@lhi/tdd-audit 1.12.0 → 1.15.0

package/prompts/auto-audit.md

@@ -400,6 +400,115 @@ After all vulnerabilities are addressed, output a final **Remediation Summary**:
 
 ---
 
+## Phase 4: Coverage Gate (≥ 95%)
+
+After all vulnerabilities are patched and the hardening checklist is complete, measure test coverage and drive it to **≥ 95% line and branch coverage**.
+
+```bash
+# Node.js / Jest
+npx jest --coverage --coverageReporters=text
+
+# Python
+pytest --cov=. --cov-report=term-missing
+
+# Go
+go test ./... -coverprofile=coverage.out && go tool cover -func=coverage.out
+```
+
+1. Run the coverage report.
+2. Identify every uncovered line or branch.
+3. For each gap: write a test (Red — must fail without the code path), confirm it passes (Green), re-run coverage.
+4. Repeat until the overall line **and** branch coverage both reach ≥ 95%.
+5. If a file is intentionally excluded (e.g., generated code, migration stubs), add it to the coverage exclusion config and note the reason.
+
+Do **not** write empty or trivially-true tests to inflate numbers. Every test must assert real behavior.
+
+---
+
+## Phase 5: Badge README
+
+Once coverage is ≥ 95%, add a coverage badge to `README.md`.
+
+- If `README.md` does not exist, create a minimal one with the project name and badge.
+- The badge must appear at the **top of the file**, before any other content.
+- Use a static Shields.io badge that reflects the actual measured value:
+
+```markdown
+![Coverage](https://img.shields.io/badge/coverage-95%25-brightgreen)
+```
+
+**Colour tiers:**
+
+| Coverage | Colour |
+|---|---|
+| ≥ 90% | `brightgreen` |
+| 75–89% | `yellow` |
+| < 75% | `red` |
+
+Adjust the percentage in the badge URL to match the real number (e.g., `97%25` for 97%).
+
+---
+
+## Phase 6: SECURITY.md
+
+Check whether a `SECURITY.md` exists at the repo root.
+
+- **If it exists** — do not overwrite it. Read it and confirm it has a vulnerability reporting contact. If missing, append one.
+- **If it does not exist** — create it following the GitHub Security Advisory format:
+
+```markdown
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|---|---|
+| latest | ✅ |
+| < latest | ❌ |
+
+## Reporting a Vulnerability
+
+Please **do not** open a public GitHub issue for security vulnerabilities.
+
+Report vulnerabilities privately via:
+- **GitHub**: Use [GitHub's private vulnerability reporting](../../security/advisories/new)
+- **Email**: security@example.com *(replace with project contact)*
+
+Expect acknowledgement within **48 hours** and a patch or mitigation plan within **14 days** for verified HIGH/CRITICAL issues. Reporters are credited in release notes unless anonymity is requested.
+
+## Security Hardening
+
+This repository is maintained with the following controls:
+
+- HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
+- Rate limiting on all state-mutating and authentication routes
+- Dependencies audited on every CI run (`npm audit --audit-level=high`)
+- No secrets committed to git history (verified with gitleaks / trufflehog)
+- ≥ 95% test coverage enforced via CI coverage gate
+- Vulnerabilities remediated using a Red-Green-Refactor exploit-test protocol
+```
+
+Replace placeholder email and version table with the project's real information.
+
+---
+
+## Final Report
+
+After Phases 4–6 complete, append to the Remediation Summary:
+
+```
+## Coverage & Documentation
+
+| Item | Status | Detail |
+|---|---|---|
+| Line coverage   | ✅ | 96.4% |
+| Branch coverage | ✅ | 95.1% |
+| README badge    | ✅ | Updated to 96% (brightgreen) |
+| SECURITY.md     | ✅ | Created at repo root |
+```
+
+---
+
 ## Agentic AI Security (ASI01–ASI10)
 
 When the project contains AI agent code, MCP configurations, CLAUDE.md files, or tool-calling patterns, also scan for agentic-specific vulnerabilities. These can be harder to spot than traditional web vulns but carry severe consequences (data exfiltration via tool abuse, agent hijacking, supply chain via MCP).

package/prompts/hardening-phase.md

@@ -321,6 +321,94 @@ If this project contains AI agent code, MCP configurations, or CLAUDE.md files,
 
 ---
 
+## 4l. Coverage Gate (≥ 95%)
+
+After hardening is complete, measure test coverage and drive it to **≥ 95% line and branch coverage** before closing the audit.
+
+```bash
+# Node.js / Jest
+npx jest --coverage --coverageReporters=text
+
+# Python
+pytest --cov=. --cov-report=term-missing
+
+# Go
+go test ./... -coverprofile=coverage.out && go tool cover -func=coverage.out
+```
+
+1. Run the coverage report and note every uncovered line or branch.
+2. For each gap: write a failing test (Red), make it pass (Green), re-run coverage.
+3. Repeat until line **and** branch coverage both reach ≥ 95%.
+4. Files that are intentionally excluded (generated code, migration stubs) must be listed in the coverage config with a reason.
+
+Do **not** write trivially-true tests to inflate numbers — every test must assert real behavior.
+
+---
+
+## 4m. Badge README
+
+Once coverage is ≥ 95%, add (or update) a coverage badge in `README.md`. If no `README.md` exists, create a minimal one.
+
+The badge must appear at the **top of the file**, before any other content:
+
+```markdown
+![Coverage](https://img.shields.io/badge/coverage-95%25-brightgreen)
+```
+
+**Colour tiers:**
+
+| Coverage | Colour |
+|---|---|
+| ≥ 90% | `brightgreen` |
+| 75–89% | `yellow` |
+| < 75% | `red` |
+
+Adjust the percentage to match the actual measured value (e.g., `97%25` for 97%). Do not overwrite other existing badges — add the coverage badge as the first badge on the line.
+
+---
+
+## 4n. SECURITY.md
+
+Check whether a `SECURITY.md` exists at the repo root. **Do not overwrite an existing file.**
+
+If absent, create one following the GitHub Security Advisory format:
+
+```markdown
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|---|---|
+| latest | ✅ |
+| < latest | ❌ |
+
+## Reporting a Vulnerability
+
+Please **do not** open a public GitHub issue for security vulnerabilities.
+
+Report privately via:
+- **GitHub**: Use [GitHub's private vulnerability reporting](../../security/advisories/new)
+- **Email**: security@example.com *(replace with project contact)*
+
+Expect acknowledgement within **48 hours** and a patch or mitigation plan within **14 days** for verified HIGH/CRITICAL issues. Reporters are credited in release notes unless anonymity is requested.
+
+## Security Hardening
+
+This repository is maintained with the following controls:
+
+- HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
+- Rate limiting on all state-mutating and authentication routes
+- Dependencies audited on every CI run (`npm audit --audit-level=high`)
+- No secrets committed to git history (verified with gitleaks / trufflehog)
+- ≥ 95% test coverage enforced via CI coverage gate
+- Vulnerabilities remediated using a Red-Green-Refactor exploit-test protocol
+```
+
+Replace placeholder email and version table with the project's real information.
+
+---
+
 ## 4k. Hardening Verification Checklist
 
 After Phase 4, confirm all of the following:
@@ -341,3 +429,6 @@ After Phase 4, confirm all of the following:
 - [ ] `CLAUDE.md` in version control and reviewed; no user-supplied content
 - [ ] MCP servers pinned to exact versions or local installs
 - [ ] Agent tool permissions scoped to minimum required
+- [ ] Test coverage ≥ 95% line and branch (4l)
+- [ ] `README.md` has a coverage badge at the top reflecting the actual % (4m)
+- [ ] `SECURITY.md` exists at repo root with a private vulnerability reporting contact (4n)