blindpaylabs · alvseven · Nov 26, 2025 · Nov 20, 2025 · Nov 20, 2025 · Nov 21, 2025
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -1,4 +1,5 @@
 name: Lint Check
+
 on:
   workflow_call:
 

diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -1,4 +1,5 @@
 name: Main
+
 on:
   pull_request:
   push:
@@ -24,3 +25,9 @@ jobs:
     name: Tests
     needs: [lint, typecheck]
     uses: ./.github/workflows/tests.yaml
+
+  snyk:
+    name: Snyk
+    needs: [lint, typecheck, tests]
+    uses: ./.github/workflows/snyk.yaml
+    secrets: inherit
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
@@ -0,0 +1,19 @@
+name: Snyk Security Scan
+
+on: 
+    workflow_call:
+      secrets:
+        SNYK_TOKEN:
+          required: true
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/python@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --severity-threshold=high
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -1,4 +1,5 @@
 name: Tests
+
 on:
   workflow_call:
 

diff --git a/.github/workflows/typecheck.yaml b/.github/workflows/typecheck.yaml
@@ -1,4 +1,5 @@
 name: Type Check
+
 on:
   workflow_call:
 

diff --git a/.gitignore b/.gitignore
@@ -143,3 +143,6 @@ cython_debug/
 
 # uv
 .uv/
+
+# Snyk Security Extension - AI Rules (auto-generated)
+.cursor/rules/snyk_rules.mdc
-Original file line number
+Diff line change
@@ Expand Up / @@ -143,3 +143,6 @@ cython_debug/ @@
     # uv
     .uv/
+    # Snyk Security Extension - AI Rules (auto-generated)
+    .cursor/rules/snyk_rules.mdc