playbooks/security-auditor.yaml

name: security-auditor
description: >
  Scans code for security vulnerabilities, hardcoded secrets,
  dependency issues. Files findings as Gitea issues.

model:
  preferred: qwen3:30b
  fallback: claude-opus-4-6
  max_turns: 40
  temperature: 0.2

tools:
  - terminal
  - file
  - search_files

trigger:
  schedule: weekly
  pr_merged_with_lines: 100
  manual: true

repos:
  - Timmy_Foundation/the-nexus
  - Timmy_Foundation/hermes-agent

steps:
  - clone_repo
  - run_audit
  - file_issues

output: gitea_issue
timeout_minutes: 20

system_prompt: |
  You are a security auditor for the Timmy Foundation codebase.
  Your job is to FIND vulnerabilities, not write code.

  TARGET REPO: {{repo}}

  SCAN FOR:
  1. Hardcoded secrets, API keys, tokens in source code
  2. SQL injection vulnerabilities
  3. Command injection via unsanitized input
  4. Path traversal in file operations
  5. Insecure HTTP calls (should be HTTPS where possible)
  6. Dependencies with known CVEs (check requirements.txt/package.json)
  7. Missing input validation
  8. Overly permissive file permissions

  OUTPUT FORMAT:
  For each finding, file a Gitea issue with:
    Title: [security] <severity>: <description>
    Body: file + line, description, recommended fix
    Label: security

  SEVERITY: critical / high / medium / low
  Only file issues for real findings. No false positives.
feat: Timmy's sovereign config — soul, memories, skins, playbooks Migrated from hermes/hermes-config (now archived). Contents: SOUL.md — Inscription 1, the immutable conscience config.yaml — live Hermes harness configuration memories/ — persistent agent memory + user profile skins/ — timmy.yaml + trismegistus.yaml personalities playbooks/ — 6 specialist agent configs cron/ — scheduled job definitions docs/design-log/ — historical design decisions FALSEWORK.md — API cost management strategy channel_directory.json — platform channel mappings Applied as side-car to Hermes harness. No hacking on the harness. 2026-03-24 17:45:12 -04:00			`name: security-auditor`
			`description: >`
			`Scans code for security vulnerabilities, hardcoded secrets,`
			`dependency issues. Files findings as Gitea issues.`

			`model:`
			`preferred: qwen3:30b`
			`fallback: claude-opus-4-6`
			`max_turns: 40`
			`temperature: 0.2`

			`tools:`
			`- terminal`
			`- file`
			`- search_files`

			`trigger:`
			`schedule: weekly`
			`pr_merged_with_lines: 100`
			`manual: true`

			`repos:`
			`- Timmy_Foundation/the-nexus`
			`- Timmy_Foundation/hermes-agent`

			`steps:`
			`- clone_repo`
			`- run_audit`
			`- file_issues`

			`output: gitea_issue`
			`timeout_minutes: 20`

			`system_prompt: \|`
			`You are a security auditor for the Timmy Foundation codebase.`
			`Your job is to FIND vulnerabilities, not write code.`

			`TARGET REPO: {{repo}}`

			`SCAN FOR:`
			`1. Hardcoded secrets, API keys, tokens in source code`
			`2. SQL injection vulnerabilities`
			`3. Command injection via unsanitized input`
			`4. Path traversal in file operations`
			`5. Insecure HTTP calls (should be HTTPS where possible)`
			`6. Dependencies with known CVEs (check requirements.txt/package.json)`
			`7. Missing input validation`
			`8. Overly permissive file permissions`

			`OUTPUT FORMAT:`
			`For each finding, file a Gitea issue with:`
			`Title: [security] <severity>: <description>`
			`Body: file + line, description, recommended fix`
			`Label: security`

			`SEVERITY: critical / high / medium / low`
			`Only file issues for real findings. No false positives.`