ccc-harden
Install: claude install-skill KevinZai/commander
# /ccc-harden — Production Hardening Audit
Audit a site across **11 hardening pillars** to confirm it's safe to ship. Read-only by default. Apply safe auto-fixes with `--fix`.
## What it checks
| Pillar | What it verifies |
|--------|-----------------|
| **1. Vercel** | Project link, env vars, deploy headers, deploy protection, domain |
| **2. GitHub Linkage** | Remote URL, branch tracking, .gitignore coverage, working tree clean |
| **3. GitHub Org** | Branch protection on main, Dependabot enabled, secret scanning, CODEOWNERS |
| **4. Sentry** | SDK installed, DSN set, source maps uploading, alert rules, sample rate |
| **5. PostHog** | SDK installed, env vars set, autocapture config, event whitelist |
| **6. Plausible** | Script present, site ID, goals, funnels, recent traffic |
| **7. Clarity** | Script presence, project ID |
| **8. Google** | GA4, Search Console verified, sitemap submitted, Tag Manager |
| **9. Stripe** | Keys present, webhook configured, test/live separation |
| **10. Secrets & PII** | gitleaks scan, CSP/HSTS/X-Frame headers, .env audit, log scrubbing |
| **11. Cloudflare** | DNS health, TLS/SSL, bot management, caching, HTTP/3, WAF |
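The Secrets & PII pillar lists CSP, HSTS and X-Frame-Options among the response headers it verifies. As an added illustration of what such a header check looks like (example code written for this page, not the ccc-harden skill's own implementation), the following audits a captured header set offline. The 180-day HSTS `max-age` baseline and the two sample header sets are assumptions constructed for the example, not values taken from the skill.

```python
"""Audit HTTP response headers for the hardening signals a production check
looks at: HSTS, CSP and clickjacking protection.  Added example; it is not
part of the ccc-harden skill.  All header values below are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Baseline used here for HSTS max-age (180 days); an assumption for this
# example, not a threshold taken from the skill.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


@dataclass(frozen=True)
class Finding:
    header: str
    status: str  # "ok", "missing" or "weak"
    detail: str


def _get(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive lookup: HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _csp_directives(value: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    out: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def check_hsts(value: str | None) -> Finding:
    name = "Strict-Transport-Security"
    if value is None:
        return Finding(name, "missing", "no HSTS header; browsers will not pin HTTPS")
    max_age = 0
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.isdigit():
            max_age = int(val)
    if max_age < MIN_HSTS_MAX_AGE:
        return Finding(name, "weak", f"max-age={max_age} is below {MIN_HSTS_MAX_AGE}")
    return Finding(name, "ok", f"max-age={max_age}")


def check_csp(value: str | None) -> Finding:
    name = "Content-Security-Policy"
    if value is None:
        return Finding(name, "missing", "no CSP; inline and third-party scripts are unrestricted")
    directives = _csp_directives(value)
    # script-src falls back to default-src when absent.
    script_sources = directives.get("script-src", directives.get("default-src"))
    if script_sources is None:
        return Finding(name, "weak", "neither script-src nor default-src is set")
    if "'unsafe-inline'" in script_sources or "*" in script_sources:
        return Finding(name, "weak", "script sources allow 'unsafe-inline' or '*'")
    return Finding(name, "ok", "script sources are restricted")


def check_framing(xfo: str | None, csp: str | None) -> Finding:
    """Clickjacking protection: X-Frame-Options, or CSP frame-ancestors, which supersedes it."""
    name = "X-Frame-Options"
    if csp is not None and "frame-ancestors" in _csp_directives(csp):
        return Finding(name, "ok", "CSP frame-ancestors present")
    if xfo is None:
        return Finding(name, "missing", "no X-Frame-Options and no CSP frame-ancestors")
    if xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        return Finding(name, "ok", xfo)
    return Finding(name, "weak", f"unrecognised value {xfo!r}; ALLOW-FROM is not honoured by modern browsers")


def audit_headers(headers: dict[str, str]) -> list[Finding]:
    csp = _get(headers, "Content-Security-Policy")
    return [
        check_hsts(_get(headers, "Strict-Transport-Security")),
        check_csp(csp),
        check_framing(_get(headers, "X-Frame-Options"), csp),
    ]


def failing(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if f.status != "ok"]


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "x-frame-options": "DENY",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"== {label} ==")
        for f in audit_headers(hdrs):
            print(f"  [{f.status:7}] {f.header}: {f.detail}")
```

Run it as-is to see the weak set flagged on all three checks and the hardened set pass. The framing check treats a CSP `frame-ancestors` directive as sufficient on its own because browsers that support it ignore `X-Frame-Options` when both are present; that is the main reason a header audit should read CSP and X-Frame-Options together rather than in isolation.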
## When to use
✅ **Use when:**
- Pre-launch checklist for a new site
- Before a security review or compliance audit
- Periodic monthly/quarterly health check
- After a major refactor that touched config files
- When you suspect a leaked secret
🚫 **Don't use when:**
- Project is pre-MVP / local-only (overkill)
- Quick