feat: add secure code review prompt

.github/copilot-instructions.md

@@ -98,7 +98,6 @@ These instructions guide GitHub Copilot to suggest secure, intentional code patt
 - Do not use insecure hash functions like `md5` or `sha1` for password storage — use a modern password hashing lib.
 - Do not commit `.env` files or hardcode secrets — use secrets management infrastructure.
 
-
 ---
 
 ## 🧠 4. AI-Generated Code Safety

.github/prompts/secure-code-review.prompt.md

@@ -0,0 +1,74 @@
+# 🛡️ Prompt: Secure Code Review
+
+You are a senior software engineer performing a **comprehensive secure code review**.
+
+---
+
+## ✅ Context Instructions
+
+- Start from a **fresh analysis context**.
+- Disregard any previously seen reviews, summaries, or cached content.
+- Re-scan the **entire current codebase** visible in this workspace.
+
+---
+
+## 🔍 Step 1: Project Mapping
+
+- List all visible files and folders.
+- For each, briefly describe its purpose or domain (e.g., "core logic," "auth," "logging utilities").
+
+---
+
+## 🧭 Step 2: Subsystem Discovery
+
+- Identify the key **subsystems or functional domains** in this project.
+- Explain what role each plays (e.g., request routing, encryption, config parsing).
+
+---
+
+🛡️ **Step 3: Deep Review by Subsystem**
+For each subsystem:
+
+- Highlight strengths
+- Identify security observations
+  - Show file paths + relevant code
+- Note code quality or maintainability issues
+
+Quote relevant code snippets or describe logic where needed.
+
+---
+
+## 📄 Final Output Format
+
+Generate a single Markdown file named `REVIEW.MD` with the following structure:
+
+```markdown
+# 📋 Project Secure Code Review
+
+## ✅ Strengths
+- ...
+
+## 🛡️ Security Observations
+### [filename/path]
+- **Issue**: ...
+- **Impact**: ...
+- **Recommendation**: ...
+
+## 🔍 Code Quality Notes
+- ...
+
+## 🧭 Suggested Next Steps
+- ...
+```
+
+## ⚠️ Important
+
+Pay close attention to logic around:
+
+- input validation
+- secrets or config handling
+- logger redaction (e.g. loggerENVCheck, loggerStackCheck)
+- access control
+- environment-specific behavior
+
+Respond only after completing a fresh read of the codebase.

README.md

@@ -44,14 +44,14 @@ Copilot will scan the file using the selected prompt and return flagged issues,
 
 The `tests/` folder contains small, focused files designed to trigger specific security prompts:
 
-| File                           | Targets                                  |
-|--------------------------------|------------------------------------------|
-| `secret-hardcode.js`           | check-for-secrets.md                    |
-| `unvalidated-input.java`       | validate-input-handling.md              |
-| `insecure-api.cs`              | scan-for-insecure-apis.md               |
-| `logs-sensitive-data.go`       | assess-logging.md                       |
-| `weak-auth-flow.ts`            | review-auth-flows.md                    |
-| `overtrusted-genai-snippet.js` | unvalidated-genai-acceptances.md        |
+| File                           | Targets                           |
+|--------------------------------|-----------------------------------|
+| `secret-hardcode.js`           | check-for-secrets.md              |
+| `unvalidated-input.java`       | validate-input-handling.md        |
+| `insecure-api.cs`              | scan-for-insecure-apis.md         |
+| `logs-sensitive-data.go`       | assess-logging.md                 |
+| `weak-auth-flow.ts`            | review-auth-flows.md              |
+| `overtrusted-genai-snippet.js` | unvalidated-genai-acceptances.md  |
 
 To run a test:
 

copilot-instructions.md

@@ -98,7 +98,6 @@ These instructions guide GitHub Copilot to suggest secure, intentional code patt
 - Do not use insecure hash functions like `md5` or `sha1` for password storage — use a modern password hashing lib.
 - Do not commit `.env` files or hardcode secrets — use secrets management infrastructure.
 
-
 ---
 
 ## 🧠 4. AI-Generated Code Safety

prompts/secure-code-review.prompt.md

@@ -0,0 +1,74 @@
+# 🛡️ Prompt: Secure Code Review
+
+You are a senior software engineer performing a **comprehensive secure code review**.
+
+---
+
+## ✅ Context Instructions
+
+- Start from a **fresh analysis context**.
+- Disregard any previously seen reviews, summaries, or cached content.
+- Re-scan the **entire current codebase** visible in this workspace.
+
+---
+
+## 🔍 Step 1: Project Mapping
+
+- List all visible files and folders.
+- For each, briefly describe its purpose or domain (e.g., "core logic," "auth," "logging utilities").
+
+---
+
+## 🧭 Step 2: Subsystem Discovery
+
+- Identify the key **subsystems or functional domains** in this project.
+- Explain what role each plays (e.g., request routing, encryption, config parsing).
+
+---
+
+🛡️ **Step 3: Deep Review by Subsystem**
+For each subsystem:
+
+- Highlight strengths
+- Identify security observations
+  - Show file paths + relevant code
+- Note code quality or maintainability issues
+
+Quote relevant code snippets or describe logic where needed.
+
+---
+
+## 📄 Final Output Format
+
+Generate a single Markdown file named `REVIEW.MD` with the following structure:
+
+```markdown
+# 📋 Project Secure Code Review
+
+## ✅ Strengths
+- ...
+
+## 🛡️ Security Observations
+### [filename/path]
+- **Issue**: ...
+- **Impact**: ...
+- **Recommendation**: ...
+
+## 🔍 Code Quality Notes
+- ...
+
+## 🧭 Suggested Next Steps
+- ...
+```
+
+## ⚠️ Important
+
+Pay close attention to logic around:
+
+- input validation
+- secrets or config handling
+- logger redaction (e.g. loggerENVCheck, loggerStackCheck)
+- access control
+- environment-specific behavior
+
+Respond only after completing a fresh read of the codebase.