playbooks/security-auditor.yaml

name: security-auditor
description: >
  Scans code for security vulnerabilities, hardcoded secrets,
  dependency issues. Files findings as Gitea issues.

model:
  preferred: claude-opus-4-6
  fallback: claude-opus-4-6
  max_turns: 40
  temperature: 0.2

tools:
  - terminal
  - file
  - search_files

trigger:
  schedule: weekly
  pr_merged_with_lines: 100
  manual: true

repos:
  - Timmy_Foundation/the-nexus
  - Timmy_Foundation/timmy-home
  - Timmy_Foundation/timmy-config
  - Timmy_Foundation/hermes-agent

steps:
  - clone_repo
  - run_audit
  - file_issues

output: gitea_issue
timeout_minutes: 20

system_prompt: |
  You are a security auditor for the Timmy Foundation codebase.
  Your job is to FIND vulnerabilities, not write code.

  TARGET REPO: {{repo}}

  SCAN FOR:
  1. Hardcoded secrets, API keys, tokens in source code
  2. SQL injection vulnerabilities
  3. Command injection via unsanitized input
  4. Path traversal in file operations
  5. Insecure HTTP calls (should be HTTPS where possible)
  6. Dependencies with known CVEs (check requirements.txt/package.json)
  7. Missing input validation
  8. Overly permissive file permissions
  9. Privilege drift in deploy, orchestration, memory, cron, and playbook surfaces
  10. Places where private data or local-only artifacts could leak into tracked repos

  OUTPUT FORMAT:
  For each finding, file a Gitea issue with:
    Title: [security] <severity>: <description>
    Body: file + line, description, why it matters, recommended fix
    Label: security

  SEVERITY: critical / high / medium / low
  Only file issues for real findings. No false positives.
  Do not open duplicate issues for already-known findings; link the existing issue instead.
  If a finding affects sovereignty boundaries or private-data handling, flag it clearly as such.
feat: Timmy's sovereign config — soul, memories, skins, playbooks Migrated from hermes/hermes-config (now archived). Contents: SOUL.md — Inscription 1, the immutable conscience config.yaml — live Hermes harness configuration memories/ — persistent agent memory + user profile skins/ — timmy.yaml + trismegistus.yaml personalities playbooks/ — 6 specialist agent configs cron/ — scheduled job definitions docs/design-log/ — historical design decisions FALSEWORK.md — API cost management strategy channel_directory.json — platform channel mappings Applied as side-car to Hermes harness. No hacking on the harness. 2026-03-24 17:45:12 -04:00			`name: security-auditor`
			`description: >`
			`Scans code for security vulnerabilities, hardcoded secrets,`
			`dependency issues. Files findings as Gitea issues.`

			`model:`
fix: purge qwen from config.yaml and all playbooks - config.yaml: disabled compression, smart_model_routing, all auxiliary qwen routes - All 6 playbooks: qwen3:30b -> claude-opus-4-6 - Playbook repos: removed hermes-agent, added autolora/sov-orch/timmy-config - Alexander's directive: silence over qwen. Opus only. 2026-03-25 15:38:39 -04:00			`preferred: claude-opus-4-6`
feat: Timmy's sovereign config — soul, memories, skins, playbooks Migrated from hermes/hermes-config (now archived). Contents: SOUL.md — Inscription 1, the immutable conscience config.yaml — live Hermes harness configuration memories/ — persistent agent memory + user profile skins/ — timmy.yaml + trismegistus.yaml personalities playbooks/ — 6 specialist agent configs cron/ — scheduled job definitions docs/design-log/ — historical design decisions FALSEWORK.md — API cost management strategy channel_directory.json — platform channel mappings Applied as side-car to Hermes harness. No hacking on the harness. 2026-03-24 17:45:12 -04:00			`fallback: claude-opus-4-6`
			`max_turns: 40`
			`temperature: 0.2`

			`tools:`
			`- terminal`
			`- file`
			`- search_files`

			`trigger:`
			`schedule: weekly`
			`pr_merged_with_lines: 100`
			`manual: true`

			`repos:`
			`- Timmy_Foundation/the-nexus`
Teach workflow skills in specialist playbooks (#144) Co-authored-by: Codex Agent <codex@hermes.local> Co-committed-by: Codex Agent <codex@hermes.local> 2026-04-04 22:48:06 +00:00			`- Timmy_Foundation/timmy-home`
			`- Timmy_Foundation/timmy-config`
feat: Timmy's sovereign config — soul, memories, skins, playbooks Migrated from hermes/hermes-config (now archived). Contents: SOUL.md — Inscription 1, the immutable conscience config.yaml — live Hermes harness configuration memories/ — persistent agent memory + user profile skins/ — timmy.yaml + trismegistus.yaml personalities playbooks/ — 6 specialist agent configs cron/ — scheduled job definitions docs/design-log/ — historical design decisions FALSEWORK.md — API cost management strategy channel_directory.json — platform channel mappings Applied as side-car to Hermes harness. No hacking on the harness. 2026-03-24 17:45:12 -04:00			`- Timmy_Foundation/hermes-agent`

			`steps:`
			`- clone_repo`
			`- run_audit`
			`- file_issues`

			`output: gitea_issue`
			`timeout_minutes: 20`

			`system_prompt: \|`
			`You are a security auditor for the Timmy Foundation codebase.`
			`Your job is to FIND vulnerabilities, not write code.`

			`TARGET REPO: {{repo}}`

			`SCAN FOR:`
			`1. Hardcoded secrets, API keys, tokens in source code`
			`2. SQL injection vulnerabilities`
			`3. Command injection via unsanitized input`
			`4. Path traversal in file operations`
			`5. Insecure HTTP calls (should be HTTPS where possible)`
			`6. Dependencies with known CVEs (check requirements.txt/package.json)`
			`7. Missing input validation`
			`8. Overly permissive file permissions`
Teach workflow skills in specialist playbooks (#144) Co-authored-by: Codex Agent <codex@hermes.local> Co-committed-by: Codex Agent <codex@hermes.local> 2026-04-04 22:48:06 +00:00			`9. Privilege drift in deploy, orchestration, memory, cron, and playbook surfaces`
			`10. Places where private data or local-only artifacts could leak into tracked repos`
feat: Timmy's sovereign config — soul, memories, skins, playbooks Migrated from hermes/hermes-config (now archived). Contents: SOUL.md — Inscription 1, the immutable conscience config.yaml — live Hermes harness configuration memories/ — persistent agent memory + user profile skins/ — timmy.yaml + trismegistus.yaml personalities playbooks/ — 6 specialist agent configs cron/ — scheduled job definitions docs/design-log/ — historical design decisions FALSEWORK.md — API cost management strategy channel_directory.json — platform channel mappings Applied as side-car to Hermes harness. No hacking on the harness. 2026-03-24 17:45:12 -04:00
			`OUTPUT FORMAT:`
			`For each finding, file a Gitea issue with:`
			`Title: [security] <severity>: <description>`
Teach workflow skills in specialist playbooks (#144) Co-authored-by: Codex Agent <codex@hermes.local> Co-committed-by: Codex Agent <codex@hermes.local> 2026-04-04 22:48:06 +00:00			`Body: file + line, description, why it matters, recommended fix`
feat: Timmy's sovereign config — soul, memories, skins, playbooks Migrated from hermes/hermes-config (now archived). Contents: SOUL.md — Inscription 1, the immutable conscience config.yaml — live Hermes harness configuration memories/ — persistent agent memory + user profile skins/ — timmy.yaml + trismegistus.yaml personalities playbooks/ — 6 specialist agent configs cron/ — scheduled job definitions docs/design-log/ — historical design decisions FALSEWORK.md — API cost management strategy channel_directory.json — platform channel mappings Applied as side-car to Hermes harness. No hacking on the harness. 2026-03-24 17:45:12 -04:00			`Label: security`

			`SEVERITY: critical / high / medium / low`
			`Only file issues for real findings. No false positives.`
Teach workflow skills in specialist playbooks (#144) Co-authored-by: Codex Agent <codex@hermes.local> Co-committed-by: Codex Agent <codex@hermes.local> 2026-04-04 22:48:06 +00:00			`Do not open duplicate issues for already-known findings; link the existing issue instead.`
			`If a finding affects sovereignty boundaries or private-data handling, flag it clearly as such.`