Add WebApp.API ruleset for detecting exposed HTTP/REST APIs#646

Draft
Copilot wants to merge 2 commits into main from copilot/enhanced-api-detection-engine

Conversation

Copilot AI commented Jun 24, 2026


Adds a default ruleset that flags when scanned software exposes an HTTP/REST API, so consumers can reliably answer "does this repo serve an API?" The detection goes beyond the literal patterns suggested in the issue to cover conceptually equivalent indicators across major server-side ecosystems.

Changes

  • New rule file AppInspector/rules/default/webapp/api.json — 12 rules (AI090000–AI090700, previously-unused ID range), auto-embedded via the existing rules/default/**/*.json glob.
  • Framework coverage:
    • Python — FastAPI, Flask, Django REST Framework
    • JavaScript/TypeScript — Express/Koa/Hapi/Fastify/Restify, NestJS
    • C# — ASP.NET MVC / Web API / Minimal APIs
    • Java/Kotlin — Spring, JAX-RS
    • Go — net/http, Gin, Echo, gorilla/mux, chi
    • Ruby — Sinatra/Rails; PHP — Laravel/Slim/Symfony
    • OpenAPI/Swagger JSON & YAML specification documents
  • Two-level tagging for classification in reports:
    • WebApp.API — umbrella tag; match this alone to detect API exposure regardless of stack
    • WebApp.API.<Stack>.<Framework> — e.g. WebApp.API.Python.FastAPI, WebApp.API.DotNet.AspNet — for drill-down
  • Each rule carries must-match/must-not-match self-tests; patterns are scoped/anchored (word boundaries, app|router prefixes, verb-suffixed .Map*()) to limit false positives like store.getItem( or dictionary.MapValues().

WebApp is an existing top-level tag prefix and the file sits in the existing webapp/ directory, keeping naming consistent.

Example output

Analyzing a FastAPI app surfaces both tags in metaData.uniqueTags:

```python
from fastapi import FastAPI

app = FastAPI()

@app.get("/items/{item_id}")
def read_item(item_id: int): ...
```
WebApp.API
WebApp.API.Python.FastAPI

Copilot AI changed the title [WIP] Add ruleset for enhanced API detection Add WebApp.API ruleset for detecting exposed HTTP/REST APIs Jun 24, 2026
Copilot finished work on behalf of gfs June 24, 2026 23:19
Copilot AI requested a review from gfs June 24, 2026 23:19
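To show what the must-match/must-not-match self-tests and the anchored patterns described above actually buy, here is an added example that is not part of this PR and not AppInspector's own engine or its api.json. The three rules are my own constructed approximations of the anchoring the description mentions (word boundaries, app|router prefixes, verb-suffixed .Map*()), the rule IDs are placeholders, and the JSON field names (id, name, tags, applies_to, patterns, must_match, must_not_match) follow the AppInspector rule schema as I understand it, which is an assumption. The toy evaluator stands in for the real scanner only to demonstrate two points: a self-test catches an over-broad pattern before it ships, and language scoping keeps an Express pattern from tagging a FastAPI decorator.

```python
import json
import re

# Constructed, illustrative rule file (assumption: field names mirror the
# AppInspector schema; patterns and IDs are mine, not the PR's api.json).
RULES_JSON = r'''[
  {
    "id": "AI-EXAMPLE-0001", "name": "HTTP API: FastAPI/Flask route decorator",
    "tags": ["WebApp.API", "WebApp.API.Python.FastAPI"], "applies_to": ["python"],
    "patterns": [{"pattern": "@(?:app|router)\\.(?:get|post|put|delete|patch|route)\\s*\\(",
                  "type": "regex", "scopes": ["code"]}],
    "must_match": ["@app.get(\"/items/{item_id}\")", "@router.post('/login')"],
    "must_not_match": ["app.get_config()", "@property"]
  },
  {
    "id": "AI-EXAMPLE-0002", "name": "HTTP API: Express/Koa style route registration",
    "tags": ["WebApp.API", "WebApp.API.JavaScript.Express"], "applies_to": ["javascript", "typescript"],
    "patterns": [{"pattern": "\\b(?:app|router)\\.(?:get|post|put|delete|patch|all)\\s*\\(",
                  "type": "regex", "scopes": ["code"]}],
    "must_match": ["app.get('/users', listUsers)", "router.post(\"/login\", login)"],
    "must_not_match": ["store.getItem('token')", "app.getMaxListeners()"]
  },
  {
    "id": "AI-EXAMPLE-0003", "name": "HTTP API: ASP.NET minimal API endpoint mapping",
    "tags": ["WebApp.API", "WebApp.API.DotNet.AspNet"], "applies_to": ["csharp"],
    "patterns": [{"pattern": "\\b\\w+\\.Map(?:Get|Post|Put|Delete|Patch)\\s*\\(",
                  "type": "regex", "scopes": ["code"]}],
    "must_match": ["app.MapGet(\"/items\", () => items);"],
    "must_not_match": ["dictionary.MapValues();", "endpoints.MapControllers();"]
  }
]'''


def load_rules(text):
    """Parse the rule file and pre-compile each rule's regex patterns."""
    rules = json.loads(text)
    for rule in rules:
        rule["_compiled"] = [re.compile(p["pattern"]) for p in rule["patterns"]]
    return rules


def rule_hits(rule, text):
    """True if any of the rule's patterns occurs anywhere in text."""
    return any(rx.search(text) for rx in rule["_compiled"])


def self_test(rule):
    """Run a rule's own must_match / must_not_match samples.

    Returns a list of failure descriptions; an empty list means the rule's
    self-tests pass. This is what catches an over-broad pattern before it
    ships, e.g. one that would flag store.getItem( as a route registration."""
    failures = []
    for sample in rule.get("must_match", []):
        if not rule_hits(rule, sample):
            failures.append(f"{rule['id']}: expected a match for {sample!r}")
    for sample in rule.get("must_not_match", []):
        if rule_hits(rule, sample):
            failures.append(f"{rule['id']}: false positive on {sample!r}")
    return failures


def unique_tags(rules, source, language):
    """Toy scanner: the tags of every applicable rule that hits the source.

    Language scoping matters: the Express pattern alone also matches a
    FastAPI decorator line, so an unscoped rule would mis-tag a Python file."""
    tags = set()
    for rule in rules:
        if language in rule.get("applies_to", [language]) and rule_hits(rule, source):
            tags.update(rule["tags"])
    return tags


# Constructed sample inputs.
SAMPLE_FASTAPI = '''from fastapi import FastAPI

app = FastAPI()

@app.get("/items/{item_id}")
def read_item(item_id: int):
    return {"item_id": item_id}
'''
SAMPLE_NOT_AN_API = '''const token = store.getItem("token");
const sizes = dictionary.MapValues();
'''

if __name__ == "__main__":
    rules = load_rules(RULES_JSON)
    for rule in rules:
        for failure in self_test(rule):
            print("SELF-TEST FAIL:", failure)
    print(sorted(unique_tags(rules, SAMPLE_FASTAPI, "python")))
    print(sorted(unique_tags(rules, SAMPLE_NOT_AN_API, "javascript")))
```

Running it prints the two-level tag pair for the FastAPI sample and an empty list for the utility code, which is the behaviour the self-test samples pin down. Dropping the applies_to check (or loosening the `\s*\(` suffix to a bare verb name) makes the corresponding self-test fail, which is the signal a reviewer wants before a rule lands in the default set.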