feat: add Security module and Factory Model for scale

Major additions to the framework:

Security Module (core/security/):
- Secure code generation with OWASP-aware prompts
- Security gates (SAST, secrets, dependencies)
- Supply chain security for AI pipelines
- Audit trail for AI-generated code

Factory Model (core/factory-model/):
- Multi-agent orchestration
- Batch pipeline for overnight generation
- Automated pre-review gates
- Metrics dashboard

Author: laugiov

README.md

@@ -1,125 +1,195 @@
-# AI-Driven Development Framework
+# Agentic Development Framework
 
 [![Documentation](https://img.shields.io/badge/docs-99%20files-blue)](./DOCUMENTATION_INDEX.md)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](./LICENSE)
 
-> A **technology-agnostic framework** for autonomous AI-driven software delivery — from Issue to PR with human oversight at defined checkpoints.
+> **A methodology framework for AI-assisted software development.** Structure your AI coding workflow with checkpoints, escalation rules, and human oversight to ship quality code faster.
 
 ---
 
-## What This Repo Is
+## What Problem This Solves
 
-1. **An agentic development framework** for autonomous Issue→PR workflows where AI agents plan, implement, test, and deliver with human oversight at defined checkpoints.
+AI coding assistants can generate code fast, but without structure:
+- Developers spend too much time validating AI output
+- Quality is inconsistent across sessions
+- Security issues slip through
+- No clear process for when to trust vs. verify
 
-2. **A methodology** for writing unambiguous, security-by-design documentation that enables AI coding assistants to implement systems without drifting from standards.
+This framework provides **guardrails** that make AI-assisted development predictable, secure, and scalable.
 
-3. **A complete example** demonstrating the methodology applied to a real-world platform (PHP/Symfony/Kubernetes).
+---
 
-## What This Repo Is NOT
+## What This Framework Provides
 
-- Not tied to any specific technology stack
-- Not a prompt library or "magic" AI coding tricks
-- Not autonomous execution without human supervision
+| Component | Purpose |
+|-----------|---------|
+| **Checkpoints** (C0→C3) | Structured workflow: Scope → Plan → Implement → PR |
+| **Escalation Rules** | When AI must stop and ask the human |
+| **Quality Gates** | Automated + human verification at each stage |
+| **Security Module** | DevSecOps for AI-generated code |
+| **Factory Model** | Scale to multiple agents and batch processing |
 
 ---
 
 ## Start Here
 
 | Your Goal | Start With |
 |-----------|------------|
-| **Apply to your own project** | [BOOTSTRAP_NEW_PROJECT.md](runtime/golden-path/BOOTSTRAP_NEW_PROJECT.md) |
-| Explore agentic workflows | [core/README.md](core/README.md) |
-| Understand the methodology | [METHODOLOGY.md](METHODOLOGY.md) |
-| See a complete example | [examples/php-symfony-k8s/](examples/php-symfony-k8s/) |
-| Find your path by profile | [REPO_MAP.md](REPO_MAP.md) |
+| **Apply to your project** | [Bootstrap Guide](runtime/golden-path/BOOTSTRAP_NEW_PROJECT.md) |
+| Learn the workflow | [Agent Quickstart](runtime/golden-path/QUICKSTART_AGENT.md) |
+| Understand checkpoints | [Checkpoints Spec](core/spec/CHECKPOINTS.md) |
+| See real examples | [Case Studies](case-studies/) |
+| Scale to teams | [Factory Model](core/factory-model/) |
+| Secure AI code | [Security Module](core/security/) |
 
 ---
 
-## Repository Structure
+## The Core Workflow
 
 ```
-├── [Framework]
-│   ├── core/                  Agent operating model, checkpoints, templates
-│   ├── runtime/               Quickstarts, prompts, quality gates
-│   ├── bench/                 10 benchmark tasks, scoring, runner
-│   └── tools/                 Validation utilities
-│
-├── [Examples]
-│   └── php-symfony-k8s/       Complete reference implementation
-│
-├── [Methodology]              README, METHODOLOGY, GLOSSARY
-├── [Case Studies]             case-studies/
-└── [Supporting]               LICENSE, CONTRIBUTING, .github/
+┌─────────────────────────────────────────────────────────────┐
+│                    BEFORE ANY WORK                          │
+│   Check Escalation Triggers → If any apply → STOP → Ask     │
+└─────────────────────────────────────────────────────────────┘
+                              │
+                              ▼
+┌─────────────────────────────────────────────────────────────┐
+│ C0: SCOPE                                                    │
+│ • Understand the task                                       │
+│ • Define what's in/out of scope                             │
+│ • Identify affected files                                   │
+└─────────────────────────────────────────────────────────────┘
+                              │
+                              ▼
+┌─────────────────────────────────────────────────────────────┐
+│ C1: PLAN (for non-trivial tasks)                            │
+│ • Document approach                                         │
+│ • Identify risks                                            │
+│ • Get human validation if needed                            │
+└─────────────────────────────────────────────────────────────┘
+                              │
+                              ▼
+┌─────────────────────────────────────────────────────────────┐
+│ C2: IMPLEMENT                                                │
+│ • Write code following plan                                 │
+│ • Run tests                                                 │
+│ • Pass automated gates                                      │
+└─────────────────────────────────────────────────────────────┘
+                              │
+                              ▼
+┌─────────────────────────────────────────────────────────────┐
+│ C3: PR & PROOFS                                              │
+│ • Document what was done                                    │
+│ • Provide evidence (tests, screenshots)                     │
+│ • Human reviews and approves                                │
+└─────────────────────────────────────────────────────────────┘
 ```
 
-Full index: [DOCUMENTATION_INDEX.md](DOCUMENTATION_INDEX.md)
-
 ---
 
-## The Framework
+## Escalation Rules — The Highest Value Component
+
+AI agents must **stop and ask** when:
 
-### Agent Operating Model
+| Trigger | Example |
+|---------|---------|
+| Architecture decisions | New service, schema change, new dependency |
+| Security concerns | Auth changes, crypto, access control |
+| Data handling | PII, migrations, retention policies |
+| Breaking changes | API changes, deprecations |
+| Uncertainty | Multiple valid approaches, unclear requirements |
 
-Defines how AI agents work autonomously within boundaries:
-- **5 Roles**: Manager, Planner, Implementer, Tester, Reviewer
-- **Workflow**: Plan → Act → Observe → Fix
-- **Checkpoints**: C0 (scope) → C1 (plan) → C2 (implement) → C3 (PR)
+See [ESCALATION_RULES.md](core/agent-operating-model/ESCALATION_RULES.md)
 
-See [core/agent-operating-model/](core/agent-operating-model/)
+---
 
-### Escalation Rules
+## Task Size → Workflow
 
-When agents must pause and request human input:
-- Architecture decisions
-- Security concerns
-- Multiple valid approaches
-- Iteration limits reached
+Not every task needs the full workflow:
 
-See [core/agent-operating-model/ESCALATION_RULES.md](core/agent-operating-model/ESCALATION_RULES.md)
+| Size | Lines | Workflow |
+|------|-------|----------|
+| **Trivial** | < 10 | Fast Path (C0 + C3 only) |
+| **Small** | 10-50 | Lite (C0 + C2 + C3) |
+| **Medium** | 50-200 | Full (C0 → C1 → C2 → C3) |
+| **Large** | > 200 | Full + Extra Review |
 
-### Quality Gates
+---
 
-Definition of Done by change type:
-- Documentation, code, configuration, schema changes
-- Machine-checkable and human-judgment criteria
+## Repository Structure
 
-See [runtime/quality-gates/](runtime/quality-gates/)
+```
+├── core/
+│   ├── agent-operating-model/   Roles, escalation, golden rules
+│   ├── spec/                    Checkpoints, templates
+│   ├── security/                DevSecOps for AI code
+│   └── factory-model/           Scale: multi-agent, batch, metrics
+│
+├── runtime/
+│   ├── golden-path/             Quickstarts, bootstrap
+│   ├── prompts/                 System prompts for agents
+│   └── quality-gates/           Definition of done
+│
+├── case-studies/                Real workflow examples
+├── bench/                       Benchmark tasks
+├── examples/php-symfony-k8s/    Complete reference implementation
+└── tools/                       Validation utilities
+```
 
 ---
 
-## Key Principles
+## Security Module — Your Competitive Edge
 
-### Explicit Over Implicit
-Every decision includes justification. AI agents follow documented reasoning, not guesses.
+AI-generated code needs additional security controls:
 
-### Validation Checkpoints
-Every workflow stage includes verification criteria for self-validation.
+| Component | Purpose |
+|-----------|---------|
+| [Secure Code Generation](core/security/SECURE_CODE_GENERATION.md) | Security-aware prompts, OWASP rules |
+| [Security Gates](core/security/SECURITY_GATES.md) | SAST, secrets detection, dependency scanning |
+| [Supply Chain Security](core/security/SUPPLY_CHAIN_SECURITY.md) | Dependencies, AI model trust |
+| [Audit Trail](core/security/AUDIT_TRAIL.md) | Traceability for all AI-generated code |
 
-### Human at the Checkpoints
-Autonomous execution within bounds; escalation and approval at defined gates.
+---
+
+## Factory Model — Scale to Teams
+
+When you need more than 1 developer + 1 AI:
 
-### Technology Agnostic
-The framework applies to any stack. Adapt checkpoints and prompts to your tools.
+| Component | Purpose |
+|-----------|---------|
+| [Multi-Agent Orchestration](core/factory-model/MULTI_AGENT_ORCHESTRATION.md) | Coordinate N agents on M tasks |
+| [Batch Pipeline](core/factory-model/BATCH_PIPELINE.md) | Overnight code generation |
+| [Automated Gates](core/factory-model/AUTOMATED_GATES.md) | Pre-review quality checks |
+| [Metrics Dashboard](core/factory-model/METRICS_DASHBOARD.md) | Track and optimize |
 
 ---
 
-## Examples
+## Adoption Levels
 
-### PHP/Symfony/Kubernetes
+| Level | Files | Time to Start |
+|-------|-------|---------------|
+| **Micro** | 2 files | 10 minutes |
+| **Minimal** | 6 files | 30 minutes |
+| **Full** | Complete framework | 2 hours |
+| **Factory** | + Scale modules | 1 week |
 
-A complete reference implementation with documentation files:
+See [Bootstrap Guide](runtime/golden-path/BOOTSTRAP_NEW_PROJECT.md)
+
+---
+
+## Key Principles
+
+### Human at the Checkpoints
+AI executes autonomously within bounds. Humans approve at defined gates.
 
-| Area | Content |
-|------|---------|
-| Architecture | Hexagonal, DDD, microservices |
-| Security | Zero Trust, OAuth2, Vault |
-| Infrastructure | Kubernetes, Istio, observability |
-| Development | Coding standards, testing, APIs |
-| Operations | Monitoring, incident response, DR |
+### Escalation Over Assumption
+When in doubt, the AI asks. It's faster to clarify than to fix bad code.
 
-See [examples/php-symfony-k8s/](examples/php-symfony-k8s/)
+### Proportional Process
+Trivial tasks get fast path. Complex tasks get full workflow.
 
-*More examples welcome via contributions.*
+### Security by Default
+Every line of AI-generated code goes through security gates.
 
 ---
 
@@ -137,4 +207,4 @@ MIT License — See [LICENSE](LICENSE) for details.
 
 ---
 
-*A technology-agnostic framework for AI-driven software delivery.*
+*A methodology framework for AI-assisted software development — ship quality code faster with human oversight.*