feat: add code-sentinel plugin for security scanning and refactoring

Adds security scanning via PreToolUse hooks + refactoring commands:
- PreToolUse hook catches security issues before code is written
- /security-scan command for comprehensive security audit
- /refactor command to apply refactoring patterns
- /refactor-dry command to preview refactoring opportunities
- security-reviewer agent for vulnerability analysis
- refactor-advisor agent for code structure improvements
- security-patterns skill for vulnerability detection rules

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

plugins/code-sentinel/commands/refactor-dry.md

@@ -0,0 +1,57 @@
+---
+description: Preview refactoring changes without applying them
+---
+
+# Refactor Dry Run
+
+Analyze and preview refactoring opportunities without making changes.
+
+## Usage
+```
+/refactor-dry <target> [--all]
+```
+
+**Target:** File path, function name, or "." for current file
+**--all:** Show all opportunities, not just recommended
+
+## Process
+
+1. **Scan Target**
+   Analyze code for refactoring opportunities.
+
+2. **Score Opportunities**
+   Each opportunity rated by:
+   - Impact (how much it improves code)
+   - Risk (likelihood of breaking something)
+   - Effort (complexity of the refactoring)
+
+3. **Output**
+```
+## Refactoring Opportunities: src/handlers.py
+
+### Recommended (High Impact, Low Risk)
+
+1. **extract-method** at lines 45-67
+   - Extract order validation logic
+   - Impact: High (reduces complexity from 12 to 4)
+   - Risk: Low (pure function, no side effects)
+   - Run: `/refactor src/handlers.py:45 --pattern=extract-method`
+
+2. **use-dataclass** for OrderInput class
+   - Convert to dataclass with validation
+   - Impact: Medium (reduces boilerplate)
+   - Risk: Low
+   - Run: `/refactor src/models.py:OrderInput --pattern=use-dataclass`
+
+### Optional (Consider Later)
+
+3. **use-fstring** at 12 locations
+   - Modernize string formatting
+   - Impact: Low (readability only)
+   - Risk: None
+
+### Summary
+- 2 recommended refactorings
+- 1 optional improvement
+- Estimated complexity reduction: 35%
+```

plugins/code-sentinel/commands/refactor.md

@@ -0,0 +1,81 @@
+---
+description: Apply refactoring patterns to improve code structure and maintainability
+---
+
+# Refactor
+
+Apply refactoring transformations to specified code.
+
+## Usage
+```
+/refactor <target> [--pattern=<pattern>]
+```
+
+**Target:** File path, function name, or "." for current context
+**Pattern:** Specific refactoring pattern (optional)
+
+## Available Patterns
+
+### Structure
+| Pattern | Description |
+|---------|-------------|
+| `extract-method` | Extract code block into named function |
+| `extract-class` | Move related methods to new class |
+| `inline` | Inline trivial function/variable |
+| `rename` | Rename with all references updated |
+| `move` | Move function/class to different module |
+
+### Simplification
+| Pattern | Description |
+|---------|-------------|
+| `simplify-conditional` | Flatten nested if/else |
+| `remove-dead-code` | Delete unreachable code |
+| `consolidate-duplicate` | Merge duplicate code blocks |
+| `decompose-conditional` | Break complex conditions into named parts |
+
+### Modernization
+| Pattern | Description |
+|---------|-------------|
+| `use-comprehension` | Convert loops to list/dict comprehensions |
+| `use-pathlib` | Replace os.path with pathlib |
+| `use-fstring` | Convert .format() to f-strings |
+| `use-typing` | Add type hints |
+| `use-dataclass` | Convert class to dataclass |
+
+## Process
+
+1. **Analyze Target**
+   - Parse code structure
+   - Identify refactoring opportunities
+   - Check for side effects and dependencies
+
+2. **Propose Changes**
+   - Show before/after diff
+   - Explain the improvement
+   - List affected files/references
+
+3. **Apply (with confirmation)**
+   - Make changes
+   - Update all references
+   - Run existing tests if available
+
+4. **Output**
+```
+## Refactoring: extract-method
+
+### Target
+src/handlers.py:create_order (lines 45-89)
+
+### Changes
+- Extracted validation logic → validate_order_input()
+- Extracted pricing logic → calculate_order_total()
+- Original function now 15 lines (was 44)
+
+### Files Modified
+- src/handlers.py
+- tests/test_handlers.py (updated calls)
+
+### Metrics
+- Cyclomatic complexity: 12 → 4
+- Function length: 44 → 15 lines
+```

plugins/code-sentinel/commands/security-scan.md

@@ -0,0 +1,64 @@
+---
+description: Full security audit of codebase - scans all files for vulnerability patterns
+---
+
+# Security Scan
+
+Comprehensive security audit of the project.
+
+## Process
+
+1. **File Discovery**
+   Scan all code files: .py, .js, .ts, .jsx, .tsx, .go, .rs, .java, .rb, .php, .sh
+
+2. **Pattern Detection**
+
+   ### Critical Vulnerabilities
+   | Pattern | Risk | Detection |
+   |---------|------|-----------|
+   | SQL Injection | High | String concat in SQL queries |
+   | Command Injection | High | shell=True, os.system with vars |
+   | XSS | High | innerHTML with user input |
+   | Code Injection | Critical | eval/exec with external input |
+   | Deserialization | Critical | pickle.loads, yaml.load unsafe |
+   | Path Traversal | High | File ops without sanitization |
+   | Hardcoded Secrets | High | API keys, passwords in code |
+   | SSRF | Medium | URL from user input in requests |
+
+   ### Code Quality Issues
+   | Pattern | Risk | Detection |
+   |---------|------|-----------|
+   | Broad Exceptions | Low | `except:` or `except Exception:` |
+   | Debug Statements | Low | print/console.log with data |
+   | TODO/FIXME Security | Medium | Comments mentioning security |
+   | Deprecated Functions | Medium | Known insecure functions |
+
+3. **Output Format**
+```
+## Security Scan Report
+
+### Critical (Immediate Action Required)
+🔴 src/db.py:45 - SQL Injection
+   Code: `f"SELECT * FROM users WHERE id = {user_id}"`
+   Fix: Use parameterized query: `cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))`
+
+### High
+🟠 config.py:12 - Hardcoded Secret
+   Code: `API_KEY = "sk-1234..."`
+   Fix: Use environment variable: `API_KEY = os.environ.get("API_KEY")`
+
+### Medium
+🟡 utils.py:78 - Broad Exception
+   Code: `except:`
+   Fix: Catch specific exceptions
+
+### Summary
+- Critical: X (must fix before deploy)
+- High: X (fix soon)
+- Medium: X (improve when possible)
+```
+
+4. **Exit Code Guidance**
+   - Critical findings: Recommend blocking merge/deploy
+   - High findings: Recommend fixing before release
+   - Medium/Low: Informational