feat: on-demand external script analysis + code viewer; refactor form analysis to rule engine

- API: add `POST /api/analyze_script` (app/blueprints/api.py)
  - Fetch one external script to artifacts, run rules, return findings + snippet
  - Uses new ExternalScriptFetcher (results_path aware) and job UUID
  - Returns: { ok, final_url, status_code, bytes, truncated, sha256, artifact_path, findings[], snippet, snippet_len }
  - TODO: document in openapi/openapi.yaml

- Fetcher: update `app/utils/external_fetch.py`
  - Constructed with `results_path` (UUID dir); writes to `<results_path>/scripts/fetched/<index>.js`
  - Loads settings via `get_settings()`, logs via std logging

- UI (results.html):
  - Move “Analyze external script” action into **Content Snippet** column for external rows
  - Clicking replaces button with `<details>` snippet, shows rule matches, and adds “open in viewer” link
  - Robust fetch handler (checks JSON, shows errors); builds viewer URL from absolute artifact path

- Viewer:
  - New route: `GET /view/artifact/<run_uuid>/<path:filename>` (app/blueprints/ui.py)
  - New template: Monaco-based read-only code viewer (viewer.html)
  - Removes SRI on loader to avoid integrity block; loads file via `raw_url` and detects language by extension

- Forms:
  - Refactor `analyze_forms` to mirror scripts analysis:
    - Uses rule engine (`category == "form"`) across regex/function rules
    - Emits rows only when matches exist
    - Includes `content_snippet`, `action`, `method`, `inputs`, `rules`
  - Replace legacy plumbing (`flagged`, `flag_reasons`, `status`) in output
  - Normalize form function rules to canonical returns `(bool, Optional[str])`:
    - `form_action_missing`
    - `form_http_on_https_page`
    - `form_submits_to_different_host`
    - Add minor hardening (lowercasing hosts, no-op actions, clearer reasons)

- CSS: add `.forms-table` to mirror `.scripts-table` (5 columns)
  - Fixed table layout, widths per column, chip/snippet styling, responsive tweaks

- Misc:
  - Fix “working outside app context” issue by avoiding `current_app` at import time (left storage logic inside routes)
  - Add “View Source” link to open page source in viewer

Refs:
- Roadmap: mark “Source code viewer” done; keep TODO to add `/api/analyze_script` to OpenAPI

app/static/style.css

@@ -279,6 +279,7 @@ details ul, details p {
   }
 }
 
+/* SCRIPTS TABLE */
 .scripts-table td ul {
   margin: 0.25rem 0 0.25rem 1rem;
   padding-left: 1rem;
@@ -305,6 +306,59 @@ details ul, details p {
   white-space: nowrap;
 }
 
+
+/* lists & small text inside cells */
+.forms-table td ul {
+  margin: 0.25rem 0 0.25rem 1rem;
+  padding-left: 1rem;
+}
+.forms-table td small {
+  opacity: 0.85;
+}
+
+/* keep the table from exploding */
+.forms-table {
+  table-layout: fixed;
+  width: 100%;
+}
+
+/* columns: Action | Method | Inputs | Matches | Form Snippet */
+.forms-table th:nth-child(1) { width: 15rem; } /* Action */
+.forms-table th:nth-child(2) { width: 5rem;  } /* Method */
+.forms-table th:nth-child(3) { width: 15rem; } /* Inputs */
+.forms-table th:nth-child(5) { width: 24rem; } /* Snippet */
+.forms-table th:nth-child(4) { width: auto;  } /* Matches grows */
+
+/* ellipsize cells by default */
+.forms-table td,
+.forms-table th {
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+
+/* nicer wrapping inside snippet/details & input chips */
+.forms-table details { white-space: normal; }
+.forms-table details > pre.code {
+  white-space: pre-wrap;     /* let long lines wrap */
+  max-height: 28rem;
+  overflow: auto;
+}
+.forms-table .chips {
+  display: flex;
+  gap: 0.25rem;
+  flex-wrap: wrap;
+  white-space: normal;       /* allow chip text to wrap if needed */
+}
+
+/* (optional) responsive tweaks */
+@media (max-width: 1200px) {
+  .forms-table th:nth-child(1) { width: 22rem; }
+  .forms-table th:nth-child(3) { width: 16rem; }
+  .forms-table th:nth-child(5) { width: 18rem; }
+}
+
+
 /* let URLs/snippets wrap *inside* their cell when expanded content shows */
 .breakable {
   white-space: normal;