feat(worker): scope validator + Vitest setup #366

Description

@JonathanVD43

Parent

#360

What to build

A post-scan scope validator that reads every URL visited during a bounty scan from the audit log, checks each against the program's in_scope_domains using wildcard hostname matching, and returns a list of violations. Wired into the pipeline before the report activity. Also sets up Vitest as the project test runner with a unit test suite for the validator.

End-to-end path:

  • apps/worker/src/services/scope-validator.ts — public interface: validateScope(visitedUrls: string[], inScopeDomains: string[]): ScopeViolation[] where ScopeViolation = { url: string; agent: string; timestamp: number }
  • Wildcard hostname matching: *.shopify.com matches accounts.shopify.com but not evil.com; exact entries match exactly; URL normalised to hostname-only before matching (path/query/fragment stripped)
  • Called from activities.ts after the vuln phase completes; violations passed into both the executive report context and the HackerOne reporter
  • Vitest added as a dev dependency; test script added to root package.json
  • Unit test suite covers: exact domain match, wildcard subdomain match, wildcard does not match unrelated domain, multiple violations returned, empty violations when all URLs in scope, path stripped before matching, port handling

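An added example of the validator described above, in TypeScript; it is not the project's code. It assumes audit-log rows of the shape { url, agent, timestamp } (the issue's string[] signature cannot carry agent and timestamp), drops the port while normalising to a hostname, fails closed on unparsable URLs, and treats a bare wildcard entry as not matching its apex domain.

```typescript
// Added example, not the project's code. AuditEntry is an assumed shape for rows
// read from the audit log; ScopeViolation matches the interface given in the issue.
interface AuditEntry { url: string; agent: string; timestamp: number }
interface ScopeViolation { url: string; agent: string; timestamp: number }

// Normalise a visited URL to its lowercase hostname. The WHATWG URL parser already
// strips path, query, fragment and port from .hostname; null signals a string it rejects.
function toHostname(raw: string): string | null {
  try {
    return new URL(raw).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Exact entries match exactly. "*.example.com" matches any host that ends in
// ".example.com" with at least one label in front of it, so "notexample.com" and the
// apex "example.com" do not match (programs list the apex separately when it is in scope).
function hostnameMatches(hostname: string, pattern: string): boolean {
  const p = pattern.trim().toLowerCase();
  if (p.startsWith("*.")) {
    const suffix = p.slice(1); // keep the leading dot: ".example.com"
    return hostname.length > suffix.length && hostname.endsWith(suffix);
  }
  return hostname === p;
}

// Unparsable URLs are treated as out of scope so they surface as violations
// instead of silently disappearing from the report.
function isInScope(url: string, inScopeDomains: string[]): boolean {
  const host = toHostname(url);
  if (host === null) return false;
  return inScopeDomains.some((d) => hostnameMatches(host, d));
}

// Every visited URL whose hostname matches no in-scope entry becomes a violation,
// carrying the agent and timestamp from the audit row so the report can attribute it.
function validateScope(visited: AuditEntry[], inScopeDomains: string[]): ScopeViolation[] {
  return visited
    .filter((e) => !isInScope(e.url, inScopeDomains))
    .map(({ url, agent, timestamp }) => ({ url, agent, timestamp }));
}
```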
Acceptance criteria

  • validateScope correctly implements wildcard hostname matching for all test cases
  • pnpm test runs the suite and all tests pass
  • Scope violations logged to the audit trail during a bounty scan
  • Non-bounty scans are unaffected (validator not called when bountyConfig absent)

Blocked by

#365
