@lhi/tdd-audit 1.2.0 → 1.3.0

package/SKILL.md

@@ -14,12 +14,13 @@ If the user asks you to "Run the TDD Remediation Auto-Audit" or asks you to impl
    - **React / Next.js**: `pages/api/`, `app/api/`, `components/`, `hooks/`, `context/`, `store/`
    - **React Native / Expo**: `screens/`, `navigation/`, `app/`, `app.json`, `app.config.js`
    - **Flutter / Dart**: `lib/screens/`, `lib/services/`, `lib/api/`, `lib/repositories/`, `pubspec.yaml`
-   Search for anti-patterns: unparameterized SQL queries, missing ownership checks, unsafe HTML rendering, command injection sinks, sensitive data in storage, TLS bypasses, hardcoded secrets. Full search patterns are in [auto-audit.md](./prompts/auto-audit.md).
+   Search for anti-patterns across the full vulnerability surface: SQL/NoSQL/Template injection, IDOR, XSS, command injection, path traversal, SSRF, open redirects, broken auth, mass assignment, prototype pollution, weak crypto, sensitive storage, TLS bypasses, hardcoded secrets, missing rate limiting, missing security headers, CORS wildcards, XXE, insecure deserialization, WebView JS bridge exposure. Full search patterns are in [auto-audit.md](./prompts/auto-audit.md).
 2. **Plan**: Present a structured list of vulnerabilities (grouped by severity: CRITICAL / HIGH / MEDIUM / LOW) and get confirmation before making any changes.
 3. **Self-Implement**: For *each* confirmed vulnerability, autonomously execute the complete 3-phase protocol:
    - **[Phase 1 (Red)](./prompts/red-phase.md)**: Write the exploit test ensuring it fails.
    - **[Phase 2 (Green)](./prompts/green-phase.md)**: Write the security patch ensuring the test passes.
    - **[Phase 3 (Refactor)](./prompts/refactor-phase.md)**: Run the full test suite and ensure no business logic broke.
+4. **[Phase 4 (Hardening)](./prompts/hardening-phase.md)**: After all vulnerabilities are remediated, apply proactive defense-in-depth controls: security headers (Helmet), CSP, CSRF protection, rate limiting audit, dependency vulnerability scan, secret history scan, production error handling, and SRI for third-party scripts.
 Move methodically through vulnerabilities one by one, CRITICAL-first. Do not advance until the current vulnerability is fully remediated.
 
 ---

package/index.js

@@ -102,6 +102,23 @@ const VULN_PATTERNS = [
   { name: 'Insecure Random',   severity: 'HIGH',     pattern: /(?:token|sessionId|nonce|secret|csrf)\w*\s*=.*Math\.random\(\)|Math\.random\(\).*(?:token|session|nonce|secret)/i },
   { name: 'Sensitive Log',     severity: 'MEDIUM',   skipInTests: true,  pattern: /console\.(log|info|debug)\([^)]*(?:token|password|secret|jwt|authorization|apiKey|api_key)/i },
   { name: 'Secret Fallback',   severity: 'HIGH',     pattern: /process\.env\.\w+\s*\|\|\s*['"][A-Za-z0-9+/=_\-]{10,}['"]/i },
+  // SSRF, redirects, injection
+  { name: 'SSRF',                    severity: 'CRITICAL', pattern: /\b(?:fetch|axios\.(?:get|post|put|patch|delete|request)|got|https?\.get)\s*\(\s*req\.(?:query|body|params)\./i },
+  { name: 'Open Redirect',           severity: 'HIGH',     pattern: /res\.redirect\s*\(\s*req\.(?:query|body|params)\.|window\.location(?:\.href)?\s*=\s*(?:params\.|route\.params\.|searchParams\.get)/i },
+  { name: 'NoSQL Injection',         severity: 'HIGH',     pattern: /\.(?:find|findOne|findById|updateOne|deleteOne)\s*\(\s*req\.(?:body|query|params)\b|\$where\s*:\s*['"`]/i },
+  { name: 'Template Injection',      severity: 'HIGH',     pattern: /res\.render\s*\(\s*req\.(?:params|body|query)\.|(?:ejs|pug|nunjucks|handlebars)\.render(?:File)?\s*\([^)]*req\.(?:body|params|query)/i },
+  { name: 'Insecure Deserialization',severity: 'CRITICAL', pattern: /\.unserialize\s*\(.*req\.|__proto__\s*[=:][^=]|Object\.setPrototypeOf\s*\([^,]+,\s*req\./i },
+  // Assignment / pollution
+  { name: 'Mass Assignment',         severity: 'HIGH',     pattern: /new\s+\w+\s*\(\s*req\.body\b|\.create\s*\(\s*req\.body\b|\.update(?:One)?\s*\(\s*\{[^}]*\},\s*req\.body\b/i },
+  { name: 'Prototype Pollution',     severity: 'HIGH',     pattern: /(?:_\.merge|lodash\.merge|deepmerge|hoek\.merge)\s*\([^)]*req\.(?:body|query|params)/i },
+  // Crypto / config
+  { name: 'Weak Crypto',             severity: 'HIGH',     pattern: /createHash\s*\(\s*['"](?:md5|sha1)['"]\)|(?:md5|sha1)\s*\(\s*(?:password|passwd|pwd|secret)/i },
+  { name: 'CORS Wildcard',           severity: 'MEDIUM',   pattern: /cors\s*\(\s*\{\s*origin\s*:\s*['"]?\*['"]?|'Access-Control-Allow-Origin',\s*['"]?\*/i },
+  { name: 'Cleartext Traffic',       severity: 'MEDIUM',   skipInTests: true, pattern: /(?:baseURL|apiUrl|API_URL|endpoint|baseUrl)\s*[:=]\s*['"]http:\/\/(?!localhost|127\.0\.0\.1)/i },
+  { name: 'XXE',                     severity: 'HIGH',     pattern: /noent\s*:\s*true|expand_entities\s*=\s*True|resolve_entities\s*=\s*True/i },
+  // Mobile / WebView
+  { name: 'WebView JS Bridge',       severity: 'HIGH',     pattern: /addJavascriptInterface\s*\(|javaScriptEnabled\s*:\s*true|allowFileAccess\s*:\s*true|allowUniversalAccessFromFileURLs\s*:\s*true/i },
+  { name: 'Deep Link Injection',     severity: 'MEDIUM',   pattern: /Linking\.getInitialURL\s*\(\)|Linking\.addEventListener\s*\(\s*['"]url['"]/i },
 ];
 
 const SCAN_EXTENSIONS = new Set(['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.go', '.dart']);
@@ -151,6 +168,28 @@ function scanAppConfig() {
   return findings;
 }
 
+function scanAndroidManifest() {
+  const findings = [];
+  const manifestPath = path.join(projectDir, 'android', 'app', 'src', 'main', 'AndroidManifest.xml');
+  if (!fs.existsSync(manifestPath)) return findings;
+  let lines;
+  try { lines = fs.readFileSync(manifestPath, 'utf8').split('\n'); } catch { return findings; }
+  for (let i = 0; i < lines.length; i++) {
+    if (/android:debuggable\s*=\s*["']true["']/i.test(lines[i])) {
+      findings.push({
+        severity: 'HIGH',
+        name: 'Android Debuggable',
+        file: 'android/app/src/main/AndroidManifest.xml',
+        line: i + 1,
+        snippet: lines[i].trim().slice(0, 80),
+        inTestFile: false,
+        likelyFalsePositive: false,
+      });
+    }
+  }
+  return findings;
+}
+
 function quickScan() {
   const findings = [];
   for (const filePath of walkFiles(projectDir)) {
@@ -174,7 +213,7 @@ function quickScan() {
       }
     }
   }
-  return [...findings, ...scanAppConfig()];
+  return [...findings, ...scanAppConfig(), ...scanAndroidManifest()];
 }
 
 function printFindings(findings) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lhi/tdd-audit",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Anti-Gravity Skill for TDD Remediation. Patches security vulnerabilities using a Red-Green-Refactor protocol with automated exploit tests.",
   "main": "index.js",
   "bin": {

package/prompts/auto-audit.md

@@ -134,6 +134,86 @@ SharedPreferences.*setString.*token # token in unencrypted SharedPreferences
 Platform\.environment\[            # env access in Flutter — check for secrets
 ```
 
+**SSRF (Server-Side Request Forgery)**
+```
+fetch\(.*req\.(query|body|params)   # fetch with user-controlled URL
+axios\.(get|post)\(.*req\.body      # axios with user-controlled target
+got\(.*req\.(query|params)          # got with user-controlled URL
+```
+
+**Open Redirect**
+```
+res\.redirect\(.*req\.(query|body)  # redirecting to user-supplied URL
+window\.location.*=.*params\.       # client-side redirect from route params
+router\.push\(.*searchParams        # Next.js/RN push with user param
+```
+
+**NoSQL Injection**
+```
+\.find\(\s*req\.(body|query)        # MongoDB find with raw request object
+\.findOne\(\s*req\.(body|query)     # MongoDB findOne with raw request object
+\$where.*:                          # $where operator (executes JS in Mongo)
+```
+
+**Mass Assignment**
+```
+new.*Model\(.*req\.body             # passing full req.body to constructor
+\.create\(.*req\.body               # ORM create with unsanitized body
+\.update.*req\.body                 # ORM update with unsanitized body
+```
+
+**Prototype Pollution**
+```
+_\.merge\(.*req\.(body|query)       # lodash merge with user input
+deepmerge\(.*req\.(body|query)      # deepmerge with user input
+Object\.assign\(\{\}.*req\.body     # Object.assign from user input
+```
+
+**Weak Cryptography**
+```
+createHash\(['"]md5['"]             # MD5 for anything security-related
+createHash\(['"]sha1['"]            # SHA1 for anything security-related
+md5\(.*password                     # MD5-hashed password
+sha1\(.*password                    # SHA1-hashed password
+```
+
+**Missing Security Headers / Rate Limiting**
+```
+app\.(use|listen)                   # check: is helmet() present before routes?
+router\.(post|put|delete)           # mutation routes — check for rateLimit middleware
+app\.post\('/login                  # login route — must have rate limit
+app\.post\('/register               # register route — must have rate limit
+```
+
+**CORS Misconfiguration**
+```
+cors\(\{.*origin.*\*                # wildcard CORS origin
+Access-Control-Allow-Origin.*\*     # wildcard CORS header
+```
+
+**Template Injection**
+```
+res\.render\(.*req\.(params|query)  # user-controlled template name
+ejs\.render\(.*req\.body            # ejs render with user input
+pug\.render\(.*req\.body            # pug render with user input
+```
+
+**Cleartext Traffic / XXE**
+```
+baseURL.*=.*['"]http://(?!localhost) # non-HTTPS API base URL
+noent.*:.*true                      # XML entity expansion enabled
+resolve_entities.*True              # Python lxml entity expansion
+```
+
+**Dependency Audit**
+```
+# Run manually — not grep-based:
+# npm audit --audit-level=high
+# pip-audit
+# govulncheck ./...
+# bundle audit
+```
+
 ### 0c. Present Findings
 Before touching any code, output a structured **Audit Report** with this format:
 

package/prompts/green-phase.md

@@ -341,6 +341,277 @@ dependencies:
 
 ---
 
+### SSRF (Server-Side Request Forgery)
+
+**Root cause:** The server makes outbound HTTP requests to a URL supplied by the user without validation.
+
+**Fix:** Validate the URL against an explicit allowlist of allowed hostnames. Never make requests to private/internal IP ranges.
+
+```javascript
+const { URL } = require('url');
+
+const ALLOWED_ORIGINS = new Set(['api.trusted.com', 'cdn.example.com']);
+
+function validateExternalUrl(rawUrl) {
+  let parsed;
+  try { parsed = new URL(rawUrl); } catch { throw new Error('Invalid URL'); }
+  if (!['http:', 'https:'].includes(parsed.protocol)) throw new Error('Protocol not allowed');
+  if (!ALLOWED_ORIGINS.has(parsed.hostname)) throw new Error('Host not allowed');
+  return parsed.toString();
+}
+
+// In the route handler:
+const safeUrl = validateExternalUrl(req.body.url); // throws on violation
+const response = await fetch(safeUrl);
+```
+
+**Libraries:** No extra library needed; use the built-in `URL` class.
+
+---
+
+### Open Redirect
+
+**Root cause:** The server redirects the user to a URL supplied in a query parameter without validating the destination.
+
+**Fix:** Only allow relative paths or explicitly allowlisted origins.
+
+```javascript
+function safeRedirect(res, destination) {
+  // Allow only relative paths (no scheme, no host)
+  if (/^https?:\/\//i.test(destination)) {
+    return res.status(400).json({ error: 'External redirects not allowed' });
+  }
+  // Prevent protocol-relative URLs (//evil.com)
+  if (destination.startsWith('//')) {
+    return res.status(400).json({ error: 'Invalid redirect destination' });
+  }
+  return res.redirect(destination.startsWith('/') ? destination : `/${destination}`);
+}
+
+// Usage:
+safeRedirect(res, req.query.redirect || '/dashboard');
+```
+
+---
+
+### NoSQL Injection
+
+**Root cause:** A user-supplied value that should be a string is passed directly to MongoDB, allowing operator injection (`{ $gt: '' }`).
+
+**Fix:** Enforce that query values are primitive strings. Reject objects from user input in query fields.
+
+```javascript
+// Middleware: sanitize mongo-operator injection
+function sanitizeBody(req, res, next) {
+  const hasDollar = (obj) =>
+    Object.keys(obj || {}).some(k => k.startsWith('$') || (typeof obj[k] === 'object' && hasDollar(obj[k])));
+  if (hasDollar(req.body) || hasDollar(req.query)) {
+    return res.status(400).json({ error: 'Invalid input' });
+  }
+  next();
+}
+
+app.use(sanitizeBody);
+```
+
+**Library alternative:** `express-mongo-sanitize` strips `$` and `.` from user input automatically.
+```javascript
+const mongoSanitize = require('express-mongo-sanitize');
+app.use(mongoSanitize());
+```
+
+---
+
+### Mass Assignment
+
+**Root cause:** `req.body` is passed directly to an ORM constructor or update method, allowing users to set any field including privileged ones.
+
+**Fix:** Always destructure and explicitly allowlist the fields you accept from the user.
+
+```javascript
+// BEFORE (vulnerable)
+const user = await User.create(req.body);
+
+// AFTER — explicit allowlist
+const { username, email, password } = req.body;
+const user = await User.create({ username, email, password });
+
+// For updates:
+const { displayName, bio } = req.body; // only fields users can change
+await User.updateOne({ _id: req.user.id }, { displayName, bio });
+```
+
+```python
+# FastAPI — use a Pydantic schema with only allowed fields
+class UserCreate(BaseModel):
+    username: str
+    email: EmailStr
+    password: str
+    # isAdmin NOT here — cannot be set by users
+
+@app.post('/users')
+async def create_user(data: UserCreate):
+    user = User(**data.dict())  # safe: Pydantic strips unlisted fields
+```
+
+---
+
+### Prototype Pollution
+
+**Root cause:** A recursive merge function applied to user-supplied input can overwrite `Object.prototype` properties.
+
+**Fix:** Use a null-prototype target for merges, or sanitize `__proto__` / `constructor` keys before merging.
+
+```javascript
+// Option A: sanitize keys before merge (drop __proto__, constructor, prototype)
+function safeMerge(target, source) {
+  const clean = JSON.parse(
+    JSON.stringify(source, (key, val) =>
+      ['__proto__', 'constructor', 'prototype'].includes(key) ? undefined : val
+    )
+  );
+  return Object.assign(target, clean);
+}
+
+// Option B: use Object.create(null) as the target so there is no prototype to pollute
+const settings = safeMerge(Object.create(null), req.body);
+```
+
+**Library:** `lodash` ≥ 4.17.21 has this patched. If using `deepmerge`, pass `{ clone: true }` and pre-sanitize keys.
+
+---
+
+### Weak Cryptography (Password Hashing)
+
+**Root cause:** Passwords are hashed with MD5 or SHA1 — fast algorithms that are trivially brute-forced.
+
+**Fix:** Use `bcrypt` or `argon2`. Never use MD5/SHA1/SHA256 directly for passwords.
+
+```javascript
+// BEFORE (vulnerable)
+const crypto = require('crypto');
+const hash = crypto.createHash('md5').update(password).digest('hex');
+
+// AFTER — bcrypt
+const bcrypt = require('bcrypt');
+const SALT_ROUNDS = 12; // increase over time as hardware improves
+
+// On registration:
+const passwordHash = await bcrypt.hash(password, SALT_ROUNDS);
+await User.create({ email, passwordHash });
+
+// On login:
+const valid = await bcrypt.compare(req.body.password, user.passwordHash);
+if (!valid) return res.status(401).json({ error: 'Invalid credentials' });
+```
+
+```python
+# AFTER — bcrypt (Python)
+import bcrypt
+
+# Hash on registration:
+hashed = bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))
+
+# Verify on login:
+if not bcrypt.checkpw(password.encode(), stored_hash):
+    raise HTTPException(status_code=401, detail="Invalid credentials")
+```
+
+**Install:** `npm install bcrypt` / `pip install bcrypt`
+
+---
+
+### Missing Rate Limiting
+
+**Root cause:** Authentication and sensitive mutation endpoints have no throttle, enabling brute-force and credential-stuffing attacks.
+
+**Fix:** Apply `express-rate-limit` (Node.js) to auth routes. Use a stricter window on login than on general API routes.
+
+```javascript
+const rateLimit = require('express-rate-limit');
+
+const loginLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,  // 15 minutes
+  max: 10,                    // 10 attempts per window per IP
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Too many login attempts. Try again in 15 minutes.' },
+});
+
+const apiLimiter = rateLimit({
+  windowMs: 60 * 1000,
+  max: 100,
+});
+
+app.use('/api/', apiLimiter);
+app.post('/api/auth/login', loginLimiter, loginHandler);
+app.post('/api/auth/register', loginLimiter, registerHandler);
+```
+
+```python
+# FastAPI — slowapi
+from slowapi import Limiter
+from slowapi.util import get_remote_address
+
+limiter = Limiter(key_func=get_remote_address)
+
+@app.post('/auth/login')
+@limiter.limit('10/15minutes')
+async def login(request: Request, data: LoginRequest):
+    ...
+```
+
+**Install:** `npm install express-rate-limit` / `pip install slowapi`
+
+---
+
+### Missing Security Headers
+
+**Root cause:** Responses lack HTTP security headers, leaving browsers unprotected against clickjacking, MIME-sniffing, and other attacks.
+
+**Fix:** Install `helmet` as the first middleware. Configure CSP explicitly.
+
+```javascript
+const helmet = require('helmet');
+
+// Minimal (all helmet defaults — good for most apps)
+app.use(helmet());
+
+// With explicit CSP:
+app.use(
+  helmet({
+    contentSecurityPolicy: {
+      directives: {
+        defaultSrc: ["'self'"],
+        scriptSrc: ["'self'"],
+        styleSrc: ["'self'", "'unsafe-inline'"], // tighten further if possible
+        imgSrc: ["'self'", 'data:', 'https:'],
+        connectSrc: ["'self'"],
+        fontSrc: ["'self'"],
+        objectSrc: ["'none'"],
+        upgradeInsecureRequests: [],
+      },
+    },
+  })
+);
+```
+
+```python
+# FastAPI — secure
+from secure import Secure
+secure_headers = Secure()
+
+@app.middleware('http')
+async def set_secure_headers(request, call_next):
+    response = await call_next(request)
+    secure_headers.framework.fastapi(response)
+    return response
+```
+
+**Install:** `npm install helmet` / `pip install secure`
+
+---
+
 ### TLS Bypass Fix (Node.js + Flutter/Dart)
 
 **Root cause:** TLS certificate verification is explicitly disabled, allowing man-in-the-middle attacks.

package/prompts/hardening-phase.md

@@ -0,0 +1,243 @@
+# TDD Remediation: Proactive Hardening (Phase 4)
+
+Once all known vulnerabilities are remediated, Phase 4 goes beyond patching holes to building layers of defense that make future vulnerabilities harder to introduce and easier to catch.
+
+This phase is **additive and non-breaking** — apply each control independently, confirm the test suite remains green after each.
+
+---
+
+## 4a. Security Headers (Helmet)
+
+If `helmet` is not already installed:
+
+```bash
+npm install helmet
+```
+
+Apply as the **first** middleware in your Express/Fastify app:
+
+```javascript
+const helmet = require('helmet');
+app.use(helmet()); // sets X-Content-Type-Options, X-Frame-Options, HSTS, and more
+```
+
+For Next.js, add headers in `next.config.js`:
+
+```javascript
+const securityHeaders = [
+  { key: 'X-Content-Type-Options', value: 'nosniff' },
+  { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
+  { key: 'X-XSS-Protection', value: '1; mode=block' },
+  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
+  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
+  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
+];
+
+module.exports = {
+  async headers() {
+    return [{ source: '/(.*)', headers: securityHeaders }];
+  },
+};
+```
+
+**Verify:** `curl -I https://localhost:3000/` — confirm headers are present.
+
+---
+
+## 4b. Content Security Policy (CSP)
+
+A strict CSP is the most effective mitigation against XSS — even if a sanitization step is bypassed.
+
+```javascript
+app.use(
+  helmet.contentSecurityPolicy({
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'"],            // no 'unsafe-inline' — use nonces for inline scripts
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      imgSrc: ["'self'", 'data:', 'https:'],
+      connectSrc: ["'self'"],
+      fontSrc: ["'self'"],
+      objectSrc: ["'none'"],
+      frameAncestors: ["'none'"],       // equivalent to X-Frame-Options: DENY
+      upgradeInsecureRequests: [],
+    },
+  })
+);
+```
+
+**Test:** Use `https://csp-evaluator.withgoogle.com/` to score your policy.
+
+---
+
+## 4c. CSRF Protection
+
+For any app that uses cookie-based sessions (not pure JWT/Authorization header flows):
+
+```javascript
+// Express — csurf (or csrf for ESM)
+const csrf = require('csurf');
+const csrfProtection = csrf({ cookie: true });
+
+app.use(csrfProtection);
+app.get('/form', (req, res) => res.render('form', { csrfToken: req.csrfToken() }));
+
+// In the HTML form:
+// <input type="hidden" name="_csrf" value="<%= csrfToken %>" />
+```
+
+For single-page apps using `fetch`, use the double-submit cookie pattern or a same-site cookie with `SameSite=Strict`.
+
+```javascript
+// SameSite cookies (simple and effective for modern browsers)
+res.cookie('session', token, {
+  httpOnly: true,
+  secure: true,
+  sameSite: 'strict',
+});
+```
+
+---
+
+## 4d. Rate Limiting Audit
+
+Verify these route categories all have rate limiting applied:
+
+| Route type | Recommended limit |
+|---|---|
+| `/login`, `/register`, `/forgot-password` | 10 requests / 15 min / IP |
+| `/api/` general endpoints | 100 requests / 1 min / IP |
+| File upload endpoints | 5 requests / 1 min / IP |
+| Password reset confirmation | 5 requests / 15 min / IP |
+
+```bash
+# Quick check — grep for unprotected POST routes
+grep -rn "app\.post\|router\.post" src/ --include="*.js" | grep -v "limiter\|rateLimit"
+```
+
+---
+
+## 4e. Dependency Vulnerability Audit
+
+Run your ecosystem's audit tool and fix HIGH/CRITICAL findings:
+
+```bash
+# Node.js
+npm audit --audit-level=high
+npm audit fix  # auto-fix where safe
+
+# Python
+pip install pip-audit
+pip-audit
+
+# Go
+go install golang.org/x/vuln/cmd/govulncheck@latest
+govulncheck ./...
+
+# Ruby
+gem install bundler-audit
+bundle audit check --update
+
+# Dart / Flutter
+flutter pub outdated
+dart pub deps  # review transitive deps
+```
+
+Add dependency audits to CI so new vulnerabilities are caught on every PR:
+
+```yaml
+# .github/workflows/security-tests.yml (add this step)
+- name: Dependency Audit
+  run: npm audit --audit-level=high
+```
+
+---
+
+## 4f. Secrets in Git History
+
+Scan for secrets that were committed and then removed — they still exist in git history.
+
+```bash
+# Using trufflehog (recommended)
+npx trufflehog git file://. --only-verified
+
+# Using gitleaks
+brew install gitleaks   # or download from github.com/gitleaks/gitleaks
+gitleaks detect --source . -v
+```
+
+If secrets are found in history:
+1. **Rotate the secret immediately** — treat it as compromised.
+2. Use `git filter-repo` (not `filter-branch`) to rewrite history.
+3. Force-push and notify all team members to re-clone.
+
+Add a pre-commit hook to prevent future secret commits:
+
+```bash
+# .git/hooks/pre-commit (or use the --with-hooks flag when installing tdd-audit)
+npx gitleaks protect --staged -v
+```
+
+---
+
+## 4g. Error Handling Hardening
+
+Production error responses must never reveal stack traces, file paths, or internal state.
+
+```javascript
+// Express — production error handler (place last, after all routes)
+app.use((err, req, res, next) => {
+  const isDev = process.env.NODE_ENV !== 'production';
+  console.error(err); // log internally — never expose to client
+  res.status(err.status || 500).json({
+    error: isDev ? err.message : 'Internal server error',
+    ...(isDev && { stack: err.stack }),
+  });
+});
+```
+
+```python
+# FastAPI
+from fastapi.responses import JSONResponse
+from fastapi.exceptions import RequestValidationError
+
+@app.exception_handler(Exception)
+async def generic_exception_handler(request, exc):
+    # Log internally
+    logger.error(f"Unhandled exception: {exc}", exc_info=True)
+    return JSONResponse(status_code=500, content={"error": "Internal server error"})
+```
+
+---
+
+## 4h. Subresource Integrity (SRI)
+
+For any third-party scripts or stylesheets loaded via CDN, add integrity hashes to prevent supply-chain injection:
+
+```html
+<!-- Generate hash: openssl dgst -sha384 -binary script.js | openssl base64 -A -->
+<script
+  src="https://cdn.example.com/lib.min.js"
+  integrity="sha384-<hash>"
+  crossorigin="anonymous"
+></script>
+```
+
+**Tool:** https://www.srihash.org/ generates the integrity attribute from any public URL.
+
+---
+
+## 4i. Hardening Verification Checklist
+
+After Phase 4, confirm all of the following:
+
+- [ ] `helmet()` applied before all routes; `X-Content-Type-Options: nosniff` in every response
+- [ ] CSP header present; validated with csp-evaluator
+- [ ] CSRF protection on all state-mutating routes (or SameSite=Strict cookies)
+- [ ] Rate limiting on auth routes (429 returned after threshold — covered by red-phase test)
+- [ ] `npm audit` / `pip-audit` / `govulncheck` shows 0 HIGH/CRITICAL issues
+- [ ] `gitleaks` or `trufflehog` shows no verified secrets in history
+- [ ] Production error handler returns generic messages; no stack traces in 5xx responses
+- [ ] SRI hashes on all third-party CDN resources
+- [ ] `*.env` files in `.gitignore`; no `.env` committed to git
+- [ ] All cookies use `httpOnly: true`, `secure: true`, `sameSite: 'strict'` or `'lax'`

package/prompts/red-phase.md

@@ -166,6 +166,90 @@ test('SHOULD NOT store token in plain AsyncStorage', async () => {
 });
 ```
 
+### SSRF (Server-Side Request Forgery)
+Supply a user-controlled URL pointing to an internal resource (e.g., `http://169.254.169.254/` AWS metadata).
+Assert a 400 or 403 — not a 200 proxying internal content.
+```javascript
+const res = await request(app)
+  .post('/api/fetch-preview')
+  .send({ url: 'http://169.254.169.254/latest/meta-data/' });
+expect(res.status).toBe(400); // currently fetches and returns internal data — RED
+```
+
+### Open Redirect
+Supply a fully external URL as the redirect destination.
+Assert a 400 or that the redirect stays within the same origin.
+```javascript
+const res = await request(app)
+  .get('/auth/callback')
+  .query({ redirect: 'https://evil.com/steal-token' });
+expect(res.status).toBe(400); // currently 302 to attacker site — RED
+// OR assert Location header is relative:
+expect(res.headers.location).not.toMatch(/^https?:\/\//);
+```
+
+### NoSQL Injection
+Supply a MongoDB operator object instead of a plain string value.
+Assert the query is rejected or returns no data.
+```javascript
+const res = await request(app)
+  .post('/api/login')
+  .send({ username: { $gt: '' }, password: { $gt: '' } });
+expect(res.status).toBe(400); // currently returns first user record — RED
+```
+
+### Mass Assignment
+Submit extra fields that should not be user-settable (e.g., `isAdmin`, `role`).
+Assert the privileged field was ignored.
+```javascript
+const res = await request(app)
+  .post('/api/users/register')
+  .send({ username: 'attacker', password: 'pass', isAdmin: true });
+expect(res.status).toBe(201);
+const user = await User.findOne({ username: 'attacker' });
+expect(user.isAdmin).toBe(false); // currently set to true — RED
+```
+
+### Prototype Pollution
+Submit a payload that sets `__proto__` to inject properties into Object.prototype.
+Assert the injected property is not visible on a fresh `{}`.
+```javascript
+const res = await request(app)
+  .post('/api/settings/merge')
+  .send({ '__proto__': { polluted: true } });
+expect(res.status).toBe(200);
+expect({}.polluted).toBeUndefined(); // currently true — RED
+```
+
+### Weak Crypto (Password Hashing)
+Hash a known password and assert the resulting hash is not a raw MD5/SHA1 hex string.
+```javascript
+const bcrypt = require('bcrypt');
+const user = await User.create({ email: 'x@x.com', password: 'mypassword' });
+// An MD5 hash of 'mypassword' is 34819d7beeabb9260a5c854bc85b3e44
+expect(user.passwordHash).not.toBe('34819d7beeabb9260a5c854bc85b3e44');
+// A proper bcrypt hash starts with $2b$
+expect(user.passwordHash).toMatch(/^\$2[aby]\$/); // currently fails — RED
+```
+
+### Missing Rate Limiting
+Send 10 rapid login attempts; assert the 11th is throttled (429).
+```javascript
+for (let i = 0; i < 10; i++) {
+  await request(app).post('/api/auth/login').send({ email: 'x@x.com', password: 'wrong' });
+}
+const res = await request(app).post('/api/auth/login').send({ email: 'x@x.com', password: 'wrong' });
+expect(res.status).toBe(429); // currently 401 — rate limit not enforced — RED
+```
+
+### Missing Security Headers
+Assert a response includes the `X-Content-Type-Options` and `X-Frame-Options` headers set by Helmet.
+```javascript
+const res = await request(app).get('/');
+expect(res.headers['x-content-type-options']).toBe('nosniff'); // currently absent — RED
+expect(res.headers['x-frame-options']).toBeDefined(); // currently absent — RED
+```
+
 ### Flutter / Dart (flutter_test)
 ```dart
 import 'package:flutter_test/flutter_test.dart';

package/prompts/refactor-phase.md

@@ -32,6 +32,16 @@ Go through this checklist before closing the vulnerability:
 - [ ] **Offline token refresh still works** — `SecureStore.getItemAsync` is called in the right lifecycle (not before `SecureStore.isAvailableAsync()` on web)
 - [ ] **Deep link params validated** — any `route.params` passed to API calls are sanitized or type-checked
 
+**New vulnerability class additions:**
+- [ ] **SSRF allowlist verified** — `validateExternalUrl` throws on internal IPs and non-allowlisted hosts; confirm `169.254.x.x` and `10.x.x.x` are blocked
+- [ ] **Open redirect uses relative-only check** — `/^https?:\/\//` and `//` prefix both rejected; confirm legitimate in-app redirects still work
+- [ ] **NoSQL injection sanitized** — `express-mongo-sanitize` or equivalent applied globally; confirm `{ $gt: '' }` payloads return 400
+- [ ] **Mass assignment uses field allowlist** — no `req.body` passed directly to ORM; confirm privileged fields (`isAdmin`, `role`) cannot be set by user
+- [ ] **Prototype pollution sanitizes keys** — `__proto__`, `constructor`, `prototype` keys stripped before any merge; confirm `{}.polluted` is still `undefined` after merge
+- [ ] **Passwords use bcrypt/argon2** — no `createHash('md5')` or `createHash('sha1')` for passwords; `bcrypt.compare` used on login
+- [ ] **Rate limiting active on auth routes** — `/login` and `/register` return 429 after threshold; general API routes have a broader limit
+- [ ] **Helmet applied before all routes** — `X-Content-Type-Options: nosniff` and `X-Frame-Options` present in response; CSP header present
+
 **Flutter additions:**
 - [ ] **`flutter_secure_storage` in `pubspec.yaml`** — dependency present and `flutter pub get` ran
 - [ ] **No remaining `SharedPreferences` calls for sensitive keys** — grep for `prefs.getString('token')`, `prefs.setString('password', ...)`

package/workflows/tdd-audit.md

@@ -11,6 +11,13 @@ Follow the full Auto-Audit protocol from `auto-audit.md`:
    - Write the exploit test (Red — must fail)
    - Apply the patch (Green — test must pass)
    - Run the full suite (Refactor — no regressions)
-4. **Report** a final Remediation Summary table when all issues are addressed.
+4. **Harden** the codebase proactively after all vulnerabilities are patched:
+   - Security headers (Helmet / CSP)
+   - Rate limiting on auth routes
+   - Dependency vulnerability audit (npm audit / pip-audit / govulncheck)
+   - Secret history scan (gitleaks / trufflehog)
+   - Production error handling (no stack traces)
+   - CSRF protection and secure cookie flags
+5. **Report** a final Remediation Summary table when all issues are addressed.
 
 Do not skip steps. Do not advance to the next vulnerability until the current one is fully proven closed by a passing test.