Security fixes:
- Path traversal guard in include: local: — paths with ../ that escape
the repo root are rejected instead of reading arbitrary host files
- HTTP timeout (30 s) on all fetcher requests to prevent indefinite hangs
- Response size cap (10 MiB) via io.LimitReader to prevent memory exhaustion
- Cache directory and file permissions tightened to 0700/0600
- LSP Content-Length cap (64 MiB) to guard against DoS from a malicious client
New feature:
- --proxy flag on check, graph, and lsp subcommands; also proxy: key in
.glint.yml; overrides system HTTP_PROXY / HTTPS_PROXY env vars when set;
cmdGraph and cmdLSP now also load .glint.yml for proxy/token/url fallbacks
New lint rule:
- GL045 (Warning): include: remote: using plain http:// instead of https://
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
New internal/lsp package implements a minimal JSON-RPC 2.0 LSP server
over stdin/stdout with Content-Length framing. Supported lifecycle:
initialize → initialized → shutdown → exit. Document sync: Full (sends
complete text on every change). Handles textDocument/didOpen,
didChange, didSave, didClose; publishes textDocument/publishDiagnostics
after every change. Rule IDs surface as the diagnostic `code` field
with `"glint"` as source. Parse errors produce an Error diagnostic at
the top of the document. Include resolution is best-effort (GITLAB_TOKEN
env var; ~/.cache/glint default cache). CLI: glint lsp [--token]
[--gitlab-url] [--cache-dir] [--offline].
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>