feat: browser session persistence, auto-screenshots, context optimization, user cleanup

Browser tool:
- Session-persistent Chrome tab (same tab reused across all calls in a pentest)
- Auto-screenshot on every navigate and click (stored in attack chain for report)
- Fill uses CDP Input.insertText (fixes WebSocket corruption on special chars)
- Switched from browserless/chromium to chromedp/headless-shell (stable WS)

Context window optimization:
- Strip screenshot_base64 from LLM conversation (kept in DB for report)
- Truncate HTML to 2KB, page text to 1.5KB in LLM messages
- Cap element/link arrays at 15 items
- SAST triage: batch 30 findings per LLM call instead of all at once

Report improvements:
- Auto-embed screenshots in attack chain timeline (navigate + click nodes)
- Cover page shows best app screenshot
- Attack chain phases capped at 8 (no more 20x "Final")

User cleanup:
- TestUserRecord model tracks created test users per session
- cleanup.rs: Keycloak (Admin REST API), Auth0 (Management API), Okta (Users API)
- Auto-cleanup on session completion when cleanup_test_user is enabled
- Env vars: KEYCLOAK_ADMIN_USERNAME, KEYCLOAK_ADMIN_PASSWORD

System prompt:
- Explicit browser usage instructions (navigate → get_content → click → fill)
- SPA auth bypass guidance (check page content, not HTTP status)
- Screenshot instructions for evidence collection

Other:
- Pin mongo:7 in docker-compose (mongo:latest/8 segfaults on kernel 6.19)
- Add deploy/docker-compose.mailserver.yml for Postfix + Dovecot

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

deploy/docker-compose.mailserver.yml

@@ -0,0 +1,63 @@
+version: "3.8"
+
+services:
+  mailserver:
+    image: ghcr.io/docker-mailserver/docker-mailserver:14
+    hostname: mail.scanner.meghsakha.com
+    domainname: scanner.meghsakha.com
+    container_name: mailserver
+    ports:
+      - "25:25"      # SMTP (inbound mail)
+      - "143:143"    # IMAP (orchestrator reads mail)
+      - "993:993"    # IMAPS (TLS)
+      - "587:587"    # Submission (outbound, if needed)
+    volumes:
+      - maildata:/var/mail
+      - mailstate:/var/mail-state
+      - maillogs:/var/log/mail
+      - /etc/localtime:/etc/localtime:ro
+    environment:
+      # Hostname
+      - OVERRIDE_HOSTNAME=mail.scanner.meghsakha.com
+
+      # Disable features we don't need
+      - ENABLE_SPAMASSASSIN=0
+      - ENABLE_CLAMAV=0
+      - ENABLE_FAIL2BAN=0
+      - ENABLE_POSTGREY=0
+      - ENABLE_AMAVIS=0
+
+      # Enable what we need
+      - ENABLE_IMAP=1
+      - ENABLE_POP3=0
+
+      # Plus-addressing (critical for pentest)
+      - POSTFIX_RECIPIENT_DELIMITER=+
+
+      # SSL (start with no TLS, add Let's Encrypt later)
+      - SSL_TYPE=
+
+      # Accept mail for our domain
+      - PERMIT_DOCKER=none
+
+      # Disable inbound SPF checking — we need to accept verification
+      # emails from Keycloak and other external senders
+      - ENABLE_OPENDKIM=0
+      - ENABLE_OPENDMARC=0
+      - ENABLE_POLICYD_SPF=0
+      - SPOOF_PROTECTION=0
+
+      # One domain
+      - POSTFIX_MYDESTINATION=scanner.meghsakha.com, localhost
+
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "ss", "-tlnp", "|", "grep", "25"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+volumes:
+  maildata:
+  mailstate:
+  maillogs: