Move launch-strategy rationale from the spec resolver to _spawn_coana

The 'why npx, not npm install -g' explanation describes how coana is launched, not
how a package spec string is built, so it belongs on _spawn_coana (per review). Leaves
_resolve_coana_package_spec with a minimal docstring.

Author: mtorp

socketsecurity/core/tools/reachability.py

@@ -55,13 +55,7 @@ def __init__(self, sdk: socketdev, api_token: str):
 
     def _resolve_coana_package_spec(self, version: Optional[str] = None) -> str:
         """
-        Resolve the @coana-tech/cli package spec to run with npx.
-
-        We pass an exact, versioned spec to npx so it runs a deterministic version from its
-        own cache (fetching once if absent). We intentionally do NOT ``npm install -g`` here:
-        that would silently auto-update the engine on every run and mutate the user's global
-        install. The pinned version rides with the Python CLI release instead, so engine
-        changes only happen through a standard pip upgrade (advance notice).
+        Resolve the @coana-tech/cli package spec to run (e.g. '@coana-tech/cli@15.3.24').
 
         Args:
             version: Coana CLI version to use.
@@ -313,6 +307,11 @@ def _spawn_coana(
     ) -> int:
         """Run coana for the given args, returning the process exit code.
 
+        We run a pinned, versioned spec via npx and intentionally do NOT ``npm install -g``:
+        that would silently auto-update the engine on every run and mutate the user's global
+        install. The pinned version rides with the Python CLI release instead (see
+        ``DEFAULT_COANA_CLI_VERSION``).
+
         Primary path: ``npx --yes --force @coana-tech/cli@<version> ...`` — the exact flags the
         Socket Node CLI passes for coana (``--yes`` skips npx's interactive install prompt so
         CI runs don't hang).