harden

```
$ npx mdskill add Soul-Brews-Studio/arra-oracle-skills-cli/harden
```

Audit Oracle configurations for safety, governance, and hardening.

  • Detects misconfigurations before they become operational incidents.
  • Integrates with git repositories and CLAUDE.md files.
  • Executes secrets scans, rule compliance checks, and auto-fixes.
  • Reports findings through structured command-line output.

SKILL.md (`.github/skills/harden`)
---
name: harden
description: 'Audit Oracle configuration for safety, governance, and hardening. Use when user says "harden", "audit", "security check", "governance", or wants to verify oracle setup.'
argument-hint: "[--full | --secrets | --rules | --fix]"

---

# /harden — Oracle Governance Audit

> Sharp instruments need safe sheaths. The Whetstone hardens what it sharpens.

Audit an Oracle's configuration for safety, governance compliance, and operational hardening. Catches misconfigurations before they become incidents.

## Usage

```
/harden                # Quick audit — check all, report issues
/harden --full         # Deep audit — check all + suggest fixes
/harden --secrets      # Secrets scan only — .env, keys, tokens
/harden --rules        # Golden rules compliance check
/harden --fix          # Auto-fix safe issues (with confirmation)
```

---

## Step 0: Detect Oracle Root

```bash
date "+🕐 %H:%M %Z (%A %d %B %Y)" && ORACLE_ROOT=$(git rev-parse --show-toplevel 2>/dev/null)
if [ -n "$ORACLE_ROOT" ] && [ -f "$ORACLE_ROOT/CLAUDE.md" ] && { [ -d "$ORACLE_ROOT/ψ" ] || [ -L "$ORACLE_ROOT/ψ" ]; }; then
  PSI="$ORACLE_ROOT/ψ"
  echo "✅ Oracle root: $ORACLE_ROOT"
else
  echo "❌ Not in an oracle repo. /harden requires CLAUDE.md + ψ/ directory."
  exit 1
fi
```

---

## Step 1: Secrets Scan

Check for leaked secrets in tracked files:

```bash
# Check for common secret patterns in git-tracked files
cd "$ORACLE_ROOT"

echo "🔍 Scanning for secrets..."

# .env files that shouldn't be tracked (.env.example is fine)
git ls-files | grep -E '\.env($|\.)' | grep -v '\.example' | while read -r f; do
  echo "🚨 CRITICAL: $f is tracked by git!"
done

# Common secret patterns in tracked files. -z/-0 keeps paths with spaces intact,
# -I skips binary files; SKILL.md and CLAUDE.md are excluded per Rule 3 below.
git ls-files -z | xargs -0 grep -lI -E '(PRIVATE_KEY|API_KEY|SECRET_KEY|password|token|Bearer [a-zA-Z0-9]|sk-[a-zA-Z0-9]{20,})' 2>/dev/null | grep -v -E '(node_modules|\.lock|SKILL\.md|CLAUDE\.md)' | while read -r f; do
  echo "⚠️ Possible secret in: $f"
done
```

### .gitignore Checks

```bash
# Essential ignores for oracle repos
MISSING_IGNORES=""
for pattern in ".env" "node_modules/" ".DS_Store" "ψ/active/" "ψ/memory/logs/"; do
  if ! grep -qF -- "$pattern" "$ORACLE_ROOT/.gitignore" 2>/dev/null; then
    MISSING_IGNORES="$MISSING_IGNORES\n  ❌ Missing: $pattern"
  fi
done

if [ -n "$MISSING_IGNORES" ]; then
  # printf %b expands the \n separators; plain echo would print them literally
  printf "📋 .gitignore gaps:%b\n" "$MISSING_IGNORES"
else
  echo "✅ .gitignore covers essentials"
fi
```

---

## Step 2: Golden Rules Compliance

Read CLAUDE.md and verify the 5 Principles + Rule 6 are present:

```bash
echo "📜 Checking Golden Rules..."
CLAUDE_MD="$ORACLE_ROOT/CLAUDE.md"
```

Check for:

| Rule | Search Pattern | Required |
|------|---------------|----------|
| Nothing is Deleted | `Nothing is Deleted` | Yes |
| Patterns Over Intentions | `Patterns Over Intentions` | Yes |
| External Brain | `External Brain` | Yes |
| Curiosity Creates | `Curiosity Creates` | Yes |
| Form and Formless | `Form and Formless` | Yes |
| Rule 6 (Transparency) | `Oracle Never Pretends` | Yes |
| No force push | `force` or `--force` in golden rules | Yes |
| No rm -rf | `rm -rf` in golden rules | Yes |
| No secrets | `secrets` or `.env` in golden rules | Yes |

Report missing principles as warnings.

---

## Step 3: Brain Structure Audit

Verify ψ/ directory structure:

```bash
echo "🧠 Checking brain structure..."
PSI_REAL=$(readlink -f "$PSI" 2>/dev/null || echo "$PSI")

for dir in inbox memory writing lab learn active archive outbox; do
  if [ -d "$PSI_REAL/$dir" ]; then
    COUNT=$(find "$PSI_REAL/$dir" -type f 2>/dev/null | wc -l)
    echo "  ✅ ψ/$dir/ ($COUNT files)"
  else
    echo "  ⚠️ ψ/$dir/ missing"
  fi
done
```

### ψ/ Symlink Check

```bash
if [ -L "$ORACLE_ROOT/ψ" ]; then
  TARGET=$(readlink "$ORACLE_ROOT/ψ")
  echo "  🔗 ψ → $TARGET"
  # Test through the link itself: a relative TARGET is resolved against the
  # link's directory, not the current working directory, so -d on $TARGET
  # would misreport dangling links whenever cwd is not the oracle root.
  if [ ! -d "$ORACLE_ROOT/ψ" ]; then
    echo "  🚨 Symlink target doesn't exist!"
  fi
else
  echo "  📁 ψ/ is a regular directory"
fi
```

---

## Step 4: Identity Verification

Check CLAUDE.md has required identity fields:

```bash
echo "🪪 Checking identity..."
```

| Field | Pattern | Required |
|-------|---------|----------|
| Name | `I am` or `name:` | Yes |
| Human | `Human:` | Yes |
| Purpose | `Purpose:` | Yes |
| Born | `Born:` | Recommended |
| Theme | `Theme:` | Recommended |
| Node | `Node:` | For fleet oracles |
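Steps 2 and 4 list their patterns only as tables. The script below is an added example, not part of the skill itself, that turns both tables into one data-driven check. It assumes fixed-string matching anywhere in CLAUDE.md (the "in golden rules" scoping the Step 2 table mentions for the last three rows is not implemented), labels the "For fleet oracles" level as `Fleet`, and runs its dry run against constructed sample CLAUDE.md files, not a real oracle.

```bash
#!/usr/bin/env bash
# Added example (not the skill's own code): evaluate the Step 2 Golden Rules
# table and the Step 4 Identity table against a CLAUDE.md with one helper.
# Row format: Label|Level|pattern[|pattern...]; a row passes when ANY pattern
# occurs as a fixed string anywhere in the file. Level is Yes, Recommended or
# Fleet (the latter is this example's label for "For fleet oracles").

GOLDEN_RULES='Nothing is Deleted|Yes|Nothing is Deleted
Patterns Over Intentions|Yes|Patterns Over Intentions
External Brain|Yes|External Brain
Curiosity Creates|Yes|Curiosity Creates
Form and Formless|Yes|Form and Formless
Rule 6 (Transparency)|Yes|Oracle Never Pretends
No force push|Yes|--force|force
No rm -rf|Yes|rm -rf
No secrets|Yes|secrets|.env'

IDENTITY_FIELDS='Name|Yes|I am|name:
Human|Yes|Human:
Purpose|Yes|Purpose:
Born|Recommended|Born:
Theme|Recommended|Theme:
Node|Fleet|Node:'

# check_table FILE TABLE
# Prints one status line per row, then a final "missing_required=N" line.
check_table() {
  local file="$1" table="$2" missing=0
  local IFS='|' label level pats pat found
  while read -r label level pats; do
    [ -n "$label" ] || continue
    found=0
    for pat in $pats; do            # alternatives are split on '|'
      if grep -qF -- "$pat" "$file"; then found=1; break; fi
    done
    if [ "$found" = 1 ]; then
      echo "  ✅ $label"
    elif [ "$level" = Yes ]; then
      echo "  ⚠️ $label missing (required); expected one of: $pats"
      missing=$((missing + 1))
    elif [ "$level" = Recommended ]; then
      echo "  💡 $label missing (recommended)"
    else
      echo "  ℹ️ $label missing (only needed for fleet oracles)"
    fi
  done <<EOF
$table
EOF
  echo "missing_required=$missing"
}

# missing_required FILE TABLE -> just the count, for scoring in the report
missing_required() {
  check_table "$1" "$2" | sed -n 's/^missing_required=//p'
}

# make_fixture complete|minimal -> writes a constructed sample CLAUDE.md
# (not from any real oracle) to a temp file and prints its path.
make_fixture() {
  local f
  f=$(mktemp) || return 1
  if [ "$1" = complete ]; then
    cat > "$f" <<'EOF'
# Sample Oracle
I am Sample Oracle.
Human: sample-human
Purpose: demonstrate /harden checks
Born: 2024-01-01
Theme: whetstone

## Golden Rules
1. Nothing is Deleted
2. Patterns Over Intentions
3. External Brain
4. Curiosity Creates
5. Form and Formless
6. Oracle Never Pretends
Never use --force, never rm -rf, never commit secrets or .env files.
EOF
  else
    cat > "$f" <<'EOF'
I am Minimal Oracle.
Human: sample-human
## Golden Rules
1. Nothing is Deleted
2. External Brain
EOF
  fi
  echo "$f"
}

# Dry run over both constructed fixtures
for kind in complete minimal; do
  f=$(make_fixture "$kind")
  echo "📜 Golden Rules ($kind):"; check_table "$f" "$GOLDEN_RULES"
  echo "🪪 Identity ($kind):";    check_table "$f" "$IDENTITY_FIELDS"
  rm -f "$f"
done
```

Pointing `check_table` at `$CLAUDE_MD` from Step 2 gives the per-row lines for the audit output, and `missing_required` gives the number that feeds the Step 6 score. Because every row carries its own patterns, each warning can name exactly what string would satisfy it, which is what Rule 5 ("every warning must include how to fix") asks for.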

---

## Step 5: Operational Checks

### Git Config

```bash
echo "⚙️ Checking git config..."
# Verify git user is set (not default)
GIT_USER=$(git config user.name 2>/dev/null)
GIT_EMAIL=$(git config user.email 2>/dev/null)
echo "  User: $GIT_USER <$GIT_EMAIL>"

# Check for dangerous aliases
git config --get-regexp alias 2>/dev/null | grep -E '(force|reset.*hard|clean.*-f)' && echo "  ⚠️ Dangerous git aliases found"
```

### Installed Skills Check

```bash
echo "🔧 Checking installed skills..."
if [ -d "$ORACLE_ROOT/.claude/settings" ] || [ -f "$ORACLE_ROOT/.claude/settings.json" ]; then
  echo "  ✅ Claude settings present"
else
  echo "  ⚠️ No Claude settings — skills may not be installed"
fi
```

### Contacts (if fleet oracle)

```bash
if [ -f "$PSI/contacts.json" ]; then
  # Pass the path as an argument rather than interpolating it into the Python
  # source, so a quote or backslash in $PSI cannot break the one-liner.
  CONTACT_COUNT=$(python3 -c "import json, sys; print(len(json.load(open(sys.argv[1])).get('contacts', {})))" "$PSI/contacts.json" 2>/dev/null || echo "?")
  echo "  📇 $CONTACT_COUNT contacts registered"
fi
```

---

## Step 6: Report

Output a summary table:

```
🛡️ /harden Audit Report — [oracle-name]

  Category         Status    Issues
  ──────────────── ───────── ──────
  Secrets          ✅ Clean   0
  Golden Rules     ⚠️ Gaps    2 missing
  Brain Structure  ✅ Complete 0
  Identity         ✅ Valid   0
  Operations       ⚠️ Check   1 warning
  .gitignore       ✅ Good    0

  Score: 4/6 ✅ | 2/6 ⚠️ | 0/6 🚨

  💡 Run /harden --fix to auto-fix safe issues
  💡 Run /harden --full for detailed recommendations
```

---

## Step 7: Auto-Fix (`--fix` mode)

**WAIT for user confirmation before any fix.**

Safe auto-fixes:
- Add missing .gitignore patterns
- Create missing ψ/ subdirectories
- Add missing identity fields to CLAUDE.md (with placeholder values)

Unsafe (manual only):
- Removing tracked secrets (requires `git rm` + history rewrite)
- Modifying golden rules
- Changing git config
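The two file-system fixes from the safe list, gated on an explicit confirmation, as an added example that is not the skill's own `--fix` implementation. It reuses the essential-ignore list from Step 1 and the ψ/ subdirectory list from Step 3, leaves the identity-field fix out, treats anything other than an explicit `y`/`yes` (including EOF) as a decline, and runs its dry run in a constructed throwaway directory rather than a real oracle repo.

```bash
#!/usr/bin/env bash
# Added example (not the skill's own code): the --fix mode's two safe fixes,
# filling .gitignore gaps and creating missing ψ/ subdirectories. Nothing is
# written unless confirm() sees an explicit yes; the default is to decline.

ESSENTIAL_IGNORES=".env node_modules/ .DS_Store ψ/active/ ψ/memory/logs/"
BRAIN_DIRS="inbox memory writing lab learn active archive outbox"

# confirm PROMPT -> returns 0 only on y/yes from stdin; prompt goes to stderr
# so callers can capture the fixers' stdout (their change counts) cleanly.
confirm() {
  printf '%s [y/N] ' "$1" >&2
  read -r answer || answer=""
  case "$answer" in y|Y|yes|YES) return 0 ;; *) return 1 ;; esac
}

# missing_ignores ROOT -> prints essential patterns absent from ROOT/.gitignore
# (same substring match as the Step 1 check), one per line
missing_ignores() {
  local root="$1" pattern
  for pattern in $ESSENTIAL_IGNORES; do
    grep -qF -- "$pattern" "$root/.gitignore" 2>/dev/null || echo "$pattern"
  done
}

# fix_gitignore ROOT -> appends the missing patterns after confirmation and
# prints how many were written (0 when declined or nothing was missing)
fix_gitignore() {
  local root="$1" missing pattern n=0 count
  missing=$(missing_ignores "$root")
  [ -n "$missing" ] || { echo 0; return 0; }
  count=$(printf '%s\n' "$missing" | wc -l | tr -d ' ')
  if confirm "Append $count pattern(s) to $root/.gitignore?"; then
    for pattern in $missing; do
      echo "$pattern" >> "$root/.gitignore"
      n=$((n + 1))
    done
  fi
  echo "$n"
}

# fix_brain_dirs PSI -> creates the missing ψ/ subdirectories after
# confirmation and prints how many were created
fix_brain_dirs() {
  local psi="$1" d missing="" n=0
  for d in $BRAIN_DIRS; do [ -d "$psi/$d" ] || missing="$missing $d"; done
  [ -n "$missing" ] || { echo 0; return 0; }
  if confirm "Create missing ψ/ dirs:$missing ?"; then
    for d in $missing; do mkdir -p "$psi/$d" && n=$((n + 1)); done
  fi
  echo "$n"
}

# Dry run in a constructed throwaway layout (a labelled sample, not a real repo)
demo_root=$(mktemp -d)
mkdir -p "$demo_root/ψ/inbox" "$demo_root/ψ/memory"
printf '.env\nnode_modules/\n' > "$demo_root/.gitignore"
echo "Missing ignores before fix:"; missing_ignores "$demo_root"
echo "Declined: wrote $(echo n | fix_gitignore "$demo_root") pattern(s)"
echo "Accepted: wrote $(echo y | fix_gitignore "$demo_root") pattern(s)"
echo "Created $(echo y | fix_brain_dirs "$demo_root/ψ") brain dir(s)"
rm -r -- "$demo_root"
```

Keeping the report (`missing_ignores`) separate from the mutation (`fix_gitignore`) is what lets the default `/harden` run stay read-only (Rule 1) while `--fix` reuses the same detection; the confirmation prompt reads from the terminal, so a non-interactive run with no input declines every fix instead of silently applying it.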

---

## Rules

1. **Read-only by default** — never modify without `--fix` + confirmation
2. **Oracle root required** — refuse to run outside oracle repos
3. **No false positives on SKILL.md** — skill files legitimately contain words like "secret", "token", "key"
4. **Score honestly** — don't inflate for morale
5. **Actionable output** — every warning must include how to fix

---

ARGUMENTS: $ARGUMENTS
