# Security Harden — DFT marketplace

---

## Header

| Field | Value |
|-------|-------|
| **Report type** | harden |
| **Target** | ~/repos/dft-marketplace |
| **Date** | 2026-05-05 |
| **Version** | llm-security v7.4.0 |
| **Scope** | Grade A reference config |
| **Frameworks** | OWASP LLM Top 10 |
| **Triggered by** | /security harden |

---

## Risk Dashboard

| Metric | Value |
|--------|-------|
| **Current Grade** | C |
| **Project Type** | monorepo |
| **Recommendations** | 6/8 |
| **Mode** | dry-run |

---

## Posture Snapshot

| Metric | Before |
|--------|-------:|
| Pass | 8 |
| Partial | 3 |
| Fail | 1 |
| N-A | 4 |
| Pass rate | 67% |

---

## Recommendations

### 1. Logging & Audit — `.llm-security/policy.json`

- **Action:** create
- **Category:** Logging & Audit
- **Content preview:**

  ```json
  {
    "audit": {
      "log_path": "~/.claude/llm-security-audit.jsonl",
      "format": "jsonl"
    }
  }
  ```

### 2. Permission Hygiene — `.claude/settings.json`

- **Action:** merge
- **Category:** Permission Hygiene
- **Content preview:** Replace `"Bash(*)"` with `"Bash(git:*, npm:*, node:*, jq:*)"`. Adds explicit allow-list.

### 3. Memory Hygiene — `CLAUDE.md`

- **Action:** append
- **Category:** Memory Hygiene
- **Content preview:** Add Security Boundaries section with 4 rules.

### 4. Hook Coverage — `.claude/settings.json`

- **Action:** merge
- **Category:** Hook Coverage
- **Content preview:** Add `precompact` hook reference (currently missing).

### 5. EU AI Act — `CLAUDE.md`

- **Action:** append
- **Category:** Compliance
- **Content preview:** Add AI Act risk classification stub: `risk_level: not-applicable (developer-tool)`.

### 6. Documentation — `SECURITY.md`

- **Action:** create
- **Category:** Documentation
- **Content preview:** Disclosure policy template (7-day ack, 14-day triage).

### 7. (skipped) Supply-Chain Defense

- **Action:** none
- **Reason:** Already at Grade A.

### 8. (skipped) Plugin Trust

- **Action:** none
- **Reason:** No third-party plugins installed.

---

## Diff Summary

| File | Action | Lines |
|------|--------|------:|
| `.llm-security/policy.json` | + create | +12 |
| `.claude/settings.json` | ~ merge | ~3 |
| `CLAUDE.md` | + append | +18 |
| `SECURITY.md` | + create | +47 |
| **Total** | | **+80 / ~3** |

---

## Apply Confirmation

Run `/security harden . --apply` to apply these 6 changes. Backup will be created at `~/.cache/llm-security/backups/2026-05-05/`.

**Estimated outcome:** Grade C → A after apply + posture re-scan.

---

*Harden complete. 6 actionable recommendations, dry-run.*