feat: add workflow resume from workspace via --workspace flag

When a workflow is interrupted (VM crash, Ctrl+C, Docker restart), it can
now be resumed by passing the workspace name. The system reads session.json
to determine which agents completed, validates deliverables exist on disk,
restores the git checkpoint, and skips already-completed agents.

- Add --workspace CLI flag and auto-terminate conflicting workflows
- Add loadResumeState, restoreGitCheckpoint, recordResumeAttempt activities
- Add skip logic for all 5 pipeline phases including parallel execution
- Separate sessionId (persistent directory) from workflowId (execution ID)
- Track resume attempts in session.json for audit trail
- Derive AgentName type from ALL_AGENTS array to eliminate duplication
- Add getDeliverablePath mapping for deliverable validation

src/types/agents.ts

@@ -8,20 +8,33 @@
  * Agent type definitions
  */
 
-export type AgentName =
-  | 'pre-recon'
-  | 'recon'
-  | 'injection-vuln'
-  | 'xss-vuln'
-  | 'auth-vuln'
-  | 'ssrf-vuln'
-  | 'authz-vuln'
-  | 'injection-exploit'
-  | 'xss-exploit'
-  | 'auth-exploit'
-  | 'ssrf-exploit'
-  | 'authz-exploit'
-  | 'report';
+import path from 'path';
+
+/**
+ * List of all agents in execution order.
+ * Used for iteration during resume state checking.
+ */
+export const ALL_AGENTS = [
+  'pre-recon',
+  'recon',
+  'injection-vuln',
+  'xss-vuln',
+  'auth-vuln',
+  'ssrf-vuln',
+  'authz-vuln',
+  'injection-exploit',
+  'xss-exploit',
+  'auth-exploit',
+  'ssrf-exploit',
+  'authz-exploit',
+  'report',
+] as const;
+
+/**
+ * Agent name type derived from ALL_AGENTS.
+ * This ensures type safety and prevents drift between type and array.
+ */
+export type AgentName = typeof ALL_AGENTS[number];
 
 export type PromptName =
   | 'pre-recon-code'
@@ -82,3 +95,28 @@ export function getPromptNameForAgent(agentName: AgentName): PromptName {
 
   return mappings[agentName];
 }
+
+/**
+ * Maps an agent name to its deliverable file path.
+ * Must match mcp-server/src/types/deliverables.ts:DELIVERABLE_FILENAMES
+ */
+export function getDeliverablePath(agentName: AgentName, repoPath: string): string {
+  const deliverableMap: Record<AgentName, string> = {
+    'pre-recon': 'code_analysis_deliverable.md',
+    'recon': 'recon_deliverable.md',
+    'injection-vuln': 'injection_analysis_deliverable.md',
+    'xss-vuln': 'xss_analysis_deliverable.md',
+    'auth-vuln': 'auth_analysis_deliverable.md',
+    'ssrf-vuln': 'ssrf_analysis_deliverable.md',
+    'authz-vuln': 'authz_analysis_deliverable.md',
+    'injection-exploit': 'injection_exploitation_evidence.md',
+    'xss-exploit': 'xss_exploitation_evidence.md',
+    'auth-exploit': 'auth_exploitation_evidence.md',
+    'ssrf-exploit': 'ssrf_exploitation_evidence.md',
+    'authz-exploit': 'authz_exploitation_evidence.md',
+    'report': 'comprehensive_security_assessment_report.md',
+  };
+
+  const filename = deliverableMap[agentName];
+  return path.join(repoPath, 'deliverables', filename);
+}