| Version | Supported |
|---|---|
| 0.1.x | ✅ |
angular-generator-agent is a local CLI tool that reads PRD files and generates Angular application code via LLM providers. It is not a server and does not accept inbound network connections.
- User provides a PRD file on disk
- CLI reads the PRD and sends content to the configured LLM provider (Ollama / OpenAI / Anthropic)
- LLM responses are parsed and written to the local `.workspace/` directory
- No data is stored externally beyond what the LLM provider retains per their own policy
| Control | Implementation |
|---|---|
| API key source | Environment variables only — never hardcoded |
| Log redaction | Winston redacts patterns: `sk-*`, `sk-ant-*`, `key-*`, known fields |
| Workspace output | No credentials are written to generated code or workspace files |
| `.env` excluded from git | `.gitignore` blocks all `.env*` files (except `.env.example`) |
| No post-install scripts | `package.json` contains no lifecycle hooks that execute code |
| Dependencies pinned | `bun.lock` ensures reproducible installs |
All secrets are loaded from environment variables and validated at startup via Zod schemas in src/config/env.mts. If a required key is missing or malformed, the process exits immediately with a descriptive error — it never falls through to a default or empty string.
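The log-redaction row in the table above lists token shapes rather than showing the transform. As an added example (not the project's own code), here is a winston-style formatter that masks those patterns and a set of assumed "known fields"; winston itself is not imported so the logic runs stand-alone, and the field-name list, the `[REDACTED]` mask and the minimum token length are assumptions, not taken from the project.

```typescript
// Token shapes named in the security table. A minimum length avoids masking
// ordinary hyphenated words such as "key-value"; real provider keys are long.
// "sk-ant-" keys also match the generic "sk-" rule, so either order is safe.
const TOKEN_PATTERNS: RegExp[] = [
  /\bsk-ant-[A-Za-z0-9_-]{8,}/g,
  /\bsk-[A-Za-z0-9_-]{8,}/g,
  /\bkey-[A-Za-z0-9_-]{8,}/g,
];

// Assumed list of "known fields" whose values are masked regardless of shape.
const SENSITIVE_FIELDS = new Set(["apiKey", "api_key", "authorization", "token", "password"]);

const MASK = "[REDACTED]";

// Scrub token-shaped substrings from free text (e.g. a log message or error).
function redactString(text: string): string {
  return TOKEN_PATTERNS.reduce((acc, re) => acc.replace(re, MASK), text);
}

// Walk a log-info object: mask sensitive field names outright, scrub strings,
// recurse into arrays/objects, and guard against cycles in metadata.
function redactValue(value: unknown, seen: WeakSet<object> = new WeakSet()): unknown {
  if (typeof value === "string") return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redactValue(v, seen));
  if (value !== null && typeof value === "object") {
    if (seen.has(value)) return "[Circular]";
    seen.add(value);
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = SENSITIVE_FIELDS.has(k) ? MASK : redactValue(v, seen);
    }
    return out;
  }
  return value;
}

// Same (info) => info shape that winston.format() wraps:
//   logger = winston.createLogger({ format: winston.format(redactInfo)() })
function redactInfo<T extends Record<string, unknown>>(info: T): T {
  return redactValue(info) as T;
}
```

Run the transform as the first format in the chain so every transport downstream only ever sees masked values.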
- Angular source code is written to `.workspace/<runId>/output/`
- Generated code may contain API base URLs from the PRD but never credentials
- No credentials or API keys are embedded in output files
If you discover a security vulnerability, please report it responsibly:
- Do NOT open a public issue
- Email: [security contact — update with your email]
- Include: description, reproduction steps, and impact assessment
- Expected response time: 48 hours
- All dependencies are declared in `package.json` and locked via `bun.lock`
- Dependabot is configured to monitor for vulnerable dependencies
- CodeQL scanning is enabled via GitHub Actions