Add security agent auto-analysis queue system

Cloudflare Worker that automatically triages and analyzes security
findings via a queue-based pipeline. Dispatches due owners on a cron
schedule, claims queued findings per-owner with pessimistic locking,
runs LLM triage to filter noise, then launches full analysis sessions
via cloud-agent-next.

Uses @kilocode/db with Drizzle ORM for all database access through
Hyperdrive, matching the cloudflare-security-sync reference pattern.
Includes DB migration for security_analysis_queue and
security_analysis_owner_state tables, plus indexes on
security_findings for in-flight analysis tracking.

Author: jeanduplessis

.github/workflows/ci.yml

@@ -17,6 +17,7 @@ jobs:
       cloud_agent: ${{ steps.filter.outputs.cloud_agent }}
       cloud_agent_next: ${{ steps.filter.outputs.cloud_agent_next }}
       webhook_agent: ${{ steps.filter.outputs.webhook_agent }}
+      security_auto_analysis: ${{ steps.filter.outputs.security_auto_analysis }}
       kiloclaw: ${{ steps.filter.outputs.kiloclaw }}
       app_builder: ${{ steps.filter.outputs.app_builder }}
     steps:
@@ -35,6 +36,8 @@ jobs:
               - 'cloud-agent-next/**'
             webhook_agent:
               - 'cloudflare-webhook-agent-ingest/**'
+            security_auto_analysis:
+              - 'cloudflare-security-auto-analysis/**'
             kiloclaw:
               - 'kiloclaw/**'
             app_builder:
@@ -265,6 +268,36 @@ jobs:
       - name: Run webhook-agent-ingest tests
         run: pnpm --filter cloudflare-webhook-agent-ingest test
 
+  security-auto-analysis:
+    needs: changes
+    if: needs.changes.outputs.security_auto_analysis == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          lfs: true
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v2
+        with:
+          version: latest
+          run_install: false
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Typecheck (security-auto-analysis)
+        run: pnpm --filter cloudflare-security-auto-analysis typecheck
+
+      - name: Run security-auto-analysis tests
+        run: pnpm --filter cloudflare-security-auto-analysis test
+
   kiloclaw:
     needs: changes
     if: needs.changes.outputs.kiloclaw == 'true'

.github/workflows/deploy-production.yml

@@ -355,6 +355,30 @@ jobs:
     if: needs.check-security-sync-changes.outputs.changed == 'true'
     uses: ./.github/workflows/deploy-security-sync.yml
     secrets: inherit
+
+  check-security-auto-analysis-changes:
+    runs-on: ubuntu-latest
+    outputs:
+      changed: ${{ steps.changes.outputs['security-auto-analysis'] }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check for security-auto-analysis changes
+        uses: dorny/paths-filter@v3
+        id: changes
+        with:
+          filters: |
+            security-auto-analysis:
+              - 'cloudflare-security-auto-analysis/**'
+
+  deploy-security-auto-analysis:
+    needs: [check-security-auto-analysis-changes]
+    if: needs.check-security-auto-analysis-changes.outputs.changed == 'true'
+    uses: ./.github/workflows/deploy-security-auto-analysis.yml
+    secrets: inherit
     with:
       environment: prod
 

.github/workflows/deploy-security-auto-analysis.yml

@@ -0,0 +1,50 @@
+name: Deploy Security Auto Analysis
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Choose an environment to deploy to: dev or prod'
+        required: true
+        default: 'prod'
+        type: choice
+        options:
+          - dev
+          - prod
+  workflow_call:
+    inputs:
+      environment:
+        description: 'Choose an environment to deploy to: dev or prod'
+        required: false
+        default: 'prod'
+        type: string
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    name: Deploy Security Auto Analysis
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v2
+        with:
+          version: latest
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - name: Install dependencies
+        working-directory: cloudflare-security-auto-analysis
+        run: pnpm install --frozen-lockfile
+
+      - name: Deploy to Cloudflare Workers
+        uses: cloudflare/wrangler-action@v3
+        with:
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          workingDirectory: cloudflare-security-auto-analysis
+          command: ${{ inputs.environment == 'dev' && 'deploy --env dev' || 'deploy' }}

cloudflare-ai-attribution/src/ai-attribution.worker.ts

@@ -30,7 +30,6 @@ export type HonoContext = {
 
 const app = new Hono<HonoContext>();
 
-// @ts-expect-error workers-tagged-logger returns Handler typed against an older hono; incompatible with hono 4.12+
 app.use('*', useWorkersLogger('ai-attribution'));
 
 // Health check endpoint (no auth required)

cloudflare-security-auto-analysis/.gitignore

@@ -0,0 +1,2 @@
+node_modules
+.wrangler

cloudflare-security-auto-analysis/eslint.config.mjs

@@ -0,0 +1,8 @@
+import { dirname } from 'path';
+import { fileURLToPath } from 'url';
+import { defineConfig } from 'eslint/config';
+import baseConfig from '@kilocode/eslint-config';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+export default defineConfig([...baseConfig(__dirname)]);

cloudflare-security-auto-analysis/package.json

@@ -0,0 +1,27 @@
+{
+  "name": "cloudflare-security-auto-analysis",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "deploy:prod": "wrangler deploy",
+    "deploy:dev": "wrangler deploy --env dev",
+    "dev": "wrangler dev --env dev",
+    "lint": "eslint --config eslint.config.mjs --cache 'src/**/*.ts'",
+    "typecheck": "tsc --noEmit",
+    "types": "wrangler types --env-interface CloudflareEnv worker-configuration.d.ts",
+    "test": "vitest run"
+  },
+  "dependencies": {
+    "@kilocode/db": "workspace:*",
+    "drizzle-orm": "catalog:",
+    "workers-tagged-logger": "catalog:",
+    "zod": "catalog:"
+  },
+  "devDependencies": {
+    "@kilocode/eslint-config": "workspace:*",
+    "@types/node": "^22",
+    "typescript": "catalog:",
+    "vitest": "^3.2.4",
+    "wrangler": "catalog:"
+  }
+}