Added vault audit workflows

[russell-stern]

Vault Audit Integration

Adds automated vault security auditing to PRs that touch vault files. The audit is powered by a Claude-based skill in a private repo and surfaces findings as inline review comments with a merge-blocking commit status.

---

How it works

Triggering the audit

The audit does not run automatically on every PR. An authorized reviewer (anyone with write or admin access to this repo) triggers it by commenting /vault-audit on the PR. This keeps costs down and avoids noise on PRs that don't actually change vault files.

What the audit checks

The skill diffs the vault files between the PR's base and head SHA, then runs a set of security specialists against the changed files. Each finding is classified as either blocking (CRITICAL / MUST FIX) or informational. The full report is posted as a PR comment; each individual finding also appears as an inline review comment on the relevant line.

Merge gate

A vault-audit commit status is set to failure when there are blocking findings and success when there are none (or all have been addressed). You can add this as a required status check in branch protection to enforce it.

Resolving findings

Each blocking finding thread has the instruction: reply /resolved <reason> directly on this thread to address it. When an authorized reviewer does so, the workflow checks whether all other blocking threads also have a /resolved reply. If yes, the commit status flips to success. If not, it posts a summary showing how many remain.

This means each finding must be individually acknowledged with a reason — there is no single "approve all" shortcut. The reasons are preserved in the thread history for audit purposes.

Skipping the audit

If the changes are intentional and an audit is not needed, an authorized reviewer can comment /vault-audit skip <reason> on the PR. This sets the commit status to success immediately and records the reason in a PR comment. The skip only applies to the current HEAD SHA — pushing new vault file changes will require a fresh audit.

Re-running

Commenting /vault-audit again re-runs the full audit. The previous set of inline comments and the summary comment are automatically deleted before the new results are posted, so there is always exactly one active set of findings on the PR.

---

Files added

File	Purpose
.github/workflows/vault-audit-gate.yml	Blocks merge if the vault-audit status is absent or failing
.github/workflows/vault-audit-commands.yml	Handles /vault-audit and /vault-audit skip <reason> PR comments
.github/workflows/vault-audit-thread-commands.yml	Handles /resolved <reason> replies on individual finding threads

The audit itself runs in the private repo as a reusable workflow and is called from vault-audit-commands.yml.

[github-actions]

✅ No conflicts with other open PRs targeting develop

[chainchad]

Since this repo isn't public, you won't be able to this resuable workflow.