@shashank-factory shashank-factory commented Dec 29, 2025

Summary

Introduces a new security-focused code review capability to the Droid GitHub Action. This feature enables automated security analysis of pull request changes, identifying high-severity vulnerabilities and leaving inline comments directly on the diff.

Changes

New Features

  • automatic_security_review input: New action input to automatically run security review for pull request contexts without requiring an explicit command
  • @droid security-review command: New command that users can invoke to trigger a security-focused review
  • Security review prompt template: Specialized prompt (src/create-prompt/templates/security-review-prompt.ts) that guides Droid to focus on security issues including:
    • Authentication/authorization boundary mistakes
    • Injection risks (SQL, command, template)
    • SSRF/open redirects
    • Path traversal and unsafe file handling
    • Unsafe deserialization and prototype pollution
    • Secrets handling and sensitive data exposure
    • Crypto misuse and insecure defaults

Implementation

  • src/tag/commands/security-review.ts: New command handler for security review mode with appropriate MCP tool configuration
  • src/github/utils/command-parser.ts: Extended to recognize security-review as a valid command
  • src/github/context.ts: Added automaticSecurityReview flag to context inputs
  • src/github/validation/trigger.ts: Updated trigger detection to include security-review command
  • action.yml: Added automatic_security_review input with environment variable passthrough

Code Quality

  • Applied Prettier formatting across multiple files (whitespace and formatting only)
  • Minor README formatting fixes (bullet style consistency)

Testing

  • Added comprehensive test suite for security review functionality:
    • test/create-prompt/templates/security-review-prompt.test.ts: Tests for prompt generation
    • test/modes/tag/security-review-command.test.ts: Tests for command handling
    • Updated existing tests to include automaticSecurityReview context field
    • Integration tests cover mutual exclusivity with automatic_review

Breaking Changes

None. This is an additive feature that does not affect existing fill or review functionality.

Related Issues

[To be filled by author]

factory-droid bot commented Dec 29, 2025

Droid finished @shashank-factory's task —— View job


Code review completed

I reviewed the PR changes, focusing on correctness bugs, boundary errors, missing validation, concurrency hazards, and security implications.

Summary:
No high-severity issues found. The PR adds a new security-review feature that follows existing patterns correctly:

  • Proper validation preventing simultaneous automatic_review and automatic_security_review
  • Appropriate PR context validation
  • Consistent tool configuration with the existing review mode
  • Good test coverage for the new functionality

The remaining changes are formatting/style improvements (whitespace, quote consistency) that don't affect behavior.

factory-droid bot commented Dec 29, 2025

Droid finished @shashank-factory's task —— View job

