feat: AI-driven automated penetration testing system

Add a complete AI pentest system where Claude autonomously drives security
testing via tool-calling. The LLM selects from 16 tools, chains results,
and builds an attack chain DAG.

Core:
- PentestTool trait (dyn-compatible) with PentestToolContext/Result
- PentestSession, AttackChainNode, PentestMessage, PentestEvent models
- 10 new DastVulnType variants (DNS, DMARC, TLS, cookies, CSP, CORS, etc.)
- LLM client chat_with_tools() for OpenAI-compatible tool calling

Tools (16 total):
- 5 agent wrappers: SQL injection, XSS, auth bypass, SSRF, API fuzzer
- 11 new infra tools: DNS checker, DMARC checker, TLS analyzer,
  security headers, cookie analyzer, CSP analyzer, rate limit tester,
  console log detector, CORS checker, OpenAPI parser, recon
- ToolRegistry for tool lookup and LLM definition generation

Orchestrator:
- PentestOrchestrator with iterative tool-calling loop (max 50 rounds)
- Attack chain node recording per tool invocation
- SSE event broadcasting for real-time progress
- Strategy-aware system prompts (quick/comprehensive/targeted/aggressive/stealth)

API (9 endpoints):
- POST/GET /pentest/sessions, GET /pentest/sessions/:id
- POST /pentest/sessions/:id/chat, GET /pentest/sessions/:id/stream
- GET /pentest/sessions/:id/attack-chain, messages, findings
- GET /pentest/stats

Dashboard:
- Pentest dashboard with stat cards, severity distribution, session list
- Chat-based session page with split layout (chat + findings/attack chain)
- Inline tool execution indicators, auto-polling, new session modal
- Sidebar navigation item

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

compliance-dast/src/tools/mod.rs

@@ -0,0 +1,141 @@
+pub mod api_fuzzer;
+pub mod auth_bypass;
+pub mod console_log_detector;
+pub mod cookie_analyzer;
+pub mod cors_checker;
+pub mod csp_analyzer;
+pub mod dmarc_checker;
+pub mod dns_checker;
+pub mod openapi_parser;
+pub mod rate_limit_tester;
+pub mod recon;
+pub mod security_headers;
+pub mod sql_injection;
+pub mod ssrf;
+pub mod tls_analyzer;
+pub mod xss;
+
+use std::collections::HashMap;
+
+use compliance_core::traits::pentest_tool::PentestTool;
+
+/// A definition describing a tool for LLM tool_use registration.
+#[derive(Debug, Clone)]
+pub struct ToolDefinition {
+    pub name: String,
+    pub description: String,
+    pub input_schema: serde_json::Value,
+}
+
+/// Registry that holds all available pentest tools and provides
+/// look-up by name.
+pub struct ToolRegistry {
+    tools: HashMap<String, Box<dyn PentestTool>>,
+}
+
+impl ToolRegistry {
+    /// Create a new registry with all built-in tools pre-registered.
+    pub fn new() -> Self {
+        let http = reqwest::Client::builder()
+            .danger_accept_invalid_certs(true)
+            .timeout(std::time::Duration::from_secs(30))
+            .redirect(reqwest::redirect::Policy::limited(5))
+            .build()
+            .expect("failed to build HTTP client");
+
+        let mut tools: HashMap<String, Box<dyn PentestTool>> = HashMap::new();
+
+        // Agent-wrapping tools
+        let register = |tools: &mut HashMap<String, Box<dyn PentestTool>>,
+                        tool: Box<dyn PentestTool>| {
+            tools.insert(tool.name().to_string(), tool);
+        };
+
+        register(
+            &mut tools,
+            Box::new(sql_injection::SqlInjectionTool::new(http.clone())),
+        );
+        register(&mut tools, Box::new(xss::XssTool::new(http.clone())));
+        register(
+            &mut tools,
+            Box::new(auth_bypass::AuthBypassTool::new(http.clone())),
+        );
+        register(&mut tools, Box::new(ssrf::SsrfTool::new(http.clone())));
+        register(
+            &mut tools,
+            Box::new(api_fuzzer::ApiFuzzerTool::new(http.clone())),
+        );
+
+        // New infrastructure / analysis tools
+        register(
+            &mut tools,
+            Box::new(dns_checker::DnsCheckerTool::new()),
+        );
+        register(
+            &mut tools,
+            Box::new(dmarc_checker::DmarcCheckerTool::new()),
+        );
+        register(
+            &mut tools,
+            Box::new(tls_analyzer::TlsAnalyzerTool::new(http.clone())),
+        );
+        register(
+            &mut tools,
+            Box::new(security_headers::SecurityHeadersTool::new(http.clone())),
+        );
+        register(
+            &mut tools,
+            Box::new(cookie_analyzer::CookieAnalyzerTool::new(http.clone())),
+        );
+        register(
+            &mut tools,
+            Box::new(csp_analyzer::CspAnalyzerTool::new(http.clone())),
+        );
+        register(
+            &mut tools,
+            Box::new(rate_limit_tester::RateLimitTesterTool::new(http.clone())),
+        );
+        register(
+            &mut tools,
+            Box::new(console_log_detector::ConsoleLogDetectorTool::new(
+                http.clone(),
+            )),
+        );
+        register(
+            &mut tools,
+            Box::new(cors_checker::CorsCheckerTool::new(http.clone())),
+        );
+        register(
+            &mut tools,
+            Box::new(openapi_parser::OpenApiParserTool::new(http.clone())),
+        );
+        register(
+            &mut tools,
+            Box::new(recon::ReconTool::new(http)),
+        );
+
+        Self { tools }
+    }
+
+    /// Look up a tool by name.
+    pub fn get(&self, name: &str) -> Option<&dyn PentestTool> {
+        self.tools.get(name).map(|b| b.as_ref())
+    }
+
+    /// Return definitions for every registered tool.
+    pub fn all_definitions(&self) -> Vec<ToolDefinition> {
+        self.tools
+            .values()
+            .map(|t| ToolDefinition {
+                name: t.name().to_string(),
+                description: t.description().to_string(),
+                input_schema: t.input_schema(),
+            })
+            .collect()
+    }
+
+    /// Return the names of all registered tools.
+    pub fn list_names(&self) -> Vec<String> {
+        self.tools.keys().cloned().collect()
+    }
+}