review-security
review-security — security audit on touched files
review-security looks at the PR's diff and asks: did this change open a door that was closed? Did it leave a secret in the repo? Did it ship a dependency with a known CVE? Did it skip an authorization check on a route that needs one?
It runs the project's vulnerability tooling, walks each touched file through a focused checklist, and emits findings in the finding-format.md schema. It never edits files. To act on the findings, call /drive-change: the orchestrator's sensitivity gate (see references/sensitivity-paths.md) routes auth/crypto/IPC packets to Opus fix-appliers regardless of severity.
Phase 0 — Scope
The file scope comes from gh pr diff --name-only, git diff --name-only HEAD, or an explicit list supplied by the user. Dependency scans ignore that list and always cover the whole project.
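As an added example (not part of the skill itself), a POSIX shell resolver for the Phase 0 scope. The precedence of explicit list, then PR diff via gh, then local diff against HEAD is an assumption, as is dropping paths that the diff lists but that no longer exist:

```shell
# Added example, not review-security's own code. Resolves the Phase 0 scope:
# an explicit user list wins, then the PR diff via gh, then the working-tree
# diff against HEAD (precedence is an assumption, not stated by the skill).
review_scope() {
    if [ "$#" -gt 0 ]; then
        # Explicit user list: pass through unchanged, one path per line.
        printf '%s\n' "$@"
        return 0
    fi
    local files
    if files=$(gh pr diff --name-only 2>/dev/null) && [ -n "$files" ]; then
        : # inside a checked-out PR with gh available
    else
        files=$(git diff --name-only HEAD 2>/dev/null) || return 1
    fi
    # Both diffs list deleted files too; drop anything that no longer exists,
    # since there is nothing left to walk through the per-file checklist.
    printf '%s\n' "$files" | while IFS= read -r f; do
        [ -n "$f" ] && [ -e "$f" ] && printf '%s\n' "$f"
    done | sort -u
}

# Dependency scans ignore the per-file scope and cover the whole project,
# so their root is the repository top level (or the cwd outside a repo).
dependency_scope() {
    git rev-parse --show-toplevel 2>/dev/null || pwd
}
```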