From ec416a762bf595d7ca62597b067e6e5e83c0e0ac Mon Sep 17 00:00:00 2001 From: Shashank Sharma Date: Tue, 31 Mar 2026 13:29:48 -0700 Subject: [PATCH] security review plugins --- src/create-prompt/templates/security-review-prompt.ts | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/create-prompt/templates/security-review-prompt.ts b/src/create-prompt/templates/security-review-prompt.ts index b375099..089df9b 100644 --- a/src/create-prompt/templates/security-review-prompt.ts +++ b/src/create-prompt/templates/security-review-prompt.ts @@ -49,8 +49,9 @@ You have access to security skills from the security-engineer plugin (security-e ### Step 1: Threat Model Check - Check if \`.factory/threat-model.md\` exists in the repository -- If missing: Note this in the summary (threat model generation is done separately, not during PR review) -- If exists: Use it as context for the security scan +- If missing: Invoke the **threat-model-generation** skill to generate one, then use it as context +- If exists but older than 90 days: Note it may be stale, but proceed with existing +- If exists and current: Use it as context for the security scan ### Step 2: Security Scan - Invoke the **commit-security-scan** skill on the PR diff
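Review bot: In Step 1, the new "If exists but older than 90 days" branch does not say how the age of `.factory/threat-model.md` is measured. Filesystem modification time on a fresh checkout reflects when the repository was cloned, so the instruction should name the source, for example the date of the last commit that touched the file. The "If missing" branch now invokes **threat-model-generation** during PR review, reversing the removed note that generation is done separately, but it does not state whether the generated model is written to `.factory/threat-model.md` or used only for this run, nor whether it is built from the base branch or from the PR head. Spell that out, since a model derived from the PR's own changes is shaped by the code under review. The stale branch says "Note it may be stale" without saying where, and the missing branch no longer records anything in the summary as the removed line did; consider having both branches report in the summary so a reader can see which threat-model context the scan used.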