docs: correct stale analyzer status and dangling references

[AbhiramDwivedi]

Closes #55

What

Documentation/comment-only corrections — no behavior change.

• docs/DEVELOPMENT.md described the MCP, semantic, and taint-tracking analyzers as "stubs"; they are implemented. Updated the package-layout and "Stub analyzers" sections to reflect actual status. mcp_rug_pull is correctly kept as the one remaining stub (RP1–RP3 planned).
• Fixed an invalid // comment in the Python example in DEVELOPMENT.md.
• Replaced dangling internal "SADD §…" references in graph.py with neutral roadmap notes (the SADD design doc isn't in the public repo).
• Refreshed two stale "stub" docstrings.

Test

No code changes; lint and the unit suite are unaffected.

🤖 Generated with Claude Code

[rng1995]

Review: APPROVE

Accurate, low-risk documentation/comment cleanup that removes real sources of confusion. Each change checks out:

• The package-layout and "Stub analyzers" sections previously labeled the behavioral taint-tracking, MCP, and semantic analyzers as stubs; they're implemented, and the table now reflects that (TT/LP/TP rule families called out) while correctly keeping mcp_rug_pull as the one remaining stub with planned rule IDs. This matches the actual analyzer behavior (e.g. the telemetry/coverage those analyzers carry), so the docs are no longer misleading about what runs.
• Good catch fixing the // comment in the Python example to # — the previous form is not valid Python and would mislead anyone copy-pasting the programmatic snippet.
• Replacing the internal design-doc references in graph.py with neutral roadmap notes is the right call for a public repo, and the roadmap content is preserved in a form that doesn't point at a non-public document. The refreshed module docstrings are consistent with this.

Open-source hygiene — clean; no internal hostnames, tickets, or infra details introduced, and this actually reduces the repo's exposure of internal references.

Minor / optional (non-blocking)

• One more internal design-doc reference of the same style still lives in src/skillspector/models.py (the AnalyzerPlugin protocol docstring). Since this PR is specifically sweeping those out, it'd be worth folding that one into the same cleanup so none remain.

No behavior change, nothing blocking. Approving.

[AbhiramDwivedi]

@rng1995 Thanks! Folded the models.py AnalyzerPlugin docstring into the sweep (d4ea814) — and while there I grepped the tree and found several more internal SADD references beyond that one: behavioral_taint_tracking.py, mcp_rug_pull.py, both semantic analyzer module docstrings, and a few test docstrings/comments. Neutralized all of them so a repo-wide grep is now clean, while preserving the public rule IDs (TT1–TT5, RP1–RP3).

I also caught a related stale claim in the same spirit as this PR: the "Semantic Analyzer Stubs" table in docs/LLM_ANALYZER_BASE_GUIDE.md still called the (now-implemented) semantic analyzers stubs "ready to be implemented" and carried a "SADD Reference" column. Retitled it to "Semantic Analyzers", noted they emit findings only when use_llm is enabled, and dropped the internal-reference column — consistent with the DEVELOPMENT.md correction in this PR.

[rng1995]

Please resolve merge conflicts

[rng1995]

[Automated SkillSpector Review]

Re-review — re-confirming approval.

Docs/comment-only, no behavior change. My one non-blocking nit from the first pass (the residual SADD reference in models.py's AnalyzerPlugin docstring) was folded in, along with a thorough sweep of the remaining internal design-doc references and a corrected "Semantic Analyzers" table in the LLM guide. All edits are accurate (taint tracking is TT1-TT5; mcp_rug_pull correctly remains the one stub). Approving.

[AbhiramDwivedi]

@rng1995 Resolved against the latest main (merged it in) — conflicts were in mcp_rug_pull.py and test_registry.py.

One thing worth flagging: main now implements mcp_rug_pull (it was the last stub this PR documented), so I extended the same stale-status sweep to the two remaining "stub" references it left behind — the DEVELOPMENT.md table row and the "Stub analyzers" section (→ "Placeholder analyzers") — and corrected the static-pattern analyzer count to 14 to match ANALYZER_NODE_IDS / test_registry. Net diff stays docs/comments-only; test_registry is green. Ready for re-merge.