feat(ui): add attack path custom query skill for Lighthouse AI

[puchy22]

Context

Add the first Lighthouse skill: Attack Path Custom Query. This skill provides the LLM with openCypher syntax guidance and Cartography schema knowledge for writing graph queries against Prowler's cloud infrastructure data.

Depends on:

• PR feat(mcp): add cartography schema tool for attack paths #10321 (MCP cartography schema tool)
• PR feat(ui): add skills system infrastructure to Lighthouse AI #10322 (Skills infrastructure) — this PR's base branch

Description

New file:

• ui/lib/lighthouse/skills/definitions/attack-path-custom-query.ts — Full skill definition with openCypher patterns, Cartography schema reference, provider isolation rules, and example queries

Modified files:

• ui/lib/lighthouse/skills/index.ts — Import skill definition to trigger registration
• ui/lib/lighthouse/workflow.ts — Add prowler_app_get_attack_paths_cartography_schema to allowed tools

Steps to review

1. Review the skill definition in definitions/attack-path-custom-query.ts
2. Verify the skill instructions cover: provider isolation, query parameters, openCypher v9 compatibility, Prowler findings enrichment
3. Confirm the import in index.ts triggers registration
4. Confirm the cartography schema tool is added to ALLOWED_TOOLS in workflow.ts

Checklist

Community Checklist

• This feature/issue is listed in here or roadmap.prowler.com
• Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

• Are there new checks included in this PR? No
• Review if the code is being covered by tests.
• Review if code is being documented following https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
• Review if backport is needed.
• Review if is needed to change the Readme.md
• Ensure new entries are added to CHANGELOG.md, if applicable.

UI (if applicable)

• All issue/task requirements work as expected on the UI
• N/A — no visual changes, skill definition only

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[github-actions]

✅ Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

[github-actions]

✅ All necessary CHANGELOG.md files have been updated.

[github-actions]

🔒 Container Security Scan

Image: prowler-ui:e0b6933
Last scan: 2026-03-18 17:37:23 UTC

📊 Vulnerability Summary

Severity	Count
🔴 Critical	1
Total	1

1 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

• Review the detailed scan results
• Update affected packages to patched versions
• Consider using a different base image if updates are unavailable

---

📋 Resources:

• Download full report (see artifacts)
• View in Security tab
• Scanned with Trivy

[alejandrobailo]

No issues found.

Notes (below threshold, informational only):

• The side-effect import pattern (import "./definitions/..." triggering registerSkill()) relies on skills/index.ts being imported by a consumer (confirmed: workflow.ts and tools/load-skill.ts both import it). Future skill authors should be aware that adding a definition file also requires adding the side-effect import to index.ts.

• The fallback schema reference in the instructions is AWS-only. When non-AWS providers use this skill and the prowler_app_get_attack_paths_cartography_schema tool fails, the fallback won't help. This is documented in the skill instructions and is a reasonable first iteration.

[alejandrobailo]

Suggestion: make skill registration explicit instead of side-effect imports

The current pattern uses bare side-effect imports to trigger registration:

// index.ts
import "./definitions/attack-path-custom-query"; // side-effect triggers registerSkill()

This has three risks:

1. Tree-shaking — bare imports with no consumed exports can be eliminated by bundlers (webpack/turbopack) if they determine the module is pure. Works today on server code, but not guaranteed across Next.js versions.
2. Silent failure — forget the import line when adding a new skill and getSkillById silently returns undefined. No error, no warning.
3. Scaling — every new skill requires remembering to add the bare import to index.ts.

Suggested refactor (2 files, ~5 lines):

// definitions/attack-path-custom-query.ts
import type { SkillDefinition } from "../types";

export const customAttackPathQuerySkill: SkillDefinition = {
  metadata: { ... },
  instructions: `...`,
};
// Remove the registerSkill() call — registration moves to the barrel

// index.ts
import { registerSkill } from "./registry";
import { customAttackPathQuerySkill } from "./definitions/attack-path-custom-query";

// Explicit registration — tree-shake-proof, grep-friendly
registerSkill(customAttackPathQuerySkill);

export { getAllSkillMetadata, getRegisteredSkillIds, getSkillById } from "./registry";
export type { SkillDefinition, SkillMetadata } from "./types";

The named import creates a real binding the bundler must preserve (it's consumed by registerSkill()), unlike the bare import "./foo" which the bundler has discretion to drop.