// Audit a software project for hardening — security, AI gaps, test coverage, code quality, and decoupling. Use when user wants to harden a project, audit for vulnerabilities, check test coverage, or separate private data from code.
Use when MARVIN is asked to build, fix, debug, review, or ship software. Routes to gstack development workflow skills. Handles gstack bootstrap if not installed. Manages PRD decomposition for large projects. Triggers on: build a feature, fix a bug, review code, implement a PRD, ship this, debug this, create an app/tool/service/CLI/API. Does NOT trigger on: content ideas, event planning, campaigns, meetups, or any non-software intent. If ambiguous, ask.
Start MARVIN session with briefing. Use when user types /start or starts a new session. Loads context, reviews state, gives daily briefing.
| name | harden |
| description | Audit a software project for hardening — security, AI gaps, test coverage, code quality, and decoupling. Use when user wants to harden a project, audit for vulnerabilities, check test coverage, or separate private data from code. |
| license | MIT |
| compatibility | marvin |
| metadata | {"marvin-category":"work","user-invocable":true,"slash-command":"/harden","model":"default","proactive":false} |
Perform a systematic hardening audit of this project. Work through each phase below, exploring the codebase to find real issues — not hypothetical ones. For each finding, explain the risk and suggest a concrete fix.
/hardenBefore scanning, ask these questions to calibrate the audit. The user can answer inline or say "skip" to assume worst-case (strictest ratings).
Use the answers to calibrate severity ratings throughout the audit. For example:
If the user skips, assume: public visibility, shared access, compliance required.
After calibration, state assumptions: Based on the answers, tell the user what this audit covers and what it doesn't. For example:
Tailor the scope assumptions to the project. A web app with a Dockerfile gets different assumptions than a CLI tool. Let the user confirm or adjust before proceeding.
Work through these one at a time. After each scope, summarize findings and ask if the user wants to go deeper or move to the next scope.
except, swallowed exceptions).gitignore coverage for sensitive and generated filesDuring each scope, if you encounter something ambiguous — ask before rating severity. Only ask questions the codebase can't answer.
Examples:
If the codebase can answer it, don't ask. If only the user knows, ask.
Do NOT turn the audit into an interview. The skill's strength is autonomous exploration. Reserve questions for decisions that change severity or skip/prioritize a finding.
After completing all scopes, present a scorecard with letter grades per scope.
Grading formula:
| Grade | Points |
|---|---|
| A | 0 |
| B | 1-4 |
| C | 5-9 |
| D | 10-14 |
| F | 15+ |
Overall grade: Average of scope grades (A=4, B=3, C=2, D=1, F=0), rounded.
Propose batches for fixing the findings.
Batching rules:
After presenting the batch plan, ask: "Ready to create GitHub issues? I'll file them in batch order."
Only create issues after the user reviews and approves the batches.
| Scope | Grade | Findings |
|-------|-------|----------|
| Security | C | 1 critical, 2 high, 1 medium |
| AI | B | 2 high |
| Tests | D | 3 high |
| Code Quality | B | 1 medium, 2 low |
| Decoupling | C | 2 high |
Overall: C
### Batch 1 — [description] ([count] issues)
Resolves: [finding numbers]
Dependency: [what must be done first, or "None — do this first"]
Effort: [Low / Medium / High]
Skill created: 2026-04-06