create-merlin-brain 3.7.2 → 3.8.0-beta.0

package/files/loop/workflows/security-audit.json

@@ -0,0 +1,65 @@
+{
+  "id": "security-audit",
+  "name": "Security Audit",
+  "description": "Run a full security sweep. Get fixes and a clean report.",
+  "version": "1.0",
+  "steps": [
+    {
+      "id": "scan",
+      "label": "Security Scan",
+      "agent_hint": "security",
+      "agent_override": "merlin-security",
+      "input_template": "Perform a comprehensive security audit of:\n\n{{task}}\n\nCheck for:\n- SQL injection, XSS, CSRF\n- Authentication and authorization bypasses\n- Secrets exposure (API keys, tokens in code)\n- Input validation gaps\n- Rate limiting absence\n- Dependency vulnerabilities\n- Insecure configurations\n\nProduce a findings report sorted by severity (CRITICAL > HIGH > MEDIUM > LOW).\n\nOutput SCAN_COMPLETE with findings.",
+      "expects": "SCAN_COMPLETE",
+      "output_file": "security-findings.md",
+      "retry": 1
+    },
+    {
+      "id": "prioritize",
+      "label": "Prioritize Findings",
+      "agent_hint": "architect",
+      "input_template": "Review and prioritize security findings:\n\n{{security-findings.md}}\n\nPrevious context:\n{{handoff}}\n\nFor each finding:\n1. Confirm it's a real vulnerability (not false positive)\n2. Assess exploitability\n3. Determine fix complexity\n4. Create prioritized fix plan (CRITICAL first)\n\nOutput PRIORITIZED with fix plan.",
+      "expects": "PRIORITIZED",
+      "output_file": "fix-plan.md",
+      "retry": 1
+    },
+    {
+      "id": "fix",
+      "label": "Apply Security Fixes",
+      "agent_hint": "security",
+      "input_template": "Apply security fixes according to this plan:\n\n{{fix-plan.md}}\n\nPrevious context:\n{{handoff}}\n\nFix all CRITICAL and HIGH issues. Document any MEDIUM issues deferred.\nCommit each fix atomically with descriptive messages.\n\nOutput FIXES_APPLIED when done.",
+      "expects": "FIXES_APPLIED",
+      "retry": 2,
+      "blend": true
+    },
+    {
+      "id": "verify",
+      "label": "Independent Security Review",
+      "agent_hint": "security",
+      "agent_override": "merlin-security",
+      "input_template": "Independent verification of security fixes.\n\nDO NOT read the original findings. Re-scan the codebase fresh.\nCompare your findings against the fix list in the handoff.\n\nContext:\n{{handoff}}\n\nOutput VERIFIED if all CRITICAL/HIGH issues are resolved.",
+      "expects": "VERIFIED",
+      "independent": true,
+      "retry": 1
+    },
+    {
+      "id": "test",
+      "label": "Security Tests",
+      "agent_hint": "test",
+      "input_template": "Write security-focused tests:\n- Auth bypass attempts\n- Input fuzzing for injection\n- Permission boundary tests\n- Rate limit verification\n\nContext:\n{{handoff}}\n\nOutput TESTS_PASS when all security tests pass.",
+      "expects": "TESTS_PASS",
+      "retry": 2
+    },
+    {
+      "id": "pr",
+      "label": "Security PR",
+      "agent_hint": "impl",
+      "input_template": "Create a PR for security fixes.\n\nContext:\n{{handoff}}\n\nPR should:\n- NOT expose vulnerability details in title\n- Include summary of fixes in private description\n- Tag as security-related\n\nOutput PR_CREATED when done.",
+      "expects": "PR_CREATED",
+      "action": "gh_pr_create",
+      "retry": 1
+    }
+  ],
+  "on_failure": "pause",
+  "on_complete": "notify"
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-merlin-brain",
-  "version": "3.7.2",
+  "version": "3.8.0-beta.0",
   "description": "Merlin - The Ultimate AI Brain for Claude Code. One install: workflows, agents, loop, and Sights MCP server.",
   "type": "module",
   "main": "./dist/server/index.js",