Dorian 7b56927c3c feat: complete AIUI integration — all 31 overnight tasks
- Protocol: 10 context categories (apps, system, network, bitcoin, media, files, notes, search, ai-local, wallet)
- ContextBroker: real data wiring for all categories with sanitization
- Permissions: user toggles for all categories in Settings
- Nginx: Claude API, OpenRouter, SearXNG proxy pass-through
- Actions: launch-app, search-web, install-app handlers
- Chat.vue: loading state + connection indicator
- Integration test page: test-aiui.html

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 14:34:02 +00:00

2.1 KiB

| name | description | disable-model-invocation | allowed-tools | argument-hint |
| --- | --- | --- | --- | --- |
| harden | Security hardening review and fixes for Archipelago code and infrastructure | true | Read, Edit, Write, Glob, Grep, Bash | [area: backend\|frontend\|containers\|scripts\|all] |

Perform a security hardening pass on $ARGUMENTS (default: all).

Backend Hardening (Rust)

  • No hardcoded credentials — check for Base64-encoded auth strings, passwords in source
  • Secrets use core/security/secrets_manager.rs — verify encryption is implemented (not plaintext)
  • All RPC endpoints validate inputs before processing
  • No unwrap() on user-supplied data — handle errors gracefully
  • Rate limiting on auth endpoints (login, password change)
  • Session tokens have proper expiry and rotation
  • File permissions: keys at 0o600, dirs at 0o700
  • Tracing never logs secrets, passwords, keys, or tokens

Frontend Hardening (Vue/TypeScript)

  • No secrets in source (API keys, passwords, tokens)
  • No eval() or innerHTML with untrusted content
  • XSS prevention — sanitize all user inputs
  • CSRF protection on state-changing requests
  • Credentials use credentials: 'include' not localStorage tokens
  • No sensitive data in console.log statements

Container Hardening

  • All manifests: readonly_root: true (unless documented exception)
  • All manifests: capabilities dropped, only required ones added
  • All manifests: non-root user (UID > 1000)
  • All manifests: no-new-privileges: true
  • All images pinned to specific versions (no :latest)
  • Network isolation — no host network unless required and documented
  • AppArmor profiles defined and enforced

Script Hardening

  • All scripts use set -euo pipefail
  • No hardcoded passwords (use deploy-config.sh or env vars)
  • SSH uses proper key-based auth where possible
  • No chmod 777 or overly permissive permissions
  • Temp files use mktemp not predictable paths

Report all findings with file paths and line numbers. Fix issues directly where safe to do so. Flag anything that needs discussion.
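The backend, container and script checklists above are mostly grep-able, and the final instruction asks for findings with file paths and line numbers. The linter below is an added example (not part of the Archipelago repository or this skill file) that encodes a subset of those rules and reports them in `path:line` form: hardcoded password literals, `chmod 777`, predictable `/tmp` paths and missing `set -euo pipefail` for shell scripts; unpinned or `:latest` images, missing `readonly_root: true` / `no-new-privileges: true` and root or low-UID users for manifests; `unwrap()` and Base64 basic-auth literals for Rust sources. The sample files, rule names and the simple key/value manifest format it parses are all constructed for the example.

```python
"""Checklist linter (added example): reports hardening findings as path:line."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int  # 1-based; 0 means the rule applies to the whole file
    rule: str
    message: str


# Line-level rules: (rule id, file kind, regex, message). The kind comes from
# the file extension: .rs, .yaml/.yml, .sh. Regexes are deliberately simple;
# e.g. an image on a registry with a port (host:5000/app) is not checked.
LINE_RULES = [
    ("script.chmod-777", "sh", re.compile(r"\bchmod\s+(?:-R\s+)?[0-7]?777\b"),
     "chmod 777 is overly permissive"),
    ("script.predictable-tmp", "sh", re.compile(r"(?<![\w/])/tmp/[\w.-]+"),
     "predictable temp path; use mktemp"),
    ("script.hardcoded-password", "sh",
     re.compile(r"(?i)\b(?:password|passwd)=['\"][^'\"$]+['\"]"),
     "hardcoded password literal; use deploy-config.sh or an env var"),
    ("container.unpinned-image", "yaml",
     re.compile(r"""^\s*image:\s*["']?(?:\S+?:latest|[^\s:"']+)["']?\s*$"""),
     "image not pinned to a specific version"),
    ("rust.unwrap", "rs", re.compile(r"\.unwrap\(\)"),
     "unwrap() panics on unexpected input; handle the error"),
    ("rust.basic-auth-literal", "rs",
     re.compile(r"Basic\s+[A-Za-z0-9+/]{8,}={0,2}"),
     "Base64 basic-auth credential in source"),
]

# File-level rules: strict mode for scripts, required flags and a numeric
# UID > 1000 for container manifests.
STRICT_MODE = re.compile(r"^\s*set\s+-[eu]{2}(?:o|\s+-o)\s+pipefail\b")
MANIFEST_FLAGS = {
    "container.readonly-root": (re.compile(r"^\s*readonly_root:\s*true\b"),
                                "readonly_root: true missing"),
    "container.no-new-privileges": (re.compile(r"^\s*no-new-privileges:\s*true\b"),
                                    "no-new-privileges: true missing"),
}
USER_LINE = re.compile(r"""^\s*(?:user|uid):\s*["']?(\w+)""")


def kind_of(path: str) -> str:
    ext = path.rsplit(".", 1)[-1].lower()
    return "yaml" if ext == "yml" else ext


def scan(path: str, text: str) -> list:
    """Return all findings for one file, sorted by path, line and rule."""
    kind = kind_of(path)
    lines = text.splitlines()
    found = []
    for lineno, line in enumerate(lines, start=1):
        for rule, rule_kind, pattern, message in LINE_RULES:
            if rule_kind == kind and pattern.search(line):
                found.append(Finding(path, lineno, rule, message))
    if kind == "sh" and not any(STRICT_MODE.search(l) for l in lines):
        found.append(Finding(path, 0, "script.strict-mode", "set -euo pipefail missing"))
    if kind == "yaml":
        for rule, (pattern, message) in MANIFEST_FLAGS.items():
            if not any(pattern.search(l) for l in lines):
                found.append(Finding(path, 0, rule, message))
        users = [(n, m.group(1)) for n, l in enumerate(lines, start=1)
                 if (m := USER_LINE.search(l))]
        if not users:
            found.append(Finding(path, 0, "container.non-root", "no user set; defaults to root"))
        for lineno, user in users:
            if not user.isdigit() or int(user) <= 1000:
                found.append(Finding(path, lineno, "container.non-root",
                                     f"user {user!r} must be a numeric UID > 1000"))
    return sorted(found, key=lambda f: (f.path, f.line, f.rule))


def report(findings) -> list:
    """Format findings as path:line: [rule] message (line 0 = whole file)."""
    return [f"{f.path}:{f.line}: [{f.rule}] {f.message}" for f in findings]


# Constructed sample files (not from the project); the Base64 string is a
# made-up user:example credential, not a real secret.
SAMPLES = {
    "scripts/deploy.sh": '#!/usr/bin/env bash\nPASSWORD="hunter2"\n'
                         "chmod 777 /opt/app\necho ok > /tmp/deploy.log\n",
    "containers/wallet.yaml": "image: archipelago/wallet:latest\nuser: root\n"
                              "readonly_root: false\n",
    "core/rpc/wallet.rs": "let amount: u64 = req.amount.parse().unwrap();\n"
                          'const AUTH: &str = "Basic dXNlcjpleGFtcGxl";\n',
}

if __name__ == "__main__":
    for path, text in SAMPLES.items():
        print("\n".join(report(scan(path, text))))
```

Findings with line 0 are whole-file conditions (a missing flag or `set` line) and are the ones most likely to need discussion rather than an automatic fix; the rest point at a single line that can usually be corrected in place.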