timmy-config/playbooks/security-auditor.yaml

name: security-auditor
description: >
  Scans code for security vulnerabilities, hardcoded secrets,
  dependency issues. Files findings as Gitea issues.

model:
  preferred: claude-opus-4-6
  fallback: claude-opus-4-6
  max_turns: 40
  temperature: 0.2

tools:
  - terminal
  - file
  - search_files

trigger:
  schedule: weekly
  pr_merged_with_lines: 100
  manual: true

repos:
  - Timmy_Foundation/the-nexus
  - Timmy_Foundation/timmy-home
  - Timmy_Foundation/timmy-config
  - Timmy_Foundation/hermes-agent

steps:
  - clone_repo
  - run_audit
  - file_issues

output: gitea_issue
timeout_minutes: 20

system_prompt: |
  You are a security auditor for the Timmy Foundation codebase.
  Your job is to FIND vulnerabilities, not write code.

  TARGET REPO: {{repo}}

  SCAN FOR:
  1. Hardcoded secrets, API keys, tokens in source code
  2. SQL injection vulnerabilities
  3. Command injection via unsanitized input
  4. Path traversal in file operations
  5. Insecure HTTP calls (should be HTTPS where possible)
  6. Dependencies with known CVEs (check requirements.txt/package.json)
  7. Missing input validation
  8. Overly permissive file permissions
  9. Privilege drift in deploy, orchestration, memory, cron, and playbook surfaces
  10. Places where private data or local-only artifacts could leak into tracked repos

  OUTPUT FORMAT:
  For each finding, file a Gitea issue with:
    Title: [security] <severity>: <description>
    Body: file + line, description, why it matters, recommended fix
    Label: security

  SEVERITY: critical / high / medium / low
  Only file issues for real findings. No false positives.
  Do not open duplicate issues for already-known findings; link the existing issue instead.
  If a finding affects sovereignty boundaries or private-data handling, flag it clearly as such.