prepare-security-prs
Audited by Socket on Feb 17, 2026
1 alert found:
Obfuscated File

The document is a reasonable, security-aware operational playbook for triaging dependency-update PRs. Its actions align with its stated purpose and it includes sensible safety rules (minimize diffs, avoid unrelated changes, push with --force-with-lease rather than --force). The main residual risks are operational rather than malicious: misuse of over-privileged GitHub tokens, unsafe force-pushes or branch rewrites if that option is enabled, and execution of repository-local test scripts without sandboxing. Recommended mitigations: enforce least-privilege, ephemeral tokens for the automation; require explicit opt-in and human approval before any branch rewrite; run tests in isolated runners with restricted network access; require more than one independent signal before any automated mutation of a PR; and audit-log every automated write action. There are no direct signs of malware or data exfiltration in the provided file itself.
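The following GitHub Actions workflow is an added illustration of the mitigations listed above; it is not part of the audited package and makes no claim about how prepare-security-prs itself is wired up. The workflow name, the allow_branch_rewrite input, the branch-rewrite environment and the npm test command are assumptions chosen for the example.

```yaml
# Added example, not code from the audited package: a dependency-PR automation
# job with least-privilege tokens, opt-in branch rewrites and sandboxed tests.
name: prepare-security-prs            # assumed name

on:
  workflow_dispatch:
    inputs:
      allow_branch_rewrite:           # assumed input: explicit opt-in to rewrite the branch
        description: "Allow the job to force-with-lease push the PR branch"
        type: boolean
        default: false

# Start from no permissions; each job requests only the scopes it needs.
# GITHUB_TOKEN is ephemeral and expires when the job finishes.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read                  # read-only: test scripts from the repo cannot push
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false  # do not leave the token in .git/config for scripts to read
      - name: Install dependencies (the only step that needs network access)
        run: npm ci                   # assumed: project uses npm
      - name: Run repository-local tests with no network
        # Repository-controlled scripts run inside a container with --network none,
        # so a malicious test cannot exfiltrate data or fetch a second stage.
        run: |
          docker run --rm --network none \
            -v "$PWD":/src -w /src node:20 npm test

  rewrite:
    needs: test
    if: ${{ inputs.allow_branch_rewrite }}   # no branch rewrite without explicit opt-in
    runs-on: ubuntu-latest
    environment: branch-rewrite              # assumed protected environment with required reviewers
    permissions:
      contents: write                        # the only job allowed to push
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Push with lease
        # --force-with-lease refuses the push if the remote branch moved since it was fetched,
        # so a concurrent human commit on the PR branch is never silently overwritten.
        run: git push --force-with-lease origin HEAD:${{ github.ref_name }}
```

The protected environment gives the human-approval gate: a reviewer must approve the rewrite job before it runs, and GitHub's audit log and workflow run history record who approved it and what was pushed. The test job never holds write scope, so even a compromised test script can only read the checkout it was given.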