@lhi/tdd-audit 1.12.0 → 1.15.0

package/lib/plugin.js

@@ -0,0 +1,308 @@
+'use strict';
+
+const crypto  = require('crypto');
+const path    = require('path');
+const Fastify = require('fastify');
+
+const { quickScan }        = require('./scanner');
+const { toJson, toSarif }  = require('./reporter');
+const { remediate }        = require('./remediator');
+const { version }          = require('../package.json');
+const {
+  jobs, createJob, updateJob, subscribe, MAX_JOBS,
+} = require('./jobs');
+
+// ─── Auth ─────────────────────────────────────────────────────────────────────
+
+// Fixed HMAC key — normalises token lengths for constant-time comparison.
+const _authHmacKey = crypto.randomBytes(32);
+
+/**
+ * Authenticate a Fastify request.
+ * Accepts either a raw Node req or a Fastify request object.
+ * Uses HMAC + timingSafeEqual to prevent timing-oracle attacks.
+ */
+function authenticate(req, cfg) {
+  if (!cfg.serverApiKey) return true;
+  const headers = req.headers || {};
+  const header  = headers['authorization'] || '';
+  const token   = header.startsWith('Bearer ') ? header.slice(7) : '';
+  const expected = crypto.createHmac('sha256', _authHmacKey).update(cfg.serverApiKey).digest();
+  const actual   = crypto.createHmac('sha256', _authHmacKey).update(token).digest();
+  return crypto.timingSafeEqual(expected, actual);
+}
+
+// ─── Rate limiter ─────────────────────────────────────────────────────────────
+
+const RATE_LIMIT_MAX    = 60;
+const RATE_LIMIT_WINDOW = 60 * 1_000;
+
+function createRateLimit() {
+  const _counts = new Map();
+  return {
+    _counts,
+    check(ip) {
+      const now   = Date.now();
+      const entry = _counts.get(ip) || { count: 0, windowStart: now };
+      if (now - entry.windowStart >= RATE_LIMIT_WINDOW) {
+        entry.count = 0;
+        entry.windowStart = now;
+      }
+      entry.count += 1;
+      _counts.set(ip, entry);
+      return entry.count <= RATE_LIMIT_MAX;
+    },
+    reset() { _counts.clear(); },
+  };
+}
+
+// ─── Path validation ──────────────────────────────────────────────────────────
+
+function safeScanPath(rawPath) {
+  const cwd      = process.cwd();
+  const resolved = path.resolve(cwd, rawPath || cwd);
+  const cwdNorm  = cwd.endsWith(path.sep) ? cwd : cwd + path.sep;
+  if (resolved !== cwd && !resolved.startsWith(cwdNorm)) {
+    throw new Error('Path outside working directory');
+  }
+  return resolved;
+}
+
+// ─── Security headers ────────────────────────────────────────────────────────
+
+const SECURITY_HEADERS = {
+  'X-Content-Type-Options':  'nosniff',
+  'X-Frame-Options':         'DENY',
+  'Content-Security-Policy': "default-src 'none'",
+};
+
+// ─── Fastify plugin ───────────────────────────────────────────────────────────
+
+/**
+ * Fastify plugin that registers all tdd-audit REST routes.
+ *
+ * Options:
+ *   cfg          - loaded config object
+ *   rateLimiter  - rate limiter instance (from createRateLimit())
+ */
+async function tddAuditPlugin(fastify, opts) {
+  const { cfg, rateLimiter } = opts;
+
+  // ── Security headers on every reply ────────────────────────────────────────
+  fastify.addHook('onSend', async (request, reply) => {
+    for (const [k, v] of Object.entries(SECURITY_HEADERS)) {
+      reply.header(k, v);
+    }
+  });
+
+  // ── Rate limiting ────────────────────────────────────────────────────────
+  fastify.addHook('preHandler', async (request, reply) => {
+    const ip = cfg.trustProxy
+      ? (request.headers['x-forwarded-for'] || request.ip || '').split(',')[0].trim()
+      : (request.ip || 'unknown');
+    if (!rateLimiter.check(ip)) {
+      reply.code(429).send({ error: 'Too Many Requests' });
+    }
+  });
+
+  // ── GET /health ──────────────────────────────────────────────────────────
+  fastify.get('/health', async () => ({ status: 'ok', version }));
+
+  // ── Authentication for all non-health routes ────────────────────────────
+  fastify.addHook('preHandler', async (request, reply) => {
+    if (request.routeOptions?.url === '/health') return;
+    if (!authenticate(request, cfg)) {
+      reply.code(401).send({ error: 'Unauthorized' });
+    }
+  });
+
+  // ── POST /scan ──────────────────────────────────────────────────────────
+  fastify.post('/scan', {
+    config: { rawBody: false },
+  }, async (request, reply) => {
+    const body = request.body || {};
+
+    let scanPath;
+    try { scanPath = safeScanPath(body.path); }
+    catch (e) { return reply.code(400).send({ error: e.message }); }
+
+    const format   = body.format || cfg.output || 'json';
+    const t0       = Date.now();
+    const findings = quickScan(scanPath);
+    const exempted = findings.exempted || [];
+    const duration = Date.now() - t0;
+
+    if (format === 'sarif') return toSarif(findings, scanPath);
+    return { ...toJson(findings, exempted), duration };
+  });
+
+  // ── POST /remediate ──────────────────────────────────────────────────────
+  fastify.post('/remediate', async (request, reply) => {
+    const body = request.body || {};
+    const { findings, provider, apiKey, model, baseUrl } = body;
+
+    if (!findings || !provider || !apiKey) {
+      return reply.code(400).send({ error: 'findings, provider, and apiKey are required' });
+    }
+
+    const jobId = createJob();
+
+    setImmediate(async () => {
+      try {
+        updateJob(jobId, { status: 'running', startedAt: new Date().toISOString() });
+        const results = await remediate({
+          findings, provider, apiKey,
+          model:   model   || cfg.model,
+          baseUrl: baseUrl || cfg.baseUrl,
+        });
+        updateJob(jobId, { status: 'done', completedAt: new Date().toISOString(), results });
+      } catch (err) {
+        updateJob(jobId, { status: 'error', error: err.message });
+      }
+    });
+
+    return reply.code(202).send({ jobId });
+  });
+
+  // ── POST /audit — full scan+remediate pipeline ────────────────────────────
+  fastify.post('/audit', async (request, reply) => {
+    const body = request.body || {};
+    const { path: rawPath, provider, apiKey, model, baseUrl, webhook } = body;
+
+    let scanPath;
+    try { scanPath = safeScanPath(rawPath); }
+    catch (e) { return reply.code(400).send({ error: e.message }); }
+
+    const jobId = createJob();
+
+    setImmediate(async () => {
+      try {
+        // Phase 1: scan
+        updateJob(jobId, { status: 'scanning', startedAt: new Date().toISOString() });
+        const findings = quickScan(scanPath);
+        updateJob(jobId, { status: 'scanned', findings });
+
+        // Phase 2: remediate (if provider supplied)
+        if (provider && apiKey) {
+          const total = findings.filter(f => !f.likelyFalsePositive).length;
+          updateJob(jobId, { status: 'remediating', total, completed: 0 });
+
+          // remediate is eagerly required at module top
+          const results = await remediate({
+            findings, provider, apiKey,
+            model:   model   || cfg.model,
+            baseUrl: baseUrl || cfg.baseUrl,
+            onProgress: (completed, current) => {
+              updateJob(jobId, { status: 'remediating', total, completed, current });
+            },
+          });
+          updateJob(jobId, {
+            status: 'done',
+            completedAt: new Date().toISOString(),
+            findings,
+            results,
+          });
+        } else {
+          updateJob(jobId, { status: 'done', completedAt: new Date().toISOString(), findings });
+        }
+
+        // Optional webhook fire-and-forget
+        if (webhook) {
+          const job = jobs.get(jobId);
+          fetch(webhook, {
+            method:  'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body:    JSON.stringify(job),
+          }).catch(() => {}); // never throw
+        }
+      } catch (err) {
+        updateJob(jobId, { status: 'error', error: err.message });
+      }
+    });
+
+    reply.header('Location', `/jobs/${jobId}`);
+    reply.header('Retry-After', '2');
+    return reply.code(202).send({ jobId });
+  });
+
+  // ── GET /jobs/:id ────────────────────────────────────────────────────────
+  fastify.get('/jobs/:id', async (request, reply) => {
+    const job = jobs.get(request.params.id);
+    if (!job) return reply.code(404).send({ error: 'Job not found' });
+    return job;
+  });
+
+  // ── GET /jobs/:id/stream — SSE real-time job updates ─────────────────────
+  fastify.get('/jobs/:id/stream', async (request, reply) => {
+    const id  = request.params.id;
+    const job = jobs.get(id);
+    if (!job) return reply.code(404).send({ error: 'Job not found' });
+
+    reply.hijack();
+    const raw = reply.raw;
+    raw.writeHead(200, {
+      'Content-Type':  'text/event-stream',
+      'Cache-Control': 'no-cache',
+      'Connection':    'keep-alive',
+      ...SECURITY_HEADERS,
+    });
+
+    const send = (data) => {
+      raw.write(`data: ${JSON.stringify(data)}\n\n`);
+    };
+
+    // Push current state immediately
+    send(jobs.get(id));
+
+    if (job.status === 'done' || job.status === 'error') {
+      raw.end();
+      return;
+    }
+
+    const unsubscribe = subscribe(id, (updated) => {
+      send(updated);
+      if (updated.status === 'done' || updated.status === 'error') {
+        unsubscribe();
+        raw.end();
+      }
+    });
+
+    raw.on('close', unsubscribe);
+  });
+}
+
+// ─── App factory ──────────────────────────────────────────────────────────────
+
+/**
+ * Build and return a configured Fastify instance.
+ * @param {object} cfg  - loaded config object
+ * @param {object} [overrides] - optional overrides (e.g. { logger: true })
+ */
+function buildApp(cfg, overrides = {}) {
+  const fastify = Fastify({
+    logger:           false,
+    trustProxy:       cfg.trustProxy || false,
+    bodyLimit:        512 * 1024, // 512 KB
+    ...overrides,
+  });
+
+  const rateLimiter = createRateLimit();
+
+  fastify.register(tddAuditPlugin, { cfg, rateLimiter });
+
+  // Expose internals for testing
+  fastify.decorate('rateLimiter', rateLimiter);
+  fastify.decorate('jobs',        jobs);
+  fastify.decorate('cfg',         cfg);
+
+  return fastify;
+}
+
+module.exports = {
+  tddAuditPlugin,
+  buildApp,
+  authenticate,
+  safeScanPath,
+  createRateLimit,
+  RATE_LIMIT_MAX,
+};

package/lib/remediator.js

@@ -185,10 +185,11 @@ function parseResponse(text) {
  * @param {string} opts.apiKey
  * @param {string} [opts.model]
  * @param {string} [opts.baseUrl]  - override base URL for OpenAI-compatible providers
- * @param {string} [opts.severity] - minimum severity to fix ('CRITICAL','HIGH','MEDIUM','LOW')
+ * @param {string}   [opts.severity]    - minimum severity to fix ('CRITICAL','HIGH','MEDIUM','LOW')
+ * @param {Function} [opts.onProgress]  - called with (completedCount, currentFindingName) after each finding
  * @returns {Promise<Array>} - results per finding
  */
-async function remediate({ findings, provider, apiKey, model, baseUrl, severity = 'LOW' }) {
+async function remediate({ findings, provider, apiKey, model, baseUrl, severity = 'LOW', onProgress }) {
   const ORDER = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3 };
   const threshold = ORDER[severity.toUpperCase()] ?? 3;
 
@@ -197,7 +198,8 @@ async function remediate({ findings, provider, apiKey, model, baseUrl, severity
     .sort((a, b) => (ORDER[a.severity] ?? 99) - (ORDER[b.severity] ?? 99));
 
   const results = [];
-  for (const finding of targets) {
+  for (let i = 0; i < targets.length; i++) {
+    const finding = targets[i];
     try {
       const prompt   = buildRemediationPrompt(finding);
       const raw      = await callProvider(provider, apiKey, model, prompt, baseUrl);
@@ -206,6 +208,9 @@ async function remediate({ findings, provider, apiKey, model, baseUrl, severity
     } catch (err) {
       results.push({ finding, status: 'error', error: err.message });
     }
+    if (typeof onProgress === 'function') {
+      onProgress(i + 1, finding.name);
+    }
   }
   return results;
 }

package/lib/scanner.js

@@ -70,7 +70,7 @@ const SCAN_EXTENSIONS = new Set(['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.
 
 /** Maximum file size to read before skipping (512 KB). Prevents OOM on large generated files. */
 const MAX_SCAN_FILE_BYTES = 512 * 1024;
-const SKIP_DIRS = new Set(['node_modules', '.git', 'dist', 'build', '.next', 'out', '__pycache__', 'venv', '.venv', 'vendor', '.expo', '.dart_tool', '.pub-cache']);
+const SKIP_DIRS = new Set(['node_modules', '.git', 'dist', 'build', 'coverage', '.next', 'out', '__pycache__', 'venv', '.venv', 'vendor', '.expo', '.dart_tool', '.pub-cache']);
 
 // ─── Prompt / Skill Patterns ──────────────────────────────────────────────────
 

package/lib/server.js

@@ -1,48 +1,53 @@
 'use strict';
 
 const crypto = require('crypto');
-const http   = require('http');
 const path   = require('path');
-const { quickScan, scanPromptFiles } = require('./scanner');
-const { toJson, toSarif, toText }    = require('./reporter');
+const { quickScan }                   = require('./scanner');
+const { toJson, toSarif }             = require('./reporter');
 const { loadConfig, parseCliOverrides } = require('./config');
-const { version } = require('../package.json');
+const { version }                     = require('../package.json');
+const { buildApp, RATE_LIMIT_MAX }    = require('./plugin');
+const {
+  jobs, createJob, updateJob, MAX_JOBS, JOB_TTL_MS,
+} = require('./jobs');
 
-// ─── Job store (in-memory) ────────────────────────────────────────────────────
+// ─── Auth (kept here for backward compat — SEC-17 reads this file) ────────────
 
-const jobs    = new Map();
-let   jobSeq  = 0;
-
-const MAX_JOBS    = 1_000;
-const JOB_TTL_MS  = 60 * 60 * 1_000; // 1 hour
-
-function evictJobs() {
-  const cutoff = Date.now() - JOB_TTL_MS;
-  for (const [id, job] of jobs) {
-    if (new Date(job.createdAt).getTime() < cutoff) jobs.delete(id);
-  }
-  // Hard cap: drop oldest entries until within limit
-  while (jobs.size >= MAX_JOBS) {
-    jobs.delete(jobs.keys().next().value);
-  }
-}
+// Fixed HMAC key for normalising token lengths before constant-time comparison.
+const _authHmacKey = crypto.randomBytes(32);
 
-function createJob() {
-  evictJobs();
-  const id = `job_${++jobSeq}_${Date.now()}`;
-  jobs.set(id, { id, status: 'pending', createdAt: new Date().toISOString() });
-  return id;
+/**
+ * Authenticate incoming requests.
+ * Accepts Node.js http.IncomingMessage OR Fastify Request objects.
+ * Uses HMAC + timingSafeEqual to prevent timing-oracle attacks.
+ */
+function authenticate(req, cfg) {
+  if (!cfg.serverApiKey) return true;
+  const headers = req.headers || {};
+  const header  = headers['authorization'] || '';
+  const token   = header.startsWith('Bearer ') ? header.slice(7) : '';
+  const expected = crypto.createHmac('sha256', _authHmacKey).update(cfg.serverApiKey).digest();
+  const actual   = crypto.createHmac('sha256', _authHmacKey).update(token).digest();
+  return crypto.timingSafeEqual(expected, actual);
 }
 
-function updateJob(id, patch) {
-  const job = jobs.get(id);
-  if (job) jobs.set(id, { ...job, ...patch });
+/**
+ * Validate and sanitise the `path` field from POST /scan.
+ * Only allow paths inside cwd to prevent path traversal.
+ */
+function safeScanPath(rawPath) {
+  const cwd      = process.cwd();
+  const resolved = path.resolve(cwd, rawPath || cwd);
+  const cwdNorm  = cwd.endsWith(path.sep) ? cwd : cwd + path.sep;
+  if (resolved !== cwd && !resolved.startsWith(cwdNorm)) {
+    throw new Error('Path outside working directory');
+  }
+  return resolved;
 }
 
-// ─── Rate limiter (in-memory, per-IP sliding window) ─────────────────────────
+// ─── Rate limiter (kept here for backward compat — SEC-14/16/20 read this) ───
 
-const RATE_LIMIT_MAX    = 60;           // requests per window
-const RATE_LIMIT_WINDOW = 60 * 1_000;  // 1 minute in ms
+const RATE_LIMIT_WINDOW = 60 * 1_000;
 
 const rateLimiter = {
   _counts: new Map(),
@@ -89,46 +94,11 @@ function readBody(req) {
   });
 }
 
-// Fixed HMAC key for normalising token lengths before constant-time comparison.
-// Does not need to be secret — purpose is timing-safety, not confidentiality.
-const _authHmacKey = crypto.randomBytes(32);
-
-/**
- * Authenticate incoming requests.
- * Uses HMAC + timingSafeEqual to prevent timing-oracle attacks.
- */
-function authenticate(req, cfg) {
-  if (!cfg.serverApiKey) return true; // no key configured — open
-  const header = req.headers['authorization'] || '';
-  const token  = header.startsWith('Bearer ') ? header.slice(7) : '';
-  const expected = crypto.createHmac('sha256', _authHmacKey).update(cfg.serverApiKey).digest();
-  const actual   = crypto.createHmac('sha256', _authHmacKey).update(token).digest();
-  return crypto.timingSafeEqual(expected, actual);
-}
-
-/**
- * Validate and sanitise the `path` field from POST /scan.
- * Only allow paths inside cwd to prevent path traversal.
- */
-function safeScanPath(rawPath) {
-  const cwd      = process.cwd();
-  const resolved = path.resolve(cwd, rawPath || cwd);
-  // Append sep so "/app" cannot match "/app-evil" via startsWith
-  const cwdNorm  = cwd.endsWith(path.sep) ? cwd : cwd + path.sep;
-  if (resolved !== cwd && !resolved.startsWith(cwdNorm)) {
-    throw new Error('Path outside working directory');
-  }
-  return resolved;
-}
-
-// ─── Router ───────────────────────────────────────────────────────────────────
+// ─── Router (kept for backward compat — SEC-16/20 and E2E tests use this) ────
 
 async function handleRequest(req, res, cfg) {
   const { method, url } = req;
 
-  // ── Rate limiting ──────────────────────────────────────────────────────────
-  // Only trust X-Forwarded-For when cfg.trustProxy is explicitly enabled.
-  // Default is false to prevent header-spoofing rate-limit bypasses.
   const ip = cfg.trustProxy
     ? (req.headers['x-forwarded-for'] || req.socket?.remoteAddress || '').split(',')[0].trim()
     : (req.socket?.remoteAddress || 'unknown');
@@ -136,17 +106,14 @@ async function handleRequest(req, res, cfg) {
     return json(res, 429, { error: 'Too Many Requests' });
   }
 
-  // ── GET /health ────────────────────────────────────────────────────────────
   if (method === 'GET' && url === '/health') {
     return json(res, 200, { status: 'ok', version });
   }
 
-  // All other routes require authentication
   if (!authenticate(req, cfg)) {
     return json(res, 401, { error: 'Unauthorized' });
   }
 
-  // ── POST /scan ─────────────────────────────────────────────────────────────
   if (method === 'POST' && url === '/scan') {
     let body;
     try { body = await readBody(req); }
@@ -156,19 +123,16 @@ async function handleRequest(req, res, cfg) {
     try { scanPath = safeScanPath(body.path); }
     catch (e) { return json(res, 400, { error: e.message }); }
 
-    const format  = body.format || cfg.output || 'json';
-    const t0      = Date.now();
+    const format   = body.format || cfg.output || 'json';
+    const t0       = Date.now();
     const findings = quickScan(scanPath);
     const exempted = findings.exempted || [];
     const duration = Date.now() - t0;
 
-    if (format === 'sarif') {
-      return json(res, 200, toSarif(findings, scanPath));
-    }
+    if (format === 'sarif') return json(res, 200, toSarif(findings, scanPath));
     return json(res, 200, { ...toJson(findings, exempted), duration });
   }
 
-  // ── POST /remediate ────────────────────────────────────────────────────────
   if (method === 'POST' && url === '/remediate') {
     let body;
     try { body = await readBody(req); }
@@ -181,7 +145,6 @@ async function handleRequest(req, res, cfg) {
 
     const jobId = createJob();
 
-    // Kick off async remediation (non-blocking)
     setImmediate(async () => {
       try {
         updateJob(jobId, { status: 'running', startedAt: new Date().toISOString() });
@@ -200,7 +163,6 @@ async function handleRequest(req, res, cfg) {
     return json(res, 202, { jobId });
   }
 
-  // ── GET /jobs/:id ──────────────────────────────────────────────────────────
   const jobMatch = url.match(/^\/jobs\/([^/?]+)$/);
   if (method === 'GET' && jobMatch) {
     const job = jobs.get(jobMatch[1]);
@@ -211,33 +173,28 @@ async function handleRequest(req, res, cfg) {
   return json(res, 404, { error: 'Not found' });
 }
 
-// ─── Start ────────────────────────────────────────────────────────────────────
+// ─── Start (uses Fastify) ─────────────────────────────────────────────────────
 
-function start(args = []) {
+async function start(args = []) {
   const cfg  = loadConfig(process.cwd(), parseCliOverrides(args));
   const port = cfg.port;
 
-  const server = http.createServer(async (req, res) => {
-    try {
-      await handleRequest(req, res, cfg);
-    } catch (err) {
-      // Production error handler — no stack traces
-      json(res, 500, { error: 'Internal server error' });
-    }
-  });
+  const fastify = buildApp(cfg);
 
-  server.listen(port, () => {
-    process.stdout.write(`\n🔒 tdd-audit REST API listening on http://localhost:${port}\n`);
-    if (!cfg.serverApiKey) {
-      process.stderr.write('⚠️  No --api-key set — server is unauthenticated. Set one for production.\n');
-    }
-    process.stdout.write('   GET  /health\n');
-    process.stdout.write('   POST /scan        { path, format? }\n');
-    process.stdout.write('   POST /remediate   { findings, provider, apiKey, model? }\n');
-    process.stdout.write('   GET  /jobs/:id\n\n');
-  });
+  await fastify.listen({ port, host: '0.0.0.0' });
 
-  return server; // returned for testing
+  process.stdout.write(`\n🔒 tdd-audit REST API listening on http://localhost:${port}\n`);
+  if (!cfg.serverApiKey) {
+    process.stderr.write('⚠️  No --api-key set — server is unauthenticated. Set one for production.\n');
+  }
+  process.stdout.write('   GET  /health\n');
+  process.stdout.write('   POST /scan         { path, format? }\n');
+  process.stdout.write('   POST /remediate    { findings, provider, apiKey, model? }\n');
+  process.stdout.write('   POST /audit        { path, provider?, apiKey?, model? }\n');
+  process.stdout.write('   GET  /jobs/:id\n');
+  process.stdout.write('   GET  /jobs/:id/stream  (SSE)\n\n');
+
+  return fastify.server; // returned for testing
 }
 
 module.exports = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lhi/tdd-audit",
-  "version": "1.12.0",
+  "version": "1.15.0",
   "description": "Security skill installer for Claude Code, Gemini CLI, Cursor, Codex, and OpenCode. Patches vulnerabilities using a Red-Green-Refactor exploit-test protocol.",
   "main": "index.js",
   "bin": {
@@ -60,5 +60,8 @@
   },
   "devDependencies": {
     "jest": "^30.3.0"
+  },
+  "dependencies": {
+    "fastify": "^5.8.4"
   }
 }