---
name: security:harden
description: Generate Grade A security configuration — settings.json, CLAUDE.md security section, .gitignore additions
allowed-tools: Read, Glob, Grep, Bash, Write, Edit, AskUserQuestion
model: sonnet
---

# /security harden [path] [--apply] [--dry-run]

Generate reference security configuration to achieve Grade A posture. Runs posture scanner, identifies gaps, generates config to close them.

## Step 1: Generate

Run the reference configuration generator:

```
node <this plugin's scanners/reference-config-generator.mjs> [target-path or cwd] [--apply]
```

Default is `--dry-run` (show JSON output, do not write files).

Parse the JSON output. The result contains:
- `projectType`: plugin, monorepo, or standalone
- `posture`: current grade, pass_rate, pass/partial/fail counts
- `recommendations[]`: file, action (create/merge/append/none), content, category
- `summary`: total, actionable, creates, merges, appends

## Step 2: Present Results

```
# Security Harden — [project name]

| Field | Value |
|-------|-------|
| **Current Grade** | [grade] |
| **Project Type** | [type] |
| **Recommendations** | [actionable]/[total] |

## Recommendations

[For each recommendation with action != 'none':]
### [N]. [category] — [file]
- **Action:** [create/merge/append]
- **Content preview:** [first 3 lines or summary]
```

## Step 3: Apply (if --apply or user confirms)

If `$ARGUMENTS` contains `--apply`, the generator already wrote files. Report what was changed.

If `$ARGUMENTS` is `--dry-run` or empty, ask the user:

> "Apply these [N] changes? This will create a backup first."

If confirmed, re-run with `--apply`. Report backup location and files written.

## Step 4: Post-Apply Verification

After applying, re-run posture scanner to verify improvement:

```
node <this plugin's scanners/posture-scanner.mjs> [target-path]
```

Report: "Grade improved from [old] to [new]." or "Grade unchanged at [grade]."

If Grade A not achieved, explain remaining gaps (likely hook-related, which require manual setup or plugin installation).

## Step 5: Closing

- Grade A: "Configuration hardened. All posture checks pass."
- Below A: "Configuration improved. Remaining gaps require [hooks/manual setup]. Run `/security posture` for details."

## Step 6: HTML Report

After producing the markdown harden report above:

1. Compute a temp markdown path:
   ```bash
   node -p "require('path').join(require('os').tmpdir(), 'sec-harden-' + Date.now() + '.md')"
   ```
2. Use the Write tool to save the **entire markdown report you just produced** (Security Harden header + project metadata + Recommendations + Apply summary + post-apply grade + closing) to that temp path. Verbatim.
3. Run the renderer:
   ```bash
   node <plugin-root>/scripts/render-report.mjs harden --in "<temp-md-path>"
   ```
   The CLI writes `reports/harden-<YYYYMMDD-HHmmss>.html` relative to CWD and prints `file:///abs/path.html` on stdout.
4. Append to your response (markdown link, no bare URL):

   > **HTML-rapport:** [Åpne i nettleser](file:///abs/path.html)

If the CLI exits non-zero, mention the error but do not block — the markdown report above is the primary deliverable.