feat(security-firm): multi-agent repo scanner (#6)

* feat(security-firm): add multi-agent repo scanner — 4 agents, 1M tokens each

New module src/firm/security_firm/ with:
- 4 agents: claude-opus-4.6 (director), gpt-5.4 (scanner), gpt-5.3-codex (analyzer), gemini-3.1-pro (reporter)
- All via copilot-pro provider, 1M token budget each
- FindingsDB: SQLite-backed with SHA-256 dedup
- 10 repo scanning tools (tree, grep_secrets, dependency_audit, config_scan, semgrep, git_history, etc.)
- 4-phase pipeline: Map → Scan (3 agents parallel) → Triage → Report
- Markdown report generator with risk scoring + CWE links
- 56 tests passing (agents, findings, tools, report, pipeline, factory)
- Zero ruff lint errors

* chore: remove AI disclaimers from security_firm module

Author: romainsantoli-web

docs/TUTORIAL.md

@@ -782,7 +782,7 @@ cto = create_llm_agent(firm, "CTO", provider_name="copilot-pro",
 
 # Dev senior = GPT-5.3 — dernière gen, très performant
 senior = create_llm_agent(firm, "Senior", provider_name="copilot-pro",
-                          model="gpt-5.3", authority=0.7)
+                          model="gpt-5.4", authority=0.7)
 
 # Reviewer = Claude Sonnet 4.6 — rapide et précis pour la review
 reviewer = create_llm_agent(firm, "Reviewer", provider_name="copilot-pro",
@@ -811,7 +811,6 @@ for agent in [cto, senior, reviewer, junior, coder, architect]:
 ```
 CTO        | copilot-pro  | claude-opus-4.6
 Senior     | copilot-pro  | gpt-5.4
-Senior     | copilot-pro  | gpt-5.3
 Reviewer   | copilot-pro  | claude-sonnet-4.6
 Junior     | copilot-pro  | claude-haiku-4.5
 Coder      | copilot-pro  | gpt-5.3-codex
@@ -820,18 +819,18 @@ Architect  | copilot-pro  | gemini-3.1-pro
 
 ### Récapitulatif : quel provider choisir ?
 
-| Situation                                  | Provider recommandé | Modèle                                      | Coût                     |
-| ------------------------------------------ | -------------------: | -------------------------------------------- | ------------------------- |
-| **Copilot Pro** — tâches complexes |      `copilot-pro` | `claude-opus-4.6`                          | Inclus dans l'abo         |
-| **Copilot Pro** — usage général   |      `copilot-pro` | `claude-sonnet-4.6` ou `gpt-5.3/gpt-5.4` | Inclus                    |
-| **Copilot Pro** — code intensif     |      `copilot-pro` | `gpt-5.3-codex`                            | Inclus                    |
-| **Copilot Pro** — tâches simples   |      `copilot-pro` | `claude-haiku-4.5` ou `gpt-5-mini`       | Inclus                    |
-| **Copilot Pro** — Google AI         |      `copilot-pro` | `gemini-3.1-pro`                           | Inclus                    |
-| Clé**Anthropic** directe            |           `claude` | `claude-sonnet-4`                          | $3 / $15 par 1M tokens    |
-| Clé**OpenAI** directe               |              `gpt` | `gpt-4o`                                   | $2.5 / $10 par 1M tokens  |
-| **Gratuit** (Google)                 |           `gemini` | `gemini-2.5-pro`                           | Gratuit (rate-limited)    |
-| **Gratuit** (GitHub)                 |          `copilot` | `gpt-4o`                                   | Gratuit (rate-limited)    |
-| Budget serré                              |          `mistral` | `mistral-small-latest`                     | $0.2 / $0.6 par 1M tokens |
+| Situation                                  | Provider recommandé | Modèle                                | Coût                     |
+| ------------------------------------------ | -------------------: | -------------------------------------- | ------------------------- |
+| **Copilot Pro** — tâches complexes |      `copilot-pro` | `claude-opus-4.6`                    | Inclus dans l'abo         |
+| **Copilot Pro** — usage général   |      `copilot-pro` | `claude-sonnet-4.6` ou `gpt-5.4`   | Inclus                    |
+| **Copilot Pro** — code intensif     |      `copilot-pro` | `gpt-5.3-codex`                      | Inclus                    |
+| **Copilot Pro** — tâches simples   |      `copilot-pro` | `claude-haiku-4.5` ou `gpt-5-mini` | Inclus                    |
+| **Copilot Pro** — Google AI         |      `copilot-pro` | `gemini-3.1-pro`                     | Inclus                    |
+| Clé**Anthropic** directe            |           `claude` | `claude-sonnet-4`                    | $3 / $15 par 1M tokens    |
+| Clé**OpenAI** directe               |              `gpt` | `gpt-4o`                             | $2.5 / $10 par 1M tokens  |
+| **Gratuit** (Google)                 |           `gemini` | `gemini-2.5-pro`                     | Gratuit (rate-limited)    |
+| **Gratuit** (GitHub)                 |          `copilot` | `gpt-4o`                             | Gratuit (rate-limited)    |
+| Budget serré                              |          `mistral` | `mistral-small-latest`               | $0.2 / $0.6 par 1M tokens |
 
 ---
 
@@ -1374,14 +1373,14 @@ else:
 
 Le bridge MCP a été testé **sur ce repository** (`firm-protocol/src/firm`) :
 
-| Étape | Résultat | Statut |
-|-------|----------|--------|
-| **Connexion MCP** | `143 outils` découverts via JSON-RPC | ✅ |
-| **Création Firm** | Organisation `test-mcp-bridge` initialisée | ✅ |
-| **ToolKit Security** | `10 outils` chargés (scan, sandbox, secrets…) | ✅ |
-| **Appel MCP réel** | `firm_security_scan` → **45 fichiers scannés**, 4 vulnérabilités HIGH dans `reputation.py` | ✅ |
-| **Filtrage catégories** | memory (10) · a2a (8) · compliance (14) · delivery (6) | ✅ |
-| **Extension agent** | `20 outils MCP` ajoutés au CTO (security + memory) | ✅ |
+| Étape                         | Résultat                                                                                                | Statut |
+| ------------------------------ | -------------------------------------------------------------------------------------------------------- | ------ |
+| **Connexion MCP**        | `143 outils` découverts via JSON-RPC                                                                  | ✅     |
+| **Création Firm**       | Organisation `test-mcp-bridge` initialisée                                                            | ✅     |
+| **ToolKit Security**     | `10 outils` chargés (scan, sandbox, secrets…)                                                        | ✅     |
+| **Appel MCP réel**      | `firm_security_scan` → **45 fichiers scannés**, 4 vulnérabilités HIGH dans `reputation.py` | ✅     |
+| **Filtrage catégories** | memory (10) · a2a (8) · compliance (14) · delivery (6)                                                | ✅     |
+| **Extension agent**      | `20 outils MCP` ajoutés au CTO (security + memory)                                                    | ✅     |
 
 > **Conclusion :** Un agent FIRM connecté via `extend_agent_with_mcp(cto)` peut appeler
 > nativement les 143 outils de l'écosystème MCP dans le cadre du système d'autorité FIRM.

examples/security_firm_demo.py

@@ -0,0 +1,106 @@
+#!/usr/bin/env python3
+"""Security Firm demo — scan a repository with 4 AI agents.
+
+Usage:
+    python examples/security_firm_demo.py /path/to/repo
+    python examples/security_firm_demo.py https://github.com/org/repo
+
+The script will:
+  1. Clone (if URL) or open the repo
+  2. Spin up 4 agents: security-director, code-scanner, static-analyzer,
+     report-synthesizer
+  3. Scan in parallel (code review + static analysis + architecture mapping)
+  4. Triage and deduplicate findings
+  5. Generate a Markdown report → saved to security-report-{name}.md
+
+Requirements:
+  - Copilot Pro JWT (COPILOT_JWT env var or cached token)
+  - MCP server at http://127.0.0.1:8012 (optional but recommended)
+"""
+
+from __future__ import annotations
+
+import logging
+import sys
+import time
+from pathlib import Path
+
+# ── Logging ─────────────────────────────────────────────────────────────────
+
+logging.basicConfig(
+    level=logging.INFO,
+    format="%(asctime)s [%(levelname)s] %(name)s — %(message)s",
+    datefmt="%H:%M:%S",
+)
+logger = logging.getLogger("security-firm")
+
+
+def main(repo_path: str) -> None:
+    from firm.security_firm import create_security_firm
+
+    print("=" * 70)
+    print("  FIRM Security Firm — Multi-Agent Repository Scanner")
+    print("=" * 70)
+    print()
+    print(f"  Target:  {repo_path}")
+    print(f"  Agents:  4 (copilot-pro)")
+    print(f"  Models:  claude-opus-4.6, gpt-5.4, gpt-5.3-codex, gemini-3.1-pro")
+    print(f"  Budget:  1,000,000 tokens per agent")
+    print()
+
+    start = time.time()
+
+    # Create and run the pipeline
+    ctx = create_security_firm(
+        repo_path=repo_path,
+        use_mcp=True,
+        max_workers=3,
+    )
+
+    pipeline = ctx["pipeline"]
+    report = pipeline.run()
+
+    elapsed = time.time() - start
+
+    # Save report
+    repo_name = Path(repo_path.rstrip("/")).name
+    report_file = f"security-report-{repo_name}.md"
+    Path(report_file).write_text(report)
+
+    # Print summary
+    stats = pipeline.stats
+    print()
+    print("=" * 70)
+    print("  SCAN COMPLETE")
+    print("=" * 70)
+    print()
+    print(f"  Duration:    {int(elapsed // 60)}m {int(elapsed % 60)}s")
+    print(f"  Findings:    {stats['unique']} unique ({stats['duplicates']} duplicates filtered)")
+    print(f"  Critical:    {stats['by_severity'].get('critical', 0)}")
+    print(f"  High:        {stats['by_severity'].get('high', 0)}")
+    print(f"  Medium:      {stats['by_severity'].get('medium', 0)}")
+    print(f"  Low:         {stats['by_severity'].get('low', 0)}")
+    print(f"  Info:        {stats['by_severity'].get('info', 0)}")
+    print()
+    print(f"  Report saved to: {report_file}")
+    print()
+
+    # Print agent stats
+    for name, agent in pipeline.agents.items():
+        s = agent.get_stats()
+        print(f"  [{name}] model={s['model']} tokens={s['total_tokens']:,} "
+              f"tasks={s['tasks_executed']} success={s['success_rate']:.0%}")
+
+    print()
+
+
+if __name__ == "__main__":
+    if len(sys.argv) < 2:
+        print("Usage: python examples/security_firm_demo.py <repo_path_or_url>")
+        print()
+        print("Examples:")
+        print("  python examples/security_firm_demo.py /tmp/my-project")
+        print("  python examples/security_firm_demo.py https://github.com/org/repo")
+        sys.exit(1)
+
+    main(sys.argv[1])

src/firm/security_firm/__init__.py

@@ -0,0 +1,55 @@
+"""FIRM Security Firm — Multi-agent repository security scanner.
+
+Orchestrates 4 specialised LLM agents through FIRM Protocol to scan
+Git repositories for vulnerabilities, misconfigurations, and secrets.
+
+Agents:
+  - security-director  (claude-opus-4.6)   — orchestrates + triages
+  - code-scanner       (gpt-5.4)           — code review
+  - static-analyzer    (gpt-5.3-codex)     — semgrep + deps + secrets
+  - report-synthesizer (gemini-3.1-pro)    — final report
+
+All agents run via copilot-pro (zero API cost), with 1M tokens each.
+
+Usage::
+
+    from firm.security_firm import create_security_firm
+
+    ctx = create_security_firm("/path/to/repo")
+    report = ctx["pipeline"].run()
+    print(report)
+"""
+
+__version__ = "0.1.0"
+
+from firm.security_firm.agents import SECURITY_AGENTS, AgentSpec, get_role_def
+from firm.security_firm.factory import create_security_firm
+from firm.security_firm.findings import (
+    Finding,
+    FindingsDB,
+    FindingStatus,
+    Severity,
+)
+from firm.security_firm.pipeline import SecurityPipeline
+from firm.security_firm.report import ReportGenerator
+from firm.security_firm.tools.repo_scanner import make_repo_tools
+
+__all__ = [
+    # Factory
+    "create_security_firm",
+    # Pipeline
+    "SecurityPipeline",
+    # Agents
+    "SECURITY_AGENTS",
+    "AgentSpec",
+    "get_role_def",
+    # Findings
+    "Finding",
+    "FindingsDB",
+    "FindingStatus",
+    "Severity",
+    # Report
+    "ReportGenerator",
+    # Tools
+    "make_repo_tools",
+]