Design — /lockdown supply-chain skill

Goal

Ship a Claude Code skill (/lockdown) that audits any repository for supply-chain attack surface and provides guided, low-risk auto-hardening. Designed for a single operator (Jack) maintaining multiple repos — some published to PyPI/npm, some handling PHI — and avoids creating cross-repo dependency conflicts. Targeting the attack patterns proven in 2024–2026: maintainer-account takeover (Shai-Hulud, axios 1.14.1), action-tag-mutation (tj-actions, trivy-action TeamPCP), dependency confusion (Birsan), and slow-roll maintainer compromise (xz-utils).

Architecture

Entry points

• jacked/data/commands/lockdown.md — the single source of truth for audit logic, ~ 600 lines of structured instructions Claude follows when the user invokes /lockdown.
• jacked/data/skills/lockdown/SKILL.md — an 8-line router. When user prompts contain phrases like "lock down deps", "supply chain audit", "is this repo secure", "harden actions", etc., the skill triggers and delegates to the command.

This mirrors the /cso convention in the same repo. Skill content lives in one place; the SKILL.md exists purely to map conversational triggers to the command file.

Modes

Mode	Behavior	Writes to repo?
audit (default)	Read-only audit. Detects ecosystems, runs scanners, scores, generates an HTML report under docs/lockdown/.	Only the report file
fix	Re-runs audit, shows auto-fixable findings, confirms with user, applies all accepted fixes in a single commit (per user redirect).	CI configs, .gitignore, dependabot, pre-commit — never dep versions
verify	One-screen pass/fail against the baseline checklist. No HTML report. Suitable for CI gating.	No
baseline	Generates ongoing CI workflow + Dependabot + pre-commit configs. Single commit.	Adds .github/workflows/lockdown.yml, .github/dependabot.yml, .pre-commit-config.yaml

Scope flags

• --ecosystem=python|node|actions|docker — limit to one ecosystem
• --paranoid — opt-in (per user redirect — was default, flipped to opt-in). Adds checks like internal mirror registries, ephemeral runners, FIDO2-required, environment-scoped secrets
• --workspace=PATH — scan sibling repos in PATH (default ~/Github) to warn of cross-repo blast radius when CVE upgrades are suggested
• --phi — force HIPAA mapping table in the report even if PHI handling isn't detected

Audit phases (16)

1. Ecosystem detection
2. Lockfile integrity (hash pinning, frozen-install in CI)
3. Known-CVE scan (pip-audit + osv-scanner + npm audit signatures)
4. Malware/typosquat (Socket, install-script heuristics)
5. Install-script hardening (--ignore-scripts, pnpm onlyBuiltDependencies, wheel-only Python)
6. GitHub Actions hardening (SHA pinning, permissions block, persist-credentials, harden-runner, zizmor)
7. Secrets in git (gitleaks/trufflehog, .gitignore coverage, hardcoded patterns)
8. Provenance & signing (PyPI Trusted Publishers, PEP 740, npm provenance, cosign, SBOM)
9. Container hardening (distroless/Chainguard base, USER directive, Trivy)
10. OpenSSF Scorecard run
11. Release-tarball-vs-git diff (xz-utils backdoor lesson — binary fixtures in tarball but not git)
12. Pre-commit / local hardening
13. Score + report (HTML)
14. Fix mode (interactive auto-hardening)
15. Verify mode (one-screen pass/fail)
16. Baseline mode (install ongoing CI monitoring)

Scoring

Strict (CSO/CTO recommendation per user redirect):

• Start at 100
• −20 per CRITICAL
• −10 per HIGH (cap −60)
• −3 per MEDIUM (cap −20)
• −1 per LOW (cap −10)

Bands: 90+ Hardened, 70+ Solid baseline, 50+ Critical gaps, <50 Significant exposure.

Per user redirect: report also includes a category breakdown table showing pass/warn/fail status per area (CVE state, lockfile integrity, CI hardening, secrets hygiene, provenance/signing) so the user can see where to act, not just the overall number.

Cross-repo safety (user-raised concern)

This guarantees that locking down repo A cannot break repo B by forcing a version conflict — because A's lockfile is never edited.

CVE-finding flow:

1. Scanner reports CVE in package foo
2. /lockdown outputs the suggested command (uv add foo@1.2.4) in the report and terminal
3. Cross-repo scan (if --workspace=PATH set or ~/Github contains 2+ sibling repos): grep sibling repos' pyproject.toml/requirements*.txt/package.json for the same package name. Output: "If you apply this upgrade, also check: jack-cli (uses requests==2.31.0), hank-codesets (uses requests==2.33.0)"
4. Human applies + tests + commits

Auto-fix scope (per user redirect: ONE commit per fix-mode invocation)

When the user runs /lockdown fix and accepts a set of findings, all changes are bundled into a single commit:

chore(lockdown): apply hardening batch

- pin pypa/gh-action-pypi-publish to SHA (was @release/v1) — SCSC-001
- pin actions/* to SHAs — SCSC-002
- move id-token: write to publish job only — SCSC-003
- add harden-runner audit mode — SCSC-004
- add persist-credentials: false to checkout — SCSC-005
- add CycloneDX SBOM generation — SCSC-006
- create .github/dependabot.yml with 7d cooldown — SCSC-007
- create .pre-commit-config.yaml — SCSC-008

Refs: docs/lockdown/2026-05-20-{repo}-lockdown.html

HTML report contents

Each report under docs/lockdown/YYYY-MM-DD-{repo}-lockdown.html contains:

1. Executive Summary (what's good, what's the urgent fix)
2. Score & Posture card
3. Category breakdown table (CVEs / lockfile / CI / secrets / provenance) per user redirect
4. Ecosystem inventory (what was scanned, which scanners ran, which were missing)
5. Findings (one card per finding: severity, evidence, risk, fix, auto-fixable bool)
6. Remediation plan (auto-fixable checklist + manual verification checklist)
7. Manual verification (org/repo settings requiring gh admin scope)
8. HIPAA mapping table (shown when PHI detected or --phi set)
9. Sources (cited incident reports + tool docs)

HIPAA mapping

For PHI-handling repos, the report includes a table mapping each HIPAA Security Rule technical safeguard (§ 164.312) and admin safeguard (§ 164.308) to the supply-chain control that satisfies it, with per-row status (ok/partial/missing). Ends with a count: "X of 12 safeguards have full supply-chain coverage in this repo."

Distribution

Lives in the claude-jacked repo at jacked/data/commands/lockdown.md + jacked/data/skills/lockdown/SKILL.md. Auto-installed to ~/.claude/commands/ + ~/.claude/skills/lockdown/ when the user runs jacked install. A behavioral rule in jacked/data/rules/jacked_behaviors.md suggests /lockdown after dependency upgrades, before publishing, after CI changes, or quarterly.

Out of scope

• Application-code security analysis (that's /cso's job — OWASP/STRIDE)
• Threat modeling of business logic
• Pen-testing / fuzzing
• Cross-repo refactoring (e.g., merging to workspace lockfile)
• Org-level GitHub settings (output as a manual checklist, not auto-applied)
• Cloud OIDC trust policy design

Success criteria

1. Run /lockdown on any of Jack's repos with one command — no per-repo setup
2. HTML report produced under 60 seconds for typical Python/Node/Actions repos
3. Auto-fix mode reduces score by ≥ 30 points on a fresh-cloned typical repo without breaking anything
4. Self-test on claude-jacked repo passes (already done: scored 27, auto-fix path identified for ~8 findings)
5. Zero side effects on sibling repos when run in one repo
6. HIPAA mapping coverage tracked: count of safeguards satisfied increases as hardening is applied