Agent Skill: Simplify & Harden

Install

npx skills add pskoett/pskoett-ai-skills/skills/simplify-and-harden

For CI-only execution, use:

npx skills add pskoett/pskoett-ai-skills/skills/simplify-and-harden-ci

Metadata

Field	Value
Skill ID	simplify-and-harden
Version	0.1.0
Trigger	Post-completion hook
Author	Peter Skøtt Pedersen
Category	Code Quality / Security
Priority	Recommended

Rationale and Philosophy

When a coding agent completes a task, it holds peak contextual understanding of the problem, the solution, and the tradeoffs it made along the way. This context degrades immediately -- the next task wipes the slate. Simplify & Harden exploits that peak context window to perform two focused review passes before the agent moves on.

Most agents solve the ticket and stop. This skill turns "done" into "done well."

The operating philosophy is a deliberate "fresh eyes" self-review before moving on: carefully re-read all newly written code and all existing code modified in the task, and look hard for obvious bugs, errors, confusing logic, brittle assumptions, naming issues, and missed hardening opportunities. The goal is not to expand scope or rewrite the solution -- it is to use peak context to perform a disciplined first review pass while the agent still remembers the intent behind every change.

Best Use with Independent Review

This skill is a post-completion self-pass and does not replace an independent review pass.

Recommended flow:

1. Implement the task.
2. Run Simplify & Harden to clean, harden, and document non-obvious decisions.
3. Run an independent review pass for severity-ordered findings.
4. Merge only after both passes are addressed.

If the two disagree, treat the independent review findings as the external gate and either fix or explicitly waive findings.

Trigger Conditions

The skill activates automatically when ALL of the following are true:

• The agent has completed its primary coding task
• The agent signals task completion (exit code 0, PR ready, or equivalent)
• The diff contains a non-trivial code change (see definition below)
• The skill has not already run on this task (no re-entry loops)

Non-trivial code change definition

Treat a diff as non-trivial when it satisfies BOTH of the following:

1. It touches at least one executable source file (for example: *.ts, *.tsx, *.js, *.jsx, *.py, *.go, *.rs, *.java, *.cs, *.rb, *.php, *.swift, *.kt, *.scala, *.sh).
2. It includes either:
   • At least 10 changed non-comment, non-whitespace lines in executable source files, OR
   • At least one high-impact logic change (auth/authz checks, input validation, data access/query logic, external command execution, file path handling, network request handling, or concurrency control).

Treat the diff as non-trivial = false when it is docs-only, config-only, comments-only, formatting-only, generated artifacts only, or tests-only.

The skill does NOT activate when:

• The agent failed or was interrupted
• The change is documentation-only
• The change is tests-only
• The change is a generated file (lockfiles, build artifacts)
• The user explicitly skips it via --no-review or equivalent flag

Scope Constraints

Hard rule: Only touch code modified in this task.

The agent MUST NOT:

• Refactor adjacent code it did not modify
• Pursue "while I'm here" improvements outside the diff
• Introduce new dependencies or architectural changes
• Make speculative fixes based on patterns it noticed elsewhere

The agent SHOULD flag out-of-scope concerns in the summary output rather than acting on them.

Budget limits:

• Maximum additional changes: 20% of the original diff size (measured in lines changed)
• Maximum execution time: 60 seconds (configurable)
• If either limit is hit, the agent stops and outputs what it has with a budget_exceeded flag

Pass 1: Simplify

Objective: Reduce unnecessary complexity introduced during implementation.

Default posture: simplify, don't restructure. The primary goal of this pass is lightweight cleanup -- removing noise, tightening naming, killing dead code. The agent should bias heavily toward cosmetic fixes that make the code cleaner without changing its structure. Refactoring is the exception, not the rule.

Fresh-eyes start (mandatory): Before making any edits in this pass, re-read all code added or modified in this task with "fresh eyes" and actively look for obvious bugs, errors, confusing logic, brittle assumptions, naming issues, and missed hardening opportunities.

The agent reviews its own work and asks:

"Now that I understand the full solution, is there a simpler way to express this?"

Review Checklist

1. Dead code and scaffolding -- Did I leave behind debug logs, commented-out attempts, unused imports, or temporary variables from my iteration loop? Remove them.

2. Naming clarity -- Do function names, variables, and parameters make sense when read fresh? Names that made sense mid-implementation often read poorly after the fact. Rename them.

3. Control flow -- Can any nested conditionals be flattened? Can early returns replace deep nesting? Are there boolean expressions that could be simplified? Tighten them.

4. API surface -- Did I expose more than necessary? Could any public methods/functions be private? Reduce visibility.

5. Over-abstraction -- Did I create classes, interfaces, or wrapper functions that aren't justified by the current scope? Agents tend to over-engineer. Flag it, but don't restructure unless the win is significant.

6. Consolidation opportunities -- Did I spread logic across multiple functions or files when it could live in one place? Flag it, but only propose a refactor if the duplication is egregious and the consolidation is clean.

Simplify Actions

For each finding, the agent categorizes it as:

• Cosmetic fix (dead code removal, unused imports, naming, control flow tightening, visibility reduction) -- applied automatically if within budget. This is the bread and butter of the skill.
• Refactor (consolidation, restructuring, abstraction changes) -- proposed ONLY when the agent determines it is genuinely necessary or the benefit is substantial. A refactor is not the default action. The bar is: "Would a senior engineer look at this and say the current state is clearly wrong, not just imperfect?"

Refactor Stop Hook (mandatory):

Any change the agent classifies as a refactor triggers an interactive prompt. The agent MUST:

1. Describe what it wants to change and why
2. Show the before/after (or a clear description of the structural change)
3. Wait for explicit human approval before applying

The agent does not batch refactor proposals. Each refactor is presented individually so the human can approve, reject, or modify on a case-by-case basis.

[simplify-and-harden] Refactor proposal (1 of 2):

  I want to merge duplicated validation logic from handleCreate() and 
  handleUpdate() into a shared validatePayload() function.

  Why: Both functions validate the same fields with identical rules.
  The duplication was introduced because I built handleUpdate as a 
  copy of handleCreate during implementation.

  Files affected: src/api/handler.ts (lines 34-67)
  Estimated diff: -22 lines, +14 lines

  [approve] [reject] [show diff] [skip all refactors]

If the human selects skip all refactors, the agent skips remaining refactor proposals and moves to the Harden pass. Skipped refactors still appear in the output summary as flagged with status skipped_by_user.

Cosmetic fixes do not trigger the stop hook. They are applied silently (and reported in the output summary). The rationale: removing an unused import is not a judgment call. Restructuring code is.

Pass 2: Harden

Objective: Close security and resilience gaps while the agent still understands the code's intent.

The agent reviews its own work and asks:

"If someone malicious saw this code, what would they try?"

Review Checklist

1. Input validation -- Are all external inputs (user input, API params, file paths, environment variables) validated before use? Check for type coercion issues, missing bounds checks, and unconstrained string lengths.

2. Error handling -- Are catch blocks specific? Are errors logged with context but without leaking sensitive data? Are there any swallowed exceptions?

3. Injection vectors -- Check for SQL injection, XSS, command injection, path traversal, and template injection in any code that builds strings from external input.

4. Authentication and authorization -- Do new endpoints or functions enforce auth? Are permission checks present and correct? Is there any privilege escalation risk?

5. Secrets and credentials -- Are there hardcoded secrets, API keys, tokens, or passwords? Are connection strings parameterized? Check for credentials in log output.

6. Data exposure -- Does error output, logging, or API responses leak internal state, stack traces, database schemas, or PII?

7. Dependency risk -- Did the agent introduce new dependencies? If so, are they well-maintained, properly versioned, and free of known vulnerabilities?

8. Race conditions and state -- For concurrent code: are shared resources properly synchronized? Are there TOCTOU (time-of-check-to-time-of-use) vulnerabilities?

Harden Actions

For each finding, the agent categorizes it as:

• Patch (adding a validation check, escaping output, removing a hardcoded secret) -- applied automatically if within budget
• Security refactor (restructuring auth flow, replacing a vulnerable pattern with a new approach, changing data handling architecture) -- ALWAYS requires human approval before proceeding

The same Refactor Stop Hook from the Simplify pass applies here. Security refactors are presented individually with the added context of severity and attack vector:

[simplify-and-harden] Security refactor proposal:

  The new /admin/export endpoint inherits base authentication but has 
  no role-based access check. Any authenticated user can trigger a 
  full data export.

  Severity: HIGH
  Vector: Privilege escalation
  
  Proposed fix: Add role guard requiring 'admin' role before the 
  handler executes. This changes the middleware chain for this route.

  Files affected: src/api/routes/admin.ts (line 12)
  Estimated diff: +8 lines

  [approve] [reject] [show diff] [skip all security refactors]

• Flagged as critical -- findings the agent cannot safely patch without human input (noted in output regardless of approval)
• Flagged as advisory -- hardening opportunities that are not active vulnerabilities

Security patches (not refactors) are prioritized over simplification changes when budget is constrained.

Pass 3: Document (Micro-pass)

Objective: Capture non-obvious decisions while the agent still remembers why it made them.

This is deliberately lightweight -- not a documentation pass, just decision capture.

Rules

• For any logic that requires more than 5 seconds of "why does this exist?" thought: add a single-line comment explaining the decision
• For any workaround or hack: add a comment with context and ideally a TODO with conditions for removal
• For any performance-sensitive choice: note why the current approach was chosen over the obvious alternative
• Maximum: 5 comments added per task. This is not a documentation sprint.

Output Schema

The skill produces a structured summary appended to the task output:

simplify_and_harden:
  version: "0.1.0"
  task_id: "<original task ID>"
  execution:
    mode: "interactive"
    mode_source: "auto_detected"  # "auto_detected", "config", "env_override"
    human_present: true
  scope:
    files_reviewed: ["src/api/handler.ts", "src/utils/validate.ts"]
    original_diff_lines: 142
    additional_changes_lines: 18
    budget_exceeded: false

  simplify:
    applied:
      - file: "src/api/handler.ts"
        line: 45
        type: "consolidation"
        category: "refactor"
        approval: "approved_by_user"
        description: "Merged duplicated validation logic from handleCreate and handleUpdate into shared validatePayload function"
    flagged:
      - file: "src/utils/validate.ts"
        type: "over-abstraction"
        category: "refactor"
        approval: "skipped_by_user"
        description: "ValidationStrategy interface may be unnecessary -- only one implementation exists. Consider inlining if no additional strategies are planned."
        confidence: "medium"
    cosmetic_applied:
      - file: "src/api/handler.ts"
        line: 12
        type: "dead_code"
        description: "Removed unused import of deprecated AuthHelper"

  harden:
    applied:
      - file: "src/api/handler.ts"
        line: 62
        type: "input_validation"
        severity: "high"
        description: "Added bounds check on pageSize parameter -- previously accepted arbitrary integers"
    flagged_critical:
      - file: "src/api/handler.ts"
        type: "authorization"
        description: "New /admin/export endpoint inherits base auth but no role check -- any authenticated user can access it. Requires human decision on role policy."
    flagged_advisory:
      - file: "src/utils/validate.ts"
        type: "error_handling"
        description: "Catch block on L31 logs full request body which may contain PII in production"

  document:
    comments_added: 2
    locations: