@lhi/tdd-audit 1.11.0 → 1.14.0

package/README.md

@@ -1,6 +1,7 @@
 # @lhi/tdd-audit
+[![tdd-audit](https://img.shields.io/badge/tdd--audit-passing-brightgreen)](https://www.npmjs.com/package/@lhi/tdd-audit) <!-- tdd-audit-badge -->
 
-> **v1.10.0** — Security skill installer for **Claude Code, Gemini CLI, Cursor, Codex, and OpenCode**. Patches vulnerabilities using a Red-Green-Refactor exploit-test protocol — prove the hole exists, apply the fix, prove it's closed.
+> **v1.14.0** — Security skill installer for **Claude Code, Gemini CLI, Cursor, Codex, and OpenCode**. Patches vulnerabilities using a Red-Green-Refactor exploit-test protocol — prove the hole exists, apply the fix, prove it's closed.
 
 ## Install
 
@@ -10,7 +11,7 @@ npx @lhi/tdd-audit
 
 On first run the installer:
 
-1. Scans your codebase for **34 vulnerability patterns** and prints a severity-ranked report
+1. Scans your codebase for **57 vulnerability patterns** across 6 scanner modules and prints a severity-ranked report
 2. Scaffolds `__tests__/security/` with a framework-matched exploit test boilerplate
 3. Adds `test:security` to `package.json`
 4. Creates `.github/workflows/security-tests.yml` with SHA-pinned actions and `npm audit`
@@ -80,7 +81,7 @@ npx @lhi/tdd-audit serve --config ~/configs/prod-audit.json
 ## REST API + AI remediation
 
 ```bash
-# Start the API server
+# Start the API server (now powered by Fastify)
 npx @lhi/tdd-audit serve --port 3000 --api-key YOUR_SECRET
 
 # Scan any path → JSON
@@ -88,6 +89,19 @@ curl -X POST http://localhost:3000/scan \
   -H "Authorization: Bearer YOUR_SECRET" \
   -d '{"path": "."}' | jq '.summary'
 
+# Full automated pipeline: scan + remediate in one shot
+curl -X POST http://localhost:3000/audit \
+  -H "Authorization: Bearer YOUR_SECRET" \
+  -H "Content-Type: application/json" \
+  -d '{"path": ".", "provider": "anthropic", "apiKey": "sk-ant-..."}' \
+  | jq '.jobId'
+
+# Poll job status
+curl http://localhost:3000/jobs/<jobId>
+
+# Or stream real-time updates via SSE
+curl -N http://localhost:3000/jobs/<jobId>/stream
+
 # Use any OpenAI-compatible service (Groq, OpenRouter, Together AI, etc.)
 npx @lhi/tdd-audit serve \
   --provider openai \
@@ -98,6 +112,17 @@ npx @lhi/tdd-audit serve \
 
 Supported providers: `anthropic` · `openai` · `gemini` · `ollama` (local) · **any OpenAI-compatible endpoint via `--base-url`**
 
+### Endpoints
+
+| Method | Path | Auth | Description |
+|---|---|---|---|
+| `GET` | `/health` | No | Version + liveness check |
+| `POST` | `/scan` | Yes | Scan a path, return findings |
+| `POST` | `/remediate` | Yes | AI-fix a findings list; returns `jobId` |
+| `POST` | `/audit` | Yes | Full scan+remediate pipeline; returns `jobId` |
+| `GET` | `/jobs/:id` | Yes | Poll job status |
+| `GET` | `/jobs/:id/stream` | Yes | SSE stream — real-time job progress |
+
 ## Output formats
 
 ```bash
@@ -108,15 +133,16 @@ npx @lhi/tdd-audit --scan                 # human-readable text (default)
 
 ## Testing
 
-323 tests across unit, integration, and security suites:
+586 tests across unit, E2E, and security suites:
 
 ```bash
 npm test                  # full suite
-npm run test:unit         # unit tests with coverage
+npm run test:unit         # unit tests with coverage (96.6% branch coverage)
 npm run test:security     # security regression tests only
+npm run test:e2e          # end-to-end REST API tests
 ```
 
-Security tests cover prompt injection, path traversal, rate limiting, timing-safe auth, job store bounds, SARIF schema, and more. See [`__tests__/security/`](__tests__/security/) for all 17 regression tests.
+Security tests cover prompt injection, path traversal, rate limiting, timing-safe auth, job store bounds, SARIF schema, and more. See [__tests__/security/](__tests__/security/) for all 22 regression tests.
 
 ## Documentation
 
@@ -125,7 +151,7 @@ Security tests cover prompt injection, path traversal, rate limiting, timing-saf
 | [REST API](docs/rest-api.md) | Endpoints, auth, rate limiting, trust-proxy, request/response schema |
 | [AI Remediation](docs/ai-remediation.md) | Provider setup, `--base-url` for compatible APIs, config file |
 | [Scanner](docs/scanner.md) | Architecture, detection logic, false-positive handling |
-| [Vulnerability Patterns](docs/vulnerability-patterns.md) | All 34 patterns — descriptions, grep signatures, fix pointers |
+| [Vulnerability Patterns](docs/vulnerability-patterns.md) | All 57 patterns — descriptions, grep signatures, fix pointers |
 | [TDD Protocol](docs/tdd-protocol.md) | Red-Green-Refactor in full, with framework templates for all 6 stacks |
 | [Agentic AI Security](docs/agentic-ai-security.md) | ASI01–ASI10 — prompt injection, MCP supply chain, Actions injection |
 | [Hardening](docs/hardening.md) | Phase 4 controls — Helmet, CSP, CSRF, rate limiting, gitleaks, SRI |

package/docs/rest-api.md

@@ -1,6 +1,6 @@
 # REST API
 
-`tdd-audit serve` turns the scanner into an authenticated HTTP API. Use it to integrate vulnerability scanning into dashboards, CI pipelines, bots, or any tooling that speaks JSON.
+`tdd-audit serve` turns the scanner into an authenticated HTTP API built on **Fastify**. Use it to integrate vulnerability scanning and AI remediation into dashboards, CI pipelines, bots, or any tooling that speaks JSON.
 
 ---
 
@@ -29,7 +29,7 @@ npx @lhi/tdd-audit serve --config ~/configs/prod.json
 }
 ```
 
-If `--api-key` / `serverApiKey` is omitted the server starts unauthenticated with a warning. Always set one in production.
+If `--api-key` / `serverApiKey` is omitted the server starts unauthenticated with a stderr warning. Always set one in production.
 
 ---
 
@@ -45,13 +45,13 @@ Authorization: Bearer YOUR_SECRET
 
 Missing or wrong key → `401 Unauthorized`.
 
-Tokens are compared using **HMAC + `crypto.timingSafeEqual`** to prevent timing-oracle attacks.
+Tokens are compared using **HMAC + `crypto.timingSafeEqual`** to prevent timing-oracle attacks (both values are HMAC-normalised before comparison so lengths are always equal).
 
 ### Rate limiting
 
-All endpoints are rate-limited to **60 requests / IP / minute** (default). Exceeding the limit returns `429 Too Many Requests`.
+All endpoints are rate-limited to **60 requests / IP / minute**. Exceeding the limit returns `429 Too Many Requests`.
 
-By default the rate limiter keys on the **socket IP**, not `X-Forwarded-For`, to prevent header-spoofing bypasses. Enable proxy-forwarded IPs only if you are behind a trusted reverse proxy:
+By default the rate limiter keys on the **socket IP**, not `X-Forwarded-For`, to prevent header-spoofing bypasses. Enable proxy-forwarded IPs only when you are behind a trusted reverse proxy:
 
 ```json
 { "trustProxy": true }
@@ -59,15 +59,16 @@ By default the rate limiter keys on the **socket IP**, not `X-Forwarded-For`, to
 
 ### Path validation
 
-`POST /scan` validates that the requested path is inside the server's working directory (normalised with a trailing separator to prevent sibling-directory prefix bypasses). Paths outside cwd return `400`.
+`POST /scan` and `POST /audit` validate that the requested path is inside the server's working directory. The check is normalised with a trailing path separator to prevent sibling-directory prefix bypasses (e.g. `/app-evil` cannot escape via `/app`). Paths outside cwd return `400`.
 
 ### Security headers
 
 Every response includes:
 
 ```
-X-Content-Type-Options: nosniff
-X-Frame-Options: DENY
+Content-Security-Policy: default-src 'none'
+X-Content-Type-Options:  nosniff
+X-Frame-Options:         DENY
 ```
 
 ---
@@ -79,14 +80,14 @@ X-Frame-Options: DENY
 No auth required. Returns server status and version.
 
 ```json
-{ "status": "ok", "version": "1.9.0" }
+{ "status": "ok", "version": "1.13.0" }
 ```
 
 ---
 
 ### `POST /scan`
 
-Scan a local path and return structured findings.
+Scan a local path and return structured findings synchronously.
 
 **Request**
 ```json
@@ -104,13 +105,13 @@ Scan a local path and return structured findings.
 **Response — JSON**
 ```json
 {
-  "version":             "1.9.0",
-  "summary":             { "CRITICAL": 1, "HIGH": 3, "MEDIUM": 1, "LOW": 0 },
-  "findings":            [ ... ],
+  "version":              "1.13.0",
+  "summary":              { "CRITICAL": 1, "HIGH": 3, "MEDIUM": 1, "LOW": 0 },
+  "findings":             [ ... ],
   "likelyFalsePositives": [ ... ],
-  "exempted":            [],
-  "scannedAt":           "2026-03-25T12:00:00.000Z",
-  "duration":            42
+  "exempted":             [],
+  "scannedAt":            "2026-03-25T12:00:00.000Z",
+  "duration":             42
 }
 ```
 
@@ -122,7 +123,7 @@ Returns a SARIF 2.1.0 object ready to upload to GitHub code scanning.
 
 | Status | Reason |
 |---|---|
-| 400 | Path traversal attempt, sibling-directory bypass, oversized body (> 512 KB), or invalid JSON |
+| 400 | Path traversal attempt, oversized body (> 512 KB), or invalid JSON |
 | 401 | Missing or invalid API key |
 | 429 | Rate limit exceeded |
 
@@ -130,18 +131,18 @@ Returns a SARIF 2.1.0 object ready to upload to GitHub code scanning.
 
 ### `POST /remediate`
 
-Queue an AI-powered remediation job. Returns immediately with a `jobId`; poll `/jobs/:id` for results.
+Queue an AI-powered remediation job for a **provided findings list**. Returns immediately with a `jobId`; poll `GET /jobs/:id` (or stream `GET /jobs/:id/stream`) for results.
 
-The server stores up to **1 000 jobs** in memory (TTL: 1 hour). Oldest jobs are evicted when the cap is reached.
+Use `POST /audit` instead if you want the server to run the scan itself.
 
 **Request**
 ```json
 {
   "findings": [ ... ],
-  "provider": "openai",
-  "apiKey":   "sk-...",
-  "model":    "gpt-4o",
-  "baseUrl":  "https://api.groq.com/openai/v1",
+  "provider": "anthropic",
+  "apiKey":   "sk-ant-...",
+  "model":    "claude-opus-4-6",
+  "baseUrl":  null,
   "severity": "HIGH"
 }
 ```
@@ -155,23 +156,69 @@ The server stores up to **1 000 jobs** in memory (TTL: 1 hour). Oldest jobs are
 | `baseUrl` | no | Override base URL for any OpenAI-compatible service |
 | `severity` | no | Minimum severity to fix. Default: `LOW` (fix all) |
 
-**Response**
+**Response — 202 Accepted**
 ```json
 { "jobId": "job_1_1711363200000" }
 ```
 
+Job lifecycle: `pending → running → done | error`
+
 ---
 
-### `GET /jobs/:id`
+### `POST /audit`
+
+Full automated pipeline: **scan + AI remediation in one shot**. No interaction needed. Returns immediately with a `jobId`.
 
-Poll for remediation job status.
+If no `provider`/`apiKey` are supplied, the server runs the scan only (no remediation) and the job transitions to `done` with just the `findings` array.
 
-**Response — pending / running**
+**Request**
 ```json
-{ "id": "job_1_...", "status": "pending", "createdAt": "..." }
+{
+  "path":     ".",
+  "provider": "anthropic",
+  "apiKey":   "sk-ant-...",
+  "model":    "claude-opus-4-6",
+  "baseUrl":  null,
+  "webhook":  "https://your-server.example.com/webhook"
+}
 ```
 
-**Response — done**
+| Field | Required | Description |
+|---|---|---|
+| `path` | no | Path to scan. Defaults to cwd. Must be inside server cwd. |
+| `provider` | no | If supplied with `apiKey`, AI remediation runs after the scan |
+| `apiKey` | no | Provider API key |
+| `model` | no | Defaults per provider |
+| `baseUrl` | no | Override base URL for OpenAI-compatible providers |
+| `webhook` | no | URL to POST the final job payload to when complete (fire-and-forget) |
+
+**Response — 202 Accepted**
+
+```
+HTTP/1.1 202 Accepted
+Location: /jobs/job_1_1711363200000
+Retry-After: 2
+```
+```json
+{ "jobId": "job_1_1711363200000" }
+```
+
+Job lifecycle: `pending → scanning → scanned → remediating → done | error`
+
+Poll `GET /jobs/:id` or stream `GET /jobs/:id/stream` for progress.
+
+**Job object during remediation**
+```json
+{
+  "id":        "job_1_...",
+  "status":    "remediating",
+  "total":     8,
+  "completed": 3,
+  "current":   "SQL Injection"
+}
+```
+
+**Job object when done**
 ```json
 {
   "id":          "job_1_...",
@@ -179,6 +226,7 @@ Poll for remediation job status.
   "createdAt":   "...",
   "startedAt":   "...",
   "completedAt": "...",
+  "findings":    [ ... ],
   "results": [
     {
       "finding":        { ... },
@@ -193,28 +241,130 @@ Poll for remediation job status.
 
 ---
 
-## Examples
+### `GET /jobs/:id`
+
+Poll for job status. Works for jobs created by both `POST /remediate` and `POST /audit`.
+
+**Response — pending / scanning**
+```json
+{ "id": "job_1_...", "status": "scanning", "createdAt": "..." }
+```
+
+**Response — remediating (with progress)**
+```json
+{
+  "id":        "job_1_...",
+  "status":    "remediating",
+  "total":     8,
+  "completed": 3,
+  "current":   "SQL Injection"
+}
+```
+
+**Response — done**
+```json
+{
+  "id":          "job_1_...",
+  "status":      "done",
+  "createdAt":   "...",
+  "startedAt":   "...",
+  "completedAt": "...",
+  "results":     [ ... ]
+}
+```
+
+**Response — error**
+```json
+{ "id": "job_1_...", "status": "error", "error": "Provider returned 401: ..." }
+```
+
+The job store keeps up to **1 000 jobs** in memory (TTL: 1 hour). Oldest jobs are evicted when the cap is reached.
+
+---
+
+### `GET /jobs/:id/stream`
 
-### curl
+Real-time job progress via **Server-Sent Events (SSE)**. The server pushes an event each time the job state changes, and closes the connection when the job reaches `done` or `error`.
+
+```bash
+curl -N http://localhost:3000/jobs/job_1_.../stream \
+  -H "Authorization: Bearer YOUR_SECRET"
+```
+
+**Event format**
+```
+data: {"id":"job_1_...","status":"scanning","createdAt":"..."}
+
+data: {"id":"job_1_...","status":"scanned","findings":[...]}
+
+data: {"id":"job_1_...","status":"remediating","total":8,"completed":1,"current":"SQL Injection"}
+
+data: {"id":"job_1_...","status":"done","completedAt":"...","results":[...]}
+```
+
+The connection is closed automatically after the terminal state (`done` / `error`). If you connect to an already-completed job, the server pushes the current state and closes immediately.
+
+**Node.js example using EventSource**
+```javascript
+const es = new EventSource(
+  'http://localhost:3000/jobs/job_1_.../stream',
+  { headers: { Authorization: 'Bearer YOUR_SECRET' } }
+);
+es.onmessage = (e) => {
+  const job = JSON.parse(e.data);
+  if (job.status === 'done') { console.log(job.results); es.close(); }
+  if (job.status === 'error') { console.error(job.error); es.close(); }
+};
+```
+
+---
+
+## Full workflow examples
+
+### curl — scan only
 
 ```bash
-# Start server
 npx @lhi/tdd-audit serve --port 3000 --api-key mysecret &
 
-# Scan current directory
 curl -s -X POST http://localhost:3000/scan \
   -H "Authorization: Bearer mysecret" \
   -H "Content-Type: application/json" \
   -d '{"path": "."}' | jq '.summary'
+```
+
+### curl — full pipeline with polling
 
-# SARIF output for GitHub upload
+```bash
+# Kick off audit
+JOB=$(curl -s -X POST http://localhost:3000/audit \
+  -H "Authorization: Bearer mysecret" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "path":     ".",
+    "provider": "anthropic",
+    "apiKey":   "sk-ant-..."
+  }' | jq -r '.jobId')
+
+# Poll until done
+while true; do
+  STATUS=$(curl -s http://localhost:3000/jobs/$JOB \
+    -H "Authorization: Bearer mysecret" | jq -r '.status')
+  echo "Status: $STATUS"
+  [ "$STATUS" = "done" ] || [ "$STATUS" = "error" ] && break
+  sleep 2
+done
+```
+
+### curl — SARIF output for GitHub code scanning
+
+```bash
 curl -s -X POST http://localhost:3000/scan \
   -H "Authorization: Bearer mysecret" \
   -H "Content-Type: application/json" \
   -d '{"path": ".", "format": "sarif"}' > results.sarif
 ```
 
-### Node.js
+### Node.js — scan
 
 ```javascript
 const res = await fetch('http://localhost:3000/scan', {

package/docs/scanner.md

@@ -8,10 +8,12 @@
 
 | Export | Purpose |
 |---|---|
-| `quickScan(projectDir)` | Walk all source files and return a findings array |
+| `quickScan(projectDir)` | Walk all source files and return a merged findings array |
 | `scanPromptFiles(projectDir)` | Walk all `.md` prompt/skill files and check for prompt-specific patterns |
 | `scanAppConfig(projectDir)` | Check `app.json` / `app.config.*` for embedded secrets |
 | `scanAndroidManifest(projectDir)` | Check `AndroidManifest.xml` for `android:debuggable="true"` |
+| `scanPackageJson(projectDir)` | Check `package.json` lifecycle scripts for supply-chain exfiltration (postinstall curl/wget) |
+| `scanEnvFiles(projectDir)` | Check `.env*` files for `NEXT_PUBLIC_*SECRET/KEY/TOKEN` leaking secrets to the browser |
 | `printFindings(findings, exempted)` | Format and print a findings report to stdout |
 | `detectFramework(dir)` | Detect the test framework (`jest`, `vitest`, `mocha`, `pytest`, `go`, `flutter`) |
 | `detectAppFramework(dir)` | Detect the UI framework (`nextjs`, `expo`, `react-native`, `react`, `flutter`) |
@@ -23,7 +25,7 @@
 
 ```
 projectDir
-  └─ walkFiles()          — yields .js/.ts/.jsx/.tsx/.mjs/.py/.go/.dart files
+  └─ walkFiles()           — yields source files (see Scanned extensions below)
        └─ for each file:
             1. Read file content (read-first, check length after — no TOCTOU)
             2. Skip if content.length > 512 KB
@@ -32,12 +34,14 @@ projectDir
                  – If pattern matches, push finding with severity / name / file / line / snippet
                  – inTestFile: true if path is under a test directory
                  – likelyFalsePositive: true if inTestFile && pattern.skipInTests
-  └─ scanAppConfig()      — checks app.json / app.config.* for secret patterns
-  └─ scanAndroidManifest() — checks android:debuggable
-  └─ scanPromptFiles()    — walks .md files in prompt directories
+  └─ scanAppConfig()       — checks app.json / app.config.* for embedded secret patterns
+  └─ scanAndroidManifest() — checks android:debuggable="true"
+  └─ scanPromptFiles()     — walks .md files in agent config directories for prompt-specific patterns
+  └─ scanPackageJson()     — checks postinstall/preinstall lifecycle scripts for curl/wget exfiltration
+  └─ scanEnvFiles()        — checks .env* files for NEXT_PUBLIC_* keys with secret-sounding names
 ```
 
-All four result sets are merged into one array and returned to the caller.
+All six result sets are merged into one array and returned to the caller.
 
 ---
 
@@ -47,7 +51,7 @@ All four result sets are merged into one array and returned to the caller.
 
 Yields scannable source files (`SCAN_EXTENSIONS`). Skips:
 
-- **`SKIP_DIRS`**: `node_modules`, `.git`, `dist`, `build`, `.next`, `out`, `__pycache__`, `venv`, `.venv`, `vendor`, `.expo`, `.dart_tool`, `.pub-cache`
+- **`SKIP_DIRS`**: `node_modules`, `.git`, `dist`, `build`, `coverage`, `.next`, `out`, `__pycache__`, `venv`, `.venv`, `vendor`, `.expo`, `.dart_tool`, `.pub-cache`
 - **Symlinks** — never followed, preventing escape from the project root on shared/M-series filesystems
 
 ### `walkMdFiles(dir)`
@@ -58,9 +62,9 @@ Same skip rules, yields `.md` files only. Used by `scanPromptFiles`.
 
 ## Scanned extensions
 
-`.js` `.ts` `.jsx` `.tsx` `.mjs` `.py` `.go` `.dart`
+`.js` `.ts` `.jsx` `.tsx` `.mjs` `.py` `.go` `.dart` `.yml` `.yaml`
 
-YAML, JSON, XML, and shell files are not scanned by the code scanner. CI workflow files (`.yml`) are scanned separately when explicitly passed to the ASI08/ASI09 grep patterns during an agent-driven audit.
+JSON and XML files are not walked by the code scanner. `package.json` is handled by `scanPackageJson()` and `.env*` files by `scanEnvFiles()` — both run as separate targeted checks. CI workflow files (`.yml`/`.yaml`) **are** now scanned by `walkFiles()` for GitHub Actions expression injection and similar patterns.
 
 ---
 

package/docs/vulnerability-patterns.md

@@ -1,6 +1,6 @@
 # Vulnerability Patterns Reference
 
-All 34 patterns detected by `@lhi/tdd-audit`. Patterns are checked against every scannable source file line-by-line. Prompt/skill patterns are checked separately against `.md` files in agent configuration directories.
+All 57 patterns detected by `@lhi/tdd-audit` across 6 scanner modules. Source patterns are checked against `.js`, `.ts`, `.jsx`, `.tsx`, `.mjs`, `.py`, `.go`, `.dart`, `.yml`, and `.yaml` files line-by-line. Prompt/skill patterns are checked separately against `.md` files in agent configuration directories. Supply-chain patterns check `package.json`. NEXT_PUBLIC secret patterns also check `.env*` files.
 
 ---
 
@@ -198,3 +198,139 @@ These patterns are checked against `.md` files in `prompts/`, `skills/`, `.claud
 **Grep signature:** `android:debuggable="true"`
 **Why it matters:** Debug builds expose the app to `adb` inspection and arbitrary code injection on the device.
 **Fix:** Remove `android:debuggable` from `AndroidManifest.xml` (the build system sets it correctly per variant).
+
+---
+
+## AI / LLM Security (CRITICAL)
+
+### LLM Prompt Injection (CRITICAL)
+**Grep signature:** `{ role: "user", content: req.body... }`, `messages.push(req.body|query|params)`
+**Why it matters:** Untrusted user input injected directly into LLM messages enables attackers to hijack model behavior, exfiltrate data, or bypass safety controls.
+**Fix:** Sanitize and validate user input before insertion. Use a system-prompt separation layer. Never concatenate raw request data into the messages array.
+
+### LLM Output Execution (CRITICAL)
+**Grep signature:** `eval(response)`, `eval(result)`, `eval(output)`, `eval(completion)`
+**Why it matters:** Executing model-generated code gives an attacker who controls the model's context (or poisons its training) arbitrary code execution on your server.
+**Fix:** Never `eval()` LLM output. Use a sandboxed interpreter (Pyodide, isolated subprocess) or structured output schemas.
+
+### LangChain ShellTool (CRITICAL)
+**Grep signature:** `ShellTool()`, `LLMMathChain.from_llm(`, `PALChain.from_llm(`
+**Why it matters:** These tools execute shell commands or `eval()` LLM-generated Python on the host system. A malicious prompt achieves full RCE (CVE-2023-29374, CVSS 9.8).
+**Fix:** Remove `ShellTool` from agent toolkits. Replace `LLMMathChain`/`PALChain` with `numexpr` or sandboxed math evaluators.
+
+### Dynamic Require (CRITICAL)
+**Grep signature:** `require(req.query.`, `require(req.body.`, `require(req.params.`
+**Why it matters:** Attacker controls which Node.js module is loaded — can load `child_process`, `fs`, or custom malicious modules.
+**Fix:** Use a static map of allowed modules. Never pass user input to `require()`.
+
+### VM Code Injection (CRITICAL)
+**Grep signature:** `vm.runInNewContext(req.body`, `vm.runInContext(req.query`
+**Why it matters:** Node.js's `vm` module is not a security boundary — sandbox escape is possible with crafted prototypes. Attacker achieves full RCE.
+**Fix:** Use a proper sandbox (isolated-vm, Deno subprocess) for user-supplied code execution.
+
+### node-serialize RCE (CRITICAL)
+**Grep signature:** `require('node-serialize')`
+**Why it matters:** `node-serialize` is known to be vulnerable to remote code execution via IIFE injection in serialized strings. Any use is an immediate CRITICAL risk.
+**Fix:** Uninstall `node-serialize`. Use `JSON.parse()` / `JSON.stringify()` with schema validation.
+
+### Hardcoded OpenAI Key (CRITICAL)
+**Grep signature:** `'sk-proj-...'`, `'sk-...T3BlbkFJ...'` (≥60 chars)
+**Note:** `skipInTests: true`
+**Why it matters:** A committed API key gives anyone with repo access unlimited access to your OpenAI account and budget.
+**Fix:** Use `process.env.OPENAI_API_KEY`. Rotate the key immediately. Run `gitleaks` on git history.
+
+### Hardcoded Anthropic Key (CRITICAL)
+**Grep signature:** `'sk-ant-api03-...'`
+**Note:** `skipInTests: true`
+**Why it matters:** Committed Anthropic API key leaks billing access and all Claude API capabilities.
+**Fix:** Use environment variables. Rotate immediately via the Anthropic console.
+
+### GitHub Actions Injection (CRITICAL)
+**Files checked:** `.yml` and `.yaml` workflow files
+**Grep signature:** `${{ github.event.pull_request.title }}`, `${{ github.head_ref }}`, `${{ github.event.issue.body }}`
+**Why it matters:** These GitHub context values are attacker-controlled (PR title, branch name, issue body). Interpolating them into a `run:` step enables arbitrary command execution in your CI pipeline.
+**Fix:** Use an intermediate environment variable: `env: TITLE: ${{ github.event.pull_request.title }}` then reference `$TITLE` in the shell script.
+
+---
+
+## Electron / Desktop Security
+
+### Electron nodeIntegration (CRITICAL)
+**Grep signature:** `nodeIntegration: true`
+**Why it matters:** Enables Node.js APIs in the renderer process. Any XSS in a web page loaded by the app achieves full system compromise.
+**Fix:** Set `nodeIntegration: false` (default). Use `contextBridge` to expose specific APIs.
+
+### Electron webSecurity Off (CRITICAL)
+**Grep signature:** `webSecurity: false`
+**Why it matters:** Disables the same-origin policy in the renderer, allowing cross-origin reads and mixed-content loads.
+**Fix:** Never disable `webSecurity`. Fix CORS configuration on the server instead.
+
+### Electron contextIsolation Off (HIGH)
+**Grep signature:** `contextIsolation: false`
+**Why it matters:** When context isolation is off, the renderer's JavaScript shares a prototype chain with the preload script, enabling prototype pollution attacks from web content.
+**Fix:** Set `contextIsolation: true` (default since Electron 12). Use `contextBridge.exposeInMainWorld` for IPC.
+
+---
+
+## AI / LLM Security (HIGH)
+
+### Header Injection (HIGH)
+**Grep signature:** `res.setHeader(x, req.body|query|params)`, `res.set(x, req.body|query|params)`
+**Why it matters:** Attacker can inject HTTP response headers, enabling cache poisoning, CORS bypass, or CSP override.
+**Fix:** Validate and allowlist header values before passing to `res.setHeader()`.
+
+### XPath Injection (HIGH)
+**Grep signature:** `xpath.select(req.query|body|params`, `xpath.evaluate(req.`
+**Why it matters:** Attacker can manipulate XPath queries to bypass authentication or extract arbitrary XML data.
+**Fix:** Never concatenate user input into XPath expressions. Use parameterized XPath if your library supports it.
+
+### Insecure Cookie (HIGH)
+**Grep signature:** `httpOnly: false`
+**Why it matters:** Cookies without `httpOnly` are readable via JavaScript, enabling session theft through XSS.
+**Fix:** Set `httpOnly: true` on all session and auth cookies. Use `secure: true` in production.
+
+### Credentials in AI Prompt (HIGH)
+**Grep signature:** `system_prompt = "...mongodb://user:pass@..."`, `prompt += "...postgresql://...@..."`
+**Why it matters:** Database connection strings with embedded passwords sent to external AI APIs expose credentials to the provider and any prompt logs.
+**Fix:** Never include connection strings or credentials in prompts. Pass only sanitized, context-free data.
+
+### LangChain Experimental (HIGH)
+**Grep signature:** `from langchain_experimental`, `from 'langchain/experimental'`
+**Why it matters:** The `langchain_experimental` package contains agents and chains with known RCE risk (PALChain, SQLDatabaseChain without sandboxing). It explicitly carries an "experimental" security disclaimer.
+**Fix:** Audit each class imported from `langchain_experimental`. Replace PALChain/LLMMathChain with safe alternatives.
+
+### Hardcoded HuggingFace Token (HIGH)
+**Grep signature:** `'hf_...'` (≥30 chars)
+**Note:** `skipInTests: true`
+**Why it matters:** A committed HuggingFace token grants write access to model repos and private datasets.
+**Fix:** Use `process.env.HF_TOKEN`. Rotate via huggingface.co/settings/tokens.
+
+### NEXT_PUBLIC Secret (HIGH)
+**Grep signature:** `NEXT_PUBLIC_SECRET_KEY`, `NEXT_PUBLIC_API_KEY`, `NEXT_PUBLIC_TOKEN`, etc. in code and `.env*` files
+**Note:** `skipInTests: true`; also checked in `.env`, `.env.local`, `.env.production`, `.env.development`
+**Why it matters:** Variables prefixed with `NEXT_PUBLIC_` are inlined into the client-side JavaScript bundle at build time. Any secret with this prefix is shipped to every browser.
+**Fix:** Remove `NEXT_PUBLIC_` prefix from secret variables. Access them only server-side via `getServerSideProps` or API routes.
+
+### Trojan Source (HIGH)
+**Grep signature:** Unicode bidi control characters (U+202A–U+202E, U+2066–U+2069) in source code
+**Why it matters:** CVE-2021-42574 — bidi control characters cause the code displayed in editors/diffs to differ from what the compiler executes, hiding malicious logic in plain sight.
+**Fix:** Configure your editor and linter to detect and reject bidi characters in source files.
+
+---
+
+## Prompt / Skill / Agent Patterns (expanded)
+
+### MCP Tool Poisoning (HIGH)
+**Grep signature:** `"description": "ignore previous instructions..."`, `"description": "override instructions..."`
+**Why it matters:** Malicious MCP servers embed instructions in tool description fields. When an AI agent reads the tool list, it executes the injected instructions — redirecting actions, exfiltrating data, or bypassing safety checks.
+**Fix:** Audit all MCP server tool descriptions. Use only servers from trusted sources. Pin MCP servers to verified commits.
+
+---
+
+## Supply Chain / Package Patterns
+
+### Supply Chain Exfiltration (CRITICAL)
+**Files checked:** `package.json` `scripts.postinstall` / `scripts.preinstall`
+**Grep signature:** `"postinstall": "curl https://..."`, `"preinstall": "wget http://..."`
+**Why it matters:** A postinstall script that shells out to `curl`/`wget` can silently exfiltrate environment variables, `.env` files, or SSH keys to an attacker's server the moment anyone installs your package or its parent.
+**Fix:** Remove network calls from lifecycle scripts. If data collection is needed, make it explicit and user-consented, never automatic on install.

package/index.js

@@ -13,6 +13,7 @@ const {
 } = require('./lib/scanner');
 const { toJson, toSarif, toText } = require('./lib/reporter');
 const { writeInitConfig } = require('./lib/config');
+const { badgeLine, injectBadge } = require('./lib/badge');
 
 const args = process.argv.slice(2);
 const isLocal   = args.includes('--local');
@@ -87,6 +88,7 @@ if (scanOnly) {
     process.stdout.write('\n');
     printFindings(findings, exempted);
   }
+  injectBadge(projectDir, badgeLine(findings));
   process.exit(0);
 }
 
@@ -243,6 +245,9 @@ if (!skipScan) {
   const findings = quickScan(projectDir);
   process.stdout.write('\n');
   printFindings(findings);
+  const badge = badgeLine(findings);
+  injectBadge(projectDir, badge);
+  console.log('✅ README badge updated');
 }
 
 console.log(`\nSkill installed to ${path.relative(os.homedir(), targetSkillDir)}`);