Add dedicated security review action #72

@monkut

Context

None of the current askcc actions explicitly check for security issues. The pipeline has no security review step between develop and pr-review.

Proposal

Add a security-review action that can be run against a linked PR:

askcc security-review --github-issue-url <url>

The security review agent would check:

  • OWASP Top 10 vulnerabilities in the diff
  • Exposed secrets or credentials
  • SQL/command injection vectors
  • Unsafe input handling
  • Dependency vulnerabilities (if lockfile changed)
  • Authentication/authorization gaps

The review would be posted as a PR comment or review.

Alternative (lower effort)

Instead of a dedicated action, add a security checklist to the existing REVIEWPR_AGENT_PROMPT as part of the Definition of Done. This is partially addressed by the "expand DEVELOP prompt" sibling issue which adds a security checklist to the develop phase.

Rationale

Research shows security review as standard practice in mature frameworks:

  • gstack: /cso runs STRIDE threat modeling + OWASP Top 10
  • agent-skills: security-and-hardening skill with three-tier boundary system
  • Everything Claude Code: AgentShield scanner with 102 detection rules

Priority

Low — the security checklist in the DEVELOP prompt (sibling issue) provides baseline coverage. A dedicated action is warranted for security-sensitive projects.
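
A deterministic pre-pass over the PR diff could cover the "exposed secrets" item and the "if lockfile changed" gate from the checklist above before any agent review runs. The sketch below is an added example, not part of this issue or of askcc's code. The function name `triage_diff`, the lockfile list, and the three rules are assumptions chosen for illustration.

```python
import re

# Assumed lockfile names and rules for this sketch; extend per project.
LOCKFILES = {"uv.lock", "poetry.lock", "Pipfile.lock", "package-lock.json",
             "yarn.lock", "Cargo.lock", "go.sum"}
SECRET_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "hardcoded-credential": re.compile(
        r"(?i)(password|passwd|secret|api_?key|token)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
HUNK = re.compile(r"@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def triage_diff(diff_text):
    """Scan added lines of a unified diff; report rule hits and changed lockfiles."""
    findings, lockfiles = [], set()
    path, lineno, old_left, new_left = None, 0, 0, 0
    for line in diff_text.splitlines():
        if old_left > 0 or new_left > 0:          # inside a hunk body
            if line.startswith("+"):
                # Record file, line and rule only; never echo the matched value.
                findings += [(path, lineno, rule) for rule, rx in SECRET_RULES.items()
                             if rx.search(line[1:])]
                lineno, new_left = lineno + 1, new_left - 1
            elif line.startswith("-"):
                old_left -= 1
            elif not line.startswith("\\"):       # context line
                lineno, old_left, new_left = lineno + 1, old_left - 1, new_left - 1
        elif line.startswith("+++ "):
            target = line[4:].split("\t")[0].strip()
            path = None if target == "/dev/null" else target.removeprefix("b/")
            if path and path.rsplit("/", 1)[-1] in LOCKFILES:
                lockfiles.add(path)
        elif m := HUNK.match(line):
            old_left = int(m.group(1) or 1)
            lineno = int(m.group(2))
            new_left = int(m.group(3) or 1)
    return {"findings": findings, "audit_dependencies": sorted(lockfiles)}

# Constructed sample diff (the key is AWS's documented example value).
SAMPLE_DIFF = "\n".join([
    "--- a/app/settings.py", "+++ b/app/settings.py", "@@ -10,2 +10,3 @@",
    " DEBUG = False", '+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"', ' REGION = "us-east-1"',
    "--- a/uv.lock", "+++ b/uv.lock", "@@ -1 +1 @@", "-version = 1", "+version = 2",
])

if __name__ == "__main__":
    print(triage_diff(SAMPLE_DIFF))
```

Tracking the hunk line counts keeps an added line that itself begins with `++ ` from being mistaken for a file header, and a non-empty `audit_dependencies` list is the signal to run the dependency check.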
