add static analysis + deliberation pipeline

tests/fixtures/conflict-security-complexity.diff

@@ -0,0 +1,57 @@
+diff --git a/src/validator.py b/src/validator.py
+index 1234567..abcdefg 100644
+--- a/src/validator.py
++++ b/src/validator.py
+@@ -1,10 +1,45 @@
+ """Input validation module."""
+
+ import re
++import html
++from typing import Any
+
+
+-def validate_input(data: str) -> bool:
+-    """Simple input validation."""
+-    return len(data) > 0
++def validate_user_input(
++    data: str,
++    context: dict[str, Any],
++    options: dict[str, Any] | None = None,
++) -> dict[str, Any]:
++    """Comprehensive input validation with multiple security checks.
++
++    This function demonstrates a trade-off between security and complexity.
++    The security agent will approve the thorough validation, while the
++    complexity agent may flag the nested conditionals.
++    """
++    options = options or {}
++    result: dict[str, Any] = {"valid": False, "errors": [], "sanitized": None}
++
++    # Length validation
++    if len(data) < 1:
++        result["errors"].append("Input cannot be empty")
++        return result
++
++    if len(data) > options.get("max_length", 10000):
++        result["errors"].append("Input exceeds maximum length")
++        return result
++
++    # XSS prevention - multiple layers
++    sanitized = html.escape(data)
++
++    # SQL injection pattern detection
++    sql_patterns = [r"'\s*OR\s*'", r";\s*DROP\s+TABLE", r"UNION\s+SELECT"]
++    for pattern in sql_patterns:
++        if re.search(pattern, data, re.IGNORECASE):
++            result["errors"].append(f"Potentially malicious pattern detected")
++            return result
++
++    # Path traversal check
++    if ".." in data or data.startswith("/"):
++        if not options.get("allow_paths", False):
++            result["errors"].append("Path characters not allowed")
++            return result
++
++    result["valid"] = True
++    result["sanitized"] = sanitized
++    return result