feat(prompts): add security review prompts (security-review, security-review-web, security-review-llm) #797

@katriendg

Description

Create three prompt files under .github/prompts/security/ that serve as user-facing entry points for security reviews. Each prompt delegates to the Security Reviewer agent with appropriate scope configuration. The main prompt supports three modes via argument: audit (full codebase), diff (changed files relative to the default branch), and plan (implementation plan risk assessment). Two specialization prompts bypass the standard profiling pipeline with hard-coded skill routing.

Note

Updated after Security Reviewer agent merge (PR #1008). The original issue specified 5 prompts, but -diff and -plan are redundant with the main prompt's mode argument. Reduced to 3 prompts: the main orchestrator plus two specialization prompts that introduce genuinely distinct routing (-web skips profiling via fast-path, -llm overrides skill selection).

Acceptance Criteria

  • .github/prompts/security/security-review.prompt.md exists
    • name: security-review, agent: Security Reviewer
    • description ends with - Brought to you by microsoft/hve-core
    • argument-hint: "[scope=path/to/dir] [mode={audit|diff|plan}] [targetSkill={owasp-top-10|owasp-llm|owasp-agentic}]"
    • Inputs: ${input:mode:audit}, ${input:targetSkill}, ${input:scope}, ${input:plan} (all camelCase)
    • Body: Instructions for agent to classify the codebase and auto-select applicable OWASP skills; defaults to audit mode when mode is not specified
    • Requirements section contains only delta-from-agent content (input routing rules), not full mode descriptions
  • .github/prompts/security/security-review-web.prompt.md exists
    • name: security-review-web, agent: Security Reviewer
    • description ends with - Brought to you by microsoft/hve-core
    • argument-hint: "[scope=path/to/component]"
    • Input: ${input:scope} (camelCase, aligned with main prompt)
    • Body: Instructions to skip classification and apply owasp-top-10 directly using the target-skill fast-path (bypasses codebase profiling entirely)
  • .github/prompts/security/security-review-llm.prompt.md exists
    • name: security-review-llm, agent: Security Reviewer
    • description ends with - Brought to you by microsoft/hve-core
    • argument-hint: "[scope=path/to/component]"
    • Input: ${input:scope} (camelCase, aligned with main prompt)
    • Body: Instructions to override skill selection with owasp-llm and owasp-agentic (profiler still runs to supply codebase context)
  • [!CAUTION] disclaimer added to Security Reviewer agent (security-reviewer.agent.md) instead of duplicating across prompt files
  • All three prompts registered in collections/security.collection.yml and collections/hve-core-all.collection.yml with kind: prompt and maturity: experimental
  • Plugin outputs regenerated via npm run plugin:generate after collection registration
  • Documentation updated:
    • .github/prompts/README.md — add the 3 new prompts to the "Azure Operations" or a new "Security" section under "Available Prompts", and add entries to the "Quick Start" numbered list
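A small checker for the file-level criteria above, written as an added example and not part of the hve-core repository: it parses a prompt file's frontmatter and its ${input:...} placeholders and reports violations. It assumes the frontmatter is flat key: value YAML between --- lines, and the sample prompt text is constructed here, not the real file.

```python
import re
TRAILER = "- Brought to you by microsoft/hve-core"
EXPECTED_INPUTS = {  # ${input:...} names per prompt, from the acceptance criteria above
    "security-review": {"mode", "targetSkill", "scope", "plan"},
    "security-review-web": {"scope"},
    "security-review-llm": {"scope"},
}
INPUT_RE = re.compile(r"\$\{input:([A-Za-z0-9_-]+)(?::[^}]*)?\}")  # ${input:name[:default]}
CAMEL_RE = re.compile(r"^[a-z][a-zA-Z0-9]*$")

def parse_prompt(text):
    """Split a .prompt.md into (frontmatter dict, body); assumes flat key: value YAML."""
    m = re.match(r"^---\n(.*?)\n---\n(.*)$", text, re.S)
    if not m:
        raise ValueError("missing frontmatter block")
    meta = {}
    for line in m.group(1).splitlines():
        key, _, value = line.partition(":")
        meta[key.strip()] = value.strip().strip('"')
    return meta, m.group(2)

def check_prompt(text):
    """Return a list of acceptance-criteria violations; an empty list means pass."""
    meta, body = parse_prompt(text)
    name = meta.get("name", "")
    if name not in EXPECTED_INPUTS:
        return [f"unknown prompt name {name!r}"]
    problems = []
    if meta.get("agent") != "Security Reviewer":
        problems.append("agent must be 'Security Reviewer'")
    if not meta.get("description", "").endswith(TRAILER):
        problems.append("description must end with the hve-core trailer")
    if not meta.get("argument-hint"):
        problems.append("argument-hint is missing")
    inputs = set(INPUT_RE.findall(body))
    if inputs != EXPECTED_INPUTS[name]:
        problems.append(f"inputs {sorted(inputs)} != {sorted(EXPECTED_INPUTS[name])}")
    problems += [f"input {v!r} is not camelCase" for v in inputs if not CAMEL_RE.match(v)]
    return problems

# Constructed sample satisfying the -web criteria (not the repository's real file)
SAMPLE_WEB = """---
name: security-review-web
agent: Security Reviewer
description: "Web review via the owasp-top-10 fast-path - Brought to you by microsoft/hve-core"
argument-hint: "[scope=path/to/component]"
---
Skip codebase profiling and apply owasp-top-10 directly to ${input:scope}.
"""
```

Running check_prompt over each of the three files before opening the PR catches a missing trailer, a wrong agent, or a snake_case input name.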

Prompt Summary

| Prompt | Mode | Invocation Style | Skills Applied |
|---|---|---|---|
| security-review | audit (default), diff, plan | Auto-classify, all signals; mode selectable via argument | All applicable (or targetSkill override) |
| security-review-web | audit | target-skill fast-path (no profiling) | owasp-top-10 only |
| security-review-llm | audit | skills: override (profiling runs for context) | owasp-llm + owasp-agentic |

Dependencies

Depends on security-reviewer agent (PR #1008) for execution, which has been merged and is available in main.

Metadata

Labels

  • feature: New feature triggering minor version bump
  • prompts: Copilot prompt files (.prompt.md)
  • security: Security-related changes or concerns