test(security-review): verify /security-review path against fix-fork-secrets

[tejaskash]

Throwaway PR for testing — do not merge, do not review.

Base = fix-fork-secrets (PR #1310's branch) so the security review workflow that runs on this PR is the new one with bundled-slash-command + honest summary + cancel-in-progress=false. Verifies the inline-comment posting path before #1310 merges.

The diff adds a single file with two deliberate findings the bundled /security-review skill should flag (hardcoded AWS creds + command injection via exec).

Will close once verified.

[agentcore-devx-automation]

Claude Security Review: no high-confidence findings. (run)

[agentcore-cli-automation]

Per the PR description, this is a throwaway smoke-test PR not intended to be reviewed or merged — skipping a substantive code review.

One meta-observation since I'm here: the bundled /security-review run on this PR posted "no high-confidence findings" (run), even though scripts/__sec_review_smoketest.mjs contains two deliberate HIGH-severity issues (hardcoded AWS credential pattern + exec() command injection from an unvalidated HTTP query param). That's the opposite of what this PR was designed to verify — worth confirming whether the skill is correctly skipping AWS example credentials / test fixtures (in which case the smoketest needs more realistic-looking findings), or whether the inline-comment posting path is silently failing. Either way, the verification goal of this PR doesn't appear to have been met yet.

[agentcore-devx-automation]

Claude Security Review: no high-confidence findings. (run)

[tejaskash]

Closing — base-branch testing strategy doesn't work for pull_request_target (workflow always reads from default branch). Will verify the fixes in #1310 on a real PR after that merges.