security: harden GitHub Actions workflows against exploitation

Critical:
- Remove `pip install -e ".[dev]"` from review.yml — untrusted PR code
  could exfiltrate secrets via build hooks. Install only ruff/mypy directly.

High:
- Fix script injection: use env var for base.ref instead of direct
  interpolation in shell commands (review.yml)
- Add scoped app token to claude.yml (was using default GITHUB_TOKEN
  with write permissions)
- Add --allowedTools to claude.yml (was unrestricted — could run any
  bash command including curl for data exfiltration)
- Add branch filter to review.yml (was triggering on PRs to any branch)

Medium:
- Security sweep creates PR instead of pushing directly to main
- Reduce sweep permissions to contents:read (uses app token for writes)

Author: Arnold Cartagena

.github/workflows/claude.yml

@@ -40,12 +40,20 @@ jobs:
         with:
           fetch-depth: 1
 
+      - name: Generate app token
+        id: app-token
+        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
       - name: Run Claude Code
         id: claude
         uses: anthropics/claude-code-action@9469d113c6afd29550c402740f22d1a97dd1209b # v1
         with:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          github_token: ${{ steps.app-token.outputs.token }}
           model: claude-sonnet-4-6
-          claude_args: '--max-turns 30'
+          claude_args: '--max-turns 30 --allowedTools "Bash(git:*),Bash(gh:*),Bash(pytest:*),Bash(python3:*),Bash(ruff:*),Bash(mypy:*),Bash(pnpm:*),Read,Glob,Grep,Write,Edit"'
           additional_permissions: |
             actions: read

.github/workflows/review.yml

@@ -2,6 +2,7 @@ name: Code Review
 
 on:
   pull_request:
+    branches: [main]
     types: [opened, synchronize, ready_for_review, reopened]
 
 concurrency:
@@ -29,12 +30,14 @@ jobs:
       # not the PR branch. A malicious PR could modify CLAUDE.md to inject
       # instructions into the reviewer agent.
       - name: Extract governance files from base branch
+        env:
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
         run: |
           mkdir -p /tmp/governance
-          git show origin/${{ github.event.pull_request.base.ref }}:CLAUDE.md > /tmp/governance/CLAUDE.md 2>/dev/null || true
-          git show origin/${{ github.event.pull_request.base.ref }}:.claude/agents/code-reviewer.md > /tmp/governance/code-reviewer.md 2>/dev/null || true
-          git show origin/${{ github.event.pull_request.base.ref }}:.github/review-instructions.md > /tmp/governance/review-instructions.md 2>/dev/null || true
-          git show origin/${{ github.event.pull_request.base.ref }}:.github/review-template.md > /tmp/governance/review-template.md 2>/dev/null || true
+          git show "origin/${BASE_REF}:CLAUDE.md" > /tmp/governance/CLAUDE.md 2>/dev/null || true
+          git show "origin/${BASE_REF}:.claude/agents/code-reviewer.md" > /tmp/governance/code-reviewer.md 2>/dev/null || true
+          git show "origin/${BASE_REF}:.github/review-instructions.md" > /tmp/governance/review-instructions.md 2>/dev/null || true
+          git show "origin/${BASE_REF}:.github/review-template.md" > /tmp/governance/review-template.md 2>/dev/null || true
 
       - name: Generate app token
         id: app-token
@@ -43,13 +46,16 @@ jobs:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
 
+      # SECURITY: Do NOT run `pip install -e ".[dev]"` here.
+      # The PR branch's pyproject.toml is untrusted — build hooks could
+      # exfiltrate secrets. Install only the tools Claude needs directly.
       - name: Set up Python
         uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: "3.12"
 
-      - name: Install dependencies
-        run: pip install -e ".[dev]"
+      - name: Install review tools (NOT the project)
+        run: pip install ruff mypy
 
       - name: Run Code Review
         id: review
@@ -58,7 +64,7 @@ jobs:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
           github_token: ${{ steps.app-token.outputs.token }}
           model: claude-sonnet-4-6
-          claude_args: '--max-turns 30 --allowedTools "Bash(git diff:*),Bash(git log:*),Bash(gh pr comment:*),Bash(gh api:*),Bash(cat:*),Bash(pytest:*),Bash(python:*),Bash(ruff:*),Bash(mypy:*),Read,Glob,Grep,Write"'
+          claude_args: '--max-turns 30 --allowedTools "Bash(git diff:*),Bash(git log:*),Bash(gh pr comment:*),Bash(gh api:*),Bash(cat:*),Bash(ruff:*),Bash(mypy:*),Read,Glob,Grep,Write"'
           prompt: |
             You are an adversarial code reviewer for Edictum Console — a **security product** (self-hostable agent operations console). A single vulnerability destroys the credibility of a startup that sells trust. Think like an attacker first, reviewer second.
 

.github/workflows/security-sweep.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     permissions:
-      contents: write
+      contents: read
       issues: write
       id-token: write
 
@@ -216,11 +216,13 @@ jobs:
             python3 security/manage-baseline.py add <ID> --severity <level> --file <path> --description "<desc>"
             ```
 
-            If baseline.json was modified, commit and push:
+            If baseline.json was modified, create a PR (never push directly to main):
             ```bash
+            git checkout -b chore/security-sweep-$(date +%Y%m%d)
             git add security/baseline.json
             git commit -m "chore: update security baseline from weekly sweep"
-            git push
+            git push -u origin HEAD
+            gh pr create --title "chore: update security baseline" --body "Automated update from weekly security sweep." --label "security"
             ```
 
             ## Rules