feat: refine all LLM system prompts for precision and reduced false positives (#49)

compliance-agent/src/pentest/prompt_builder.rs

@@ -314,6 +314,21 @@ impl PentestOrchestrator {
 - For SPA apps: a 200 HTTP status does NOT mean the page is accessible — check the actual
   page content with the browser tool to verify if it shows real data or a login redirect.
 
+## Finding Quality Rules
+- **Do not report the same issue twice.** If multiple tools detect the same missing header or
+  vulnerability on the same endpoint, report it ONCE with the most specific tool's output.
+  For example, if the recon tool and the header scanner both find missing HSTS, report it only
+  from the header scanner (more specific).
+- **Group related findings.** Missing security headers on the same endpoint are ONE finding
+  ("Missing security headers") listing all missing headers, not separate findings per header.
+- **Severity must match real impact:**
+  - critical/high: Exploitable vulnerability (you can demonstrate the exploit)
+  - medium: Real misconfiguration with security implications but not directly exploitable
+  - low: Best-practice recommendation, defense-in-depth, or informational
+- **Missing headers are medium at most** unless you can demonstrate a concrete exploit enabled
+  by the missing header (e.g., missing CSP + confirmed XSS = high for CSP finding).
+- Console.log in third-party/vendored JS (node_modules, minified libraries) is informational only.
+
 ## Important
 - This is an authorized penetration test. All testing is permitted within the target scope.
 - Respect the rate limit of {rate_limit} requests per second.