Install: claude install-skill sageox/ox
# /security-review — ox AI security pipeline
You are orchestrating a [Synthesia-style 6-phase security review](https://www.synthesia.io/post/automating-code-security-reviews-with-claude-mythos-level-capabilities) over the user's diff against `origin/main`. The pipeline shape, the dedup-before-validate ordering, and the right-size-models-per-phase principle all come from that post; the ox specifics (threat model, CLI/daemon primitives, hunter perspective frames) are local.
## Trigger phrases
- `/security-review` (no args) — review the diff vs `origin/main`. Default.
- `/security-review --scope=<path-glob>` — narrow to a specific path.
- `/security-review --hunter=<name>` — run only one hunter (debug). Valid names: `cli-input`, `secrets-redaction`, `daemon-ipc`, `supply-chain`, `llm-trust`.
- `/security-review --rerun` — re-run on the same diff, dedupe against the previous run's findings.
- `/security-review --cap=<usd>` — raise the per-run cost cap (default $2; persisted in `security/config.yml`).
## What you do
You are not the pipeline. You are the dispatcher. **You shell out to `security/scripts/orchestrate.sh`** and surface its output to the user concisely. The pipeline runs the AI subagents itself; do not try to re-implement them in this skill body.
```bash
bash security/scripts/orchestrate.sh "$@"
```
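The trigger phrases above become a shell command line, so the dispatcher should reject anything it does not recognise before the call to `orchestrate.sh`. The wrapper below is an added example, not ox's own code and not part of `security/scripts/orchestrate.sh`: it accepts only the four documented flags, checks `--hunter` against the five listed names, requires `--cap` to be a plain decimal amount, and restricts `--scope` to a relative glob with no `..`, leading `/` or whitespace. The function names `validate_review_args` and `run_security_review` are assumptions.

```shell
# Added example, not ox's own code: validate /security-review flags before
# anything is handed to security/scripts/orchestrate.sh. The function names
# validate_review_args and run_security_review are assumptions.

VALID_HUNTERS="cli-input secrets-redaction daemon-ipc supply-chain llm-trust"

# Prints the accepted flags, one per line, and returns 0. On an unknown flag,
# unknown hunter, malformed cap or unsafe scope it prints a reason to stderr
# and returns 1 so the caller never forwards the input.
validate_review_args() {
  local scope="" hunter="" cap="" rerun=0 arg h ok
  for arg in "$@"; do
    case "$arg" in
      --scope=*)
        scope="${arg#--scope=}"
        # relative glob only: no empty value, absolute path, '..' or whitespace
        case "$scope" in
          ''|/*|*..*|*[[:space:]]*) echo "invalid --scope: '$scope'" >&2; return 1 ;;
        esac ;;
      --hunter=*)
        hunter="${arg#--hunter=}"
        ok=0
        for h in $VALID_HUNTERS; do [ "$h" = "$hunter" ] && ok=1; done
        [ "$ok" -eq 1 ] || { echo "unknown hunter: '$hunter'" >&2; return 1; } ;;
      --rerun) rerun=1 ;;
      --cap=*)
        cap="${arg#--cap=}"
        # USD amount: digits with at most one decimal point
        case "$cap" in
          ''|*[!0-9.]*|.|*.*.*) echo "invalid --cap: '$cap'" >&2; return 1 ;;
        esac ;;
      *) echo "unknown argument: '$arg'" >&2; return 1 ;;
    esac
  done
  [ -n "$scope" ]    && printf '%s\n' "--scope=$scope"
  [ -n "$hunter" ]   && printf '%s\n' "--hunter=$hunter"
  [ "$rerun" -eq 1 ] && printf '%s\n' "--rerun"
  [ -n "$cap" ]      && printf '%s\n' "--cap=$cap"
  return 0
}

# Dispatch: only the validated, normalised flags reach the orchestrator.
# set -f stops the shell from glob-expanding a --scope pattern while the
# validator's output is split back into positional parameters.
run_security_review() {
  local args
  args=$(validate_review_args "$@") || return 1
  set -f
  # shellcheck disable=SC2086
  set -- $args
  set +f
  bash security/scripts/orchestrate.sh "$@"
}
```

Call `run_security_review "$@"` in place of the bare `bash security/scripts/orchestrate.sh "$@"` line; a rejected flag produces a one-line reason on stderr and a non-zero exit instead of an orchestrator run with unchecked arguments.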
The orchestrator drives all six phases:
1. **Prep** — compute scope (diff vs origin/main, language mix, touched packages), write `security/.output/scope.md`.
2. **Ma