NUNA/.jules/sentinel.md

2026-02-03 06:17:08 +00:00
## 2025-02-12 - CSV Formula Injection
**Vulnerability:** Unsanitized CSV input converted to XLSX allowed Excel Formula Injection (e.g. `=cmd|' /C calc'!A0`).
**Learning:** `openpyxl` does not automatically sanitize strings starting with `=`, `+`, `-`, `@`. It writes them as cell values, which Excel interprets as formulas.
**Prevention:** Explicitly check for these prefixes and prepend `'` to force Excel to treat them as text.
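The prevention step as working code, added here as an example and not taken from the repository this note belongs to. It goes slightly beyond the note: besides `=`, `+`, `-` and `@` it also escapes a leading tab or carriage return, which spreadsheet applications treat as formula triggers as well, and it lets the caller name numeric columns so that values such as `-12.50` are written as numbers rather than escaped as text. The `numeric_columns` parameter and the sample CSV are assumptions made for the example.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula. The note lists = + - @; tab and carriage return are added here
# because Excel and LibreOffice honour them too (OWASP CSV injection guidance).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def sanitize_cell(value):
    """Return a value that a spreadsheet will display as literal text.

    Only strings are touched. An int/float written as a number cannot be a
    formula, and prefixing it would turn a legitimate negative number into text.
    """
    if isinstance(value, str) and value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def sanitize_row(fields, numeric_columns=()):
    """Sanitize one parsed CSV row.

    Columns listed in numeric_columns (0-based indices; an assumption about the
    caller's schema) are converted to float so that values such as "-12.50"
    stay numbers instead of being escaped as text. A value that does not parse
    as a number falls back to the string path and is escaped if needed.
    """
    out = []
    for idx, field in enumerate(fields):
        if idx in numeric_columns:
            try:
                out.append(float(field))
                continue
            except ValueError:
                pass
        out.append(sanitize_cell(field))
    return out


def sanitize_csv(text, numeric_columns=()):
    """Parse CSV text and return rows safe to pass to openpyxl's ws.append()."""
    reader = csv.reader(io.StringIO(text))
    return [sanitize_row(row, numeric_columns) for row in reader]


# Constructed sample input (not from the note): a header row plus two records,
# one of which carries a formula-looking value in the free-text column.
SAMPLE_CSV = (
    "name,balance,note\n"
    "alice,-12.50,ok\n"
    "bob,3,=1+1\n"
)

if __name__ == "__main__":
    for row in sanitize_csv(SAMPLE_CSV, numeric_columns={1}):
        print(row)
```

Run the sanitizer on every string before it reaches the worksheet: openpyxl types a string that begins with `=` as a formula cell, whereas `'=1+1` is stored as an ordinary string. Because the apostrophe is literal content in the file rather than a prefix typed into Excel's UI, it is visible in the cell; that is the accepted trade-off of this approach.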