fix(yara): use content hash for rule cache invalidation

[mimran-khan]

Summary

The YARA rule cache (_content_hash) invalidated based on file paths and sizes only. If a rule file is edited without changing its byte count (e.g., changing a pattern string to a same-length alternative), the module continues serving stale compiled rules from the previous version.

Changes

• static_yara.py: _content_hash() now hashes actual file content (read_bytes()) instead of just st_size.
• test_static_yara.py: 3 new tests in TestContentHashInvalidation — validates that same-size edits produce different hashes, identical content produces stable hashes, and _load_rules recompiles after a same-size edit.

Before / After

# Before — size-only, misses same-length edits
h.update(str(p.stat().st_size).encode())

# After — content-based, catches all edits
h.update(p.read_bytes())

Trade-off

Reading file content is slightly slower than stat-only (~microseconds per rule file). Given that YARA rule directories typically contain <50 small files and compilation itself is the expensive step, this is negligible.

Testing

• 3 new tests pass
• Full existing YARA test suite continues to pass

Fixes #152

[keshprad]

looks good to me. thanks!

I'll merge later today after double checking all the unit tests, linting issues, static analysis reports on our internal CI

[keshprad]

just added on minor linting fix.