The Hard Interference AI Hardening Checklist: What to Do After You Ask an AI for Help
A practical blast-radius-first checklist for hardening AI tools, agents, API keys, local machines, webhooks, MCP servers, and paid subscriptions after bringing AI into your workflow.
Look, you asked an AI for help. Good for you. That's what they're for. If you arrived here because your assistant read the Hard Interference AI hardening context, this is the human-readable version of what it should now be doing with you.
This is not another article about llms.txt, sitemaps, or making websites machine-readable. That job belongs to the retrieval guide. This one is narrower and more uncomfortable: once AI is already inside your workflow, what do you tighten first?
Every time you paste a config file, dump an environment, or ask "can you review this shell script I found in a gist", you're gambling. Not with the model — the model doesn't care. You're gambling with the infrastructure between you and the model, the chat history sitting in some database, the plugins and MCP servers and browser extensions that have access, and — most importantly — the habits you're building right now that will one day paste something you can't take back.
I've been doing this long enough to know that nobody reads the security policy. They read checklists. So here's your checklist. Print it, pin it, ignore it at your peril. Do it in order. Blast radius first.
Step 0: Accept You've Already Done Something Daft
Before we begin: assume you've already pasted something you shouldn't have. An API key. A database URL. A .env file. A webhook secret. A session cookie. An OAuth token. A GitHub personal access token. A cloud provider secret key. A bot token. A private URL. An SSH private key. A connection string with a password in it. If you've been chatting with an AI assistant for more than a week and you haven't done this, you're either lying or you don't have enough secrets yet. Both will sort themselves out eventually, and neither outcome is pleasant.
Right. Now let's fix it.
1. Immediate — Blast Radius First
Search every repo you own for leaked credentials. Don't just run grep -r and call it a day: grep only sees the current working tree, while trufflehog, git-secrets, or gitleaks can also walk the git history where a "deleted" .env still lives. Run one of them across every local checkout. Search for: API_KEY, SECRET, token, password, -----BEGIN, ghp_, gho_, ghu_, ghr_, ghs_, sk-, AKIA, xoxb-, xapp-, pat_. Yes, those prefixes are real — GitHub, OpenAI, AWS, Slack, Discord, you name it. If you find anything, rotate the credential immediately. Do not just delete it from git history — the key is already compromised. Rotate first, scrub later.
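Here is a first-pass sweep for when you haven't installed a proper scanner yet. It's an added example, not code from this article or from the Hard Interference project, and it only sees the working tree (gitleaks and friends do history). The prefix list is the one above; a delimiter is required before each prefix so that words like "task-runner" don't trip the sk- rule. Any files the test creates are constructed and hold no real secrets.

```shell
#!/bin/sh
# Added example, not code from the Hard Interference page: a first-pass grep
# sweep for the token prefixes the checklist names. It only sees the working
# tree; gitleaks/trufflehog also walk git history, so run those as well.
# Sample files used with it are constructed and hold no real secrets.

# Vendor prefixes and PEM markers (case-sensitive). A non-alphanumeric character
# (or line start) must precede the prefix, so "task-" does not match "sk-".
SECRET_PREFIX_RE='(^|[^A-Za-z0-9])(ghp_|gho_|ghu_|ghr_|ghs_|sk-|AKIA|xoxb-|xapp-|pat_|-----BEGIN)'
# Generic "NAME = value" assignments that usually hold a secret (matched case-insensitively).
SECRET_NAME_RE='(API_KEY|SECRET|TOKEN|PASSWORD)[[:space:]]*[=:]'

# scan_for_secrets DIR
# Prints one "path:line:text" entry per suspicious line, de-duplicated.
scan_for_secrets() {
    dir=${1:-.}
    {
        # -r recurse, -n line numbers, -I skip binaries, -E extended regex;
        # .git is skipped so packed objects don't add noise (history is the scanners' job).
        grep -rnIE --exclude-dir=.git "$SECRET_PREFIX_RE" "$dir" || true
        grep -rnIiE --exclude-dir=.git "$SECRET_NAME_RE" "$dir" || true
    } | sort -u
}

# secret_hit_count DIR -> number of suspicious lines found
secret_hit_count() {
    scan_for_secrets "$1" | wc -l | tr -d ' '
}

# Usage: sh scan.sh ~/src   (exits 1 when anything was found, so CI can fail on it)
if [ "$#" -ge 1 ]; then
    scan_for_secrets "$1"
    [ "$(secret_hit_count "$1")" -eq 0 ] || exit 1
fi
```

Point it at the parent directory of all your checkouts, not one repo at a time, and treat every hit as burned until you've checked it.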
Rotate anything you've pasted, committed, or sent to an agent. Every credential you've ever typed into a chat box, every .env you've ever opened in a session, every config you've ever shared — assume it's burned. Go to the service, generate a new key, delete the old one. This is non-negotiable. The window between "I pasted it" and "it's used maliciously" can be seconds if the wrong person is watching.
Move secrets out of files and into a password manager or secret manager. If your API keys are in a file called .env that lives in the project directory, you are one accidental git push or one over-enthusiastic cat in a session from disaster. Use pass, 1Password, Bitwarden, vault, sops, age — anything with encryption at rest and access control. Your .env should not exist on disk outside your home directory.
Lock down .gitignore. Add .env, .env.*, *.local, credentials.json, service-account.json, secrets/, config/, private/, generated/, state/, *.pem, *.key, id_rsa*, *.p12, and anything else that looks like a secret waiting to happen. Then commit the .gitignore. Then check that it actually works before the next commit.
Disable or scope every autonomous agent, cron job, webhook, MCP server, and bot that can spend money or publish content. If you have an AI agent running on a schedule, ask yourself: what's the worst it could do? If the answer is "spend £500 on API credits" or "push to production" or "send a tweet" or "deploy infrastructure", you need an approval gate or you need to turn it off until you've read the rest of this checklist. Autonomous agents are brilliant until they're not. Treat them like loaded guns.
2. This Week — Structural Fixes
Separate your profiles. Don't run your personal agent, your work agent, and your side-project agent off the same API key, same config, same everything. Use separate profiles — separate API providers, separate credentials, separate tool sets. If your work agent has access to your personal GitHub, that's a breach waiting for an off-by-one error in a prompt.
Pin your provider routing. Don't let the agent auto-detect the cheapest model for every task. Route high-risk tasks (write access, deployment, infrastructure changes) to a specific model with specific approval gates. Let low-risk tasks (summarising, searching, drafting) use whatever's cheapest. You want to think hard about where the model's output goes before you let the fast cheap model make that decision.
Set hard spend controls. Every API provider should have a monthly budget. Every agent profile should have a cost ceiling. Every cron job should have a maximum per-run token limit. If you're not tracking your API spend, you're going to get a surprise bill. I've seen people burn through £500 in a weekend because an agent got stuck in a loop. Don't be that person.
Create a credential register. A list of every credential you use, where it's stored, who has access, and when it was last rotated. Do not put the actual secret values in the register — just the names and metadata. This is your map. When something goes wrong, you need to know what could be affected within minutes, not days.
Restrict your GitHub tokens. Never use a classic token with repo scope everywhere. Use fine-grained personal access tokens scoped to exactly the repos and permissions you need. Read-only on most repos. Write only on the repos you're actively working on. If you have a token that can push to every repo you own, that's your biggest single point of failure. Fix it today.
Document every bot, webhook, and automation you run. What does it do? What credentials does it use? What can it touch? What happens if it's compromised? If you can't answer these questions in 30 seconds, you have an asset that nobody understands and nobody is monitoring. That's not automation — that's a liability.
3. Local Machine — The Things You Don't Think About
Separate your source, publish, and backup directories. Don't keep your working code, your deployed code, and your backups in the same directory tree. If an agent has filesystem access, it should not be able to accidentally delete your production build while refactoring your source.
Require explicit approval before deploys. Never let an agent run git push, npm publish, docker push, rsync to a production server, or kubectl apply without explicit user confirmation. If your agent can deploy, your agent can destroy. Make that a two-person operation — you and the keyboard.
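One way to make git push itself the approval gate. This is an added example, not the article's or any project's code: a pre-push hook that refuses pushes to protected branches unless you set DEPLOY_CONFIRM=yes for that one command. The branch names are an assumption; use whatever your deploy pipeline actually watches.

```shell
#!/bin/sh
# Added example, not the page's own code: a git pre-push hook that blocks pushes
# to protected branches unless a human has set DEPLOY_CONFIRM=yes for that one
# command. Install as .git/hooks/pre-push and chmod +x it. The branch list is
# an assumption; adjust it to the branches your deploy pipeline watches.

PROTECTED_BRANCHES="main master production release"

# is_protected REF -> 0 when REF is refs/heads/<one of PROTECTED_BRANCHES>
is_protected() {
    for b in $PROTECTED_BRANCHES; do
        if [ "$1" = "refs/heads/$b" ]; then return 0; fi
    done
    return 1
}

# check_push REMOTE
# Reads git's "<local ref> <local sha> <remote ref> <remote sha>" lines on stdin.
# Returns 0 to allow the push and 1 to abort it.
check_push() {
    remote=$1
    while read -r local_ref local_sha remote_ref remote_sha; do
        if is_protected "$remote_ref" && [ "${DEPLOY_CONFIRM:-}" != "yes" ]; then
            echo "pre-push: refusing to push $local_ref to $remote $remote_ref" >&2
            echo "pre-push: if a human approved this, re-run as: DEPLOY_CONFIRM=yes git push $remote" >&2
            return 1
        fi
    done
    return 0
}

# git invokes the hook as: pre-push <remote name> <remote url>, with refs on stdin
if [ "$#" -ge 1 ]; then
    check_push "$1" || exit 1
fi
```

An agent that runs git push through this hook hits the refusal and stops; you, reading the message, decide whether to re-run with the variable set. The same shape works for npm publish or kubectl apply: wrap the command, demand a one-shot confirmation variable, and never set it globally in your shell profile.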
Bind local services to localhost by default. If you're running a local API, a database, a vector store, or any service that isn't meant to be public, bind it to 127.0.0.1. Not 0.0.0.0. Not localhost (which on some systems resolves to IPv6 ::1 as well as 127.0.0.1 — still fine, but be explicit). 127.0.0.1 means your machine only. 0.0.0.0 means every network interface, so anyone on your network can reach the service. Yes, even on a "secure" home network. Yes, even behind a router. Yes, even you.
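To see what you've already got wrong, list the listeners and flag anything bound to a wildcard address. Added example, not from the article: it parses the output of ss -ltn (Linux iproute2) and prints the sockets reachable from the network. The sample output is constructed for demonstration, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the page: find services listening on every interface
# instead of loopback. It reads `ss -ltn` output (Linux iproute2); the sample
# below is constructed, not captured from a real machine.

# exposed_listeners
# Reads `ss -ltn` lines on stdin and prints the local "addr:port" of each TCP
# listener bound to a wildcard address (0.0.0.0, *, ::, [::]).
exposed_listeners() {
    awk '
        $1 == "LISTEN" {
            addr = $4
            sub(/:[0-9]+$/, "", addr)          # drop the port, keep the bind address
            if (addr ~ /^(0\.0\.0\.0|\*|::|\[::\])$/) print $4
        }'
}

# Constructed sample: Postgres and Redis on loopback (fine), a dev server,
# a Node app and sshd exposed to the whole network (not fine).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:8000        0.0.0.0:*
LISTEN 0      511    *:3000              *:*
LISTEN 0      128    [::1]:6379          [::]:*
LISTEN 0      128    [::]:22             [::]:*'

# exposed_count_sample -> number of wildcard-bound listeners in the sample
exposed_count_sample() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners | wc -l | tr -d ' '
}

# Usage: sh audit.sh --live   (runs against this machine when ss is installed);
# with no argument it runs over the constructed sample.
if [ "${1:-}" = "--live" ] && command -v ss >/dev/null 2>&1; then
    ss -ltn | exposed_listeners
else
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
fi
```

Anything the audit prints is a service to either rebind to 127.0.0.1 or justify in writing. Dev servers are the usual culprits: many default to 0.0.0.0 so that containers and phones can reach them, which is exactly the behaviour you don't want on a laptop full of credentials.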
Use disposable browser profiles. Don't log into your personal Google, GitHub, and AWS accounts in the same browser profile you use for random web searches and AI agent browsing. Use isolated profiles — one for personal, one for work, one for "let's see what this sketchy link does". Firefox containers work. Chrome profiles work. Just separate them.
Inventory every MCP tool you've added. Model Context Protocol servers give AI tools direct access to your filesystem, database, APIs, and services. Every MCP server you add is a potential vector. Review what each one can do, what credentials it uses, and whether you actually need it. If an MCP server has both read and write access, ask yourself why. Most of them should be read-only.
4. Ongoing — The Habits That Save You
Review dependencies regularly. Not just npm audit or pip audit — actually look at what you're pulling in. Every open-source package is a potential supply chain attack. Every AI plugin is a potential data exfiltration vector. If you can't name what a dependency does and why it needs network access, you probably shouldn't be running it.
Treat every AI session like a public conversation. Don't put anything in a chat that you wouldn't put on a whiteboard in a coffee shop. The model might not remember it, but the chat history, the plugin, the browser extension, the network log, the screenshot tool — they all might.
Rotate your credentials on a schedule. Not "when you remember". A schedule. Every 90 days for personal keys. Every 30 days for production keys. Immediately after any suspected breach. Put it in your calendar. Make it a recurring task. If rotating credentials feels like a hassle, the system is too brittle — fix the system.
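The credential register from step 2 and the rotation schedule above are the same tool. Here is an added example (not the article's own, and not any particular product's format) of a register kept as a plain CSV of names and metadata, never secret values, plus a check that lists what has outrun its window using the 90-day personal / 30-day production limits. It is pure POSIX sh with integer date arithmetic, so it works without GNU date. The sample register is constructed.

```shell
#!/bin/sh
# Added example, not the page's own tooling: a credential register kept as a
# plain CSV (names and metadata only, never the secret values) plus a check that
# lists what is past its rotation window using the checklist's 90-day personal /
# 30-day production schedule. Pure POSIX sh and integer arithmetic, so it runs
# without GNU date. The register below is constructed for demonstration.

# date_to_days YYYY-MM-DD -> days since 1970-01-01 (proleptic Gregorian)
date_to_days() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}                 # "08" would be read as octal otherwise
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$(( y / 400 ))
    yoe=$(( y - era * 400 ))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# rotation_limit ENV -> max age in days before a credential is overdue
rotation_limit() {
    case $1 in
        production) echo 30 ;;
        *)          echo 90 ;;
    esac
}

# overdue_credentials TODAY
# Reads the register CSV (name,store,owner,env,last_rotated) on stdin and prints
# "name env age_days limit_days" for every entry past its limit.
overdue_credentials() {
    today=$(date_to_days "$1")
    while IFS=, read -r name store owner env last_rotated; do
        case $name in ''|'#'*|name) continue ;; esac      # blank, comment, header
        limit=$(rotation_limit "$env")
        age=$(( today - $(date_to_days "$last_rotated") ))
        if [ "$age" -gt "$limit" ]; then
            echo "$name $env $age $limit"
        fi
    done
}

# Constructed sample register: metadata only, no secret values anywhere.
SAMPLE_REGISTER='name,store,owner,env,last_rotated
github-pat-work,1password,me,personal,2025-04-01
openai-prod-key,vault,me,production,2025-04-01
aws-deploy-key,sops,me,production,2025-05-20
slack-bot-token,bitwarden,me,personal,2025-01-01'

# overdue_count_sample -> how many sample entries are overdue as of 2025-06-01
overdue_count_sample() {
    printf '%s\n' "$SAMPLE_REGISTER" | overdue_credentials 2025-06-01 | wc -l | tr -d ' '
}

# Usage: sh rotation-check.sh register.csv
if [ "$#" -ge 1 ]; then
    overdue_credentials "$(date +%Y-%m-%d)" < "$1"
fi
```

Run it from the same calendar reminder the article tells you to set, and when it prints anything, that is the day's to-do list. Because the register carries no secret values, it is safe to keep in a private repo or to show an assistant when asking for help with the rotation plan.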
Assume breach. Not in a paranoid, tinfoil-hat way. In a practical, operational way. Design your setup so that if one credential leaks, one agent goes rogue, one dependency gets compromised, you can contain it. Read-only by default. Scoped permissions. Separate profiles. Spend limits. Approval gates. These aren't enterprise theatre — they're the difference between "annoying incident" and "I have to explain to my boss why the production database got dropped at 3am on a Sunday."
You asked an AI for help. That's fine. But now you've read this, so you don't have an excuse anymore.
If you want the shortest possible instruction, use this:
Read https://hardinterference.ai/ai-hardening-context.txt, then help me make a prioritised hardening plan for my AI tools. Do not ask me to paste secrets. Start with credentials, public repos, paid API keys, autonomous agents, messaging channels, and deployment permissions.
If the assistant cannot follow that without trying to ingest your .env, find a better assistant.
Go rotate your keys.
Found this useful?
→ Follow Raf_VRS on X for more AI Guides
→ Support the work: ko-fi.com/rafvrs