@lhi/tdd-audit 1.1.0 → 1.1.2

package/README.md

@@ -34,6 +34,7 @@ node index.js
 | `--claude` | Use `.claude/` instead of `.agents/` as the skill directory |
 | `--with-hooks` | Install a pre-commit hook that blocks commits if security tests fail |
 | `--skip-scan` | Skip the automatic vulnerability scan on install |
+| `--scan-only` | Run the vulnerability scan without installing anything |
 
 **Install to a Claude Code project with pre-commit protection:**
 ```bash

package/index.js

@@ -9,14 +9,16 @@ const isLocal = args.includes('--local');
 const isClaude = args.includes('--claude');
 const withHooks = args.includes('--with-hooks');
 const skipScan = args.includes('--skip-scan');
+const scanOnly = args.includes('--scan-only');
 
 const agentBaseDir = isLocal ? process.cwd() : os.homedir();
 const agentDirName = isClaude ? '.claude' : '.agents';
 const projectDir = process.cwd();
 
 const targetSkillDir = path.join(agentBaseDir, agentDirName, 'skills', 'tdd-remediation');
-const targetWorkflowDir = path.join(agentBaseDir, agentDirName, 'workflows');
-const targetTestDir = path.join(projectDir, '__tests__', 'security');
+const targetWorkflowDir = isClaude
+  ? path.join(agentBaseDir, agentDirName, 'commands')
+  : path.join(agentBaseDir, agentDirName, 'workflows');
 
 // ─── 1. Framework Detection ──────────────────────────────────────────────────
 
@@ -43,7 +45,24 @@ function detectFramework() {
 
 const framework = detectFramework();
 
-// ─── 2. Quick Scan ───────────────────────────────────────────────────────────
+// ─── 2. Test Directory Detection ─────────────────────────────────────────────
+
+function detectTestBaseDir() {
+  // Respect an existing convention before inventing one
+  const candidates = ['__tests__', 'tests', 'test', 'spec'];
+  for (const dir of candidates) {
+    if (fs.existsSync(path.join(projectDir, dir))) return dir;
+  }
+  // Framework-informed defaults when no directory exists yet
+  if (framework === 'pytest') return 'tests';
+  if (framework === 'go') return 'test';
+  return '__tests__';
+}
+
+const testBaseDir = detectTestBaseDir();
+const targetTestDir = path.join(projectDir, testBaseDir, 'security');
+
+// ─── 3. Quick Scan ───────────────────────────────────────────────────────────
 
 const VULN_PATTERNS = [
   { name: 'SQL Injection',     severity: 'CRITICAL', pattern: /(`SELECT[^`]*\$\{|"SELECT[^"]*"\s*\+|execute\(f"|cursor\.execute\(.*%s|\.query\(`[^`]*\$\{)/i },
@@ -111,9 +130,19 @@ function printFindings(findings) {
   console.log('\n   Run /tdd-audit in your agent to remediate.\n');
 }
 
-// ─── 3. Install Skill Files ───────────────────────────────────────────────────
+// ─── 4. Scan-only early exit ──────────────────────────────────────────────────
+
+if (scanOnly) {
+  process.stdout.write('\n🔍 Scanning for vulnerability patterns...');
+  const findings = quickScan();
+  process.stdout.write('\n');
+  printFindings(findings);
+  process.exit(0);
+}
+
+// ─── 5. Install Skill Files ───────────────────────────────────────────────────
 
-console.log(`\nInstalling TDD Remediation Skill (${isLocal ? 'local' : 'global'}, framework: ${framework})...\n`);
+console.log(`\nInstalling TDD Remediation Skill (${isLocal ? 'local' : 'global'}, framework: ${framework}, test dir: ${testBaseDir}/)...\n`);
 
 if (!fs.existsSync(targetSkillDir)) fs.mkdirSync(targetSkillDir, { recursive: true });
 
@@ -123,7 +152,7 @@ for (const item of ['SKILL.md', 'prompts', 'templates']) {
   if (fs.existsSync(src)) fs.cpSync(src, dest, { recursive: true });
 }
 
-// ─── 4. Scaffold Security Test Boilerplate ────────────────────────────────────
+// ─── 5. Scaffold Security Test Boilerplate ────────────────────────────────────
 
 if (!fs.existsSync(targetTestDir)) {
   fs.mkdirSync(targetTestDir, { recursive: true });
@@ -147,7 +176,7 @@ if (!fs.existsSync(destTest) && fs.existsSync(srcTest)) {
   console.log(`✅ Scaffolded ${path.relative(projectDir, destTest)}`);
 }
 
-// ─── 5. Install Workflow Shortcode ────────────────────────────────────────────
+// ─── 6. Install Workflow Shortcode ────────────────────────────────────────────
 
 if (!fs.existsSync(targetWorkflowDir)) fs.mkdirSync(targetWorkflowDir, { recursive: true });
 const srcWorkflow = path.join(__dirname, 'workflows', 'tdd-audit.md');
@@ -157,7 +186,7 @@ if (fs.existsSync(srcWorkflow)) {
   console.log(`✅ Installed /tdd-audit workflow shortcode`);
 }
 
-// ─── 6. Inject test:security into package.json ────────────────────────────────
+// ─── 7. Inject test:security into package.json ────────────────────────────────
 
 const pkgPath = path.join(projectDir, 'package.json');
 if (framework !== 'pytest' && framework !== 'go' && fs.existsSync(pkgPath)) {
@@ -165,11 +194,12 @@ if (framework !== 'pytest' && framework !== 'go' && fs.existsSync(pkgPath)) {
     const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
     if (!pkg.scripts?.['test:security']) {
       pkg.scripts = pkg.scripts || {};
+      const secDir = `${testBaseDir}/security`;
       pkg.scripts['test:security'] = {
-        jest:   'jest --testPathPattern=__tests__/security --forceExit',
-        vitest: 'vitest run __tests__/security',
-        mocha:  "mocha '__tests__/security/**/*.spec.js'",
-      }[framework] || 'jest --testPathPattern=__tests__/security --forceExit';
+        jest:   `jest --testPathPattern=${secDir} --forceExit`,
+        vitest: `vitest run ${secDir}`,
+        mocha:  `mocha '${secDir}/**/*.spec.js'`,
+      }[framework] || `jest --testPathPattern=${secDir} --forceExit`;
       fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + '\n');
       console.log(`✅ Added "test:security" script to package.json`);
     } else {
@@ -180,7 +210,7 @@ if (framework !== 'pytest' && framework !== 'go' && fs.existsSync(pkgPath)) {
   }
 }
 
-// ─── 7. Scaffold CI Workflow ─────────────────────────────────────────────────
+// ─── 8. Scaffold CI Workflow ─────────────────────────────────────────────────
 
 const ciWorkflowDir = path.join(projectDir, '.github', 'workflows');
 const ciWorkflowPath = path.join(ciWorkflowDir, 'security-tests.yml');
@@ -203,7 +233,7 @@ if (!fs.existsSync(ciWorkflowPath)) {
   console.log(`   .github/workflows/security-tests.yml already exists — skipped`);
 }
 
-// ─── 8. Pre-commit Hook (opt-in) ─────────────────────────────────────────────
+// ─── 9. Pre-commit Hook (opt-in) ─────────────────────────────────────────────
 
 if (withHooks) {
   const gitDir = path.join(projectDir, '.git');
@@ -241,7 +271,7 @@ if (withHooks) {
   }
 }
 
-// ─── 9. Quick Scan ───────────────────────────────────────────────────────────
+// ─── 10. Quick Scan ──────────────────────────────────────────────────────────
 
 if (!skipScan) {
   process.stdout.write('\n🔍 Scanning for vulnerability patterns...');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lhi/tdd-audit",
-  "version": "1.1.0",
+  "version": "1.1.2",
   "description": "Anti-Gravity Skill for TDD Remediation. Patches security vulnerabilities using a Red-Green-Refactor protocol with automated exploit tests.",
   "main": "index.js",
   "bin": {

package/prompts/auto-audit.md

@@ -101,7 +101,7 @@ Ask the user to confirm the list before beginning remediation. If they say "fix
 
 For **each** confirmed vulnerability, rigorously apply the RED-GREEN-REFACTOR protocol in order:
 
-1. **[RED](./red-phase.md)**: Write the exploit test in `__tests__/security/` and run it to prove the vulnerability exists (test must fail).
+1. **[RED](./red-phase.md)**: Write the exploit test in the project's security test directory (e.g., `tests/security/`, `__tests__/security/`, `test/security/` — wherever the installer scaffolded the boilerplate) and run it to prove the vulnerability exists (test must fail).
 2. **[GREEN](./green-phase.md)**: Apply the targeted patch. Run the exploit test — it must now pass.
 3. **[REFACTOR](./refactor-phase.md)**: Run the full test suite. All tests must be green before moving on.