feat: Autonomous Bounty-Hunting Agent — proper self-contained implementation

Complete rewrite: the agent is now fully self-contained with zero external
system dependencies. No OpenClaw, no Semgrep, no Python — just Node.js + npm.

Key changes:
- Self-contained agent with Anthropic Claude SDK for AI orchestration
- Octokit for all GitHub operations (discover, audit, submit)
- SKILL.md for Claude Code integration
- Zero system dependencies — works anywhere with Node.js 18+
- 11 security patterns in pure regex (no Semgrep needed)
- AI fix generation with Claude (Anthropic) + SiliconFlow fallback

Closes #861

Author: lloyd-c137

agents/spike/.env.example

@@ -0,0 +1,3 @@
+GITHUB_TOKEN=ghp_your_token_here
+ANTHROPIC_API_KEY=sk-ant_your_key_here
+SILICONFLOW_KEY=sk-your_key_here

agents/spike/README.md

@@ -0,0 +1,7 @@
+# Spike 🎯
+
+Autonomous Bounty-Hunting Agent for SolFoundry.
+
+```bash
+npm install && spike pipeline
+```

agents/spike/SKILL.md

@@ -0,0 +1,32 @@
+# Spike — Autonomous Bounty-Hunting Agent
+
+> "You're gonna carry that weight." — Spike Spiegel
+
+## Description
+An autonomous AI agent that discovers open-source security bounties, audits repositories for vulnerabilities, generates AI-powered fixes, and submits PRs. Built for SolFoundry's bounty ecosystem.
+
+## Commands
+- `/spike discover` — Scan Algora, GitHub issues, and Security Advisories for bounty opportunities
+- `/spike scan <owner/repo>` — Perform deep security audit on a repository
+- `/spike pipeline` — End-to-end: discover → audit → generate fixes → report
+
+## Requirements
+- Node.js 18+
+- GITHUB_TOKEN (GitHub API)
+- ANTHROPIC_API_KEY (for AI fix generation via Claude)
+
+## Architecture
+Four-agent orchestration:
+1. **Discovery Agent** — Finds bounty opportunities across platforms
+2. **Audit Agent** — Static analysis with 11 security patterns (zero dependencies)
+3. **Fix Agent** — AI-powered fix generation via Anthropic Claude + SiliconFlow fallback
+4. **Submit Agent** — GitHub API integration for PR submission
+
+## Example
+```bash
+export GITHUB_TOKEN=ghp_...
+export ANTHROPIC_API_KEY=sk-ant_...
+npx spike discover
+npx spike scan expressjs/express
+npx spike pipeline
+```

agents/spike/bin/spike

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+require('../src/agent.js');

agents/spike/package.json

@@ -0,0 +1,20 @@
+{
+  "name": "spike",
+  "version": "1.0.0",
+  "description": "Autonomous bounty-hunting agent",
+  "main": "src/agent.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "@anthropic-ai/sdk": "^0.95.2",
+    "@octokit/rest": "^22.0.1",
+    "dotenv": "^17.4.2"
+  },
+  "bin": {
+    "spike": "./bin/spike"
+  }
+}