Add scheduled security scan workflow

MrSphay
2026-05-03 22:01:41 +02:00
parent a218e338bd
commit 6308417945
8 changed files with 241 additions and 1 deletions


@@ -9,6 +9,7 @@ Read manifest.json first.
Use its copyMap for file destinations.
Use new-repository.md or existing-project.md as the task workflow.
Use matching profiles/*.md guidance after detecting the stack.
For releasable projects, add or preserve scheduled security automation.
Check git status before editing.
Preserve unrelated user changes.
Replace all applicable placeholders and remove non-applicable placeholder sections.
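Review bot: The new rule "For releasable projects, add or preserve scheduled security automation." has a narrower scope than the decision tree changed later in this commit, which triggers on "releasable or does it process user/secrets/config data". An agent that reads only this summary list will skip non-releasable projects that handle secrets or user data. Suggest using the same condition in both places, and naming the target file (.gitea/workflows/security-scan.yml) here so the rule is actionable without cross-referencing the tree.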
@@ -74,6 +75,10 @@ Does the project have CI?
yes -> patch existing workflow
no -> add .gitea/workflows/build.yml only when commands are known
Is the project releasable or does it process user/secrets/config data?
yes -> add .gitea/workflows/security-scan.yml or preserve equivalent scheduled security automation
no -> document why scheduled security automation is not needed
Are commands unknown?
yes -> document PENDING in .codex/project.md
no -> wire commands into AGENTS.md and CI
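Review bot: The `no` branch, "document why scheduled security automation is not needed", does not say where that justification goes, while the next question names its destination explicitly ("document PENDING in .codex/project.md"). Suggest naming a file, for example docs/security-review.md, which is already in the file list touched by this commit, so the decision is auditable later. Two smaller points on the `yes` branch: it is not gated on known commands the way build.yml is ("only when commands are known"), so it is unclear what the scan workflow should contain when the stack's commands are still PENDING, and "equivalent scheduled security automation" has no stated criterion for what counts as equivalent.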
@@ -123,6 +128,7 @@ docs/release-checklist.md
docs/security-review.md
docs/agent-handoff.md
.gitea/workflows/build.yml
.gitea/workflows/security-scan.yml
```
For README-generator projects:
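Review bot: The added entry `.gitea/workflows/security-scan.yml` appears in this list unconditionally, but the decision tree in the same commit adds that file only when the project is releasable or processes user/secrets/config data. If this list is read as the set of files every project must end up with, the two instructions conflict. Suggest marking the entry as conditional or pointing to the decision tree. The same applies to the build.yml entry just above it, which the tree adds "only when commands are known".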