feat: pentest onboarding — streaming, browser automation, reports, user cleanup (#16)

Complete pentest feature overhaul: SSE streaming, session-persistent browser tool (CDP), AES-256 credential encryption, auto-screenshots in reports, code-level remediation correlation, SAST triage chunking, context window optimization, test user cleanup (Keycloak/Auth0/Okta), wizard dropdowns, attack chain improvements, architecture docs with Mermaid diagrams.

Co-authored-by: Sharang Parnerkar <parnerkarsharang@gmail.com>
Reviewed-on: #16

compliance-dashboard/src/components/attack_chain/helpers.rs

@@ -118,9 +118,12 @@ pub(crate) fn cat_label(cat: &str) -> &'static str {
     }
 }
 
-/// Phase name heuristic based on depth
-pub(crate) fn phase_name(depth: usize) -> &'static str {
-    match depth {
+/// Maximum number of display phases — deeper iterations are merged into the last.
+const MAX_PHASES: usize = 8;
+
+/// Phase name heuristic based on phase index (not raw BFS depth)
+pub(crate) fn phase_name(phase_idx: usize) -> &'static str {
+    match phase_idx {
         0 => "Reconnaissance",
         1 => "Analysis",
         2 => "Boundary Testing",
@@ -133,8 +136,8 @@ pub(crate) fn phase_name(depth: usize) -> &'static str {
 }
 
 /// Short label for phase rail
-pub(crate) fn phase_short_name(depth: usize) -> &'static str {
-    match depth {
+pub(crate) fn phase_short_name(phase_idx: usize) -> &'static str {
+    match phase_idx {
         0 => "Recon",
         1 => "Analysis",
         2 => "Boundary",
@@ -214,7 +217,14 @@ pub(crate) fn compute_phases(steps: &[serde_json::Value]) -> Vec<Vec<usize>> {
         }
     }
 
-    // Group by depth
+    // Cap depths at MAX_PHASES - 1 so deeper iterations merge into the last phase
+    for d in depths.iter_mut() {
+        if *d >= MAX_PHASES {
+            *d = MAX_PHASES - 1;
+        }
+    }
+
+    // Group by (capped) depth
     let max_depth = depths.iter().copied().max().unwrap_or(0);
     let mut phases: Vec<Vec<usize>> = Vec::new();
     for d in 0..=max_depth {