Status: Open
Labels: enhancement (New feature or request), security (Security module and audit capabilities)
Problem
Some security checks require logic beyond regex pattern matching, e.g. checking whether a file exceeds a size threshold, validating that tests exist for new functions, or enforcing branch naming conventions.
Proposed Solution
- Add a `register_security_rule()` API for custom R-function-based rules
- Rules receive the diff context and return pass/fail with a message
- Support rule severity: block, warn, or inform
- Bundle useful default rules:
  - "No large binary files" (> configurable size)
  - "New exported functions must have tests"
  - "No TODO/FIXME in production code"
  - "Secrets scanner" (entropy-based detection beyond regex)
Example
```r
counselor::register_security_rule(
  name = "no_large_files",
  check = function(diff_info) {
    # Files whose size (bytes) exceeds the threshold
    large <- diff_info$files[diff_info$sizes > 1e6]
    # Collapse so the message is a single string even when several files match
    list(pass = length(large) == 0,
         message = paste("Large files:", paste(large, collapse = ", ")))
  },
  severity = "warn"
)
```
Acceptance Criteria
- Custom rules can be registered and persist per project
- Rules receive full diff context
- Clear error messages when rules fail
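To make the proposed semantics concrete (rules receiving a diff context, the three severity levels, and an entropy-based secrets check that goes beyond regex), here is an added example of what a minimal implementation could look like. This is illustrative code written for this issue, not counselor's existing code: the `.rules` registry, `run_security_rules()`, `shannon_entropy()`, the shape of `diff_info` (`files`, `sizes`, `added`), the 4.5 bits/char entropy threshold, and the sample diff are all assumptions.

```r
# Added example, not counselor's own code: a minimal sketch of the proposed
# register_security_rule() API with severity handling and an entropy-based
# secrets rule. The registry (.rules), run_security_rules() and the shape of
# diff_info (files, sizes, added) are assumptions for illustration.

.rules <- new.env(parent = emptyenv())

register_security_rule <- function(name, check,
                                   severity = c("block", "warn", "inform")) {
  severity <- match.arg(severity)
  stopifnot(is.character(name), length(name) == 1L, is.function(check))
  assign(name, list(check = check, severity = severity), envir = .rules)
  invisible(name)
}

# Runs every registered rule over diff_info and returns one row per rule.
# Only a failing "block" rule sets attr(result, "blocked") to TRUE; "warn"
# and "inform" failures are reported but do not stop the change.
run_security_rules <- function(diff_info) {
  rows <- lapply(ls(.rules), function(name) {
    rule <- get(name, envir = .rules)
    res <- rule$check(diff_info)
    stopifnot(is.logical(res$pass), length(res$pass) == 1L)
    data.frame(rule = name, severity = rule$severity, pass = res$pass,
               message = if (res$pass) "" else res$message,
               stringsAsFactors = FALSE)
  })
  out <- do.call(rbind, rows)
  attr(out, "blocked") <- any(!out$pass & out$severity == "block")
  out
}

# Shannon entropy of a string in bits per character.
shannon_entropy <- function(s) {
  chars <- strsplit(s, "")[[1]]
  p <- as.numeric(table(chars)) / length(chars)
  -sum(p * log2(p))
}

# Rule 1: large files (the issue's own example; warn only). Threshold assumed.
register_security_rule("no_large_files", severity = "warn", check = function(d) {
  large <- d$files[d$sizes > 1e6]
  list(pass = length(large) == 0L,
       message = paste("Large files:", paste(large, collapse = ", ")))
})

# Rule 2: TODO/FIXME in added lines under R/ (inform only).
register_security_rule("no_todo_fixme", severity = "inform", check = function(d) {
  prod <- grepl("^R/", d$added$file)
  hit <- prod & grepl("\\b(TODO|FIXME)\\b", d$added$line)
  list(pass = !any(hit),
       message = paste("TODO/FIXME in:",
                       paste(unique(d$added$file[hit]), collapse = ", ")))
})

# Rule 3: entropy-based secrets scanner (block). Any token of 20+ base64-like
# characters with entropy above 4.5 bits/char is treated as a candidate secret,
# whether or not it matches a known key prefix. Threshold is an assumption.
register_security_rule("no_high_entropy_secrets", severity = "block",
                       check = function(d) {
  suspects <- character(0)
  for (i in seq_len(nrow(d$added))) {
    tokens <- regmatches(d$added$line[i],
                         gregexpr("[A-Za-z0-9+/=_-]{20,}", d$added$line[i]))[[1]]
    hot <- tokens[vapply(tokens, shannon_entropy, numeric(1)) > 4.5]
    if (length(hot)) suspects <- c(suspects, sprintf("%s: %s", d$added$file[i], hot))
  }
  list(pass = length(suspects) == 0L,
       message = paste("Possible secrets:", paste(suspects, collapse = "; ")))
})

# Constructed diff context: one source file with a high-entropy literal, a TODO
# and an ordinary long identifier, plus a 5 MB binary.
diff_info <- list(
  files = c("R/auth.R", "inst/model.bin"),
  sizes = c(2048, 5e6),
  added = data.frame(
    file = rep("R/auth.R", 3),
    line = c('api_key <- "q7Zx9pL2mN4vB8kT1wR6yH3jF5dS0aGe"',
             "# TODO: rotate keys automatically",
             "cfg <- default_configuration_value"),
    stringsAsFactors = FALSE)
)

result <- run_security_rules(diff_info)
print(result)
cat("blocked:", attr(result, "blocked"), "\n")
```

On the constructed diff, all three rules fail, but only the secrets rule carries `severity = "block"`, so `attr(result, "blocked")` is `TRUE` while the large-file and TODO findings are merely reported. The 32-character literal has 32 distinct characters (5 bits/char), well above the 4.5 threshold, whereas `default_configuration_value` scores roughly 3.8 bits/char and is not flagged; the threshold is what decides the false-positive rate, so it should be configurable alongside the token length.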