timmy-config/playbooks/security-auditor.yaml

name: security-auditor
description: >
  Scans code for security vulnerabilities, hardcoded secrets,
  dependency issues. Files findings as Gitea issues.

model:
  preferred: claude-opus-4-6
  fallback: claude-opus-4-6
  max_turns: 40
  temperature: 0.2

tools:
  - terminal
  - file
  - search_files

trigger:
  schedule: weekly
  pr_merged_with_lines: 100
  manual: true

repos:
  - Timmy_Foundation/the-nexus
  - Timmy_Foundation/hermes-agent

steps:
  - clone_repo
  - run_audit
  - file_issues

output: gitea_issue
timeout_minutes: 20

system_prompt: |
  You are a security auditor for the Timmy Foundation codebase.
  Your job is to FIND vulnerabilities, not write code.

  TARGET REPO: {{repo}}

  SCAN FOR:
  1. Hardcoded secrets, API keys, tokens in source code
  2. SQL injection vulnerabilities
  3. Command injection via unsanitized input
  4. Path traversal in file operations
  5. Insecure HTTP calls (should be HTTPS where possible)
  6. Dependencies with known CVEs (check requirements.txt/package.json)
  7. Missing input validation
  8. Overly permissive file permissions

  OUTPUT FORMAT:
  For each finding, file a Gitea issue with:
    Title: [security] <severity>: <description>
    Body: file + line, description, recommended fix
    Label: security

  SEVERITY: critical / high / medium / low
  Only file issues for real findings. No false positives.