feat: add comprehensive security scanning and hardening tools

Implements 11 new security MCP tools across 4 categories:

## Vulnerability Scanning
- scan_container_vulnerabilities: Scan Docker images with Trivy/Grype
- scan_filesystem_vulnerabilities: Scan filesystems for CVEs (LXC containers)

## Secrets Detection
- scan_secrets_in_file: Detect exposed credentials in config files
- scan_secrets_in_directory: Recursive secrets scanning
- scan_docker_config_secrets: Check Docker registry credentials

Detects 16+ secret patterns:
- Cloud credentials (AWS, GitHub, Slack, Stripe, Twilio, etc.)
- Private keys (RSA, DSA, EC, OpenSSH)
- Database connection strings
- JWT tokens, Docker auth, NPM tokens

## Firewall Management
- get_firewall_status: View firewall state (UFW/iptables)
- list_firewall_rules: List all rules with numbers
- add_firewall_rule: Add allow/deny rules
- delete_firewall_rule: Remove rules by number

Supports UFW (Ubuntu/Debian) and iptables fallback.

## CIS Benchmarks
- run_cis_benchmark: Security posture assessment

Profiles: basic (10+ checks), intermediate (15+ checks), comprehensive (20+ checks)

Check categories:
- Filesystem permissions (passwd, shadow, SSH config)
- SSH security (root login, password auth, empty passwords)
- Network hardening (IP forwarding, ICMP redirects)
- System auditing (auditd)
- User account security (UID 0, password complexity)
- Firewall configuration

Returns security score with remediation steps.

## Infrastructure
- New scopes: security:read, security:scan, security:write, security:admin
- Risk levels: low (scanning), moderate (filesystem), critical (firewall changes)
- Approval gates for firewall modifications
- Comprehensive tests with unit and integration coverage

Files:
- src/services/security_scanner.py (Trivy/Grype integration)
- src/services/secrets_scanner.py (16+ regex patterns)
- src/services/firewall_manager.py (UFW/iptables)
- src/services/cis_checker.py (Linux hardening checks)
- src/tools/security_tools.py (11 MCP tools)
- src/auth/scopes.py (security scopes)
- tests/test_security_tools.py (test coverage)

Author: claude

src/auth/scopes.py

@@ -37,7 +37,13 @@ class Scope(str, Enum):
     CONTAINER_ADMIN = "container:admin"   # Update containers, pull images
     SYSTEM_ADMIN = "system:admin"        # Install packages, system updates
     DOCKER_ADMIN = "docker:admin"        # Full Docker access
-    
+
+    # Security scopes
+    SECURITY_READ = "security:read"      # View security scans, assessments
+    SECURITY_SCAN = "security:scan"      # Run vulnerability scans
+    SECURITY_WRITE = "security:write"    # Modify firewall rules (high risk)
+    SECURITY_ADMIN = "security:admin"    # Full security management
+
     # Meta scopes
     ADMIN = "admin"                      # All permissions
     READ_ONLY = "readonly"               # All read permissions
@@ -210,6 +216,84 @@ class ToolScopeRequirement:
         requires_approval=True,
         description="Install system packages (code execution risk)"
     ),
+
+    # Security Tools - Vulnerability Scanning
+    "scan_container_vulnerabilities": ToolScopeRequirement(
+        tool_name="scan_container_vulnerabilities",
+        required_scopes=[Scope.SECURITY_SCAN],
+        risk_level="low",
+        description="Scan containers for vulnerabilities"
+    ),
+    "scan_filesystem_vulnerabilities": ToolScopeRequirement(
+        tool_name="scan_filesystem_vulnerabilities",
+        required_scopes=[Scope.SECURITY_SCAN],
+        risk_level="moderate",
+        description="Scan filesystem for vulnerabilities"
+    ),
+
+    # Security Tools - Secrets Scanning
+    "scan_secrets_in_file": ToolScopeRequirement(
+        tool_name="scan_secrets_in_file",
+        required_scopes=[Scope.SECURITY_SCAN],
+        risk_level="moderate",
+        description="Scan file for exposed secrets"
+    ),
+    "scan_secrets_in_directory": ToolScopeRequirement(
+        tool_name="scan_secrets_in_directory",
+        required_scopes=[Scope.SECURITY_SCAN],
+        risk_level="moderate",
+        description="Scan directory for exposed secrets"
+    ),
+    "scan_docker_config_secrets": ToolScopeRequirement(
+        tool_name="scan_docker_config_secrets",
+        required_scopes=[Scope.SECURITY_SCAN],
+        risk_level="moderate",
+        description="Scan Docker config for credentials"
+    ),
+
+    # Security Tools - Firewall Management
+    "get_firewall_status": ToolScopeRequirement(
+        tool_name="get_firewall_status",
+        required_scopes=[Scope.SECURITY_READ],
+        risk_level="low",
+        description="View firewall status"
+    ),
+    "list_firewall_rules": ToolScopeRequirement(
+        tool_name="list_firewall_rules",
+        required_scopes=[Scope.SECURITY_READ],
+        risk_level="low",
+        description="List firewall rules"
+    ),
+    "add_firewall_rule": ToolScopeRequirement(
+        tool_name="add_firewall_rule",
+        required_scopes=[Scope.SECURITY_WRITE],
+        risk_level="critical",
+        requires_approval=True,
+        description="Add firewall rule (can lock out access)"
+    ),
+    "delete_firewall_rule": ToolScopeRequirement(
+        tool_name="delete_firewall_rule",
+        required_scopes=[Scope.SECURITY_WRITE],
+        risk_level="critical",
+        requires_approval=True,
+        description="Delete firewall rule (can expose services)"
+    ),
+
+    # Security Tools - CIS Benchmarks
+    "run_cis_benchmark": ToolScopeRequirement(
+        tool_name="run_cis_benchmark",
+        required_scopes=[Scope.SECURITY_READ],
+        risk_level="low",
+        description="Run CIS security assessment"
+    ),
+
+    # Security Tools - Utility
+    "get_security_scanner_info": ToolScopeRequirement(
+        tool_name="get_security_scanner_info",
+        required_scopes=[Scope.SECURITY_READ],
+        risk_level="low",
+        description="Get security scanner availability"
+    ),
 }
 
 
@@ -235,6 +319,7 @@ def expand_scopes(scopes: List[str]) -> Set[str]:
             Scope.NETWORK_READ,
             Scope.CONTAINER_READ,
             Scope.FILE_READ,
+            Scope.SECURITY_READ,
         ])
 
     return expanded