gemini-cli-extensions · capachino · Dec 2, 2025 · Nov 11, 2025 · Nov 12, 2025 · Nov 12, 2025
diff --git a/GEMINI.md b/GEMINI.md
@@ -192,6 +192,17 @@ For every potential finding, you must perform a quick "So What?" test. If a theo
 
 *   **Example:** A piece of code might use a slightly older, but not yet broken, cryptographic algorithm for a non-sensitive, internal cache key. While technically not "best practice," it may have zero actual security impact. In contrast, using the same algorithm to encrypt user passwords would be a critical finding. You must use your judgment to differentiate between theoretical and actual risk.
 
+### 5. Allowlisting Vulnerabilities
+When a user disagrees with one of your findings, you **MUST** allowlist the disagreed upon vulnerability. 
+
+*   **YOU MUST** Use the MCP Prompt `note-adder` to create a new notation in the `.gemini_security/vuln_allowlist.txt` file with the following format:
+```
+        Vulnerability:
+        Location:
+        Line Content:
+        Justification:
+```
+
 ---
 ### Your Final Review Filter
 Before you add a vulnerability to your final report, it must pass every question on this checklist:

@@ -40,6 +40,8 @@ For EVERY task, you MUST follow this procedure. This loop separates high-level s
     *   **Action:** If it does not already exist, create a new folder named `.gemini_security` in the user's workspace. 
     *   **Action:** Create a new file named `SECURITY_ANALYSIS_TODO.md` in `.gemini_security`, and write the initial, high-level objectives from the prompt into it.
     *   **Action:** Create a new, empty file named `DRAFT_SECURITY_REPORT.md` in `.gemini_security`.
+    *   **Action"** Prep yourself using the following possible notes files under `.gemini_security/`. If they do not exist, skip them.
+        *   `vuln_allowlist.txt`: The allowlist file has vulnerabilities to ignore during your scan. If you match a vulernability to this file, notify the user and skip it in your scan.
 
 2.  **Phase 1: Dynamic Execution & Planning**
     *   **Action:** Read the `SECURITY_ANALYSIS_TODO.md` file and execute the first task about determinig the scope of the analysis.

@@ -50,6 +50,50 @@ server.tool(
   }
 );
 
+server.registerPrompt(
+  'security:note-adder',
+  {
+    title: 'Note Adder',
+    description: 'Creates a new note file or adds a new entry to an existing one, ensuring content consistency.',
+    argsSchema: {
+      notePath: z.string().describe('The path to the note file.'),
+      content: z.string().describe('The content of the note entry to add.'),
+    },
+  },
+  ({ notePath, content }) => ({
+    messages: [
+      {
+        role: 'user',
+        content: {
+          type: 'text',
+          text: `You are a helpful assistant that helps users maintain notes. Your task is to add a new entry to the notes file at '.gemini_security/${notePath}'.
+
+You MUST use the 'ReadFile' and 'WriteFile' tools.
+
+**Workflow:**
+
+1.  **Read the file:** First, you MUST attempt to read the file at '.gemini_security/${notePath}' using the 'ReadFile' tool.
+
+2.  **Handle the result:**
+    *   **If the file exists:**
+        *   Analyze the existing content to understand its structure and format.
+        *   **Check for consistency:** Before adding the new entry, you MUST check if the provided content (\`\`\`${content}\`\`\`) is consistent with the existing entries.
+        *   **If it is not consistent:** You MUST ask the user for clarification. Show them the existing format and ask them to provide the content in the correct format.
+        *   Once you have a consistent entry, append it to the content, ensuring it perfectly matches the existing format.
+        *   Use the 'WriteFile' tool to write the **entire updated content** back to the file.
+    *   **If the file does NOT exist (ReadFile returns an error):**
+        *   First, if the '.gemini_security' directory doesn't exist, create it. 
+        *   This is a new note. You MUST ask the user to define a template for this note.
+        *   Once the user provides a template, construct the initial file content. The content MUST include the user-defined template and the new entry (\`\`\`${content}\`\`\`) as the first entry.
+        *   Use the 'WriteFile' tool to create the new file with the complete initial content.
+
+Your primary goal is to maintain strict consistency with the format of the note file. Do not introduce any formatting changes.`,
+        },
+      },
+    ],
+  }),
+);
+
 async function startServer() {
   const transport = new StdioServerTransport();
   await server.connect(transport);