Commit 4c1c128

Browse files
hyperpolymathclaude
andcommitted
fix(assail): close CryptoMisuse self-reference FP (use code_only not content)
Self-scan of panic-attack found 1 Critical CryptoMisuse finding in src/assail/analyzer.rs itself — the detector's own source code. Cause: the dangerous_insecure_decode detector was using raw `content` instead of `code_only` (the string-, comment-, and test-mod-stripped variant that every other check in analyze_rust uses). The old code carried a comment claiming "this identifier never appears inside a string literal" — but that was immediately falsified by the format! macro right below, and by the #[test] fixture at line 5802.

Fix: one-line change to use `code_only`. Comment updated to reflect the real reason (strip self-references, test fixtures, doc mentions).

Dogfood pass: self-scan Critical count 15 -> 14 (remaining 14 are UnboundedAllocation from unbounded read_to_string calls in panic-attack's own src/ — triage pending, all are TPs by detector semantics and need .take(LIMIT) bounds the same way 007-lang got them).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 24b91b4 commit 4c1c128
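The stripping step the commit message relies on, as an added example that is not the project's code: a minimal model of a `code_only` pass (string literals, comments and `#[cfg(test)]` items blanked while newlines are kept so line numbers survive) run over two constructed fixtures. The raw-content scan flags the self-reference fixture, the stripped scan does not, and the stripped scan still flags the fixture with a genuine call site. It goes one step past the page by returning the 1-based line of each hit. The functions `strip_strings_and_comments`, `strip_test_mods`, `code_only`, `find_insecure_decode`, the `jwt::` path in the fixture and both fixtures are assumptions made here; the real `code_only` in src/assail/analyzer.rs is not shown on this page.

```rust
// Added example, not panic-attack's code. Models the idea of a `code_only`
// view of a Rust file: strings, comments and #[cfg(test)] items are blanked,
// newlines kept, so a substring scan cannot match self-references or fixtures.
const INSECURE_DECODE: &str = "dangerous_insecure_decode";

fn find(hay: &[u8], needle: &[u8]) -> Option<usize> {
    hay.windows(needle.len()).position(|w| w == needle)
}

/// Replace string literals and comments with spaces. Simplifications (assumed
/// acceptable for the demo): raw strings, byte strings and char literals are
/// not modelled; nested block comments are.
fn strip_strings_and_comments(src: &str) -> String {
    let b = src.as_bytes();
    let mut out = vec![b' '; b.len()];
    let at = |k: usize, c: u8| k < b.len() && b[k] == c;
    let mut i = 0;
    while i < b.len() {
        if b[i] == b'\n' {
            out[i] = b'\n';
            i += 1;
        } else if b[i] == b'/' && at(i + 1, b'/') {
            while i < b.len() && b[i] != b'\n' { i += 1; } // line comment
        } else if b[i] == b'/' && at(i + 1, b'*') {
            let mut depth = 1usize; // block comment, nesting allowed
            i += 2;
            while i < b.len() && depth > 0 {
                if b[i] == b'\n' { out[i] = b'\n'; }
                if b[i] == b'/' && at(i + 1, b'*') { depth += 1; i += 2; }
                else if b[i] == b'*' && at(i + 1, b'/') { depth -= 1; i += 2; }
                else { i += 1; }
            }
        } else if b[i] == b'"' {
            i += 1; // string literal; honour backslash escapes
            while i < b.len() && b[i] != b'"' {
                if b[i] == b'\n' { out[i] = b'\n'; }
                if b[i] == b'\\' { i += 1; }
                i += 1;
            }
            i += 1; // closing quote
        } else {
            out[i] = b[i];
            i += 1;
        }
    }
    // Multibyte chars are copied whole (code) or blanked whole (literal), so
    // the bytes are still valid UTF-8.
    String::from_utf8(out).expect("stripping preserves UTF-8")
}

/// Blank each `#[cfg(test)]` item from the attribute to its matching `}`.
/// Expects string/comment-stripped input so stray braces cannot unbalance it.
fn strip_test_mods(src: &str) -> String {
    let mut code = src.as_bytes().to_vec();
    let needle = b"#[cfg(test)]";
    let mut from = 0;
    loop {
        let attr = match find(&code[from..], needle) { Some(off) => from + off, None => break };
        let open = match code[attr..].iter().position(|&c| c == b'{') { Some(o) => attr + o, None => break };
        let mut depth = 0usize;
        let mut close = code.len() - 1; // unbalanced file: blank to the end
        for j in open..code.len() {
            match code[j] {
                b'{' => depth += 1,
                b'}' => { depth -= 1; if depth == 0 { close = j; break; } }
                _ => {}
            }
        }
        for j in attr..=close { if code[j] != b'\n' { code[j] = b' '; } }
        from = close + 1;
    }
    String::from_utf8(code).expect("blanking preserves UTF-8")
}

fn code_only(src: &str) -> String {
    strip_test_mods(&strip_strings_and_comments(src))
}

/// Pre-fix behaviour: substring scan of the raw file content.
fn flags_raw(content: &str) -> bool {
    content.contains(INSECURE_DECODE)
}

/// Post-fix behaviour, extended to report the 1-based line of every hit.
fn find_insecure_decode(content: &str) -> Vec<usize> {
    code_only(content).lines().enumerate()
        .filter(|(_, l)| l.contains(INSECURE_DECODE))
        .map(|(i, _)| i + 1)
        .collect()
}

/// Constructed fixture modelled on the self-scan case: the identifier occurs
/// only in a comment, a format! string and a #[cfg(test)] module.
const SELF_REFERENCE_FIXTURE: &str = r#"
// any call site of dangerous_insecure_decode is a CryptoMisuse finding
fn describe(name: &str) -> String {
    format!("{}: dangerous_insecure_decode skips all verification", name)
}
#[cfg(test)]
mod tests {
    #[test]
    fn fixture() {
        let _ = dangerous_insecure_decode::<Claims>("not a real token");
    }
}
"#;

/// Constructed fixture with a genuine call site outside any test module.
const REAL_CALL_FIXTURE: &str = r#"
fn claims_from(token: &str) -> Claims {
    // "verify later" never happens; this is the bug the detector exists for
    jwt::dangerous_insecure_decode::<Claims>(token).unwrap().claims
}
"#;

fn main() {
    for &(name, src) in [("self-reference", SELF_REFERENCE_FIXTURE), ("real call", REAL_CALL_FIXTURE)].iter() {
        println!("{}: raw={} code_only hits at lines {:?}", name, flags_raw(src), find_insecure_decode(src));
    }
}
```

The string pass alone is not enough: the call inside `mod tests` survives it and only disappears once the `#[cfg(test)]` item is blanked, which is why all three strippings are needed for the self-scan to go quiet.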

1 file changed

Lines changed: 3 additions & 3 deletions

src/assail/analyzer.rs
Original file line number | Diff line number | Diff line change
@@ -1034,9 +1034,9 @@ impl Analyzer {
10341034
// This Rust function explicitly skips ALL JWT verification (signature,
10351035
// expiry, audience, issuer). Its name documents the risk; any call
10361036
// site is a CryptoMisuse finding regardless of context.
1037-
// Uses `content` directly — this identifier never appears inside a
1038-
// string literal, so string-stripping would only produce false negatives.
1039-
if content.contains("dangerous_insecure_decode") {
1037+
// Use `code_only` so the detector doesn't flag string literals that
1038+
// mention the identifier (analyzer self-reference, test fixtures, etc).
1039+
if code_only.contains("dangerous_insecure_decode") {
10401040
weak_points.push(WeakPoint {
10411041
file: None,
10421042
line: None,
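Review bot: the hunk adds no regression test for the false positive it fixes, and the removed comment shows why one is needed: its claim that the identifier "never appears inside a string literal" was already false in this file, and only a self-scan caught it. Suggest a unit test with a fixture in which `dangerous_insecure_decode` appears only in a string literal, a `//` comment and a `#[cfg(test)]` module, asserting zero CryptoMisuse findings, plus a positive fixture with a real call site, so the next edit to `code_only` cannot silently reintroduce either direction of the bug. Two smaller points on the same lines: `code_only.contains("dangerous_insecure_decode")` is a substring scan over the whole file, so the WeakPoint is pushed with `file: None, line: None` and gives the triager nothing to jump to; if `code_only` keeps line structure, iterating `code_only.lines().enumerate()` would let the finding carry the line. And the new comment should state the trade-off explicitly: because `code_only` is also test-mod-stripped, a call site inside a `#[cfg(test)]` module is no longer reported, which the old comment's "false negatives" worry was pointing at.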

0 commit comments

Comments
 (0)