security: Complete comprehensive security vulnerability assessment

[devin-ai-integration]

Description

This PR completes a comprehensive security vulnerability assessment across all 6 Teal Agents repository components using pip-audit. The key finding is that no security vulnerabilities exist in project dependencies - all components already have safe dependency versions.

The assessment also identified and fixed a configuration issue in workflow-orchestrator where the Python version requirement was misaligned with ska-utils dependencies.

Changes

Security Assessment & Documentation

• Added comprehensive security assessment report (SECURITY_ASSESSMENT.md) documenting findings across all components
• Created security scanning documentation (docs/security/SCANNING.md) with methodology and best practices
• Added automation script (scripts/scan_security.sh) for future security scans
• All components found to have safe aiohttp versions (3.12.15 >= required 3.12.14)

Configuration Fix

• Fixed workflow-orchestrator Python version requirement from >=3.11 to >=3.12 in pyproject.toml
• Updated .python-version from 3.11 to 3.12.8 to align with ska-utils dependency requirements
• Regenerated uv.lock with Python 3.12.8 compatibility (verified successful uv sync)

Key Security Findings

• ✅ No vulnerabilities found in any project dependencies
• ✅ aiohttp 3.12.15 already installed (safe version, fix needed 3.12.14)
• ⚠️ pip vulnerability is system-level only, not a project dependency
• 🔍 Initial false positives were due to pip-audit scanning system Python instead of uv environments

Type of Change

• Documentation
• Bugfix (workflow-orchestrator configuration)
• New feature
• Refactor
• Other

Testing Performed

• ✅ workflow-orchestrator syncs successfully with Python 3.12.8
• ✅ ska_utils tests pass (68 tests)
• ✅ sk-agents tests pass (162 tests)
• ✅ Security scanning automation script is executable
• ✅ All components verified to have safe dependency versions

Human Review Checklist

Critical Items:

• Verify workflow-orchestrator functionality - ensure Python 3.12.8 doesn't break existing functionality
• Review uv.lock changes - the file was 85% rewritten, check for unexpected dependency changes
• Validate security conclusions - confirm that no vulnerabilities actually exist by spot-checking key components
• Test automation script - verify scripts/scan_security.sh works correctly in your environment

Secondary Items:

• Review security assessment methodology for accuracy
• Confirm documentation is clear and actionable
• Verify all test suites still pass in CI

Additional Comments

Link to Devin run: https://app.devin.ai/sessions/72d12039b2594d93b370a5b5b9188426
Requested by: @thepollari

Important: The initial pip-audit scans reported false positives because they scanned system Python instead of uv-managed virtual environments. The corrected methodology using uv pip freeze + pip-audit --requirement shows all components are secure.

The workflow-orchestrator configuration fix was necessary because it required Python >=3.11 while ska-utils (a dependency) requires >=3.12, preventing proper dependency resolution.

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring