Run PR security scans with Superagent

[homanp]

Summary

• Replace the delegated PR scan API with an in-app Superagent scanner powered by Flue, Daytona, Azure-hosted Kimi, and the checked-in CI/CD security skill.
• Report PR security concerns as inline review comments while keeping contributor trust separate and locally scored.
• Update Railway/Docker startup so the GitHub app runs alongside a prebuilt internal Flue service, and rebrand visible checks/links to Superagent.

Test plan

• bunx --bun tsc --noEmit
• bunx --bun vitest run src/services/__tests__/prScan.test.ts src/services/__tests__/prScanner.test.ts src/services/__tests__/comments.test.ts src/services/__tests__/config.test.ts src/lib/__tests__/policy.test.ts src/lib/__tests__/azureKimi.test.ts
• bunx --bun flue build --target node --output .flue-dist
• docker build -t brin-github-flue-daytona-test .
• Live-tested against Grok CLI PRs: benign PRs passed with 0 inline comments; malicious PRs failed with inline review comments.

[superagent-security]

Brin PR Security Scan

This PR has findings that should be reviewed.

• Score: 36/100
• Verdict: suspicious

Findings:

• security_sabotage: Security tooling config modified: .gitignore

_{Analyzed by Brin}

[homanp]

@cursor review

[cursor]

Cursor Bugbot has reviewed your changes and found 3 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 53428f7. Configure here.}