release/v1.4.3 — multi-hop @flows, quoted refs, opt-in evidence redaction

.clinerules

@@ -1,17 +1,18 @@
 <!-- guardlink:begin -->
 # GuardLink Security Annotations
 
-This project uses GuardLink annotations in source code comments or standalone .gal files.
+This project uses GuardLink annotations in source code comments.
 
 ## Core Requirement
 Every time you write or modify code that touches security-relevant behavior, you MUST add GuardLink annotations in the same change. This includes: new endpoints, auth logic, data validation, database queries, file I/O, external API calls, crypto, process spawning, user input handling, config parsing. Do NOT annotate pure business logic, formatting utilities, UI components, or helpers that never touch security boundaries.
 
 ## Key Rules
 - ANNOTATE NEW CODE. When you add a function or endpoint that handles user input, accesses data, or crosses a trust boundary — add @exposes, @mitigates, @flows, @handles, or at minimum @comment. This is not optional.
 - NEVER write @accepts — that is a human-only governance decision. For risks with no mitigation: write @exposes + @audit + @comment suggesting potential controls.
+- Use @confirmed for verified exploits. When pentest/scanning/manual reproduction proves a threat is exploitable: @confirmed #threat on Asset [severity] -- "evidence". Distinct from @exposes (theoretical) — @confirmed means real, verified, no false positives.
 - Preserve existing annotations — do not delete or mangle them.
 - Definitions (@asset, @threat, @control with (#id)) live in .guardlink/definitions.ts. Reuse IDs — never redefine. Add new definitions there first, then reference in source files.
-- Relationship annotations use verbs: @mitigates, @exposes, @flows, @handles, @boundary, @comment, @validates, @audit, @owns, @assumes, @transfers.
+- Source files use relationship verbs: @mitigates, @exposes, @confirmed, @flows, @handles, @boundary, @comment, @validates, @audit, @owns, @assumes, @transfers, @feature.
 - Write coupled annotation blocks: risk + control (or audit) + data flow + context note.
 - Avoid @shield unless a human explicitly asks to hide code from AI.
 
@@ -30,6 +31,8 @@ Every time you write or modify code that touches security-relevant behavior, you
 - @handles pii on App.API -- "Processes email, token"
 - @validates #prepared-stmts for App.API -- "CI test ensures placeholders"
 - @audit App.API -- "Token rotation review"
+- @confirmed #sqli on App.API [critical] cwe:CWE-89 -- "Pentest verified: raw SQL injection via email param"
+- @feature "SSO Login" -- "Single sign-on authentication flow"
 - @owns security-team for App.API -- "Team responsible"
 - @comment -- "Rate limit: 100 req/15min"
 
@@ -43,49 +46,55 @@ Every time you write or modify code that touches security-relevant behavior, you
 
 ### Open Exposures (need @mitigates or @audit)
 
-- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12)
-- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17)
 - #agent-launcher exposed to #prompt-injection [medium] (src/agents/launcher.ts:13)
 - #agent-launcher exposed to #dos [low] (src/agents/launcher.ts:15)
 - #agent-launcher exposed to #prompt-injection [high] (src/agents/prompts.ts:6)
-- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:15)
-- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:31)
-- #init exposed to #data-exposure [low] (src/init/index.ts:12)
+- #agent-launcher exposed to #config-tamper [medium] (src/agents/prompts.ts:10)
+- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12)
+- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17)
+- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:33)
+- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:16)
 - #mcp exposed to #cmd-injection [high] (src/mcp/index.ts:4)
 - #mcp exposed to #prompt-injection [medium] (src/mcp/server.ts:30)
 - #mcp exposed to #data-exposure [medium] (src/mcp/server.ts:34)
 - #suggest exposed to #dos [low] (src/mcp/suggest.ts:16)
+- #init exposed to #data-exposure [low] (src/init/index.ts:12)
 - #parser exposed to #arbitrary-write [high] (src/parser/clear.ts:8)
 - #tui exposed to #cmd-injection [high] (src/tui/commands.ts:11)
 - #tui exposed to #prompt-injection [medium] (src/tui/commands.ts:15)
 
 ### Existing Data Flows (extend, don't duplicate)
 
-- ThreatModel -> #llm-client via serializeModel
-- ProjectFiles -> #llm-client via readFileSync
-- #llm-client -> ReportFile via writeFileSync
-- LLMConfig -> #llm-client via chatCompletion
-- #llm-client -> LLMProvider via fetch
-- LLMProvider -> #llm-client via response
-- LLMToolCall -> #llm-client via createToolExecutor
-- #llm-client -> NVD via fetch
-- ProjectFiles -> #llm-client via readFileSync
 - EnvVars -> #agent-launcher via process.env
 - ConfigFile -> #agent-launcher via readFileSync
 - #agent-launcher -> ConfigFile via writeFileSync
 - UserPrompt -> #agent-launcher via launchAgent
 - #agent-launcher -> AgentProcess via spawn
 - AgentProcess -> #agent-launcher via stdout
 - UserPrompt -> #agent-launcher via buildAnnotatePrompt
+- UserPrompt -> #agent-launcher via buildTranslatePrompt
+- UserPrompt -> #agent-launcher via buildAskPrompt
 - ThreatModel -> #agent-launcher via model
 - #agent-launcher -> AgentPrompt via return
-- ThreatModel -> #dashboard via computeStats
-- SourceFiles -> #dashboard via readFileSync
-- ... and 48 more
+- ThreatModel -> #llm-client via serializeModel
+- ProjectFiles -> #llm-client via readFileSync
+- #llm-client -> ReportFile via writeFileSync
+- PentestFindings -> #llm-client via readFileSync
+- LLMConfig -> #llm-client via chatCompletion
+- #llm-client -> LLMProvider via fetch
+- LLMProvider -> #llm-client via response
+- LLMToolCall -> #llm-client via createToolExecutor
+- #llm-client -> NVD via fetch
+- ... and 55 more
+
+### Features (filter with `--feature`)
+
+- "Dashboard"
+- "MCP Integration"
 
 ### Model Stats
 
-289 annotations, 16 assets, 15 threats, 12 controls, 60 exposures, 44 mitigations, 68 flows
+310 annotations, 16 assets, 15 threats, 12 controls, 61 exposures, 0 confirmed, 48 mitigations, 75 flows, 2 features
 
 <!-- guardlink:end -->
 
@@ -106,6 +115,16 @@ Every time you write or modify code that touches security-relevant behavior, you
 
 
 
+
+
+
+
+
+
+
+
+
+
 
 
 

.cursor/rules/guardlink.mdc

@@ -6,17 +6,18 @@ alwaysApply: true
 
 # GuardLink Security Annotations
 
-This project uses GuardLink annotations in source code comments or standalone .gal files.
+This project uses GuardLink annotations in source code comments.
 
 ## Core Requirement
 Every time you write or modify code that touches security-relevant behavior, you MUST add GuardLink annotations in the same change. This includes: new endpoints, auth logic, data validation, database queries, file I/O, external API calls, crypto, process spawning, user input handling, config parsing. Do NOT annotate pure business logic, formatting utilities, UI components, or helpers that never touch security boundaries.
 
 ## Key Rules
 - ANNOTATE NEW CODE. When you add a function or endpoint that handles user input, accesses data, or crosses a trust boundary — add @exposes, @mitigates, @flows, @handles, or at minimum @comment. This is not optional.
 - NEVER write @accepts — that is a human-only governance decision. For risks with no mitigation: write @exposes + @audit + @comment suggesting potential controls.
+- Use @confirmed for verified exploits. When pentest/scanning/manual reproduction proves a threat is exploitable: @confirmed #threat on Asset [severity] -- "evidence". Distinct from @exposes (theoretical) — @confirmed means real, verified, no false positives.
 - Preserve existing annotations — do not delete or mangle them.
 - Definitions (@asset, @threat, @control with (#id)) live in .guardlink/definitions.ts. Reuse IDs — never redefine. Add new definitions there first, then reference in source files.
-- Relationship annotations use verbs: @mitigates, @exposes, @flows, @handles, @boundary, @comment, @validates, @audit, @owns, @assumes, @transfers.
+- Source files use relationship verbs: @mitigates, @exposes, @confirmed, @flows, @handles, @boundary, @comment, @validates, @audit, @owns, @assumes, @transfers, @feature.
 - Write coupled annotation blocks: risk + control (or audit) + data flow + context note.
 - Avoid @shield unless a human explicitly asks to hide code from AI.
 
@@ -35,6 +36,8 @@ Every time you write or modify code that touches security-relevant behavior, you
 - @handles pii on App.API -- "Processes email, token"
 - @validates #prepared-stmts for App.API -- "CI test ensures placeholders"
 - @audit App.API -- "Token rotation review"
+- @confirmed #sqli on App.API [critical] cwe:CWE-89 -- "Pentest verified: raw SQL injection via email param"
+- @feature "SSO Login" -- "Single sign-on authentication flow"
 - @owns security-team for App.API -- "Team responsible"
 - @comment -- "Rate limit: 100 req/15min"
 
@@ -48,46 +51,52 @@ Every time you write or modify code that touches security-relevant behavior, you
 
 ### Open Exposures (need @mitigates or @audit)
 
-- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12)
-- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17)
 - #agent-launcher exposed to #prompt-injection [medium] (src/agents/launcher.ts:13)
 - #agent-launcher exposed to #dos [low] (src/agents/launcher.ts:15)
 - #agent-launcher exposed to #prompt-injection [high] (src/agents/prompts.ts:6)
-- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:15)
-- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:31)
-- #init exposed to #data-exposure [low] (src/init/index.ts:12)
+- #agent-launcher exposed to #config-tamper [medium] (src/agents/prompts.ts:10)
+- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12)
+- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17)
+- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:33)
+- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:16)
 - #mcp exposed to #cmd-injection [high] (src/mcp/index.ts:4)
 - #mcp exposed to #prompt-injection [medium] (src/mcp/server.ts:30)
 - #mcp exposed to #data-exposure [medium] (src/mcp/server.ts:34)
 - #suggest exposed to #dos [low] (src/mcp/suggest.ts:16)
+- #init exposed to #data-exposure [low] (src/init/index.ts:12)
 - #parser exposed to #arbitrary-write [high] (src/parser/clear.ts:8)
 - #tui exposed to #cmd-injection [high] (src/tui/commands.ts:11)
 - #tui exposed to #prompt-injection [medium] (src/tui/commands.ts:15)
 
 ### Existing Data Flows (extend, don't duplicate)
 
-- ThreatModel -> #llm-client via serializeModel
-- ProjectFiles -> #llm-client via readFileSync
-- #llm-client -> ReportFile via writeFileSync
-- LLMConfig -> #llm-client via chatCompletion
-- #llm-client -> LLMProvider via fetch
-- LLMProvider -> #llm-client via response
-- LLMToolCall -> #llm-client via createToolExecutor
-- #llm-client -> NVD via fetch
-- ProjectFiles -> #llm-client via readFileSync
 - EnvVars -> #agent-launcher via process.env
 - ConfigFile -> #agent-launcher via readFileSync
 - #agent-launcher -> ConfigFile via writeFileSync
 - UserPrompt -> #agent-launcher via launchAgent
 - #agent-launcher -> AgentProcess via spawn
 - AgentProcess -> #agent-launcher via stdout
 - UserPrompt -> #agent-launcher via buildAnnotatePrompt
+- UserPrompt -> #agent-launcher via buildTranslatePrompt
+- UserPrompt -> #agent-launcher via buildAskPrompt
 - ThreatModel -> #agent-launcher via model
 - #agent-launcher -> AgentPrompt via return
-- ThreatModel -> #dashboard via computeStats
-- SourceFiles -> #dashboard via readFileSync
-- ... and 48 more
+- ThreatModel -> #llm-client via serializeModel
+- ProjectFiles -> #llm-client via readFileSync
+- #llm-client -> ReportFile via writeFileSync
+- PentestFindings -> #llm-client via readFileSync
+- LLMConfig -> #llm-client via chatCompletion
+- #llm-client -> LLMProvider via fetch
+- LLMProvider -> #llm-client via response
+- LLMToolCall -> #llm-client via createToolExecutor
+- #llm-client -> NVD via fetch
+- ... and 55 more
+
+### Features (filter with `--feature`)
+
+- "Dashboard"
+- "MCP Integration"
 
 ### Model Stats
 
-289 annotations, 16 assets, 15 threats, 12 controls, 60 exposures, 44 mitigations, 68 flows
+310 annotations, 16 assets, 15 threats, 12 controls, 61 exposures, 0 confirmed, 48 mitigations, 75 flows, 2 features

.gemini/GEMINI.md

@@ -3,7 +3,7 @@
 <!-- guardlink:begin -->
 ## GuardLink — Security Annotations (Required)
 
-This project uses [GuardLink](https://guardlink.bugb.io) annotations in source code comments or standalone `.gal` files.
+This project uses [GuardLink](https://guardlink.bugb.io) annotations in source code comments.
 **Full reference: `docs/GUARDLINK_REFERENCE.md`**
 
 ### Core Requirement
@@ -14,11 +14,12 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c
 
 1. **Annotate new code.** When you add a function, endpoint, or module that handles user input, accesses data, crosses a trust boundary, or could fail in a security-relevant way — add `@exposes`, `@mitigates`, `@flows`, `@handles`, or at minimum `@comment` annotations. This is not optional.
 2. **NEVER write `@accepts`.** That is a human-only governance decision. When you find a risk with no mitigation in code, write `@exposes` to document the risk + `@audit` to flag it for human review + `@comment` to suggest potential controls.
-3. Do not delete or mangle existing annotations. Treat them as part of the code. Edit only when intentionally changing the threat model.
-4. Definitions (`@asset`, `@threat`, `@control` with `(#id)`) live in `.guardlink/definitions.ts`. Reuse existing `#id`s — never redefine. If you need a new asset or threat, add the definition there first, then reference it in source files.
-5. Relationship annotations use verbs like: `@mitigates`, `@exposes`, `@flows`, `@handles`, `@boundary`, `@comment`, `@validates`, `@audit`, `@owns`, `@assumes`, `@transfers`.
-6. Write coupled annotation blocks that tell a complete story: risk + control (or audit) + data flow + context note. Never write a lone `@exposes` without follow-up.
-7. Avoid `@shield` unless a human explicitly asks to hide code from AI — it creates blind spots.
+3. **Use `@confirmed` for verified exploits.** When a pentest, CXG scan, or manual reproduction proves a threat is exploitable, mark it with `@confirmed #threat on Asset [severity] -- "evidence"`. This is distinct from `@exposes` (theoretical) — `@confirmed` means real, verified, not a false positive. Include severity based on actual observed impact.
+4. Do not delete or mangle existing annotations. Treat them as part of the code. Edit only when intentionally changing the threat model.
+5. Definitions (`@asset`, `@threat`, `@control` with `(#id)`) live in `.guardlink/definitions.ts`. Reuse existing `#id`s — never redefine. If you need a new asset or threat, add the definition there first, then reference it in source files.
+6. Source files use relationship verbs only: `@mitigates`, `@exposes`, `@confirmed`, `@flows`, `@handles`, `@boundary`, `@comment`, `@validates`, `@audit`, `@owns`, `@assumes`, `@transfers`, `@feature`.
+7. Write coupled annotation blocks that tell a complete story: risk + control (or audit) + data flow + context note. Never write a lone `@exposes` without follow-up.
+8. Avoid `@shield` unless a human explicitly asks to hide code from AI — it creates blind spots.
 
 ### Workflow (while coding)
 
@@ -43,6 +44,8 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c
 @handles pii on App.API -- "Processes email and session token"
 @validates #prepared-stmts for App.API -- "sqlInjectionTest.ts ensures placeholders used"
 @audit App.API -- "Token rotation logic needs crypto review"
+@confirmed #sqli on App.API [critical] cwe:CWE-89 -- "Pentest verified: raw SQL injection via email param"
+@feature "SSO Login" -- "Single sign-on authentication flow"
 @owns security-team for App.API -- "Team responsible for reviews"
 @comment -- "Rate limit: 100 req/15min via express-rate-limit"
 ```
@@ -57,49 +60,55 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c
 
 ### Open Exposures (need @mitigates or @audit)
 
-- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12)
-- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17)
 - #agent-launcher exposed to #prompt-injection [medium] (src/agents/launcher.ts:13)
 - #agent-launcher exposed to #dos [low] (src/agents/launcher.ts:15)
 - #agent-launcher exposed to #prompt-injection [high] (src/agents/prompts.ts:6)
-- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:15)
-- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:31)
-- #init exposed to #data-exposure [low] (src/init/index.ts:12)
+- #agent-launcher exposed to #config-tamper [medium] (src/agents/prompts.ts:10)
+- #llm-client exposed to #data-exposure [low] (src/analyze/index.ts:12)
+- #llm-client exposed to #prompt-injection [medium] (src/analyze/llm.ts:17)
+- #cli exposed to #cmd-injection [critical] (src/cli/index.ts:33)
+- #sarif exposed to #data-exposure [low] (src/analyzer/sarif.ts:16)
 - #mcp exposed to #cmd-injection [high] (src/mcp/index.ts:4)
 - #mcp exposed to #prompt-injection [medium] (src/mcp/server.ts:30)
 - #mcp exposed to #data-exposure [medium] (src/mcp/server.ts:34)
 - #suggest exposed to #dos [low] (src/mcp/suggest.ts:16)
+- #init exposed to #data-exposure [low] (src/init/index.ts:12)
 - #parser exposed to #arbitrary-write [high] (src/parser/clear.ts:8)
 - #tui exposed to #cmd-injection [high] (src/tui/commands.ts:11)
 - #tui exposed to #prompt-injection [medium] (src/tui/commands.ts:15)
 
 ### Existing Data Flows (extend, don't duplicate)
 
-- ThreatModel -> #llm-client via serializeModel
-- ProjectFiles -> #llm-client via readFileSync
-- #llm-client -> ReportFile via writeFileSync
-- LLMConfig -> #llm-client via chatCompletion
-- #llm-client -> LLMProvider via fetch
-- LLMProvider -> #llm-client via response
-- LLMToolCall -> #llm-client via createToolExecutor
-- #llm-client -> NVD via fetch
-- ProjectFiles -> #llm-client via readFileSync
 - EnvVars -> #agent-launcher via process.env
 - ConfigFile -> #agent-launcher via readFileSync
 - #agent-launcher -> ConfigFile via writeFileSync
 - UserPrompt -> #agent-launcher via launchAgent
 - #agent-launcher -> AgentProcess via spawn
 - AgentProcess -> #agent-launcher via stdout
 - UserPrompt -> #agent-launcher via buildAnnotatePrompt
+- UserPrompt -> #agent-launcher via buildTranslatePrompt
+- UserPrompt -> #agent-launcher via buildAskPrompt
 - ThreatModel -> #agent-launcher via model
 - #agent-launcher -> AgentPrompt via return
-- ThreatModel -> #dashboard via computeStats
-- SourceFiles -> #dashboard via readFileSync
-- ... and 48 more
+- ThreatModel -> #llm-client via serializeModel
+- ProjectFiles -> #llm-client via readFileSync
+- #llm-client -> ReportFile via writeFileSync
+- PentestFindings -> #llm-client via readFileSync
+- LLMConfig -> #llm-client via chatCompletion
+- #llm-client -> LLMProvider via fetch
+- LLMProvider -> #llm-client via response
+- LLMToolCall -> #llm-client via createToolExecutor
+- #llm-client -> NVD via fetch
+- ... and 55 more
+
+### Features (filter with `--feature`)
+
+- "Dashboard"
+- "MCP Integration"
 
 ### Model Stats
 
-289 annotations, 16 assets, 15 threats, 12 controls, 60 exposures, 44 mitigations, 68 flows
+310 annotations, 16 assets, 15 threats, 12 controls, 61 exposures, 0 confirmed, 48 mitigations, 75 flows, 2 features
 
 > **Note:** This section is auto-generated. Run `guardlink sync` to update after code changes.
 > Any coding agent (Cursor, Claude, Copilot, Windsurf, etc.) should reference these IDs
@@ -124,6 +133,16 @@ This project uses [GuardLink](https://guardlink.bugb.io) annotations in source c
 
 
 
+
+
+
+
+
+
+
+
+
+