security fixes

CLAUDE.md

@@ -42,6 +42,13 @@ python -c "import yaml; yaml.safe_load(open('.github/workflows/ai-review.yml'))"
 
 # Test security scanner
 python -c "from security.security_scanner import SecurityScanner; s = SecurityScanner(); print(list(s.scan_content('password = \"secret123\"', 'test.py')))"
+
+# Test webhook sanitization
+cd tools/ai-review
+python -c "from utils.webhook_sanitizer import sanitize_webhook_data; print(sanitize_webhook_data({'user': {'email': 'test@example.com'}}))"
+
+# Test safe dispatch
+python utils/safe_dispatch.py issue_comment owner/repo '{"action": "created", "issue": {"number": 1}, "comment": {"body": "test"}}'
 ```
 
 ## Architecture
@@ -292,14 +299,104 @@ rules:
     recommendation: How to fix it
 ```
 
+## Security Best Practices
+
+**CRITICAL**: Always follow these security guidelines when modifying workflows or handling webhook data.
+
+### Workflow Security Rules
+
+1. **Never pass full webhook data to environment variables**
+   ```yaml
+   # ❌ NEVER DO THIS
+   env:
+     EVENT_DATA: ${{ toJSON(github.event) }}  # Exposes emails, tokens, etc.
+   
+   # ✅ ALWAYS DO THIS
+   run: |
+     EVENT_DATA=$(cat <<EOF
+     {
+       "issue": {"number": ${{ github.event.issue.number }}},
+       "comment": {"body": $(echo '${{ github.event.comment.body }}' | jq -Rs .)}
+     }
+     EOF
+     )
+     python utils/safe_dispatch.py issue_comment "$REPO" "$EVENT_DATA"
+   ```
+
+2. **Always validate repository format**
+   ```bash
+   # Validate before use
+   if ! echo "$REPO" | grep -qE '^[a-zA-Z0-9_-]+/[a-zA-Z0-9_-]+$'; then
+       echo "Error: Invalid repository format"
+       exit 1
+   fi
+   ```
+
+3. **Use safe_dispatch.py for webhook processing**
+   ```bash
+   # Instead of inline Python with os.environ, use:
+   python utils/safe_dispatch.py issue_comment owner/repo "$EVENT_JSON"
+   ```
+
+### Input Validation
+
+Always use `webhook_sanitizer.py` utilities:
+
+```python
+from utils.webhook_sanitizer import (
+    sanitize_webhook_data,      # Remove sensitive fields
+    validate_repository_format,  # Validate owner/repo format
+    extract_minimal_context,     # Extract only necessary fields
+)
+
+# Validate repository input
+owner, repo = validate_repository_format(repo_string)  # Raises ValueError if invalid
+
+# Sanitize webhook data
+sanitized = sanitize_webhook_data(raw_event_data)
+
+# Extract minimal context (reduces attack surface)
+minimal = extract_minimal_context(event_type, sanitized)
+```
+
+### Pre-commit Security Scanning
+
+Install pre-commit hooks to catch security issues before commit:
+
+```bash
+# Install pre-commit
+pip install pre-commit
+
+# Install hooks
+pre-commit install
+
+# Run manually
+pre-commit run --all-files
+```
+
+The hooks will:
+- Scan Python files for security vulnerabilities
+- Validate workflow files for security anti-patterns
+- Detect hardcoded secrets
+- Run security scanner on code changes
+
+### Security Resources
+
+- **SECURITY.md** - Complete security guidelines and best practices
+- **tools/ai-review/utils/webhook_sanitizer.py** - Input validation utilities
+- **tools/ai-review/utils/safe_dispatch.py** - Safe webhook dispatch wrapper
+- **.pre-commit-config.yaml** - Pre-commit hook configuration
+
 ## Testing
 
-The test suite (`tests/test_ai_review.py`) covers:
+The test suite covers:
 
-1. **Prompt Formatting** - Ensures prompts don't have unescaped `{}` that break `.format()`
+1. **Prompt Formatting** (`tests/test_ai_review.py`) - Ensures prompts don't have unescaped `{}` that break `.format()`
 2. **Module Imports** - Verifies all modules can be imported
 3. **Security Scanner** - Tests pattern detection and false positive rate
 4. **Agent Context** - Tests dataclass creation and validation
+5. **Security Utilities** (`tests/test_security_utils.py`) - Tests webhook sanitization, validation, and safe dispatch
+6. **Safe Dispatch** (`tests/test_safe_dispatch.py`) - Tests secure event dispatching
 5. **Metrics** - Tests enterprise metrics collection
 
 Run specific test classes: