@lhi/tdd-audit 1.1.2 → 1.2.0

package/SKILL.md

@@ -9,7 +9,12 @@ Applying Test-Driven Development (TDD) to code that has already been generated r
 
 ## Autonomous Audit Mode
 If the user asks you to "Run the TDD Remediation Auto-Audit" or asks you to implement this on your own:
-1. **Explore**: Proactively use `Glob`, `Grep`, and `Read` to scan the repository. Focus on `controllers/`, `routes/`, `api/`, `middleware/`, and database files. Search for anti-patterns: unparameterized SQL queries, missing ownership checks, unsafe HTML rendering, and command injection sinks. Full search patterns are in [auto-audit.md](./prompts/auto-audit.md).
+1. **Explore**: Proactively use `Glob`, `Grep`, and `Read` to scan the repository. Focus on:
+   - **Backend/API**: `controllers/`, `routes/`, `api/`, `handlers/`, `middleware/`, `services/`, `models/`
+   - **React / Next.js**: `pages/api/`, `app/api/`, `components/`, `hooks/`, `context/`, `store/`
+   - **React Native / Expo**: `screens/`, `navigation/`, `app/`, `app.json`, `app.config.js`
+   - **Flutter / Dart**: `lib/screens/`, `lib/services/`, `lib/api/`, `lib/repositories/`, `pubspec.yaml`
+   Search for anti-patterns: unparameterized SQL queries, missing ownership checks, unsafe HTML rendering, command injection sinks, sensitive data in storage, TLS bypasses, hardcoded secrets. Full search patterns are in [auto-audit.md](./prompts/auto-audit.md).
 2. **Plan**: Present a structured list of vulnerabilities (grouped by severity: CRITICAL / HIGH / MEDIUM / LOW) and get confirmation before making any changes.
 3. **Self-Implement**: For *each* confirmed vulnerability, autonomously execute the complete 3-phase protocol:
    - **[Phase 1 (Red)](./prompts/red-phase.md)**: Write the exploit test ensuring it fails.

package/index.js

@@ -23,6 +23,9 @@ const targetWorkflowDir = isClaude
 // ─── 1. Framework Detection ──────────────────────────────────────────────────
 
 function detectFramework() {
+  // Flutter / Dart — check before package.json since a Flutter project may have both
+  if (fs.existsSync(path.join(projectDir, 'pubspec.yaml'))) return 'flutter';
+
   const pkgPath = path.join(projectDir, 'package.json');
   if (fs.existsSync(pkgPath)) {
     try {
@@ -43,6 +46,25 @@ function detectFramework() {
   return 'jest';
 }
 
+// Detect the UI framework for richer scan context (React, Next.js, RN, Expo, Flutter)
+function detectAppFramework() {
+  if (fs.existsSync(path.join(projectDir, 'pubspec.yaml'))) return 'flutter';
+  const pkgPath = path.join(projectDir, 'package.json');
+  if (fs.existsSync(pkgPath)) {
+    try {
+      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+      const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
+      if (deps.expo) return 'expo';
+      if (deps['react-native']) return 'react-native';
+      if (deps.next) return 'nextjs';
+      if (deps.react) return 'react';
+    } catch {}
+  }
+  return null;
+}
+
+const appFramework = detectAppFramework();
+
 const framework = detectFramework();
 
 // ─── 2. Test Directory Detection ─────────────────────────────────────────────
@@ -71,10 +93,19 @@ const VULN_PATTERNS = [
   { name: 'XSS',               severity: 'HIGH',     pattern: /[^/]innerHTML\s*=(?!=)|dangerouslySetInnerHTML\s*=\s*\{\{|document\.write\s*\(|res\.send\s*\(`[^`]*\$\{req\./i },
   { name: 'Path Traversal',    severity: 'HIGH',     pattern: /(readFile|sendFile|createReadStream|open)\s*\(.*req\.(params|body|query)|path\.join\s*\([^)]*req\.(params|body|query)/i },
   { name: 'Broken Auth',       severity: 'HIGH',     pattern: /jwt\.decode\s*\((?![^;]*\.verify)|verify\s*:\s*false|secret\s*=\s*['"][a-z0-9]{1,20}['"]/i },
+  // Vibecoding / mobile stacks
+  { name: 'Sensitive Storage', severity: 'HIGH',     pattern: /(localStorage|AsyncStorage)\.setItem\s*\(\s*['"](token|password|secret|auth|jwt|api.?key)['"]/i },
+  { name: 'TLS Bypass',        severity: 'CRITICAL', pattern: /badCertificateCallback[^;]*=\s*true|rejectUnauthorized\s*:\s*false|NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]?0/i },
+  { name: 'Hardcoded Secret',  severity: 'CRITICAL', skipInTests: true,  pattern: /(?:const|final|var|let|static)\s+(?:API_KEY|PRIVATE_KEY|SECRET_KEY|ACCESS_TOKEN|CLIENT_SECRET)\s*=\s*['"][A-Za-z0-9+/=_\-]{20,}['"]/i },
+  { name: 'eval() Injection',  severity: 'HIGH',     pattern: /\beval\s*\([^)]*(?:route\.params|searchParams\.get|req\.(query|body)|params\[)/i },
+  // Common vibecoding anti-patterns
+  { name: 'Insecure Random',   severity: 'HIGH',     pattern: /(?:token|sessionId|nonce|secret|csrf)\w*\s*=.*Math\.random\(\)|Math\.random\(\).*(?:token|session|nonce|secret)/i },
+  { name: 'Sensitive Log',     severity: 'MEDIUM',   skipInTests: true,  pattern: /console\.(log|info|debug)\([^)]*(?:token|password|secret|jwt|authorization|apiKey|api_key)/i },
+  { name: 'Secret Fallback',   severity: 'HIGH',     pattern: /process\.env\.\w+\s*\|\|\s*['"][A-Za-z0-9+/=_\-]{10,}['"]/i },
 ];
 
-const SCAN_EXTENSIONS = new Set(['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.go']);
-const SKIP_DIRS = new Set(['node_modules', '.git', 'dist', 'build', '.next', 'out', '__pycache__', 'venv', '.venv', 'vendor']);
+const SCAN_EXTENSIONS = new Set(['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.go', '.dart']);
+const SKIP_DIRS = new Set(['node_modules', '.git', 'dist', 'build', '.next', 'out', '__pycache__', 'venv', '.venv', 'vendor', '.expo', '.dart_tool', '.pub-cache']);
 
 function* walkFiles(dir) {
   let entries;
@@ -87,9 +118,43 @@ function* walkFiles(dir) {
   }
 }
 
+// Returns true for test/spec files — used to down-weight false-positive-prone patterns
+function isTestFile(filePath) {
+  const rel = path.relative(projectDir, filePath).replace(/\\/g, '/');
+  return /[._-]test\.[a-z]+$|[._-]spec\.[a-z]+$|_test\.dart$|\/tests?\/|\/spec\/|\/test_/.test(rel);
+}
+
+// Scan app.json / app.config.* for embedded secrets (common Expo vibecoding issue)
+function scanAppConfig() {
+  const findings = [];
+  const configCandidates = ['app.json', 'app.config.js', 'app.config.ts'];
+  const secretPattern = /['"]?(?:apiKey|api_key|secret|privateKey|accessToken|clientSecret)['"]?\s*[:=]\s*['"][A-Za-z0-9+/=_\-]{20,}['"]/i;
+
+  for (const name of configCandidates) {
+    const filePath = path.join(projectDir, name);
+    if (!fs.existsSync(filePath)) continue;
+    let lines;
+    try { lines = fs.readFileSync(filePath, 'utf8').split('\n'); } catch { continue; }
+    for (let i = 0; i < lines.length; i++) {
+      if (secretPattern.test(lines[i])) {
+        findings.push({
+          severity: 'CRITICAL',
+          name: 'Config Secret',
+          file: name,
+          line: i + 1,
+          snippet: lines[i].trim().slice(0, 80),
+          inTestFile: false,
+        });
+      }
+    }
+  }
+  return findings;
+}
+
 function quickScan() {
   const findings = [];
   for (const filePath of walkFiles(projectDir)) {
+    const inTest = isTestFile(filePath);
     let lines;
     try { lines = fs.readFileSync(filePath, 'utf8').split('\n'); } catch { continue; }
     for (let i = 0; i < lines.length; i++) {
@@ -101,13 +166,15 @@ function quickScan() {
             file: path.relative(projectDir, filePath),
             line: i + 1,
             snippet: lines[i].trim().slice(0, 80),
+            inTestFile: inTest,
+            likelyFalsePositive: inTest && !!vuln.skipInTests,
           });
           break; // one finding per line
         }
       }
     }
   }
-  return findings;
+  return [...findings, ...scanAppConfig()];
 }
 
 function printFindings(findings) {
@@ -115,18 +182,30 @@ function printFindings(findings) {
     console.log('   ✅ No obvious vulnerability patterns detected.\n');
     return;
   }
+  const real = findings.filter(f => !f.likelyFalsePositive);
+  const noisy = findings.filter(f => f.likelyFalsePositive);
+
   const bySeverity = { CRITICAL: [], HIGH: [], MEDIUM: [], LOW: [] };
-  for (const f of findings) (bySeverity[f.severity] || bySeverity.LOW).push(f);
+  for (const f of real) (bySeverity[f.severity] || bySeverity.LOW).push(f);
   const icons = { CRITICAL: '🔴', HIGH: '🟠', MEDIUM: '🟡', LOW: '🔵' };
 
-  console.log(`\n   Found ${findings.length} potential issue(s):\n`);
+  console.log(`\n   Found ${real.length} potential issue(s)${noisy.length ? ` (+${noisy.length} in test files — see below)` : ''}:\n`);
   for (const [sev, list] of Object.entries(bySeverity)) {
     if (!list.length) continue;
     for (const f of list) {
-      console.log(`   ${icons[sev]} [${sev}] ${f.name} — ${f.file}:${f.line}`);
+      const testBadge = f.inTestFile ? ' [test file]' : '';
+      console.log(`   ${icons[sev]} [${sev}] ${f.name} — ${f.file}:${f.line}${testBadge}`);
       console.log(`         ${f.snippet}`);
     }
   }
+
+  if (noisy.length) {
+    console.log('\n   ⚪ Likely intentional (in test files — verify manually):');
+    for (const f of noisy) {
+      console.log(`      ${f.name} — ${f.file}:${f.line}`);
+    }
+  }
+
   console.log('\n   Run /tdd-audit in your agent to remediate.\n');
 }
 
@@ -142,7 +221,8 @@ if (scanOnly) {
 
 // ─── 5. Install Skill Files ───────────────────────────────────────────────────
 
-console.log(`\nInstalling TDD Remediation Skill (${isLocal ? 'local' : 'global'}, framework: ${framework}, test dir: ${testBaseDir}/)...\n`);
+const appLabel = appFramework ? `, app: ${appFramework}` : '';
+console.log(`\nInstalling TDD Remediation Skill (${isLocal ? 'local' : 'global'}, framework: ${framework}${appLabel}, test dir: ${testBaseDir}/)...\n`);
 
 if (!fs.existsSync(targetSkillDir)) fs.mkdirSync(targetSkillDir, { recursive: true });
 
@@ -160,11 +240,12 @@ if (!fs.existsSync(targetTestDir)) {
 }
 
 const testTemplateMap = {
-  jest:   'sample.exploit.test.js',
-  vitest: 'sample.exploit.test.vitest.js',
-  mocha:  'sample.exploit.test.js',
-  pytest: 'sample.exploit.test.pytest.py',
-  go:     'sample.exploit.test.go',
+  jest:    'sample.exploit.test.js',
+  vitest:  'sample.exploit.test.vitest.js',
+  mocha:   'sample.exploit.test.js',
+  pytest:  'sample.exploit.test.pytest.py',
+  go:      'sample.exploit.test.go',
+  flutter: 'sample.exploit.test.dart',
 };
 
 const testTemplateName = testTemplateMap[framework];
@@ -217,11 +298,12 @@ const ciWorkflowPath = path.join(ciWorkflowDir, 'security-tests.yml');
 
 if (!fs.existsSync(ciWorkflowPath)) {
   const ciTemplateMap = {
-    jest:   'security-tests.node.yml',
-    vitest: 'security-tests.node.yml',
-    mocha:  'security-tests.node.yml',
-    pytest: 'security-tests.python.yml',
-    go:     'security-tests.go.yml',
+    jest:    'security-tests.node.yml',
+    vitest:  'security-tests.node.yml',
+    mocha:   'security-tests.node.yml',
+    pytest:  'security-tests.python.yml',
+    go:      'security-tests.go.yml',
+    flutter: 'security-tests.flutter.yml',
   };
   const ciTemplatePath = path.join(__dirname, 'templates', 'workflows', ciTemplateMap[framework]);
   if (fs.existsSync(ciTemplatePath)) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lhi/tdd-audit",
-  "version": "1.1.2",
+  "version": "1.2.0",
   "description": "Anti-Gravity Skill for TDD Remediation. Patches security vulnerabilities using a Red-Green-Refactor protocol with automated exploit tests.",
   "main": "index.js",
   "bin": {
@@ -31,7 +31,14 @@
     "audit",
     "claude",
     "ai-agent",
-    "skill"
+    "skill",
+    "react",
+    "nextjs",
+    "react-native",
+    "expo",
+    "flutter",
+    "mobile-security",
+    "vibecoding"
   ],
   "engines": {
     "node": ">=16.7.0"

package/prompts/auto-audit.md

@@ -6,11 +6,29 @@ When invoked in Auto-Audit mode, proactively secure the user's entire repository
 
 ### 0a. Explore the Architecture
 Use `Glob` and `Read` to understand the project structure. Focus on:
+
+**Backend / API**
 - `controllers/`, `routes/`, `api/`, `handlers/` — request entry points
 - `services/`, `models/`, `db/`, `repositories/` — data access
 - `middleware/`, `utils/`, `helpers/`, `lib/` — shared utilities
 - Config files: `*.env`, `config.js`, `settings.py` — secrets and security settings
 
+**React / Next.js**
+- `pages/api/`, `app/api/` — Next.js API routes (check for missing auth)
+- `components/`, `app/`, `pages/` — UI components (check for `dangerouslySetInnerHTML`, `eval`)
+- `hooks/`, `context/`, `store/` — state management (check for sensitive data leakage)
+
+**React Native / Expo**
+- `screens/`, `navigation/`, `app/` — screen components (check `route.params` usage)
+- `services/`, `api/`, `utils/` — API calls (check TLS config, token storage)
+- `app.json`, `app.config.js` — Expo config (check for embedded keys)
+
+**Flutter / Dart**
+- `lib/screens/`, `lib/pages/`, `lib/views/` — UI layer
+- `lib/services/`, `lib/api/`, `lib/repositories/` — data layer (check HTTP client config)
+- `lib/utils/`, `lib/helpers/` — shared utilities
+- `pubspec.yaml` — dependency audit
+
 ### 0b. Search for Anti-Patterns
 Use `Grep` with the following patterns to surface candidates. Read the matched files to confirm before reporting.
 
@@ -71,6 +89,51 @@ router\.(post|put|delete)  # mutation routes (check for rate-limit middleware)
 app\.post\(           # POST handlers (check for rate-limit middleware)
 ```
 
+**Sensitive Storage (React / React Native / Expo)**
+```
+AsyncStorage\.setItem.*token    # token stored in unencrypted AsyncStorage
+localStorage\.setItem.*token    # token stored in localStorage (XSS-accessible)
+AsyncStorage\.setItem.*password # password stored in plain AsyncStorage
+SecureStore vs AsyncStorage     # confirm sensitive values use expo-secure-store
+```
+
+**TLS / Certificate Bypass**
+```
+rejectUnauthorized.*false       # Node.js TLS verification disabled
+badCertificateCallback.*true    # Dart/Flutter TLS bypass
+NODE_TLS_REJECT_UNAUTHORIZED=0  # env-level TLS disable
+```
+
+**Hardcoded Secrets (vibecoded apps)**
+```
+API_KEY\s*=\s*['"][A-Za-z0-9]{20,}   # hardcoded API key in source
+PRIVATE_KEY\s*=\s*['"]               # private key in source
+SECRET_KEY\s*=\s*['"]                # secret embedded in code
+process\.env\.\w+\s*\|\|\s*['"]      # env var with hardcoded fallback
+```
+
+**Next.js API Route Auth**
+```
+export.*async.*handler             # Next.js API route — check for missing auth guard
+export default.*req.*res           # pages/api handler — verify authentication
+getServerSideProps.*params         # SSR with params — check for injection
+```
+
+**React Native / Expo Navigation Injection**
+```
+route\.params\.\w+.*query          # route param passed to DB/API query
+route\.params\.\w+.*fetch          # route param used in fetch URL
+navigation\.navigate.*params       # user-controlled navigation params
+```
+
+**Flutter / Dart**
+```
+http\.get\(                         # raw http call — check for TLS config
+http\.post\(                        # raw http call — check for TLS config
+SharedPreferences.*setString.*token # token in unencrypted SharedPreferences
+Platform\.environment\[            # env access in Flutter — check for secrets
+```
+
 ### 0c. Present Findings
 Before touching any code, output a structured **Audit Report** with this format:
 

package/prompts/green-phase.md

@@ -208,3 +208,167 @@ function requireAuth(req, res, next) {
   }
 }
 ```
+
+---
+
+### React: XSS via dangerouslySetInnerHTML
+
+**Root cause:** User-generated content is passed directly to `dangerouslySetInnerHTML` without sanitization.
+
+**Fix:** Sanitize with DOMPurify before rendering. Never pass raw user input to `dangerouslySetInnerHTML`.
+
+```tsx
+// BEFORE (vulnerable)
+<div dangerouslySetInnerHTML={{ __html: userContent }} />
+
+// AFTER
+import DOMPurify from 'dompurify';
+
+const clean = DOMPurify.sanitize(userContent, {
+  ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'a'],
+  ALLOWED_ATTR: ['href'],
+});
+<div dangerouslySetInnerHTML={{ __html: clean }} />
+```
+
+**Install:** `npm install dompurify @types/dompurify`
+For SSR (Next.js): `npm install isomorphic-dompurify` instead.
+
+---
+
+### Next.js: Missing Auth on API Routes
+
+**Root cause:** API route handlers in `pages/api/` or `app/api/` are publicly accessible with no authentication check.
+
+**Fix — Option A (per-route wrapper):**
+```typescript
+// lib/withAuth.ts
+import jwt from 'jsonwebtoken';
+import type { NextApiHandler, NextApiRequest, NextApiResponse } from 'next';
+
+export function withAuth(handler: NextApiHandler): NextApiHandler {
+  return async (req: NextApiRequest, res: NextApiResponse) => {
+    const token = req.headers.authorization?.split(' ')[1];
+    if (!token) return res.status(401).json({ error: 'Unauthorized' });
+    try {
+      (req as any).user = jwt.verify(token, process.env.JWT_SECRET!);
+      return handler(req, res);
+    } catch {
+      return res.status(401).json({ error: 'Invalid token' });
+    }
+  };
+}
+
+// pages/api/user.ts
+import { withAuth } from '../../lib/withAuth';
+export default withAuth((req, res) => res.json({ user: (req as any).user }));
+```
+
+**Fix — Option B (global middleware, preferred for App Router):**
+```typescript
+// middleware.ts (root of project — protects all /api routes)
+import { NextResponse, type NextRequest } from 'next/server';
+import { jwtVerify } from 'jose';
+
+export async function middleware(request: NextRequest) {
+  const token = request.headers.get('authorization')?.split(' ')[1];
+  if (!token) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  try {
+    await jwtVerify(token, new TextEncoder().encode(process.env.JWT_SECRET!));
+    return NextResponse.next();
+  } catch {
+    return NextResponse.json({ error: 'Invalid token' }, { status: 401 });
+  }
+}
+
+export const config = { matcher: '/api/:path*' };
+```
+
+---
+
+### React Native / Expo: Sensitive Storage Migration
+
+**Root cause:** Auth tokens stored in `AsyncStorage` are unencrypted and readable on rooted/jailbroken devices.
+
+**Fix:** Replace with `expo-secure-store`, which uses iOS Keychain and Android EncryptedSharedPreferences.
+
+```javascript
+// BEFORE (vulnerable)
+import AsyncStorage from '@react-native-async-storage/async-storage';
+await AsyncStorage.setItem('token', userToken);
+const token = await AsyncStorage.getItem('token');
+
+// AFTER
+import * as SecureStore from 'expo-secure-store';
+await SecureStore.setItemAsync('token', userToken);
+const token = await SecureStore.getItemAsync('token');
+// On logout:
+await SecureStore.deleteItemAsync('token');
+```
+
+**Install:** `npx expo install expo-secure-store`
+**Note:** `SecureStore` is device-bound and not available in Expo Go web preview — check `SecureStore.isAvailableAsync()` for web fallbacks.
+
+---
+
+### Flutter: Sensitive Storage Migration
+
+**Root cause:** Auth tokens stored in `SharedPreferences` are plain text in app storage — readable on rooted/jailbroken devices.
+
+**Fix:** Replace with `flutter_secure_storage`, which uses iOS Keychain and Android EncryptedSharedPreferences.
+
+```dart
+// BEFORE (vulnerable)
+final prefs = await SharedPreferences.getInstance();
+await prefs.setString('token', userToken);
+final token = prefs.getString('token');
+
+// AFTER
+import 'package:flutter_secure_storage/flutter_secure_storage.dart';
+
+const _storage = FlutterSecureStorage();
+await _storage.write(key: 'token', value: userToken);
+final token = await _storage.read(key: 'token');
+// On logout:
+await _storage.delete(key: 'token');
+```
+
+**pubspec.yaml:**
+```yaml
+dependencies:
+  flutter_secure_storage: ^9.0.0
+```
+
+---
+
+### TLS Bypass Fix (Node.js + Flutter/Dart)
+
+**Root cause:** TLS certificate verification is explicitly disabled, allowing man-in-the-middle attacks.
+
+**Fix:** Remove the bypass entirely. For internal CAs, provide the cert — don't disable verification.
+
+```javascript
+// BEFORE (vulnerable — Node.js)
+const https = require('https');
+const agent = new https.Agent({ rejectUnauthorized: false }); // ❌
+
+// AFTER — remove the override; default is rejectUnauthorized: true ✅
+const agent = new https.Agent();
+
+// For internal/self-signed CAs in staging environments:
+// NODE_EXTRA_CA_CERTS=/path/to/internal-ca.crt node server.js
+```
+
+```dart
+// BEFORE (vulnerable — Flutter/Dart)
+final client = HttpClient()
+  ..badCertificateCallback = (cert, host, port) => true; // ❌
+
+// AFTER — remove the callback (default validates certs) ✅
+final client = HttpClient();
+
+// For a private CA in integration tests only:
+final context = SecurityContext()
+  ..setTrustedCertificates('test/certs/ca.crt');
+final client = HttpClient(context: context);
+```

package/prompts/red-phase.md

@@ -120,3 +120,73 @@ def test_vuln_type_exploit(client, attacker_token):
     )
     assert response.status_code == 403  # currently 200 — RED
 ```
+
+### React / Next.js (Vitest + Testing Library)
+```typescript
+// Sensitive storage: token must NOT land in localStorage
+import { render, fireEvent, waitFor } from '@testing-library/react';
+import LoginForm from '../../components/LoginForm';
+
+test('SHOULD NOT store auth token in localStorage', async () => {
+  render(<LoginForm />);
+  fireEvent.submit(screen.getByRole('form'));
+  await waitFor(() => {
+    expect(localStorage.getItem('token')).toBeNull(); // currently set — RED
+  });
+});
+
+// XSS: dangerouslySetInnerHTML must not accept unsanitized input
+test('SHOULD sanitize user content before rendering', () => {
+  const xssPayload = '<script>alert(1)</script>';
+  const { container } = render(<CommentBody content={xssPayload} />);
+  expect(container.innerHTML).not.toContain('<script>'); // currently reflected — RED
+});
+```
+
+### React Native / Expo (Jest)
+```javascript
+// Route param injection: params must be validated before API use
+import { renderRouter, screen } from 'expo-router/testing-library';
+
+test('SHOULD NOT pass raw route params to API query', async () => {
+  const maliciousParam = "1 UNION SELECT * FROM users";
+  // Render the screen with a crafted route param
+  renderRouter({ initialUrl: `/item/${encodeURIComponent(maliciousParam)}` });
+  // Assert the API was NOT called with the raw param
+  expect(mockApiClient.getItem).not.toHaveBeenCalledWith(maliciousParam); // currently called — RED
+});
+
+// Sensitive storage: tokens must use SecureStore, not AsyncStorage
+import AsyncStorage from '@react-native-async-storage/async-storage';
+
+test('SHOULD NOT store token in plain AsyncStorage', async () => {
+  await simulateLogin({ username: 'user', password: 'pass' });
+  const stored = await AsyncStorage.getItem('token');
+  expect(stored).toBeNull(); // currently stored in plain AsyncStorage — RED
+});
+```
+
+### Flutter / Dart (flutter_test)
+```dart
+import 'package:flutter_test/flutter_test.dart';
+import 'package:shared_preferences/shared_preferences.dart';
+
+void main() {
+  // Sensitive storage: token must NOT be in unencrypted SharedPreferences
+  test('SHOULD NOT store auth token in SharedPreferences', () async {
+    SharedPreferences.setMockInitialValues({});
+    await simulateLogin(username: 'user', password: 'password');
+    final prefs = await SharedPreferences.getInstance();
+    expect(prefs.getString('token'), isNull,
+        reason: 'Tokens must not be in unencrypted SharedPreferences — use flutter_secure_storage'); // currently stored — RED
+  });
+
+  // TLS bypass: HTTP client must not disable certificate validation
+  test('SHOULD enforce TLS certificate verification', () {
+    final client = buildHttpClient(); // the app's HTTP client factory
+    // Inspect that no badCertificateCallback bypasses verification
+    expect(client.badCertificateCallback, isNull,
+        reason: 'badCertificateCallback must not be set to bypass TLS'); // currently bypassed — RED
+  });
+}
+```

package/prompts/refactor-phase.md

@@ -22,6 +22,22 @@ Go through this checklist before closing the vulnerability:
 - [ ] **Performance acceptable** — the patch doesn't add unbounded DB queries or blocking I/O
 - [ ] **No secrets in code** — patch doesn't hardcode keys, tokens, or credentials
 
+**React / Next.js additions:**
+- [ ] **`dangerouslySetInnerHTML` removed or wrapped** — confirm DOMPurify is imported and called before all remaining usages
+- [ ] **Next.js middleware matcher is correct** — `/api/:path*` or tighter; public routes (health checks, webhooks) still reachable
+- [ ] **`app.json` / `.env.local` clean** — no API keys or secrets committed; `*.env` is in `.gitignore`
+
+**React Native / Expo additions:**
+- [ ] **`AsyncStorage` fully migrated** — no remaining `setItem('token', ...)` calls; `expo-secure-store` in `package.json`
+- [ ] **Offline token refresh still works** — `SecureStore.getItemAsync` is called in the right lifecycle (not before `SecureStore.isAvailableAsync()` on web)
+- [ ] **Deep link params validated** — any `route.params` passed to API calls are sanitized or type-checked
+
+**Flutter additions:**
+- [ ] **`flutter_secure_storage` in `pubspec.yaml`** — dependency present and `flutter pub get` ran
+- [ ] **No remaining `SharedPreferences` calls for sensitive keys** — grep for `prefs.getString('token')`, `prefs.setString('password', ...)`
+- [ ] **TLS `badCertificateCallback` fully removed** — grep the entire `lib/` directory for `badCertificateCallback`
+- [ ] **iOS entitlements updated if needed** — `flutter_secure_storage` requires Keychain Sharing capability on iOS
+
 ### Step 3: Clean the patch
 - Remove any debugging `console.log` or `print` statements added during patching
 - Extract reusable security logic into middleware or utility functions if it appears in more than one place

package/templates/sample.exploit.test.dart

@@ -0,0 +1,52 @@
+/// TDD Remediation: Red Phase Sample Test (Flutter / Dart)
+///
+/// Replace the boilerplate below with the specific exploit you are verifying.
+/// This test MUST fail initially (Red Phase). Once you apply the fix, it MUST pass (Green Phase).
+///
+/// Run with: flutter test test/security/
+
+import 'package:flutter_test/flutter_test.dart';
+// import 'package:shared_preferences/shared_preferences.dart';
+// import 'package:flutter_secure_storage/flutter_secure_storage.dart';
+// import '../../lib/services/auth_service.dart'; // update with your auth service path
+
+void main() {
+  group('Security Vulnerability Remediation - Red Phase', () {
+
+    // ── Example 1: Sensitive Storage ─────────────────────────────────────────
+    // test('SHOULD NOT store auth token in plain SharedPreferences', () async {
+    //   SharedPreferences.setMockInitialValues({});
+    //
+    //   // Act: simulate what the app does after login
+    //   // await AuthService().login(username: 'user', password: 'pass');
+    //
+    //   // Assert: token must NOT be in unencrypted SharedPreferences
+    //   final prefs = await SharedPreferences.getInstance();
+    //   expect(prefs.getString('token'), isNull,
+    //       reason: 'Use flutter_secure_storage instead');  // currently stored — RED
+    // });
+
+    // ── Example 2: TLS Bypass ─────────────────────────────────────────────────
+    // test('SHOULD enforce TLS certificate verification', () {
+    //   final client = buildHttpClient(); // your app's HTTP client factory
+    //   expect(client.badCertificateCallback, isNull,
+    //       reason: 'badCertificateCallback must not bypass TLS');  // currently bypassed — RED
+    // });
+
+    // ── Example 3: Navigation Param Injection ─────────────────────────────────
+    // test('SHOULD NOT use raw route params in API calls', () async {
+    //   const maliciousId = "1; DROP TABLE users";
+    //   // Simulate screen loading with a crafted route argument
+    //   // final result = await ItemService().fetchItem(id: maliciousId);
+    //   //
+    //   // Assert the input was validated / rejected
+    //   // expect(result, isNull);  // currently fetches — RED
+    // });
+
+    test('PLACEHOLDER — replace with your exploit assertion', () {
+      // Remove this placeholder and uncomment one of the examples above.
+      expect(true, isTrue);
+    });
+
+  });
+}

package/templates/sample.exploit.test.react.tsx

@@ -0,0 +1,59 @@
+/**
+ * TDD Remediation: Red Phase Sample Test (React / Next.js — Testing Library + Vitest)
+ *
+ * For UI-layer security tests: XSS via dangerouslySetInnerHTML, sensitive data
+ * rendering, unauthenticated route access, client-side auth bypass, etc.
+ *
+ * Replace the boilerplate below with the specific exploit you are verifying.
+ * This test MUST fail initially (Red Phase). Once you apply the fix, it MUST pass (Green Phase).
+ *
+ * Run with: vitest run __tests__/security/
+ */
+
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { render, screen, waitFor } from '@testing-library/react';
+// import ComponentUnderTest from '../../components/ComponentUnderTest'; // update path
+
+describe('Security Vulnerability Remediation - Red Phase (UI)', () => {
+
+  // ── Example 1: XSS via dangerouslySetInnerHTML ───────────────────────────
+  // it('SHOULD sanitize user content before rendering as HTML', () => {
+  //   const xssPayload = '<script>window.__xss = true</script>';
+  //   render(<CommentBody content={xssPayload} />);
+  //
+  //   // Script tag must not be injected into the DOM
+  //   expect(document.querySelector('script')).toBeNull(); // currently rendered — RED
+  //   expect((window as any).__xss).toBeUndefined();
+  // });
+
+  // ── Example 2: Sensitive data must not appear in rendered output ─────────
+  // it('SHOULD NOT expose auth token in the DOM', () => {
+  //   render(<UserProfile token="super-secret-jwt" />);
+  //   expect(screen.queryByText('super-secret-jwt')).toBeNull(); // currently visible — RED
+  // });
+
+  // ── Example 3: Protected route must reject unauthenticated users ─────────
+  // it('SHOULD NOT render protected content without a valid session', () => {
+  //   render(<ProtectedPage />, { wrapper: UnauthenticatedProvider });
+  //   expect(screen.queryByRole('main')).toBeNull();       // currently renders — RED
+  //   expect(screen.getByText(/sign in/i)).toBeInTheDocument();
+  // });
+
+  // ── Example 4: Form input must be sanitized before submission ────────────
+  // it('SHOULD strip script tags from form input before submit', async () => {
+  //   const user = userEvent.setup();
+  //   render(<CommentForm onSubmit={mockSubmit} />);
+  //   await user.type(screen.getByRole('textbox'), '<script>alert(1)</script>');
+  //   await user.click(screen.getByRole('button', { name: /submit/i }));
+  //
+  //   expect(mockSubmit).toHaveBeenCalledWith(
+  //     expect.not.objectContaining({ body: expect.stringContaining('<script>') })
+  //   ); // currently passes raw payload — RED
+  // });
+
+  it('PLACEHOLDER — replace with your exploit assertion', () => {
+    // Remove this placeholder and uncomment one of the examples above.
+    expect(true).toBe(true);
+  });
+
+});

package/templates/workflows/security-tests.flutter.yml

@@ -0,0 +1,26 @@
+name: Security Tests
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+
+jobs:
+  security-tests:
+    name: Exploit Test Suite
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: subosito/flutter-action@v2
+        with:
+          flutter-version: 'stable'
+          cache: true
+
+      - name: Install dependencies
+        run: flutter pub get
+
+      - name: Run security exploit tests
+        run: flutter test test/security/