feat: security skills scanner and enhanced code reviewer

Add Python security_skills module (10 checks) and enhanced TS reviewer
(7 new rules) based on patterns from external security report findings.

New security skill checks (SKILL-001 through SKILL-010):
- Stub security functions (verify/validate always returning True)
- Unsafe pickle deserialization without HMAC
- Hardcoded security deny-lists discoverable by attackers
- Unbounded collections enabling memory DoS
- SSRF-vulnerable URL handling
- Missing circuit breakers on external calls
- ReDoS-susceptible regex patterns
- Hardcoded secrets/API keys in source
- Trust decisions without cryptographic verification
- Exception details leaking internals to callers

New TS reviewer rules (8-14):
- stub-security-implementation (CRITICAL)
- hardcoded-security-denylist (HIGH)
- unsafe-deserialization (CRITICAL)
- unbounded-collection (MEDIUM)
- missing-circuit-breaker (MEDIUM)
- ssrf-vulnerable-url (HIGH)
- no-behavior-monitoring (MEDIUM)

SDLC integration:
- scripts/security_scan.py — CLI for pre-commit and CI use
- .github/workflows/security-scan.yml — PR security scanning
- 41 tests covering all skill checks with positive/negative cases

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: imran-siddique

.github/workflows/security-scan.yml

@@ -0,0 +1,38 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  security-skills-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: "3.11"
+      - name: Run security skills scan
+        run: |
+          python scripts/security_scan.py packages/ \
+            --exclude-tests \
+            --min-severity high \
+            --format text
+      - name: Generate JSON report
+        if: always()
+        run: |
+          python scripts/security_scan.py packages/ \
+            --exclude-tests \
+            --format json > security-scan-results.json
+      - name: Upload scan results
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: security-scan-results
+          path: security-scan-results.json
+          retention-days: 30