Problem
The risk-gate trigger in src/analyze/verifier.rs uses hardcoded strings for security-sensitive detection:
```rust
if changed_set.iter().any(|n| n.contains("auth")
    || n.contains("security")
    || n.contains("payment")
    || n.contains("credentials"))
```
This means developers cannot customize risk gates for their specific business domains (e.g., "billing", "crypto", "pii") without modifying source code.
Proposal
Move the risk-trigger keywords into the policy configuration system under a new policy variant (e.g., Policy::RiskTriggers(Vec<String>)). This would allow developers to define domain-specific risk gates in policy files.
Acceptance
- Custom risk trigger keywords can be defined per project
- Default triggers still fire for "auth", "security", "payment", "credentials"
- No regression in existing verifier tests
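
A sketch of how the proposal could satisfy the acceptance criteria, added here as an example and not taken from the project's code. `DEFAULT_RISK_TRIGGERS`, `effective_triggers` and `risk_gate_triggered` are hypothetical names, and trimming, lowercasing and dropping empty keywords are assumptions beyond what the issue asks for.

```rust
// Added example: all names below are hypothetical, not the project's actual API.
const DEFAULT_RISK_TRIGGERS: [&str; 4] = ["auth", "security", "payment", "credentials"];

#[derive(Debug, Clone)]
enum Policy {
    /// Project-specific keywords, e.g. loaded from a policy file.
    RiskTriggers(Vec<String>),
}

/// Defaults are always present; custom keywords extend them, never replace them.
fn effective_triggers(policies: &[Policy]) -> Vec<String> {
    let mut out: Vec<String> = DEFAULT_RISK_TRIGGERS.iter().map(|s| s.to_string()).collect();
    for p in policies {
        let Policy::RiskTriggers(custom) = p;
        for kw in custom {
            // Assumption: normalize so "PII" and " pii " behave the same.
            let kw = kw.trim().to_lowercase();
            // An empty keyword would trip the gate on every change,
            // because `contains("")` is always true.
            if !kw.is_empty() && !out.contains(&kw) {
                out.push(kw);
            }
        }
    }
    out
}

/// Same substring check as the hardcoded version, driven by the keyword list.
fn risk_gate_triggered(changed_set: &[&str], triggers: &[String]) -> bool {
    changed_set.iter().any(|n| {
        let n = n.to_lowercase();
        triggers.iter().any(|t| n.contains(t.as_str()))
    })
}

fn main() {
    // Constructed sample policy and change sets.
    let policies = vec![Policy::RiskTriggers(vec!["billing".into(), "PII".into(), "".into()])];
    let triggers = effective_triggers(&policies);
    let samples = [
        vec!["src/billing/invoice.rs"],
        vec!["src/auth/login.rs"],
        vec!["docs/readme.md"],
    ];
    for set in samples {
        println!("{:?} -> {}", set, risk_gate_triggered(&set, &triggers));
    }
}
```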