Add security scanning workflows

.bun-version

@@ -0,0 +1 @@
+1.3.0

.github/actions/build-package/action.yml

@@ -0,0 +1,33 @@
+name: Build and package (Bun -> single zip)
+description: Build with Bun (Turbo) and package a single distributable archive
+outputs:
+  archive_path:
+    description: Absolute path to the archive
+    value: ${{ steps.pkg.outputs.archive_path }}
+runs:
+  using: composite
+  steps:
+    - name: Setup Bun (from .bun-version)
+      uses: ./.github/actions/setup-bun
+
+    - name: Build (Turbo)
+      shell: bash
+      run: bunx turbo run build
+
+    - name: Ensure zip is available
+      shell: bash
+      run: sudo apt-get update -y && sudo apt-get install -y zip
+
+    - name: Package single file
+      id: pkg
+      shell: bash
+      run: |
+        set -e
+        mkdir -p bundle
+        if [ -d dist ]; then SRC=dist; elif [ -d build ]; then SRC=build; else SRC=.; fi
+        if [ "$SRC" = "." ]; then
+          zip -r bundle/opencode.zip . -x '.git/*' '.github/*' 'node_modules/*'
+        else
+          (cd "$SRC" && zip -r ../bundle/opencode.zip .)
+        fi
+        echo "archive_path=$(pwd)/bundle/opencode.zip" >> "$GITHUB_OUTPUT"

.github/actions/setup-bun/action.yml

@@ -1,20 +1,43 @@
-name: "Setup Bun"
-description: "Setup Bun with caching and install dependencies"
+name: setup-bun
+description: Setup Bun from .bun-version (or input) and install workspace deps
+inputs:
+  bun-version:
+    description: Fallback Bun version if .bun-version is absent
+    required: false
+    default: '1.3.0'
+outputs:
+  resolved-version:
+    description: The Bun version that was installed
+    value: ${{ steps.ver.outputs.version }}
 runs:
-  using: "composite"
+  using: composite
   steps:
-    - name: Setup Bun
-      uses: oven-sh/setup-bun@v2
+    - name: Resolve Bun version (prefer .bun-version)
+      id: ver
+      shell: bash
+      run: |
+        if [ -f .bun-version ]; then
+          ver=$(tr -d '[:space:]' < .bun-version)
+        else
+          ver='${{ inputs.bun-version }}'
+        fi
+        echo "version=$ver" >> "$GITHUB_OUTPUT"
+        echo "Resolved Bun version: $ver"
 
-    - name: Cache ~/.bun
-      id: cache-bun
-      uses: actions/cache@v4
+    - name: Setup Bun (no tool-cache, exact version)
+      uses: oven-sh/setup-bun@v2
       with:
-        path: ~/.bun
-        key: ${{ runner.os }}-bun-${{ hashFiles('bun.lockb', 'bun.lock') }}
-        restore-keys: |
-          ${{ runner.os }}-bun-
+        bun-version: ${{ steps.ver.outputs.version }}
+        no-cache: true
+
+    - name: Verify Bun version
+      shell: bash
+      run: |
+        set -e
+        echo "bun version: $(bun --version)"
+        test "$(bun --version | awk '{print $1}')" = "${{ steps.ver.outputs.version }}"
 
-    - name: Install dependencies
-      run: bun install
+    # Historical behavior: run bun install during setup
+    - name: Install workspace dependencies
       shell: bash
+      run: bun install --frozen-lockfile || bun install

.github/workflows/bun-audit.yml

@@ -0,0 +1,35 @@
+name: Bun Audit
+
+on:
+  push:
+  pull_request:
+  workflow_call:
+
+jobs:
+  bun-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Bun
+        uses: oven-sh/setup-bun@v1
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Run bun audit
+        run: bun audit --audit-level=high --json > bun-audit.json
+
+      - name: Count advisories
+        run: jq '.advisories | length' bun-audit.json
+
+      - name: Fail on findings
+        run: test "$(jq '.advisories | length' bun-audit.json)" = "0"
+
+      - name: Upload audit report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: bun-audit-report
+          path: bun-audit.json

.github/workflows/clam-av.yml

@@ -0,0 +1,59 @@
+name: av-clamav
+on:
+  pull_request:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  actions: read
+
+jobs:
+  clamav:
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout the right ref
+      - name: Checkout (release tag)
+        if: github.event_name == 'release'
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.release.tag_name }}
+      - name: Checkout (PR/default)
+        if: github.event_name != 'release'
+        uses: actions/checkout@v4
+
+      # Single source-of-truth build -> one file
+      - name: Build and package
+        id: build
+        uses: ./.github/actions/build-package
+
+      # Install fresh ClamAV DB
+      - name: Install & update ClamAV DB
+        run: |
+          set -e
+          sudo apt-get update
+          sudo apt-get install -y clamav clamav-freshclam unzip
+          sudo systemctl stop clamav-freshclam || true
+          sudo mkdir -p /var/lib/clamav
+          sudo chown -R clamav:clamav /var/lib/clamav
+          sudo freshclam --verbose
+          ls -lh /var/lib/clamav
+
+      # Scan extracted bundle so counts reflect actual files
+      - name: Extract bundle and scan
+        run: |
+          set -e
+          rm -rf scan && mkdir -p scan
+          unzip -q bundle/opencode.zip -d scan
+          echo "File count in payload: $(find scan -type f | wc -l)"
+          clamscan -ri --scan-archive=yes scan | tee clamav.log
+          ! grep -q 'Infected files: [1-9]' clamav.log
+
+      - name: Upload scan results
+        uses: actions/upload-artifact@v4
+        with:
+          name: clamav-scan-results
+          path: |
+            clamav.log
+            bundle/opencode.zip

.github/workflows/odc.yml

@@ -0,0 +1,33 @@
+name: OWASP Dependency-Check
+
+on:
+  push:
+  pull_request:
+  workflow_call:
+
+jobs:
+  odc:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Generate temporary npm lockfile
+        run: |
+          corepack enable
+          npm install --package-lock-only
+
+      - name: Run Dependency-Check
+        uses: dependency-check/Dependency-Check_Action@main
+        with:
+          project: ${{ github.repository }}
+          path: package-lock.json
+          format: 'HTML,JSON'
+          out: reports
+
+      - name: Upload Dependency-Check reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: odc-reports
+          path: reports

.github/workflows/osv-scan.yml

@@ -0,0 +1,28 @@
+name: OSV Scan
+
+on:
+  push:
+  pull_request:
+  workflow_call:
+
+jobs:
+  osv:
+    permissions:
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Run OSV Scanner
+        uses: google/osv-scanner-action@v1
+        with:
+          scan-args: --lockfile bun.lock --recursive .
+
+      - name: Upload OSV report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: osv-report
+          path: osv-scanner-results.sarif

.github/workflows/owasp-scan.yml

@@ -0,0 +1,66 @@
+name: owasp-dependency-check
+on:
+  pull_request:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  depcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout (release tag)
+        if: github.event_name == 'release'
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.release.tag_name }}
+      - name: Checkout (PR/default)
+        if: github.event_name != 'release'
+        uses: actions/checkout@v4
+
+      - name: Setup Bun (repo action)
+        uses: ./.github/actions/setup-bun
+
+      - name: Install workspace deps (Bun)
+        run: bun install --frozen-lockfile || bun install
+
+      - name: Ensure per-package node_modules (symlink to root)
+        run: |
+          set -e
+          root_nm="$(pwd)/node_modules"
+          if [ ! -d "$root_nm" ]; then echo 'No root node_modules after bun install' >&2; exit 1; fi
+          # create a node_modules symlink in every workspace package that lacks one
+          git ls-files -z | tr '\0' '\n' | grep -E '(^|/)package.json$' | while read -r pj; do
+            pkgdir="$(dirname "$pj")"
+            [ "$pkgdir" = ".github/actions/setup-bun" ] && continue
+            if [ ! -d "$pkgdir/node_modules" ]; then
+              echo "linking $pkgdir/node_modules -> $root_nm"
+              ln -s "$root_nm" "$pkgdir/node_modules" || true
+            fi
+          done
+
+      - name: Cache dependency-check data
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2/repository/org/owasp/dependency-check-data/
+          key: depcheck-data-${{ runner.os }}-v2
+          restore-keys: |
+            depcheck-data-${{ runner.os }}-
+
+      - name: Run OWASP Dependency-Check
+        uses: dependency-check/Dependency-Check_Action@1.1.0
+        with:
+          project: OpenCode
+          path: .
+          format: ALL
+          args: --enableExperimental
+
+      - name: Upload reports
+        uses: actions/upload-artifact@v4
+        with:
+          name: owasp-depcheck-report
+          path: reports/**

.github/workflows/security-suite.yml

@@ -0,0 +1,20 @@
+name: Security Suite
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  bun-audit:
+    uses: ./.github/workflows/bun-audit.yml
+
+  osv:
+    needs: bun-audit
+    uses: ./.github/workflows/osv-scan.yml
+
+  owasp-dc:
+    needs: osv
+    uses: ./.github/workflows/odc.yml