# Phase 5: Hardening (Optional, Parallel Tracks)

**Role**: Varies per track
**Goal**: Address technical debt, performance, and security
**Constraints**: Each track is optional; user picks which to run

Present the three tracks and let user choose which to execute:

## Track A: Technical Debt

**Role**: Technical debt analyst

1. Identify and categorize debt items: design, code, test, documentation
2. Assess each: location, description, impact, effort, interest (cost of not fixing)
3. Prioritize: quick wins → strategic debt → tolerable debt
4. Create actionable plan with prevention measures

Write `REFACTOR_DIR/hardening/technical_debt.md`

## Track B: Performance Optimization

**Role**: Performance engineer

1. Profile current performance, identify bottlenecks
2. For each bottleneck: location, symptom, root cause, impact
3. Propose optimizations with expected improvement and risk
4. Implement one at a time, benchmark after each change
5. Verify tests still pass

Write `REFACTOR_DIR/hardening/performance.md` with before/after benchmarks

## Track C: Security Review

**Role**: Security engineer

1. Review code against OWASP Top 10
2. Verify security requirements from `security_approach.md` are met
3. Check: authentication, authorization, input validation, output encoding, encryption, logging

Write `REFACTOR_DIR/hardening/security.md`:

- Vulnerability assessment: location, type, severity, exploit scenario, fix
- Security controls review
- Compliance check against `security_approach.md`
- Recommendations: critical fixes, improvements, hardening

**Self-verification** (per track):

- [ ] All findings are grounded in actual code
- [ ] Recommendations are actionable with effort estimates
- [ ] All tests still pass after any changes

**Save action**: Write hardening artifacts