  * @exposes #cli to #api-key-exposure [high] cwe:CWE-798 -- "API keys handled in config set/show commands"  30 │  * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"  31 │  * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"  32 │  * @audit #cli -- "Child process spawning delegated to agents/launcher.ts with explicit args"  33 │  * @flows UserArgs -> #cli via process.argv -- "CLI argument input path"

+        
  25 │  *   guardlink merge <files...>         Merge repo reports into unified dashboard  26 │  *  27 │  * @exposes #cli to #path-traversal [high] cwe:CWE-22 -- "User-supplied dir argument resolved via path.resolve"  28 │  * @mitigates #cli against #path-traversal using #path-validation -- "resolve() canonicalizes paths; cwd-relative by design"  29 │  * @exposes #cli to #arbitrary-write [high] cwe:CWE-73 -- "init/report/sarif/dashboard write files to user-specified paths"  30 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  31 │  * @exposes #cli to #api-key-exposure [high] cwe:CWE-798 -- "API keys handled in config set/show commands"  32 │  * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"  33 │  * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"  34 │  * @audit #cli -- "Child process spawning delegated to agents/launcher.ts with explicit args"  35 │  * @flows UserArgs -> #cli via process.argv -- "CLI argument input path"

       

       

         

-          L29
+          L31
           exposes
           #cli → #api-key-exposure
         

         
API keys handled in config set/show commands

-        
  24 │  *  25 │  * @exposes #cli to #path-traversal [high] cwe:CWE-22 -- "User-supplied dir argument resolved via path.resolve"  26 │  * @mitigates #cli against #path-traversal using #path-validation -- "resolve() canonicalizes paths; cwd-relative by design"  27 │  * @exposes #cli to #arbitrary-write [high] cwe:CWE-73 -- "init/report/sarif/dashboard write files to user-specified paths"  28 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  29 │  * @exposes #cli to #api-key-exposure [high] cwe:CWE-798 -- "API keys handled in config set/show commands"  30 │  * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"  31 │  * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"  32 │  * @audit #cli -- "Child process spawning delegated to agents/launcher.ts with explicit args"  33 │  * @flows UserArgs -> #cli via process.argv -- "CLI argument input path"  34 │  * @flows #cli -> FileSystem via writeFile -- "Report/config output path"

+        
  26 │  *  27 │  * @exposes #cli to #path-traversal [high] cwe:CWE-22 -- "User-supplied dir argument resolved via path.resolve"  28 │  * @mitigates #cli against #path-traversal using #path-validation -- "resolve() canonicalizes paths; cwd-relative by design"  29 │  * @exposes #cli to #arbitrary-write [high] cwe:CWE-73 -- "init/report/sarif/dashboard write files to user-specified paths"  30 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  31 │  * @exposes #cli to #api-key-exposure [high] cwe:CWE-798 -- "API keys handled in config set/show commands"  32 │  * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"  33 │  * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"  34 │  * @audit #cli -- "Child process spawning delegated to agents/launcher.ts with explicit args"  35 │  * @flows UserArgs -> #cli via process.argv -- "CLI argument input path"  36 │  * @flows #cli -> FileSystem via writeFile -- "Report/config output path"

       

       

         

-          L30
+          L32
           mitigates
           #key-redaction mitigates #api-key-exposure
         

         
maskKey() redacts keys in show output

-        
  25 │  * @exposes #cli to #path-traversal [high] cwe:CWE-22 -- "User-supplied dir argument resolved via path.resolve"  26 │  * @mitigates #cli against #path-traversal using #path-validation -- "resolve() canonicalizes paths; cwd-relative by design"  27 │  * @exposes #cli to #arbitrary-write [high] cwe:CWE-73 -- "init/report/sarif/dashboard write files to user-specified paths"  28 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  29 │  * @exposes #cli to #api-key-exposure [high] cwe:CWE-798 -- "API keys handled in config set/show commands"  30 │  * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"  31 │  * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"  32 │  * @audit #cli -- "Child process spawning delegated to agents/launcher.ts with explicit args"  33 │  * @flows UserArgs -> #cli via process.argv -- "CLI argument input path"  34 │  * @flows #cli -> FileSystem via writeFile -- "Report/config output path"  35 │  * @boundary #cli and UserInput (#cli-input-boundary) -- "Trust boundary at CLI argument parsing"

+        
  27 │  * @exposes #cli to #path-traversal [high] cwe:CWE-22 -- "User-supplied dir argument resolved via path.resolve"  28 │  * @mitigates #cli against #path-traversal using #path-validation -- "resolve() canonicalizes paths; cwd-relative by design"  29 │  * @exposes #cli to #arbitrary-write [high] cwe:CWE-73 -- "init/report/sarif/dashboard write files to user-specified paths"  30 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  31 │  * @exposes #cli to #api-key-exposure [high] cwe:CWE-798 -- "API keys handled in config set/show commands"  32 │  * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"  33 │  * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"  34 │  * @audit #cli -- "Child process spawning delegated to agents/launcher.ts with explicit args"  35 │  * @flows UserArgs -> #cli via process.argv -- "CLI argument input path"  36 │  * @flows #cli -> FileSystem via writeFile -- "Report/config output path"  37 │  * @boundary #cli and UserInput (#cli-input-boundary) -- "Trust boundary at CLI argument parsing"

       

       

         

-          L31
+          L33
           exposes
           #cli → #cmd-injection
         

         
Agent launcher spawns child processes

-        
  26 │  * @mitigates #cli against #path-traversal using #path-validation -- "resolve() canonicalizes paths; cwd-relative by design"  27 │  * @exposes #cli to #arbitrary-write [high] cwe:CWE-73 -- "init/report/sarif/dashboard write files to user-specified paths"  28 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  29 │  * @exposes #cli to #api-key-exposure [high] cwe:CWE-798 -- "API keys handled in config set/show commands"  30 │  * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"  31 │  * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"  32 │  * @audit #cli -- "Child process spawning delegated to agents/launcher.ts with explicit args"  33 │  * @flows UserArgs -> #cli via process.argv -- "CLI argument input path"  34 │  * @flows #cli -> FileSystem via writeFile -- "Report/config output path"  35 │  * @boundary #cli and UserInput (#cli-input-boundary) -- "Trust boundary at CLI argument parsing"  36 │  * @handles secrets on #cli -- "Processes API keys via config commands"

+        
  28 │  * @mitigates #cli against #path-traversal using #path-validation -- "resolve() canonicalizes paths; cwd-relative by design"  29 │  * @exposes #cli to #arbitrary-write [high] cwe:CWE-73 -- "init/report/sarif/dashboard write files to user-specified paths"  30 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  31 │  * @exposes #cli to #api-key-exposure [high] cwe:CWE-798 -- "API keys handled in config set/show commands"  32 │  * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"  33 │  * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"  34 │  * @audit #cli -- "Child process spawning delegated to agents/launcher.ts with explicit args"  35 │  * @flows UserArgs -> #cli via process.argv -- "CLI argument input path"  36 │  * @flows #cli -> FileSystem via writeFile -- "Report/config output path"  37 │  * @boundary #cli and UserInput (#cli-input-boundary) -- "Trust boundary at CLI argument parsing"  38 │  * @handles secrets on #cli -- "Processes API keys via config commands"

       

       

         

-          L32
+          L34
           audit
           Audit: #cli
         

         
Child process spawning delegated to agents/launcher.ts with explicit args

-        
  27 │  * @exposes #cli to #arbitrary-write [high] cwe:CWE-73 -- "init/report/sarif/dashboard write files to user-specified paths"  28 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  29 │  * @exposes #cli to #api-key-exposure [high] cwe:CWE-798 -- "API keys handled in config set/show commands"  30 │  * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"  31 │  * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"  32 │  * @audit #cli -- "Child process spawning delegated to agents/launcher.ts with explicit args"  33 │  * @flows UserArgs -> #cli via process.argv -- "CLI argument input path"  34 │  * @flows #cli -> FileSystem via writeFile -- "Report/config output path"  35 │  * @boundary #cli and UserInput (#cli-input-boundary) -- "Trust boundary at CLI argument parsing"  36 │  * @handles secrets on #cli -- "Processes API keys via config commands"  37 │  */

+        
  29 │  * @exposes #cli to #arbitrary-write [high] cwe:CWE-73 -- "init/report/sarif/dashboard write files to user-specified paths"  30 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  31 │  * @exposes #cli to #api-key-exposure [high] cwe:CWE-798 -- "API keys handled in config set/show commands"  32 │  * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"  33 │  * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"  34 │  * @audit #cli -- "Child process spawning delegated to agents/launcher.ts with explicit args"  35 │  * @flows UserArgs -> #cli via process.argv -- "CLI argument input path"  36 │  * @flows #cli -> FileSystem via writeFile -- "Report/config output path"  37 │  * @boundary #cli and UserInput (#cli-input-boundary) -- "Trust boundary at CLI argument parsing"  38 │  * @handles secrets on #cli -- "Processes API keys via config commands"  39 │  */

       

       

         

-          L33
+          L35
           flow
           UserArgs → #cli
         

         
CLI argument input path

-        
  28 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  29 │  * @exposes #cli to #api-key-exposure [high] cwe:CWE-798 -- "API keys handled in config set/show commands"  30 │  * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"  31 │  * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"  32 │  * @audit #cli -- "Child process spawning delegated to agents/launcher.ts with explicit args"  33 │  * @flows UserArgs -> #cli via process.argv -- "CLI argument input path"  34 │  * @flows #cli -> FileSystem via writeFile -- "Report/config output path"  35 │  * @boundary #cli and UserInput (#cli-input-boundary) -- "Trust boundary at CLI argument parsing"  36 │  * @handles secrets on #cli -- "Processes API keys via config commands"  37 │  */  38 │ 

+        
  30 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  31 │  * @exposes #cli to #api-key-exposure [high] cwe:CWE-798 -- "API keys handled in config set/show commands"  32 │  * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"  33 │  * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"  34 │  * @audit #cli -- "Child process spawning delegated to agents/launcher.ts with explicit args"  35 │  * @flows UserArgs -> #cli via process.argv -- "CLI argument input path"  36 │  * @flows #cli -> FileSystem via writeFile -- "Report/config output path"  37 │  * @boundary #cli and UserInput (#cli-input-boundary) -- "Trust boundary at CLI argument parsing"  38 │  * @handles secrets on #cli -- "Processes API keys via config commands"  39 │  */  40 │ 

       

       

         

-          L34
+          L36
           flow
           #cli → FileSystem
         

         
Report/config output path

-        
  29 │  * @exposes #cli to #api-key-exposure [high] cwe:CWE-798 -- "API keys handled in config set/show commands"  30 │  * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"  31 │  * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"  32 │  * @audit #cli -- "Child process spawning delegated to agents/launcher.ts with explicit args"  33 │  * @flows UserArgs -> #cli via process.argv -- "CLI argument input path"  34 │  * @flows #cli -> FileSystem via writeFile -- "Report/config output path"  35 │  * @boundary #cli and UserInput (#cli-input-boundary) -- "Trust boundary at CLI argument parsing"  36 │  * @handles secrets on #cli -- "Processes API keys via config commands"  37 │  */  38 │   39 │ import { Command } from 'commander';

+        
  31 │  * @exposes #cli to #api-key-exposure [high] cwe:CWE-798 -- "API keys handled in config set/show commands"  32 │  * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"  33 │  * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"  34 │  * @audit #cli -- "Child process spawning delegated to agents/launcher.ts with explicit args"  35 │  * @flows UserArgs -> #cli via process.argv -- "CLI argument input path"  36 │  * @flows #cli -> FileSystem via writeFile -- "Report/config output path"  37 │  * @boundary #cli and UserInput (#cli-input-boundary) -- "Trust boundary at CLI argument parsing"  38 │  * @handles secrets on #cli -- "Processes API keys via config commands"  39 │  */  40 │   41 │ import { Command } from 'commander';

       

       

         

-          L35
+          L37
           boundary
           #cli ↔ UserInput
         

         
Trust boundary at CLI argument parsing

-        
  30 │  * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"  31 │  * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"  32 │  * @audit #cli -- "Child process spawning delegated to agents/launcher.ts with explicit args"  33 │  * @flows UserArgs -> #cli via process.argv -- "CLI argument input path"  34 │  * @flows #cli -> FileSystem via writeFile -- "Report/config output path"  35 │  * @boundary #cli and UserInput (#cli-input-boundary) -- "Trust boundary at CLI argument parsing"  36 │  * @handles secrets on #cli -- "Processes API keys via config commands"  37 │  */  38 │   39 │ import { Command } from 'commander';  40 │ import { resolve, basename } from 'node:path';

+        
  32 │  * @mitigates #cli against #api-key-exposure using #key-redaction -- "maskKey() redacts keys in show output"  33 │  * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"  34 │  * @audit #cli -- "Child process spawning delegated to agents/launcher.ts with explicit args"  35 │  * @flows UserArgs -> #cli via process.argv -- "CLI argument input path"  36 │  * @flows #cli -> FileSystem via writeFile -- "Report/config output path"  37 │  * @boundary #cli and UserInput (#cli-input-boundary) -- "Trust boundary at CLI argument parsing"  38 │  * @handles secrets on #cli -- "Processes API keys via config commands"  39 │  */  40 │   41 │ import { Command } from 'commander';  42 │ import { resolve, basename } from 'node:path';

       

       

         

-          L36
+          L38
           handles
           #cli: secrets
         

         
Processes API keys via config commands

-        
  31 │  * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"  32 │  * @audit #cli -- "Child process spawning delegated to agents/launcher.ts with explicit args"  33 │  * @flows UserArgs -> #cli via process.argv -- "CLI argument input path"  34 │  * @flows #cli -> FileSystem via writeFile -- "Report/config output path"  35 │  * @boundary #cli and UserInput (#cli-input-boundary) -- "Trust boundary at CLI argument parsing"  36 │  * @handles secrets on #cli -- "Processes API keys via config commands"  37 │  */  38 │   39 │ import { Command } from 'commander';  40 │ import { resolve, basename } from 'node:path';  41 │ import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'node:fs';

+        
  33 │  * @exposes #cli to #cmd-injection [critical] cwe:CWE-78 -- "Agent launcher spawns child processes"  34 │  * @audit #cli -- "Child process spawning delegated to agents/launcher.ts with explicit args"  35 │  * @flows UserArgs -> #cli via process.argv -- "CLI argument input path"  36 │  * @flows #cli -> FileSystem via writeFile -- "Report/config output path"  37 │  * @boundary #cli and UserInput (#cli-input-boundary) -- "Trust boundary at CLI argument parsing"  38 │  * @handles secrets on #cli -- "Processes API keys via config commands"  39 │  */  40 │   41 │ import { Command } from 'commander';  42 │ import { resolve, basename } from 'node:path';  43 │ import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'node:fs';

       

     

   

-  

+  

     

-      src/dashboard/generate.ts
+      src/dashboard/diagrams.ts
       
-        8
+        4
         
       
     

     

       
       

+        

+          L15
+          flow
+          ThreatModel → #dashboard
+        

+        
Threat model relationships rendered as Mermaid source

+        
  10 │  * All four generators share a single alias map so that #id, bare id, name, and  11 │  * path.join() forms of an asset/threat/control collapse onto the same node.  12 │  * This removes the long-standing duplicate-node bug that made the Mermaid  13 │  * diagrams render the same asset twice whenever sources mixed ref forms.  14 │  *  15 │  * @flows ThreatModel -> #dashboard via generateThreatGraph -- "Threat model relationships rendered as Mermaid source"  16 │  * @flows ThreatModel -> #dashboard via generateTopologyData -- "Threat model relationships rendered as structured D3 graph data"  17 │  * @mitigates #dashboard against #xss using #output-encoding -- "Diagram labels are sanitized for Mermaid and emitted to D3 as text data"  18 │  * @comment -- "Alias map collapses #id / name / path-joined ref forms so Mermaid and D3 views agree on identity"  19 │  */  20 │ 

+      

+      

+        

+          L16
+          flow
+          ThreatModel → #dashboard
+        

+        
Threat model relationships rendered as structured D3 graph data

+        
  11 │  * path.join() forms of an asset/threat/control collapse onto the same node.  12 │  * This removes the long-standing duplicate-node bug that made the Mermaid  13 │  * diagrams render the same asset twice whenever sources mixed ref forms.  14 │  *  15 │  * @flows ThreatModel -> #dashboard via generateThreatGraph -- "Threat model relationships rendered as Mermaid source"  16 │  * @flows ThreatModel -> #dashboard via generateTopologyData -- "Threat model relationships rendered as structured D3 graph data"  17 │  * @mitigates #dashboard against #xss using #output-encoding -- "Diagram labels are sanitized for Mermaid and emitted to D3 as text data"  18 │  * @comment -- "Alias map collapses #id / name / path-joined ref forms so Mermaid and D3 views agree on identity"  19 │  */  20 │   21 │ import type { ThreatModel } from '../types/index.js';

+      

+      

+        

+          L17
+          mitigates
+          #output-encoding mitigates #xss
+        

+        
Diagram labels are sanitized for Mermaid and emitted to D3 as text data

+        
  12 │  * This removes the long-standing duplicate-node bug that made the Mermaid  13 │  * diagrams render the same asset twice whenever sources mixed ref forms.  14 │  *  15 │  * @flows ThreatModel -> #dashboard via generateThreatGraph -- "Threat model relationships rendered as Mermaid source"  16 │  * @flows ThreatModel -> #dashboard via generateTopologyData -- "Threat model relationships rendered as structured D3 graph data"  17 │  * @mitigates #dashboard against #xss using #output-encoding -- "Diagram labels are sanitized for Mermaid and emitted to D3 as text data"  18 │  * @comment -- "Alias map collapses #id / name / path-joined ref forms so Mermaid and D3 views agree on identity"  19 │  */  20 │   21 │ import type { ThreatModel } from '../types/index.js';  22 │ 

+      

+      

+        

+          L18
+          comment
+          Alias map collapses #id / name / path-joined ref forms so Mermaid and D3 views agree on identity
+        

+        
Alias map collapses #id / name / path-joined ref forms so Mermaid and D3 views agree on identity

+        
  13 │  * diagrams render the same asset twice whenever sources mixed ref forms.  14 │  *  15 │  * @flows ThreatModel -> #dashboard via generateThreatGraph -- "Threat model relationships rendered as Mermaid source"  16 │  * @flows ThreatModel -> #dashboard via generateTopologyData -- "Threat model relationships rendered as structured D3 graph data"  17 │  * @mitigates #dashboard against #xss using #output-encoding -- "Diagram labels are sanitized for Mermaid and emitted to D3 as text data"  18 │  * @comment -- "Alias map collapses #id / name / path-joined ref forms so Mermaid and D3 views agree on identity"  19 │  */  20 │   21 │ import type { ThreatModel } from '../types/index.js';  22 │   23 │ /* ══════════════════════════════════════════════════════════════════════════

+      

+    

+  

+  

+    

+      src/dashboard/generate.ts
+      
+        10
+        
+      
+    

+    

+      
+      

         

           L8
           exposes
           #dashboard → #xss
         

         
Generates HTML with user-controlled threat model data

-        
   3 │  *   4 │  * Sidebar navigation + drawer detail panel + dark/light toggle.   5 │  * 7 pages: Summary, AI Analysis, Threats, Diagrams, Code, Data, Assets.   6 │  * Mermaid.js via CDN for diagrams. Zero build step.   7 │  *   8 │  * @exposes #dashboard to #xss [high] cwe:CWE-79 -- "Generates HTML with user-controlled threat model data"   9 │  * @mitigates #dashboard against #xss using #output-encoding -- "esc() HTML-encodes all interpolated values"  10 │  * @exposes #dashboard to #path-traversal [medium] cwe:CWE-22 -- "readFileSync reads code files for annotation context"  11 │  * @mitigates #dashboard against #path-traversal using #path-validation -- "resolve() with root constrains file access"  12 │  * @flows ThreatModel -> #dashboard via computeStats -- "Model statistics input"  13 │  * @flows SourceFiles -> #dashboard via readFileSync -- "Code snippet reads"

+        
   3 │  *   4 │  * Sidebar navigation + drawer detail panel + dark/light toggle.   5 │  * 7 pages: Summary, AI Analysis, Threats, Diagrams, Code, Data, Assets.   6 │  * Mermaid.js via CDN for diagrams. Zero build step.   7 │  *   8 │  * @exposes #dashboard to #xss [high] cwe:CWE-79 -- "Generates HTML with user-controlled threat model data"   9 │  * @mitigates #dashboard against #xss using #output-encoding -- "esc() HTML-encodes all interpolated values"  10 │  * @exposes #dashboard to #path-traversal [medium] cwe:CWE-22 -- "readFileSync reads code files for annotation context"  11 │  * @mitigates #dashboard against #path-traversal using #path-validation -- "resolve() with root constrains file access"  12 │  * @flows ThreatModel -> #dashboard via computeStats -- "Model statistics input"  13 │  * @flows ThreatModel -> #dashboard via topologyData -- "Serialized diagram graph consumed by client-side D3 renderer"

       

-      

+      

         

           L9
           mitigates
           #output-encoding mitigates #xss
         

         
esc() HTML-encodes all interpolated values

-        
   4 │  * Sidebar navigation + drawer detail panel + dark/light toggle.   5 │  * 7 pages: Summary, AI Analysis, Threats, Diagrams, Code, Data, Assets.   6 │  * Mermaid.js via CDN for diagrams. Zero build step.   7 │  *   8 │  * @exposes #dashboard to #xss [high] cwe:CWE-79 -- "Generates HTML with user-controlled threat model data"   9 │  * @mitigates #dashboard against #xss using #output-encoding -- "esc() HTML-encodes all interpolated values"  10 │  * @exposes #dashboard to #path-traversal [medium] cwe:CWE-22 -- "readFileSync reads code files for annotation context"  11 │  * @mitigates #dashboard against #path-traversal using #path-validation -- "resolve() with root constrains file access"  12 │  * @flows ThreatModel -> #dashboard via computeStats -- "Model statistics input"  13 │  * @flows SourceFiles -> #dashboard via readFileSync -- "Code snippet reads"  14 │  * @flows #dashboard -> HTML via return -- "Generated HTML output"

+        
   4 │  * Sidebar navigation + drawer detail panel + dark/light toggle.   5 │  * 7 pages: Summary, AI Analysis, Threats, Diagrams, Code, Data, Assets.   6 │  * Mermaid.js via CDN for diagrams. Zero build step.   7 │  *   8 │  * @exposes #dashboard to #xss [high] cwe:CWE-79 -- "Generates HTML with user-controlled threat model data"   9 │  * @mitigates #dashboard against #xss using #output-encoding -- "esc() HTML-encodes all interpolated values"  10 │  * @exposes #dashboard to #path-traversal [medium] cwe:CWE-22 -- "readFileSync reads code files for annotation context"  11 │  * @mitigates #dashboard against #path-traversal using #path-validation -- "resolve() with root constrains file access"  12 │  * @flows ThreatModel -> #dashboard via computeStats -- "Model statistics input"  13 │  * @flows ThreatModel -> #dashboard via topologyData -- "Serialized diagram graph consumed by client-side D3 renderer"  14 │  * @flows SourceFiles -> #dashboard via readFileSync -- "Code snippet reads"

       

-      

+      

         

           L10
           exposes
           #dashboard → #path-traversal
         

         
readFileSync reads code files for annotation context

-        
   5 │  * 7 pages: Summary, AI Analysis, Threats, Diagrams, Code, Data, Assets.   6 │  * Mermaid.js via CDN for diagrams. Zero build step.   7 │  *   8 │  * @exposes #dashboard to #xss [high] cwe:CWE-79 -- "Generates HTML with user-controlled threat model data"   9 │  * @mitigates #dashboard against #xss using #output-encoding -- "esc() HTML-encodes all interpolated values"  10 │  * @exposes #dashboard to #path-traversal [medium] cwe:CWE-22 -- "readFileSync reads code files for annotation context"  11 │  * @mitigates #dashboard against #path-traversal using #path-validation -- "resolve() with root constrains file access"  12 │  * @flows ThreatModel -> #dashboard via computeStats -- "Model statistics input"  13 │  * @flows SourceFiles -> #dashboard via readFileSync -- "Code snippet reads"  14 │  * @flows #dashboard -> HTML via return -- "Generated HTML output"  15 │  * @handles internal on #dashboard -- "Processes and displays threat model data"

+        
   5 │  * 7 pages: Summary, AI Analysis, Threats, Diagrams, Code, Data, Assets.   6 │  * Mermaid.js via CDN for diagrams. Zero build step.   7 │  *   8 │  * @exposes #dashboard to #xss [high] cwe:CWE-79 -- "Generates HTML with user-controlled threat model data"   9 │  * @mitigates #dashboard against #xss using #output-encoding -- "esc() HTML-encodes all interpolated values"  10 │  * @exposes #dashboard to #path-traversal [medium] cwe:CWE-22 -- "readFileSync reads code files for annotation context"  11 │  * @mitigates #dashboard against #path-traversal using #path-validation -- "resolve() with root constrains file access"  12 │  * @flows ThreatModel -> #dashboard via computeStats -- "Model statistics input"  13 │  * @flows ThreatModel -> #dashboard via topologyData -- "Serialized diagram graph consumed by client-side D3 renderer"  14 │  * @flows SourceFiles -> #dashboard via readFileSync -- "Code snippet reads"  15 │  * @flows #dashboard -> HTML via return -- "Generated HTML output"

       

-      

+      

         

           L11
           mitigates
           #path-validation mitigates #path-traversal
         

         
resolve() with root constrains file access

-        
   6 │  * Mermaid.js via CDN for diagrams. Zero build step.   7 │  *   8 │  * @exposes #dashboard to #xss [high] cwe:CWE-79 -- "Generates HTML with user-controlled threat model data"   9 │  * @mitigates #dashboard against #xss using #output-encoding -- "esc() HTML-encodes all interpolated values"  10 │  * @exposes #dashboard to #path-traversal [medium] cwe:CWE-22 -- "readFileSync reads code files for annotation context"  11 │  * @mitigates #dashboard against #path-traversal using #path-validation -- "resolve() with root constrains file access"  12 │  * @flows ThreatModel -> #dashboard via computeStats -- "Model statistics input"  13 │  * @flows SourceFiles -> #dashboard via readFileSync -- "Code snippet reads"  14 │  * @flows #dashboard -> HTML via return -- "Generated HTML output"  15 │  * @handles internal on #dashboard -- "Processes and displays threat model data"  16 │  */

+        
   6 │  * Mermaid.js via CDN for diagrams. Zero build step.   7 │  *   8 │  * @exposes #dashboard to #xss [high] cwe:CWE-79 -- "Generates HTML with user-controlled threat model data"   9 │  * @mitigates #dashboard against #xss using #output-encoding -- "esc() HTML-encodes all interpolated values"  10 │  * @exposes #dashboard to #path-traversal [medium] cwe:CWE-22 -- "readFileSync reads code files for annotation context"  11 │  * @mitigates #dashboard against #path-traversal using #path-validation -- "resolve() with root constrains file access"  12 │  * @flows ThreatModel -> #dashboard via computeStats -- "Model statistics input"  13 │  * @flows ThreatModel -> #dashboard via topologyData -- "Serialized diagram graph consumed by client-side D3 renderer"  14 │  * @flows SourceFiles -> #dashboard via readFileSync -- "Code snippet reads"  15 │  * @flows #dashboard -> HTML via return -- "Generated HTML output"  16 │  * @mitigates #dashboard against #xss using #output-encoding -- "Serialized diagram data escapes closing script tags; D3 writes labels as text"

       

-      

+      

         

           L12
           flow
           ThreatModel → #dashboard
         

         
Model statistics input

-        
   7 │  *   8 │  * @exposes #dashboard to #xss [high] cwe:CWE-79 -- "Generates HTML with user-controlled threat model data"   9 │  * @mitigates #dashboard against #xss using #output-encoding -- "esc() HTML-encodes all interpolated values"  10 │  * @exposes #dashboard to #path-traversal [medium] cwe:CWE-22 -- "readFileSync reads code files for annotation context"  11 │  * @mitigates #dashboard against #path-traversal using #path-validation -- "resolve() with root constrains file access"  12 │  * @flows ThreatModel -> #dashboard via computeStats -- "Model statistics input"  13 │  * @flows SourceFiles -> #dashboard via readFileSync -- "Code snippet reads"  14 │  * @flows #dashboard -> HTML via return -- "Generated HTML output"  15 │  * @handles internal on #dashboard -- "Processes and displays threat model data"  16 │  */  17 │ 

+        
   7 │  *   8 │  * @exposes #dashboard to #xss [high] cwe:CWE-79 -- "Generates HTML with user-controlled threat model data"   9 │  * @mitigates #dashboard against #xss using #output-encoding -- "esc() HTML-encodes all interpolated values"  10 │  * @exposes #dashboard to #path-traversal [medium] cwe:CWE-22 -- "readFileSync reads code files for annotation context"  11 │  * @mitigates #dashboard against #path-traversal using #path-validation -- "resolve() with root constrains file access"  12 │  * @flows ThreatModel -> #dashboard via computeStats -- "Model statistics input"  13 │  * @flows ThreatModel -> #dashboard via topologyData -- "Serialized diagram graph consumed by client-side D3 renderer"  14 │  * @flows SourceFiles -> #dashboard via readFileSync -- "Code snippet reads"  15 │  * @flows #dashboard -> HTML via return -- "Generated HTML output"  16 │  * @mitigates #dashboard against #xss using #output-encoding -- "Serialized diagram data escapes closing script tags; D3 writes labels as text"  17 │  * @handles internal on #dashboard -- "Processes and displays threat model data"

       

-      

+      

         

           L13
           flow
+          ThreatModel → #dashboard
+        

+        
Serialized diagram graph consumed by client-side D3 renderer

+        
   8 │  * @exposes #dashboard to #xss [high] cwe:CWE-79 -- "Generates HTML with user-controlled threat model data"   9 │  * @mitigates #dashboard against #xss using #output-encoding -- "esc() HTML-encodes all interpolated values"  10 │  * @exposes #dashboard to #path-traversal [medium] cwe:CWE-22 -- "readFileSync reads code files for annotation context"  11 │  * @mitigates #dashboard against #path-traversal using #path-validation -- "resolve() with root constrains file access"  12 │  * @flows ThreatModel -> #dashboard via computeStats -- "Model statistics input"  13 │  * @flows ThreatModel -> #dashboard via topologyData -- "Serialized diagram graph consumed by client-side D3 renderer"  14 │  * @flows SourceFiles -> #dashboard via readFileSync -- "Code snippet reads"  15 │  * @flows #dashboard -> HTML via return -- "Generated HTML output"  16 │  * @mitigates #dashboard against #xss using #output-encoding -- "Serialized diagram data escapes closing script tags; D3 writes labels as text"  17 │  * @handles internal on #dashboard -- "Processes and displays threat model data"  18 │  * @feature "Dashboard" -- "Interactive HTML threat model dashboard"

+      

+      

+        

+          L14
+          flow
           SourceFiles → #dashboard
         

         
Code snippet reads

-        
   8 │  * @exposes #dashboard to #xss [high] cwe:CWE-79 -- "Generates HTML with user-controlled threat model data"   9 │  * @mitigates #dashboard against #xss using #output-encoding -- "esc() HTML-encodes all interpolated values"  10 │  * @exposes #dashboard to #path-traversal [medium] cwe:CWE-22 -- "readFileSync reads code files for annotation context"  11 │  * @mitigates #dashboard against #path-traversal using #path-validation -- "resolve() with root constrains file access"  12 │  * @flows ThreatModel -> #dashboard via computeStats -- "Model statistics input"  13 │  * @flows SourceFiles -> #dashboard via readFileSync -- "Code snippet reads"  14 │  * @flows #dashboard -> HTML via return -- "Generated HTML output"  15 │  * @handles internal on #dashboard -- "Processes and displays threat model data"  16 │  */  17 │   18 │ import type { ThreatModel } from '../types/index.js';

+        
   9 │  * @mitigates #dashboard against #xss using #output-encoding -- "esc() HTML-encodes all interpolated values"  10 │  * @exposes #dashboard to #path-traversal [medium] cwe:CWE-22 -- "readFileSync reads code files for annotation context"  11 │  * @mitigates #dashboard against #path-traversal using #path-validation -- "resolve() with root constrains file access"  12 │  * @flows ThreatModel -> #dashboard via computeStats -- "Model statistics input"  13 │  * @flows ThreatModel -> #dashboard via topologyData -- "Serialized diagram graph consumed by client-side D3 renderer"  14 │  * @flows SourceFiles -> #dashboard via readFileSync -- "Code snippet reads"  15 │  * @flows #dashboard -> HTML via return -- "Generated HTML output"  16 │  * @mitigates #dashboard against #xss using #output-encoding -- "Serialized diagram data escapes closing script tags; D3 writes labels as text"  17 │  * @handles internal on #dashboard -- "Processes and displays threat model data"  18 │  * @feature "Dashboard" -- "Interactive HTML threat model dashboard"  19 │  */

       

-      

+      

         

-          L14
+          L15
           flow
           #dashboard → HTML
         

         
Generated HTML output

-        
   9 │  * @mitigates #dashboard against #xss using #output-encoding -- "esc() HTML-encodes all interpolated values"  10 │  * @exposes #dashboard to #path-traversal [medium] cwe:CWE-22 -- "readFileSync reads code files for annotation context"  11 │  * @mitigates #dashboard against #path-traversal using #path-validation -- "resolve() with root constrains file access"  12 │  * @flows ThreatModel -> #dashboard via computeStats -- "Model statistics input"  13 │  * @flows SourceFiles -> #dashboard via readFileSync -- "Code snippet reads"  14 │  * @flows #dashboard -> HTML via return -- "Generated HTML output"  15 │  * @handles internal on #dashboard -- "Processes and displays threat model data"  16 │  */  17 │   18 │ import type { ThreatModel } from '../types/index.js';  19 │ import { computeStats, computeSeverity, computeExposures, computeAssetHeatmap } from './data.js';

+        
  10 │  * @exposes #dashboard to #path-traversal [medium] cwe:CWE-22 -- "readFileSync reads code files for annotation context"  11 │  * @mitigates #dashboard against #path-traversal using #path-validation -- "resolve() with root constrains file access"  12 │  * @flows ThreatModel -> #dashboard via computeStats -- "Model statistics input"  13 │  * @flows ThreatModel -> #dashboard via topologyData -- "Serialized diagram graph consumed by client-side D3 renderer"  14 │  * @flows SourceFiles -> #dashboard via readFileSync -- "Code snippet reads"  15 │  * @flows #dashboard -> HTML via return -- "Generated HTML output"  16 │  * @mitigates #dashboard against #xss using #output-encoding -- "Serialized diagram data escapes closing script tags; D3 writes labels as text"  17 │  * @handles internal on #dashboard -- "Processes and displays threat model data"  18 │  * @feature "Dashboard" -- "Interactive HTML threat model dashboard"  19 │  */  20 │ 

       

-      

+      

         

-          L15
+          L16
+          mitigates
+          #output-encoding mitigates #xss
+        

+        
Serialized diagram data escapes closing script tags; D3 writes labels as text

+        
  11 │  * @mitigates #dashboard against #path-traversal using #path-validation -- "resolve() with root constrains file access"  12 │  * @flows ThreatModel -> #dashboard via computeStats -- "Model statistics input"  13 │  * @flows ThreatModel -> #dashboard via topologyData -- "Serialized diagram graph consumed by client-side D3 renderer"  14 │  * @flows SourceFiles -> #dashboard via readFileSync -- "Code snippet reads"  15 │  * @flows #dashboard -> HTML via return -- "Generated HTML output"  16 │  * @mitigates #dashboard against #xss using #output-encoding -- "Serialized diagram data escapes closing script tags; D3 writes labels as text"  17 │  * @handles internal on #dashboard -- "Processes and displays threat model data"  18 │  * @feature "Dashboard" -- "Interactive HTML threat model dashboard"  19 │  */  20 │   21 │ import type { ThreatModel } from '../types/index.js';

+      

+      

+        

+          L17
           handles
           #dashboard: internal
         

         
Processes and displays threat model data

-        
  10 │  * @exposes #dashboard to #path-traversal [medium] cwe:CWE-22 -- "readFileSync reads code files for annotation context"  11 │  * @mitigates #dashboard against #path-traversal using #path-validation -- "resolve() with root constrains file access"  12 │  * @flows ThreatModel -> #dashboard via computeStats -- "Model statistics input"  13 │  * @flows SourceFiles -> #dashboard via readFileSync -- "Code snippet reads"  14 │  * @flows #dashboard -> HTML via return -- "Generated HTML output"  15 │  * @handles internal on #dashboard -- "Processes and displays threat model data"  16 │  */  17 │   18 │ import type { ThreatModel } from '../types/index.js';  19 │ import { computeStats, computeSeverity, computeExposures, computeAssetHeatmap } from './data.js';  20 │ import type { DashboardStats, SeverityBreakdown, ExposureRow, AssetHeatmapEntry } from './data.js';

+        
  12 │  * @flows ThreatModel -> #dashboard via computeStats -- "Model statistics input"  13 │  * @flows ThreatModel -> #dashboard via topologyData -- "Serialized diagram graph consumed by client-side D3 renderer"  14 │  * @flows SourceFiles -> #dashboard via readFileSync -- "Code snippet reads"  15 │  * @flows #dashboard -> HTML via return -- "Generated HTML output"  16 │  * @mitigates #dashboard against #xss using #output-encoding -- "Serialized diagram data escapes closing script tags; D3 writes labels as text"  17 │  * @handles internal on #dashboard -- "Processes and displays threat model data"  18 │  * @feature "Dashboard" -- "Interactive HTML threat model dashboard"  19 │  */  20 │   21 │ import type { ThreatModel } from '../types/index.js';  22 │ import { listFeatures } from '../parser/feature-filter.js';

       

     

   

-  

+  

     

       src/dashboard/index.ts
       
@@ -3806,7 +5264,7 @@ 
unknown

     

     

       
-      

+      

         

           L4
           exposes
@@ -3815,7 +5273,7 @@ 
unknown

         
Generates HTML with threat model data

         
   1 │ /**   2 │  * GuardLink Dashboard — Self-contained HTML threat model dashboard.   3 │  *   4 │  * @exposes #dashboard to #xss [high] cwe:CWE-79 -- "Generates HTML with threat model data"   5 │  * @mitigates #dashboard against #xss using #output-encoding -- "esc() function encodes all interpolated values"   6 │  * @flows ThreatModel -> #dashboard via generateDashboardHTML -- "Model to HTML transformation"   7 │  * @comment -- "Self-contained HTML; no external data injection after generation"   8 │  */   9 │ 

       

-      

+      

         

           L5
           mitigates
@@ -3824,7 +5282,7 @@ 
unknown

         
esc() function encodes all interpolated values

         
   1 │ /**   2 │  * GuardLink Dashboard — Self-contained HTML threat model dashboard.   3 │  *   4 │  * @exposes #dashboard to #xss [high] cwe:CWE-79 -- "Generates HTML with threat model data"   5 │  * @mitigates #dashboard against #xss using #output-encoding -- "esc() function encodes all interpolated values"   6 │  * @flows ThreatModel -> #dashboard via generateDashboardHTML -- "Model to HTML transformation"   7 │  * @comment -- "Self-contained HTML; no external data injection after generation"   8 │  */   9 │   10 │ export { generateDashboardHTML } from './generate.js';

       

-      

+      

         

           L6
           flow
@@ -3833,7 +5291,7 @@ 
unknown

         
Model to HTML transformation

         
   1 │ /**   2 │  * GuardLink Dashboard — Self-contained HTML threat model dashboard.   3 │  *   4 │  * @exposes #dashboard to #xss [high] cwe:CWE-79 -- "Generates HTML with threat model data"   5 │  * @mitigates #dashboard against #xss using #output-encoding -- "esc() function encodes all interpolated values"   6 │  * @flows ThreatModel -> #dashboard via generateDashboardHTML -- "Model to HTML transformation"   7 │  * @comment -- "Self-contained HTML; no external data injection after generation"   8 │  */   9 │   10 │ export { generateDashboardHTML } from './generate.js';  11 │ export { computeStats, computeSeverity, computeExposures, computeAssetHeatmap } from './data.js';

       

-      

+      

         

           L7
           comment
@@ -3844,7 +5302,7 @@ 
unknown

       

     

   

-  

+  

     

       src/diff/git.ts
       
@@ -3854,7 +5312,7 @@ 
unknown

     

     

       
-      

+      

         

           L6
           exposes
@@ -3863,7 +5321,7 @@ 
unknown

         
execSync runs git commands with ref argument

         
   1 │ /**   2 │  * GuardLink Diff — Git integration.   3 │  * Resolves git refs to threat models by checking out files at a given commit   4 │  * and parsing them in a temp directory.   5 │  *   6 │  * @exposes #diff to #cmd-injection [high] cwe:CWE-78 -- "execSync runs git commands with ref argument"   7 │  * @mitigates #diff against #cmd-injection using #input-sanitize -- "rev-parse validates ref exists before use in other commands"   8 │  * @exposes #diff to #arbitrary-write [medium] cwe:CWE-73 -- "writeFileSync creates files in temp directory"   9 │  * @mitigates #diff against #arbitrary-write using #path-validation -- "mkdtempSync creates isolated temp dir; rmSync cleans up"  10 │  * @exposes #diff to #path-traversal [medium] cwe:CWE-22 -- "git show extracts files based on ls-tree output"  11 │  * @mitigates #diff against #path-traversal using #glob-filtering -- "Files constrained to relevantFiles from git ls-tree"

       

-      

+      

         

           L7
           mitigates
@@ -3872,7 +5330,7 @@ 
unknown

         
rev-parse validates ref exists before use in other commands

         
   2 │  * GuardLink Diff — Git integration.   3 │  * Resolves git refs to threat models by checking out files at a given commit   4 │  * and parsing them in a temp directory.   5 │  *   6 │  * @exposes #diff to #cmd-injection [high] cwe:CWE-78 -- "execSync runs git commands with ref argument"   7 │  * @mitigates #diff against #cmd-injection using #input-sanitize -- "rev-parse validates ref exists before use in other commands"   8 │  * @exposes #diff to #arbitrary-write [medium] cwe:CWE-73 -- "writeFileSync creates files in temp directory"   9 │  * @mitigates #diff against #arbitrary-write using #path-validation -- "mkdtempSync creates isolated temp dir; rmSync cleans up"  10 │  * @exposes #diff to #path-traversal [medium] cwe:CWE-22 -- "git show extracts files based on ls-tree output"  11 │  * @mitigates #diff against #path-traversal using #glob-filtering -- "Files constrained to relevantFiles from git ls-tree"  12 │  * @flows GitRef -> #diff via execSync -- "Git command execution"

       

-      

+      

         

           L8
           exposes
@@ -3881,7 +5339,7 @@ 
unknown

         
writeFileSync creates files in temp directory

         
   3 │  * Resolves git refs to threat models by checking out files at a given commit   4 │  * and parsing them in a temp directory.   5 │  *   6 │  * @exposes #diff to #cmd-injection [high] cwe:CWE-78 -- "execSync runs git commands with ref argument"   7 │  * @mitigates #diff against #cmd-injection using #input-sanitize -- "rev-parse validates ref exists before use in other commands"   8 │  * @exposes #diff to #arbitrary-write [medium] cwe:CWE-73 -- "writeFileSync creates files in temp directory"   9 │  * @mitigates #diff against #arbitrary-write using #path-validation -- "mkdtempSync creates isolated temp dir; rmSync cleans up"  10 │  * @exposes #diff to #path-traversal [medium] cwe:CWE-22 -- "git show extracts files based on ls-tree output"  11 │  * @mitigates #diff against #path-traversal using #glob-filtering -- "Files constrained to relevantFiles from git ls-tree"  12 │  * @flows GitRef -> #diff via execSync -- "Git command execution"  13 │  * @flows #diff -> TempDir via writeFileSync -- "Extracted file writes"

       

-      

+      

         

           L9
           mitigates
@@ -3890,7 +5348,7 @@ 
unknown

         
mkdtempSync creates isolated temp dir; rmSync cleans up

         
   4 │  * and parsing them in a temp directory.   5 │  *   6 │  * @exposes #diff to #cmd-injection [high] cwe:CWE-78 -- "execSync runs git commands with ref argument"   7 │  * @mitigates #diff against #cmd-injection using #input-sanitize -- "rev-parse validates ref exists before use in other commands"   8 │  * @exposes #diff to #arbitrary-write [medium] cwe:CWE-73 -- "writeFileSync creates files in temp directory"   9 │  * @mitigates #diff against #arbitrary-write using #path-validation -- "mkdtempSync creates isolated temp dir; rmSync cleans up"  10 │  * @exposes #diff to #path-traversal [medium] cwe:CWE-22 -- "git show extracts files based on ls-tree output"  11 │  * @mitigates #diff against #path-traversal using #glob-filtering -- "Files constrained to relevantFiles from git ls-tree"  12 │  * @flows GitRef -> #diff via execSync -- "Git command execution"  13 │  * @flows #diff -> TempDir via writeFileSync -- "Extracted file writes"  14 │  * @flows #diff -> ThreatModel via parseProject -- "Parsed model output"

       

-      

+      

         

           L10
           exposes
@@ -3899,7 +5357,7 @@ 
unknown

         
git show extracts files based on ls-tree output

         
   5 │  *   6 │  * @exposes #diff to #cmd-injection [high] cwe:CWE-78 -- "execSync runs git commands with ref argument"   7 │  * @mitigates #diff against #cmd-injection using #input-sanitize -- "rev-parse validates ref exists before use in other commands"   8 │  * @exposes #diff to #arbitrary-write [medium] cwe:CWE-73 -- "writeFileSync creates files in temp directory"   9 │  * @mitigates #diff against #arbitrary-write using #path-validation -- "mkdtempSync creates isolated temp dir; rmSync cleans up"  10 │  * @exposes #diff to #path-traversal [medium] cwe:CWE-22 -- "git show extracts files based on ls-tree output"  11 │  * @mitigates #diff against #path-traversal using #glob-filtering -- "Files constrained to relevantFiles from git ls-tree"  12 │  * @flows GitRef -> #diff via execSync -- "Git command execution"  13 │  * @flows #diff -> TempDir via writeFileSync -- "Extracted file writes"  14 │  * @flows #diff -> ThreatModel via parseProject -- "Parsed model output"  15 │  * @boundary #diff and GitRepo (#git-boundary) -- "Trust boundary at git command execution"

       

-      

+      

         

           L11
           mitigates
@@ -3908,7 +5366,7 @@ 
unknown

         
Files constrained to relevantFiles from git ls-tree

         
   6 │  * @exposes #diff to #cmd-injection [high] cwe:CWE-78 -- "execSync runs git commands with ref argument"   7 │  * @mitigates #diff against #cmd-injection using #input-sanitize -- "rev-parse validates ref exists before use in other commands"   8 │  * @exposes #diff to #arbitrary-write [medium] cwe:CWE-73 -- "writeFileSync creates files in temp directory"   9 │  * @mitigates #diff against #arbitrary-write using #path-validation -- "mkdtempSync creates isolated temp dir; rmSync cleans up"  10 │  * @exposes #diff to #path-traversal [medium] cwe:CWE-22 -- "git show extracts files based on ls-tree output"  11 │  * @mitigates #diff against #path-traversal using #glob-filtering -- "Files constrained to relevantFiles from git ls-tree"  12 │  * @flows GitRef -> #diff via execSync -- "Git command execution"  13 │  * @flows #diff -> TempDir via writeFileSync -- "Extracted file writes"  14 │  * @flows #diff -> ThreatModel via parseProject -- "Parsed model output"  15 │  * @boundary #diff and GitRepo (#git-boundary) -- "Trust boundary at git command execution"  16 │  */

       

-      

+      

         

           L12
           flow
@@ -3917,7 +5375,7 @@ 
unknown

         
Git command execution

         
   7 │  * @mitigates #diff against #cmd-injection using #input-sanitize -- "rev-parse validates ref exists before use in other commands"   8 │  * @exposes #diff to #arbitrary-write [medium] cwe:CWE-73 -- "writeFileSync creates files in temp directory"   9 │  * @mitigates #diff against #arbitrary-write using #path-validation -- "mkdtempSync creates isolated temp dir; rmSync cleans up"  10 │  * @exposes #diff to #path-traversal [medium] cwe:CWE-22 -- "git show extracts files based on ls-tree output"  11 │  * @mitigates #diff against #path-traversal using #glob-filtering -- "Files constrained to relevantFiles from git ls-tree"  12 │  * @flows GitRef -> #diff via execSync -- "Git command execution"  13 │  * @flows #diff -> TempDir via writeFileSync -- "Extracted file writes"  14 │  * @flows #diff -> ThreatModel via parseProject -- "Parsed model output"  15 │  * @boundary #diff and GitRepo (#git-boundary) -- "Trust boundary at git command execution"  16 │  */  17 │ 

       

-      

+      

         

           L13
           flow
@@ -3926,7 +5384,7 @@ 
unknown

         
Extracted file writes

         
   8 │  * @exposes #diff to #arbitrary-write [medium] cwe:CWE-73 -- "writeFileSync creates files in temp directory"   9 │  * @mitigates #diff against #arbitrary-write using #path-validation -- "mkdtempSync creates isolated temp dir; rmSync cleans up"  10 │  * @exposes #diff to #path-traversal [medium] cwe:CWE-22 -- "git show extracts files based on ls-tree output"  11 │  * @mitigates #diff against #path-traversal using #glob-filtering -- "Files constrained to relevantFiles from git ls-tree"  12 │  * @flows GitRef -> #diff via execSync -- "Git command execution"  13 │  * @flows #diff -> TempDir via writeFileSync -- "Extracted file writes"  14 │  * @flows #diff -> ThreatModel via parseProject -- "Parsed model output"  15 │  * @boundary #diff and GitRepo (#git-boundary) -- "Trust boundary at git command execution"  16 │  */  17 │   18 │ import { execSync } from 'node:child_process';

       

-      

+      

         

           L14
           flow
@@ -3935,7 +5393,7 @@ 
unknown

         
Parsed model output

         
   9 │  * @mitigates #diff against #arbitrary-write using #path-validation -- "mkdtempSync creates isolated temp dir; rmSync cleans up"  10 │  * @exposes #diff to #path-traversal [medium] cwe:CWE-22 -- "git show extracts files based on ls-tree output"  11 │  * @mitigates #diff against #path-traversal using #glob-filtering -- "Files constrained to relevantFiles from git ls-tree"  12 │  * @flows GitRef -> #diff via execSync -- "Git command execution"  13 │  * @flows #diff -> TempDir via writeFileSync -- "Extracted file writes"  14 │  * @flows #diff -> ThreatModel via parseProject -- "Parsed model output"  15 │  * @boundary #diff and GitRepo (#git-boundary) -- "Trust boundary at git command execution"  16 │  */  17 │   18 │ import { execSync } from 'node:child_process';  19 │ import { mkdtempSync, writeFileSync, rmSync, mkdirSync } from 'node:fs';

       

-      

+      

         

           L15
           boundary
@@ -3946,7 +5404,7 @@ 
unknown

       

     

   

-  

+  

     

       src/diff/index.ts
       
@@ -3956,7 +5414,7 @@ 
unknown

     

     

       
-      

+      

         

           L4
           exposes
@@ -3965,7 +5423,7 @@ 
unknown

         
git.ts uses execSync with ref argument

         
   1 │ /**   2 │  * GuardLink Diff — exports.   3 │  *   4 │  * @exposes #diff to #cmd-injection [high] cwe:CWE-78 -- "git.ts uses execSync with ref argument"   5 │  * @audit #diff -- "Git commands use execSync; ref is validated with rev-parse before use"   6 │  * @flows GitRef -> #diff via parseAtRef -- "Git reference input"   7 │  */   8 │    9 │ export { diffModels, type ThreatModelDiff, type DiffSummary, type Change, type ChangeKind } from './engine.js';

       

-      

+      

         

           L5
           audit
@@ -3974,7 +5432,7 @@ 
unknown

         
Git commands use execSync; ref is validated with rev-parse before use

         
   1 │ /**   2 │  * GuardLink Diff — exports.   3 │  *   4 │  * @exposes #diff to #cmd-injection [high] cwe:CWE-78 -- "git.ts uses execSync with ref argument"   5 │  * @audit #diff -- "Git commands use execSync; ref is validated with rev-parse before use"   6 │  * @flows GitRef -> #diff via parseAtRef -- "Git reference input"   7 │  */   8 │    9 │ export { diffModels, type ThreatModelDiff, type DiffSummary, type Change, type ChangeKind } from './engine.js';  10 │ export { formatDiff, formatDiffMarkdown } from './format.js';

       

-      

+      

         

           L6
           flow
@@ -3985,7 +5443,7 @@ 
unknown

       

     

   

-  

+  

     

       src/init/detect.ts
       
@@ -3995,7 +5453,7 @@ 
unknown

     

     

       
-      

+      

         

           L5
           exposes
@@ -4004,7 +5462,7 @@ 
unknown

         
Reads package.json, pyproject.toml, etc. from root

         
   1 │ /**   2 │  * GuardLink init — Project detection utilities.   3 │  * Detects language, project name, and existing agent instruction files.   4 │  *   5 │  * @exposes #init to #path-traversal [low] cwe:CWE-22 -- "Reads package.json, pyproject.toml, etc. from root"   6 │  * @mitigates #init against #path-traversal using #path-validation -- "join() with root constrains; reads well-known files only"   7 │  * @flows ProjectRoot -> #init via detectProject -- "Project detection input"   8 │  * @comment -- "Detection is read-only; no file writes"   9 │  */  10 │ 

       

-      

+      

         

           L6
           mitigates
@@ -4013,7 +5471,7 @@ 
unknown

         
join() with root constrains; reads well-known files only

         
   1 │ /**   2 │  * GuardLink init — Project detection utilities.   3 │  * Detects language, project name, and existing agent instruction files.   4 │  *   5 │  * @exposes #init to #path-traversal [low] cwe:CWE-22 -- "Reads package.json, pyproject.toml, etc. from root"   6 │  * @mitigates #init against #path-traversal using #path-validation -- "join() with root constrains; reads well-known files only"   7 │  * @flows ProjectRoot -> #init via detectProject -- "Project detection input"   8 │  * @comment -- "Detection is read-only; no file writes"   9 │  */  10 │   11 │ import { existsSync, readdirSync, readFileSync, statSync } from 'node:fs';

       

-      

+      

         

           L7
           flow
@@ -4022,7 +5480,7 @@ 
unknown

         
Project detection input

         
   2 │  * GuardLink init — Project detection utilities.   3 │  * Detects language, project name, and existing agent instruction files.   4 │  *   5 │  * @exposes #init to #path-traversal [low] cwe:CWE-22 -- "Reads package.json, pyproject.toml, etc. from root"   6 │  * @mitigates #init against #path-traversal using #path-validation -- "join() with root constrains; reads well-known files only"   7 │  * @flows ProjectRoot -> #init via detectProject -- "Project detection input"   8 │  * @comment -- "Detection is read-only; no file writes"   9 │  */  10 │   11 │ import { existsSync, readdirSync, readFileSync, statSync } from 'node:fs';  12 │ import { join, basename } from 'node:path';

       

-      

+      

         

           L8
           comment
@@ -4033,7 +5491,7 @@ 
unknown

       

     

   

-  

+  

     

       src/init/index.ts
       
@@ -4043,7 +5501,7 @@ 
unknown

     

     

       
-      

+      

         

           L8
           exposes
@@ -4052,7 +5510,7 @@ 
unknown

         
Creates/modifies files: .guardlink/, CLAUDE.md, .cursorrules, etc.

         
   3 │  *   4 │  * Detects project language and existing agent files, creates .guardlink/   5 │  * directory with shared definitions, and injects GuardLink instructions   6 │  * into agent instruction files (CLAUDE.md, .cursorrules, etc.).   7 │  *   8 │  * @exposes #init to #arbitrary-write [high] cwe:CWE-73 -- "Creates/modifies files: .guardlink/, CLAUDE.md, .cursorrules, etc."   9 │  * @mitigates #init against #arbitrary-write using #path-validation -- "All paths are relative to root; join() constrains"  10 │  * @exposes #init to #path-traversal [medium] cwe:CWE-22 -- "Reads/writes files based on root argument"  11 │  * @mitigates #init against #path-traversal using #path-validation -- "join() with explicit root constrains file access"  12 │  * @exposes #init to #data-exposure [low] cwe:CWE-200 -- "Writes API key config to .guardlink/config.json"  13 │  * @audit #init -- "Config file may contain API keys; .gitignore entry added automatically"

       

-      

+      

         

           L9
           mitigates
@@ -4061,7 +5519,7 @@ 
unknown

         
All paths are relative to root; join() constrains

         
   4 │  * Detects project language and existing agent files, creates .guardlink/   5 │  * directory with shared definitions, and injects GuardLink instructions   6 │  * into agent instruction files (CLAUDE.md, .cursorrules, etc.).   7 │  *   8 │  * @exposes #init to #arbitrary-write [high] cwe:CWE-73 -- "Creates/modifies files: .guardlink/, CLAUDE.md, .cursorrules, etc."   9 │  * @mitigates #init against #arbitrary-write using #path-validation -- "All paths are relative to root; join() constrains"  10 │  * @exposes #init to #path-traversal [medium] cwe:CWE-22 -- "Reads/writes files based on root argument"  11 │  * @mitigates #init against #path-traversal using #path-validation -- "join() with explicit root constrains file access"  12 │  * @exposes #init to #data-exposure [low] cwe:CWE-200 -- "Writes API key config to .guardlink/config.json"  13 │  * @audit #init -- "Config file may contain API keys; .gitignore entry added automatically"  14 │  * @flows ProjectRoot -> #init via options.root -- "Project root input"

       

-      

+      

         

           L10
           exposes
@@ -4070,7 +5528,7 @@ 
unknown

         
Reads/writes files based on root argument

         
   5 │  * directory with shared definitions, and injects GuardLink instructions   6 │  * into agent instruction files (CLAUDE.md, .cursorrules, etc.).   7 │  *   8 │  * @exposes #init to #arbitrary-write [high] cwe:CWE-73 -- "Creates/modifies files: .guardlink/, CLAUDE.md, .cursorrules, etc."   9 │  * @mitigates #init against #arbitrary-write using #path-validation -- "All paths are relative to root; join() constrains"  10 │  * @exposes #init to #path-traversal [medium] cwe:CWE-22 -- "Reads/writes files based on root argument"  11 │  * @mitigates #init against #path-traversal using #path-validation -- "join() with explicit root constrains file access"  12 │  * @exposes #init to #data-exposure [low] cwe:CWE-200 -- "Writes API key config to .guardlink/config.json"  13 │  * @audit #init -- "Config file may contain API keys; .gitignore entry added automatically"  14 │  * @flows ProjectRoot -> #init via options.root -- "Project root input"  15 │  * @flows #init -> AgentFiles via writeFileSync -- "Agent instruction file writes"

       

-      

+      

         

           L11
           mitigates
@@ -4079,7 +5537,7 @@ 
unknown

         
join() with explicit root constrains file access

         
   6 │  * into agent instruction files (CLAUDE.md, .cursorrules, etc.).   7 │  *   8 │  * @exposes #init to #arbitrary-write [high] cwe:CWE-73 -- "Creates/modifies files: .guardlink/, CLAUDE.md, .cursorrules, etc."   9 │  * @mitigates #init against #arbitrary-write using #path-validation -- "All paths are relative to root; join() constrains"  10 │  * @exposes #init to #path-traversal [medium] cwe:CWE-22 -- "Reads/writes files based on root argument"  11 │  * @mitigates #init against #path-traversal using #path-validation -- "join() with explicit root constrains file access"  12 │  * @exposes #init to #data-exposure [low] cwe:CWE-200 -- "Writes API key config to .guardlink/config.json"  13 │  * @audit #init -- "Config file may contain API keys; .gitignore entry added automatically"  14 │  * @flows ProjectRoot -> #init via options.root -- "Project root input"  15 │  * @flows #init -> AgentFiles via writeFileSync -- "Agent instruction file writes"  16 │  * @flows #init -> ConfigFile via writeFileSync -- "Config file write"

       

-      

+      

         

           L12
           exposes
@@ -4088,7 +5546,7 @@ 
unknown

         
Writes API key config to .guardlink/config.json

         
   7 │  *   8 │  * @exposes #init to #arbitrary-write [high] cwe:CWE-73 -- "Creates/modifies files: .guardlink/, CLAUDE.md, .cursorrules, etc."   9 │  * @mitigates #init against #arbitrary-write using #path-validation -- "All paths are relative to root; join() constrains"  10 │  * @exposes #init to #path-traversal [medium] cwe:CWE-22 -- "Reads/writes files based on root argument"  11 │  * @mitigates #init against #path-traversal using #path-validation -- "join() with explicit root constrains file access"  12 │  * @exposes #init to #data-exposure [low] cwe:CWE-200 -- "Writes API key config to .guardlink/config.json"  13 │  * @audit #init -- "Config file may contain API keys; .gitignore entry added automatically"  14 │  * @flows ProjectRoot -> #init via options.root -- "Project root input"  15 │  * @flows #init -> AgentFiles via writeFileSync -- "Agent instruction file writes"  16 │  * @flows #init -> ConfigFile via writeFileSync -- "Config file write"  17 │  * @handles internal on #init -- "Generates definitions and agent instruction content"

       

-      

+      

         

           L13
           audit
@@ -4097,7 +5555,7 @@ 
unknown

         
Config file may contain API keys; .gitignore entry added automatically

         
   8 │  * @exposes #init to #arbitrary-write [high] cwe:CWE-73 -- "Creates/modifies files: .guardlink/, CLAUDE.md, .cursorrules, etc."   9 │  * @mitigates #init against #arbitrary-write using #path-validation -- "All paths are relative to root; join() constrains"  10 │  * @exposes #init to #path-traversal [medium] cwe:CWE-22 -- "Reads/writes files based on root argument"  11 │  * @mitigates #init against #path-traversal using #path-validation -- "join() with explicit root constrains file access"  12 │  * @exposes #init to #data-exposure [low] cwe:CWE-200 -- "Writes API key config to .guardlink/config.json"  13 │  * @audit #init -- "Config file may contain API keys; .gitignore entry added automatically"  14 │  * @flows ProjectRoot -> #init via options.root -- "Project root input"  15 │  * @flows #init -> AgentFiles via writeFileSync -- "Agent instruction file writes"  16 │  * @flows #init -> ConfigFile via writeFileSync -- "Config file write"  17 │  * @handles internal on #init -- "Generates definitions and agent instruction content"  18 │  */

       

-      

+      

         

           L14
           flow
@@ -4106,7 +5564,7 @@ 
unknown

         
Project root input

         
   9 │  * @mitigates #init against #arbitrary-write using #path-validation -- "All paths are relative to root; join() constrains"  10 │  * @exposes #init to #path-traversal [medium] cwe:CWE-22 -- "Reads/writes files based on root argument"  11 │  * @mitigates #init against #path-traversal using #path-validation -- "join() with explicit root constrains file access"  12 │  * @exposes #init to #data-exposure [low] cwe:CWE-200 -- "Writes API key config to .guardlink/config.json"  13 │  * @audit #init -- "Config file may contain API keys; .gitignore entry added automatically"  14 │  * @flows ProjectRoot -> #init via options.root -- "Project root input"  15 │  * @flows #init -> AgentFiles via writeFileSync -- "Agent instruction file writes"  16 │  * @flows #init -> ConfigFile via writeFileSync -- "Config file write"  17 │  * @handles internal on #init -- "Generates definitions and agent instruction content"  18 │  */  19 │ 

       

-      

+      

         

           L15
           flow
@@ -4115,7 +5573,7 @@ 
unknown

         
Agent instruction file writes

         
  10 │  * @exposes #init to #path-traversal [medium] cwe:CWE-22 -- "Reads/writes files based on root argument"  11 │  * @mitigates #init against #path-traversal using #path-validation -- "join() with explicit root constrains file access"  12 │  * @exposes #init to #data-exposure [low] cwe:CWE-200 -- "Writes API key config to .guardlink/config.json"  13 │  * @audit #init -- "Config file may contain API keys; .gitignore entry added automatically"  14 │  * @flows ProjectRoot -> #init via options.root -- "Project root input"  15 │  * @flows #init -> AgentFiles via writeFileSync -- "Agent instruction file writes"  16 │  * @flows #init -> ConfigFile via writeFileSync -- "Config file write"  17 │  * @handles internal on #init -- "Generates definitions and agent instruction content"  18 │  */  19 │   20 │ import { existsSync, readFileSync, mkdirSync, writeFileSync, appendFileSync } from 'node:fs';

       

-      

+      

         

           L16
           flow
@@ -4124,7 +5582,7 @@ 
unknown

         
Config file write

         
  11 │  * @mitigates #init against #path-traversal using #path-validation -- "join() with explicit root constrains file access"  12 │  * @exposes #init to #data-exposure [low] cwe:CWE-200 -- "Writes API key config to .guardlink/config.json"  13 │  * @audit #init -- "Config file may contain API keys; .gitignore entry added automatically"  14 │  * @flows ProjectRoot -> #init via options.root -- "Project root input"  15 │  * @flows #init -> AgentFiles via writeFileSync -- "Agent instruction file writes"  16 │  * @flows #init -> ConfigFile via writeFileSync -- "Config file write"  17 │  * @handles internal on #init -- "Generates definitions and agent instruction content"  18 │  */  19 │   20 │ import { existsSync, readFileSync, mkdirSync, writeFileSync, appendFileSync } from 'node:fs';  21 │ import { join, dirname } from 'node:path';

       

-      

+      

         

           L17
           handles
@@ -4135,7 +5593,28 @@ 
unknown

       

     

   

-  

+  

+    

+      src/init/migrate.ts
+      
+        1
+        
+      
+    

+    

+      
+      

+        

+          L9
+          comment
+          Migrations should never modify existing user files. Only create missing ones.
+        

+        
Migrations should never modify existing user files. Only create missing ones.

+        
   4 │  * Small idempotent operations for projects upgrading from older versions of   5 │  * GuardLink that don't have the full v1.5.x layout. Designed to be safe to   6 │  * call repeatedly and to fail closed (do nothing) when the project doesn't   7 │  * have a `.guardlink/` directory at all.   8 │  *   9 │  * @comment -- "Migrations should never modify existing user files. Only create missing ones."  10 │  */  11 │   12 │ import { existsSync, writeFileSync } from 'node:fs';  13 │ import { join } from 'node:path';  14 │ import { detectProject } from './detect.js';

+      

+    

+  

+  

     

       src/mcp/index.ts
       
@@ -4145,7 +5624,7 @@ 
unknown

     

     

       
-      

+      

         

           L4
           exposes
@@ -4154,7 +5633,7 @@ 
unknown

         
Accepts tool calls from external MCP clients

         
   1 │ /**   2 │  * GuardLink MCP Server — exports and stdio entry point.   3 │  *   4 │  * @exposes #mcp to #cmd-injection [high] cwe:CWE-78 -- "Accepts tool calls from external MCP clients"   5 │  * @audit #mcp -- "All tool calls validated by server.ts before execution"   6 │  * @flows MCPClient -> #mcp via stdio -- "MCP protocol transport"   7 │  * @boundary #mcp and MCPClient (#mcp-boundary) -- "Trust boundary at MCP protocol"   8 │  */   9 │ 

       

-      

+      

         

           L5
           audit
@@ -4163,7 +5642,7 @@ 
unknown

         
All tool calls validated by server.ts before execution

         
   1 │ /**   2 │  * GuardLink MCP Server — exports and stdio entry point.   3 │  *   4 │  * @exposes #mcp to #cmd-injection [high] cwe:CWE-78 -- "Accepts tool calls from external MCP clients"   5 │  * @audit #mcp -- "All tool calls validated by server.ts before execution"   6 │  * @flows MCPClient -> #mcp via stdio -- "MCP protocol transport"   7 │  * @boundary #mcp and MCPClient (#mcp-boundary) -- "Trust boundary at MCP protocol"   8 │  */   9 │   10 │ export { createServer } from './server.js';

       

-      

+      

         

           L6
           flow
@@ -4172,7 +5651,7 @@ 
unknown

         
MCP protocol transport

         
   1 │ /**   2 │  * GuardLink MCP Server — exports and stdio entry point.   3 │  *   4 │  * @exposes #mcp to #cmd-injection [high] cwe:CWE-78 -- "Accepts tool calls from external MCP clients"   5 │  * @audit #mcp -- "All tool calls validated by server.ts before execution"   6 │  * @flows MCPClient -> #mcp via stdio -- "MCP protocol transport"   7 │  * @boundary #mcp and MCPClient (#mcp-boundary) -- "Trust boundary at MCP protocol"   8 │  */   9 │   10 │ export { createServer } from './server.js';  11 │ export { lookup, type LookupResult } from './lookup.js';

       

-      

+      

         

           L7
           boundary
@@ -4183,7 +5662,7 @@ 
unknown

       

     

   

-  

+  

     

       src/mcp/lookup.ts
       
@@ -4193,45 +5672,45 @@ 
unknown

     

     

       
-      

+      

         

-          L16
+          L17
           exposes
           #mcp → #redos
         

         
Regex patterns applied to query strings

-        
  11 │  *   - "flows from #config" → data flows with source = config  12 │  *   - "unmitigated" → all unmitigated exposures  13 │  *   - "boundary #config" → boundaries involving asset  14 │  *   - Free text → fuzzy match across assets, threats, controls  15 │  *  16 │  * @exposes #mcp to #redos [low] cwe:CWE-1333 -- "Regex patterns applied to query strings"  17 │  * @mitigates #mcp against #redos using #regex-anchoring -- "Patterns are simple and bounded"  18 │  * @flows QueryString -> #mcp via lookup -- "Query input path"  19 │  * @comment -- "Pure function; no I/O; operates on in-memory ThreatModel"  20 │  */  21 │ 

+        
  12 │  *   - "unmitigated" → all unmitigated exposures  13 │  *   - "confirmed" → @confirmed verified exploitable findings  14 │  *   - "boundary #config" → boundaries involving asset  15 │  *   - Free text → fuzzy match across assets, threats, controls  16 │  *  17 │  * @exposes #mcp to #redos [low] cwe:CWE-1333 -- "Regex patterns applied to query strings"  18 │  * @mitigates #mcp against #redos using #regex-anchoring -- "Patterns are simple and bounded"  19 │  * @flows QueryString -> #mcp via lookup -- "Query input path"  20 │  * @comment -- "Pure function; no I/O; operates on in-memory ThreatModel"  21 │  */  22 │ 

       

-      

+      

         

-          L17
+          L18
           mitigates
           #regex-anchoring mitigates #redos
         

         
Patterns are simple and bounded

-        
  12 │  *   - "unmitigated" → all unmitigated exposures  13 │  *   - "boundary #config" → boundaries involving asset  14 │  *   - Free text → fuzzy match across assets, threats, controls  15 │  *  16 │  * @exposes #mcp to #redos [low] cwe:CWE-1333 -- "Regex patterns applied to query strings"  17 │  * @mitigates #mcp against #redos using #regex-anchoring -- "Patterns are simple and bounded"  18 │  * @flows QueryString -> #mcp via lookup -- "Query input path"  19 │  * @comment -- "Pure function; no I/O; operates on in-memory ThreatModel"  20 │  */  21 │   22 │ import type {

+        
  13 │  *   - "confirmed" → @confirmed verified exploitable findings  14 │  *   - "boundary #config" → boundaries involving asset  15 │  *   - Free text → fuzzy match across assets, threats, controls  16 │  *  17 │  * @exposes #mcp to #redos [low] cwe:CWE-1333 -- "Regex patterns applied to query strings"  18 │  * @mitigates #mcp against #redos using #regex-anchoring -- "Patterns are simple and bounded"  19 │  * @flows QueryString -> #mcp via lookup -- "Query input path"  20 │  * @comment -- "Pure function; no I/O; operates on in-memory ThreatModel"  21 │  */  22 │   23 │ import type {

       

-      

+      

         

-          L18
+          L19
           flow
           QueryString → #mcp
         

         
Query input path

-        
  13 │  *   - "boundary #config" → boundaries involving asset  14 │  *   - Free text → fuzzy match across assets, threats, controls  15 │  *  16 │  * @exposes #mcp to #redos [low] cwe:CWE-1333 -- "Regex patterns applied to query strings"  17 │  * @mitigates #mcp against #redos using #regex-anchoring -- "Patterns are simple and bounded"  18 │  * @flows QueryString -> #mcp via lookup -- "Query input path"  19 │  * @comment -- "Pure function; no I/O; operates on in-memory ThreatModel"  20 │  */  21 │   22 │ import type {  23 │   ThreatModel, ThreatModelAsset, ThreatModelThreat, ThreatModelControl,

+        
  14 │  *   - "boundary #config" → boundaries involving asset  15 │  *   - Free text → fuzzy match across assets, threats, controls  16 │  *  17 │  * @exposes #mcp to #redos [low] cwe:CWE-1333 -- "Regex patterns applied to query strings"  18 │  * @mitigates #mcp against #redos using #regex-anchoring -- "Patterns are simple and bounded"  19 │  * @flows QueryString -> #mcp via lookup -- "Query input path"  20 │  * @comment -- "Pure function; no I/O; operates on in-memory ThreatModel"  21 │  */  22 │   23 │ import type {  24 │   ThreatModel, ThreatModelAsset, ThreatModelThreat, ThreatModelControl,

       

-      

+      

         

-          L19
+          L20
           comment
           Pure function; no I/O; operates on in-memory ThreatModel
         

         
Pure function; no I/O; operates on in-memory ThreatModel

-        
  14 │  *   - Free text → fuzzy match across assets, threats, controls  15 │  *  16 │  * @exposes #mcp to #redos [low] cwe:CWE-1333 -- "Regex patterns applied to query strings"  17 │  * @mitigates #mcp against #redos using #regex-anchoring -- "Patterns are simple and bounded"  18 │  * @flows QueryString -> #mcp via lookup -- "Query input path"  19 │  * @comment -- "Pure function; no I/O; operates on in-memory ThreatModel"  20 │  */  21 │   22 │ import type {  23 │   ThreatModel, ThreatModelAsset, ThreatModelThreat, ThreatModelControl,  24 │   ThreatModelExposure, ThreatModelMitigation, ThreatModelFlow,

+        
  15 │  *   - Free text → fuzzy match across assets, threats, controls  16 │  *  17 │  * @exposes #mcp to #redos [low] cwe:CWE-1333 -- "Regex patterns applied to query strings"  18 │  * @mitigates #mcp against #redos using #regex-anchoring -- "Patterns are simple and bounded"  19 │  * @flows QueryString -> #mcp via lookup -- "Query input path"  20 │  * @comment -- "Pure function; no I/O; operates on in-memory ThreatModel"  21 │  */  22 │   23 │ import type {  24 │   ThreatModel, ThreatModelAsset, ThreatModelThreat, ThreatModelControl,  25 │   ThreatModelExposure, ThreatModelMitigation, ThreatModelFlow,

       

     

   

-  

+  

     

       src/mcp/server.ts
       
@@ -4241,7 +5720,7 @@ 
unknown

     

     

       
-      

+      

         

           L26
           exposes
@@ -4250,7 +5729,7 @@ 
unknown

         
Tool arguments include 'root' directory path from external client

         
  21 │  *   guardlink://definitions  — Assets, threats, controls  22 │  *   guardlink://unmitigated  — Unmitigated exposures list  23 │  *  24 │  * Transport: stdio (for Claude Code .mcp.json, Cursor, etc.)  25 │  *  26 │  * @exposes #mcp to #path-traversal [high] cwe:CWE-22 -- "Tool arguments include 'root' directory path from external client"  27 │  * @mitigates #mcp against #path-traversal using #path-validation -- "Zod schema validates root; resolve() canonicalizes"  28 │  * @exposes #mcp to #arbitrary-write [high] cwe:CWE-73 -- "report, dashboard, sarif tools write files"  29 │  * @mitigates #mcp against #arbitrary-write using #path-validation -- "Output paths resolved relative to validated root"  30 │  * @exposes #mcp to #prompt-injection [medium] cwe:CWE-77 -- "annotate and threat_report tools pass user prompts to LLM"  31 │  * @audit #mcp -- "User prompts passed to LLM; model context is read-only"

       

-      

+      

         

           L27
           mitigates
@@ -4259,7 +5738,7 @@ 
unknown

         
Zod schema validates root; resolve() canonicalizes

         
  22 │  *   guardlink://unmitigated  — Unmitigated exposures list  23 │  *  24 │  * Transport: stdio (for Claude Code .mcp.json, Cursor, etc.)  25 │  *  26 │  * @exposes #mcp to #path-traversal [high] cwe:CWE-22 -- "Tool arguments include 'root' directory path from external client"  27 │  * @mitigates #mcp against #path-traversal using #path-validation -- "Zod schema validates root; resolve() canonicalizes"  28 │  * @exposes #mcp to #arbitrary-write [high] cwe:CWE-73 -- "report, dashboard, sarif tools write files"  29 │  * @mitigates #mcp against #arbitrary-write using #path-validation -- "Output paths resolved relative to validated root"  30 │  * @exposes #mcp to #prompt-injection [medium] cwe:CWE-77 -- "annotate and threat_report tools pass user prompts to LLM"  31 │  * @audit #mcp -- "User prompts passed to LLM; model context is read-only"  32 │  * @exposes #mcp to #api-key-exposure [medium] cwe:CWE-798 -- "threat_report tool uses API keys from environment"

       

-      

+      

         

           L28
           exposes
@@ -4268,7 +5747,7 @@ 
unknown

         
report, dashboard, sarif tools write files

         
  23 │  *  24 │  * Transport: stdio (for Claude Code .mcp.json, Cursor, etc.)  25 │  *  26 │  * @exposes #mcp to #path-traversal [high] cwe:CWE-22 -- "Tool arguments include 'root' directory path from external client"  27 │  * @mitigates #mcp against #path-traversal using #path-validation -- "Zod schema validates root; resolve() canonicalizes"  28 │  * @exposes #mcp to #arbitrary-write [high] cwe:CWE-73 -- "report, dashboard, sarif tools write files"  29 │  * @mitigates #mcp against #arbitrary-write using #path-validation -- "Output paths resolved relative to validated root"  30 │  * @exposes #mcp to #prompt-injection [medium] cwe:CWE-77 -- "annotate and threat_report tools pass user prompts to LLM"  31 │  * @audit #mcp -- "User prompts passed to LLM; model context is read-only"  32 │  * @exposes #mcp to #api-key-exposure [medium] cwe:CWE-798 -- "threat_report tool uses API keys from environment"  33 │  * @mitigates #mcp against #api-key-exposure using #key-redaction -- "Keys from env only; never logged or returned"

       

-      

+      

         

           L29
           mitigates
@@ -4277,7 +5756,7 @@ 
unknown

         
Output paths resolved relative to validated root

         
  24 │  * Transport: stdio (for Claude Code .mcp.json, Cursor, etc.)  25 │  *  26 │  * @exposes #mcp to #path-traversal [high] cwe:CWE-22 -- "Tool arguments include 'root' directory path from external client"  27 │  * @mitigates #mcp against #path-traversal using #path-validation -- "Zod schema validates root; resolve() canonicalizes"  28 │  * @exposes #mcp to #arbitrary-write [high] cwe:CWE-73 -- "report, dashboard, sarif tools write files"  29 │  * @mitigates #mcp against #arbitrary-write using #path-validation -- "Output paths resolved relative to validated root"  30 │  * @exposes #mcp to #prompt-injection [medium] cwe:CWE-77 -- "annotate and threat_report tools pass user prompts to LLM"  31 │  * @audit #mcp -- "User prompts passed to LLM; model context is read-only"  32 │  * @exposes #mcp to #api-key-exposure [medium] cwe:CWE-798 -- "threat_report tool uses API keys from environment"  33 │  * @mitigates #mcp against #api-key-exposure using #key-redaction -- "Keys from env only; never logged or returned"  34 │  * @exposes #mcp to #data-exposure [medium] cwe:CWE-200 -- "Resources expose full threat model to MCP clients"

       

-      

+      

         

           L30
           exposes
@@ -4286,7 +5765,7 @@ 
unknown

         
annotate and threat_report tools pass user prompts to LLM

         
  25 │  *  26 │  * @exposes #mcp to #path-traversal [high] cwe:CWE-22 -- "Tool arguments include 'root' directory path from external client"  27 │  * @mitigates #mcp against #path-traversal using #path-validation -- "Zod schema validates root; resolve() canonicalizes"  28 │  * @exposes #mcp to #arbitrary-write [high] cwe:CWE-73 -- "report, dashboard, sarif tools write files"  29 │  * @mitigates #mcp against #arbitrary-write using #path-validation -- "Output paths resolved relative to validated root"  30 │  * @exposes #mcp to #prompt-injection [medium] cwe:CWE-77 -- "annotate and threat_report tools pass user prompts to LLM"  31 │  * @audit #mcp -- "User prompts passed to LLM; model context is read-only"  32 │  * @exposes #mcp to #api-key-exposure [medium] cwe:CWE-798 -- "threat_report tool uses API keys from environment"  33 │  * @mitigates #mcp against #api-key-exposure using #key-redaction -- "Keys from env only; never logged or returned"  34 │  * @exposes #mcp to #data-exposure [medium] cwe:CWE-200 -- "Resources expose full threat model to MCP clients"  35 │  * @audit #mcp -- "Threat model data intentionally exposed to connected agents"

       

-      

+      

         

           L31
           audit
@@ -4295,7 +5774,7 @@ 
unknown

         
User prompts passed to LLM; model context is read-only

         
  26 │  * @exposes #mcp to #path-traversal [high] cwe:CWE-22 -- "Tool arguments include 'root' directory path from external client"  27 │  * @mitigates #mcp against #path-traversal using #path-validation -- "Zod schema validates root; resolve() canonicalizes"  28 │  * @exposes #mcp to #arbitrary-write [high] cwe:CWE-73 -- "report, dashboard, sarif tools write files"  29 │  * @mitigates #mcp against #arbitrary-write using #path-validation -- "Output paths resolved relative to validated root"  30 │  * @exposes #mcp to #prompt-injection [medium] cwe:CWE-77 -- "annotate and threat_report tools pass user prompts to LLM"  31 │  * @audit #mcp -- "User prompts passed to LLM; model context is read-only"  32 │  * @exposes #mcp to #api-key-exposure [medium] cwe:CWE-798 -- "threat_report tool uses API keys from environment"  33 │  * @mitigates #mcp against #api-key-exposure using #key-redaction -- "Keys from env only; never logged or returned"  34 │  * @exposes #mcp to #data-exposure [medium] cwe:CWE-200 -- "Resources expose full threat model to MCP clients"  35 │  * @audit #mcp -- "Threat model data intentionally exposed to connected agents"  36 │  * @flows MCPClient -> #mcp via tool_call -- "Tool invocation input"

       

-      

+      

         

           L32
           exposes
@@ -4304,7 +5783,7 @@ 
unknown

         
threat_report tool uses API keys from environment

         
  27 │  * @mitigates #mcp against #path-traversal using #path-validation -- "Zod schema validates root; resolve() canonicalizes"  28 │  * @exposes #mcp to #arbitrary-write [high] cwe:CWE-73 -- "report, dashboard, sarif tools write files"  29 │  * @mitigates #mcp against #arbitrary-write using #path-validation -- "Output paths resolved relative to validated root"  30 │  * @exposes #mcp to #prompt-injection [medium] cwe:CWE-77 -- "annotate and threat_report tools pass user prompts to LLM"  31 │  * @audit #mcp -- "User prompts passed to LLM; model context is read-only"  32 │  * @exposes #mcp to #api-key-exposure [medium] cwe:CWE-798 -- "threat_report tool uses API keys from environment"  33 │  * @mitigates #mcp against #api-key-exposure using #key-redaction -- "Keys from env only; never logged or returned"  34 │  * @exposes #mcp to #data-exposure [medium] cwe:CWE-200 -- "Resources expose full threat model to MCP clients"  35 │  * @audit #mcp -- "Threat model data intentionally exposed to connected agents"  36 │  * @flows MCPClient -> #mcp via tool_call -- "Tool invocation input"  37 │  * @flows #mcp -> FileSystem via writeFile -- "Report/dashboard output"

       

-      

+      

         

           L33
           mitigates
@@ -4313,7 +5792,7 @@ 
unknown

         
Keys from env only; never logged or returned

         
  28 │  * @exposes #mcp to #arbitrary-write [high] cwe:CWE-73 -- "report, dashboard, sarif tools write files"  29 │  * @mitigates #mcp against #arbitrary-write using #path-validation -- "Output paths resolved relative to validated root"  30 │  * @exposes #mcp to #prompt-injection [medium] cwe:CWE-77 -- "annotate and threat_report tools pass user prompts to LLM"  31 │  * @audit #mcp -- "User prompts passed to LLM; model context is read-only"  32 │  * @exposes #mcp to #api-key-exposure [medium] cwe:CWE-798 -- "threat_report tool uses API keys from environment"  33 │  * @mitigates #mcp against #api-key-exposure using #key-redaction -- "Keys from env only; never logged or returned"  34 │  * @exposes #mcp to #data-exposure [medium] cwe:CWE-200 -- "Resources expose full threat model to MCP clients"  35 │  * @audit #mcp -- "Threat model data intentionally exposed to connected agents"  36 │  * @flows MCPClient -> #mcp via tool_call -- "Tool invocation input"  37 │  * @flows #mcp -> FileSystem via writeFile -- "Report/dashboard output"  38 │  * @flows #mcp -> #llm-client via generateThreatReport -- "LLM API call path"

       

-      

+      

         

           L34
           exposes
@@ -4322,7 +5801,7 @@ 
unknown

         
Resources expose full threat model to MCP clients

         
  29 │  * @mitigates #mcp against #arbitrary-write using #path-validation -- "Output paths resolved relative to validated root"  30 │  * @exposes #mcp to #prompt-injection [medium] cwe:CWE-77 -- "annotate and threat_report tools pass user prompts to LLM"  31 │  * @audit #mcp -- "User prompts passed to LLM; model context is read-only"  32 │  * @exposes #mcp to #api-key-exposure [medium] cwe:CWE-798 -- "threat_report tool uses API keys from environment"  33 │  * @mitigates #mcp against #api-key-exposure using #key-redaction -- "Keys from env only; never logged or returned"  34 │  * @exposes #mcp to #data-exposure [medium] cwe:CWE-200 -- "Resources expose full threat model to MCP clients"  35 │  * @audit #mcp -- "Threat model data intentionally exposed to connected agents"  36 │  * @flows MCPClient -> #mcp via tool_call -- "Tool invocation input"  37 │  * @flows #mcp -> FileSystem via writeFile -- "Report/dashboard output"  38 │  * @flows #mcp -> #llm-client via generateThreatReport -- "LLM API call path"  39 │  * @flows #mcp -> MCPClient via resource -- "Threat model data output"

       

-      

+      

         

           L35
           audit
@@ -4331,7 +5810,7 @@ 
unknown

         
Threat model data intentionally exposed to connected agents

         
  30 │  * @exposes #mcp to #prompt-injection [medium] cwe:CWE-77 -- "annotate and threat_report tools pass user prompts to LLM"  31 │  * @audit #mcp -- "User prompts passed to LLM; model context is read-only"  32 │  * @exposes #mcp to #api-key-exposure [medium] cwe:CWE-798 -- "threat_report tool uses API keys from environment"  33 │  * @mitigates #mcp against #api-key-exposure using #key-redaction -- "Keys from env only; never logged or returned"  34 │  * @exposes #mcp to #data-exposure [medium] cwe:CWE-200 -- "Resources expose full threat model to MCP clients"  35 │  * @audit #mcp -- "Threat model data intentionally exposed to connected agents"  36 │  * @flows MCPClient -> #mcp via tool_call -- "Tool invocation input"  37 │  * @flows #mcp -> FileSystem via writeFile -- "Report/dashboard output"  38 │  * @flows #mcp -> #llm-client via generateThreatReport -- "LLM API call path"  39 │  * @flows #mcp -> MCPClient via resource -- "Threat model data output"  40 │  * @boundary #mcp and MCPClient (#mcp-tool-boundary) -- "Trust boundary at tool argument parsing"

       

-      

+      

         

           L36
           flow
@@ -4340,54 +5819,54 @@ 
unknown

         
Tool invocation input

         
  31 │  * @audit #mcp -- "User prompts passed to LLM; model context is read-only"  32 │  * @exposes #mcp to #api-key-exposure [medium] cwe:CWE-798 -- "threat_report tool uses API keys from environment"  33 │  * @mitigates #mcp against #api-key-exposure using #key-redaction -- "Keys from env only; never logged or returned"  34 │  * @exposes #mcp to #data-exposure [medium] cwe:CWE-200 -- "Resources expose full threat model to MCP clients"  35 │  * @audit #mcp -- "Threat model data intentionally exposed to connected agents"  36 │  * @flows MCPClient -> #mcp via tool_call -- "Tool invocation input"  37 │  * @flows #mcp -> FileSystem via writeFile -- "Report/dashboard output"  38 │  * @flows #mcp -> #llm-client via generateThreatReport -- "LLM API call path"  39 │  * @flows #mcp -> MCPClient via resource -- "Threat model data output"  40 │  * @boundary #mcp and MCPClient (#mcp-tool-boundary) -- "Trust boundary at tool argument parsing"  41 │  * @handles internal on #mcp -- "Processes project annotations and threat model data"

       

-      

+      

         

           L37
           flow
           #mcp → FileSystem
         

         
Report/dashboard output

-        
  32 │  * @exposes #mcp to #api-key-exposure [medium] cwe:CWE-798 -- "threat_report tool uses API keys from environment"  33 │  * @mitigates #mcp against #api-key-exposure using #key-redaction -- "Keys from env only; never logged or returned"  34 │  * @exposes #mcp to #data-exposure [medium] cwe:CWE-200 -- "Resources expose full threat model to MCP clients"  35 │  * @audit #mcp -- "Threat model data intentionally exposed to connected agents"  36 │  * @flows MCPClient -> #mcp via tool_call -- "Tool invocation input"  37 │  * @flows #mcp -> FileSystem via writeFile -- "Report/dashboard output"  38 │  * @flows #mcp -> #llm-client via generateThreatReport -- "LLM API call path"  39 │  * @flows #mcp -> MCPClient via resource -- "Threat model data output"  40 │  * @boundary #mcp and MCPClient (#mcp-tool-boundary) -- "Trust boundary at tool argument parsing"  41 │  * @handles internal on #mcp -- "Processes project annotations and threat model data"  42 │  */

+        
  32 │  * @exposes #mcp to #api-key-exposure [medium] cwe:CWE-798 -- "threat_report tool uses API keys from environment"  33 │  * @mitigates #mcp against #api-key-exposure using #key-redaction -- "Keys from env only; never logged or returned"  34 │  * @exposes #mcp to #data-exposure [medium] cwe:CWE-200 -- "Resources expose full threat model to MCP clients"  35 │  * @audit #mcp -- "Threat model data intentionally exposed to connected agents"  36 │  * @flows MCPClient -> #mcp via tool_call -- "Tool invocation input"  37 │  * @flows #mcp -> FileSystem via writeFile -- "Report/dashboard output"  38 │  * @flows #mcp -> #llm-client via generateThreatReport -- "LLM API call path"  39 │  * @flows #mcp -> MCPClient via resource -- "Threat model data output"  40 │  * @boundary #mcp and MCPClient (#mcp-tool-boundary) -- "Trust boundary at tool argument parsing"  41 │  * @handles internal on #mcp -- "Processes project annotations and threat model data"  42 │  * @feature "MCP Integration" -- "Model Context Protocol server for AI agent tooling"

       

-      

+      

         

           L38
           flow
           #mcp → #llm-client
         

         
LLM API call path

-        
  33 │  * @mitigates #mcp against #api-key-exposure using #key-redaction -- "Keys from env only; never logged or returned"  34 │  * @exposes #mcp to #data-exposure [medium] cwe:CWE-200 -- "Resources expose full threat model to MCP clients"  35 │  * @audit #mcp -- "Threat model data intentionally exposed to connected agents"  36 │  * @flows MCPClient -> #mcp via tool_call -- "Tool invocation input"  37 │  * @flows #mcp -> FileSystem via writeFile -- "Report/dashboard output"  38 │  * @flows #mcp -> #llm-client via generateThreatReport -- "LLM API call path"  39 │  * @flows #mcp -> MCPClient via resource -- "Threat model data output"  40 │  * @boundary #mcp and MCPClient (#mcp-tool-boundary) -- "Trust boundary at tool argument parsing"  41 │  * @handles internal on #mcp -- "Processes project annotations and threat model data"  42 │  */  43 │ 

+        
  33 │  * @mitigates #mcp against #api-key-exposure using #key-redaction -- "Keys from env only; never logged or returned"  34 │  * @exposes #mcp to #data-exposure [medium] cwe:CWE-200 -- "Resources expose full threat model to MCP clients"  35 │  * @audit #mcp -- "Threat model data intentionally exposed to connected agents"  36 │  * @flows MCPClient -> #mcp via tool_call -- "Tool invocation input"  37 │  * @flows #mcp -> FileSystem via writeFile -- "Report/dashboard output"  38 │  * @flows #mcp -> #llm-client via generateThreatReport -- "LLM API call path"  39 │  * @flows #mcp -> MCPClient via resource -- "Threat model data output"  40 │  * @boundary #mcp and MCPClient (#mcp-tool-boundary) -- "Trust boundary at tool argument parsing"  41 │  * @handles internal on #mcp -- "Processes project annotations and threat model data"  42 │  * @feature "MCP Integration" -- "Model Context Protocol server for AI agent tooling"  43 │  */

       

-      

+      

         

           L39
           flow
           #mcp → MCPClient
         

         
Threat model data output

-        
  34 │  * @exposes #mcp to #data-exposure [medium] cwe:CWE-200 -- "Resources expose full threat model to MCP clients"  35 │  * @audit #mcp -- "Threat model data intentionally exposed to connected agents"  36 │  * @flows MCPClient -> #mcp via tool_call -- "Tool invocation input"  37 │  * @flows #mcp -> FileSystem via writeFile -- "Report/dashboard output"  38 │  * @flows #mcp -> #llm-client via generateThreatReport -- "LLM API call path"  39 │  * @flows #mcp -> MCPClient via resource -- "Threat model data output"  40 │  * @boundary #mcp and MCPClient (#mcp-tool-boundary) -- "Trust boundary at tool argument parsing"  41 │  * @handles internal on #mcp -- "Processes project annotations and threat model data"  42 │  */  43 │   44 │ import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';

+        
  34 │  * @exposes #mcp to #data-exposure [medium] cwe:CWE-200 -- "Resources expose full threat model to MCP clients"  35 │  * @audit #mcp -- "Threat model data intentionally exposed to connected agents"  36 │  * @flows MCPClient -> #mcp via tool_call -- "Tool invocation input"  37 │  * @flows #mcp -> FileSystem via writeFile -- "Report/dashboard output"  38 │  * @flows #mcp -> #llm-client via generateThreatReport -- "LLM API call path"  39 │  * @flows #mcp -> MCPClient via resource -- "Threat model data output"  40 │  * @boundary #mcp and MCPClient (#mcp-tool-boundary) -- "Trust boundary at tool argument parsing"  41 │  * @handles internal on #mcp -- "Processes project annotations and threat model data"  42 │  * @feature "MCP Integration" -- "Model Context Protocol server for AI agent tooling"  43 │  */  44 │ 

       

-      

+      

         

           L40
           boundary
           #mcp ↔ MCPClient
         

         
Trust boundary at tool argument parsing

-        
  35 │  * @audit #mcp -- "Threat model data intentionally exposed to connected agents"  36 │  * @flows MCPClient -> #mcp via tool_call -- "Tool invocation input"  37 │  * @flows #mcp -> FileSystem via writeFile -- "Report/dashboard output"  38 │  * @flows #mcp -> #llm-client via generateThreatReport -- "LLM API call path"  39 │  * @flows #mcp -> MCPClient via resource -- "Threat model data output"  40 │  * @boundary #mcp and MCPClient (#mcp-tool-boundary) -- "Trust boundary at tool argument parsing"  41 │  * @handles internal on #mcp -- "Processes project annotations and threat model data"  42 │  */  43 │   44 │ import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';  45 │ import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';

+        
  35 │  * @audit #mcp -- "Threat model data intentionally exposed to connected agents"  36 │  * @flows MCPClient -> #mcp via tool_call -- "Tool invocation input"  37 │  * @flows #mcp -> FileSystem via writeFile -- "Report/dashboard output"  38 │  * @flows #mcp -> #llm-client via generateThreatReport -- "LLM API call path"  39 │  * @flows #mcp -> MCPClient via resource -- "Threat model data output"  40 │  * @boundary #mcp and MCPClient (#mcp-tool-boundary) -- "Trust boundary at tool argument parsing"  41 │  * @handles internal on #mcp -- "Processes project annotations and threat model data"  42 │  * @feature "MCP Integration" -- "Model Context Protocol server for AI agent tooling"  43 │  */  44 │   45 │ import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';

       

-      

+      

         

           L41
           handles
           #mcp: internal
         

         
Processes project annotations and threat model data

-        
  36 │  * @flows MCPClient -> #mcp via tool_call -- "Tool invocation input"  37 │  * @flows #mcp -> FileSystem via writeFile -- "Report/dashboard output"  38 │  * @flows #mcp -> #llm-client via generateThreatReport -- "LLM API call path"  39 │  * @flows #mcp -> MCPClient via resource -- "Threat model data output"  40 │  * @boundary #mcp and MCPClient (#mcp-tool-boundary) -- "Trust boundary at tool argument parsing"  41 │  * @handles internal on #mcp -- "Processes project annotations and threat model data"  42 │  */  43 │   44 │ import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';  45 │ import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';  46 │ import { z } from 'zod';

+        
  36 │  * @flows MCPClient -> #mcp via tool_call -- "Tool invocation input"  37 │  * @flows #mcp -> FileSystem via writeFile -- "Report/dashboard output"  38 │  * @flows #mcp -> #llm-client via generateThreatReport -- "LLM API call path"  39 │  * @flows #mcp -> MCPClient via resource -- "Threat model data output"  40 │  * @boundary #mcp and MCPClient (#mcp-tool-boundary) -- "Trust boundary at tool argument parsing"  41 │  * @handles internal on #mcp -- "Processes project annotations and threat model data"  42 │  * @feature "MCP Integration" -- "Model Context Protocol server for AI agent tooling"  43 │  */  44 │   45 │ import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';  46 │ import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';

       

     

   

-  

+  

     

       src/mcp/suggest.ts
       
@@ -4397,7 +5876,7 @@ 
unknown

     

     

       
-      

+      

         

           L12
           exposes
@@ -4406,7 +5885,7 @@ 
unknown

         
File path from MCP client joined with root

         
   7 │  *   - HTTP handlers, auth checks, input parsing   8 │  *   - Missing annotations on files that handle sensitive data   9 │  *  10 │  * Designed for both file-based and diff-based analysis (§8.2).  11 │  *  12 │  * @exposes #suggest to #path-traversal [high] cwe:CWE-22 -- "File path from MCP client joined with root"  13 │  * @mitigates #suggest against #path-traversal using #path-validation -- "join() with validated root constrains access"  14 │  * @exposes #suggest to #redos [medium] cwe:CWE-1333 -- "Complex regex patterns applied to source code"  15 │  * @mitigates #suggest against #redos using #regex-anchoring -- "Patterns designed with bounded quantifiers"  16 │  * @exposes #suggest to #dos [low] cwe:CWE-400 -- "Large files loaded into memory for pattern scanning"  17 │  * @audit #suggest -- "File size is bounded by project scope; production use involves reasonable file sizes"

       

-      

+      

         

           L13
           mitigates
@@ -4415,7 +5894,7 @@ 
unknown

         
join() with validated root constrains access

         
   8 │  *   - Missing annotations on files that handle sensitive data   9 │  *  10 │  * Designed for both file-based and diff-based analysis (§8.2).  11 │  *  12 │  * @exposes #suggest to #path-traversal [high] cwe:CWE-22 -- "File path from MCP client joined with root"  13 │  * @mitigates #suggest against #path-traversal using #path-validation -- "join() with validated root constrains access"  14 │  * @exposes #suggest to #redos [medium] cwe:CWE-1333 -- "Complex regex patterns applied to source code"  15 │  * @mitigates #suggest against #redos using #regex-anchoring -- "Patterns designed with bounded quantifiers"  16 │  * @exposes #suggest to #dos [low] cwe:CWE-400 -- "Large files loaded into memory for pattern scanning"  17 │  * @audit #suggest -- "File size is bounded by project scope; production use involves reasonable file sizes"  18 │  * @flows FilePath -> #suggest via readFileSync -- "File read path"

       

-      

+      

         

           L14
           exposes
@@ -4424,7 +5903,7 @@ 
unknown

         
Complex regex patterns applied to source code

         
   9 │  *  10 │  * Designed for both file-based and diff-based analysis (§8.2).  11 │  *  12 │  * @exposes #suggest to #path-traversal [high] cwe:CWE-22 -- "File path from MCP client joined with root"  13 │  * @mitigates #suggest against #path-traversal using #path-validation -- "join() with validated root constrains access"  14 │  * @exposes #suggest to #redos [medium] cwe:CWE-1333 -- "Complex regex patterns applied to source code"  15 │  * @mitigates #suggest against #redos using #regex-anchoring -- "Patterns designed with bounded quantifiers"  16 │  * @exposes #suggest to #dos [low] cwe:CWE-400 -- "Large files loaded into memory for pattern scanning"  17 │  * @audit #suggest -- "File size is bounded by project scope; production use involves reasonable file sizes"  18 │  * @flows FilePath -> #suggest via readFileSync -- "File read path"  19 │  * @flows #suggest -> Suggestions via suggestAnnotations -- "Suggestion output"

       

-      

+      

         

           L15
           mitigates
@@ -4433,7 +5912,7 @@ 
unknown

         
Patterns designed with bounded quantifiers

         
  10 │  * Designed for both file-based and diff-based analysis (§8.2).  11 │  *  12 │  * @exposes #suggest to #path-traversal [high] cwe:CWE-22 -- "File path from MCP client joined with root"  13 │  * @mitigates #suggest against #path-traversal using #path-validation -- "join() with validated root constrains access"  14 │  * @exposes #suggest to #redos [medium] cwe:CWE-1333 -- "Complex regex patterns applied to source code"  15 │  * @mitigates #suggest against #redos using #regex-anchoring -- "Patterns designed with bounded quantifiers"  16 │  * @exposes #suggest to #dos [low] cwe:CWE-400 -- "Large files loaded into memory for pattern scanning"  17 │  * @audit #suggest -- "File size is bounded by project scope; production use involves reasonable file sizes"  18 │  * @flows FilePath -> #suggest via readFileSync -- "File read path"  19 │  * @flows #suggest -> Suggestions via suggestAnnotations -- "Suggestion output"  20 │  * @comment -- "Skips node_modules and .guardlink directories"

       

-      

+      

         

           L16
           exposes
@@ -4442,7 +5921,7 @@ 
unknown

         
Large files loaded into memory for pattern scanning

         
  11 │  *  12 │  * @exposes #suggest to #path-traversal [high] cwe:CWE-22 -- "File path from MCP client joined with root"  13 │  * @mitigates #suggest against #path-traversal using #path-validation -- "join() with validated root constrains access"  14 │  * @exposes #suggest to #redos [medium] cwe:CWE-1333 -- "Complex regex patterns applied to source code"  15 │  * @mitigates #suggest against #redos using #regex-anchoring -- "Patterns designed with bounded quantifiers"  16 │  * @exposes #suggest to #dos [low] cwe:CWE-400 -- "Large files loaded into memory for pattern scanning"  17 │  * @audit #suggest -- "File size is bounded by project scope; production use involves reasonable file sizes"  18 │  * @flows FilePath -> #suggest via readFileSync -- "File read path"  19 │  * @flows #suggest -> Suggestions via suggestAnnotations -- "Suggestion output"  20 │  * @comment -- "Skips node_modules and .guardlink directories"  21 │  */

       

-      

+      

         

           L17
           audit
@@ -4451,7 +5930,7 @@ 
unknown

         
File size is bounded by project scope; production use involves reasonable file sizes

         
  12 │  * @exposes #suggest to #path-traversal [high] cwe:CWE-22 -- "File path from MCP client joined with root"  13 │  * @mitigates #suggest against #path-traversal using #path-validation -- "join() with validated root constrains access"  14 │  * @exposes #suggest to #redos [medium] cwe:CWE-1333 -- "Complex regex patterns applied to source code"  15 │  * @mitigates #suggest against #redos using #regex-anchoring -- "Patterns designed with bounded quantifiers"  16 │  * @exposes #suggest to #dos [low] cwe:CWE-400 -- "Large files loaded into memory for pattern scanning"  17 │  * @audit #suggest -- "File size is bounded by project scope; production use involves reasonable file sizes"  18 │  * @flows FilePath -> #suggest via readFileSync -- "File read path"  19 │  * @flows #suggest -> Suggestions via suggestAnnotations -- "Suggestion output"  20 │  * @comment -- "Skips node_modules and .guardlink directories"  21 │  */  22 │ 

       

-      

+      

         

           L18
           flow
@@ -4460,7 +5939,7 @@ 
unknown

         
File read path

         
  13 │  * @mitigates #suggest against #path-traversal using #path-validation -- "join() with validated root constrains access"  14 │  * @exposes #suggest to #redos [medium] cwe:CWE-1333 -- "Complex regex patterns applied to source code"  15 │  * @mitigates #suggest against #redos using #regex-anchoring -- "Patterns designed with bounded quantifiers"  16 │  * @exposes #suggest to #dos [low] cwe:CWE-400 -- "Large files loaded into memory for pattern scanning"  17 │  * @audit #suggest -- "File size is bounded by project scope; production use involves reasonable file sizes"  18 │  * @flows FilePath -> #suggest via readFileSync -- "File read path"  19 │  * @flows #suggest -> Suggestions via suggestAnnotations -- "Suggestion output"  20 │  * @comment -- "Skips node_modules and .guardlink directories"  21 │  */  22 │   23 │ import { readFileSync, existsSync } from 'node:fs';

       

-      

+      

         

           L19
           flow
@@ -4469,7 +5948,7 @@ 
unknown

         
Suggestion output

         
  14 │  * @exposes #suggest to #redos [medium] cwe:CWE-1333 -- "Complex regex patterns applied to source code"  15 │  * @mitigates #suggest against #redos using #regex-anchoring -- "Patterns designed with bounded quantifiers"  16 │  * @exposes #suggest to #dos [low] cwe:CWE-400 -- "Large files loaded into memory for pattern scanning"  17 │  * @audit #suggest -- "File size is bounded by project scope; production use involves reasonable file sizes"  18 │  * @flows FilePath -> #suggest via readFileSync -- "File read path"  19 │  * @flows #suggest -> Suggestions via suggestAnnotations -- "Suggestion output"  20 │  * @comment -- "Skips node_modules and .guardlink directories"  21 │  */  22 │   23 │ import { readFileSync, existsSync } from 'node:fs';  24 │ import { join, extname } from 'node:path';

       

-      

+      

         

           L20
           comment
@@ -4480,7 +5959,7 @@ 
unknown

       

     

   

-  

+  

     

       src/parser/clear.ts
       
@@ -4490,72 +5969,93 @@ 
unknown

     

     

       
-      

+      

         

-          L7
+          L8
           exposes
           #parser → #arbitrary-write
         

         
Writes modified content back to discovered files

-        
   2 │  * GuardLink — Annotation clearing utility.   3 │  * Scans project source files and removes all GuardLink annotation comment lines.   4 │  *   5 │  * Used by `guardlink clear` and `/clear` to let users start fresh with annotations.   6 │  *   7 │  * @exposes #parser to #arbitrary-write [high] cwe:CWE-73 -- "Writes modified content back to discovered files"   8 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns determine which files are modified"   9 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks sensitive dirs; cwd constrains scope"  10 │  * @audit #parser -- "Destructive operation requires explicit user confirmation via dryRun flag"  11 │  * @flows ProjectRoot -> #parser via fast-glob -- "File discovery path"  12 │  * @flows #parser -> SourceFiles via writeFile -- "Modified file write path"

+        
   3 │  * Scans project source files and removes all GuardLink annotation lines.   4 │  * Standalone .gal files are treated as raw annotation text.   5 │  *   6 │  * Used by `guardlink clear` and `/clear` to let users start fresh with annotations.   7 │  *   8 │  * @exposes #parser to #arbitrary-write [high] cwe:CWE-73 -- "Writes modified content back to discovered files"   9 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns determine which files are modified"  10 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks sensitive dirs; cwd constrains scope"  11 │  * @audit #parser -- "Destructive operation requires explicit user confirmation via dryRun flag"  12 │  * @flows ProjectRoot -> #parser via fast-glob -- "File discovery path"  13 │  * @flows #parser -> SourceFiles via writeFile -- "Modified file write path"

       

-      

+      

         

-          L8
+          L9
           exposes
           #parser → #path-traversal
         

         
Glob patterns determine which files are modified

-        
   3 │  * Scans project source files and removes all GuardLink annotation comment lines.   4 │  *   5 │  * Used by `guardlink clear` and `/clear` to let users start fresh with annotations.   6 │  *   7 │  * @exposes #parser to #arbitrary-write [high] cwe:CWE-73 -- "Writes modified content back to discovered files"   8 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns determine which files are modified"   9 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks sensitive dirs; cwd constrains scope"  10 │  * @audit #parser -- "Destructive operation requires explicit user confirmation via dryRun flag"  11 │  * @flows ProjectRoot -> #parser via fast-glob -- "File discovery path"  12 │  * @flows #parser -> SourceFiles via writeFile -- "Modified file write path"  13 │  * @handles internal on #parser -- "Operates on project source files only"

+        
   4 │  * Standalone .gal files are treated as raw annotation text.   5 │  *   6 │  * Used by `guardlink clear` and `/clear` to let users start fresh with annotations.   7 │  *   8 │  * @exposes #parser to #arbitrary-write [high] cwe:CWE-73 -- "Writes modified content back to discovered files"   9 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns determine which files are modified"  10 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks sensitive dirs; cwd constrains scope"  11 │  * @audit #parser -- "Destructive operation requires explicit user confirmation via dryRun flag"  12 │  * @flows ProjectRoot -> #parser via fast-glob -- "File discovery path"  13 │  * @flows #parser -> SourceFiles via writeFile -- "Modified file write path"  14 │  * @handles internal on #parser -- "Operates on project source files only"

       

-      

+      

         

-          L9
+          L10
           mitigates
           #glob-filtering mitigates #path-traversal
         

         
DEFAULT_EXCLUDE blocks sensitive dirs; cwd constrains scope

-        
   4 │  *   5 │  * Used by `guardlink clear` and `/clear` to let users start fresh with annotations.   6 │  *   7 │  * @exposes #parser to #arbitrary-write [high] cwe:CWE-73 -- "Writes modified content back to discovered files"   8 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns determine which files are modified"   9 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks sensitive dirs; cwd constrains scope"  10 │  * @audit #parser -- "Destructive operation requires explicit user confirmation via dryRun flag"  11 │  * @flows ProjectRoot -> #parser via fast-glob -- "File discovery path"  12 │  * @flows #parser -> SourceFiles via writeFile -- "Modified file write path"  13 │  * @handles internal on #parser -- "Operates on project source files only"  14 │  */

+        
   5 │  *   6 │  * Used by `guardlink clear` and `/clear` to let users start fresh with annotations.   7 │  *   8 │  * @exposes #parser to #arbitrary-write [high] cwe:CWE-73 -- "Writes modified content back to discovered files"   9 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns determine which files are modified"  10 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks sensitive dirs; cwd constrains scope"  11 │  * @audit #parser -- "Destructive operation requires explicit user confirmation via dryRun flag"  12 │  * @flows ProjectRoot -> #parser via fast-glob -- "File discovery path"  13 │  * @flows #parser -> SourceFiles via writeFile -- "Modified file write path"  14 │  * @handles internal on #parser -- "Operates on project source files only"  15 │  */

       

-      

+      

         

-          L10
+          L11
           audit
           Audit: #parser
         

         
Destructive operation requires explicit user confirmation via dryRun flag

-        
   5 │  * Used by `guardlink clear` and `/clear` to let users start fresh with annotations.   6 │  *   7 │  * @exposes #parser to #arbitrary-write [high] cwe:CWE-73 -- "Writes modified content back to discovered files"   8 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns determine which files are modified"   9 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks sensitive dirs; cwd constrains scope"  10 │  * @audit #parser -- "Destructive operation requires explicit user confirmation via dryRun flag"  11 │  * @flows ProjectRoot -> #parser via fast-glob -- "File discovery path"  12 │  * @flows #parser -> SourceFiles via writeFile -- "Modified file write path"  13 │  * @handles internal on #parser -- "Operates on project source files only"  14 │  */  15 │ 

+        
   6 │  * Used by `guardlink clear` and `/clear` to let users start fresh with annotations.   7 │  *   8 │  * @exposes #parser to #arbitrary-write [high] cwe:CWE-73 -- "Writes modified content back to discovered files"   9 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns determine which files are modified"  10 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks sensitive dirs; cwd constrains scope"  11 │  * @audit #parser -- "Destructive operation requires explicit user confirmation via dryRun flag"  12 │  * @flows ProjectRoot -> #parser via fast-glob -- "File discovery path"  13 │  * @flows #parser -> SourceFiles via writeFile -- "Modified file write path"  14 │  * @handles internal on #parser -- "Operates on project source files only"  15 │  */  16 │ 

       

-      

+      

         

-          L11
+          L12
           flow
           ProjectRoot → #parser
         

         
File discovery path

-        
   6 │  *   7 │  * @exposes #parser to #arbitrary-write [high] cwe:CWE-73 -- "Writes modified content back to discovered files"   8 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns determine which files are modified"   9 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks sensitive dirs; cwd constrains scope"  10 │  * @audit #parser -- "Destructive operation requires explicit user confirmation via dryRun flag"  11 │  * @flows ProjectRoot -> #parser via fast-glob -- "File discovery path"  12 │  * @flows #parser -> SourceFiles via writeFile -- "Modified file write path"  13 │  * @handles internal on #parser -- "Operates on project source files only"  14 │  */  15 │   16 │ import fg from 'fast-glob';

+        
   7 │  *   8 │  * @exposes #parser to #arbitrary-write [high] cwe:CWE-73 -- "Writes modified content back to discovered files"   9 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns determine which files are modified"  10 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks sensitive dirs; cwd constrains scope"  11 │  * @audit #parser -- "Destructive operation requires explicit user confirmation via dryRun flag"  12 │  * @flows ProjectRoot -> #parser via fast-glob -- "File discovery path"  13 │  * @flows #parser -> SourceFiles via writeFile -- "Modified file write path"  14 │  * @handles internal on #parser -- "Operates on project source files only"  15 │  */  16 │   17 │ import fg from 'fast-glob';

       

-      

+      

         

-          L12
+          L13
           flow
           #parser → SourceFiles
         

         
Modified file write path

-        
   7 │  * @exposes #parser to #arbitrary-write [high] cwe:CWE-73 -- "Writes modified content back to discovered files"   8 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns determine which files are modified"   9 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks sensitive dirs; cwd constrains scope"  10 │  * @audit #parser -- "Destructive operation requires explicit user confirmation via dryRun flag"  11 │  * @flows ProjectRoot -> #parser via fast-glob -- "File discovery path"  12 │  * @flows #parser -> SourceFiles via writeFile -- "Modified file write path"  13 │  * @handles internal on #parser -- "Operates on project source files only"  14 │  */  15 │   16 │ import fg from 'fast-glob';  17 │ import { readFile, writeFile } from 'node:fs/promises';

+        
   8 │  * @exposes #parser to #arbitrary-write [high] cwe:CWE-73 -- "Writes modified content back to discovered files"   9 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns determine which files are modified"  10 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks sensitive dirs; cwd constrains scope"  11 │  * @audit #parser -- "Destructive operation requires explicit user confirmation via dryRun flag"  12 │  * @flows ProjectRoot -> #parser via fast-glob -- "File discovery path"  13 │  * @flows #parser -> SourceFiles via writeFile -- "Modified file write path"  14 │  * @handles internal on #parser -- "Operates on project source files only"  15 │  */  16 │   17 │ import fg from 'fast-glob';  18 │ import { readFile, writeFile } from 'node:fs/promises';

       

-      

+      

         

-          L13
+          L14
           handles
           #parser: internal
         

         
Operates on project source files only

-        
   8 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns determine which files are modified"   9 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks sensitive dirs; cwd constrains scope"  10 │  * @audit #parser -- "Destructive operation requires explicit user confirmation via dryRun flag"  11 │  * @flows ProjectRoot -> #parser via fast-glob -- "File discovery path"  12 │  * @flows #parser -> SourceFiles via writeFile -- "Modified file write path"  13 │  * @handles internal on #parser -- "Operates on project source files only"  14 │  */  15 │   16 │ import fg from 'fast-glob';  17 │ import { readFile, writeFile } from 'node:fs/promises';  18 │ import { relative } from 'node:path';

+        
   9 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns determine which files are modified"  10 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks sensitive dirs; cwd constrains scope"  11 │  * @audit #parser -- "Destructive operation requires explicit user confirmation via dryRun flag"  12 │  * @flows ProjectRoot -> #parser via fast-glob -- "File discovery path"  13 │  * @flows #parser -> SourceFiles via writeFile -- "Modified file write path"  14 │  * @handles internal on #parser -- "Operates on project source files only"  15 │  */  16 │   17 │ import fg from 'fast-glob';  18 │ import { readFile, writeFile } from 'node:fs/promises';  19 │ import { relative } from 'node:path';

       

     

   

-  

+  

+    

+      src/parser/feature-filter.ts
+      
+        1
+        
+      
+    

+    

+      
+      

+        

+          L9
+          comment
+          Pure filtering utility; no I/O
+        

+        
Pure filtering utility; no I/O

+        
   4 │  * Filters a ThreatModel to only include annotations that belong to   5 │  * specific features. Feature association is determined by file-level   6 │  * proximity: if a file contains @feature "X", all annotations in   7 │  * that file are considered part of feature "X".   8 │  *   9 │  * @comment -- "Pure filtering utility; no I/O"  10 │  */  11 │   12 │ import type { ThreatModel } from '../types/index.js';  13 │   14 │ /**

+      

+    

+  

+  

     

       src/parser/parse-file.ts
       
@@ -4565,54 +6065,54 @@ 
unknown

     

     

       
-      

+      

         

-          L5
+          L6
           exposes
           #parser → #path-traversal
         

         
File path from caller read via readFile; no validation here

-        
   1 │ /**   2 │  * GuardLink — File-level parser.   3 │  * Reads source files and extracts all GuardLink annotations.   4 │  *   5 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "File path from caller read via readFile; no validation here"   6 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large files loaded entirely into memory"   7 │  * @audit #parser -- "Path validation delegated to callers (CLI/MCP validate root)"   8 │  * @flows FilePath -> #parser via readFile -- "Disk read path"   9 │  * @flows #parser -> Annotations via parseString -- "Parsed annotation output"  10 │  */

+        
   1 │ /**   2 │  * GuardLink — File-level parser.   3 │  * Reads source files and extracts all GuardLink annotations.   4 │  * Standalone .gal files are treated as raw annotation text.   5 │  *   6 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "File path from caller read via readFile; no validation here"   7 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large files loaded entirely into memory"   8 │  * @audit #parser -- "Path validation delegated to callers (CLI/MCP validate root)"   9 │  * @flows FilePath -> #parser via readFile -- "Disk read path"  10 │  * @flows #parser -> Annotations via parseString -- "Parsed annotation output"  11 │  */

       

-      

+      

         

-          L6
+          L7
           exposes
           #parser → #dos
         

         
Large files loaded entirely into memory

-        
   1 │ /**   2 │  * GuardLink — File-level parser.   3 │  * Reads source files and extracts all GuardLink annotations.   4 │  *   5 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "File path from caller read via readFile; no validation here"   6 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large files loaded entirely into memory"   7 │  * @audit #parser -- "Path validation delegated to callers (CLI/MCP validate root)"   8 │  * @flows FilePath -> #parser via readFile -- "Disk read path"   9 │  * @flows #parser -> Annotations via parseString -- "Parsed annotation output"  10 │  */  11 │ 

+        
   2 │  * GuardLink — File-level parser.   3 │  * Reads source files and extracts all GuardLink annotations.   4 │  * Standalone .gal files are treated as raw annotation text.   5 │  *   6 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "File path from caller read via readFile; no validation here"   7 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large files loaded entirely into memory"   8 │  * @audit #parser -- "Path validation delegated to callers (CLI/MCP validate root)"   9 │  * @flows FilePath -> #parser via readFile -- "Disk read path"  10 │  * @flows #parser -> Annotations via parseString -- "Parsed annotation output"  11 │  */  12 │ 

       

-      

+      

         

-          L7
+          L8
           audit
           Audit: #parser
         

         
Path validation delegated to callers (CLI/MCP validate root)

-        
   2 │  * GuardLink — File-level parser.   3 │  * Reads source files and extracts all GuardLink annotations.   4 │  *   5 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "File path from caller read via readFile; no validation here"   6 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large files loaded entirely into memory"   7 │  * @audit #parser -- "Path validation delegated to callers (CLI/MCP validate root)"   8 │  * @flows FilePath -> #parser via readFile -- "Disk read path"   9 │  * @flows #parser -> Annotations via parseString -- "Parsed annotation output"  10 │  */  11 │   12 │ import { readFile } from 'node:fs/promises';

+        
   3 │  * Reads source files and extracts all GuardLink annotations.   4 │  * Standalone .gal files are treated as raw annotation text.   5 │  *   6 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "File path from caller read via readFile; no validation here"   7 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large files loaded entirely into memory"   8 │  * @audit #parser -- "Path validation delegated to callers (CLI/MCP validate root)"   9 │  * @flows FilePath -> #parser via readFile -- "Disk read path"  10 │  * @flows #parser -> Annotations via parseString -- "Parsed annotation output"  11 │  */  12 │   13 │ import { readFile } from 'node:fs/promises';

       

-      

+      

         

-          L8
+          L9
           flow
           FilePath → #parser
         

         
Disk read path

-        
   3 │  * Reads source files and extracts all GuardLink annotations.   4 │  *   5 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "File path from caller read via readFile; no validation here"   6 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large files loaded entirely into memory"   7 │  * @audit #parser -- "Path validation delegated to callers (CLI/MCP validate root)"   8 │  * @flows FilePath -> #parser via readFile -- "Disk read path"   9 │  * @flows #parser -> Annotations via parseString -- "Parsed annotation output"  10 │  */  11 │   12 │ import { readFile } from 'node:fs/promises';  13 │ import { basename, extname } from 'node:path';

+        
   4 │  * Standalone .gal files are treated as raw annotation text.   5 │  *   6 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "File path from caller read via readFile; no validation here"   7 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large files loaded entirely into memory"   8 │  * @audit #parser -- "Path validation delegated to callers (CLI/MCP validate root)"   9 │  * @flows FilePath -> #parser via readFile -- "Disk read path"  10 │  * @flows #parser -> Annotations via parseString -- "Parsed annotation output"  11 │  */  12 │   13 │ import { readFile } from 'node:fs/promises';  14 │ import type { Annotation, ParseDiagnostic, ParseResult, SourceLocation } from '../types/index.js';

       

-      

+      

         

-          L9
+          L10
           flow
           #parser → Annotations
         

         
Parsed annotation output

-        
   4 │  *   5 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "File path from caller read via readFile; no validation here"   6 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large files loaded entirely into memory"   7 │  * @audit #parser -- "Path validation delegated to callers (CLI/MCP validate root)"   8 │  * @flows FilePath -> #parser via readFile -- "Disk read path"   9 │  * @flows #parser -> Annotations via parseString -- "Parsed annotation output"  10 │  */  11 │   12 │ import { readFile } from 'node:fs/promises';  13 │ import { basename, extname } from 'node:path';  14 │ import type { Annotation, ParseDiagnostic, ParseResult } from '../types/index.js';

+        
   5 │  *   6 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "File path from caller read via readFile; no validation here"   7 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large files loaded entirely into memory"   8 │  * @audit #parser -- "Path validation delegated to callers (CLI/MCP validate root)"   9 │  * @flows FilePath -> #parser via readFile -- "Disk read path"  10 │  * @flows #parser -> Annotations via parseString -- "Parsed annotation output"  11 │  */  12 │   13 │ import { readFile } from 'node:fs/promises';  14 │ import type { Annotation, ParseDiagnostic, ParseResult, SourceLocation } from '../types/index.js';  15 │ import { isStandaloneAnnotationFile, stripCommentPrefix } from './comment-strip.js';

       

     

   

-  

+  

     

       src/parser/parse-line.ts
       
@@ -4622,7 +6122,7 @@ 
unknown

     

     

       
-      

+      

         

           L5
           exposes
@@ -4631,7 +6131,7 @@ 
unknown

         
Complex regex patterns applied to annotation text

         
   1 │ /**   2 │  * GuardLink — Line-level annotation parser.   3 │  * Parses a single comment line into a typed Annotation.   4 │  *   5 │  * @exposes #parser to #redos [medium] cwe:CWE-1333 -- "Complex regex patterns applied to annotation text"   6 │  * @mitigates #parser against #redos using #regex-anchoring -- "All patterns are anchored (^...$) to prevent backtracking"   7 │  * @comment -- "Regex patterns designed with bounded quantifiers and explicit structure"   8 │  */   9 │   10 │ import type {

       

-      

+      

         

           L6
           mitigates
@@ -4640,7 +6140,7 @@ 
unknown

         
All patterns are anchored (^...$) to prevent backtracking

         
   1 │ /**   2 │  * GuardLink — Line-level annotation parser.   3 │  * Parses a single comment line into a typed Annotation.   4 │  *   5 │  * @exposes #parser to #redos [medium] cwe:CWE-1333 -- "Complex regex patterns applied to annotation text"   6 │  * @mitigates #parser against #redos using #regex-anchoring -- "All patterns are anchored (^...$) to prevent backtracking"   7 │  * @comment -- "Regex patterns designed with bounded quantifiers and explicit structure"   8 │  */   9 │   10 │ import type {  11 │   Annotation, AnnotationVerb, Severity, DataClassification,

       

-      

+      

         

           L7
           comment
@@ -4651,17 +6151,17 @@ 
unknown

       

     

   

-  

+  

     

       src/parser/parse-project.ts
       
-        7
+        8
         
       
     

     

       
-      

+      

         

           L5
           exposes
@@ -4670,63 +6170,102 @@ 
unknown

         
Glob patterns could escape root directory

         
   1 │ /**   2 │  * GuardLink — Project-level parser.   3 │  * Walks a directory, parses all source files, and assembles a ThreatModel.   4 │  *   5 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns could escape root directory"   6 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks node_modules, .git; fast-glob cwd constrains scan"   7 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large projects with many files could exhaust memory"   8 │  * @mitigates #parser against #dos using #resource-limits -- "DEFAULT_EXCLUDE skips build artifacts, tests; limits effective file count"   9 │  * @flows ProjectRoot -> #parser via fast-glob -- "Directory traversal path"  10 │  * @flows #parser -> ThreatModel via assembleModel -- "Aggregated threat model output"

       

-      

+      

         

           L6
           mitigates
           #glob-filtering mitigates #path-traversal
         

         
DEFAULT_EXCLUDE blocks node_modules, .git; fast-glob cwd constrains scan

-        
   1 │ /**   2 │  * GuardLink — Project-level parser.   3 │  * Walks a directory, parses all source files, and assembles a ThreatModel.   4 │  *   5 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns could escape root directory"   6 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks node_modules, .git; fast-glob cwd constrains scan"   7 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large projects with many files could exhaust memory"   8 │  * @mitigates #parser against #dos using #resource-limits -- "DEFAULT_EXCLUDE skips build artifacts, tests; limits effective file count"   9 │  * @flows ProjectRoot -> #parser via fast-glob -- "Directory traversal path"  10 │  * @flows #parser -> ThreatModel via assembleModel -- "Aggregated threat model output"  11 │  * @boundary #parser and FileSystem (#fs-boundary) -- "Trust boundary between parser and disk I/O"

+        
   1 │ /**   2 │  * GuardLink — Project-level parser.   3 │  * Walks a directory, parses all source files, and assembles a ThreatModel.   4 │  *   5 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns could escape root directory"   6 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks node_modules, .git; fast-glob cwd constrains scan"   7 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large projects with many files could exhaust memory"   8 │  * @mitigates #parser against #dos using #resource-limits -- "DEFAULT_EXCLUDE skips build artifacts, tests; limits effective file count"   9 │  * @flows ProjectRoot -> #parser via fast-glob -- "Directory traversal path"  10 │  * @flows #parser -> ThreatModel via assembleModel -- "Aggregated threat model output"  11 │  * @comment -- "Scans standalone .gal files in addition to comment-based source annotations"

       

-      

+      

         

           L7
           exposes
           #parser → #dos
         

         
Large projects with many files could exhaust memory

-        
   2 │  * GuardLink — Project-level parser.   3 │  * Walks a directory, parses all source files, and assembles a ThreatModel.   4 │  *   5 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns could escape root directory"   6 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks node_modules, .git; fast-glob cwd constrains scan"   7 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large projects with many files could exhaust memory"   8 │  * @mitigates #parser against #dos using #resource-limits -- "DEFAULT_EXCLUDE skips build artifacts, tests; limits effective file count"   9 │  * @flows ProjectRoot -> #parser via fast-glob -- "Directory traversal path"  10 │  * @flows #parser -> ThreatModel via assembleModel -- "Aggregated threat model output"  11 │  * @boundary #parser and FileSystem (#fs-boundary) -- "Trust boundary between parser and disk I/O"  12 │  */

+        
   2 │  * GuardLink — Project-level parser.   3 │  * Walks a directory, parses all source files, and assembles a ThreatModel.   4 │  *   5 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns could escape root directory"   6 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks node_modules, .git; fast-glob cwd constrains scan"   7 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large projects with many files could exhaust memory"   8 │  * @mitigates #parser against #dos using #resource-limits -- "DEFAULT_EXCLUDE skips build artifacts, tests; limits effective file count"   9 │  * @flows ProjectRoot -> #parser via fast-glob -- "Directory traversal path"  10 │  * @flows #parser -> ThreatModel via assembleModel -- "Aggregated threat model output"  11 │  * @comment -- "Scans standalone .gal files in addition to comment-based source annotations"  12 │  * @boundary #parser and FileSystem (#fs-boundary) -- "Trust boundary between parser and disk I/O"

       

-      

+      

         

           L8
           mitigates
           #resource-limits mitigates #dos
         

         
DEFAULT_EXCLUDE skips build artifacts, tests; limits effective file count

-        
   3 │  * Walks a directory, parses all source files, and assembles a ThreatModel.   4 │  *   5 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns could escape root directory"   6 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks node_modules, .git; fast-glob cwd constrains scan"   7 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large projects with many files could exhaust memory"   8 │  * @mitigates #parser against #dos using #resource-limits -- "DEFAULT_EXCLUDE skips build artifacts, tests; limits effective file count"   9 │  * @flows ProjectRoot -> #parser via fast-glob -- "Directory traversal path"  10 │  * @flows #parser -> ThreatModel via assembleModel -- "Aggregated threat model output"  11 │  * @boundary #parser and FileSystem (#fs-boundary) -- "Trust boundary between parser and disk I/O"  12 │  */  13 │ 

+        
   3 │  * Walks a directory, parses all source files, and assembles a ThreatModel.   4 │  *   5 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns could escape root directory"   6 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks node_modules, .git; fast-glob cwd constrains scan"   7 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large projects with many files could exhaust memory"   8 │  * @mitigates #parser against #dos using #resource-limits -- "DEFAULT_EXCLUDE skips build artifacts, tests; limits effective file count"   9 │  * @flows ProjectRoot -> #parser via fast-glob -- "Directory traversal path"  10 │  * @flows #parser -> ThreatModel via assembleModel -- "Aggregated threat model output"  11 │  * @comment -- "Scans standalone .gal files in addition to comment-based source annotations"  12 │  * @boundary #parser and FileSystem (#fs-boundary) -- "Trust boundary between parser and disk I/O"  13 │  */

       

-      

+      

         

           L9
           flow
           ProjectRoot → #parser
         

         
Directory traversal path

-        
   4 │  *   5 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns could escape root directory"   6 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks node_modules, .git; fast-glob cwd constrains scan"   7 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large projects with many files could exhaust memory"   8 │  * @mitigates #parser against #dos using #resource-limits -- "DEFAULT_EXCLUDE skips build artifacts, tests; limits effective file count"   9 │  * @flows ProjectRoot -> #parser via fast-glob -- "Directory traversal path"  10 │  * @flows #parser -> ThreatModel via assembleModel -- "Aggregated threat model output"  11 │  * @boundary #parser and FileSystem (#fs-boundary) -- "Trust boundary between parser and disk I/O"  12 │  */  13 │   14 │ import fg from 'fast-glob';

+        
   4 │  *   5 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns could escape root directory"   6 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks node_modules, .git; fast-glob cwd constrains scan"   7 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large projects with many files could exhaust memory"   8 │  * @mitigates #parser against #dos using #resource-limits -- "DEFAULT_EXCLUDE skips build artifacts, tests; limits effective file count"   9 │  * @flows ProjectRoot -> #parser via fast-glob -- "Directory traversal path"  10 │  * @flows #parser -> ThreatModel via assembleModel -- "Aggregated threat model output"  11 │  * @comment -- "Scans standalone .gal files in addition to comment-based source annotations"  12 │  * @boundary #parser and FileSystem (#fs-boundary) -- "Trust boundary between parser and disk I/O"  13 │  */  14 │ 

       

-      

+      

         

           L10
           flow
           #parser → ThreatModel
         

         
Aggregated threat model output

-        
   5 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns could escape root directory"   6 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks node_modules, .git; fast-glob cwd constrains scan"   7 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large projects with many files could exhaust memory"   8 │  * @mitigates #parser against #dos using #resource-limits -- "DEFAULT_EXCLUDE skips build artifacts, tests; limits effective file count"   9 │  * @flows ProjectRoot -> #parser via fast-glob -- "Directory traversal path"  10 │  * @flows #parser -> ThreatModel via assembleModel -- "Aggregated threat model output"  11 │  * @boundary #parser and FileSystem (#fs-boundary) -- "Trust boundary between parser and disk I/O"  12 │  */  13 │   14 │ import fg from 'fast-glob';  15 │ import { relative } from 'node:path';

+        
   5 │  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "Glob patterns could escape root directory"   6 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks node_modules, .git; fast-glob cwd constrains scan"   7 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large projects with many files could exhaust memory"   8 │  * @mitigates #parser against #dos using #resource-limits -- "DEFAULT_EXCLUDE skips build artifacts, tests; limits effective file count"   9 │  * @flows ProjectRoot -> #parser via fast-glob -- "Directory traversal path"  10 │  * @flows #parser -> ThreatModel via assembleModel -- "Aggregated threat model output"  11 │  * @comment -- "Scans standalone .gal files in addition to comment-based source annotations"  12 │  * @boundary #parser and FileSystem (#fs-boundary) -- "Trust boundary between parser and disk I/O"  13 │  */  14 │   15 │ import fg from 'fast-glob';

       

-      

+      

         

           L11
+          comment
+          Scans standalone .gal files in addition to comment-based source annotations
+        

+        
Scans standalone .gal files in addition to comment-based source annotations

+        
   6 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks node_modules, .git; fast-glob cwd constrains scan"   7 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large projects with many files could exhaust memory"   8 │  * @mitigates #parser against #dos using #resource-limits -- "DEFAULT_EXCLUDE skips build artifacts, tests; limits effective file count"   9 │  * @flows ProjectRoot -> #parser via fast-glob -- "Directory traversal path"  10 │  * @flows #parser -> ThreatModel via assembleModel -- "Aggregated threat model output"  11 │  * @comment -- "Scans standalone .gal files in addition to comment-based source annotations"  12 │  * @boundary #parser and FileSystem (#fs-boundary) -- "Trust boundary between parser and disk I/O"  13 │  */  14 │   15 │ import fg from 'fast-glob';  16 │ import { isAbsolute, relative } from 'node:path';

+      

+      

+        

+          L12
           boundary
           #parser ↔ FileSystem
         

         
Trust boundary between parser and disk I/O

-        
   6 │  * @mitigates #parser against #path-traversal using #glob-filtering -- "DEFAULT_EXCLUDE blocks node_modules, .git; fast-glob cwd constrains scan"   7 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large projects with many files could exhaust memory"   8 │  * @mitigates #parser against #dos using #resource-limits -- "DEFAULT_EXCLUDE skips build artifacts, tests; limits effective file count"   9 │  * @flows ProjectRoot -> #parser via fast-glob -- "Directory traversal path"  10 │  * @flows #parser -> ThreatModel via assembleModel -- "Aggregated threat model output"  11 │  * @boundary #parser and FileSystem (#fs-boundary) -- "Trust boundary between parser and disk I/O"  12 │  */  13 │   14 │ import fg from 'fast-glob';  15 │ import { relative } from 'node:path';  16 │ import type {

+        
   7 │  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large projects with many files could exhaust memory"   8 │  * @mitigates #parser against #dos using #resource-limits -- "DEFAULT_EXCLUDE skips build artifacts, tests; limits effective file count"   9 │  * @flows ProjectRoot -> #parser via fast-glob -- "Directory traversal path"  10 │  * @flows #parser -> ThreatModel via assembleModel -- "Aggregated threat model output"  11 │  * @comment -- "Scans standalone .gal files in addition to comment-based source annotations"  12 │  * @boundary #parser and FileSystem (#fs-boundary) -- "Trust boundary between parser and disk I/O"  13 │  */  14 │   15 │ import fg from 'fast-glob';  16 │ import { isAbsolute, relative } from 'node:path';  17 │ import type {

+      

+    

+  

+  

+    

+      src/parser/validate.ts
+      
+        2
+        
+      
+    

+    

+      
+      

+        

+          L7
+          mitigates
+          #prefix-ownership mitigates #tag-collision
+        

+        
findDanglingRefs ensures #id refs resolve to definitions

+        
   2 │  * GuardLink — Shared validation helpers.   3 │  *   4 │  * Extracted from cli/index.ts and tui/commands.ts to eliminate duplication   5 │  * and ensure consistent validation logic across all entry points.   6 │  *   7 │  * @mitigates #parser against #tag-collision using #prefix-ownership -- "findDanglingRefs ensures #id refs resolve to definitions"   8 │  * @comment -- "@confirmed refs validated same as @exposes for asset and threat"   9 │  */  10 │   11 │ import type { ThreatModel, ThreatModelExposure, ParseDiagnostic } from '../types/index.js';  12 │ 

+      

+      

+        

+          L8
+          comment
+          @confirmed refs validated same as @exposes for asset and threat
+        

+        
@confirmed refs validated same as @exposes for asset and threat

+        
   3 │  *   4 │  * Extracted from cli/index.ts and tui/commands.ts to eliminate duplication   5 │  * and ensure consistent validation logic across all entry points.   6 │  *   7 │  * @mitigates #parser against #tag-collision using #prefix-ownership -- "findDanglingRefs ensures #id refs resolve to definitions"   8 │  * @comment -- "@confirmed refs validated same as @exposes for asset and threat"   9 │  */  10 │   11 │ import type { ThreatModel, ThreatModelExposure, ParseDiagnostic } from '../types/index.js';  12 │   13 │ /**

       

     

   

-  

+  

     

       src/report/index.ts
       
@@ -4736,7 +6275,7 @@ 
unknown

     

     

       
-      

+      

         

           L4
           comment
@@ -4745,18 +6284,18 @@ 
unknown

         
Report generation is pure transformation; no I/O in this module

         
   1 │ /**   2 │  * GuardLink Report — exports.   3 │  *   4 │  * @comment -- "Report generation is pure transformation; no I/O in this module"   5 │  * @comment -- "File writes handled by CLI/MCP callers"   6 │  */   7 │    8 │ export { generateMermaid } from './mermaid.js';   9 │ export { generateReport } from './report.js';

       

-      

+      

         

           L5
           comment
           File writes handled by CLI/MCP callers
         

         
File writes handled by CLI/MCP callers

-        
   1 │ /**   2 │  * GuardLink Report — exports.   3 │  *   4 │  * @comment -- "Report generation is pure transformation; no I/O in this module"   5 │  * @comment -- "File writes handled by CLI/MCP callers"   6 │  */   7 │    8 │ export { generateMermaid } from './mermaid.js';   9 │ export { generateReport } from './report.js';  10 │ 

+        
   1 │ /**   2 │  * GuardLink Report — exports.   3 │  *   4 │  * @comment -- "Report generation is pure transformation; no I/O in this module"   5 │  * @comment -- "File writes handled by CLI/MCP callers"   6 │  */   7 │    8 │ export { generateMermaid } from './mermaid.js';   9 │ export { generateReport } from './report.js';  10 │ export { generateSequenceDiagram } from './sequence.js';

       

     

   

-  

+  

     

       src/report/report.ts
       
@@ -4766,7 +6305,7 @@ 
unknown

     

     

       
-      

+      

         

           L6
           comment
@@ -4775,7 +6314,7 @@ 
unknown

         
Pure function: transforms ThreatModel to markdown string

         
   1 │ /**   2 │  * GuardLink Report — Markdown report generator.   3 │  * Produces a human-readable threat model report with   4 │  * embedded Mermaid diagram, finding tables, and coverage stats.   5 │  *   6 │  * @comment -- "Pure function: transforms ThreatModel to markdown string"   7 │  * @comment -- "No file I/O; caller (CLI/MCP) handles write"   8 │  * @flows ThreatModel -> #report via generateReport -- "Model input"   9 │  * @flows #report -> Markdown via return -- "Report output"  10 │  */  11 │ 

       

-      

+      

         

           L7
           comment
@@ -4784,7 +6323,7 @@ 
unknown

         
No file I/O; caller (CLI/MCP) handles write

         
   2 │  * GuardLink Report — Markdown report generator.   3 │  * Produces a human-readable threat model report with   4 │  * embedded Mermaid diagram, finding tables, and coverage stats.   5 │  *   6 │  * @comment -- "Pure function: transforms ThreatModel to markdown string"   7 │  * @comment -- "No file I/O; caller (CLI/MCP) handles write"   8 │  * @flows ThreatModel -> #report via generateReport -- "Model input"   9 │  * @flows #report -> Markdown via return -- "Report output"  10 │  */  11 │   12 │ import type { ThreatModel, ThreatModelExposure, Severity } from '../types/index.js';

       

-      

+      

         

           L8
           flow
@@ -4793,18 +6332,48 @@ 
unknown

         
Model input

         
   3 │  * Produces a human-readable threat model report with   4 │  * embedded Mermaid diagram, finding tables, and coverage stats.   5 │  *   6 │  * @comment -- "Pure function: transforms ThreatModel to markdown string"   7 │  * @comment -- "No file I/O; caller (CLI/MCP) handles write"   8 │  * @flows ThreatModel -> #report via generateReport -- "Model input"   9 │  * @flows #report -> Markdown via return -- "Report output"  10 │  */  11 │   12 │ import type { ThreatModel, ThreatModelExposure, Severity } from '../types/index.js';  13 │ import { generateMermaid } from './mermaid.js';

       

-      

+      

         

           L9
           flow
           #report → Markdown
         

         
Report output

-        
   4 │  * embedded Mermaid diagram, finding tables, and coverage stats.   5 │  *   6 │  * @comment -- "Pure function: transforms ThreatModel to markdown string"   7 │  * @comment -- "No file I/O; caller (CLI/MCP) handles write"   8 │  * @flows ThreatModel -> #report via generateReport -- "Model input"   9 │  * @flows #report -> Markdown via return -- "Report output"  10 │  */  11 │   12 │ import type { ThreatModel, ThreatModelExposure, Severity } from '../types/index.js';  13 │ import { generateMermaid } from './mermaid.js';  14 │ 

+        
   4 │  * embedded Mermaid diagram, finding tables, and coverage stats.   5 │  *   6 │  * @comment -- "Pure function: transforms ThreatModel to markdown string"   7 │  * @comment -- "No file I/O; caller (CLI/MCP) handles write"   8 │  * @flows ThreatModel -> #report via generateReport -- "Model input"   9 │  * @flows #report -> Markdown via return -- "Report output"  10 │  */  11 │   12 │ import type { ThreatModel, ThreatModelExposure, Severity } from '../types/index.js';  13 │ import { generateMermaid } from './mermaid.js';  14 │ import { generateSequenceDiagram } from './sequence.js';

+      

+    

+  

+  

+    

+      src/report/sequence.ts
+      
+        2
+        
+      
+    

+    

+      
+      

+        

+          L6
+          comment
+          Pure function: transforms ThreatModel flows to Mermaid sequence diagram
+        

+        
Pure function: transforms ThreatModel flows to Mermaid sequence diagram

+        
   1 │ /**   2 │  * GuardLink Report — Mermaid sequence diagram generator.   3 │  * Builds a sequence diagram from @flows annotations showing   4 │  * the step-by-step interactions between system participants.   5 │  *   6 │  * @comment -- "Pure function: transforms ThreatModel flows to Mermaid sequence diagram"   7 │  * @flows ThreatModel -> #report via generateSequenceDiagram -- "Sequence diagram generation"   8 │  */   9 │   10 │ import type { ThreatModel } from '../types/index.js';  11 │ 

+      

+      

+        

+          L7
+          flow
+          ThreatModel → #report
+        

+        
Sequence diagram generation

+        
   2 │  * GuardLink Report — Mermaid sequence diagram generator.   3 │  * Builds a sequence diagram from @flows annotations showing   4 │  * the step-by-step interactions between system participants.   5 │  *   6 │  * @comment -- "Pure function: transforms ThreatModel flows to Mermaid sequence diagram"   7 │  * @flows ThreatModel -> #report via generateSequenceDiagram -- "Sequence diagram generation"   8 │  */   9 │   10 │ import type { ThreatModel } from '../types/index.js';  11 │   12 │ /** Sanitize participant name for Mermaid sequence diagrams */

       

     

   

-  

+  

     

       src/review/index.ts
       
@@ -4814,7 +6383,7 @@ 
unknown

     

     

       
-      

+      

         

           L10
           exposes
@@ -4823,7 +6392,7 @@ 
unknown

         
Writes @accepts/@audit annotations into source files

         
   5 │  * Users walk through the GAL (Governance Acceptance List) and decide:   6 │  *   accept  — write @accepts + @audit (risk acknowledged, intentional)   7 │  *   remediate — write @audit with planned-fix note   8 │  *   skip    — leave open for now   9 │  *  10 │  * @exposes #cli to #arbitrary-write [medium] cwe:CWE-73 -- "Writes @accepts/@audit annotations into source files"  11 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Only modifies files already in the parsed project"  12 │  * @audit #cli -- "Review decisions require human justification; no empty accepts allowed"  13 │  * @flows ThreatModel -> #cli via getReviewableExposures -- "Exposure list input"  14 │  * @flows #cli -> SourceFiles via writeFile -- "Annotation insertion output"  15 │  * @handles internal on #cli -- "Processes exposure metadata and user justification text"

       

-      

+      

         

           L11
           mitigates
@@ -4832,7 +6401,7 @@ 
unknown

         
Only modifies files already in the parsed project

         
   6 │  *   accept  — write @accepts + @audit (risk acknowledged, intentional)   7 │  *   remediate — write @audit with planned-fix note   8 │  *   skip    — leave open for now   9 │  *  10 │  * @exposes #cli to #arbitrary-write [medium] cwe:CWE-73 -- "Writes @accepts/@audit annotations into source files"  11 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Only modifies files already in the parsed project"  12 │  * @audit #cli -- "Review decisions require human justification; no empty accepts allowed"  13 │  * @flows ThreatModel -> #cli via getReviewableExposures -- "Exposure list input"  14 │  * @flows #cli -> SourceFiles via writeFile -- "Annotation insertion output"  15 │  * @handles internal on #cli -- "Processes exposure metadata and user justification text"  16 │  */

       

-      

+      

         

           L12
           audit
@@ -4841,7 +6410,7 @@ 
unknown

         
Review decisions require human justification; no empty accepts allowed

         
   7 │  *   remediate — write @audit with planned-fix note   8 │  *   skip    — leave open for now   9 │  *  10 │  * @exposes #cli to #arbitrary-write [medium] cwe:CWE-73 -- "Writes @accepts/@audit annotations into source files"  11 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Only modifies files already in the parsed project"  12 │  * @audit #cli -- "Review decisions require human justification; no empty accepts allowed"  13 │  * @flows ThreatModel -> #cli via getReviewableExposures -- "Exposure list input"  14 │  * @flows #cli -> SourceFiles via writeFile -- "Annotation insertion output"  15 │  * @handles internal on #cli -- "Processes exposure metadata and user justification text"  16 │  */  17 │ 

       

-      

+      

         

           L13
           flow
@@ -4850,27 +6419,27 @@ 
unknown

         
Exposure list input

         
   8 │  *   skip    — leave open for now   9 │  *  10 │  * @exposes #cli to #arbitrary-write [medium] cwe:CWE-73 -- "Writes @accepts/@audit annotations into source files"  11 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Only modifies files already in the parsed project"  12 │  * @audit #cli -- "Review decisions require human justification; no empty accepts allowed"  13 │  * @flows ThreatModel -> #cli via getReviewableExposures -- "Exposure list input"  14 │  * @flows #cli -> SourceFiles via writeFile -- "Annotation insertion output"  15 │  * @handles internal on #cli -- "Processes exposure metadata and user justification text"  16 │  */  17 │   18 │ import { readFile, writeFile } from 'node:fs/promises';

       

-      

+      

         

           L14
           flow
           #cli → SourceFiles
         

         
Annotation insertion output

-        
   9 │  *  10 │  * @exposes #cli to #arbitrary-write [medium] cwe:CWE-73 -- "Writes @accepts/@audit annotations into source files"  11 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Only modifies files already in the parsed project"  12 │  * @audit #cli -- "Review decisions require human justification; no empty accepts allowed"  13 │  * @flows ThreatModel -> #cli via getReviewableExposures -- "Exposure list input"  14 │  * @flows #cli -> SourceFiles via writeFile -- "Annotation insertion output"  15 │  * @handles internal on #cli -- "Processes exposure metadata and user justification text"  16 │  */  17 │   18 │ import { readFile, writeFile } from 'node:fs/promises';  19 │ import { resolve } from 'node:path';

+        
   9 │  *  10 │  * @exposes #cli to #arbitrary-write [medium] cwe:CWE-73 -- "Writes @accepts/@audit annotations into source files"  11 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Only modifies files already in the parsed project"  12 │  * @audit #cli -- "Review decisions require human justification; no empty accepts allowed"  13 │  * @flows ThreatModel -> #cli via getReviewableExposures -- "Exposure list input"  14 │  * @flows #cli -> SourceFiles via writeFile -- "Annotation insertion output"  15 │  * @handles internal on #cli -- "Processes exposure metadata and user justification text"  16 │  */  17 │   18 │ import { readFile, writeFile } from 'node:fs/promises';  19 │ import { extname, resolve } from 'node:path';

       

-      

+      

         

           L15
           handles
           #cli: internal
         

         
Processes exposure metadata and user justification text

-        
  10 │  * @exposes #cli to #arbitrary-write [medium] cwe:CWE-73 -- "Writes @accepts/@audit annotations into source files"  11 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Only modifies files already in the parsed project"  12 │  * @audit #cli -- "Review decisions require human justification; no empty accepts allowed"  13 │  * @flows ThreatModel -> #cli via getReviewableExposures -- "Exposure list input"  14 │  * @flows #cli -> SourceFiles via writeFile -- "Annotation insertion output"  15 │  * @handles internal on #cli -- "Processes exposure metadata and user justification text"  16 │  */  17 │   18 │ import { readFile, writeFile } from 'node:fs/promises';  19 │ import { resolve } from 'node:path';  20 │ import { stripCommentPrefix } from '../parser/comment-strip.js';

+        
  10 │  * @exposes #cli to #arbitrary-write [medium] cwe:CWE-73 -- "Writes @accepts/@audit annotations into source files"  11 │  * @mitigates #cli against #arbitrary-write using #path-validation -- "Only modifies files already in the parsed project"  12 │  * @audit #cli -- "Review decisions require human justification; no empty accepts allowed"  13 │  * @flows ThreatModel -> #cli via getReviewableExposures -- "Exposure list input"  14 │  * @flows #cli -> SourceFiles via writeFile -- "Annotation insertion output"  15 │  * @handles internal on #cli -- "Processes exposure metadata and user justification text"  16 │  */  17 │   18 │ import { readFile, writeFile } from 'node:fs/promises';  19 │ import { extname, resolve } from 'node:path';  20 │ import { commentStyleForExt, stripCommentPrefix } from '../parser/comment-strip.js';

       

     

   

-  

+  

     

       src/tui/commands.ts
       
@@ -4880,7 +6449,7 @@ 
unknown

     

     

       
-      

+      

         

           L7
           exposes
@@ -4889,7 +6458,7 @@ 
unknown

         
File paths from user args in /view, /sarif -o

         
   2 │  * GuardLink TUI — Command implementations.   3 │  *   4 │  * Each command function takes (args, ctx) and prints output directly.   5 │  * Returns void. Throws on fatal errors.   6 │  *   7 │  * @exposes #tui to #path-traversal [high] cwe:CWE-22 -- "File paths from user args in /view, /sarif -o"   8 │  * @mitigates #tui against #path-traversal using #path-validation -- "resolve() with ctx.root constrains file access"   9 │  * @exposes #tui to #arbitrary-write [high] cwe:CWE-73 -- "/report, /sarif, /dashboard write files"  10 │  * @mitigates #tui against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  11 │  * @exposes #tui to #cmd-injection [high] cwe:CWE-78 -- "/annotate and /threat-report spawn child processes"  12 │  * @audit #tui -- "Child process spawning delegated to agents/launcher.ts"

       

-      

+      

         

           L8
           mitigates
@@ -4898,7 +6467,7 @@ 
unknown

         
resolve() with ctx.root constrains file access

         
   3 │  *   4 │  * Each command function takes (args, ctx) and prints output directly.   5 │  * Returns void. Throws on fatal errors.   6 │  *   7 │  * @exposes #tui to #path-traversal [high] cwe:CWE-22 -- "File paths from user args in /view, /sarif -o"   8 │  * @mitigates #tui against #path-traversal using #path-validation -- "resolve() with ctx.root constrains file access"   9 │  * @exposes #tui to #arbitrary-write [high] cwe:CWE-73 -- "/report, /sarif, /dashboard write files"  10 │  * @mitigates #tui against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  11 │  * @exposes #tui to #cmd-injection [high] cwe:CWE-78 -- "/annotate and /threat-report spawn child processes"  12 │  * @audit #tui -- "Child process spawning delegated to agents/launcher.ts"  13 │  * @exposes #tui to #api-key-exposure [high] cwe:CWE-798 -- "/model handles API key input and storage"

       

-      

+      

         

           L9
           exposes
@@ -4907,7 +6476,7 @@ 
unknown

         
/report, /sarif, /dashboard write files

         
   4 │  * Each command function takes (args, ctx) and prints output directly.   5 │  * Returns void. Throws on fatal errors.   6 │  *   7 │  * @exposes #tui to #path-traversal [high] cwe:CWE-22 -- "File paths from user args in /view, /sarif -o"   8 │  * @mitigates #tui against #path-traversal using #path-validation -- "resolve() with ctx.root constrains file access"   9 │  * @exposes #tui to #arbitrary-write [high] cwe:CWE-73 -- "/report, /sarif, /dashboard write files"  10 │  * @mitigates #tui against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  11 │  * @exposes #tui to #cmd-injection [high] cwe:CWE-78 -- "/annotate and /threat-report spawn child processes"  12 │  * @audit #tui -- "Child process spawning delegated to agents/launcher.ts"  13 │  * @exposes #tui to #api-key-exposure [high] cwe:CWE-798 -- "/model handles API key input and storage"  14 │  * @mitigates #tui against #api-key-exposure using #key-redaction -- "API keys masked in /model show output"

       

-      

+      

         

           L10
           mitigates
@@ -4916,7 +6485,7 @@ 
unknown

         
Output paths resolved relative to project root

         
   5 │  * Returns void. Throws on fatal errors.   6 │  *   7 │  * @exposes #tui to #path-traversal [high] cwe:CWE-22 -- "File paths from user args in /view, /sarif -o"   8 │  * @mitigates #tui against #path-traversal using #path-validation -- "resolve() with ctx.root constrains file access"   9 │  * @exposes #tui to #arbitrary-write [high] cwe:CWE-73 -- "/report, /sarif, /dashboard write files"  10 │  * @mitigates #tui against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  11 │  * @exposes #tui to #cmd-injection [high] cwe:CWE-78 -- "/annotate and /threat-report spawn child processes"  12 │  * @audit #tui -- "Child process spawning delegated to agents/launcher.ts"  13 │  * @exposes #tui to #api-key-exposure [high] cwe:CWE-798 -- "/model handles API key input and storage"  14 │  * @mitigates #tui against #api-key-exposure using #key-redaction -- "API keys masked in /model show output"  15 │  * @exposes #tui to #prompt-injection [medium] cwe:CWE-77 -- "Freeform chat sends user text to LLM"

       

-      

+      

         

           L11
           exposes
@@ -4925,7 +6494,7 @@ 
unknown

         
/annotate and /threat-report spawn child processes

         
   6 │  *   7 │  * @exposes #tui to #path-traversal [high] cwe:CWE-22 -- "File paths from user args in /view, /sarif -o"   8 │  * @mitigates #tui against #path-traversal using #path-validation -- "resolve() with ctx.root constrains file access"   9 │  * @exposes #tui to #arbitrary-write [high] cwe:CWE-73 -- "/report, /sarif, /dashboard write files"  10 │  * @mitigates #tui against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  11 │  * @exposes #tui to #cmd-injection [high] cwe:CWE-78 -- "/annotate and /threat-report spawn child processes"  12 │  * @audit #tui -- "Child process spawning delegated to agents/launcher.ts"  13 │  * @exposes #tui to #api-key-exposure [high] cwe:CWE-798 -- "/model handles API key input and storage"  14 │  * @mitigates #tui against #api-key-exposure using #key-redaction -- "API keys masked in /model show output"  15 │  * @exposes #tui to #prompt-injection [medium] cwe:CWE-77 -- "Freeform chat sends user text to LLM"  16 │  * @audit #tui -- "User freeform text passed to LLM via cmdChat; model context is read-only"

       

-      

+      

         

           L12
           audit
@@ -4934,7 +6503,7 @@ 
unknown

         
Child process spawning delegated to agents/launcher.ts

         
   7 │  * @exposes #tui to #path-traversal [high] cwe:CWE-22 -- "File paths from user args in /view, /sarif -o"   8 │  * @mitigates #tui against #path-traversal using #path-validation -- "resolve() with ctx.root constrains file access"   9 │  * @exposes #tui to #arbitrary-write [high] cwe:CWE-73 -- "/report, /sarif, /dashboard write files"  10 │  * @mitigates #tui against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  11 │  * @exposes #tui to #cmd-injection [high] cwe:CWE-78 -- "/annotate and /threat-report spawn child processes"  12 │  * @audit #tui -- "Child process spawning delegated to agents/launcher.ts"  13 │  * @exposes #tui to #api-key-exposure [high] cwe:CWE-798 -- "/model handles API key input and storage"  14 │  * @mitigates #tui against #api-key-exposure using #key-redaction -- "API keys masked in /model show output"  15 │  * @exposes #tui to #prompt-injection [medium] cwe:CWE-77 -- "Freeform chat sends user text to LLM"  16 │  * @audit #tui -- "User freeform text passed to LLM via cmdChat; model context is read-only"  17 │  * @flows UserArgs -> #tui via args -- "Command argument input"

       

-      

+      

         

           L13
           exposes
@@ -4943,7 +6512,7 @@ 
unknown

         
/model handles API key input and storage

         
   8 │  * @mitigates #tui against #path-traversal using #path-validation -- "resolve() with ctx.root constrains file access"   9 │  * @exposes #tui to #arbitrary-write [high] cwe:CWE-73 -- "/report, /sarif, /dashboard write files"  10 │  * @mitigates #tui against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  11 │  * @exposes #tui to #cmd-injection [high] cwe:CWE-78 -- "/annotate and /threat-report spawn child processes"  12 │  * @audit #tui -- "Child process spawning delegated to agents/launcher.ts"  13 │  * @exposes #tui to #api-key-exposure [high] cwe:CWE-798 -- "/model handles API key input and storage"  14 │  * @mitigates #tui against #api-key-exposure using #key-redaction -- "API keys masked in /model show output"  15 │  * @exposes #tui to #prompt-injection [medium] cwe:CWE-77 -- "Freeform chat sends user text to LLM"  16 │  * @audit #tui -- "User freeform text passed to LLM via cmdChat; model context is read-only"  17 │  * @flows UserArgs -> #tui via args -- "Command argument input"  18 │  * @flows #tui -> FileSystem via writeFile -- "Report/config output"

       

-      

+      

         

           L14
           mitigates
@@ -4952,7 +6521,7 @@ 
unknown

         
API keys masked in /model show output

         
   9 │  * @exposes #tui to #arbitrary-write [high] cwe:CWE-73 -- "/report, /sarif, /dashboard write files"  10 │  * @mitigates #tui against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  11 │  * @exposes #tui to #cmd-injection [high] cwe:CWE-78 -- "/annotate and /threat-report spawn child processes"  12 │  * @audit #tui -- "Child process spawning delegated to agents/launcher.ts"  13 │  * @exposes #tui to #api-key-exposure [high] cwe:CWE-798 -- "/model handles API key input and storage"  14 │  * @mitigates #tui against #api-key-exposure using #key-redaction -- "API keys masked in /model show output"  15 │  * @exposes #tui to #prompt-injection [medium] cwe:CWE-77 -- "Freeform chat sends user text to LLM"  16 │  * @audit #tui -- "User freeform text passed to LLM via cmdChat; model context is read-only"  17 │  * @flows UserArgs -> #tui via args -- "Command argument input"  18 │  * @flows #tui -> FileSystem via writeFile -- "Report/config output"  19 │  * @flows #tui -> #agent-launcher via launchAgent -- "Agent spawn path"

       

-      

+      

         

           L15
           exposes
@@ -4961,7 +6530,7 @@ 
unknown

         
Freeform chat sends user text to LLM

         
  10 │  * @mitigates #tui against #arbitrary-write using #path-validation -- "Output paths resolved relative to project root"  11 │  * @exposes #tui to #cmd-injection [high] cwe:CWE-78 -- "/annotate and /threat-report spawn child processes"  12 │  * @audit #tui -- "Child process spawning delegated to agents/launcher.ts"  13 │  * @exposes #tui to #api-key-exposure [high] cwe:CWE-798 -- "/model handles API key input and storage"  14 │  * @mitigates #tui against #api-key-exposure using #key-redaction -- "API keys masked in /model show output"  15 │  * @exposes #tui to #prompt-injection [medium] cwe:CWE-77 -- "Freeform chat sends user text to LLM"  16 │  * @audit #tui -- "User freeform text passed to LLM via cmdChat; model context is read-only"  17 │  * @flows UserArgs -> #tui via args -- "Command argument input"  18 │  * @flows #tui -> FileSystem via writeFile -- "Report/config output"  19 │  * @flows #tui -> #agent-launcher via launchAgent -- "Agent spawn path"  20 │  * @flows #tui -> #llm-client via chatCompletion -- "LLM API call path"

       

-      

+      

         

           L16
           audit
@@ -4970,7 +6539,7 @@ 
unknown

         
User freeform text passed to LLM via cmdChat; model context is read-only

         
  11 │  * @exposes #tui to #cmd-injection [high] cwe:CWE-78 -- "/annotate and /threat-report spawn child processes"  12 │  * @audit #tui -- "Child process spawning delegated to agents/launcher.ts"  13 │  * @exposes #tui to #api-key-exposure [high] cwe:CWE-798 -- "/model handles API key input and storage"  14 │  * @mitigates #tui against #api-key-exposure using #key-redaction -- "API keys masked in /model show output"  15 │  * @exposes #tui to #prompt-injection [medium] cwe:CWE-77 -- "Freeform chat sends user text to LLM"  16 │  * @audit #tui -- "User freeform text passed to LLM via cmdChat; model context is read-only"  17 │  * @flows UserArgs -> #tui via args -- "Command argument input"  18 │  * @flows #tui -> FileSystem via writeFile -- "Report/config output"  19 │  * @flows #tui -> #agent-launcher via launchAgent -- "Agent spawn path"  20 │  * @flows #tui -> #llm-client via chatCompletion -- "LLM API call path"  21 │  * @handles secrets on #tui -- "Processes and stores API keys via /model"

       

-      

+      

         

           L17
           flow
@@ -4979,7 +6548,7 @@ 
unknown

         
Command argument input

         
  12 │  * @audit #tui -- "Child process spawning delegated to agents/launcher.ts"  13 │  * @exposes #tui to #api-key-exposure [high] cwe:CWE-798 -- "/model handles API key input and storage"  14 │  * @mitigates #tui against #api-key-exposure using #key-redaction -- "API keys masked in /model show output"  15 │  * @exposes #tui to #prompt-injection [medium] cwe:CWE-77 -- "Freeform chat sends user text to LLM"  16 │  * @audit #tui -- "User freeform text passed to LLM via cmdChat; model context is read-only"  17 │  * @flows UserArgs -> #tui via args -- "Command argument input"  18 │  * @flows #tui -> FileSystem via writeFile -- "Report/config output"  19 │  * @flows #tui -> #agent-launcher via launchAgent -- "Agent spawn path"  20 │  * @flows #tui -> #llm-client via chatCompletion -- "LLM API call path"  21 │  * @handles secrets on #tui -- "Processes and stores API keys via /model"  22 │  */

       

-      

+      

         

           L18
           flow
@@ -4988,7 +6557,7 @@ 
unknown

         
Report/config output

         
  13 │  * @exposes #tui to #api-key-exposure [high] cwe:CWE-798 -- "/model handles API key input and storage"  14 │  * @mitigates #tui against #api-key-exposure using #key-redaction -- "API keys masked in /model show output"  15 │  * @exposes #tui to #prompt-injection [medium] cwe:CWE-77 -- "Freeform chat sends user text to LLM"  16 │  * @audit #tui -- "User freeform text passed to LLM via cmdChat; model context is read-only"  17 │  * @flows UserArgs -> #tui via args -- "Command argument input"  18 │  * @flows #tui -> FileSystem via writeFile -- "Report/config output"  19 │  * @flows #tui -> #agent-launcher via launchAgent -- "Agent spawn path"  20 │  * @flows #tui -> #llm-client via chatCompletion -- "LLM API call path"  21 │  * @handles secrets on #tui -- "Processes and stores API keys via /model"  22 │  */  23 │ 

       

-      

+      

         

           L19
           flow
@@ -4997,7 +6566,7 @@ 
unknown

         
Agent spawn path

         
  14 │  * @mitigates #tui against #api-key-exposure using #key-redaction -- "API keys masked in /model show output"  15 │  * @exposes #tui to #prompt-injection [medium] cwe:CWE-77 -- "Freeform chat sends user text to LLM"  16 │  * @audit #tui -- "User freeform text passed to LLM via cmdChat; model context is read-only"  17 │  * @flows UserArgs -> #tui via args -- "Command argument input"  18 │  * @flows #tui -> FileSystem via writeFile -- "Report/config output"  19 │  * @flows #tui -> #agent-launcher via launchAgent -- "Agent spawn path"  20 │  * @flows #tui -> #llm-client via chatCompletion -- "LLM API call path"  21 │  * @handles secrets on #tui -- "Processes and stores API keys via /model"  22 │  */  23 │   24 │ import { resolve, basename, isAbsolute } from 'node:path';

       

-      

+      

         

           L20
           flow
@@ -5006,18 +6575,18 @@ 
unknown

         
LLM API call path

         
  15 │  * @exposes #tui to #prompt-injection [medium] cwe:CWE-77 -- "Freeform chat sends user text to LLM"  16 │  * @audit #tui -- "User freeform text passed to LLM via cmdChat; model context is read-only"  17 │  * @flows UserArgs -> #tui via args -- "Command argument input"  18 │  * @flows #tui -> FileSystem via writeFile -- "Report/config output"  19 │  * @flows #tui -> #agent-launcher via launchAgent -- "Agent spawn path"  20 │  * @flows #tui -> #llm-client via chatCompletion -- "LLM API call path"  21 │  * @handles secrets on #tui -- "Processes and stores API keys via /model"  22 │  */  23 │   24 │ import { resolve, basename, isAbsolute } from 'node:path';  25 │ import { readFileSync, existsSync, writeFileSync, mkdirSync } from 'node:fs';

       

-      

+      

         

           L21
           handles
           #tui: secrets
         

         
Processes and stores API keys via /model

-        
  16 │  * @audit #tui -- "User freeform text passed to LLM via cmdChat; model context is read-only"  17 │  * @flows UserArgs -> #tui via args -- "Command argument input"  18 │  * @flows #tui -> FileSystem via writeFile -- "Report/config output"  19 │  * @flows #tui -> #agent-launcher via launchAgent -- "Agent spawn path"  20 │  * @flows #tui -> #llm-client via chatCompletion -- "LLM API call path"  21 │  * @handles secrets on #tui -- "Processes and stores API keys via /model"  22 │  */  23 │   24 │ import { resolve, basename, isAbsolute } from 'node:path';  25 │ import { readFileSync, existsSync, writeFileSync, mkdirSync } from 'node:fs';  26 │ import { parseProject, findDanglingRefs, findUnmitigatedExposures, findAcceptedWithoutAudit, findAcceptedExposures, clearAnnotations } from '../parser/index.js';

+        
  16 │  * @audit #tui -- "User freeform text passed to LLM via cmdChat; model context is read-only"  17 │  * @flows UserArgs -> #tui via args -- "Command argument input"  18 │  * @flows #tui -> FileSystem via writeFile -- "Report/config output"  19 │  * @flows #tui -> #agent-launcher via launchAgent -- "Agent spawn path"  20 │  * @flows #tui -> #llm-client via chatCompletion -- "LLM API call path"  21 │  * @handles secrets on #tui -- "Processes and stores API keys via /model"  22 │  */  23 │   24 │ import { resolve, basename, isAbsolute } from 'node:path';  25 │ import { readFileSync, existsSync, writeFileSync, mkdirSync } from 'node:fs';  26 │ import { parseProject, findDanglingRefs, findUnmitigatedExposures, findAcceptedWithoutAudit, findAcceptedExposures, clearAnnotations, listFeatures, filterByFeature, getFeatureSummaries } from '../parser/index.js';

       

     

   

-  

+  

     

       src/tui/config.ts
       
@@ -5027,7 +6596,7 @@ 
unknown

     

     

       
-      

+      

         

           L7
           exposes
@@ -5036,7 +6605,7 @@ 
unknown

         
API keys loaded from and saved to config files

         
   2 │  * GuardLink TUI — Config persistence for LLM settings.   3 │  *   4 │  * Now delegates to the unified agents/config.ts resolution chain.   5 │  * Keeps backward compatibility with tui-config.json (legacy).   6 │  *   7 │  * @exposes #tui to #api-key-exposure [high] cwe:CWE-798 -- "API keys loaded from and saved to config files"   8 │  * @mitigates #tui against #api-key-exposure using #key-redaction -- "Delegates to agents/config.ts with masking"   9 │  * @flows ConfigFile -> #tui via loadProjectConfig -- "Config load path"  10 │  * @flows #tui -> ConfigFile via saveProjectConfig -- "Config save path"  11 │  * @handles secrets on #tui -- "API keys stored in .guardlink/config.json"  12 │  */

       

-      

+      

         

           L8
           mitigates
@@ -5045,7 +6614,7 @@ 
unknown

         
Delegates to agents/config.ts with masking

         
   3 │  *   4 │  * Now delegates to the unified agents/config.ts resolution chain.   5 │  * Keeps backward compatibility with tui-config.json (legacy).   6 │  *   7 │  * @exposes #tui to #api-key-exposure [high] cwe:CWE-798 -- "API keys loaded from and saved to config files"   8 │  * @mitigates #tui against #api-key-exposure using #key-redaction -- "Delegates to agents/config.ts with masking"   9 │  * @flows ConfigFile -> #tui via loadProjectConfig -- "Config load path"  10 │  * @flows #tui -> ConfigFile via saveProjectConfig -- "Config save path"  11 │  * @handles secrets on #tui -- "API keys stored in .guardlink/config.json"  12 │  */  13 │ 

       

-      

+      

         

           L9
           flow
@@ -5054,7 +6623,7 @@ 
unknown

         
Config load path

         
   4 │  * Now delegates to the unified agents/config.ts resolution chain.   5 │  * Keeps backward compatibility with tui-config.json (legacy).   6 │  *   7 │  * @exposes #tui to #api-key-exposure [high] cwe:CWE-798 -- "API keys loaded from and saved to config files"   8 │  * @mitigates #tui against #api-key-exposure using #key-redaction -- "Delegates to agents/config.ts with masking"   9 │  * @flows ConfigFile -> #tui via loadProjectConfig -- "Config load path"  10 │  * @flows #tui -> ConfigFile via saveProjectConfig -- "Config save path"  11 │  * @handles secrets on #tui -- "API keys stored in .guardlink/config.json"  12 │  */  13 │   14 │ import type { LLMConfig, LLMProvider } from '../analyze/llm.js';

       

-      

+      

         

           L10
           flow
@@ -5063,7 +6632,7 @@ 
unknown

         
Config save path

         
   5 │  * Keeps backward compatibility with tui-config.json (legacy).   6 │  *   7 │  * @exposes #tui to #api-key-exposure [high] cwe:CWE-798 -- "API keys loaded from and saved to config files"   8 │  * @mitigates #tui against #api-key-exposure using #key-redaction -- "Delegates to agents/config.ts with masking"   9 │  * @flows ConfigFile -> #tui via loadProjectConfig -- "Config load path"  10 │  * @flows #tui -> ConfigFile via saveProjectConfig -- "Config save path"  11 │  * @handles secrets on #tui -- "API keys stored in .guardlink/config.json"  12 │  */  13 │   14 │ import type { LLMConfig, LLMProvider } from '../analyze/llm.js';  15 │ import { resolveConfig, saveProjectConfig, loadProjectConfig } from '../agents/config.js';

       

-      

+      

         

           L11
           handles
@@ -5074,7 +6643,7 @@ 
unknown

       

     

   

-  

+  

     

       src/tui/index.ts
       
@@ -5084,7 +6653,7 @@ 
unknown

     

     

       
-      

+      

         

           L9
           exposes
@@ -5093,7 +6662,7 @@ 
unknown

         
User-supplied dir argument resolved via path.resolve

         
   4 │  * GuardLink TUI — Interactive terminal interface.   5 │  *   6 │  * Claude Code-style inline REPL: stays in your terminal,   7 │  * slash commands + freeform AI chat, Ctrl+C to exit.   8 │  *   9 │  * @exposes #tui to #path-traversal [high] cwe:CWE-22 -- "User-supplied dir argument resolved via path.resolve"  10 │  * @mitigates #tui against #path-traversal using #path-validation -- "resolve() canonicalizes paths; starts from cwd"  11 │  * @exposes #tui to #api-key-exposure [medium] cwe:CWE-798 -- "API keys displayed in banner via resolveLLMConfig"  12 │  * @audit #tui -- "API keys masked via maskKey() in banner display"  13 │  * @flows UserInput -> #tui via readline -- "Interactive command input"  14 │  * @flows #tui -> Commands via dispatch -- "Command routing"

       

-      

+      

         

           L10
           mitigates
@@ -5102,7 +6671,7 @@ 
unknown

         
resolve() canonicalizes paths; starts from cwd

         
   5 │  *   6 │  * Claude Code-style inline REPL: stays in your terminal,   7 │  * slash commands + freeform AI chat, Ctrl+C to exit.   8 │  *   9 │  * @exposes #tui to #path-traversal [high] cwe:CWE-22 -- "User-supplied dir argument resolved via path.resolve"  10 │  * @mitigates #tui against #path-traversal using #path-validation -- "resolve() canonicalizes paths; starts from cwd"  11 │  * @exposes #tui to #api-key-exposure [medium] cwe:CWE-798 -- "API keys displayed in banner via resolveLLMConfig"  12 │  * @audit #tui -- "API keys masked via maskKey() in banner display"  13 │  * @flows UserInput -> #tui via readline -- "Interactive command input"  14 │  * @flows #tui -> Commands via dispatch -- "Command routing"  15 │  * @boundary #tui and UserInput (#tui-input-boundary) -- "Trust boundary at interactive input"

       

-      

+      

         

           L11
           exposes
@@ -5111,7 +6680,7 @@ 
unknown

         
API keys displayed in banner via resolveLLMConfig

         
   6 │  * Claude Code-style inline REPL: stays in your terminal,   7 │  * slash commands + freeform AI chat, Ctrl+C to exit.   8 │  *   9 │  * @exposes #tui to #path-traversal [high] cwe:CWE-22 -- "User-supplied dir argument resolved via path.resolve"  10 │  * @mitigates #tui against #path-traversal using #path-validation -- "resolve() canonicalizes paths; starts from cwd"  11 │  * @exposes #tui to #api-key-exposure [medium] cwe:CWE-798 -- "API keys displayed in banner via resolveLLMConfig"  12 │  * @audit #tui -- "API keys masked via maskKey() in banner display"  13 │  * @flows UserInput -> #tui via readline -- "Interactive command input"  14 │  * @flows #tui -> Commands via dispatch -- "Command routing"  15 │  * @boundary #tui and UserInput (#tui-input-boundary) -- "Trust boundary at interactive input"  16 │  * @handles secrets on #tui -- "Displays LLM config including masked API keys"

       

-      

+      

         

           L12
           audit
@@ -5120,7 +6689,7 @@ 
unknown

         
API keys masked via maskKey() in banner display

         
   7 │  * slash commands + freeform AI chat, Ctrl+C to exit.   8 │  *   9 │  * @exposes #tui to #path-traversal [high] cwe:CWE-22 -- "User-supplied dir argument resolved via path.resolve"  10 │  * @mitigates #tui against #path-traversal using #path-validation -- "resolve() canonicalizes paths; starts from cwd"  11 │  * @exposes #tui to #api-key-exposure [medium] cwe:CWE-798 -- "API keys displayed in banner via resolveLLMConfig"  12 │  * @audit #tui -- "API keys masked via maskKey() in banner display"  13 │  * @flows UserInput -> #tui via readline -- "Interactive command input"  14 │  * @flows #tui -> Commands via dispatch -- "Command routing"  15 │  * @boundary #tui and UserInput (#tui-input-boundary) -- "Trust boundary at interactive input"  16 │  * @handles secrets on #tui -- "Displays LLM config including masked API keys"  17 │  */

       

-      

+      

         

           L13
           flow
@@ -5129,7 +6698,7 @@ 
unknown

         
Interactive command input

         
   8 │  *   9 │  * @exposes #tui to #path-traversal [high] cwe:CWE-22 -- "User-supplied dir argument resolved via path.resolve"  10 │  * @mitigates #tui against #path-traversal using #path-validation -- "resolve() canonicalizes paths; starts from cwd"  11 │  * @exposes #tui to #api-key-exposure [medium] cwe:CWE-798 -- "API keys displayed in banner via resolveLLMConfig"  12 │  * @audit #tui -- "API keys masked via maskKey() in banner display"  13 │  * @flows UserInput -> #tui via readline -- "Interactive command input"  14 │  * @flows #tui -> Commands via dispatch -- "Command routing"  15 │  * @boundary #tui and UserInput (#tui-input-boundary) -- "Trust boundary at interactive input"  16 │  * @handles secrets on #tui -- "Displays LLM config including masked API keys"  17 │  */  18 │ 

       

-      

+      

         

           L14
           flow
@@ -5138,7 +6707,7 @@ 
unknown

         
Command routing

         
   9 │  * @exposes #tui to #path-traversal [high] cwe:CWE-22 -- "User-supplied dir argument resolved via path.resolve"  10 │  * @mitigates #tui against #path-traversal using #path-validation -- "resolve() canonicalizes paths; starts from cwd"  11 │  * @exposes #tui to #api-key-exposure [medium] cwe:CWE-798 -- "API keys displayed in banner via resolveLLMConfig"  12 │  * @audit #tui -- "API keys masked via maskKey() in banner display"  13 │  * @flows UserInput -> #tui via readline -- "Interactive command input"  14 │  * @flows #tui -> Commands via dispatch -- "Command routing"  15 │  * @boundary #tui and UserInput (#tui-input-boundary) -- "Trust boundary at interactive input"  16 │  * @handles secrets on #tui -- "Displays LLM config including masked API keys"  17 │  */  18 │   19 │ import { createInterface, type Interface } from 'node:readline';

       

-      

+      

         

           L15
           boundary
@@ -5147,7 +6716,7 @@ 
unknown

         
Trust boundary at interactive input

         
  10 │  * @mitigates #tui against #path-traversal using #path-validation -- "resolve() canonicalizes paths; starts from cwd"  11 │  * @exposes #tui to #api-key-exposure [medium] cwe:CWE-798 -- "API keys displayed in banner via resolveLLMConfig"  12 │  * @audit #tui -- "API keys masked via maskKey() in banner display"  13 │  * @flows UserInput -> #tui via readline -- "Interactive command input"  14 │  * @flows #tui -> Commands via dispatch -- "Command routing"  15 │  * @boundary #tui and UserInput (#tui-input-boundary) -- "Trust boundary at interactive input"  16 │  * @handles secrets on #tui -- "Displays LLM config including masked API keys"  17 │  */  18 │   19 │ import { createInterface, type Interface } from 'node:readline';  20 │ import { resolve, basename } from 'node:path';

       

-      

+      

         

           L16
           handles
@@ -5158,7 +6727,7 @@ 
unknown

       

     

   

-  

+  

     

       src/tui/input.ts
       
@@ -5168,7 +6737,7 @@ 
unknown

     

     

       
-      

+      

         

           L15
           exposes
@@ -5177,7 +6746,7 @@ 
unknown

         
Rapid keystrokes could consume CPU in raw mode

         
  10 │  *     /files       Browse files  11 │  *     /assets      Asset tree  12 │  *  13 │  * Uses raw stdin mode for full keystroke control.  14 │  *  15 │  * @exposes #tui to #dos [low] cwe:CWE-400 -- "Rapid keystrokes could consume CPU in raw mode"  16 │  * @mitigates #tui against #dos using #resource-limits -- "Keystroke buffer bounded by terminal width"  17 │  * @flows RawStdin -> #tui via process.stdin -- "Raw keystroke input"  18 │  * @flows #tui -> Terminal via process.stdout -- "ANSI escape sequence output"  19 │  * @comment -- "Raw mode enables full keystroke control for command palette"  20 │  */

       

-      

+      

         

           L16
           mitigates
@@ -5186,7 +6755,7 @@ 
unknown

         
Keystroke buffer bounded by terminal width

         
  11 │  *     /assets      Asset tree  12 │  *  13 │  * Uses raw stdin mode for full keystroke control.  14 │  *  15 │  * @exposes #tui to #dos [low] cwe:CWE-400 -- "Rapid keystrokes could consume CPU in raw mode"  16 │  * @mitigates #tui against #dos using #resource-limits -- "Keystroke buffer bounded by terminal width"  17 │  * @flows RawStdin -> #tui via process.stdin -- "Raw keystroke input"  18 │  * @flows #tui -> Terminal via process.stdout -- "ANSI escape sequence output"  19 │  * @comment -- "Raw mode enables full keystroke control for command palette"  20 │  */  21 │ 

       

-      

+      

         

           L17
           flow
@@ -5195,7 +6764,7 @@ 
unknown

         
Raw keystroke input

         
  12 │  *  13 │  * Uses raw stdin mode for full keystroke control.  14 │  *  15 │  * @exposes #tui to #dos [low] cwe:CWE-400 -- "Rapid keystrokes could consume CPU in raw mode"  16 │  * @mitigates #tui against #dos using #resource-limits -- "Keystroke buffer bounded by terminal width"  17 │  * @flows RawStdin -> #tui via process.stdin -- "Raw keystroke input"  18 │  * @flows #tui -> Terminal via process.stdout -- "ANSI escape sequence output"  19 │  * @comment -- "Raw mode enables full keystroke control for command palette"  20 │  */  21 │   22 │ import chalk from 'chalk';

       

-      

+      

         

           L18
           flow
@@ -5204,7 +6773,7 @@ 
unknown

         
ANSI escape sequence output

         
  13 │  * Uses raw stdin mode for full keystroke control.  14 │  *  15 │  * @exposes #tui to #dos [low] cwe:CWE-400 -- "Rapid keystrokes could consume CPU in raw mode"  16 │  * @mitigates #tui against #dos using #resource-limits -- "Keystroke buffer bounded by terminal width"  17 │  * @flows RawStdin -> #tui via process.stdin -- "Raw keystroke input"  18 │  * @flows #tui -> Terminal via process.stdout -- "ANSI escape sequence output"  19 │  * @comment -- "Raw mode enables full keystroke control for command palette"  20 │  */  21 │   22 │ import chalk from 'chalk';  23 │ 

       

-      

+      

         

           L19
           comment
@@ -5215,7 +6784,7 @@ 
unknown

       

     

   

-  

+  

     

       src/workspace/index.ts
       
@@ -5225,7 +6794,7 @@ 
unknown

     

     

       
-      

+      

         

           L4
           comment
@@ -5236,7 +6805,7 @@ 
unknown

       

     

   

-  

+  

     

       src/workspace/link.ts
       
@@ -5246,7 +6815,7 @@ 
unknown

     

     

       
-      

+      

         

           L7
           asset
@@ -5255,7 +6824,7 @@ 
unknown

         
Multi-repo workspace linking setup

         
   2 │  * GuardLink Workspace — link-project command logic.   3 │  *   4 │  * Scaffolds workspace.yaml in each repo and updates agent instruction   5 │  * files with workspace context so agents write cross-repo-aware annotations.   6 │  *   7 │  * @asset Workspace.Link (#workspace-link) -- "Multi-repo workspace linking setup"   8 │  * @flows UserArgs -> #workspace-link via linkProject -- "CLI args to workspace scaffolding"   9 │  * @flows #workspace-link -> AgentFiles via updateAgentWorkspaceContext -- "Inject workspace context"  10 │  */  11 │   12 │ import { existsSync, readFileSync, mkdirSync, readdirSync, statSync, unlinkSync } from 'node:fs';

       

-      

+      

         

           L8
           flow
@@ -5264,7 +6833,7 @@ 
unknown

         
CLI args to workspace scaffolding

         
   3 │  *   4 │  * Scaffolds workspace.yaml in each repo and updates agent instruction   5 │  * files with workspace context so agents write cross-repo-aware annotations.   6 │  *   7 │  * @asset Workspace.Link (#workspace-link) -- "Multi-repo workspace linking setup"   8 │  * @flows UserArgs -> #workspace-link via linkProject -- "CLI args to workspace scaffolding"   9 │  * @flows #workspace-link -> AgentFiles via updateAgentWorkspaceContext -- "Inject workspace context"  10 │  */  11 │   12 │ import { existsSync, readFileSync, mkdirSync, readdirSync, statSync, unlinkSync } from 'node:fs';  13 │ import { writeFileSync } from 'node:fs';

       

-      

+      

         

           L9
           flow
@@ -5275,7 +6844,7 @@ 
unknown

       

     

   

-  

+  

     

       src/workspace/merge.ts
       
@@ -5285,7 +6854,7 @@ 
unknown

     

     

       
-      

+      

         

           L7
           asset
@@ -5294,7 +6863,7 @@ 
unknown

         
Cross-repo threat model unification

         
   2 │  * GuardLink Workspace — Merge engine for multi-repo reports.   3 │  *   4 │  * Takes N per-repo report JSONs and produces a unified MergedReport   5 │  * with cross-repo tag resolution, warning detection, and aggregated stats.   6 │  *   7 │  * @asset Workspace.Merge (#merge-engine) -- "Cross-repo threat model unification"   8 │  * @threat Tag_Collision (#tag-collision) [medium] -- "Duplicate tag definitions across repos"   9 │  * @mitigates #merge-engine against #tag-collision using #prefix-ownership -- "Tag prefix determines owning repo"  10 │  * @flows ReportJSON -> #merge-engine via mergeReports -- "Per-repo reports feed into merge"  11 │  * @flows #merge-engine -> MergedReport via mergeReports -- "Unified output"  12 │  */

       

-      

+      

         

           L8
           threat
@@ -5303,7 +6872,7 @@ 
unknown

         
Duplicate tag definitions across repos

         
   3 │  *   4 │  * Takes N per-repo report JSONs and produces a unified MergedReport   5 │  * with cross-repo tag resolution, warning detection, and aggregated stats.   6 │  *   7 │  * @asset Workspace.Merge (#merge-engine) -- "Cross-repo threat model unification"   8 │  * @threat Tag_Collision (#tag-collision) [medium] -- "Duplicate tag definitions across repos"   9 │  * @mitigates #merge-engine against #tag-collision using #prefix-ownership -- "Tag prefix determines owning repo"  10 │  * @flows ReportJSON -> #merge-engine via mergeReports -- "Per-repo reports feed into merge"  11 │  * @flows #merge-engine -> MergedReport via mergeReports -- "Unified output"  12 │  */  13 │ 

       

-      

+      

         

           L9
           mitigates
@@ -5312,7 +6881,7 @@ 
unknown

         
Tag prefix determines owning repo

         
   4 │  * Takes N per-repo report JSONs and produces a unified MergedReport   5 │  * with cross-repo tag resolution, warning detection, and aggregated stats.   6 │  *   7 │  * @asset Workspace.Merge (#merge-engine) -- "Cross-repo threat model unification"   8 │  * @threat Tag_Collision (#tag-collision) [medium] -- "Duplicate tag definitions across repos"   9 │  * @mitigates #merge-engine against #tag-collision using #prefix-ownership -- "Tag prefix determines owning repo"  10 │  * @flows ReportJSON -> #merge-engine via mergeReports -- "Per-repo reports feed into merge"  11 │  * @flows #merge-engine -> MergedReport via mergeReports -- "Unified output"  12 │  */  13 │   14 │ import { readFile } from 'node:fs/promises';

       

-      

+      

         

           L10
           flow
@@ -5321,7 +6890,7 @@ 
unknown

         
Per-repo reports feed into merge

         
   5 │  * with cross-repo tag resolution, warning detection, and aggregated stats.   6 │  *   7 │  * @asset Workspace.Merge (#merge-engine) -- "Cross-repo threat model unification"   8 │  * @threat Tag_Collision (#tag-collision) [medium] -- "Duplicate tag definitions across repos"   9 │  * @mitigates #merge-engine against #tag-collision using #prefix-ownership -- "Tag prefix determines owning repo"  10 │  * @flows ReportJSON -> #merge-engine via mergeReports -- "Per-repo reports feed into merge"  11 │  * @flows #merge-engine -> MergedReport via mergeReports -- "Unified output"  12 │  */  13 │   14 │ import { readFile } from 'node:fs/promises';  15 │ import { basename } from 'node:path';

       

-      

+      

         

           L11
           flow
@@ -5332,7 +6901,7 @@ 
unknown

       

     

   

-  

+  

     

       src/workspace/metadata.ts
       
@@ -5342,7 +6911,7 @@ 
unknown

     

     

       
-      

+      

         

           L7
           asset
@@ -5351,7 +6920,7 @@ 
unknown

         
Report provenance data

         
   2 │  * GuardLink Workspace — Report metadata population.   3 │  *   4 │  * Enriches a ThreatModel with provenance metadata (git SHA, branch,   5 │  * workspace info) for the report JSON contract.   6 │  *   7 │  * @asset Workspace.Metadata (#report-metadata) -- "Report provenance data"   8 │  * @flows GitRepo -> #report-metadata via execSync -- "Git info extraction"   9 │  * @flows #report-metadata -> ThreatModel via populateMetadata -- "Metadata injection"  10 │  */  11 │   12 │ import { execSync } from 'node:child_process';

       

-      

+      

         

           L8
           flow
@@ -5360,7 +6929,7 @@ 
unknown

         
Git info extraction

         
   3 │  *   4 │  * Enriches a ThreatModel with provenance metadata (git SHA, branch,   5 │  * workspace info) for the report JSON contract.   6 │  *   7 │  * @asset Workspace.Metadata (#report-metadata) -- "Report provenance data"   8 │  * @flows GitRepo -> #report-metadata via execSync -- "Git info extraction"   9 │  * @flows #report-metadata -> ThreatModel via populateMetadata -- "Metadata injection"  10 │  */  11 │   12 │ import { execSync } from 'node:child_process';  13 │ import { readFileSync, existsSync } from 'node:fs';

       

-      

+      

         

           L9
           flow
@@ -5371,7 +6940,7 @@ 
unknown

       

     

   

-  

+  

     

       src/workspace/types.ts
       
@@ -5381,7 +6950,7 @@ 
unknown

     

     

       
-      

+      

         

           L7
           asset
@@ -5390,7 +6959,7 @@ 
unknown

         
Multi-repo workspace definition

         
   2 │  * GuardLink Workspace — Types for multi-repo linking.   3 │  *   4 │  * workspace.yaml lives in each repo's .guardlink/ directory.   5 │  * It declares membership in a workspace and lists sibling repos.   6 │  *   7 │  * @asset Workspace.Config (#workspace-config) -- "Multi-repo workspace definition"   8 │  * @threat Config_Tampering (#config-tamper) [medium] cwe:CWE-15 -- "Malicious workspace.yaml could misdirect agent annotations"   9 │  * @mitigates #workspace-config against #config-tamper using #yaml-validation -- "Schema validation on load"  10 │  */  11 │   12 │ import type { ThreatModel, Severity, ExternalRef } from '../types/index.js';

       

-      

+      

         

           L8
           threat
@@ -5399,7 +6968,7 @@ 
unknown

         
Malicious workspace.yaml could misdirect agent annotations

         
   3 │  *   4 │  * workspace.yaml lives in each repo's .guardlink/ directory.   5 │  * It declares membership in a workspace and lists sibling repos.   6 │  *   7 │  * @asset Workspace.Config (#workspace-config) -- "Multi-repo workspace definition"   8 │  * @threat Config_Tampering (#config-tamper) [medium] cwe:CWE-15 -- "Malicious workspace.yaml could misdirect agent annotations"   9 │  * @mitigates #workspace-config against #config-tamper using #yaml-validation -- "Schema validation on load"  10 │  */  11 │   12 │ import type { ThreatModel, Severity, ExternalRef } from '../types/index.js';  13 │ 

       

-      

+      

         

           L9
           mitigates
@@ -5414,18 +6983,18 @@ 
unknown

   
   
File Coverage

   

-    38 of 60 files
+    43 of 67 files
     have GuardLink annotations
   

-  

+  

 
   
-  
⚠ Unannotated Files (22)

+  
⚠ Unannotated Files (24)

   

     Source files with no GuardLink annotations. Not all files need annotations — only those touching security boundaries.
   

   

-    
.github/ISSUE_TEMPLATE/bug_report.yml
.github/ISSUE_TEMPLATE/config.yml
.github/ISSUE_TEMPLATE/feature_request.yml
.github/workflows/ci.yml
.github/workflows/release.yml
examples/ci/per-repo-report.yml
examples/ci/workspace-merge.yml
examples/github-action.yml
src/dashboard/data.ts
src/dashboard/diagrams.ts
src/diff/engine.ts
src/diff/format.ts
src/index.ts
src/init/picker.ts
src/init/templates.ts
src/parser/comment-strip.ts
src/parser/index.ts
src/parser/normalize.ts
src/parser/validate.ts
src/report/mermaid.ts
src/tui/format.ts
src/types/index.ts

+    
.github/ISSUE_TEMPLATE/bug_report.yml
.github/ISSUE_TEMPLATE/config.yml
.github/ISSUE_TEMPLATE/feature_request.yml
.github/workflows/ci.yml
.github/workflows/release.yml
docs/examples/guardlink-pentest.html
docs/examples/threat-dashboard.html
examples/ci/per-repo-report.yml
examples/ci/workspace-merge.yml
examples/github-action.yml
src/analyze/format.ts
src/dashboard/data.ts
src/diff/engine.ts
src/diff/format.ts
src/index.ts
src/init/picker.ts
src/init/templates.ts
src/parser/comment-strip.ts
src/parser/format.ts
src/parser/index.ts
src/parser/normalize.ts
src/report/mermaid.ts
src/tui/format.ts
src/types/index.ts

   

 

 
@@ -5438,63 +7007,63 @@ 
unknown

     

     
-    
+    
-    
+    
-    
+    
-    
+    
-      
+      
-    
+    
-    
+    
-    
+    
-    
+    
-      
+      
-    
+    
@@ -5510,79 +7079,85 @@ 
unknown

     
-    
+    
-    
+    
-      
+      
-    
+    
-    
+    
+      
+      
+      
+      
+    
+    
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-    
+    
-    
+    
-      
+      
-    
+    
-    
+    
-    
+    
-    
+    
@@ -5596,102 +7171,107 @@ 
unknown

   
 
   
-  
Audit Items (19)

+  
Audit Items (20)

     
StatusAssetThreatSeverityDescriptionLocation

     

       Mitigated
       #agent-launcher
       #api-key-exposure
       API keys loaded from env vars, files; stored in config.json
       src/agents/config.ts:13
     

       Mitigated
       #agent-launcher
       #path-traversal
       Config paths resolved from root and homedir
       src/agents/config.ts:15
     

       Mitigated
       #agent-launcher
       #arbitrary-write
       saveProjectConfig writes to .guardlink/config.json
       src/agents/config.ts:17
     

       Mitigated
       #agent-launcher
       #child-proc-injection
       spawn/spawnSync execute external binaries
       src/agents/launcher.ts:10
     

       Open
       #agent-launcher
       #prompt-injection
       User prompt passed to agent CLI as argument
       src/agents/launcher.ts:13
     

       Open
       #agent-launcher
       #dos
       No timeout on foreground spawn; agent controls duration
       src/agents/launcher.ts:15
     

       Open
       #agent-launcher
       #prompt-injection
       User prompt concatenated into agent instruction text
       src/agents/prompts.ts:6
     

       Mitigated
       #agent-launcher
       #path-traversal
       Reads reference docs from root-relative paths
       src/agents/prompts.ts:8
     
Open#agent-launcher#config-tampermediumTranslate prompt may read CXG reference paths from environment overridessrc/agents/prompts.ts:10

       Mitigated
       #llm-client
       #path-traversal
       buildProjectContext reads files from root-relative paths
       src/analyze/index.ts:8
     

       Mitigated
       #llm-client
       #arbitrary-write
       writeFileSync saves threat reports to .guardlink/
       src/analyze/index.ts:10
     

       Open
       #llm-client
       #data-exposure
       Serializes full threat model and code snippets for LLM
       src/analyze/index.ts:12
     

       Mitigated
       #llm-client
       #ssrf
       fetch() calls external LLM API endpoints
       src/analyze/llm.ts:13
     

       Mitigated
       #llm-client
       #api-key-exposure
       API keys passed in Authorization headers
       src/analyze/llm.ts:15
     

       Open
       #llm-client
       #prompt-injection
       User prompts sent to LLM API
       src/analyze/llm.ts:17
     

       Mitigated
       #llm-client
       #ssrf
       lookupCve fetches from NVD API with user-controlled CVE ID
       src/analyze/tools.ts:9
     

       Mitigated
       #llm-client
       #path-traversal
       searchCodebase reads files from project root
       src/analyze/tools.ts:11
     

       Mitigated
       #llm-client
       #dos
       searchCodebase reads many files; bounded by maxResults
       src/analyze/tools.ts:13
     

       Open
       #sarif
       #data-exposure
       low
       Exposes threat model findings to SARIF consumerssrc/analyzer/sarif.ts:15src/analyzer/sarif.ts:16
     

       Mitigated
       #cli
       #path-traversal
       high
       User-supplied dir argument resolved via path.resolvesrc/cli/index.ts:25src/cli/index.ts:27
     

       Mitigated
       #cli
       #arbitrary-write
       high
       init/report/sarif/dashboard write files to user-specified pathssrc/cli/index.ts:27src/cli/index.ts:29
     

       Mitigated
       #cli
       #api-key-exposure
       high
       API keys handled in config set/show commandssrc/cli/index.ts:29src/cli/index.ts:31
     

       Open
       #cli
       #cmd-injection
       critical
       Agent launcher spawns child processessrc/cli/index.ts:31src/cli/index.ts:33
     

       Mitigated
       #dashboard
       #xss
       Generates HTML with user-controlled threat model data
       src/dashboard/generate.ts:8
     

       Mitigated
       #dashboard
       #path-traversal
       readFileSync reads code files for annotation context
       src/dashboard/generate.ts:10
     

       Mitigated
       #dashboard
       #xss
       Generates HTML with threat model data
       src/dashboard/index.ts:4
     

       Mitigated
       #diff
       #cmd-injection
       execSync runs git commands with ref argument
       src/diff/git.ts:6
     

       Mitigated
       #diff
       #arbitrary-write
       writeFileSync creates files in temp directory
       src/diff/git.ts:8
     

       Mitigated
       #diff
       #path-traversal
       git show extracts files based on ls-tree output
       src/diff/git.ts:10
     

       Mitigated
       #diff
       #cmd-injection
       git.ts uses execSync with ref argument
       src/diff/index.ts:4
     

       Mitigated
       #init
       #path-traversal
       Reads package.json, pyproject.toml, etc. from root
       src/init/detect.ts:5
     

       Mitigated
       #init
       #arbitrary-write
       Creates/modifies files: .guardlink/, CLAUDE.md, .cursorrules, etc.
       src/init/index.ts:8
     

       Mitigated
       #init
       #path-traversal
       Reads/writes files based on root argument
       src/init/index.ts:10
     

       Open
       #init
       #data-exposure
       Writes API key config to .guardlink/config.json
       src/init/index.ts:12
     

       Open
       #mcp
       #cmd-injection
       Accepts tool calls from external MCP clients
       src/mcp/index.ts:4
     

       Mitigated
       #mcp
       #redos
       low
       Regex patterns applied to query stringssrc/mcp/lookup.ts:16src/mcp/lookup.ts:17
     

       Mitigated
       #mcp
       #path-traversal
       Tool arguments include 'root' directory path from external client
       src/mcp/server.ts:26
     

       Mitigated
       #mcp
       #arbitrary-write
       report, dashboard, sarif tools write files
       src/mcp/server.ts:28
     

       Open
       #mcp
       #prompt-injection
       annotate and threat_report tools pass user prompts to LLM
       src/mcp/server.ts:30
     

       Mitigated
       #mcp
       #api-key-exposure
       threat_report tool uses API keys from environment
       src/mcp/server.ts:32
     

       Open
       #mcp
       #data-exposure
       Resources expose full threat model to MCP clients
       src/mcp/server.ts:34
     

       Mitigated
       #suggest
       #path-traversal
       File path from MCP client joined with root
       src/mcp/suggest.ts:12
     

       Mitigated
       #suggest
       #redos
       Complex regex patterns applied to source code
       src/mcp/suggest.ts:14
     

       Open
       #suggest
       #dos
       Large files loaded into memory for pattern scanning
       src/mcp/suggest.ts:16
     

       Open
       #parser
       #arbitrary-write
       high
       Writes modified content back to discovered filessrc/parser/clear.ts:7src/parser/clear.ts:8
     

       Mitigated
       #parser
       #path-traversal
       high
       Glob patterns determine which files are modifiedsrc/parser/clear.ts:8src/parser/clear.ts:9
     

       Mitigated
       #parser
       #path-traversal
       high
       File path from caller read via readFile; no validation heresrc/parser/parse-file.ts:5src/parser/parse-file.ts:6
     

       Mitigated
       #parser
       #dos
       medium
       Large files loaded entirely into memorysrc/parser/parse-file.ts:6src/parser/parse-file.ts:7
     

       Mitigated
       #parser
       #redos
       Complex regex patterns applied to annotation text
       src/parser/parse-line.ts:5
     

       Mitigated
       #parser
       #path-traversal
       Glob patterns could escape root directory
       src/parser/parse-project.ts:5
     

       Mitigated
       #parser
       #dos
       Large projects with many files could exhaust memory
       src/parser/parse-project.ts:7
     

       Mitigated
       #cli
       #arbitrary-write
       Writes @accepts/@audit annotations into source files
       src/review/index.ts:10
     

       Mitigated
       #tui
       #path-traversal
       File paths from user args in /view, /sarif -o
       src/tui/commands.ts:7
     

       Mitigated
       #tui
       #arbitrary-write
       /report, /sarif, /dashboard write files
       src/tui/commands.ts:9
     

       Open
       #tui
       #cmd-injection
       /annotate and /threat-report spawn child processes
       src/tui/commands.ts:11
     

       Mitigated
       #tui
       #api-key-exposure
       /model handles API key input and storage
       src/tui/commands.ts:13
     

       Open
       #tui
       #prompt-injection
       Freeform chat sends user text to LLM
       src/tui/commands.ts:15
     

       Mitigated
       #tui
       #api-key-exposure
       API keys loaded from and saved to config files
       src/tui/config.ts:7
     

       Mitigated
       #tui
       #path-traversal
       User-supplied dir argument resolved via path.resolve
       src/tui/index.ts:9
     

       Mitigated
       #tui
       #api-key-exposure
       API keys displayed in banner via resolveLLMConfig
       src/tui/index.ts:11
     

       Mitigated
       #tui
       #dos
 
 
 
 
 
   
   
Side ASide BDescriptionLocation

     

       #agent-launcher
       
       AgentProcess
       Trust boundary at process spawn
       src/agents/launcher.ts:20
     

       #llm-client
       
       LLMProvider
       Trust boundary at external API call
       src/analyze/llm.ts:22
     

       #llm-client
       
       NVD
       Trust boundary at external API
       src/analyze/tools.ts:18
     

       #cli
       
       UserInput
       Trust boundary at CLI argument parsingsrc/cli/index.ts:35src/cli/index.ts:37
     

       #diff
       
       GitRepo
       Trust boundary at git command execution
       src/diff/git.ts:15
     

       #mcp
       
       MCPClient
       Trust boundary at MCP protocol
       src/mcp/index.ts:7
     

       #mcp
       
       MCPClient
       Trust boundary at tool argument parsing
       src/mcp/server.ts:40
     

       #parser
       
       FileSystem
       Trust boundary between parser and disk I/Osrc/parser/parse-project.ts:11src/parser/parse-project.ts:12
     

       #tui
       
       UserInput
     
ClassificationAssetDescriptionLocation

     

       secrets
       #agent-launcher
       Processes and stores LLM API keys
       src/agents/config.ts:22
     

       internal
       #agent-launcher
       Serializes threat model IDs and flows into promptsrc/agents/prompts.ts:13src/agents/prompts.ts:17
     

       internal
       #llm-client
       Processes project dependencies, env examples, code snippets
       src/analyze/index.ts:17
     
internal#llm-clientProcesses pentest scan output (JSON/SARIF)src/analyze/index.ts:689

       secrets
       #llm-client
       Processes API keys for authentication
       src/analyze/llm.ts:23
     

       secrets
       #cli
       Processes API keys via config commandssrc/cli/index.ts:36src/cli/index.ts:38
     

       internal
       #dashboard
       Processes and displays threat model datasrc/dashboard/generate.ts:15src/dashboard/generate.ts:17
     

       internal
       #init
       Generates definitions and agent instruction content
       src/init/index.ts:17
     

       internal
       #mcp
       Processes project annotations and threat model data
       src/mcp/server.ts:41
     

       internal
       #parser
       Operates on project source files onlysrc/parser/clear.ts:13src/parser/clear.ts:14
     

       internal
       #cli
       Processes exposure metadata and user justification text
       src/review/index.ts:15
     

       secrets
       #tui
       Processes and stores API keys via /model
       src/tui/commands.ts:21
     

       secrets
       #tui
       API keys stored in .guardlink/config.json
       src/tui/config.ts:11
     

       secrets
       #tui
       Displays LLM config including masked API keys
   

     
-    
+    
-    
+    
-    
+    
-    
+    
+      
+      
+      
+    
+    
-    
+    
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-    
+    
-    
+    
-    
+    
@@ -5702,154 +7282,170 @@ 
unknown

   
 
   
-  
Shielded Regions (16)

+  
Shielded Regions (14)
Code regions where annotations are intentionally suppressed via @shield.

     
AssetDescriptionLocation

     

       #agent-launcher
       Prompt content is opaque to agent binary; injection risk depends on agent implementation
       src/agents/launcher.ts:14
     

       #agent-launcher
       Timeout intentionally omitted for interactive sessions; inline mode has implicit control
       src/agents/launcher.ts:16
     

       #agent-launcher
       Prompt injection mitigated by agent's own safety measures; GuardLink prompt is read-only context
       src/agents/prompts.ts:7
     
#agent-launcherEnvironment override paths are optional convenience; verify trusted local paths in CIsrc/agents/prompts.ts:11

       #llm-client
       Threat model data intentionally sent to LLM for analysis
       src/analyze/index.ts:13
     

       #llm-client
       Prompt injection mitigated by LLM provider safety; local code is read-only
       src/analyze/llm.ts:18
     

       #sarif
       SARIF output intentionally reveals security findings for CI/CD integrationsrc/analyzer/sarif.ts:16src/analyzer/sarif.ts:17
     

       #cli
       Child process spawning delegated to agents/launcher.ts with explicit argssrc/cli/index.ts:32src/cli/index.ts:34
     

       #diff
       Git commands use execSync; ref is validated with rev-parse before use
       src/diff/index.ts:5
     

       #init
       Config file may contain API keys; .gitignore entry added automatically
       src/init/index.ts:13
     

       #mcp
       All tool calls validated by server.ts before execution
       src/mcp/index.ts:5
     

       #mcp
       User prompts passed to LLM; model context is read-only
       src/mcp/server.ts:31
     

       #mcp
       Threat model data intentionally exposed to connected agents
       src/mcp/server.ts:35
     

       #suggest
       File size is bounded by project scope; production use involves reasonable file sizes
       src/mcp/suggest.ts:17
     

       #parser
       Destructive operation requires explicit user confirmation via dryRun flagsrc/parser/clear.ts:10src/parser/clear.ts:11
     

       #parser
       Path validation delegated to callers (CLI/MCP validate root)src/parser/parse-file.ts:7src/parser/parse-file.ts:8
     

       #cli
       Review decisions require human justification; no empty accepts allowed
       src/review/index.ts:12
     

       #tui
       Child process spawning delegated to agents/launcher.ts
       src/tui/commands.ts:12
     

       #tui
       User freeform text passed to LLM via cmdChat; model context is read-only
       src/tui/commands.ts:16
     

       #tui
       API keys masked via maskKey() in banner display
       src/tui/index.ts:12
   
   

     
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
-    
-    
-      
-      
+      
-    
-      
-      
-    
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      
-    
+    
-      
+      

     
ReasonLocation

     

       Example annotation block for reference, excluded from parsingsrc/agents/prompts.ts:148src/agents/prompts.ts:204
     

       No reason providedsrc/agents/prompts.ts:161src/agents/prompts.ts:217
     

       Description examples, excluded from parsingsrc/agents/prompts.ts:168src/agents/prompts.ts:224
     

       No reason providedsrc/agents/prompts.ts:178src/agents/prompts.ts:234
     

       Flow examples, excluded from parsingsrc/agents/prompts.ts:185src/agents/prompts.ts:241
     

       No reason providedsrc/agents/prompts.ts:194src/agents/prompts.ts:250
     

       Boundary examples, excluded from parsingsrc/agents/prompts.ts:201src/agents/prompts.ts:257
     

       No reason providedsrc/agents/prompts.ts:207
Placement examples, excluded from parsingsrc/agents/prompts.ts:214src/agents/prompts.ts:263
     
No reason providedsrc/agents/prompts.ts:223

       @accepts alternative examples, excluded from parsingsrc/agents/prompts.ts:250src/agents/prompts.ts:322
     

       No reason providedsrc/agents/prompts.ts:260src/agents/prompts.ts:332
     

       Definition syntax examples, excluded from parsingsrc/agents/prompts.ts:277src/agents/prompts.ts:359
     

       No reason providedsrc/agents/prompts.ts:281src/agents/prompts.ts:363
     

       Relationship syntax examples, excluded from parsingsrc/agents/prompts.ts:286src/agents/prompts.ts:368
     

       No reason providedsrc/agents/prompts.ts:299src/agents/prompts.ts:383
     

     
   

 
   
-  
Developer Comments (18)

+  
Developer Comments (24)

   
     
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-    
+    
-      
+      
+    
+    
+      
+      
-    
+    
-    
+    
-    
+    
+      
+      
+    
+    
-      
+      
-    
+    
-    
+    
+      
+      
+    
+    
-    
+    
+      
+      
+    
+    
+      
+      
+    
+    
-    
+    
-    
+    
-    
+    
-    
+    
+      
+      
+    
+    
-    
+    
@@ -5865,17 +7461,17 @@ 
unknown

     
-    

-      
#mcp

+    

+      
#agent-launcher

       

-        ⚠ 7
-        🛡 4
-        ↔ 6
+        ⚠ 9
+        🛡 6
+        ↔ 12
       

-      
internal

+      
secretsinternal

     

-    

-      
#parser

+    

+      
#mcp

       

         ⚠ 7
         🛡 4
@@ -5883,7 +7479,7 @@ 
unknown

       

       
internal

     

-    

+    

       
#tui

       

         ⚠ 9
@@ -5892,25 +7488,25 @@ 
unknown

       

       
secretssecretssecrets

     

-    

-      
#agent-launcher

+    

+      
#parser

       

-        ⚠ 8
-        🛡 6
-        ↔ 10
+        ⚠ 7
+        🛡 5
+        ↔ 6
       

-      
secretsinternal

+      
internal

     

-    

+    

       
#llm-client

       

         ⚠ 9
-        🛡 7
-        ↔ 11
+        🛡 8
+        ↔ 12
       

-      
internalsecrets

+      
internalinternalsecrets

     

-    

+    

       
#sarif

       

         ⚠ 1
@@ -5919,7 +7515,7 @@ 
unknown

       

       
     

-    

+    

       
#cli

       

         ⚠ 5
@@ -5928,7 +7524,7 @@ 
unknown

       

       
secretsinternal

     

-    

+    

       
#diff

       

         ⚠ 4
@@ -5937,7 +7533,7 @@ 
unknown

       

       
     

-    

+    

       
#init

       

         ⚠ 4
@@ -5946,7 +7542,7 @@ 
unknown

       

       
internal

     

-    

+    

       
#suggest

       

         ⚠ 3
@@ -5955,16 +7551,16 @@ 
unknown

       

       
     

-    

+    

       
#dashboard

       

         ⚠ 3
-        🛡 3
-        ↔ 4
+        🛡 5
+        ↔ 7
       

       
internal

     

-    

+    

       
GuardLink.Parser

       

         ⚠ 0
@@ -5973,7 +7569,7 @@ 
unknown

       

       
     

-    

+    

       
GuardLink.CLI

       

         ⚠ 0
@@ -5982,7 +7578,7 @@ 
unknown

       

       
     

-    

+    

       
GuardLink.TUI

       

         ⚠ 0
@@ -5991,7 +7587,7 @@ 
unknown

       

       
     

-    

+    

       
GuardLink.MCP

       

         ⚠ 0
@@ -6000,7 +7596,7 @@ 
unknown

       

       
     

-    

+    

       
GuardLink.LLM_Client

       

         ⚠ 0
@@ -6009,7 +7605,7 @@ 
unknown

       

       
     

-    

+    

       
GuardLink.Dashboard

       

         ⚠ 0
@@ -6018,7 +7614,7 @@ 
unknown

       

       
     

-    

+    

       
GuardLink.Init

       

         ⚠ 0
@@ -6027,7 +7623,7 @@ 
unknown

       

       
     

-    

+    

       
GuardLink.Agent_Launcher

       

         ⚠ 0
@@ -6036,7 +7632,7 @@ 
unknown

       

       
     

-    

+    

       
GuardLink.Diff

       

         ⚠ 0
@@ -6045,7 +7641,7 @@ 
unknown

       

       
     

-    

+    

       
GuardLink.Report

       

         ⚠ 0
@@ -6054,7 +7650,7 @@ 
unknown

       

       
     

-    

+    

       
GuardLink.SARIF

       

         ⚠ 0
@@ -6063,7 +7659,7 @@ 
unknown

       

       
     

-    

+    

       
GuardLink.Suggest

       

         ⚠ 0
@@ -6072,7 +7668,7 @@ 
unknown

       

       
     

-    

+    

       
Workspace.Link

       

         ⚠ 0
@@ -6081,7 +7677,7 @@ 
unknown

       

       
     

-    

+    

       
Workspace.Merge

       

         ⚠ 0
@@ -6090,7 +7686,7 @@ 
unknown

       

       
     

-    

+    

       
Workspace.Metadata

       

         ⚠ 0
@@ -6099,7 +7695,7 @@ 
unknown

       

       
     

-    

+    

       
Workspace.Config

       

         ⚠ 0
@@ -6108,7 +7704,7 @@ 
unknown

       

       
     

-    

+    

       
#merge-engine

       

         ⚠ 0
@@ -6117,7 +7713,7 @@ 
unknown

       

       
     

-    

+    

       
#workspace-config

       

         ⚠ 0
@@ -6126,7 +7722,7 @@ 
unknown

       

       
     

-    

+    

       
EnvVars

       

         ⚠ 0
@@ -6135,7 +7731,7 @@ 
unknown

       

       
     

-    

+    

       
ConfigFile

       

         ⚠ 0
@@ -6144,16 +7740,16 @@ 
unknown

       

       
     

-    

+    

       
UserPrompt

       

         ⚠ 0
         🛡 0
-        ↔ 2
+        ↔ 4
       

       
     

-    

+    

       
AgentProcess

       

         ⚠ 0
@@ -6162,16 +7758,16 @@ 
unknown

       

       
     

-    

+    

       
ThreatModel

       

         ⚠ 0
         🛡 0
-        ↔ 10
+        ↔ 14
       

       
     

-    

+    

       
AgentPrompt

       

         ⚠ 0
@@ -6180,7 +7776,7 @@ 
unknown

       

       
     

-    

+    

       
ProjectFiles

       

         ⚠ 0
@@ -6189,7 +7785,7 @@ 
unknown

       

       
     

-    

+    

       
ReportFile

       

         ⚠ 0
@@ -6198,7 +7794,16 @@ 
unknown

       

       
     

-    

+    

+      
PentestFindings

+      

+        ⚠ 0
+        🛡 0
+        ↔ 1
+      

+      
+    

+    

       
LLMConfig

       

         ⚠ 0
@@ -6207,7 +7812,7 @@ 
unknown

       

       
     

-    

+    

       
LLMProvider

       

         ⚠ 0
@@ -6216,7 +7821,7 @@ 
unknown

       

       
     

-    

+    

       
LLMToolCall

       

         ⚠ 0
@@ -6225,7 +7830,7 @@ 
unknown

       

       
     

-    

+    

       
NVD

       

         ⚠ 0
@@ -6234,7 +7839,7 @@ 
unknown

       

       
     

-    

+    

       
SarifLog

       

         ⚠ 0
@@ -6243,7 +7848,7 @@ 
unknown

       

       
     

-    

+    

       
UserArgs

       

         ⚠ 0
@@ -6252,7 +7857,7 @@ 
unknown

       

       
     

-    

+    

       
FileSystem

       

         ⚠ 0
@@ -6261,7 +7866,7 @@ 
unknown

       

       
     

-    

+    

       
SourceFiles

       

         ⚠ 0
@@ -6270,7 +7875,7 @@ 
unknown

       

       
     

-    

+    

       
HTML

       

         ⚠ 0
@@ -6279,7 +7884,7 @@ 
unknown

       

       
     

-    

+    

       
GitRef

       

         ⚠ 0
@@ -6288,7 +7893,7 @@ 
unknown

       

       
     

-    

+    

       
TempDir

       

         ⚠ 0
@@ -6297,7 +7902,7 @@ 
unknown

       

       
     

-    

+    

       
ProjectRoot

       

         ⚠ 0
@@ -6306,7 +7911,7 @@ 
unknown

       

       
     

-    

+    

       
AgentFiles

       

         ⚠ 0
@@ -6315,7 +7920,7 @@ 
unknown

       

       
     

-    

+    

       
MCPClient

       

         ⚠ 0
@@ -6324,7 +7929,7 @@ 
unknown

       

       
     

-    

+    

       
QueryString

       

         ⚠ 0
@@ -6333,7 +7938,7 @@ 
unknown

       

       
     

-    

+    

       
FilePath

       

         ⚠ 0
@@ -6342,7 +7947,7 @@ 
unknown

       

       
     

-    

+    

       
Suggestions

       

         ⚠ 0
@@ -6351,7 +7956,7 @@ 
unknown

       

       
     

-    

+    

       
Annotations

       

         ⚠ 0
@@ -6360,16 +7965,16 @@ 
unknown

       

       
     

-    

+    

       
#report

       

         ⚠ 0
         🛡 0
-        ↔ 2
+        ↔ 3
       

       
     

-    

+    

       
Markdown

       

         ⚠ 0
@@ -6378,7 +7983,7 @@ 
unknown

       

       
     

-    

+    

       
UserInput

       

         ⚠ 0
@@ -6387,7 +7992,7 @@ 
unknown

       

       
     

-    

+    

       
Commands

       

         ⚠ 0
@@ -6396,7 +8001,7 @@ 
unknown

       

       
     

-    

+    

       
RawStdin

       

         ⚠ 0
@@ -6405,7 +8010,7 @@ 
unknown

       

       
     

-    

+    

       
Terminal

       

         ⚠ 0
@@ -6414,7 +8019,7 @@ 
unknown

       

       
     

-    

+    

       
#workspace-link

       

         ⚠ 0
@@ -6423,7 +8028,7 @@ 
unknown

       

       
     

-    

+    

       
ReportJSON

       

         ⚠ 0
@@ -6432,7 +8037,7 @@ 
unknown

       

       
     

-    

+    

       
MergedReport

       

         ⚠ 0
@@ -6441,7 +8046,7 @@ 
unknown

       

       
     

-    

+    

       
GitRepo

       

         ⚠ 0
@@ -6450,7 +8055,7 @@ 
unknown

       

       
     

-    

+    

       
#report-metadata

       

         ⚠ 0
@@ -6477,12 +8082,15 @@ 
Details

 
 

     
CommentLocation

     

       Agent binaries are hardcoded; no user-controlled binary names
       src/agents/index.ts:7
     

       parseAgentFlag extracts flags from args; no injection risk
       src/agents/index.ts:8
     

       Prompt templates are static; no user input interpolation in system prompts
       src/analyze/prompts.ts:7
     

       customPrompt is appended to user message, not system prompt — bounded injection risk
       src/analyze/prompts.ts:8
     

       SARIF generation is pure transformation; no I/O in this module
       src/analyzer/index.ts:4
     

       File writes handled by CLI/MCP callers
       src/analyzer/index.ts:5
     

       Pure function: transforms ThreatModel to SARIF JSON; no I/Osrc/analyzer/sarif.ts:17src/analyzer/sarif.ts:18
Alias map collapses #id / name / path-joined ref forms so Mermaid and D3 views agree on identitysrc/dashboard/diagrams.ts:18
     

       Self-contained HTML; no external data injection after generation
       src/dashboard/index.ts:7
     

       Detection is read-only; no file writes
       src/init/detect.ts:8
     
Migrations should never modify existing user files. Only create missing ones.src/init/migrate.ts:9

       Pure function; no I/O; operates on in-memory ThreatModelsrc/mcp/lookup.ts:19src/mcp/lookup.ts:20
     

       Skips node_modules and .guardlink directories
       src/mcp/suggest.ts:20
     
Pure filtering utility; no I/Osrc/parser/feature-filter.ts:9

       Regex patterns designed with bounded quantifiers and explicit structure
       src/parser/parse-line.ts:7
     
Scans standalone .gal files in addition to comment-based source annotationssrc/parser/parse-project.ts:11
@confirmed refs validated same as @exposes for asset and threatsrc/parser/validate.ts:8

       Report generation is pure transformation; no I/O in this module
       src/report/index.ts:4
     

       File writes handled by CLI/MCP callers
       src/report/index.ts:5
     

       Pure function: transforms ThreatModel to markdown string
       src/report/report.ts:6
     

       No file I/O; caller (CLI/MCP) handles write
       src/report/report.ts:7
     
Pure function: transforms ThreatModel flows to Mermaid sequence diagramsrc/report/sequence.ts:6

       Raw mode enables full keystroke control for command palette
       src/tui/input.ts:19
     

       Workspace module: config loading, merge engine, link-project setup
       src/workspace/index.ts:4