
docs(cli): document ARP findings output is unbounded in --arp help [PC-015] #310

Merged: Zious11 merged 2 commits into develop from fix/arp-findings-unbounded-help on Jun 24, 2026

@Zious11 Zious11 commented Jun 24, 2026 (Owner)

Summary

Closes open item PC-015 from fix bundle fix-pc-013-014-015.

The --arp flag in wirerust analyze --help previously contained only a one-line short description that made no mention of the unbounded findings behavior. This left operators unaware that analyzing adversarial or large captures with ARP could produce Vec growth proportional to triggering frames, with no platform-imposed cap.

What changed

  • src/cli.rs — Added long_help to the --arp clap argument documenting:

    • ARP findings output is UNBOUNDED (no MAX_FINDINGS cap, unlike HTTP/TLS/Modbus/DNP3 which cap at 10,000 via the TCP reassembly layer)
    • ARP operates at the Ethernet link layer and bypasses the reassembly cap entirely
    • The ARP binding table (MAX_ARP_BINDINGS = 65,536) and storm-counter table (MAX_STORM_COUNTERS = 4,096) are internal state bounds only — they do not cap findings output
    • Operator awareness guidance for adversarial/large captures
  • src/analyzer/arp.rs — Added mod bc_2_16_016 characterization test verifying that process_arp returns >10,000 findings when processing 10,001 distinct IP rebinds (spoof_threshold=1), confirming no MAX_FINDINGS cap exists on the ARP path. Serves as a regression guard.

  • tests/bc_2_16_016_arp_tests.rs — New integration test (Red Gate): asserts the word "unbounded" appears in the --arp flag's help entry in wirerust analyze --help. This test was the original Red Gate for PC-015 — it FAILED before this fix and PASSES after long_help is added.

BC Traceability

| Layer | Reference |
| --- | --- |
| Behavioral Contract | BC-2.16.016 v1.0 — "ARP Findings Output is Unbounded" |
| Supporting contract | BC-2.16.010 v1.8 — ARP analyzer state/output behavior |
| Story | STORY-113, AC-022 |
| Fix cycle | fix-pc-013-014-015, open item PC-015 |

Traceability chain:
BC-2.16.016 PC4 (CLI help must document unbounded behavior) → AC-022 (STORY-113) → src/cli.rs --arp long_help → tests/bc_2_16_016_arp_tests.rs Red Gate

F1 Finding Correction

The original F1 (PC-015) incorrectly flagged the ARP analyzer as having a hidden findings cap. The corrected finding: ARP has no findings cap at all — this is correct behavior (ARP operates at L2, bypassing TCP reassembly limits), but the absence of a cap was undocumented. This PR closes the documentation gap.

Test Evidence

All local gates pass on fix/arp-findings-unbounded-help:

cargo test --all-targets       ✓ PASS
cargo clippy --all-targets -- -D warnings   ✓ PASS (0 warnings)
cargo fmt --check              ✓ PASS

Specific tests added/passing:

  • src/analyzer/arp.rs::bc_2_16_016::test_BC_2_16_016_arp_findings_vec_has_no_cap — characterization, all_findings.len() == 10,001 (>10,000), no cap applied
  • tests/bc_2_16_016_arp_tests.rs::bc_2_16_016::test_BC_2_16_016_cli_help_documents_arp_findings_unbounded — Red Gate integration test, asserts "unbounded" in --arp help text

Risk Assessment

Blast radius: Documentation-only change to CLI help text + new tests. Zero behavior change. No production code paths altered beyond the long_help string in src/cli.rs.

Risk level: Low. No logic changes; clap long_help is rendered only when user passes --help.

Fix Bundle Context

This is item 3 of 3 in the fix-pc-013-014-015 bundle:

  • PC-013: ARP table bounds (MAX_ARP_BINDINGS) — already merged
  • PC-014: Storm counter bounds (MAX_STORM_COUNTERS) — already merged
  • PC-015: Document unbounded findings output — THIS PR

Pre-Merge Checklist

  • Semantic PR title (docs scope, CI-compliant)
  • BC traceability complete (BC-2.16.016 → AC-022 → test → code)
  • All local gates pass (test, clippy, fmt)
  • Red Gate test added (bc_2_16_016_arp_tests.rs)
  • Characterization regression guard added (arp.rs mod bc_2_16_016)
  • No .factory/STATE.md changes
  • No behavior changes (doc + test only)
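
An added illustration, not code from wirerust or this PR: a simplified, std-only Rust model of the distinction drawn above between a bounded ARP binding table and uncapped findings output. `ArpModel`, `observe` and `replay_rebinds` are hypothetical names, and dropping new IPs once the table is full is an assumption; only the two constant values come from the PR text.

```rust
use std::collections::HashMap;
use std::net::Ipv4Addr;

// Values quoted in the PR description; everything else is a simplified model.
const MAX_ARP_BINDINGS: usize = 65_536; // bound on internal state only
const TCP_PATH_FINDINGS_CAP: usize = 10_000; // cap stated for the TCP reassembly path

/// Hypothetical stand-in for an ARP analyzer: IP -> last seen MAC.
struct ArpModel {
    bindings: HashMap<u32, [u8; 6]>,
}

impl ArpModel {
    /// Returns a finding when a tracked IP shows up with a different MAC.
    /// Assumption: once the table is full, new IPs are simply not tracked.
    fn observe(&mut self, ip: u32, mac: [u8; 6]) -> Option<String> {
        if let Some(known) = self.bindings.get_mut(&ip) {
            if *known == mac {
                return None;
            }
            *known = mac;
            return Some(format!("ARP rebind for {}", Ipv4Addr::from(ip)));
        }
        if self.bindings.len() < MAX_ARP_BINDINGS {
            self.bindings.insert(ip, mac);
        }
        None
    }
}

/// Replays `n` distinct IPs `passes` times (constructed input), alternating the
/// MAC on each pass. Returns (findings collected, bindings tracked).
fn replay_rebinds(n: u32, passes: u32) -> (usize, usize) {
    let mut model = ArpModel { bindings: HashMap::new() };
    let mut findings: Vec<String> = Vec::new(); // no cap, as on the ARP path
    for pass in 0..passes {
        let mac = [0x02, 0, 0, 0, 0, (pass % 2) as u8];
        for i in 0..n {
            findings.extend(model.observe(0x0a00_0000 + i, mac));
        }
    }
    (findings.len(), model.bindings.len())
}

fn main() {
    let (findings, tracked) = replay_rebinds(10_001, 2);
    println!("{} findings (TCP-path cap {}), {} bindings", findings, TCP_PATH_FINDINGS_CAP, tracked);
}
```

State stays fixed at the table bound while the findings vector keeps growing with every triggering frame, which is the property an operator has to size memory and downstream storage for.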

Zious11 added 2 commits June 23, 2026 22:51
…p [PC-015, BC-2.16.016]

Adds long_help to the --arp clap arg in src/cli.rs documenting that ARP
findings output is UNBOUNDED — no MAX_FINDINGS cap applies to the ARP
analyzer path (contrast: HTTP/TLS/Modbus/DNP3 cap at 10,000 via TCP
reassembly layer). Also clarifies that the ARP binding table cap
(MAX_ARP_BINDINGS=65,536) and storm-counter table cap
(MAX_STORM_COUNTERS=4,096) are memory bounds on internal state only and
do not cap findings output.

Documentation-surface fix only: no ARP analyzer behavior changed.

Passes: test_BC_2_16_016_cli_help_documents_arp_findings_unbounded (Red Gate)
Stays green: test_BC_2_16_016_arp_findings_vec_has_no_cap (characterization)
… [PC-015]

- src/analyzer/arp.rs: mod bc_2_16_016 characterization test verifies
  ARP findings Vec has no MAX_FINDINGS cap (>10,000 findings with N=10,001
  distinct IPs, spoof_threshold=1)
- tests/bc_2_16_016_arp_tests.rs: integration Red Gate test asserts the
  word "unbounded" appears in wirerust analyze --help output for --arp flag

Part of fix bundle fix-pc-013-014-015 / STORY-113 AC-022 / BC-2.16.016 v1.0.
@Zious11 Zious11 merged commit 2645139 into develop Jun 24, 2026
10 checks passed
@Zious11 Zious11 deleted the fix/arp-findings-unbounded-help branch June 24, 2026 04:02
Zious11 added a commit that referenced this pull request Jun 24, 2026
PC-015 DELIVERED & MERGED. PR #310 "docs(cli): document ARP findings
output is unbounded in --arp help [PC-015]" merged to develop at commit
2645139 (2026-06-24). All 10 CI checks green; clean code + security review.
Anchored BC-2.16.016 v1.0 / BC-2.16.010 v1.8 → STORY-113 AC-022. Tests:
test_BC_2_16_016_cli_help_documents_arp_findings_unbounded (Red Gate) +
test_BC_2_16_016_arp_findings_vec_has_no_cap (characterization), passing.

STATE.md changes (single-commit burst protocol):
- phase: FIX-CYCLE-SPEC-DONE → FIX-CYCLE
- phase_status: updated to reflect PC-015 DONE, PC-013/014 SPEC-DONE
- develop_head: 0115d0e → 2645139
- factory_artifacts_head: a69d757 → eade774
- current_wave: updated (1 of 3 fixes delivered; PC-013 next)
- Open Items: PC-015 → DONE (PR #310, develop 2645139)
- Status: updated develop_head + PC-015 delivery note + test citations
- Phase Progress: fix-pc-013-014-015 row → IN-PROGRESS (1/3 delivered)
- GROUND-TRUTH HEADs: verified at D-222
- RESUME PROCEDURE: develop ref updated to 2645139
- Decisions Log: D-222 added
- Resolved items: PC-015 added to resolved list

No BC or story files touched (state-only burst).