feat(cloud-shared): rebrand-ready agent base domain config (waifu.fun → elizacloud.ai prep) #2879

	name: Security Review

	on:
	pull_request:
	types: [opened, synchronize, reopened]
	# Focus on code changes that could introduce vulnerabilities
	paths:
	- "*/.ts"
	- "*/.tsx"
	- "*/.js"
	- "*/.jsx"
	- "*/.json"
	- "*/.yml"
	- "*/.yaml"
	- "**/Dockerfile"
	- "**/.env.example"

	# Allow manual security scans
	workflow_dispatch:

	# Cancel previous runs for the same PR
	concurrency:
	group: security-review-${{ github.event.pull_request.number \|\| github.ref }}
	cancel-in-progress: true

	# Default to least privilege. Override per-job where needed.
	permissions:
	contents: read

	jobs:
	security:
	# Skip for draft PRs, [skip-security] in title, or bot-triggered
	if: \|
	github.event.pull_request.draft != true &&
	!contains(github.event.pull_request.title, '[skip-security]') &&
	github.actor != 'cursor[bot]' &&
	github.actor != 'dependabot[bot]'

	runs-on: ubuntu-latest
	timeout-minutes: 15
	permissions:
	contents: read
	pull-requests: write
	security-events: write

	steps:
	- name: Checkout repository
	uses: actions/checkout@v4
	with:
	ref: ${{ github.event.pull_request.head.sha \|\| github.sha }}
	fetch-depth: 2

	- name: Run Claude Security Review
	# Note: Using @main as no stable version tag exists yet
	uses: anthropics/claude-code-security-review@main
	with:
	claude-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
	comment-pr: true
	upload-results: true
	claudecode-timeout: 30

	# Exclude non-critical directories
	exclude-directories: "node_modules,dist,coverage,.turbo,.next,docs"

	# Use Opus 4.5 for deeper security analysis
	claude-model: claude-opus-4-7

Provide feedback