Enhance security auditing capabilities by introducing a comprehensive 5-phase OWASP-based security audit process, including dependency scanning, static analysis, and a consolidated report with severity-ranked findings. Update autopilot workflows to incorporate an optional security audit step before deployment, and refine documentation across related skills for clarity and usability.

Oleksandr Bezdieniezhnykh
2026-03-22 18:03:47 +02:00
parent 3165a88f0b
commit 091d9a8fb0
13 changed files with 482 additions and 1976 deletions
@@ -14,6 +14,7 @@ Workflow for projects with an existing codebase. Starts with documentation, prod
| 2f | New Task | new-task/SKILL.md | Steps 18 (loop) |
| 2g | Implement | implement/SKILL.md | (batch-driven, no fixed sub-steps) |
| 2h | Run Tests | (autopilot-managed) | Unit tests → Integration/blackbox tests |
| 2hb | Security Audit | security/SKILL.md | Phase 15 (optional) |
| 2i | Deploy | deploy/SKILL.md | Steps 17 |
After Step 2i, the existing-code workflow is complete.
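Review bot: In the new 2hb row, the sub-steps cell reads "Phase 15 (optional)", while the commit message describes a 5-phase audit, so as written it points at a phase that does not exist. Suggest spelling the range out unambiguously, for example "Phases 1 to 5 (optional)". Also consider saying in this cell who decides whether the step runs (a user prompt after Run Tests), since the other rows in the table give no hint that a step can be skipped.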
@@ -119,7 +120,7 @@ Action: Run the full test suite to verify the implementation before deployment.
2. **Integration / blackbox tests**: if `docker-compose.test.yml` or an equivalent test environment exists, spin it up and run the integration test suite
3. **Report results**: present a summary of passed/failed/skipped tests
If all tests pass → auto-chain to Step 2i (Deploy).
If all tests pass → auto-chain to Step 2hb (Security Audit).
If tests fail → present using Choose format:
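Review bot: The new line "If all tests pass → auto-chain to Step 2hb (Security Audit)" describes the target as the audit itself, but Step 2hb opens with a decision prompt and the transition table later in this patch calls it "Security Audit choice (Step 2hb)". Suggest using the same wording here, so that a reader of this step alone knows the chain stops on a user decision rather than running the audit unconditionally.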
@@ -137,8 +138,29 @@ If tests fail → present using Choose format:
---
**Step 2hb — Security Audit (optional)**
Condition: the autopilot state shows Step 2h (Run Tests) is completed AND the autopilot state does NOT show Step 2hb (Security Audit) as completed or skipped AND (`_docs/04_deploy/` does not exist or is incomplete)
Action: Present using Choose format:
```
══════════════════════════════════════
DECISION REQUIRED: Run security audit before deploy?
══════════════════════════════════════
A) Run security audit (recommended for production deployments)
B) Skip — proceed directly to deploy
══════════════════════════════════════
Recommendation: A — catches vulnerabilities before production
══════════════════════════════════════
```
- If user picks A → Read and execute `.cursor/skills/security/SKILL.md`. After completion, auto-chain to Step 2i (Deploy).
- If user picks B → Mark Step 2hb as `skipped` in the state file, auto-chain to Step 2i (Deploy).
---
**Step 2i — Deploy**
Condition: the autopilot state shows Step 2h (Run Tests) is completed AND (`_docs/04_deploy/` does not exist or is incomplete)
Condition: the autopilot state shows Step 2h (Run Tests) is completed AND (Step 2hb is completed or skipped) AND (`_docs/04_deploy/` does not exist or is incomplete)
Action: Read and execute `.cursor/skills/deploy/SKILL.md`
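Review bot: Missing gate on audit results in the option A branch of Step 2hb: "After completion, auto-chain to Step 2i (Deploy)" proceeds to deploy whatever the audit found, so a report with high-severity findings does not stop the pipeline. The commit message says the report is severity-ranked, and Step 2h already handles failure with "If tests fail → present using Choose format", so suggest the same pattern here: auto-chain only when the report has no findings above an agreed severity, otherwise present a Choose prompt (fix, accept and deploy, abort). Second point on the same branch: option B explicitly marks Step 2hb as `skipped` in the state file, but option A never says to mark it `completed`, while the new Step 2i condition requires "Step 2hb is completed or skipped". State the write for option A as well, so a resumed session does not ask the question again or block deploy.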
@@ -177,5 +199,6 @@ Action: The project completed a full cycle. Present status and loop back to New
| Refactor (Step 2e) | Auto-chain → New Task (Step 2f) |
| New Task (Step 2f) | **Session boundary** — suggest new conversation before Implement |
| Implement (Step 2g) | Auto-chain → Run Tests (Step 2h) |
| Run Tests (Step 2h, all pass) | Auto-chain → Deploy (Step 2i) |
| Run Tests (Step 2h, all pass) | Auto-chain → Security Audit choice (Step 2hb) |
| Security Audit (Step 2hb, done or skipped) | Auto-chain → Deploy (Step 2i) |
| Deploy (Step 2i) | **Workflow complete** — existing-code flow done |
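Review bot: The new row "Security Audit (Step 2hb, done or skipped)" uses "done" where the step conditions earlier in this patch use "completed or skipped"; suggest the same term in both places, since the state file is matched against these words. The row also gives a single outcome for every audit result. If the step is changed to stop on high-severity findings, this table needs a second row for that case, in the same way that "Run Tests (Step 2h, all pass)" is qualified by its result.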