harden

Run the toolkit's security commands in order to surface secrets, MCP supply-chain issues, install drift, release provenance gaps, and untrusted-code risks before shipping. Use before opening a PR, after adding a dependency, or whenever the security posture needs a fresh check.
dshakes/compass · ★ 9 · AI & Automation · score 79
Install: claude install-skill dshakes/compass
# Harden — security sweep in five ordered steps

Run each command in sequence. Stop on a non-zero exit and fix the finding before proceeding. All five must pass before the branch is considered hardened.

## Steps

### 1 · Secrets — `compass scan --staged`

Scan the staged diff for secrets at the commit boundary.

```
compass scan --staged
```

Exits 0 (clean) or 1 (secrets found). Fix: remove the secret, rotate the credential, then re-stage. Add an `# allowlist secret` comment ONLY for confirmed test fixtures — never real credentials.

### 2 · MCP supply-chain pins — `scripts/check-mcp.sh`

Verify every auto-installed MCP server is pinned to an exact version and that no `@latest` float or shell-injection marker has crept in.

```
bash scripts/check-mcp.sh
```

Exits 0 (pinned + clean) or non-zero (floating version or injection marker). Fix: pin the version in `mcp/servers.json` and re-run. (`setup-mcp.sh` runs this same audit as a pre-flight, and `compass doctor` includes it.)

### 3 · Install fidelity — `compass drift`

Check that the installed `~/.claude` config still matches this repo's source. Catches hand-edited copies, stale hooks, and non-executable guardrail scripts.

```
compass drift
```

Exits 0 (in sync) or non-zero (drift detected). Fix: re-run `quickstart.sh` or remove the hand-edited file and let the install re-link it.

### 4 · Release provenance — `compass verify`

Verify the latest release tarball's keyless SLSA attestation. Requires `gh`.

```
compass verify
```
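
The kind of pin audit step 2 describes, sketched as an added example; it is not the code of `scripts/check-mcp.sh` or of the compass project. The `servers`/`command`/`args` layout assumed for `mcp/servers.json`, the npm-style package specs, and the metacharacter set treated as an injection marker are all assumptions.

```python
import json
import re

# Exact semver only (1.2.3 or 1.2.3-rc.1): no ranges, dist-tags or wildcards.
EXACT = re.compile(r"\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?")
# Assumed marker set: characters that change meaning if an arg reaches a shell.
SHELL_META = re.compile(r"[;&|`<>\n]|\$\(")

def split_spec(spec):
    """Split an npm-style spec into (name, version); handles @scope/pkg@ver."""
    at = spec.rfind("@")
    if at <= 0:  # no '@' at all, or only the leading scope '@'
        return spec, None
    return spec[:at], spec[at + 1:]

def audit(config_text):
    """Return sorted (server, problem) findings; an empty list means pinned and clean."""
    findings = []
    servers = json.loads(config_text).get("servers", {})
    for name, entry in servers.items():
        args = list(entry.get("args", []))
        for arg in [entry.get("command", "")] + args:
            if SHELL_META.search(arg):
                findings.append((name, f"shell metacharacter in {arg!r}"))
        # Assumption: the package spec is the first argument that is not a flag.
        pkg = next((a for a in args if not a.startswith("-")), None)
        if pkg is None:
            findings.append((name, "no package argument"))
            continue
        version = split_spec(pkg)[1]
        if version is None:
            findings.append((name, f"unpinned: {pkg}"))
        elif not EXACT.fullmatch(version):
            findings.append((name, f"floating version: {pkg}"))
    return sorted(findings)

# Constructed sample input, not the repository's real mcp/servers.json.
SAMPLE = json.dumps({"servers": {
    "pinned":   {"command": "npx", "args": ["-y", "@example/mcp-files@1.4.2"]},
    "floating": {"command": "npx", "args": ["-y", "@example/mcp-git@latest"]},
    "ranged":   {"command": "npx", "args": ["-y", "example-mcp-web@^2.0.0"]},
    "bare":     {"command": "npx", "args": ["-y", "@example/mcp-db"]},
    "injected": {"command": "npx", "args": ["-y", "example-mcp-x@1.0.0; echo marker"]},
}})

if __name__ == "__main__":
    for server, problem in audit(SAMPLE):
        print(f"FAIL {server}: {problem}")
    raise SystemExit(1 if audit(SAMPLE) else 0)  # non-zero exit stops the sweep
```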