Security Model Harden

Context

• Target path: {{SC_ARGS}}

Your spawn_agent

STEP 1: Initialize comprehensive security hardening session with threat modeling

• CREATE session state: /tmp/harden-session-$SESSION_ID.json
• ANALYZE target scope from Context section
• DETERMINE security complexity based on project structure
• VALIDATE required security tools availability

# Initialize hardening session state
echo '{
  "sessionId": "'$SESSION_ID'",
  "targetPath": "'{{SC_ARGS}}'",
  "projectType": "auto-detect",
  "hardeningLevel": "strict",
  "threatsIdentified": [],
  "mitigationsApplied": [],
  "complianceTarget": "general"
}' > /tmp/harden-session-$SESSION_ID.json

STEP 2: Multi-layer threat assessment with parallel security analysis

IF complex_infrastructure_detected OR kubernetes_manifests_found:

LAUNCH parallel sub-agents for comprehensive security assessment:

• Agent 1: Container Security Assessment: Analyze Dockerfiles and container configurations

  • Focus: Base image vulnerabilities, privilege escalation, filesystem security
  • Tools: Docker security scanning, distroless alternatives, multi-stage optimization
  • Output: Container hardening recommendations and secure Dockerfile templates

• Agent 2: Kubernetes Security Analysis: Evaluate K8s manifests and Pod Security Standards

  • Focus: RBAC policies, network policies, security contexts, admission controllers
  • Tools: kubectl security validation, OPA Gatekeeper policies, PSS compliance
  • Output: Secure manifest templates and policy enforcement rules

• Agent 3: Application Code Security: Scan source code for security anti-patterns

  • Focus: Input validation, authentication, authorization, cryptographic usage
  • Tools: Static analysis, dependency scanning, secret detection
  • Output: Code-level security improvements and secure coding patterns

• Agent 4: Infrastructure Security: Analyze deployment and networking security

  • Focus: Network segmentation, service mesh security, ingress/egress controls
  • Tools: Network policy generation, TLS configuration, certificate management
  • Output: Infrastructure security policies and network hardening

• Agent 5: Compliance Assessment: Evaluate against security frameworks

  • Focus: SOC 2, PCI DSS, HIPAA, CIS benchmarks compliance requirements
  • Tools: Compliance mapping, audit trail generation, policy documentation
  • Output: Compliance gap analysis and remediation roadmap

ELSE:

EXECUTE targeted single-layer hardening based on detected project type

STEP 3: Programmatic security hardening implementation with error handling

TRY:

CASE project_complexity: WHEN "dockerfile_only":

• APPLY container security hardening patterns
• IMPLEMENT distroless base images and non-root execution
• ADD security scanning and vulnerability management
• GENERATE secure multi-stage build configurations

WHEN "kubernetes_deployment":

• ENFORCE Pod Security Standards (restricted profile)
• IMPLEMENT network policies for micro-segmentation
• CONFIGURE RBAC with principle of least privilege
• ADD security contexts and resource constraints

WHEN "application_code":

• INJECT security middleware and headers
• IMPLEMENT input validation and sanitization
• ADD authentication and authorization frameworks
• CONFIGURE secure session management

WHEN "full_stack_application":

• COORDINATE multi-layer security implementation
• APPLY defense-in-depth strategies
• IMPLEMENT comprehensive logging and monitoring
• CONFIGURE incident response procedures

Security Hardening Patterns:

# Container Security Implementation
if fd "Dockerfile" . | head -1 >/dev/null; then
  echo "🐳 Applying container security hardening..."
  # Multi-stage builds with distroless images
  # Non-root user execution
  # Read-only root filesystem
  # Dropped capabilities
fi

# Kubernetes Security Implementation  
if fd "\.ya?ml$" . | rg -l "kind: (Deployment|Pod)" | head -1 >/dev/null; then
  echo "☸️ Implementing Kubernetes security policies..."
  # Pod Security Standards enforcement
  # Network policy generation
  # RBAC configuration
  # Security context hardening
fi

# Application Security Implementation
project_lang=$(fd "(package\.json|Cargo\.toml|go\.mod|pom\.xml)" . | head -1)
if [[ -n "$project_lang" ]]; then
  echo "🔒 Applying application-level security patterns..."
  # Security headers middleware
  # Input validation frameworks
  # Authentication/authorization
  # Secure configuration management
fi

CATCH (hardening_failed):

• LOG detailed error information to session state
• PROVIDE alternative hardening strategies
• SUGGEST manual security review steps
• GENERATE partial security improvements

echo "⚠️ Security hardening encountered issues:"
echo "- Check tool availability and permissions"
echo "- Validate target path accessibility"
echo "- Review project structure compatibility"
echo "- Consider manual security review process"

STEP 4: Compliance validation and security documentation generation

FOR EACH security_layer IN ["container", "kubernetes", "application", "infrastructure"]:

• VALIDATE applied security controls
• GENERATE compliance documentation
• CREATE security policy templates
• IMPLEMENT monitoring and alerting

Security Documentation Generation:

# Generate comprehensive security documentation
mkdir -p security/{policies,procedures,compliance}

# Security policy documentation
echo "📋 Generating security documentation suite..."
echo "  - SECURITY.md: Security policy and procedures"
echo "  - threat-model.md: Application threat analysis"
echo "  - compliance/: Framework-specific compliance documentation"
echo "  - incident-response/: Security incident procedures"

STEP 5: Session state management and continuous security monitoring

Update Hardening Session State:

# Update session with applied mitigations
jq --arg timestamp "$(gdate -Iseconds 2>/dev/null || date -Iseconds)" \
   --argjson mitigations '["container_hardening", "k8s_policies", "app_security"]' '
  .lastUpdated = $timestamp |
  .mitigationsApplied += $mitigations |
  .hardeningStatus = "completed"
' /tmp/harden-session-$SESSION_ID.json > /tmp/harden-session-$SESSION_ID.tmp && \
mv /tmp/harden-session-$SESSION_ID.tmp /tmp/harden-session-$SESSION_ID.json

Security Monitoring Setup:

echo "🔍 Security hardening completed successfully"
echo "📊 Session: $SESSION_ID"
echo "🎯 Target: {{SC_ARGS}}"
echo "🛡️ Applied mitigations: $(jq -r '.mitigationsApplied | join(", ")' /tmp/harden-session-$SESSION_ID.json)"
echo "📁 Security documentation: security/ directory"
echo "⚡ Next steps: Review generated policies and implement monitoring"

FINALLY:

• SAVE complete hardening state for audit trail
• PROVIDE security monitoring recommendations
• SUGGEST periodic security review schedule
• CLEAN up temporary session files

Security Implementation Levels

Description

This command systematically reduces your application's attack surface by implementing security hardening across multiple layers. Unlike audit-focused tools, /harden makes actual security improvements to your code and infrastructure.

Security Layers

1. Container Security (Dockerfile)

Transforms Docker images to follow security best practices:

Before:

FROM node:18
COPY . /app
WORKDIR /app
RUN npm install
USER root
CMD ["npm", "start"]

After:

# Multi-stage build with distroless final image
FROM node:18-alpine AS builder
WORKDIR /build
COPY package*.json ./
RUN npm ci --only=production && npm cache clean --force

FROM gcr.io/distroless/nodejs18-debian11:nonroot
COPY --from=builder /build/node_modules /app/node_modules
COPY --from=builder --chown=nonroot:nonroot /build/src /app/src

# Security hardening
USER nonroot
WORKDIR /app

# Read-only root filesystem
COPY --chmod=444 package.json ./
ENV NODE_ENV=production

# Health check
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD node healthcheck.js

EXPOSE 3000
CMD ["node", "src/index.js"]

Applied Hardening:

• Distroless or minimal base images (Alpine, scratch)
• Non-root user execution with proper UID/GID
• Read-only root filesystem where possible
• Dropped unnecessary capabilities
• Multi-stage builds to reduce image size
• Dependency vulnerability scanning integration

2. Kubernetes Security

Implements Pod Security Standards and network policies:

Generated Pod Security Context:

apiVersion: apps/v1