
docs: add CI/CD security pipeline documentation#8

Merged
abdelsfane merged 1 commit into main from docs/ci-security-pipeline
Feb 7, 2026

Conversation

@abdelsfane
Contributor

Summary

  • Add docs/security/ci-security-pipeline.md documenting all 16+ automated checks across 4 workflow files (CI, security audit, AI code review, release pipeline)
  • Update docs/security/index.md with a card linking to the new page

Test plan

  • Verify all workflow file references match actual .github/workflows/ files
  • Confirm index page card links correctly to the new page
  • If mkdocs is configured, verify the page renders in the nav

Document all 16+ automated checks across 4 workflow files (ci.yml,
security.yml, claude-review.yml, publish.yml) including test matrices,
security scanning, AI-powered code review, auto-merge logic, protected
paths, and release pipeline stages.
@github-actions

github-actions bot commented Feb 7, 2026

Claude finished @abdelsfane's task

Security Review Complete ✅

Tasks

  • Read changed files
  • Analyze for security vulnerabilities
  • Verify workflow file references
  • Post comprehensive review

Security Analysis Results

I've completed a thorough security-focused review of this documentation PR. The changes add comprehensive CI/CD security pipeline documentation without introducing any security vulnerabilities.

File Analysis

docs/security/ci-security-pipeline.md (343 lines added)

  • No hardcoded credentials or secrets - Only mentions that secrets exist (PYPI_API_TOKEN) without exposing values
  • No code injection risks - Pure documentation with ASCII diagrams and markdown tables
  • No insecure deserialization - No code examples using pickle, eval, or exec
  • No SSRF/redirect risks - Links are to trusted domains (github.com)
  • Workflow references verified - All 4 mentioned workflow files exist in .github/workflows/:
    • ci.yml
    • security.yml
    • claude-review.yml
    • publish.yml

docs/security/index.md (8 lines added)

  • No security issues - Adds a material design card with icon and internal link
  • Link validation - References ci-security-pipeline.md correctly

Security Observations

Positive security aspects documented:

  1. Documents 16+ automated security checks (Bandit, pip-audit, crypto audit, format validation)
  2. Describes branch protection and required reviews
  3. Details protected paths preventing auto-merge of sensitive changes
  4. Documents auto-merge safety gates (size limits, security finding thresholds)
  5. Explains SARIF upload to GitHub Security tab for vulnerability tracking
  6. Describes false positive suppressions to reduce alert fatigue

No security anti-patterns found:

  • No weak cryptographic recommendations
  • No unsafe code examples
  • No exposed secrets or keys
  • No SQL injection patterns (all mentions are in detection context)
  • No authentication/authorization bypasses described

Documentation Quality

The documentation accurately describes defense-in-depth security practices including:

  • Multi-stage security gates
  • Cryptographic correctness validation
  • Static analysis (Bandit) with appropriate severity thresholds
  • Dependency vulnerability scanning (pip-audit)
  • License compliance checks
  • Wire format regression testing

FINDINGS_COUNT=0

No security issues found. This PR safely documents existing security controls without introducing vulnerabilities.


@github-actions

github-actions bot commented Feb 7, 2026

Manual review required. This PR did not meet auto-merge criteria:

  • Security review found issues (findings: unknown)
  • PR author 'abdelsfane' is not in the trusted auto-merge list
  • Too many lines changed (351 > 200)
  • PR is too new (1 min < 5 min minimum)
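
The four criteria in the bot comment above form an auto-merge gate. What follows is an added example of how such a gate can be evaluated; it is written here for illustration and is not taken from the project's claude-review.yml or any other workflow file. It assumes the two thresholds visible in the comment (200 changed lines, a 5 minute minimum age), a hypothetical trusted-author list, a hypothetical protected-path list, and a machine-readable marker of the form FINDINGS_COUNT=<n> at the end of the review comment, as in the review posted above. It also reproduces the fail-closed behaviour seen in this thread: when no review comment yields a findings count, the count is reported as unknown and the PR is held for manual review instead of being treated as clean.

```python
"""Auto-merge gate: decide whether a PR meets the criteria or needs manual review.

Added example, not the project's own workflow code. Thresholds, the trusted
author list and the protected paths are assumptions (the real ones live in the
project's workflow files); the findings marker format follows the
FINDINGS_COUNT=<n> line in the review comment above.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_LINES_CHANGED = 200                       # threshold quoted in the bot output
MIN_PR_AGE = timedelta(minutes=5)             # threshold quoted in the bot output
TRUSTED_AUTHORS = frozenset({"dependabot[bot]"})                    # hypothetical
PROTECTED_PATHS = (".github/workflows/", "src/", "pyproject.toml")  # hypothetical

# The review comment ends with a machine-readable line: FINDINGS_COUNT=<n>
FINDINGS_RE = re.compile(r"^FINDINGS_COUNT=(\d+)\s*$", re.MULTILINE)


def parse_findings_count(comment_body: str) -> Optional[int]:
    """Extract the findings count from a review comment; None if the marker is absent."""
    match = FINDINGS_RE.search(comment_body)
    return int(match.group(1)) if match else None


@dataclass
class PullRequest:
    author: str
    additions: int
    deletions: int
    created_at: datetime
    changed_files: list
    review_comments: list   # comment bodies, oldest first


def touches_protected_path(path: str) -> bool:
    """True if the path is, or lies under, one of the protected paths."""
    return any(path == p or path.startswith(p) for p in PROTECTED_PATHS)


def evaluate_auto_merge(pr: PullRequest, now: datetime) -> list:
    """Return the reasons the PR fails the gate; an empty list means eligible.

    Every check runs independently and every failure is reported, so the
    resulting comment shows the full list rather than the first failing criterion.
    """
    reasons = []

    # 1. Security review findings: take the most recent comment that carries a
    #    count. If none does, the count is unknown and the gate fails closed.
    findings = None
    for body in pr.review_comments:
        count = parse_findings_count(body)
        if count is not None:
            findings = count
    if findings is None:
        reasons.append("Security review found issues (findings: unknown)")
    elif findings > 0:
        reasons.append(f"Security review found issues (findings: {findings})")

    # 2. Author allow-list.
    if pr.author not in TRUSTED_AUTHORS:
        reasons.append(f"PR author '{pr.author}' is not in the trusted auto-merge list")

    # 3. Size limit on total changed lines.
    changed = pr.additions + pr.deletions
    if changed > MAX_LINES_CHANGED:
        reasons.append(f"Too many lines changed ({changed} > {MAX_LINES_CHANGED})")

    # 4. Minimum age, so that every required check has had time to report.
    age_min = int((now - pr.created_at).total_seconds() // 60)
    min_age = int(MIN_PR_AGE.total_seconds() // 60)
    if age_min < min_age:
        reasons.append(f"PR is too new ({age_min} min < {min_age} min minimum)")

    # 5. Protected paths never auto-merge, whatever the other checks say.
    protected = [f for f in pr.changed_files if touches_protected_path(f)]
    if protected:
        reasons.append(f"Touches protected paths: {', '.join(protected)}")

    return reasons


if __name__ == "__main__":
    # Constructed input modelled on this PR: 351 added lines, 1 minute old, and a
    # review comment whose body does not contain a FINDINGS_COUNT line.
    now = datetime(2026, 2, 7, 22, 45, tzinfo=timezone.utc)
    pr = PullRequest(
        author="abdelsfane",
        additions=351, deletions=0,
        created_at=now - timedelta(minutes=1),
        changed_files=["docs/security/ci-security-pipeline.md", "docs/security/index.md"],
        review_comments=["Security Review Complete\n\nNo security issues found."],
    )
    for reason in evaluate_auto_merge(pr, now):
        print("-", reason)
```

Run as a script, the block reports the same four reasons the bot posted for this PR. The protected-path check is the extra gate the PR description mentions, shown here with hypothetical paths; the point of treating a missing marker as unknown rather than as zero is that a review that never ran, or that posted after the gate evaluated, must not read as a clean review.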

@abdelsfane abdelsfane merged commit 38f715f into main Feb 7, 2026
9 checks passed
@abdelsfane abdelsfane deleted the docs/ci-security-pipeline branch February 7, 2026 22:50