feat: backport config-driven run scoping and report filtering

Cherry-pick of upstream Shannon PR #326. Adds vuln_classes subset
selection, exploit toggle, code_path avoid enforcement via SDK deny
rules, deterministic findings rendering when exploit is disabled,
report filtering (min_severity, min_confidence, guidance), and
rules_of_engagement config field.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

apps/worker/configs/example-config.yaml

@@ -4,6 +4,27 @@
 # Description of the target environment (optional, max 500 chars)
 description: "Next.js e-commerce app on PostgreSQL. Local dev environment — .env files contain local-only credentials, not deployed to production."
 
+# Limit which vulnerability classes run end-to-end (optional, default: all five)
+# vuln_classes: [injection, xss, auth, authz, ssrf]
+
+# Skip the exploitation phase (optional, default: "true")
+# exploit: "false"
+
+# Free-form engagement rules applied to analysis and exploitation agents (optional).
+# Example below is illustrative; edit, remove, or add sections as needed.
+# rules_of_engagement: |
+#   Forbidden techniques:
+#   - No password brute-force or credential stuffing. Cap login attempts at 5 per account.
+#   - ...
+#
+#   Operational:
+#   - Throttle to under 5 requests per second per endpoint. Back off 60 seconds on any 429 response.
+#   - ...
+#
+#   Data handling:
+#   - Do not include actual values in deliverables — use placeholders like [order_id] or [user_email].
+#   - ...
+
 authentication:
   login_type: form  # Options: 'form' or 'sso'
   login_url: "https://example.com/login"
@@ -25,27 +46,55 @@ authentication:
     value: "/dashboard"
 
 rules:
+  # Supported types: url_path, subdomain, domain, method, header, parameter, code_path
   avoid:
     - description: "Do not test the marketing site subdomain"
       type: subdomain
-      url_path: "www"
+      value: "www"
     
     - description: "Skip logout functionality"
-      type: path
-      url_path: "/logout"
+      type: url_path
+      value: "/logout"
     
     - description: "No DELETE operations on user API"
-      type: path
-      url_path: "/api/v1/users/*"
+      type: url_path
+      value: "/api/v1/users/*"
   
+    # code_path values are repo-relative file paths or globs (e.g. "src/auth.ts", "test/**").
+    # - description: "Test fixtures and specs (not production code)"
+    #   type: code_path
+    #   value: "test/**"
+    #
+    # - description: "Generated migrations"
+    #   type: code_path
+    #   value: "db/migrations/**"
+
   focus:
     - description: "Prioritize beta admin panel subdomain"
       type: subdomain
-      url_path: "beta-admin"
+      value: "beta-admin"
 
     - description: "Focus on user profile updates"
-      type: path
-      url_path: "/api/v2/user-profile"
+      type: url_path
+      value: "/api/v2/user-profile"
+
+    # code_path values are repo-relative file paths or globs (e.g. "src/auth.ts", "routes/*.ts").
+    # - description: "Express route handlers"
+    #   type: code_path
+    #   value: "routes/*.ts"
+    #
+    # - description: "Sequelize ORM model definitions"
+    #   type: code_path
+    #   value: "models/*.ts"
+
+# Report filters applied by the report agent when assembling the final report (optional).
+# Example below is illustrative; edit, remove, or add sections as needed.
+# report:
+#   min_severity: low
+#   min_confidence: low
+#   guidance: |
+#     Drop findings about missing security headers and rate-limit gaps.
+#     ...
 
 # Pipeline execution settings (optional)
 # pipeline: