dpnmw/agents
1
0
Fork 0
mirror of https://github.com/wshobson/agents.git synced 2026-03-18 09:37:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: eliminate cross-plugin dependencies and modernize plugin.json across marketplace

Browse Source 
Rewrites 14 commands across 11 plugins to remove all cross-plugin
subagent_type references (e.g., "unit-testing::test-automator"), which
break when plugins are installed standalone. Each command now uses only
local bundled agents or general-purpose with role context in the prompt.

All rewritten commands follow conductor-style patterns:
- CRITICAL BEHAVIORAL RULES with strong directives
- State files for session tracking and resume support
- Phase checkpoints requiring explicit user approval
- File-based context passing between steps

Also fixes 4 plugin.json files missing version/license fields and adds
plugin.json for dotnet-contribution.

Closes #433
This commit is contained in:
Seth Hobson
2026-02-06 19:34:26 -05:00
parent 4820385a31
commit 4d504ed8fa
36 changed files with 7235 additions and 2980 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
plugins/security-scanning/.claude-plugin/plugin.json
View File

@@ -1,6 +1,6 @@
{
"name": "security-scanning",
"version": "1.2.3",
"version": "1.3.0",
"description": "SAST analysis, dependency vulnerability scanning, OWASP Top 10 compliance, container security scanning, and automated security hardening",
"author": {
"name": "Seth Hobson",

715
plugins/security-scanning/commands/security-hardening.md
View File

@@ -1,134 +1,653 @@
Implement comprehensive security hardening with defense-in-depth strategy through coordinated multi-agent orchestration:
---
description: "Orchestrate comprehensive security hardening with defense-in-depth strategy across all application layers"
argument-hint: "<target description> [--depth quick|standard|comprehensive] [--compliance owasp,soc2,gdpr,hipaa,pci-dss]"
---
[Extended thinking: This workflow implements a defense-in-depth security strategy across all application layers. It coordinates specialized security agents to perform comprehensive assessments, implement layered security controls, and establish continuous security monitoring. The approach follows modern DevSecOps principles with shift-left security, automated scanning, and compliance validation. Each phase builds upon previous findings to create a resilient security posture that addresses both current vulnerabilities and future threats.]
# Security Hardening Orchestrator
## Phase 1: Comprehensive Security Assessment
## CRITICAL BEHAVIORAL RULES
### 1. Initial Vulnerability Scanning
You MUST follow these rules exactly. Violating any of them is a failure.
- Use Task tool with subagent_type="security-auditor"
- Prompt: "Perform comprehensive security assessment on: $ARGUMENTS. Execute SAST analysis with Semgrep/SonarQube, DAST scanning with OWASP ZAP, dependency audit with Snyk/Trivy, secrets detection with GitLeaks/TruffleHog. Generate SBOM for supply chain analysis. Identify OWASP Top 10 vulnerabilities, CWE weaknesses, and CVE exposures."
- Output: Detailed vulnerability report with CVSS scores, exploitability analysis, attack surface mapping, secrets exposure report, SBOM inventory
- Context: Initial baseline for all remediation efforts
1. **Execute steps in order.** Do NOT skip ahead, reorder, or merge steps.
2. **Write output files.** Each step MUST produce its output file in `.security-hardening/` before the next step begins. Read from prior step files — do NOT rely on context window memory.
3. **Stop at checkpoints.** When you reach a `PHASE CHECKPOINT`, you MUST stop and wait for explicit user approval before continuing. Use the AskUserQuestion tool with clear options.
4. **Halt on failure.** If any step fails (agent error, test failure, missing dependency), STOP immediately. Present the error and ask the user how to proceed. Do NOT silently continue.
5. **Use only local agents.** All `subagent_type` references use agents bundled with this plugin or `general-purpose`. No cross-plugin dependencies.
6. **Never enter plan mode autonomously.** Do NOT use EnterPlanMode. This command IS the plan — execute it.
### 2. Threat Modeling and Risk Analysis
## Pre-flight Checks
- Use Task tool with subagent_type="security-auditor"
- Prompt: "Conduct threat modeling using STRIDE methodology for: $ARGUMENTS. Analyze attack vectors, create attack trees, assess business impact of identified vulnerabilities. Map threats to MITRE ATT&CK framework. Prioritize risks based on likelihood and impact."
- Output: Threat model diagrams, risk matrix with prioritized vulnerabilities, attack scenario documentation, business impact analysis
- Context: Uses vulnerability scan results to inform threat priorities
Before starting, perform these checks:
### 3. Architecture Security Review
### 1. Check for existing session
- Use Task tool with subagent_type="backend-api-security::backend-architect"
- Prompt: "Review architecture for security weaknesses in: $ARGUMENTS. Evaluate service boundaries, data flow security, authentication/authorization architecture, encryption implementation, network segmentation. Design zero-trust architecture patterns. Reference threat model and vulnerability findings."
- Output: Security architecture assessment, zero-trust design recommendations, service mesh security requirements, data classification matrix
- Context: Incorporates threat model to address architectural vulnerabilities
Check if `.security-hardening/state.json` exists:
## Phase 2: Vulnerability Remediation
- If it exists and `status` is `"in_progress"`: Read it, display the current step, and ask the user:
### 4. Critical Vulnerability Fixes
```
Found an in-progress security hardening session:
Target: [target from state]
Current step: [step from state]
- Use Task tool with subagent_type="security-auditor"
- Prompt: "Coordinate immediate remediation of critical vulnerabilities (CVSS 7+) in: $ARGUMENTS. Fix SQL injections with parameterized queries, XSS with output encoding, authentication bypasses with secure session management, insecure deserialization with input validation. Apply security patches for CVEs."
- Output: Patched code with vulnerability fixes, security patch documentation, regression test requirements
- Context: Addresses high-priority items from vulnerability assessment
1. Resume from where we left off
2. Start fresh (archives existing session)
```
### 5. Backend Security Hardening
- If it exists and `status` is `"complete"`: Ask whether to archive and start fresh.
- Use Task tool with subagent_type="backend-api-security::backend-security-coder"
- Prompt: "Implement comprehensive backend security controls for: $ARGUMENTS. Add input validation with OWASP ESAPI, implement rate limiting and DDoS protection, secure API endpoints with OAuth2/JWT validation, add encryption for data at rest/transit using AES-256/TLS 1.3. Implement secure logging without PII exposure."
- Output: Hardened API endpoints, validation middleware, encryption implementation, secure configuration templates
- Context: Builds upon vulnerability fixes with preventive controls
### 2. Initialize state
### 6. Frontend Security Implementation
Create `.security-hardening/` directory and `state.json`:
- Use Task tool with subagent_type="frontend-mobile-security::frontend-security-coder"
- Prompt: "Implement frontend security measures for: $ARGUMENTS. Configure CSP headers with nonce-based policies, implement XSS prevention with DOMPurify, secure authentication flows with PKCE OAuth2, add SRI for external resources, implement secure cookie handling with SameSite/HttpOnly/Secure flags."
- Output: Secure frontend components, CSP policy configuration, authentication flow implementation, security headers configuration
- Context: Complements backend security with client-side protections
```json
{
"target": "$ARGUMENTS",
"status": "in_progress",
"depth": "comprehensive",
"compliance_frameworks": ["owasp"],
"current_step": 1,
"current_phase": 1,
"completed_steps": [],
"files_created": [],
"started_at": "ISO_TIMESTAMP",
"last_updated": "ISO_TIMESTAMP"
}
```
### 7. Mobile Security Hardening
Parse `$ARGUMENTS` for `--depth` and `--compliance` flags. Use defaults if not specified.
- Use Task tool with subagent_type="frontend-mobile-security::mobile-security-coder"
- Prompt: "Implement mobile app security for: $ARGUMENTS. Add certificate pinning, implement biometric authentication, secure local storage with encryption, obfuscate code with ProGuard/R8, implement anti-tampering and root/jailbreak detection, secure IPC communications."
- Output: Hardened mobile application, security configuration files, obfuscation rules, certificate pinning implementation
- Context: Extends security to mobile platforms if applicable
### 3. Parse target description
## Phase 3: Security Controls Implementation
Extract the target description from `$ARGUMENTS` (everything before the flags). This is referenced as `$TARGET` in prompts below.
### 8. Authentication and Authorization Enhancement
---
- Use Task tool with subagent_type="security-auditor"
- Prompt: "Implement modern authentication system for: $ARGUMENTS. Deploy OAuth2/OIDC with PKCE, implement MFA with TOTP/WebAuthn/FIDO2, add risk-based authentication, implement RBAC/ABAC with principle of least privilege, add session management with secure token rotation."
- Output: Authentication service configuration, MFA implementation, authorization policies, session management system
- Context: Strengthens access controls based on architecture review
## Phase 1: Assessment & Threat Modeling (Steps 13)
### 9. Infrastructure Security Controls
### Step 1: Vulnerability Scanning
- Use Task tool with subagent_type="deployment-strategies::deployment-engineer"
- Prompt: "Deploy infrastructure security controls for: $ARGUMENTS. Configure WAF rules for OWASP protection, implement network segmentation with micro-segmentation, deploy IDS/IPS systems, configure cloud security groups and NACLs, implement DDoS protection with rate limiting and geo-blocking."
- Output: WAF configuration, network security policies, IDS/IPS rules, cloud security configurations
- Context: Implements network-level defenses
Use the Task tool to launch the security auditor agent:
### 10. Secrets Management Implementation
```
Task:
subagent_type: "security-auditor"
description: "Comprehensive vulnerability scan of $TARGET"
prompt: |
Perform a comprehensive security assessment on: $TARGET.
- Use Task tool with subagent_type="deployment-strategies::deployment-engineer"
- Prompt: "Implement enterprise secrets management for: $ARGUMENTS. Deploy HashiCorp Vault or AWS Secrets Manager, implement secret rotation policies, remove hardcoded secrets, configure least-privilege IAM roles, implement encryption key management with HSM support."
- Output: Secrets management configuration, rotation policies, IAM role definitions, key management procedures
- Context: Eliminates secrets exposure vulnerabilities
## Instructions
1. Execute SAST analysis (Semgrep/SonarQube patterns)
2. Identify DAST scanning targets (OWASP ZAP patterns)
3. Perform dependency audit (Snyk/Trivy patterns)
4. Run secrets detection (GitLeaks/TruffleHog patterns)
5. Generate SBOM for supply chain analysis
6. Identify OWASP Top 10 vulnerabilities, CWE weaknesses, and CVE exposures
7. Assign CVSS scores to all findings
## Phase 4: Validation and Compliance
Provide a detailed vulnerability report with: CVSS scores, exploitability analysis,
attack surface mapping, secrets exposure report, and SBOM inventory.
```
### 11. Penetration Testing and Validation
Save the agent's output to `.security-hardening/01-vulnerability-scan.md`.
- Use Task tool with subagent_type="security-auditor"
- Prompt: "Execute comprehensive penetration testing for: $ARGUMENTS. Perform authenticated and unauthenticated testing, API security testing, business logic testing, privilege escalation attempts. Use Burp Suite, Metasploit, and custom exploits. Validate all security controls effectiveness."
- Output: Penetration test report, proof-of-concept exploits, remediation validation, security control effectiveness metrics
- Context: Validates all implemented security measures
Update `state.json`: set `current_step` to 2, add step 1 to `completed_steps`.
### 12. Compliance and Standards Verification
### Step 2: Threat Modeling & Risk Analysis
- Use Task tool with subagent_type="security-auditor"
- Prompt: "Verify compliance with security frameworks for: $ARGUMENTS. Validate against OWASP ASVS Level 2, CIS Benchmarks, SOC2 Type II requirements, GDPR/CCPA privacy controls, HIPAA/PCI-DSS if applicable. Generate compliance attestation reports."
- Output: Compliance assessment report, gap analysis, remediation requirements, audit evidence collection
- Context: Ensures regulatory and industry standard compliance
Read `.security-hardening/01-vulnerability-scan.md` to load vulnerability context.
### 13. Security Monitoring and SIEM Integration
Use the Task tool to launch the threat modeling expert:
- Use Task tool with subagent_type="incident-response::devops-troubleshooter"
- Prompt: "Implement security monitoring and SIEM for: $ARGUMENTS. Deploy Splunk/ELK/Sentinel integration, configure security event correlation, implement behavioral analytics for anomaly detection, set up automated incident response playbooks, create security dashboards and alerting."
- Output: SIEM configuration, correlation rules, incident response playbooks, security dashboards, alert definitions
- Context: Establishes continuous security monitoring
```
Task:
subagent_type: "threat-modeling-expert"
description: "Threat modeling and risk analysis for $TARGET"
prompt: |
Conduct threat modeling using STRIDE methodology for: $TARGET.
## Configuration Options
## Vulnerability Context
[Insert full contents of .security-hardening/01-vulnerability-scan.md]
- scanning_depth: "quick" | "standard" | "comprehensive" (default: comprehensive)
- compliance_frameworks: ["OWASP", "CIS", "SOC2", "GDPR", "HIPAA", "PCI-DSS"]
- remediation_priority: "cvss_score" | "exploitability" | "business_impact"
- monitoring_integration: "splunk" | "elastic" | "sentinel" | "custom"
- authentication_methods: ["oauth2", "saml", "mfa", "biometric", "passwordless"]
## Instructions
1. Analyze attack vectors and create attack trees
2. Assess business impact of identified vulnerabilities
3. Map threats to MITRE ATT&CK framework
4. Prioritize risks based on likelihood and impact
5. Use vulnerability scan results to inform threat priorities
Provide: threat model diagrams, risk matrix with prioritized vulnerabilities,
attack scenario documentation, and business impact analysis.
```
Save the agent's output to `.security-hardening/02-threat-model.md`.
Update `state.json`: set `current_step` to 3, add step 2 to `completed_steps`.
### Step 3: Architecture Security Review
Read `.security-hardening/01-vulnerability-scan.md` and `.security-hardening/02-threat-model.md`.
Use the Task tool:
```
Task:
subagent_type: "general-purpose"
description: "Architecture security review for $TARGET"
prompt: |
You are a backend security architect. Review the architecture for security weaknesses in: $TARGET.
## Vulnerability Scan Results
[Insert contents of .security-hardening/01-vulnerability-scan.md]
## Threat Model
[Insert contents of .security-hardening/02-threat-model.md]
## Instructions
1. Evaluate service boundaries, data flow security, authentication/authorization architecture
2. Review encryption implementation and network segmentation
3. Design zero-trust architecture patterns where applicable
4. Create a data classification matrix
5. Reference the threat model and vulnerability findings in your recommendations
Provide: security architecture assessment, zero-trust design recommendations,
service mesh security requirements, and data classification matrix.
```
Save the agent's output to `.security-hardening/03-architecture-review.md`.
Update `state.json`: set `current_step` to "checkpoint-1", add step 3 to `completed_steps`.
---
## PHASE CHECKPOINT 1 — User Approval Required
You MUST stop here and present the assessment results for review.
Display a summary of findings from `.security-hardening/01-vulnerability-scan.md`, `.security-hardening/02-threat-model.md`, and `.security-hardening/03-architecture-review.md` (critical vulnerabilities count, top threats, key architecture concerns) and ask:
```
Security assessment complete. Please review:
- .security-hardening/01-vulnerability-scan.md
- .security-hardening/02-threat-model.md
- .security-hardening/03-architecture-review.md
Critical vulnerabilities: [count]
High-risk threats: [count]
Architecture concerns: [count]
1. Approve — proceed to vulnerability remediation
2. Request changes — tell me what to adjust
3. Pause — save progress and stop here
```
Do NOT proceed to Phase 2 until the user selects option 1. If they select option 2, revise and re-checkpoint. If option 3, update `state.json` status and stop.
---
## Phase 2: Vulnerability Remediation (Steps 47)
### Step 4: Critical Vulnerability Fixes
Read `.security-hardening/01-vulnerability-scan.md` and `.security-hardening/02-threat-model.md`.
Use the Task tool:
```
Task:
subagent_type: "security-auditor"
description: "Remediate critical vulnerabilities for $TARGET"
prompt: |
Coordinate immediate remediation of critical vulnerabilities (CVSS 7+) in: $TARGET.
## Vulnerability Scan Results
[Insert contents of .security-hardening/01-vulnerability-scan.md]
## Threat Model
[Insert contents of .security-hardening/02-threat-model.md]
## Instructions
1. Fix SQL injections with parameterized queries
2. Fix XSS with output encoding
3. Fix authentication bypasses with secure session management
4. Fix insecure deserialization with input validation
5. Apply security patches for known CVEs
6. Document all changes and regression test requirements
Provide: patched code with vulnerability fixes, security patch documentation,
and regression test requirements.
```
Save the agent's output to `.security-hardening/04-critical-fixes.md`.
Update `state.json`: set `current_step` to 5, add step 4 to `completed_steps`.
### Step 5: Backend Security Hardening
Read `.security-hardening/03-architecture-review.md` and `.security-hardening/04-critical-fixes.md`.
Use the Task tool:
```
Task:
subagent_type: "general-purpose"
description: "Backend security hardening for $TARGET"
prompt: |
You are a backend security engineer. Implement comprehensive backend security controls for: $TARGET.
## Architecture Review
[Insert contents of .security-hardening/03-architecture-review.md]
## Critical Fixes Applied
[Insert contents of .security-hardening/04-critical-fixes.md]
## Instructions
1. Add input validation with OWASP ESAPI patterns
2. Implement rate limiting and DDoS protection
3. Secure API endpoints with OAuth2/JWT validation
4. Add encryption for data at rest/transit using AES-256/TLS 1.3
5. Implement secure logging without PII exposure
6. Build upon the critical fixes already applied
Provide: hardened API endpoints, validation middleware, encryption implementation,
and secure configuration templates.
```
Save the agent's output to `.security-hardening/05-backend-hardening.md`.
Update `state.json`: set `current_step` to 6, add step 5 to `completed_steps`.
### Step 6: Frontend Security Implementation
Read `.security-hardening/03-architecture-review.md` and `.security-hardening/05-backend-hardening.md`.
Use the Task tool:
```
Task:
subagent_type: "general-purpose"
description: "Frontend security implementation for $TARGET"
prompt: |
You are a frontend security engineer. Implement frontend security measures for: $TARGET.
## Architecture Review
[Insert contents of .security-hardening/03-architecture-review.md]
## Backend Hardening
[Insert contents of .security-hardening/05-backend-hardening.md]
## Instructions
1. Configure CSP headers with nonce-based policies
2. Implement XSS prevention with DOMPurify
3. Secure authentication flows with PKCE OAuth2
4. Add SRI for external resources
5. Implement secure cookie handling with SameSite/HttpOnly/Secure flags
6. Complement backend security with client-side protections
Provide: secure frontend components, CSP policy configuration,
authentication flow implementation, and security headers configuration.
```
Save the agent's output to `.security-hardening/06-frontend-hardening.md`.
**Note:** If the target has no frontend component (pure backend/API), skip this step — write a brief note in `06-frontend-hardening.md` explaining why it was skipped, and continue.
Update `state.json`: set `current_step` to 7, add step 6 to `completed_steps`.
### Step 7: Mobile Security Hardening
Read `.security-hardening/03-architecture-review.md` and `.security-hardening/05-backend-hardening.md`.
Use the Task tool:
```
Task:
subagent_type: "general-purpose"
description: "Mobile security hardening for $TARGET"
prompt: |
You are a mobile security engineer. Implement mobile app security for: $TARGET.
## Architecture Review
[Insert contents of .security-hardening/03-architecture-review.md]
## Backend Hardening
[Insert contents of .security-hardening/05-backend-hardening.md]
## Instructions
1. Add certificate pinning
2. Implement biometric authentication
3. Secure local storage with encryption
4. Obfuscate code with ProGuard/R8
5. Implement anti-tampering and root/jailbreak detection
6. Secure IPC communications
Provide: hardened mobile application configuration, security configuration files,
obfuscation rules, and certificate pinning implementation.
```
Save the agent's output to `.security-hardening/07-mobile-hardening.md`.
**Note:** If the target has no mobile component, skip this step — write a brief note in `07-mobile-hardening.md` explaining why it was skipped, and continue.
Update `state.json`: set `current_step` to "checkpoint-2", add step 7 to `completed_steps`.
---
## PHASE CHECKPOINT 2 — User Approval Required
Display a summary of all remediation work from steps 47 and ask:
```
Vulnerability remediation complete. Please review:
- .security-hardening/04-critical-fixes.md
- .security-hardening/05-backend-hardening.md
- .security-hardening/06-frontend-hardening.md
- .security-hardening/07-mobile-hardening.md
Critical fixes applied: [count]
Backend controls added: [summary]
Frontend controls added: [summary]
Mobile controls added: [summary]
1. Approve — proceed to security controls & validation
2. Request changes — tell me what to adjust
3. Pause — save progress and stop here
```
Do NOT proceed to Phase 3 until the user approves.
---
## Phase 3: Security Controls & Infrastructure (Steps 810)
### Step 8: Authentication & Authorization Enhancement
Read `.security-hardening/03-architecture-review.md` and `.security-hardening/05-backend-hardening.md`.
Use the Task tool:
```
Task:
subagent_type: "security-auditor"
description: "Enhance authentication and authorization for $TARGET"
prompt: |
Implement a modern authentication system for: $TARGET.
## Architecture Review
[Insert contents of .security-hardening/03-architecture-review.md]
## Backend Hardening
[Insert contents of .security-hardening/05-backend-hardening.md]
## Instructions
1. Deploy OAuth2/OIDC with PKCE
2. Implement MFA with TOTP/WebAuthn/FIDO2
3. Add risk-based authentication
4. Implement RBAC/ABAC with principle of least privilege
5. Add session management with secure token rotation
6. Strengthen access controls based on architecture review
Provide: authentication service configuration, MFA implementation,
authorization policies, and session management system.
```
Save the agent's output to `.security-hardening/08-auth-enhancement.md`.
Update `state.json`: set `current_step` to 9, add step 8 to `completed_steps`.
### Step 9: Infrastructure Security Controls
Read `.security-hardening/03-architecture-review.md` and `.security-hardening/08-auth-enhancement.md`.
Use the Task tool:
```
Task:
subagent_type: "general-purpose"
description: "Deploy infrastructure security controls for $TARGET"
prompt: |
You are an infrastructure security engineer. Deploy infrastructure security controls for: $TARGET.
## Architecture Review
[Insert contents of .security-hardening/03-architecture-review.md]
## Auth Enhancement
[Insert contents of .security-hardening/08-auth-enhancement.md]
## Instructions
1. Configure WAF rules for OWASP protection
2. Implement network segmentation with micro-segmentation
3. Deploy IDS/IPS systems
4. Configure cloud security groups and NACLs
5. Implement DDoS protection with rate limiting and geo-blocking
Provide: WAF configuration, network security policies, IDS/IPS rules,
and cloud security configurations.
```
Save the agent's output to `.security-hardening/09-infra-security.md`.
Update `state.json`: set `current_step` to 10, add step 9 to `completed_steps`.
### Step 10: Secrets Management Implementation
Read `.security-hardening/01-vulnerability-scan.md` and `.security-hardening/09-infra-security.md`.
Use the Task tool:
```
Task:
subagent_type: "general-purpose"
description: "Implement secrets management for $TARGET"
prompt: |
You are a DevOps security engineer. Implement enterprise secrets management for: $TARGET.
## Vulnerability Scan Results
[Insert contents of .security-hardening/01-vulnerability-scan.md]
## Infrastructure Security
[Insert contents of .security-hardening/09-infra-security.md]
## Instructions
1. Deploy HashiCorp Vault or AWS Secrets Manager configuration
2. Implement secret rotation policies
3. Remove hardcoded secrets
4. Configure least-privilege IAM roles
5. Implement encryption key management with HSM support
Provide: secrets management configuration, rotation policies,
IAM role definitions, and key management procedures.
```
Save the agent's output to `.security-hardening/10-secrets-management.md`.
Update `state.json`: set `current_step` to "checkpoint-3", add step 10 to `completed_steps`.
---
## PHASE CHECKPOINT 3 — User Approval Required
Display a summary of security controls from steps 810 and ask:
```
Security controls implementation complete. Please review:
- .security-hardening/08-auth-enhancement.md
- .security-hardening/09-infra-security.md
- .security-hardening/10-secrets-management.md
Auth controls: [summary]
Infrastructure controls: [summary]
Secrets management: [summary]
1. Approve — proceed to validation & compliance
2. Request changes — tell me what to adjust
3. Pause — save progress and stop here
```
Do NOT proceed to Phase 4 until the user approves.
---
## Phase 4: Validation & Compliance (Steps 1113)
### Step 11: Penetration Testing & Validation
Read `.security-hardening/04-critical-fixes.md`, `.security-hardening/05-backend-hardening.md`, and `.security-hardening/08-auth-enhancement.md`.
Use the Task tool:
```
Task:
subagent_type: "security-auditor"
description: "Penetration testing and validation for $TARGET"
prompt: |
Execute comprehensive penetration testing for: $TARGET.
## Critical Fixes Applied
[Insert contents of .security-hardening/04-critical-fixes.md]
## Backend Hardening
[Insert contents of .security-hardening/05-backend-hardening.md]
## Auth Enhancement
[Insert contents of .security-hardening/08-auth-enhancement.md]
## Instructions
1. Perform authenticated and unauthenticated testing
2. Execute API security testing
3. Test business logic vulnerabilities
4. Attempt privilege escalation
5. Validate all security controls effectiveness
6. Use Burp Suite, Metasploit, and custom exploit patterns
Provide: penetration test report, proof-of-concept exploits,
remediation validation, and security control effectiveness metrics.
```
Save the agent's output to `.security-hardening/11-pentest-results.md`.
Update `state.json`: set `current_step` to 12, add step 11 to `completed_steps`.
### Step 12: Compliance & Standards Verification
Read `.security-hardening/11-pentest-results.md`.
Use the Task tool:
```
Task:
subagent_type: "security-auditor"
description: "Compliance verification for $TARGET"
prompt: |
Verify compliance with security frameworks for: $TARGET.
## Penetration Test Results
[Insert contents of .security-hardening/11-pentest-results.md]
## Compliance Frameworks to Validate
[Insert compliance_frameworks from state.json — default: OWASP]
## Instructions
1. Validate against OWASP ASVS Level 2
2. Validate against CIS Benchmarks
3. Check SOC2 Type II requirements if applicable
4. Verify GDPR/CCPA privacy controls if applicable
5. Check HIPAA/PCI-DSS requirements if applicable
6. Generate compliance attestation reports
Provide: compliance assessment report, gap analysis,
remediation requirements, and audit evidence collection.
```
Save the agent's output to `.security-hardening/12-compliance-report.md`.
Update `state.json`: set `current_step` to 13, add step 12 to `completed_steps`.
### Step 13: Security Monitoring & SIEM Integration
Read `.security-hardening/09-infra-security.md` and `.security-hardening/12-compliance-report.md`.
Use the Task tool:
```
Task:
subagent_type: "general-purpose"
description: "Implement security monitoring and SIEM for $TARGET"
prompt: |
You are a security operations engineer specializing in SIEM and incident response.
Implement security monitoring and SIEM integration for: $TARGET.
## Infrastructure Security
[Insert contents of .security-hardening/09-infra-security.md]
## Compliance Report
[Insert contents of .security-hardening/12-compliance-report.md]
## Instructions
1. Deploy SIEM integration (Splunk/ELK/Sentinel configuration)
2. Configure security event correlation rules
3. Implement behavioral analytics for anomaly detection
4. Set up automated incident response playbooks
5. Create security dashboards and alerting
6. Ensure monitoring covers compliance requirements
Provide: SIEM configuration, correlation rules, incident response playbooks,
security dashboards, and alert definitions.
```
Save the agent's output to `.security-hardening/13-monitoring-siem.md`.
Update `state.json`: set `current_step` to "complete", add step 13 to `completed_steps`.
---
## Completion
Update `state.json`:
- Set `status` to `"complete"`
- Set `last_updated` to current timestamp
Present the final summary:
```
Security hardening complete: $TARGET
## Output Files
- .security-hardening/01-vulnerability-scan.md
- .security-hardening/02-threat-model.md
- .security-hardening/03-architecture-review.md
- .security-hardening/04-critical-fixes.md
- .security-hardening/05-backend-hardening.md
- .security-hardening/06-frontend-hardening.md
- .security-hardening/07-mobile-hardening.md
- .security-hardening/08-auth-enhancement.md
- .security-hardening/09-infra-security.md
- .security-hardening/10-secrets-management.md
- .security-hardening/11-pentest-results.md
- .security-hardening/12-compliance-report.md
- .security-hardening/13-monitoring-siem.md
## Summary by Phase
- **Assessment**: [vulnerability count] vulnerabilities found, [threat count] threats modeled
- **Remediation**: [fix count] critical fixes applied, backend/frontend/mobile hardened
- **Controls**: Auth enhanced, infrastructure secured, secrets managed
- **Validation**: Pentest [pass/fail], compliance [frameworks validated]
## Success Criteria
- [ ] All critical vulnerabilities (CVSS 7+) remediated
- [ ] OWASP Top 10 vulnerabilities addressed
- [ ] Zero high-risk findings in penetration testing
- [ ] Compliance frameworks validation passed
- [ ] Security monitoring detecting and alerting on threats
- [ ] All secrets managed through secure vault
- [ ] Authentication implements MFA and secure session management
- [ ] Security tests integrated into CI/CD pipeline
- All critical vulnerabilities (CVSS 7+) remediated
- OWASP Top 10 vulnerabilities addressed
- Zero high-risk findings in penetration testing
- Compliance frameworks validation passed
- Security monitoring detecting and alerting on threats
- Incident response time < 15 minutes for critical alerts
- SBOM generated and vulnerabilities tracked
- All secrets managed through secure vault
- Authentication implements MFA and secure session management
- Security tests integrated into CI/CD pipeline
## Coordination Notes
- Each phase provides detailed findings that inform subsequent phases
- Security-auditor agent coordinates with domain-specific agents for fixes
- All code changes undergo security review before implementation
- Continuous feedback loop between assessment and remediation
- Security findings tracked in centralized vulnerability management system
- Regular security reviews scheduled post-implementation
Security hardening target: $ARGUMENTS
## Next Steps
1. Review all generated security artifacts
2. Run the full security test suite to verify controls
3. Deploy monitoring configuration to production
4. Schedule regular security reviews
```