pub fn trigger_context_mismatch(graph: &AuthorityGraph) -> Vec<Finding>Expand description
Rule: dangerous trigger type (pull_request_target / pr) combined with secret/identity access.
Fires once per workflow when the graph-level META_TRIGGER indicates a high-risk
trigger and at least one step holds authority. Aggregates all involved nodes.