ci: add automated Claude security review on PRs

[lxcong]

Summary

Adds .github/workflows/claude-pr-review.yml — an automated security + convention reviewer that posts a single PR comment with findings on every PR event.

What it does

On pull_request: [opened, synchronize, reopened, ready_for_review], Claude (via anthropics/claude-code-action@v1) runs against the PR diff and posts exactly ONE top-level comment categorizing findings as:

• 🚨 Critical — security issues (credential leaks, command injection, supply-chain risks)
• ⚠️ Convention — violations of project rules (Conventional Commits title, archive/ immutability, release-please-managed files, repo-name invariants in installer scripts)
• 💡 Suggestion — nice-to-haves

Clean PRs get a one-line ✅ confirmation.

Key design choices

• Event trigger (not cron): near-real-time, event-driven
• Skip drafts + bot authors: release-please's Release PRs won't trigger a review (both because release-please[bot] is type Bot and the content is already validated CI)
• Concurrency cancel-in-progress: newer push on same PR cancels running review — saves tokens, user sees review on the latest commit only
• One-comment discipline: HEAD-SHA marker in comment header lets the reviewer detect "already reviewed this SHA, skip"
• --max-turns 8: caps runaway conversations; a single PR review should need ~3–5 turns
• --allowedTools "Bash,Read,Grep,Glob": Claude cannot write/edit files (read-only review), cannot spawn subagents
• Permissions: only contents: read + pull-requests: write + issues: write — minimum needed

⚠️ Required setup (maintainer, one-time)

This workflow requires a repo secret ANTHROPIC_API_KEY to work. Without it, every PR will fail this workflow (noisy but non-blocking — branch protection doesn't require this check).

Steps:

1. Get API key from https://console.anthropic.com (Settings → API Keys → Create Key)
2. gh secret set ANTHROPIC_API_KEY --repo chainbase-labs/agentkey and paste

Optional: install https://github.com/apps/claude for nicer comment attribution.

Fork PR limitation

pull_request event on a public repo does not expose secrets to PRs from forks — this is a GitHub security measure. This means Claude review won't run on fork PRs.

Mitigations:

• Maintainer can gh pr checkout <N> && git push origin head:review/<N> to trigger a same-repo branch, getting a review
• Or we later add a workflow_run pattern if external PRs become common. Not doing that now because there's attack surface there.

Cost

Per-review cost is roughly token-proportional to diff size. For typical PRs (<500 lines), expect $0.10–$0.50 per review. Large refactor PRs can hit $2+. Tune --max-turns or add a max-diff-size gate if costs get out of hand.

Test plan

• YAML parses (python3 -c "import yaml; yaml.safe_load(...)")
• PR title is conventional (ci: ...); commitlint should pass
• Post-merge + secret set: opening a new test PR triggers this workflow; comment appears within a few minutes
• A clearly-bad PR (e.g., adding API_KEY="sk-ant-fake123..." to a file) gets flagged as 🚨 Critical
• Release-please Release PR does NOT get reviewed (author is Bot)