docs: add security scope restriction info to AGENTS.md (#301)

* Initial plan

* docs: add security scope restriction info to AGENTS.md

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

Author: Copilot

AGENTS.md

@@ -90,8 +90,10 @@ This downloads artifacts to `./artifacts-run-$RUN_ID` for local examination. Req
 - PR descriptions should be 1-2 sentences max
 
 **Allowed scopes for PR titles:** `cli`, `docker`, `squid`, `proxy`, `ci`, `deps`
-- Using scopes not in this list will cause the PR Title Check to fail
-- If unsure, omit the scope entirely (e.g., `test: add new tests` instead of `test(security): add new tests`)
+- Using scopes not in this list will cause the PR Title Check to fail with an error like:
+  `Error: Unknown scope "security" found in pull request title. Scope must match one of: cli, docker, squid, proxy, ci, deps.`
+- Common invalid scopes: `security`, `test`, `docs`, `core` - these are NOT allowed as scopes
+- If unsure, omit the scope entirely (e.g., `fix: replace .* regex with safer patterns` instead of `fix(security): replace .* regex with safer patterns`)
 
 **Common types:**
 - `feat`: New feature
@@ -107,9 +109,11 @@ This downloads artifacts to `./artifacts-run-$RUN_ID` for local examination. Req
 - ✅ `docs(template): fix duplicate heading in release template`
 - ✅ `feat: add new domain whitelist option`
 - ✅ `fix(cleanup): resolve container cleanup race condition`
+- ✅ `fix: replace .* regex with safer patterns` (no scope - preferred for security fixes)
 - ✅ `test: add NET_ADMIN capability verification tests`
 - ❌ `Fix bug` (missing type)
 - ❌ `docs: Fix template.` (uppercase subject, period at end)
+- ❌ `fix(security): replace .* regex with safer patterns` (scope `security` not in allowed list)
 - ❌ `test(security): add new tests` (scope `security` not in allowed list for PR titles)
 
 ## Development Commands