NeuroGuard: AI-Native Code Security Using Gemma 4's Glass-Box Thinking Mode

DEV Community·Tyler H·20 days ago

Submitted to the Build With Gemma 4 track of the Dev.to Google Gemma 4 Challenge.

TL;DR: I built neuroguard — a CLI that uses Gemma 4's ThinkingConfig(include_thoughts=True) API to stream the model's full cognitive trace in a split-pane terminal UI while it finds security vulnerabilities and produces a SAST-verified secure rewrite.

Install: pip install neuroguard-ai
Full source: github.com/tyy130/neuroguard-ai

The Problem I Kept Running Into

Studies find the majority of AI-generated applications ship to production with OWASP Top 10 vulnerabilities. I've seen it firsthand. The worst cases aren't SQL injections from typos — they're hallucinated bypasses: an AI agent removes authentication middleware to resolve a compilation error, silently stripping the application of its entire security layer. The frustrating thing is that a human reviewer wouldn't make this mistake, because they'd reason about what the code does before deleting it.…
