fix(scanner): always surface cisco static-analysis coverage caveat (MCP-2399)

[Dumbris]

Summary

Resolves the residual coverage-honesty concern raised in MCP-2399 / gh #383: the cisco-mcp-scanner returns blanket is_safe:true/SAFE for URL targets and makes no network request, which risks being over-trusted as live coverage.

Forensic context (what was already true)

• gh Cisco scanner output shows hardcoded mcp.deepwiki.com URL in execution logs #383 is already CLOSED. Its actual content was the cosmetic hardcoded deepwiki server_url leak in the Cisco execution log — fixed in fix(scanner): strip hardcoded deepwiki URL from Cisco scanner raw stdout #528 (sanitizeCiscoStdout).
• Cisco is NOT a no-op stub. The bundled scanner runs static --tools tools.json and performs real YARA + readiness analysis of the exported tool definitions; parseCiscoScannerOutput reads real scan_results and emits findings. So removing it from coverage would be wrong — it would discard legitimate tool-poisoning detection.

The residual gap this PR fixes

The only caveat ("no network request was made") was emitted solely when upstream stdout happened to contain the deepwiki placeholder. If a future cisco-ai-mcp-scanner release changes/drops that placeholder, the caveat silently vanishes while the static-only limitation remains.

Change

• Prepend a permanent coverage caveat to every Cisco execution log, independent of the deepwiki string, leading the output so it survives MaxLogBytes truncation. The caveat states plainly: static analysis of tool definitions only, no live endpoint probe, no network request — so is_safe reflects the tool definitions, not runtime behavior.
• Still strip the deepwiki placeholder line when present (unchanged behavior).
• Docs: reframe the docs/features/security-scanner-plugins.md note from "cosmetic" to an explicit coverage caveat.

This is backend + docs only (internal/ + docs/), no frontend/API surface change. The displayed stdout is log-viewing only; findings are parsed from the report bytes, so the annotation does not affect parsed results (existing TestSetScannerLogs_* cover this).

Tests (TDD)

• New: TestSanitizeCiscoStdout_SurfacesCoverageCaveatWithoutDeepwiki, TestSanitizeCiscoStdout_CaveatAlwaysLeadsOutput
• Updated the obsolete no-op test to the new contract.
• All 7 sanitize/log tests pass; go test ./internal/security/... -race green; golangci-lint (v2 CI config) 0 issues; go build ./cmd/mcpproxy clean.

Disposition for gh #383

Already CLOSED (cosmetic fix shipped in #528). This PR closes out the broader coverage-caveat ask from MCP-2399.

Related #383

[cloudflare-workers-and-pages]

Deploying mcpproxy-docs with    Cloudflare Pages

Latest commit:	0ba6236
Status:	✅  Deploy successful!
Preview URL:	https://182bfd9e.mcpproxy-docs.pages.dev
Branch Preview URL:	https://fix-mcp-2399-cisco-coverage.mcpproxy-docs.pages.dev

View logs

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[mcpproxy-gatekeeper]

Approved via Claude Code review (Codex out): cisco coverage caveat (MCP-2399/#383). Reviewer verified fix + tests + CI green; VERDICT ACCEPT.

[github-actions]

📦 Build Artifacts

Workflow Run: View Run
Branch: fix/mcp-2399-cisco-coverage-caveat

Available Artifacts

• archive-darwin-amd64 (28 MB)
• archive-darwin-arm64 (25 MB)
• archive-linux-amd64 (16 MB)
• archive-linux-arm64 (14 MB)
• archive-windows-amd64 (28 MB)
• archive-windows-arm64 (25 MB)
• frontend-dist-pr (0 MB)
• installer-dmg-darwin-amd64 (21 MB)
• installer-dmg-darwin-arm64 (19 MB)

How to Download

Option 1: GitHub Web UI (easiest)

1. Go to the workflow run page linked above
2. Scroll to the bottom "Artifacts" section
3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 27501576546 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.