fix(scanner): strip hardcoded deepwiki URL from Cisco scanner raw stdout

[Ylsssq926]

Summary

The upstream `cisco-ai-mcp-scanner` PyPI package hardcodes `"server_url": "https://mcp.deepwiki.com/mcp\"\` in its raw stdout output. When mcpproxy renders this in the UI it looks like tool definitions are being exfiltrated to a third party, even though `NetworkReq=false` and no request is actually made. This PR sanitizes the display-only `ScannerJobStatus.Stdout` at write time, replacing the offending line with an explanatory annotation while leaving `reportData` (used for findings parsing) untouched.

Implements Option A from #383 as spec'd by @algis-dumbris. Option C (upstream fix at `cisco-ai-defense/mcp-scanner`) is orthogonal and not covered here.

Fixes #383

What changes

• `setScannerLogs` runs `sanitizeCiscoStdout` only when `scannerID == ciscoScannerID`; the rest of scanners' logs are untouched.
• The sanitizer regex is narrow: it only matches `server_url` lines pointing at `deepwiki`, and uses `[ \t]` instead of `\s` so the next line's indentation is preserved.
• The replacement is a one-line annotation; raw stdout that follows is preserved for debugging.
• The display stdout is sanitized on the way into `ScannerJobStatus.Stdout`. The `reportData` consumed by `parseCiscoScannerOutput` is independent and untouched.
• `sanitizeCiscoStdout` runs outside the engine mutex (pure function, no shared state).

Test plan

• `go build -o /dev/null ./cmd/mcpproxy`
• `go vet ./internal/security/scanner/...`
• `go test -v ./internal/security/scanner/...` — all green incl. 6 new tests
• `gofmt -l internal/security/scanner/` — empty
• `prek run --all-files`
• Manual: have not run a real Cisco scan locally; happy to add a screenshot if useful

New tests:

• `TestSanitizeCiscoStdout_RemovesHardcodedDeepwikiURL` / `_PreservesScanResults` / `_NoOpWithoutDeepwiki` / `_HandlesCRLF` — sanitizer in isolation.
• `TestSetScannerLogs_CiscoStdoutSanitized` / `_NonCiscoScannerStdoutPreserved` — scanner-id dispatch is exercised, including a sanity check that a non-cisco scanner with `deepwiki` literally in its stdout is left alone.

Notes

• The replacement uses a `//`-style annotation, so the sanitized stdout is no longer valid JSON. Findings parsing is unaffected (`parseCiscoScannerOutput` reads `reportData`, not `Stdout`), but if any downstream consumer pipes `scanner_statuses[].stdout` into a JSON parser this would be a behavior change. Not aware of any such consumer; flagging in case I'm missing one.
• The regex assumes pretty-printed multi-line output. If upstream ever minifies to single-line JSON, the sanitizer would silently no-op; documented in the helper godoc and tracked as a follow-up if it ever happens.
• Did not extract the scanner-id literal in `registry_bundled.go` to share a const with `engine.go`. Left a `// keep in sync` note on the new const; happy to do the cross-file refactor in a separate PR if you want.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!