ci: broaden subprocess scanner and ignore Rust string literals

Two CodeRabbit findings on the linter, both failure-critical when the
step is run with `--fail`:

* `scan_workspace()` only globbed `crates/**/*.rs`, missing
  `build.rs`, `examples/**`, `benches/**`, top-level `tests/**`, and
  any other `**/*.rs` that might appear in the repo. Scan from
  `REPO_ROOT` instead and exclude known junk dirs (`target`, `.git`,
  `node_modules`, `.venv`, `venv`).

* `_is_doc_or_string()` only filtered comment/doc *lines*. A normal
  line of Rust code containing `"Command::new("` inside a string
  literal would therefore fire a false positive on `--fail`. Add a
  whole-file literal-stripping pass that understands:
    - normal strings with `\"` / `\` escapes
    - char literals (distinguished from lifetimes)
    - raw strings `r"..."`, `r#"..."#`, any number of `#`s
    - byte strings `b"..."` and `br#"..."#`
    - line and nestable block comments
  The regex is run on the stripped source while line numbers stay
  aligned with the original, so reporting still points at the real
  line.

Adds a `--self-test` mode exercising all of the above (string,
raw-string, byte-string, real spawn, block comment, top-level
`build.rs` discovery, string-literal false-positive suppression).

Addresses CodeRabbit review on #200.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: zackees