Symphony / Security timed job

Daily security agent

A report-only agent route for the last 24h of commits, lightweight vulnerability scanning, threat-model drift, and ownership risk. It turns concrete findings into focused Linear tickets without changing code.

Cadence daily delta + weekly auditMode inspect and reportScope commits, scans, drift, ownershipOutput Linear + Slack
systemd timer->Linear report issue->Codex security run->actionable tickets
00

Operating model

The job should behave like the existing Sentry and E2E report routes. A systemd timer creates a dated Linear issue, Symphony picks it up through a dedicated label, Codex runs read-only checks, and the run completes with a report. The only writes are follow-up tickets for confirmed findings, one report comment, and a compact Slack summary.

24h
Commit window
fixed at run start
0
Code edits
inspect and report only
4
Analysis tracks
delta / system / drift / ownership
1
Report issue
idempotent per date
KEYKeep the daily run narrow

Daily security should catch newly introduced risk quickly. Broad threat-model and ownership graph refreshes are valuable, but they belong in a weekly audit or in a triggered follow-up when the daily run detects drift.

01

System shape

This is a thin timed-job layer on top of the existing Symphony workflow. It uses the same timed issue pattern as Sentry triage and local E2E, then routes the issue into a report-only security policy. Click any node to trace the run.

report-only route boundarysystemd timer04:00 dailyIssue seederidempotent shell scriptLinear issuereport:security-agentSymphony routereport-only policyFresh workspaceHEAD + 24h windowSecurity checksdelta + system scanThreat drifttrigger weekly refreshOwnership risksensitive filesReport outputsLinear + Slack
02

Cadence design

The right split is a fast daily delta plus a slower weekly audit. Use the control to compare the run contract.

Daily delta

Fast loop: catch new risk quickly

The daily run is intentionally narrow. It checks what changed in the last completed 24h, then adds lightweight whole-system scanners so obvious vulnerabilities are not missed.

  • Review commits merged in the fixed 24h UTC window.
  • Run dependency audit, secret scan, focused Semgrep, and workflow lint.
  • Create Linear bugs only for actionable, reproducible findings.
  • Post one report comment and one Slack summary.
Daily confidence threshold82%

Daily run remains focused. Below 75%, the report should create a weekly-audit follow-up instead of pretending the daily pass is complete.

03

Analysis tracks

Four tracks make the job understandable. The first two run daily. The last two are daily drift detectors with heavier weekly refreshes.

Last completed 24h

New commits

Review merged commits and changed files first. The job looks for security-sensitive surfaces instead of reading every file with equal weight.

Inputs
  • git log window
  • changed files
  • PR metadata when available
Outputs
  • high-risk commit list
  • review notes
  • follow-up tickets for concrete bugs
04

Commit risk map

The delta review should rank changed paths by risk before spending agent time. This keeps the report readable and makes the review bias explicit.

auth / sessionsidentity, cookies, roles, tenant scope
96
secrets / configtokens, env vars, deploy policy
92
database queriesSQL construction, RLS, migrations
84
uploads / parsersfile handling, deserialization, validation
78
CI / workflowstokens, deploy steps, third-party actions
74
frontend renderingXSS, unsafe HTML, client-side auth assumptions
58
Dependabot or generated commits should not be ignored automatically. They should be reviewed through dependency audit and lockfile diffing, then summarized separately so the report does not mix human code risk with package drift.
05

Finding rubric

The agent should not create tickets for vague concern. It creates tickets for confirmed, actionable findings with deterministic idempotency labels.

High findings

Use for likely-reachable high-impact vulnerabilities or weakened protection on sensitive paths.

  • reachable critical CVE
  • missing authorization check
  • unsafe file upload
  • SQL injection risk
security-finding:<hash>
cve:<CVE-ID>
secret-scan:<hash>
semgrep:<rule-id>:<hash>
06

Run contract

The Linear issue description should carry the contract and the workpad. Completion is gated on concrete evidence, not a prose summary.

Issue seed

Timed issue

Title: Daily security agent - YYYY-MM-DD. Labels: report:security-agent, security, observability.

Allowed writes

Report-only route

No code edits, commits, pushes, PRs, deploys, or Sentry mutations. Allowed writes are Linear follow-up bugs, one report comment, and one Slack summary.

Code HEAD: <sha>
Security window UTC: <start>..<end>
Commits reviewed: <count>
Security-sensitive commits: <count>
Dependency audit: passed | findings | blocked
Secret scan: passed | findings | blocked
SAST scan: passed | findings | blocked
Threat-model drift: none | findings
Ownership risk: none | findings
New Linear findings: <ids or none>
Slack summary: <url/timestamp or stdout fallback>
07

Scanner plan

Start with portable checks that can degrade cleanly. A missing tool should be recorded as a coverage gap, not reported as a clean pass.

Commit windowgit log --since="$WINDOW_START" --until="$WINDOW_END" --name-only --format=fuller
Dependency auditnpm audit --audit-level=high || true
Secret scangitleaks detect --source . --redact --no-git || true
SASTsemgrep scan --config auto --error --timeout 120 || true
Workflow lint./scripts/lint-workflows.sh || actionlint
!Do not hide blind spots

If Semgrep, gitleaks, npm auth, package manager state, or repo hydration is unavailable, the run should finish with a degraded result and a clear unblock action. A silent skip is worse than a failed check.

08

Rollout path

1

Dry run locally no writes

Generate the report issue body and scanner plan with --dry-run. Confirm labels, title, and workpad rows.

2

Enable daily report writes gated

Create only the report issue and Slack summary. Hold follow-up bug creation behind a config flag for the first week.

3

Allow focused bug tickets idempotent

Turn on bug creation for Urgent and High findings first, then expand to Normal once duplicate suppression is proven.

4

Add weekly audit slow loop

Regenerate ownership maps and threat-model reports weekly, using daily drift notes as the input queue.

AgencyCore / Symphony / Daily security agentDesign draft / 2026-06-12