feat(web-security): add browser XSS verifier #55

Closed
GangGreenTemperTatum wants to merge 1 commit into main from ads/cap-984-xss-verifier-mcp-r2

@GangGreenTemperTatum

Contributor

Summary

  • supersedes the stale ads/cap-984-build-xss-verifier-with-agent-browser approach with verifier tools on the existing agent-browser MCP server
  • adds token-based XSS execution proof via agent_browser_xss_verifier_start, agent_browser_xss_verifier_check, and agent_browser_xss_verifier_reset
  • updates web-security agent and verifier guidance so confirmed XSS requires browser-side controlled JS execution proof, not reflection or challenge-status alone

Validation

  • uv run pytest capabilities/web-security/tests/test_agent_browser_mcp.py
  • live smoke with agent-browser 0.26.0: arm verifier on a data URL, execute proof token in page context, check returns CONFIRMED
  • uv run ruff check capabilities/web-security/mcp/agent_browser.py capabilities/web-security/tests/test_agent_browser_mcp.py
  • uv run ruff format --check capabilities/web-security/mcp/agent_browser.py capabilities/web-security/tests/test_agent_browser_mcp.py
  • just validate (0 failed; existing local check warnings for missing optional tools: android APK tools, Ghidra checks, BHE runtime module, web-security caido/burp/fireprox)
  • pre-commit run --files capabilities/web-security/mcp/agent_browser.py capabilities/web-security/tests/test_agent_browser_mcp.py capabilities/web-security/agents/web-security.md capabilities/web-security/skills/agent-browser/SKILL.md capabilities/web-security/skills/exploit-verifier/SKILL.md

Notes

  • Full uv run pytest capabilities/web-security/tests currently fails before this change area on existing test_bbscope.py import pathing (expects dreadnode/web-security/tools instead of this repo's capabilities/web-security/tools).
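
The distinction the summary above draws between reflection, challenge status and browser-side execution proof, as an added example that is not code from this PR. The class, method and verdict names other than CONFIRMED are hypothetical, and `record_execution` stands in for whatever browser-side hook reports that page JavaScript ran.

```python
"""Token-based execution proof: verdict logic only (added example, hypothetical names)."""
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class XssVerifier:
    token: Optional[str] = None
    executed: Set[str] = field(default_factory=set)

    def start(self) -> str:
        """Arm with a fresh unguessable token; earlier proofs no longer count."""
        self.token = secrets.token_hex(16)
        self.executed.clear()
        return self.token

    def record_execution(self, reported: str) -> None:
        """Assumed to be reachable only from JS running in the page under test."""
        self.executed.add(reported)

    def check(self, response_body: str = "", challenge_solved: bool = False) -> str:
        if self.token is None:
            return "NOT_ARMED"
        if self.token in self.executed:
            return "CONFIRMED"          # the page's own JS reported this run's token
        if self.token in response_body:
            return "REFLECTED_ONLY"     # echoed in markup, never seen executing
        # challenge_solved is deliberately ignored: app status is not execution proof
        return "UNCONFIRMED"

    def reset(self) -> None:
        self.token = None
        self.executed.clear()


if __name__ == "__main__":
    v = XssVerifier()
    stale = v.start()
    token = v.start()                   # re-armed: the first token is now stale
    print(v.check(response_body=f"<p>{token}</p>"))  # constructed response body
    v.record_execution(stale)
    print(v.check(challenge_solved=True))
    v.record_execution(token)
    print(v.check())
```

Because the token is regenerated on every arm, a proof left over from an earlier run or a value that only appears in the response markup cannot produce a CONFIRMED verdict.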

@GangGreenTemperTatum

Contributor Author

Closing this direction. We do not want to rely on an XSS-specific verifier tool call as the primary verification mechanism; next exploration should move toward capability hooks / policy-driven evidence capture.


1 participant