plugins/code-modernization/commands/modernize-harden.md

---
description: Security vulnerability scan with a reviewable remediation patch — OWASP, CWE, CVE, secrets, injection
argument-hint: <system-dir>
---

Run a **security hardening pass** on `legacy/$1`: find vulnerabilities, rank
them, and produce a reviewable patch for the critical ones.

This command never edits `legacy/` — it writes findings and a proposed patch
to `analysis/$1/`. The user reviews and applies (or not).

## Scan

Spawn the **security-auditor** subagent:

"Adversarially audit legacy/$1 for security vulnerabilities. Cover what's
relevant to the stack: injection (SQL/NoSQL/OS command/template), broken
auth, sensitive data exposure, access control gaps, insecure deserialization,
hardcoded secrets, vulnerable dependency versions, missing input validation,
path traversal. For each finding return: CWE ID, severity
(Critical/High/Med/Low), file:line, one-sentence exploit scenario, and
recommended fix. Run any available SAST tooling (npm audit, pip-audit,
OWASP dependency-check) and include its raw output."

## Triage

Write `analysis/$1/SECURITY_FINDINGS.md`:
- Summary scorecard (count by severity, top CWE categories)
- Findings table sorted by severity
- Dependency CVE table (package, installed version, CVE, fixed version)

## Remediate

For each **Critical** and **High** finding, draft a minimal, targeted fix.
Do **not** edit `legacy/` — write all fixes as a single unified diff to
`analysis/$1/security_remediation.patch`, with a comment line above each
hunk citing the finding ID it addresses (`# SEC-001: parameterize the query`).

Add a **Remediation Log** section to SECURITY_FINDINGS.md mapping each
finding ID → one-line summary of the proposed fix and the patch hunk that
implements it.

## Verify

Spawn the **security-auditor** again to **review the patch** against the
original code:

"Review analysis/$1/security_remediation.patch against legacy/$1. For each
hunk: does it fully remediate the cited finding? Does it introduce new
vulnerabilities or change behavior beyond the fix? Return one verdict per
hunk: RESOLVES / PARTIAL / INTRODUCES-RISK, with a one-line reason."

Add a **Patch Review** section to SECURITY_FINDINGS.md with the verdicts.
If any hunk is PARTIAL or INTRODUCES-RISK, revise the patch and re-review.

## Present

Tell the user the artifacts are ready:
- `analysis/$1/SECURITY_FINDINGS.md` — findings, remediation log, patch review
- `analysis/$1/security_remediation.patch` — review, then apply if appropriate
  with `git -C legacy/$1 apply ../../analysis/$1/security_remediation.patch`
- Re-run `/modernize-harden $1` after applying to confirm resolution

Suggest: `glow -p analysis/$1/SECURITY_FINDINGS.md`
Add code-modernization plugin Structured workflow (assess → map → extract-rules → reimagine → transform → harden) and specialist agents (legacy-analyst, business-rules-extractor, architecture-critic, security-auditor, test-engineer) for modernizing legacy codebases into current stacks. 2026-04-24 19:44:52 +00:00			`---`
code-modernization: harden writes a patch instead of editing legacy; make map/security guidance language-agnostic - modernize-harden: never edits legacy/ anymore. Writes findings plus a reviewed unified diff to analysis/<system>/security_remediation.patch. A second security-auditor pass reviews each hunk (RESOLVES / PARTIAL / INTRODUCES-RISK) before presenting. The user reviews and applies the patch deliberately, then re-runs to verify. This makes every command consistent with the recommended deny Edit(legacy/**) workspace setting, so the README's exception note is gone. - modernize-map: restructure the parse-target list around three stack- agnostic principles (dispatcher targets are variables; code-storage joins live in config; entry points live in deployment descriptors), with COBOL/Java/web/CLI examples on equal footing rather than COBOL-dominant. Same protections against false dead-code findings, less stack-specific. - security-auditor agent: rephrase coverage items in stack-neutral terms (record layouts/temp datasets, resource ACLs, deployment scripts/job definitions, batch input records) so the checklist reads naturally for COBOL, Java EE, .NET, and web targets alike. - README: drop the harden exception note; describe the patch workflow. 2026-05-11 16:46:03 -07:00			`description: Security vulnerability scan with a reviewable remediation patch — OWASP, CWE, CVE, secrets, injection`
Add code-modernization plugin Structured workflow (assess → map → extract-rules → reimagine → transform → harden) and specialist agents (legacy-analyst, business-rules-extractor, architecture-critic, security-auditor, test-engineer) for modernizing legacy codebases into current stacks. 2026-04-24 19:44:52 +00:00			`argument-hint: <system-dir>`
			`---`

			Run a security hardening pass on `legacy/$1`: find vulnerabilities, rank
code-modernization: harden writes a patch instead of editing legacy; make map/security guidance language-agnostic - modernize-harden: never edits legacy/ anymore. Writes findings plus a reviewed unified diff to analysis/<system>/security_remediation.patch. A second security-auditor pass reviews each hunk (RESOLVES / PARTIAL / INTRODUCES-RISK) before presenting. The user reviews and applies the patch deliberately, then re-runs to verify. This makes every command consistent with the recommended deny Edit(legacy/**) workspace setting, so the README's exception note is gone. - modernize-map: restructure the parse-target list around three stack- agnostic principles (dispatcher targets are variables; code-storage joins live in config; entry points live in deployment descriptors), with COBOL/Java/web/CLI examples on equal footing rather than COBOL-dominant. Same protections against false dead-code findings, less stack-specific. - security-auditor agent: rephrase coverage items in stack-neutral terms (record layouts/temp datasets, resource ACLs, deployment scripts/job definitions, batch input records) so the checklist reads naturally for COBOL, Java EE, .NET, and web targets alike. - README: drop the harden exception note; describe the patch workflow. 2026-05-11 16:46:03 -07:00			`them, and produce a reviewable patch for the critical ones.`

			This command never edits `legacy/` — it writes findings and a proposed patch
			to `analysis/$1/`. The user reviews and applies (or not).
Add code-modernization plugin Structured workflow (assess → map → extract-rules → reimagine → transform → harden) and specialist agents (legacy-analyst, business-rules-extractor, architecture-critic, security-auditor, test-engineer) for modernizing legacy codebases into current stacks. 2026-04-24 19:44:52 +00:00
			`## Scan`

			`Spawn the security-auditor subagent:`

code-modernization: harden writes a patch instead of editing legacy; make map/security guidance language-agnostic - modernize-harden: never edits legacy/ anymore. Writes findings plus a reviewed unified diff to analysis/<system>/security_remediation.patch. A second security-auditor pass reviews each hunk (RESOLVES / PARTIAL / INTRODUCES-RISK) before presenting. The user reviews and applies the patch deliberately, then re-runs to verify. This makes every command consistent with the recommended deny Edit(legacy/**) workspace setting, so the README's exception note is gone. - modernize-map: restructure the parse-target list around three stack- agnostic principles (dispatcher targets are variables; code-storage joins live in config; entry points live in deployment descriptors), with COBOL/Java/web/CLI examples on equal footing rather than COBOL-dominant. Same protections against false dead-code findings, less stack-specific. - security-auditor agent: rephrase coverage items in stack-neutral terms (record layouts/temp datasets, resource ACLs, deployment scripts/job definitions, batch input records) so the checklist reads naturally for COBOL, Java EE, .NET, and web targets alike. - README: drop the harden exception note; describe the patch workflow. 2026-05-11 16:46:03 -07:00			`"Adversarially audit legacy/$1 for security vulnerabilities. Cover what's`
			`relevant to the stack: injection (SQL/NoSQL/OS command/template), broken`
			`auth, sensitive data exposure, access control gaps, insecure deserialization,`
			`hardcoded secrets, vulnerable dependency versions, missing input validation,`
			`path traversal. For each finding return: CWE ID, severity`
			`(Critical/High/Med/Low), file:line, one-sentence exploit scenario, and`
			`recommended fix. Run any available SAST tooling (npm audit, pip-audit,`
			`OWASP dependency-check) and include its raw output."`
Add code-modernization plugin Structured workflow (assess → map → extract-rules → reimagine → transform → harden) and specialist agents (legacy-analyst, business-rules-extractor, architecture-critic, security-auditor, test-engineer) for modernizing legacy codebases into current stacks. 2026-04-24 19:44:52 +00:00
			`## Triage`

			Write `analysis/$1/SECURITY_FINDINGS.md`:
			`- Summary scorecard (count by severity, top CWE categories)`
			`- Findings table sorted by severity`
			`- Dependency CVE table (package, installed version, CVE, fixed version)`

			`## Remediate`

code-modernization: harden writes a patch instead of editing legacy; make map/security guidance language-agnostic - modernize-harden: never edits legacy/ anymore. Writes findings plus a reviewed unified diff to analysis/<system>/security_remediation.patch. A second security-auditor pass reviews each hunk (RESOLVES / PARTIAL / INTRODUCES-RISK) before presenting. The user reviews and applies the patch deliberately, then re-runs to verify. This makes every command consistent with the recommended deny Edit(legacy/**) workspace setting, so the README's exception note is gone. - modernize-map: restructure the parse-target list around three stack- agnostic principles (dispatcher targets are variables; code-storage joins live in config; entry points live in deployment descriptors), with COBOL/Java/web/CLI examples on equal footing rather than COBOL-dominant. Same protections against false dead-code findings, less stack-specific. - security-auditor agent: rephrase coverage items in stack-neutral terms (record layouts/temp datasets, resource ACLs, deployment scripts/job definitions, batch input records) so the checklist reads naturally for COBOL, Java EE, .NET, and web targets alike. - README: drop the harden exception note; describe the patch workflow. 2026-05-11 16:46:03 -07:00			`For each Critical and High finding, draft a minimal, targeted fix.`
			Do not edit `legacy/` — write all fixes as a single unified diff to
			`analysis/$1/security_remediation.patch`, with a comment line above each
			hunk citing the finding ID it addresses (`# SEC-001: parameterize the query`).
Add code-modernization plugin Structured workflow (assess → map → extract-rules → reimagine → transform → harden) and specialist agents (legacy-analyst, business-rules-extractor, architecture-critic, security-auditor, test-engineer) for modernizing legacy codebases into current stacks. 2026-04-24 19:44:52 +00:00
code-modernization: harden writes a patch instead of editing legacy; make map/security guidance language-agnostic - modernize-harden: never edits legacy/ anymore. Writes findings plus a reviewed unified diff to analysis/<system>/security_remediation.patch. A second security-auditor pass reviews each hunk (RESOLVES / PARTIAL / INTRODUCES-RISK) before presenting. The user reviews and applies the patch deliberately, then re-runs to verify. This makes every command consistent with the recommended deny Edit(legacy/**) workspace setting, so the README's exception note is gone. - modernize-map: restructure the parse-target list around three stack- agnostic principles (dispatcher targets are variables; code-storage joins live in config; entry points live in deployment descriptors), with COBOL/Java/web/CLI examples on equal footing rather than COBOL-dominant. Same protections against false dead-code findings, less stack-specific. - security-auditor agent: rephrase coverage items in stack-neutral terms (record layouts/temp datasets, resource ACLs, deployment scripts/job definitions, batch input records) so the checklist reads naturally for COBOL, Java EE, .NET, and web targets alike. - README: drop the harden exception note; describe the patch workflow. 2026-05-11 16:46:03 -07:00			`Add a Remediation Log section to SECURITY_FINDINGS.md mapping each`
			`finding ID → one-line summary of the proposed fix and the patch hunk that`
			`implements it.`
Add code-modernization plugin Structured workflow (assess → map → extract-rules → reimagine → transform → harden) and specialist agents (legacy-analyst, business-rules-extractor, architecture-critic, security-auditor, test-engineer) for modernizing legacy codebases into current stacks. 2026-04-24 19:44:52 +00:00
			`## Verify`

code-modernization: harden writes a patch instead of editing legacy; make map/security guidance language-agnostic - modernize-harden: never edits legacy/ anymore. Writes findings plus a reviewed unified diff to analysis/<system>/security_remediation.patch. A second security-auditor pass reviews each hunk (RESOLVES / PARTIAL / INTRODUCES-RISK) before presenting. The user reviews and applies the patch deliberately, then re-runs to verify. This makes every command consistent with the recommended deny Edit(legacy/**) workspace setting, so the README's exception note is gone. - modernize-map: restructure the parse-target list around three stack- agnostic principles (dispatcher targets are variables; code-storage joins live in config; entry points live in deployment descriptors), with COBOL/Java/web/CLI examples on equal footing rather than COBOL-dominant. Same protections against false dead-code findings, less stack-specific. - security-auditor agent: rephrase coverage items in stack-neutral terms (record layouts/temp datasets, resource ACLs, deployment scripts/job definitions, batch input records) so the checklist reads naturally for COBOL, Java EE, .NET, and web targets alike. - README: drop the harden exception note; describe the patch workflow. 2026-05-11 16:46:03 -07:00			`Spawn the security-auditor again to review the patch against the`
			`original code:`

			`"Review analysis/$1/security_remediation.patch against legacy/$1. For each`
			`hunk: does it fully remediate the cited finding? Does it introduce new`
			`vulnerabilities or change behavior beyond the fix? Return one verdict per`
			`hunk: RESOLVES / PARTIAL / INTRODUCES-RISK, with a one-line reason."`

			`Add a Patch Review section to SECURITY_FINDINGS.md with the verdicts.`
			`If any hunk is PARTIAL or INTRODUCES-RISK, revise the patch and re-review.`

			`## Present`

			`Tell the user the artifacts are ready:`
			- `analysis/$1/SECURITY_FINDINGS.md` — findings, remediation log, patch review
			- `analysis/$1/security_remediation.patch` — review, then apply if appropriate
			with `git -C legacy/$1 apply ../../analysis/$1/security_remediation.patch`
			- Re-run `/modernize-harden $1` after applying to confirm resolution
Add code-modernization plugin Structured workflow (assess → map → extract-rules → reimagine → transform → harden) and specialist agents (legacy-analyst, business-rules-extractor, architecture-critic, security-auditor, test-engineer) for modernizing legacy codebases into current stacks. 2026-04-24 19:44:52 +00:00
			Suggest: `glow -p analysis/$1/SECURITY_FINDINGS.md`