refactor: consolidate file layout and break circular dependencies

- Move error-handling, git-manager, prompt-manager, queue-validation, and reporting into src/services/
- Delete src/constants.ts — relocate AGENT_VALIDATORS and MCP_AGENT_MAPPING into session-manager.ts alongside agent definitions
- Delete src/utils/output-formatter.ts — absorb filterJsonToolCalls and getAgentPrefix into ai/output-formatters.ts
- Extract ActivityLogger interface into src/types/activity-logger.ts to break temporal/ → services circular dependency
- Consolidate VulnType, ExploitationDecision into types/agents.ts and SessionMetadata into types/audit.ts
- Remove dead timingResults/costResults globals from utils/metrics.ts and all consumers

src/types/agents.ts

@@ -41,7 +41,7 @@ export type PlaywrightAgent =
   | 'playwright-agent4'
   | 'playwright-agent5';
 
-import type { ActivityLogger } from '../temporal/activity-logger.js';
+import type { ActivityLogger } from './activity-logger.js';
 
 export type AgentValidator = (sourceDir: string, logger: ActivityLogger) => Promise<boolean>;
 
@@ -59,3 +59,18 @@ export interface AgentDefinition {
   promptTemplate: string;
   deliverableFilename: string;
 }
+
+/**
+ * Vulnerability types supported by the pipeline.
+ */
+export type VulnType = 'injection' | 'xss' | 'auth' | 'ssrf' | 'authz';
+
+/**
+ * Decision returned by queue validation for exploitation phase.
+ */
+export interface ExploitationDecision {
+  shouldExploit: boolean;
+  shouldRetry: boolean;
+  vulnerabilityCount: number;
+  vulnType: VulnType;
+}