docs(analysis): document zip-slip safety guarantee in extract_docx_text

Only a single hardcoded entry (word/document.xml) is ever accessed from
the ZIP archive; no arbitrary path extraction occurs, so path traversal
attacks cannot apply. Add a comment to make this invariant explicit for
future maintainers.

src-tauri/src/commands/analysis.rs

@@ -108,6 +108,8 @@ fn extract_docx_text(path: &Path) -> Result<String, String> {
         zip::ZipArchive::new(file).map_err(|e| format!("Failed to open as ZIP/DOCX: {e}"))?;
     let mut xml_content = String::new();
     {
+        // Safety: only one hardcoded entry is ever accessed; no arbitrary path extraction is
+        // performed, so zip-slip path traversal attacks cannot apply here.
         let mut doc_xml = archive
             .by_name("word/document.xml")
             .map_err(|_| "Not a valid DOCX: missing word/document.xml".to_string())?;