Garry Tan e2ab41502e fix: adversarial review fixes for ux-audit and heatmap ...

Security:
- Remove live form value extraction from ux-audit (leaked input field values)
- Add ux-audit to PAGE_CONTENT_COMMANDS (untrusted content wrapping)

Correctness:
- Scope youAreHere selector to nav containers (was matching animation classes)
- Validate heatmap JSON is a plain object (string/array/null produced garbage)
- Use textContent instead of innerText for word count (avoids layout computation)
- Remove dead url variable and unused LINK_CAP constant

Found by Codex + Claude adversarial review.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-14 09:08:57 -07:00

..

bin

feat: multi-agent support — gstack works on Codex, Gemini CLI, and Cursor (v0.9.0) (#226)

2026-03-19 18:20:50 -07:00

scripts

fix: Windows support — Node.js server fallback for Playwright (#255)

2026-03-20 12:22:11 -07:00

src

fix: adversarial review fixes for ux-audit and heatmap

2026-04-14 09:08:57 -07:00

test

fix: security wave 3 — 12 fixes, 7 contributors (v0.16.4.0) (#988)

2026-04-13 07:49:37 -10:00

PLAN-snapshot-dropdown-interactive.md

fix: snapshot -i auto-detects dropdown/popover interactive elements (#845)

2026-04-05 22:57:45 -07:00

SKILL.md

feat: $B ux-audit command + snapshot --heatmap flag

2026-04-14 08:35:14 -07:00

SKILL.md.tmpl

feat: sidebar CSS inspector + per-tab agents (v0.13.9.0) (#650)

2026-03-30 12:51:05 -06:00