fix(cli): Security review plugins prompt update

[shashank-factory]

Summary

Updates the security review plugin prompt to automatically generate a threat model when one is missing, instead of simply noting its absence, and adds handling for stale threat models.

Changes

• Auto-generate missing threat models: When .factory/threat-model.md does not exist, the prompt now instructs Droid to invoke the threat-model-generation skill to create one and use it as context, rather than deferring generation to a separate process.
• Stale threat model handling: Added a new condition for threat models older than 90 days — the prompt notes them as potentially stale but proceeds with the existing file.
• Clarified existing model path: The "exists and current" case is now explicitly labeled for clarity.

Implementation Details

Single file change in src/create-prompt/templates/security-review-prompt.ts, modifying the "Step 1: Threat Model Check" section of the security review prompt template (+3 / −2 lines).

Testing

[To be filled by author]

Related Issues

[To be filled by author]

[factory-droid]

Droid finished @shashank-factory's task —— View job

---

[factory-droid]

Droid finished @shashank-factory's task —— View job

---

[factory-droid]

This PR updates the security review prompt to generate a threat model when missing and to flag potentially stale ones. No high-confidence correctness or security issues were found in the change.