feat: add @droid security commands

action.yml

@@ -59,6 +59,38 @@ inputs:
     description: "Automatically run the review flow for pull request contexts without requiring an explicit @droid review command. Only supported for PR-related events."
     required: false
     default: "false"
+  automatic_security_review:
+    description: "Automatically run the security review flow for pull request contexts without requiring an explicit @droid security command. Only supported for PR-related events."
+    required: false
+    default: "false"
+  security_model:
+    description: "Override the model used for security review (e.g., 'claude-sonnet-4-5-20250929', 'gpt-5.1-codex'). Only applies to security review flows."
+    required: false
+    default: ""
+  security_severity_threshold:
+    description: "Minimum severity to report in security reviews (critical, high, medium, low). Findings below this threshold will be filtered out."
+    required: false
+    default: "medium"
+  security_block_on_critical:
+    description: "Submit REQUEST_CHANGES review when critical severity findings are detected."
+    required: false
+    default: "true"
+  security_block_on_high:
+    description: "Submit REQUEST_CHANGES review when high severity findings are detected."
+    required: false
+    default: "false"
+  security_notify_team:
+    description: "GitHub team to @mention on critical findings (e.g., '@org/security-team')."
+    required: false
+    default: ""
+  security_scan_schedule:
+    description: "Enable scheduled security scans. Set to 'true' for schedule events to trigger full repository scans."
+    required: false
+    default: "false"
+  security_scan_days:
+    description: "Number of days of commits to scan for scheduled security scans. Only applies when security_scan_schedule is enabled."
+    required: false
+    default: "7"
   review_model:
     description: "Override the model used for code review (e.g., 'claude-sonnet-4-5-20250929', 'gpt-5.1-codex'). Only applies to review flows."
     required: false
@@ -135,6 +167,14 @@ runs:
         DEFAULT_WORKFLOW_TOKEN: ${{ github.token }}
         TRACK_PROGRESS: ${{ inputs.track_progress }}
         AUTOMATIC_REVIEW: ${{ inputs.automatic_review }}
+        AUTOMATIC_SECURITY_REVIEW: ${{ inputs.automatic_security_review }}
+        SECURITY_MODEL: ${{ inputs.security_model }}
+        SECURITY_SEVERITY_THRESHOLD: ${{ inputs.security_severity_threshold }}
+        SECURITY_BLOCK_ON_CRITICAL: ${{ inputs.security_block_on_critical }}
+        SECURITY_BLOCK_ON_HIGH: ${{ inputs.security_block_on_high }}
+        SECURITY_NOTIFY_TEAM: ${{ inputs.security_notify_team }}
+        SECURITY_SCAN_SCHEDULE: ${{ inputs.security_scan_schedule }}
+        SECURITY_SCAN_DAYS: ${{ inputs.security_scan_days }}
         REVIEW_MODEL: ${{ inputs.review_model }}
         REASONING_EFFORT: ${{ inputs.reasoning_effort }}
         FILL_MODEL: ${{ inputs.fill_model }}

src/create-prompt/index.ts

@@ -66,7 +66,7 @@ export function buildDisallowedToolsString(
 
 export function prepareContext(
   context: ParsedGitHubContext,
-  droidCommentId: string,
+  droidCommentId?: string,
   baseBranch?: string,
   droidBranch?: string,
   prBranchData?: { headRefName: string; headRefOid: string },
@@ -288,7 +288,7 @@ export type PromptGenerator = (
 
 export type PromptCreationOptions = {
   githubContext: ParsedGitHubContext;
-  commentId: number;
+  commentId?: number;
   baseBranch?: string;
   droidBranch?: string;
   prBranchData?: { headRefName: string; headRefOid: string };
@@ -310,7 +310,7 @@ export async function createPrompt({
   includeActionsTools = false,
 }: PromptCreationOptions) {
   try {
-    const droidCommentId = commentId.toString();
+    const droidCommentId = commentId?.toString();
     const preparedContext = prepareContext(
       githubContext,
       droidCommentId,

src/create-prompt/templates/fill-prompt.ts

@@ -1,8 +1,6 @@
 import type { PreparedContext } from "../types";
 
-export function generateFillPrompt(
-  context: PreparedContext,
-): string {
+export function generateFillPrompt(context: PreparedContext): string {
   const prNumber = context.eventData.isPR
     ? context.eventData.prNumber
     : context.githubContext && "entityNumber" in context.githubContext

src/create-prompt/templates/security-report-prompt.ts

@@ -0,0 +1,210 @@
+import type { PreparedContext } from "../types";
+import type { ScanScope } from "../../tag/commands/security-scan";
+
+export function generateSecurityReportPrompt(
+  context: PreparedContext,
+  scanScope: ScanScope,
+  branchName: string,
+): string {
+  const date = new Date().toISOString().split("T")[0];
+  const repoFullName = context.repository;
+
+  const scopeDescription =
+    scanScope.type === "full"
+      ? "Entire repository"
+      : `Last ${scanScope.days} days of commits`;
+
+  const scanTypeLabel =
+    scanScope.type === "full" ? "Full Repository" : "Weekly Scheduled";
+
+  const scanInstructions =
+    scanScope.type === "full"
+      ? `- Scan all source files in the repository
+- Focus on: TypeScript, JavaScript, Python, Go, Java, Ruby, PHP files
+- Use: \`find . -type f \\( -name "*.ts" -o -name "*.js" -o -name "*.py" -o -name "*.go" -o -name "*.java" -o -name "*.rb" -o -name "*.php" \\) -not -path "./node_modules/*" -not -path "./.git/*"\``
+      : `- Get commits from the last ${scanScope.days} days: \`git log --since="${scanScope.days} days ago" --name-only --pretty=format:""\`
+- Focus analysis on files changed in recent commits
+- Scan each changed file for security vulnerabilities`;
+
+  // Extract security configuration from context
+  const securityConfig = context.githubContext?.inputs;
+  const severityThreshold =
+    securityConfig?.securitySeverityThreshold ?? "medium";
+  const notifyTeam = securityConfig?.securityNotifyTeam ?? "";
+
+  return `You are performing a ${scanTypeLabel.toLowerCase()} security scan for ${repoFullName}.
+The gh CLI is installed and authenticated via GH_TOKEN.
+
+## Scan Configuration
+- Scope: ${scopeDescription}
+- Severity Threshold: ${severityThreshold} (only report findings at or above this level)
+- Output Branch: ${branchName}
+- Report Path: .factory/security/reports/security-report-${date}.md
+
+## Security Skills Available
+
+You have access to these Factory security skills (installed in ~/.factory/skills/):
+
+1. **threat-model-generation** - Generate STRIDE-based threat model for the repository
+2. **commit-security-scan** - Scan code for security vulnerabilities
+3. **vulnerability-validation** - Validate findings, assess exploitability, filter false positives
+4. **security-review** - Comprehensive security review and patch generation
+
+## Workflow
+
+### Step 1: Create Branch
+\`\`\`bash
+git checkout -b ${branchName}
+\`\`\`
+
+### Step 2: Threat Model Check
+- Check if \`.factory/threat-model.md\` exists in the repository
+- If missing: Invoke the **threat-model-generation** skill to create one
+- If exists: Check the file's last modified date
+  - If >90 days old: Regenerate and update the threat model
+  - If current: Use it as context for the security scan
+
+### Step 3: Security Scan
+${scanInstructions}
+
+For each file:
+- Invoke the **commit-security-scan** skill
+- Look for STRIDE vulnerabilities (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)
+
+### Step 4: Validate Findings
+- For each finding from Step 3, invoke the **vulnerability-validation** skill
+- Assess:
+  - Reachability: Is the vulnerable code reachable from user input?
+  - Exploitability: How easy is it to exploit?
+  - Impact: What's the potential damage?
+- Filter out false positives and findings below the severity threshold (${severityThreshold})
+
+### Step 5: Generate Patches
+- For each confirmed finding that can be auto-fixed:
+  - Invoke **security-review** skill to generate patches
+  - Apply the patch to the codebase
+  - Commit the fix with message: \`fix(security): [VULN-XXX] Brief description\`
+
+### Step 6: Generate Report
+- Create directory: \`mkdir -p .factory/security/reports\`
+- Write report to: \`.factory/security/reports/security-report-${date}.md\`
+
+### Step 7: Create PR
+\`\`\`bash
+git add .
+git commit -m "fix(security): Security scan report - ${date}"
+git push origin ${branchName}
+gh pr create --title "fix(security): Security scan report - ${date} (N findings)" \\
+  --body "## Security Scan Report
+
+See \`.factory/security/reports/security-report-${date}.md\` for details.
+
+### Summary
+| Severity | Count | Auto-fixed | Manual Required |
+|----------|-------|------------|-----------------|
+| CRITICAL | X | X | X |
+| HIGH | X | X | X |
+| MEDIUM | X | X | X |
+| LOW | X | X | X |
+
+${notifyTeam ? `cc ${notifyTeam}` : ""}"
+\`\`\`
+
+## Report Format
+
+The report file should follow this structure:
+
+\`\`\`markdown
+# Security Scan Report
+
+**Generated:** ${date}
+**Scan Type:** ${scanTypeLabel}
+**Repository:** ${repoFullName}
+**Severity Threshold:** ${severityThreshold}
+
+## Executive Summary
+
+| Severity | Count | Auto-fixed | Manual Required |
+|----------|-------|------------|-----------------|
+| CRITICAL | X | X | X |
+| HIGH | X | X | X |
+| MEDIUM | X | X | X |
+| LOW | X | X | X |
+
+**Total Findings:** X
+**Auto-fixed:** X
+**Manual Review Required:** X
+
+## Critical Findings
+
+### VULN-001: [Vulnerability Title]
+
+| Attribute | Value |
+|-----------|-------|
+| **Severity** | CRITICAL |
+| **STRIDE Category** | [Tampering/Spoofing/etc] |
+| **CWE** | CWE-XXX |
+| **File** | path/to/file.ts:line |
+| **Status** | Patched / Manual fix required |
+
+**Description:**
+[Clear explanation of the vulnerability]
+
+**Evidence:**
+\\\`\\\`\\\`
+[Code snippet showing the vulnerability]
+\\\`\\\`\\\`
+
+**Fix Applied:** (if auto-patched)
+\\\`\\\`\\\`diff
+- vulnerable code
++ secure code
+\\\`\\\`\\\`
+
+**Recommended Fix:** (if manual)
+[Step-by-step remediation guidance]
+
+---
+
+## High Findings
+[Same format as Critical]
+
+## Medium Findings
+[Same format as Critical]
+
+## Low Findings
+[Same format as Critical]
+
+## Appendix
+
+### Threat Model
+- Version: [date or "newly generated"]
+- Location: .factory/threat-model.md
+
+### Scan Metadata
+- ${scanScope.type === "full" ? "Files" : "Commits"} Scanned: N
+- Scan Duration: Xm Ys
+- Skills Used: threat-model-generation, commit-security-scan, vulnerability-validation, security-review
+
+### References
+- [CWE Database](https://cwe.mitre.org/)
+- [STRIDE Threat Model](https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats)
+\`\`\`
+
+## Severity Definitions
+
+| Severity | Criteria | Examples |
+|----------|----------|----------|
+| **CRITICAL** | Immediately exploitable, high impact, no auth required | RCE, hardcoded secrets, auth bypass |
+| **HIGH** | Exploitable with conditions, significant impact | SQL injection, stored XSS, IDOR |
+| **MEDIUM** | Requires specific conditions, moderate impact | CSRF, info disclosure, missing rate limits |
+| **LOW** | Difficult to exploit, low impact | Verbose errors, missing security headers |
+
+## Important Notes
+
+1. **Accuracy**: Only report high-confidence findings. False positives waste developer time.
+2. **Patches**: Test all generated patches before committing. Ensure they don't break functionality.
+3. **PR Description**: Update the PR body with actual finding counts before creating.
+4. **Commit Messages**: Use semantic commit format: \`fix(security): [VULN-XXX] Description\`
+`;
+}