--- name: harden description: Security hardening review and fixes for Archipelago code and infrastructure disable-model-invocation: true allowed-tools: Read, Edit, Write, Glob, Grep, Bash argument-hint: "[area: backend|frontend|containers|scripts|all]" --- Perform a security hardening pass on $ARGUMENTS (default: all). ## Backend Hardening (Rust) - [ ] No hardcoded credentials — check for Base64-encoded auth strings, passwords in source - [ ] Secrets use `core/security/secrets_manager.rs` — verify encryption is implemented (not plaintext) - [ ] All RPC endpoints validate inputs before processing - [ ] No `unwrap()` on user-supplied data — handle errors gracefully - [ ] Rate limiting on auth endpoints (login, password change) - [ ] Session tokens have proper expiry and rotation - [ ] File permissions: keys at 0o600, dirs at 0o700 - [ ] Tracing never logs secrets, passwords, keys, or tokens ## Frontend Hardening (Vue/TypeScript) - [ ] No secrets in source (API keys, passwords, tokens) - [ ] No `eval()` or `innerHTML` with untrusted content - [ ] XSS prevention — sanitize all user inputs - [ ] CSRF protection on state-changing requests - [ ] Credentials use `credentials: 'include'` not localStorage tokens - [ ] No sensitive data in console.log statements ## Container Hardening - [ ] All manifests: `readonly_root: true` (unless documented exception) - [ ] All manifests: capabilities dropped, only required ones added - [ ] All manifests: non-root user (UID > 1000) - [ ] All manifests: `no-new-privileges: true` - [ ] All images pinned to specific versions (no `:latest`) - [ ] Network isolation — no `host` network unless required and documented - [ ] AppArmor profiles defined and enforced ## Script Hardening - [ ] All scripts use `set -euo pipefail` - [ ] No hardcoded passwords (use deploy-config.sh or env vars) - [ ] SSH uses proper key-based auth where possible - [ ] No `chmod 777` or overly permissive permissions - [ ] Temp files use `mktemp` not predictable paths Report all findings with file paths and line numbers. Fix issues directly where safe to do so. Flag anything that needs discussion.