- Never mutates the user-provided config
- Applies exceptions during rule execution (no post-filtering)
- Keeps backward compatibility with the old scan path