@lhi/tdd-audit 1.11.0 → 1.14.0

package/lib/badge.js

@@ -0,0 +1,94 @@
+'use strict';
+
+const fs   = require('fs');
+const path = require('path');
+
+// Marker embedded in the badge line — used to find and replace it on re-scan.
+const BADGE_MARKER = 'tdd-audit-badge';
+
+const NPM_URL = 'https://www.npmjs.com/package/@lhi/tdd-audit';
+
+/**
+ * Build a shields.io badge markdown line reflecting actual scan results.
+ *
+ * - 0 critical/high (real) findings → "passing" · brightgreen
+ * - ≥1 high (no critical)           → "{n} high"  · orange
+ * - ≥1 critical                     → "{n} critical" · red
+ *
+ * likelyFalsePositive findings (test fixtures) are excluded from the count.
+ *
+ * @param {Array} findings  - findings array returned by quickScan()
+ * @returns {string}        - single-line markdown badge ending with \n
+ */
+function badgeLine(findings) {
+  // Exclude test-file findings and likely false positives — badge reflects production code only
+  const real     = (findings || []).filter(f => !f.likelyFalsePositive && !f.inTestFile);
+  const criticals = real.filter(f => f.severity === 'CRITICAL').length;
+  const highs     = real.filter(f => f.severity === 'HIGH').length;
+
+  let message, color;
+  if (criticals > 0) {
+    message = `${criticals}%20critical`;
+    color   = 'red';
+  } else if (highs > 0) {
+    message = `${highs}%20high`;
+    color   = 'orange';
+  } else {
+    message = 'passing';
+    color   = 'brightgreen';
+  }
+
+  const badgeUrl = `https://img.shields.io/badge/tdd--audit-${message}-${color}`;
+  // Embed the marker as a hidden HTML comment after the badge so injectBadge()
+  // can locate and replace the line on subsequent runs.
+  return `[![tdd-audit](${badgeUrl})](${NPM_URL}) <!-- ${BADGE_MARKER} -->\n`;
+}
+
+/**
+ * Inject or update the tdd-audit badge in the project's README.md.
+ *
+ * Behaviour:
+ *  - Searches for README.md / readme.md / README in the project root.
+ *  - If a badge line (identified by BADGE_MARKER) already exists, replaces it.
+ *  - Otherwise inserts the badge immediately after the first `# Heading` line.
+ *    If no heading exists, prepends to the file.
+ *  - No-ops silently when no README is found.
+ *  - Idempotent: running twice with the same inputs produces the same output.
+ *
+ * @param {string} projectDir  - absolute path to the project root
+ * @param {string} badge       - badge markdown line from badgeLine()
+ */
+function injectBadge(projectDir, badge) {
+  const candidates = ['README.md', 'readme.md', 'Readme.md', 'README'];
+  let readmePath = null;
+  for (const name of candidates) {
+    const p = path.join(projectDir, name);
+    if (fs.existsSync(p)) { readmePath = p; break; }
+  }
+  if (!readmePath) return;
+
+  const original = fs.readFileSync(readmePath, 'utf8');
+
+  // Replace existing badge (idempotent + allows re-scan update)
+  if (original.includes(BADGE_MARKER)) {
+    const updated = original.replace(/^.*tdd-audit-badge.*$/m, badge.trimEnd());
+    fs.writeFileSync(readmePath, updated);
+    return;
+  }
+
+  // Insert after the first h1 line, or prepend if no h1 exists
+  const lines = original.split('\n');
+  const h1Idx = lines.findIndex(l => /^#\s/.test(l));
+
+  let updated;
+  if (h1Idx !== -1) {
+    lines.splice(h1Idx + 1, 0, badge.trimEnd());
+    updated = lines.join('\n');
+  } else {
+    updated = badge.trimEnd() + '\n' + original;
+  }
+
+  fs.writeFileSync(readmePath, updated);
+}
+
+module.exports = { badgeLine, injectBadge, BADGE_MARKER };

package/lib/jobs.js

@@ -0,0 +1,53 @@
+'use strict';
+
+const { EventEmitter } = require('events');
+
+// ─── Job store (singleton, in-memory) ────────────────────────────────────────
+
+const MAX_JOBS   = 1_000;
+const JOB_TTL_MS = 60 * 60 * 1_000; // 1 hour
+
+const jobs   = new Map();
+let   jobSeq = 0;
+
+// EventEmitter used to push job updates to SSE subscribers
+const _emitter = new EventEmitter();
+_emitter.setMaxListeners(500);
+
+function evictJobs() {
+  const cutoff = Date.now() - JOB_TTL_MS;
+  for (const [id, job] of jobs) {
+    if (new Date(job.createdAt).getTime() < cutoff) jobs.delete(id);
+  }
+  while (jobs.size >= MAX_JOBS) {
+    jobs.delete(jobs.keys().next().value);
+  }
+}
+
+function createJob() {
+  evictJobs();
+  const id = `job_${++jobSeq}_${Date.now()}`;
+  jobs.set(id, { id, status: 'pending', createdAt: new Date().toISOString() });
+  return id;
+}
+
+function updateJob(id, patch) {
+  const job = jobs.get(id);
+  if (!job) return;
+  const updated = { ...job, ...patch };
+  jobs.set(id, updated);
+  _emitter.emit(id, updated);
+}
+
+/**
+ * Subscribe to live updates for a job.
+ * @param {string}   id  - job id
+ * @param {Function} fn  - called with the updated job object on every change
+ * @returns {Function}   - call to unsubscribe
+ */
+function subscribe(id, fn) {
+  _emitter.on(id, fn);
+  return () => _emitter.off(id, fn);
+}
+
+module.exports = { jobs, createJob, updateJob, subscribe, evictJobs, MAX_JOBS, JOB_TTL_MS };

package/lib/plugin.js

@@ -0,0 +1,308 @@
+'use strict';
+
+const crypto  = require('crypto');
+const path    = require('path');
+const Fastify = require('fastify');
+
+const { quickScan }        = require('./scanner');
+const { toJson, toSarif }  = require('./reporter');
+const { remediate }        = require('./remediator');
+const { version }          = require('../package.json');
+const {
+  jobs, createJob, updateJob, subscribe, MAX_JOBS,
+} = require('./jobs');
+
+// ─── Auth ─────────────────────────────────────────────────────────────────────
+
+// Fixed HMAC key — normalises token lengths for constant-time comparison.
+const _authHmacKey = crypto.randomBytes(32);
+
+/**
+ * Authenticate a Fastify request.
+ * Accepts either a raw Node req or a Fastify request object.
+ * Uses HMAC + timingSafeEqual to prevent timing-oracle attacks.
+ */
+function authenticate(req, cfg) {
+  if (!cfg.serverApiKey) return true;
+  const headers = req.headers || {};
+  const header  = headers['authorization'] || '';
+  const token   = header.startsWith('Bearer ') ? header.slice(7) : '';
+  const expected = crypto.createHmac('sha256', _authHmacKey).update(cfg.serverApiKey).digest();
+  const actual   = crypto.createHmac('sha256', _authHmacKey).update(token).digest();
+  return crypto.timingSafeEqual(expected, actual);
+}
+
+// ─── Rate limiter ─────────────────────────────────────────────────────────────
+
+const RATE_LIMIT_MAX    = 60;
+const RATE_LIMIT_WINDOW = 60 * 1_000;
+
+function createRateLimit() {
+  const _counts = new Map();
+  return {
+    _counts,
+    check(ip) {
+      const now   = Date.now();
+      const entry = _counts.get(ip) || { count: 0, windowStart: now };
+      if (now - entry.windowStart >= RATE_LIMIT_WINDOW) {
+        entry.count = 0;
+        entry.windowStart = now;
+      }
+      entry.count += 1;
+      _counts.set(ip, entry);
+      return entry.count <= RATE_LIMIT_MAX;
+    },
+    reset() { _counts.clear(); },
+  };
+}
+
+// ─── Path validation ──────────────────────────────────────────────────────────
+
+function safeScanPath(rawPath) {
+  const cwd      = process.cwd();
+  const resolved = path.resolve(cwd, rawPath || cwd);
+  const cwdNorm  = cwd.endsWith(path.sep) ? cwd : cwd + path.sep;
+  if (resolved !== cwd && !resolved.startsWith(cwdNorm)) {
+    throw new Error('Path outside working directory');
+  }
+  return resolved;
+}
+
+// ─── Security headers ────────────────────────────────────────────────────────
+
+const SECURITY_HEADERS = {
+  'X-Content-Type-Options':  'nosniff',
+  'X-Frame-Options':         'DENY',
+  'Content-Security-Policy': "default-src 'none'",
+};
+
+// ─── Fastify plugin ───────────────────────────────────────────────────────────
+
+/**
+ * Fastify plugin that registers all tdd-audit REST routes.
+ *
+ * Options:
+ *   cfg          - loaded config object
+ *   rateLimiter  - rate limiter instance (from createRateLimit())
+ */
+async function tddAuditPlugin(fastify, opts) {
+  const { cfg, rateLimiter } = opts;
+
+  // ── Security headers on every reply ────────────────────────────────────────
+  fastify.addHook('onSend', async (request, reply) => {
+    for (const [k, v] of Object.entries(SECURITY_HEADERS)) {
+      reply.header(k, v);
+    }
+  });
+
+  // ── Rate limiting ────────────────────────────────────────────────────────
+  fastify.addHook('preHandler', async (request, reply) => {
+    const ip = cfg.trustProxy
+      ? (request.headers['x-forwarded-for'] || request.ip || '').split(',')[0].trim()
+      : (request.ip || 'unknown');
+    if (!rateLimiter.check(ip)) {
+      reply.code(429).send({ error: 'Too Many Requests' });
+    }
+  });
+
+  // ── GET /health ──────────────────────────────────────────────────────────
+  fastify.get('/health', async () => ({ status: 'ok', version }));
+
+  // ── Authentication for all non-health routes ────────────────────────────
+  fastify.addHook('preHandler', async (request, reply) => {
+    if (request.routeOptions?.url === '/health') return;
+    if (!authenticate(request, cfg)) {
+      reply.code(401).send({ error: 'Unauthorized' });
+    }
+  });
+
+  // ── POST /scan ──────────────────────────────────────────────────────────
+  fastify.post('/scan', {
+    config: { rawBody: false },
+  }, async (request, reply) => {
+    const body = request.body || {};
+
+    let scanPath;
+    try { scanPath = safeScanPath(body.path); }
+    catch (e) { return reply.code(400).send({ error: e.message }); }
+
+    const format   = body.format || cfg.output || 'json';
+    const t0       = Date.now();
+    const findings = quickScan(scanPath);
+    const exempted = findings.exempted || [];
+    const duration = Date.now() - t0;
+
+    if (format === 'sarif') return toSarif(findings, scanPath);
+    return { ...toJson(findings, exempted), duration };
+  });
+
+  // ── POST /remediate ──────────────────────────────────────────────────────
+  fastify.post('/remediate', async (request, reply) => {
+    const body = request.body || {};
+    const { findings, provider, apiKey, model, baseUrl } = body;
+
+    if (!findings || !provider || !apiKey) {
+      return reply.code(400).send({ error: 'findings, provider, and apiKey are required' });
+    }
+
+    const jobId = createJob();
+
+    setImmediate(async () => {
+      try {
+        updateJob(jobId, { status: 'running', startedAt: new Date().toISOString() });
+        const results = await remediate({
+          findings, provider, apiKey,
+          model:   model   || cfg.model,
+          baseUrl: baseUrl || cfg.baseUrl,
+        });
+        updateJob(jobId, { status: 'done', completedAt: new Date().toISOString(), results });
+      } catch (err) {
+        updateJob(jobId, { status: 'error', error: err.message });
+      }
+    });
+
+    return reply.code(202).send({ jobId });
+  });
+
+  // ── POST /audit — full scan+remediate pipeline ────────────────────────────
+  fastify.post('/audit', async (request, reply) => {
+    const body = request.body || {};
+    const { path: rawPath, provider, apiKey, model, baseUrl, webhook } = body;
+
+    let scanPath;
+    try { scanPath = safeScanPath(rawPath); }
+    catch (e) { return reply.code(400).send({ error: e.message }); }
+
+    const jobId = createJob();
+
+    setImmediate(async () => {
+      try {
+        // Phase 1: scan
+        updateJob(jobId, { status: 'scanning', startedAt: new Date().toISOString() });
+        const findings = quickScan(scanPath);
+        updateJob(jobId, { status: 'scanned', findings });
+
+        // Phase 2: remediate (if provider supplied)
+        if (provider && apiKey) {
+          const total = findings.filter(f => !f.likelyFalsePositive).length;
+          updateJob(jobId, { status: 'remediating', total, completed: 0 });
+
+          // remediate is eagerly required at module top
+          const results = await remediate({
+            findings, provider, apiKey,
+            model:   model   || cfg.model,
+            baseUrl: baseUrl || cfg.baseUrl,
+            onProgress: (completed, current) => {
+              updateJob(jobId, { status: 'remediating', total, completed, current });
+            },
+          });
+          updateJob(jobId, {
+            status: 'done',
+            completedAt: new Date().toISOString(),
+            findings,
+            results,
+          });
+        } else {
+          updateJob(jobId, { status: 'done', completedAt: new Date().toISOString(), findings });
+        }
+
+        // Optional webhook fire-and-forget
+        if (webhook) {
+          const job = jobs.get(jobId);
+          fetch(webhook, {
+            method:  'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body:    JSON.stringify(job),
+          }).catch(() => {}); // never throw
+        }
+      } catch (err) {
+        updateJob(jobId, { status: 'error', error: err.message });
+      }
+    });
+
+    reply.header('Location', `/jobs/${jobId}`);
+    reply.header('Retry-After', '2');
+    return reply.code(202).send({ jobId });
+  });
+
+  // ── GET /jobs/:id ────────────────────────────────────────────────────────
+  fastify.get('/jobs/:id', async (request, reply) => {
+    const job = jobs.get(request.params.id);
+    if (!job) return reply.code(404).send({ error: 'Job not found' });
+    return job;
+  });
+
+  // ── GET /jobs/:id/stream — SSE real-time job updates ─────────────────────
+  fastify.get('/jobs/:id/stream', async (request, reply) => {
+    const id  = request.params.id;
+    const job = jobs.get(id);
+    if (!job) return reply.code(404).send({ error: 'Job not found' });
+
+    reply.hijack();
+    const raw = reply.raw;
+    raw.writeHead(200, {
+      'Content-Type':  'text/event-stream',
+      'Cache-Control': 'no-cache',
+      'Connection':    'keep-alive',
+      ...SECURITY_HEADERS,
+    });
+
+    const send = (data) => {
+      raw.write(`data: ${JSON.stringify(data)}\n\n`);
+    };
+
+    // Push current state immediately
+    send(jobs.get(id));
+
+    if (job.status === 'done' || job.status === 'error') {
+      raw.end();
+      return;
+    }
+
+    const unsubscribe = subscribe(id, (updated) => {
+      send(updated);
+      if (updated.status === 'done' || updated.status === 'error') {
+        unsubscribe();
+        raw.end();
+      }
+    });
+
+    raw.on('close', unsubscribe);
+  });
+}
+
+// ─── App factory ──────────────────────────────────────────────────────────────
+
+/**
+ * Build and return a configured Fastify instance.
+ * @param {object} cfg  - loaded config object
+ * @param {object} [overrides] - optional overrides (e.g. { logger: true })
+ */
+function buildApp(cfg, overrides = {}) {
+  const fastify = Fastify({
+    logger:           false,
+    trustProxy:       cfg.trustProxy || false,
+    bodyLimit:        512 * 1024, // 512 KB
+    ...overrides,
+  });
+
+  const rateLimiter = createRateLimit();
+
+  fastify.register(tddAuditPlugin, { cfg, rateLimiter });
+
+  // Expose internals for testing
+  fastify.decorate('rateLimiter', rateLimiter);
+  fastify.decorate('jobs',        jobs);
+  fastify.decorate('cfg',         cfg);
+
+  return fastify;
+}
+
+module.exports = {
+  tddAuditPlugin,
+  buildApp,
+  authenticate,
+  safeScanPath,
+  createRateLimit,
+  RATE_LIMIT_MAX,
+};

package/lib/remediator.js

@@ -185,10 +185,11 @@ function parseResponse(text) {
  * @param {string} opts.apiKey
  * @param {string} [opts.model]
  * @param {string} [opts.baseUrl]  - override base URL for OpenAI-compatible providers
- * @param {string} [opts.severity] - minimum severity to fix ('CRITICAL','HIGH','MEDIUM','LOW')
+ * @param {string}   [opts.severity]    - minimum severity to fix ('CRITICAL','HIGH','MEDIUM','LOW')
+ * @param {Function} [opts.onProgress]  - called with (completedCount, currentFindingName) after each finding
  * @returns {Promise<Array>} - results per finding
  */
-async function remediate({ findings, provider, apiKey, model, baseUrl, severity = 'LOW' }) {
+async function remediate({ findings, provider, apiKey, model, baseUrl, severity = 'LOW', onProgress }) {
   const ORDER = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3 };
   const threshold = ORDER[severity.toUpperCase()] ?? 3;
 
@@ -197,7 +198,8 @@ async function remediate({ findings, provider, apiKey, model, baseUrl, severity
     .sort((a, b) => (ORDER[a.severity] ?? 99) - (ORDER[b.severity] ?? 99));
 
   const results = [];
-  for (const finding of targets) {
+  for (let i = 0; i < targets.length; i++) {
+    const finding = targets[i];
     try {
       const prompt   = buildRemediationPrompt(finding);
       const raw      = await callProvider(provider, apiKey, model, prompt, baseUrl);
@@ -206,6 +208,9 @@ async function remediate({ findings, provider, apiKey, model, baseUrl, severity
     } catch (err) {
       results.push({ finding, status: 'error', error: err.message });
     }
+    if (typeof onProgress === 'function') {
+      onProgress(i + 1, finding.name);
+    }
   }
   return results;
 }

package/lib/scanner.js

@@ -42,19 +42,42 @@ const VULN_PATTERNS = [
   { name: 'JWT Alg None',            severity: 'CRITICAL', pattern: /algorithm\s*:\s*['"]none['"]/i },
   { name: 'Timing-Unsafe Comparison',severity: 'HIGH',     pattern: /\b(?:token|password|secret|hash|digest|hmac|signature|api.?key)\w*\s*={2,3}\s*\w|(?:req\.(?:headers?|body|query|params)\.\w+)\s*={2,3}/i },
   { name: 'ReDoS',                   severity: 'HIGH',     pattern: /new\s+RegExp\s*\(\s*req\.(?:query|body|params)\./i },
+  // ── AI / LLM Security ───────────────────────────────────────────────────────
+  { name: 'LLM Prompt Injection',       severity: 'CRITICAL', pattern: /\{\s*role\s*:\s*['"](?:user|system)['"]\s*,\s*content\s*:\s*req\.(body|query|params)|messages\b[^;\n]{0,100}push\s*\([^)]*req\.(body|query|params)/i },
+  { name: 'LLM Output Execution',       severity: 'CRITICAL', pattern: /\beval\s*\(\s*(?:await\s+)?(?:response|result|output|completion|generated|llmResult|aiResult)\b/i },
+  { name: 'LangChain ShellTool',        severity: 'CRITICAL', pattern: /\bShellTool\s*\(\)|LLMMathChain\.from_llm\s*\(|PALChain\.from_llm\s*\(/i },
+  { name: 'Dynamic Require',            severity: 'CRITICAL', pattern: /\brequire\s*\(\s*req\.(query|body|params)\./i },
+  { name: 'VM Code Injection',          severity: 'CRITICAL', pattern: /\bvm\.(runInNewContext|runInContext|runInThisContext)\s*\(\s*req\.(body|query|params)/i },
+  { name: 'node-serialize RCE',         severity: 'CRITICAL', pattern: /require\s*\(\s*['"]node-serialize['"]\s*\)/ },
+  { name: 'Electron nodeIntegration',   severity: 'CRITICAL', pattern: /\bnodeIntegration\s*:\s*true\b/ },
+  { name: 'Electron webSecurity Off',   severity: 'CRITICAL', pattern: /\bwebSecurity\s*:\s*false\b/ },
+  { name: 'GitHub Actions Injection',   severity: 'CRITICAL', pattern: /\$\{\{\s*github\.(event\.(pull_request\.(title|body)|issue\.(title|body)|comment\.body|review\.body)|head_ref)\s*\}\}/ },
+  { name: 'Hardcoded OpenAI Key',       severity: 'CRITICAL', skipInTests: true, pattern: /['"]sk-(?:proj-[A-Za-z0-9_\-]{40,}|[A-Za-z0-9]{20}T3BlbkFJ[A-Za-z0-9_\-]{20,})['"]/ },
+  { name: 'Hardcoded Anthropic Key',    severity: 'CRITICAL', skipInTests: true, pattern: /['"]sk-ant-api03-[A-Za-z0-9_\-]{10,}['"]/ },
+  // ── HIGH — web / protocol / AI ──────────────────────────────────────────────
+  { name: 'Header Injection',           severity: 'HIGH',     pattern: /res\.(?:setHeader|set)\s*\([^,]+,\s*req\.(body|query|params)\b/i },
+  { name: 'XPath Injection',            severity: 'HIGH',     pattern: /xpath\.(?:select|evaluate|selectNodes?)\s*\([^)]*req\.(query|body|params)/i },
+  { name: 'Insecure Cookie',            severity: 'HIGH',     pattern: /\bhttpOnly\s*:\s*false\b/ },
+  { name: 'Credentials in AI Prompt',   severity: 'HIGH',     pattern: /(?:system_prompt|systemPrompt|system|prompt|instruction)\s*[=:+][^;\n]{0,120}(?:mongodb(?:\+srv)?|postgresql?|mysql|redis):\/\/[a-zA-Z0-9_\-]+:[^@\s]{3,}@/ },
+  { name: 'LangChain Experimental',     severity: 'HIGH',     pattern: /from\s+langchain_experimental\b|from\s+['"]langchain\/experimental['"]/i },
+  { name: 'Hardcoded HuggingFace Token',severity: 'HIGH',     skipInTests: true, pattern: /['"]hf_[A-Za-z0-9]{30,}['"]/ },
+  { name: 'NEXT_PUBLIC Secret',         severity: 'HIGH',     skipInTests: true, pattern: /\bNEXT_PUBLIC_\w*(?:SECRET|PRIVATE|API_KEY|TOKEN|PASSWORD|CREDENTIAL)\w*/i },
+  { name: 'Electron contextIsolation Off', severity: 'HIGH',  pattern: /\bcontextIsolation\s*:\s*false\b/ },
+  { name: 'Trojan Source',              severity: 'HIGH',     pattern: /[\u202A-\u202E\u2066-\u2069]/ },
 ];
 
-const SCAN_EXTENSIONS = new Set(['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.go', '.dart']);
+const SCAN_EXTENSIONS = new Set(['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.go', '.dart', '.yml', '.yaml']);
 
 /** Maximum file size to read before skipping (512 KB). Prevents OOM on large generated files. */
 const MAX_SCAN_FILE_BYTES = 512 * 1024;
-const SKIP_DIRS = new Set(['node_modules', '.git', 'dist', 'build', '.next', 'out', '__pycache__', 'venv', '.venv', 'vendor', '.expo', '.dart_tool', '.pub-cache']);
+const SKIP_DIRS = new Set(['node_modules', '.git', 'dist', 'build', 'coverage', '.next', 'out', '__pycache__', 'venv', '.venv', 'vendor', '.expo', '.dart_tool', '.pub-cache']);
 
 // ─── Prompt / Skill Patterns ──────────────────────────────────────────────────
 
 const PROMPT_PATTERNS = [
   { name: 'Deprecated CSRF Package',  severity: 'CRITICAL', pattern: /\bcsurf\b/,               skipCommentLine: true },
   { name: 'Unpinned npx MCP Server',  severity: 'HIGH',     pattern: /"command"\s*:\s*"npx"/ },
+  { name: 'MCP Tool Poisoning',       severity: 'HIGH',     pattern: /"description"\s*:\s*"[^"]*(?:ignore (?:previous|all)|override (?:previous )?instructions?|disregard|forget (?:all )?(?:previous )?instructions?|you are now|new instructions?)/i },
   { name: 'Cleartext URL in Prompt',  severity: 'MEDIUM',   pattern: /\bhttp:\/\/(?!localhost|127\.0\.0\.1|169\.254\.)[a-zA-Z0-9]/ },
 ];
 
@@ -355,6 +378,74 @@ function scanAndroidManifest(projectDir) {
   return findings;
 }
 
+/**
+ * Scan package.json for supply-chain exfiltration: postinstall/preinstall scripts
+ * that shell out to curl/wget, which can silently steal data at install time.
+ * @param {string} projectDir - project root
+ * @returns {Array}
+ */
+function scanPackageJson(projectDir) {
+  const findings = [];
+  const filePath = path.join(projectDir, 'package.json');
+  if (!fs.existsSync(filePath)) return findings;
+  let lines;
+  try { lines = fs.readFileSync(filePath, 'utf8').split('\n'); } catch { return findings; }
+  const supplyChainRe = /["'](?:postinstall|preinstall)["']\s*:\s*["'][^"']*(?:curl|wget)\s+https?:\/\//i;
+  for (let i = 0; i < lines.length; i++) {
+    if (supplyChainRe.test(lines[i])) {
+      findings.push({
+        severity: 'CRITICAL',
+        name: 'Supply Chain Exfiltration',
+        file: 'package.json',
+        line: i + 1,
+        snippet: lines[i].trim().slice(0, 80),
+        inTestFile: false,
+        likelyFalsePositive: false,
+      });
+    }
+  }
+  return findings;
+}
+
+/**
+ * Scan .env files for NEXT_PUBLIC_ variables containing secrets.
+ * NEXT_PUBLIC_ variables are inlined into the client-side JS bundle at build
+ * time, so any secret stored with this prefix is exposed to all browsers.
+ * @param {string} projectDir - project root
+ * @returns {Array}
+ */
+function scanEnvFiles(projectDir) {
+  const findings = [];
+  const candidates = ['.env', '.env.local', '.env.development', '.env.production', '.env.test', '.env.staging'];
+  const nextPublicSecretRe = /^NEXT_PUBLIC_\w*(?:SECRET|PRIVATE|API_KEY|TOKEN|PASSWORD|CREDENTIAL)\w*\s*=/i;
+  for (const name of candidates) {
+    const filePath = path.join(projectDir, name);
+    if (!fs.existsSync(filePath)) continue;
+    let content;
+    try {
+      content = fs.readFileSync(filePath, 'utf8');
+      if (content.length > MAX_SCAN_FILE_BYTES) continue;
+    } catch { continue; }
+    const lines = content.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (!line.trim() || line.trim().startsWith('#')) continue;
+      if (nextPublicSecretRe.test(line)) {
+        findings.push({
+          severity: 'HIGH',
+          name: 'NEXT_PUBLIC Secret',
+          file: name,
+          line: i + 1,
+          snippet: line.trim().slice(0, 80),
+          inTestFile: false,
+          likelyFalsePositive: false,
+        });
+      }
+    }
+  }
+  return findings;
+}
+
 // ─── Quick Scan ───────────────────────────────────────────────────────────────
 
 /**
@@ -396,7 +487,7 @@ function quickScan(projectDir) {
       }
     }
   }
-  return [...findings, ...scanAppConfig(projectDir), ...scanAndroidManifest(projectDir), ...scanPromptFiles(projectDir)];
+  return [...findings, ...scanAppConfig(projectDir), ...scanAndroidManifest(projectDir), ...scanPromptFiles(projectDir), ...scanPackageJson(projectDir), ...scanEnvFiles(projectDir)];
 }
 
 // ─── Print Findings ───────────────────────────────────────────────────────────
@@ -462,6 +553,8 @@ module.exports = {
   hasSafeAuditStatus,
   scanAppConfig,
   scanAndroidManifest,
+  scanPackageJson,
+  scanEnvFiles,
   scanPromptFiles,
   quickScan,
   printFindings,