feat(web-security): add archivealchemist runtime support and archive-path-traversal skill#50

Merged: GangGreenTemperTatum merged 1 commit into main from ads/cap-1017-integrate-archive-alchemist-into-web-security-capability on Jun 12, 2026

@GangGreenTemperTatum (Contributor) commented Jun 12, 2026

Summary

Adds archivealchemist runtime support to the web-security capability and updates the archive-path-traversal skill to use it.

What's included

  • capabilities/web-security/scripts/install_tools.sh — clones https://github.com/avlidienbrunn/archivealchemist to ~/git/archivealchemist during sandbox provisioning.
  • capabilities/web-security/docker/Dockerfile.runtime — same archivealchemist install for local/CI runtime builds.
  • capabilities/web-security/capability.yaml
    • Bumps version to 1.1.4
    • Adds optional archivealchemist check (test -f "$HOME/git/archivealchemist/archive-alchemist.py")
    • Updates description and keywords (archive-extraction, zip-slip, path-traversal)
  • capabilities/web-security/skills/archive-path-traversal/SKILL.md — rewritten to cover:
    • Tool path and command reference
    • Attack patterns: Zip Slip, symlink file read, symlink collision, setuid escalation, polyglot MIME bypass, Unicode path confusion
    • Iterative working-directory workflow
    • Testing procedure and constraints
  • capabilities/web-security/agents/web-security.md — mentions archive-alchemist CLI and the archive-path-traversal skill.

Design notes

  • Kept to the requested "small addition to the dockerfile + light context engineering" scope.
  • No new Dreadnode tool wrapper; agents invoke python3 ~/git/archivealchemist/archive-alchemist.py via bash.
  • The skill replaces the previous Zip Slip-only skill with a fuller archive extraction vulnerability guide.

Validation

  • bash -n capabilities/web-security/scripts/install_tools.sh
  • capability.yaml parses and includes archivealchemist check, version 1.1.4
  • archive-path-traversal/SKILL.md frontmatter valid
  • python3 -m pytest capabilities/web-security/tests/ --ignore=capabilities/web-security/tests/test_bbscope.py -q → 153 passed

…path-traversal skill

- Install archivealchemist in install_tools.sh and Dockerfile.runtime at
  ~/git/archivealchemist for crafting malicious archives.
- Add optional archivealchemist check to capability.yaml.
- Bump version to 1.1.4 and update description/keywords.
- Rewrite archive-path-traversal skill around archivealchemist with
  attack patterns (Zip Slip, symlink, hardlink, setuid, polyglot,
  Unicode path confusion) and an iterative working-directory workflow.
- Update agent prompt to reference archive-alchemist CLI and the
  archive-path-traversal skill.
@GangGreenTemperTatum GangGreenTemperTatum marked this pull request as ready for review June 12, 2026 20:32
@GangGreenTemperTatum GangGreenTemperTatum merged commit 33f1ef1 into main Jun 12, 2026
4 of 5 checks passed