
feat: sin security — Integrate SIN-Code-Security-Bundle (production ready) #36

@Delqhi

Description

Integrate the SIN-Code-Security-Bundle (v1.3.0, production ready) as sin security subcommand.

Current State

  • SIN-Code-Security-Bundle exists at OpenSIN-Code/SIN-Code-Security-Bundle
  • Has Go CLI (sin-security) + Python MCP server (8 tools)
  • Orchestrates 8 security tools: Secrets, SAST, SCA, SBOM, Container, IaC, License, DAST
  • 8 compliance frameworks: CIS, NIST, SOC2, ISO27001, GDPR, HIPAA, PCI, OWASP
  • 44 tests, CI/CD, v1.3.0 tag, 6 commits
  • NOT integrated into sin CLI at all

Required Integration

  1. Add sin security top-level command wrapping sin-security binary
  2. Add sin code security to sin code hub
  3. Register MCP server in sin serve / opencode.json
  4. Add to sin status detection

Commands to Expose

sin security scan . --compliance cis,nist --fail-on high
sin security sca .
sin security container .
sin security iac .
sin security license .
sin security dast --target-url https://app.example.com
sin security sast .
sin security secrets .
sin security sbom .
sin security openafd . --url https://openafd.example.com
sin security list-tools
sin security list-frameworks

MCP Tools (8) to Register

  • sin_security_full_scan
  • sin_security_blast_radius
  • sin_security_remediation_plan
  • sin_security_compliance_report
  • sin_security_executive_summary
  • sin_security_technical_report
  • sin_security_html_dashboard
  • sin_security_list_tools
  • sin_security_list_compliance_frameworks

Acceptance Criteria

  • sin security --help shows all subcommands
  • sin security scan . runs full orchestration
  • sin code security works in hub
  • MCP server registered and accessible via sin serve
  • sin status shows "Security Bundle: v1.3.0 ✅"
  • Works with external tools (trivy, checkov, nuclei, scancode) or falls back gracefully

Priority

HIGH — Production-ready security orchestration sitting unused; biggest missing feature
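A sketch of integration steps 1 and 4 above (wrapping the sin-security binary and feeding sin status) together with the graceful-fallback acceptance criterion, as an added Go example; it is not code from the sin CLI or the Security-Bundle. It assumes the wrapped binary is called sin-security and is found via PATH, assumes the external scanners use their usual binary names, and makes no assumption about how the bundle's version is queried.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
)

// LookPathFunc resolves a binary name to a path: exec.LookPath in production, a stub in tests.
type LookPathFunc func(string) (string, error)

// ExternalTools are the optional scanners named in the acceptance criteria (assumed binary names).
var ExternalTools = []string{"trivy", "checkov", "nuclei", "scancode"}

// DetectTools splits the scanners into present and missing so absent ones are skipped, not fatal.
func DetectTools(lookPath LookPathFunc) (present, missing []string) {
	for _, tool := range ExternalTools {
		if _, err := lookPath(tool); err != nil {
			missing = append(missing, tool)
		} else {
			present = append(present, tool)
		}
	}
	return present, missing
}

// StatusLine builds the `sin status` line from a version the caller already read from the bundle.
func StatusLine(lookPath LookPathFunc, version string) string {
	if _, err := lookPath("sin-security"); err != nil {
		return "Security Bundle: not installed"
	}
	return fmt.Sprintf("Security Bundle: %s ✅", version)
}

// RunSecurity execs sin-security without a shell and propagates its exit code so --fail-on gates CI.
func RunSecurity(args []string) int {
	path, err := exec.LookPath("sin-security")
	if err != nil {
		fmt.Fprintln(os.Stderr, "sin security: sin-security binary not found on PATH")
		return 127
	}
	cmd := exec.Command(path, args...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	if err := cmd.Run(); err != nil && cmd.ProcessState == nil {
		return 1 // the binary could not be started at all
	}
	return cmd.ProcessState.ExitCode()
}

func main() { os.Exit(RunSecurity(os.Args[1:])) }
```

Because arguments go straight to argv and the child's exit status is returned unchanged, `sin security scan . --fail-on high` behaves in a pipeline exactly like calling the bundle directly.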
