fix(assail): TODO-in-string-literal FP closed (Task #23)

UncheckedError detector was counting TODO/FIXME/HACK/XXX markers
against raw `content` via `content.matches(\"TODO\").count()`. This
inflated counts for every `.expect(\"TODO: handle error\")` call —
observed on 007-lang where parser.rs has 155 such stubs, each
double-counted as both PanicPath (correct) AND UncheckedError (FP).

Fix: replace the substring count with a regex that requires a
comment-starter on the same line. Comment-starters handled:
  //  /*  *  #  --  ;;  %%

Covers Rust/C/JS/Go/Zig (// + /*), Python/Ruby/Shell/Nix/Elixir (#),
Haskell/Ada/SQL/Lua/Idris (--), Lisp/Scheme/Racket (;;),
Erlang/Matlab (%%). OCaml (* *) and a few others are not yet handled
— edge cases for later. Block-comment continuation lines starting
with `*` also match (e.g. `  * TODO: …` inside a /** … */ block).

Regex stored in OnceLock<Regex> — compiled once per process.

Estate-wide impact:
  007-lang self-scan: 24 findings -> 9 findings.
    UncheckedError: 15 -> 0  (all were TODO-in-.expect-string FPs)
    PanicPath:       4 -> 4  (155 .expect() in parser.rs is real debt)
    UnsafeCode:      4 -> 4  (legit — see audits/audit-ffi-unsafe.md)
    InsecureProtocol:1 -> 1  (integration_tests.rs — test context)

Regression tests added:
  test_todo_in_string_literal_does_not_trigger_unchecked_error
  test_real_todo_comments_still_detected

190/190 lib tests + 12/12 unbounded corpus + new analyzer tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

src/assail/analyzer.rs

@@ -243,6 +243,20 @@ static RE_SHELL_UNQUOTED_VAR: OnceLock<Regex> = OnceLock::new();
 static RE_HTTP_URL: OnceLock<Regex> = OnceLock::new();
 static RE_HTTP_LOCALHOST: OnceLock<Regex> = OnceLock::new();
 static RE_HARDCODED_SECRET: OnceLock<Regex> = OnceLock::new();
+/// Match TODO/FIXME/HACK/XXX markers only when preceded by a
+/// comment-starter on the same line. Excludes string-literal matches
+/// like `.expect("TODO: handle error")` which were previously
+/// inflating the UncheckedError count for every `.expect(...)` call
+/// that mentioned TODO in its message (observed on 007-lang:
+/// parser.rs has 155 `.expect("TODO: ...")` patterns, each of which
+/// was being double-counted as both PanicPath (correct) and
+/// UncheckedError (FP).
+///
+/// Comment-starters handled: `//` (Rust/C/JS/...), `/*` (block),
+/// `#` (Python/Ruby/Shell/Nix/Elixir-preamble), `--` (Haskell/Ada/
+/// SQL/Lua/Idris), `;;` (Lisp/Scheme/Racket), `%%` (Erlang/Matlab).
+/// Does not handle OCaml `(* *)` or Forth `\` — edge cases for later.
+static RE_TODO_COMMENT: OnceLock<Regex> = OnceLock::new();
 
 pub struct Analyzer {
     target: PathBuf,
@@ -4543,11 +4557,15 @@ impl Analyzer {
             });
         }
 
-        // TODO/FIXME/HACK/XXX markers
-        let todo_count = content.matches("TODO").count()
-            + content.matches("FIXME").count()
-            + content.matches("HACK").count()
-            + content.matches("XXX").count();
+        // TODO/FIXME/HACK/XXX markers — count only when the marker
+        // appears on a line that also contains a comment-starter, so
+        // string literals like `.expect("TODO: handle error")` don't
+        // inflate the count. See RE_TODO_COMMENT definition above.
+        let todo_re = RE_TODO_COMMENT.get_or_init(|| {
+            Regex::new(r"(?m)^[^\n]*?(//|/\*|\*|#|--|;;|%%)[^\n]*?\b(TODO|FIXME|HACK|XXX)\b")
+                .expect("static regex is valid")
+        });
+        let todo_count = todo_re.find_iter(content).count();
         if todo_count > 10 {
             weak_points.push(WeakPoint {
                 file: None,

tests/analyzer_tests.rs

@@ -209,6 +209,84 @@ fn test_framework_detection_database() {
     );
 }
 
+#[test]
+fn test_todo_in_string_literal_does_not_trigger_unchecked_error() {
+    // Regression test for 007-lang false positive: parser.rs contained
+    // 155 `.expect("TODO: handle error")` calls. The old detector did
+    // `content.matches("TODO").count()` on raw content, so each string
+    // literal incremented the TODO count. This pattern is common in
+    // stub code and shouldn't be classified as UncheckedError.
+    let dir = TempDir::new().unwrap();
+    let content = r#"
+pub fn parse_stubbed(input: &str) -> String {
+    let first = input.split(',').next().expect("TODO: handle error");
+    let second = input.split('.').next().expect("TODO: handle error");
+    let third = input.split('/').next().expect("TODO: handle error");
+    let fourth = input.split(':').next().expect("TODO: handle error");
+    let fifth = input.split(';').next().expect("TODO: handle error");
+    let sixth = input.split('-').next().expect("TODO: handle error");
+    let seventh = input.split('_').next().expect("TODO: handle error");
+    let eighth = input.split('+').next().expect("TODO: handle error");
+    let ninth = input.split('*').next().expect("TODO: handle error");
+    let tenth = input.split('!').next().expect("TODO: handle error");
+    let eleventh = input.split('?').next().expect("TODO: handle error");
+    format!("{}{}{}{}{}{}{}{}{}{}{}",
+        first, second, third, fourth, fifth, sixth,
+        seventh, eighth, ninth, tenth, eleventh)
+}
+"#;
+    let file = create_test_file(&dir, "stubby.rs", content);
+    let report = assail::analyze(&file).expect("analysis should succeed");
+
+    let unchecked: Vec<_> = report
+        .weak_points
+        .iter()
+        .filter(|wp| wp.category == WeakPointCategory::UncheckedError)
+        .collect();
+
+    assert!(
+        unchecked.is_empty(),
+        "TODO inside .expect() string literals must not count as \
+         UncheckedError markers: got {:?}",
+        unchecked
+    );
+}
+
+#[test]
+fn test_real_todo_comments_still_detected() {
+    // Sanity: actual `// TODO` comments in the 11+ threshold still fire.
+    let dir = TempDir::new().unwrap();
+    let content = r#"
+// TODO: implement proper error handling
+// TODO: add tests for edge cases
+// TODO: optimise hot path
+// TODO: document invariants
+// FIXME: this leaks memory on panic
+// FIXME: race condition in iterator
+// FIXME: buffer overflow possible
+// HACK: using unsafe pointer cast as workaround
+// HACK: bypassing type check with transmute
+// HACK: relying on undocumented behaviour
+// XXX: this block needs review
+// XXX: performance critical but correctness unclear
+pub fn stub() -> i32 { 42 }
+"#;
+    let file = create_test_file(&dir, "debt.rs", content);
+    let report = assail::analyze(&file).expect("analysis should succeed");
+
+    let unchecked: Vec<_> = report
+        .weak_points
+        .iter()
+        .filter(|wp| wp.category == WeakPointCategory::UncheckedError)
+        .collect();
+
+    assert!(
+        !unchecked.is_empty(),
+        "real // TODO / // FIXME / // HACK / // XXX comments above \
+         the threshold should still fire the detector"
+    );
+}
+
 #[test]
 fn test_per_file_stats_populated() {
     let dir = TempDir::new().unwrap();