Add Nucleus Scan: AI agent config security scanner #708

Open
brandon-coproduct wants to merge 1 commit into sdras:main from brandon-coproduct:add-nucleus-scan

@brandon-coproduct
Addition

Nucleus Scan — a deterministic security scanner for AI agent configurations, available as a GitHub Action.

What it does:

  • Scans Claude Code settings.json, MCP configs (.mcp.json), and PodSpec YAML
  • Detects capability escalation risks: unrestricted bash, credential exposure, exfiltration vectors
  • Projects permissions onto a formal capability lattice for mathematically rigorous analysis
  • Zero LLM required — fully deterministic, no false positive variance

GitHub Action usage:

- uses: coproduct-opensource/nucleus/scan@v1.0.9
  with:
    auto: true  # auto-discovers config files in repo

Why it fits under Security:

  • Purpose-built GitHub Action for scanning AI agent security configs in CI
  • Catches dangerous permission patterns before they reach production
  • Open source (MIT), written in Rust, actively maintained
