
Docs: list remaining bypass gaps as known limitations (#203)#219

Merged
twschiller merged 1 commit into main from docs/known-limitations-203 on Jun 7, 2026

Conversation

@twschiller
Contributor

Summary

  • Audits the #203 red-team checklist ("Audit: rule-bypass findings (red-team pass)") against merged fixes and surfaces the four items that won't be closed in code as documented limitations.
  • Rule-specific gaps are collocated with their rules; cross-cutting extension-presence note lives under Coverage scope.
  • Phrasing stays abstract per repo convention — no injection examples, no roadmap language.

Gaps documented

  • Coverage scope — extension presence is observable. Sites that fingerprint ABS artifacts (placeholders, landmarks, chips, neutralized labels) can cloak content; counter-cloaking from a content script is out of scope. (Audit #17.)
  • prompt-injection-redact — closed pattern bundle. Catalog is finite; novel framings pass through. Limitation propagates to the five rules sharing the bundle (meta-injection-strip, attribute-injection-sanitize, json-ld-sanitize, html-comment-strip, svg-text-strip). (Audit #8.)
  • countdown-timer-redact — reset-on-tick and canvas timers. Snapshot-and-confirm needs a parseable text representation whose value strictly decreases. (Audit #20.)
  • confirmshame-sanitize — English-only, text-only. Phrase set ships in English; icon-only buttons with no accessible name are out of scope. (Audit #22.)

Items #1–#7, #9–#16, #18, #19, #21 are already closed by merged PRs.

Test plan

  • CI: Pre-commit hooks (mdformat / markdown lint) pass.
  • Spot-check rendered output on the Starlight site — new paragraphs render under Coverage scope and under the three rule subsections.

🤖 Generated with Claude Code

Add limitation language for the four items from the red-team audit that
aren't being closed by code fixes: closed prompt-injection pattern set,
extension-fingerprint cloaking, countdown reset/canvas timers, and
English-only / text-only confirmshame coverage. Rule-specific gaps are
collocated with the rule that owns them; the cross-cutting extension-
presence note lives under Coverage scope.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
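The countdown-timer-redact gap listed above, as an added illustration that is not part of this PR or the project's own code: a snapshot-and-confirm check run over tick-by-tick text snapshots of a timer element. Function names, the parser's accepted formats and the sample strings are assumptions made for the example; it redacts only a parseable value that strictly decreases, so the reset-on-tick and canvas cases named in the gaps list fall through to "pass".

```javascript
// Added example (not the project's code). Names and samples are constructed.

// Parse "HH:MM:SS", "MM:SS" or "<n> seconds" into total seconds; null if not parseable.
function parseCountdownSeconds(text) {
  const t = text.trim();
  let m = t.match(/^(?:(\d{1,2}):)?(\d{1,2}):(\d{2})$/);
  if (m) {
    const [, h = '0', mi, s] = m;
    return Number(h) * 3600 + Number(mi) * 60 + Number(s);
  }
  m = t.match(/^(\d+)\s*(?:seconds?|secs?|s)$/i);
  return m ? Number(m[1]) : null;
}

// Snapshot-and-confirm: redact only when every snapshot parses and the value
// strictly decreases between consecutive ticks. Anything else passes through,
// which is exactly the fail-open behaviour the known-limitations entry records.
function confirmCountdown(snapshots) {
  if (snapshots.length < 2) return { redact: false, reason: 'not enough snapshots' };
  const values = snapshots.map(parseCountdownSeconds);
  if (values.some((v) => v === null)) return { redact: false, reason: 'unparseable text' };
  for (let i = 1; i < values.length; i++) {
    if (values[i] >= values[i - 1]) {
      return { redact: false, reason: `no strict decrease at tick ${i}` };
    }
  }
  return { redact: true, reason: 'strictly decreasing' };
}

// Constructed text snapshots, one per tick, for four timer behaviours.
const SAMPLES = {
  genuine: ['00:59', '00:58', '00:57'],               // redacted
  wordy: ['12 seconds', '11 seconds', '10 seconds'],  // redacted
  resetOnTick: ['00:10', '00:09', '00:10'],           // documented gap: passes
  canvasTimer: ['', '', ''],                          // documented gap: no text to parse
};

for (const [name, ticks] of Object.entries(SAMPLES)) {
  console.log(name, confirmCountdown(ticks));
}
```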
@vercel

vercel Bot commented Jun 7, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| agent-browser-shield-demo-site | Ready | Preview, Comment | Jun 7, 2026 10:11pm |


@twschiller twschiller merged commit 5157948 into main Jun 7, 2026
7 checks passed
@twschiller twschiller deleted the docs/known-limitations-203 branch June 7, 2026 22:13