Make clause security check pluggable

[qqxhb]

Summary

• add ClauseChecker hook with ErrClauseNotHandled fallback behavior
• centralize clause validation with optional custom checker
• add tests for custom checker behavior

Tests

• go test ./...

[propel-code-bot]

This PR introduces a configurable clause security checker integrated into DO clause validation, with a new option to plug in custom handling that can delegate back to the default checker when needed.

Affected Areas

• do_options.go
• sec_check.go
• do.go
• do_clause_checker_test.go

This summary was automatically generated by @propel-code-bot

[propel-code-bot]

[Logic] Calling d.ClauseChecker will panic if DOConfig was never initialized (e.g., Table(...) returns a *DO without calling UseDB). That makes Clauses() unsafe on those instances. Guard against a nil DOConfig and pass a nil checker to fall back to CheckClause.

Suggested change

	if err := checkCondsWithChecker(conds, d.ClauseChecker); err != nil {
	var checker ClauseChecker
	if d.DOConfig != nil {
	checker = d.ClauseChecker
	}
	if err := checkCondsWithChecker(conds, checker); err != nil {

Context for Agents

Calling `d.ClauseChecker` will panic if `DOConfig` was never initialized (e.g., `Table(...)` returns a `*DO` without calling `UseDB`). That makes `Clauses()` unsafe on those instances. Guard against a nil `DOConfig` and pass a nil checker to fall back to `CheckClause`.

```suggestion
	var checker ClauseChecker
	if d.DOConfig != nil {
		checker = d.ClauseChecker
	}
	if err := checkCondsWithChecker(conds, checker); err != nil {
```

File: do.go
Line: 175