@lhi/tdd-audit 1.1.2 → 1.3.0

package/SKILL.md

@@ -9,12 +9,18 @@ Applying Test-Driven Development (TDD) to code that has already been generated r
 
 ## Autonomous Audit Mode
 If the user asks you to "Run the TDD Remediation Auto-Audit" or asks you to implement this on your own:
-1. **Explore**: Proactively use `Glob`, `Grep`, and `Read` to scan the repository. Focus on `controllers/`, `routes/`, `api/`, `middleware/`, and database files. Search for anti-patterns: unparameterized SQL queries, missing ownership checks, unsafe HTML rendering, and command injection sinks. Full search patterns are in [auto-audit.md](./prompts/auto-audit.md).
+1. **Explore**: Proactively use `Glob`, `Grep`, and `Read` to scan the repository. Focus on:
+   - **Backend/API**: `controllers/`, `routes/`, `api/`, `handlers/`, `middleware/`, `services/`, `models/`
+   - **React / Next.js**: `pages/api/`, `app/api/`, `components/`, `hooks/`, `context/`, `store/`
+   - **React Native / Expo**: `screens/`, `navigation/`, `app/`, `app.json`, `app.config.js`
+   - **Flutter / Dart**: `lib/screens/`, `lib/services/`, `lib/api/`, `lib/repositories/`, `pubspec.yaml`
+   Search for anti-patterns across the full vulnerability surface: SQL/NoSQL/Template injection, IDOR, XSS, command injection, path traversal, SSRF, open redirects, broken auth, mass assignment, prototype pollution, weak crypto, sensitive storage, TLS bypasses, hardcoded secrets, missing rate limiting, missing security headers, CORS wildcards, XXE, insecure deserialization, WebView JS bridge exposure. Full search patterns are in [auto-audit.md](./prompts/auto-audit.md).
 2. **Plan**: Present a structured list of vulnerabilities (grouped by severity: CRITICAL / HIGH / MEDIUM / LOW) and get confirmation before making any changes.
 3. **Self-Implement**: For *each* confirmed vulnerability, autonomously execute the complete 3-phase protocol:
    - **[Phase 1 (Red)](./prompts/red-phase.md)**: Write the exploit test ensuring it fails.
    - **[Phase 2 (Green)](./prompts/green-phase.md)**: Write the security patch ensuring the test passes.
    - **[Phase 3 (Refactor)](./prompts/refactor-phase.md)**: Run the full test suite and ensure no business logic broke.
+4. **[Phase 4 (Hardening)](./prompts/hardening-phase.md)**: After all vulnerabilities are remediated, apply proactive defense-in-depth controls: security headers (Helmet), CSP, CSRF protection, rate limiting audit, dependency vulnerability scan, secret history scan, production error handling, and SRI for third-party scripts.
 Move methodically through vulnerabilities one by one, CRITICAL-first. Do not advance until the current vulnerability is fully remediated.
 
 ---

package/index.js

@@ -23,6 +23,9 @@ const targetWorkflowDir = isClaude
 // ─── 1. Framework Detection ──────────────────────────────────────────────────
 
 function detectFramework() {
+  // Flutter / Dart — check before package.json since a Flutter project may have both
+  if (fs.existsSync(path.join(projectDir, 'pubspec.yaml'))) return 'flutter';
+
   const pkgPath = path.join(projectDir, 'package.json');
   if (fs.existsSync(pkgPath)) {
     try {
@@ -43,6 +46,25 @@ function detectFramework() {
   return 'jest';
 }
 
+// Detect the UI framework for richer scan context (React, Next.js, RN, Expo, Flutter)
+function detectAppFramework() {
+  if (fs.existsSync(path.join(projectDir, 'pubspec.yaml'))) return 'flutter';
+  const pkgPath = path.join(projectDir, 'package.json');
+  if (fs.existsSync(pkgPath)) {
+    try {
+      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+      const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
+      if (deps.expo) return 'expo';
+      if (deps['react-native']) return 'react-native';
+      if (deps.next) return 'nextjs';
+      if (deps.react) return 'react';
+    } catch {}
+  }
+  return null;
+}
+
+const appFramework = detectAppFramework();
+
 const framework = detectFramework();
 
 // ─── 2. Test Directory Detection ─────────────────────────────────────────────
@@ -71,10 +93,36 @@ const VULN_PATTERNS = [
   { name: 'XSS',               severity: 'HIGH',     pattern: /[^/]innerHTML\s*=(?!=)|dangerouslySetInnerHTML\s*=\s*\{\{|document\.write\s*\(|res\.send\s*\(`[^`]*\$\{req\./i },
   { name: 'Path Traversal',    severity: 'HIGH',     pattern: /(readFile|sendFile|createReadStream|open)\s*\(.*req\.(params|body|query)|path\.join\s*\([^)]*req\.(params|body|query)/i },
   { name: 'Broken Auth',       severity: 'HIGH',     pattern: /jwt\.decode\s*\((?![^;]*\.verify)|verify\s*:\s*false|secret\s*=\s*['"][a-z0-9]{1,20}['"]/i },
+  // Vibecoding / mobile stacks
+  { name: 'Sensitive Storage', severity: 'HIGH',     pattern: /(localStorage|AsyncStorage)\.setItem\s*\(\s*['"](token|password|secret|auth|jwt|api.?key)['"]/i },
+  { name: 'TLS Bypass',        severity: 'CRITICAL', pattern: /badCertificateCallback[^;]*=\s*true|rejectUnauthorized\s*:\s*false|NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]?0/i },
+  { name: 'Hardcoded Secret',  severity: 'CRITICAL', skipInTests: true,  pattern: /(?:const|final|var|let|static)\s+(?:API_KEY|PRIVATE_KEY|SECRET_KEY|ACCESS_TOKEN|CLIENT_SECRET)\s*=\s*['"][A-Za-z0-9+/=_\-]{20,}['"]/i },
+  { name: 'eval() Injection',  severity: 'HIGH',     pattern: /\beval\s*\([^)]*(?:route\.params|searchParams\.get|req\.(query|body)|params\[)/i },
+  // Common vibecoding anti-patterns
+  { name: 'Insecure Random',   severity: 'HIGH',     pattern: /(?:token|sessionId|nonce|secret|csrf)\w*\s*=.*Math\.random\(\)|Math\.random\(\).*(?:token|session|nonce|secret)/i },
+  { name: 'Sensitive Log',     severity: 'MEDIUM',   skipInTests: true,  pattern: /console\.(log|info|debug)\([^)]*(?:token|password|secret|jwt|authorization|apiKey|api_key)/i },
+  { name: 'Secret Fallback',   severity: 'HIGH',     pattern: /process\.env\.\w+\s*\|\|\s*['"][A-Za-z0-9+/=_\-]{10,}['"]/i },
+  // SSRF, redirects, injection
+  { name: 'SSRF',                    severity: 'CRITICAL', pattern: /\b(?:fetch|axios\.(?:get|post|put|patch|delete|request)|got|https?\.get)\s*\(\s*req\.(?:query|body|params)\./i },
+  { name: 'Open Redirect',           severity: 'HIGH',     pattern: /res\.redirect\s*\(\s*req\.(?:query|body|params)\.|window\.location(?:\.href)?\s*=\s*(?:params\.|route\.params\.|searchParams\.get)/i },
+  { name: 'NoSQL Injection',         severity: 'HIGH',     pattern: /\.(?:find|findOne|findById|updateOne|deleteOne)\s*\(\s*req\.(?:body|query|params)\b|\$where\s*:\s*['"`]/i },
+  { name: 'Template Injection',      severity: 'HIGH',     pattern: /res\.render\s*\(\s*req\.(?:params|body|query)\.|(?:ejs|pug|nunjucks|handlebars)\.render(?:File)?\s*\([^)]*req\.(?:body|params|query)/i },
+  { name: 'Insecure Deserialization',severity: 'CRITICAL', pattern: /\.unserialize\s*\(.*req\.|__proto__\s*[=:][^=]|Object\.setPrototypeOf\s*\([^,]+,\s*req\./i },
+  // Assignment / pollution
+  { name: 'Mass Assignment',         severity: 'HIGH',     pattern: /new\s+\w+\s*\(\s*req\.body\b|\.create\s*\(\s*req\.body\b|\.update(?:One)?\s*\(\s*\{[^}]*\},\s*req\.body\b/i },
+  { name: 'Prototype Pollution',     severity: 'HIGH',     pattern: /(?:_\.merge|lodash\.merge|deepmerge|hoek\.merge)\s*\([^)]*req\.(?:body|query|params)/i },
+  // Crypto / config
+  { name: 'Weak Crypto',             severity: 'HIGH',     pattern: /createHash\s*\(\s*['"](?:md5|sha1)['"]\)|(?:md5|sha1)\s*\(\s*(?:password|passwd|pwd|secret)/i },
+  { name: 'CORS Wildcard',           severity: 'MEDIUM',   pattern: /cors\s*\(\s*\{\s*origin\s*:\s*['"]?\*['"]?|'Access-Control-Allow-Origin',\s*['"]?\*/i },
+  { name: 'Cleartext Traffic',       severity: 'MEDIUM',   skipInTests: true, pattern: /(?:baseURL|apiUrl|API_URL|endpoint|baseUrl)\s*[:=]\s*['"]http:\/\/(?!localhost|127\.0\.0\.1)/i },
+  { name: 'XXE',                     severity: 'HIGH',     pattern: /noent\s*:\s*true|expand_entities\s*=\s*True|resolve_entities\s*=\s*True/i },
+  // Mobile / WebView
+  { name: 'WebView JS Bridge',       severity: 'HIGH',     pattern: /addJavascriptInterface\s*\(|javaScriptEnabled\s*:\s*true|allowFileAccess\s*:\s*true|allowUniversalAccessFromFileURLs\s*:\s*true/i },
+  { name: 'Deep Link Injection',     severity: 'MEDIUM',   pattern: /Linking\.getInitialURL\s*\(\)|Linking\.addEventListener\s*\(\s*['"]url['"]/i },
 ];
 
-const SCAN_EXTENSIONS = new Set(['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.go']);
-const SKIP_DIRS = new Set(['node_modules', '.git', 'dist', 'build', '.next', 'out', '__pycache__', 'venv', '.venv', 'vendor']);
+const SCAN_EXTENSIONS = new Set(['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.go', '.dart']);
+const SKIP_DIRS = new Set(['node_modules', '.git', 'dist', 'build', '.next', 'out', '__pycache__', 'venv', '.venv', 'vendor', '.expo', '.dart_tool', '.pub-cache']);
 
 function* walkFiles(dir) {
   let entries;
@@ -87,9 +135,65 @@ function* walkFiles(dir) {
   }
 }
 
+// Returns true for test/spec files — used to down-weight false-positive-prone patterns
+function isTestFile(filePath) {
+  const rel = path.relative(projectDir, filePath).replace(/\\/g, '/');
+  return /[._-]test\.[a-z]+$|[._-]spec\.[a-z]+$|_test\.dart$|\/tests?\/|\/spec\/|\/test_/.test(rel);
+}
+
+// Scan app.json / app.config.* for embedded secrets (common Expo vibecoding issue)
+function scanAppConfig() {
+  const findings = [];
+  const configCandidates = ['app.json', 'app.config.js', 'app.config.ts'];
+  const secretPattern = /['"]?(?:apiKey|api_key|secret|privateKey|accessToken|clientSecret)['"]?\s*[:=]\s*['"][A-Za-z0-9+/=_\-]{20,}['"]/i;
+
+  for (const name of configCandidates) {
+    const filePath = path.join(projectDir, name);
+    if (!fs.existsSync(filePath)) continue;
+    let lines;
+    try { lines = fs.readFileSync(filePath, 'utf8').split('\n'); } catch { continue; }
+    for (let i = 0; i < lines.length; i++) {
+      if (secretPattern.test(lines[i])) {
+        findings.push({
+          severity: 'CRITICAL',
+          name: 'Config Secret',
+          file: name,
+          line: i + 1,
+          snippet: lines[i].trim().slice(0, 80),
+          inTestFile: false,
+        });
+      }
+    }
+  }
+  return findings;
+}
+
+function scanAndroidManifest() {
+  const findings = [];
+  const manifestPath = path.join(projectDir, 'android', 'app', 'src', 'main', 'AndroidManifest.xml');
+  if (!fs.existsSync(manifestPath)) return findings;
+  let lines;
+  try { lines = fs.readFileSync(manifestPath, 'utf8').split('\n'); } catch { return findings; }
+  for (let i = 0; i < lines.length; i++) {
+    if (/android:debuggable\s*=\s*["']true["']/i.test(lines[i])) {
+      findings.push({
+        severity: 'HIGH',
+        name: 'Android Debuggable',
+        file: 'android/app/src/main/AndroidManifest.xml',
+        line: i + 1,
+        snippet: lines[i].trim().slice(0, 80),
+        inTestFile: false,
+        likelyFalsePositive: false,
+      });
+    }
+  }
+  return findings;
+}
+
 function quickScan() {
   const findings = [];
   for (const filePath of walkFiles(projectDir)) {
+    const inTest = isTestFile(filePath);
     let lines;
     try { lines = fs.readFileSync(filePath, 'utf8').split('\n'); } catch { continue; }
     for (let i = 0; i < lines.length; i++) {
@@ -101,13 +205,15 @@ function quickScan() {
             file: path.relative(projectDir, filePath),
             line: i + 1,
             snippet: lines[i].trim().slice(0, 80),
+            inTestFile: inTest,
+            likelyFalsePositive: inTest && !!vuln.skipInTests,
           });
           break; // one finding per line
         }
       }
     }
   }
-  return findings;
+  return [...findings, ...scanAppConfig(), ...scanAndroidManifest()];
 }
 
 function printFindings(findings) {
@@ -115,18 +221,30 @@ function printFindings(findings) {
     console.log('   ✅ No obvious vulnerability patterns detected.\n');
     return;
   }
+  const real = findings.filter(f => !f.likelyFalsePositive);
+  const noisy = findings.filter(f => f.likelyFalsePositive);
+
   const bySeverity = { CRITICAL: [], HIGH: [], MEDIUM: [], LOW: [] };
-  for (const f of findings) (bySeverity[f.severity] || bySeverity.LOW).push(f);
+  for (const f of real) (bySeverity[f.severity] || bySeverity.LOW).push(f);
   const icons = { CRITICAL: '🔴', HIGH: '🟠', MEDIUM: '🟡', LOW: '🔵' };
 
-  console.log(`\n   Found ${findings.length} potential issue(s):\n`);
+  console.log(`\n   Found ${real.length} potential issue(s)${noisy.length ? ` (+${noisy.length} in test files — see below)` : ''}:\n`);
   for (const [sev, list] of Object.entries(bySeverity)) {
     if (!list.length) continue;
     for (const f of list) {
-      console.log(`   ${icons[sev]} [${sev}] ${f.name} — ${f.file}:${f.line}`);
+      const testBadge = f.inTestFile ? ' [test file]' : '';
+      console.log(`   ${icons[sev]} [${sev}] ${f.name} — ${f.file}:${f.line}${testBadge}`);
       console.log(`         ${f.snippet}`);
     }
   }
+
+  if (noisy.length) {
+    console.log('\n   ⚪ Likely intentional (in test files — verify manually):');
+    for (const f of noisy) {
+      console.log(`      ${f.name} — ${f.file}:${f.line}`);
+    }
+  }
+
   console.log('\n   Run /tdd-audit in your agent to remediate.\n');
 }
 
@@ -142,7 +260,8 @@ if (scanOnly) {
 
 // ─── 5. Install Skill Files ───────────────────────────────────────────────────
 
-console.log(`\nInstalling TDD Remediation Skill (${isLocal ? 'local' : 'global'}, framework: ${framework}, test dir: ${testBaseDir}/)...\n`);
+const appLabel = appFramework ? `, app: ${appFramework}` : '';
+console.log(`\nInstalling TDD Remediation Skill (${isLocal ? 'local' : 'global'}, framework: ${framework}${appLabel}, test dir: ${testBaseDir}/)...\n`);
 
 if (!fs.existsSync(targetSkillDir)) fs.mkdirSync(targetSkillDir, { recursive: true });
 
@@ -160,11 +279,12 @@ if (!fs.existsSync(targetTestDir)) {
 }
 
 const testTemplateMap = {
-  jest:   'sample.exploit.test.js',
-  vitest: 'sample.exploit.test.vitest.js',
-  mocha:  'sample.exploit.test.js',
-  pytest: 'sample.exploit.test.pytest.py',
-  go:     'sample.exploit.test.go',
+  jest:    'sample.exploit.test.js',
+  vitest:  'sample.exploit.test.vitest.js',
+  mocha:   'sample.exploit.test.js',
+  pytest:  'sample.exploit.test.pytest.py',
+  go:      'sample.exploit.test.go',
+  flutter: 'sample.exploit.test.dart',
 };
 
 const testTemplateName = testTemplateMap[framework];
@@ -217,11 +337,12 @@ const ciWorkflowPath = path.join(ciWorkflowDir, 'security-tests.yml');
 
 if (!fs.existsSync(ciWorkflowPath)) {
   const ciTemplateMap = {
-    jest:   'security-tests.node.yml',
-    vitest: 'security-tests.node.yml',
-    mocha:  'security-tests.node.yml',
-    pytest: 'security-tests.python.yml',
-    go:     'security-tests.go.yml',
+    jest:    'security-tests.node.yml',
+    vitest:  'security-tests.node.yml',
+    mocha:   'security-tests.node.yml',
+    pytest:  'security-tests.python.yml',
+    go:      'security-tests.go.yml',
+    flutter: 'security-tests.flutter.yml',
   };
   const ciTemplatePath = path.join(__dirname, 'templates', 'workflows', ciTemplateMap[framework]);
   if (fs.existsSync(ciTemplatePath)) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lhi/tdd-audit",
-  "version": "1.1.2",
+  "version": "1.3.0",
   "description": "Anti-Gravity Skill for TDD Remediation. Patches security vulnerabilities using a Red-Green-Refactor protocol with automated exploit tests.",
   "main": "index.js",
   "bin": {
@@ -31,7 +31,14 @@
     "audit",
     "claude",
     "ai-agent",
-    "skill"
+    "skill",
+    "react",
+    "nextjs",
+    "react-native",
+    "expo",
+    "flutter",
+    "mobile-security",
+    "vibecoding"
   ],
   "engines": {
     "node": ">=16.7.0"

package/prompts/auto-audit.md

@@ -6,11 +6,29 @@ When invoked in Auto-Audit mode, proactively secure the user's entire repository
 
 ### 0a. Explore the Architecture
 Use `Glob` and `Read` to understand the project structure. Focus on:
+
+**Backend / API**
 - `controllers/`, `routes/`, `api/`, `handlers/` — request entry points
 - `services/`, `models/`, `db/`, `repositories/` — data access
 - `middleware/`, `utils/`, `helpers/`, `lib/` — shared utilities
 - Config files: `*.env`, `config.js`, `settings.py` — secrets and security settings
 
+**React / Next.js**
+- `pages/api/`, `app/api/` — Next.js API routes (check for missing auth)
+- `components/`, `app/`, `pages/` — UI components (check for `dangerouslySetInnerHTML`, `eval`)
+- `hooks/`, `context/`, `store/` — state management (check for sensitive data leakage)
+
+**React Native / Expo**
+- `screens/`, `navigation/`, `app/` — screen components (check `route.params` usage)
+- `services/`, `api/`, `utils/` — API calls (check TLS config, token storage)
+- `app.json`, `app.config.js` — Expo config (check for embedded keys)
+
+**Flutter / Dart**
+- `lib/screens/`, `lib/pages/`, `lib/views/` — UI layer
+- `lib/services/`, `lib/api/`, `lib/repositories/` — data layer (check HTTP client config)
+- `lib/utils/`, `lib/helpers/` — shared utilities
+- `pubspec.yaml` — dependency audit
+
 ### 0b. Search for Anti-Patterns
 Use `Grep` with the following patterns to surface candidates. Read the matched files to confirm before reporting.
 
@@ -71,6 +89,131 @@ router\.(post|put|delete)  # mutation routes (check for rate-limit middleware)
 app\.post\(           # POST handlers (check for rate-limit middleware)
 ```
 
+**Sensitive Storage (React / React Native / Expo)**
+```
+AsyncStorage\.setItem.*token    # token stored in unencrypted AsyncStorage
+localStorage\.setItem.*token    # token stored in localStorage (XSS-accessible)
+AsyncStorage\.setItem.*password # password stored in plain AsyncStorage
+SecureStore vs AsyncStorage     # confirm sensitive values use expo-secure-store
+```
+
+**TLS / Certificate Bypass**
+```
+rejectUnauthorized.*false       # Node.js TLS verification disabled
+badCertificateCallback.*true    # Dart/Flutter TLS bypass
+NODE_TLS_REJECT_UNAUTHORIZED=0  # env-level TLS disable
+```
+
+**Hardcoded Secrets (vibecoded apps)**
+```
+API_KEY\s*=\s*['"][A-Za-z0-9]{20,}   # hardcoded API key in source
+PRIVATE_KEY\s*=\s*['"]               # private key in source
+SECRET_KEY\s*=\s*['"]                # secret embedded in code
+process\.env\.\w+\s*\|\|\s*['"]      # env var with hardcoded fallback
+```
+
+**Next.js API Route Auth**
+```
+export.*async.*handler             # Next.js API route — check for missing auth guard
+export default.*req.*res           # pages/api handler — verify authentication
+getServerSideProps.*params         # SSR with params — check for injection
+```
+
+**React Native / Expo Navigation Injection**
+```
+route\.params\.\w+.*query          # route param passed to DB/API query
+route\.params\.\w+.*fetch          # route param used in fetch URL
+navigation\.navigate.*params       # user-controlled navigation params
+```
+
+**Flutter / Dart**
+```
+http\.get\(                         # raw http call — check for TLS config
+http\.post\(                        # raw http call — check for TLS config
+SharedPreferences.*setString.*token # token in unencrypted SharedPreferences
+Platform\.environment\[            # env access in Flutter — check for secrets
+```
+
+**SSRF (Server-Side Request Forgery)**
+```
+fetch\(.*req\.(query|body|params)   # fetch with user-controlled URL
+axios\.(get|post)\(.*req\.body      # axios with user-controlled target
+got\(.*req\.(query|params)          # got with user-controlled URL
+```
+
+**Open Redirect**
+```
+res\.redirect\(.*req\.(query|body)  # redirecting to user-supplied URL
+window\.location.*=.*params\.       # client-side redirect from route params
+router\.push\(.*searchParams        # Next.js/RN push with user param
+```
+
+**NoSQL Injection**
+```
+\.find\(\s*req\.(body|query)        # MongoDB find with raw request object
+\.findOne\(\s*req\.(body|query)     # MongoDB findOne with raw request object
+\$where.*:                          # $where operator (executes JS in Mongo)
+```
+
+**Mass Assignment**
+```
+new.*Model\(.*req\.body             # passing full req.body to constructor
+\.create\(.*req\.body               # ORM create with unsanitized body
+\.update.*req\.body                 # ORM update with unsanitized body
+```
+
+**Prototype Pollution**
+```
+_\.merge\(.*req\.(body|query)       # lodash merge with user input
+deepmerge\(.*req\.(body|query)      # deepmerge with user input
+Object\.assign\(\{\}.*req\.body     # Object.assign from user input
+```
+
+**Weak Cryptography**
+```
+createHash\(['"]md5['"]             # MD5 for anything security-related
+createHash\(['"]sha1['"]            # SHA1 for anything security-related
+md5\(.*password                     # MD5-hashed password
+sha1\(.*password                    # SHA1-hashed password
+```
+
+**Missing Security Headers / Rate Limiting**
+```
+app\.(use|listen)                   # check: is helmet() present before routes?
+router\.(post|put|delete)           # mutation routes — check for rateLimit middleware
+app\.post\('/login                  # login route — must have rate limit
+app\.post\('/register               # register route — must have rate limit
+```
+
+**CORS Misconfiguration**
+```
+cors\(\{.*origin.*\*                # wildcard CORS origin
+Access-Control-Allow-Origin.*\*     # wildcard CORS header
+```
+
+**Template Injection**
+```
+res\.render\(.*req\.(params|query)  # user-controlled template name
+ejs\.render\(.*req\.body            # ejs render with user input
+pug\.render\(.*req\.body            # pug render with user input
+```
+
+**Cleartext Traffic / XXE**
+```
+baseURL.*=.*['"]http://(?!localhost) # non-HTTPS API base URL
+noent.*:.*true                      # XML entity expansion enabled
+resolve_entities.*True              # Python lxml entity expansion
+```
+
+**Dependency Audit**
+```
+# Run manually — not grep-based:
+# npm audit --audit-level=high
+# pip-audit
+# govulncheck ./...
+# bundle audit
+```
+
 ### 0c. Present Findings
 Before touching any code, output a structured **Audit Report** with this format: