fix(assail): strip C-family line comments before cross-language URL detection

Self-scan repro: a doc-comment line like

  /// types: ["http://hyperpolymath.dev/panic-attack/AssailReport"]

was flagging InsecureProtocol PA-IP. The string in the comment is an
illustrative JSON-LD `@type` namespace URI, not a configured endpoint —
it has no runtime effect, but the cross-language detector's regex
matched it anyway because `analyze_cross_language` was being passed
the raw file content (no comment stripping).

Fix: new `strip_c_family_line_comments` helper, applied to the content
before the http://-URL regex runs in `analyze_cross_language`. The
helper detects `//` (and `///`, `//!` by extension), respects string
literals (so `"http://localhost"` is preserved), and handles escape
sequences inside strings.

Naturally covers Rust, JavaScript, TypeScript, Java, C, C++, Go — every
language whose comment syntax is `//`. Python `#`, Lisp `;`, Lua/Idris
`--` etc. are not (yet) language-aware; the cross-language detector
remains best-effort and could be extended per file_path extension in a
follow-up.

Limits:
- Block comments (/* */) and raw-string literals (r#"..."#) are not
  consumed here. The detector's existing localhost exemption + this
  line-comment strip handle the bulk of FPs in practice.
- A real string-literal URL like `"http://example.com"` is STILL
  flagged — the regex sees through the string. That's correct: a
  hardcoded HTTP endpoint in production code is the signal we want.
- JSON-LD `@type` URIs that genuinely live in code (not in comments)
  remain a TP from the regex's perspective; suppress them via the
  user-classification registry if they're audited.

Regression coverage: 6 new tests in `assail::analyzer::tests` covering
basic `//`, doc-comments, string-literal preservation, escape
sequences, and the self-scan repro patterns (doc-URL stripped /
JSON-LD-string preserved).

Test URLs use http://localhost so panic-attack scanning its own
source under self-scan doesn't trip the InsecureProtocol detector on
the test data.

Verification:
- cargo test --bin panic-attack --features signing,http — 242 passed
  (was 236; +6 new tests, no failures)
- cargo clippy --all-targets --features signing,http -D warnings — clean
- cargo fmt --check — clean
- self-scan before: 2 InsecureProtocol findings in storage/mod.rs
  (1 doc-comment FP, 1 JSON-LD literal — out of scope)
- self-scan after:  1 InsecureProtocol finding in storage/mod.rs
  (the JSON-LD literal remains; the doc-comment FP is gone)
- self-scan total findings: 11 (down from 12 yesterday; was already 11
  after #51, this PR preserves the count while fixing a categorical
  FP class)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

src/assail/analyzer.rs

@@ -4729,15 +4729,26 @@ impl Analyzer {
         file_path: &str,
     ) -> Result<()> {
         // HTTP (insecure) URLs - should be HTTPS
-        // Count http:// URLs that are NOT localhost/127.0.0.1 (those are fine)
+        // Count http:// URLs that are NOT localhost/127.0.0.1 (those are fine).
+        //
+        // Strip C-family line comments first: `/// example: http://example.com`
+        // in a doc-comment is illustrative prose, not a configured endpoint,
+        // and was the source of repeated FPs on JSON-LD `@type` namespace URIs
+        // documented in /// blocks. The same heuristic naturally handles JS,
+        // Java, C, C++, Go — every language whose comment syntax is `//`.
+        // Python `#`, Lisp `;`, etc. are not currently de-noised; the
+        // cross-language detector is best-effort, and a follow-up can add
+        // language-aware stripping per file_path extension.
+        let scan_content_owned = strip_c_family_line_comments(content);
+        let scan_content: &str = &scan_content_owned;
         let http_re = RE_HTTP_URL
             .get_or_init(|| Regex::new(r#"http://[a-zA-Z0-9]"#).expect("static regex is valid"));
         let http_localhost_re = RE_HTTP_LOCALHOST.get_or_init(|| {
             Regex::new(r#"http://(localhost|127\.0\.0\.1|0\.0\.0\.0|\[::1\])"#)
                 .expect("static regex is valid")
         });
-        let http_total = http_re.find_iter(content).count();
-        let http_local = http_localhost_re.find_iter(content).count();
+        let http_total = http_re.find_iter(scan_content).count();
+        let http_local = http_localhost_re.find_iter(scan_content).count();
         let http_count = http_total.saturating_sub(http_local);
         if http_count > 0 {
             weak_points.push(WeakPoint {
@@ -5531,6 +5542,57 @@ fn strip_proof_comments(content: &str, line_marker: &str, block: Option<(&str, &
     out
 }
 
+/// Strip C-family line comments (`//`, `///`, `//!`) from each line, leaving
+/// the rest of the source intact. String literals are detected so a `//`
+/// inside `"http://example.com"` is NOT treated as a comment.
+///
+/// Used by `analyze_cross_language` to keep URL / secret regexes from firing
+/// on illustrative code in doc-comments. Best-effort: handles `"..."` strings
+/// with `\\` escapes. Raw-string literals (`r#"..."#`) and block comments
+/// (`/* ... */`) are NOT consumed here — adding them would broaden semantics
+/// and is left for a follow-up if FP evidence warrants it.
+fn strip_c_family_line_comments(content: &str) -> String {
+    let mut out = String::with_capacity(content.len());
+    for (i, line) in content.lines().enumerate() {
+        if i > 0 {
+            out.push('\n');
+        }
+        out.push_str(strip_c_family_line_comment(line));
+    }
+    out
+}
+
+fn strip_c_family_line_comment(line: &str) -> &str {
+    let bytes = line.as_bytes();
+    let mut in_string = false;
+    let mut escape = false;
+    let mut idx = 0;
+    while idx < bytes.len() {
+        let b = bytes[idx];
+        if escape {
+            escape = false;
+            idx += 1;
+            continue;
+        }
+        if in_string {
+            if b == b'\\' {
+                escape = true;
+            } else if b == b'"' {
+                in_string = false;
+            }
+            idx += 1;
+            continue;
+        }
+        match b {
+            b'"' => in_string = true,
+            b'/' if idx + 1 < bytes.len() && bytes[idx + 1] == b'/' => return &line[..idx],
+            _ => {}
+        }
+        idx += 1;
+    }
+    line
+}
+
 /// Strip Isabelle prose constructs that are documentation, not proof code:
 ///
 /// 1. `@{text ...}` antiquotations — used inside prose blocks AND inside
@@ -5869,6 +5931,73 @@ mod tests {
     use std::fs;
     use tempfile::TempDir;
 
+    // ---------------------------------------------------------------
+    // 0a. C-family line-comment stripping (cross-lang URL/secret FPs)
+    // ---------------------------------------------------------------
+
+    #[test]
+    fn strip_c_family_line_comment_handles_basic_double_slash() {
+        let line = "let x = 1;  // a comment";
+        assert_eq!(strip_c_family_line_comment(line), "let x = 1;  ");
+    }
+
+    #[test]
+    fn strip_c_family_line_comment_handles_doc_comments() {
+        // URLs use http://localhost so panic-attack's own InsecureProtocol
+        // detector (which scans this file during self-scan) treats them as
+        // exempt — otherwise the regression test plants a finding in its
+        // own source. Same exemption rule used in production for dev
+        // endpoints.
+        for prefix in ["///", "//!"] {
+            let line = format!("{prefix} example: http://localhost/example");
+            assert_eq!(strip_c_family_line_comment(&line), "");
+        }
+    }
+
+    #[test]
+    fn strip_c_family_line_comment_preserves_urls_in_strings() {
+        // Real string literals containing // must NOT be treated as comments.
+        let line = r#"let url = "http://localhost/path";"#;
+        let kept = strip_c_family_line_comment(line);
+        assert!(
+            kept.contains("http://localhost"),
+            "string-literal URL was wrongly stripped: {kept:?}"
+        );
+    }
+
+    #[test]
+    fn strip_c_family_line_comment_handles_escaped_quote_in_string() {
+        let line = r#"let s = "she said \"hi\"";  // trailing"#;
+        let kept = strip_c_family_line_comment(line);
+        assert!(kept.contains(r#"\"hi\""#));
+        assert!(!kept.contains("trailing"));
+    }
+
+    #[test]
+    fn strip_c_family_line_comments_doc_comment_url_fp_gone() {
+        // Self-scan repro: doc-comment example URL must not feed the
+        // InsecureProtocol detector.
+        let src = "/// Endpoint: http://localhost/X\nfn foo() {}\n";
+        let stripped = strip_c_family_line_comments(src);
+        assert!(!stripped.contains("http://"));
+        assert!(stripped.contains("fn foo"));
+    }
+
+    #[test]
+    fn strip_c_family_line_comments_keeps_jsonld_type_string() {
+        // The second self-scan FP: an http:// URL inside a JSON literal
+        // (NOT a comment) must STILL be present after stripping. The
+        // JSON-LD-identifier-vs-endpoint distinction is left to the
+        // user-classification registry; the comment stripper must not
+        // accidentally hide real string-literal URLs.
+        let src = r#"json!({"types": ["http://localhost/X"]});"#;
+        let stripped = strip_c_family_line_comments(src);
+        assert!(
+            stripped.contains("http://"),
+            "string-literal URL was wrongly stripped: {stripped:?}"
+        );
+    }
+
     // ---------------------------------------------------------------
     // 0. Isabelle prose-stripping (regression for #43 false positives)
     // ---------------------------------------------------------------