20 changes: 19 additions & 1 deletion CHANGELOG.md
@@ -1,5 +1,23 @@
# Changelog
---
## [2.9.2] - 2026-04-30

### Added
- Small HTML Docstring with project info

### Changed
- **CSV Formula Injection Mitigation**: Cells starting with formula characters are now prefixed with a tab character (\t) and wrapped in double quotes instead of just the single quote prefix that was used previously

## [2.9.1] - 2026-02-28

### Added
- **Function index generator**: Added `scripts/generate-function-index.py` to auto-generate `docs/FUNCTION_INDEX.generated.md` from runtime source function declarations.
- **Generated function inventory**: Added `docs/FUNCTION_INDEX.generated.md` as a machine-generated reference for maintainers.

### Changed
- **Updated Documentation**: `DOCUMENTATION.md` has been simplified & updated to v2.9.0.
- **Documentation cross-linking**: Added references to curated and generated function indexes in `README.md` and `DOCUMENTATION.md`.
- **Release regeneration workflow**: `scripts/regenerate-release.sh` now regenerates `docs/FUNCTION_INDEX.generated.md` before rebuilding `release/` artifacts.

## [2.9.0] - 2026-02-22

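Review bot: The 2.9.2 "CSV Formula Injection Mitigation" entry should state which leading characters trigger the mitigation and whether double quotes already inside a cell are doubled before the cell is wrapped in quotes; a value such as `=1+1"` wrapped without escaping yields a malformed quoted field, which the old single-quote prefix did not risk. The OWASP CSV injection guidance lists `=`, `+`, `-`, `@`, tab and carriage return as the trigger set, so a line like "Cells starting with =, +, -, @, tab or CR are prefixed with \t, embedded double quotes are doubled, and the cell is quoted" makes the mitigation auditable. The "Small HTML Docstring with project info" item under Added is too vague for a changelog; name the file it was added to.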
Expand Down Expand Up @@ -815,7 +833,7 @@ handleDrop(event, phaseKey) // Performs assignment

---

## Development Notes for AI Agents
## Development Notes

### File Structure Understanding
```
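Review bot: Renaming `## Development Notes for AI Agents` to `## Development Notes` changes the auto-generated heading anchor (`#development-notes-for-ai-agents` becomes `#development-notes`), so any in-repo link to the old heading breaks silently; grep the docs for the old anchor before merging, especially since the large `DOCUMENTATION.md` diff in this PR is not rendered here.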
5 changes: 5 additions & 0 deletions CONTRIBUTING.md
Expand Up @@ -26,6 +26,11 @@ Contributions are welcome. Please read the following guidelines before submittin
- Follow existing code style and naming conventions
- Keep functions focused and well-documented
- Test drag-and-drop, import/export, and metadata editing
- Keep docs in sync with shipped behavior:
- Update `CHANGELOG.md` for user-visible and security-relevant changes
- Update `README.md` when setup, usage, or feature surface changes
- Update `DOCUMENTATION.md` for architecture/runtime behavior changes
- Update `docs/FUNCTION_INDEX.md` and regenerate `docs/FUNCTION_INDEX.generated.md` when function surfaces change

## Data Updates

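Review bot: The last new bullet tells contributors to regenerate `docs/FUNCTION_INDEX.generated.md` but not how; name the command (`scripts/generate-function-index.py`, which the 2.9.1 changelog entry in this PR introduces for exactly this purpose) or `scripts/regenerate-release.sh`, which the same entry says runs it before rebuilding `release/`. Also confirm that the four sub-items are indented under "Keep docs in sync with shipped behavior:" so they render as a nested list rather than four additional top-level rules.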
1,811 changes: 392 additions & 1,419 deletions DOCUMENTATION.md


30 changes: 20 additions & 10 deletions README.md
@@ -1,10 +1,10 @@
# ![](favicon.ico) AttackFlow - Kill Chain Editor & Visualizer

An editor for creating enriched Cyber Kill Chain assessments by mapping MITRE ATT&CK, CAPEC, CWE & STIX 2.1 objects to the Unified Kill Chain framework and enriching phase parts with additional data. Visualize and assess complex attack scenarios easily by combining flexible TTPs with atomic IOCs and forensic data.
An editor for creating enriched Cyber Kill Chain assessments by mapping MITRE ATT&CK, CAPEC, CWE, and STIX 2.1 objects to the Unified Kill Chain framework, and enriching phase entries with additional metadata. Visualize and assess complex attack scenarios by combining flexible TTP mappings with atomic observables, CVE/CVSS context, and STIX intelligence objects.

### Work in progress

![Version](https://img.shields.io/badge/version-2.9.0-blue)
![Version](https://img.shields.io/badge/version-2.9.2-blue)
[![MITRE ATT&CK® 18](https://img.shields.io/badge/MITRE%20ATT%26CK®-v18-red)](https://attack.mitre.org/versions/v18/)
![License](https://img.shields.io/badge/license-Apache%202.0-green)
![Dependencies](https://img.shields.io/badge/dependencies-none-brightgreen)
Expand All @@ -18,8 +18,8 @@ An editor for creating enriched Cyber Kill Chain assessments by mapping MITRE AT
- **Offline Operation**
- No CDN or remote runtime requests; module dependencies are vendored locally and modules can be disabled.
- Can be used offline in a browser by opening the `index.html` file.
- Offline module communication is achieved via hardened IPC channels only allowed in `file://` protocol context. Disabled by default in `config.js`. See [Local iframe IPC](#Local-iframe-IPC) for detailed information.
- In case the IPC Bridge is disabled or fails to initialise the application falls back to manual import of the `resources` directory
- Offline module communication uses a hardened iframe IPC bridge (`MessageChannel`, nonce binding, allowlisted payloads) in `file://` mode. Disabled by default in `config.js`. See [Local iframe IPC](#local-iframe-ipc).
- If the IPC bridge is disabled or unavailable, AttackFlow falls back to local resource selection for required JSON datasets.
- **STIX Visualizer Module** — Modular Visualization of STIX Bundles
- Visualizer Module can be disabled via `config.js` flag. See [STIX Visualizer Toggle](#STIX-Visualizer-Toggle)
- For a list of bundled runtime dependencies used by the visualizer see: [STIX Visualizer Dependencies](#Bundled-STIX-Visualizer-Dependencies)
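Review bot: The rewritten IPC bullet drops the statement that the bridge is only allowed in the `file://` protocol context; "in `file://` mode" reads as a description of when it is used, not as a restriction the bridge enforces. Keep the restriction explicit, e.g. "... and refuses to initialise outside `file://`", since that property is what makes the `MessageChannel`/nonce design meaningful against other origins. Minor: the anchor was lower-cased to `#local-iframe-ipc`, but the two unchanged context lines still use `#STIX-Visualizer-Toggle` and `#Bundled-STIX-Visualizer-Dependencies`; normalise them in the same pass.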
Expand All @@ -30,7 +30,7 @@ An editor for creating enriched Cyber Kill Chain assessments by mapping MITRE AT
- **Unified Kill Chain** — Map entities to IN → THROUGH → OUT phases
- **Multi-Domain ATT&CK** — 898 techniques across Enterprise, Mobile, and ICS
- **CAPEC/CWE Integration** — Link attack patterns and weaknesses
- **STIX 2.1 Objects** — Create and manage all 18 SDO types plus custom objects
- **STIX 2.1 Objects** — Create and manage all 19 configured SDO types (including `x-custom`)

### Import & Sharing
- **Import/Export** — JSON sharing, CSV exports (with mitigation rows), and STIX 2.1 bundle exports (with mitigations and relationships)
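Review bot: "19 configured SDO types (including `x-custom`)" folds a custom object type into the SDO count; `x-custom` is a project-defined extension, not a STIX 2.1 SDO, and a reader checking the number against the specification will be confused. The previous wording kept them apart ("18 SDO types plus custom objects"); suggest "all 18 STIX 2.1 SDO types plus the configured `x-custom` object" if 18 is still the standard count, or link to where the list is configured so "configured" is verifiable.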
Expand All @@ -54,7 +54,7 @@ An editor for creating enriched Cyber Kill Chain assessments by mapping MITRE AT
![Relations View](/docs/images/relations.png)

### Relationship Explorer
- **Integrated Resource Corpus Explorer** Explore & search the complete corpus of related ATT&CK ↔ CAPEC ↔ CWE ↔ Mitigations patterns
- **Integrated Resource Corpus Explorer** Explore and search the complete ATT&CK ↔ CAPEC ↔ CWE ↔ Mitigation corpus
- **Technique Cross-References** — Item relationships & techniques referenced by ID in descriptions link to the Relationship Explorer

![Explorer View](/docs/images/explorer.png)
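Review bot: The reworded "Integrated Resource Corpus Explorer" bullet still lacks the " — " separator between the bold name and its description that the sibling "Technique Cross-References" bullet and the feature bullets above use; add it while the line is being touched.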
Expand All @@ -79,7 +79,13 @@ The Relationship Explorer is a second main view that lets you investigate ATT&CK
10. Enable compact mode for dense layouts when needed
11. Export your attack chain as JSON, CSV, or STIX Bundle

## Usecases
### Quick Start (Local `file://` mode)

1. Optionally enable local iframe IPC via `CONFIG.ConfigIframeIPC.enableLocalIframeIPC = true`.
2. Open `index.html` directly in a browser.
3. If prompted, select your local `resources/*.json` files (or the full resources directory) to populate the corpus.

## Use Cases

See the usecases [README](docs/Usecases/README.md) for details.

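Review bot: The new Quick Start duplicates the "For local use (in a browser)" steps further down in this same README (both say optionally set `CONFIG.ConfigIframeIPC.enableLocalIframeIPC`, open `index.html`, then select `resources/*.json`), and the two copies will drift; keep one and link the other to it. Also note that renaming `## Usecases` to `## Use Cases` changes its anchor, so check for links to `#usecases`.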
Expand Down Expand Up @@ -180,7 +186,7 @@ Please do not hesitate to create an issue / pull request or contact me directly

- **Input Blocking** — Dangerous characters (`` < > [ ] { } " ' ; -- ` ``) blocked at input level
- **Output Encoding** — All user-supplied values HTML-encoded before rendering
- **DOM-Safe Rendering** — Uses `textContent` and DOM APIs instead of `innerHTML`
- **Defensive Rendering** — Dynamic template rendering is output-encoded and sanitized before insertion
- **Import Validation** — File size, item count, and pattern validation on imports
- **Sanitized Data** — Source data cleaned of embedded markup during extraction
- **XXE Protection** — Secure XML parsing with entity expansion disabled
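Review bot: Replacing "DOM-Safe Rendering — Uses `textContent` and DOM APIs instead of `innerHTML`" with "Dynamic template rendering is output-encoded and sanitized before insertion" swaps a concrete, auditable claim for a vague one and implies templates are now inserted as HTML. If rendering really moved from `textContent` to encoded/sanitized HTML insertion, that is a security-relevant behavior change, and the CHANGELOG hunk in this PR does not mention it even though the new CONTRIBUTING rule in the same PR requires it; the bullet should also name the sanitizer and say whether the HTML insertion path is limited to trusted templates. If the code did not change, keep the original wording.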
Expand Down Expand Up @@ -227,6 +233,10 @@ Configuration in `config.js`:

See [IPC API DOCS](docs/IPC_API-DOCS.md) for concise architecture and threat-model documentation.

For a complete maintainer-oriented function inventory across runtime files, see [Function Index](docs/FUNCTION_INDEX.md).

For the auto-generated declaration inventory, see [Generated Function Index](docs/FUNCTION_INDEX.generated.md).

### STIX Visualizer Toggle

The integrated STIX visualizer can be fully disabled via config:
Expand Down Expand Up @@ -280,8 +290,8 @@ python3 scripts/extract-data.py # Parse CAPEC/CWE
- Just drop the files on a webserver, (optionally) set CSP headers and navigate to index.html.

### For local use (in a browser):
1. Set `CONFIG.ConfigIframeIPC.enableLocalIframeIPC` to `true` and open the `index.html` file in a web browser.
2. Upload the `resources/` directory as instructed to populate the framework database and use all application features.
1. Optionally set `CONFIG.ConfigIframeIPC.enableLocalIframeIPC` to `true` and open `index.html` in a browser.
2. When prompted in `file://` mode, select local `resources/*.json` files (or the full resources directory) to populate the framework dataset.

## Contributing & Reporting Issues

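Review bot: Changing step 1 from "Set ... to `true`" to "Optionally set" changes the meaning of the section: the bridge was presented as required and is now optional with a fallback, but the steps never say what is lost when it stays off. Say that step 2 is the fallback path taken when the bridge is disabled or unavailable (as the Offline Operation bullet earlier in the file states) and that `enableLocalIframeIPC` is off by default in `config.js`, so readers know which path they will hit.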
2 changes: 1 addition & 1 deletion config.js
Expand Up @@ -7,7 +7,7 @@

const CONFIG = {
// Application info
version: '2.9.0',
version: '2.9.2',
changelogUrl: 'CHANGELOG.md',

// Framework source files (for extraction scripts)