@lhi/tdd-audit 1.12.0 → 1.14.0

package/README.md

@@ -1,6 +1,7 @@
 # @lhi/tdd-audit
+[![tdd-audit](https://img.shields.io/badge/tdd--audit-passing-brightgreen)](https://www.npmjs.com/package/@lhi/tdd-audit) <!-- tdd-audit-badge -->
 
-> **v1.12.0** — Security skill installer for **Claude Code, Gemini CLI, Cursor, Codex, and OpenCode**. Patches vulnerabilities using a Red-Green-Refactor exploit-test protocol — prove the hole exists, apply the fix, prove it's closed.
+> **v1.14.0** — Security skill installer for **Claude Code, Gemini CLI, Cursor, Codex, and OpenCode**. Patches vulnerabilities using a Red-Green-Refactor exploit-test protocol — prove the hole exists, apply the fix, prove it's closed.
 
 ## Install
 
@@ -80,7 +81,7 @@ npx @lhi/tdd-audit serve --config ~/configs/prod-audit.json
 ## REST API + AI remediation
 
 ```bash
-# Start the API server
+# Start the API server (now powered by Fastify)
 npx @lhi/tdd-audit serve --port 3000 --api-key YOUR_SECRET
 
 # Scan any path → JSON
@@ -88,6 +89,19 @@ curl -X POST http://localhost:3000/scan \
   -H "Authorization: Bearer YOUR_SECRET" \
   -d '{"path": "."}' | jq '.summary'
 
+# Full automated pipeline: scan + remediate in one shot
+curl -X POST http://localhost:3000/audit \
+  -H "Authorization: Bearer YOUR_SECRET" \
+  -H "Content-Type: application/json" \
+  -d '{"path": ".", "provider": "anthropic", "apiKey": "sk-ant-..."}' \
+  | jq '.jobId'
+
+# Poll job status
+curl http://localhost:3000/jobs/<jobId>
+
+# Or stream real-time updates via SSE
+curl -N http://localhost:3000/jobs/<jobId>/stream
+
 # Use any OpenAI-compatible service (Groq, OpenRouter, Together AI, etc.)
 npx @lhi/tdd-audit serve \
   --provider openai \
@@ -98,6 +112,17 @@ npx @lhi/tdd-audit serve \
 
 Supported providers: `anthropic` · `openai` · `gemini` · `ollama` (local) · **any OpenAI-compatible endpoint via `--base-url`**
 
+### Endpoints
+
+| Method | Path | Auth | Description |
+|---|---|---|---|
+| `GET` | `/health` | No | Version + liveness check |
+| `POST` | `/scan` | Yes | Scan a path, return findings |
+| `POST` | `/remediate` | Yes | AI-fix a findings list; returns `jobId` |
+| `POST` | `/audit` | Yes | Full scan+remediate pipeline; returns `jobId` |
+| `GET` | `/jobs/:id` | Yes | Poll job status |
+| `GET` | `/jobs/:id/stream` | Yes | SSE stream — real-time job progress |
+
 ## Output formats
 
 ```bash
@@ -108,11 +133,11 @@ npx @lhi/tdd-audit --scan                 # human-readable text (default)
 
 ## Testing
 
-463 tests across unit, E2E, and security suites:
+586 tests across unit, E2E, and security suites:
 
 ```bash
 npm test                  # full suite
-npm run test:unit         # unit tests with coverage (91.6% branch coverage)
+npm run test:unit         # unit tests with coverage (96.6% branch coverage)
 npm run test:security     # security regression tests only
 npm run test:e2e          # end-to-end REST API tests
 ```
@@ -126,7 +151,7 @@ Security tests cover prompt injection, path traversal, rate limiting, timing-saf
 | [REST API](docs/rest-api.md) | Endpoints, auth, rate limiting, trust-proxy, request/response schema |
 | [AI Remediation](docs/ai-remediation.md) | Provider setup, `--base-url` for compatible APIs, config file |
 | [Scanner](docs/scanner.md) | Architecture, detection logic, false-positive handling |
-| [Vulnerability Patterns](docs/vulnerability-patterns.md) | All 34 patterns — descriptions, grep signatures, fix pointers |
+| [Vulnerability Patterns](docs/vulnerability-patterns.md) | All 57 patterns — descriptions, grep signatures, fix pointers |
 | [TDD Protocol](docs/tdd-protocol.md) | Red-Green-Refactor in full, with framework templates for all 6 stacks |
 | [Agentic AI Security](docs/agentic-ai-security.md) | ASI01–ASI10 — prompt injection, MCP supply chain, Actions injection |
 | [Hardening](docs/hardening.md) | Phase 4 controls — Helmet, CSP, CSRF, rate limiting, gitleaks, SRI |

package/docs/rest-api.md

@@ -1,6 +1,6 @@
 # REST API
 
-`tdd-audit serve` turns the scanner into an authenticated HTTP API. Use it to integrate vulnerability scanning into dashboards, CI pipelines, bots, or any tooling that speaks JSON.
+`tdd-audit serve` turns the scanner into an authenticated HTTP API built on **Fastify**. Use it to integrate vulnerability scanning and AI remediation into dashboards, CI pipelines, bots, or any tooling that speaks JSON.
 
 ---
 
@@ -29,7 +29,7 @@ npx @lhi/tdd-audit serve --config ~/configs/prod.json
 }
 ```
 
-If `--api-key` / `serverApiKey` is omitted the server starts unauthenticated with a warning. Always set one in production.
+If `--api-key` / `serverApiKey` is omitted the server starts unauthenticated with a stderr warning. Always set one in production.
 
 ---
 
@@ -45,13 +45,13 @@ Authorization: Bearer YOUR_SECRET
 
 Missing or wrong key → `401 Unauthorized`.
 
-Tokens are compared using **HMAC + `crypto.timingSafeEqual`** to prevent timing-oracle attacks.
+Tokens are compared using **HMAC + `crypto.timingSafeEqual`** to prevent timing-oracle attacks (both values are HMAC-normalised before comparison so lengths are always equal).
 
 ### Rate limiting
 
-All endpoints are rate-limited to **60 requests / IP / minute** (default). Exceeding the limit returns `429 Too Many Requests`.
+All endpoints are rate-limited to **60 requests / IP / minute**. Exceeding the limit returns `429 Too Many Requests`.
 
-By default the rate limiter keys on the **socket IP**, not `X-Forwarded-For`, to prevent header-spoofing bypasses. Enable proxy-forwarded IPs only if you are behind a trusted reverse proxy:
+By default the rate limiter keys on the **socket IP**, not `X-Forwarded-For`, to prevent header-spoofing bypasses. Enable proxy-forwarded IPs only when you are behind a trusted reverse proxy:
 
 ```json
 { "trustProxy": true }
@@ -59,15 +59,16 @@ By default the rate limiter keys on the **socket IP**, not `X-Forwarded-For`, to
 
 ### Path validation
 
-`POST /scan` validates that the requested path is inside the server's working directory (normalised with a trailing separator to prevent sibling-directory prefix bypasses). Paths outside cwd return `400`.
+`POST /scan` and `POST /audit` validate that the requested path is inside the server's working directory. The check is normalised with a trailing path separator to prevent sibling-directory prefix bypasses (e.g. `/app-evil` cannot escape via `/app`). Paths outside cwd return `400`.
 
 ### Security headers
 
 Every response includes:
 
 ```
-X-Content-Type-Options: nosniff
-X-Frame-Options: DENY
+Content-Security-Policy: default-src 'none'
+X-Content-Type-Options:  nosniff
+X-Frame-Options:         DENY
 ```
 
 ---
@@ -79,14 +80,14 @@ X-Frame-Options: DENY
 No auth required. Returns server status and version.
 
 ```json
-{ "status": "ok", "version": "1.9.0" }
+{ "status": "ok", "version": "1.13.0" }
 ```
 
 ---
 
 ### `POST /scan`
 
-Scan a local path and return structured findings.
+Scan a local path and return structured findings synchronously.
 
 **Request**
 ```json
@@ -104,13 +105,13 @@ Scan a local path and return structured findings.
 **Response — JSON**
 ```json
 {
-  "version":             "1.9.0",
-  "summary":             { "CRITICAL": 1, "HIGH": 3, "MEDIUM": 1, "LOW": 0 },
-  "findings":            [ ... ],
+  "version":              "1.13.0",
+  "summary":              { "CRITICAL": 1, "HIGH": 3, "MEDIUM": 1, "LOW": 0 },
+  "findings":             [ ... ],
   "likelyFalsePositives": [ ... ],
-  "exempted":            [],
-  "scannedAt":           "2026-03-25T12:00:00.000Z",
-  "duration":            42
+  "exempted":             [],
+  "scannedAt":            "2026-03-25T12:00:00.000Z",
+  "duration":             42
 }
 ```
 
@@ -122,7 +123,7 @@ Returns a SARIF 2.1.0 object ready to upload to GitHub code scanning.
 
 | Status | Reason |
 |---|---|
-| 400 | Path traversal attempt, sibling-directory bypass, oversized body (> 512 KB), or invalid JSON |
+| 400 | Path traversal attempt, oversized body (> 512 KB), or invalid JSON |
 | 401 | Missing or invalid API key |
 | 429 | Rate limit exceeded |
 
@@ -130,18 +131,18 @@ Returns a SARIF 2.1.0 object ready to upload to GitHub code scanning.
 
 ### `POST /remediate`
 
-Queue an AI-powered remediation job. Returns immediately with a `jobId`; poll `/jobs/:id` for results.
+Queue an AI-powered remediation job for a **provided findings list**. Returns immediately with a `jobId`; poll `GET /jobs/:id` (or stream `GET /jobs/:id/stream`) for results.
 
-The server stores up to **1 000 jobs** in memory (TTL: 1 hour). Oldest jobs are evicted when the cap is reached.
+Use `POST /audit` instead if you want the server to run the scan itself.
 
 **Request**
 ```json
 {
   "findings": [ ... ],
-  "provider": "openai",
-  "apiKey":   "sk-...",
-  "model":    "gpt-4o",
-  "baseUrl":  "https://api.groq.com/openai/v1",
+  "provider": "anthropic",
+  "apiKey":   "sk-ant-...",
+  "model":    "claude-opus-4-6",
+  "baseUrl":  null,
   "severity": "HIGH"
 }
 ```
@@ -155,23 +156,69 @@ The server stores up to **1 000 jobs** in memory (TTL: 1 hour). Oldest jobs are
 | `baseUrl` | no | Override base URL for any OpenAI-compatible service |
 | `severity` | no | Minimum severity to fix. Default: `LOW` (fix all) |
 
-**Response**
+**Response — 202 Accepted**
 ```json
 { "jobId": "job_1_1711363200000" }
 ```
 
+Job lifecycle: `pending → running → done | error`
+
 ---
 
-### `GET /jobs/:id`
+### `POST /audit`
+
+Full automated pipeline: **scan + AI remediation in one shot**. No interaction needed. Returns immediately with a `jobId`.
 
-Poll for remediation job status.
+If no `provider`/`apiKey` are supplied, the server runs the scan only (no remediation) and the job transitions to `done` with just the `findings` array.
 
-**Response — pending / running**
+**Request**
 ```json
-{ "id": "job_1_...", "status": "pending", "createdAt": "..." }
+{
+  "path":     ".",
+  "provider": "anthropic",
+  "apiKey":   "sk-ant-...",
+  "model":    "claude-opus-4-6",
+  "baseUrl":  null,
+  "webhook":  "https://your-server.example.com/webhook"
+}
 ```
 
-**Response — done**
+| Field | Required | Description |
+|---|---|---|
+| `path` | no | Path to scan. Defaults to cwd. Must be inside server cwd. |
+| `provider` | no | If supplied with `apiKey`, AI remediation runs after the scan |
+| `apiKey` | no | Provider API key |
+| `model` | no | Defaults per provider |
+| `baseUrl` | no | Override base URL for OpenAI-compatible providers |
+| `webhook` | no | URL to POST the final job payload to when complete (fire-and-forget) |
+
+**Response — 202 Accepted**
+
+```
+HTTP/1.1 202 Accepted
+Location: /jobs/job_1_1711363200000
+Retry-After: 2
+```
+```json
+{ "jobId": "job_1_1711363200000" }
+```
+
+Job lifecycle: `pending → scanning → scanned → remediating → done | error`
+
+Poll `GET /jobs/:id` or stream `GET /jobs/:id/stream` for progress.
+
+**Job object during remediation**
+```json
+{
+  "id":        "job_1_...",
+  "status":    "remediating",
+  "total":     8,
+  "completed": 3,
+  "current":   "SQL Injection"
+}
+```
+
+**Job object when done**
 ```json
 {
   "id":          "job_1_...",
@@ -179,6 +226,7 @@ Poll for remediation job status.
   "createdAt":   "...",
   "startedAt":   "...",
   "completedAt": "...",
+  "findings":    [ ... ],
   "results": [
     {
       "finding":        { ... },
@@ -193,28 +241,130 @@ Poll for remediation job status.
 
 ---
 
-## Examples
+### `GET /jobs/:id`
+
+Poll for job status. Works for jobs created by both `POST /remediate` and `POST /audit`.
+
+**Response — pending / scanning**
+```json
+{ "id": "job_1_...", "status": "scanning", "createdAt": "..." }
+```
+
+**Response — remediating (with progress)**
+```json
+{
+  "id":        "job_1_...",
+  "status":    "remediating",
+  "total":     8,
+  "completed": 3,
+  "current":   "SQL Injection"
+}
+```
+
+**Response — done**
+```json
+{
+  "id":          "job_1_...",
+  "status":      "done",
+  "createdAt":   "...",
+  "startedAt":   "...",
+  "completedAt": "...",
+  "results":     [ ... ]
+}
+```
+
+**Response — error**
+```json
+{ "id": "job_1_...", "status": "error", "error": "Provider returned 401: ..." }
+```
+
+The job store keeps up to **1 000 jobs** in memory (TTL: 1 hour). Oldest jobs are evicted when the cap is reached.
+
+---
+
+### `GET /jobs/:id/stream`
 
-### curl
+Real-time job progress via **Server-Sent Events (SSE)**. The server pushes an event each time the job state changes, and closes the connection when the job reaches `done` or `error`.
+
+```bash
+curl -N http://localhost:3000/jobs/job_1_.../stream \
+  -H "Authorization: Bearer YOUR_SECRET"
+```
+
+**Event format**
+```
+data: {"id":"job_1_...","status":"scanning","createdAt":"..."}
+
+data: {"id":"job_1_...","status":"scanned","findings":[...]}
+
+data: {"id":"job_1_...","status":"remediating","total":8,"completed":1,"current":"SQL Injection"}
+
+data: {"id":"job_1_...","status":"done","completedAt":"...","results":[...]}
+```
+
+The connection is closed automatically after the terminal state (`done` / `error`). If you connect to an already-completed job, the server pushes the current state and closes immediately.
+
+**Node.js example using EventSource**
+```javascript
+const es = new EventSource(
+  'http://localhost:3000/jobs/job_1_.../stream',
+  { headers: { Authorization: 'Bearer YOUR_SECRET' } }
+);
+es.onmessage = (e) => {
+  const job = JSON.parse(e.data);
+  if (job.status === 'done') { console.log(job.results); es.close(); }
+  if (job.status === 'error') { console.error(job.error); es.close(); }
+};
+```
+
+---
+
+## Full workflow examples
+
+### curl — scan only
 
 ```bash
-# Start server
 npx @lhi/tdd-audit serve --port 3000 --api-key mysecret &
 
-# Scan current directory
 curl -s -X POST http://localhost:3000/scan \
   -H "Authorization: Bearer mysecret" \
   -H "Content-Type: application/json" \
   -d '{"path": "."}' | jq '.summary'
+```
+
+### curl — full pipeline with polling
 
-# SARIF output for GitHub upload
+```bash
+# Kick off audit
+JOB=$(curl -s -X POST http://localhost:3000/audit \
+  -H "Authorization: Bearer mysecret" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "path":     ".",
+    "provider": "anthropic",
+    "apiKey":   "sk-ant-..."
+  }' | jq -r '.jobId')
+
+# Poll until done
+while true; do
+  STATUS=$(curl -s http://localhost:3000/jobs/$JOB \
+    -H "Authorization: Bearer mysecret" | jq -r '.status')
+  echo "Status: $STATUS"
+  [ "$STATUS" = "done" ] || [ "$STATUS" = "error" ] && break
+  sleep 2
+done
+```
+
+### curl — SARIF output for GitHub code scanning
+
+```bash
 curl -s -X POST http://localhost:3000/scan \
   -H "Authorization: Bearer mysecret" \
   -H "Content-Type: application/json" \
   -d '{"path": ".", "format": "sarif"}' > results.sarif
 ```
 
-### Node.js
+### Node.js — scan
 
 ```javascript
 const res = await fetch('http://localhost:3000/scan', {

package/docs/scanner.md

@@ -8,10 +8,12 @@
 
 | Export | Purpose |
 |---|---|
-| `quickScan(projectDir)` | Walk all source files and return a findings array |
+| `quickScan(projectDir)` | Walk all source files and return a merged findings array |
 | `scanPromptFiles(projectDir)` | Walk all `.md` prompt/skill files and check for prompt-specific patterns |
 | `scanAppConfig(projectDir)` | Check `app.json` / `app.config.*` for embedded secrets |
 | `scanAndroidManifest(projectDir)` | Check `AndroidManifest.xml` for `android:debuggable="true"` |
+| `scanPackageJson(projectDir)` | Check `package.json` lifecycle scripts for supply-chain exfiltration (postinstall curl/wget) |
+| `scanEnvFiles(projectDir)` | Check `.env*` files for `NEXT_PUBLIC_*SECRET/KEY/TOKEN` leaking secrets to the browser |
 | `printFindings(findings, exempted)` | Format and print a findings report to stdout |
 | `detectFramework(dir)` | Detect the test framework (`jest`, `vitest`, `mocha`, `pytest`, `go`, `flutter`) |
 | `detectAppFramework(dir)` | Detect the UI framework (`nextjs`, `expo`, `react-native`, `react`, `flutter`) |
@@ -23,7 +25,7 @@
 
 ```
 projectDir
-  └─ walkFiles()          — yields .js/.ts/.jsx/.tsx/.mjs/.py/.go/.dart files
+  └─ walkFiles()           — yields source files (see Scanned extensions below)
        └─ for each file:
             1. Read file content (read-first, check length after — no TOCTOU)
             2. Skip if content.length > 512 KB
@@ -32,12 +34,14 @@ projectDir
                  – If pattern matches, push finding with severity / name / file / line / snippet
                  – inTestFile: true if path is under a test directory
                  – likelyFalsePositive: true if inTestFile && pattern.skipInTests
-  └─ scanAppConfig()      — checks app.json / app.config.* for secret patterns
-  └─ scanAndroidManifest() — checks android:debuggable
-  └─ scanPromptFiles()    — walks .md files in prompt directories
+  └─ scanAppConfig()       — checks app.json / app.config.* for embedded secret patterns
+  └─ scanAndroidManifest() — checks android:debuggable="true"
+  └─ scanPromptFiles()     — walks .md files in agent config directories for prompt-specific patterns
+  └─ scanPackageJson()     — checks postinstall/preinstall lifecycle scripts for curl/wget exfiltration
+  └─ scanEnvFiles()        — checks .env* files for NEXT_PUBLIC_* keys with secret-sounding names
 ```
 
-All four result sets are merged into one array and returned to the caller.
+All six result sets are merged into one array and returned to the caller.
 
 ---
 
@@ -47,7 +51,7 @@ All four result sets are merged into one array and returned to the caller.
 
 Yields scannable source files (`SCAN_EXTENSIONS`). Skips:
 
-- **`SKIP_DIRS`**: `node_modules`, `.git`, `dist`, `build`, `.next`, `out`, `__pycache__`, `venv`, `.venv`, `vendor`, `.expo`, `.dart_tool`, `.pub-cache`
+- **`SKIP_DIRS`**: `node_modules`, `.git`, `dist`, `build`, `coverage`, `.next`, `out`, `__pycache__`, `venv`, `.venv`, `vendor`, `.expo`, `.dart_tool`, `.pub-cache`
 - **Symlinks** — never followed, preventing escape from the project root on shared/M-series filesystems
 
 ### `walkMdFiles(dir)`
@@ -58,9 +62,9 @@ Same skip rules, yields `.md` files only. Used by `scanPromptFiles`.
 
 ## Scanned extensions
 
-`.js` `.ts` `.jsx` `.tsx` `.mjs` `.py` `.go` `.dart`
+`.js` `.ts` `.jsx` `.tsx` `.mjs` `.py` `.go` `.dart` `.yml` `.yaml`
 
-YAML, JSON, XML, and shell files are not scanned by the code scanner. CI workflow files (`.yml`) are scanned separately when explicitly passed to the ASI08/ASI09 grep patterns during an agent-driven audit.
+JSON and XML files are not walked by the code scanner. `package.json` is handled by `scanPackageJson()` and `.env*` files by `scanEnvFiles()` — both run as separate targeted checks. CI workflow files (`.yml`/`.yaml`) **are** now scanned by `walkFiles()` for GitHub Actions expression injection and similar patterns.
 
 ---
 

package/index.js

@@ -13,6 +13,7 @@ const {
 } = require('./lib/scanner');
 const { toJson, toSarif, toText } = require('./lib/reporter');
 const { writeInitConfig } = require('./lib/config');
+const { badgeLine, injectBadge } = require('./lib/badge');
 
 const args = process.argv.slice(2);
 const isLocal   = args.includes('--local');
@@ -87,6 +88,7 @@ if (scanOnly) {
     process.stdout.write('\n');
     printFindings(findings, exempted);
   }
+  injectBadge(projectDir, badgeLine(findings));
   process.exit(0);
 }
 
@@ -243,6 +245,9 @@ if (!skipScan) {
   const findings = quickScan(projectDir);
   process.stdout.write('\n');
   printFindings(findings);
+  const badge = badgeLine(findings);
+  injectBadge(projectDir, badge);
+  console.log('✅ README badge updated');
 }
 
 console.log(`\nSkill installed to ${path.relative(os.homedir(), targetSkillDir)}`);

package/lib/badge.js

@@ -0,0 +1,94 @@
+'use strict';
+
+const fs   = require('fs');
+const path = require('path');
+
+// Marker embedded in the badge line — used to find and replace it on re-scan.
+const BADGE_MARKER = 'tdd-audit-badge';
+
+const NPM_URL = 'https://www.npmjs.com/package/@lhi/tdd-audit';
+
+/**
+ * Build a shields.io badge markdown line reflecting actual scan results.
+ *
+ * - 0 critical/high (real) findings → "passing" · brightgreen
+ * - ≥1 high (no critical)           → "{n} high"  · orange
+ * - ≥1 critical                     → "{n} critical" · red
+ *
+ * likelyFalsePositive findings (test fixtures) are excluded from the count.
+ *
+ * @param {Array} findings  - findings array returned by quickScan()
+ * @returns {string}        - single-line markdown badge ending with \n
+ */
+function badgeLine(findings) {
+  // Exclude test-file findings and likely false positives — badge reflects production code only
+  const real     = (findings || []).filter(f => !f.likelyFalsePositive && !f.inTestFile);
+  const criticals = real.filter(f => f.severity === 'CRITICAL').length;
+  const highs     = real.filter(f => f.severity === 'HIGH').length;
+
+  let message, color;
+  if (criticals > 0) {
+    message = `${criticals}%20critical`;
+    color   = 'red';
+  } else if (highs > 0) {
+    message = `${highs}%20high`;
+    color   = 'orange';
+  } else {
+    message = 'passing';
+    color   = 'brightgreen';
+  }
+
+  const badgeUrl = `https://img.shields.io/badge/tdd--audit-${message}-${color}`;
+  // Embed the marker as a hidden HTML comment after the badge so injectBadge()
+  // can locate and replace the line on subsequent runs.
+  return `[![tdd-audit](${badgeUrl})](${NPM_URL}) <!-- ${BADGE_MARKER} -->\n`;
+}
+
+/**
+ * Inject or update the tdd-audit badge in the project's README.md.
+ *
+ * Behaviour:
+ *  - Searches for README.md / readme.md / README in the project root.
+ *  - If a badge line (identified by BADGE_MARKER) already exists, replaces it.
+ *  - Otherwise inserts the badge immediately after the first `# Heading` line.
+ *    If no heading exists, prepends to the file.
+ *  - No-ops silently when no README is found.
+ *  - Idempotent: running twice with the same inputs produces the same output.
+ *
+ * @param {string} projectDir  - absolute path to the project root
+ * @param {string} badge       - badge markdown line from badgeLine()
+ */
+function injectBadge(projectDir, badge) {
+  const candidates = ['README.md', 'readme.md', 'Readme.md', 'README'];
+  let readmePath = null;
+  for (const name of candidates) {
+    const p = path.join(projectDir, name);
+    if (fs.existsSync(p)) { readmePath = p; break; }
+  }
+  if (!readmePath) return;
+
+  const original = fs.readFileSync(readmePath, 'utf8');
+
+  // Replace existing badge (idempotent + allows re-scan update)
+  if (original.includes(BADGE_MARKER)) {
+    const updated = original.replace(/^.*tdd-audit-badge.*$/m, badge.trimEnd());
+    fs.writeFileSync(readmePath, updated);
+    return;
+  }
+
+  // Insert after the first h1 line, or prepend if no h1 exists
+  const lines = original.split('\n');
+  const h1Idx = lines.findIndex(l => /^#\s/.test(l));
+
+  let updated;
+  if (h1Idx !== -1) {
+    lines.splice(h1Idx + 1, 0, badge.trimEnd());
+    updated = lines.join('\n');
+  } else {
+    updated = badge.trimEnd() + '\n' + original;
+  }
+
+  fs.writeFileSync(readmePath, updated);
+}
+
+module.exports = { badgeLine, injectBadge, BADGE_MARKER };

package/lib/jobs.js

@@ -0,0 +1,53 @@
+'use strict';
+
+const { EventEmitter } = require('events');
+
+// ─── Job store (singleton, in-memory) ────────────────────────────────────────
+
+const MAX_JOBS   = 1_000;
+const JOB_TTL_MS = 60 * 60 * 1_000; // 1 hour
+
+const jobs   = new Map();
+let   jobSeq = 0;
+
+// EventEmitter used to push job updates to SSE subscribers
+const _emitter = new EventEmitter();
+_emitter.setMaxListeners(500);
+
+function evictJobs() {
+  const cutoff = Date.now() - JOB_TTL_MS;
+  for (const [id, job] of jobs) {
+    if (new Date(job.createdAt).getTime() < cutoff) jobs.delete(id);
+  }
+  while (jobs.size >= MAX_JOBS) {
+    jobs.delete(jobs.keys().next().value);
+  }
+}
+
+function createJob() {
+  evictJobs();
+  const id = `job_${++jobSeq}_${Date.now()}`;
+  jobs.set(id, { id, status: 'pending', createdAt: new Date().toISOString() });
+  return id;
+}
+
+function updateJob(id, patch) {
+  const job = jobs.get(id);
+  if (!job) return;
+  const updated = { ...job, ...patch };
+  jobs.set(id, updated);
+  _emitter.emit(id, updated);
+}
+
+/**
+ * Subscribe to live updates for a job.
+ * @param {string}   id  - job id
+ * @param {Function} fn  - called with the updated job object on every change
+ * @returns {Function}   - call to unsubscribe
+ */
+function subscribe(id, fn) {
+  _emitter.on(id, fn);
+  return () => _emitter.off(id, fn);
+}
+
+module.exports = { jobs, createJob, updateJob, subscribe, evictJobs, MAX_JOBS, JOB_TTL_MS };

package/lib/plugin.js

@@ -0,0 +1,308 @@
+'use strict';
+
+const crypto  = require('crypto');
+const path    = require('path');
+const Fastify = require('fastify');
+
+const { quickScan }        = require('./scanner');
+const { toJson, toSarif }  = require('./reporter');
+const { remediate }        = require('./remediator');
+const { version }          = require('../package.json');
+const {
+  jobs, createJob, updateJob, subscribe, MAX_JOBS,
+} = require('./jobs');
+
+// ─── Auth ─────────────────────────────────────────────────────────────────────
+
+// Fixed HMAC key — normalises token lengths for constant-time comparison.
+const _authHmacKey = crypto.randomBytes(32);
+
+/**
+ * Authenticate a Fastify request.
+ * Accepts either a raw Node req or a Fastify request object.
+ * Uses HMAC + timingSafeEqual to prevent timing-oracle attacks.
+ */
+function authenticate(req, cfg) {
+  if (!cfg.serverApiKey) return true;
+  const headers = req.headers || {};
+  const header  = headers['authorization'] || '';
+  const token   = header.startsWith('Bearer ') ? header.slice(7) : '';
+  const expected = crypto.createHmac('sha256', _authHmacKey).update(cfg.serverApiKey).digest();
+  const actual   = crypto.createHmac('sha256', _authHmacKey).update(token).digest();
+  return crypto.timingSafeEqual(expected, actual);
+}
+
+// ─── Rate limiter ─────────────────────────────────────────────────────────────
+
+const RATE_LIMIT_MAX    = 60;
+const RATE_LIMIT_WINDOW = 60 * 1_000;
+
+function createRateLimit() {
+  const _counts = new Map();
+  return {
+    _counts,
+    check(ip) {
+      const now   = Date.now();
+      const entry = _counts.get(ip) || { count: 0, windowStart: now };
+      if (now - entry.windowStart >= RATE_LIMIT_WINDOW) {
+        entry.count = 0;
+        entry.windowStart = now;
+      }
+      entry.count += 1;
+      _counts.set(ip, entry);
+      return entry.count <= RATE_LIMIT_MAX;
+    },
+    reset() { _counts.clear(); },
+  };
+}
+
+// ─── Path validation ──────────────────────────────────────────────────────────
+
+function safeScanPath(rawPath) {
+  const cwd      = process.cwd();
+  const resolved = path.resolve(cwd, rawPath || cwd);
+  const cwdNorm  = cwd.endsWith(path.sep) ? cwd : cwd + path.sep;
+  if (resolved !== cwd && !resolved.startsWith(cwdNorm)) {
+    throw new Error('Path outside working directory');
+  }
+  return resolved;
+}
+
+// ─── Security headers ────────────────────────────────────────────────────────
+
+const SECURITY_HEADERS = {
+  'X-Content-Type-Options':  'nosniff',
+  'X-Frame-Options':         'DENY',
+  'Content-Security-Policy': "default-src 'none'",
+};
+
+// ─── Fastify plugin ───────────────────────────────────────────────────────────
+
+/**
+ * Fastify plugin that registers all tdd-audit REST routes.
+ *
+ * Options:
+ *   cfg          - loaded config object
+ *   rateLimiter  - rate limiter instance (from createRateLimit())
+ */
+async function tddAuditPlugin(fastify, opts) {
+  const { cfg, rateLimiter } = opts;
+
+  // ── Security headers on every reply ────────────────────────────────────────
+  fastify.addHook('onSend', async (request, reply) => {
+    for (const [k, v] of Object.entries(SECURITY_HEADERS)) {
+      reply.header(k, v);
+    }
+  });
+
+  // ── Rate limiting ────────────────────────────────────────────────────────
+  fastify.addHook('preHandler', async (request, reply) => {
+    const ip = cfg.trustProxy
+      ? (request.headers['x-forwarded-for'] || request.ip || '').split(',')[0].trim()
+      : (request.ip || 'unknown');
+    if (!rateLimiter.check(ip)) {
+      reply.code(429).send({ error: 'Too Many Requests' });
+    }
+  });
+
+  // ── GET /health ──────────────────────────────────────────────────────────
+  fastify.get('/health', async () => ({ status: 'ok', version }));
+
+  // ── Authentication for all non-health routes ────────────────────────────
+  fastify.addHook('preHandler', async (request, reply) => {
+    if (request.routeOptions?.url === '/health') return;
+    if (!authenticate(request, cfg)) {
+      reply.code(401).send({ error: 'Unauthorized' });
+    }
+  });
+
+  // ── POST /scan ──────────────────────────────────────────────────────────
+  fastify.post('/scan', {
+    config: { rawBody: false },
+  }, async (request, reply) => {
+    const body = request.body || {};
+
+    let scanPath;
+    try { scanPath = safeScanPath(body.path); }
+    catch (e) { return reply.code(400).send({ error: e.message }); }
+
+    const format   = body.format || cfg.output || 'json';
+    const t0       = Date.now();
+    const findings = quickScan(scanPath);
+    const exempted = findings.exempted || [];
+    const duration = Date.now() - t0;
+
+    if (format === 'sarif') return toSarif(findings, scanPath);
+    return { ...toJson(findings, exempted), duration };
+  });
+
+  // ── POST /remediate ──────────────────────────────────────────────────────
+  fastify.post('/remediate', async (request, reply) => {
+    const body = request.body || {};
+    const { findings, provider, apiKey, model, baseUrl } = body;
+
+    if (!findings || !provider || !apiKey) {
+      return reply.code(400).send({ error: 'findings, provider, and apiKey are required' });
+    }
+
+    const jobId = createJob();
+
+    setImmediate(async () => {
+      try {
+        updateJob(jobId, { status: 'running', startedAt: new Date().toISOString() });
+        const results = await remediate({
+          findings, provider, apiKey,
+          model:   model   || cfg.model,
+          baseUrl: baseUrl || cfg.baseUrl,
+        });
+        updateJob(jobId, { status: 'done', completedAt: new Date().toISOString(), results });
+      } catch (err) {
+        updateJob(jobId, { status: 'error', error: err.message });
+      }
+    });
+
+    return reply.code(202).send({ jobId });
+  });
+
+  // ── POST /audit — full scan+remediate pipeline ────────────────────────────
+  fastify.post('/audit', async (request, reply) => {
+    const body = request.body || {};
+    const { path: rawPath, provider, apiKey, model, baseUrl, webhook } = body;
+
+    let scanPath;
+    try { scanPath = safeScanPath(rawPath); }
+    catch (e) { return reply.code(400).send({ error: e.message }); }
+
+    const jobId = createJob();
+
+    setImmediate(async () => {
+      try {
+        // Phase 1: scan
+        updateJob(jobId, { status: 'scanning', startedAt: new Date().toISOString() });
+        const findings = quickScan(scanPath);
+        updateJob(jobId, { status: 'scanned', findings });
+
+        // Phase 2: remediate (if provider supplied)
+        if (provider && apiKey) {
+          const total = findings.filter(f => !f.likelyFalsePositive).length;
+          updateJob(jobId, { status: 'remediating', total, completed: 0 });
+
+          // remediate is eagerly required at module top
+          const results = await remediate({
+            findings, provider, apiKey,
+            model:   model   || cfg.model,
+            baseUrl: baseUrl || cfg.baseUrl,
+            onProgress: (completed, current) => {
+              updateJob(jobId, { status: 'remediating', total, completed, current });
+            },
+          });
+          updateJob(jobId, {
+            status: 'done',
+            completedAt: new Date().toISOString(),
+            findings,
+            results,
+          });
+        } else {
+          updateJob(jobId, { status: 'done', completedAt: new Date().toISOString(), findings });
+        }
+
+        // Optional webhook fire-and-forget
+        if (webhook) {
+          const job = jobs.get(jobId);
+          fetch(webhook, {
+            method:  'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body:    JSON.stringify(job),
+          }).catch(() => {}); // never throw
+        }
+      } catch (err) {
+        updateJob(jobId, { status: 'error', error: err.message });
+      }
+    });
+
+    reply.header('Location', `/jobs/${jobId}`);
+    reply.header('Retry-After', '2');
+    return reply.code(202).send({ jobId });
+  });
+
+  // ── GET /jobs/:id ────────────────────────────────────────────────────────
+  fastify.get('/jobs/:id', async (request, reply) => {
+    const job = jobs.get(request.params.id);
+    if (!job) return reply.code(404).send({ error: 'Job not found' });
+    return job;
+  });
+
+  // ── GET /jobs/:id/stream — SSE real-time job updates ─────────────────────
+  fastify.get('/jobs/:id/stream', async (request, reply) => {
+    const id  = request.params.id;
+    const job = jobs.get(id);
+    if (!job) return reply.code(404).send({ error: 'Job not found' });
+
+    reply.hijack();
+    const raw = reply.raw;
+    raw.writeHead(200, {
+      'Content-Type':  'text/event-stream',
+      'Cache-Control': 'no-cache',
+      'Connection':    'keep-alive',
+      ...SECURITY_HEADERS,
+    });
+
+    const send = (data) => {
+      raw.write(`data: ${JSON.stringify(data)}\n\n`);
+    };
+
+    // Push current state immediately
+    send(jobs.get(id));
+
+    if (job.status === 'done' || job.status === 'error') {
+      raw.end();
+      return;
+    }
+
+    const unsubscribe = subscribe(id, (updated) => {
+      send(updated);
+      if (updated.status === 'done' || updated.status === 'error') {
+        unsubscribe();
+        raw.end();
+      }
+    });
+
+    raw.on('close', unsubscribe);
+  });
+}
+
+// ─── App factory ──────────────────────────────────────────────────────────────
+
+/**
+ * Build and return a configured Fastify instance.
+ * @param {object} cfg  - loaded config object
+ * @param {object} [overrides] - optional overrides (e.g. { logger: true })
+ */
+function buildApp(cfg, overrides = {}) {
+  const fastify = Fastify({
+    logger:           false,
+    trustProxy:       cfg.trustProxy || false,
+    bodyLimit:        512 * 1024, // 512 KB
+    ...overrides,
+  });
+
+  const rateLimiter = createRateLimit();
+
+  fastify.register(tddAuditPlugin, { cfg, rateLimiter });
+
+  // Expose internals for testing
+  fastify.decorate('rateLimiter', rateLimiter);
+  fastify.decorate('jobs',        jobs);
+  fastify.decorate('cfg',         cfg);
+
+  return fastify;
+}
+
+module.exports = {
+  tddAuditPlugin,
+  buildApp,
+  authenticate,
+  safeScanPath,
+  createRateLimit,
+  RATE_LIMIT_MAX,
+};

package/lib/remediator.js

@@ -185,10 +185,11 @@ function parseResponse(text) {
  * @param {string} opts.apiKey
  * @param {string} [opts.model]
  * @param {string} [opts.baseUrl]  - override base URL for OpenAI-compatible providers
- * @param {string} [opts.severity] - minimum severity to fix ('CRITICAL','HIGH','MEDIUM','LOW')
+ * @param {string}   [opts.severity]    - minimum severity to fix ('CRITICAL','HIGH','MEDIUM','LOW')
+ * @param {Function} [opts.onProgress]  - called with (completedCount, currentFindingName) after each finding
  * @returns {Promise<Array>} - results per finding
  */
-async function remediate({ findings, provider, apiKey, model, baseUrl, severity = 'LOW' }) {
+async function remediate({ findings, provider, apiKey, model, baseUrl, severity = 'LOW', onProgress }) {
   const ORDER = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3 };
   const threshold = ORDER[severity.toUpperCase()] ?? 3;
 
@@ -197,7 +198,8 @@ async function remediate({ findings, provider, apiKey, model, baseUrl, severity
     .sort((a, b) => (ORDER[a.severity] ?? 99) - (ORDER[b.severity] ?? 99));
 
   const results = [];
-  for (const finding of targets) {
+  for (let i = 0; i < targets.length; i++) {
+    const finding = targets[i];
     try {
       const prompt   = buildRemediationPrompt(finding);
       const raw      = await callProvider(provider, apiKey, model, prompt, baseUrl);
@@ -206,6 +208,9 @@ async function remediate({ findings, provider, apiKey, model, baseUrl, severity
     } catch (err) {
       results.push({ finding, status: 'error', error: err.message });
     }
+    if (typeof onProgress === 'function') {
+      onProgress(i + 1, finding.name);
+    }
   }
   return results;
 }

package/lib/scanner.js

@@ -70,7 +70,7 @@ const SCAN_EXTENSIONS = new Set(['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.
 
 /** Maximum file size to read before skipping (512 KB). Prevents OOM on large generated files. */
 const MAX_SCAN_FILE_BYTES = 512 * 1024;
-const SKIP_DIRS = new Set(['node_modules', '.git', 'dist', 'build', '.next', 'out', '__pycache__', 'venv', '.venv', 'vendor', '.expo', '.dart_tool', '.pub-cache']);
+const SKIP_DIRS = new Set(['node_modules', '.git', 'dist', 'build', 'coverage', '.next', 'out', '__pycache__', 'venv', '.venv', 'vendor', '.expo', '.dart_tool', '.pub-cache']);
 
 // ─── Prompt / Skill Patterns ──────────────────────────────────────────────────
 

package/lib/server.js

@@ -1,48 +1,53 @@
 'use strict';
 
 const crypto = require('crypto');
-const http   = require('http');
 const path   = require('path');
-const { quickScan, scanPromptFiles } = require('./scanner');
-const { toJson, toSarif, toText }    = require('./reporter');
+const { quickScan }                   = require('./scanner');
+const { toJson, toSarif }             = require('./reporter');
 const { loadConfig, parseCliOverrides } = require('./config');
-const { version } = require('../package.json');
+const { version }                     = require('../package.json');
+const { buildApp, RATE_LIMIT_MAX }    = require('./plugin');
+const {
+  jobs, createJob, updateJob, MAX_JOBS, JOB_TTL_MS,
+} = require('./jobs');
 
-// ─── Job store (in-memory) ────────────────────────────────────────────────────
+// ─── Auth (kept here for backward compat — SEC-17 reads this file) ────────────
 
-const jobs    = new Map();
-let   jobSeq  = 0;
-
-const MAX_JOBS    = 1_000;
-const JOB_TTL_MS  = 60 * 60 * 1_000; // 1 hour
-
-function evictJobs() {
-  const cutoff = Date.now() - JOB_TTL_MS;
-  for (const [id, job] of jobs) {
-    if (new Date(job.createdAt).getTime() < cutoff) jobs.delete(id);
-  }
-  // Hard cap: drop oldest entries until within limit
-  while (jobs.size >= MAX_JOBS) {
-    jobs.delete(jobs.keys().next().value);
-  }
-}
+// Fixed HMAC key for normalising token lengths before constant-time comparison.
+const _authHmacKey = crypto.randomBytes(32);
 
-function createJob() {
-  evictJobs();
-  const id = `job_${++jobSeq}_${Date.now()}`;
-  jobs.set(id, { id, status: 'pending', createdAt: new Date().toISOString() });
-  return id;
+/**
+ * Authenticate incoming requests.
+ * Accepts Node.js http.IncomingMessage OR Fastify Request objects.
+ * Uses HMAC + timingSafeEqual to prevent timing-oracle attacks.
+ */
+function authenticate(req, cfg) {
+  if (!cfg.serverApiKey) return true;
+  const headers = req.headers || {};
+  const header  = headers['authorization'] || '';
+  const token   = header.startsWith('Bearer ') ? header.slice(7) : '';
+  const expected = crypto.createHmac('sha256', _authHmacKey).update(cfg.serverApiKey).digest();
+  const actual   = crypto.createHmac('sha256', _authHmacKey).update(token).digest();
+  return crypto.timingSafeEqual(expected, actual);
 }
 
-function updateJob(id, patch) {
-  const job = jobs.get(id);
-  if (job) jobs.set(id, { ...job, ...patch });
+/**
+ * Validate and sanitise the `path` field from POST /scan.
+ * Only allow paths inside cwd to prevent path traversal.
+ */
+function safeScanPath(rawPath) {
+  const cwd      = process.cwd();
+  const resolved = path.resolve(cwd, rawPath || cwd);
+  const cwdNorm  = cwd.endsWith(path.sep) ? cwd : cwd + path.sep;
+  if (resolved !== cwd && !resolved.startsWith(cwdNorm)) {
+    throw new Error('Path outside working directory');
+  }
+  return resolved;
 }
 
-// ─── Rate limiter (in-memory, per-IP sliding window) ─────────────────────────
+// ─── Rate limiter (kept here for backward compat — SEC-14/16/20 read this) ───
 
-const RATE_LIMIT_MAX    = 60;           // requests per window
-const RATE_LIMIT_WINDOW = 60 * 1_000;  // 1 minute in ms
+const RATE_LIMIT_WINDOW = 60 * 1_000;
 
 const rateLimiter = {
   _counts: new Map(),
@@ -89,46 +94,11 @@ function readBody(req) {
   });
 }
 
-// Fixed HMAC key for normalising token lengths before constant-time comparison.
-// Does not need to be secret — purpose is timing-safety, not confidentiality.
-const _authHmacKey = crypto.randomBytes(32);
-
-/**
- * Authenticate incoming requests.
- * Uses HMAC + timingSafeEqual to prevent timing-oracle attacks.
- */
-function authenticate(req, cfg) {
-  if (!cfg.serverApiKey) return true; // no key configured — open
-  const header = req.headers['authorization'] || '';
-  const token  = header.startsWith('Bearer ') ? header.slice(7) : '';
-  const expected = crypto.createHmac('sha256', _authHmacKey).update(cfg.serverApiKey).digest();
-  const actual   = crypto.createHmac('sha256', _authHmacKey).update(token).digest();
-  return crypto.timingSafeEqual(expected, actual);
-}
-
-/**
- * Validate and sanitise the `path` field from POST /scan.
- * Only allow paths inside cwd to prevent path traversal.
- */
-function safeScanPath(rawPath) {
-  const cwd      = process.cwd();
-  const resolved = path.resolve(cwd, rawPath || cwd);
-  // Append sep so "/app" cannot match "/app-evil" via startsWith
-  const cwdNorm  = cwd.endsWith(path.sep) ? cwd : cwd + path.sep;
-  if (resolved !== cwd && !resolved.startsWith(cwdNorm)) {
-    throw new Error('Path outside working directory');
-  }
-  return resolved;
-}
-
-// ─── Router ───────────────────────────────────────────────────────────────────
+// ─── Router (kept for backward compat — SEC-16/20 and E2E tests use this) ────
 
 async function handleRequest(req, res, cfg) {
   const { method, url } = req;
 
-  // ── Rate limiting ──────────────────────────────────────────────────────────
-  // Only trust X-Forwarded-For when cfg.trustProxy is explicitly enabled.
-  // Default is false to prevent header-spoofing rate-limit bypasses.
   const ip = cfg.trustProxy
     ? (req.headers['x-forwarded-for'] || req.socket?.remoteAddress || '').split(',')[0].trim()
     : (req.socket?.remoteAddress || 'unknown');
@@ -136,17 +106,14 @@ async function handleRequest(req, res, cfg) {
     return json(res, 429, { error: 'Too Many Requests' });
   }
 
-  // ── GET /health ────────────────────────────────────────────────────────────
   if (method === 'GET' && url === '/health') {
     return json(res, 200, { status: 'ok', version });
   }
 
-  // All other routes require authentication
   if (!authenticate(req, cfg)) {
     return json(res, 401, { error: 'Unauthorized' });
   }
 
-  // ── POST /scan ─────────────────────────────────────────────────────────────
   if (method === 'POST' && url === '/scan') {
     let body;
     try { body = await readBody(req); }
@@ -156,19 +123,16 @@ async function handleRequest(req, res, cfg) {
     try { scanPath = safeScanPath(body.path); }
     catch (e) { return json(res, 400, { error: e.message }); }
 
-    const format  = body.format || cfg.output || 'json';
-    const t0      = Date.now();
+    const format   = body.format || cfg.output || 'json';
+    const t0       = Date.now();
     const findings = quickScan(scanPath);
     const exempted = findings.exempted || [];
     const duration = Date.now() - t0;
 
-    if (format === 'sarif') {
-      return json(res, 200, toSarif(findings, scanPath));
-    }
+    if (format === 'sarif') return json(res, 200, toSarif(findings, scanPath));
     return json(res, 200, { ...toJson(findings, exempted), duration });
   }
 
-  // ── POST /remediate ────────────────────────────────────────────────────────
   if (method === 'POST' && url === '/remediate') {
     let body;
     try { body = await readBody(req); }
@@ -181,7 +145,6 @@ async function handleRequest(req, res, cfg) {
 
     const jobId = createJob();
 
-    // Kick off async remediation (non-blocking)
     setImmediate(async () => {
       try {
         updateJob(jobId, { status: 'running', startedAt: new Date().toISOString() });
@@ -200,7 +163,6 @@ async function handleRequest(req, res, cfg) {
     return json(res, 202, { jobId });
   }
 
-  // ── GET /jobs/:id ──────────────────────────────────────────────────────────
   const jobMatch = url.match(/^\/jobs\/([^/?]+)$/);
   if (method === 'GET' && jobMatch) {
     const job = jobs.get(jobMatch[1]);
@@ -211,33 +173,28 @@ async function handleRequest(req, res, cfg) {
   return json(res, 404, { error: 'Not found' });
 }
 
-// ─── Start ────────────────────────────────────────────────────────────────────
+// ─── Start (uses Fastify) ─────────────────────────────────────────────────────
 
-function start(args = []) {
+async function start(args = []) {
   const cfg  = loadConfig(process.cwd(), parseCliOverrides(args));
   const port = cfg.port;
 
-  const server = http.createServer(async (req, res) => {
-    try {
-      await handleRequest(req, res, cfg);
-    } catch (err) {
-      // Production error handler — no stack traces
-      json(res, 500, { error: 'Internal server error' });
-    }
-  });
+  const fastify = buildApp(cfg);
 
-  server.listen(port, () => {
-    process.stdout.write(`\n🔒 tdd-audit REST API listening on http://localhost:${port}\n`);
-    if (!cfg.serverApiKey) {
-      process.stderr.write('⚠️  No --api-key set — server is unauthenticated. Set one for production.\n');
-    }
-    process.stdout.write('   GET  /health\n');
-    process.stdout.write('   POST /scan        { path, format? }\n');
-    process.stdout.write('   POST /remediate   { findings, provider, apiKey, model? }\n');
-    process.stdout.write('   GET  /jobs/:id\n\n');
-  });
+  await fastify.listen({ port, host: '0.0.0.0' });
 
-  return server; // returned for testing
+  process.stdout.write(`\n🔒 tdd-audit REST API listening on http://localhost:${port}\n`);
+  if (!cfg.serverApiKey) {
+    process.stderr.write('⚠️  No --api-key set — server is unauthenticated. Set one for production.\n');
+  }
+  process.stdout.write('   GET  /health\n');
+  process.stdout.write('   POST /scan         { path, format? }\n');
+  process.stdout.write('   POST /remediate    { findings, provider, apiKey, model? }\n');
+  process.stdout.write('   POST /audit        { path, provider?, apiKey?, model? }\n');
+  process.stdout.write('   GET  /jobs/:id\n');
+  process.stdout.write('   GET  /jobs/:id/stream  (SSE)\n\n');
+
+  return fastify.server; // returned for testing
 }
 
 module.exports = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lhi/tdd-audit",
-  "version": "1.12.0",
+  "version": "1.14.0",
   "description": "Security skill installer for Claude Code, Gemini CLI, Cursor, Codex, and OpenCode. Patches vulnerabilities using a Red-Green-Refactor exploit-test protocol.",
   "main": "index.js",
   "bin": {
@@ -60,5 +60,8 @@
   },
   "devDependencies": {
     "jest": "^30.3.0"
+  },
+  "dependencies": {
+    "fastify": "^5.8.4"
   }
 }