action.yml

name: 'Argus Security'
description: 'The All-Seeing AI Security Platform: Multi-agent security analysis with 5 specialized AI personas, 9 security scanners, Claude/OpenAI triage, and intelligent false positive reduction'
author: 'Argus Security Team'

inputs:
  # Pipeline Mode Selection
  pipeline-mode:
    description: 'Pipeline mode: "fast" uses run_ai_audit.py (AI code review, 2-3 LLM calls), "full" uses hybrid_analyzer.py (6-phase pipeline with Semgrep+Trivy+Checkov+TruffleHog+AI enrichment)'
    required: false
    default: 'fast'

  review-type:
    description: 'Type of review to run (audit, security, review) — used in fast mode'
    required: false
    default: 'audit'
  project-path:
    description: 'Path to the project to review'
    required: false
    default: '.'
  project-type:
    description: 'Project type (backend-api, dashboard-ui, data-pipeline, infrastructure, or auto) — used in fast mode'
    required: false
    default: 'auto'
  fail-on-blockers:
    description: 'Fail the workflow if merge blockers are found'
    required: false
    default: 'true'
  fail-on:
    description: 'Granular fail conditions (e.g., "security:high,security:critical,test:critical")'
    required: false
    default: ''
  comment-on-pr:
    description: 'Comment on PR with review results'
    required: false
    default: 'true'
  upload-reports:
    description: 'Upload review reports as artifacts'
    required: false
    default: 'true'
  # AI Provider Configuration
  ai-provider:
    description: 'AI provider to use: anthropic, openai, openrouter, ollama, or auto'
    required: false
    default: 'auto'
  anthropic-api-key:
    description: 'Anthropic API key for Claude AI analysis'
    required: false
    default: ''
  openai-api-key:
    description: 'OpenAI API key for GPT-4 analysis'
    required: false
    default: ''
  openrouter-api-key:
    description: 'OpenRouter API key for DeepSeek/Qwen/200+ models'
    required: false
    default: ''
  openrouter-model:
    description: 'OpenRouter model ID (e.g., deepseek/deepseek-v3.2, qwen/qwen3-235b-a22b)'
    required: false
    default: 'deepseek/deepseek-v3.2'
  semgrep-enabled:
    description: 'Enable Semgrep SAST scanning with 2,000+ security rules'
    required: false
    default: 'true'
  ollama-endpoint:
    description: 'Ollama endpoint URL for local LLM (e.g., http://localhost:11434)'
    required: false
    default: ''
  model:
    description: 'AI model to use (e.g., claude-sonnet-4, gpt-4, llama3)'
    required: false
    default: 'auto'

  # Multi-Agent Configuration
  multi-agent-mode:
    description: 'Enable multi-agent mode: single, sequential, or parallel'
    required: false
    default: 'single'

  enable-multi-agent:
    description: 'Enable specialized agent personas (SecretHunter, ArchitectureReviewer, ExploitAssessor, FalsePositiveFilter, ThreatModeler) for collaborative security analysis'
    required: false
    default: 'true'

  enable-spontaneous-discovery:
    description: 'Enable agents to find security issues beyond scanner rules (15-20% more findings): missing controls, architectural flaws, implicit trust issues, config mistakes, supply chain risks'
    required: false
    default: 'true'

  enable-collaborative-reasoning:
    description: 'Enable multi-agent collaboration and discussion for consensus-based decisions (30-40% fewer false positives, but 40% higher cost)'
    required: false
    default: 'false'

  # Security Feature Toggles
  enable-api-security:
    description: 'Enable OWASP API Top 10 testing for REST/GraphQL/gRPC endpoints (BOLA, broken auth, SSRF, misconfigurations)'
    required: false
    default: 'true'

  enable-dast:
    description: 'Enable DAST scanning with Nuclei (4000+ templates) - Requires dast-target-url parameter'
    required: false
    default: 'false'

  dast-target-url:
    description: 'Target URL for DAST scanning (e.g., https://staging.example.com)'
    required: false
    default: ''

  enable-sandbox:
    description: 'Enable Docker sandbox validation for exploit verification (Phase 4) — requires Docker, full mode only'
    required: false
    default: 'false'

  enable-proof-by-exploitation:
    description: 'Enable LLM-powered proof-of-concept exploit generation + sandbox validation — requires Docker + LLM credits, full mode only'
    required: false
    default: 'false'

  enable-supply-chain:
    description: 'Enable supply chain attack detection (typosquatting, malicious packages, compromised dependencies)'
    required: false
    default: 'true'

  enable-fuzzing:
    description: 'Enable AI-guided fuzzing with 60+ payloads for APIs, functions, and file parsers'
    required: false
    default: 'false'

  fuzzing-duration:
    description: 'Fuzzing duration in seconds (default: 300)'
    required: false
    default: '300'

  enable-threat-intel:
    description: 'Enable threat intelligence enrichment (CISA KEV, EPSS, NVD, exploit databases, real-time threat context)'
    required: false
    default: 'true'

  enable-remediation:
    description: 'Enable AI-powered vulnerability fix generation with code patches and testing guidance'
    required: false
    default: 'true'

  enable-runtime-security:
    description: 'Enable container runtime security monitoring with Falco (requires Docker)'
    required: false
    default: 'false'

  runtime-monitoring-duration:
    description: 'Runtime monitoring duration in seconds (default: 60)'
    required: false
    default: '60'

  enable-regression-testing:
    description: 'Enable security regression test generation to ensure fixed vulnerabilities stay fixed'
    required: false
    default: 'true'

  enable-iris:
    description: 'Enable IRIS semantic analysis for research-proven 2x improvement in vulnerability detection (arXiv 2405.17238)'
    required: false
    default: 'true'

  severity-filter:
    description: 'Comma-separated severity levels to include in reports (e.g., critical,high,medium). Empty means all severities.'
    required: false
    default: ''

  # Exploit Analysis Configuration (Aardvark Mode)
  enable-exploit-analysis:
    description: '✅ PRODUCTION: Enable exploit chain analysis and exploitability assessment (Aardvark mode) - Working in sequential mode'
    required: false
    default: 'true'

  generate-security-tests:
    description: '✅ PRODUCTION: Auto-generate security tests for discovered vulnerabilities - Working in sequential mode'
    required: false
    default: 'true'

  exploitability-threshold:
    description: 'Block merge if exploitability is at this level or higher (trivial, moderate, complex, theoretical, none)'
    required: false
    default: 'trivial'

  # Cost/Latency Guardrails
  only-changed:
    description: 'Only analyze changed files (PR mode)'
    required: false
    default: 'false'
  include-paths:
    description: 'Glob patterns to include (comma-separated)'
    required: false
    default: ''
  exclude-paths:
    description: 'Glob patterns to exclude (comma-separated)'
    required: false
    default: '.github/**,node_modules/**,*.lock,package-lock.json'
  max-file-size:
    description: 'Max file size in bytes'
    required: false
    default: '50000'
  max-files:
    description: 'Max files to analyze'
    required: false
    default: '50'
  max-tokens:
    description: 'Max tokens per LLM call'
    required: false
    default: '8000'
  cost-limit:
    description: 'Max cost in USD per run'
    required: false
    default: '1.0'

  # Phase 2.7: Deep Analysis Configuration
  deep-analysis-mode:
    description: 'Phase 2.7 Deep Analysis mode (off, semantic-only, conservative, full)'
    required: false
    default: 'off'

  max-files-deep-analysis:
    description: 'Maximum files for Phase 2.7 Deep Analysis'
    required: false
    default: '50'

  deep-analysis-cost-ceiling:
    description: 'Cost ceiling in USD for Phase 2.7'
    required: false
    default: '5.0'

  deep-analysis-timeout:
    description: 'Timeout in seconds for Phase 2.7'
    required: false
    default: '300'

  benchmark:
    description: 'Enable benchmark reporting'
    required: false
    default: 'false'

outputs:
  review-completed:
    description: 'Whether the review completed successfully'
    value: ${{ steps.code-review.outputs.completed || steps.run-pipeline.outputs.completed }}
  blockers-found:
    description: 'Number of merge blockers found'
    value: ${{ steps.code-review.outputs.blockers || steps.run-pipeline.outputs.blockers || '0' }}
  suggestions-found:
    description: 'Number of suggestions found'
    value: ${{ steps.code-review.outputs.suggestions || steps.run-pipeline.outputs.suggestions || '0' }}
  report-path:
    description: 'Path to the generated report'
    value: ${{ steps.code-review.outputs.report-path || steps.run-pipeline.outputs.report-path }}
  sarif-path:
    description: 'Path to SARIF file for Code Scanning'
    value: ${{ steps.code-review.outputs.sarif-path || steps.run-pipeline.outputs.sarif-path }}
  json-path:
    description: 'Path to structured JSON results'
    value: ${{ steps.code-review.outputs.json-path || steps.run-pipeline.outputs.json-path }}
  cost-estimate:
    description: 'Estimated cost in USD'
    value: ${{ steps.code-review.outputs.cost-estimate || steps.run-pipeline.outputs.cost-estimate || '0.00' }}
  files-analyzed:
    description: 'Number of files analyzed'
    value: ${{ steps.code-review.outputs.files-analyzed || steps.run-pipeline.outputs.files-analyzed || '0' }}
  duration-seconds:
    description: 'Analysis duration in seconds'
    value: ${{ steps.code-review.outputs.duration-seconds || steps.run-pipeline.outputs.duration-seconds || '0' }}

  # Exploit Analysis Outputs (Aardvark Mode)
  exploitability-trivial:
    description: 'Number of trivially exploitable vulnerabilities found'
    value: ${{ steps.code-review.outputs.exploitability-trivial || steps.run-pipeline.outputs.exploitability-trivial || '0' }}

  exploitability-moderate:
    description: 'Number of moderately exploitable vulnerabilities found'
    value: ${{ steps.code-review.outputs.exploitability-moderate || steps.run-pipeline.outputs.exploitability-moderate || '0' }}

  exploitability-complex:
    description: 'Number of complex exploitability vulnerabilities found'
    value: ${{ steps.code-review.outputs.exploitability-complex || steps.run-pipeline.outputs.exploitability-complex || '0' }}

  exploit-chains-found:
    description: 'Number of exploit chains identified'
    value: ${{ steps.code-review.outputs.exploit-chains-found || steps.run-pipeline.outputs.exploit-chains-found || '0' }}

  tests-generated:
    description: 'Number of security test files generated'
    value: ${{ steps.code-review.outputs.tests-generated || steps.run-pipeline.outputs.tests-generated || '0' }}

  # Full Pipeline Outputs (hybrid_analyzer.py)
  pipeline-mode-used:
    description: 'Which pipeline mode was used (fast or full)'
    value: ${{ steps.run-pipeline.outputs.pipeline-mode-used || 'fast' }}
  total-findings:
    description: 'Total findings from full pipeline scan'
    value: ${{ steps.run-pipeline.outputs.total-findings || '0' }}
  scanners-used:
    description: 'Comma-separated list of scanners that ran'
    value: ${{ steps.run-pipeline.outputs.scanners-used || '' }}
  scan-duration-seconds:
    description: 'Full pipeline scan duration in seconds'
    value: ${{ steps.run-pipeline.outputs.scan-duration-seconds || '0' }}

runs:
  using: 'composite'
  steps:
    - name: Checkout code
      uses: actions/checkout@v4
      with:
        fetch-depth: 0

    - name: Setup Node.js
      uses: actions/setup-node@v4
      with:
        node-version: '18'
        # Cache disabled - repositories may not have lock files

    - name: Install Argus
      shell: bash
      run: |
        echo "Setting up Argus Code Reviewer system..."
        
        # Create Argus directory structure
        mkdir -p $HOME/.argus/{scripts,profiles,standards}
        
        # Copy our scripts from the action repository to the Argus directory
        if [ -d "$GITHUB_ACTION_PATH/scripts" ]; then
          cp -r $GITHUB_ACTION_PATH/scripts/* $HOME/.argus/scripts/ 2>/dev/null || echo "Note: No scripts to copy"
          echo "Scripts copied from action repository"
        fi
        
        if [ -d "$GITHUB_ACTION_PATH/profiles" ]; then
          cp -r $GITHUB_ACTION_PATH/profiles/* $HOME/.argus/profiles/ 2>/dev/null || echo "Note: No profiles to copy"
          echo "Profiles copied from action repository"
        fi
        
        # Make scripts executable
        chmod +x $HOME/.argus/scripts/*.sh 2>/dev/null || true
        chmod +x $HOME/.argus/scripts/*.py 2>/dev/null || true
        
        # Verify installation
        if [ ! -d "$HOME/.argus" ]; then
          echo "❌ Argus installation failed - directory not created"
          exit 1
        fi
        
        if [ ! -d "$HOME/.argus/scripts" ]; then
          echo "⚠️  Warning: scripts directory not found"
        fi
        
        echo "✅ Argus Code Reviewer system installed successfully"

    - name: Install Code Reviewer System
      shell: bash
      run: |
        echo "Installing code reviewer system..."
        
        # Create directories
        mkdir -p $HOME/.argus/profiles/default/agents
        mkdir -p $HOME/.argus/profiles/default/workflows/review
        mkdir -p $HOME/.argus/profiles/default/standards/review
        mkdir -p $HOME/.argus/profiles/default/commands/audit-codebase/multi-agent
        mkdir -p $HOME/.argus/profiles/default/commands/review-changes/multi-agent
        mkdir -p $HOME/.argus/profiles/default/commands/security-scan/multi-agent
        mkdir -p $HOME/.argus/profiles/default/roles
        
        # Copy code reviewer files from this repository
        if [ -d "$GITHUB_ACTION_PATH/profiles/default/agents" ]; then
          cp -r $GITHUB_ACTION_PATH/profiles/default/agents/* $HOME/.argus/profiles/default/agents/
          echo "Agents copied successfully"
        fi
        
        if [ -d "$GITHUB_ACTION_PATH/profiles/default/workflows/review" ]; then
          cp -r $GITHUB_ACTION_PATH/profiles/default/workflows/review $HOME/.argus/profiles/default/workflows/
          echo "Workflows copied successfully"
        fi
        
        if [ -d "$GITHUB_ACTION_PATH/profiles/default/standards/review" ]; then
          cp -r $GITHUB_ACTION_PATH/profiles/default/standards/review $HOME/.argus/profiles/default/standards/
          echo "Standards copied successfully"
        fi
        
        if [ -d "$GITHUB_ACTION_PATH/profiles/default/commands" ]; then
          cp -r $GITHUB_ACTION_PATH/profiles/default/commands/audit-codebase $HOME/.argus/profiles/default/commands/
          cp -r $GITHUB_ACTION_PATH/profiles/default/commands/review-changes $HOME/.argus/profiles/default/commands/
          cp -r $GITHUB_ACTION_PATH/profiles/default/commands/security-scan $HOME/.argus/profiles/default/commands/
          echo "Commands copied successfully"
        fi
        
        # Copy AI audit script (fast mode)
        if [ -f "$GITHUB_ACTION_PATH/scripts/run_ai_audit.py" ]; then
          mkdir -p $HOME/.argus/scripts
          cp $GITHUB_ACTION_PATH/scripts/run_ai_audit.py $HOME/.argus/scripts/
          chmod +x $HOME/.argus/scripts/run_ai_audit.py
          echo "AI audit script copied successfully"
        else
          echo "Warning: AI audit script not found at $GITHUB_ACTION_PATH/scripts/run_ai_audit.py"
        fi

        # Copy hybrid analyzer and supporting modules (full mode)
        if [ -f "$GITHUB_ACTION_PATH/scripts/hybrid_analyzer.py" ]; then
          cp $GITHUB_ACTION_PATH/scripts/hybrid_analyzer.py $HOME/.argus/scripts/
          chmod +x $HOME/.argus/scripts/hybrid_analyzer.py
          echo "Hybrid analyzer script copied successfully"
        fi

        # Copy all Python modules needed by hybrid_analyzer
        for module in config_loader.py agent_personas.py sandbox_validator.py \
                       heuristic_scanner.py remediation_engine.py epss_scorer.py \
                       fix_version_tracker.py vex_processor.py vuln_deduplicator.py \
                       advanced_suppression.py compliance_mapper.py license_risk_scorer.py \
                       phase_gate.py audit_trail.py error_classifier.py; do
          if [ -f "$GITHUB_ACTION_PATH/scripts/$module" ]; then
            cp "$GITHUB_ACTION_PATH/scripts/$module" $HOME/.argus/scripts/
          fi
        done

        # Copy hybrid sub-package if it exists
        if [ -d "$GITHUB_ACTION_PATH/scripts/hybrid" ]; then
          cp -r "$GITHUB_ACTION_PATH/scripts/hybrid" $HOME/.argus/scripts/
          echo "Hybrid sub-package copied successfully"
        fi

        # Copy install_security_tools.sh
        if [ -f "$GITHUB_ACTION_PATH/scripts/install_security_tools.sh" ]; then
          cp "$GITHUB_ACTION_PATH/scripts/install_security_tools.sh" $HOME/.argus/scripts/
          chmod +x $HOME/.argus/scripts/install_security_tools.sh
          echo "Security tools installer copied successfully"
        fi
        
        if [ -f "$GITHUB_ACTION_PATH/profiles/default/roles/reviewers.yml" ]; then
          cp $GITHUB_ACTION_PATH/profiles/default/roles/reviewers.yml $HOME/.argus/profiles/default/roles/
          echo "Roles copied successfully"
        fi
        
        echo "Code reviewer system installed successfully"

    - name: Install Argus to Project
      shell: bash
      env:
        INPUT_PROJECT_PATH: ${{ inputs.project-path }}
      run: |
        echo "Setting up Argus in project directory..."
        cd "$INPUT_PROJECT_PATH"
        
        # Create project-level Argus directory
        mkdir -p .argus/{config,reports}
        
        # Copy configuration files
        cp -r $HOME/.argus/profiles/default/standards .argus/ 2>/dev/null || true
        
        echo "Project Argus setup completed"

    - name: Detect Project Type
      id: detect-type
      shell: bash
      env:
        INPUT_PROJECT_PATH: ${{ inputs.project-path }}
        INPUT_PROJECT_TYPE: ${{ inputs.project-type }}
      run: |
        echo "Detecting project type..."
        cd "$INPUT_PROJECT_PATH"

        if [ "$INPUT_PROJECT_TYPE" = "auto" ]; then
          # Fallback to backend-api if detection script doesn't exist
          if [ -f "$HOME/.argus/scripts/detect-project-type.sh" ]; then
            PROJECT_TYPE=$($HOME/.argus/scripts/detect-project-type.sh .)
            echo "Auto-detected project type: $PROJECT_TYPE"
          else
            PROJECT_TYPE="backend-api"
            echo "Detection script not found, defaulting to: $PROJECT_TYPE"
          fi
        else
          PROJECT_TYPE="$INPUT_PROJECT_TYPE"
          echo "Using manual project type: $PROJECT_TYPE"
        fi
        
        echo "project-type=$PROJECT_TYPE" >> $GITHUB_OUTPUT
        echo "Detected project type: $PROJECT_TYPE"

    - name: Install Security Tools (Full Pipeline)
      if: ${{ inputs.pipeline-mode == 'full' }}
      shell: bash
      env:
        INPUT_PROJECT_PATH: ${{ inputs.project-path }}
        INPUT_ENABLE_SANDBOX: ${{ inputs.enable-sandbox }}
        INPUT_ENABLE_PROOF: ${{ inputs.enable-proof-by-exploitation }}
      run: |
        echo "Installing security tools for full 6-phase pipeline..."
        cd "$INPUT_PROJECT_PATH"

        # Install Python dependencies for hybrid analyzer
        echo "Installing Python dependencies..."
        pip install -q anthropic openai tenacity pyyaml requests urllib3 certifi cryptography semgrep pydantic rich networkx defusedxml 2>/dev/null || \
          pip install -q anthropic openai tenacity pyyaml requests semgrep pydantic rich

        # Install Trivy, Semgrep via the bundled installer
        if [ -f "$HOME/.argus/scripts/install_security_tools.sh" ]; then
          echo "Running security tools installer..."
          bash "$HOME/.argus/scripts/install_security_tools.sh" || echo "Warning: Some security tools may not have installed"
        else
          # Fallback: install tools directly
          echo "Installing Semgrep..."
          pip install -q semgrep || true

          echo "Installing Trivy..."
          TRIVY_VERSION="0.58.2"
          TRIVY_SHA256="aa2c0ed6932ae70171b4f0f3fdb0403e29d9ce7e6fddad0ea08d440fdd695742"
          curl -sSfL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" -o /tmp/trivy.tar.gz \
            && echo "${TRIVY_SHA256}  /tmp/trivy.tar.gz" | sha256sum --check \
            && tar -xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy \
            && rm /tmp/trivy.tar.gz \
            || echo "Warning: Trivy installation failed"
        fi

        # Install Checkov (IaC scanning)
        echo "Installing Checkov..."
        pip install -q checkov 2>/dev/null || echo "Warning: Checkov installation failed (optional)"

        # Install Docker SDK (for sandbox validation)
        if [ "$INPUT_ENABLE_SANDBOX" = "true" ] || [ "$INPUT_ENABLE_PROOF" = "true" ]; then
          echo "Installing Docker SDK for sandbox validation..."
          pip install -q docker || echo "Warning: Docker SDK installation failed"
        fi

        echo "Security tools installation completed"

    - name: Run Code Review
      id: code-review
      if: ${{ inputs.pipeline-mode == 'fast' }}
      shell: bash
      env:
        INPUT_AI_PROVIDER: ${{ inputs.ai-provider }}
        ANTHROPIC_API_KEY: ${{ inputs.anthropic-api-key }}
        OPENAI_API_KEY: ${{ inputs.openai-api-key }}
        OPENROUTER_API_KEY: ${{ inputs.openrouter-api-key }}
        OPENROUTER_MODEL: ${{ inputs.openrouter-model }}
        SEMGREP_ENABLED: ${{ inputs.semgrep-enabled }}
        OLLAMA_ENDPOINT: ${{ inputs.ollama-endpoint }}
        INPUT_MODEL: ${{ inputs.model }}
        INPUT_MULTI_AGENT_MODE: ${{ inputs.multi-agent-mode }}
        ENABLE_MULTI_AGENT: ${{ inputs.enable-multi-agent }}
        ENABLE_SPONTANEOUS_DISCOVERY: ${{ inputs.enable-spontaneous-discovery }}
        ENABLE_COLLABORATIVE_REASONING: ${{ inputs.enable-collaborative-reasoning }}
        INPUT_ONLY_CHANGED: ${{ inputs.only-changed }}
        INPUT_INCLUDE_PATHS: ${{ inputs.include-paths }}
        INPUT_EXCLUDE_PATHS: ${{ inputs.exclude-paths }}
        INPUT_MAX_FILE_SIZE: ${{ inputs.max-file-size }}
        INPUT_MAX_FILES: ${{ inputs.max-files }}
        INPUT_MAX_TOKENS: ${{ inputs.max-tokens }}
        INPUT_COST_LIMIT: ${{ inputs.cost-limit }}
        INPUT_FAIL_ON: ${{ inputs.fail-on }}
        # Security Feature Toggles
        ENABLE_API_SECURITY: ${{ inputs.enable-api-security }}
        ENABLE_DAST: ${{ inputs.enable-dast }}
        DAST_TARGET_URL: ${{ inputs.dast-target-url }}
        ENABLE_SUPPLY_CHAIN: ${{ inputs.enable-supply-chain }}
        ENABLE_FUZZING: ${{ inputs.enable-fuzzing }}
        FUZZING_DURATION: ${{ inputs.fuzzing-duration }}
        ENABLE_THREAT_INTEL: ${{ inputs.enable-threat-intel }}
        ENABLE_REMEDIATION: ${{ inputs.enable-remediation }}
        ENABLE_RUNTIME_SECURITY: ${{ inputs.enable-runtime-security }}
        RUNTIME_MONITORING_DURATION: ${{ inputs.runtime-monitoring-duration }}
        ENABLE_REGRESSION_TESTING: ${{ inputs.enable-regression-testing }}
        ENABLE_IRIS: ${{ inputs.enable-iris }}
        SEVERITY_FILTER: ${{ inputs.severity-filter }}
        # Exploit Analysis Configuration (Aardvark Mode)
        ENABLE_EXPLOIT_ANALYSIS: ${{ inputs.enable-exploit-analysis }}
        GENERATE_SECURITY_TESTS: ${{ inputs.generate-security-tests }}
        EXPLOITABILITY_THRESHOLD: ${{ inputs.exploitability-threshold }}
        # NEW: Phase 1 feature flags
        ENABLE_THREAT_MODELING: 'true'
        ENABLE_SANDBOX_VALIDATION: 'true'
        # Phase 2.7: Deep Analysis Configuration
        DEEP_ANALYSIS_MODE: ${{ inputs.deep-analysis-mode }}
        MAX_FILES_DEEP_ANALYSIS: ${{ inputs.max-files-deep-analysis }}
        DEEP_ANALYSIS_COST_CEILING: ${{ inputs.deep-analysis-cost-ceiling }}
        DEEP_ANALYSIS_TIMEOUT: ${{ inputs.deep-analysis-timeout }}
        BENCHMARK: ${{ inputs.benchmark }}
        ARGUS_REVIEW_TYPE: ${{ inputs.review-type }}
        INPUT_PROJECT_PATH: ${{ inputs.project-path }}
      run: |
        echo "🤖 Running AI-Powered Code Review..."
        cd "$INPUT_PROJECT_PATH"
        
        # Create reviews directory
        mkdir -p .argus/reviews
        
        # Install Python dependencies
        echo "📦 Installing dependencies..."
        pip install -q anthropic openai tenacity

        # Install Semgrep if enabled
        if [ "$SEMGREP_ENABLED" = "true" ]; then
          echo "📦 Installing Semgrep SAST scanner..."
          pip install -q semgrep
        fi

        # Run AI-powered audit with guardrails
        echo "🧠 Analyzing codebase with AI..."
        echo "⚙️  Configuration:"
        echo "   - Only changed: $INPUT_ONLY_CHANGED"
        echo "   - Max files: $INPUT_MAX_FILES"
        echo "   - Cost limit: \$$INPUT_COST_LIMIT"
        
        # Build args array safely — no eval, no string concat
        AUDIT_ARGS=("$(pwd)" "$ARGUS_REVIEW_TYPE")

        if [ "$DEEP_ANALYSIS_MODE" != "off" ]; then
          AUDIT_ARGS+=(--deep-analysis-mode "$DEEP_ANALYSIS_MODE")
          AUDIT_ARGS+=(--max-files-deep-analysis "$MAX_FILES_DEEP_ANALYSIS")
          AUDIT_ARGS+=(--deep-analysis-cost-ceiling "$DEEP_ANALYSIS_COST_CEILING")
          AUDIT_ARGS+=(--deep-analysis-timeout "$DEEP_ANALYSIS_TIMEOUT")
        fi

        if [ "$BENCHMARK" = "true" ]; then
          AUDIT_ARGS+=(--benchmark)
        fi

        python3 "$HOME/.argus/scripts/run_ai_audit.py" "${AUDIT_ARGS[@]}"
        
        # Check if analysis succeeded
        REPORT_FILE=".argus/reviews/${ARGUS_REVIEW_TYPE}-report.md"
        SARIF_FILE=".argus/reviews/results.sarif"
        JSON_FILE=".argus/reviews/results.json"
        METRICS_FILE=".argus/reviews/metrics.json"
        
        if [ ! -f "$REPORT_FILE" ]; then
          echo "❌ AI analysis failed - no report generated"
          exit 2
        fi
        
        # Extract metrics from JSON files
        if [ -f "$METRICS_FILE" ]; then
          COST=$(jq -r '.cost_usd' "$METRICS_FILE" 2>/dev/null || echo "0.00")
          FILES=$(jq -r '.files_reviewed' "$METRICS_FILE" 2>/dev/null || echo "0")
          DURATION=$(jq -r '.duration_seconds' "$METRICS_FILE" 2>/dev/null || echo "0")
          BLOCKERS=$(jq -r '.findings.critical + .findings.high' "$METRICS_FILE" 2>/dev/null || echo "0")
          SUGGESTIONS=$(jq -r '.findings.medium + .findings.low' "$METRICS_FILE" 2>/dev/null || echo "0")
          # Extract Aardvark mode metrics
          EXPLOIT_TRIVIAL=$(jq -r '.exploitability.trivial' "$METRICS_FILE" 2>/dev/null || echo "0")
          EXPLOIT_MODERATE=$(jq -r '.exploitability.moderate' "$METRICS_FILE" 2>/dev/null || echo "0")
          EXPLOIT_COMPLEX=$(jq -r '.exploitability.complex' "$METRICS_FILE" 2>/dev/null || echo "0")
          EXPLOIT_CHAINS=$(jq -r '.exploit_chains_found' "$METRICS_FILE" 2>/dev/null || echo "0")
          TESTS_GENERATED=$(jq -r '.tests_generated' "$METRICS_FILE" 2>/dev/null || echo "0")
        else
          # Fallback: count from report
          BLOCKERS=$(grep -c "\[CRITICAL\]\|\[BLOCKER\]" "$REPORT_FILE" || echo "0")
          SUGGESTIONS=$(grep -c "\[HIGH\]\|\[MEDIUM\]\|\[SUGGESTION\]" "$REPORT_FILE" || echo "0")
          COST="0.00"
          FILES="0"
          DURATION="0"
          EXPLOIT_TRIVIAL="0"
          EXPLOIT_MODERATE="0"
          EXPLOIT_COMPLEX="0"
          EXPLOIT_CHAINS="0"
          TESTS_GENERATED="0"
        fi

        # Ensure all variables have valid values (prevent empty strings that cause format errors)
        BLOCKERS="${BLOCKERS:-0}"
        SUGGESTIONS="${SUGGESTIONS:-0}"
        COST="${COST:-0.00}"
        FILES="${FILES:-0}"
        DURATION="${DURATION:-0}"
        EXPLOIT_TRIVIAL="${EXPLOIT_TRIVIAL:-0}"
        EXPLOIT_MODERATE="${EXPLOIT_MODERATE:-0}"
        EXPLOIT_COMPLEX="${EXPLOIT_COMPLEX:-0}"
        EXPLOIT_CHAINS="${EXPLOIT_CHAINS:-0}"
        TESTS_GENERATED="${TESTS_GENERATED:-0}"

        # Write all outputs atomically to prevent format errors
        {
          echo "completed=true"
          echo "blockers=$BLOCKERS"
          echo "suggestions=$SUGGESTIONS"
          echo "report-path=$REPORT_FILE"
          echo "sarif-path=$SARIF_FILE"
          echo "json-path=$JSON_FILE"
          echo "cost-estimate=$COST"
          echo "files-analyzed=$FILES"
          echo "duration-seconds=$DURATION"
          echo "exploitability-trivial=$EXPLOIT_TRIVIAL"
          echo "exploitability-moderate=$EXPLOIT_MODERATE"
          echo "exploitability-complex=$EXPLOIT_COMPLEX"
          echo "exploit-chains-found=$EXPLOIT_CHAINS"
          echo "tests-generated=$TESTS_GENERATED"
        } >> $GITHUB_OUTPUT

        echo "✅ Code review completed successfully (fast mode)"

    # ── Full Pipeline Mode (hybrid_analyzer.py) ────────────────────────────
    - name: Run Full Pipeline
      id: run-pipeline
      if: ${{ inputs.pipeline-mode == 'full' }}
      shell: bash
      env:
        INPUT_AI_PROVIDER: ${{ inputs.ai-provider }}
        ANTHROPIC_API_KEY: ${{ inputs.anthropic-api-key }}
        OPENAI_API_KEY: ${{ inputs.openai-api-key }}
        OPENROUTER_API_KEY: ${{ inputs.openrouter-api-key }}
        OPENROUTER_MODEL: ${{ inputs.openrouter-model }}
        OLLAMA_ENDPOINT: ${{ inputs.ollama-endpoint }}
        INPUT_MODEL: ${{ inputs.model }}
        # Scanner toggles (read by hybrid_analyzer via env vars)
        ENABLE_SEMGREP: ${{ inputs.semgrep-enabled }}
        ENABLE_TRIVY: 'true'
        ENABLE_CHECKOV: 'true'
        ENABLE_TRUFFLEHOG: 'true'
        # Feature toggles
        ENABLE_MULTI_AGENT: ${{ inputs.enable-multi-agent }}
        ENABLE_SPONTANEOUS_DISCOVERY: ${{ inputs.enable-spontaneous-discovery }}
        ENABLE_COLLABORATIVE_REASONING: ${{ inputs.enable-collaborative-reasoning }}
        ENABLE_API_SECURITY: ${{ inputs.enable-api-security }}
        ENABLE_DAST: ${{ inputs.enable-dast }}
        DAST_TARGET_URL: ${{ inputs.dast-target-url }}
        ENABLE_SUPPLY_CHAIN: ${{ inputs.enable-supply-chain }}
        ENABLE_FUZZING: ${{ inputs.enable-fuzzing }}
        FUZZING_DURATION: ${{ inputs.fuzzing-duration }}
        ENABLE_THREAT_INTEL: ${{ inputs.enable-threat-intel }}
        ENABLE_REMEDIATION: ${{ inputs.enable-remediation }}
        ENABLE_RUNTIME_SECURITY: ${{ inputs.enable-runtime-security }}
        RUNTIME_MONITORING_DURATION: ${{ inputs.runtime-monitoring-duration }}
        ENABLE_REGRESSION_TESTING: ${{ inputs.enable-regression-testing }}
        ENABLE_IRIS: ${{ inputs.enable-iris }}
        SEVERITY_FILTER: ${{ inputs.severity-filter }}
        ENABLE_SANDBOX_VALIDATION: ${{ inputs.enable-sandbox }}
        ENABLE_PROOF_BY_EXPLOITATION: ${{ inputs.enable-proof-by-exploitation }}
        ENABLE_AI_ENRICHMENT: 'true'
        # Cost/Latency Guardrails
        INPUT_COST_LIMIT: ${{ inputs.cost-limit }}
        INPUT_MAX_FILES: ${{ inputs.max-files }}
        INPUT_PROJECT_PATH: ${{ inputs.project-path }}
      run: |
        echo "Running Full 6-Phase Security Pipeline (hybrid_analyzer.py)..."
        cd "$INPUT_PROJECT_PATH"

        # Create results directory
        mkdir -p .argus/hybrid-results

        echo "Configuration:"
        echo "   - Pipeline mode: full"
        echo "   - AI provider: $INPUT_AI_PROVIDER"
        echo "   - DAST enabled: $ENABLE_DAST"
        echo "   - Sandbox enabled: $ENABLE_SANDBOX_VALIDATION"
        echo "   - Cost limit: \$$INPUT_COST_LIMIT"

        # Build args array safely
        PIPELINE_ARGS=("$(pwd)")
        PIPELINE_ARGS+=(--output-dir ".argus/hybrid-results")

        # Severity filter
        if [ -n "$SEVERITY_FILTER" ]; then
          PIPELINE_ARGS+=(--severity-filter "$SEVERITY_FILTER")
        fi

        # AI provider
        if [ -n "$INPUT_AI_PROVIDER" ] && [ "$INPUT_AI_PROVIDER" != "auto" ]; then
          PIPELINE_ARGS+=(--ai-provider "$INPUT_AI_PROVIDER")
        fi

        # DAST target URL
        if [ "$ENABLE_DAST" = "true" ] && [ -n "$DAST_TARGET_URL" ]; then
          PIPELINE_ARGS+=(--enable-dast --dast-target-url "$DAST_TARGET_URL")
        fi

        # Fuzzing duration
        if [ "$ENABLE_FUZZING" = "true" ]; then
          PIPELINE_ARGS+=(--enable-fuzzing --fuzzing-duration "$FUZZING_DURATION")
        fi

        # Runtime monitoring duration
        if [ "$ENABLE_RUNTIME_SECURITY" = "true" ]; then
          PIPELINE_ARGS+=(--enable-runtime-security --runtime-monitoring-duration "$RUNTIME_MONITORING_DURATION")
        fi

        # Run the hybrid analyzer
        # Add scripts dir to PYTHONPATH so hybrid_analyzer can find its modules
        export PYTHONPATH="$HOME/.argus/scripts:$PYTHONPATH"

        set +e
        python3 "$HOME/.argus/scripts/hybrid_analyzer.py" "${PIPELINE_ARGS[@]}"
        PIPELINE_EXIT=$?
        set -e

        echo "pipeline-mode-used=full" >> $GITHUB_OUTPUT

        # Parse results from the hybrid output
        RESULTS_DIR=".argus/hybrid-results"
        JSON_FILE=$(ls -t "$RESULTS_DIR"/*.json 2>/dev/null | head -1 || true)
        SARIF_FILE=$(ls -t "$RESULTS_DIR"/*.sarif 2>/dev/null | head -1 || true)

        if [ -n "$JSON_FILE" ] && [ -f "$JSON_FILE" ]; then
          CRITICAL=$(jq -r '.findings_by_severity.critical // 0' "$JSON_FILE" 2>/dev/null || echo "0")
          HIGH=$(jq -r '.findings_by_severity.high // 0' "$JSON_FILE" 2>/dev/null || echo "0")
          MEDIUM=$(jq -r '.findings_by_severity.medium // 0' "$JSON_FILE" 2>/dev/null || echo "0")
          LOW=$(jq -r '.findings_by_severity.low // 0' "$JSON_FILE" 2>/dev/null || echo "0")
          TOTAL=$(jq -r '.total_findings // 0' "$JSON_FILE" 2>/dev/null || echo "0")
          DURATION=$(jq -r '.scan_duration_seconds // 0' "$JSON_FILE" 2>/dev/null || echo "0")
          COST=$(jq -r '.cost_usd // 0' "$JSON_FILE" 2>/dev/null || echo "0.00")
          SCANNERS=$(jq -r '.scanners_used // [] | join(",")' "$JSON_FILE" 2>/dev/null || echo "")
        else
          CRITICAL="0"
          HIGH="0"
          MEDIUM="0"
          LOW="0"
          TOTAL="0"
          DURATION="0"
          COST="0.00"
          SCANNERS=""
        fi

        BLOCKERS=$(( ${CRITICAL:-0} + ${HIGH:-0} ))
        SUGGESTIONS=$(( ${MEDIUM:-0} + ${LOW:-0} ))

        # Write outputs (compatible with fast-mode output names for downstream steps)
        {
          echo "completed=true"
          echo "blockers=$BLOCKERS"
          echo "suggestions=$SUGGESTIONS"
          echo "report-path=${RESULTS_DIR}"
          echo "sarif-path=${SARIF_FILE:-}"
          echo "json-path=${JSON_FILE:-}"
          echo "cost-estimate=${COST}"
          echo "files-analyzed=0"
          echo "duration-seconds=${DURATION}"
          echo "total-findings=${TOTAL}"
          echo "scanners-used=${SCANNERS}"
          echo "scan-duration-seconds=${DURATION}"
          echo "exploitability-trivial=0"
          echo "exploitability-moderate=0"
          echo "exploitability-complex=0"
          echo "exploit-chains-found=0"
          echo "tests-generated=0"
        } >> $GITHUB_OUTPUT

        echo "Full pipeline completed with exit code: $PIPELINE_EXIT"
        echo "  Critical: $CRITICAL | High: $HIGH | Medium: $MEDIUM | Low: $LOW"

        # Exit with pipeline exit code (non-zero if critical/high findings)
        if [ "$PIPELINE_EXIT" -ne 0 ]; then
          echo "Full pipeline found critical/high severity issues"
        fi

        echo "Full 6-phase pipeline completed successfully"

    # Upload SARIF from full pipeline to GitHub Security tab
    - name: Upload SARIF (Full Pipeline)
      if: ${{ inputs.pipeline-mode == 'full' && always() }}
      uses: github/codeql-action/upload-sarif@b5ebac6f4c00c8ccddb7cdcd45fdb248329f808a  # v3
      continue-on-error: true
      with:
        sarif_file: ${{ inputs.project-path }}/.argus/hybrid-results/
        category: argus-full-pipeline
      env:
        GITHUB_TOKEN: ${{ github.token }}

    # ── Shared Steps (both modes) ──────────────────────────────────────────

    # Upload artifacts - pinned by SHA
    - name: Upload Review Reports (Fast Mode)
      if: ${{ inputs.upload-reports == 'true' && inputs.pipeline-mode == 'fast' }}
      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874  # v4.4.0
      with:
        name: code-review-reports-${{ github.run_id }}-${{ github.run_attempt }}
        path: ${{ inputs.project-path }}/.argus/reviews/
        retention-days: 30

    - name: Upload Pipeline Reports (Full Mode)
      if: ${{ inputs.upload-reports == 'true' && inputs.pipeline-mode == 'full' }}
      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874  # v4.4.0
      with:
        name: full-pipeline-reports-${{ github.run_id }}-${{ github.run_attempt }}
        path: ${{ inputs.project-path }}/.argus/hybrid-results/
        retention-days: 90

    # Create PR - pinned by SHA
    - name: Create PR with Audit Findings
      if: ${{ github.event_name != 'pull_request' && (steps.code-review.outputs.blockers > 0 || steps.run-pipeline.outputs.blockers > 0) }}
      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea  # v7.0.1
      env:
        GITHUB_TOKEN: ${{ github.token }}
        BLOCKER_COUNT: ${{ steps.code-review.outputs.blockers || steps.run-pipeline.outputs.blockers || '0' }}
        SUGGESTION_COUNT: ${{ steps.code-review.outputs.suggestions || steps.run-pipeline.outputs.suggestions || '0' }}
        REVIEW_TYPE: ${{ inputs.review-type }}
        PROJECT_PATH: ${{ inputs.project-path }}
        PIPELINE_MODE: ${{ inputs.pipeline-mode }}
      with:
        script: |
          const fs = require('fs');
          const path = require('path');

          // Read the audit report
          const reportPath = `${process.env.PROJECT_PATH || '.'}/.argus/reviews/${process.env.REVIEW_TYPE || 'audit'}-report.md`;
          let reportContent = '';

          if (fs.existsSync(reportPath)) {
            reportContent = fs.readFileSync(reportPath, 'utf8');
          } else {
            console.log('No report found at:', reportPath);
            return;
          }

          // Extract key findings for PR title and description
          const blockerCount = parseInt(process.env.BLOCKER_COUNT || '0', 10);
          const suggestionCount = parseInt(process.env.SUGGESTION_COUNT || '0', 10);
          
          // Generate branch name with timestamp
          const timestamp = new Date().toISOString().split('T')[0].replace(/-/g, '');
          const branchName = `audit/code-review-findings-${timestamp}`;
          
          // Check for existing PRs with similar findings
          const { data: existingPRs } = await github.rest.pulls.list({
            owner: context.repo.owner,
            repo: context.repo.repo,
            state: 'open',
            head: `${context.repo.owner}:${branchName}`
          });
          
          // Also check for any open audit PRs
          const { data: allOpenPRs } = await github.rest.pulls.list({
            owner: context.repo.owner,
            repo: context.repo.repo,
            state: 'open'
          });
          
          const auditPRs = allOpenPRs.filter(pr => 
            pr.head.ref.startsWith('audit/') && 
            pr.title.includes('Code Review Findings')
          );
          
          // If there's an existing OPEN audit PR, update it instead of creating a new one
          if (auditPRs.length > 0) {
            console.log(`Found ${auditPRs.length} existing OPEN audit PR(s). Updating the most recent one...`);
            
            // Update the most recent audit PR
            const latestPR = auditPRs[0];
            
            // Add a comment with new findings
            const updateBody = [
              '## 🔄 Updated Code Review Findings',
              '',
              `**Run Date:** ${new Date().toISOString()}`,
              `**Commit:** ${context.sha}`,
              `**Blockers Found:** ${blockerCount}`,
              `**Suggestions:** ${suggestionCount}`,
              '',
              '---',
              '',
              reportContent,
              '',
              '---',
              '',
              '**Note:** This is an automated update from the latest code review run.',
              `**Artifact:** code-review-reports-${context.runId}-${context.runAttempt}`,
              `**Run URL:** ${context.payload.repository.html_url}/actions/runs/${context.runId}`
            ].join('\n');
            
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: latestPR.number,
              body: updateBody
            });
            
            console.log(`✅ Updated existing PR #${latestPR.number} with new findings`);
            return; // Exit early - don't create a new PR
          }
          
          // No existing OPEN PR found, create a new one
          console.log('No existing OPEN audit PR found. Creating new PR...');
          
          // Get current branch
          const currentBranch = context.ref.replace('refs/heads/', '');
          
          // Get current commit
          const { data: refData } = await github.rest.git.getRef({
            owner: context.repo.owner,
            repo: context.repo.repo,
            ref: `heads/${currentBranch}`
          });
          
          // Create a commit with the audit report
          const reportFileName = `audit-reports/code-review-${timestamp}.md`;
          const reportContentBase64 = Buffer.from(reportContent).toString('base64');
          
          // Create a blob for the report
          const { data: blob } = await github.rest.git.createBlob({
            owner: context.repo.owner,
            repo: context.repo.repo,
            content: reportContentBase64,
            encoding: 'base64'
          });
          
          // Get the current tree
          const { data: currentCommit } = await github.rest.git.getCommit({
            owner: context.repo.owner,
            repo: context.repo.repo,
            commit_sha: refData.object.sha
          });
          
          // Create a new tree with the report file
          const { data: newTree } = await github.rest.git.createTree({
            owner: context.repo.owner,
            repo: context.repo.repo,
            base_tree: currentCommit.tree.sha,
            tree: [
              {
                path: reportFileName,
                mode: '100644',
                type: 'blob',
                sha: blob.sha
              }
            ]
          });
          
          // Create a new commit
          const { data: newCommit } = await github.rest.git.createCommit({
            owner: context.repo.owner,
            repo: context.repo.repo,
            message: `Add automated code review findings\n\nBlockers: ${blockerCount}\nSuggestions: ${suggestionCount}\n\nGenerated by Argus Code Reviewer`,
            tree: newTree.sha,
            parents: [refData.object.sha]
          });
          
          // Create or update branch pointing to the new commit
          try {
            await github.rest.git.createRef({
              owner: context.repo.owner,
              repo: context.repo.repo,
              ref: `refs/heads/${branchName}`,
              sha: newCommit.sha
            });
          } catch (error) {
            if (error.status === 422) {
              // Branch already exists, update it
              await github.rest.git.updateRef({
                owner: context.repo.owner,
                repo: context.repo.repo,
                ref: `heads/${branchName}`,
                sha: newCommit.sha,
                force: true
              });
            } else {
              throw error;
            }
          }
          
          // Check if PR already exists for this branch
          const { data: existingBranchPRs } = await github.rest.pulls.list({
            owner: context.repo.owner,
            repo: context.repo.repo,
            state: 'open',
            head: `${context.repo.owner}:${branchName}`,
            base: currentBranch
          });
          
          if (existingBranchPRs.length > 0) {
            console.log(`PR already exists for branch ${branchName}. Updating it...`);
            const existingPR = existingBranchPRs[0];
            
            // Add a comment with new findings
            const updateBody = [
              '## 🔄 Updated Code Review Findings',
              '',
              `**Run Date:** ${new Date().toISOString()}`,
              `**Commit:** ${newCommit.sha}`,
              `**Blockers Found:** ${blockerCount}`,
              `**Suggestions:** ${suggestionCount}`,
              '',
              '---',
              '',
              reportContent,
              '',
              '---',
              '',
              '**Note:** This is an automated update from the latest code review run.',
              `**Artifact:** code-review-reports-${context.runNumber}`,
              `**Run URL:** ${context.payload.repository.html_url}/actions/runs/${context.runId}`
            ].join('\n');
            
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: existingPR.number,
              body: updateBody
            });
            
            console.log(`Updated existing PR #${existingPR.number}`);
            return;
          }
          
          // Create new PR
          const prTitle = `🔍 Code Review Findings: ${blockerCount} Blocker(s), ${suggestionCount} Suggestion(s)`;
          const prBody = [
            '## 📊 Automated Code Review Report',
            '',
            `**Review Date:** ${new Date().toISOString()}`,
            `**Repository:** ${context.repo.owner}/${context.repo.repo}`,
            `**Branch:** ${currentBranch}`,
            `**Commit:** ${newCommit.sha}`,
            `**Review Type:** ${process.env.REVIEW_TYPE}`,
            '',
            '### 📈 Summary',
            `- **Merge Blockers:** ${blockerCount} (Must fix before merge)`,
            `- **Suggestions:** ${suggestionCount} (Recommended improvements)`,
            '',
            '---',
            '',
            reportContent,
            '',
            '---',
            '',
            '### 📁 Artifacts',
            `- **Report Artifact:** code-review-reports-${context.runNumber}`,
            `- **Run URL:** ${context.payload.repository.html_url}/actions/runs/${context.runId}`,
            '',
            '### 🤖 Automated Review',
            'This PR was automatically created by the Argus Code Reviewer system.',
            'Please review the findings and address the merge blockers before merging.',
            '',
            '**Note:** If you fix the issues, this PR will be automatically updated on the next review run.'
          ].join('\n');
          
          const { data: pr } = await github.rest.pulls.create({
            owner: context.repo.owner,
            repo: context.repo.repo,
            title: prTitle,
            head: branchName,
            base: currentBranch,
            body: prBody
          });
          
          console.log(`Created PR #${pr.number}: ${pr.html_url}`);
          
          // Add labels
          await github.rest.issues.addLabels({
            owner: context.repo.owner,
            repo: context.repo.repo,
            issue_number: pr.number,
            labels: ['automated-review', 'code-quality', 'security']
          });

    # Comment on PR - pinned by SHA
    - name: Comment on PR
      if: ${{ github.event_name == 'pull_request' && inputs.comment-on-pr == 'true' }}
      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea  # v7.0.1
      with:
        script: |
          const fs = require('fs');
          const path = require('path');
          
          // Read the review report
          const reportPath = '${{ inputs.project-path }}/.argus/reviews/review-report.md';
          let reportContent = '';
          
          if (fs.existsSync(reportPath)) {
            reportContent = fs.readFileSync(reportPath, 'utf8');
          } else {
            reportContent = '## Code Review Report\n\nReview completed successfully. Please check the artifacts for detailed reports.';
          }
          
          // Create PR comment
          const comment = `## 🔍 Code Review Report
          
          ${reportContent}
          
          ---
          
          **Review completed by:** Code Reviewer System
          **Review date:** ${new Date().toISOString()}
          **Repository:** ${context.repo.owner}/${context.repo.repo}
          **Branch:** ${context.ref.replace('refs/heads/', '')}
          **Commit:** ${context.sha}
          
          📁 **Detailed reports available in artifacts:** code-review-reports-${context.runNumber}`;
          
          // Post comment
          await github.rest.issues.createComment({
            issue_number: context.issue.number,
            owner: context.repo.owner,
            repo: context.repo.repo,
            body: comment
          });

    - name: Fail on Blockers (Fast Mode)
      if: ${{ inputs.fail-on-blockers == 'true' && inputs.pipeline-mode == 'fast' && steps.code-review.outputs.blockers > 0 }}
      shell: bash
      run: |
        echo "Merge blockers found: ${{ steps.code-review.outputs.blockers }}"
        echo "Please fix all merge blockers before merging."
        exit 1

    - name: Fail on Blockers (Full Pipeline)
      if: ${{ inputs.fail-on-blockers == 'true' && inputs.pipeline-mode == 'full' && steps.run-pipeline.outputs.blockers > 0 }}
      shell: bash
      run: |
        echo "Full pipeline found blockers: ${{ steps.run-pipeline.outputs.blockers }}"
        echo "Scanners used: ${{ steps.run-pipeline.outputs.scanners-used }}"
        echo "Total findings: ${{ steps.run-pipeline.outputs.total-findings }}"
        echo "Please fix all critical/high severity issues before merging."
        exit 1