feat: add security review team for PR review (#543) (#730)

* feat: add security review team for PR review (#543) Adds a security team that automatically reviews every PR for security issues (injection, credential leaks, unsafe patterns, macOS compat) and sends Slack notifications to #spawn when concerns are found. - security.sh: dual-mode cycle script (PR review + scheduled scan) - security.yml: GitHub Actions workflow on pull_request events - start-security.sh: gitignored wrapper with secrets (deployed) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: expand security team with hygiene, scan modes + auto-merge clean PRs - PR mode: 2-agent team (code-reviewer + test-verifier) reviews PRs. If zero findings, auto-approves AND merges. If concerns, requests changes and sends Slack notification to #spawn. - Hygiene mode (every 6h): pr-triager + branch-cleaner close stale PRs, file follow-up issues, delete orphan branches. - Scan mode (daily): shell-auditor + code-auditor + drift-detector perform full repo security audit, file GitHub issues for findings. - All modes use Claude Code agent teams (TeamCreate, parallel teammates via Task tool, SendMessage coordination, TaskList monitoring). - Workflow updated with schedule triggers and workflow_dispatch inputs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: upgrade all security auditor agents to Opus model All security-critical roles (code-reviewer, pr-triager, shell-auditor, code-auditor) now use Opus. Helper roles (test-verifier, branch-cleaner, drift-detector) remain on Haiku. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: auto-merge PRs with MEDIUM/LOW or no findings Only CRITICAL/HIGH findings block a PR. MEDIUM/LOW are informational notes included in the approving review — PR still gets merged. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Sprite <noreply@sprites.dev> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-29 12:29:31 +00:00 · 2026-02-12 14:04:38 -08:00 · 2026-02-12 14:04:38 -08:00 · 56ba47109c
commit 56ba47109c
parent d961947983
2 changed files with 726 additions and 0 deletions
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@ -0,0 +1,97 @@
+name: Security Review
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+  schedule:
+    # Full repo security scan — daily at 06:00 UTC
+    - cron: '0 6 * * *'
+    # PR hygiene (stale PR cleanup) — every 6 hours
+    - cron: '0 */6 * * *'
+  workflow_dispatch:
+    inputs:
+      mode:
+        description: 'Run mode: pr (needs PR number), hygiene, or scan'
+        required: false
+        default: 'scan'
+        type: choice
+        options:
+          - scan
+          - hygiene
+      pr_number:
+        description: 'PR number (only for pr mode via workflow_dispatch)'
+        required: false
+        type: string
+
+concurrency:
+  group: security-${{ github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number) || github.event_name == 'schedule' && github.event.schedule || 'manual' }}
+  cancel-in-progress: true
+
+jobs:
+  review:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Trigger security review
+        env:
+          SPRITE_URL: ${{ secrets.SECURITY_SPRITE_URL }}
+          TRIGGER_SECRET: ${{ secrets.SECURITY_TRIGGER_SECRET }}
+        run: |
+          if [ -z "$SPRITE_URL" ] || [ -z "$TRIGGER_SECRET" ]; then
+            echo "Security review secrets not configured — skipping"
+            exit 0
+          fi
+
+          # Determine reason and issue/PR number based on trigger type
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            REASON="pull_request"
+            PR_NUM="${{ github.event.pull_request.number }}"
+          elif [ "${{ github.event_name }}" = "schedule" ]; then
+            # Distinguish between cron schedules:
+            # '0 6 * * *' = daily scan, '0 */6 * * *' = hygiene every 6h
+            CRON="${{ github.event.schedule }}"
+            if [ "$CRON" = "0 6 * * *" ]; then
+              REASON="schedule"
+            else
+              REASON="hygiene"
+            fi
+            PR_NUM=""
+          elif [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            MODE="${{ github.event.inputs.mode || 'scan' }}"
+            PR_NUM="${{ github.event.inputs.pr_number || '' }}"
+            if [ -n "$PR_NUM" ]; then
+              REASON="pull_request"
+            elif [ "$MODE" = "hygiene" ]; then
+              REASON="hygiene"
+            else
+              REASON="schedule"
+            fi
+          else
+            REASON="schedule"
+            PR_NUM=""
+          fi
+
+          echo "Mode: reason=$REASON, pr=$PR_NUM"
+
+          set +e
+          # --fail-with-body: exit 22 on HTTP errors but still print the body
+          # -N: no output buffering (stream chunks in real-time)
+          # --max-time: hard cap matching the Sprite's cycle timeout + grace
+          curl -sSN --http1.1 --fail-with-body --max-time 2700 -X POST \
+            "${SPRITE_URL}/trigger?reason=${REASON}&issue=${PR_NUM}" \
+            -H "Authorization: Bearer ${TRIGGER_SECRET}"
+          CURL_EXIT=$?
+          set -e
+
+          if [ "$CURL_EXIT" -eq 0 ]; then
+            echo ""
+            echo "=== Security review completed ==="
+          elif [ "$CURL_EXIT" -eq 22 ]; then
+            # HTTP error — body was already printed above (429 = already running, 409 = dedup, etc.)
+            echo ""
+            echo "=== Trigger returned HTTP error (see output above) ==="
+          else
+            echo ""
+            echo "=== curl failed (exit=$CURL_EXIT) ==="
+            exit 1
+          fi