---
name: security:harden
description: Generate Grade A security configuration — settings.json, CLAUDE.md security section, .gitignore additions
allowed-tools: Read, Glob, Grep, Bash, Write, Edit, AskUserQuestion
model: sonnet
---

# /security harden [path] [--apply] [--dry-run]

Generate a reference security configuration that achieves Grade A posture. Runs the posture scanner, identifies gaps, and generates configuration to close them.

## Step 1: Generate

Run the reference configuration generator:

```
node [target-path or cwd] [--apply]
```

The default is `--dry-run` (print the JSON output, write no files).

Parse the JSON output. The result contains:

- `projectType`: plugin, monorepo, or standalone
- `posture`: current grade, pass_rate, pass/partial/fail counts
- `recommendations[]`: file, action (create/merge/append/none), content, category
- `summary`: total, actionable, creates, merges, appends

## Step 2: Present Results

```
# Security Harden — [project name]

| Field | Value |
|-------|-------|
| **Current Grade** | [grade] |
| **Project Type** | [type] |
| **Recommendations** | [actionable]/[total] |

## Recommendations

[For each recommendation with action != 'none':]

### [N]. [category] — [file]
- **Action:** [create/merge/append]
- **Content preview:** [first 3 lines or summary]
```

## Step 3: Apply (if --apply or user confirms)

If `$ARGUMENTS` contains `--apply`, the generator in Step 1 already wrote the files. Report what was changed.

If `$ARGUMENTS` is `--dry-run` or empty, ask the user:

> "Apply these [N] changes? This will create a backup first."

If confirmed, re-run the generator with `--apply`. Report the backup location and the files written.

## Step 4: Post-Apply Verification

After applying, re-run the posture scanner to verify the improvement:

```
node [target-path]
```

Report: "Grade improved from [old] to [new]." or "Grade unchanged at [grade]."

If Grade A is not achieved, explain the remaining gaps (most likely hook-related checks, which require manual setup or plugin installation rather than generated config).

## Step 5: Closing

- Grade A: "Configuration hardened. All posture checks pass."
- Below A: "Configuration improved. Remaining gaps require [hooks/manual setup]. Run `/security posture` for details."