feat(worker): new vuln agents — CORS, info-disclosure, open-redirects

[JonathanVD43]

Parent

#360

What to build

Add three new vulnerability agents to the parallel vuln phase: cors-vuln, info-disclosure-vuln, and open-redirects-vuln. These cover common P3/P4 bug bounty finding classes that the existing five agents do not address.

End-to-end path:

• Register all three in AGENTS (session-manager), ALL_AGENTS and AgentName (types/agents.ts)
• Write prompt templates: vuln-cors.txt, vuln-info-disclosure.txt, vuln-open-redirects.txt
• Each has recon as its only prerequisite and runs in the existing parallel vuln phase (8 total agents)
• Register thin activity wrappers in activities.ts and wire into workflows.ts
• No exploit agents for these types in this iteration — findings feed into reporting only

CORS agent: wildcard origins, credentialed cross-origin requests, CORS on sensitive endpoints.
Info-disclosure agent: exposed API keys, stack traces, debug endpoints, .env paths, verbose error messages.
Open-redirects agent: URL parameter-based redirects, next/redirect/url params, header injection vectors.

Acceptance criteria

• Three new agents appear in the parallel vuln phase during a scan
• Each produces a deliverable file (e.g. cors_analysis_deliverable.md)
• Prompt templates cover the relevant finding classes with concrete test steps
• ALL_AGENTS and AgentName types updated; TypeScript compiles cleanly
• assembleFinalReport in reporting.ts includes findings from new agents

Blocked by

None — can start immediately