feat: AI-driven automated penetration testing system

Add a complete AI pentest system where Claude autonomously drives security
testing via tool-calling. The LLM selects from 16 tools, chains results,
and builds an attack chain DAG.

Core:
- PentestTool trait (dyn-compatible) with PentestToolContext/Result
- PentestSession, AttackChainNode, PentestMessage, PentestEvent models
- 10 new DastVulnType variants (DNS, DMARC, TLS, cookies, CSP, CORS, etc.)
- LLM client chat_with_tools() for OpenAI-compatible tool calling

Tools (16 total):
- 5 agent wrappers: SQL injection, XSS, auth bypass, SSRF, API fuzzer
- 11 new infra tools: DNS checker, DMARC checker, TLS analyzer,
  security headers, cookie analyzer, CSP analyzer, rate limit tester,
  console log detector, CORS checker, OpenAPI parser, recon
- ToolRegistry for tool lookup and LLM definition generation

Orchestrator:
- PentestOrchestrator with iterative tool-calling loop (max 50 rounds)
- Attack chain node recording per tool invocation
- SSE event broadcasting for real-time progress
- Strategy-aware system prompts (quick/comprehensive/targeted/aggressive/stealth)

API (9 endpoints):
- POST/GET /pentest/sessions, GET /pentest/sessions/:id
- POST /pentest/sessions/:id/chat, GET /pentest/sessions/:id/stream
- GET /pentest/sessions/:id/attack-chain, messages, findings
- GET /pentest/stats

Dashboard:
- Pentest dashboard with stat cards, severity distribution, session list
- Chat-based session page with split layout (chat + findings/attack chain)
- Inline tool execution indicators, auto-polling, new session modal
- Sidebar navigation item

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

compliance-agent/src/database.rs

@@ -166,6 +166,38 @@ impl Database {
             )
             .await?;
 
+        // pentest_sessions: compound (target_id, started_at DESC)
+        self.pentest_sessions()
+            .create_index(
+                IndexModel::builder()
+                    .keys(doc! { "target_id": 1, "started_at": -1 })
+                    .build(),
+            )
+            .await?;
+
+        // pentest_sessions: status index
+        self.pentest_sessions()
+            .create_index(IndexModel::builder().keys(doc! { "status": 1 }).build())
+            .await?;
+
+        // attack_chain_nodes: compound (session_id, node_id)
+        self.attack_chain_nodes()
+            .create_index(
+                IndexModel::builder()
+                    .keys(doc! { "session_id": 1, "node_id": 1 })
+                    .build(),
+            )
+            .await?;
+
+        // pentest_messages: compound (session_id, created_at)
+        self.pentest_messages()
+            .create_index(
+                IndexModel::builder()
+                    .keys(doc! { "session_id": 1, "created_at": 1 })
+                    .build(),
+            )
+            .await?;
+
         tracing::info!("Database indexes ensured");
         Ok(())
     }
@@ -235,6 +267,19 @@ impl Database {
         self.inner.collection("embedding_builds")
     }
 
+    // Pentest collections
+    pub fn pentest_sessions(&self) -> Collection<PentestSession> {
+        self.inner.collection("pentest_sessions")
+    }
+
+    pub fn attack_chain_nodes(&self) -> Collection<AttackChainNode> {
+        self.inner.collection("attack_chain_nodes")
+    }
+
+    pub fn pentest_messages(&self) -> Collection<PentestMessage> {
+        self.inner.collection("pentest_messages")
+    }
+
     #[allow(dead_code)]
     pub fn raw_collection(&self, name: &str) -> Collection<mongodb::bson::Document> {
         self.inner.collection(name)