feat: upgrade agent team with browser, MCP, CLI tools, rules, and hooks

- Add Chrome browser access to 6 visual agents (18 tools each)
- Add Playwright access to 2 testing agents (22 tools each)
- Add 4 MCP servers: Postgres Pro, Redis, Lighthouse, Docker (.mcp.json)
- Add 3 new rules: testing.md, security.md, remotion-service.md
- Add Context7 library references to all domain agents
- Add CLI tool instructions per agent (curl, ffprobe, k6, semgrep, etc.)
- Update team protocol with new capabilities column
- Add orchestrator dispatch guidance for new agent capabilities
- Init git repo tracking docs + Claude config only

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.claude/rules/security.md

@@ -0,0 +1,27 @@
+# Security Conventions
+
+## Authentication
+- JWT tokens via get_current_user dependency injection
+- Passwords: bcrypt hash, never plain text
+- Token refresh: handled by users module
+
+## File Uploads
+- Validated by extension + MIME type in files module
+- Upload via uploadFile() from @shared/api/uploadFile — never raw FormData
+- Endpoint: /api/files/upload/
+
+## Secrets Management
+- All config via get_settings() (cached @lru_cache) — never hardcode
+- S3/MinIO credentials: env vars only, never in code or commits
+- JWT secret: env var, never in code
+
+## Data Protection
+- Soft deletes: is_deleted flag — ensure deleted records never leak through API responses
+- CORS: configured in main.py — restrict to frontend origin in production
+- SQL injection: prevented by SQLAlchemy parameterized queries — never use raw SQL strings
+- XSS: React auto-escapes — never use dangerouslySetInnerHTML
+
+## Scanning Tools (for Security Auditor agent)
+- Python SAST: semgrep + bandit (via uv run --group tools)
+- Dependency CVEs: pip-audit (via uv run --group tools)
+- Secret detection: gitleaks (via brew)