@lhi/tdd-audit 1.15.0 → 1.16.0

package/index.js

@@ -12,7 +12,7 @@ const {
   printFindings,
 } = require('./lib/scanner');
 const { toJson, toSarif, toText } = require('./lib/reporter');
-const { writeInitConfig } = require('./lib/config');
+const { writeInitConfig, loadConfig, parseCliOverrides } = require('./lib/config');
 const { badgeLine, injectBadge } = require('./lib/badge');
 
 const args = process.argv.slice(2);
@@ -35,6 +35,7 @@ const outputFormat = args.includes('--json') ? 'json'
 const agentBaseDir = isLocal ? process.cwd() : os.homedir();
 const agentDirName = isClaude ? '.claude' : '.agents';
 const projectDir = process.cwd();
+const config = loadConfig(projectDir, parseCliOverrides(args));
 
 const targetSkillDir = path.join(agentBaseDir, agentDirName, 'skills', 'tdd-remediation');
 const targetWorkflowDir = isClaude
@@ -88,7 +89,7 @@ if (scanOnly) {
     process.stdout.write('\n');
     printFindings(findings, exempted);
   }
-  injectBadge(projectDir, badgeLine(findings));
+  injectBadge(projectDir, badgeLine(findings, config.tdd_site));
   process.exit(0);
 }
 
@@ -245,7 +246,7 @@ if (!skipScan) {
   const findings = quickScan(projectDir);
   process.stdout.write('\n');
   printFindings(findings);
-  const badge = badgeLine(findings);
+  const badge = badgeLine(findings, config.tdd_site);
   injectBadge(projectDir, badge);
   console.log('✅ README badge updated');
 }

package/lib/badge.js

@@ -17,10 +17,16 @@ const NPM_URL = 'https://www.npmjs.com/package/@lhi/tdd-audit';
  *
  * likelyFalsePositive findings (test fixtures) are excluded from the count.
  *
- * @param {Array} findings  - findings array returned by quickScan()
- * @returns {string}        - single-line markdown badge ending with \n
+ * The badge links to `siteUrl` when provided (set via `tdd_site` in
+ * .tdd-audit.json). When absent — including all skill-mode invocations where
+ * no config file exists — the link falls back to the @lhi/tdd-audit npm page
+ * so readers always know where the security tooling came from.
+ *
+ * @param {Array}  findings  - findings array returned by quickScan()
+ * @param {string} [siteUrl] - optional override link (from config.tdd_site)
+ * @returns {string}         - single-line markdown badge ending with \n
  */
-function badgeLine(findings) {
+function badgeLine(findings, siteUrl) {
   // Exclude test-file findings and likely false positives — badge reflects production code only
   const real     = (findings || []).filter(f => !f.likelyFalsePositive && !f.inTestFile);
   const criticals = real.filter(f => f.severity === 'CRITICAL').length;
@@ -38,10 +44,11 @@ function badgeLine(findings) {
     color   = 'brightgreen';
   }
 
-  const badgeUrl = `https://img.shields.io/badge/tdd--audit-${message}-${color}`;
+  const badgeUrl  = `https://img.shields.io/badge/tdd--audit-${message}-${color}`;
+  const targetUrl = (siteUrl && siteUrl.trim()) ? siteUrl.trim() : NPM_URL;
   // Embed the marker as a hidden HTML comment after the badge so injectBadge()
   // can locate and replace the line on subsequent runs.
-  return `[![tdd-audit](${badgeUrl})](${NPM_URL}) <!-- ${BADGE_MARKER} -->\n`;
+  return `[![tdd-audit](${badgeUrl})](${targetUrl}) <!-- ${BADGE_MARKER} -->\n`;
 }
 
 /**

package/lib/config.js

@@ -17,6 +17,7 @@ const DEFAULTS = {
   apiKeyEnv:         null,      // env var name to read the key from
   serverApiKey:      null,      // key required on REST API calls
   trustProxy:        false,     // trust X-Forwarded-For for rate limiting
+  tdd_site:          null,      // custom URL for the README badge link; falls back to npm page
 };
 
 // Provider-specific defaults for `tdd-audit init --provider <name>`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lhi/tdd-audit",
-  "version": "1.15.0",
+  "version": "1.16.0",
   "description": "Security skill installer for Claude Code, Gemini CLI, Cursor, Codex, and OpenCode. Patches vulnerabilities using a Red-Green-Refactor exploit-test protocol.",
   "main": "index.js",
   "bin": {