@lhi/tdd-audit 1.3.0 → 1.4.1

package/index.js

@@ -4,6 +4,14 @@ const fs = require('fs');
 const path = require('path');
 const os = require('os');
 
+const {
+  detectFramework,
+  detectAppFramework,
+  detectTestBaseDir,
+  quickScan,
+  printFindings,
+} = require('./lib/scanner');
+
 const args = process.argv.slice(2);
 const isLocal = args.includes('--local');
 const isClaude = args.includes('--claude');
@@ -20,245 +28,22 @@ const targetWorkflowDir = isClaude
   ? path.join(agentBaseDir, agentDirName, 'commands')
   : path.join(agentBaseDir, agentDirName, 'workflows');
 
-// ─── 1. Framework Detection ──────────────────────────────────────────────────
-
-function detectFramework() {
-  // Flutter / Dart — check before package.json since a Flutter project may have both
-  if (fs.existsSync(path.join(projectDir, 'pubspec.yaml'))) return 'flutter';
-
-  const pkgPath = path.join(projectDir, 'package.json');
-  if (fs.existsSync(pkgPath)) {
-    try {
-      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
-      const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-      if (deps.vitest) return 'vitest';
-      if (deps.jest || deps.supertest) return 'jest';
-      if (deps.mocha) return 'mocha';
-    } catch {}
-  }
-  if (
-    fs.existsSync(path.join(projectDir, 'pytest.ini')) ||
-    fs.existsSync(path.join(projectDir, 'pyproject.toml')) ||
-    fs.existsSync(path.join(projectDir, 'setup.py')) ||
-    fs.existsSync(path.join(projectDir, 'requirements.txt'))
-  ) return 'pytest';
-  if (fs.existsSync(path.join(projectDir, 'go.mod'))) return 'go';
-  return 'jest';
-}
-
-// Detect the UI framework for richer scan context (React, Next.js, RN, Expo, Flutter)
-function detectAppFramework() {
-  if (fs.existsSync(path.join(projectDir, 'pubspec.yaml'))) return 'flutter';
-  const pkgPath = path.join(projectDir, 'package.json');
-  if (fs.existsSync(pkgPath)) {
-    try {
-      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
-      const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-      if (deps.expo) return 'expo';
-      if (deps['react-native']) return 'react-native';
-      if (deps.next) return 'nextjs';
-      if (deps.react) return 'react';
-    } catch {}
-  }
-  return null;
-}
-
-const appFramework = detectAppFramework();
-
-const framework = detectFramework();
-
-// ─── 2. Test Directory Detection ─────────────────────────────────────────────
-
-function detectTestBaseDir() {
-  // Respect an existing convention before inventing one
-  const candidates = ['__tests__', 'tests', 'test', 'spec'];
-  for (const dir of candidates) {
-    if (fs.existsSync(path.join(projectDir, dir))) return dir;
-  }
-  // Framework-informed defaults when no directory exists yet
-  if (framework === 'pytest') return 'tests';
-  if (framework === 'go') return 'test';
-  return '__tests__';
-}
-
-const testBaseDir = detectTestBaseDir();
+const appFramework = detectAppFramework(projectDir);
+const framework = detectFramework(projectDir);
+const testBaseDir = detectTestBaseDir(projectDir, framework);
 const targetTestDir = path.join(projectDir, testBaseDir, 'security');
 
-// ─── 3. Quick Scan ───────────────────────────────────────────────────────────
-
-const VULN_PATTERNS = [
-  { name: 'SQL Injection',     severity: 'CRITICAL', pattern: /(`SELECT[^`]*\$\{|"SELECT[^"]*"\s*\+|execute\(f"|cursor\.execute\(.*%s|\.query\(`[^`]*\$\{)/i },
-  { name: 'Command Injection', severity: 'CRITICAL', pattern: /\bexec(Sync)?\s*\(.*req\.(params|body|query)|subprocess\.(run|Popen|call)\([^)]*shell\s*=\s*True/i },
-  { name: 'IDOR',              severity: 'HIGH',     pattern: /findById\s*\(\s*req\.(params|body|query)\.|findOne\s*\(\s*\{[^}]*id\s*:\s*req\.(params|body|query)/i },
-  { name: 'XSS',               severity: 'HIGH',     pattern: /[^/]innerHTML\s*=(?!=)|dangerouslySetInnerHTML\s*=\s*\{\{|document\.write\s*\(|res\.send\s*\(`[^`]*\$\{req\./i },
-  { name: 'Path Traversal',    severity: 'HIGH',     pattern: /(readFile|sendFile|createReadStream|open)\s*\(.*req\.(params|body|query)|path\.join\s*\([^)]*req\.(params|body|query)/i },
-  { name: 'Broken Auth',       severity: 'HIGH',     pattern: /jwt\.decode\s*\((?![^;]*\.verify)|verify\s*:\s*false|secret\s*=\s*['"][a-z0-9]{1,20}['"]/i },
-  // Vibecoding / mobile stacks
-  { name: 'Sensitive Storage', severity: 'HIGH',     pattern: /(localStorage|AsyncStorage)\.setItem\s*\(\s*['"](token|password|secret|auth|jwt|api.?key)['"]/i },
-  { name: 'TLS Bypass',        severity: 'CRITICAL', pattern: /badCertificateCallback[^;]*=\s*true|rejectUnauthorized\s*:\s*false|NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]?0/i },
-  { name: 'Hardcoded Secret',  severity: 'CRITICAL', skipInTests: true,  pattern: /(?:const|final|var|let|static)\s+(?:API_KEY|PRIVATE_KEY|SECRET_KEY|ACCESS_TOKEN|CLIENT_SECRET)\s*=\s*['"][A-Za-z0-9+/=_\-]{20,}['"]/i },
-  { name: 'eval() Injection',  severity: 'HIGH',     pattern: /\beval\s*\([^)]*(?:route\.params|searchParams\.get|req\.(query|body)|params\[)/i },
-  // Common vibecoding anti-patterns
-  { name: 'Insecure Random',   severity: 'HIGH',     pattern: /(?:token|sessionId|nonce|secret|csrf)\w*\s*=.*Math\.random\(\)|Math\.random\(\).*(?:token|session|nonce|secret)/i },
-  { name: 'Sensitive Log',     severity: 'MEDIUM',   skipInTests: true,  pattern: /console\.(log|info|debug)\([^)]*(?:token|password|secret|jwt|authorization|apiKey|api_key)/i },
-  { name: 'Secret Fallback',   severity: 'HIGH',     pattern: /process\.env\.\w+\s*\|\|\s*['"][A-Za-z0-9+/=_\-]{10,}['"]/i },
-  // SSRF, redirects, injection
-  { name: 'SSRF',                    severity: 'CRITICAL', pattern: /\b(?:fetch|axios\.(?:get|post|put|patch|delete|request)|got|https?\.get)\s*\(\s*req\.(?:query|body|params)\./i },
-  { name: 'Open Redirect',           severity: 'HIGH',     pattern: /res\.redirect\s*\(\s*req\.(?:query|body|params)\.|window\.location(?:\.href)?\s*=\s*(?:params\.|route\.params\.|searchParams\.get)/i },
-  { name: 'NoSQL Injection',         severity: 'HIGH',     pattern: /\.(?:find|findOne|findById|updateOne|deleteOne)\s*\(\s*req\.(?:body|query|params)\b|\$where\s*:\s*['"`]/i },
-  { name: 'Template Injection',      severity: 'HIGH',     pattern: /res\.render\s*\(\s*req\.(?:params|body|query)\.|(?:ejs|pug|nunjucks|handlebars)\.render(?:File)?\s*\([^)]*req\.(?:body|params|query)/i },
-  { name: 'Insecure Deserialization',severity: 'CRITICAL', pattern: /\.unserialize\s*\(.*req\.|__proto__\s*[=:][^=]|Object\.setPrototypeOf\s*\([^,]+,\s*req\./i },
-  // Assignment / pollution
-  { name: 'Mass Assignment',         severity: 'HIGH',     pattern: /new\s+\w+\s*\(\s*req\.body\b|\.create\s*\(\s*req\.body\b|\.update(?:One)?\s*\(\s*\{[^}]*\},\s*req\.body\b/i },
-  { name: 'Prototype Pollution',     severity: 'HIGH',     pattern: /(?:_\.merge|lodash\.merge|deepmerge|hoek\.merge)\s*\([^)]*req\.(?:body|query|params)/i },
-  // Crypto / config
-  { name: 'Weak Crypto',             severity: 'HIGH',     pattern: /createHash\s*\(\s*['"](?:md5|sha1)['"]\)|(?:md5|sha1)\s*\(\s*(?:password|passwd|pwd|secret)/i },
-  { name: 'CORS Wildcard',           severity: 'MEDIUM',   pattern: /cors\s*\(\s*\{\s*origin\s*:\s*['"]?\*['"]?|'Access-Control-Allow-Origin',\s*['"]?\*/i },
-  { name: 'Cleartext Traffic',       severity: 'MEDIUM',   skipInTests: true, pattern: /(?:baseURL|apiUrl|API_URL|endpoint|baseUrl)\s*[:=]\s*['"]http:\/\/(?!localhost|127\.0\.0\.1)/i },
-  { name: 'XXE',                     severity: 'HIGH',     pattern: /noent\s*:\s*true|expand_entities\s*=\s*True|resolve_entities\s*=\s*True/i },
-  // Mobile / WebView
-  { name: 'WebView JS Bridge',       severity: 'HIGH',     pattern: /addJavascriptInterface\s*\(|javaScriptEnabled\s*:\s*true|allowFileAccess\s*:\s*true|allowUniversalAccessFromFileURLs\s*:\s*true/i },
-  { name: 'Deep Link Injection',     severity: 'MEDIUM',   pattern: /Linking\.getInitialURL\s*\(\)|Linking\.addEventListener\s*\(\s*['"]url['"]/i },
-];
-
-const SCAN_EXTENSIONS = new Set(['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.go', '.dart']);
-const SKIP_DIRS = new Set(['node_modules', '.git', 'dist', 'build', '.next', 'out', '__pycache__', 'venv', '.venv', 'vendor', '.expo', '.dart_tool', '.pub-cache']);
-
-function* walkFiles(dir) {
-  let entries;
-  try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }
-  for (const entry of entries) {
-    if (SKIP_DIRS.has(entry.name)) continue;
-    const fullPath = path.join(dir, entry.name);
-    if (entry.isDirectory()) yield* walkFiles(fullPath);
-    else if (SCAN_EXTENSIONS.has(path.extname(entry.name))) yield fullPath;
-  }
-}
-
-// Returns true for test/spec files — used to down-weight false-positive-prone patterns
-function isTestFile(filePath) {
-  const rel = path.relative(projectDir, filePath).replace(/\\/g, '/');
-  return /[._-]test\.[a-z]+$|[._-]spec\.[a-z]+$|_test\.dart$|\/tests?\/|\/spec\/|\/test_/.test(rel);
-}
-
-// Scan app.json / app.config.* for embedded secrets (common Expo vibecoding issue)
-function scanAppConfig() {
-  const findings = [];
-  const configCandidates = ['app.json', 'app.config.js', 'app.config.ts'];
-  const secretPattern = /['"]?(?:apiKey|api_key|secret|privateKey|accessToken|clientSecret)['"]?\s*[:=]\s*['"][A-Za-z0-9+/=_\-]{20,}['"]/i;
-
-  for (const name of configCandidates) {
-    const filePath = path.join(projectDir, name);
-    if (!fs.existsSync(filePath)) continue;
-    let lines;
-    try { lines = fs.readFileSync(filePath, 'utf8').split('\n'); } catch { continue; }
-    for (let i = 0; i < lines.length; i++) {
-      if (secretPattern.test(lines[i])) {
-        findings.push({
-          severity: 'CRITICAL',
-          name: 'Config Secret',
-          file: name,
-          line: i + 1,
-          snippet: lines[i].trim().slice(0, 80),
-          inTestFile: false,
-        });
-      }
-    }
-  }
-  return findings;
-}
-
-function scanAndroidManifest() {
-  const findings = [];
-  const manifestPath = path.join(projectDir, 'android', 'app', 'src', 'main', 'AndroidManifest.xml');
-  if (!fs.existsSync(manifestPath)) return findings;
-  let lines;
-  try { lines = fs.readFileSync(manifestPath, 'utf8').split('\n'); } catch { return findings; }
-  for (let i = 0; i < lines.length; i++) {
-    if (/android:debuggable\s*=\s*["']true["']/i.test(lines[i])) {
-      findings.push({
-        severity: 'HIGH',
-        name: 'Android Debuggable',
-        file: 'android/app/src/main/AndroidManifest.xml',
-        line: i + 1,
-        snippet: lines[i].trim().slice(0, 80),
-        inTestFile: false,
-        likelyFalsePositive: false,
-      });
-    }
-  }
-  return findings;
-}
-
-function quickScan() {
-  const findings = [];
-  for (const filePath of walkFiles(projectDir)) {
-    const inTest = isTestFile(filePath);
-    let lines;
-    try { lines = fs.readFileSync(filePath, 'utf8').split('\n'); } catch { continue; }
-    for (let i = 0; i < lines.length; i++) {
-      for (const vuln of VULN_PATTERNS) {
-        if (vuln.pattern.test(lines[i])) {
-          findings.push({
-            severity: vuln.severity,
-            name: vuln.name,
-            file: path.relative(projectDir, filePath),
-            line: i + 1,
-            snippet: lines[i].trim().slice(0, 80),
-            inTestFile: inTest,
-            likelyFalsePositive: inTest && !!vuln.skipInTests,
-          });
-          break; // one finding per line
-        }
-      }
-    }
-  }
-  return [...findings, ...scanAppConfig(), ...scanAndroidManifest()];
-}
-
-function printFindings(findings) {
-  if (findings.length === 0) {
-    console.log('   ✅ No obvious vulnerability patterns detected.\n');
-    return;
-  }
-  const real = findings.filter(f => !f.likelyFalsePositive);
-  const noisy = findings.filter(f => f.likelyFalsePositive);
-
-  const bySeverity = { CRITICAL: [], HIGH: [], MEDIUM: [], LOW: [] };
-  for (const f of real) (bySeverity[f.severity] || bySeverity.LOW).push(f);
-  const icons = { CRITICAL: '🔴', HIGH: '🟠', MEDIUM: '🟡', LOW: '🔵' };
-
-  console.log(`\n   Found ${real.length} potential issue(s)${noisy.length ? ` (+${noisy.length} in test files — see below)` : ''}:\n`);
-  for (const [sev, list] of Object.entries(bySeverity)) {
-    if (!list.length) continue;
-    for (const f of list) {
-      const testBadge = f.inTestFile ? ' [test file]' : '';
-      console.log(`   ${icons[sev]} [${sev}] ${f.name} — ${f.file}:${f.line}${testBadge}`);
-      console.log(`         ${f.snippet}`);
-    }
-  }
-
-  if (noisy.length) {
-    console.log('\n   ⚪ Likely intentional (in test files — verify manually):');
-    for (const f of noisy) {
-      console.log(`      ${f.name} — ${f.file}:${f.line}`);
-    }
-  }
-
-  console.log('\n   Run /tdd-audit in your agent to remediate.\n');
-}
-
-// ─── 4. Scan-only early exit ──────────────────────────────────────────────────
+// ─── Scan-only early exit ─────────────────────────────────────────────────────
 
 if (scanOnly) {
   process.stdout.write('\n🔍 Scanning for vulnerability patterns...');
-  const findings = quickScan();
+  const findings = quickScan(projectDir);
   process.stdout.write('\n');
   printFindings(findings);
   process.exit(0);
 }
 
-// ─── 5. Install Skill Files ───────────────────────────────────────────────────
+// ─── Install Skill Files ──────────────────────────────────────────────────────
 
 const appLabel = appFramework ? `, app: ${appFramework}` : '';
 console.log(`\nInstalling TDD Remediation Skill (${isLocal ? 'local' : 'global'}, framework: ${framework}${appLabel}, test dir: ${testBaseDir}/)...\n`);
@@ -271,7 +56,7 @@ for (const item of ['SKILL.md', 'prompts', 'templates']) {
   if (fs.existsSync(src)) fs.cpSync(src, dest, { recursive: true });
 }
 
-// ─── 5. Scaffold Security Test Boilerplate ────────────────────────────────────
+// ─── Scaffold Security Test Boilerplate ───────────────────────────────────────
 
 if (!fs.existsSync(targetTestDir)) {
   fs.mkdirSync(targetTestDir, { recursive: true });
@@ -296,7 +81,7 @@ if (!fs.existsSync(destTest) && fs.existsSync(srcTest)) {
   console.log(`✅ Scaffolded ${path.relative(projectDir, destTest)}`);
 }
 
-// ─── 6. Install Workflow Shortcode ────────────────────────────────────────────
+// ─── Install Workflow Shortcode ───────────────────────────────────────────────
 
 if (!fs.existsSync(targetWorkflowDir)) fs.mkdirSync(targetWorkflowDir, { recursive: true });
 const srcWorkflow = path.join(__dirname, 'workflows', 'tdd-audit.md');
@@ -306,7 +91,7 @@ if (fs.existsSync(srcWorkflow)) {
   console.log(`✅ Installed /tdd-audit workflow shortcode`);
 }
 
-// ─── 7. Inject test:security into package.json ────────────────────────────────
+// ─── Inject test:security into package.json ───────────────────────────────────
 
 const pkgPath = path.join(projectDir, 'package.json');
 if (framework !== 'pytest' && framework !== 'go' && fs.existsSync(pkgPath)) {
@@ -316,10 +101,10 @@ if (framework !== 'pytest' && framework !== 'go' && fs.existsSync(pkgPath)) {
       pkg.scripts = pkg.scripts || {};
       const secDir = `${testBaseDir}/security`;
       pkg.scripts['test:security'] = {
-        jest:   `jest --testPathPattern=${secDir} --forceExit`,
+        jest:   `jest --testPathPatterns=${secDir} --forceExit`,
         vitest: `vitest run ${secDir}`,
         mocha:  `mocha '${secDir}/**/*.spec.js'`,
-      }[framework] || `jest --testPathPattern=${secDir} --forceExit`;
+      }[framework] || `jest --testPathPatterns=${secDir} --forceExit`;
       fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + '\n');
       console.log(`✅ Added "test:security" script to package.json`);
     } else {
@@ -330,31 +115,43 @@ if (framework !== 'pytest' && framework !== 'go' && fs.existsSync(pkgPath)) {
   }
 }
 
-// ─── 8. Scaffold CI Workflow ─────────────────────────────────────────────────
+// ─── Scaffold CI Workflows ────────────────────────────────────────────────────
 
 const ciWorkflowDir = path.join(projectDir, '.github', 'workflows');
-const ciWorkflowPath = path.join(ciWorkflowDir, 'security-tests.yml');
-
-if (!fs.existsSync(ciWorkflowPath)) {
-  const ciTemplateMap = {
-    jest:    'security-tests.node.yml',
-    vitest:  'security-tests.node.yml',
-    mocha:   'security-tests.node.yml',
-    pytest:  'security-tests.python.yml',
-    go:      'security-tests.go.yml',
-    flutter: 'security-tests.flutter.yml',
-  };
-  const ciTemplatePath = path.join(__dirname, 'templates', 'workflows', ciTemplateMap[framework]);
-  if (fs.existsSync(ciTemplatePath)) {
-    fs.mkdirSync(ciWorkflowDir, { recursive: true });
-    fs.copyFileSync(ciTemplatePath, ciWorkflowPath);
-    console.log(`✅ Scaffolded .github/workflows/security-tests.yml`);
+fs.mkdirSync(ciWorkflowDir, { recursive: true });
+
+const ciWorkflows = [
+  {
+    destName: 'security-tests.yml',
+    templateMap: {
+      jest: 'security-tests.node.yml', vitest: 'security-tests.node.yml',
+      mocha: 'security-tests.node.yml', pytest: 'security-tests.python.yml',
+      go: 'security-tests.go.yml', flutter: 'security-tests.flutter.yml',
+    },
+  },
+  {
+    destName: 'ci.yml',
+    templateMap: {
+      jest: 'ci.node.yml', vitest: 'ci.node.yml', mocha: 'ci.node.yml',
+      pytest: 'ci.python.yml', go: 'ci.go.yml', flutter: 'ci.flutter.yml',
+    },
+  },
+];
+
+for (const { destName, templateMap } of ciWorkflows) {
+  const destPath = path.join(ciWorkflowDir, destName);
+  if (!fs.existsSync(destPath)) {
+    const srcPath = path.join(__dirname, 'templates', 'workflows', templateMap[framework]);
+    if (fs.existsSync(srcPath)) {
+      fs.copyFileSync(srcPath, destPath);
+      console.log(`✅ Scaffolded .github/workflows/${destName}`);
+    }
+  } else {
+    console.log(`   .github/workflows/${destName} already exists — skipped`);
   }
-} else {
-  console.log(`   .github/workflows/security-tests.yml already exists — skipped`);
 }
 
-// ─── 9. Pre-commit Hook (opt-in) ─────────────────────────────────────────────
+// ─── Pre-commit Hook (opt-in) ─────────────────────────────────────────────────
 
 if (withHooks) {
   const gitDir = path.join(projectDir, '.git');
@@ -392,11 +189,11 @@ if (withHooks) {
   }
 }
 
-// ─── 10. Quick Scan ──────────────────────────────────────────────────────────
+// ─── Quick Scan ───────────────────────────────────────────────────────────────
 
 if (!skipScan) {
   process.stdout.write('\n🔍 Scanning for vulnerability patterns...');
-  const findings = quickScan();
+  const findings = quickScan(projectDir);
   process.stdout.write('\n');
   printFindings(findings);
 }

package/lib/scanner.js

@@ -0,0 +1,309 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+// ─── Vulnerability Patterns ───────────────────────────────────────────────────
+
+const VULN_PATTERNS = [
+  { name: 'SQL Injection',     severity: 'CRITICAL', pattern: /(`SELECT[^`]*\$\{|"SELECT[^"]*"\s*\+|execute\(f"|cursor\.execute\(.*%s|\.query\(`[^`]*\$\{)/i },
+  { name: 'Command Injection', severity: 'CRITICAL', pattern: /\bexec(Sync)?\s*\(.*req\.(params|body|query)|subprocess\.(run|Popen|call)\([^)]*shell\s*=\s*True/i },
+  { name: 'IDOR',              severity: 'HIGH',     pattern: /findById\s*\(\s*req\.(params|body|query)\.|findOne\s*\(\s*\{[^}]*id\s*:\s*req\.(params|body|query)/i },
+  { name: 'XSS',               severity: 'HIGH',     pattern: /[^/]innerHTML\s*=(?!=)|dangerouslySetInnerHTML\s*=\s*\{\{|document\.write\s*\(|res\.send\s*\(`[^`]*\$\{req\./i },
+  { name: 'Path Traversal',    severity: 'HIGH',     pattern: /(readFile|sendFile|createReadStream|open)\s*\(.*req\.(params|body|query)|path\.join\s*\([^)]*req\.(params|body|query)/i },
+  { name: 'Broken Auth',       severity: 'HIGH',     pattern: /jwt\.decode\s*\((?![^;]*\.verify)|verify\s*:\s*false|secret\s*=\s*['"][a-z0-9]{1,20}['"]/i },
+  // Vibecoding / mobile stacks
+  { name: 'Sensitive Storage', severity: 'HIGH',     pattern: /(localStorage|AsyncStorage)\.setItem\s*\(\s*['"](token|password|secret|auth|jwt|api.?key)['"]/i },
+  { name: 'TLS Bypass',        severity: 'CRITICAL', pattern: /badCertificateCallback[^;]*=\s*true|rejectUnauthorized\s*:\s*false|NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]?0/i },
+  { name: 'Hardcoded Secret',  severity: 'CRITICAL', skipInTests: true,  pattern: /(?:const|final|var|let|static)\s+(?:API_KEY|PRIVATE_KEY|SECRET_KEY|ACCESS_TOKEN|CLIENT_SECRET)\s*=\s*['"][A-Za-z0-9+/=_\-]{20,}['"]/i },
+  { name: 'eval() Injection',  severity: 'HIGH',     pattern: /\beval\s*\([^)]*(?:route\.params|searchParams\.get|req\.(query|body)|params\[)/i },
+  // Common vibecoding anti-patterns
+  { name: 'Insecure Random',   severity: 'HIGH',     pattern: /(?:token|sessionId|nonce|secret|csrf)\w*\s*=.*Math\.random\(\)|Math\.random\(\).*(?:token|session|nonce|secret)/i },
+  { name: 'Sensitive Log',     severity: 'MEDIUM',   skipInTests: true,  pattern: /console\.(log|info|debug)\([^)]*(?:token|password|secret|jwt|authorization|apiKey|api_key)/i },
+  { name: 'Secret Fallback',   severity: 'HIGH',     pattern: /process\.env\.\w+\s*\|\|\s*['"][A-Za-z0-9+/=_\-]{10,}['"]/i },
+  // SSRF, redirects, injection
+  { name: 'SSRF',                    severity: 'CRITICAL', pattern: /\b(?:fetch|axios\.(?:get|post|put|patch|delete|request)|got|https?\.get)\s*\(\s*req\.(?:query|body|params)\./i },
+  { name: 'Open Redirect',           severity: 'HIGH',     pattern: /res\.redirect\s*\(\s*req\.(?:query|body|params)\.|window\.location(?:\.href)?\s*=\s*(?:params\.|route\.params\.|searchParams\.get)/i },
+  { name: 'NoSQL Injection',         severity: 'HIGH',     pattern: /\.(?:find|findOne|findById|updateOne|deleteOne)\s*\(\s*req\.(?:body|query|params)\b|\$where\s*:\s*['"`]/i },
+  { name: 'Template Injection',      severity: 'HIGH',     pattern: /res\.render\s*\(\s*req\.(?:params|body|query)\.|(?:ejs|pug|nunjucks|handlebars)\.render(?:File)?\s*\([^)]*req\.(?:body|params|query)/i },
+  { name: 'Insecure Deserialization',severity: 'CRITICAL', pattern: /\.unserialize\s*\(.*req\.|__proto__\s*[=:][^=]|Object\.setPrototypeOf\s*\([^,]+,\s*req\./i },
+  // Assignment / pollution
+  { name: 'Mass Assignment',         severity: 'HIGH',     pattern: /new\s+\w+\s*\(\s*req\.body\b|\.create\s*\(\s*req\.body\b|\.update(?:One)?\s*\(\s*\{[^}]*\},\s*req\.body\b/i },
+  { name: 'Prototype Pollution',     severity: 'HIGH',     pattern: /(?:_\.merge|lodash\.merge|deepmerge|hoek\.merge)\s*\([^)]*req\.(?:body|query|params)/i },
+  // Crypto / config
+  { name: 'Weak Crypto',             severity: 'HIGH',     pattern: /createHash\s*\(\s*['"](?:md5|sha1)['"]\)|(?:md5|sha1)\s*\(\s*(?:password|passwd|pwd|secret)/i },
+  { name: 'CORS Wildcard',           severity: 'MEDIUM',   pattern: /cors\s*\(\s*\{\s*origin\s*:\s*['"]?\*['"]?|['"]Access-Control-Allow-Origin['"]\s*,\s*['"]?\*/i },
+  { name: 'Cleartext Traffic',       severity: 'MEDIUM',   skipInTests: true, pattern: /(?:baseURL|apiUrl|API_URL|endpoint|baseUrl)\s*[:=]\s*['"]http:\/\/(?!localhost|127\.0\.0\.1)/i },
+  { name: 'XXE',                     severity: 'HIGH',     pattern: /noent\s*:\s*true|expand_entities\s*=\s*True|resolve_entities\s*=\s*True/i },
+  // Mobile / WebView
+  { name: 'WebView JS Bridge',       severity: 'HIGH',     pattern: /addJavascriptInterface\s*\(|javaScriptEnabled\s*:\s*true|allowFileAccess\s*:\s*true|allowUniversalAccessFromFileURLs\s*:\s*true/i },
+  { name: 'Deep Link Injection',     severity: 'MEDIUM',   pattern: /Linking\.getInitialURL\s*\(\)|Linking\.addEventListener\s*\(\s*['"]url['"]/i },
+];
+
+const SCAN_EXTENSIONS = new Set(['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.go', '.dart']);
+const SKIP_DIRS = new Set(['node_modules', '.git', 'dist', 'build', '.next', 'out', '__pycache__', 'venv', '.venv', 'vendor', '.expo', '.dart_tool', '.pub-cache']);
+
+// ─── Framework Detection ──────────────────────────────────────────────────────
+
+/**
+ * Detect the test framework used in the given project directory.
+ * @param {string} dir - absolute path to the project root
+ * @returns {'flutter'|'vitest'|'jest'|'mocha'|'pytest'|'go'}
+ */
+function detectFramework(dir) {
+  // Flutter / Dart — check before package.json since a Flutter project may have both
+  if (fs.existsSync(path.join(dir, 'pubspec.yaml'))) return 'flutter';
+
+  const pkgPath = path.join(dir, 'package.json');
+  if (fs.existsSync(pkgPath)) {
+    try {
+      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+      const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
+      if (deps.vitest) return 'vitest';
+      if (deps.jest || deps.supertest) return 'jest';
+      if (deps.mocha) return 'mocha';
+    } catch {}
+  }
+  if (
+    fs.existsSync(path.join(dir, 'pytest.ini')) ||
+    fs.existsSync(path.join(dir, 'pyproject.toml')) ||
+    fs.existsSync(path.join(dir, 'setup.py')) ||
+    fs.existsSync(path.join(dir, 'requirements.txt'))
+  ) return 'pytest';
+  if (fs.existsSync(path.join(dir, 'go.mod'))) return 'go';
+  return 'jest';
+}
+
+/**
+ * Detect the UI/app framework used in the given project directory.
+ * @param {string} dir - absolute path to the project root
+ * @returns {'flutter'|'expo'|'react-native'|'nextjs'|'react'|null}
+ */
+function detectAppFramework(dir) {
+  if (fs.existsSync(path.join(dir, 'pubspec.yaml'))) return 'flutter';
+  const pkgPath = path.join(dir, 'package.json');
+  if (fs.existsSync(pkgPath)) {
+    try {
+      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+      const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
+      if (deps.expo) return 'expo';
+      if (deps['react-native']) return 'react-native';
+      if (deps.next) return 'nextjs';
+      if (deps.react) return 'react';
+    } catch {}
+  }
+  return null;
+}
+
+// ─── Test Directory Detection ─────────────────────────────────────────────────
+
+/**
+ * Detect the test base directory convention used in the given project.
+ * @param {string} dir - absolute path to the project root
+ * @param {string} framework - test framework (from detectFramework)
+ * @returns {string} - relative directory name, e.g. '__tests__'
+ */
+function detectTestBaseDir(dir, framework) {
+  const candidates = ['__tests__', 'tests', 'test', 'spec'];
+  for (const candidate of candidates) {
+    if (fs.existsSync(path.join(dir, candidate))) return candidate;
+  }
+  if (framework === 'pytest') return 'tests';
+  if (framework === 'go') return 'test';
+  return '__tests__';
+}
+
+// ─── File Walking ─────────────────────────────────────────────────────────────
+
+/**
+ * Generator that yields all scannable file paths under dir, skipping
+ * known noise dirs and symlinks (to avoid escaping the project root).
+ * @param {string} dir - directory to walk
+ */
+function* walkFiles(dir) {
+  let entries;
+  try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }
+  for (const entry of entries) {
+    if (SKIP_DIRS.has(entry.name)) continue;
+    // Skip symlinks — they can escape the project root (M2 fix)
+    if (entry.isSymbolicLink()) continue;
+    const fullPath = path.join(dir, entry.name);
+    if (entry.isDirectory()) yield* walkFiles(fullPath);
+    else if (SCAN_EXTENSIONS.has(path.extname(entry.name))) yield fullPath;
+  }
+}
+
+// ─── Test-file detection ──────────────────────────────────────────────────────
+
+/**
+ * Returns true if the file is a test/spec file.
+ * @param {string} filePath - absolute path
+ * @param {string} projectDir - absolute project root (used for relative path calc)
+ */
+function isTestFile(filePath, projectDir) {
+  const rel = path.relative(projectDir, filePath).replace(/\\/g, '/');
+  return (
+    /[._-]test\.[a-z]+$/.test(rel) ||      // *.test.js / *.test.ts
+    /[._-]spec\.[a-z]+$/.test(rel) ||      // *.spec.js / *.spec.ts
+    /_test\.dart$/.test(rel) ||            // *_test.dart (Flutter)
+    /(^|\/)(__tests__|tests?)\//.test(rel) || // __tests__/ or tests/ at any depth
+    /(^|\/)spec\//.test(rel) ||            // spec/ at any depth
+    /(^|\/)test_/.test(rel)               // test_helpers.js style
+  );
+}
+
+// ─── Config / Manifest Scanners ───────────────────────────────────────────────
+
+/**
+ * Scan app.json / app.config.* for embedded secrets.
+ * @param {string} projectDir - project root
+ * @returns {Array}
+ */
+function scanAppConfig(projectDir) {
+  const findings = [];
+  const configCandidates = ['app.json', 'app.config.js', 'app.config.ts'];
+  // Match quoted string values AND template-literal fallback secrets (L2 fix)
+  const secretPattern = /['"]?(?:apiKey|api_key|secret|privateKey|accessToken|clientSecret)['"]?\s*[:=]\s*(?:['"][A-Za-z0-9+/=_\-]{20,}['"]|`[^`]*['"][A-Za-z0-9+/=_\-]{10,}['"][^`]*`)/i;
+
+  for (const name of configCandidates) {
+    const filePath = path.join(projectDir, name);
+    if (!fs.existsSync(filePath)) continue;
+    let lines;
+    try { lines = fs.readFileSync(filePath, 'utf8').split('\n'); } catch { continue; }
+    for (let i = 0; i < lines.length; i++) {
+      if (secretPattern.test(lines[i])) {
+        findings.push({
+          severity: 'CRITICAL',
+          name: 'Config Secret',
+          file: name,
+          line: i + 1,
+          snippet: lines[i].trim().slice(0, 80),
+          inTestFile: false,
+        });
+      }
+    }
+  }
+  return findings;
+}
+
+/**
+ * Scan AndroidManifest.xml for android:debuggable="true".
+ * @param {string} projectDir - project root
+ * @returns {Array}
+ */
+function scanAndroidManifest(projectDir) {
+  const findings = [];
+  const manifestPath = path.join(projectDir, 'android', 'app', 'src', 'main', 'AndroidManifest.xml');
+  if (!fs.existsSync(manifestPath)) return findings;
+  let lines;
+  try { lines = fs.readFileSync(manifestPath, 'utf8').split('\n'); } catch { return findings; }
+  for (let i = 0; i < lines.length; i++) {
+    if (/android:debuggable\s*=\s*["']true["']/i.test(lines[i])) {
+      findings.push({
+        severity: 'HIGH',
+        name: 'Android Debuggable',
+        file: 'android/app/src/main/AndroidManifest.xml',
+        line: i + 1,
+        snippet: lines[i].trim().slice(0, 80),
+        inTestFile: false,
+        likelyFalsePositive: false,
+      });
+    }
+  }
+  return findings;
+}
+
+// ─── Quick Scan ───────────────────────────────────────────────────────────────
+
+/**
+ * Scan all source files in projectDir for known vulnerability patterns.
+ * @param {string} projectDir - project root to scan
+ * @returns {Array} findings
+ */
+function quickScan(projectDir) {
+  const findings = [];
+  for (const filePath of walkFiles(projectDir)) {
+    const inTest = isTestFile(filePath, projectDir);
+    let content;
+    // L1 fix: guard against binary / non-UTF-8 files
+    try {
+      content = fs.readFileSync(filePath, 'utf8');
+    } catch {
+      continue;
+    }
+    // Skip files that contain null bytes — likely binary
+    if (content.includes('\0')) continue;
+
+    const lines = content.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+      // M3 fix: collect ALL matching patterns per line (no break)
+      for (const vuln of VULN_PATTERNS) {
+        if (vuln.pattern.test(lines[i])) {
+          findings.push({
+            severity: vuln.severity,
+            name: vuln.name,
+            file: path.relative(projectDir, filePath),
+            line: i + 1,
+            snippet: lines[i].trim().slice(0, 80),
+            inTestFile: inTest,
+            likelyFalsePositive: inTest && !!vuln.skipInTests,
+          });
+        }
+      }
+    }
+  }
+  return [...findings, ...scanAppConfig(projectDir), ...scanAndroidManifest(projectDir)];
+}
+
+// ─── Print Findings ───────────────────────────────────────────────────────────
+
+/**
+ * Print a human-readable findings report to stdout.
+ * @param {Array} findings
+ */
+function printFindings(findings) {
+  if (findings.length === 0) {
+    console.log('   ✅ No obvious vulnerability patterns detected.\n');
+    return;
+  }
+  const real = findings.filter(f => !f.likelyFalsePositive);
+  const noisy = findings.filter(f => f.likelyFalsePositive);
+
+  const bySeverity = { CRITICAL: [], HIGH: [], MEDIUM: [], LOW: [] };
+  for (const f of real) (bySeverity[f.severity] || bySeverity.LOW).push(f);
+  const icons = { CRITICAL: '🔴', HIGH: '🟠', MEDIUM: '🟡', LOW: '🔵' };
+
+  console.log(`\n   Found ${real.length} potential issue(s)${noisy.length ? ` (+${noisy.length} in test files — see below)` : ''}:\n`);
+  for (const [sev, list] of Object.entries(bySeverity)) {
+    if (!list.length) continue;
+    for (const f of list) {
+      const testBadge = f.inTestFile ? ' [test file]' : '';
+      console.log(`   ${icons[sev]} [${sev}] ${f.name} — ${f.file}:${f.line}${testBadge}`);
+      console.log(`         ${f.snippet}`);
+    }
+  }
+
+  if (noisy.length) {
+    console.log('\n   ⚪ Likely intentional (in test files — verify manually):');
+    for (const f of noisy) {
+      console.log(`      ${f.name} — ${f.file}:${f.line}`);
+    }
+  }
+
+  console.log('\n   Run /tdd-audit in your agent to remediate.\n');
+}
+
+module.exports = {
+  VULN_PATTERNS,
+  SCAN_EXTENSIONS,
+  SKIP_DIRS,
+  detectFramework,
+  detectAppFramework,
+  detectTestBaseDir,
+  walkFiles,
+  isTestFile,
+  scanAppConfig,
+  scanAndroidManifest,
+  quickScan,
+  printFindings,
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lhi/tdd-audit",
-  "version": "1.3.0",
+  "version": "1.4.1",
   "description": "Anti-Gravity Skill for TDD Remediation. Patches security vulnerabilities using a Red-Green-Refactor protocol with automated exploit tests.",
   "main": "index.js",
   "bin": {
@@ -8,6 +8,7 @@
   },
   "files": [
     "index.js",
+    "lib/",
     "SKILL.md",
     "prompts/",
     "templates/",
@@ -16,8 +17,10 @@
     "LICENSE"
   ],
   "scripts": {
-    "test": "node index.js --local --skip-scan && echo 'Smoke test passed'",
-    "test:security": "jest --testPathPattern=__tests__/security --forceExit"
+    "test": "jest --forceExit",
+    "test:unit": "jest --testPathPatterns=__tests__/unit --forceExit --coverage",
+    "test:security": "jest --testPathPatterns=__tests__/security --forceExit",
+    "test:smoke": "node index.js --local --skip-scan && echo 'Smoke test passed'"
   },
   "keywords": [
     "security",
@@ -44,5 +47,8 @@
     "node": ">=16.7.0"
   },
   "author": "Kyra Lee",
-  "license": "MIT"
+  "license": "MIT",
+  "devDependencies": {
+    "jest": "^30.3.0"
+  }
 }

package/prompts/red-phase.md

@@ -99,8 +99,12 @@ const request = require('supertest');
 const app = require('../../app');
 
 describe('[VulnType] - Red Phase', () => {
+  let server;
+  beforeAll(() => { server = app.listen(0); });
+  afterAll(() => server.close());
+
   it('SHOULD block [exploit description]', async () => {
-    const res = await request(app)
+    const res = await request(server)
       .post('/api/vulnerable-endpoint')
       .send({ input: '<exploit payload>' });
 

package/templates/workflows/ci.flutter.yml

@@ -0,0 +1,43 @@
+name: CI
+
+on:
+  push:
+    branches: [main, master, develop]
+  pull_request:
+    branches: [main, master, develop]
+
+jobs:
+  test:
+    name: Test & Analyze
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Flutter
+        uses: subosito/flutter-action@v2
+        with:
+          flutter-version: stable
+          cache: true
+
+      - name: Install dependencies
+        run: flutter pub get
+
+      - name: Analyze (dart analyze)
+        run: dart analyze --fatal-infos
+
+      - name: Format check
+        run: dart format --output=none --set-exit-if-changed .
+
+      - name: Unit tests with coverage
+        run: flutter test --coverage
+
+      - name: Security tests
+        run: flutter test test/security/
+
+      - name: Upload coverage
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage
+          path: coverage/lcov.info
+          retention-days: 7

package/templates/workflows/ci.go.yml

@@ -0,0 +1,45 @@
+name: CI
+
+on:
+  push:
+    branches: [main, master, develop]
+  pull_request:
+    branches: [main, master, develop]
+
+jobs:
+  test:
+    name: Test & Lint
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        go-version: ["1.21", "1.22", "1.23"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Go ${{ matrix.go-version }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.go-version }}
+          cache: true
+
+      - name: Lint (staticcheck)
+        uses: dominikh/staticcheck-action@v1
+        with:
+          version: latest
+          install-go: false
+
+      - name: Run tests with coverage
+        run: go test ./... -coverprofile=coverage.out -covermode=atomic -v
+
+      - name: Security tests
+        run: go test ./security/... -v
+
+      - name: Upload coverage
+        if: matrix.go-version == '1.22'
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage
+          path: coverage.out
+          retention-days: 7

package/templates/workflows/ci.node.yml

@@ -0,0 +1,45 @@
+name: CI
+
+on:
+  push:
+    branches: [main, master, develop]
+  pull_request:
+    branches: [main, master, develop]
+
+jobs:
+  test:
+    name: Test & Lint
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [18.x, 20.x, 22.x]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Lint
+        run: npm run lint --if-present
+
+      - name: Unit tests
+        run: npm test
+
+      - name: Security tests
+        run: npm run test:security --if-present
+
+      - name: Upload coverage
+        if: matrix.node-version == '20.x'
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage
+          path: coverage/
+          retention-days: 7

package/templates/workflows/ci.python.yml

@@ -0,0 +1,48 @@
+name: CI
+
+on:
+  push:
+    branches: [main, master, develop]
+  pull_request:
+    branches: [main, master, develop]
+
+jobs:
+  test:
+    name: Test & Lint
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: pip
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+          pip install pytest pytest-cov ruff
+
+      - name: Lint (ruff)
+        run: ruff check .
+
+      - name: Unit tests with coverage
+        run: pytest --cov=. --cov-report=xml -v
+
+      - name: Security tests
+        run: pytest tests/security/ -v
+
+      - name: Upload coverage
+        if: matrix.python-version == '3.11'
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage
+          path: coverage.xml
+          retention-days: 7