feat: extract pipeline core for library consumption (#282)

* feat: extract pipeline core for library consumption

* fix: chmod workspace directory for container write access

* fix: resolve playwright output dir relative to deliverables parent

* feat: add multi-provider LLM support via ProviderConfig

* fix: resolve model overrides via options.model, remove unused model env passthrough

* fix: use ANTHROPIC_AUTH_TOKEN for custom base URL and router auth

* fix: skip env-based credential validation when providerConfig is present

* fix: support large UID/GID values for AD/LDAP users in container

apps/worker/src/interfaces/checkpoint-provider.ts

@@ -0,0 +1,26 @@
+/**
+ * CheckpointProvider — injectable interface for external state persistence.
+ *
+ * Called after each agent completes to allow external progress tracking.
+ * During the concurrent vulnerability-exploitation phase, 5 pipelines run
+ * in parallel — onAgentComplete fires per-agent for granular progress.
+ *
+ * Default: no-op.
+ */
+
+import type { PipelineState } from '../temporal/shared.js';
+
+export interface CheckpointProvider {
+  onAgentComplete(
+    agentName: string,
+    phase: string,
+    state: PipelineState,
+  ): Promise<void>;
+}
+
+/** Default no-op implementation — no external checkpointing. */
+export class NoOpCheckpointProvider implements CheckpointProvider {
+  async onAgentComplete(): Promise<void> {
+    // No-op
+  }
+}

apps/worker/src/interfaces/findings-provider.ts

@@ -0,0 +1,26 @@
+/**
+ * FindingsProvider — injectable interface for external findings integration.
+ *
+ * Allows external security data (SAST, SCA, secrets, etc.) to be merged
+ * into the exploitation pipeline between vulnerability analysis and exploitation.
+ *
+ * Default: no-op returning { mergedCount: 0 }.
+ */
+
+import type { ActivityInput } from '../temporal/activities.js';
+import type { VulnType } from '../types/agents.js';
+
+export interface FindingsProvider {
+  mergeFindingsIntoQueue(
+    repoPath: string,
+    vulnType: VulnType,
+    input: ActivityInput,
+  ): Promise<{ mergedCount: number }>;
+}
+
+/** Default no-op implementation — no external findings to merge. */
+export class NoOpFindingsProvider implements FindingsProvider {
+  async mergeFindingsIntoQueue(): Promise<{ mergedCount: number }> {
+    return { mergedCount: 0 };
+  }
+}

apps/worker/src/interfaces/index.ts

@@ -0,0 +1,11 @@
+/**
+ * Injectable interfaces for extending the pentest pipeline.
+ *
+ * All interfaces have default no-op implementations.
+ * Consumers can provide alternate implementations via the DI container.
+ */
+
+export type { CheckpointProvider } from './checkpoint-provider.js';
+export { NoOpCheckpointProvider } from './checkpoint-provider.js';
+export type { FindingsProvider } from './findings-provider.js';
+export { NoOpFindingsProvider } from './findings-provider.js';