---
name: security-audit
description: Automated security audit of the .claude configuration and system posture. Checks env vars, hooks, credentials, WSL, SSH, Tailscale, and reports pass/fail with recommendations.
allowed-tools: Bash, Read, Grep, Glob
---

# /security-audit — CoM Configuration Security Audit

Comprehensive automated audit of this admin node's security posture.

## Checks (run all):

### 1. Environment Variables
Verify required env vars are set:
- `GITHUB_TOKEN` — GitHub MCP
- `SLACK_BOT_TOKEN` — Slack MCP
- `BRAVE_API_KEY` — Brave Search MCP
Report: set/missing for each.

### 2. Credential Exposure Scan
Scan these files for plaintext secrets:
- `~/.claude/settings.json`
- `~/.claude/settings.local.json`
- `~/.claude/config.json`
Flag any API keys, tokens, or passwords stored in plaintext.

### 3. Hook Validation
Verify all hooks are active:
- `~/.claude/hooks/pre-tool-validate.sh` exists and is executable
- `~/.claude/hooks/post-download-scan.sh` exists and is executable
- `~/.claude/hooks/session-cleanup.sh` exists and is executable
- settings.json references all 4 hook events (SessionStart, PreToolUse, PostToolUse, Stop)

### 4. Permission Deny List
Verify the deny list in settings.json blocks:
- rm -rf, format, del /s /q
- PowerShell Remove-Item recursive
- Registry deletion, boot config modification
- Pipe-to-shell patterns
- .env and .key file writes

### 5. Network Security
- Tailscale status: `tailscale status` — connected nodes, health
- SSH server: port, key-auth only, password disabled
- RDP: NLA enabled, firewall rule restricted
- Open ports: `netstat -an | grep LISTEN`

### 6. WSL Security
- WSL version (should be 2)
- Distro state (running/stopped)
- Check for exposed SSH from WSL to host

### 7. Constitution Compliance
Verify A2A files exist:
- `~/.claude/a2a/agent-cards.json`
- `~/.claude/a2a/constitution.md`
Verify 5 non-negotiables are documented.

## Output Format
```
SECURITY AUDIT REPORT — [date]
═══════════════════════════
[PASS] Environment: 3/3 vars set
[WARN] Credentials: API key in config.json (rotate recommended)
[PASS] Hooks: 3/3 scripts active, 4/4 events configured
[PASS] Permissions: 13 deny rules active
[PASS] Network: Tailscale connected, SSH key-only
[PASS] WSL: v2, Kali running
[PASS] Constitution: A2A governance active
═══════════════════════════
Overall: 6 PASS, 1 WARN, 0 FAIL
```