Add scheduled security scan workflow

manifest.json

@@ -16,6 +16,17 @@
     "Run the cheapest reliable verification command or document why it could not run.",
     "After pushing workflow-triggering commits, poll Gitea workflow runs until success or a concrete blocker."
   ],
+  "securityAutomation": {
+    "workflow": "files/security-scan-gitea.yml",
+    "target": ".gitea/workflows/security-scan.yml",
+    "schedule": "weekly",
+    "checks": [
+      "stack-specific dependency audit",
+      "suspicious code pattern scan",
+      "secret and config leak scan",
+      "AI instruction injection scan"
+    ]
+  },
   "readmeDivider": {
     "templateName": "section-line",
     "source": "https://raw.githubusercontent.com/andreasbm/readme/master/assets/lines/rainbow.png",
@@ -92,6 +103,11 @@
       "source": "files/build-gitea.yml",
       "target": ".gitea/workflows/build.yml",
       "required": false
+    },
+    {
+      "source": "files/security-scan-gitea.yml",
+      "target": ".gitea/workflows/security-scan.yml",
+      "required": false
     }
   ],
   "placeholders": [