fix: address P1 issues from security commands code review

- Fix SECURITY_SCAN_DAYS to avoid NaN (clamp to positive integer, default 7)
- Remove instructions to commit threat model to PR branch during review
- Remove instructions to commit patches to PR branch
- Align security review with JSON output pattern (no direct inline comments)

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

Author: shashank-factory

src/create-prompt/templates/security-review-prompt.ts

@@ -49,10 +49,8 @@ You have access to these Factory security skills (installed in ~/.factory/skills
 
 ### Step 1: Threat Model Check
 - Check if \`.factory/threat-model.md\` exists in the repository
-- If missing: Invoke the **threat-model-generation** skill to create one, then commit it to the PR branch
-- If exists: Check the file's last modified date
-  - If >90 days old: Post a warning comment suggesting regeneration, but proceed with scan
-  - If current: Use it as context for the security scan
+- If missing: Note this in the summary (threat model generation is done separately, not during PR review)
+- If exists: Use it as context for the security scan
 
 ### Step 2: Security Scan
 - Invoke the **commit-security-scan** skill on the PR diff
@@ -71,12 +69,11 @@ You have access to these Factory security skills (installed in ~/.factory/skills
   - Impact: What's the potential damage?
 - Filter out false positives and findings below the severity threshold (${severityThreshold})
 
-### Step 4: Report & Patch
+### Step 4: Report Findings
 - For each confirmed finding at or above ${severityThreshold} severity:
-  - Post inline comment using \`github_inline_comment___create_inline_comment\`
+  - Record in the JSON output file
   - Include: severity, STRIDE category, CWE ID, clear explanation, suggested fix
-- For auto-fixable issues: Invoke **security-review** skill to generate patches
-- Commit any generated patches to the PR branch
+- For auto-fixable issues: Include the suggested patch in the finding's suggestion field
 
 ## Security Scope (STRIDE Categories)
 

src/github/context.ts

@@ -157,7 +157,7 @@ export function parseGitHubContext(): GitHubContext {
       securityBlockOnHigh: process.env.SECURITY_BLOCK_ON_HIGH === "true",
       securityNotifyTeam: process.env.SECURITY_NOTIFY_TEAM ?? "",
       securityScanSchedule: process.env.SECURITY_SCAN_SCHEDULE === "true",
-      securityScanDays: parseInt(process.env.SECURITY_SCAN_DAYS ?? "7", 10),
+      securityScanDays: Math.max(1, parseInt(process.env.SECURITY_SCAN_DAYS ?? "7", 10) || 7),
     },
   };