Metadata matcher: map of field -> predicate, with an optional not
sub-matcher (negation). The not: key is reserved and parsed specially —
it cannot be used as a metadata field name.
Per-field metadata predicate. A bare string means equals (back-compat with
v0.4.x). The operator-object form supports equals, not_equals, contains
(substring match on string values), and in (any-of the listed values).
A scalar-or-list helper. Lets a rule file write node_type: secret (single
value) or node_type: [secret, identity] (any-of). The single form is kept for
backward compatibility with v0.4.x rule files.
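The matching semantics described above (field predicates, the any-of scalar-or-list form, and the reserved not: sub-matcher), written out as an added, self-contained Rust example. This is not the project's code: it skips serde_yaml entirely and models the already-parsed rule structures directly, with metadata values assumed to be plain strings. The combination rule (all field predicates must hold and the not sub-matcher must not hold) and the treatment of a missing field (equals/contains/in fail, not_equals succeeds) are assumptions made for the example, as is the example_matcher rule itself.

```rust
use std::collections::BTreeMap;

/// Scalar-or-list helper: `node_type: secret` and `node_type: [secret, identity]`
/// both end up here; matching is any-of.
#[derive(Debug, Clone, PartialEq)]
enum ScalarOrList {
    Scalar(String),
    List(Vec<String>),
}

impl ScalarOrList {
    fn contains(&self, v: &str) -> bool {
        match self {
            ScalarOrList::Scalar(s) => s == v,
            ScalarOrList::List(items) => items.iter().any(|s| s == v),
        }
    }
}

/// Per-field predicate. A bare YAML string is `Equals`; the operator-object
/// form selects the other variants.
#[derive(Debug, Clone, PartialEq)]
enum FieldPredicate {
    Equals(String),
    NotEquals(String),
    Contains(String),
    In(ScalarOrList),
}

impl FieldPredicate {
    /// `value` is the field's value, or None when the metadata has no such field.
    fn matches(&self, value: Option<&str>) -> bool {
        match (self, value) {
            (FieldPredicate::Equals(want), Some(v)) => v == want,
            (FieldPredicate::NotEquals(want), Some(v)) => v != want,
            // Assumption: a missing field counts as "not equal" to anything.
            (FieldPredicate::NotEquals(_), None) => true,
            (FieldPredicate::Contains(needle), Some(v)) => v.contains(needle.as_str()),
            (FieldPredicate::In(allowed), Some(v)) => allowed.contains(v),
            // equals / contains / in cannot be satisfied by a missing field.
            _ => false,
        }
    }
}

/// Metadata matcher: every field predicate must hold, and the optional `not`
/// sub-matcher must NOT hold (assumed AND-of-negation semantics).
#[derive(Debug, Default)]
struct MetadataMatcher {
    fields: BTreeMap<String, FieldPredicate>,
    not: Option<Box<MetadataMatcher>>,
}

impl MetadataMatcher {
    /// Add a field predicate; the reserved `not` key is rejected as a field name.
    fn field(mut self, name: &str, pred: FieldPredicate) -> Result<Self, String> {
        if name == "not" {
            return Err("`not` is reserved for the negation sub-matcher".into());
        }
        self.fields.insert(name.to_string(), pred);
        Ok(self)
    }

    fn negate(mut self, inner: MetadataMatcher) -> Self {
        self.not = Some(Box::new(inner));
        self
    }

    fn matches(&self, metadata: &BTreeMap<String, String>) -> bool {
        let fields_ok = self
            .fields
            .iter()
            .all(|(name, pred)| pred.matches(metadata.get(name).map(String::as_str)));
        let not_ok = self.not.as_ref().map_or(true, |inner| !inner.matches(metadata));
        fields_ok && not_ok
    }
}

/// Constructed metadata record for the examples below.
fn meta(pairs: &[(&str, &str)]) -> BTreeMap<String, String> {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

/// Hypothetical rule, equivalent to:
///   node_type: [secret, identity]
///   name: { contains: token }
///   not: { environment: test }
fn example_matcher() -> MetadataMatcher {
    MetadataMatcher::default()
        .field("node_type", FieldPredicate::In(ScalarOrList::List(vec!["secret".into(), "identity".into()])))
        .and_then(|m| m.field("name", FieldPredicate::Contains("token".into())))
        .expect("field names are not reserved")
        .negate(
            MetadataMatcher::default()
                .field("environment", FieldPredicate::Equals("test".into()))
                .expect("field names are not reserved"),
        )
}

fn main() {
    let m = example_matcher();
    let prod = meta(&[("node_type", "secret"), ("name", "api_token"), ("environment", "prod")]);
    let test = meta(&[("node_type", "secret"), ("name", "api_token"), ("environment", "test")]);
    println!("prod secret matches: {}", m.matches(&prod)); // true
    println!("test secret matches: {}", m.matches(&test)); // false, negated by not:
}
```

The record with environment: test is excluded only by the not sub-matcher; a record with no environment field at all still matches, because the inner equals predicate cannot match an absent field. If that is not the behaviour a rule author expects, the documentation for not: should say so explicitly.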
Evaluate every (rule, path) pair. A finding is produced when the rule’s
source, sink, and path predicates all match. Findings carry the rule id in
the message so operators can trace back to the originating YAML.
Load all *.yml and *.yaml files from dir. Files are read in sorted
order for deterministic output. Returns a list of all errors alongside
successfully parsed rules — callers decide whether to fail fast or continue.
Parse a YAML string containing one or more CustomRule documents (separated
by ---). Single-doc files behave identically to the legacy
serde_yaml::from_str::<CustomRule> path. Empty/whitespace-only documents
(e.g. a leading --- followed by a real doc) are skipped.
Parse one or more CustomRule documents from content and stamp every
produced rule with source_file = source so downstream finding emission
can attribute authority back to the originating YAML file. Used by
load_rules_dir to thread file paths through into FindingSource::Custom.
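The loading behaviour described in the last three paragraphs (sorted, deterministic file order; errors collected alongside parsed rules; multi-document splitting on --- with empty documents skipped; source_file stamped on every rule), as an added Rust example that is not the project's code. It uses only the standard library: the document splitter is a line-based stand-in for serde_yaml's multi-document handling, the "parser" only reads an id: line (an assumption, so that a document without one becomes an error), and the directory walk is replaced by an in-memory list of (file name, content) pairs so the example runs without touching the filesystem. The names LoadedRule, LoadOutcome, split_documents, load_rules_str and load_rules_files are hypothetical.

```rust
/// A parsed rule plus the file it came from (stamped by the loader).
#[derive(Debug, Clone, PartialEq)]
struct LoadedRule {
    id: String,
    source_file: String,
}

/// Everything a directory load produces: callers decide whether any error is fatal.
#[derive(Debug, Default)]
struct LoadOutcome {
    rules: Vec<LoadedRule>,
    errors: Vec<String>,
}

/// Split a multi-document string on `---` separator lines and drop documents that
/// are empty or whitespace-only (e.g. the one produced by a leading `---`).
fn split_documents(content: &str) -> Vec<String> {
    let mut docs = Vec::new();
    let mut current = String::new();
    for line in content.lines() {
        let trimmed = line.trim_end();
        // A separator is `---` alone on its line (trailing whitespace allowed).
        if trimmed.starts_with("---") && trimmed[3..].trim().is_empty() {
            docs.push(std::mem::take(&mut current));
        } else {
            current.push_str(line);
            current.push('\n');
        }
    }
    docs.push(current);
    docs.into_iter().filter(|d| !d.trim().is_empty()).collect()
}

/// Stand-in for deserializing one CustomRule (assumption: only `id:` is read).
fn parse_rule_doc(doc: &str) -> Result<String, String> {
    doc.lines()
        .find_map(|l| l.strip_prefix("id:").map(|v| v.trim().to_string()))
        .filter(|id| !id.is_empty())
        .ok_or_else(|| "document has no `id:` key".to_string())
}

/// Parse every document in `content` and stamp each rule with `source`.
/// Errors are recorded with file and document index and parsing continues.
fn load_rules_str(content: &str, source: &str, out: &mut LoadOutcome) {
    for (i, doc) in split_documents(content).iter().enumerate() {
        match parse_rule_doc(doc) {
            Ok(id) => out.rules.push(LoadedRule { id, source_file: source.to_string() }),
            Err(e) => out.errors.push(format!("{source} (document {}): {e}", i + 1)),
        }
    }
}

/// In-memory analogue of a directory load: only *.yml / *.yaml entries are read,
/// sorted by name first so the output order does not depend on listing order.
fn load_rules_files(files: &[(&str, &str)]) -> LoadOutcome {
    let mut sorted: Vec<(&str, &str)> = files.to_vec();
    sorted.sort_by(|a, b| a.0.cmp(b.0));
    let mut out = LoadOutcome::default();
    for (name, content) in sorted {
        if name.ends_with(".yml") || name.ends_with(".yaml") {
            load_rules_str(content, name, &mut out);
        }
    }
    out
}

/// Constructed input: leading `---`, a whitespace-only document in the middle,
/// and two real documents.
const MULTI_DOC: &str = "---\nid: rule-a\nsources: [secret]\n---\n\n---\nid: rule-b\n";

fn main() {
    // Deliberately unsorted: z.yaml first, a.yml (broken) second, a non-YAML file last.
    let out = load_rules_files(&[
        ("z.yaml", MULTI_DOC),
        ("a.yml", "name: missing id\n"),
        ("notes.txt", "id: ignored\n"),
    ]);
    for r in &out.rules {
        println!("rule {} from {}", r.id, r.source_file);
    }
    for e in &out.errors {
        println!("error: {e}");
    }
}
```

Carrying the file name and document index in each error string is what makes a bad rule file actionable for an operator; a loader that only returns the first error, or returns errors without the originating file, forces a guess about which of several YAML files in the directory needs fixing.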