Prevention
Hardening guides — the things you do before an incident so the incident doesn't matter.
New here? Start with the supply-chain attack surface map — it lists every pathway by which external code or data reaches you and points at the right guide for each.
| Topic | Doc |
|---|---|
| Map: every pathway external code/data gets in | supply-chain-attack-surface.md |
Locking down npm install |
npm-hardening.md |
| Hardening CI / GitHub Actions | ci-cd-hardening.md |
| Vetting MCP servers before connecting them | mcp-hygiene.md |
| Where credentials live (and where they shouldn't) | credential-hygiene.md |
| Running agents inside containers/VMs | agent-sandboxing.md |
| 60-second checklist before any new install | package-vetting-checklist.md |
The 6 highest-leverage habits
If you do nothing else from this folder, do these:
npm config set ignore-scripts trueglobally. Re-enable per-project only when you've audited what the postinstall does. → npm-hardening.md- Stop running agents with
--dangerously-skip-permissionson your host. Use a devcontainer, and keep agent allowlists narrow — never auto-approvecurl/installs or echoing a secret. → agent-sandboxing.md - Never paste API keys into a chat window. Use 1Password CLI / env vars from disk. → credential-hygiene.md
- Vet every MCP server before connecting it. Read the source, check the publisher, pin a version. → mcp-hygiene.md
- Verify a package on the registry website before installing what an LLM suggested. 15 seconds, stops most slopsquatting. → package-vetting-checklist.md
- Pin every GitHub Action to a commit SHA, not a tag, and scope
permissions:to the floor. Your CI holds your write token and secrets. → ci-cd-hardening.md