feat: add SAST/SCA Security Analyzer agent and audit-integrity skill

docs/README.agents.md

@@ -187,6 +187,7 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-agents) for guidelines on how to
 | [Salesforce Flow Development](../agents/salesforce-flow.agent.md)<br />[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fsalesforce-flow.agent.md)<br />[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fsalesforce-flow.agent.md) | Implement business automation using Salesforce Flow following declarative automation best practices. |  |
 | [Salesforce UI Development (Aura & LWC)](../agents/salesforce-aura-lwc.agent.md)<br />[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fsalesforce-aura-lwc.agent.md)<br />[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fsalesforce-aura-lwc.agent.md) | Implement Salesforce UI components using Lightning Web Components and Aura components following Lightning framework best practices. |  |
 | [Salesforce Visualforce Development](../agents/salesforce-visualforce.agent.md)<br />[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fsalesforce-visualforce.agent.md)<br />[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fsalesforce-visualforce.agent.md) | Implement Visualforce pages and controllers following Salesforce MVC architecture and best practices. |  |
+| [SAST/SCA Security Analyzer](../agents/sast-sca-security-analyzer.agent.md)<br />[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fsast-sca-security-analyzer.agent.md)<br />[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fsast-sca-security-analyzer.agent.md) | Use when: performing SAST (Static Application Security Testing), SCA (Software Composition Analysis), scanning source code or binaries for security flaws, auditing third-party dependency vulnerabilities, checking policy compliance, generating structured security reports, identifying CWE-mapped flaws with file/line precision, reviewing open-source license risk, or producing CI/CD-gate security findings. |  |
 | [Scientific Paper Research](../agents/scientific-paper-research.agent.md)<br />[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fscientific-paper-research.agent.md)<br />[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fscientific-paper-research.agent.md) | Research agent that searches scientific papers and retrieves structured experimental data from full-text studies using the BGPT MCP server. | bgpt<br />[![Install MCP](https://img.shields.io/badge/Install-VS_Code-0098FF?style=flat-square)](https://aka.ms/awesome-copilot/install/mcp-vscode?name=bgpt&config=%7B%22command%22%3A%22%22%2C%22args%22%3A%5B%5D%2C%22env%22%3A%7B%7D%7D)<br />[![Install MCP](https://img.shields.io/badge/Install-VS_Code_Insiders-24bfa5?style=flat-square)](https://aka.ms/awesome-copilot/install/mcp-vscodeinsiders?name=bgpt&config=%7B%22command%22%3A%22%22%2C%22args%22%3A%5B%5D%2C%22env%22%3A%7B%7D%7D)<br />[![Install MCP](https://img.shields.io/badge/Install-Visual_Studio-C16FDE?style=flat-square)](https://aka.ms/awesome-copilot/install/mcp-visualstudio/mcp-install?%7B%22command%22%3A%22%22%2C%22args%22%3A%5B%5D%2C%22env%22%3A%7B%7D%7D) |
 | [SE: Architect](../agents/se-system-architecture-reviewer.agent.md)<br />[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fse-system-architecture-reviewer.agent.md)<br />[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fse-system-architecture-reviewer.agent.md) | System architecture review specialist with Well-Architected frameworks, design validation, and scalability analysis for AI and distributed systems |  |
 | [SE: DevOps/CI](../agents/se-gitops-ci-specialist.agent.md)<br />[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fse-gitops-ci-specialist.agent.md)<br />[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fse-gitops-ci-specialist.agent.md) | DevOps specialist for CI/CD pipelines, deployment debugging, and GitOps workflows focused on making deployments boring and reliable |  |

docs/README.skills.md

@@ -49,6 +49,7 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-skills) for guidelines on how to
 | [arize-trace](../skills/arize-trace/SKILL.md) | INVOKE THIS SKILL when downloading or exporting Arize traces and spans. Covers exporting traces by ID, sessions by ID, and debugging LLM application issues using the ax CLI. | `references/ax-profiles.md`<br />`references/ax-setup.md` |
 | [aspire](../skills/aspire/SKILL.md) | Aspire skill covering the Aspire CLI, AppHost orchestration, service discovery, integrations, MCP server, VS Code extension, Dev Containers, GitHub Codespaces, templates, dashboard, and deployment. Use when the user asks to create, run, debug, configure, deploy, or troubleshoot an Aspire distributed application. | `references/architecture.md`<br />`references/cli-reference.md`<br />`references/dashboard.md`<br />`references/deployment.md`<br />`references/integrations-catalog.md`<br />`references/mcp-server.md`<br />`references/polyglot-apis.md`<br />`references/testing.md`<br />`references/troubleshooting.md` |
 | [aspnet-minimal-api-openapi](../skills/aspnet-minimal-api-openapi/SKILL.md) | Create ASP.NET Minimal API endpoints with proper OpenAPI documentation | None |
+| [audit-integrity](../skills/audit-integrity/SKILL.md) | Shared audit integrity framework for all AppSec agents — enforces output quality, intellectual honesty, and continuous improvement through anti-rationalization guards, self-critique loops, retry protocols, non-negotiable behaviors, self-reflection quality gates (1-10 scoring, ≥8 threshold), and a self-learning system with lesson/memory governance for security analysis agents. | `references/anti-rationalization-guard.md`<br />`references/clarification-protocol.md`<br />`references/non-negotiable-behaviors.md`<br />`references/retry-protocol.md`<br />`references/self-critique-loop.md`<br />`references/self-learning-system.md`<br />`references/self-reflection-quality-gate.md` |
 | [automate-this](../skills/automate-this/SKILL.md) | Analyze a screen recording of a manual process and produce targeted, working automation scripts. Extracts frames and audio narration from video files, reconstructs the step-by-step workflow, and proposes automation at multiple complexity levels using tools already installed on the user machine. | None |
 | [autoresearch](../skills/autoresearch/SKILL.md) | Autonomous iterative experimentation loop for any programming task. Guides the user through defining goals, measurable metrics, and scope constraints, then runs an autonomous loop of code changes, testing, measuring, and keeping/discarding results. Inspired by Karpathy's autoresearch. USE FOR: autonomous improvement, iterative optimization, experiment loop, auto research, performance tuning, automated experimentation, hill climbing, try things automatically, optimize code, run experiments, autonomous coding loop. DO NOT USE FOR: one-shot tasks, simple bug fixes, code review, or tasks without a measurable metric. | None |
 | [aws-cdk-python-setup](../skills/aws-cdk-python-setup/SKILL.md) | Setup and initialization guide for developing AWS CDK (Cloud Development Kit) applications in Python. This skill enables users to configure environment prerequisites, create new CDK projects, manage dependencies, and deploy to AWS. | None |

skills/audit-integrity/SKILL.md

@@ -0,0 +1,50 @@
+---
+name: 'audit-integrity'
+description: 'Shared audit integrity framework for all AppSec agents — enforces output quality, intellectual honesty, and continuous improvement through anti-rationalization guards, self-critique loops, retry protocols, non-negotiable behaviors, self-reflection quality gates (1-10 scoring, ≥8 threshold), and a self-learning system with lesson/memory governance for security analysis agents.'
+compatibility: 'Cross-platform. Works with any language or framework analyzed by AppSec agents.'
+metadata:
+  version: '1.0'
+---
+
+# Audit Integrity Skill
+
+Enforces output quality, intellectual honesty, and continuous improvement across all AppSec agents.
+
+## When to Use
+
+- Every security analysis, code review, threat model, or quality scan agent run
+- Applied automatically as a post-analysis quality gate
+- Applicable to any agent performing SAST, SCA, threat modeling, or code quality analysis
+
+## Components
+
+This skill provides 7 reusable capabilities. Agents apply all 7 unless their scope excludes a specific component.
+
+| Component | Reference File | Purpose |
+|-----------|---------------|---------|
+| Clarification Protocol | [clarification-protocol.md](references/clarification-protocol.md) | Ask ≤2 targeted questions before analysis when scope is ambiguous |
+| Anti-Rationalization Guard | [anti-rationalization-guard.md](references/anti-rationalization-guard.md) | Table of prohibited rationalizations with mandatory responses |
+| Self-Critique Loop | [self-critique-loop.md](references/self-critique-loop.md) | Mandatory second-pass review after initial analysis |
+| Retry Protocol | [retry-protocol.md](references/retry-protocol.md) | Tool failure handling — retry once, then document |
+| Non-Negotiable Behaviors | [non-negotiable-behaviors.md](references/non-negotiable-behaviors.md) | Hard rules: never fabricate, always cite evidence, report gaps |
+| Self-Reflection Quality Gate | [self-reflection-quality-gate.md](references/self-reflection-quality-gate.md) | 1–10 scoring rubric with ≥8 threshold per category |
+| Self-Learning System | [self-learning-system.md](references/self-learning-system.md) | Lesson/Memory templates and governance rules |
+
+## Execution Flow
+
+1. **Before analysis**: Apply Clarification Protocol if scope is ambiguous
+2. **During analysis**: Apply Anti-Rationalization Guard at every decision point
+3. **After initial pass**: Execute Self-Critique Loop (mandatory second pass)
+4. **On tool failure**: Apply Retry Protocol
+5. **Before delivery**: Run Self-Reflection Quality Gate (all categories must score ≥8)
+6. **After delivery**: Create Lessons/Memories for novel findings, false positives, or methodology gaps (see Self-Learning System)
+
+## Agent-Specific Adaptation
+
+Each agent customizes the **Self-Critique Loop** checklist and **Self-Reflection Quality Gate** categories to match its domain. The reference files provide the base templates; agents extend them with domain-specific items.
+
+### Example extensions per agent type
+- **SAST/SCA agents**: Add taint trace completeness and manifest coverage checks
+- **SonarQube-style agents**: Add rating sanity check (A–E consistency with findings)
+- **Threat modeling agents**: Add STRIDE category completeness per trust boundary
+- **Code review agents**: Add trust boundary audit with data flow tracing

skills/audit-integrity/references/anti-rationalization-guard.md

@@ -0,0 +1,38 @@
+# Anti-Rationalization Guard
+
+These rationalizations are **never** valid justifications for skipping, omitting, or downgrading findings:
+
+## Universal Rationalizations (All Agents)
+
+| If you think...                          | Mandatory response                                                                                                          |
+| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
+| "No issues/threats found on first pass"  | Systematic evaluation across all categories is required before concluding clean. Expand scope and complete the full matrix. |
+| "This looks fine, skip deep analysis"    | "Looks fine" is not evidence. Evidence = code trace, architecture reference, or rule match. Run checks.                     |
+| "The risk is probably lower in practice" | Risk level is based on impact × likelihood (CVSS/exploitability). Justify any downgrade with explicit evidence.             |
+| "This is a false positive"               | Flag it as a potential false positive but include it — do not silently suppress. Document the rationale for human review.   |
+| "This is outside scope"                  | State explicitly why, with a reference to the declared scope or assessment boundary.                                        |
+| "No controls/mitigations needed here"    | State "No gap identified — rationale: [X]" explicitly. Silence is not assurance.                                            |
+
+## SAST/SCA-Specific
+
+| If you think...                          | Mandatory response                                                                                                |
+| ---------------------------------------- | ----------------------------------------------------------------------------------------------------------------- |
+| "SCA CVE isn't exploitable here"         | Include the CVE with a documented context note — do not silently suppress.                                        |
+| "This phase can be skipped"              | All phases are mandatory. Document any phase that genuinely cannot be completed due to missing inputs.            |
+| "Severity should be lower given context" | Severity is based on CVSS/exploitability. Justify any downgrade with explicit evidence. Document, don't suppress. |
+
+## Code Quality-Specific
+
+| If you think...                            | Mandatory response                                                                                   |
+| ------------------------------------------ | ---------------------------------------------------------------------------------------------------- |
+| "The team will refactor this later"        | Technical debt still counts toward the debt ratio today. Document it accurately.                     |
+| "Quality Gate failure is a false positive" | Include it as a finding, document the suspected false positive rationale, and mark for human review. |
+
+## Threat Modeling-Specific
+
+| If you think...                                | Mandatory response                                                                                               |
+| ---------------------------------------------- | ---------------------------------------------------------------------------------------------------------------- |
+| "This threat is mitigated by the architecture" | Document the specific compensating control and verify it is actually implemented — do not assume.                |
+| "This category has no applicable threats here" | State "No applicable threats identified — rationale: [X]" explicitly. Do not silently omit.                      |
+| "Lateral movement is unlikely here"            | Document the specific architectural control that prevents pivoting and verify it is implemented — do not assume. |
+| "This threat actor wouldn't target this"       | Document the basis for that exclusion. Insider threats and supply chain actors must always be considered.        |

skills/audit-integrity/references/clarification-protocol.md

@@ -0,0 +1,15 @@
+# Clarification Protocol
+
+Before beginning analysis, pause and ask the user at most **2 targeted questions** when:
+
+- The system scope, asset boundary, or target module is ambiguous and cannot be inferred from the provided context
+- A critical trust boundary, privilege tier, or authentication zone is undefined and the analysis would significantly change depending on the interpretation
+- The business context required for impact prioritization or compliance framework selection is entirely absent
+- The language or framework cannot be auto-detected from the workspace
+
+**Rules:**
+
+1. State your working assumptions explicitly, then proceed
+2. Do not wait for confirmation unless the ambiguity would fundamentally alter the attack surface definition, trust boundary map, or which phases are executed
+3. Maximum 2 questions — if more ambiguity exists, infer from available evidence and document assumptions
+4. If no ambiguity exists, proceed directly without questions