Deprecate and remove protopollution module (#26)

This change removes the `protopollution` analysis module, adapter, and all associated configuration and task definitions, as its functionality has been subsumed by the `taint` analysis module.

Changes:
- Removed `internal/analysis/active/protopollution` directory.
- Removed `internal/worker/adapters/proto_adapter.go` and its test.
- Updated `internal/config/config.go` and `config.example.yaml` to remove `protopollution` settings.
- Updated `api/schemas/tasks.go` to remove `TaskAnalyzeWebPageProtoPP` task type.
- Updated `internal/agent/models.go` to remove `ActionAnalyzeProtoPollution`.
- Updated `internal/worker/worker.go` to remove adapter registration.
- Updated `internal/agent/analysis_executor.go` and `internal/discovery/engine.go` to remove dispatch logic.
- Updated relevant tests to reflect the removal.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>

Author: google-labs-jules[bot]

api/schemas/tasks.go

@@ -8,11 +8,10 @@ package schemas
 type TaskType string
 
 const (
-	TaskAgentMission          TaskType = "AGENT_MISSION"            // A high-level mission for the autonomous agent.
-	TaskAnalyzeWebPageTaint   TaskType = "ANALYZE_WEB_PAGE_TAINT"   // Performs taint analysis on a web page.
-	TaskAnalyzeWebPageProtoPP TaskType = "ANALYZE_WEB_PAGE_PROTOPP" // Checks for prototype pollution vulnerabilities.
-	TaskTestRaceCondition     TaskType = "TEST_RACE_CONDITION"      // Tests for race conditions in web applications.
-	TaskTestAuthATO           TaskType = "TEST_AUTH_ATO"            // Tests for account takeover vulnerabilities.
+	TaskAgentMission          TaskType = "AGENT_MISSION"          // A high-level mission for the autonomous agent.
+	TaskAnalyzeWebPageTaint   TaskType = "ANALYZE_WEB_PAGE_TAINT" // Performs taint analysis on a web page.
+	TaskTestRaceCondition     TaskType = "TEST_RACE_CONDITION"    // Tests for race conditions in web applications.
+	TaskTestAuthATO           TaskType = "TEST_AUTH_ATO"          // Tests for account takeover vulnerabilities.
 	TaskTestAuthIDOR          TaskType = "TEST_AUTH_IDOR"           // Tests for Insecure Direct Object References.
 	TaskAnalyzeHeaders        TaskType = "ANALYZE_HEADERS"          // Analyzes HTTP security headers.
 	TaskAnalyzeJWT            TaskType = "ANALYZE_JWT"              // Analyzes JSON Web Tokens for vulnerabilities.

config.example.yaml

@@ -88,9 +88,6 @@ scanners:
       enabled: true
       depth: 3
       concurrency: 2
-    protopollution:
-      enabled: true
-      wait_duration: "8s"
     timeslip:
       enabled: true
       request_count: 25

internal/agent/analysis_executor.go

@@ -185,8 +185,6 @@ func (e *AnalysisExecutor) mapActionToTaskType(actionType ActionType) (schemas.T
 	switch actionType {
 	case ActionAnalyzeTaint:
 		return schemas.TaskAnalyzeWebPageTaint, nil
-	case ActionAnalyzeProtoPollution:
-		return schemas.TaskAnalyzeWebPageProtoPP, nil
 	case ActionAnalyzeHeaders:
 		return schemas.TaskAnalyzeHeaders, nil
 	case ActionTestRaceCondition:

internal/agent/analysis_executor_test.go

@@ -264,7 +264,6 @@ func TestAnalysisExecutor_MapActionToTaskType(t *testing.T) {
 		expectErr  bool
 	}{
 		{ActionAnalyzeTaint, schemas.TaskAnalyzeWebPageTaint, false},
-		{ActionAnalyzeProtoPollution, schemas.TaskAnalyzeWebPageProtoPP, false},
 		{ActionAnalyzeHeaders, schemas.TaskAnalyzeHeaders, false},
 		{ActionClick, "", true}, // Unsupported type
 	}

internal/agent/executors.go

@@ -81,7 +81,6 @@ func NewExecutorRegistry(projectRoot string, globalCtx *core.GlobalContext) *Exe
 	// Register analysis actions (Updated to include all defined actions).
 	r.register(analysisExec,
 		ActionAnalyzeTaint,
-		ActionAnalyzeProtoPollution,
 		ActionAnalyzeHeaders,
 		ActionAnalyzeJWT,
 		ActionTestRaceCondition,

internal/agent/models.go

@@ -53,9 +53,8 @@ const (
 
 	// -- Security Analysis Actions (Active & IAST) --
 	// These actions involve injecting payloads, manipulating the environment, or analyzing the live state.
-	ActionAnalyzeTaint          ActionType = "ANALYZE_TAINT"           // (IAST/Taint) Taint analysis (XSS, Injection) on the current page state.
-	ActionAnalyzeProtoPollution ActionType = "ANALYZE_PROTO_POLLUTION" // (Active/Proto) Scans for client-side prototype pollution and DOM clobbering.
-	ActionTestRaceCondition     ActionType = "TEST_RACE_CONDITION"     // (Active/TimeSlip) Tests an endpoint for race conditions (TOCTOU).
+	ActionAnalyzeTaint      ActionType = "ANALYZE_TAINT"       // (IAST/Taint) Taint analysis (XSS, Injection) on the current page state.
+	ActionTestRaceCondition ActionType = "TEST_RACE_CONDITION" // (Active/TimeSlip) Tests an endpoint for race conditions (TOCTOU).
 
 	// -- Authentication & Authorization Testing --
 	ActionTestATO  ActionType = "TEST_ATO"  // (Active/ATO) Account Takeover: Tests login endpoints for credential stuffing/enumeration.