Your feedback is valuable and correct. I'll extract the library into /core in the repo and also manually verify all the citations. I'll read into the prompt injection literature more deeply and turn this from a shower thought project into something more mature.
Yes, to be completely honest, this is a vibe coded project and I'm by no means a security expert. This was more of a fun side project/experiment based on a shower thought. I admit it's not good/disingenuous to imply security knowledge, but for what it's worth, I just prompted Claude to research the latest papers on prompt injection and it made the claims on its own. Again, this should not be an excuse for not reviewing the AI's output more carefully, so in the future I'll be more careful with LLM output and also present it as a vibe-coded project. Apologies, I'm just a noob in prompt injection security who doesn't know what he's doing :(
There's absolutely no problem with not knowing what you're doing! Just, you know, own it.
Part of what I find exhausting about projects like this is I can't see any evidence of the person who ostensibly created it. No human touch whatsoever - it's a real drag to read this stuff.
By all means, vibe code things, but put your personal stamp on it if you want people to take notice.
MDX is not secure by default; you'd be executing arbitrary JS code potentially sent by untrustworthy sources, which is advised against on the MDX website.
This actually uses web components under the hood! The DSL is more secure and easier to write (at least in my opinion). For v2 I'll make the whole design/architecture more polished and web-component oriented, possibly with some sort of verifier/editor support???